(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Obviously, CUBE's coverage with our CUBE Center Report. We're not there on the ground, but we have folks and our CUBE Alumni there. We have entrepreneurs there. Of course, we want to be there in person, but we're remote. We've got Ben Hirschberg, CTO and Co-Founder of Armo, a cloud native security startup, well positioned in this industry. He's there in Seattle. Ben, thank you for coming on and sharing what's going on with theCUBE. >> Yeah, it's great to be here, John. >> So we had written on you guys up on SiliconANGLE. Congratulations on your momentum and traction. But let's first get into what's going on there on the ground? What are some of the key trends? What's the most important story being told there? What is the vibe? What's the most important story right now? >> So I think, I would like to start here with the I think the most important thing was that I think the event is very successful. Usually, the Cloud Native Security Day usually was part of KubeCon in the previous years and now it became its own conference of its own and really kudos to all the organizers who brought this up in, actually in a short time. And it wasn't really clear how many people will turn up, but at the end, we see a really nice turn up and really great talks and keynotes around here. I think that one of the biggest trends, which haven't started like in this conference, but already we're talking for a while is supply chain. Supply chain is security. I think it's, right now, the biggest trend in the talks, in the keynotes. And I think that we start to see companies, big companies, who are adopting themselves into this direction. There is a clear industry need. There is a clear problem and I think that the cloud native security teams are coming up with tooling around it. I think for right now we see more tools than adoption, but the adoption is always following the tooling. And I think it already proves itself. So we have just a very interesting talk this morning about the OpenSSL vulnerability, which was I think around Halloween, which came out and everyone thought that it's going to be a critical issue for the whole cloud native and internet infrastructure and at the end it turned out to be a lesser problem, but the reason why I think it was understood that to be a lesser problem real soon was that because people started to use (indistinct) store software composition information in the environment so security teams could look into, look up in their systems okay, what, where they're using OpenSSL, which version they are using. It became really soon real clear that this version is not adopted by a wide array of software out there so the tech surface is relatively small and I think it already proved itself that the direction if everyone is talking about. >> Yeah, we agree, we're very bullish on this move from the Cloud Native Foundation CNCF that do the security conference. Amazon Web Services has re:Invent. That's their big show, but they also have re:Inforce, the security show, so clearly they work together. I like the decoupling, very cohesive. But you guys have Kubescape of Kubernetes security. Talk about the conversations that are there and that you're hearing around why there's different event what's different around KubeCon and CloudNativeCon than this Cloud Native SecurityCon. It's not called KubeSucSecCon, it's called Cloud Native SecurityCon. What's the difference? Are people confused? Is it clear? What's the difference between the two shows? What are you hearing? >> So I think that, you know, there is a good question. Okay, where is Cloud Native Computing Foundation came from? Obviously everyone knows that it was somewhat coupled with the adoption of Kubernetes. It was a clear understanding in the industry that there are different efforts where the industry needs to come together without looking be very vendor-specific and try to sort out a lot of issues in order to enable adoption and bring great value and I think that the main difference here between KubeCon and the Cloud Native Security Conference is really the focus, and not just on Kubernetes, but the whole ecosystem behind that. The way we are delivering software, the way we are monitoring software, and all where Kubernetes is only just, you know, maybe the biggest clog in the system, but, you know, just one of the others and it gives great overview of what you have in the whole ecosystem. >> Yeah, I think it's a good call. I would add that what I'm hearing too is that security is so critical to the business model of every company. It's so mainstream. The hackers have a great business model. They make money, their costs are lower than the revenue. So the business of hacking in breaches, ransomware all over the place is so successful that they're playing offense, everyone's playing defense, so it's about time we can get focus to really be faster and more nimble and agile on solving some of these security challenges in open source. So I think that to me is a great focus and so I give total props to the CNC. I call it the event operating system. You got the security group over here decoupled from the main kernel, but they work together. Good call and so this brings back up to some of the things that are going on so I have to ask you, as your startup as a CTO, you guys have the Kubescape platform, how do you guys fit into the landscape and what's different from your tools for Kubernetes environments versus what's out there? >> So I think that our journey is really interesting in the solution space because I think that our mode really tries to understand where security can meet the actual adoption because as you just said, somehow we have to sort out together how security is going to be automated and integrated in its best way. So Kubescape project started as a Kubernetes security posture tool. Just, you know, when people are really early in their adoption of Kubernetes systems, they want to understand whether the installation is is secure, whether the basic configurations are look okay, and giving them instant feedback on that, both in live systems and in the CICD, this is where Kubescape came from. We started as an open source project because we are big believers of open source, of the power of open source security, and I can, you know I think maybe this is my first interview when I can say that Kubescape was accepted to be a CNCF Sandbox project so Armo was actually donating the project to the CNCF, I think, which is a huge milestone and a great way to further the adoption of Kubernetes security and from now on we want to see where the users in Armo and Kubescape