October 12, 2024 • 32 mins
Ever wondered what it takes to stay ahead in the fast-paced world of cybersecurity? Join us as we chat with Jack Chan, Fortinet's Vice President of Product Management and Field CTO for APAC, who brings nearly two decades of industry experience to the table. We'll explore Jack's fascinating journey from a NetScreen trainer to a leading figure in cybersecurity, providing unique insights into the evolving landscape of cyber threats in the APAC region. Our discussion highlights how cloud adoption and remote work are reshaping security measures and the vital role of innovative solutions in managing data more effectively.
Discover the cutting-edge strategies behind Fortinet's rollout of Zero Trust architecture and Secure Access Services Edge (SASE) technologies. Jack sheds light on their phased approach, starting with small user groups, and expanding to a larger scale while integrating SD-WAN with SASE. This episode highlights the challenges and benefits of transitioning to cloud-native technologies and the crucial importance of constant device posture checks. Jack also shares Fortinet's internal deployment experiences, offering valuable insights into their scalable technology solutions and what lies ahead in the world of cybersecurity.
Finally, we explore how Fortinet maintains its leadership by effectively managing IoT devices, from home networks to smart cities, with an emphasis on security and connectivity. Jack provides a glimpse into Fortinet's product development strategies, which balance in-house innovation with strategic acquisitions like Lacework and NextDLP. The conversation wraps up with reflections on generational shifts in technology use, particularly AI, and its growing influence on our daily lives. Listen in for a rich, engaging discussion that not only highlights today's cybersecurity challenges but also paints a picture of where the future might lead us.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jack Chan (00:02):
It might be secure now, but the next minute someone
does something silly and yournetwork might not be secure
anymore.
Michael van Rooyen (00:08):
The most uncontrollable element the human
Today I have the pleasure ininterviewing and having a chat
with Jack Chan, who is the VicePresident of Product Management
and the Field CTO of APAC forFortinet.
We're just going to talk allthings cyber, converged networks
, new technologies andeverything else, jack.
(00:29):
Welcome to today.
Before we get started, do youmind sharing a bit about your
background in the industry andwhat led you to your current
role as VP of Product Managementand field CTO of APAC for
Fortinet?
All right, thanks for having me.
Jack Chan (00:40):
I guess, first of all , at a personal level, I'm a
Kiwi, I work in the APAC regionand secondly, I think I've spent
18 years in Fortinet.
Now I'm not saying HR will bepleased about that, but before
that I was.
Actually.
I've got quite a bit oftechnical background.
I was working in resellerdistribution.
What brought me to Fortinet wasI actually worked as a
NetScreen trainer.
Oh wow, NetScreen trainer oh,wow, before that.
(01:02):
So you know the story how can?
And michael, our founder, andcto, found the net screen, yes,
and then sold the juniper andthen came out find the fortinet.
So a bit of legacy sort ofthere, the whole firewall story
and how fortinet has evolved towhere we're now.
So I looked after three regionshong kong, new zealand,
australia, new zealand and nowI'm in a global role.
Michael van Rooyen (01:21):
Few products in the product management group
wow, wow, that's's a bit of ahistory and certainly always
been security related, right?
You're luckily one of thesethat's had the opportunity to be
doing.
You know, used to be calledinformation security and now
obviously cybersecurity, butyou've been doing it before it
became cool, right, you've beendoing it for a long time.
Correct, everybody thinks it'scool now, but it's been around a
long time, been part of history, so that's great context.
(01:42):
So you've seen a lot of changeover the years.
Then, as someone who is out inthe field, as a CTO and
obviously looking at products etcetera, what are the most
significant technology trendsthat you're currently seeing in
our cybersecurity landscape, andmaybe particularly in the APAC
region, because obviously youhave a global view, but maybe
more specifically around APAC?
Jack Chan (02:00):
Yeah, sure, I think I mean over the last what 20
(02:27):
years?
I think we've seen theexplosion of technology in
general.
I mean everyone knows thatwe're surrounded by over 60 plus
solution, that anything youthink about osi layer, anything
from layer 2 to layer 7, wepretty much have a solution for
and after covert and use ofcloud, you know, we see highly
remote workforce needing toaccess highly distributed
resources, right.
So that drives some of oursolutions and, of course, the
(02:49):
never-ending evolving landscape.
I was also the spokesperson forFortiGuard, our R&D security
arm, so I've seen how, I guess,threats has evolved over time.
To give you an idea of scalelike 20 years ago we used to
have probably 200,000 malwarearchived from the 18th century,
but now, net new, we'll probablyhave 200,000 net new malware
(03:11):
per day that we do not detect.
So what that means is, ofcourse, everything's automated,
with training of new networks,writing signatures and rolling
out to our global customersmillions of devices and
signatures out there.
So yeah, it's just scaledexponentially.
Michael van Rooyen (03:28):
Yes, so you touched on and I've been to a
few Fortinet events this yearinternationally and obviously
we're catching up at Fast andSecure in Sydney today.
But there's a lot of discussionabout converged network and
security.
Fortify Network is obviouslywhere the Fortinet name came
from and the explosion ofdevices.
Are those the biggest trends orare some of the other trends
(03:48):
you're seeing around OTconvergence, like what are some
of the field discussions you'rehaving with customers in the
software trend?
Jack Chan (03:55):
Oh for sure, OT is definitely a big trend and
Fortinet has quite biginvestment apart from the
convergence network security andalso in the OT world.
So we actually start to buildsolutions that are OT specific
because traditionally it hasbeen quite separated right.
We all know that OT and let'stalk about IoT.
You can't really installendpoint sort of software on
(04:16):
these OT or even legacy devices,so you got to have different
ways to surface attack, likelooking at the network data or
looking at anomaly.
The PLC water pump usuallymight be on value five, right,
but suddenly it says to valuenine.
It's not necessary in attack,but it's definitely anomalies
that you want to pick up.
(04:36):
And a lot of these solutionsthe analogy I use is like sea of
information and you're justtrying to pick a needle out of
it right.
Which is difficult.
So how can you manage all thisdata lake and service the right
information at the right time tothe users, that is?
Michael van Rooyen (04:51):
the challenge we all face, of course
, of course, yeah, just the massconsumption of data, logging,
et cetera.
And if I think about yourheritage there, talking about
way back to NetScreen and beendoing it for a long time and
what you're talking to a lot ofcustomers about is, how have the
cyber threats evolved over thepast few years and what new
challenges are organizers facingin this area?
(05:12):
Yeah, I mean, I spoke about themalware context.
Jack Chan (05:15):
Right, you know it's still, if you look at, I mean,
everyone's probably bored withransomware, but you know it's
still a very profitable industry.
Why are there still those scamcalls, phishing links around?
It's because it's kind ofevolved into its own industry.
Right, and with the use ofmachine learning AI, I mean,
it's almost like a battle of thegood and the evil.
While the hackers are, I mean,everyone's lazy, you know they
(05:42):
will use the machine learning AIto assist with the attack.
Right, including deepfakes andbusiness email compromise, and
the vendors, the good guys, thewhite hats we will also use
machine learning AI to combat,right.
So it's an evolving game andwhat I tend to educate the users
or customers I speak to is youreally need to look at what is a
usable threat intelligence.
(06:03):
People behavior changes whenyou have different threat intel.
Right, if I'm going to tell you, hey, what five steps, you're
going to fall in a hole.
You won't walk those five steps, right?
So threat intel is actuallyquite important and most
organizations almost have silosof threat intel.
So I guess the Fortinet way ishey, why don't you leave that to
(06:23):
Fortinet?
We will wait and we willbalance out all this for Intel.
So you focus on your corebusiness, whether it's banking,
airline or whatever you guys do,and leave the hard work to the
vendor.
Michael van Rooyen (06:35):
Yeah, fair enough, and I was reflecting and
I'm sure in the sessions youwere representing they called
you out during one of thesessions and the presenter was
talking about that there's aperception of it being so much
more intelligent or so much morehigher type of attack, but it
turns out that's not actuallyreally the case.
Based on the data you guys aresaying, it's actually still very
basic security that people aremissing, but basic lessons
(06:58):
learned.
Is that the education partyou're talking about, Correct?
