Brad Medairy, Booz Allen Hamilton | RSA 2019
>> Announcer: Live from San Francisco, it's theCube covering RSA Conference 2019, brought to you by Forescout.
>> Hey, welcome back, everybody. Jeff Frick here with theCube. We're in the Forescout booth at RSA in Moscone Center. Forty thousand people walking around talking about security; it's by far the biggest security event in the world. We're excited to be here, and welcome back a Cube alumni who has been playing in the security space for a very long time. He's Brad Medairy, the SVP from Booz Allen Hamilton. Brad, great to see you.
>> Hey, thanks for having me here today.
>> Absolutely.
>> Yeah, I've already walked about seven miles today, and I'm just glad to be here to have a conversation.
>> Yeah, the Fitbits and the walking trackers love this place, right? You fill your circles in a very short period of time.
>> I feel very fit after today.
>> So thank you. But it's pretty interesting, right? You're in a position where you're advising companies, both government and commercial companies. To come into an environment like this and just be overwhelmed by so many options, right? And you can't buy everything here, and you shouldn't buy everything here. So how do you help your clients kind of navigate this crazy landscape?
>> It's interesting. So you mentioned forty thousand people. As you see on the show floor behind us, thousands of product companies, and frankly, our clients are confused. There's a lot of tools, a lot of technologies, there's no silver bullet, and our clients are asking a couple of fundamental questions. One, how effective am I? And then once I'm effective, how can I be more efficient with my cybersecurity spend?
>> So it's funny, effective. So how are they measuring effective? Because that's kind of a changing, amorphous thing to target as well.
>> I mean, that's the key question in cybersecurity: how effective am I? There's lots of tools and technologies. We do a lot of incident response, both commercially and federally, and in general, when looking at past breaches, it's not a tools problem. In most cases, everyone has the best of the best in tools and technologies, but either they're drowning in data, or the tools aren't configured properly. So we're spending a lot of time helping our clients baseline their current environment, helping them look at their tool configurations, helping them look at their security operations center, helping them figure out: can they detect the most recent threats, and how quickly can they respond?
>> Right. And then how do they prioritize? That's the thing that always amazes me, because you can't do everything, right? And it's fascinating with the recent elections and kind of state-funded threats: what the bad guys are going after isn't necessarily your personal identifying information or your bank account, but all kinds of things that you may not have thought were that valuable yesterday.
>> Right. I mean, it's funny. We talk a lot about these black swan events, and so you look at NotPetya. With NotPetya, there were some companies that were really hit in a very significant way, and everyone was surprised, right? And we see it time after time, folks caught off guard by these unanticipated attack vectors. It's a big problem. But I think our clients are getting better. They're starting to be more proactive. They're starting to become more integrated communities where they're taking intelligence and using that to better tune and tailor their security operations programs. And they're also starting to take the tools and technologies in their environment and better tie them and integrate them with their operational processes, and they're getting better.
>> Right. So another big change in the landscape. You said you've been coming here for years. So IoT, right? And it's just called industrial IoT, or OT, call it what you like. Yeah, and other things. A lot more devices, whether they should or should not be connected, are going to be connected. They weren't necessarily designed to be connected. And you also work on the military side as well, right? And these have significant implications. These things do things, whether it's a turbine, whether it's something in the hospital that's monitoring the heart, or whether it's something in a military scenario. So how are you seeing the adoption of that? Obviously the benefits far outweigh the potential downfalls, but you've got to protect for the downfall.
