On this episode of the Futurum Tech Webcast – Interview Series I am joined by Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, for a timely conversation about the current state of the threat landscape, which is, as Mounir said, “Gloomy with a chance of ransomware,” as well as what businesses need to do to protect themselves.
Understanding our Current Cybersecurity Threat Landscape
In our conversation we discussed the following:
- How Juniper Threat Labs builds models to assess the current landscape
- What the biggest current threat is to organizations
- How Juniper is translating its threat detection to actionable insights for its customers
- Advice for security officers on how to deal with our current landscape
This is an excellent conversation about security threats that can impact businesses of any size so it’s one that you don’t want to miss.
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Daniel Newman: Hey, everybody. Welcome to another edition of the Futurum Tech Webcast/Podcast and Futurum Tech TV. I’m your host, Daniel Newman, principal analyst, founding partner at Futurum Research. Excited about this Futurum Tech Interview Series that I have with me Mounir Hahad of Juniper Networks. And I’ll be bringing Mounir on in just a moment.
But as always, a quick disclaimer, this show is for information and entertainment purposes only. And while we will be talking to and about publicly-traded companies, please, do not take anything we say on this show as investment advice. And thank you to Juniper for being part of this program, and giving us access to the folks within Juniper’s team to have this conversation on security, and learning more about Juniper Threat Labs. Very interesting business led by Mr. Mounir Hahad. And Mounir, without further ado, good to have you here on the show.
Mounir Hahad: Hey, Daniel. Good to be with you. I’m super excited about this.
Daniel Newman: Yeah, it’s great to have you here. You know, we’re kind of meeting for the first time, and it’s always great to have the opportunity to meet somebody, bring them on the show and just get right down to business because, you know, there’s no better way to build a relationship than asking someone really tough questions about their work, their role, their job, their business, et cetera.
But these will only be mildly hard questions because I think what you’re doing is really interesting, so I want to give you a platform to share it with our audience here at Futurum Research. So, quick introduction would probably be welcomed. So, Mounir Hahad, give us a quick background, little interest, your role at Juniper.
Mounir Hahad: Oh, wow. You know, I have been in a cybersecurity forum for a number of years, and people typically ask me like how did you get into this cybersecurity business? And to me, it’s honestly a calling. And I recognize that in a lot of my colleagues as well. It’s a calling. It’s not a job that we do. It’s really something that we have a vested interest in personally. And for me, it really started a while back when I was, I’m originally from North Africa, and when I moved out, I had to communicate with my parents through more modern means. They’re not necessarily very versed in the technologies of the internet, and I felt really bad knowing that, hey, they could get hacked any day. They can’t really use the internet safely. So for me, making the internet a safer place is a very personal story.
And the other thing that I really realized is that, I completed my studies in Europe, and it was important for me to have access to all the information, all the teachings at European universities, but I was wondering what’s happening in places like Africa when people don’t have access to these things? With the advent of new ways of getting education to far-flung places, it became even more important to allow this growth in underserved areas of the world.
And it’s not just for education, sometimes, it’s also for commerce. And when we think of Facebook as just a platform for social media, it’s actually a commerce platform in a lot of these countries that lack the real infrastructure. So, it’s really important for me to make sure that it’s a safe place for people to interact and learn, and conduct the business. I’ve actually done a couple of summer universities over the internet like this for places that don’t have access to high talent. And I’ve been a chair for invest competing program in those kind of opportunities. So, this is really great. So, that’s, at a high level, kind of my story and how I got into this.
Daniel Newman: That’s a great story, and personal experiences tend to be passion creators for us. You know, whether it was a football match you saw early in your career, or early in your life that sticks with you forever, I’m an Arsenal fan, I’ve been forever, and I still don’t know why, but I do know why. It was just something that came up from my very youngest days. And of course, having the personal need for secure communications, I love your mention of Facebook, especially today, because we’re actually capturing this on October 20th.
And this is the day that story broke that Facebook may in fact be planning to rename itself. That’s going to be super interesting, but even they’ve been through some interesting, I don’t know if you call it network turbulence, security issues, we may never actually know exactly what happened. But I think when we did have that outage a few weeks ago, if nothing else, it was a reminder to us that even the biggest companies on the planet that pride themselves on being available 99.999999% of the time, are susceptible to issues. In your world, it’s all about threats, security…
Mounir Hahad: That’s right.
Daniel Newman: … and risk. You lead Threat Labs for Juniper. Talk a little bit, at the high level, given that this is what you eat, sleep and drink at work, what does the threat landscape look like right now?
