>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the Bellagio Hotel in Las Vegas, at the Qualys Security Conference. This conference has been going on for 19 years. It's our first time to be here. We're excited to be here, but it's amazing that they've just been clipping along through wave after wave after wave. They've got some new announcements today and we're excited to get the full rundown here. Our next guest is Chris Carlson, the VP of Strategy from Qualys. Chris, great to meet you. >> Great, thanks, great to be here. >> Yeah, so you just got out of your session. How did your session go? >> Yeah, it was fantastic. In fact, that's the great thing about a Qualys Security Conference, because we have the ability to not only interact with our customers and partners, but actually showcase what's new, but also what we're working on coming in the future. >> Jeff: Right. >> And that's really important for us at Qualys because we get the feedback from the customers early, and we can work very closely with them to find the right set of solutions and the right products for their use in their environment and programs. >> Now, the security landscape has changed quite a bit over the last two decades, and Phillipe's keynote, I mean he is right on the edge in terms of really appreciating cloud and the benefits of cloud. You guys have a lot of great integration partners. You know, did you have to re-architect this thing, at some point down the road? I mean it's pretty amazing that you've been at it for two decades and still really sitting in a good spot here as kind of the cloud and IOT and 5G and this next big wave of innovation starts to hit. >> Well that's right, and I think that's why it starts with that vision, but it's not just a vision of where the market is going, but the vision of where technology is going. So when Qualys started, they started in the cloud, and they started with the cloud delivered architecture. And that was really, maybe early for a lot of first customers. 20 years ago security was maybe not as much, and put security in the cloud, that's where all the bad guys are. But it's really that architecture vision technology that allowed us to not only innovate quickly on a platform, but as our customers grew, as our customers moved to the cloud, as our customers moved to IOT and OT and mobile computing and those aspects, we're already there. >> Jeff: Right, right. >> We're already there. So and that is what really the advantage for us is, we don't have to re-architect our platform, we can layer on new capabilities and new services, new products leveraging the existing architecture that we've developed in the cloud. >> Yeah, it's really little bit of good fortune, a little bit of luck, a little bit of smarts, right. >> I think it's maybe a lot of experience and smarts from that. >> Well, it's just funny right, 'cause we had John Chambers on not that long ago, and his kind of computing waves, he was using kind of 10 year waves as kind of the starting points. And Phillipe's were a little bit longer, but it's the same kind of story with mainframes and minis and client server and now cloud, but as he said, and as you've reinforced, if you don't architect it to be able to do that at the beginning, you can't necessary repurpose it for this new application. It's really architecture-specific, and without that kind of vision, you're not going to be able to take advantage. >> That's right. >> Of these kind of new waves. >> Exactly, and I think that architecture breaks down into different levels. So one is systems architecture, but there's also the design architecture. So the technologies that we're using on our platform today aren't the same 20 years ago. We've swapped out those technologies. We use new modern technologies. Technically, like Kafka streaming blasts to do real-time event streaming. Cassandra for object data store. Those did not exist five or six years ago. But from our architecture that we're collecting lightweight data from our customers, and analyzing it in our cloud platform. Doesn't matter if we have one million events, a billion events, a hundred billion events, the platform can scale the process of those. >> Right. The other piece clearly that you've mentioned two or three vocabulary words right there is the open source component. You know, the open source has grown dramatically since the early days of Linux, both in terms of market acceptance as well as kind of new opportunities for things like Kafka to be able to grab that type of , integrate it into your product set and really drive a whole bunch of extra value. >> Yeah, that's right. I think we benefit as Qualys is using some of these open source technologies and we do contribute back, because we work with those teams. If there's any defects or performance enhancements, we do that. But while we've benefited from some of the open source technologies, our customers have benefited as well. Now they've benefited from new technology architectures, but in some cases they've benefited from new security problems. So if you get commercial off-the-shelf software, the vendor produces a security patch, they test that patch and they can apply the patch. In many cases with some open source software it's not like that. The customer has to get the software, compile it, make sure it works. Maybe it doesn't fix the vulnerability, and that's why in that case for them open-source technology can improve some of their IT systems and their business initiatives, but it puts a challenge on security to keep up with all the security risks that are happening across the board. >> Right. So one of