From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hello everyone, well, this is a special CUBE Conversation and we are here in Palo Alto, California, the CUBE studios. Here with Tony Giandomenico, who's the senior security strategist and researcher at Fortinet and FortiGuard Labs, live from Las Vegas, where Black Hat and then DEF CON security activities are happening. Tony, also known as Tony G. Welcome to this CUBE Conversation.

Hey, thanks, John, man. Thanks for having me.

So a lot of action happening in Vegas. We just live there all the time with events. You're there on the ground. You guys have seen all the action there. You guys just published your quarterly threat report. Got a copy of it right here with the threat index on it. Talk about this quarterly global threats report because the backdrop that we're living in today, obviously you're at the conference and the cutting edge is security, impacting businesses at such a level. We almost have shell shock from all the breaches and threats that are going on. Every day you hear another story, another story, another hack, more breaches. It's at an all-time high.

Yeah, I think a lot of people start to get numb to the whole thing. It's almost like they're kind of throwing their hands up and say, oh, well, I just kind of give up. I don't know what else to do. But obviously there are a lot of different things that you can do to be able to make sure that you secure your cybersecurity program. So at least you minimize the risk of these particular breaches happening. But with that said, with the threat landscape report, what we typically do is we start out with this overall threat index. And we started this last year. And if we fast forward to where we are in this actual Q2 report, it's been one year now. And the bad news is that the threats are continuing to increase. They're getting more sophisticated. The evasion techniques are getting more advanced.
And we've seen an uptick of about 4% in threat volume over the year before. Now, the silver lining is, I think we expected the threat volume to be much higher. So I think, though it is continuing to increase, I think the good news is it's probably not increasing as fast as we thought it was going to.

Well, it's always, you have to know it. You're going to have to look for it. A lot of people talk about what you can't see. And there's a lot of a blind spot there. It's become a data problem. I just want to let people know they can find the report, go to Fortinet's website, there's a blog there for the details of all the threat index. But the notable point is it's only up 4% from the previous year. The attempts are more sophisticated. So I got to ask you, is there stuff that we're not seeing in there? I mean, is there blind spots? What's the net net of the current situation? Because observability is a hot topic in cloud computing, which is essentially monitoring 2.0. But you got to be able to see everything. Are we seeing everything? What's out there?

Well, I mean, I think us, as you know, FortiGuard and our cyber threat intelligence, I think we're seeing a good amount. But when you talk about visibility, if you go back down into the organizations, I think that's where there's definitely a gap there because a lot of the conversations that I have with organizations is they don't necessarily have all the visibility they need from cloud all the way down to the endpoint. So there are some times that you're not going to be able to catch certain things. Now with that said, if we go back to the report, at the end of the day, the adversaries have some challenges to be able to break into an organization. And of course, the obvious one is they have to be able to circumvent our security controls. And I think as a security community, we've gotten a lot better at being able to identify when the threat is coming into an organization.
Now on the flip side though, if you refer back to the MITRE ATT&CK knowledge base, you'll see a specific tactic category called defense evasion. There's about 60 plus techniques, evasion techniques, the adversary has at their disposal, at least that we know, there may be others, but so they do have a lot of opportunity, a lot of different techniques to be able to leverage. With that said, there's one technique. It's disabling security tools that we started seeing a bit of an increase in this last Q2 threat landscape report. So a lot of different types of threats and malware have the capability to be able to, one, look at the different processes that may be running on a workstation, identifying which one of those processes happen to be security tools and then disabling them. Whether they're, maybe they might just be able to turn the actual service off, or maybe there's something in the registry that they can tweak that'll disable the actual security control. Maybe they'll actually suppress the alerts, whatever they can do to make sure that that security control doesn't prevent them from doing that malicious activity. Now, with that said, on the flip side, from an organization perspective, you wanna make sure that you're able to identify when someone's turning on and turning off those security controls, or any type of alert that might be coming out of that control. Also, and this is a big one, because a lot of organizations don't necessarily do this, minimize who has the ability to turn those particular security controls on and off. The worst case is you don't wanna have all of your employees, you don't wanna give them the ability to be able to turn those controls on and off. You're never gonna be able to baseline, you're never gonna be able to identify anomalous activity in the environment, and you're basically gonna lose your visibility.

I mean, this increase in malware and exploit activity you guys are pointing out is clearly a challenge.
The other thing that the report kind of teases out, I wanna get your opinion on this, is that the upping the ante on the evasion tactics has been a very big trend. The adversaries are out there, they're upping the ante, you guys are upping the ante, this game is continuing, this flywheel continues. Talk about this feature of upping the ante on evasion tactics.