>> You know, OT is one of the most pressing cybersecurity challenges that our clients face today. And it's funny, when we first started engaging in the OT space, there was a big vocabulary mismatch. You had the CISO organizations that were talking threat actors and attack vectors, and then you had heads of manufacturing that were talking uptime, availability, and reliability, and they were talking past each other. I think now we're at a turning point where both communities are coming together to recognize that this is really an imminent threat to the survival of their organization and that they've got to protect their OT environment. They're starting by making sure that they have segmentation in place, but that's not enough. And it's interesting, when we look into a lot of the OT environments, I call it the Smithsonian of IT. I was looking at one of our client environments, and they had a lot of Windows NT devices. Like, that's great. I'm a Windows NT expert. I was using that between 1994 and 1996, and I mean, it's everybody's favorite vulnerability. Right on. Oh, I'm your guy. So one of the challenges that we're facing is, how do you go into these legacy environments that have very mission-critical operations and integrate cybersecurity to protect and ensure their mission? And so we're working with companies like Forescout that provide agentless capabilities that allow us to better, number one, understand what's in the environment, and then be able to apply policies to be able to better protect and defend them. But certainly it's a major issue that everyone's facing. We spend a lot of time talking about issues in manufacturing, but think about the utilities. Think about the power grid. Think about building control systems, HVAC. I was talking to a client that has a very critical mission, and I asked them, like, what's your biggest challenge you face today? And I was thinking they were going to be talking about their mission control system, or some of the real critical assets they have. But what he said was, my biggest challenge is my HVAC. And I'm like, really? He's like, if my HVAC goes down, my operations are going to be disrupted. I'm going out to COOP halfway across the country, and that could result in loss of life. It's a big issue.
>> Yeah, it's wild. That triggers all kinds of things. I think Mike earlier today said that on a lot of the devices, you don't even know you're running NT. Yeah, it's like a little tiny version of NT that's running underneath the operating system that's running this device. You don't even know it. And it's funny you talked about the HVAC. There was a keynote earlier today where they talked about, if a data center HVAC goes down, first, I think she said, sixty seconds, stuff starts turning off, right? So depending on what that thing is powering, that's a pretty significant data point.
>> Yeah, I think where we are in the journey in OT is, we started by creating the burning platform, making sure that there was awareness around, hey, there is a problem, there is a threat. I think we've moved beyond that. We then moved into segmenting the OT environment. A lot of the major nation-state attacks that we've seen started in the enterprise and moved laterally into the OT environment, so we're starting to get better segmentation in place. Now we're getting to a point where we're moving into the shop floors, the manufacturing facilities, the utilities, and we're starting to understand what's on the network, right? The IT world has probably been struggling with this for years and has started to overcome it, but in the OT environment it's still a problem. So understanding what's connected to the network and then building a strategy for how we can really protect and defend it. And the difference is, it's not just about protecting and defending, it's ensuring continuity of mission. It's about being resilient.
>> Right, and being able to find if there's a problem, find the problem. I mean, we're almost numb to the data breaches; it's right there in the paper every day. I think Michael was really the last big one when everyone had a conniption fit. Now, okay, it's another data breach. So it's a big issue.
>> That's right.
>> So one of the things you talked about last time we had you on was continuous diagnostics and mitigation. I think it's a really interesting take; it's pretty clear in the wording that it's not buy something, put it in, and go on vacation. It's a constant, ongoing process, and you have to really be committed to it.
>> Yeah, I think that our clients, federally and commercially, are moving beyond compliance. If you rewind the clock many years ago, everyone was looking at these compliance scores and saying, good to go. And in reality, if you're compliant, you're really looking in the rear-view mirror. It's really about putting in programs that are continually assessing risk, continuing to look at your environment, so that you can better understand what are the risks, what are the threats, and so that you can prioritize activity and action. And I think the federal government is leading the way with some major programs. I look at DHS Continuous Diagnostics and Mitigation, where they're really looking to up-armor .gov and really take a more proactive approach to securing critical infrastructure, right?
>> Just curious, because you kind of split the fence between the federal clients and the commercial clients. Everybody's kind of point of view impacts the way they see the world. What, if you could share, is maybe more of a federal-centric view that wasn't necessarily shared on the commercial side of how they prioritize? And what's kind of the one on the commercial side that the feds are missing? I assume you want to get them both kind of thinking about the same thing, but there's got to be a different set of priorities.
