Transcript
00:00 I'm interested as to what your read is on this situation. How fierce is the threat coming from
00:06 state-related activists and hackers? It's actually incredibly fierce, and it's because there's a very
00:13 strong motivation to do these kinds of attacks. And what you'll see is that this particular group,
00:18 who is, you know, part of, we think, Silk Typhoon or maybe a separate group, we've been seeing this type
00:24 of activity classified under something called BRICKSTORM, and it sounds terrifying because it
00:28 is terrifying, and that's why the cybersecurity agency in the United States put out an emergency
00:34 directive just this Wednesday, because 48 out of the, you know, Fortune 50 are using F5, a vast number
00:43 of the federal government are using F5, we suspect that there's thousands of devices being deployed,
00:48 and, you know, really because the source code is now out there and in the hands of the Chinese, that
00:55 means that a nation-state attacker is now looking for vulnerabilities in this source code and has
01:02 information they never should have had about undisclosed vulnerabilities that F5 was already
01:07 investigating. And because the attacker was there for more than a year studying F5, it's actually quite
01:15 terrifying, all the capability they could have. How have they gone unnoticed for so long? Well, one of the
01:22 biggest reasons is because if the attacker comes in over remote management devices and protocols using
01:29 zero days, it's very hard to find the initial vector of how they originally got into that network. And, you
01:35 know, simply, if they got in more than a year ago, the chances are high that there's not even logs that hold
01:43 that type of log retention for over a year. That's, let's start there, that's how we don't know when they
01:48 actually got in in the first place. The second part of that problem is most of these network devices
01:55 don't have, like, a sort of, you know, detection and response that we can actually see. There's no EDR
02:02 in these network devices, so we can't actually see this malicious activity. We don't necessarily see this
02:08 telemetry as they're conducting this lateral movement. I mean, theoretically we should, and at some point
02:14 F5 did, but that was as late as August of this year, and they were directed for national security concerns
02:21 to keep it quiet until they could release this information in their SEC filing. Jaya, you are making
02:29 it clear to our audience how critical this is, but when we all go home and sit around our dinner tables, I
02:35 don't feel like this is becoming the top of conversation that perhaps it should be, given the strength of the
02:39 concerns and anxieties you make clear. What is it that ends up affecting the consumer, or more writ large,
02:45 in this circumstance? The fact of the matter is, especially from a consumer perspective, we don't
02:50 always feel like paying for cyber security. We think it should be built in rather than bolted on from a
02:55 consumer perspective. Enterprises are more used to this notion that, you know, it's like a never done thing,
03:01 that we continuously need to improve, that it's a rinse and repeat like action, but we still expect more and
03:08 better from cyber security vendors, from people who are comfortable in this space. But frankly, if you
03:14 are really successful with your software and hardware, you should expect that nation states will target
03:20 you for some side of supply chain compromise. It's almost inevitable. It's because of that very success
03:27 that your reputation and your network and information systems are critically at risk. And particularly in the
03:32 world of AI, where the ever more sophisticated attacks are happening and writ large at such pace. Jaya, this is
03:38 where your company comes in, and I'm so interested in Aisle and what you're currently building, because
03:42 you're saying it's the first AI-native cyber reasoning system. Can you talk us through exactly how it works
03:47 differently from others? Yes. So we are Aisle, which means that everything we do starts from an AI-first
03:54 principle, and one of the most tenacious problems we have in cyber security is this ability to both find
04:01 the right set of vulnerabilities and then remediate them quickly. So what we do at Aisle is exactly that. We have an analyzer
04:09 that actually looks to find those vulnerabilities that truly matter and not just small low-level bugs, and we've proven
04:15 that with, you know, several very famous programs that you have online, open source programs. We found incredibly
04:23 critical zero days. We've reported them responsibly to the maintainers of these open source projects and they have
04:30 fixed them. And what we've really been trying to do is make sure that we are not just showing, hey, this stuff is
04:37 broken, but allowing customers to actually be able to remediate those incredibly quickly, at superhuman speed. And that
04:45 has to be how we work, because you can bet your bottom dollar that the attackers are using AI. Now we need to make sure that the
04:52 defenders are too, and this is something that really we haven't been doing in this way for so long, and this
04:58 kind of static basis that we've had is no longer suitable for the types of threats that we face.
05:04 Just going to Aisle and who its core customer is, feels that it's everyone, but all these cyber companies are
05:10 becoming ever more platforms and want to own your entire ecosystem of cyber. So where do you fit in, Jaya?
05:17 Well, we start where everything is being built. So if you're right now, I feel like every customer
05:24 that we look at is really, I mean, it's remarkable, but we have changed into a planet that operates on
05:31 software, so everything that we actually look at is a company that's using software. So if they build
05:36 software, if they're having someone else build software for them, for their manufacturing process, for
05:40 their supply chain, you know, for those kinds of potential customers and design partners, that's
05:46 where we come in, and we try to make sure that those supply chain vulnerabilities that could impact others
05:52 downstream, as well as their own vulnerabilities, that we give them critical knowledge to know what is it
05:58 that's really broken that you need to focus on, and how can we get you to a place where you have zero
06:04 vulnerabilities coming in. Most of these companies also have rather terrifying backlogs of vulnerabilities
06:11 that they have not fixed, millions in the backlog. And I'm telling you, as a CISO of three different
06:16 publicly listed companies, I've had these experiences myself of these tenacious, hard-to-fix
06:22 vulnerabilities, and I wished for this solution, which is why we now built it.