(upbeat music) >> Welcome back to Fal.Con 22. We're here at the ARIA hotel in Las Vegas. We're here in Las Vegas, a lot. Dave Nicholson, Dave Alante. Fal.Con 22, wall to wall coverage, you're watching theCUBE. Anthony Kunya is here. He's the chief information security officer at Mercury Financial. And he's joined by his deputy CISO, Alex Arengo. Welcome, gentlemen. >> Good to see you. >> Thank you very much. Good to be here. Thank you for the opportunity to speak. >> Yeah, so this is a great event. This is our first time being at the, a CrowdStrike customer event. We do a lot of security shows, but this is really intimate. We got a high flying company. Tell us first about, of Mercury Financial. What are you guys all about? >> Oh, that's a fantastic question. Let's leeway into that. So Mercury Financial is a credit card company that serves people who are near prime. So be it some kind of hardship in their life. They had something impacted, be a financial impact, maybe a medical impact, an emergency, something, a death family where somehow their credit was impacted. We give 'em the opportunity through our motto, better credit, better life, to build up that credit score to add livelihood to their ability to be financially stable. >> I mean, I think this is huge because you know, so many people it's like, okay, one strike and you're out. >> Right. >> You know, that's just not right. You got- >> No, not at all. >> You got to give people another chance. And so there's so much talent out there. I think about some of the mistakes I made, Dave, when I was a younger man, but- >> No comment. >> Right. So I heard a stat today that I thought was great. Did you guys see the keynote? >> Yes. >> Of course. >> So in the keynote, the, they did the thing at Black Hat but they said what's XDR and I thought- Anthony] Oh goodness. >> My favorite, and I'm not going to ask you what XDR is. >> Okay, good, thank God. >> But my favorite answer was a holistic approach to endpoint security. And, you know, I think as a CISO you have to take a holistic approach to a security- >> Of course. >> Okay. >> Maybe talk about, a little bit about how you do that. >> Wow, a holistic approach I would say and I could, I'll give you an opportunity to speak as well, but a holistic approach it's people processes in technology. So a holistic approach would be, it isn't one box that you check. It's not a technology that is a silver bullet that fixes anything. Those technologies, those services are implemented by people. So good training, our human firewall, the forefront of implementing those technologies to build those processes and incorporate people and a level of sincerity and integrity that we build. So I feel like a holistic approach is both cyber culture to build the cyber resilience program that we so dearly need. >> And I could spend all day talking about security organizations, SecOps, DevSecOps, data SecOps, et cetera, but, but Alex, how, what is your role as the deputy CISO? How do you compliment what Anthony does? >> I got to bring it all together, right? So technically, what are we putting in place? What are the requirements that these stakeholders have? Their needs, their wants. We all have something that we need and want in our environment as an employee, as a customer, as a stakeholder. How do do we get that to market? How can we get it there quickly? You know, and it's really about finding the partners that can get us there, right? That can leverage us, that can force multiply us. >> Yes. >> You know, give my people more time to get the work done, the good work. >> Right, the hard work, of course. >> So paint a picture. You know, we hear a lot about all the different, the bevy of tools, the, how complicated CISOs tell us all the time, that we just don't have enough talent. We're looking for partners to help us compromise, but paint a picture of your environment and how you guys use CrowdStrike. >> Oh, that's a good one. Do you want to take this one? >> Great one, right? I mean, we leverage CrowdStrike at every way we can. We're a Fal.Con complete customer. So they're an extension of our team. They're an extension of our SOC right? >> Yeah. >> We leverage them for many things. We leverage them to understand the risk in our environment. Where we're at in zero trust. How we can really bring a lot of the new processes that the business wants to market, right? How can we get there as fast as possible? Can we make it secure, right? I'm a Mercury card customer also. So I'm, I have a vested interested in that. And I like to drive that, that's, so it comes down to can you align your holistic approach, or your organizational goals and bring that to a really good security product that is world class? >> And I can add a little bit to that as well. So I look at it as a triangle. So we leverage Fal.Con complete as that first level, tier one triage, people who do and understand the product extremely well, we leverage them quite a bit. We also have a VSOC service that we have this like, consider tier two or the middle of the triangle, by Verse, right? >> Yeah. >> Fantastic boutique security company that just has been working with us year over year, innovation, strategic initiatives, always there to play. And then Alex Arengo, and the threat management team, is our top tier, that's tier three, that's the top of the pyramid. By the time it bubbles up to Alex, that's when the real work happens, everyone's triaging, collecting data, putting together pieces. And then Alex and his