
Search Results for Centrify:

Andy Smith, Centrify | RSAC USA 2020


 

>>Live from San Francisco. It's theCUBE covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >>And welcome back. Jeff Frick here with theCUBE. We are at day four here at the RSA Conference in Moscone, Thursday. We've been going all day Monday, Tuesday, Wednesday, Thursday. It's a huge conference, over 40,000 people, you know, kind of the first big US conference after the Mobile World Congress thing with the coronavirus. So we were all kind of curious to see how it would work out. There were some companies that pulled out but you know Rohit and the team stayed the course, they got the support they needed from the city and it's turned out to be quite a show. So I'm sure there's a lot of people all over the industry kind of watching this as an indicator of how do you execute a conference in these kinds of crazy times. So we're excited for our next guest. He's Andy Smith, the senior vice president of marketing for Centrify. >>Andy, great to see you. Good to be here, Jeff. Doing great. So you said you've been coming to this show for a while, you're a seasoned veteran of the industry. First off, kind of general impressions of this show versus other kinds of RSAs you've been doing in the past. It's super interesting to watch. It ebbs and flows with the security industry, right? I mean I've been 15 years over the past 25 I've been at this show and you've seen it be big and then shrink down, you know, to one hall and then the two halls again. I mean what's interesting the last couple of years is it's, it's big again, like security is hot. We know budgets are going up, a breach culture's out there. And so, you know, the IC, the RSA show is a reflection of what's happening with the industry when you look at the size and number of attendees. >>Right. The other kind of theme this year was the human centric, uh, boat. And we had Rohit Ghai on just a little bit earlier in his keynote. I thought it was really interesting. 
It was not about security per se. It was not about threats and detection. It was really about stories and narratives and peoples and kind of taking that back as an industry. I wonder, you know, kinda your impression of this kind of human centric theme as we're surrounded by tech, tech and more tech. It is, if you think about human centric, it's a, it's a big piece of your, your security strategy, right? I mean, uh, what, there was just this morning, uh, one of the Sharks got phished, right? Lost $400,000. One of the, yeah. And so, uh, you know, educating people about looking out for phishing attacks, right? Uh, uh, looking at insiders who are one of our biggest threats and you know, they're, they're a huge piece of this is not technology at all. >>Right? I thought Wendy's keynote was great too from Cisco. Talking about everything we do on computers is about clicking. And yet we tell people, you know, click the download the patch, but don't click on anything else. And really, you know, kind of taking an approach that people need to be part of the solution. They're not these horrible people that keep clicking on the wrong things, but you really need to integrate them into your strategy. Yeah, absolutely. I mean, it's about educating your workforce. It's about educating consumers, right? Whether you're talking B to C security or whether you're talking B to B, that human element and educating to be diligent right to you, you got to know a little bit about how to look for something that might be suspicious and know what is, what you should be clicking on, what you shouldn't. There's, there's not a lot of technology that can solve that for you. >>It's getting out and, and, and making sure people are educated. And unfortunately, the bad guys have been working hard on their grammar and, uh, and doing all the AI in the background. So, you know, it's not, a lot of things today are not easily identifiable like they used to. 
They've gotten, that's no longer really kind of a baseline, a hope not to click that thing. They've gotten way better. Right? So rather than these attacks that are spray and pray, they're going after, you know, just going after anybody. They can, they're targeted now. Right? So spear phishing, right. And uh, and so specific individuals. And that's why one of the things that, that is a little bit coming up at this show and something that we talk about is identity centric security. So that you've got to tie that kind of human element to your security. >>You know, there's network centric, but getting identity centric and tying that human element to your security aspect, making sure the security, the identity technologies and the security technologies are working together. That brings that human element into your own security strategy. And when you, when you talk about identity, how should people be thinking about identity? Because clearly we see the kind of the rise in multi-factor now, right? We have to do, we have to go to the, our phones all the time with the code. Now we're hearing people, you know, can spoof identity, they can spoof faces. I guess identity is not a face, but you know, some of these indicators of identity. So when you help people think about identity, what are some of the factors they should think about? What are the things they don't but they should be thinking about? Yeah, yeah. >>I mean some of the things that we talked a lot about is multifactor authentication. So although yes, right, real sophisticated people can have ways of getting around that, but most attackers and hackers are lazy, right? They're going to go for somebody who's got no multi-factor in place, like even doing the basics is way better than doing nothing. I mean, the statistics bear out that you do a little something right? And then you can always step it up and get more sophisticated where you've got tokens that you have to put your finger on, right? 
And you know, you can get smart cards and all those kinds of things. You can get much more sophisticated, but multi-factor in general works. I mean, you're just going to take it a far bit above. But what's interesting about identity, because we always think of humans, right? But when we talk identity, where this market is going is identity is machines. >>You have to give a machine an identity, you have to give a service account an identity, you have to give a microservice an identity. And these more and more, this is just completely automated world. This isn't humans logging into things anymore. This is microservices talking to each other. Each of those needs an identity, needs an authorization, cause they have accounts that can be hacked also. Right? So you need to protect those just as much as you need to protect those human accounts. It's funny cause we, we cover a lot of RPA shows, right? And the whole talk of, of of people that do RPA, right, is that they're, they're, they treat them as people, right? They treat them as kind of like your little assistants, your own little bot to do little tasks that you assigned them to do. So treating them with kind of an identity protocol. >>Then that gives all the authorizations and you kind of leverage all that back end is the way to integrate them into the workforce. Absolutely. It's all about access controls, authentication, authorization. Those are the controls that have been there forever. You're supplying these two new types of identities and you know, the, we're in the privileged access management space, so it used to always be a Windows admin or a Unix Linux admin logging into a physical box, right? And so it was about protecting those accounts. But more and more it's about giving a machine an identity and a microservice an identity and how are those things talking to each other? We're protecting, that's all completely automated with DevOps. 
You think about if I have a, as I move to the cloud, I want to be able to scale out dynamically, right? Uh, horizontally, vertically. So all of a sudden new servers, virtual servers or containers just popping up automatically. >>You have to be able to control the access to all those automatically, dynamically on the spot, and then they shrink back down. You need to get rid of all that, right? So the automation that's come into our space, although the same, I'm still trying to do authentication, authorization, same type of privileged access controls we've been doing for 30 years, but how they're applied in this new world is much different right now. What about then you layer you layer on top of that zero trust, so I definitely want to identify, but I have zero trust and I'm presuming at some point in time you might end up either being a bad guy or some bad guy's going to come in via your credential. How does the zero trust piece fit on top of the identity kind of management? It's really why we're talking about identity centric security now is because you can't, you, you have to assume somebody's on your network. >>You can't trust all those perimeter controls that are there. The reality is they're going to get in and so that identity centric security starts at that access layer and not not trusting just because you got onto the network that, Oh, sure, here you go. You can, you can do whatever you want. That's where zero trust comes in. I don't, every time I want to get access to a piece of data or a system, et cetera, I need to do that authentication, that authorization, apply that multi-factor. Those are all identity centric controls that result in this, this journey towards the zero trust world. 
It's, it's funny, uh, I've sat down with Mike DeCesare, uh, Forescout and you know, he talks about when they do the little sniff on all the little devices that are plugged into the networks and it's usually multiples back of what people think are on the network, especially remote location. >>People are plugging stuff in. But then too, you know, like you said in the machine, identify, you know, what should a Logitech cam do and how should it act. And as soon as it starts acting and asking for things in accounts payable, maybe that's not necessarily what a Logitech camera wants to do or should be doing. Yeah. Yeah. And so first there's like knowing what that device is, giving it an identity so you know what it is, know what it should be doing. It has a role, it has specific access and authorization rights that are granted to it. So the Logitech camera, if I know what that camera is, you have an identity. I know what it's supposed to be doing. I should be able to restrict the access it has to just what it needs to do. Right. Rather than it's got root account to do whatever or some God account to create, you know, like those are the kinds of controls we have in place. >>And it's just logical identity management controls that have been there forever. But you're a, once you can identify those devices connected, you can, you can give them those, you know, limited. There's talk about least privilege, right? That's again, a 30 year old control, but giving it least privilege on just what it should do and nothing more. And do you see in the future just more and more kind of multifactor, uh, validation points that we'll have to get added to the, to the process as we move from single factor to two-factor, however many factors it's going to take? For sure. Yeah. I mean, so the multi-factor, cause there's one thing are you authenticate yourself at the front door, right? So that's what most authentication is, but there's this concept of continuous authentication. 
Your, the trust in that, uh, that initial authentication degrades as your session goes on. >>Right? So the longer I've had a session open, you know, is that still that same person or that same service that is clicking away at the keyboard there? There's cool stuff around continuous authentication where there they can tell it's still the same person based on the cadence they click on the keyboard, other biometric methods, the swiping I do on my phone and stuff like that. So there's ways to have continuous concepts now called continuous authentication. Right? And so I absolutely see that those behavior based, uh, types of, uh, of authentication. You're going out through a user's entire session. So I want to shift gears a little bit. One of the things that amazes me about this show, and I don't know when it was small, but it's been big ever since I've been coming. It's right, there's so many vendors here, there's so many companies in this and there's so many kinds of stories that a lot of really enthusiastic people work in booths that are screaming at you to come over and tell you all the great things they do. >>From a marketing point of view, you're, you're the SVP marketing. How do you, you know, kind of package your messaging, how do you kind of break through the clutter? What advice do you give to, to buyers, um, to help them kind of navigate what is a, a very large, loud and complex system? Yeah, it's a, it's a complex battle, right? So you have to be able to, because there are so many different technologies here, uh, in, in the security arena, uh, we're all fighting for the same share of wallet in a sense. Right? And so first you have to identify yourself with something people recognize, a market that people recognize like identity, privileged access management, endpoint security, you know, et cetera. But then you have to differentiate yourself within that market, right? So you've got to add something to the market space I'm in to that gives a little twist. 
>>So for us, it's identity centric privileged access management and that, you know, we suppose that against vault centric or you know, something else that we've tried to put the other bets. So you try to, in your message, you got to categorize what's the space I'm in and how do I differentiate? And in something as short and brand-able as possible. And then you got to have this kind of ongoing solutions, partnership relationship with, with your clients, right? Because this is not something you're going to be switching things out that frequently and, and, and, and the landscape and the threats evolve and change so rapidly. I think we've had a number of people come on to publish this report or that report, his report, he's come out every six months and there's actually the online version so he can keep up with what happened today or what happens tomorrow. >>So not an easy, uh, not an easy kind of marketing challenge to stay relevant, stay connected and stay really in people's mind. Well, and you know, there's, there's awareness aspects to it and it is really just what really helps is you just create as many happy customers as you can. Right? I mean, you're amazed at the how connected this industry actually is. I mean, the attendees that are coming to this conference, they know each other. They've been coming here from here. It's just like we have. Right, right. And a word of mouth between people who have used your technology, they share that with something else. I mean the security industry as big as it is, it's, it's super interconnected. One person goes from one company to the other and so tons of business just comes from word of mouth, referral, etc. So the happier you can keep your customers, the more uh, you know, mind share. >>You can get up there. Okay. Last question before I let you go. We just like to say we just had Rohit on, one of the topics was they just got bought by a Symphony. I think it's Symphony, a private equity firm. 
Um, we met the other night at a, at a cocktail party put on by Thoma Bravo and you were at Centrify before they came in. And after, you know, I think some people are kind of confused, you know, what is private equity, how does it impact the company? So wonder if you can kind of share, you know, how that transition has come along and you know, kind of give us an update on what's going on at Centrify and where you guys are going next. Yeah, so we were acquired about a year and a half ago now, uh, by private equity and you know, they basically, they take later stage companies and uh, help them get, uh, profitable, uh, they increased value and then they look for going, taking that company IPO or selling it off, et cetera. >>Right? But it's really about looking for opportunities, uh, in existing market with larger companies, the venture capitalists will go after smaller, much larger risks. These are bigger dollar amounts, right? Larger companies. But then they, they look about how to optimize. They're very sophisticated on how to run a B to B business. Thoma Bravo happens to have a huge investment in security and it comes like eight or 10 companies there the other night. Yeah. So they, they realize that this is a hot space right now. So they've, if they can take a company and create value that they realize that there's more stuff popping up. There's probably money being invested in. And one of the things that, but not all private equity is created equal. Yes, they are about all about kind of optimizing, increasing value. But what we really found with Thoma Bravo is they're interested in investing in that company, looking at other folds and acquisitions, et cetera. >>And that's a part of a strategy for me as a, as a manager and I'm part of the executive team. When you're backed, they don't have the money to go after acquisitions. Uh, like that they, you know, they make these smaller investments. 
We're talking about Bravo actually does have the capital to look at other things that can be immediately accretive and add to your value. And that's a, a real part of our strategy now that didn't exist before we were owned by PE. I think they spun out a whole nother, another company out of what your technology say. Correct. Exactly. So one of the unique things about our particular acquisition is Centrify was both a privileged access management and an identity as a service, an IDaaS, company, and they looked at what we were doing and they said, geez, you're really selling to two different markets and it's two different sales cycles and two different business models. >>We could actually create more value if we split these up and each of you focused on your individual markets. And so that there's a, there's an MQ and a market segment and a wave for IDaaS and there's an MQ and a wave, you know, et cetera for PAM. But there's not anything that does both. And that's what Centrify was. So they actually, we, we completely divested of our IDaaS capabilities, spun off in an entirely separate company called Idaptive. And so over the last year, that's was a lot of the work that was going on. It was, was splitting this company, uh, uh, into two. But it really provided us a much more focus to go after the market that we were going after. Well, they wouldn't come in if they didn't see some opportunity to, uh, to pull some more value out that wasn't really being unlocked. Absolutely. Right. Andy, well, thanks for taking a few minutes and uh, and great to catch up and best to you for the rest of the show. Awesome. Thanks a lot, Jeff. He's Andy. I'm Jeff. You're watching theCUBE. We're at the RSA show in San Francisco. Thanks for watching. We'll see you next time.

Published Date : Feb 28 2020


Bill Mann, Centrify | RSA North America 2018


 

>> Narrator: From downtown San Francisco it's TheCUBE covering RSA North America 2018. >> Hey, welcome back everybody. Jeff Frick from TheCUBE. We're on the floor at the RSA Conference 2018. 40,000 plus people packed in Moscone North, South, West, and we're excited to be here. It's a crazy conference, security's top of mind obviously and everybody is aware of this. And our next guest, he's Bill Mann, chief product officer from Centrify. Bill, great to see you. >> Great to see you. >> So you guys have a lot of stuff going on but what I think what's interesting to me is you guys have this kind of no trust as your starting foundation. Don't trust anybody, anything, any device. How do you work from there? Why is that the strategy? >> Well that strategy is because we've got a really new environment now. A new environment where we have to appreciate that the bad actors are already within our environment. And if you stop believing that bad actors are already in your environment, you have to start changing the way you think about security. So it's a really different way of thinking about security. So what we call this new way of thinking about security is zero trust security. And you might have heard this from Google with BeyondCorp and so forth. And with that as the overarching kind of way we are thinking about security, we're focusing on something called NextGenAccess. So how do you give people access to applications and services where they're remote. They're not on the network and they're not behind a firewall because who cares about the firewall anymore because it's not secure. >> Right. So there's four tenets of NextGenAccess. One is verify the user, verify the device that they are coming from so they're not coming from a compromised device. Then give them limited access to what they are trying to access or what we call Limit Privilege and Access. 
And that last one is learn and adapt which is this kind of pragmatic viewpoint which is we're never going to get security right day one, right? To learn and adapt and what we're doing look at auto tune logs and session logs to change your policy and adapt to get a better environment. >> So are you doing that every time they access the system? As they go from app to app? I mean how granular is it? Where you're consistently checking all these factors? >> We're always checking the end factor and where we use an actual machine learning to check what's happening in the environment and that machine learning is able to give that user a better experience when they are logging in. Let's say Bill's logging into Salesforce.com from the same location, from the same laptop all the time. Let's not get in the way right? But if Bill the IT worker is going from a different location and logging into a different server that's prompting for another factor of authentication because you want to make sure that this is really Bill. Because fundamentally you don't trust anybody in the network. >> And that's really what you guys call this NextGenAccess, right? >> Bill: That's right, that's right, that's right. >> It's not just I got a VPN. You trust my VPN. I got my machine. Those days are long gone. >> Well VPNs, no no to VPNs as well, right? We do not trust VPNs either. >> So a big topic ever since the election, right, has been people kind of infiltrating the election. Influencing you know how people think. And you guys are trying to do some proactive stuff even out here today for the 2018 election to try to minimize that. Tell us a little bit more about it. >> Yeah we call it Secure The Vote. And if the audience has looked at the recent 60 Minutes episode that came on. That did a really good that walked everybody through what was really happening with the elections. 
The way you know the Russians really got onto the servers that are storing our databases for the registration systems and changed data and created chaos in the environment. But the fundamental problem was compromised credentials. I mean 80% of all breaches believe it or not have to do with compromised credentials. They are not around all the things we think are the problem. So what we're doing here with Secure The Vote is giving our technology to state and local governments for eight months for free. And essentially they can then upgrade their systems, right? So they can secure the vote. So fundamentally securing who has access to what and why and when. And if you look at the people who are working on election boards, they're volunteers, there are a lot of temporary staff and so forth. >> Right, right. >> So you can imagine how the bad guys get into the environment. Now we've got a lot of experience on this. We sell to state and local governments. We've seen our technology being used in this kind of environment. So we're really making sure that we can do our part in terms of securing the election by providing our technology for free for eight months so election boards can use our technology and secure the vote. >> So how hard is it though for them to put it in for temporary kind of situation like that? You made it pretty easy for them to put it in if they are not an existing customer? >> Absolutely I mean one of the things, one of the fallacies around this whole NextGenAccess space is the fact that it's complicated. It's all SaaS-based, it's easy to use, and it's all in bite-sized chunks, right? So some customers can focus on the MFA aspects, right? Some customers can focus on making sure the privileged users who have access to the databases, right, are limiting their access right? So there's aspects of this that you can implement based upon where you want to be able to, what problem you want to be able to solve. 
We do provide a very pragmatic best practices way of implementing zero trust. So we are really providing that zero trust platform for the election boards. >> Jeff: Alright well that's great work Bill and certainly appreciated by everybody. We don't want crazy stuff going on in the elections. >> Absolutely. >> Jeff: So we'll have to leave it there. We'll catch up back in the office. It's a little chaotic here so thanks for taking a few minutes. >> Thank you very much. >> Alright, he's Bill Mann and I'm Jeff Frick. You're watching TheCUBE from RSA 2018. Thanks for watching. (bright music)

Published Date : Apr 18 2018


Bill Mann, Centrify | AWS re:Invent


 