>> Yeah, I think after some of the major commercial breaches, we saw the commercial entities go through a real focused effort to take the tools that they have in the infrastructure and make sure that they're better integrated. Because in this mass product landscape, there's lots of seams that the adversaries live in. And then better tie the tooling and the infrastructure with security operations, and on the security operations side, take more of an intelligence-driven approach, meaning that you're looking at what's going on out in the wild, taking that information, being able to enrich it, and using that to be more proactive: instead of waiting for an event to pop up on the screen, hunt for adversaries in your network. Right now we're seeing the commercial market really refining that approach, and now we're seeing our government clients start to adopt and embrace commercial best practices.
>> Right. So I'm curious. I love that line, adversaries live in the seams, right? We're going to an all-hybrid world, right? Public cloud is kicking tail. People have stuff in public cloud, they have stuff in their own cloud. It's a very kind of hybrid ecosystem. That sounds like it's making a whole lot of seams.
>> Yeah. Just when we think we're getting there, we're getting the enterprise under control, we've got asset management in place, we're modernizing security operations, we're being more hunt-driven, more proactive, now the attack surface is expanding. Earlier we talked about the OT environment; that's introducing a much broader and new attack surface. But now we're talking about cloud, and it's not just a single cloud, there's multiple cloud providers, right? And now we're talking about software as a service, and multiple software-as-a-service providers. So it's not just what's in your environment now, it's your extended enterprise that includes clouds, software as a service, OT, IoT, and the problem's getting much more complex. And so it's going to keep us busy for the next couple of years. I think job security's okay. I think we're gonna be busy.
>> All right, before I let you go, just kind of top trends that you're thinking about, what you guys are looking at as a company as we head into 2019.
>> A couple of things. Booz Allen, being deeply rooted in defense and intelligence, we're working to unlock our tradecraft that we've gained through years of dealing with the adversary and working to figure out how to better apply that to cyber defense: things like advanced threat hunting, things like adversary red teaming, things like being able to do baselining to assess the effectiveness of an organization. And then last but not least, AI. AI is a big trend in the industry. It's probably become one of the most overused buzzwords, but we're looking at specific use cases around artificial intelligence. How do you better accelerate tier one, tier two event triage in a SOC? How do you better detect adversary movement to enhance detection in your enterprise? AI is a major term that's being thrown out at this conference, but we're really looking at how to operationalize that over the next three to five years.
>> Right, right. And the bad guys have it too, right? And never forget Amara's Law, one of my favorite, not-quoted-enough laws, right: we tend to overestimate in the short term and underestimate in the long term. Maybe today's buzzword, but in three to five years AI's gonna be everywhere.
>> Absolutely.
>> All right. Well, Brad, thanks for taking a few minutes of your day to stop by.
>> Good to see you again.
>> All right. He's Brad, I'm Jeff. You're watching theCube. We're at the RSA Conference in downtown San Francisco. Thanks for watching. We'll see you next time.
Brad Medairy, Booz Allen Hamilton | Splunk .conf 2017
>> Announcer: Live from Washington, DC it's theCube covering .conf 2017 brought to you by Splunk. >> Welcome back here on theCube, the flagship broadcast for Silicon Angle TV. Glad to have you here at .conf 2017 along with Dave Vellante, John Walls. We are live in Washington, DC, and balmy Washington, DC. It's like 88 here today, really hot. >> It's cooler here than it is in Boston, I hear. >> Yeah, right, but we're not used to it this time of year. Brad Medairy now joins us. He's an SVP at Booz Allen Hamilton, and Brad, thank you for being with us. >> Dave: And another Redskins fan I heard. >> Another Redskins fan. >> It was a big night, wasn't it? Sunday night, I mean we haven't had many of those in the last decade or so. >> Yeah, yeah, I became a Redskins fan in 1998 and unfortunately a little late, after the three or four Super Bowls. >> John: That's a long dry spell, yeah. >> Are you guys Nats fans? >> Oh, huge Nats fan, I don't know, how about Brad, I don't want to speak for you. >> I've got a soft spot in my heart for the Nats, what's the story with that team? >> Well, it's just been post-season disappointment, but this year. >> This is the year. >> This is the year, although-- >> Hey, if the Red Sox and the Cubs can do it. >> I hate to go down the path, but Gio worries me a little bit, but we can talk about it offline. >> Brad: Yeah, let's not talk about DC sports. >> Three out of five outings now have not been very good, but anyway, let's take care of what we can. Cyber, let's talk a little cyber here. I guess that's your expertise, so pretty calm, nothing going on these days, right? >> It's a boring field, you know? Boring field, yeah. >> A piece of cake. So you've got clients private sector, public sector, what's kind of the cross-pollination there? I mean, what are their mutual concerns, and what do you see from them in terms of common threats?