teammates, and people that he's trained, fantastic, comes and puts it all together and paints a picture so we can then take that information and describe it in layman's terms, simple terms, to the business, to make them understand the level of risk, what we have to do to get to, and through that attack, or that indication of compromise, et cetera, so that we can remediate it, rectify it. >> Right, it's building that security culture foundation, right? It's getting everyone to buy into that. >> Yeah. >> It's a holistic approach and it's really the best way to do it, right? You get bought in from the stakeholders understand what they need to do, and what the goals of the business are. And it really works really well >> We journey together. >> We build a program together. >> Dave, I think that that cultural aspect is critical. Cause I've said many times, bad user behavior trumps good security every time. >> Yeah, absolutely. >> Oh goodness. >> Every time. >> Nicely put, I like that. >> So, I know we're early in the week still, but we did have the keynote. Is there anything that you are hearing, in terms of vision, that peaks your interest specifically, and then also sort of the follow up question is, are you guys kind of like lifeguards who can't ever relax at the beach? >> That's why I have a deputy CISO. Well, nobody can take time off, we have to share this. Of course we do. Most definitely. What would you say would be the next, most innovative thing that were looking for? >> Yeah, what's the next big thing, as far as you're concerned? >> The next biggest thing is definitely building the relationships we have. As we bring in new technologies, we go even more Cloud native. How do we leverage that expertise, that of the partners that we're bringing on board like Zscaler, CrowdStrike, Verse, right? How do we make them a part of the team, and make them perform, bring that world class quality talent across the spectrum, you know, from DevOps to that security analyst, picking up the phone and saying, I'm not really sure what's going on, but there's a culture that's built there where everybody comes to the table to feed, right? We all eat together. >> The ecosystem. >> Yes. >> That is the tooling that we leverage day in and day out. That's how we sleep at night. We have to pick our partners. >> You know, we talked about the ecosystem up front, and you look around, you can see the ecosystem and it's growing. >> Yes. >> And I predict it's going to grow a lot more. >> Yes. >> That's, and it has to, right? I mean, exactly what you're saying is that no one company can do it alone. And we heard, you know, we heard, it is confusing. You hear CrowdStrike's doing Identity, but then they partner with Okta. Right, and they're here out on the floor. So that's what you guys need. Talk a little bit more about the importance of ecosystem and partnerships from your perspective. >> Oh I got a good one for this. So I use the metaphor of having a restaurant. So we run a restaurant really well. We know what we want in the menu. We have a chef, we know how we want to put together, but we need excellent ingredients. You make muffins well. Bring your muffin into the restaurant. That brings and builds that rapport. That I want the menu to be rich and empower people to come in and say, you know, I've never had scallops or octopus before, I hear you guys make it better than anyone else, well, our ingredients are fantastic. Therefore, no matter what we do when we present it, it's perfect, it's palatable. >> Yeah. That's great. You're not making ice cream, but you're serving it. >> I can't, if you ever want to show us. >> We're just converging our bakery, you know? >> Yeah, yeah, yeah, salt, salt is the key. >> We're just working the bakery part out, yeah. >> Okay, I want to ask you about Cloud because you know, in 2010, 2011, when you talk to a financial services firm, Cloud, no, that's an evil word, now everybody's Cloud first. George Kurts talks about how, I mean essentially CrowdStrike is dogmatic. We are Cloud native. We have a Cloud native architecture. I know Gartner has this term CNAP or Cloud native application platform. So what does the Cloud mean to you guys? How does it fit in? What does Cloud native architecture do for you? >> It lets us converge everything we've been talking about. How do we, you know, that's a really big struggle that all security teams are having at, having today. How do I converge threat intelligence? How do I converge the environment that I'm in? How do I converge the threat intel that's coming in, right? All this, you're getting, security teams are constantly on a swivel, right? They're looking left, they're looking right. They're trying to identify what to do first. And you bring in the right partners. >> Yes. >> And you get in, you build the right program. You cement that culture internally. And it really provides dividends. >> You know what I think as well, Dave, is in the past, everyone was more data center based. >> Right. >> The Cloud was like a thing we'd forklift, we'd move over, we were born in the Cloud. So Cloud native Application protection is something that we need and will drive innovation. Will align with our strategic initiatives. We need people to think like the Cloud is what's happening. Super Cloud, some of the things that we spoke about. >> Yeah, so I was at, when we were at reinforced, I had this new mental model emerge, and it sort of hit me in the face. And you tell me, I'd love to talk to practitioners to say, yeah, that