Jack Chan (07:01):
I think with the use of AI, deepfakes, social media,
the entry point is kind of stillthe same.
The hackers might use themachine learning AI in this area
, but it doesn't differ from thefact that you're still looking
at accessing to information andthat information is harder now
to protect because it can resideon on-prem, it can reside on
(07:22):
someone's laptop, it can residein the cloud.
It makes companies difficult toprotect all this information
and it's very fluid.
The information flowseverywhere.
If you look at the three goalsof any IT security solution is
you want to keep it simple, fast, speed and secure.
So the three S right.
But it's almost like a tug ofwar.
(07:42):
You pull one direction and youlose the other two, like maybe
you want more security, but then, oh, it's not so simple and not
so fast anymore.
But there are some technologieslike 40 sassy or secure ssa
which, when you balance it right, you can probably get all three
.
You can probably win of course.
Michael van Rooyen (07:59):
Of course, and just if I think about, then,
the shift to, to remote andhybrid working, because that's
we all talk about return to workand all that, but we're still
seeing this as a hybrid world.
Right and security, then, hasbeen a challenge, as you touched
on before about workloadseverywhere, data everywhere,
information everywhere.
What impact has this had?
Jack Chan (08:28):
Have you seen, if I think, traditional model coming
back from the heritage firewalls, central location, central way
to control it, with now thespread everywhere, how
organization security strategychanging and how they're
adopting to towards that, fromwhat your discussions have been?
Yeah, yes, very good question.
I mean I touch on um remote.
After covid and explosion ofcloud technology, right,
companies need a cloud nativeway to control access to, yeah,
data.
So I'm a traveling employee.
You know, I was in differentcountries every month really.
But when I bring my laptop towork and I have the, now, with
(08:49):
the secure SSH, I have theability to access critical
finance system or whateverimportant application I need
access to, without connecting todifferent VPNs.
Probably like five, 10 yearsago, not long ago, you'll be
okay, I need to access thisapplication.
Let's connect to Europe orlet's connect to US.
So the world has quicklychanged.
(09:10):
Secure SSH has kind of becomequite important and Fortinet has
invested with our partners inthat technology area.
Michael van Rooyen (09:17):
Right, right , which really leads onto a
great topic of zero trust, right?
So we know that the US isdeploying at presidential level
this kind of zero trust right?
So we know that the US isdeploying at presidential level
this kind of zero trust mandate.
We know the big hyperscalershave been built for zero trust
for a long time.
That's kind of top down.
We know that today there was adiscussion around from the user
up point of view and from theapplication device point of view
.
So zero trust is obviously abig topic, right, and it's a
(09:39):
long journey.
It's not something you can justturn on tomorrow.
I'm keen to see in yourdiscussions what people are
thinking about zero trust, whereyou think we are in the
maturity cycle of that and kindof what else we need to do
towards approaching zero trustand the adoption of that, or at
least implementation.
Jack Chan (09:54):
Yeah, I mean, vendors almost abuse the word zero
trust they do.
But I mean, I'll boil it downto really simple messaging.
It's really around need to know, right From a device and a user
perspective.
And Fortinet has actually beenthrough this journey, rolling
out Zero Trust ourselves, right.
So Fortinet is a relatively bigcompany now.
(10:16):
We actually ship half of thefirewalls around the world and
we've got like 13,000 employeesworldwide and we journey from
six months to a year.
We've rolled out the secure SSHwith the zero trust architecture
, but what that really means isthat people, laptops and users
will only need to access whatthey need to, right, and we do
(10:36):
constant posture check on thedevices.
Like I'll bring my laptoparound that's my core working
device, right, but before, oh,maybe CISO or the CEO might go.
Oh, I want to access that on mycore working device, right, but
before, oh, maybe CISO or theCEO might go, oh, I want to
access that on my iPhone, butsorry, now because your device
is not trusted, no, byod, sorry.
And then you need to accessthis application from your
laptop and that's really asimple example of how Zero Trust
(10:59):
works.
And when Fortinet rolled it out, we took stages.
We don't roll it out likeglobally, like no, hey, everyone
needs to switch now becauseyou're affecting user behavior,
which is quite important.
So you always start small, afew applications, a small bunch
of users.
After success, mis gets used toit and then you start gradually
rolling it out, yes, yes.
Michael van Rooyen (11:18):
Now, I did do a session with one of your
counterparts, carl Windsor,earlier in the year and we
talked a lot Gateway.
Do you want to just, at a veryhigh level, just explain for
those who haven't heard that, orgetting familiar with these
technologies, what SASE, secureAccess Services, edge and Secure
Web Gateway are and why they'reessential today just as part of
(11:40):
that cyber environment orarchitecture?
Jack Chan (11:43):
Good question.
So we spoke a little bit aboutthe Secure SSH.
There are some companies I wasactually in Singapore like two
weeks ago and there were stillbig companies, finance companies
that will use this secure webgateway like local proxy, maybe
due to compliance reasons.
Most of the VLE very largeenterprise still thinks, hey, if
(12:03):
I have a single point ofinternet access that prevents me
attack, I can check all thedata, et cetera.
But events may attack.
I can check all the data, etcetera.
But with the cloud nativetechnology, often it's almost a
challenge with enterprise.
Now it's like, okay, should Iproxy everything through a local
proxy or should I just trustthe cloud and send it off there?
And how do I control thistechnology?
(12:25):
It's almost like a push andpull.
Now it will be quiteinteresting what happens in the
next five years.
You know with okay, is SWGgoing away?
Is everything just going to SSH?
Michael van Rooyen (12:36):
right, it will be very interesting to see
how the organizations will adoptto the adoption of the
technology of both.
Yeah, look, and that's a goodpoint, and I think what we're
seeing with customers and againI'd be interested to see what
you're seeing across the APACregion, which our opinion is,
our organization is all aboutsecuring client to cloud right,
which is really a good way toboil it down.
But if you haven't reallydeployed SD-WAN today, there's
no point.
Well, of course, sd-wan isfundamental to it, but but you
(12:57):
should be having a SASEdiscussion, right, it shouldn't
be that pointed SD-WANdiscussion.
Jack Chan (13:01):
It should really be a SASE discussion and then SD-WAN
just forms part of thatdiscussion yeah, absolutely
correct, because I thinkFortinet has quite a unique
foundation, you know, because westarted from the firewall and
then we built SD-WAN, sort ofquoted free features, and then
that will evolve to a SASE,versus some pure plate SASE
plate who say, hey, sase is allyou need, send everything to the
cloud, trust us, no, we don'twant customers' investment to go
(13:25):
away.
Right, your investment in thecurrent firewall infrastructure,
sd-wan and on your endpoint.
All that will be translate andalmost kind of quote-unquote
migrate you to the SaaSinfrastructure.
Michael van Rooyen (13:36):
So very good point Are there some common
challenges that organisationshave been facing when looking at
integrating or deploying SaaSor Secure Web Gateway, and have
they overcome these or have youengaged them to overcome those?
Jack Chan (13:50):
I think I spoke about how Fortinet actually deployed
some of these internally.
Actually, michael C, ourfounder, has a directive and go
hey, why don't we talk about ourown story of how we actually
rolled out, like SESI and SD-WAN, globally with 13,000 users and
a couple of thousand, like8,000 endpoints or whatever it
is, and we took on the journey.
(14:11):
It's almost six months to ayear.
I mentioned we started small,you know, with a couple of users
called guinea pigs, a couple ofcritical applications, put them
behind the chassis and then MIsget used to their technology so
they're comfortable managingthe volume of support, and then
you gradually roll this outBasically now, scale-wise,
(14:31):
basically any city you can nameworldwide will have a Fortinet
presence in there, right Apartfrom a few countries, and
everyone is on the Zero Trustand SASE architecture.
And now I guess MIS can have afew good sleeps.
They don't need to manage a lotof IPsec, ssl, vpn and sitting
(14:52):
in the cloud, and the technologyis scalable in nature.
Michael van Rooyen (14:56):
You're not bound to a hardware device and
because it's cloud-nativetechnology, we can implement the
stack just exponentially growit based on the user's needs,
right right and there's so manyoptions, we haven't really seen
the outcome of SASE deployment,if I think alone just about even
secure private access right forOT being able to remotely get
(15:17):
into those environments usingthat.
