(upbeat music)
>> From our studios in the heart of Silicon Valley, Palo Alto, California, this is a Cube Conversation. Hello everyone. Welcome to this special Cube Conversation. And we are here in Palo Alto, California, theCUBE Studios. Here, Tony Giandomenico, who's the Senior Security Strategist and Researcher at Fortinet and FortiGuard Labs, live from Las Vegas, where Black Hat and then DEF CON security activity's happening. Tony, also known as Tony G, Tony G, welcome to this Cube Conversation.
>> Hey, thanks John, man. Thanks for having me.
>> So, a lot of action happening in Vegas. We live there all the time with events. You're there on the ground. You guys have seen all the action there. You guys just published your Quarterly Threat Report. I got a copy of it right here with the Threat Index on it. Talk about this Quarterly Global Threats Report because the backdrop that we're living in today. Obviously, you're at the conference and the cutting edge. Security is impacting businesses at such a level. We almost have shell shock from all the breaches and threats that are going on. Every day, you hear another story, another story, another hack, more breaches. It's at an all-time high.
>> Yeah, you know, I think a lot of people start to get numb to the whole thing. It's almost like they're kind of throwing their hands up and saying, "Oh, well I just kind of give up. I don't know what else to do." But obviously, there are a lot of different things that you can do to be able to make sure that you secure your cybersecurity program, so at least you minimize the risk of these particular breaches happening. But with that said, with the Threat Landscape Report, what we typically do is we start out with this overall Threat Index. And we started this last year. And if we fast forward to where we are in this actual Q2 report, it's been one year now, and the bad news is that the threats are continuing to increase. They're getting more sophisticated.
The evasion techniques are getting more advanced. And we've seen an uptick of about 4% in threat volume over the year before. Now, the silver lining is I think we expected the threat volume to be much higher, so I think though it is continuing to increase, I think the good news is it's probably not increasing as fast as we thought it was going to.
>> Well, you know, it's always you have to know what you're going to have to look for. A lot of people talk about what you can't see, and there's a lot of a blind spot there. It's become a data problem. I just want to let people know they can find the report. Go to Fortinet's website. There's a blog there for the detailed, all the Threat Index. But the notable point is it's only up 4% from the position year over year. The attempts are more sophisticated. So I got to ask you, is there stuff that we're not seeing in there? Are there blind spots? What's the net net of the current situation because observability's a hot topic in cloud computing, which is essentially monitoring 2.0. But you got to be able to see everything. Are we seeing everything? What's out there?
>> Well, I mean I think us as FortiGuard and our cyberthreat intelligence, I think we're seeing a good amount. But when you talk about visibility, if you go back down into the organizations, I think that's where there's definitely a gap there because a lot of the conversations that I have with organizations is they don't necessarily have all the visibility they need from Cloud all the way down to the endpoint. So there are some times that you're not going to be able to catch certain things. Now with that said, if we go back to the report, at the end of the day, the adversaries have some challenges to be able to break into an organization. And of course, the obvious one is they have to be able to circumvent our security controls.
And I think as a security community, we've gotten a lot better at being able to identify when the threat is coming into an organization. Now on the flip side, though, if you refer back to the MITRE ATT&CK knowledge base, you'll see a specific tactic category called Defense Evasion. There's about 60-plus techniques, evasion techniques, the adversary has at their disposal, at least that we know. There may be others but, so they do have a lot of opportunity, a lot of different techniques to be able to leverage. With that said, there's one technique, it's disabling security tools, that we started seeing a bit of an increase in this last Q2 Threat Landscape Report. So a lot of different types of threats and malware have the capability to be able to one, look at the different processes that may be running on a workstation, identifying which one of those processes happen to be security tools, and then disabling them, whether they're, maybe they might just be able to turn the actual service off. Or maybe there's something in the registry that they can tweak that'll disable the actual security control. Maybe they'll actually suppress the alerts. Whatever they can do to make sure that that security control doesn't prevent them from doing that malicious activity. Now with that said, on the flip side, from an organization perspective, you want to make sure that you're able to identify when someone's turning on and turning off those security controls, any type of alert that might be coming out of that control. Also, and this is a big one, 'cause a lot of organizations don't necessarily do this, minimize who has the ability to turn those particular security controls on and off. The worst case is you don't want to have all of your employees, you don't want to give them the ability to be able to turn those controls on and off. You're never going to be able to baseline.