makes sense or, no, that's crap. So it seems like the Cloud has become the first line of defense for CISOs. Now you're Cloud first or Cloud native, so, okay. But then now you've got the shared responsibility model. And I don't know if you use multiple Clouds. Do you use multiple Clouds? >> We cannot say. >> Cannot say, okay, let's assume for a second, your, some of your colleagues, CISO colleagues, use multiple Clouds. >> They should, okay, sure. >> Now they've got multiple shared responsibility models. Now you've got also the application development team. They're being asked to be the pivot point to actually execute, they got to secure the platform. They got to secure the containers, their run time. >> Workloads, yes. >> And then you got audit behind you is kind of the last line of defense. So things are shifting. Describe sort of the organizational dynamic that you see, not necessarily specific to Mercury Financial, or that would be cool, but generally in the industry. >> Oh, I would say, I could say this, that having Cloud, multitenancy Cloud or the super Cloud model where we could abstract our services our protection, the different levels of security tooling, being able to abstract and speak a common language where you could run in Azure, GCP or AWS, and still have a common language that you can interpret and leverage between all the tooling would be something I would love to see. >> That's Super Cloud >> A magical, that is that. >> That is a Cloud interpreter essentially. >> I think we use different words, but yes. >> A PAs layer, super PAs layer, sorry to take it too far. >> Yeah, like, I want to be able to abstract it and speak a language that would work in any of the- >> What does that do for you as a technology practitioner? >> Well, imagine if you had to speak three different languages with three different people, get lost in translation. If we could speak a common language across all the different platforms and all the different footprints, it would be easier to define our security posture. Where are we? Are we secure? You might say security groups in AWS, it might be, mean something else, but it's still a level of protection that surrounds the end point, right? Something that would abstract that level would be very fun. Very good for me. >> It's, you know, it's pretty easy to understand your use case for this. When you're talking about here we are, Mercury Financial, you have the most sensitive financial information about people, right? >> Right, absolutely. >> A data breach where all of the information about your customers getting out there on the dark web. Right? Heart attack time. >> Instantly. >> What are some things that people might not think about though, that are going on in your world? What would surprise someone who maybe isn't a security specialist in terms of the things that you're dealing with as far as threats are concerned? >> I'm going to leave that on you. >> Can you think of some examples of things that you could, you know, obviously generic examples. >> Right. >> Yes. >> I'm going to point to the number one and two most common ways that applications and businesses are getting owned right now. And that's misconfigurations on your web app or a vulnerable application or phishing. And those are both very important things, right? A lot of development teams, they want to get things to market as soon as possible. And maybe security's on the back foot. It's about building that culture and to, you know, being Cloud native helps you have a, you can provide different tool sets to your organization that helps you understand that posture and makes you help those business decisions. Are we in a good posture to go forward right now? That's a big question that I think most security organizations need to ask themselves and the need to hold other stakeholders accountable. >> So phishing and the concept of social engineering, still alive and well? >> Oh, goodness. >> Always. >> Everything starts with people. The human firewall has to be front of mind. Security can't be an afterthought or a bolt on, that's something that you think about, well, I guess if I have to meet our compliance, it doesn't work with us. >> Comes back to the culture that you're actually talking about before. >> 100%, yeah, cyber resiliency starts with cyber culture. >> Kevin Mandy has said it today. I, never underestimate the adversary. The adversary- >> Of course. >> Is highly capable, motivated, big ROI and it just keeps getting bigger. The more technology gets embedded into our lives. The more lucrative hacking becomes. >> And more attack vectors. We have more areas that we could be potentially penetrated. >> They have a lot of time. Those threat actors have a lot of time. >> They do have a lot of time, yeah. >> Right. >> Right and to your point, you're constantly on the swivel. Right, you don't have time. >> Right. >> No, we don't. >> So do your responsibilities touch on things like fraud detection as well? >> Yeah, oh, that- >> Is that a silly question? I'm thinking- >> Yeah, no, it really is, so- >> No, not at all. >> Or there isn't segregation between what we would think of as IT and the credit card transaction that fires up a red flag. >> Those are integrated. >> It's definitely important. And in any business, right? Is to, like I mentioned, I use this word a lot converge, right? It's converging that intel, that fraud intelligence and making it into a process where we're reducing the risk and the losses that the business is incurring. >> Yes. >> It's