Yeah, so that's what I was kind of referring to before with all the different types of evasion techniques, but what I will say is most of all the threats these days all have some type of evasion capabilities. A great example of this is every quarter, if you didn't know, we look at different types of actors and different types of threats and we find one that's interesting for us to dig into, and we'll create what's called an actual playbook where we wanna be able to dissect that particular threat or those threat actor methodologies and be able to determine what are their tactics and corresponding techniques, which sometimes, of course, includes evasion techniques. Now, the one that we focused on for this quarter was called Zegost. What Zegost is, it's a specific threat that is an information stealer, so it's gathering information really based on the mission goals of whatever that particular campaign is, and it's been around for a while going all the way back to 2011. Now, you might be asking yourself, well, why do we actually choose this? Well, there's a couple of different reasons. One happens to be the fact that we've seen an uptick in this activity, usually when we see that, it's something we wanna dive into a little bit more. Number two, though, this is a tactic of the adversary. What they'll do is they'll have their threat there for a little while and then they'll go dormant. They'll stop using that particular malware, that specific sort of threat. They'll let the dust settle, let things die down, organizations will let their guard down a little bit on that specific threat.
Security organizations, vendors might actually do the same, let that digital dust kind of settle, and then they'll come back bigger, faster, stronger. And that's exactly what Zegost did, is we looked at a specific campaign and this new malware, the new and improved malware, is they're adding in other capabilities for not just being able to siphon information from your machine, but they also now can capture video from your webcam. Also, the evasion techniques, since we're on that particular subject, what they're also able to do is they're looking at your application logs, your system logs, your security logs, deleting them, making it a lot more difficult from a forensic perspective to be able to go back and figure out what happened, what that actual malware was doing on the machine. Another interesting one is they were looking at a specific JPEG file. So they were looking for that hash and if the hash was there, the actual malware would run and we didn't know what that was, so we researched a little bit more and what we found out was that JPEG file happened to be a desktop sort of picture for one of the sandboxes. So it knew if that particular JPEG was present, it wasn't going to run because it knew it was being analyzed in a sandbox. So that was a second interesting thing. The third one that really leaned us towards digging into this is a lot of the actual security community attribute this particular threat back to cyber criminals that are located in China. The specific campaign that we were focused on was on a government agency also in China. So that was kind of interesting. So you're continuing to see these malwares maybe sort of go dormant for a little bit, but they always seem to come back bigger, faster, stronger.

And that's by design. This is that long haul, long view that these adversaries are taking there, actually organized as economies behind what they're doing. They're targeting this, not just hit and run. It's get in, have a campaign.
This long game is very much active. How do enterprises get on top of this? I mean, is it a people process issue? Is it some tech from FortiGuard Labs or what's Fortinet's view on this? Because I mean, I can see that happening all the time, it is happening.

It's really, it's a combination of everything. It's a combination, you kind of hit like some of it. It's people, it's processes and technology. Of course, we have a people shortage of skilled resources, but that's a key part of it. You always need to have those skilled resources. Also making sure you have the right processes. How are you actually monitoring things? I know a lot of folks may not actually be monitoring all the things that they need to be monitoring from what is really happening out there on the internet today. So making sure you have clear visibility into your environment and you can understand, at any given point in time, what your situational awareness is. From a technology perspective, you start to see, and this is kind of a trend, we're starting to leverage artificial intelligence, automation, the threats are coming and it's such a high volume. Once they hit the environment, instead of it taking hours for your incident response to be able to at least not necessarily mitigate but isolate or contain the breach, it takes a while. So if you start to leverage some artificial intelligence and automatic response where the security controls are working together, that's a big part of it.

Awesome, thanks for coming on. This is a huge problem. I think no one can let their guard down these days. Certainly with the surface area expanding, we're going to get to that talk track in a second. I want to quickly get your thoughts on ransomware. This continues to be a drum that keeps on beating from an attack standpoint. It's almost as if when the attackers need money, they just hit the same ransomware target again. They pay in Bitcoin.
This has been kind of a real lucrative but persistent problem with ransomware. What's going on with ransomware? What's the state of the report and what's the state of the industry right now in solving that?