You're never going to be able to identify anomalous activity in the environment, and you're basically going to lose your visibility.
>> This increase in malware and exploit activity that you guys are pointing out is clearly a challenge. The other thing that the report kind of teases out, I want to get your opinion on this, is that the upping the ante on the evasion tactics has been a very big trend. The adversaries are out there. They're upping the ante. You guys are upping the ante. This game is continuing. This flywheel continues. Talk about this feature of upping the ante on evasion tactics.
>> Yeah, so that's what I was kind of referring to before with all the different types of evasion techniques. But what I will say is most of the, all the threats these days all have some type of evasion capabilities. A great example of this is every quarter, if you didn't know, we look at different types of actors and different types of threats and we find one that's interesting for us to dig into and we'll create what's called an actual playbook, where we want to be able to dissect that particular threat or those threat actor methodologies and be able to determine what are their tactics and corresponding techniques, which sometimes, of course, includes evasion techniques. Now, the one that we focused on for this quarter was called Zegost. What Zegost is, it's a specific threat that is an information stealer so it's gathering information really based on the mission goals of whatever that particular campaign is. And it's been around for a while, going all the way back to 2011. Now you might be asking yourself, "Well, why did we actually choose this?" Well, there's a couple different reasons. One happens to be the fact that we've seen an uptick in this activity. Usually when we see that, it's something we want to dive into a little bit more. Number two, though, this is a tactic of the adversary.
What they'll do is, they'll have their threat there for a little while, and then they'll go dormant. They'll stop using that particular malware, that specific sort of threat. They'll let the dust settle. Let things die down. Organizations will let their guard down a little bit on that specific threat. Security organizations, you know, vendors, might actually do the same, let that digital dust kind of settle. And then, they'll come back bigger, faster, stronger. And that's exactly what Zegost did is we looked at a specific campaign, and this new malware, the new and improved malware, is they're adding in other capabilities for not just being able to siphon information from your machine, but they also now can capture video from your webcam. Also, the evasion techniques, since we're on that particular subject, what they're also able to do is they're looking at your application logs, your system logs, your security logs, deleting them, making it a lot more difficult, from a forensic perspective, to be able to go back and figure out what happened and what that actual malware was doing on the machine. Another interesting one is they were looking at a specific JPEG file. So they were looking for that hash, and if the hash was there, the actual malware wouldn't run. And we didn't know what that was, so we researched it a little bit more and what we found out was that JPEG file happened to be a desktop sort of picture for one of the sandboxes. So it knew if that particular JPEG was present, it wasn't going to run because it knew it was being analyzed in a sandbox. So that was a second interesting thing. The third one that really leaned us towards digging into this is a lot of the actual security community attribute this particular threat back to cybercriminals that are located in China. The specific campaign that we were focused on was on a government agency also in China. So that was kind of interesting. 
So you're continuing to see this malware maybe sort of go dormant for a little bit, but they always seem to come back bigger, faster, stronger.
>> And that's by design. This is that long-haul, long view that these adversaries are taking, and they're actually organizing economies behind what they're doing. They're targeting. This is not just hit and run. It's get in, have a campaign, this long game is very much active. How do enterprises get on top of this? I mean, is it a people-process issue? Is it some tech from FortiGuard Labs? What's Fortinet's view on this because I mean, I can see that happening all the time. It is happening.