Secure private access is kindof one common use case we're
solving really solve the remoteaccess challenge.
So while SASE has been aroundfor a couple of years from a
Gartner framework point of viewand we're seeing a lot more
adoption in that, I just want topivot a little bit, knowing
that you're really focusing onproduct management and those
components of the Fortinetfamily.
But what emerging technologiesdo you believe will
(15:39):
significantly impactcybersecurity over the next few
years?
What do you think is going tochange our cyber?
Jack Chan (15:44):
landscape?
Yeah, no problem.
I think one good way to answerthis question is if you look at
the recent acquisition, so thatwill kind of reveal you a little
bit of what's on Michael C'sand Ken's mind of where the
company is heading.
While we have our three pillarsof secure networking
alternative firewall, switching,routing, access point we have
the user success and then now wehave the security operations.
(16:06):
But recently we've acquired twocompanies.
But recently we've acquired twocompanies.
The first company is Lacework,which focuses on cloud security,
posture management, cspm, somepeople call it CNAPP Cloud
Native Application Protection.
I hate acronyms, sorry.
And then you work in the techindustry.
I know, I know Because in mypresentation just now I tried to
(16:27):
explain every acronym, notassuming the audience
understands it.
That's a fair point.
And then the company that wecompleted acquisition about only
two or three weeks ago wasNextDLP, nextdlpcom.
So it's to do with data leakage.
Basically, if you think aboutour traditional security, from
security operations to SASEcloud, and we're adding the
(16:47):
cloud native security on topbecause organization now uses a
lot of cloud, whether it'sGoogle, azure, aws, even Alibaba
in Asia.
Right, there needs to be a wayto.
It's almost like an overlay andgo hey, how is my cloud
security posture looking at Forthe SecOps great opportunity for
partners to sort of addadditional services so they can
(17:10):
add it to like your existing SOCservices yes, and also look at
insider threats data leakageusing machine learning, ai
that's what Next DLP is about.
But if you think about thefuture, fortinet's got all these
technology that we can mix andmatch and combine.
It puts us in a really uniqueplace because we're not a pure
play.
Michael van Rooyen (17:29):
So to use and utilize all these data lakes
, yeah, yeah yeah, right, right,and you've touched on the AI,
machine learning, which isobviously a big focus and and
some of these acquisitions helpdrive that strategy and, if we
think about this, the additionalamount of consumption of these
logs and data and AI obviouslyreally helps us get through that
data.
How vital is the threatintelligence in today's cyber
(17:50):
landscape and how are you guysintegrating into those solutions
to really leverage thatfootprint you've got at
FortiGuard's research center?
Jack Chan (17:58):
Yeah, correct, I mean if you think about how Fortinet
uses machine learning AI.
I mean we're almost separateinto three areas where we roll
out different services to ourproducts and, of course, we've
got the product AI as well.
An example will be networkdetection response, where we
collect a lot of networktelemetry data and a client
recently in the US it was quiteinteresting use case.
(18:20):
They wasn't using like NDR fordetecting attacks, they were
actually using it down to huntdown BitTorrent clients on
network.
I was like, okay, okay, fine,this is a good way to use the
solution, not bad.
And NDR is probably the firsttype of solution where they
because we're collecting a lotof data and we're using machine
learning AI to harvest theattack.
(18:40):
An example which I just gave inthe Fast and Secure event is,
for example, fortinet is keepingtrack of all the botnet IPs and
bad IOCs out there in the world.
So we can build models thatwill look like oh, to this
botnet network or to thisransomware IOC phishing link.
It will have time to live, itwill have a number of packets
beginning interviews.
So we feed all that intomachine learning and go oh,
(19:02):
here's the model of whatmalicious traffic looks like.
Hackers are not dumb.
They will use DGAs to generatethousands of domains, spin up
something on Azure new IPaddress that no one detects in a
C2, right.
But if it matches that profileof beginning interview time to
live number of packets et cetera, we kind of know it's kind of
(19:23):
bad traffic, right.
So that's one model of how weuse, like, ai, machine learning
in a product, right?
The third part is degenerativeAI Think open chat GDP on
Fortinet products.
Just think about thepossibility we want to reduce
the expertise required to runand operate these solutions.
(19:43):
So even if you hire juniorengineers, which you pay them
less, and then they can interactwith the solution and type in
using LLM models, large languagemodeling and go, hey, have I
got an outbreak in this area?
Yes, how do I build the bestSD-WAN out of these Fortinet
technologies?
Right?
That's kind of the three areaswhere Fortinet is invested and
heading towards Right right.
Michael van Rooyen (20:04):
So that's a real reduction in time to
resolve, time to find the rootcause.
And I think the big step hereis those tools are so powerful.
It's really come down to thehygiene and making sure people
are seeing all the logs to it.
It needs the best data sourcefor that right.
So it's fascinating.
I think we haven't even seenmany of the use cases.
Jack Chan (20:20):
Too many.
If I'm honest, I think we'restill at the beginning of
tapping into the gold mine ofinformation, right?
I agree?
I mean you mentioned surfacingof attacks Most of the time, not
just Fortinet, with everyvendor solution it can detect,
but it's just been flooded withother logs that you could not
see, you know.
So part of the I guess the AIpromise quoted is to kind of
(20:42):
surface the important elementsof what is important for you so
you can actually imagine feedingand training the AI to go.
This is important to me.
I look at this every day.
It changes my behavior, itchanges my decisions and the
solutions should eventually I'mtalking about like quite future
here so eventually learn what isimportant to that user, whether
it's a size or the soft analyst, right, so to service the
(21:04):
information to them.
Michael van Rooyen (21:05):
Yeah, yeah, yeah, great.
And if I think, I think aboutsmall, medium, medium
enterprises right, soenterprises, government have
obviously much bigger resourcesand ability to put cyber in, but
SMEs have generally got alimited resource pool to do that
.
Have you got any suggestions orhow you work with customers on
solutions for SMEs to kind ofprotect themselves without the
human power law?
(21:26):
How do I help in that area?
Jack Chan (21:28):
Great question, I guess.
First, fortinet has got quite agood strategy to tackle SMEs.
So first, I mean we run thesame operating system from our
desktop firewall, which is thesize of a laptop, to our
firewall, which can tacklethousands of users, and, of
course, our trusted partner.
We give them a lot of room tobuild services to serve the SME
(21:52):
market.
So you can either rely on thepartners and Fortinet has also
got a service.
Basically it means eyes andears on your logs so that SMEs
don't need to hire engineersovernight to look at the logs.
So I think that that's kind ofwhere Fortinet will help and
differentiate with our partnerscommunity and also what Fortinet
offers.
Michael van Rooyen (22:13):
And look, one of the common themes this
year has been very much againwhy Fortinet exists is around
the evolution of securitynetworking or secure networking,
or there's many ways to saythis but especially increasing
the adoption of cloud andinternet of things.
How do you see that landscapeevolving around the convergence?
Do you see customers reallyadopting the convergence?
Do you think it's still a bitof a trial?
My feeling is and I was sayingthis this afternoon is that the
(22:35):
IT industry generally has alwaysbeen very siloed.
We're always doing an upgradeof a particular service, which
is why we're out of sync, right,so it's very rare you get a
customer who does an end-to-endplay.
Obviously, the end-to-end playis there from seeing the same
sort of life cycle, or how doyou see this convergence really
playing out?
Jack Chan (22:50):
yeah, I've answered this question in two contexts.
Sure, on a small scale, like onmy home 40k of course I run a
40k, right, to block my kidsgames.
Apart from that, um, you know,we've got so many iot devices.
Man, look at my firewall scope.
What is this mac address orhidden mac address that's
connecting to to it?
Is it my xiaomi, like homevacuum, that's trying to connect
(23:11):
to the internet?
Right, that's the small scale.
Right, on the larger scale ofIoT, I was in Singapore two
weeks ago, as I mentioned.
We're talking about smart cities.
Smart cities need smart IoTs,right?
And we are talking about thescale, with thousands or tens of
thousands of devices needingnetwork access, connecting to
(23:31):
URLs or the vendor's URL.
How do you maintain the patchesand security for those?
Well, you think about that.