so important, right? That we build that culture within the fraud teams, the operational teams, the, you know really anybody who has a really large stake in whatever the business product is. And, you know, being Cloud native, bringing in the right partners, building that security culture. I mean, that's the biggest one. >> Yeah, we've flown. >> It's last and definitely not least, it is, the culture's where you need to be. >> Absolutely. >> You know, you guys, I'm sure, you know, work with a lot of different vendors, a lot of tools, or sometimes the tools are point tools, they're best to breed. CrowdStrike says it wants to be a generational company. >> Oh, yeah. >> It says this notion of an unstoppable breach is a myth. You guys can't live that way. You have to assume you're going to breach but can CrowdStrike be a generational company? >> I think they've proven themselves. They've been around over a decade now. it's 11 years. They just had their birthday yesterday, right? >> Yeah. >> Or anniversary, the company started? >> Yeah. 11 years, yeah. >> I absolutely, and I also agree to add it a little bit part, from the fraud part. I think CrowdStrike would be an integral piece of the overall solution that we have. It hits so many different aspects and looks at so many different potential attack vectors. I keep using that word, but I think integrating fraud in other parts and other functions of the business will start to see that they can leverage CrowdStrike. That there's tooling within CrowdStrike innovatively, like ahead of the game. And I always like that about CrowdStrike, being way ahead of the game and thinking in front of our adversaries. I think other departments will be like, what tools do you have, how can we use them? This is fantastic, this makes us feel better. We don't have to worry about that. We can focus in on what we're good at and build that best of breed solution. So fraud can focus on fraud and you can leverage the tooling and the infrastructure that we provide them together holistically to build a security program that's beyond reproach. >> Guys, we got to go, great perspectives. Always love having the practitioners on. >> Yeah, thank you. >> I really appreciate your time, thank you. >> Yeah, absolutely, always a pleasure. Thank you so much for your time. >> Anthony, Alex, Dave and Dave will be right back, right after this short break. You're watching theCUBE from Fal.Con 2022 from the ARIA in Las Vegas. >> Cheers my friend. >> Yeah, of course. (cheerful music)

live from Boston Massachusetts it's the cube covering AWS reinforced 2019 brought to you by Amazon Web Services and its ecosystem partners hey welcome back everyone's cute live coverage here in Boston Massachusetts for AWS Amazon Web Services reinforced this is in our roll call for an RO conference for security this is the first event Amazon's dedicating to security I'm Jeffrey day Volante Dave reinvents the big show reinforced will be the big show for security 12,000 people we have Vittorio for Arango who's the VP of Marketing cloud business unit McAfee formerly of sky-high networks great to see you again on the cube I am happy to be here you guys had an institution so delighted to be here with you guys super excited been big fan of your work but finally work at VMware sky high networks now McAfee you've seen the big company of the startup real change is going on in cloud the McAfee certainly the expertise and the antivirus and security been there check now cloud comes into the equation with sky-high networks gives the update what's that what it's all about sky high comes in to McAfee you got a cloud business unit they leave you alone you get to do your own thing but take advantage of the McAfee goodness it give us the what's going on tell us well you know when you wake an acquisition usually you do it for two reasons why one is I sit at the table in a new market acquiring the skills of the people those are the two two main reasons so Skye McAfee when they acquire sky high in January 2018 they kept the sky high as a separate business unit to keep the momentum and if you think about the the investment thesis there is that today works gets done on endpoints that are attached to the cloud increasingly the network now is used to be the control point for everything security but now we run applications in on infrastructure we don't own that traverses network we don't operate and so the our strategy is secured data what works get gets done which is in on the device which that's the Mac of you know heritage and then in the cloud that's where the McAfee the with the sky-high acquisition what will bring it I'm usually exclusive they both work together because once an endpoint one's kind of a in transit data and cloud all that stuff happening there are two different things but they work together yeah it's it to me device is mobile devices and laptops are the the the land endpoints to the cloud right and so I think we are and then on top of it IT ones complete disability and so McAfee has this great footprint with the device the cloud and then EPO which is our management management layer on top of it it gives you visibility across everything so you guys are making mad mcafee with the cloud business unit which is sky-high enactment a big investment at this show you guys look at reinforces an opportunity why are you making such a big investment in reinforce this show this community what's the big move well if you look at the what the enterprise data is increasingly