>> Yeah, it's really, it's a combination of everything. It's a combination, you kind of hit like some of it. It's people, it's processes, and technology. Of course, we have a people shortage of skilled resources, but that's a key part of it. You always need to have those skilled resources. Also making sure you have the right processes. How are you actually monitoring things? I know a lot of folks may not actually be monitoring all the things that they need to be monitoring from what is really happening out there on the Internet today. So making sure you have clear visibility into your environment and you can understand, at any given point in time, what your situational awareness is. From a technology perspective, you start to see, and this is kind of a trend, we're starting to leverage artificial intelligence, automation. The threats are coming and at such a high volume, once they hit the environment, instead of it taking hours for your incident response to be able to at least, not necessarily mitigate but isolate or contain the breach, it takes a while, so if you start to leverage some artificial intelligence and automatic response, where the security controls are working together, that's a big part of it.
>> Awesome, thanks for commenting on this. This is a huge problem.
I think no one can let their guard down these days, certainly with surface area expanding. We're going to get to that talk track in a second. I want to quickly get your thoughts on ransomware. This continues to be a drum that keeps on beating from an attack standpoint. It's almost as if when the attackers need money, they just hit the same ransomware target again. They pay in bitcoin. This has been kind of a real lucrative, but persistent problem with ransomware. What's going on with ransomware? What's the state of the report, and what's the state of the industry right now in solving that?
>> Yeah, you know, we alluded to this a little bit in last quarter and actually a few quarters. And this is a continuous sort of trend. Ransomware typically is where, it's on the cybercrime ecosystem. And a lot of times, the actual threat itself is being delivered through some type of phishing email where you need a user to be able to click a link or click an attachment. And it's usually kind of a spray and pray thing. But what we're seeing is more of a targeted approach. What they'll do is they'll look for, do some reconnaissance on organizations that may not have the security posture that they really need to have. It's not as mature, and they know that they might be able to get that particular ransomware payload in there undetected. So they do a little reconnaissance there. And some of the trend here that we're actually seeing is they're looking at externally, RDP sessions. There's a lot of RDP sessions. They're Remote Desktop Protocol sessions that organizations have externally so they can enter into their environment. But these RDP sessions are basically not as secure as they need to be, either weak username and passwords or they are vulnerable and haven't actually been patched, and they're taking advantage of those.
They're entering in there, and then once they have that initial access into the network, they spread their payload all throughout the environment and hold all those devices hostage for a specific ransom. Now, if you don't have the particular backup strategy to be able to get that ransomware out of there and get your information back on those machines again, sometimes, you actually may be forced to pay that ransom, not that I'm recommending that you sort of do so, but you see organizations are deciding to go ahead and pay that ransom. And the more they do that, the more the adversary's going to say, "Hey, I'm coming back, and I know I'm going to be able to get more and more."
>> Yeah, 'cause they don't usually fix the problem or they come back in, and it's like an open banking, a blank check for them. They come in and keep on hitting the same target over and over again. We've seen that at hospitals. We've seen it at kind of the more anemic IT departments, where they don't have the full guard capabilities there.
>> Yeah, and I would add on, what's really becoming a big issue, and I'll ask you a question here, John. What do Microsoft, NSA, and DHS have in common for this last quarter?
>> Robin Hood? (both laughing)
>> That's actually a good guess, (John laughing) but the thing that they have in common is the fact that each one of them urged the public to patch a new vulnerability that was just released on the RDP sessions called BlueKeep. And the reason why they were so hyped about this, making sure people get out there and patch, is because it was wormable. You didn't really need to have a user click a link or click an attachment that basically, when you would actually exploit that vulnerability, it could spread like wildfire. And that's what wormable is. A great example of that is with WannaCry a couple years ago. It spread so quickly, so everybody was really focused on making sure that that vulnerability actually gets patched.
Adding onto that, we did a little bit of research on our own and ran some Internet scans, and there's about 800,000 different devices that are vulnerable to that particular new vulnerability that was announced. And you know, I still think a lot of people haven't actually patched all of that, and that's a real big concern, especially because of the trend that we just talked about. Ransomware payload, the threat actors, are looking at our RDP as the initial access into the environment.