Yeah, yeah. We alluded to this a little bit in last quarter and actually a few quarters. And this is a continuous sort of trend. Ransomware typically is where it's on the cyber crime ecosystem. And a lot of times the actual threat itself is being delivered through some type of a phishing email where you need a user to be able to click a link or click an attachment. And it's usually kind of a pray and spray thing. But what we're seeing is more of a targeted approach. What they'll do is they'll look for and do some reconnaissance on organizations that may not have the security posture that they really need to have. It's not as mature and they know that they might be able to get that particular ransomware payload in there undetected. So they do a little reconnaissance there. And some of the trend here that we're actually seeing is they're looking at external RDP sessions. There's a lot of RDP sessions, the remote desktop protocol sessions that organizations have externally so they can enter into their environment. But these RDP sessions are basically not as secure as they need to be, either weak usernames and passwords or they are vulnerable and haven't actually been patched, and they're taking advantage of those. They're entering in there. And then once they have that initial access into the network, they spread their payload all throughout the environment and hold all those devices hostage for a specific ransom. Now, if you don't have the particular backup strategy to be able to get that ransomware out of there and get your information back on those machines again, sometimes you actually may be forced to pay that ransom. Not that I'm recommending that you sort of do so, but you see organizations are deciding to go ahead and pay that ransom.
And the more they do that, the more the adversary is going to say, hey, I'm coming back and I know I'm going to be able to get more and more.

Yeah, 'cause they don't usually fix the problem or they come back in and it's like a blank check for them. They come in and keep on hitting the same target over and over again. We've seen that at hospitals, we've seen it at kind of the more anemic IT departments where they don't have the full guard capabilities there.

Yeah, and I would add on, what's really becoming a big issue. You know, and I'll ask you a question here, John. I mean, what does Microsoft, NSA and DHS have in common for this last quarter?

RobinHood.

That's actually a good guess. What they have in common is the fact that each one of them urged the public to patch a new vulnerability that was just released on the RDP sessions called BlueKeep. And the reason why they were so hyped about this, making sure that people get out there and patch, is because it was wormable. You didn't really need to have a user click a link or click an attachment. You know, basically when you would actually exploit that vulnerability, it could spread like wildfire and that's what wormable is. A great example of that is with WannaCry a couple years ago, it spread so quickly. So everybody was really focused on making sure that that vulnerability actually gets patched. Adding on to that, we did a little bit of research on our own and ran some internet scans and there's about 800,000 different devices that are vulnerable to that particular new vulnerability that was announced. And, you know, I still think a lot of people haven't actually patched all of that. And that's a real big, you know, concern especially because of the trend that we just talked about, ransomware payload, the threat actors are looking at RDP as the initial access into the environment.

So on BlueKeep, that's the one you were talking about, right? So what is the status of that?
You said there's a lot of vulnerabilities out there. Are people patching it? Is it moving down the path in terms of are people on it? What's your take on that? What's the assessment?

Yeah, so I think some people are starting to patch but shoot, so the scans that we do, there's still a lot of unpatched systems out there. And I would also say we're not seeing what's inside the network. There may be other RDP sessions in the environment inside an organization's environment which really means now if ransomware happens to get in there that has that capability then to be able to spread like via some RDP vulnerability, that's gonna be even a lot more difficult to be able to stop that once it's inside a network. I mean, some of the recommendations obviously for this one is you want to be able to patch your RDP sessions for one. Also, if you want to be able to enable network authentication, that's really going to help as well. Now, I would also say maybe you want to harden your usernames and passwords but if you can't do some of this stuff at least put some mitigating controls in place. Maybe you can isolate some of those particular systems, limit the amount of access organizations have or their employees have to that or maybe even just totally isolate it if it's possible. Internal network segmentation is a big part of making sure you're able to mitigate some of these potential risks or at least minimize the damage that they may cause.