It really creates a bigheadache, right?
You think about the securitymanager or the network manager
on the smart city and they go oh, I've got, I don't know, just a
couple of hundred devices, oneaccess to the internet.
What are these devices?
What OS do they run?
Who do they need to connect to?
(23:53):
So that's why we have differentsolutions, like next solutions
or automatic approvals, and, andall these solutions to tackle
anything as small as my home.
Yes, to aspect as like a smartcity.
Yeah, of course of course.
Michael van Rooyen (24:04):
What's the statistic I read recently?
Most homes are kind of 30 plusto 60.
Devices is becoming prettystandard and common, and of
course, course, then you talkabout large cities, right, but
the key really is thisconvergence.
If I then turn a little bitaway from specific products
we've been talking about, Ireally want to just have a
further few questions with youaround cybersecurity leadership.
Obviously you play asignificant role within Fortinet
(24:27):
.
You have the benefit ofassessing new products and
everything like that.
What are some of the principlesthat guide you in your approach
to product management and fieldleadership at Fortinet?
Jack Chan (24:36):
Very good question.
I think, from a productstrategy perspective, fortinet
always have like two options weeither build our own because
we've got enough developers with60 products, or we look at what
technologies are out therewhich are new and shiny and we
acquire it.
So we actually do both.
So, ken and Michael, I guesstheir philosophy around running
(24:59):
a company is, hey, we build whatmakes sense and we acquire what
makes sense.
So, with recent acquisition ofLacework and NextDLP, that will
give us additional age.
Yes, that will give usadditional age, and as a
technology vendor, it's almoston a bleeding age, because you
are supposed to be the mostinnovative solution provider out
there, right?
So I think the great thingabout Fortinet is we have lots
(25:21):
of broad range of technology.
Just look at our share priceover the last 20 years, I
actually joined the companybefore IPO and we actually
halved the price of our sharesand double the shares twice,
right.
So I guess we must be doingsomething right in order for
that to happen.
So I think this technology cyclewill continue.
(25:42):
I mean, of course, firewall westill sell a lot of firewalls
nowadays but the way it'sevolved to SD-WAN and SASE and
now with the different cloudsecurity solution, secops
solution, I think, yeah,fortinet has just changed over
the last 20 years.
Michael van Rooyen (25:57):
Yeah, yeah, 100% right, and it's been timely
.
What the markets needed, how wewant to secure this digital
lifestyle, that would that welive right.
So it's really moving into that.
That.
That and at heart, really,fortinet is still an engineering
company, right?
I know some fortinet.
People don't like me saying thatbut realistically, you are a
real engineering company, yeah,and that's why you're having a
(26:18):
success and being able todevelop that.
And one of the key insights Igot in April at Accelerate in
the US was you've been limitedon acquisitions because you
don't want to break the corefundamentals right.
So it's tempting to buy lots oforganizations, but really you
want to think about what itmeans to the software base, the
code, the reliability, yeah verygood point.
Jack Chan (26:36):
Like when Fortinet acquired our company, we
actually try very hard tointegrate it into our security
fabric and that is not just kindof vendor chat speeding, I call
it.
But if you look at historically, hey, when we acquired Maroo
for Wi-Fi, when we acquiredExcelOps, which becomes Fortisim
, and Silo becomes our EDR, andall of these data lakes are
starting to talk to each otherand the same will happen with
(26:58):
Lacework and NextDLP, right?
No, we're not a type of companywho will buy something and just
fold away the technologybecause they're a competitor.
So we try to really integrateit into our fabric and provide
some useful scenarios and usecase for our customers.
Yeah, great, and one of theideas, statistics-wise, if you
look at our patents, we are likeyou said, we're a very
(27:18):
engineering-orientated company.
Our patents are probably likethree times as a competitor and
we award I think there was apresentation from a telco team
which two of the field engineershas got patents and we actually
award innovative ideas withinFortinet and that really drives
the culture in the vendor world.
You know to be more, I guess,quoted superior.
(27:40):
Also, I think we share the samementality with our partners, you
know, and our partners are onclever people.
You know, selectively pick.
Hey, which vendor has thevision, has strategy to partner
with them?
And customers are clever peopletoo.
When I spoke to a lot ofcustomers in singapore,
basically I would tell them hey,of course you can pick the best
(28:00):
of breed of everything, butthen you you'll be end up like
the poor guys trying tointegrate all these best of
breed vendors together and thenwhy don't you leave it to the
vendor so that you can focus onbusiness?
And that's what actually thefortinet security fabric offers.
And while we pay big bucks formarketing to name products, but
we actually implement it in theproduct management philosophy.
So it's actually in our DNA.
Michael van Rooyen (28:21):
Yes, so is the heart of security is really
awareness and training, etcetera, et cetera, as we come
near the end of the session.
But can you explain to me ortell me how you help customers
foster a culture of securityawareness amongst employees and,
from a leadership point pointof view, how you really do that
to help in that area?
Jack Chan (28:39):
yeah, um, good question.
Actually.
Years ago I was actually I wasa CSC, issp guest speaker for
security awareness.
I still remember those days.
But to foster a culture ofsecurity awareness, 14 has
ramped up our certificationprogram, I think the last 10
years.
We realized the need so wepartnered with, like the US
(29:03):
retired army and also FortinetUniversity training programs
that we can roll up intertiaries across with our
partners and roll out this likenew shiny program for training
awareness, and we also gotproducts that are specific in
this area, like FortiFish, like45, etc.
And then we are actually, yeah,using our products every day.
So maybe sometimes Iaccidentally clicked on a link
and michael might lock on mydoor and go why, jerry?
(29:24):
Why?
Michael van Rooyen (29:25):
did you do that?
Jack Chan (29:26):
so we constantly test our own solution.
It's super important, I think.
I think people from theheadlines, especially customers
and partners, and they dorealize the impact of a security
breach and how important thatthe most uncontrollable element,
yes, the human- yeah, of course.
Michael van Rooyen (29:42):
Of course.
That's where it all startsright so to some extent.
A couple final questions foryou jack um.
What advice would you giveemerging cyber security leaders
who want to make an impact orget into the industry to make an
impact?
Jack Chan (29:53):
wow, it's a very broad question question, but I
would say keeping up with thethreads, which is very
challenging.
If you go to 40guardcom, ourfriend research center,
fortunately, try to make it easyfor customers.
Hey, we waited out all thethreads so that you don't have
to do all that type of job.
Keep up with the emergingthreads and know what the
(30:14):
weakest link is.
Years ago I presented at RSA,us where I show a scanning or
hacking of a IoT camera.
Of course we can see what thecamera sees, but it was used as
a scanning platform for the restof the network.
So in that particular case,your weakest link is actually
not the human, it's actuallyyour device that talks out to
(30:35):
the internet, your camera.
It might be secure now, but thenext minute someone does
something silly and your networkmight not be secure anymore.
So, keeping up with the threads, the latest hacks and how a
vendor approach, a use case, Ithink that's quite important,
but that will kind of show youwhere the cybersecurity area is
heading.
Michael van Rooyen (30:54):
And if you're able to share what's
Fortinet's long-term goals inthe APAC region and what
exciting developments can weexpect from yourself and the
team?
Jack Chan (31:02):
Yeah, so I guess, apart from the two acquisitions,
I think in the next year or sowe'll try very hard to integrate
those as a standalone offering,as well as information for the
customers to implement, and ofcourse this offers great
opportunities for partners andend users to adopt and try new
solutions.
Michael van Rooyen (31:19):
That's pretty much what we'll be
focused on in the next year orso, Right right and sticking
with your core stitching, whichis fortifying people's
environments right, fortifyingnetworks, fortifying.
You know the picture betterthan me and look.
Finally, one of the questions Ilike to ask all participants in
the podcast is tell me aboutthe most significant and it
doesn't have to be specifically14-year-old related technology
(31:40):
change or shift you've seen orbeen involved with during your
career.
Jack Chan (31:44):
Yeah, I think I mean, apart from cybersecurity, you
know the use of devices or AI,right?
I think a good example is likemy son.
We do some charity, freecoaching of sports etc.
And when I asked him to come upwith some junior development
plan, the first thing he did ishe typed a question in ChatGDP
(32:06):
and that was his coachingprogram.