the big announcements today was the VMDR. >> That's right. >> Tell us all about it. >> Great, so VMDR stands for Vulnerability Management Detection and Response, and that really is a capability that we've actually had in the platform itself, but the feedback from our customers were that internally their own people, their own process and their own tools created these artificial silos that prevented them from actually doing security detection and remediation at scale quickly. We have all these capabilities in the Qualys platform anyway, but with this new VMDR bundle we're bringing it together with new automation, new workflow, new orchestration, new user interfaces that actually reduce the time to remediate down to near zero in some cases. So, we had an example of a live attack that happened two years ago, WannaCry with EternalBlue, and many companies did nothing for two months. So they had the right tools, but maybe the data silos to go from one application to another application, to one team to another team just increased that length of when they could remediate. Our customers that had Qualys already had that data within the Qualys platform. We can tell them what assets they have, what the vulnerabilities were, that WannaCry was a big thing happening. And then with our patch management they can click one button and then just fix those assets easily. >> Jeff: Right, right. >> That was two years ago. Now this summer something called Blue Key. So Blue Key and Deja Blue is another attack that's happening, is going on right now. People don't know about it. Well, maybe not you. (laughing) Maybe if you're a Windows. >> I got nothing, I got nothing. >> Maybe if he has a Windows Operating System he's being attacked right now, I don't know about that. But a lot of our customers here, they're struggling with that every day. Not that Qualys can't tell them where it is, but they have to rely on another team to actually fix it. And that's what's so exciting about VMDR, Vulnerability Management Detection and Response, is the D and the R, the detection and the response allow them to remediate in a full life-cycle very quickly, very effectively, and with a high confidence that it has actually corrected those issues. >> Yeah, it's really interesting. You know, kind of the application versus platform conversation. You guys are integration partners with ServiceNow. Fred Luddy's been on many, many times, and tells a great story. You know, he wanted to build a platform, but you can't go to market with a platform. You got to go to market with an application, hopefully get some traction, and over time he started adding more applications, and it was pretty interesting listening to you guys. >> Well, I was actually going to stop you right there if you don't mind. >> No. >> The marketing people go to market with the platform. The marketing people say, "Hey version one is a platform." >> To their customers? But nobody's got a line-item to buy a new platform today, right. >> Exactly, and that's sort of the disconnect. >> Right. >> Really with normal enterprise sales models and technology. The marketing sales disconnect versus the technical reality that customers depend on for their environment. >> But if you do it right, then you can build that application stack, and I think in their earnings call, your guys last earnings call, you defined seven specific applications that sit on this platform that enabled in you to bundle and have kind of multi-application integration in the new VDMR. >> Yes, that's right, and I think that the difference with Qualys is they knew that the architecture was important. So our vulnerability management was an application on the architecture when it first launched 20 years ago. >> Right. >> And that really helped us going forward. So from the earnings call it's seven product capabilities on our lightweight agent, but the entire Qualys platform has 19 different product capabilities, in the same platform using the same user interface model and the VMDR takes many of those and bring it together in that single bundle on a per asset basis. >> Okay great, thanks for that clarification. Slight shift of focus. Another thing that came up in Philippe's keynote was kind of re-architecting the sales side and the market bundles that you guys are going to go to market with over time. And he broke it down into really only four big buckets of categories. Cloud providers, I think managed security service providers, enterprises, and I can't remember what the the last one was. Oh, OT and IOT vendors. >> Chris: IOT, correct, yes. >> So as you kind of look forward in the way that you're going to develop your products to go to market, how is that impacting your strategy, and are you seeing that start to play out in the marketplace? >> Yes, when we look at security technology and actually part of his keynote, he had this slide that had, you couldn't zoom in, because there's a million logos on this slide, security companies. And you go to some of the security shows, there's 800 vendors in the exhibit hall. >> Jeff: Oh yeah, we go to RSAC. I mean that that's why, it's chaos, right. >> So it's crazy, it's crazy. And there was an analyst that actually said a couple years ago that whenever there's a new threat, there's a new tech. Here's a new threat vector, now there's five new startups. And is that new threat vector super narrow, and it's only a feature, or is it a product, but our view of Qualys was a little bit different in that while the buying centers may be different, while some of the assets may be different, an OT asset versus a cloud asset versus the endpoint