>> Yeah, so at Booz Allen we support both federal and commercial clients, and we have a long history in cyber security, kind of with deep roots in the defense and the intelligence community, and have been in the space for years. What's interesting is I kind of straddle both sides of the fence from a commercial and a federal perspective, and on the commercial side, some of the major breaches really forced a lot of these organizations to quickly get religion, and early on everything was very compliance driven, and now it's much more proactive, and there's the need to be both much more efficient and effective. The federal space is, I think in many cases, catching up, and so I've done a lot of work across .mil and there's been a lot of investment across .mil, and it's very secure. .gov, you know, is still probably a fast follower, and one of the things that we're doing is bringing a lot of commercial best practices into the government space, and the government's quickly moving from a compliance-based approach to cyber security to a much more proactive, proactive defense. >> Can you get, it's almost like a glacier sometimes, right, I mean there's a legacy mindset, in a way, that government does its business, but I would assume that events over the past year or two have really prompted them along a little bit more. >> I mean there's definitely been some highly publicized events around breaches across .gov, and I think there's a lot of really progressive programs out there that are working to quickly, you know, remediate a lot of these issues.
One of the programs we're involved in is something called CDM that's run out of DHS, Continuous Diagnostics and Mitigation, and it's a program really designed to up-armor .gov, you know, to increase situational awareness and provide much more proactive reporting so that you can get real-time information around events and postures of the network, so I think there's a lot of exciting activities, and I think DHS, in partnership with the federal agencies, is really kind of spearheading that. >> So if we can just sort of lay out the situation in the commercial world and see how it compares to what's going on in gov. Product creep, right, there's dozens and dozens and dozens of products that have been installed, security teams are just sort of overwhelmed, overworked, response is too slow, I've seen data from, whatever, 190 days to 350 days, to identify an infiltration, never mind remediate it, and so, it's a challenge, so what's happening in your world and how can you guys help? >> Yeah, you know it's funny, I love going out to the RSA conference and, you know, I watch a lot of folks in the space, walking around with a shopping cart, and they meet all these great vendors and they have all these shiny pebbles and they walk away with the silver bullet, right, and so if they implement this tool or technology, they're done, right? And I think we all know that's not the case, and so over the years I think that we've seen a lot of organizations, both federal and commercial, try to solve a lot of the problems through, you know, new technology solutions, whether it's the next best intrusion detection, or if it's endpoint, you know, the rage now is EDR, MDR, and so, but the problem is, at the end of the day, the adversaries live in the seams, and in the world that I grew up in, focused a lot around counter-terrorism.
We took a data-centric approach to finding advanced adversaries, and one of the reasons that the Booz Allen has strategically partnered with Splunk is we believe that, you know, in a data-centric approach to cyber, and Splunk as a platform allows us to quickly integrate data, independent of the tools because the other thing with these tool ecosystems is all these tools work really well within their own ecosystem, but as soon as you start to mix and match best of breed tools and capabilities, they tend to not play well together. And so we use Splunk as that integration hub to bring together the data that allows us to bring our advanced trade-craft and tech-craft around hunting, understanding of the adversaries to be able to fuse that data and do advanced detection and help our clients be a lot more proactive. >> So cyber foresight is the service that you lead with? >> Yeah, you know, one of the things, having a company that's been, Booz Allen I think now is 103 years old, with obvious deep roots in the federal government, and so we have a pedigree in defense and intelligence, and we have a lot of amazing analysts, a lot of amazing, what we call, tech-craft, and what we did was, this was many many years ago, and we're probably one of the best kept secrets in threat intelligence, but after maybe five or six years ago when you started to see a lot of the public breaches in the financial services industry, a lot of the financial service clients came to us and said, "Hey, Booz Allen, you guys understand the threat, you understand actors, you understand TTPs, help educate us around what these adversaries are doing. Why are they doing it, how are they doing it, and how can we get out in front of it?" So the question has always been, you know, how can we be more proactive? 
