In The Arena by TechArena - Security in the AI Era with Fortinet's Srija Allam and Julian Petersohn
Episode Date: December 5, 2023
TechArena host Allyson Klein chats with Fortinet security experts Srija Allam and Julian Petersohn about the expansive Fortinet solution portfolio and how the company is leaning into AI to help deliver the protection customers require.
Transcript
Welcome to the Tech Arena, featuring authentic discussions between tech's leading innovators and our host, Allyson Klein. Now, let's step into the arena.
Welcome to the Tech Arena. My name is Allyson Klein, and today I'm delighted to be joined by Srija Allam and Julian Petersohn from Fortinet. Welcome to the program.

Thank you, Allyson.

And why don't we just start with introductions? Julian, do you want to go first?

Yeah, sure. Also, from my side, a big thank you for having us today. Yeah, my name is Julian Petersohn. I'm a principal systems engineer at Fortinet. I'm over 16 years in IT, and my main focus is about SAP application security and cloud security. My background is a bit more in the offensive security world. And yeah, Srija is basically my counterpart.

Thank you, Julian. Hi, everyone. I am Srija Allam, and I'm a cloud DevOps architect at Fortinet. Been with Fortinet for almost like three years now. I do a lot of security in Azure. And again, I am also focused on FortiWeb, which is our web application firewall in cloud, and many other products at Fortinet. Previously, I was a network engineer in operations, and then I was also a pre-sales security engineer before that.
Now, Fortinet is a company that is new to the Tech Arena, but obviously has a well-established footprint in security. And I've had the opportunity to engage with Fortinet when I was in the industry, and I've been following your trajectory ever since. Can you provide a little bit of background on the company for those in the audience who are not familiar with Fortinet?
I can. So Fortinet is a cybersecurity leader, and we have several products in our cybersecurity space or, you know, networking and logging, either way, right, any of the space. So we provide products where you can do some secure connectivity, and you can also reduce complexity with our access points, which is, you know, on-premises kind of security. And also we have our footprint in cloud. That's where me and Julian focus, but in cloud we also have several products which you can deploy on premises in order to secure your workloads, your Kubernetes workspace, or your applications running anywhere. Fortinet has been a leader, and they have like several security products and a great customer base with a lot of good feedback.

Now, I caught up with you guys at the Tech Field Day recently in the Bay Area. You guys hosted a day there. One thing that I walked away with from your presentation is how AI is just representing a massive opportunity, but also a massive challenge for security. And you guys shared an incredible presentation on what Fortinet is doing. Can you provide some perspective just at a high level of why this is such a seminal moment in the security industry and how you look at this opportunity?
There are two sides always of the medal, right? You have that one side, or you have those challenges, speaking about there's a lack of workflows. We need skilled employees taking care of the security operations, but also doing secure application development. But on the other side, there has to be an incredibly fast development of applications. And with all that in combination, you run into a complexity to have that fast and secure and cheap. And that combination often gets combined by AI, for example. So speaking of what, for example, GitHub Copilot, it's a very helpful solution. It makes it easy to code. For example, for me, to be honest, I'm not a great skilled coder. So my development skills are definitely not great, but with GitHub Copilot, for me, it works quite fast. But on the other side, which is a huge challenge in the security market, is that also, let's say, the dark side of the internet uses AI, meaning attackers are getting more and more skilled. They can evolve much faster. It's even easier for them to develop new, for example, malware, ransomware, and even that gets very, very skilled. And in combination, all of that, you run into the problem. Now you have a very fast evolution of malware and attacks. Maybe the detection vulnerability also increases. The development has to increase, but you don't really have the workforce to handle all that. So the time to respond to such attacks gets incredibly small. To be honest, think about, I think it was the Bian Li Yao tech group. They had, I think within 20 hours, they took some leaked credentials and infiltrated the company. That's 20 hours. They didn't even know their credentials got leaked within that time. So you need to be very fast.
What I can add is two sides of the medal. Julian did bring up a good point, but at the same time, like you mentioned, as fast as the creation of malware becomes, as fast as we can also figure out, because we can use AI to read through the alerts, right? Faster response time, faster checking of data, and then figuring out the aggregation and to see what are the most important alerts. We can use AI as an assistant there. So the incident response time will be much faster, I think.