>> Announcer: Live from Las Vegas, it's theCUBE covering AWS re:Invent 2017. Presented by AWS, Intel, and our ecosystem of partners. (techno music) >> Welcome back here on theCUBE, of course, the flagship broadcast for SiliconANGLE, along with Justin Warren, I am John Walls, and we are live at re:Invent, AWS' annual shin-dig here in Las Vegas, and certainly with great success, they have staged this year's event. We'll have more on that a little bit later on, right now we're joined by Bill Mann, who's the Chief Product Officer at Centrify, the latest newcomer to the AWS marketplace. >> Yes. >> John: Bill good to see you, thanks for the time today. >> Thanks for the time as well. >> Big week for you, right? >> Yup >> Joining the marketplace, tell us about the driver of that decision, and then what you're bringing, literally, to the marketplace? >> Sure, sure. Well, we're bringing our products to the marketplace. We're very excited about getting our products on the marketplace, and what was really the driver for us was, we wanted to really be part of the Amazon ecosystem, and we wanted to make, reduce the friction of selling to enterprise and mid-market customers, and this was the way to get to those customers. We realized really early on that, customers are already buying all the other services from Amazon already. They're buying their instances. They're buying their storage, and so forth. So, getting our products on the marketplace was just an important aspect of reaching those customers and removing the friction, and so forth. Also, with the move to the cloud, our customers were asking for how to secure servers in the cloud, and secure access to applications in the cloud, and then things just kind of lead, one thing leads to another, where you say, okay, let's put everything in one place as well. I kind of used the analogy of we buy our diapers from Amazon, now, and everything else, so, but the IT shop is working the same way. 
They don't want to deal with multiple vendors, and if you can reduce that friction, at least, my theory is, reducing that friction will mean, we can sell more product to the customer. >> That's an interesting image, diapers from... (laughter) >> It's the everything store. >> I didn't give a chance to talk about Centrify, a little bit. Security firm with the tag "The breach stops here", so, just tell for those at home who might not be familiar with Centrify, a little bit more about your specific offers. >> Sure, well, let's start with the breach stops here, the reason we have our tagline, "the breach stops here" is, it really is a definition of what's happening in the marketplace. If you look at most of the breaches out there, there's 80% of most breaches are to do with compromised credentials, our passwords, and that is really an area that we focus on. We are really trying to solve the problem, how users have access to the applications, like Sales Force, or any home grown applications, or how IT users have access to their servers, like a server on AWS, and using a password, and having too much privileges, is really the wrong way to do things, so we are solving that problem, and that's why we kinda start off with that line of the breach stops here, because we fundamentally believe that if you implement security based upon identity you're gonna be able to reduce your risk. >> Security is such a hot market right at the moment. We're hearing constantly, we were talking earlier on theCUBE, where we're talking IOT, and it immediately went to security. It was being really, really top of mind for people, so the things that you're doing with Centrify, there's kind of two prongs to it, if I understand it. So, one is identity management. So, knowing who people are. So that credentials management. And the other one's to do with the access, is that right? 
We were talking before we went to air that, about the Beyond Corp concept, where instead of having this, sort of inside protected crunchy layer, and then everything outside is bad, now it's just becoming everything everywhere should not be trusted, unless you are cleared by something like Centrify. >> So, yes, so, for those of you who are familiar with the Beyond Corp model, the model really is about zero trust. So, if you think of these two things here in our user, let's say a server instance, the thing in between you can't trust, and in the past we've been trusting the firewall to stop the bad guys from coming into our network. So really the concept is around, assume the bad actors are everywhere, and now that you've assumed that, let's now focus on what you can do to actually gain security. So the concepts are, let's do identity assurance. Let's make sure this is really Bill. Let's do, let's make sure Bill's coming from a trusted device, yeah, like a known mobile phone that hasn't been jailbroken, has the right configuration policies, et cetera. Then, let's do access control, or what we call, least privilege, to the asset that they're trying to have access to. So, is Bill coming from this show, from his phone, allowed to access SalesForce.com? Or is Bill coming from this phone able to login to a Unix instance on AWS, now? And what can he do on that instance? Can he go to root, and restart the Oracle database, or can he just run some lower level privilege commands? So, that's the scope of what we're doing. In fact, Beyond Corp is a great descriptor of what we do, if a company wants to implement Beyond Corp, that security paradigm, which I think a lot of modern companies are thinking that way, you can use the services that we provide on the Amazon Marketplace to implement that. We have a service called Application Service, which is all about securing your applications. 
We have a service called Endpoints Service, which is securing the endpoints, like the mobile phones and so forth, and we have a service called Infrastructure Service, which is securing instances in the cloud. Access to those instances, and those, all those services can be used together, as well, because, as you know I'm an IT user. One day, I'm using Outlook to read my email, and in the next second I'm logging onto a Unix instance. So, for me, it's bringing all these components together, and that's providing throughout by the marketplace. >> Yeah, and really, providing that security in context, as you mentioned. It could be the same person. Like, I'm at work, and I'm doing some things, and I've got access to all these great, all of this information inside the company, but when I go home, should I still have access to that? Probably not. So, if I'm sitting home and I'm using my device, as many of us do, I have children, and they sometimes put games on your phone, or load stuff on your computer. So, if I've got my work computer at home with me, and I suddenly start deciding, hmm I think I'll login and download all of the sales information, that shouldn't happen. >> That's absolutely right. So, the context is that core part of it, and that's what endpoint services does for us. So going back to an Amazon use case, if I'm at home, and I'm logging on to my Amazon console, yeah? From my home machine, let's say, and I'm kicking off an instance, should I be able to do that? I'm not using, maybe an endpoint that is authorized, but I could authorize an endpoint and say, this is a known endpoint, like a lot of IT workers do. And you could also do things like, I'm in Vegas now, and I'm using my Mac, and I'm trying to go to the Amazon console, should I be able to, because that's outside of my normal behavior, in which case, we would up-level your multi-factor authentication, it would re-prompt me to re-authenticate. So, all of that is built into our environment. 
So, our services are not just for Amazon. It's for on-premises, and for cloud apps, cause it's the whole gamut of what an enterprise has. As companies are moving, or migrating from on premises to the cloud, we can protect the applications, and servers on premises, as well as servers in cloud, and applications on premises, as well as SAAS apps, like Sales Force, or Concur, et cetera, et cetera. So, it's that gamut of giving a user access to applications and infrastructure that we're doing with this Beyond Corp model in mind. Which is, I think the cool, and the interesting thing about what we're doing, because we are connecting these components together, and that's the only way we're going to raise security, cause if you go back to the stat I gave you earlier about the 80%, that is the problem, right? A firewall will not protect you from these breaches, and we could have an argument about it, but if it was, then we wouldn't see the breaches, right? That's kind of the high-level. >> John: Yeah >> There's only so much that you as, like Amazon can do so much about securing their environment, but ultimately you as the customer need to spend a bunch of time, and -- >> Just like they did, share responsibility, right? >> Absolutely right. I mean, Amazon does an awesome job in defining the shared responsibility model, and we are relying on them to do their part of the responsibility, and we're providing the technology for the customers to worry about their aspect, right? So, Amazon does not worry about Bill coming from this device, having access to an instance, we're worrying about those things. So, absolutely, we're part of the shared responsibility model for Amazon. >> We're not going to worry about Bill coming in either. I think you're okay. I think it'll be alright. How do you guys, in the big picture, put on your bad guy hat? How do you look for, if you offer a product, this is our latest security offering, now let's go look for holes? 
Now let's, I mean, you're trying to beat it up all the time, right? You're always, you're looking for vulnerabilities? So, how do you switch gears like that, and go to the other side of the fence to think about what the next problem is going to be, or what the next vulnerability is going to be? >> Well, you know, I think we, like most other security, modern security companies, we are thinking, one side of our brain is thinking like the bad guys all the time. We have to, and, and honestly, they are always multiple steps ahead of us, and one of the things I like to really make sure customers understand is, some customers get really wound up about zero risk, right? They want it to be perfect before they implement a solution, and really the reality is, most companies don't even have multi-factor authentication implemented for all of their employees, and if companies just implemented multi-factor authentication for all their users, for all their access, you would have a significant reduction in risk. So, the types of security we're focused on, is not about reducing risk to zero, or finding every single vulnerability out there. It's really trying to attack the problem that hasn't been attacked already. Let me give you another analogy. As we all know patching is a basic security model that we all need to know. Yeah, but how many vulnerabilities have there been in the news where patching was not done? We're like patching. You know, understanding the user is authenticating an environment without a password, and instead using multi-factor authentication, is the best precaution against the bad guys. It won't eliminate risk, right, but it's going to drastically reduce it. Now, as part of the services we're offering on Amazon, we have multi-factor authentication as a service, right? By definition, as it's a service means it can be implemented extremely fast for enterprise. It's a SAAS Service, right? It's pay by use, right? By definition. 
So, gone are the days where the technology was the reason you couldn't implement these sets of capabilities, cause they're easy to procure, they're in the cloud, they're mobile friendly, they're modern, et cetera, et cetera. So that's how we really deal with the aspect of the bad guys, right? They're going to be there all the time, but honestly speaking companies have spent so much time, and energy, and dollars on the wrong security products, right? Or focusing on the wrong stuff, and it was fine when you had a legacy, closed environment with no cloud, and no SAAS, but that's not the environment anybody lives in, especially a show like this. Everybody's using the cloud, it's like, the obvious thing, right? So, it should be obvious that these kind of controls need to be implemented. >> I agree. Just do the simple things. If you can do one or two simple things, multi-factor, absolutely. Just do these basic things. You will eliminate 80% of your risk. Do that first, then worry about the esoteric problems that are going to cost millions and millions of dollars to solve, just, you know, brush your teeth. Go for a walk. (John laughing) >> We define a maturity model of going towards Beyond Corp's slash zero trust, and the first thing on that maturity chart is identity assurance, i.e. multifactor authentication, and that's the first thing that organizations need to implement, and the issue is companies haven't implemented these products in the past, because they've been too expensive on-premise, hard to implement, not mobile friendly. So we're hoping once we're on Amazon's marketplace with the reach we've got with Amazon, we're going to see a lot of customers adopting those. So, it's good for us as a business, but ultimately it's good for enterprises. They're going to get safer, and our data is gonna be safeguarded, and so forth, which is the primary responsibility. >> I'm not sure. I think Justin just told you to take some time off. (laughing) I'm not sure. 
Bill, thanks for being with us. >> Bill: Thank you very much. >> Thanks for the time, and congratulations on joining the marketplace, and we wish you continued success at Centrify. >> Cheers. Thank you. >> Thank you, sir. Bill Mann, Chief Product Officer at Centrify. Back with more here, Live at AWS. We're at re:Invent. Live at Las Vegas. Back with more on theCUBE, just in a bit. (techno music)

Published Date : Dec 1 2017


Tom Kemp, Centrify | AWS re:Invent


 

>> Narrator: Live from Las Vegas, it's theCUBE. Covering AWS reInvent 2017, presented by AWS, Intel, and our ecosystem of partners. >> Okay, welcome back everyone, this is theCUBE's exclusive coverage, live, in Las Vegas, 45,000 people here on the ground, for Amazon Web Services reInvent 2017. Their annual conference. Our fifth year doing it, I got two sets, two cubes, a lot of action. Day two of three days of wall to wall coverage. My next guest, Tom Kemp, CEO, of Centrify, security company out of California in Silicon Valley, leader in identity based security in the cloud, on-prem, big business growing, fast growing startup in the area. Good to see you. >> Yeah it's great to be here again. >> Security has been Amazon's kryptonite for many years. They've done their work, they're paying their dues, they're checking the boxes. Certainly we see that on the federal side, public sector. Great success, Teresa Carlson, has done an amazing job. It's been fun to watch her go from an outcast to, in the marketplace, "Ah, we don't trust the cloud", to winning. They've done the work. Security, you've gotta do the work. >> Yeah, I mean, they've done a great job of evangelizing the shared responsibility model where they clearly identify, "Hey, this is what we do", and then, "This is what the customer needs to do." So it's actually a very nice model that they offer that vendors such as us can slot into. >> And they move so fast but again, security is one of those things, you can't fake it til you make it. Right? (Tom laughs) You can't make it til you make it. Which means, it's hard. What are you guys doing with Amazon now? What's your story here for Centrify? >> Yeah, we're doing a couple of things. So the first thing is that we do privilege management. I mean the reality is is that the keys to the kingdom are in the AWS console in terms of the billing systems, firing up servers, shutting down servers et cetera. 
A lot of the more recent hacks have been because people have gotten the access to those keys of those systems as well. So we help lockdown the AWS environment and then we also help lockdown the actual servers being deployed on EC2. We provide multifactor authentication et cetera. The other thing that we do is and what we announced just the other day is we've actually moved our platform over to AWS. So before we ran on at Azure, can I say that at this, ah? >> John: That's fine. >> It's okay, yeah, just joking. >> All fair in love and sharing the cloud. >> So now we have a production cloud on AWS and we've also integrated in the marketplace. So there's SaaS billing that people can get as well, which actually is a very unique thing that AWS offers that the other cloud providers don't do. >> Alright, so I gotta ask you, obviously, to me, super exciting show because some of the announcements are really kind of cool and sexy, and some are under the hood geeky, like Lambda. And then you got the cool AI stuff happening, whether it's VR, AR, or recognition, all these cool machine learning, democratized toolkits. So does this help you? I mean Lambda serverless is a dream for a developer. Just, "Oh my God, I don't have to worry about anything. "What's a local host? "I don't need to know what a load balancer is." Does that help you guys or not? >> Yeah it does, I mean the reality is is that the amount of servers and applications, be it server or server-less, the amount of applications, the users that are connecting to it, it just adds more to the potential complexity. And we can, through the power of identity, provide a control plane to give people identity driven security and really allow people to move-- >> But it doesn't replace us. My point is, I guess, if you're locking down servers, this is a value right? >> Yeah. >> EC2 instances. But if the developers aren't using EC2 instances 'cause it's server-less. Are you guys transparent, are you abstracted away? 
>> So we also then, then integrate into the application and then help facilitate security for the actual users themselves. But look the reality of the situation is is that people are always gonna have a hybrid environment. They still have on-premises, which users have to access that environment. They're gonna have the cloud environment. And it's gonna be heterogenous. So AWS is a clear leader in the cloud but you're also gonna have Azure, Google, and then the SaaS applications as well, which are gonna be used in conjunction with the custom applications people are building. So the one constant-- >> I've been saying, I've been saying this for years, the specialty cloud is a big market. Oracle's a specialty cloud, Microsoft's a specialty cloud, 'cause they have apps for them. They can be different clouds. Multi-cloud is what's coming, would you agree? >> Yeah, and the reality is as companies go through digital transformation they're gonna open up more and more of their applications to more and more users. They're gonna be more and more devices, and that's just gonna lead to identity sprawl, more and more passwords that people have to deal with as well. And that's why in a world in which-- >> How bad is that problem? 'Cause that's a huge problem, at least in my mind. Identity sprawl, explain what that is and how bad is it? And what are the consequences if it's not fixed? >> Well look the reality is 80% of breaches nowadays involve compromised credentials. I mean we had the whole election, Podesta, the DNC, the recent hack of HBO, you had Sony. It always tied into people stealing credentials and people having too many credentials, sharing credentials, et cetera. So the problem that we face as consumers in terms of having too many user names and passwords has now entered into the actual enterprise and we're now in a situation that, yeah, there's an app for that but that means that there's a password for that. 
So IT is having a hard time controlling who can access what while end users are just dealing with too many user names and passwords as well. So you have identity sprawl, it's difficult to provision access. And then now you have IoT coming onboard and those devices need an identity unto themselves. And probably the thing that excites me most about some of today's announcements is what AWS is doing with IoT. Some pretty cool stuff. >> I mean I think IoT is the trend, AI and IoT, because, to me the data center, and this might be a little bit over the top, but I'll say it anyway. I think private cloud is real, the way Wikibon talks about it but it's still cloud and the cloud looks at these endpoints as edge devices. So a data center is just an IoT device, a big one. >> Yeah. >> Or, a series of devices connected to the network which connect to the cloud. I mean if it's operating as a cloud what's the difference? Private and public. >> Yeah, no, I, I, I-- >> IoT has gotta be connected. That's where identity could be helpful. >> Identity, I mean, 'cause look, every device has an identity beyond just an IP address. I mean some of the attacks have even taken over IoT devices and then pointed them against websites and brought those websites down as well. So users have multiple identities. Devices have identities unto themselves so you've got this kinda n-by-m, you know, situation where you multiply the number of users times the number of devices, and we're told digital transformation, more and more users are coming online connecting to applications. So I think that's a, it's just a great market to be in. >> Tom, great to have you on theCUBE, congratulations on your business growth. What's your secret sauce? We'll end this segment by you just taking a minute to describe to the folks watching why are you doing so good, what's your secret sauce, what are the tailwinds for you, why the success? >> Well the tailwinds are, first of all, identity has become the top attack vector. 
It's now involved, compromised credentials stolen at NEs is now involved in over 80% of all breaches. And the other tailwind is the whole move to the cloud that just says, introduces password sprawl. And we're very unique in the market in that we can secure both end users and their identities but we can also secure the privileged accounts that are built into the infrastructures of service. The AWS, EC2, IAM-- >> John: The critical resources. >> Yeah, and we do this in a hybrid environment. So, yes, people are aggressively moving to the cloud but you know and I know that still, what, 70, 80% of IT is still on-prem, and it's gonna be a mixed hybrid environment. And we offer both software and cloud services to secure both end users as well as privileged accounts in that environment. >> Alright, the bottom line, the AWS cloud phenomenon. Describe it in a sentence. >> In a sentence? Oh, it's just, the complete consolidation of all IT in a single platform. I mean, it's amazing that every year they announce another couple a hundred new brand new services as well. So it's just like a phenomena that I've never seen before in terms of a vendor aggressively able to come out with new capabilities and deliver more and more features. >> Cloud as an operating system that's what I always say. And I can see it coming together, and they're staying on their track. I gotta give Andy Jassy credit, even though I busted his chops by putting the Gartner slide on there, because that's old guard technically, doesn't match his presentation, so he's gotta fix that. They stay on their line, they're not wavering. They are mission focused. Changing the game, adding value for customers. >> And they're thinking about new app scenarios and I think it was brilliant that, take IoT, there's so many different flavors of operating systems for IoT. They're saying, "Hey, we're gonna come out "with a standard operating system "that you can leverage. 
"And we're gonna provide device management, "and we're gonna tie it back into the platform." So they're gonna capture the, they're trying to capture the edge. And the good news is stuff like that does provide opportunities for vendors such as Centrify. >> And they surround themselves with a great ecosystem. You guys are doing great in there. I know you're growing but you're soon to be bigger. But Intel, they're doing great with Intel. Intel gets a lift off this, more compute, everywhere. >> Absolutely. >> So even if they, they kind of have to split some of the business, whatever they do, who knows what happens there but Intel wins with this scenario. Amazon's not trying to eat the whole pie, they're sharing. They're sharing the wealth. And they do it, in the case of security again I go back to their shared responsibility model. It provides a great framework where it makes it very easy for vendors such as ourselves to say, "We play here, here, and here." So it makes it great to partner with and the ability for them to actually have SaaS based applications in their marketplace as well. And that's powerful, and no other of the cloud guys have a similar concept. Yeah, you could put AMIs on infrastructure as a service but to actually have a cloud based service tied into the billing system of AWS is incredibly powerful. We're very excited about being a part of that. >> And we will keep an eye on them on the open source side, certainly that's an area we're watching very carefully. Hey the developers love Amazon and that's a good thing. Now the enterprise love Amazon, public sector loves Amazon. Who doesn't love Amazon Web Services? We'll be following that very closely over the course of the next few months and next year, 2018. Of course live here in here in Las Vegas is AWS reInvent 2017. Back with more coverage after this short break. (upbeat electronic music)

Published Date : Nov 30 2017


Tom Kemp, Centrify | CyberConnect 2017


 