And so we started a capability that we, or we developed a capability called cyber foresight where we provided some of our human intelligence analysts and applied them to open-source data and we were providing threat intelligence as a service. And what's funny is today you see a lot of the cyber threat intelligence landscape is fairly crowded, when I talk to clients they affectionately refer to people that provide threat intelligence as beltway book reporters, which I love. (laughter) But for us, you know, we've lived in that space for so many years we have the analysts, the scale, the tradecraft, the tools, the technologies, and we feel that we're really well positioned to be able to provide clients with the insights. You know, early on when we were working heavily in the financial services sector, the biggest challenge a lot of our clients had in threat intelligence was, what do I do with it? Okay, so you're going to send me, what we call a Spot Report, and so hey we know this nation-state actor with this advanced set of TTPs is targeting my organization, so what, right? I'm the CISO, I'm the CIO, should I resign? Should I jump out the window? (laughter) What do I do? I know these guys are coming after me, how do I actually operationalize that? And so what we've spent a lot of time thinking about and investing in is how to operationalize threat intelligence, and when we started, you kind of think of it as a pitcher and a catcher, right? You know, so the threat intelligence provider throws those insights, but the receiver needs to be able to catch that information, be able to put it in context, process it, and then operationalize it, implement it within their enterprise to be able to stop those advanced threats. 
And so one of the reasons that we gravitated toward Splunk, Splunk is a platform, Splunk is becoming really, in our mind, one of the de facto repositories for IT and cyber data across our client space, so when you take that, all those insights that Splunk has around the cyber posture and the infrastructure of an enterprise, and you overlay the threat intelligence with that, it gives us the ability to be able to quickly operationalize that intelligence, and so what does that mean? So, you know, when a security operator is sitting at a console, they're drowning in data, and, you know, analysts, we've investigated tons of commercial breaches and in most cases what we see is the analyst, at some point, had a blinking red light on their screen that was an indicator of that particular breach. The problem is, how do you filter through the noise? That's a problem that this whole industry has; it's a signal-to-noise ratio issue. >> So you guys bring humans to that equation, human intelligence meets analytics and machine intelligence, and your adversary has evolved, and I wonder if you can talk about that, it's gone from sort of hacktivists to organized crime and nation-states, so they've become much more sophisticated. How have the humans sort of evolved as well that you bring to bear? >> Yeah, I mean certainly the barrier to entry is lower, and so now we're seeing ransomware as a service, we're seeing attacks on industrial control systems, on IoT devices, you know, financial services now is extremely concerned about building control systems, because if you can compromise a building control system you can potentially laterally move into the enterprise network.
And so our analysts now not only are traditional intelligence analysts that understand adversaries and TTPs, but they also need to be technologists, they need to have reverse engineering experience, they need to be malware analysts, they need to be able to look at attack vectors and TTPs to be able to put all this stuff in context, and again it goes back to being able to operationalize this intelligence to get value out of it quickly. >> They need to have imaginations, right? I mean thinking like the bad guys, I guess. >> Yeah, I mean we spend a lot of time, we've started up a new capability called Dark Labs, and it's our way to be able to unlock some of those folks that think like bad guys and be able to unleash them to look at the world through a different lens, and be able to help provide clients insights into attack vectors, new TTPs, and it's fascinating to watch those teams work. >> How does social media come into play here? Or is that a problem at all, or is that a consideration for you at all? >> Well, you know, when we look at a lot of attacks, what's kind of interesting with the space now is you look at nation-states and nation-state activists and they have sophisticated TTPs. In general they don't have to use them. Nation-states haven't even pulled out their quote "good stuff" yet because right now, for the most part, they go with low-hanging fruit, low-hanging fruit being-- >> Just pushing the door open, right? >> Yeah, I mean, why try to crash through the wall when you can just, you know, the door's not locked? And so, you know, when you talk about things like social media, whether it's phishing, whether it's malware injected in images, or on Facebook, or Twitter, you know, the majority of attacks are either driven through people, or driven through just unpatched systems.