>> So on BlueKeep, that's the one you were talking about, right?
>> Yeah.
>> So what is the status of that? You said there's a lot of vulnerabilities out there. Are people patching it? Is it moving down the path in terms of, are people on it? What's your take on that? What's the assessment?
>> Yeah, so I mean I think some people are starting to patch, but shoot, the scans that we do, there are still a lot of unpatched systems out there. And I would also say we're not seeing what's inside the network. There may be other RDP sessions in the environment, inside an organization's environment, which really means now that if ransomware happens to get in there that has that capability then to be able to spread, like via some RDP vulnerability, that's going to be even a lot more difficult to be able to stop that once it's inside a network. I mean some of the recommendations, obviously, for this one is you want to be able to patch your RDP sessions, for one. Also, you want to be able to enable network authentication. That's really going to help as well. Now, I would also say maybe you want to harden your username and passwords, but if you can't do some of this stuff, at least put some mitigating controls in place. Maybe you can isolate some of those particular systems, limit the amount of access organizations have or their employees have to that, or maybe even just totally isolate it if it's possible.
Internal network segmentation is a big part of making sure you're able to mitigate some of these potential risks or at least minimize the damage that they may cause.
>> Tony G, I want to get your thoughts on, your opinion and analysis, expert opinion on the attack surface area with digital and then ultimately what companies can do for it. Let's start with the surface area. What's your analysis there? A lot of companies are recognizing, obviously with IoT and other digital devices, the surface area is just everywhere, right? So gone are the perimeter days. That's kind of well-known. It's out there. What do the current digital surface area threats look like? What's your opinion?
>> Sure, yeah, yeah. You know, it's funny these days. John, I'll tell ya, it's like everything that seems to be made has an IP address on it, which means it's actually able to access the Internet, and if it can access the Internet, the bad guys can probably reach out and touch it. And that's really the crux of the problem these days. So anything that is being created is out on the Internet. And like we all know, there's really not a really rigid security process to make sure that that particular device is as secure as it actually needs to be. Now, we talked earlier on about IoT as it relates to maybe home routers and how you need to be able to harden that because we're seeing a lot of IoT botnets that are taking over those home routers and creating these super large IoT botnets. On the other side of it, we've seen a lot of SCADA systems now that traditionally, were in air-gapped environments. Now they're being brought in to the traditional network, that they're being connected there, so there's an issue there. But one of the ones we haven't actually talked a lot about, and we're starting to see the adversaries focus on these a little bit more, is devices in smart homes and smart buildings.
In this Q2 Threat Landscape Report, there was a vulnerability in one of these U.motion business management systems. We looked at all the different exploits out there and the adversaries were actually looking at targeting that specific exploit on that smart management building service device. We had about 1% of all of our exploit hits on that device. Now that might not seem like a lot, but in the grand scheme of things, when we're collecting billions and billions of events, that's a fairly substantial amount. Now that really starts to bring a whole 'nother thought process into, as a security professional, as someone responsible for securing my cyber assets, what do I include in my cyber assets now? Do I include all the business management systems that my employees are in for my overall business now that that actually might be connected to my internal network, where all of my other cyber assets are? Maybe it actually should be. Maybe it should be part of your vulnerability patch management process, but what about all the devices in your smart home now? All these different things are available, and you know what the trend is, John, right? I mean, the actual trend is to work from home. So you have a lot of your remote workers have great access into the environment. Now, there's a great conduit for the adversaries to be able to break into some of those smart home devices and maybe that, from there, they're on the employee's machine, and that kind of gets them into the other environment. So I would say, start looking at maybe you don't want to have those home devices as part of what you're responsible for protecting, but you definitely want to make sure your remote users have a hardened access into the environment. They're separated from all of those other smart home devices, and educate your employees on that in the user awareness training programs.