So I think that the generationsjust grow up with different
technologies now and the waythey use it.
I would call my friends and theGeneration Z.
They will ask things onFacebook.
The Facebook is used by unclesand aunties now.
Right, the next generation willuse chat GDP and who knows
what's next?
Right, in the next five years,we're probably just at the
(32:27):
beginning of this generative AI.
When our kids' generation growup, a few jobs might be replaced
and let's see what jobs areleft out there for us to do.
Michael van Rooyen (32:36):
Yeah, absolutely Couldn't agree with
you more.
Well, that's really it fortoday, jack.
So, look, I really appreciatethe time.
Thanks for the insights andappreciate it again.
Jack Chan (32:45):
No problem.
Thanks for having me.
No problem, thanks.
It might be secure now, but the next minute someone
does something silly and yournetwork might not be secure
anymore.
Michael van Rooyen (00:08):
The most uncontrollable element the human
Today I have the pleasure ininterviewing and having a chat
with Jack Chan, who is the VicePresident of Product Management
and the Field CTO of APAC forFortinet.
We're just going to talk allthings cyber, converged networks
, new technologies andeverything else, jack.
(00:29):
Welcome to today.
Before we get started, do youmind sharing a bit about your
background in the industry andwhat led you to your current
role as VP of Product Managementand field CTO of APAC for
Fortinet?
All right, thanks for having me.
Jack Chan (00:40):
I guess, first of all , at a personal level, I'm a
Kiwi, I work in the APAC regionand secondly, I think I've spent
18 years in Fortinet.
Now I'm not saying HR will bepleased about that, but before
that I was.
Actually.
I've got quite a bit oftechnical background.
I was working in resellerdistribution.
What brought me to Fortinet wasI actually worked as a
NetScreen trainer.
Oh wow, NetScreen trainer oh,wow, before that.
(01:02):
So you know the story how can?
And michael, our founder, andcto, found the net screen, yes,
and then sold the juniper andthen came out find the fortinet.
So a bit of legacy sort ofthere, the whole firewall story
and how fortinet has evolved towhere we're now.
So I looked after three regionshong kong, new zealand,
australia, new zealand and nowI'm in a global role.
Michael van Rooyen (01:21):
Few products in the product management group
wow, wow, that's's a bit of ahistory and certainly always
been security related, right?
You're luckily one of thesethat's had the opportunity to be
doing.
You know, used to be calledinformation security and now
obviously cybersecurity, butyou've been doing it before it
became cool, right, you've beendoing it for a long time.
Correct, everybody thinks it'scool now, but it's been around a
long time, been part of history, so that's great context.
(01:42):
So you've seen a lot of changeover the years.
Then, as someone who is out inthe field, as a CTO and
obviously looking at products etcetera, what are the most
significant technology trendsthat you're currently seeing in
our cybersecurity landscape, andmaybe particularly in the APAC
region, because obviously youhave a global view, but maybe
more specifically around APAC?
Jack Chan (02:00):
Yeah, sure, I think I mean over the last what 20
(02:27):
years?
I think we've seen theexplosion of technology in
general.
I mean everyone knows thatwe're surrounded by over 60 plus
solution, that anything youthink about osi layer, anything
from layer 2 to layer 7, wepretty much have a solution for
and after covert and use ofcloud, you know, we see highly
remote workforce needing toaccess highly distributed
resources, right.
So that drives some of oursolutions and, of course, the
(02:49):
never-ending evolving landscape.
I was also the spokesperson forFortiGuard, our R&D security
arm, so I've seen how, I guess,threats has evolved over time.
To give you an idea of scalelike 20 years ago we used to
have probably 200,000 malwarearchived from the 18th century,
but now, net new, we'll probablyhave 200,000 net new malware
(03:11):
per day that we do not detect.
So what that means is, ofcourse, everything's automated,
with training of new networks,writing signatures and rolling
out to our global customersmillions of devices and
signatures out there.
So yeah, it's just scaledexponentially.
Michael van Rooyen (03:28):
Yes, so you touched on and I've been to a
few Fortinet events this yearinternationally and obviously
we're catching up at Fast andSecure in Sydney today.
But there's a lot of discussionabout converged network and
security.
Fortify Network is obviouslywhere the Fortinet name came
from and the explosion ofdevices.
Are those the biggest trends orare some of the other trends
(03:48):
you're seeing around OTconvergence, like what are some
of the field discussions you'rehaving with customers in the
software trend?
Jack Chan (03:55):
Oh for sure, OT is definitely a big trend and
Fortinet has quite biginvestment apart from the
convergence network security andalso in the OT world.
So we actually start to buildsolutions that are OT specific
because traditionally it hasbeen quite separated right.
We all know that OT and let'stalk about IoT.
You can't really installendpoint sort of software on
(04:16):
these OT or even legacy devices,so you got to have different
ways to surface attack, likelooking at the network data or
looking at anomaly.
The PLC water pump usuallymight be on value five, right,
but suddenly it says to valuenine.
It's not necessary in attack,but it's definitely anomalies
that you want to pick up.
(04:36):
And a lot of these solutionsthe analogy I use is like sea of
information and you're justtrying to pick a needle out of
it right.
Which is difficult.
So how can you manage all thisdata lake and service the right
information at the right time tothe users, that is?
Michael van Rooyen (04:51):
the challenge we all face, of course
, of course, yeah, just the massconsumption of data, logging,
et cetera.
And if I think about yourheritage there, talking about
way back to NetScreen and beendoing it for a long time and
what you're talking to a lot ofcustomers about is, how have the
cyber threats evolved over thepast few years and what new
challenges are organizers facingin this area?
(05:12):
Yeah, I mean, I spoke about themalware context.
Jack Chan (05:15):
Right, you know it's still, if you look at, I mean,
everyone's probably bored withransomware, but you know it's
still a very profitable industry.
Why are there still those scamcalls, phishing links around?
It's because it's kind ofevolved into its own industry.
Right, and with the use ofmachine learning AI, I mean,
it's almost like a battle of thegood and the evil.
While the hackers are, I mean,everyone's lazy, you know they
(05:42):
will use the machine learning AIto assist with the attack.
Right, including deepfakes andbusiness email compromise, and
the vendors, the good guys, thewhite hats we will also use
machine learning AI to combat,right.
So it's an evolving game andwhat I tend to educate the users
or customers I speak to is youreally need to look at what is a
usable threat intelligence.
(06:03):
People behavior changes whenyou have different threat intel.
Right, if I'm going to tell you, hey, what five steps, you're
going to fall in a hole.
You won't walk those five steps, right?
So threat intel is actuallyquite important and most
organizations almost have silosof threat intel.
So I guess the Fortinet way ishey, why don't you leave that to
(06:23):
Fortinet?
We will wait and we willbalance out all this for Intel.
So you focus on your corebusiness, whether it's banking,
airline or whatever you guys do,and leave the hard work to the
vendor.
Michael van Rooyen (06:35):
Yeah, fair enough, and I was reflecting and
I'm sure in the sessions youwere representing they called
you out during one of thesessions and the presenter was
talking about that there's aperception of it being so much
more intelligent or so much morehigher type of attack, but it
turns out that's not actuallyreally the case.
Based on the data you guys aresaying, it's actually still very
basic security that people aremissing, but basic lessons
(06:58):
learned.
Is that the education partyou're talking about, Correct?
Jack Chan (07:01):
I think with the use of AI, deepfakes, social media,
the entry point is kind of stillthe same.
The hackers might use themachine learning AI in this area
, but it doesn't differ from thefact that you're still looking
at accessing to information andthat information is harder now
to protect because it can resideon on-prem, it can reside on
(07:22):
someone's laptop, it can residein the cloud.
It makes companies difficult toprotect all this information
and it's very fluid.
The information flowseverywhere.
If you look at the three goalsof any IT security solution is
you want to keep it simple, fast, speed and secure.
So the three S right.
But it's almost like a tug ofwar.
(07:42):
You pull one direction and youlose the other two, like maybe
you want more security, but then, oh, it's not so simple and not
so fast anymore.
But there are some technologieslike 40 sassy or secure ssa
which, when you balance it right, you can probably get all three
.
You can probably win of course.