asset, the ability to discover it, identify it, categorize it, assess it, prioritize and remediate it is the same. That is the same. So whether it is a PLC on a shop floor from a car manufacturing, or a ecommerce web server that's running in a public cloud, or an end-user machine, the process to identify assess and remediate is exactly the same through us at Qualys with their platform. Different sensors for different asset types, normalized security data and different remediation approaches for different asset types, but all the same platform. >> But it sounds like you're doing some special stuff with Azure. >> Chris: Yes. >> So, tell us a little bit about kind of what's special about that relationship, what's special about that solution. >> Yeah, and that integration was announced two weeks ago at Microsoft Ignite, which is a big Microsoft show, and that really is a close partnership that we have with Microsoft. We actually did an early integration with them four years ago, but this is a lot deeper. And that really is Phillipe's and Qualys vision that security needs to be built in and not bolted on. >> Jeff: Right. >> That if you take, let's take a car for example. When you buy a car, you don't buy the car without a seat belt, an airbag, maybe a radio. You don't buy it without tires, it all comes together. You don't buy a car, then go to the seatbelt shop, and then buy a car and then go to the airbag shop. It all comes together, and that's what we're very excited about this announcement with Microsoft and Azure is that the vulnerability assessment is powered by Qualys already built into Azure. So there may be a whole set of customers that know nothing about Qualys, know nothing about our 20-year history, know nothing about our conference. they go to Microsoft Azure's, the security center, and it goes, "Assess your vulnerabilities," click a button and there's the vulnerability information. So this opens up a new capability for customers that they may not have used, but more importantly bringing security into IT without them knowing that they're doing security. And that is very powerful. >> So is it like a white label, under the covers or? >> So, it's not a white label, it's a joint integration. >> Chris: Okay. >> And it's a Microsoft Azure. >> Chris: So they eventually have, probably is in the bottom of the report. >> Powered by Qualys, powered by Qualys, right, so we got to have that name in there. >> Right, right, right, good. >> And what's exciting about Microsoft Ignite is that we had a lot of Microsoft IT and dev people come up to our Qualys booth and say, hey I don't know much about Qualys, but I get this report of things that I need to fix, tell me more about what you're doing and how can we help that fix faster. >> Chris: Right. >> And it's really about speed. Time to market, time to acquire customers, time to service customers, but more importantly time to produce new technology, time to secure the new technology, and lastly, unfortunately, time to respond to security events that may have happened in your network. >> And I presume they can buy more of the suite through the, and run it on the Azure stack. >> Yes, that's right. In fact, all of our capabilities can go on there from it, and that really is a strong partnership. In fact the group product manager for Azure is speaking at Qualys Security Conference just later today. That really shows a testament of the deep integration of partnership that we have with them. >> All right, Chris, before I let you go, you're the strategy guy. So as you look down the road in your crystal ball, I won't say more than three years, two years, three years, four years. What are some of the things you're keeping an eye on, what are the things you're excited about, what are the things you're a little concerned about? >> Well, I think that the things that we're excited about is a vision that Philippe and of course Ahmet has painted for it, is that the computing environment is accelerating dramatically, it's fragmenting dramatically. 5g might be a complete game-changer across the board. We have some of our large customers that have a project that they call Data Center Zero. 17 data centers, in two years, no data centers at all. I say that in their corporate offices they have laptops and printers, that's it. How do you secure and assess an environment that is ephemeral and that is virtual and that is remote, and that's where the Qualys platform architecture can move along with those customers. Our very largest customers are the ones leading the charge, not only developing new capabilities, but also using them as they come out. So I think that's what we're very excited about. I think that's some areas that we're working deeper with our customers on, is at the end of the day, it's people, process, and tools. And we're working on the technology capability and stack that can also influence and make the process better, but ultimately the people have to come in and understand that security has to be built in, we have to shift left, integrate it into the dev cycle to really reduce that attack surface and have a stronger, more secure enterprise. >> All right Chris, well, think you're going to be busy for the next couple years. >> It's a exciting time, it's an exciting time for Qualys. >> All right, well again, congrats on the event. >> Thanks very much. >> Thanks for having us. Can't believe it's been here for 19 years and we haven't been here yet. So again, thanks for having us and congrats on all your success. >> Great, fantastic Jeff. >> All right, he's Chris, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)