Talk to them about what's happening out there, how the adversaries are starting to compromise, or at least focus on some of those smart devices in their home environments.
>> These entry points you point out are just so pervasive. You have work at home. You're totally right. That's a great trend that a lot of companies are going to. This is a virtual first kind of world where we build this new generation of workers. They want to work anywhere. So you got to think about all those devices that your son or your daughter brought home, or your husband or your wife installed a new light bulb with an IP connection to it, fully threaded processor.
>> I know, I know. Gosh, this kind of concerns me. You know, say, for example, and then what's hot these days is the webcam, right? Let's say you have an animal and you happen to go away, you always want to know what your animal's doing. So you have these webcams here. I betcha, someone might be placing a webcam that might be near where they actually sit down and work on their computer. Someone compromises that webcam, maybe they can see some of the username and passwords that you're using to log in. Maybe they can see some information that might be sensitive on your computer. The options are endless here.
>> Tony G, I want to get your thoughts on how companies protect themselves because this is the real threat. And IoT doesn't help either. Industrial IoT to just Internet of things, whether it's humans working at home to sensors and light bulbs inside other factory floors or whatever. I mean it's everywhere now. The surface area is anything with an IP address and power and connectivity. How do companies protect themselves? What's the playbook? What's coming out of Red Hat? What's coming out of Fortinet? What are you advising? What's the playbook?
>> Yeah, you know, I get asked this question a lot. I really sound like a broken record sometimes, and I try to find so many different ways to spin it.
Maybe I can actually kind of say it like this, and it always means the same thing. Work on the fundamentals. And John, you mentioned it earlier from the very beginning. Visibility, visibility, visibility. If you can't understand all the assets that you're protecting within your environment, it's game over from the beginning. I don't care what other whiz-bang product you bring into the environment. If you're not aware of what you're actually protecting, there's just no way that you're going to be able to understand what threats are happening in and out of your network. At a higher level, it's all about situational awareness. I want to make sure if I'm a CISO, I want my security operations team to have situational awareness at any given moment all over the environment. So that's one, grabbing that overall sort of visibility. And then, once you can understand where all your assets are, what type of information's on those assets, you get a good idea of what your vulnerabilities are. You start monitoring that stuff. You can also start understanding some of the different types of gaps. I know it's challenging because you got everything in the Cloud all the way down to the endpoint, all these mobile devices. It's not easy, but I think if you focus on that a little bit more, it's going to go a longer way. And I'd also mention, we as humans, when something happens in the environment, we can only act so fast. And I kind of alluded to this earlier on in this interview, where we need to make sure that we're leveraging automation, artificial intelligence, to help us be able to determine when threats happen, to actually be in the environment. Being able to determine some anomalous activity and taking action. It may not be able to remediate, but at least it can take some initial action. The security controls can talk to each other, isolate the particular threat, and let you fight the attack, give you more time to figure out what's going on.
If you can reduce the amount of time it takes you to identify the threat and isolate it, the better chances that you're going to have to be able to minimize the overall impact of that particular breach.
>> You know, Tony, you're jogging up a lot of memories from interviews I've had in the past. I've interviewed some four-star generals, Head of NSA, Head of Cyber Command. You get a lot of military kind of thinkers behind the security practice because there is a keep eyes on the enemy, on the target, on the adversary kind of dialogue going on. They all talk about automation and augmenting the human piece of it, which is making sure that you have as much real-time information as possible, so you can keep your eyes on the targets and understand, to your point, contextual awareness. This seems to be the biggest problem that CISOs are focused on, how to eliminate the tasks that take the eyes off the targets and keep the situational awareness on point. Your thoughts on that?
>> Yeah, you know what, I used to do and I still do 'em now, I do a lot of presentations about situational awareness and being able to build your security operations center to get that visibility. And I always start off with the question of when your CISO walks in and says, "Hey, I saw something in the news about a specific threat. How are we able to deal with that?" 95% of the responses are "Uh, well. I'd have to kind of go back. I have to actually kind of dig in and see." It takes them a while for them--
>> For them to get back to you. (John laughing) So, yeah, the classic response. "Let me get back to you, boss. Patch that thing."