>> Announcer: Live from New York City, it's theCube covering Cyber Connect 2017. Brought to you by Centrify and The Institute for Critical Infrastructure Technology. >> Okay, welcome back everyone, this is a live Cube coverage here in New York City at the Grand Hyatt Ballroom. I'm John Furrier with my co-host Dave Vellante. This is Cyber Connect 2017, the inaugural conference of a new kind of conference bringing industry and government and practitioners together to solve the crisis of this generation, according to Keith Alexander, who was on stage earlier. Our next guest is the CEO of the company that's under running this event, Tom Kemp, co-founder and CEO of Centrify. Congratulations, Tom, we met, we saw you last week, came in the studio in Palo Alto. Day one was coming to a close. Great day. >> Yeah, it's been amazing, we've had over 500 people here. We've been webcasting this, we have 1,000 people. And, of course, we've got your audience as well. So, clearly, over 2,000 people participating in this event, so we're really pleased with the first day turn-out. >> So, I would say this is, like, a new kind of event, a little bit different than most events in the business. Response has been very well received, sold out, packed house, I couldn't get a chair, strolled in, not late, but, I mean, you know, towards the end of your Keynote. This is the dynamic, there's demand for this. Why is this so popular? You guys had a good hunch here, what's been the feedback? >> Well, the feedback's been great, first of all. But, the reality is, is that, organizations are spending 10% more per year on security but the reality is the breaches are growing 40 to 70% per year. So, no matter how much money they're throwing at it, the problem's getting worse, and so people are, for the most part, kind of throwing up their hands and saying, how can we re-think security as well? So, I think there's just a complete hunger to hear best practices from some of the top CSO's. 
You know we had US bank CSO, we had Aetna, Blue Cross Blue Shield, etcetera. What are these guys doing to keep their data secure and make sure that they don't make headlines? >> So, I want to ask you a question on the business front, obviously we saw last week, Alphabet, AKA Google, Twitter and Facebook in front of the Senate committee, around this influence thing going on with the media, still an exploit, but a little bit different than payload based stuff we're normally seeing with security hacks, still relevant, causes some problems, you guys have been very successful in Washington. I'm not saying you're lobbying, but as a start up, you ingratiated yourself into the community there, took a different approach. A lot of people are saying that the tech companies could do a better job in D.C., and a lot of the times Google and these treasure troves of data, they're trying to figure it out. You took a different approach and the feedback we heard on theCube is working. You guys are well received in there, obviously the product, good timing to have an identity solution, and zero trust philosophy you have. Well, you did something different. What was the strategy? Why so much success in D.C. for Centrify? >> Well, we actually partnered with the IT folks and the security people. I mean, we actually spent a lot of time on site, talking with them, and actually, we built a lot of capabilities for what the government was looking to address from an identity access security perspective. That's just the reality of the situation. And so, we took a long haul view, we've done very great in the, two of our largest customers are intelligence agencies, but we actually have over 20% of our sales that goes to the federal government, state and local as well. So, you really can't just go in there, spend a lot of money, do a lot of hype. You actually have to roll up your sleeves and help them solve the mission. 
They call it the mission, right, they have mission, and you got to be focused on how you can address them and work with the technologists out there to make sure, so it was just, really just blocking and tackling the ground game, >> So common sense sounds like, just do the work. >> Yeah, do the work, really listen. And think about it as a multi-year investment, right? I mean, in a lot of startups, they just, like, oh, can't get the sale, move on, right. But you actually have to realize, especially in security, that most tech companies that have a big security presence, they should get 15-20% of their business from the US government. >> That's a big bet for you guys, were you nervous at first? I mean, obviously, you have confidence now looking back, I mean, it must've been pretty nerve wracking because it's a big bet. >> It's a big bet because you also have to meet certain government standards and requirements. You got to get FIPS certification, you got to get Common Criteria, in the cloud, you got to get FedRAMP, and that means you also have to have customers in the federal government approve you and bring you in and then you have to go through the lengthy audit process. And we're actually about to get our FedRAMP certification, just passed the audit and that's going to be coming up pretty soon as well. So, yeah, to go get Common Criteria, to get FedRAMP, you have to spend a million dollars for those types of certifications. At the same time, working with the large federal agencies. >> So Tom, you gave us the numbers, 10% more spending every year on security but breaches are up 40 to 70%, you said in your talk that's two trillion dollars in lost dollars, productivity, IP, etcetera, so obviously it's not working, you've mentioned a number of folks in here talking today. What's their mindset? Is their mindset this is a do-over? Or, is it, just we got to do a better job? >> I think we're getting to the point where it's going to be a do-over. 
And I think, first of all, people realize that the legacy technology that they have has historically focused on premises. But, the world's rapidly moving to the cloud, right? And so, you need to have cloud-based scale, a cloud-based architecture, to deliver security nowadays because the perimeter is completely going away. That's the first thing. And, I think there's also realization that there needs to be Big Data machine learning applied to this. And you guys talk about this all the time, the whole rise of Big Data. But, security is probably the best vertical. >> Data application. >> Exactly, it's probably the best vertical, because you need real-time instantaneous should I let this person come into the system or not, right? Or, over time, is this, does this represent malicious activity as well? So, I think people are realizing that what they've been doing's not working, they realize they're moving to the cloud, they need to adopt cloud, to, not only secure cloud, but have their technology be based in the cloud and they need to apply machine learning to the problem as well. >> So, in your talk, you talked about a paradigm shift, which I inferred as a mindset shift in how security practices in technologies should be applied, you got a lot of content in there. But could you summarize for our audience sort of the fundamentals? >> Well, the first fundamental is, is that the attack vector is completely changed, right? Before, it was all about vulnerabilities that someone hadn't patched this latest version of Windows, etcetera. Those problems are really solved, for the most part. I mean, occasionally it kind of pops in now and then, but for the most part, enterprises and governments are good about patching systems etcetera. You don't hear about SQL injections anymore. So, a lot of those problems have been resolved. 
But, where the attackers are going, they're going after the actual users, and so, I know you had the Verizon folks here on theCube, and if you look at the latest Verizon data breach report, eight out of 10 breaches involve stolen and compromised credentials, right? And that has grown over the last few years from 50% to 60% now to over 80%. Look at the election, right? You talk about all this Twitter stuff and Facebook and all that stuff, it's John Podesta's emails getting stolen, it's the Democrats' emails getting stolen, and you know, now that people have the Equifax data, they've got even more information to help figure out-- >> Social engineering is a big theme here. >> Absolutely. >> They have this data out on the dark web, these methodologies and there's also, you know, we talked with the critical interset guys that you're partnering with about all the terrorism activity, so, there's influence campaigns going on that are influencing through social engineering, but that data's being cross connected for, you know, radicalizing people to kill people in the United States. >> Well, there's that. And then there's nation states, there's insiders. So, the reality is, is that, it turns out from a security perspective, that we, the humans, we're the weakest link in this. And so, yes, there needs to be process, there needs to be technology, there needs to be education here as well. But the reality is that the vast majority of spend on security is for the old stuff, it's like we're trying to fight a land war in Asia, and that's how we're investing, we're still investing in M1 tanks in security, but the reality is that 80% of the breaches are occurring because they're attacking the individuals. They're either fooling them, or stealing it by some means or mechanisms, and so the attack vector is now the user. And that's this, and people are probably spending less than 10% securing the users, but it represents 80% of the actual attack vector. 
>> Talk about the general, you've had some one-on-one times with him, he's giving a keynote here, gave a keynote this morning, very inspiring. I mean, I basically heard him pounding on the table, "we don't fix this mess, You know, we're going to be in trouble, it's going to be worse than it is!" Think differently, almost re-imagining, his vibe was almost about let's re-imagine, let's partner, let's be a community. What else can you share with your interaction with him? I know he's very rare to get to speak, but you know, running the cyber command for the NSA, great on offense, we need work on defense. What have you learned from him that industry could take away? >> Yeah, I think you hit it, which is, and I didn't realize that there's a bigger opportunity here, which is, is that in real time, there needs to be more sharing among like constituents. For example, in the energy industry, these organizations, they need to come together and they need to share, not only in terms of round tables, but they actually need to share data. And it probably needs to happen in the cloud, where there's the threats, the attacks that are happening in real time, need to be shared with their peers in the industry as well. And so, and I think government needs to also play a part in that as well. Because each of us, we're trying to fight the Russians, right? And the Chinese and the North Koreans, etcetera and an enterprise just can't deal with that alone and so they need to band together, share information, not only from an educational, like we have today, but actually real time information. And then again, leverage that machine learning. That artificial intelligence to say, "wait a minute, we've detected this of our peers and so we should apply some preventative controls to stop it." >> And tech is at the center of the government transformation more than ever. 
And again, Twitter, Facebook, and Alphabet in front of the Senate, watching them, watching the senators kind of fumbling with the marbles. You know, hey, what's Facebook again? I mean, the magnitude of the data and the impact of these new technologies and with Centrify, the collision between government and industry is happening very rapidly. So, the question is that, you know, how will you guys, seeing this going forward, is it going to be, you know, the partnership as they come together fast or will more mandates come and regulations, which could stifle innovations, so, there's this dimension going on now where I see the formation of either faster partnership with industry and government, or, hey industry, if you don't move fast enough poof, more regulations. >> And that's also what the general brought up as well, is that if you guys don't do something on your own, if you don't fix your own problems, right, then the government's going to step in. Actually, that's what's already starting to happen right now, that if Facebook, Twitter, all these other social networks are not going to do something about foreign governments advertising on their platform, they're going to get regulated. So, if they don't start doing something. So, it's better to be in front of these things right here, the reality is that, yes, from a cyber security in terms of protecting users, protecting data, enterprise needs to do more. But, you know what, regulations are starting to already occur, so, there's a major regulation that came out of New York with the financial services that a lot of these financial firms are talking about. And then in Europe, you got GDPR, right? And that goes into effect I think in May of next year. And there's some serious fines. It could be up to four percent of your revenue as well, while, in the past, the kind of, the hand slaps that have happened here, so if you do business in Europe, if you're a financial services firm doing business in New York. 
>> People are going to run from there, Europe. I mean, regulation, I'm not a big fan of more regulation, I like regulation at the right balance, cause innovation's key. What have you heard here from talks? Share, cause we haven't had a chance 'cause we've been broadcasting all day, share some highlights from today's sessions after, you know, Jim from Aetna was on there, which, I'm sure you got a kick out of his history comment, you're a history buff. Weren't you a history major and computer science? >> I was a history major and computer science, you got that right. >> You'd be a great dean of the sciences by today's standards. But I mean, he had a good point. Civilization crumbles when there's no trust. That comment, he made that interesting comment. >> So, it's interesting what Aetna's done, from his presentation, was they've invested heavily in models, they've modeled this. And I think that kind of goes back to the whole Big Data, so I think Aetna is ahead of the game, and it's very impressive what he's put forth as well. And just think about the information that Aetna has about their customers etcetera. That is not something that you want. >> He was also saying that he modeled, you don't model for model's sake because stuff's going on in real time, you know what I'm saying? So, the data lake wasn't the answer. >> Well, he said his mistake was, so they were operationalizing the real time, you know, security Big Data activity, and he didn't realize it, he said that was the real answer, not just, sort of, analyzing the data swamp, so. >> Yeah, absolutely. >> So, that was the epiphany that he realized. You know, that is where the opportunity was. >> John: It was unconventional tactics, too. >> What can businesses expect, Tom? What's the business outcome they can expect if they, sort of, follow the prescription that you talked about and, sort of, understand that humans are the weakest link and take actions to remediate that. What kind of business impact can that have? 
>> Yeah, so, we actually, we spent a lot of time on this and we partnered with Forrester, a well known analyst group, and we did this study with them, and they went out and they interviewed 120 large enterprises. And it was really interesting that one group, group A, was getting breached left and right and group B, about half the number of breaches, right? And we were like, what is group B doing versus group A? And it had to do with implementing a maturity model as it relates to identity which is, first and foremost, implementing identity assurance, getting, reducing the number of logins, delivering single sign-in, multi factor authentication. Which we should all do as consumers as well, turn on that MFA button for Twitter, and your Gmail etcetera. Then, from there, the organizations that were able to limit lateral movement and break down, make sure that people don't have too much access to too many things as well. There was an incident, it was Société Générale that there was a backend IT guy, he became a trader, he started making some losses, and so he tried to, he doubled down, he leveraged the credentials that he had as a former IT person to continue trading even though he kind of turned off all the guardrails right there, and he should have been shut down. When he made that move into that new position, so, there's just too much lateral movement allowed. And then, from there, you got to implement the concept of least privilege and then finally you got to audit, and so if you can follow this maturity model, we have seen that organizations have seen significant reduction in the number of breaches out there as well. So, that was another thing that I talked about at my keynote, that I presented this study that Forrester did by talking to customers and there turned out to be a significant difference between group A and group B in terms of the number of breaches as well. 
And that actually tied very well with what Jim was talking about as well, which was, you know, I call it a maturity model, he called it just models, right, as well. But there is a path forward that you can better be smarter about security. >> But there's a playbook. >> There is a playbook, absolutely. >> And it revolves around not having a lot of moving parts where human error, and this is where passwords and these directories of stuff out there, are silos, is that right? Did I get that right? So you want to go level? >> That's the first step, I mean the first step is that we're drowning in a sea of passwords, right, and we need what's known as identity assurance, we need to reduce the number of passwords. With the fewer passwords we have, we need to better protect it by adding stronger authentication. Multi-factor authentication. The new face ID technology, which I've been hearing good reviews about, coming from Apple as well, I mean, stuff like that, and say, look, before I log into that, yes, I need to do my thumbprint and do the old face ID. >> And multi factor authentication I think is a good point, also known as MFA, that's not two factor, it's more than one, but two seems to be popular cause you get your phone, multi factor could be device, IOT device, card readers, it starts getting down into other mechanisms, is that right? >> Absolutely, it's something you have, and something you know, right? >> Answer five questions. >> Yeah, but at the same time you don't want to make it too, >> Too restrictive. >> Too restrictive, etcetera. But then here's where the machine learning comes in, then you add the word adaptive in front of multi factor authentication. If the access is coming from the corporate network, odds are that means that person was badged, got through. So, maybe you don't ask as much, for much information to actually allow the person on right there. 
But, what if that person was, five minutes ago, was in New York, and now he's trying to access from China? Well wait a minute, right? Or what if it's a device that he or she's never accessed from before as well? So, you need to start using that machine learning and look at what is normal behavior and what deviates from that behavior? And then, factor it into the multi factor authentication. >> Well, we've seen major advancements in the last couple years, even, in fraud detection, you know, real time. And is that seeping into the enterprise? >> Well, it should, that's the ironic thing is, is that with our credit card, I mean, we get blocked all the time, right? >> It is annoying sometimes, but you know at the end of the day you say, good. >> Yeah, thank you for doing that, you know. And so that's, in effect, the multi factor authentication is you calling up the credit card company, ironically my credit card, maybe I shouldn't reveal this, too much information, someone will hack me, but I use US bank, right there, and we had Jason the CSO of US bank right there, but, you know, calling in and actually saying, yes, I'm trying to do this transaction represents another form of authentication. Why aren't we doing similar things for people logging onto mission critical servers or applications? It's just shocking. >> I'm going to ask you a personal question, so, you mentioned history and computer science, a lot of security folks that I talk to, when they were little kids, they used to sort of dream about saving the world. Did you do that? (laughter) >> Well, I definitely want to do something that adds value to society, so, you know, this is not like the Steve Jobs telling Scully, do you want to make sugared water and all that stuff? >> Dave: No, but like, superhero stuff, were you into that as a kid, or? >> D.C. or Marvel? >> Good versus evil? >> Don't answer that question, you like 'em both. 
>> But the nice thing about security is, when you're a security vendor, you're actually, the value that you have is real. It's not like, you know, some app or whatever where you get a bunch of teenagers to waste time and all that stuff. >> John: Serious business. >> Yeah, you're in serious business. You're protecting people, you're protecting individuals, their personal information, you're protecting corporations, their brand, look what happened to Equifax when their, when it was announced, the breach, their stock went down 13, 14%, Chipotle went down by 400 million, their market cap went. I mean, so, nowadays, if you have a, if there's a breach, you got to short that stock. >> Yeah, and security's now part of the product, cause the brand image, not just whatever the value is in the brand, I mean the product, the brand itself is the security. If you're a bank, security is the product. >> Absolutely, if you're known for being breached, who the heck's going to bank with you? >> Whole 'nother strategy there. Okay, final question from me is, this event, what are some of the hallway conversations, what's notable, what can you share for the folks watching? Some of the conversations, the interests, the kind of people here, what was the conversations? >> Yeah, I mean, the conference, we really did a great job working with our partner ICIT of attracting C-level folks, right? So, this was more of a business focus, this was not, you know, people gathered around a laptop and try to hack into the guy sitting right next to them as well. And, so, I think there, what has come out of the conversations is a better awareness of, as I said before, it's like, you know what, we got to completely, we got to like step back, completely rethink what we're trying to do here as well, cause what we're doing now is not working, right? And so I think it's, in effect, we're kind of forcing some soul searching here as well. 
And having others present what's been working for them, what technologies, cloud, machine learning, the zero trust concept, etcetera, where you only, you have to assume that your internal network is just as polluted as the outside. >> I know this might be early, but what's the current takeaway for you as you ruminate here on theCube that you're going to take back to the ranch in Palo Alto and Silicon Valley, what's the takeaway, personally, that you're now going to walk away with? Was there an epiphany, was there a moment of validation, what can you share about what you'll walk away with? >> There's just a hunger. I mean there's just a hunger to know more about the business of security etcetera. I mean, we're just, we were amazed with the turn out here, we're pleased with working with you guys and the level of interest with your viewership, our webcast, I mean, this is, you know, for the first time event to have both in-person and online, well over 2,000 people participating, that says a lot. That there's just this big hunger. So, we're going to work with you guys, we're going to work with ICIT and we're going to figure out how we're going to make this bigger and even better because there is an untapped need for a conference such as this. >> And a whole new generation's coming up through the ranks, our kids and the younger, new millennials, whatever they're called, Z or letters they're called, they're going to end up running the cyber. >> Yeah absolutely, absolutely. So there just needs to be a new way of going about it. >> Tom, congratulations. >> Thank you. >> Great event, you guys got a lot of credibility in D.C., you've earned it, it shows. 
The event, again, good timing lighting the bottle, The CyberConnect inaugural event, Cube exclusive coverage in Manhattan here, live in New York City at the Grand Hyatt Ballroom for the CyberConnect 2017 presented by Centrify, I'm here with the CEO and co-founder of Centrify, Tom Kemp, I'm John Furrier, Dave Vellante, more live coverage after this short break. (modern electronic music)

Published Date : Nov 7 2017


Bill Mann, Centrify | CyberConnect 2017


 