And so, you know, it's kind of cliche, but it really starts with policies, training of the people in your organization, but then also putting some more proactive monitoring in place to be able to kind of start to detect some of those more advanced signatures for some of the stuff that's happening in social media. >> It's like having the best security system in the world, but you left your front door unlocked. >> That's right, that's right. >> So I wonder if, Brad, I don't know how much you can say, but I wonder if you could comment just generally, like you said, we haven't seen their best pitch yet, we had Robert Gates on, and when I was interviewing him he said, "You know, we have great offensive posture and security, but we have to be super careful how we use it because when it comes to critical infrastructure we have the most to lose." And when you think about the sort of aftermath of Stuxnet, when basically the Iranians said hey, we can do this too, what's the general sort of philosophy inside the beltway around offense versus defense? >> You know, I think from, that's a great question. From an offensive cyber perspective I think where the industry is going is, how do you take offensive tradecraft and apply it to defense? And so by that I mean, think about we take folks that have experience thinking like a bad guy, but unleash them in a security operations center to do things like advanced hunting, and so what they'll do is take large sets of data and start doing hypothesis-driven analytics where they'll be able to kind of think like a bad guy, and then they'll have developers or techies next to them building different types of analytics to try to take their mind and put it into an analytic that you can run over a set of data to see, hey, is there an actor on your network performing like that?
And so I think we see in the space now a lot of focus around hunting and red teaming, and I think that's kind of the industry's way of trying to take some of that offensive mentality, but then apply it on the defensive side. >> Dave: It's kind of like Navy SEAL operations in security. >> Right, right, yeah. I mean the challenge is there's a finite set of people in the world that really, truly have that level of tradecraft, so the question is, how do you actually deliver that at any level of scale that can make a difference across this broader industry. >> So it's the quantity of those skill sets, and they always say that the amazing thing, again I come back to Stuxnet, was that the code was perfect. >> Brad: Yeah. >> The antivirus guys said, "We've never seen anything like that where the code is just perfect." And you're saying it's just a quantity of skills that enables that, that's how you know it's nation-state, obviously, something like that. >> Yeah, I mean the level of expertise, the skill set, the time it takes to be able to mature that tradecraft is many, many years, and so I think that when we can crack the bubble of how we can take that expertise, deliver it in a defensive way to provide unique insights, and do that at scale, because just taking one of those folks into an organization doesn't help the whole, right? How can you actually kind of operationalize that to be able to deliver that tradecraft through things like analytics as a service, through managed detection and response, at scale, so that one person can influence many, many organizations at one time. >> And, just before we go, so cyber foresight is available today, it's something you're going to market with.
>> Yeah, we just partnered with Splunk, it's available as a part of Splunk ES, it's an add-on, and it provides our analysts the ability to provide insights and be able to operationalize that within Splunk, we're super excited about it and it's been a great partnership with Splunk and their ES team. >> Dave: So you guys are going to market together on this one. >> We are partnered, we're going to market together, and delivering the best of our tradecraft and our intelligence analysts with their platform and product. >> Dave: Alright, good luck with it. >> Hey, thank you, thank you very much, guys. >> Good pair, that's for sure, yeah. Thank you, Brad, for being with us here, and Monday night, let's see how it goes, right? >> Yeah, I'm optimistic. >> Very good, alright. Coach Brad Medairy joining us with his rundown on what's happening at Booz Allen. Back with more here on theCube, you're watching live .conf 2017.