Michael van Rooyen (07:59):
Of course, and just if I think about, then,
the shift to, to remote andhybrid working, because that's
we all talk about return to workand all that, but we're still
seeing this as a hybrid world.
Right and security, then, hasbeen a challenge, as you touched
on before about workloadseverywhere, data everywhere,
information everywhere.
What impact has this had?
Jack Chan (08:28):
Have you seen, if I think, traditional model coming
back from the heritage firewalls, central location, central way
to control it, with now thespread everywhere, how
organization security strategychanging and how they're
adopting to towards that, fromwhat your discussions have been?
Yeah, yes, very good question.
I mean I touch on um remote.
After covid and explosion ofcloud technology, right,
companies need a cloud nativeway to control access to, yeah,
data.
So I'm a traveling employee.
You know, I was in differentcountries every month really.
But when I bring my laptop towork and I have the, now, with
(08:49):
the secure SSH, I have theability to access critical
finance system or whateverimportant application I need
access to, without connecting todifferent VPNs.
Probably like five, 10 yearsago, not long ago, you'll be
okay, I need to access thisapplication.
Let's connect to Europe orlet's connect to US.
So the world has quicklychanged.
(09:10):
Secure SSH has kind of becomequite important and Fortinet has
invested with our partners inthat technology area.
Michael van Rooyen (09:17):
Right, right , which really leads onto a
great topic of zero trust, right?
So we know that the US isdeploying at presidential level
this kind of zero trust right?
So we know that the US isdeploying at presidential level
this kind of zero trust mandate.
We know the big hyperscalershave been built for zero trust
for a long time.
That's kind of top down.
We know that today there was adiscussion around from the user
up point of view and from theapplication device point of view
.
So zero trust is obviously abig topic, right, and it's a
(09:39):
long journey.
It's not something you can justturn on tomorrow.
I'm keen to see in yourdiscussions what people are
thinking about zero trust, whereyou think we are in the
maturity cycle of that and kindof what else we need to do
towards approaching zero trustand the adoption of that, or at
least implementation.
Jack Chan (09:54):
Yeah, I mean, vendors almost abuse the word zero
trust they do.
But I mean, I'll boil it downto really simple messaging.
It's really around need to know, right From a device and a user
perspective.
And Fortinet has actually beenthrough this journey, rolling
out Zero Trust ourselves, right.
So Fortinet is a relatively bigcompany now.
(10:16):
We actually ship half of thefirewalls around the world and
we've got like 13,000 employeesworldwide and we journey from
six months to a year.
We've rolled out the secure SSHwith the zero trust architecture
, but what that really means isthat people, laptops and users
will only need to access whatthey need to, right, and we do
(10:36):
constant posture check on thedevices.
Like I'll bring my laptoparound that's my core working
device, right, but before, oh,maybe CISO or the CEO might go.
Oh, I want to access that on mycore working device, right, but
before, oh, maybe CISO or theCEO might go, oh, I want to
access that on my iPhone, butsorry, now because your device
is not trusted, no, byod, sorry.
And then you need to accessthis application from your
laptop and that's really asimple example of how Zero Trust
(10:59):
works.
And when Fortinet rolled it out, we took stages.
We don't roll it out likeglobally, like no, hey, everyone
needs to switch now becauseyou're affecting user behavior,
which is quite important.
So you always start small, afew applications, a small bunch
of users.
After success, mis gets used toit and then you start gradually
rolling it out, yes, yes.
Michael van Rooyen (11:18):
Now, I did do a session with one of your
counterparts, carl Windsor,earlier in the year and we
talked a lot Gateway.
Do you want to just, at a veryhigh level, just explain for
those who haven't heard that, orgetting familiar with these
technologies, what SASE, secureAccess Services, edge and Secure
Web Gateway are and why they'reessential today just as part of
(11:40):
that cyber environment orarchitecture?
Jack Chan (11:43):
Good question.
So we spoke a little bit aboutthe Secure SSH.
There are some companies I wasactually in Singapore like two
weeks ago and there were stillbig companies, finance companies
that will use this secure webgateway like local proxy, maybe
due to compliance reasons.
Most of the VLE very largeenterprise still thinks, hey, if
(12:03):
I have a single point ofinternet access that prevents me
attack, I can check all thedata, et cetera.
But events may attack.
I can check all the data, etcetera.
But with the cloud nativetechnology, often it's almost a
challenge with enterprise.
Now it's like, okay, should Iproxy everything through a local
proxy or should I just trustthe cloud and send it off there?
And how do I control thistechnology?
(12:25):
It's almost like a push andpull.
Now it will be quiteinteresting what happens in the
next five years.
You know with okay, is SWGgoing away?
Is everything just going to SSH?
Michael van Rooyen (12:36):
right, it will be very interesting to see
how the organizations will adoptto the adoption of the
technology of both.
Yeah, look, and that's a goodpoint, and I think what we're
seeing with customers and againI'd be interested to see what
you're seeing across the APACregion, which our opinion is,
our organization is all aboutsecuring client to cloud right,
which is really a good way toboil it down.
But if you haven't reallydeployed SD-WAN today, there's
no point.
Well, of course, sd-wan isfundamental to it, but but you
(12:57):
should be having a SASEdiscussion, right, it shouldn't
be that pointed SD-WANdiscussion.
Jack Chan (13:01):
It should really be a SASE discussion and then SD-WAN
just forms part of thatdiscussion yeah, absolutely
correct, because I thinkFortinet has quite a unique
foundation, you know, because westarted from the firewall and
then we built SD-WAN, sort ofquoted free features, and then
that will evolve to a SASE,versus some pure plate SASE
plate who say, hey, sase is allyou need, send everything to the
cloud, trust us, no, we don'twant customers' investment to go
(13:25):
away.
Right, your investment in thecurrent firewall infrastructure,
sd-wan and on your endpoint.
All that will be translate andalmost kind of quote-unquote
migrate you to the SaaSinfrastructure.
Michael van Rooyen (13:36):
So very good point Are there some common
challenges that organisationshave been facing when looking at
integrating or deploying SaaSor Secure Web Gateway, and have
they overcome these or have youengaged them to overcome those?
Jack Chan (13:50):
I think I spoke about how Fortinet actually deployed
some of these internally.
Actually, michael C, ourfounder, has a directive and go
hey, why don't we talk about ourown story of how we actually
rolled out, like SESI and SD-WAN, globally with 13,000 users and
a couple of thousand, like8,000 endpoints or whatever it
is, and we took on the journey.
(14:11):
It's almost six months to ayear.
I mentioned we started small,you know, with a couple of users
called guinea pigs, a couple ofcritical applications, put them
behind the chassis and then MIsget used to their technology so
they're comfortable managingthe volume of support, and then
you gradually roll this outBasically now, scale-wise,
(14:31):
basically any city you can nameworldwide will have a Fortinet
presence in there, right Apartfrom a few countries, and
everyone is on the Zero Trustand SASE architecture.
And now I guess MIS can have afew good sleeps.
They don't need to manage a lotof IPsec, ssl, vpn and sitting
(14:52):
in the cloud, and the technologyis scalable in nature.
Michael van Rooyen (14:56):
You're not bound to a hardware device and
because it's cloud-nativetechnology, we can implement the
stack just exponentially growit based on the user's needs,
right right and there's so manyoptions, we haven't really seen
the outcome of SASE deployment,if I think alone just about even
secure private access right forOT being able to remotely get
(15:17):
into those environments usingthat.
Secure private access is kindof one common use case we're
solving really solve the remoteaccess challenge.
So while SASE has been aroundfor a couple of years from a
Gartner framework point of viewand we're seeing a lot more
adoption in that, I just want topivot a little bit, knowing
that you're really focusing onproduct management and those
components of the Fortinetfamily.
But what emerging technologiesdo you believe will
(15:39):
significantly impactcybersecurity over the next few
years?
What do you think is going tochange our cyber?
Jack Chan (15:44):
landscape?
Yeah, no problem.
I think one good way to answerthis question is if you look at
the recent acquisition, so thatwill kind of reveal you a little
bit of what's on Michael C'sand Ken's mind of where the
company is heading.
While we have our three pillarsof secure networking
alternative firewall, switching,routing, access point we have
the user success and then now wehave the security operations.