>> Narrator: Live from New York City, it's the CUBE covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Okay welcome back everyone. This is the CUBE's live coverage in New York City exclusively with the CyberConnect 2017, it's an inaugural event presented by Centrify. It's not a Centrify event. Centrify one of the fastest growing security startups in Silicon Valley and around the world. It is underwriting this great event bringing industry, government and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host with Dave Vellante, my co-host, my next guest is Bill Mann who's the Chief Product Officer with Centrify. Welcome back to the CUBE, great to see you. >> Hey, great to be here. >> Thanks and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event, make it about Centrify, it's really an organically driven event with the team of customers you have, and industry consultants and practitioners, really, really great job, congratulations. >> Bill: Thank you. >> Alright so now let's get down to the meat of the conversation here at the show in the hallways is general's conversation, General Alexander talking about his experience at the NSA and the Cyber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise whether it's a slow moving enterprise or a fast moving bank or whatever, the realities are this is the biggest complexity and challenge of our generation. Identity's at the heart of it. You guys were called the foundational element of a new solution that has people coming together in a community model sharing data, talking to each other, why did he call you guys foundational? 
>> I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the keys to getting yourself in a better state of mind and a better security posture. If we look at the kind of the foundational principles of identity, it's really about making sure you know who the people are within your organization, by doing identity assurance so that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle and let's face it, most organizations are now connected to the Cloud, they've got mobile users, they've got outsourced IT so something's got to change, right. I mean the way we've been running security up until now. If it was that great, we wouldn't have had all the threats, right? >> And all kinds of silver bullets have been rolling out, Dave and I were commenting and Dave made a point on our intro today that there's no silver bullet in security, there's a lot of opportunities to solve problems but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from Aetna, the Chief Security Officer and he was kind of making fun with himself by saying I'm not a big computer science, I was a history major and he made a comment about his observation that when civilizations crumble, it's because trust is lost. And kind of inferring that you can always connect the dots that trust is fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure so a holistic view of trust stability and enhancement can work in security. 
What's your reaction to that? >> So it's a complicated area. Trust is complicated let me just kind of baseline that for the moment. I think that we unfortunately, need to have better trust but the way we're approaching trust at the moment is the wrong way so let me give you a simple example. When we go, when we're at home and we're sleeping in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed but reality is the doors and windows can be really easily opened right, so we shouldn't be trusting that environment at all but we do so what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment so the known things in our environment can be people right, the identity of people, can be objects like knowing that this is really Bill's phone, it's a registered phone and it's got a device ID is better than having any phone being used for access so like I said, trust, it's complicated. >> John: But we don't know it has malware on there though. You could have malware. >> You could have malware on there but look, then you've got different levels of trust, right. You've got zero trust when you don't know anything about it. You've got higher levels of trust when you know it's got no malware. >> So known information is critical. 
>> Known information is critical and known information can then be used to make trust decisions but it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be like the home example where you think the doors are closed but it's so easy to break through them, that's when we infer trust so trust is something that we need to build within the environment with information about all the objects in the environment and that's where I think we can start building trust and that's I think how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person right. Yet I'm talking to you, I trust that I'm talking to you, right, so that's where the breakdown happens and once we have that breakdown, society can breakdown as well. >> But going back to your device example so there are situations today. I mean you try to log on to your bank from your mobile device and it says do you want to remember this device, do you want to trust this device? Is that an example of what you're talking about and it might hit me a text with a two factor authentication. >> That's an example, that's absolutely an example of trust and then so there's a model in security called the zero trust model and I spoke about it earlier on today and that model of security is the foundational principles of that is understanding who the user is, understanding what endpoint or device they're coming from and that's exactly what you've described which is understanding the context of that device, the trustworthy of the device, you know the location of that device, the posture of that device. 
All of those things make that device more trustworthy than knowing nothing about that device and those are the kind of fundamental constructs of building trust within the organization now as opposed to what we've got at the moment is we're implying trust without any information about really trust right. I mean most of us use passwords and most of us use password, password so there's no difference between both of you, right and so how can I trust-- >> I've never done that. >> I know but how can we trust each other if we're using you know, data like that to describe ourselves. >> Or using the data in your Linkedin profile that could be socially engineered. >> Bill: Exactly. >> So there's all kinds of ways to crack the passwords so you brought up the trust so this is a, spoofing used to be a common thing but that's been resolved that some, you know same calling some techniques and other things but now when you actually have certificates being compromised, account compromised, that's where you know, you think you know who that person is but that's not who it is so this is a new dynamic and was pointed out in one of the sessions that this account, real compromises of identity is a huge issue. What are you guys doing to solve that problem? Have you solved that problem? >> We're addressing parts of solving that problem and the part of the problem that we're trying to solve is increasing the posture of multi factor authentication of that user so you know more certainty that this is really who that person is. But the fact of the matter is like you said earlier on, trying to reduce the risk down to zero is almost impossible and I think that's what we have to be all clear about in this market, this is not about reducing risk to zero, it's about getting the risk down to something which is acceptable for the type of business you are trying to work on so implementing MFA is a big part of what Centrify advocates within organizations. >> Explain MFA real quick. 
>> Oh, multi factor authentication. >> Okay, got it. >> Something that we're all used to when we're using, doing online banking at the moment but unfortunately most enterprises don't implement MFA for all the use cases that they need to be able to implement before. So I usually describe it as MFA everywhere and the reason I say MFA everywhere, it should be for all users, not a subset of the users. >> Should be all users, yeah. >> And it should be for all the accesses when they're accessing salesforce.com for concur so all the application, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privilege command, you should reauthenticate them as well at different points in time. So implementing MFA like that can reduce the risk within the organization. >> So I buy that 100% and I love that direction, I'd ask you then a hard question. Anyone who's an Apple user these days knows how complicated MFA could be, I get this iCloud verification and it sends me a code to my phone which could be hacked potentially so you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA across workloads so application one through n. >> So let me kind of separate the problems out so we focus on the enterprise use case so what you're describing is more the consumer use case but we have the same problem in the enterprise area as well but at least in the enterprise area I think that we're going to be able to address the problems sooner in the market. >> John: Because you have the identity baseline? >> One, we have the identity and there's less applications that the enterprise is using. >> It's not Apple. >> It's not like endpoints. >> But take Salesforce, that's as much of a pain, right. 
>> But with applications like Salesforce, and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether and a lot of the industry is moving towards using API mechanisms for authentication. Now your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth right so that's going to be tougher to do but you know, we're focused on trying to solve the enterprise problem and even that is being a struggle in the industry. It's only now that you're seeing standards like SAML and OWASP getting implemented whereby we can make assertions about an identity and then an application can then consume that assertion and then move forward. >> Even in those situations if I may Bill, there's take the trust to another level which is there's a trusted third party involved in those situations. It might be Twitter, Linkedin, Facebook or Google, might be my bank, it might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain. >> Oh I actually do. Yeah, no, I do, I think the trusted third party model that we've got is broken fundamentally because if a break in to the bank, that's it, you know the third party trust but I'm a big fan of blockchain mainly because it's going to be a trusted end party right so there's going to be end parties that are vouching for Bill's identity on the blockchain so and it's going to be harder to get to all those end miners and convince them that they need to change their or break into them right. So yeah I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. 
>> I think you're right on the money and what i would add to that is looking at this conference, CyberConnect, one theme that I see coming out of this is I hear the word reimagining the future here, reimagining security, reimagining DNS, reimagining so a lot of the thought leaders that are here are talking about things like okay, here's what we have today. I'm not saying throwing it away but it's going to be completely different in the new world. >> Yeah and I think you know the important thing about the past is got to learn from the past and we got to apply some of the lessons to the future and things are just so different now. We know with microservices versus monolithic application architectures you know security used to be an afterthought before but you know, you talk to the average developer now, they want to add security in their applications, they realize that right so, and that's going to, I mean, maybe I'm being overly positive but I think that's going to take us to a better place. >> I think we're in a time. >> We need to be overly positive Bill. >> You're the chief officer, you have to have a 20 mouth stare and I think you know legacy always has been a thing we've heard in the enterprise but I just saw a quote on Twitter on the internet and it was probably, it's in quotes so it's probably right, it's motivating, a motivating quote. If you want to create the future, you've got to create a better version of the past and they kind of use taxis versus Uber obviously to answer of a shift in user behavior so that's happening in this industry. There's a shift of user experience, user expectations, changing internet infrastructure, you mentioned blockchain, a variety of other things so we're actually in a time where the better mouse trap actually will work. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way by theory if you believe that, legacy shouldn't be a problem. 
>> You know and I certainly believe that. Having a kid who's in middle school at the moment, and the younger generation, to understand security way more than we ever used to and you know, this generation, this coming generation understands the difference between a password and a strong password and mobile be used as a second factor authentication so I think that the whole tide will rise here from a security perspective. I firmly believe that. >> Dave: You are an optimist. >> Well about government 'cause one thing that I liked about the talk here from the general was he was pretty straight talk and one of his points, I'm now generalizing and extrapolating out is that the HR side of government has to change in other words the organizational behavior of how people look at things but also the enterprise, we've heard that a lot in our Cloud coverage. Go back eight years when the Clouderati hit, oh DevOps is great but I can't get it through 'cause I've got to change my behavior of my existing staff. So the culture of the practitioners have to change. >> Bill: Yes, absolutely. >> 'Cause the new generation's coming. >> Oh absolutely, absolutely. I was speaking to a customer this morning who I won't mention and literally they told me that their whole staff has changed and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there and they really wanted to move forward at a pace and they wanted to make changes that their legacy staff just wouldn't let 'em move forward with so basically, all of their staff had been changed and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategies, >> John: Or willingness. >> Or willingness. 
It was held back by people who were just concerned and wanted to stick to the old way of doing things and that has to change as well so I think you know, there's times will change and I think this is one of those times where security is one of those times where you got to push through change otherwise I mean I'm also a believer that security is a competitive advantage for an organization as well and if you stick with the past, you're not going to be able to compete in the future. >> Well, and bad user behavior will always trump good security. It was interesting to hear Jim Routh today talk about unconventional message and I was encouraged, he said, you know spoofing, we got DMARC, look alike domains, we got sink holes, display name deception, we've got, you know we can filter the incoming and then he talked about compromised accounts and he said user education and I went oh, but there's hope as an optimist so you've got technologies on the horizon to deal with that even right so you. >> I'm also concerned that the pace at which the consumer world is moving forward on security, online banking and even with Google and so forth that the new generation will come into the workforce and be just amazed how legacy the environments are right, 'cause the new generation is used to using you know, Google Cloud, Google Mail, Google everything and everything works, it's all integrated already and if they're coming to the workplace and that workplace is still using legacy technologies right, they're not going to be able to hire those people. >> Well I'll give you an example. When I went to college, I was the first generation, computer science major that didn't have to use punch cards and I was blown away like actually people did that like what, who the hell would ever do that? And so you know, I was the younger guy coming up, it was like, I was totally looking down. >> Dave: That's ridiculous. >> I would thank God I don't do that but they loved it 'cause they did it. 
>> I mean I've got the similar story, I was the first generation in the UK. We were the first Mac-Lab in the UK, our university had the first large Mac, Apple Macintosh Lab so when I got into the workplace and somebody put a PC in front of me, I was like hold on, where's the mouse, where's the windows, I couldn't handle it so I realized that right so I think we're at that kind of junction at the moment as well. >> We got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting, I mean you really can't say security is a profit center because you don't sell security products if you're deploying state of the art security practices but certainly it shouldn't be a cost center so we've seen on our CUBE interviews over the past year specifically, the trend amongst CCOs and practitioners is when pressed, they say kind of, I'm again generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and or the highest levels, not like a profit center but in a way, that's the word they use because if we don't do that, our ability to make a profit is there so you've brought up competitive strategy, you have to have a security and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it but the trend was to highlight that they have to break out security as a direct report as if it was a profit center because their job is so critical, they don't want to be caught in an IT blanket. Do you see that trend and your comment and reaction to that statement? >> I see that trend but I see it from a perspective of transparency so I think that taking security out of the large umbrella of IT and given its own kind of foundation, own reporting structure is all about transparency and I think that modern organizations understand now the impact a breach can have to a company. 
>> John: Yeah, puts you out of business. >> Right, it puts you out of business right. You lose customers and so forth so I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization and you know, one of my other comments about it being a competitive advantage, I personally think let's take the banking arena, it's so easy to move from bank A to bank B and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean you know, savings, interest rates going to be one thing and mortgage rates are going to be one thing but if all things are even. >> It's a product feature. >> It's a product feature and I think that again, the newer generation is looking for features like that, because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage but I agree with you, having more visibility for an organization is important. >> You can't make a profit unless the lights are on, the systems are running and if you have a security hack and you're not running, you can't make a profit so it's technically a profit center. Bill I believe you 100% on the competitive strategy. It certainly is going to be table stakes, it's part of the product and part of the organization's brand, everything's at stake. Big crisis, crisis of our generation, cyber security, cyber warfare for the government, for businesses as a buzz thing and business, this is the Centrify presented event underwritten by Centrify here in New York City. CyberConnect 2017, the CUBE's exclusive coverage. More after this short break. (electronic jingle)

Published Date : Nov 6 2017


David McNeely, Centrify | CyberConnect 2017


 

(upbeat music) >> Narrator: Live from New York City It's theCUBE, covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Hey, welcome back everyone. Live here in New York is theCUBE's exclusive coverage of Centrify's CyberConnect 2017, presented by Centrify. It's an industry event that Centrify is underwriting but it's really not a Centrify event, it's really where industry and government are coming together to talk about the best practices of architecture, how to solve the biggest crisis of our generation, and the computer industry that is security. I am John Furrier, with my co-host Dave Vellante. Next guest: David McNeely, who is the vice president of product strategy with Centrify, welcome to theCUBE. >> Great, thank you for having me. >> Thanks for coming on. I'm really impressed by Centrify's approach here. You're underwriting the event but it's not a Centrify commercial. >> Right >> This is about the core issues of the community coming together, and the culture of tech. >> Right. >> You are the product. You got some great props from the general on stage. You guys are foundational. What does that mean, when he said that Centrify could be a foundational element for solving this problem? >> Well, I think a lot of it has to do with if you look at the problems that people are facing, the breaches are misusing computers in order to use your account. If your account is authorized to still gain access to a particular resource, whether that be servers or databases, somehow the software and the systems that we put in place, and even some of the policies need to be retrofitted in order to go back and make sure that it really is a human gaining access to things, and not malware running around the network with compromised credentials. We've been spending a lot more time trying to help customers eliminate the use of passwords and try to move to stronger authentication. 
Most of the regulations now start talking about strong authentication but what does that really mean? It can't just be a one time passcode delivered to your phone. They've figured out ways to break into that. >> Certificates are being hacked and date just came out at SourceStory even before iStekNET's certificate authorities, are being compromised even before the big worm hit in what he calls the Atom Bomb of Malware. But this is the new trend that we are seeing is that the independent credentials of a user is being authentically compromised with the Equifax and all these breaches where all personal information is out there, this is a growth area for the hacks that people are actually getting compromised emails and sending them. How do you know it's not a fake account if you think it's your friend? >> Exactly. >> And that's the growth area, right? >> The biggest problem is trying to make sure that if you do allow someone to use my device here to gain access to my mail account, how do we make it stronger? How do we make sure that it really is David that is logged onto the account? If you think about it, my laptop, my iPad, my phone all authenticate and access the same email account and if that's only protected with a password then how good is that? How hard is it to break passwords? So we are starting to challenge a lot of base assumptions about different ways to do security because if you look at some of the tools that the hackers have their tooling is getting better all the time. >> So when, go ahead, sorry. finish your thoughts. >> Tools like their HashCat can break passwords. Like millions and millions a second. >> You're hacked, and basically out there. >> When you talk about eliminating passwords, you're talking about doing things other than just passwords, or you mean eliminating passwords? >> I mean eliminating passwords. >> So how does that work? 
>> The way that works is you have to have a stronger vetting process around who the person is, and this is actually going to be a challenge as people start looking at How do you vet a person? We ask them a whole bunch of questions: your mother's maiden name, where you've lived, other stuff that Equifax asked-- >> Yeah, yeah, yeah, everybody has. >> We ask you all of that information to find out is it really you?. But really the best way to do it now is going to be go back to government issued IDs because they have a vetting process where they're establishing an identity for you. You've got a driver's license, we all have social security numbers, maybe a passport. That kind of information is really the only way to start making sure it really is me. This is where you start, and the next place is assigning a stronger credential. So there is a way to get a strong credential on to your mobile device. The issuance process itself generates the first key pair inside the device in a protected place, that can't be compromised because it is part of the hardware, part of the chip that runs the processes of the phone and that starts acting as strong as a smart card. In the government they call it derived credentials. It's kind of new technology, NIST has had described documentation on how to make that work for quite some time but actually implementing it and delivering it as a solution that can be used for authentication to other things is kind of new here. >> A big theme of your talk tomorrow is on designing this in, so with all of this infrastructure out there I presume you can't just bolt this stuff on and spread it in a peanut butter spread across, so how do we solve that problem? Is it just going to take time-- >> Well that's actually-- >> New infrastructure? Modernization? >> Dr. Ron Ross is going to be joining me tomorrow and he is from the NIST, and we will be talking with him about some of these security frameworks that they've created. 
There's cyber security framework, there's also other guidance that they've created, the NIST 800-160, that describe how to start building security in from the very start. We actually have to back all the way up to the app developer and the operating system developers and get them to design security into the applications and also into the operating systems in such a way that you can trust the OS. Applications sitting on top of an untrusted operating system is not very good so the applications have to be sitting on top of trusted operating systems. Then we will probably get into a little bit of the newer technology. I am starting to find a lot of our customers that move to cloud based infrastructures, starting to move their applications into containers where there is a container around the application, and actually is not bound so heavily to the OS. I can deploy as many of these app containers as I want and start scaling those out. >> So separate the workload from some of your infrastructure. You're kind of seeing that trend? >> Exactly and that changes a whole lot of the way we look at security. So now your security boundary is not the machine or the computer, it's now the application container. >> You are the product strategist. You have the keys to the kingdom at Centrify, but we also heard today that it's a moving train, this business, it's not like you can lock into someone. Dave calls it the silver bullet and it's hard to get a silver bullet in security. How do you balance the speed of the game, the product strategy, and how do you guys deal with bringing customer solutions to the market that has an architectural scalability to it? Because that's the challenge. I am a slow enterprise, but I want to implement a product, I don't want to be obsolete by the time I roll it out. I need to have a scalable solution that can give me the head room and flexibility. So you're bringing a lot to the table. Explain what's going on in that dynamic. 
>> There's a lot of the, I try as much as possible to adhere to standards before they exist and push and promote those like on the authentication side of things. For the longest time we used LDAP and Kerberos to authenticate computers, to Active Directory. Now almost all of the web app developers are using SAML or OpenID Connect or OAuth 2 as a mechanism for authenticating the applications. Just keeping up with standards like that is one of the best ways. That way the technologies and tools that we deliver just have APIs that the app developers can use and take advantage of. >> So I wanted to follow up on that because I was going to ask you. Isn't there a sort of organizational friction in that you've got companies, if you have to go back to the developers and the guys who are writing code around the OS, there's an incentive from up top to go for fast profits. Get to market as soon as you can. If I understand what you just said, if you are able to use open source standards, things like OAuth, that maybe could accelerate your time to market. Help me square that circle. Is there an inherent conflict between the desire to get short term profits versus designing in good security? >> It does take a little bit of time to design, build, and deliver products, but as we moved to cloud based infrastructure we are able to more rapidly deploy and release features. Part of having a cloud service, we update that every month. Every 30 days we have a new version of that rolling out that's got new capabilities in it. Part of adapting an agile delivery model, but everything we deliver also has an API so when we go back and talk to the customers and the developer at the customer organizations we have a rich set of APIs that the cloud service exposes. 
If they uncover a use case or a situation that requires something new or different that we don't have then that's when I go back to the product managers and engineering teams and talk about adding that new capability into the cloud service, which we can expect the monthly cadence helps me deliver that more rapidly to the market. >> So as you look at the bell curve in the client base, what's the shape of those that are kind of on the cutting edge and doing by definition, I shouldn't use the term cutting edge, but on the path to designing in as you would prescribe? What's it look like? Is it 2080? 199? >> That's going to be hard to put a number on. Most of the customers are covering the basics with respect to consolidating identities, moving to stronger authentication, I'm finding one of the areas that the more mature companies have adopted as this just in time notion where by default nobody has any rights to gain access to either systems or applications, and moving it to a workflow request access model. So that's the one that's a little bit newer that fewer of my customers are using but most everybody wants to adopt. If you think about some of the attacks that have taken place, if I can get a piece of email to you, and you think it's me and you open up the attachment, at that point you are now infected and the malware that's on your machine has the ability to use your account to start moving around and authenticating the things that you are authorized to get to. So if I can send that piece of email and accomplish that, I might target a system administrator or system admins and go try to use their account because it's already authorized to go log onto the database servers, which is what I'm trying to get to. Now if we could flip it say well, yeah. 
He's a database admin but if he doesn't have permissions to go log onto anything right now and he has to make a request then the malware can't make the request and can't get the approval of the manager in order to go gain access to the database. >> Now, again, I want to explore the organizational friction. Does that slow down the organization's ability to conduct business and will it be pushed back from the user base or can you make that transparent? >> It does slow things down. We're talking about process-- >> That's what it is. It's a choice that organizations have to make if you care about the long term health of your company, your brand, your revenues or do you want to go for the short term profit? >> That is one of the biggest challenges that we describe in the software world as technical debt. Some IT organizations may as well. It's just the way things happen in the process by which people adhere to things. We find all too often that people will use the password vault for example and go check out the administrator password or their Dash-A account. It's authorized to log on to any Windows computer in the entire network that has an admin. And if they check it out, and they get to use it all day long, like okay did you put it in Clipboard? Malware knows how to get to your clipboard. Did you put it in a notepad document stored on your desktop? Guess what? Malware knows how to get to that. So now we've got a system might which people might check out a password and Malware can get to that password and use it for the whole day. Maybe at the end of the day the password vault can rotate the password so that it is not long lived. The process is what's wrong there. We allow humans to continue to do things in a bad way just because it's easy. >> The human error is a huge part in this. Administrators have their own identity. Systems have a big problem. We are with David McNeely, the vice president of product strategy with Centrify. 
I've got to get your take on Jim Routh, the chief security officer for Aetna that was on the stage, great presentation. He's really talking about the cutting edge things that he's doing unconventionally he says, but it's the only way for him to attack the problem. He did do a shout out for Centrify. Congratulations on that. He was getting at a whole new way to reimagine security and he brought up that civilizations crumble when you lose trust. Huge issues. How would you guys seeing that help you guys solve problems for your customers? Is Aetna a tell-sign for which direction to go? >> Absolutely, I mean if you think about the problem we just described here the SysAdmin now needs to make a workflow style request to gain access to a machine, the problem is that takes time. It involves humans and process change. It would be a whole lot nicer, and we've already been delivering solutions that do this Machine learning behavior-based access controls. We tied it into our multifactor authentication system. The whole idea was to get the computers to make a decision based on behavior. Is it really David at the keyboard trying to gain access to a target application or a server? The machine can learn by patterns and by looking at my historical access to go determine does that look, and smell, and feel like David? >> The machine learning, for example. >> Right and that's a huge part of it, right? Because if we can get the computers to make these decisions automatically, then we eliminate so much time that is being chewed up by humans and putting things into a queue and then waiting for somebody to investigate. >> What's the impact of machine-learning on security in your opinion? Is it massive in the sense of, obviously it's breached, no it's going to be significant, but what areas is it attacking? The speed of the solution? The amount of data it can go through? Unique domain expertise of the applications? Where is the a-ha, moment for the machine learning value proposition? 
>> It's really going to help us enormously on making more intelligent decisions. If you think about access control systems, they all make a decision based on did you supply the correct user ID and password, or credential, or did you have access to whatever that resource is? But we only looked at two things. The authentication, and the access policy, and these behavior based systems, they look at a lot of other things. He mentioned 60 different attributes that they're looking at. And all of these attributes, we're looking at where's David's iPad? What's the location of my laptop, which would be in the room upstairs, my phone is nearby, and making sure that somebody is not trying to use my account from California because there's no way I could get from here to California at a rapid pace. >> Final question for you while we have a couple seconds left here. What is the value propositions for Centrify? If you had the bottom line of the product strategy in a nutshell? >> Well, kind of a tough one there. >> Identity? Stop the Breach is the tagline. Is it the identity? Is it the tech? Is it the workflow? >> Identity and access control. At the end of the day we are trying to provide identity and access controls around how a user accesses an application, how we access servers, privileged accounts, how you would access your mobile device and your mobile device accesses applications. Basically, if you think about what defines an organization, identity, the humans that work at an organization and your rights to go gain access to applications is what links everything together because as you start adopting cloud services as we've adopted mobile devices, there's no perimeter any more really for the company. Identity makes up the definition and the boundary of the organization. >> Alright, David McNeely, vice president of product strategy, Centrify. More live coverage, here in New York City from theCUBE, at CyberConnect 2017. The inaugural event. 
Cube coverage continues after this short break. (upbeat music)