project want to see where the users are going, their Kubernetes security journey and help them to automatize, help them to to implement security more fast in the way the developers are using it working. >> Okay, if you don't mind, I want to just get clarification. What's the difference between the Armo platform and Kubescape because you have Kubescape Sandbox project and Armo platform. Could you talk about the differences and interaction? >> Sure, Kubescape is an open source project and Armo platform is actually a managed platform which runs Kubescape in the cloud for you because Kubescape is part, it has several parts. One part is, which is running inside the Kubernetes cluster in the CICD processes of the user, and there is another part which we call the backend where the results are stored and can be analyzed further. So Armo platform gives you managed way to run the backend, but I can tell you that backend is also, will be available within a month or two also for everyone to install on their premises as well, because again, we are an open source company and we are, we want to enable users, so the difference is that Armo platform is a managed platform behind Kubescape. >> How does Kubescape differ from closed proprietary sourced solutions? >> So I can tell you that there are closed proprietary solutions which are very good security solutions, but I think that the main difference, if I had to pick beyond the very specific technicalities is the worldview. The way we see that our user is not the CISO. Our user is not necessarily the security team. From our perspective, the user is the DevOps and the developers who are working on the Kubernetes cluster day to day and we want to enable them to improve their security. So actually our approach is more developer-friendly, if I would need to define it very shortly. >> What does this risk calculation score you guys have in Kubscape? That's come up and we cover that in our story. Can you explain to the folks how that fits in? Is it Kubescape is the platform and what's the benefit, what's the purpose? >> So the risk calculation is actually a score we are giving to clusters in order for the users to understand where they are standing in the general population, how they are faring against a perfect hardened cluster. It is based on the number of different tests we are making. And I don't want to go into, you know, the very specifics of the mathematical functions, but in general it takes into account how many functions are failing, security tests are failing inside your cluster. How many nodes you are having, how many workloads are having, and creating this number which enables you to understand where you are standing in the global, in the world. >> What's the customer value that you guys pitching? What's the pitch for the Armo platform? When you go and talk to a customer, are they like, "We need you." Do they come to you? Is it word of mouth? You guys have a strategy? What's the pitch? What's so appealing to the customers? Why are they enthusiastic about you guys? >> So John, I can tell you, maybe it's not so easy to to say the words, but I nearly 20 years in the industry and though I've been always around cyber and the defense industry and I can tell you that I never had this journey where before where I could say that the the customers are coming to us and not we are pitching to customers. Simply because people want to, this is very easy tool, very very easy to use, very understandable and it very helps the engineers to improve security posture. And they're coming to us and they're saying, "Well, awesome, okay, how we can like use it. Do you have a graphical interface?" And we are pointing them to the Armor platform and they are falling in love and coming to us even more and we can tell you that we have a big number of active users behind the platform itself. >> You know, one of the things that comes up every time at KubeCon and Cloud NativeCon when we're there, and we'll be in Amsterdam, so folks watching, you know, we'll see onsite, developer productivity is like the number one thing everyone talks about and security is so important. It's become by default a blocker or anchor or a drag on productivity. This is big, the things that you're mentioning, easy to use, engineering supporting it, developer adoption, you know we've always said on theCUBE, developers will be the de facto standards bodies by their choices 'cause developers make all the decisions. So if I can go faster and I can have security kind of programmed in, I'm not shifting left, it's just I'm just having security kind of in there. That's the dream state. Is that what you guys are trying to do here? Because that's the nirvana, everyone wants to do that. >> Yeah, I think your definition is like perfect because really we had like this, for a very long time we had this world where we decoupled security teams from developers and even for sometimes from engineering at all and I think for multiple reasons, we are more seeing a big convergence. Security teams are becoming part of the engineering and the engineering becoming part of the security and as you're saying, okay, the day-to-day world of developers are becoming very tangled up in the good way with security, so the think about it that today, one of my developers at Armo is creating a pull request. He's already, code is already scanned by security scanners for to test for different security problems. It's already, you know, before he already gets feedback on his first time where he's sharing his code and if there is an issue, he already can solve it and this is just solving issues much faster, much cheaper, and also you asked me about, you know, the wipe in the conference and we know no one can deny the current economic wipe we have and this also relates to security teams and security teams has to be much more efficient. And one of the things that everyone is talking, okay, we need more automation, we need more, better tooling and I think we are really fitting into this. >> Yeah, and I talked to venture capitalists yesterday and today, an angel investor. Best time for startup is right now and again, open source is driving a lot of value. Ben, it's been great to have you on and sharing with us what's going on on the ground there as well as talking about some of the traction you have. Just final question, how old's the company? How much funding do you have? Where you guys located? Put a plug in for the company. You guys looking to hire? Tell us about the company. Were you guys located? How much capital do you have? >> So, okay, the company's here for three years. We've passed a round last March with Tiger and