(16:06):
But recently we've acquired twocompanies.
But recently we've acquired twocompanies.
The first company is Lacework,which focuses on cloud security,
posture management, cspm, somepeople call it CNAPP Cloud
Native Application Protection.
I hate acronyms, sorry.
And then you work in the techindustry.
I know, I know Because in mypresentation just now I tried to
(16:27):
explain every acronym, notassuming the audience
understands it.
That's a fair point.
And then the company that wecompleted acquisition about only
two or three weeks ago wasNextDLP, nextdlpcom.
So it's to do with data leakage.
Basically, if you think aboutour traditional security, from
security operations to SASEcloud, and we're adding the
(16:47):
cloud native security on topbecause organization now uses a
lot of cloud, whether it'sGoogle, azure, aws, even Alibaba
in Asia.
Right, there needs to be a wayto.
It's almost like an overlay andgo hey, how is my cloud
security posture looking at Forthe SecOps great opportunity for
partners to sort of addadditional services so they can
(17:10):
add it to like your existing SOCservices yes, and also look at
insider threats data leakageusing machine learning, ai
that's what Next DLP is about.
But if you think about thefuture, fortinet's got all these
technology that we can mix andmatch and combine.
It puts us in a really uniqueplace because we're not a pure
play.
Michael van Rooyen (17:29):
So to use and utilize all these data lakes
, yeah, yeah yeah, right, right,and you've touched on the AI,
machine learning, which isobviously a big focus and and
some of these acquisitions helpdrive that strategy and, if we
think about this, the additionalamount of consumption of these
logs and data and AI obviouslyreally helps us get through that
data.
How vital is the threatintelligence in today's cyber
(17:50):
landscape and how are you guysintegrating into those solutions
to really leverage thatfootprint you've got at
FortiGuard's research center?
Jack Chan (17:58):
Yeah, correct, I mean if you think about how Fortinet
uses machine learning AI.
I mean we're almost separateinto three areas where we roll
out different services to ourproducts and, of course, we've
got the product AI as well.
An example will be networkdetection response, where we
collect a lot of networktelemetry data and a client
recently in the US it was quiteinteresting use case.
(18:20):
They wasn't using like NDR fordetecting attacks, they were
actually using it down to huntdown BitTorrent clients on
network.
I was like, okay, okay, fine,this is a good way to use the
solution, not bad.
And NDR is probably the firsttype of solution where they
because we're collecting a lotof data and we're using machine
learning AI to harvest theattack.
(18:40):
An example which I just gave inthe Fast and Secure event is,
for example, fortinet is keepingtrack of all the botnet IPs and
bad IOCs out there in the world.
So we can build models thatwill look like oh, to this
botnet network or to thisransomware IOC phishing link.
It will have time to live, itwill have a number of packets
beginning interviews.
So we feed all that intomachine learning and go oh,
(19:02):
here's the model of whatmalicious traffic looks like.
Hackers are not dumb.
They will use DGAs to generatethousands of domains, spin up
something on Azure new IPaddress that no one detects in a
C2, right.
But if it matches that profileof beginning interview time to
live number of packets et cetera, we kind of know it's kind of
(19:23):
bad traffic, right.
So that's one model of how weuse, like, ai, machine learning
in a product, right?
The third part is degenerativeAI Think open chat GDP on
Fortinet products.
Just think about thepossibility we want to reduce
the expertise required to runand operate these solutions.
(19:43):
So even if you hire juniorengineers, which you pay them
less, and then they can interactwith the solution and type in
using LLM models, large languagemodeling and go, hey, have I
got an outbreak in this area?
Yes, how do I build the bestSD-WAN out of these Fortinet
technologies?
Right?
That's kind of the three areaswhere Fortinet is invested and
heading towards Right right.
Michael van Rooyen (20:04):
So that's a real reduction in time to
resolve, time to find the rootcause.
And I think the big step hereis those tools are so powerful.
It's really come down to thehygiene and making sure people
are seeing all the logs to it.
It needs the best data sourcefor that right.
So it's fascinating.
I think we haven't even seenmany of the use cases.
Jack Chan (20:20):
Too many.
If I'm honest, I think we'restill at the beginning of
tapping into the gold mine ofinformation, right?
I agree?
I mean you mentioned surfacingof attacks Most of the time, not
just Fortinet, with everyvendor solution it can detect,
but it's just been flooded withother logs that you could not
see, you know.
So part of the I guess the AIpromise quoted is to kind of
(20:42):
surface the important elementsof what is important for you so
you can actually imagine feedingand training the AI to go.
This is important to me.
I look at this every day.
It changes my behavior, itchanges my decisions and the
solutions should eventually I'mtalking about like quite future
here so eventually learn what isimportant to that user, whether
it's a size or the soft analyst, right, so to service the
(21:04):
information to them.
Michael van Rooyen (21:05):
Yeah, yeah, yeah, great.
And if I think, I think aboutsmall, medium, medium
enterprises right, soenterprises, government have
obviously much bigger resourcesand ability to put cyber in, but
SMEs have generally got alimited resource pool to do that
.
Have you got any suggestions orhow you work with customers on
solutions for SMEs to kind ofprotect themselves without the
human power law?
(21:26):
How do I help in that area?
Jack Chan (21:28):
Great question, I guess.
First, fortinet has got quite agood strategy to tackle SMEs.
So first, I mean we run thesame operating system from our
desktop firewall, which is thesize of a laptop, to our
firewall, which can tacklethousands of users, and, of
course, our trusted partner.
We give them a lot of room tobuild services to serve the SME
(21:52):
market.
So you can either rely on thepartners and Fortinet has also
got a service.
Basically it means eyes andears on your logs so that SMEs
don't need to hire engineersovernight to look at the logs.
So I think that that's kind ofwhere Fortinet will help and
differentiate with our partnerscommunity and also what Fortinet
offers.
Michael van Rooyen (22:13):
And look, one of the common themes this
year has been very much againwhy Fortinet exists is around
the evolution of securitynetworking or secure networking,
or there's many ways to saythis but especially increasing
the adoption of cloud andinternet of things.
How do you see that landscapeevolving around the convergence?
Do you see customers reallyadopting the convergence?
Do you think it's still a bitof a trial?
My feeling is and I was sayingthis this afternoon is that the
(22:35):
IT industry generally has alwaysbeen very siloed.
We're always doing an upgradeof a particular service, which
is why we're out of sync, right,so it's very rare you get a
customer who does an end-to-endplay.
Obviously, the end-to-end playis there from seeing the same
sort of life cycle, or how doyou see this convergence really
playing out?
Jack Chan (22:50):
yeah, I've answered this question in two contexts.
Sure, on a small scale, like onmy home 40k of course I run a
40k, right, to block my kidsgames.
Apart from that, um, you know,we've got so many iot devices.
Man, look at my firewall scope.
What is this mac address orhidden mac address that's
connecting to to it?
Is it my xiaomi, like homevacuum, that's trying to connect
(23:11):
to the internet?
Right, that's the small scale.
Right, on the larger scale ofIoT, I was in Singapore two
weeks ago, as I mentioned.
We're talking about smart cities.
Smart cities need smart IoTs,right?
And we are talking about thescale, with thousands or tens of
thousands of devices needingnetwork access, connecting to
(23:31):
URLs or the vendor's URL.
How do you maintain the patchesand security for those?
Well, you think about that.
It really creates a bigheadache, right?
You think about the securitymanager or the network manager
on the smart city and they go oh, I've got, I don't know, just a
couple of hundred devices, oneaccess to the internet.
What are these devices?
What OS do they run?
Who do they need to connect to?
(23:53):
So that's why we have differentsolutions, like next solutions
or automatic approvals, and, andall these solutions to tackle
anything as small as my home.
Yes, to aspect as like a smartcity.
Yeah, of course of course.
Michael van Rooyen (24:04):
What's the statistic I read recently?
Most homes are kind of 30 plusto 60.
Devices is becoming prettystandard and common, and of
course, course, then you talkabout large cities, right, but
the key really is thisconvergence.
If I then turn a little bitaway from specific products
we've been talking about, Ireally want to just have a
further few questions with youaround cybersecurity leadership.