Published Date : Nov 6 2017


Tom Kemp, Centrify | CUBE Conversation with John Furrier


 

(upbeat music) >> Hello, everyone and welcome to this special CUBE conversation here in our studios in Palo Alto, California. I'm John Furrier, the co-founder of SiliconANGLE Media and cohost of theCUBE, with a special preview of CyberConnect 2017, a global security conference presented by Centrify, it's an industry-independent event. I'm here with the CEO and Founder of Centrify, Tom Kemp. Tom, thanks for joining me on this preview of CyberConnect 2017. >> It's great to be here again. >> So, you guys, obviously, as a company are no longer struggling, you're clearly clearing the runway on growth. Congratulations on the success. This event will be broadcasting live on theCUBE as folks should know on the site. CyberConnect 2017 is a different kind of event, it's really the first of its kind where it's an industry gathering, not just a Black Hat, I mean, RSA's got Black Hat and they try to weave a little business in. This is all about leadership in the industry. Is that right? >> Yeah, absolutely. You know, there's really a dearth of business-focused discussions with C-Level people discussing the issues around security. And so, what we found was, was that most of the conversations were about the hackers, you know, the methodology of goin' in and hacking in. And, that doesn't really help the business people, they have to understand what are the higher level strategies that should be deployed to make their organizations more secure. So, we kind of wanted to up-level the conversation regarding security and help C-Level people, board people, figure out what they should be doing. >> And, we've obviously been reporting at SiliconANGLE, obviously, the latest and greatest on hacks. You know, you've seen everything from cyber threats, where are real hacking, to nuanced things like the rushing dissidents campaign on Facebook around voter impressions. 
And we saw that in the hearings in the senate where Facebook got really grilled by, you know, "Is it a real threat," no, but it is a threat in the sense that they're putting opinion-shaping. So, there's a broad range of business issues, some are highly-nuanced, some are very specific business values, you're out of business if you get hacked. So, how do you see that, because is that the discussion point? Is it more policy, all of the above, what is the overall conversations going to be like at CyberConnect 2017? >> Yeah, I think it's, look, the reality is, is that breaches before were about potentially stealing your data. But, now it's an impact on your brand. Like, what if the Russians were doing that to Pepsi or Coca-Cola, et cetera? They could just completely setup a lot of negative sentiment about you, so there's a lot of different ways to impact organizations as well. And so, what we're doing at CyberConnect is, putting forth CIOs of Aetna, US Bank, and having them describe what they do. I mean, think about a major healthcare company, Aetna, US Bank, the list goes on, you know, Blue Cross Blue Shield. And we're having the major CSOs of these large organizations tell their peers what they're doing to protect their company, their brands, et cetera. >> Well, I want to get back to the business impact in a second, but some notable key notes here. Securing a Nation Amid Change, A Roadmap to Freedom, from Retired General Keith Alexander, Former Director of the NSA and Chief of the U.S. Cyber Command. Why is he there, what's the focus for his talk? >> Well, you can't ignore the government aspect. Well, first of all, government is a huge target and we obviously saw that with the election, we saw that with the hack of the Office of Personnel Management, et cetera. And so, you know, nation states are going after governments as well as criminal organizations, so General Alexander can talk about what he did to protect us as citizens and our government. 
But, he also has a great insight in terms of what hackers are doing to go after critical infrastructure. >> John: He's got some experience thinking about it, so he's going to bring that thinking in? >> Absolutely, and he's going to give us an update on the latest vectors of attacks that are happening, and give us some insight on what he experienced trying to protect the United States but also trying to protect our businesses and infrastructure. So, we wanted to have him kick things off to give, you know, what more, the NSA, the ex-NSA head telling us what's going on. >> And you got amazing guests here, again the CSO from Aetna, the Chief Security Officer from Cisco, The Global Value Chain, you got US Bank. You got Amazon Web Services here talking about the Best Practice of Running Workloads on an Amazon Service Cloud. So, you got the gamut of industry, as well as some government people who have experienced dealing with this from a practitioner's standpoint? What's the confluence of that, what's the trends that are coming out of those? What can people expect to hear and look forward to watching the videos for? >> You know, I think it's going to be some of the trends that you guys talk about. It's like, how can you leverage AI and machine learning to help better protect your organization as well? So, that's going to be one huge trend. I think the other trend, and that's why we have the folks from Amazon, is in a world in which we're increasingly using mobile and Cloud and leaving the perimeter, you know, in a world where there's no perimeter, how can you secure your users, your data, et cetera? So, I think the focus of the conference is going to be very much on leveraging modern and new technologies, AI, machine learning, discussing concepts like Zero Trust. 
And then, also, figuring out and helping people really get some good ideas as they make the move to Cloud, how can they secure themselves, make themselves, more secure than when they had the traditional perimeter set up? >> I mean, given the security landscape, you and I discussed this in and around the industry, go back seven years, "Oh, Cloud's un-secure," now Cloud seems to be more secure than on-prem because of the work that Amazon, for instance, they upped their game significantly in security, haven't they? >> Absolutely, and you know, it's interesting, it's, I mean, you see it first hand, Google comes out with announcements, Microsoft, Oracle, et cetera, and security is a key issue. And they're trying to provide a more secure platform to get people comfortable moving with the Cloud. At the same time, there's vendors such as Centrify, that there's value-add that we can provide and one area that we specifically provide is in the area of identity and controlling who can access what, as well. So, yeah, it completely reshapes how you do security, and the vendors are contributing. What's so important that the solutions that we had before are being completely disruptive and they need to be completely adopted for the new Cloud world. >> I know it's your first event, you guys are underwriting this, it's presented by Centrify, it's not sponsored by, it's not your show. Although you're doing a lot of heavy lifting in supporting this, but your vision for this CyberConnect is really more of a gathering amongst industry folks. We're certainly glad to be a part of it, thanks for inviting us, we're glad to be there. But, this is not a Centrify-only thing, explain the presented by Centrify vis-a-vis CyberConnect. >> So, and we've also put forth another organization that we've worked with. It's an organization called ICIT, the Institute for Critical Information Technology. And, what they are, is they're a think tank. 
And they are very much about how can we support and secure the infrastructure of the United States, as well? We didn't want this to be a vendor fest, we wanted to be able to have all parties, no matter what technologies they use, to be able to come together and get value of this. It benefits Centrify because it raises awareness and visibility for us, but even more important, that we wanted to give back to the community and offer something unique and different. That this is not just another vendor fest show, et cetera, this is something where it's a bringing together of really smart people that are on the front-lines of securing their organizations. And we just felt that so much value could be driven from it. Because, all the other shows are always about how you can hack an ATM and all that stuff, and that's great, that's great for a hacker but that doesn't really help business people. >> Or vendors trying to sell something, right? >> Exactly. >> Another platform to measure something? >> Yeah, exactly. >> This is more of a laid-back approach. Well, I think that's great leadership, I want to give you some props for that. Knowing that you guys are very, as you say, community-centric. Now you mentioned community, this is about giving back and that's certainly going to be helpful. But, security has always been kind of a community thing, but now you're starting to see the business and industry community coming together. What's your vision for the security community at this CSO level? What's needed, what's your vision? >> I think what's needed is better sharing of best practices, and really, more collaboration because the same attacks that are going to happen for, say one healthcare organization, the hackers are going to use the same means and methods, as well. And so, if you get the CSOs in the room together and hear what the others are experiencing, it's just going to make them more better. So, the first thing, is to open up the communication. 
The second thing is, is that could we figure out a way, from a platform or a technology perspective, to share that information and share that knowledge? But, the first step is to get the people in the room to hear from their peers of what's going on. And, frankly, government at one point was supposed to be doing it, it's not really doing it, so, I think an event like this could really help in that regard. >> Well, and also, I would just point out the growth in GovCloud and following some of the stuff going on at Amazon, as an example, had been skyrocketing. So, you're starting to see industry and government coming together? >> Yeah. >> And now you got a global landscape, you know, this is interesting times and I want to get your reaction to some of the things that have been said here on theCUBE but also, out in the marketplace where, you know, it used to be state-actor game, not state on state. And then, if they revealed their cards, then they're out in the open. But now, the states are sponsoring, through open source, and also, in these public domains, whether it's a WikiLeaks or whatever, you're starting to see actors being subsidized or sponsored. And so that opens up the democratization capability for people to organize and attack the United States. And companies. >> Oh, absolutely, and you could right now, they have a help desk, and it's like ordering a service. "Oh, you want 500 bots going after this?" >> John: Smear a journalist for $10k. >> (laughing) Exactly, it's like as a service. Hacking as a service, they have help desk, et cetera. And, the interesting thing is. >> It's a business model. >> It's a business model, you're absolutely right. The people, it's all pay to play, right? And, just the number of resources being devoted and dedicated, and we're talking about thousands of people in Russia, thousands of people in North Korea, and thousands of people in China. 
And, what came out just recently, is now that they're shifting their target to individuals, and so, now you may have an individual that there may be a person just dedicated to them in China, or Russia or North Korea, trying to hack into them as well. So, it's getting really scary. >> It's almost too hard for one company with brute force, this is where the collective intelligence of the community really plays a big difference on the best practices because when you thought you had one model nailed, not just tech, but business model, it might shift. So, it seems like a moving train. >> Yeah, and we're having NIST show up, and so we're getting the government. But, I really think that there does need to be, kind of, more of an open-sourcing of knowledge and information to help better fine tune the machine learning that's needed and required to prevent these type of breaches. >> So, what can we expect? Obviously, this is a preview to the show, we'll be there Monday broadcasting live all day. What can people expect of the event, content-wise, what are your favorites? >> Well, I mean, first of all, just the people that we have there. We're going to get the two CCOs from two of the biggest healthcare companies, we're going to get the former head of the NSA, we're going to get the CSO of US Bank, I mean, we're talking the biggest financial services organizations. We're going to have the biggest healthcare organizations. We're going to have the people doing cyber. >> John: MasterCard's there. >> Yeah, MasterCard, we have the German government there as well, so we've got government, both U.S. as well as European. We've got all the big people in terms of, that have to secure the largest banks, the largest healthcare, et cetera. And then, we also have, as you talked about, obviously Centrify's going to be there, but we're going to have AWS, and we're going to have some other folks from some of the top vendors in the industry as well. 
So, it's going to be a great mixture of government, business, as well as vendors. Participating and contributing and talking about these problems. >> So, it's an inaugural event? >> Yes. >> So, you're looking for some success, we'll see how it goes, we'll be there. What can you expect, are you going to do this every year? Twice a year, what's the thoughts on the event itself? >> It's been amazing, the response. So, we just thought we were going to have 400 people, we sold out, we're getting close to 600 people. And now, we're going to have over 1,000 people that are going to be doing the live streaming. There's just a huge, pent-up demand for this, as well. So, we actually had to shut down registration and said sold out a week or two ago. And, so far, it looks really good, let's see how it goes. It looks like we can easily double this. We're already thinking about next year, we'll see how the event goes. If you just look at the line-up, look at the interest, or whatever, there's a pent-up demand to better secure government and enterprises. >> And leadership, like you guys are taking this as an issue, plus, others coming together. We're certainly super glad to be a part of the community, and we look forward to the coverage. This is really, kind of, what the industry needs. >> Absolutely. >> All right, Tom Kemp, the CEO and Founder of Centrify, really fast growing start up, doing an event for the community. Very strong approach, I love the posture, I think that's the way to go than these vendor shows. You know how I feel about that. It's all about the community, this is a community. I mean, look at the Bitcoin, the Blockchain, know your customer isn't into money laundering. It's an identity game. >> Yeah, absolutely. >> Now, by the way, quick, is there going to be any Blockchain action there? >> Oh, I don't know about that, I don't think so. >> Next year. (laughing) >> Next year, exactly. 
>> It's certainly coming, Blockchain security, as well as a lot of great topics. Check out CyberConnect 2017. If you can't make it to New York, they're sold out, theCUBE.net is where you can watch it live. And, of course, we'll have all the video coverage on demand, on theCUBE.net, as well. So, we'll have all the sessions and some great stuff. Tom Kemp, CEO. I'm John Furrier from theCUBE, here in Palo Alto, thanks for watching. (upbeat music)

Published Date : Nov 3 2017


Thomas Kemp, Centrify - Google Next 2017 - #GoogleNext17 - #theCUBE


 