Hyperwise capitals. We are located, most of the company's located today in Israel in Tel Aviv, but we have like great team also in Ukraine and also great guys are in Europe and right now also Craig Box joined us as an open source VP and he's like right now located in New Zealand, so we are a really global team, which I think it's really helps us to strengthen ourselves. >> Yeah, and I think this is the entrepreneurial equation for the future. It's really great to see that global. We heard that in Priyanka Sharma's keynote. It's a global culture, global community. >> Right. >> And so really, really props you guys. Congratulations on Armo and thanks for coming on theCUBE and sharing insights and expertise and also what's happening on the ground. Appreciate it, Ben, thanks for coming on. >> Thank you, John. >> Okay, cheers. Okay, this is CUB coverage here of the Cloud Native SecurityCon in North America 2023. I'm John Furrier for Lisa Martin, Dave Vellante. We're back with more of wrap up of the event after this short break. (gentle upbeat music)

(upbeat music) >> From around the globe, it's theCUBE, with coverage of KubeCon and CloudNativeCon Europe 2020, virtual brought to you by Red Hat. The Cloud Native Computing Foundation and ecosystem partners. >> Welcome back I'm Stu Miniman and this is theCUBEs coverage of KubeCon, CloudNativeCon the Europe 2020 virtual edition. Of course, even before 2020 security was one of the top concerns out there, with everyone working from home, some of the ramifications what's happening. Security is even more heightened and something we've had great pleasure digging into in this cloud native ecosystem. Happy to welcome to the program first time guest and first time we've had CyberArmor on theCUBE, so welcome Ben Hirschberg who's the co-founder and vice president of R&D. Ben thank you so much for joining us. >> (mumbles) Thank you for having me Stu. Thank you. >> All right so you know Ben 10 years ago when I became an analyst, security was one of those things that if you look at security and management overall, it's uh, these are the things we need to fix in IT. Unfortunately a decade later, it's still something that I can say. So if you could just frame for us a little bit as one of the co-founders of the company, what was the why for CyberArmor, what did you see out in the marketplace, what was some of the core competencies that you and your team had that made you form the company? >> Yeah, so it's a really good question because three years ago when we started look around, in the cyber industry and we're really looking into what's happening today because CyberArmor was founded by veterans of the industry. And we were looking into what part of the chain was missing in the security field. And we saw one of the key components which is even today is missing and we're coming in to solve it, is the component of the software itself. I mean we're really looked for many many years as just you said, we looked into the field and we so firewalls and segments and perimeters, and we saw authentication of users, and this is the most important aspects of cybersecurity. And we saw that there is a big change in the field because today the systems are so elastic, so changing, so much many new components went into the field and so much is changing that we've seen it. We cannot still build our security upon the old infrastructure we had before. And we went into the most common denominator you have in the field and it's the software. Because if you're looking into what you're trying to protect today, obviously you try to protect your data and your data is sitting behind some kind of software. And usually the software is running some kind of an infrastructure which is in the old world it was a data center, today we're advancing things into the cloud. And between two steps came into the new kind of containerization and cloud native infrastructure. Which really changes the whole way we are looking into how to run our software today. And we still did the... Most common denominator is the software itself. So what we call workloads. And we said that well, if I need to protect something, I need to protect the workload. And I run to protecting the way that I don't really care who is running it and where it's being run. But I am in our case we are also SAS provider for security solution. When I'm running my workloads, I want to be in control, and this is the thing we are targeting. We are targeting giving the one who's writing the software, the one who is deploying the software, the owner of service, giving him let's say the keys and only to him and no one else. >> All right, so Ben if I hear you right, is that then the application developer is the one that's interacting with your software and using it, obviously the DevOps movement really rallied around telling people that security can't be an afterthought it needs to be something baked into the process. Recently DevSecOps is a term that we hear used quite a bit so who are the people that are involved will help us understand a little bit really the organizational impact of what you're doing. >> So today we see our world really gravitating towards development and DevOps. I mean I see DevOps as an integral part of the development because we don't want to create a different organization to handle these kind of deployment things. If I have a group who's in charge of all the service, I want this group to handle the service from A to Z. And we are targeting not really the developers in sense that we are not integrating the software with APIs, but we are integrating our solution through the deployment tools. So in order to use our solution which is actually a software identity based control plane. You don't need to integrate it with your software you're developing. We can take any kind of software anyone wrote. And we can integrate it with the system using a cloud native techniques like Kubernetes integration, so it's really who is going to interface with our solution is more DevOps and set DevOps as you mentioned. >> All right, Ben when I look at your website, you talked quite a bit about the integration, you mentioned Kubernetes of course we're here at the cloud native conference, so what integrations, how much work is there to do to integrate with the various Kubernetes platforms, how do you tie into things like service meshes, are there any other of the dozens and dozens of projects that the CNCF has out there that your team needs to be involved in integrating with? >> So we took a really... It's interesting phrase but we took an Orthodox approach here where we said that we want to integrate with the core