Mounir Hahad: Well, I have to be honest with you, I would say it’s gloomy with a chance of ransomware. You know, when I talk about it internally, I coined the phrase, and I usually say cybersecurity is a race without a finish line. So, you’re constantly fighting the bad guys.
They’re coming up with new things. You’re trying to beat them to the punch. And it’s something that doesn’t really allow you to sleep. I mean, think about it. Most of the attacks happen just before the weekend, or they happen just before a holiday period because they know that some people are going to let their guards down, and therefore, they take maximum advantage of the situation.
So you have to constantly be alert on what the adversary is up to, and hopefully, get ahead, a little bit ahead of them, right? If you take malware detection, that’s actually a good example, in malware detection, if you’re still using signatures to detect malware, you’re probably in for a number of surprises. I mean, I kind of speak from experience, right? A lot of cybersecurity products these days will tell you, oh no, no, no, we actually use AI for detection, and we update every 15 minutes, and that allows us to stay current.
Every time I hear that, I kind of cringe. I’m like, oh my God, what kind of a solution that is artificial intelligence-based that is only valid for 15 minutes? What does that really tell you? That tells you that the data set that people are using to build their AI models or their ML models, it is very time-sensitive. It knows about what happened in the last 15 minutes. Maybe the 15 minutes before that, but it really has no clue about what’s going to happen in the next 15 minutes. And therefore, it needs these constant updates. So, you’re not going to have any good efficacy if you’re coming up with 15-minute updates. It doesn’t make sense to me, not in the world of AI.
We strive ourselves, for example, in order to kind of stay current with what’s happening in the threat landscape, to build models that are valid for anywhere between three to six months. And that gives us a little bit of cushion into whatever the bad guys are coming up with. And the one big difference for me in assessing this landscape, it’s what comes out of it. It has to be something that’s actionable, right?
You hear a lot of companies that have threat labs, but they’re usually at arm’s length with their development teams and their engineering teams. They do outbound reach. Some of them even go after the bad guys. But it’s pretty rare that you see systematically that research going back into products that end up protecting people and customers. So, in my team, we combine the three major functions of a cybersecurity lab.
One of them is we monitor what’s happening in the wild, all activity in the wild is being monitored. Second one is we do design the detection methods, and we implement them as well in our own products. That makes really a huge difference. There is no miscommunication, or lost information in translation. People who design the detection methods are the people who are monitoring what’s happening in the wild.
And finally, which is a critical point, we actually have a threat operations team that monitors the effectiveness of what we’re producing in customer environments. So that if anything goes awry, we’re right on top of it. Before customers even notice, we know.
If we, for example, happened to mess up something, and we get a spike of detections of false positives, we’re on it before the customer even knows. And you know, it could happen to the best of us, right? You get some updates, sometimes, something goes wrong, you have to be on top of it. But more importantly, we try to do this in a way that even the false negatives we’re able to detect, and that may seem a little bit difficult to do, and it is difficult to do. But we figured out ways to identify our false negatives, and improve the products before anybody complains about it.
So, that’s really what makes our threat labs within Juniper networks somewhat unique when you compare it to threat labs in other cybersecurity companies.
Daniel Newman: Yeah. Kind of my experiential gut check as an analyst that covers it all, hears from every company on the planet, is I think you have a really good foundational approach. I think we’re going to increasingly see a blend, I think your longer horizon and being able to address the longer tail is really important. I do think people are increasingly wanting to be able to act on data in real time. You know, we’ve seen a massive rise in observability in different basic technologies that allow sort of all data to be constantly being monitored, because things are happening so fast.
So, I feel like it’s a blend of really rich, robust, well-defined, understood security that can look at the broader market, the broader threats and deal with them. And then, there’s kind of the, how do we, as rapidly as possible, identify a new threat, and get it under control quickly. Which kind of brings me to my next question, as you see it, and as you’re analyzing all of this, what do you think, at this moment in time, is the biggest cybersecurity, you know, this biggest cyber threat to organizations and consumers?
Mounir Hahad: Well, I mean, it’s pretty obvious, it’s ransomware, right? This is what everybody is really extremely worried about. As a matter of fact, I think I just… as a service, actually, the ransomware is called BlackMatter.
This ransomware group is relatively new. I mean, it’s probably been on the scene for, I don’t know, three, four months, maybe five, at the most, but it’s funny to listen to these guys on how they work. They actually went ahead and studied their competitors, and their competitors are other ransomware as a service platforms. And they picked up the best of each one of them. They based a lot of their code on existing ransomware platforms, but they also improved on the things that they felt other people are not doing well.