Tony G, I want to get your thoughts on your opinion and analysis, expert opinion, on the attack surface area with digital and then ultimately what companies can do. Well, let's start with the surface area. What's your analysis there? A lot of companies are recognizing obviously with IoT and other digital devices, the surface area is just everywhere, right? So, you know, gone are the perimeter days, that's kind of well-known. It's out there. What's the current digital surface area threats look like? What's your opinion?
Sure, yeah, yeah, it's funny these days. You know, John, I'll tell you, I'd say everything that seems to be made has an IP address on it, which means it's actually able to access the internet, and if it can access the internet, the bad guys can probably reach out and touch it and that's really the crux of the problem these days. So, anything that is being created is out on the internet and like we all know, there's really not a really rigid security process to make sure that that particular device is as secure as it actually needs to be. Now, we talked earlier on about, you know, IoT as it relates to maybe home routers and how you need to be able to harden that because you will see a lot of IoT botnets that are taking over those home routers and creating these super large IoT botnets. On the other side of it, you know, we've seen a lot of SCADA systems now that traditionally were in air-gapped environments. Now they're being brought into the traditional network, they're being connected there. So there's an issue there, but one of the ones we haven't actually talked a lot about, and we're starting to see the adversaries focus on these a little bit more, is devices in smart homes and smart buildings. In this Q2 Threat Landscape Report, there was a vulnerability in one of these U.motion building management systems. And, you know, we looked at all the different exploits out there and the adversaries were actually looking at targeting that specific exploit on that smart management building service device. We had about 1% of all of our exploit hits on that device. Now that might not seem like a lot, but in the grand scheme of things, when we're collecting billions and billions of events, it's a fairly substantial amount. Now that really starts to kind of bring a whole other thought process into, as a security professional, as someone responsible for securing my cyber assets, what do I include in my cyber assets now?
Do I include all the business management systems that my employees are in for my overall business? Now that actually might be connected to my internal network where all of my other cyber assets are. Maybe it actually should be, maybe it should be part of your vulnerability patch management process, but what about all the devices in your smart home now? All these different things are available and you know what the trend is, John, right? I mean, the actual trend is to work from home. So you have a lot of your remote workers that have great access into the environment. Now there's a great conduit for the adversaries to be able to break into some of those smart home devices and maybe from there, they're on the employee's machine and that kind of gets them into the other environment. So I would say start looking at, maybe you don't want to have those home devices as part of what you're responsible for protecting, but you definitely want to make sure your remote users have a hardened access into the environment. They're separated from all of those other smart home devices and educate your employees on that. And the user awareness training programs talk to them about what's happening out there, how the adversaries are starting to compromise or at least focus on some of those smart devices in their home environment.

These entry points, as you point out, are just so pervasive. You have work at home, you're totally right. That's a great trend that a lot of companies are going to and this is a virtual first world, we build this new generation of workers, they want to work at home anywhere. So no, you got to think about all that, those devices that your son or your daughter brought home or your husband or your wife installed, a new light bulb with an IP connection to it, fully threaded processor.

I know, I know, gosh, this kind of concerns me, you know, say for example, and then what's hot these days is the webcam, right?
You know, let's say you have an animal and you happen to go away, you always want to know what your animal is doing, right? So you have these webcams here. I bet you, someone might be placing a webcam that might be near where they actually sit down and work on their computer. Someone compromises that webcam, maybe they can see some of the usernames and passwords that you're using to log in, maybe they can see some information that might be sensitive on your computer. You know, it's the, you know, the options are endless here.

Tony G, I want to get your thoughts on how companies protect themselves because this is the real threat. And IoT doesn't help either, industrial IoT to just internet of things, whether it's humans working at home to, you know, sensors and light bulbs inside other factory floors or whatever, I mean, it's everywhere now. The surface area is anything with an IP address and power and connectivity. How do companies protect themselves? What's the playbook? What's coming out of Red Hat? What's coming out of Fortinet? What are you advising? What's the playbook?

Yeah, you know, I, you know, when I get asked this question a lot, I really, I sound like a broken record sometimes and I try to find so many different ways to spin it. You know, maybe I can actually kind of say it like this and it always means the same thing. Work on the fundamentals. John, you mentioned it earlier from the very beginning, visibility, visibility, visibility. If you can't understand all the assets that you're protecting within your environment, it's game over from the beginning. I don't care what other whizbang product you bring into the environment. If you're not aware of what you're actually protecting, there's just no way that you're gonna be able to understand what threats are happening in and out of your network. At a higher level, it's all about situational awareness.
I want to make sure if I'm, if I'm a CISO, I want my security operations team to have situational awareness at any given moment all over the environment, right? So that's one, you know, grabbing that overall sort of visibility. And then once you can understand where all your assets are, what type of information is on those assets, you get a good idea of what your vulnerabilities are. You start monitoring that stuff. You can also start understanding some of the different types of gaps. I know it's challenging because you got everything in the cloud all the way down to the endpoint, all these mobile devices. It's not easy, but I think if you focus on that a little bit more, it's gonna go a longer way. And I also mentioned, we as humans, when something happens in the environment, we can only act so fast. And I kind of alluded to this earlier on in this interview where we need to make sure that we're leveraging automation, artificial intelligence to help us be able to determine when threats happen, you know, to actually be in the environment, being able to determine some anomalous activity and taking action. It may not be able to remediate, but at least it can take some initial action. The security controls can talk to each other, isolate the particular threat and let you fight the attack, give you more time to figure out what's going on. If you can reduce the amount of time it takes you to identify the threat and isolate it, the better chances that you're going to have to be able to minimize the overall impact of that particular region.