So it's really just putting the organizations in the best place with tools that are going to help them make fast decisions. How has that manifested in terms of your product development and what you're delivering?
So at Tech Field Day, we did present about what is SOAR, which is our security orchestration, automation and response product, what SOAR means is. And then that is, again, we obviously showed everything, how we can take immediate response when these alerts get triggered and how we can use AI as part of this information, right? But the other thing which we have already done at Fortinet is we do have inculcated AI and ML into a lot of our products. So one of the examples is our WAF, which is FortiWeb, which is our web application and API security firewall, where we do some kind of anomaly detection where we run machine learning on the VM itself or on the appliance itself. And we are also using it to detect like shadow APIs, which are not exposed, with the concepts of AI. Obviously, that's ML that we are doing there. That's just one example. And the other thing is, we are also using, going back to a conversation of alert fatigue, we do have Threat Analytics, where we are checking the aggregation of the alerts, attacks, and then we put them in the form of the alerts so that security administrators can concentrate on the most important ones. So the machine learning will run, it will group the common factors so we can go and check in and tune those policies in order to make sure your applications are secure. The other thing is our FortiGuard Labs. So how we also work with our ML and AI is FortiGuard is a threat intelligence team at Fortinet. They receive about like 5 million threats every week. They have artificial AI nodes running all over the globe. They get these malware signatures, they collect them, and then they use machine learning algorithms in order to make a signature, and then they upload to all our devices. All our customers are protected. And not only that, our team is also looking at the signatures manually. So in those two terms, right, that's how Fortinet is already inculcating AI, ML into its products.
Thank you for that great overview, Srija. Well, to be honest, SOAR is the central point for the Security Operations Center. As I mentioned, there are a huge amount of different threat actors and attack groups out there. We have a look, for example, at the MITRE ATT&CK framework, how many different techniques there exist. Now, you as a security or SOC analyst, you have to classify your attack, right? You have to know which vectors or which attack techniques are in use and getting recommendations, understanding all the different threats and what else is out there. And that's exactly where we can help with AI. So with AI, we, for example, can provide tools like an assistant, which allows you to answer questions, just stupid, simple questions. Hey, can you give me more details, for example? Or hey, can you write me an email? Can you articulate it for me? We use that quite often in our day-to-day tasks, but that's stuff we can automate. On the other side, get enriching information, because as Srija mentioned, alert fatigue, you get millions of alerts per day in the security operations center. But to be honest, the human is pretty bad in detecting those patterns over a huge amount of data sets. So using those data sets and analyzing by an AI, you maybe find stuff which you have never looked at before. So speaking here about threat hunting and also Srija's challenge of FortiGuard Labs, which provide our core intelligence, let's say it that way. Exactly those guys have those huge amounts of information I need to analyze and bring as fast as possible to the customers. If we, for example, think we were able to provide something like a virtual patch, which you can put in front and you have a first aid. You definitely need to patch, but that helps. And in developing pretty fast security solutions and mechanisms to prevent attacks, stop them, or even identify them pretty quickly.
One question that I have, you mentioned alert fatigue, and this is something that I've thought about quite a bit. When you think about all of the alerts that are happening in real time, people are human, right? This is a tremendous amount of data coming at them. Do you see and envision Fortinet to be able to deliver something that automates lower-level alerts in terms of actions and allows for humans to only focus on the most important or pertinent things? Or how do you approach that so that IT managers feel like they've got control over what's happening in their environment?
Definitely. For sure. Thinking about, for example, in our SIEM solution, where we have all the raw log information at just one point, where we do those analyses based on pre-trained models from our experience, what we have learned and also what FortiGuard Labs learned, but that evolves at the customer side. Because as you mentioned, we are humans. And to be honest, companies are driven by humans. And every human at the end, every company is different. I wouldn't say each company is doing the same. No, they're all different. They have different handlings, different mechanisms in the network, different behaviors. And also besides that, all those alerts and correlation, thinking about the network traffic one step before. So the traffic which goes through your network, is that normal that those network packets walk through the network? Or maybe usually that client doesn't send that many ping requests. Maybe an attacker is trying to exfiltrate data via an ICMP-based shell or doing there some data exfiltration, or there's a data leak. Another component which I see, and I think is also quite important there, is security is a big thing, but security also includes availability. And for availability, you need to have your network up and running, and you need to know and maybe predict what happens in the future on your network. And, for example, if you see that a queue is running full on your switches, on your firewall, that can cause maybe a memory leak, or maybe your queue is running over and your network dies. So speaking here about network monitoring and recommending some next steps, what you should do, maybe, I don't know, increase the workload or the capabilities of the network devices. That's a very helpful thing.