And honestly, it’s not the kind of thing you and I might think as, oh, this is the most important thing in a ransomware, it has to encrypt the files properly. No, they’re thinking about customer service. They’re like, oh, their portal was not very good, so we made a better portal. So, if you get attacked by us, you’ll have a good experience with us. So, it was really interesting to look at that.
But they learned from DarkSide, REvil, LockBit and they made what they think is the best platform. Now, I’m extremely worried about this kind of a group, because it obviously did its homework. It knows when things were not working quite right with other platforms, and they’re not going to make silly mistakes. It’s not the kind of attack that you’re going to see a decryptor for free showing up somewhere. So, that’s really number one concern.
The second one is one that might actually surprise you. The botnets. They’re becoming really common, or the availability of IoT exploits specifically is fueling the rise of botnets, because you know, vulnerable firmware on IoT devices tends to go unpatched for months, sometimes, years. I guarantee you, everyone has, in their homes, some device that they have no clue what they’re running. What version of the firmware, when was the last time it was updated, they have probably no clue.
So, the threat actors used to sweat quite a bit to get their hands on zero day exploits. If you remember, like five years ago, the exploit kits were all the rage, but they don’t need that anymore because they have access to so many devices that are still unpatched. We just, as a matter of fact, published last week, some research that Juniper Threat Labs has done about a botnet called the Necro Python botnet. And it’s going after, at least… Last week when we published it, it was going after vulnerable Visual Tools DVRs, this particular product.
Now, when you think of a botnet, you’re thinking, oh, this is the thing that is going to do Monero mining, and it might participate in a DDoS attack. But you know, it’s kind of a nuisance more than anything else. Not this kind of a botnet, no. These kinds of botnets have the ability to sniff network traffic, to open up reverse shells, to install rootkits, to download and execute any secondary malware of choice. And they support multiple platforms. They’re like, hey, you want Windows? Sure. Linux. I got it.
They use DGA for communication. So, it’s relatively sophisticated. And to me, it looks like a Swiss army knife of botnets. And if you think about it, Emotet kind of started as something that was very dedicated to the final show, data theft, but it became, again, another Swiss army knife of botnets. It can deploy Ryuk ransomware. It can do whatever it wants. And so, that to me, means we have to pay a little bit more attention to these botnets, because they could become an avenue for very severe network intrusions. And it’s not just the simple Monero mining.
And finally, I want to add to that list something a little bit uncommon. We are actually the biggest threats to our organizations, it’s ourselves. We are one of the biggest ones, because we tend to be phished relatively easily. You know, a lot of… Actually that… Which one was it? The BlackMatter ransomware group, they posted a note saying, hey, we’re looking for network access to organizations, because they won’t attack them obviously. And they said, don’t give us anything complicated. We don’t want any VPN, or any multi-layer exploits or anything. We just want simple credentials, something that makes it easy for us to get in and out.
What that tells you is that phishing is so successful that it became the easy way to get into an organization. And when you think about it, the attackers are taking time to study their victims, right? So, phishing campaigns are more and more realistic. The campaigns are more targeted, which means they give you context. When they send you that email, there’s a context that’s fairly unique to you. Google Translate is doing a better job, which means you’re not seeing those awful grammar mistakes. Mobile devices make it harder for you to spot when there is a phishing attempt, for simple things like, in a mobile device, you’ll see the name, you never see the email address, so you can’t tell if there is a typosquatting, something like that.
And finally, the movement towards the cloud, the transition to the cloud with more and more SaaS applications being prevalent in corporate environment, means every day, you and I would get emails from third parties, and they’re very legitimate. Something that tells you, hey, you’re, I don’t know, your drive on OneDrive, Microsoft OneDrive needs to be reset or something. You know, the policy says, you need to reset your password.
You get these things, you don’t think about it twice. It used to be like, if I don’t get an email from juniper.net, I’m suspicious. Now, I get 20 of them from very legitimate SaaS applications that any company would use. So that makes it really hard. So, to me, these are like the top threats to organizations today.
Daniel Newman: We have a ton of threats coming into the market, I love that you mentioned threats to ourselves. We definitely tend to open the doors to some of the worst hacks. You know, the Raspberry Pis, the USB drives, the thumb drives, and of course, the really… The visual hacking that people do in coffee shops and just laziness, the sticky notes that people keep on their keyboards that become a quick buck for somebody that doesn’t care that much about their organization. And so, there’s a lot of things that end up happening. We do this to ourselves.
I’ve got a couple more questions, and we’ve got about five more minutes. I’m really enjoying the conversation. We’d probably have another conversation, dig deeper into some of these, but talk about outcomes. Because you’re doing all this threat detection, you’re capturing this stuff, you’ve become really aware. How is this translating for Juniper and its customers to better outcomes?