it's in the cloud so we recently ran a report of the live system so we have a run a thousand customers using our cloud solutions so we know exactly what data is and around thirty five percent is in SAS office CCC five boss Dropbox twenty five percent is in structured application like Salesforce ServiceNow and twenty four percent is in iis and pass and that's the area that is growing the most and so in the past if you look at the evolution of cloud security there have been a lot of different point solution to solve these different problems we're trying to bring it all together so we have a single point for visibility and control of your data in a cloud so I is and pass is where data is growing the fastest and the show like this is the perfect opportunity for a hard question on to you right now because this is what everyone's been asking us see shows and CIOs run or running or managing or trying to figure out the security equation we love our vendors giving us alerts we don't need more alert anymore if there's a really video more alerts we need our suppliers to help us fix the problem yes that's the big focus of this show we're hearing a lot of that and a lot of help my people be better so not just tell me what the problem is fix it yeah what's your view on that absolutely so once you get visibility and you set your policies our system enforces those policies in real time and so it doesn't require human intervention for the most part plus there is another aspect if you look at the number of incident that happens in the cloud there are one order of magnitude higher than on-prem so what we do we bring the users into the picture as a solution so let me give you an example so it said that you look use the cloud to collaborate right and that makes us productive we found that 85% I didn't have a percent of people to go to the cloud find business acceleration in their business and so why because people working collaborate freely but sometimes collaborating they share a document that contains confidential information so when we detect that instead of we let IT know but instead of asking IT to fix it we inform the user and we say hey mr. user did you know that you just share a document that contains credit card information and healthcare information and we show them what it is so they can fix it in most cases people don't do it maliciously like that just trying to get their job done and so we make the user be part of the solution instead of just creating the problem why our instance ray internet rates so much higher in the cloud material because the just the number of peopie definition the moment you start to put your data in the cloud to collaborate you collaborate with many more people right and so that's why the number of incident is so much higher against that the stuff is all out there and the number of people that I have access to your data is much larger so when you think of risk you think of you know the probability of an event and then the impact of that event so we just heard that the probability goes up when you're collaborating in the cloud you have any data on the impact in terms of specific to the cloud is the cloud doing a better job than say on Prem is it more higher impact is it not there's not as enough enough high value data in the cloud yet more data's on Prem do you have any sort of senses first of all there is our actual use of the cloud we know that confidential data is in the cloud and we also know that over time 50% of and confidential data or computational documents in the cloud gets shared in the process all right here's the the good news is that we believe that with the proper tools like an visual cloud and the proper Cosby platform in place the cloud can be more secure than on pram and this is why first these cloud providers AWS and others they put more resources in security that any comprend company ever could right but then you still have the share responsibility model it's a part of the the security puzzle that the end-user is in charge of and if you put in place a cosmic platform we love for people to use ours but any costly platform I think eventually the cloud will become more secure than on Prem ever was yeah so that shared responsibility you talk about endpoints data user access right and you start from SAS the your responsibility is really device security and user access so if an end user logs in with their credential and start stealing your data AWS or Microsoft they're not gonna be responsive to take care of that when you're doing going to pass your responsibility goes deeper because now you're running your own applications there so you have to make sure that the applications the infrastructure that the application runs on is properly configured and the data going in and out of the application and the container are secure and then you're going to I is your responsibility goes even deeper but these are problems now that can be solved well understood it can be solved by leveraging the underlying platform and then building your own infrastructure or your security solution gobbled it sorry I talk about the most important story that that's that should be told in technology security industry today or that media should tell are not being told what is the most important story for first customers to to know about and or the media should be covering more of that's uh putting me on the spot well I think I the thing that I'm most excited right now in NIT is DevOps I think about every technology transition for the last 