Srija, anything you could add?
Yeah, aggregation of alerts on our FortiSIEM is a great example, right? We are aggregating alerts for them to take a look at it so their network administrators can act fast. But they can also integrate, again, going back to the SOAR conversation, right? They can take those alerts, integrate with the SOAR platform so that it can really kick off a playbook of what activity or what response the playbook needs to take when we are seeing an alert that is being aggregated by SIEM or FortiAnalyzer. And then there is this automated response. But again, coming to a conversation of FortiWeb, which is our WAF, the Threat Analytics feature can integrate with ServiceNow and Jira platforms, where it will aggregate the attacks or alerts based on common factors. Like, for example, I didn't share the example, but one of the things is what is the amount of threats that are originating from which country, is what will be aggregated. If multiple IP addresses are part of one country, they can just say, well, you know, I don't have a user base there. So network administrators can do IP protection for their applications, right? The other thing is maybe somebody is doing a DDoS attack or, you know, some kind of alert that is, or because they did some misconfiguration of the policies. They can see that at the, you know, it's not just one IP, it's multiple IP addresses that are doing DDoS. The admin can do that policy, can tune in to make sure. And this integration with ServiceNow and Jira, which I helped them to create those tickets, identify and assign to the stakeholders. But also they are immediately alerted and they can take a response. So that's how I think we offer product. You also have NDR, which is network detection and response. And also is where AI and network detection also uses some AI-based, machine learning-based learning capabilities to identify some sophisticated attacks. So overall, with our fabric integration, a lot of our products, AI and ML have been, you know, something which we've been using for several years now.
That makes a lot of sense. Now, I know that you work with customers quite a bit on deployments of solutions, and I'm sure you get some insights about what's on the top of their mind in terms of capabilities they're looking for and how they would love for Fortinet to innovate. Can you share any examples of companies or industries who've used your solutions to address emerging threats, and any interesting stories about how they've used your solutions?
Well, to be honest, that's quite hard to share. It's a bit difficult because, you know, in the security field, usually customers don't want to have them in the news, and they don't like to speak about them. But one example, to be honest, we can really bring, because that was bulletproof tested, was what we showed in the Cloud Field Day. One topic is we have a lot for customers, or we see also evolving, even for me, with the SAP space is, for example, in the SAP and business application market, there are a lot of custom development going on in companies, meaning they don't use the standard which is provided by the vendor. They develop their own tools to fit into their business needs and business process. And that results, on the other side, in applications, maybe they're unique to a certain company and not used everywhere else, right? And that results in maybe an application which contains a vulnerability no one has ever figured out, because who should, right? I mean, it's just that single use case. And there, for example, we have the challenge with the FortiWeb, which we use to solve the problem. Think about the drone API. We had an API which no one ever has used before, but we need to secure it. And while using, doing development, and while that's ongoing, there are tests ongoing, so developers for sure testing the applications, so we use there our machine learning capabilities of FortiWeb to train how the API looks. And in production, we can use it to harden it. Makes it great for us, because there are, for the customers, because there's no undetected endpoints. And if there is one, it's blocked, because no one tested it earlier. It's not published yet. It makes it a little bit more secure.