(upbeat music) >> Narrator: Live, from Silicon Valley. It's the Cube. Covering Google Cloud Next 17. >> Okay welcome back, everyone. We are live in Palo Alto for two days of coverage of Google Next 2017. I'm John Furrier, we're here with Tom Kemp, CEO of Centrify. No longer a startup, they're scaling up. You guys do it very well. Tom, great to see you. Welcome to the Cube. >> Great to be here. >> Saw you at RSA, you guys had an exceptional event. One Presence to show, obviously a security show, you're in the security business. But also Mobile World Congress will try to get you on again, security's hot, front and center at Mobile World Congress. >> Yeah. >> Security is front and center at Google Cloud Next. Security is front and center at blank event. It's happening everywhere right? So give us the update. What is Centrify, obviously the "No Breach" is your tagline. What's up with Centrify? Give us a quick update on what you're up to. >> Yeah, absolutely. So we're a security company focused, as you said, on identity. And we really address the issue of too many passwords and too much privilege. The fundamental issue that's happening within security, is like 75 billion dollars is being spent on it, it's one of the fastest growing market segments, but it's failing because the breaches are far outnumbering, and growing at a faster rate, than the amount of money being spent on that. And so, we're trying to rethink security by looking at where the breaches are coming from, and they're coming in from, like in the case of Podesta, stealing usernames and passwords. And Verizon said two thirds of breaches involve stolen credentials. And Forrester just recently said that 80 percent of breaches involve the compromise of privileged accounts, the root accounts for the infrastructure etc. So if two thirds, to 80 percent of breaches involve identity, we fundamentally believe you need to focus a lot more on that, and that's what we're all about. Focusing on identity. 
>> And what is this? Is this a new revelation, or is this something that you guys have felt was happening for a long time, or has it just been the matter of fact, that's what's happening? >> You know it's, we have some great investors, and we have Accel, Mayfield, Index, Sigma, now called Jackson Square Ventures. And one of the board members told me, the market's come to you, because we've been doing this for over 10 years. And focusing on identity, and people are like, "Oh okay, that's interesting." But now, if you look at just the massive number of breaches that are occurring, and the focus that identity is the leading attack vector, and then you couple it with the whole move to the Cloud, I know we're going to be talking about what Google is doing in the Cloud, etc. It actually makes the problem even worse. And so we feel that we've been plugging along, doing and focusing on identity, and now kind of the market has come to us, because of the move to Cloud, and the hackers are going after identities. >> Yeah it's interesting, I saw a Facebook friend, I won't say his name for privacy, because I don't have the right to talk about it, he's in bitcoin, so obviously that world is an underbelly in itself. Yeah but, interesting thing is that he had two factor authentication on his phone, and someone hacked his phone and they sent the password back to his phone, all his bank accounts are gone. >> Oh my goodness. >> So this is an example of that privileged identity. So that even two factor authentication, in that case, didn't work. So you're starting to see this, right? So what's the answer, and how does it relate to cloud? There's no perimeter in the cloud. Is it federated identity, is it some blockchain thing, is there new model? What's your view on this, and how you guys attacking it specifically? >> Yeah, I mean in a world in which we're increasingly moving to the cloud, what can you secure? 
Like if I'm at a Starbucks in Palo Alto, on my iPad, talking to Google apps, talking to Salesforce etc., I don't have any antivirus, I'm not using any next gen firewall, or VPN etc. So the focus needs to shift to securing the user. And you really need to start integrating, and leveraging, from a multi factor authentication biometrics as well. Use that phone, use the touch ID, to actually ensure that. And then also, in the cloud, start analyzing user behavior. And actually determine, well wait a minute, this person normally doesn't login from China, but now he's accessing the Salesforce, or Facebook etc. So, it's becoming, evolving more to utilizing mobile device as part of your identity, and it's also leveraging machine learning to understand what normal behavior is, and blocking abnormal behavior. >> And also using big data techniques, because your point about China is interesting. Anyone who travels might have had this situation, we go to Vegas a lot for the Cube, but like I'm in Vegas then I pull out an ATM withdrawal, next I go to use my other credit card, and it says "woah fraud alert." >> Tom: Yes. >> Well, wait a minute, I made a cell phone call, I took money out of the bank, and yet the credit card didn't know that I'm in Vegas. Now that's interesting, so conversely, China's accessing my accounts, and I'm making phone calls in Palo Alto, that should be obvious. >> Yeah. >> That just seems like it's just so disfragmented data sets. >> So historically, the definition of identity was a username, and a password. But, in a Cloud world, identity should be redefined in terms of your applications, your device, your location, and your activity. So, if you are trying to access an app from China, it should ask you for four or five additional bits of information, instead of two factors, it should be multi-factor, and it should include biometrics as well. 
So, machine learning is going to become even more critical to reduce fraud, and the compromise of credentials. >> So, let's talk about Google Next. Because one of the things that, I mean really we know Google, we're living in Palo Alto, they're all around us, they're in Mountain View, Larry Page lives in the hood here. Google has always been a technology innovator, and it's clear that that's the lead for their Cloud. But the enterprise, which they're by the way serious, Diane Green is very serious with enterprise, they're just starting to move down that road. You've been there for awhile, on mobile, and in the enterprise, what is some of the things that people should know about on how hard it is in the enterprise? Specifically with Cloud, what is some of the things that you see as table stakes? >> Yeah, it's actually having meat eating sales reps out in the field. Not relying on some person who's-- >> John: Some bot. >> Yeah some bot, or some 20 year old calling from Austin, or Mountain View, but it's actually having someone there, with a technical architect, that can hop on a subway, or be there within a half hour to spend some quality time. >> John: And strategic selling too right? >> Exactly. Because they have a challenge, which is they're competing with both Microsoft and Amazon. And obviously Microsoft has the enterprise people, and Amazon is really ramping up in that area. And I think that, so you can throw the technology, but enterprise accounts want to be able to have a conversation face to face, more so than executive coming out and having a dinner with someone. >> Take me through a sales motion, because this is important. You and I have talked about this in the past, and Dave Loth and I always talk about it on the Cube. And it used to be well known in the VC circles, that sales forces are expensive because the sales motions are different. What is the typical sales motion for an enterprise like Sell. 
Because it's not as simple as saying, "self service, Cloud, put your credit card down," and get you know, Cooper and Eddy's support, terminal access, static IP's, virtual servers, oh by the way I got a support DB2 as well. A non Oracle database, or Oracle. >> Well, look I mean, it's very easy to have that bite over the web for when you start a developer for a new application. And Amazon's done a great job at that, Microsoft's getting there as well. So if you really want the existing applications to move to the Cloud, you have to sit down and have conversations about a hybrid Cloud environment. Because people will have on premise active directory, they'll have a set of security policies, etc. And so the conversation needs to be had, is like how do you bridge on premise, with the Cloud as well, and make that heterogeneous environment look and feel and smell like it's homogeneous from authentication, authorization, audit perspective, compliance perspective, etc. So you certainly need to first and foremost be able to put architects out there, have that conversation, etc. And you just can't rely too much on partners. And I think from there service level agreements, and then also showing that your Cloud platform is incredibly secure as well. >> Yeah I would agree, I would just say one, on the meat eating sales rep, basically what that means people understand the domain, with an architect technically that's going to SC, and then you have to really kind of have an understanding that there's a multiple stakeholder role. One's a recommender, one's an influencer, one's a decision maker, and it is a campaign. It's a multi pronged campaign. >> Yeah you have to think-- >> John: Know their problems, give them a solution, value creation. >> Absolutely. >> John: Value selling. >> Because there's just a level of complexity. 
And again I'm not saying that Google for new projects, with the current sales motion, can't bring on an app, and maybe that app leverages their machine learning, which seems to be world class right? >> TensorFlow's getting great traction, Intel's building chips for that as well. >> Yeah. >> Google owns a great developer mind share, and I think they've really cracked the code on open source, and they have great empathy with the developers, we were talking about with Val earlier. But with operationally I just see a disconnect. And Amazon's quietly ramping up too, they're no spring chicken either when it comes to direct selling, but they're been working more years on that. >> And I think you seen the word Hybrid Cloud, and I know you spent time with the folks at Vmware, talking about the relationship with Ama... That's all about the Hybrid Cloud, which people need, the enterprises need a bridge and on ramp. And I think, from our perspective- >> Vmware is very solid with Gelsinger and their sales force. They're very, >> Yeah absolutely. >> Very strong with enterprise selling. >> And that's what we focus, cause we initially started on premise, we tied things in to active directory for example, but now we have a Cloud platform, and we advertise and promote ourselves as addressing identity for the Hybrid environment, and providing the bridge between the two, and I think that's critical. >> Now do you guys have an enterprise sales force, right? >> Absolutely. >> So you've invested in that, over ten years? >> Oh yeah, absolutely. So we have over 60 percent of the Fortune 50, and 80 percent of our sales comes from the Global 2000. We've grown, we're over 100 million in sales, so we're in there having that conversation with enterprises all the time. >> So Tom, so we know Diane Green lives in the neighborhood, so let's pretend she calls us up, "Hey Tom, John, come over. "We'll have a cocktail, and dinner. 
"I need your advice on how to ramp up my enterprise, "operational empathy, and strategy." What would we advise her? What would you advise her, I have my own opinion. But go to you first. >> I really think and focus on, obviously use the machine learning as a key wedge for new applications, but really focus on the concept of Hybrid. And she mastered going from physical to virtual. Now, everyone's virtualized, and so she needs to figure out how I can get virtual to Cloud, V to C, right? And have the people, and have the conversation, and provide bridging technologies as well. So I think that is going to require, not just purely Cloud based stuff, but it's going to probably provide, she's going to need, either through partnerships, or developer stuff. >> Or M and A. >> Or M and A, she's going to have to build connectors, to help facilitate the bridging, because she can go after definitely the 20 percent of the new stuff, but if you want to attack the 80 percent of the existing stuff, and she did a masterful job of going physical to virtual-- >> At VMware. >> At VMware, and now her challenge is to go V to C. Virtual to Cloud. >> So my advice, Diane if you're watching, is the following: One, don't screw up the Google formula. And I know she's transforming Google, and that's a good thing, they need that right now. But I think, what I like about what I'm seeing at Google Next right now is that they have great technology chops. In kind of the Google, pat themselves on the back kind of way, which is they got mojo, they've always had great technology mojo, and that comes down from the founder. So the machine learning stuff, the AI, the stuff that they're doing in their portfolio has, I call the coolness-relevant factor on the tech. What I would do, is I would specifically nurture that, cause she's also a good knack for doing innovative things, and she's very innovative manager, and I've seen that at Vmware, and other places that she's been advising. 
So she's got a knack for, "Ahh that's cool, look we should do that cool technology "that's going to have legs in the future." So she's got a good sage picking out the technology. I would do an M and A. I would just stop expanding the existing Google culture relative to that sales motions and the enterpriseness, and just go buy somebody. Spend the billion dollars, or more, take someone out whose got full global, regional sales force, why not? Because then those guys already have the relationships, so the buy, build, to the sales force might take too long. I'm not sure that they could get there. I mean, what do you think about that? >> Yeah I think it's, I think they've been public about it. I think they have to invest in their own, but I do think that M and A, I mean they're number three, and they got to do something. Clearly the machine learning AI stuff is going to be huge. We're actually very impressed, I got emails from the folks at the show, about this whole video stuff, in terms of their ability to use the machine learning, and AI to interpret video, which is pretty impressive. But again that's going to be more for a vertical. Or a specific type of application. And so I think they're going to need to do a combination . >> Here's the thing that I'm seeing though. There's a speed of Google, and there's a speed of enterprise. They might have to throttle down, I don't want to say dumb down, that's particularly not the issue, it's more of throttle down the cadence of what enterprises are comfortable with. For example, SLA's, their SLA's are a little bit gray area, but they're awesome on, "hey it only costs X dollars, "import this great data and crunch all this stuff." So they've got great pricing. >> They need to master, Diane did a masterful job of like, overnight she had a utility that could go P to V, and you flipped it up, and everything just magically worked. 
And they need to prove that they can forklift the applications, with minimal to no changes, and things magically work. And that requires a bunch of software partnership technology, that it's like flipping a switch to go the Cloud. And if you don't like it, then you can roll it back as well. >> What's their security in position in your mind? You've done an audit, you been keeping track of it, or they're secure. Or what's the needs of the enterprise that they should be addressing for security? Well you guys have a relationship with any other booth at the event. >> Yeah absolutely, and we integrate at multiple levels as well. I think they're doing a pretty good job, I think that other vendors like Microsoft are really more heavily investing in areas that we're in, such as identity, so Microsoft has basically replicated the playbook with active directory, and they have something called Azure AD, and so Google doesn't have anything that's equivalent. That's good for us, that actually leads to opportunities, but they could do more in the areas of identity. I think if you look at what Amazon's doing in terms of web application firewalls, and protecting applications that are being spun up in the cloud. I think those are areas that can be improved. Encryption, key management, etc. So if you look at the slide that they have where they say insecurity, I think they list three items, but then if you were to compare it to say Microsoft, or Amazon, they've got five, six, seven items right there as well. I think that there's definitely going to be needs and requirements that need to be met and addressed there. So it's good, for us. >> Well to me it's just a matter of their evolution, they can only go as fast as they can go. That's what the people that I tend to talk to don't get. They can be critical of Google, but at the end of the day they can only go so fast. 
>> Yeah, and also another bit of advice, is they do have a very good install base with G Suite, formerly Google Apps, but they got to do a better job of leveraging that when people try to move to infrastructure as a service-- >> I think they've taken that advice because it was clear that they're at this event, was they're showcasing a lot of the stats on G Suite, they're also talking about the apps. And that's consistent with IBM, Oracle, and Microsoft. They're throwing in their SaaS layers as part of the stack as well. That's how they can differentiate from Google. What else do they have right? >> Really it's almost like a startup company that's been around for a few years. They have their initial product, and they come out with their second product and the board members will say, "Well what's the adoption of cross selling the new product with the existing?" And so it should be interesting to see if they can get people that bought in to the G Suite vision, to say, "Oh okay, now I'm going to start firing up servers on the Google Cloud Platform." >> Well you bring up a good point about their G Suite, and I mentioned Microsoft using Office 365 as an example. Oracle throws their apps into the blender, if you will. On the numbers and everything. It's interesting Wikibon research is showing that the PaaS layer's squeezing, that's a big debate in our own research team, but Gartner research that I just recently looked at from February. Basically there's a new talk about SaaS, so if you start including SaaS, then you got to open up the conversation to Salesforce, Adobe, and on and on and on. Because there's a Cloud service provider model out there. LinkedIn's a service provider. So what is SaaS, I always look at it like what's the SaaS equation look like. I mean, what does Cloud really look like? >> I look at the statistics, because we address both infrastructure as a service, and software as a service as well, with our identity solutions. 
Clearly infrastructure as a service is a much bigger market, SaaS is pretty significant, but if you add up SaaS, infrastructure, and PaaS, it's about 24 billionish right there. But guess what, Amazon already has over 10 of it last year. Amazon has 40 percent of the Cloud market as well. And they've proven that you don't have to have a SaaS capability to be incredibly successful in the Cloud. >> Well they have their one SaaS that was called Amazon.com, but they broke that out. Alright, Tom what's next for you guys at Centrify? What's on your, anything coming up, things you're working on, share some quick plug for Centrify, and the progress you're making in status? >> We've been doing this for 10 years, and we feel really good about providing basically a platform for identity. And one theme and trend that we're seeing a lot of in the security market is that buyers have security fatigue, they're so sick of dealing with point solutions, and I think that's working to our advantage, that people are looking at a vendor such as us, that can address, not only single sign-on, but multi-factor authentication, privileged account management as well. So we're very much focused these days on providing a set of solutions that are all built on a platform, and just kind of filling in-- >> When you say fatigue, you mean sprawl and applications they're buying just another platform, because they do try to try everything, why wouldn't they? They're getting tired of that? >> In security you just have a lack of security knowledge. There's a huge skills gap when it comes to security. And if you have to buy a point solution to address every little bit of security, you just can't hire people, right? And then you find that you have air gaps that actually make you less secure. 
And so we've over time built this platform up, and now we're really seeing that people are like, I don't have to get a standalone EMM, a standalone SSO, a standalone MFA solution, a standalone password vault solution etc. So we're very much focused on selling our platform to customers and with this whole mindset of customers wanting to consolidate vendors. Historically vendor consolidation was about buyers wanting that, but now IT people want that. And so we're really just focusing on, internally articulating how we can actually address a lot of problems that people have with too much privilege, and too many passwords. >> And you guys are expanding your sales force team? >> Oh absolutely. We've definitely hit the critical mass. We're over a hundred million sales, we're growing fast, we're cash flow positive as well. >> John: Alright, congratulations. The VC's happy. Time to go public, so what's your evaluation? Unicorn. >> No comment on that, rule 40 and all that fun stuff. We got a lot of checkboxes right there. >> I think your VC partner is right, your investor, the world is spinning towards you because if you look at the identity, and nearly everything in the digital world, whether it's Cloud, data, or packets or people. It's going to be a persona based focus. Not like, what company you work for. >> We had this huge trend of consumerization of IT, so it's really about the user. So focus on securing the user, not focusing on securing the network, because the network's gone. >> Finally, 30 years later, it's coming back to the user. It's been talked about, the passports, the digital wallet. >> Exactly. >> John: Tom Kemp, CEO of Centrify, a hot startup growing over 100 million in sales. Heard here on the Cube. Very successful company. Really have a nice approach, world's spinning towards them. Really hopefully a great solution for our security and our liberties so we don't get hacked over and over again. 
It's the Cube, bringing you all the coverage of Google Next, here in the studio I'm John Furrier. Be right back with more, after this short break. (resonant techno music)

Published Date : Mar 8 2017



Breaking Analysis: Can anyone tame the identity access beast? Okta aims to try...


 