You know, Tony, you're jogging up a lot of memories from interviews I've had in the past. I've interviewed some four-star generals, head of NSA, head of cyber command. You get a lot of military kind of thinkers behind the security practice because there is a keep-your-eyes-on-the-enemy, on the target, on the adversary kind of dialogue going on.
They all talk about automation and augmenting the human piece of it, which is making sure that you have as much real-time information as possible so you can keep your eyes on the targets and understand, to your point, contextual awareness. This seems to be the biggest problem that CSOs are focused on, how to eliminate the tasks that take the eyes off the targets and keep the situational awareness on point. Your thoughts on that?

Yeah, yeah, I have to, you know what, I used to do, and I still do them now, I do a lot of presentations about situational awareness and being able to build your security operations center and to get that visibility. And I always start off with the question of, when your CISO walks in and says, hey, I saw something in the news about a specific threat, how are we able to deal with that? 95% of the responses are, well, I'd have to kind of go back and kind of like, you know, I'd have to actually come dig in and see, and it takes them a while for them to be able to get there, right?

Yeah. So yeah, the classic was, let me get back to you, boss. What a patch, patch that thing. Tony G, thank you so much for the insight. Great, congratulations on the quarterly report. Keep up the good work. Quick, quick story on Black Hat. What's the vibe in Vegas? DEF CON is right around the corner after it. You're seeing the security industry become much broader. Obviously as the industry surface area becomes from technical to business impact, you're starting to see the industry change. Amazon Web Services had an event, cloud security called re:Inforce. You're starting to see a much broader scope to the industry. What's the big news coming out of Black Hat?

Yeah, you know, it's a lot of the same. Here's the thing that actually kind of changes. There's just so many different vendors that are coming in with different types of security solutions and that's awesome. That is really good.
With that said though, you know, we talked about the security shortage, that we don't have a lot of, you know, security professionals with the right skill sets. What ends up happening is, you know, these folks that may not have that particular skill, you know, needed, they're being placed in these higher level security positions and they're coming to these events and they're overwhelmed. 'Cause they're all, they all have a slight, it's all a similar message, but slightly different. So how do they determine which one is actually better than the other? So it's, I would say from that side, it gets to be a little bit kind of challenging, but at the same time though, I mean, we continue to advance. I mean, from the, you know, from the actual technical controls, solutions perspective, you know, we talked about it. You know, we're getting better with automation, doing the things that the humans used to do, automating that a little bit more, letting technology do some of that mundane, everyday kind of grind activities that we would, as humans would do, would take us a little bit longer, push that off, let the actual technology controls deal with that so that you can focus, like you had mentioned before, on those higher level, you know, issues and also the overall sort of strategy on either how to actually not allow the adversary to come in or how to determine once they're in and how quickly are we able to get them out?

You know, we talk, we have a panel of CISOs that we talked to and we were running surveys through them, through theCUBE insights. Most CISOs we talked to, obviously they all want to talk off the record and they don't want anyone to know who they work for, they all talk to them, they say, look, I'm bombarded with more and more security solutions. I'm actually trying to reduce the number of suppliers and increase the number of partners.
And this is a nuanced point, but to your, what you're getting at is a tsunami of new things, new threats, new solutions, that could be either features or platforms or tools, whatever, but most CISOs want to build an engineering team, they want to have full stack developers on site, they want to have compliance teams, investigative teams, situational awareness teams, and they want to partner with suppliers. They want partners, not just suppliers. So reduce the number of suppliers, increase the partners. What's your take on that? You're a big partner, a lot of the biggest companies. Do you agree with that statement?

Well, that's true. Yeah, yeah, I mean, that's actually really our whole strategy, overall strategy for Fortinet is, and that's why we came up with this security fabric. We know that skills are really not as prevalent as they actually need to be. And of course, there's not endless amounts of money as well, right? And you want to be able to get these particular security controls to talk to each other. And this is why we built this security fabric. We want to make sure that the controls that we're actually going to build in, and we have quite a few different types of security controls that work together to give you the visibility that you're really looking for. And then here's a trusted partner that you can actually kind of come to, and we can work with you on, one, identifying the different types of ways the adversaries are moving into the environment and ensuring that we have security controls in place to be able to thwart that threat actor playbook, making sure that we have a defensive playbook that aligns with those actual TTPs in the offensive playbook. And we can actually either detect or ultimately protect against that malicious activity.

Tony, thanks for sharing your insights here on theCUBE conversation. We're going to have to come back to you on some of these follow-on conversations.
We'd love to get your thoughts on observability, visibility, and get into what kind of platforms are needed to go this next generation with cloud security and surface area being so massive. So thanks for spending the time. Appreciate it.

Hey, thanks a lot.

All right. Have a great time in Vegas. This is theCUBE conversation. I'm John Furrier here in Palo Alto. Talking with Tony G with Fortinet in Las Vegas. Thanks for watching.