features of Kubernetes only. Because from our perspective we don't want to bring in other solutions into the service-based what our customers are having. So therefore we are integrating ourselves only with the Kubernetes core components and literally installation of our system takes a second, and which is virtual because Kubernetes itself is such a good solution that such a good project that literally installations and all setups are taking no time. And we are bringing our own service to service authentication control plane. We're on an early stage startup, and we are looking into developing our solutions to integrate with the service mesh also at a later phase, bring our security on board. Also they're the missing chain in the security which the service mesh was missing. Because we simply see that there're really great products and really great solutions there so we want to enable our customers to enjoy all they can, but without compromising their security. >> All right, your product itself, what's the relationship with open source? Many of the companies we've seen doing security, have open source projects, you when the event is in person, you walk around the show floor, and open source is a big piece of this community here, so what's your relationship when it comes to open source? >> It's really interesting question because I actually also offer... Many of our founders came from the direction not from the open source but from classical closed source companies. And personally this is due to simply the sensitivity of security field and there're historical reasons for that but I myself and some of our key people have always gave into our open source and took part in many open source projects in the past. As a company CyberArmor looks into open source as something very very valuable. We are really looking into how we can interact and how we can open source parts of our solution, which can interest other companies and other people because everyone of us knows that there are two main reasons to open source. One is it shows some kind of transparency, and the other is to let others enjoy also your project and take part in it. So right now at this stage we have only a few open source parts of our system, which are more... We have open sourced them for transparency reasons. But we're really looking into that criteria we're looking into how we could take some parts of our system and make it generally available because we think it's a good idea. >> All right, Ben what can you tell me about your customers, oftentimes if you've got an example even if it's anonymized, helps explain the value proposition of what your company is offering. >> Okay. Where to start? One of our first customers is a big service provider, BTC service provider, which is a well known company and this company really had high security expectations from the cloud native systems. And they tried many solutions they wanted to protect their services and their internal service to service communication. And they simply after a few trials they tried our solution and understood that our solution has also big benefits from the security side and outside from the performance side, therefore they decided to go with CyberArmor in order to protect their... Ease fast communications within their systems. Another company which is a B2C company Simply it's deploying it's system in a cloud infrastructure which they're less rely on and less feel secure because of legal reasons, and therefore they decided to use CyberArmor to completely protect their services and not just the communication between the services, but also the intellectual property that they have within their services in order to protect themselves. This is a very interesting use case because they're simply, I think one of the biggest beyond Google and Facebook and the big companies we know, customers we know. They are one of the biggest cloud users I know. So they really have a very interesting scale of going from way from 3000 notes in Kubernetes spanning up to within a few hours to 200 thousands notes scale, which was very interesting experience for us because as a new startup this is how you are trying your system out and prove that your solution is indeed made for the clouds. And we're really happy to say that we passed this phase. >> All right. Well, Ben, since you have the R&D component in your role, give us a little bit of an insight as to the things you're working on, what you see as some of the big challenges that security in this space need to be addressing a little bit further down the road. >> So there're two big things which we are working on and I think that's two interesting parts of the security question cause one part is that no one of us really like to pay more for security. We don't like to pay for it. Once just we have it, it's something you want to be there, but you don't want to know about it. And when we are talking about even hearing (mumbles) we are talking about simple things like moving from clear communications to TLS and right away understand that it costs us money. And one of our biggest goals here is to add security without having excessive costs toward the service provider. And we really are trying to improve our system and make them more performing in the sense that they should take as less toll on services they can in order to provide the security. And the other big part is runtime security because our solution is making sure that your workload which you're running in your system is being the same workload throughout the whole runtime process just as you wanted to be. And in order to do that, we're taking what we call code DNA in the CI/CD of our customers. And we understand how these workload should work. And in runtime, make sure that this workload is not changing maliciously and the same behavior stays as it shouldn't be. And this is something we are really improving because we're looking into the newest texts coming from many many directions, and we want to incorporate that in our solutions and make sure that you can throughout the whole runtime process of your workloads, we can keep you secure and safe. And this you know this is very interesting work, and as someone who is a veteran of cybersecurity and a white hat hacker of myself in my previous jobs, I see this as something really interesting and really evolving today. >> All right, well Ben Hirschberg thanks so much for introducing our community to CyberArmor, great catching up with you. >> Yeah I was glad to be here, thank you very much. >> All right, and thank you. Stay tuned for more coverage of KubeCon, CloudNativeCon, I'm Stu Miniman thanks for watching. (soft music)