>> From "theCUBE" studios in Palo Alto and Boston, bringing you data-driven insights from "theCUBE" and ETR. This is breaking analysis with Dave Vellante. >> Chief Information Security Officers cite trust as the number one value attribute they can deliver to their organizations. And when it comes to security, identity is the new attack surface. As such, identity and access management continues to be the top priority among technology decision makers. It also happens to be one of the most challenging and complicated areas of the cybersecurity landscape. Okta, a leader in the identity space has announced its intent to converge privileged access and Identity Governance in an effort to simplify the landscape and re-imagine identity. Our research shows that interest in this type of consolidation is very high, but organizations believe technical debt, compatibility issues, expense and lack of talent are barriers to reaching cyber nirvana, with their evolving Zero-Trust networks. Hello and welcome to this week's Wikibon CUBE insights, powered by ETR. In this breaking analysis, we'll explore the complex and evolving world of identity access and privileged account management, with an assessment of Okta's market expansion aspirations and fresh data from ETR, and input from my colleague Eric Bradley. Let's start by exploring identity and why it's fundamental to digital transformations. Look, the pandemic accelerated digital, and digital raises the stakes in cybersecurity. We've covered this extensively, but today we're going to drill into identity, which is one of the hardest nuts to crack in security. If hackers can steal someone's identity, they can penetrate networks. If that someone has privileged access to databases, financial information, HR systems, transaction systems, the backup corpus, well, you get the point. There are many bespoke tools to support a comprehensive identity access management and privileged access system. 
Single sign-on, identity aggregation, de-duplication of identities, identity creation, the governance of those identities, group management. Many of these tools are open source. So you have lots of vendors, lots of different systems, and often many dashboards. Practitioners tell us that it's the paper cuts that kill them, patches that aren't applied, open ports, orphan profiles that aren't disabled. They'd love to have a single dashboard, but it's often not practical for large organizations because of the bespoke nature of the tooling and the skills required to manage them. Now, adding to this complexity, many organizations have different identity systems for privileged accounts, the general employee population and customer identity. For example, around 50 percent of ETR respondents in a recent survey use different systems for workforce identity and consumer identity. Now this is often done because the consumer identity is a totally different journey. The consumer is out in the wild and takes an unknown, nonlinear path and then enters the known space inside a brand's domain. The employee identity journey is known throughout. You go onboarding, to increasing responsibilities and more access to off-boarding. Privileged access may even have different attributes, does usually like no email and, or no shared credentials. And we haven't even touched on the other identity consumers in the ecosystem like selling partners, suppliers, machines, etcetera. Like I said, it's complicated and meeting the needs of auditors is stressful and expensive for CSOs. Open chest wounds, such as sloppy histories of privileged access approvals, obvious role conflicts, missing data, inconsistent application of policy and the list goes on. The expense of securing digital operations goes well beyond the software and hardware acquisition costs. So there's a real need and often desire, to converge these systems. But technical debt makes it difficult. 
Companies have spent a lot of time, effort and money on their identity systems and they can't just rip and replace. So they often build by integrating piece parts or they add on to their quasi-integrated monolithic systems. And then there's the whole Zero-Trust concept. It means a lot of different things to a lot of different people, but folks are asking if I have Zero-Trust, does it eliminate the need for identity? And what does that mean for my architecture, going forward. So, let's take a snapshot of some of the key players in identity and PAM, Privileged Access Management. This is an X-Y graph that we always like to show. It shows the net score or spending velocity, spending momentum on the vertical axis and market share or presence in the ETR dataset on the horizontal axis. It's not like revenue market share. It's just, it's mentioned market share if you will. So it's really presence in the dataset. Now, note the chart insert, the table, which shows the actual data for Net Score and Shared N, which informs the position of the dot. The red dotted line there, it indicates an elevated level. Anything over 40 percent that mark, we consider the strongest spending velocity. Now within this subset of vendors that we've chosen, where we've tried to identify some, most of them are pure plays, in this identity space. You can see there are six above that 40 percent mark including Zscaler, which tops the charts, Okta, which has been at or near the top for several quarters. There's an argument by the way, to be made that Okta and Zscaler are on a collision course as Okta expands its TAM, but let's just park that thought for a moment. You can see Microsoft with a highly elevated spending score and a massive presence on the horizontal axis, CyberArk and SailPoint, which Okta is now aiming to disrupt and Auth0, which Okta officially acquired in May of this year, more on that later. 
Now, below that 40 percent mark you can see Cisco, which has largely acquired companies in order to build its security portfolio. For example, Duo which focuses on access and multi-factor authentication. Now, word of caution, Cisco and Microsoft in particular are overstated because, this includes their entire portfolio of security products, whereas the others are more closely aligned as pure plays in identity and privileged access. ThycoticCentrify is pretty close to that 40 percent mark and came about as a result of the two companies merging in April of this year. More evidence of consolidation in this space, BeyondTrust is close to the red line as well, which is really interesting because this is a company whose roots go back to the VAX VMS days, which many of you don't even know what a VAX VMS is in the mid 1980s. It was the mini computer standard and the company has evolved to provide more modern PAM solutions. Ping Identity is also notable in that, it essentially emerged after the dot com bust in the early 2000s as an identity solution provider for single sign-on, SSO and multifactor authentication, MFA solutions. It IPO'd in the second half of 2019, just prior to the pandemic. It's got a $2 billion market cap, down from its highs of around $3 billion earlier this year and last summer. And like many of the remote work stocks, they bounced around, as the reopening trade and lofty valuations have weighed on many of these names, including Okta and SailPoint. Although CyberArk, actually acted well after its August 12th earnings call as its revenue growth about doubled year on year. So hot space and a big theme this year is around Okta's acquisition of Auth0 and its announcement at Oktane 2021, where it entered the PAM market and announced its thrust to converge its platform around PAM and Identity Governance and administration. 
Now I spoke earlier this week with Diya Jolly, who's the Chief Product Officer at Okta and I'll share some of her thoughts later in this segment. But first let's look at some of the ETR data from a recent drill down study that our friends over there conducted. This data is from a drill down that was conducted early this summer, asking organizations how important it is to have a single dashboard for access management, Identity Governance and privileged access. This goes directly to Okta's strategy that it announced this year at its Oktane user conference. Basically 80 percent of the respondents want this. So this is no surprise. Now let's stay on this theme of convergence. ETR asks security pros if they thought convergence between access management and Identity Governance would occur within the next three years. And as you can see, 89% believe this is going to happen. They either strongly agree, agree, or somewhat agree. I mean, it's almost as though the CSOs are willing this to occur. And this seemingly bodes well for Okta, which in April announced its intent to converge PAM and IGA. Okta's Diya Jolly stressed to me that this move was in response to customer demand. And this chart confirms that, but there's a deeper analysis worth exploring. Traditional tools of identity, single sign-on SSO and multi-factor authentication MFA, they're being commoditized. And the most obvious example of this is OAuth or Open Authorization. You know, log in with Twitter, Google, LinkedIn, Amazon, Facebook. Now Okta currently has around a $35 billion market cap as of today, off from its highs, which were well over 40 billion earlier this year. Okta stated, previously stated, total addressable market was around 55 billion. So CEO, Todd McKinnon had to initiate a TAM expansion play, which is the job of any CEO, right? Now, this move does that. It increases the company's TAM by probably around $20 to $30 billion in our view. 
Moreover, the number one criticism of Okta is, "Your price is too high." That's a good problem to have I say. Regardless, Okta has to think about adding more value to its customers and prospects, and this move both expands its TAM and supports its longer-term vision to enable a secure user-controlled ubiquitous, digital identity, supporting federated users and data within a centralized system. Now, the other thing Jolly stressed to me is that Okta is heavily focused on the user experience, making it simple and consumer grade easy. At Oktane 21, she gave a keynote laying out the company's vision. It was a compelling presentation designed to show how complex the problem is and how Okta plans to simplify the experience for end users, service providers, brands, and the overall technical community across the ecosystem. But look, there are a lot of challenges, the company faces to pull this off. So let's dig into that a little bit. Zero-Trust has been the buzz word and it's a direction, the industry is moving towards, although there are skeptics. Zero-Trust today is aspirational. It essentially says you don't trust any user or device. And the system can ensure the right people or machines, have the proper level of access to the resources they need all the time, with a fantastic user experience. So you can see why I call this nirvana earlier. In previous breaking analysis segments, we've laid out a map for protecting your digital identity, your passwords, your crypto wallets, how to create Air Gaps. It's a bloody mess. So ETR asked security pros if they thought a hybrid of access management and Zero-Trust network could replace their PAM systems, because if you can achieve Zero-Trust in a world with no shared credentials and real-time access, a direction which Diya jolly clearly told me Okta is headed, then in theory, you can eliminate the need for Privileged Access Management. Another way of looking at this is, you do for every user what you do for PAM users. 
And that's how you achieve Zero-Trust. But you can see from this picture that there's more uncertainty here with nearly 50 percent of the sample, not in agreement that this is achievable. Practitioners in Eric Bradley's round tables tell us that you'll still need the PAM system to do things, like session auditing and credential checkouts and other things. But much of the PAM functionality could be handled by this Zero-Trust environment we believe. ETR then asks the security pros, how difficult it would be to replace their PAM systems. And this is where it gets interesting. You can see by this picture. The enthusiasm wanes quite a bit when the practitioners have to think about the challenges associated with replacing Privileged Access Management Systems with a new hybrid. Only 20 percent of the respondents see this as, something that is easy to do, likely because they are smaller and don't have a ton of technical debt. So the question and the obvious question is why? What are the difficulties and challenges of replacing these systems? Here's a diagram that shows the blockers. 53 percent say gaps in capabilities. 26 percent say there's no clear ROI. IE too expensive and 11 percent interestingly said, they want to stay with best of breed solutions. Presumably handling much of the integration of the bespoke capabilities on their own. Now speaking with our Eric Bradley, he shared that there's concern about "rip and replace" and the ability to justify that internally. There's also a significant buildup in technical debt, as we talked about earlier. One CSO on an Eric Bradley ETR insights panel explained that the big challenge Okta will face here, is the inertia of entrenched systems from the likes of SailPoint, Thycotic and others. Specifically, these companies have more mature stacks and have built in connectors to legacy systems over many years and processes are wired to these systems and would be very difficult to change with skill sets aligned as well. 
One practitioner told us that he went with SailPoint almost exclusively because of their ability to interface with SAP. Further, he said that he believed, Okta would be great at connecting to other cloud API enabled systems. There's a large market of legacy systems for which Okta would have to build custom integrations and that would be expensive and would require a lot of engineering. Another practitioner said, "We're not implementing Okta, but we strongly considered it." The reason they didn't go with was the company had a lot of on-prem legacy apps and so they went with Microsoft Identity Manager, but that didn't meet the grade because the user experience was subpar. So they're still searching for a solution that can be good at both cloud and on-prem. Now, a third CSO said, quote, " I've spent a lot of money, writing custom connectors to SailPoint", and he's stressed a lot of money, he said that several times. "So, who was going to write those custom connectors for me? Will Okta do it for free? I just don't see that happening", end quote. Further, this individual said, quote, "It's just not going to be an easy switch. And to be clear, SailPoint is not our PAM solution. That's why we're looking at CyberArk." So the complexity that, unquote. So the complexity and fragmentation continues. And personally I see this as a positive trend for Okta, if it can converge these capabilities. Now I pressed Okta's Diya Jolly on these challenges and the difficulties of replacing them over to our stacks of the competitors. She fully admitted, this was a real issue But her answer was that Okta is betting on the future of microservices and cloud disruption. Her premise is that Okta's platform is better suited for this new application environment, and they're essentially betting on organizations modernizing their application portfolios and Okta believes that it will be ultimately a tailwind for the company. 
Now let's look at the age old question of best of breed versus incumbent slash integrated suite. ETR in its drill-down study asked customers, when thinking about identity and access management solutions, do you prefer best of breed, an incumbent that you're already using or the most cost efficient solution? The respondents were asked to force rank one, two and three, and you can see, incumbent just edged out best in breed with a 2.2 score versus a 2.1, with the most cost-effective choice at 1.7. Now, overall, I would say, this is good news for Okta. Yes, they faced the issues that we brought up earlier but as digital transformations lead to modernizing much of the application portfolio with container and microservices, Okta will be in a position, assuming it continues to innovate, to pick up much of this business. And to the point earlier, where the CSO told us they're going to use both SailPoint and CyberArk. When ETR asked practitioners which vendors are in the best position to benefit from Zero-Trust, the Zero-Trust trend, the answers were not surprisingly all over the place. Lots of Okta came up. Zscaler came up a lot too, hmm. There's that collision course. But plenty of SailPoint, Palo Alto, Microsoft, Netskope, Thycotic, Centrify, Cisco, all over the map. So now let's look specifically at how practitioners are thinking about Okta's latest announcements. This chart shows the results of the question. Are you planning to evaluate Okta's recently announced Identity Governance and PAM offerings? 45 to nearly 50 percent of the respondents either were already using or plan to evaluate, with just around 40 percent saying they had no plans to evaluate. So again, this is positive news for Okta in our view. The huge portion of the market is going to take a look at what Okta's doing. Combined with the underlying trends that we shared earlier related to the need for convergence, this is good news for the company. 
Now, even if the blockers are too severe to overcome, Okta will be on the radar and is on the radar as you can see from this data. And as with the Microsoft MIM example, the company will be seen as increasingly strategic, Okta that is, and could get another bite at the apple. Moreover, Okta's acquisition of Auth0 is strategically important. One of the other things Jolly told me is they see initiative starting both from devs and then hand it over to IT to implement, and then the reverse where IT may be the starting point and then go to devs to productize the effort. The Auth0 acquisition gives Okta plays in both games, because as we've reported earlier, Okta wasn't strong with the devs, Auth0, that was their wheelhouse. Now Okta has both. Now on the one hand, when you talk to practitioners, they're excited about the joint capabilities and the gaps that Auth0 fills. On the other hand, it takes out one of Okta's main competitors and customers like competition. So I guess I look at it this way. Many enterprises will spend more money to save time. And that's where Okta has traditionally been strong. Premium pricing but there's clear value, in that it's easier, less resources required, skillsets are scarce. So boom, good fit. Other enterprises look at the price tag of an Okta and they actually have internal development capabilities. So they prefer to spend engineering time to save money. That's where Auth0 has seen its momentum. Now Todd McKinnon and company, they can have it both ways because of that acquisition. If the price of Okta classic is too high, here's a lower cost solution with Auth0 that can save you money if you have the developer talent and the time. It's a compelling advantage, that's unique. Okay, let's wrap. The road to Zero-Trust networks is long and arduous. 
The goal is to understand, support and enable access for different roles, safely and securely, across an ecosystem of consumers, employees, partners, suppliers, all the consumers, (laughs softly) of your touch points to your security system. You've got to simplify the user experience. Today's kluge of password, password management, security exposures, just not going to cut it in the digital future. Supporting users in a decentralized, no-moat world, the queen has left her castle, as I often say, is compulsory. But you must have federated governance. And there's always going to be room for specialists in this space. Especially for industry specific solutions for instance, within healthcare, education, government, et cetera. Hybrids are the reality for companies that have any on-prem legacy apps. Now Okta has put itself in a leadership position, but it's not alone. Complexity and fragmentation will likely remain. This is a highly competitive market with lots of barriers to entry, which is both good and bad for Okta. On the one hand, unseating incumbents will not be easy. On the other hand, Okta is both scaling and growing rapidly, revenues are growing almost 50% per annum and with its convergence agenda and Auth0, it can build a nice moat to its business and keep others out. Okay, that's it for now. Remember, these episodes are all available as podcasts, wherever you listen, just search breaking analysis podcast, and please subscribe. Thanks to my colleague, Eric Bradley, and our friends over at ETR. Check out ETR website at "etr.plus" for all the data and all the survey action. We also publish a full report every week on "wikibon.com" and "siliconangle.com". So make sure you check that out and browse the breaking analysis collection. There are nearly a hundred of these episodes on a variety of topics, all available free of charge. Get in touch with me. You can email me at "david.vellante@siliconangle.com" or "@dvellante" on Twitter. Comment on our LinkedIn posts. 
This is Dave Vellante for "theCUBE" insights powered by ETR. Have a great week everybody. Stay safe, be well, and we'll see you next time. (upbeat music)

Published Date : Aug 20 2021


Peter Smails, Datos IO | CUBE Conversation with John Furrier


 

(light orchestral music) >> Hello, everyone, and welcome to the Cube Conversation here at the Palo Alto studios for theCUBE. I'm John Furrier, the co-founder of SiliconANGLE Media. We're here for some news analysis with Peter Smails, the CMO of Datos.IO D-a-t-o-s dot I-O. Hot new start up with some news. Peter was just here for a thought leader segment with Chris Cummings talking about the industry breakdown. But the news is hot, prior to re:Invent which you will be at? >> Absolutely. >> RecoverX is the product. 2.5, it's a release. So, you've got a point release on your core product. >> Correct. >> Welcome to this conversation. >> Thanks for having me. Yeah, we're excited to share the news. Big day for us. >> All right, so let's get into the hard news. You guys are announcing a point release of the latest product which is your core flagship, RecoverX. >> Correct. >> Love the name. Love the branding of the X in there. It reminds me of the iPhone, so makes me wanna buy one. But you know ... >> We can make that happen, John. >> You guys are the X Factor. So, we've been pretty bullish on what you guys are doing. Obviously, like the positioning. It's cloud. You're taking advantage of the growth in the cloud. What is this new product release? Why? What's the big deal? What's in it for the customer? >> So, I'll start with the news, and then we'll take a small step back and sort of talk about why exactly we're doing what we're doing. So, RecoverX 2.5 is the latest in our flagship RecoverX line. It's a cloud data management platform. And the market that we're going after and the market we're disrupting is the traditional data management space. The proliferation of modern applications-- >> John: Which includes which companies? >> So, the Veritas' of the world, the Commvault's of the world, the Dell EMC's of the world. Anybody that was in the traditional-- >> 20-year-old architected data backup and recovery software. >> You stole my fun fact. 
(laughs) But very fair point which is that the average age approximately of the leading backup and recovery software products is approximately 20 years. So, a lot's changed in the last 20 years, not the least of which has been this proliferation of modern applications, okay? Which are geo-distributed microservices oriented and the rapid proliferation of multicloud. That disrupts that traditional notion of data management specifically backup and recovery. That's what we're going after with RecoverX. RecoverX 2.5 is the most recent version. News on three fronts. One is on our advanced recovery, and we can double-click into those. But it's essentially all about giving you more data awareness, more granularity to what data you wanna recover and where you wanna put it, which becomes very important in the multicloud world. Number two is what we call data center aware backup and recovery. That's all about supporting geo-distributed application environments, which again, is the new normal in the cloud. And then number three is around enterprise hardening, specifically around security. So, it's all about us increased flexibility and new capabilities for the multicloud environment and continue to enterprise-harden the product. >> Okay, so you guys say significant upgrade. >> Peter: Yep. >> I wanna just look at that. I'm also pretty critical, and you know how I feel on this so don't take it personal, multicloud is not a real deal yet. It's in statement of value that customers are saying-- It's coming! But cloud is here today, regular cloud. So, multicloud ... Well, what is multicloud actually mean? I mean, I can have multiple clouds but I'm not actually moving workloads across clouds, yet. >> I disagree. >> Okay. >> I actually disagree. We have multiple customers. >> All right, debunk that. >> I will debunk that. Number one use case for RecoverX is backup and recovery. 
But with a twist of the fact that it's for these modern applications running these geo-distributed environments. Which means it's not about backing up my data center, it's about, I need to make a copy of my data but I wanna back it up in the cloud. I'm running my application natively in the cloud, so I want a backup in the cloud. I'm running my application in the cloud but I actually wanna backup from the cloud back to my private cloud. So, therein lies a backup and recovery, and operation recovery use case that involves multicloud. That's number one. Number two use case for RecoverX is what we talk about on data mobility. >> So, you have a different definition of multicloud. >> Sorry, what was your-- Our definition of multicloud is fundamentally a customer using multiple clouds, whether it be a private on-prem GCP, AWS, Oracle, any mix and match. >> I buy that. I buy that. Where I was getting critical of was a workload. >> Okay. >> I have a workload and I'm running it on Amazon. It's been architected for Amazon. Then I also wanna run that same workload on Azure and Google. >> Okay. >> Or Oracle or somewhere else. >> Yep. >> I have to re-engineer it (laughs) to move, and I can't share the data. So, to me what multicloud means, I can run it anywhere. My app anywhere. Backup is a little bit different. You're saying the cloud environments can be multiple environments for your solution. >> That is correct. >> So, you're looking at it from the other perspective. >> Correct. The way we define ourselves is application-centric data management. And what that essentially means is we don't care what the underlying infrastructure is. So, if you look at traditional backup and recovery products they're LUN-based. So, I'm going to backup my storage LUN. Or they're VM-based. And a lot of big companies made a lot of money doing that. The problem is there are no LUNs and VMs in hybrid cloud or multicloud environment. 
The only thing that's consistent across application, across cloud-environments is the data and the applications that are running. Where we focus is we're 100% application-centric. So, we integrate at the database level. The database is the foundation of any application you create. We integrate there, which makes us agnostic to the underlying infrastructure. We run, just as examples, we have customers running next generation applications on-prem. We have customers running next generation applications on AWS in GCP. Any permutation of the above, and to your point about back to the multicloud we've got organizations doing backup with us but then we also have organizations using us to take copies of their backup data and put them on whatever clouds they want for things like test and refresh. Or performance testing or business analytics. Whatever you might wanna do. >> So, you're pretty flexible. I like that. So, we talked before on other segments, and certainly even this morning about modern stacks. >> Yeah. >> Modern applications. This is the big to-do item for all CXOs and CIOs. I need a modern infrastructure. I need modern applications. I need modern developers. I need modern everything. Hyper, micro, ultra. >> Whatever buzz word you use. >> But you guys in this announcement have a couple key things I wanna just get more explanation on. One, advanced recovery, backup anywhere, recover anywhere, and you said enterprise-grade security is the third thing. >> Yep. >> So, let's just break them down one at a time. Advanced recovery for Datos 2.5, RecoverX 2.5. >> Yep. >> What is advanced recovery? >> It's very specifically about providing high levels of granularity for recovering your data, on two fronts. So, the use case is, again, backup. I need to recover data. But I don't wanna necessarily recover everything. I wanna get smarter about the data I wanna recover. 
Or it could be for non-operational use cases, which is I wanna spin up a copy of data to run test dev or to do performance testing on. What advanced recovery specifically means is number one, we've introduced the notion of queryable recovery. And what that means is that I can say things like star dot John star. And the results returning from that, because we're application-centric, and we integrated the database, we give you visibility to that. I wanna see everything star dot John star. Or I wanna recover data from a very specific row, in a very specific column. Or I want to mask data that I do not wanna be recovered and I don't want people to see. The implications of that are think about that from a performance standpoint. Now, I only recover the data I need. So, I'm very, very high levels of granularity based upon a query. So, I'm fast from an RTO standpoint. The second part of it is for non-operational requirements I only move the data that is select to that data set. And number three is it helps you with things like GDPR compliance and PII compliance because you can mask data. So, that's query-based recovery. That's number one. The second piece of advanced recovery is what we call incremental recovery. That is granular recovery based upon a time stamp. So, you can get within individual points in time. So, you can get to a very high level of granularity based upon time. So, it's all about visibility. It's your data and getting very granular in a smart way to what you wanna recover. >> So, if I kind of hear what you're saying, what you're saying is essentially you built in the operational effectiveness of being effective operationally. You know, time to backup recovery, all that good RTO stuff. Restoring stuff operationally >> Peter: Very quickly. >> very fast. >> Peter: In a smart way. >> So, there's a speed game there which is table stakes. But your real value here is all these compliance nightmares that are coming down the pike, GDPR and others. 
There's gonna be more. >> Peter: Absolutely. I mean, it could be HIPAA, it could be GDPR, anything that involves-- >> Policy. >> Policies. Anything that requires, we're completely policy-driven. And you can create a policy to mask certain data based upon the criteria you wanna put in. So, it's all about-- >> So you're the best of performance, and you got some tunability. >> And it's all about being data aware. It's all about being data aware. So, that's what advanced recovery is. >> Okay, backup anywhere, recover anywhere. What does that mean? >> So, what that means is the old world of backup and recovery was I had a database running in my data center. And I would say database please take a snapshot of yourself so I can make a copy. The new world of cloud is that these microservices-based modern applications typically run, they're by definition distributed, and in many cases they run distributed across they're geo-distributed. So, what data center aware backup and recovery is, use a perfect example. We have a customer. They're running their eCommerce. So, leading online restaurant reservations company. They're running their eCommerce application on-prem, interestingly enough, but it's based on Cassandra distributed database. Excuse me, MongoDB. Sorry. They're running geo-distributed, sharded MongoDB clusters. Anybody in the traditional backup and recovery their head would explode when you say that. In the modern application world, that's a completely normal use case. They have a data center in the U.S. They have a data center in the U.K. What they want is they wanna be able to do local backup and recovery while maintaining complete global consistency of their data. So again, it's about recovery time ultimately but it's also being data aware and focusing only on the data that you need to backup and recovery. So, it's about performance but then it's also about compliance. It's about governance. That's what data center aware backup is. 
>> And that's a global phenomenon people are having with the GO. >> Absolutely. Yeah, you could be within country. It could be any number of different things that drive that. We can do it because we're data aware-- >> And that creates complexity for the customer. You guys can take that complexity away >> Correct. >> From the whole global, regional where the data can sit. >> Correct. I'd say two things actually. To give the customers credit, the customers building these apps are actually getting a lot smarter about what their data is and where their data is. >> So they expect this feature? >> Oh, absolutely. Absolutely. I wouldn't call it table stakes cause we're the only kids on the block that can do it. But this is in direct response to our customers that are building these new apps. >> I wanna get into some of the environmental and customer drivers in a second. I wanna nail the last segment down. Cause I wanna unpack the whole why is this trend happening? What's the gestation period? What's the main enabler for you? But okay, final point on the significant announcements. My favorite topic enterprise-grade security. What the hell does that mean? First of all, from your standpoint the industry's trying to solve the same thing. Enterprise-grade security, what are you guys providing in this? >> Number one, it's basically security protocol. So, TLS and SSL. This is weed stuff. TLS, SSL, so secure protocol support. It's integration with LDAP. So, if organizations are running, primarily if they're running on-prem and they're running in an LDAP environment, we're support there. And then we've got Kerberos support for Kerberos authentication. So, it's all about just checking the boxes around the different security >> So, this is like in between >> and transport protocol. >> the toes, the details around compliance, identity management. >> Peter: Bingo. >> I mean we just had Centrify's CyberConnect conference, and you're seeing a lot of focus on identity. >> Absolutely. 
And the reason that that's sort of from a market standpoint the reason that these are very important now is because the applications that we're supporting these are not science experiments. These are eCommerce applications. These are core business applications that mainstream enterprises are running, and they need to be protected and they're bringing the true, classic enterprise security, authentication, authorization requirements to the table. >> Are you guys aligning with those features? Or is there anything significant in that section? >> From an enterprise security standpoint? It's primarily about we provide the support, so we integrate with all of those environments and we can check the boxes. Oh, absolutely TLS. Absolutely, we've got that box checked because-- >> So, you're not competing with other cybersecurity? >> No, this is purely we need to do this. This is part of our enterprise-- >> This is where you partner. >> Peter: Well, no. For these things it's literally just us providing the protocol support. So, LDAP's a good example. We support LDAP. So, we show up and if somebody's using my data management-- >> But you look at the other security solutions as a way to integrate with? >> Yeah. >> Not so much-- >> Absolutely, no. This has nothing to do with the competition. It's just supporting ... I mean Google has their own protocol, you know, security protocols, so we support those. So, does Amazon. >> I really don't want to go into the customer benefits. We'll let the folks go to the Datos website, d-a-t-o-s dot i-o is the website, if you wanna check out all their customer references. I don't wanna kind of drill on that. I kind of wanna really end this segment on the real core issue for me is reading the tea leaves. You guys are different. You're now kind of seeing some traction and some growth. You're a new kind of animal in the zoo, if you will. (Peter laughs) You've got a relevant product. Why is it happening now? 
And I'm trying to get to understanding Cloud Oss is enabling a lot of stuff. You guys are an effect of that, a data point of what the cloud is enabled as a venture. Everything that you're doing, the value you create is the function of the cloud. >> Yes. >> And how data is moving. Where's this coming from? Is it just recently? Is it a gestation period of a few years? Where did this come from? You mentioned some comparisons like Oracle. >> So, I'll answer that in sort of, we like to use history as our guide. So, I'll answer that both in macro terms, and then I'll answer it in micro terms. From a macro term standpoint, this is being driven by the proliferation of new data sources. It's the easiest way to look at it. So, if you let history be your guide. There was about a seven to eight year proliferation or gap between proliferation of Oracle as the primary traditional relational database data source and the advent of Veritas who really defined themselves as the de facto standard for traditional on-prem data center relational data management. You look at that same model, you'll look at the proliferation of VMware. In the late 90s, about a seven to eight year gestation with the rapid adoption of Veeam. You know the early days a lot of folks laughed at Veeam, like, "Who's gonna backup VMs? People aren't gonna use VMs in the enterprise." Now, you looked at Veeam, great company. They've done some really tremendous things carving out much more than a niche providing backup and recovery and availability in a VM-based environment. The exact same thing is happening now. If you go back six to seven years from now, you had the early adoption of the MongoDBs, the Cassandras, the Couches. More recently you've got a much faster acceleration around the DynamoDBs and the cloud databases. We're riding that same wave to support that. >> This is a side effect of the enabling of the growth of cloud. >> Yes. 
>> So, similar to what you did in VMware with VMs and database for Oracle you guys are taking it to the next level. >> These new data sources are completely driven by the fact that the cloud is enabling this completely distributed, far more agile, far more dynamic, far less expensive application deployment model, and a new way of providing data management is required. That's what we do. >> Yeah, I mean it's a function of maturity, one. As Jeff Rickard, General Manager of theCube, always says, when the industry moves to its next point of failure, in this case failure is problem and you solve. So, the headaches that come from the awesomeness of the growth. >> Absolutely. And to answer that micro-wise briefly. So, that was the macro. The micro is the proliferation of, the movement from monolithic apps to microservices-based app, it's happening. And the cloud is what's enabling them. The move from traditional on-prem to hybrid cloud is absolutely happening. That's by definition the cloud. The third piece which is cloud-centric is the world's moving from a scale up world to an elastic-compute, elastic storage model. We call that the modern IT stack. Traditional backup and recovery, traditional data management doesn't work in the new modern IT stack. That's the market we're planning. That's the market we're disrupting is all that traditional stuff moving to the modern IT stack. >> Okay, Datos IO announcing a 2.5 release of RecoverX, their flagship product, their start up growing out of Los Gatos. Peter Smails here, the CMO. Where ya gonna be next? What's going on-- I know we're gonna see you re:Invent in a week and a half. >> Absolutely. So, we've got two stops. Well, actually the next stop on the tour is re:Invent. So, absolutely looking forward to being back on theCUBE at re:Invent. >> And the company feels good about those things are good. You've got good money in the bank. You're growing. >> We feel fantastic. It's fascinating to watch as things develop. 
The conversations we have now versus even six months ago. It's sort of the tipping point of people get it. You sort of explain, "Oh, yeah it's data management from modern applications. Are you deploying modern applications?" Absolutely. >> Share one example to end this segment on what you hear over and over again from customers that illuminates what you guys are about as a company, the DNA, the value proposition, and their impact on results and value for customers. >> So, I'll use a case study as an example. You know, we're the world's largest home improvement retailers. Old way, was they ran their multi-billion dollar eCommerce infrastructure. Running on IBM Db2 database. Running in their on-prem data center. They've moved their world. They're now running, they've re-architected their application. It's now completely microservices-based running on Cassandra, deployed 100% in Google cloud platform. And they did that because they wanted to be more agile. They wanted to be more flexible. It's a far more cost effective deployment model. They are all in on the cloud. And they needed a next generation backup and recovery data protection, data management solution which is exactly what we do. So, that's the value. Backup's not a new problem. People need to protect data and they need to be able to take better advantage of the data. >> All right, so here's the final, final question. I'm a customer watching this video. Bottom line maybe, I'm kind of hearing all this stuff. When do I call you? What are the signals? What are the little smoke signals I see in my organization burning? When do I need to call you guys, Datos? >> You should call Datos IO anytime, if you're doing anything with development of modern applications, number one. If you're doing anything with hybrid cloud you should call us. Because you're gonna need to reevaluate your overall data management strategy it's that simple. 
>> All right, Peter Smails, the CMO of Datos, one of the hot companies here in Silicon Valley, out of Los Gatos, California. Of course, we're in Palo Alto at theCube Studios. I'm John Furrier. This is theCUBE conversation. Thanks for watching. (upbeat techno music)