Obviously you play asignificant role within Fortinet
(24:27):
.
You have the benefit ofassessing new products and
everything like that.
What are some of the principlesthat guide you in your approach
to product management and fieldleadership at Fortinet?
Jack Chan (24:36):
Very good question.
I think, from a productstrategy perspective, fortinet
always have like two options weeither build our own because
we've got enough developers with60 products, or we look at what
technologies are out therewhich are new and shiny and we
acquire it.
So we actually do both.
So, ken and Michael, I guesstheir philosophy around running
(24:59):
a company is, hey, we build whatmakes sense and we acquire what
makes sense.
So, with recent acquisition ofLacework and NextDLP, that will
give us additional age.
Yes, that will give usadditional age, and as a
technology vendor, it's almoston a bleeding age, because you
are supposed to be the mostinnovative solution provider out
there, right?
So I think the great thingabout Fortinet is we have lots
(25:21):
of broad range of technology.
Just look at our share priceover the last 20 years, I
actually joined the companybefore IPO and we actually
halved the price of our sharesand double the shares twice,
right.
So I guess we must be doingsomething right in order for
that to happen.
So I think this technology cyclewill continue.
(25:42):
I mean, of course, firewall westill sell a lot of firewalls
nowadays but the way it'sevolved to SD-WAN and SASE and
now with the different cloudsecurity solution, secops
solution, I think, yeah,fortinet has just changed over
the last 20 years.
Michael van Rooyen (25:57):
Yeah, yeah, 100% right, and it's been timely
.
What the markets needed, how wewant to secure this digital
lifestyle, that would that welive right.
So it's really moving into that.
That.
That and at heart, really,fortinet is still an engineering
company, right?
I know some fortinet.
People don't like me saying thatbut realistically, you are a
real engineering company, yeah,and that's why you're having a
(26:18):
success and being able todevelop that.
And one of the key insights Igot in April at Accelerate in
the US was you've been limitedon acquisitions because you
don't want to break the corefundamentals right.
So it's tempting to buy lots oforganizations, but really you
want to think about what itmeans to the software base, the
code, the reliability, yeah verygood point.
Jack Chan (26:36):
Like when Fortinet acquired our company, we
actually try very hard tointegrate it into our security
fabric and that is not just kindof vendor chat speeding, I call
it.
But if you look at historically, hey, when we acquired Maroo
for Wi-Fi, when we acquiredExcelOps, which becomes Fortisim
, and Silo becomes our EDR, andall of these data lakes are
starting to talk to each otherand the same will happen with
(26:58):
Lacework and NextDLP, right?
No, we're not a type of companywho will buy something and just
fold away the technologybecause they're a competitor.
So we try to really integrateit into our fabric and provide
some useful scenarios and usecase for our customers.
Yeah, great, and one of theideas, statistics-wise, if you
look at our patents, we are likeyou said, we're a very
(27:18):
engineering-orientated company.
Our patents are probably likethree times as a competitor and
we award I think there was apresentation from a telco team
which two of the field engineershas got patents and we actually
award innovative ideas withinFortinet and that really drives
the culture in the vendor world.
You know to be more, I guess,quoted superior.
(27:40):
Also, I think we share the samementality with our partners, you
know, and our partners are onclever people.
You know, selectively pick.
Hey, which vendor has thevision, has strategy to partner
with them?
And customers are clever peopletoo.
When I spoke to a lot ofcustomers in singapore,
basically I would tell them hey,of course you can pick the best
(28:00):
of breed of everything, butthen you you'll be end up like
the poor guys trying tointegrate all these best of
breed vendors together and thenwhy don't you leave it to the
vendor so that you can focus onbusiness?
And that's what actually thefortinet security fabric offers.
And while we pay big bucks formarketing to name products, but
we actually implement it in theproduct management philosophy.
So it's actually in our DNA.
Michael van Rooyen (28:21):
Yes, so is the heart of security is really
awareness and training, etcetera, et cetera, as we come
near the end of the session.
But can you explain to me ortell me how you help customers
foster a culture of securityawareness amongst employees and,
from a leadership point pointof view, how you really do that
to help in that area?
Jack Chan (28:39):
yeah, um, good question.
Actually.
Years ago I was actually I wasa CSC, issp guest speaker for
security awareness.
I still remember those days.
But to foster a culture ofsecurity awareness, 14 has
ramped up our certificationprogram, I think the last 10
years.
We realized the need so wepartnered with, like the US
(29:03):
retired army and also FortinetUniversity training programs
that we can roll up intertiaries across with our
partners and roll out this likenew shiny program for training
awareness, and we also gotproducts that are specific in
this area, like FortiFish, like45, etc.
And then we are actually, yeah,using our products every day.
So maybe sometimes Iaccidentally clicked on a link
and michael might lock on mydoor and go why, jerry?
(29:24):
Why?
Michael van Rooyen (29:25):
did you do that?
Jack Chan (29:26):
so we constantly test our own solution.
It's super important, I think.
I think people from theheadlines, especially customers
and partners, and they dorealize the impact of a security
breach and how important thatthe most uncontrollable element,
yes, the human- yeah, of course.
Michael van Rooyen (29:42):
Of course.
That's where it all startsright so to some extent.
A couple final questions foryou jack um.
What advice would you giveemerging cyber security leaders
who want to make an impact orget into the industry to make an
impact?
Jack Chan (29:53):
wow, it's a very broad question question, but I
would say keeping up with thethreads, which is very
challenging.
If you go to 40guardcom, ourfriend research center,
fortunately, try to make it easyfor customers.
Hey, we waited out all thethreads so that you don't have
to do all that type of job.
Keep up with the emergingthreads and know what the
(30:14):
weakest link is.
Years ago I presented at RSA,us where I show a scanning or
hacking of a IoT camera.
Of course we can see what thecamera sees, but it was used as
a scanning platform for the restof the network.
So in that particular case,your weakest link is actually
not the human, it's actuallyyour device that talks out to
(30:35):
the internet, your camera.
It might be secure now, but thenext minute someone does
something silly and your networkmight not be secure anymore.
So, keeping up with the threads, the latest hacks and how a
vendor approach, a use case, Ithink that's quite important,
but that will kind of show youwhere the cybersecurity area is
heading.
Michael van Rooyen (30:54):
And if you're able to share what's
Fortinet's long-term goals inthe APAC region and what
exciting developments can weexpect from yourself and the
team?
Jack Chan (31:02):
Yeah, so I guess, apart from the two acquisitions,
I think in the next year or sowe'll try very hard to integrate
those as a standalone offering,as well as information for the
customers to implement, and ofcourse this offers great
opportunities for partners andend users to adopt and try new
solutions.
Michael van Rooyen (31:19):
That's pretty much what we'll be
focused on in the next year orso, Right right and sticking
with your core stitching, whichis fortifying people's
environments right, fortifyingnetworks, fortifying.
You know the picture betterthan me and look.
Finally, one of the questions Ilike to ask all participants in
the podcast is tell me aboutthe most significant and it
doesn't have to be specifically14-year-old related technology
(31:40):
change or shift you've seen orbeen involved with during your
career.
Jack Chan (31:44):
Yeah, I think I mean, apart from cybersecurity, you
know the use of devices or AI,right?
I think a good example is likemy son.
We do some charity, freecoaching of sports etc.
And when I asked him to come upwith some junior development
plan, the first thing he did ishe typed a question in ChatGDP
(32:06):
and that was his coachingprogram.
So I think that the generationsjust grow up with different
technologies now and the waythey use it.
I would call my friends and theGeneration Z.
They will ask things onFacebook.
The Facebook is used by unclesand aunties now.
Right, the next generation willuse chat GDP and who knows
what's next?
Right, in the next five years,we're probably just at the
(32:27):
beginning of this generative AI.
When our kids' generation growup, a few jobs might be replaced
and let's see what jobs areleft out there for us to do.
Michael van Rooyen (32:36):
Yeah, absolutely Couldn't agree with
you more.
Well, that's really it fortoday, jack.
So, look, I really appreciatethe time.
Thanks for the insights andappreciate it again.
Jack Chan (32:45):
No problem.
Thanks for having me.
No problem, thanks.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy And Charlamagne Tha God!
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.