
Brian Rossi, Caterpillar | Qualys Security Conference 2019

>> Narrator: From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019, brought to you by Qualys.

>> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. They've been doing this for 19 years. They've been in this business for a long time, seen a lot of changes, so we're happy to be here. Our next guest works for Caterpillar. He is Brian Rossi, the senior security manager, vulnerability management. Brian, great to see you.

>> Thanks for having me.

>> So I was so psyched, they had an interview, a gentleman from Caterpillar a few years ago, and it was fascinating to me how far along the autonomous vehicle route Caterpillar is. And I don't think most people understand, right? They see the Waymo cars driving around, and they read about all this stuff. But Caterpillar's been doing autonomous vehicles for a super long time.

>> A really long time, a really long time, 25-plus years, pioneering a lot of the autonomous vehicle stuff that's out there. And we've actually, it's been cool, had an opportunity to do some security testing on some of the stuff that we're doing. So, even making it safer for the mines and the places that are using it today.

>> Yeah, you don't want one of those big giant dump-truck things to go rogue. (laughing)

>> Off a cliff. Yeah, no, bad idea.

>> Huge. Or into a bunch of people. All right, so let's jump into it. So, vulnerability management. What do you focus on, what does that mean exactly?

>> So, for me, more on the traditional vulnerability management side. So I stay out of the application space, but my group is focused on identifying vulnerabilities for servers, workstations, endpoints that are out there, working with those IT operational teams to make sure they get those patched and reduce as many vulnerabilities as we can over the course of a year.

>> So we've done some stuff with Forescout, and they're the kings of vulnerability sniffing-out. In fact, I think they have an integration with Qualys as well. So, is it always amazing as to how much stuff gets attached to the network that you weren't really sure was there in the first place?

>> Yes, absolutely. (laughs) And it's fun to be on the side that gets to see it all, and then tell people that it's there. I think with Qualys and with some of the other tools that we use, right? We're seeing these things before anybody else is seeing them, and we're seeing the vulnerabilities that are associated with them before anyone else sees them. So it's an interesting job, to tell people what's out there when they didn't even know.

>> Right, so another really important integration is with ServiceNow, and you're giving a talk, I believe tomorrow, on how you use both Qualys and ServiceNow together. Give us kind of the overview of what you're going to be talking about.

>> Absolutely, so the overview is really what our motto has been all year, right? Put work where people work. So what we found was that with our vulnerability management program, we're doing scanning, we're running reports, we're trying to communicate with these IT operational teams to fix what's out there. But that's difficult when you're just sending spreadsheets around and you're trying to email people. There's organizational changes, people are moving around. They might not be responsible for those platforms anymore. And keeping track of all that is incredibly difficult on a global scale, with hundreds of thousands of assets that people are managing. And so we turned to ServiceNow and Qualys to really find a way to easily communicate, not just easily, but also timely, communicate those vulnerabilities to the teams that are responsible for doing it.

>> Right, so you guys already had the ServiceNow implementation, obviously. It was something that was heavily used. You're kind of implying that that was the screen that a lot of people had open on their desktop all the time.

>> We lucked out that we were early in the implementation with ServiceNow. So, Caterpillar was moving from a previous IT service management solution to ServiceNow, so we got in on the ground floor with the teams that were building out the configuration management database. We got in on the ground floor with the teams who were operationalizing, using ServiceNow to drive their work. We had the opportunities to just build relationships with them, take those relationships, ask them how they want that to work, and then go build it for them.

>> Right, it's so funny because everyone likes to talk about single pane of glass, and to own that real estate that's on our screens that we sit and look at all day long, and it used to be emails. It's not so much email anymore, and ServiceNow is one of those types of apps that when you're in it, you're working it, that is your thing. And it's one thing to sniff out the vulnerabilities and find vulnerabilities, but you got to close the loop.

>> Brian: You got to, absolutely.

>> And that's really where the ServiceNow piece fits.

>> And it's been great. We've seen a dramatic reduction in the number of vulnerabilities that are getting fixed over the course of a 30-day period. And I think it simply is because the visibility is finally there, and it's real-time visibility for these groups. They're not receiving data 50 days after we found it. We're getting them that data as soon as we find it, and they're able to operationalize it immediately.

>> Right, and what are some of the actions that are the higher frequency that you've found, that you're triggering, that this process is helping you mitigate?

>> I would say, actually, what it's really finding is some of our oldest vulnerabilities, a lot of stuff that people have just let fall off the plate. And they're isolated, right? They may have run patching for a specific vulnerability six months ago, but there was no view to tell them whether or not they got everything. Or maybe it was an asset that was off the network when they were patching, and now it's back on the network. So we're getting them the real-time visibility. Stuff that they may have missed, that they would have never seen before, without this integration.