Mounir Hahad: Yeah. That’s a great question because, honestly, we could make as much noise as we want. At the end of the day, what’s going to matter? What’s going to matter is how are we making our customers’ networks a little bit safer, and hopefully, people can get their weekends back.
To me, the kind of things that we do that go in that direction, very simple things. We talked earlier about threat intel. Threat intel is one of those things that could be a double-edged sword, honestly. You could decide to use it and it may help, but a lot of the time, it’ll actually give you more headache than anything else. So, one of the things that we have done at Juniper Threat Labs is we do threat intel curation that goes well above and beyond industry standards. And it’s one of the things I’m personally proud of.
You know, when I came in to Juniper, I heard numerous complaints actually from people who wanted to use some threat feeds, not necessarily from Juniper, right? You can get threat feeds from a lot of places. But they couldn’t trust them, because you get a threat feed from one place, you put it in a policy on your firewall. You see, I’m going to block everything coming through this. The very next day, you have like your dashboard lining up with customer complaints, oh, you blocked my access to this site or this domain or whatever it is.
So, we actually spent a lot of time and effort in automating the curation of threat intelligence. I’m really happy that things worked out, and I use, as one of our own examples, Juniper’s own IT. You know, our own IT functions as a completely independent organization. They buy their security tools from wherever they want. They just happen to use ours as well because they like them. But they could go anywhere else. And I asked them actually recently, and I said, hey, how’s it working out for you for the threat intel that we’re producing? Thumbs up. We’re not hearing any complaints anymore.
So, this is really a good signal to me that we were down the right path. The second one is the machine learning that we developed at Juniper, I make it a point that we have to strive for an extremely low false positive rate. And I’d be lying to you if anybody… If I said, or anybody will tell you that, hey, we have this machine learning approach, and it has very few false positives. That just doesn’t exist. Unless you’re highly tuning and biasing your models, you’re going to have false positives, which means, you need to develop techniques that mitigate those false positives in order to make it useful.
So, when I look at our own customer malware detections, our machine learning detection varies between 40 to 80%. Let me be specific. 40 to 80% of what we detect is detected using our machine learning algorithms alone. We have plenty of engines, and some of them are signature-based. But those tend to fluctuate. From one month to the next month, the value add of those things kind of goes up and down, but the machine learning is always there to do a dive and catch.
So, I’m really proud that we were able to achieve this kind of results with a relatively extremely small set of false positives. And that’s the kind of thing that has been tested by third parties. You know, we run a continuous test with a company called ICSA Labs. I don’t know if you’re familiar with them, but they’re part of Verizon now. And they’re the counterparts to people who produce the Verizon Data Breach Investigations Report, the Verizon DBIR.
So those guys figured out what’s going on in customer environments. They handed off to their labs. The labs test products. And it’s a completely blind test. We give them our product, and they come back at the end of the quarter with results and say, hey, here’s your detection rate. Here’s your false positive rate. In Q3, or not Q3, sorry.
In Q2. Q2 of this year, our result has been 100% detection of everything they throw at us, and zero false positives. I’m not going to lie to you, this is not every quarter results. We had that in Q2, we had that in Q4 of last year, but Q1 and Q3 had 100% detection, and one false positive in Q1. I think, if I remember well, but Q3 had three false positives, that, I remember because it was like the test finished not too long ago.
Daniel Newman: But-
Mounir Hahad: So, that… Go ahead. Sorry.
Daniel Newman: No, I’m just going to say, but like a couple of false positives works as long as you get a hundred percent of the actuals, you know what I mean?
Mounir Hahad: Absolutely.
Daniel Newman: I do understand maybe there’s a little inconvenience, but it’s kind of like in the end, right? You know, having a flight delayed for an additional security check to only have it be cleared, everyone’s like, yeah, that’s okay. Or like you’re going to make the extra maintenance fix. Oh, it wasn’t actually broken, but we looked anyways. I’m okay with that. I think the world should actually just be like, that’s good.
Mounir Hahad: Yeah. Daniel, we’re talking about minimum stuff here, honestly.
Daniel Newman: Yeah.
Mounir Hahad: Three false positives in a quarter, trust me, this is like top-notch.
Daniel Newman: Yeah, I mean…
Mounir Hahad: It’s really… But the hundred percent detection is really a testament to the fact that we really put in a lot of effort, and it’s not just a single engine. We layer a number of detection techniques. We keep coming up with new ones all the time. And many of them use machine learning. And fortunately, we reached that goal of good protection, minimum, really minimum effort for the [SOC] Teams.