Srija, do you have any stories right off the bat?
Yeah, I do. Going back to FortiWeb, right, I definitely can't share any customer information, but this one was more by a research team called Team82. It was, I think, in January of this year or February, something around that time frame, where they call it Claroty's WAF bypass. Allyson or Julian, you might have heard about it. But it's a research team where they took some SQL plus JSON syntaxes, because nobody have ever tested. We always have been doing SQL injection-based testing, but nobody appended JSON payloads to SQL and tested them. But the team at Team82 did that, right? And they tested on major WAF vendors to see if they are actually being blocked, that payloads are being blocked. I don't want to mention the names, but most of the vendors, they couldn't block that because it's a new payload, right? It's more like a zero-day payload that they compiled. And Fortinet was not part of that list, but obviously I definitely had interest in testing that. So I worked with our product management team. I did have machine learning running on my FortiWeb WAF on one of the applications. So when I tested those payloads personally, right, like I did test myself, and the ML came to the rescue. We were able to block all of those payloads right away. And we immediately released a blog post in our community portal on how our customers can make use of machine learning. So I think that's one of the clear examples of how it speaks well. In a real-world scenario where there's a zero-day payload, FortiWeb's AI/ML capability can come to the rescue, because I think we never talked about how it works, but this happens in our two layers of machine learning process. The first layer is where we collect the information about your application. FortiWeb will learn about it. And then in the second layer of machine learning, once an anomaly is detected, it will be fed to our Threat Analytics by the FortiGuard team. Our main goal is to make sure our customers are protected from these kind of zero-day payloads, but at the same time to reduce false positives. I love that story always. I definitely want our customers to utilize everything of our products.
That's fantastic. I think that the only thing that I would love to ask you about more, and I think that's the top thing on people's minds, is given what we've talked about today with AI, where do you think the security industry is going? And as we turn to 2024, what are you looking forward to in terms of broader industry engagement, what Fortinet will deliver, anything else that you'd like to call out?
It's a big topic, to be honest, and there's a lot ongoing there. I mean, to be honest, the AI systems are always getting smarter and smarter, which is great. And definitely one big thing I'm really looking forward to is, right now we've worked a lot with pre-trained models with a quite old data set. So the more accurate and more up-to-date the information we're getting, the faster maybe is the response, the smarter they are, and the more input and help they can provide in general, to be honest. And also the more input we can provide, like using it just for our daily monitoring, for example, we teach them, right? It's like for us, every day if we read the news, we learn something because we maybe didn't hear about it. I think another topic, which is maybe, let's say, the shaky side on the network, is the bad guys are getting smarter and smarter. And I think they will use that and even maybe try to turn the AI a bit more on their side. Maybe try to leak information others have provided. I assume that that's a big topic which will come. Another big topic is, to be honest, security automation. That's a huge thing which will definitely, and that's something in the near future, I would say.

For me, I think not anything related to Fortinet, right? It's just more in the cybersecurity space. Now that we are recognizing deepfakes, a lot of them are using it for bad purposes. We want to make sure we identify the same things with some intelligent products, and that's where AI can come handy in order to identify, again, those deepfakes, which are being created by AI itself. The more intelligent products in order to identify those more intelligent, you know, what we call like disadvantages of AI, is my personal thing.
Well, thanks so much, Srija and Julian, for being on the show today. One final thing for you. I know that people are going to want to ask you more questions and continue to engage. So where can they find out more information about Fortinet and engage with your teams?
I would say Julian and I definitely are open to reach out via LinkedIn. Definitely reach us out on our LinkedIn space. Fortinet has been coming to most of our conferences. So, you know, meet us at any of the conferences. But if we go on to our fortinet.com website, you can check our product portfolio, and there is an option to get a free demo. So if you click that and fill out your information, our teams, our BDRs will reach out to you all. So we can just get a call going, and then they will put you in touch with exactly the right team.

I think nearly every security conference, someone is jumping around. Speak, speak to us. Don't hesitate to ask questions.

Thanks so much for being here. It's been a real pleasure.

Thank you all.
Thanks for joining the Tech Arena. Subscribe and engage at our website, thetecharena.net. All content is copyright by The Tech Arena.