>> So I'd love to get your take on one of the top topics that came in the keynote this morning, both with Dick Clark as well as Philippe, was IoT-5G and the increasing surface area, attack surface area, vulnerability surface area. You guys, Caterpillar's obviously well into internet of things. You've got a lot of connected devices. I'm sure you're excited about 5G, and I'm sure in a mining environment, or those types of environments, are just prime 5G opportunities. Bad news is, your attack surface just grew exponentially.

>> Yeah.

>> So you're in charge of keeping track of vulnerabilities. How do you balance the opportunity, and what you see that's coming with 5G and connected devices and even a whole other rash of sensors, compared to the threat that you have to manage?

>> Certainly in the IoT space it's unique. We can't do the things to those devices that we would do with normal laptop assets, right? So I think figuring out unique ways to actually deal with them is going to be the hardest part. Finding vulnerabilities is always the easiest thing to do, but dealing with them is going to be the hard part. 5G is going to bring a whole new ballgame to a lot of the technology that we use. Our engineering groups are looking at those, and we're going to be partnering with them all the way through their journey on how to use 5G, how to use IoT to drive better services for our customers, and hopefully security will be with them the whole way.

>> Right, the other piece that didn't get as much talk today, but it's a hot topic everywhere else we go, is Edge, right? And this whole concept of, do you move the data, do you move the data to the computer or the computer to the data? I'm sure you guys are going to be leveraging Edge in a big way, when you're getting more of that horsepower closer to the sites. There's a lot of challenges with Edge. It's not a pristine data center. There are some nasty environmental conditions and you're limited in power, connectivity, and some of these other things. So when you think about Edge in your world, and maybe you're not thinking of it, but I bet you are, how are you seeing that, again, as an opportunity to bring more compute power closer to where you need it, closer to these vehicles?

>> So I think, I wish I had our other security division here with me to talk about it. We're piloting a lot of those things, but that's been a big piece of our digital transformation at Caterpillar, is really leveraging data from those connected devices that are out in the field. And we actually, our Edge has to be brought closer to home. Our engineers pack so much into the little space they have on the devices that are out there, that they don't have room to actually calculate on that data that's out in the field, right? So we are actually bringing the Edge a little closer to home, in order for us to provide the best service for our customers.

>> Right, so another take on digital transformation. You talked about Caterpillar's digital transformation. You've been there for five years now. Before that you were at State Farm. Checking on your LinkedIn, right? State Farm is the business of actuarial numbers, right? Caterpillar has got big heavy metal things, and yet you talk about digital transformation. How did you guys, how are you thinking about digital transformation in this heavy-equipment industry that's in construction? Probably not what most people think of as a digital enterprise, but in fact you guys are super aggressively moving in that direction.

>> Yeah, and for us, from a security perspective, it's been all about shift-left, right? We have to get embedded with these groups when they're designing these things. We have to be doing threat models. We have to be doing pen testing. We have to be doing that secure life cycle the entire way through the product. Because with our product line, unlike State Farm, where we could easily just make a change to an application so that it was more secure, once we produce these vehicles, and once we roll them out and start selling them, they're out there. And we build our equipment to last, right? So there's not an expectation that a customer is going to come back and say, "I'm ready to buy a new truck two years from now," because of a security vulnerability.

>> Jeff: Right, right.

>> So, yeah, it's a big thing for us to get as early in the development life cycle as possible and partner with those groups.

>> I'm curious in terms of the role of the embedded software systems in these things now, compared to what it was five years ago, 10 years ago, 'cause you do need to upgrade it. And we've seen with Teslas, right? You get patches and upgrades and all types of things. So I would imagine you're probably a lot more Tesla-like than the Caterpillar of 20 years ago.

>> Moving in that direction, and that is the goal, right? We want to be able to get the best services and the most quality services to our customers as soon as possible.

>> Right, very cool. Well, Brian, next time we talk, I want to do it on a big truck.

>> Okay.

>> A big, yellow truck.

>> Let's do it.

>> I don't want to do it here at the Bellagio.

>> Let's do it, all right.

>> Okay, excellent. Well, thanks for--

>> Thank you.

>> For taking a few minutes, really appreciate it.

>> Absolutely.

>> All right, he's Brian, I'm Jeff, you're watching theCUBE. We're at the Bellagio in Las Vegas, not on a big yellow truck, out in the middle of nowhere digging up holes and moving big dirt around. Thanks for watching. We'll see you next time. (upbeat techno music)

Published Date : Nov 21 2019