25 years was driven by one set of people developers and so over the years developers had all these roadblocks or I need a server or now I need the security clearance now I did compliance clearance and so we always got in the way of them until they figured out in you a new platform and your way to be more agile and I think right now in the cloud is with DevOps is the ultimate of expression of that so I think it's very exciting and I think as security vendors instead of this is my pet peeve with security is you have to scare people into buying your stuff I hate that right you know if you don't buy this you're gonna get fired you're gonna get breached all true but the reason why people go to the cloud is business agility the ability to unleash the developers to build new differentiating applications and so to me a better way to sell insecurity and build a security solution is to cater to that need and build security that that is transparent to the users and now transparent to the developers and also here what you're really saying there is you want to increase the speed of security for that slot that is lagging behind the agility of DevOps yeah if I get faster so it's in line with the developer in fact today we just announced that this shift left right instead of like make it easier to deploy application then put security on top of it how about we look at your development process and trying to identify flaws they may end up into a non secure runtime environment and so last goes along the lines of like let's forget about security that doesn't create friction let's put build security in the code it's a shift left by that you mean security is code exactly talk about you now last time we talked to you the cube you were an engineer yeah now you're in marketing what happened well I'm seeing engineer so what happened was you know I I never planned my career I always look for smart people and we're smart people kind of aggregate there's some good stuff to do and when I was at I when I left VMware I joined MobileIron and the only spot that they helped that was open was CMO and so once I got the job I had to learn it I well you're a builder I mean Amazon love Zion generic mindset then you're gonna build our mindset how are you going to build out your cloud division because you have some big tail winds big demand for security price to be sold in a new way yeah and consumed with services so good opportunities for you what's your strategy what are you gonna do our strategy is to keep growing this business right now the cloud as you will expect is the fastest growing business at McAfee and so from from my perspective within the cloud business unit when we're trying to inject energy and the vision for cloud and and that's that's what I think McAfee needs from us so obviously you're a fan of agile scrum I mean you know modern modern development techniques are you bringing that to marketing in any way yeah absolutely so when I made a transition to marketing I realized that whenever you have an environment where you have to ship something in engineering is shipping software in marketing is shipping a new webpage or a new campaign and you a video or something and where there is a lot of unknown and market the moves fast scrum and agile is the perfect solution for it so basically what I do I take the priority from the company we make these plans like a year out right who knows what's gonna happen in here our recipe take these goals and then break them down in two weeks interval and every two weeks here are the priorities the map to those and then every two weeks you have you moved the needle I just talked to some people and and AWS you know they told me maybe it's confidential information or not they told me two weeks it's too long we have it weekly so sometimes when somebody new comes to my team and they see this mechanism workers who always on the treadmill take all this this guy's insane and they may have a point but then you look at the companies that are changing the world and guess what they are doing weekly it's a graph it's like a task week once you get on that cadence you're in shape and you get the team rolling because success is a great motivator yeah it has that kind of success when you're agile and you can respond faster yeah because look at this our counterpart is sales right and if you engage with sales you talk to sales everything is an emergency that was needed yesterday and that's okay they're bringing the money so we like them but with agile would these two weeks print what allows me and my team to do is to say hey what you're asking for is it more important than these things that were shipping in average a week from now and be answers typically no or can you wait the two weeks and you're not and then I can take the whole team and focus on whatever is that do your best work you bring in the best of cloud ethos yep into marketing and then again look if we do believe that engineers make the work around I truly believe that in Silicon Valley Engineers change the world to make the workaround let's take some of those best practices and apply them to other part of the organization why not sorry I've great to chat with you love your vision thanks for coming on the cube and sharing hi thank you for insights great insights here that we're driving all the data here inside the cube for reinforced Amazon Web Services first security conference its inaugural we're excited to be here two days of live cover staying with us for more after this short break