Daniel Newman: I think that’s great. I think those are some very, very good numbers, data-backed. Congratulations on the success. I want to take you home by talking a little bit about the CIOs, CSOs, CTOs, depending on your organization. But you know, the person that has the CSO responsibilities in an organization, let’s take them out with a little advice from where you sit, on how to deal with the wrestling, with all the ongoing and consistent attacks that are coming every which way at companies these days.
Mounir Hahad: Yeah. CSOs have a hot seat, really. They’re the ones under the spotlight every time something happens, and they rarely get the thank you when nothing happens. So, honestly, I do not want to repeat what others say in this space because there’s enough books and blogs and podcasts about what CSOs should do. As a matter of fact, I have my self-authored book titled Preventing Ransomware, and it’s just like two weeks ago. I saw something on LinkedIn, I think, that said it was listed one of the top seven books about ransomware that are available today on Amazon.
And I also have like a biweekly podcast that I publish on threatlabs.juniper.net, which goes through a little bit more timely events and gives some specific advice on those particular topics that we discuss. But in general, I would like to address it through a potentially controversial angle. It’s like, what should CSOs do?
Well, number one, I would say try to focus on the prevalence of network-based attacks, because pretty much, all attacks today have to transit somehow through the network. So, having a threat aware network is really a major boost to a security posture. Let’s say, for example, your switches or your routers are not helping, either divert traffic, block traffic, isolate infected devices from your own network, and I’m not saying isolate them from the internet. I’m saying isolate them from your own network.
If you’re not doing that, then, you’re probably missing out, because that’s a major thing. When you’re able to identify that something is off with any kind of a security product, and your switch is capable of taking that device off the network until somebody looks at it, it’s a huge boon. So, take advantage of that. The second one is… I’m a little bit worried about a trend I’ve heard over the last several years which kind of is pushing people to relying exclusively on endpoint protection. And the reason they usually justify this with is, oh, the perimeter is disappearing. Therefore, let’s all go and defend the endpoint. But I would say that’s not entirely true.
The edge of the network has moved. It has morphed. But it’s still there. Say for example, you embark on a SaaSy journey, you need to make sure that security is front and center in that conversation. It’s not an afterthought. When you think of cloud providers today, which kind of happened to host a lot of infrastructure, as well as a lot of SaaS applications, they are responsible for their own network, for the security of their own network, their own infrastructure. They build their own applications, but they’re not responsible for yours. You are still responsible for your applications, for your users, who is accessing what, your own data, you’re still responsible for that. So, I think that relying on a network in that SaaSy journey is going to be even more important than when you knew you had your own corporate network.
And finally, I want to stress the fact that people need to pay attention to the efficacy of the products they’re putting in place. And usually, it’s as verified by third parties. You don’t want to get into really lengthy POCs and you’re testing products efficacy because it’s relatively difficult to do it on your own. I get that. But there are third parties that do blind tests, and you can usually trust those. So, we live, unfortunately, in a time when… I would say the one with the loudest marketing voice wins the conversation. It shouldn’t be that way.
The truth is that protecting your infrastructure and your users matters. It’s not just the chatbots. So, let’s not go and put in place products just because their marketing is good, without going in and checking the efficacy of the products themselves. So, I’ll just leave it at that.
Daniel Newman: I think that was quite a bit, Mounir. I think the audience got a lot. I think the CSOs got a lot. I think it was very interesting to spend some time learning about threat labs, kind of hearing about the current state, the hopeful end state. And the one thing that we know is that anytime that you and all the great work you’re doing catches up with these bad actors, they will get more sophisticated, and they will get better.
In our crazy supply chain world, if you’re working at the ports or the trucks, your job, driving a truck, you’d probably feel pretty safe. If you’re working as a CSO, or trying to secure a network, as long as you keep yours safe, you’re going to be safe too.
So, it’s going to be a job that’s only going to continue to require great skills and great technology partners. So, Mounir Hahad, head of Threat Labs at Juniper Networks, thank you so much for joining me here on the Futurum Tech Webcast. I hope to have you back sometime soon.
Mounir Hahad: It was a pleasure, Daniel.
Daniel Newman: All right, everybody. Thank you so much for tuning in to the Futurum Tech Webcast. Really appreciate having you here. Go ahead and check out the show notes, learn more about Juniper Networks. Learn more about the Threat Labs. The link is in there. Mounir was a great guest. What a great bit of insight, experience.
And of course, he does so much research that, you know, this is information, it’s a wealth of information if you’re a CSO or if security is part of your responsibility. And it’s really all of our responsibility. So, hit that subscribe button. Join us again. We love having you here with us at the show. But I got to say goodbye now. So, I’m signing off and I’ll see you next time. Bye-bye.