>> Yeah.
>> Tony G, thank you so much for the insight. Great, congratulations on the Quarterly Report. Keep up the good work. Quick story on Black Hat. What's the vibe in Vegas? DEF CON's right around the corner after it. You're seeing the security industry become much more broader, obviously as the industry service area becomes from technical to business impact.
You're starting to see the industry change. Amazon Web Services had an event, cloud security, called re:Inforce. You're starting to see a much broader scope to the industry. What's the big news coming out of Black Hat?
>> Yeah, you know, it's a lot of the same. The thing that actually kind of changes more, there's just so many different vendors that are coming in with different types of security solutions and that's awesome. That is really good. With that said, though, we talked about the security shortage, that we don't have a lot of security professionals with the right skill sets. What ends up happening is these folks that may not have that particular skill needed, they're being placed in these higher-level security positions and they're coming to these events and they're overwhelmed. 'Cause they all have a slight, it's all a similar message, but slightly different. So how do they determine which one is actually better than the other? So I would say from that side, it gets to be a little bit kind of challenging. But at the same time, now, I mean we continue to advance. From the actual technical controls, solutions perspective, we talked about it. We're getting better with automation, doing the things that the humans used to do, automating that a little bit more, letting technology do some of that mundane, everyday kind of grind activities that we as humans, would do. It would take us a little longer. Push that off. Let the actual technology controls deal with that so then you can focus, like you had mentioned before, on those higher-level issues and also the overall strategy on either how to actually not allow the adversary to come in or how to determine once they're in, and how quickly are we able to get them out.
>> You know we have a panel of CISOs that we talk to and we were running surveys through them through theCUBE Insights. Most CISOs we talked to, they want to talk off the record. They don't want anyone to know who they work for.
They all talked and they say, "Look, I'm bombarded with more and more security solutions. I'm actually trying to reduce the number of suppliers and increase the number of partners." Now this is a nuanced point, but to what you're getting at is there's a tsunami of new things, new threats, new solutions. They could be either features or platforms for tools, whatever. But most CISOs want to build an engineering team. They want to have full-stack developers on site. They want to have compliance teams, investigative teams, situational awareness teams, and they want to partner with suppliers. They want partners, not just suppliers. So reduce the number of suppliers, increase the partners. What's your take on that? You're a big partner, a lot of the biggest companies. Do you agree with that statement?
>> Yeah, I mean, that's actually really our whole strategy, overall strategy for Fortinet is, and that's why we came up with this Security Fabric. We know that skills are really not as sort of prevalent as they actually need to be. And of course, there's not endless amounts of money as well, all right? And you want to be able to get these particular security controls to talk to each other and this is why we built this Security Fabric. We want to make sure that the controls that we're actually kind of building, and we have quite a few different types of security controls that work together to give you the visibility that you're really looking for. And then, here's a trusted partner that you can actually kind of come to, and we can work with you on one, identifying the different types of ways the adversaries are moving into the environment and ensuring that we have security controls in place to be able to thwart that threat actor playbook, making sure that we have a defensive playbook that aligns with those actual TTPs in the offensive playbook and we can actually either detect or ultimately protect against that malicious activity.
>> Tony G, thanks for sharing your insights here on the Cube Conversation. We're going to have to come back to you on some of these follow-on conversations. Love to get your thoughts on observability, visibility, and get into what kind of platforms are needed to go this next generation with cloud security and surface area being so massive. So thanks for spending the time. Appreciate it.
>> Hey, thanks a lot. See you all later.
>> Have a great time in Vegas. This is Cube Conversations. I'm John Furrier, here in Palo Alto, talking with Tony G with Fortinet in Las Vegas. Thanks for watching. (upbeat music)