Published Date : Nov 16 2017


Chris Novak, Verizon | CyberConnect 2017


 

>> Announcer: Live from New York City. It's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify, and the Institute for Critical Infrastructure Technology. >> Hey, welcome back everyone. Live here with Cube coverage in New York City, our favorite place to be when we've got all the action going on. CyberConnect 2017 is an inaugural event where industry, government comes together to solve the crisis of our generation. That's cybersecurity. I'm John Furrier, co-host theCube. My partner Dave Vellante here. Our next guest is Chris Novak, VTRAC Global Director, Threat Research Advisory Center at Verizon. Welcome to theCube, great to have you. >> Thanks, pleasure to be here. >> So you do all the homework. You've got the forensic data. You're the one looks at the threats. You're the burning bush of cyber intelligence. What's happening? Tell us what's the threats? >> Everything. So, it's interesting because I always find what I do to be wildly exciting just because it's always changing, right? Everything we see. It's kind of like being a cop. Ultimately you're investigating unknowns all the time, trying to figure out how they happen, why they happen, who they happen to, but more importantly than that, how do you get ahead of it to prevent being the next one, or prevent it happening to others? And that's really the thrust of what we're out to do. >> Talk about the challenges 'cause General Keith Alexander was on stage talking about how he compared it to an airline crashing, where they come in looking for the black box, and it's worse because you don't even know what happened, who was involved. >> Chris: That's right. >> The notion of anonymous, public domain software is causing all kinds of democratization, good and bad, bad being actors that we don't even know attacking us. What is the landscape of how you identify what's going on? 
>> Yeah, and it gets even more challenging than that because I like that analogy, and I'd say I'd almost take it one step further and say the analogy of the airline and looking for the black box. In many cases when we go in to do an investigation, we're just hoping that there was a black box to look at to begin with. In many cases, we get there and there was no information, and we're trying to take all the pieces and put it together of what's left. And ultimately what we see is, it keeps evolving, right? It keeps getting harder, and the threat actors keep getting better. What I always tell folks is, while many of us all have to play by a set of rules, or regulations, or compliance obligations, the threat actors don't have to do any of that. They're free to do whatever works for them, and repeat it over and over again, and, for them, it's a business. >> So Dave and I were talking earlier. I want to get your reaction to this. About the importance of Stuxnet. Ars Technica has a report coming out that certificate authorities were compromised well before Stuxnet. But Stuxnet is the Pearl Harbor, cyber Pearl Harbor, as a point in time. So much has happened since then. So from that kind of Pearl Harbor moment of the wakening of, oh my God, to today, what's the landscape look like? How important was the Stuxnet to that point in time now, and how has it evolved? What's changed? >> Sure, and I think a couple of key things that come out of that. One is, you start to see more and more attribution to government-related attacks. Some are actively sponsored and known. Some are, we're just diggin' through the details and the weeds to try and figure out who's actually behind it and attribution may never actually take place. >> Or it could not be real 'cause they want to blame their enemy so that they get attacked. >> Well, and that's the either beauty or downside of cyber is that you can conduct it in a vacuum, in an anonymous fashion. 
So, in many respects, you can conduct an attack remotely and try to give it all the hallmarks of someone else, making it further difficult to attribute it. >> And the tools are now available too, so like, I hear reports that states are sponsoring, or releasing in the public domain, awesome hacks, like Stuxnet of the future, which some say was released and then got out of control by accident. >> And that's always something you have to be concerned about is the fact that once this stuff gets out there, even if you only intended to use this malware or attack vector once. Once you use it on that victim, there is a potential that that spreads. >> But you guys have been doing this study for the last decade. >> Correct. >> So you've seen the shift from sort of hacktivist to nation-sponsored malware. What has the research shown you over the last decade as that shift has occurred? >> Yeah, it's interesting because you look at it and a lot of what we still see today are financially-motivated and interestingly enough, opportunistic, low-hanging fruit kind of attacks. About 70 to 80% fall in that category, and about 20 to 25, depending on the year, are nation state, but that keeps growing each year. And, I think a lot of it is. >> John: What the nation state piece? >> The nation state piece. But it's still the smaller piece of the pie or the graph, whatever you're looking at, because, at the end of the day >> It's cash. >> It's cash. >> They want the cash. >> And so much of what we find when you look back at the old days of breaches where the majority of them were, they weren't even really breaches of theft of data, it was someone. >> Confetti, graffiti. >> I should have actually asked that question differently because it's really went from hacktivist to criminals. >> Chris: Correct. >> To nation states and you're saying the dominant now is criminal activity. >> That's correct. Yeah, we find the large piece of it about more than half is organized crime. 
It comes down to, look, you can steal money in a variety of different ways. This is a way to do it safely from thousand miles away >> And no one knows who you are. >> on the other end of a keyboard. >> So it's annoyance. >> And by the way, no consequence. Who's going to? >> Virtually, yeah. >> What court do you go to? >> So its annoyance is the hacktivist. Okay, we can kind of live with that. It's cash and it's threats to critical infrastructure. >> And we see kind of a graduation there where you see the activists realize, I can this and make a point, but a point doesn't necessarily make me money, or I can do this for an organized crime group and make millions of dollars. Hmmmm. >> And, by the way, to your point which we were just teasing out, Dave. There is zero downside, because if you get caught, what happens? >> Yeah. >> If you get caught. >> If you get caught, yeah. And then what happens if you get caught? >> There's no jurisdiction. >> You don't make money. >> No, no, there's no courts. >> It's very hard to prosecute. >> There's actually no process for that. >> So, we heard this morning that WannaCry and other examples of malware really weren't about malware. I mean, sorry, they really weren't about ransomware, they were about sending a message, or politics. So, you're obviously seeing more of that in your research. >> Chris: Exactly right. >> Fake news, and I wonder if you could comment. >> Absolutely, yeah. So, in fact, it was interesting because some of those had continued to come out. Everyone kept thinking that it was all ransomware, and then as we studied it further we found some of these, they never had the intention of collecting a ransom, or giving the data back. It was all about making a political point, and you now have this kind of injection of politics into something that was really, traditionally, just organized crime, smash and grab, make cash. 
Now politics is feeding into that, going, wait, we can affect and influence and all sorts of things in ways people have never imagined and people don't even know it's going on. >> So you must be seeing a dramatic improvement in the quality, hate to say this, but the quality of malware, over the last decade. Less bugs, less errors, >> More sophisticated. >> More insidious, sophisticated. >> That's exactly right >> Vectors. >> We do see that continuing to improve and for them, like I always tell folks, they operate it like a business. You'll have some of these groups where they'll have different divisions or departments. People will have clearly-defined roles and responsibilities of what they're supposed to be doing in generating that malware, troubleshooting it, and they'll even reward people for how well it works. >> Chris, I'd like to get your personal opinion. If you could put your Verizon hat on too, I will take any opinions that you have. How do we solve this? 'Cause this event here. We like this inaugural event because it's the first industry event that talks about the big picture, the holistic view, the 20-mile stare, if you want to say it that way. Not the Black Hat, which has its own conference, and there should be more of that. This is industry coming together. Governments now intersecting here. What's your opinion on how this gets solved. We heard community, shared data, that's been going around. What do you think? >> So, that's probably the hardest question I get asked, and, honestly, I think it's because there's not really a simple answer to it, right? It's like saying, how do we stop crime? We don't. It's not going to be possible. It's a matter of, how do we put up better defenses? And also, important, how do we put up better detection, so that we can see things and, potentially, stop them sooner before they blow up into these big, multi-hundred-million record, or billion record breaches? So, one of the biggest things that I advocate is awareness. 
We also have to do things like pro-active threat hunting, right? If you're not out there. It's kind of like having security guards, right? You go through any office and you've got security guards walking the halls, sitting in the lobby, looking for things that are unusual. If we're not out there in the cyber realm looking for unusual things, you can't expect that you're going to see them until they've reached a certain blow-up point. >> Or are they cloaked? Completely cloaked. You can't see 'em. >> That's also true. >> Security guards are looking for someone they can't see. >> That's true. >> Chris, thanks so much for coming here and sharing the opinion. Follow the research. And your report's public, or? >> Yes, the reports are all available on the VerizonEnterprise.com website. >> Okay, VerizonEnterprise.com. Check it out. These reports are a treasure trove of information. Always getting it out. Thanks for your perspective. Lookin' for more trends. Chris Novak here inside theCube here in New York City's live coverage of CyberConnect 2017. I'm John with Dave Vellante. We're back with more coverage after this short break. (techno music)

Published Date : Nov 7 2017


James Scott, ICIT | CyberConnect 2017


 

>> Narrator: New York City, it's the Cube covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Welcome back, everyone. This is the Cube's live coverage in New York City's Grand Hyatt Ballroom for CyberConnect 2017 presented by Centrify. I'm John Furrier, the co-host of the Cube with my co-host this week is Dave Vellante, my partner and co-founder and co-CEO with me in SiliconAngle Media in the Cube. Our next guest is James Scott who is the co-founder and senior fellow at ICIT. Welcome to the Cube. >> Thanks for having me. >> You guys are putting on this event, really putting the content together. Centrify, just so everyone knows, is underwriting the event but this is not a Centrify event. You guys are the key content partner, developing the content agenda. It's been phenomenal. It's an inaugural event so it's the first of its kind bringing in industry, government, and practitioners all together, kind of up leveling from the normal and good events like Black Hat and other events like RSA which go into deep dives. Here it's a little bit different. Explain. >> Yeah, it is. We're growing. We're a newer think tank. We're less than five years old. The objective is to stay smaller. We have organizations, like Centrify, that came out of nowhere in D.C. so we deal, most of what we've done up until now has been purely federal and on the Hill so what I do, I work in the intelligence community. I specialize in social engineering and then I advise in the Senate for the most part, some in the House. We're able to take these organizations into the Pentagon or wherever and when we get a good read on them and when senators are like, "hey, can you bring them back in to brief us?" That's when we know we have a winner so we started really creating a relationship with Tom Kemp, who's the CEO and founder over there, and Greg Cranley, who heads the federal division. 
They're aggressively trying to be different as opposed to trying to be like everyone else, which makes it easy. If someone wants to do something, they have to be a fellow for us to do it, but if they want to do it, just like if they want to commission a paper, we just basically say, "okay, you can pay for it but we run it." Centrify has just been excellent. >> They get the community model. They get the relationship that you have with your constituents in the community. Trust matters, so you guys are happy to do this but more importantly, the content. You're held to a standard in your community. This is new, not to go in a different direction for a second but this is what the community marketing model is. Stay true to your audience and trust. You're relied upon so that's some balance that you guys have to do. >> The thing is we deal with Cylance and others. Cylance, for example, was the first to introduce machine learning artificial intelligence to get past that mutating hash for endpoint security. They fit in really well in the intelligence community. The great thing about working with Centrify is they let us take the lead and they're very flexible and we just make sure they come out on top each time. The content, it's very content driven. In D.C., we have at our cocktail receptions, they're CIA, NSA, DARPA, NASA. >> You guys are the poster child of be big, think small. >> Exactly. Intimate. >> You say Centrify is doing things differently. They're not falling in line like a lemming. What do you mean by that? What is everybody doing that these guys are doing differently? >> I think in the federal space, I think commercial too, but you have to be willing to take a big risk to be different so you have to be willing to pay a premium. If people work with us, they know they're going to pay a premium but we make sure they come out on top. What they do is, they'll tell us, Centrify will be like, "look, we're going to put x amount of dollars into a lunch. 
"Here are the types of pedigree individuals "that we need there." Maybe they're not executives. Maybe they're the actual practitioners at DHS or whatever. The one thing that they do different is they're aggressively trying to deviate from the prototype. That's what I mean. >> Like a vendor trying to sell stuff. >> Yeah and the thing is, that's why when someone goes to a Centrify event, I don't work for Centrify (mumbles). That's how they're able to attract. If you see, we have General Alexander. We've got major players here because of the content, because it's been different and then the other players want to be on the stage with other players, you know what I mean. It almost becomes a competition for "hey, I was asked to come to an ICIT thing" you know, that sort of thing. That's what I mean. >> It's reputation. You guys have a reputation and you stay true to that. That's what I was saying. To me, I think this is the future of how things get done. When you have a community model, you're held to a standard with your community. If you cross the line on that standard, you head fake your community, that's the algorithm that brings you a balance so you bring good stuff to the table and you vet everyone else on the other side so it's just more of a collaboration, if you will. >> The themes here, what you'll see is within critical infrastructure, we try to gear this a little more towards the financial sector. We brought, from Aetna, he set up the FS ISAC. Now he's with the health sector ISAC. For this particular geography in New York, we're trying to have it focus more around health sector and financial critical infrastructure. You'll see that. >> Alright, James, I've got to ask you. You're a senior fellow. 
You're on the front lines with a great Rolodex, great relationships in D.C., and you're advising and leaned upon by people making policy, looking at the world and the general layout in which, the reality is shit's happening differently now so the world's got to change. Take us through a day in the life of some of the things you guys are seeing and what's the outlook? I mean, it's like a perfect storm of chaos, yet opportunity. >> It really depends. Each federal agency, we look at it from a Hill perspective, it comes down to really educating them. When I'm in advising in the House, I know I'm going to be working with a different policy pedigree than a Senate committee policy expert, you know what I mean. You have to gauge the conversation depending on how new the office is, House, Senate, are they minority side, and then what we try to do is bring the issues that the private sector is having while simultaneously hitting the issues that the federal agency space is. Usually, we'll have a needs list from the CSWEP at the different federal agencies for a particular topic like the Chinese APTs or the Russian APT. What we'll do is, we'll break down what the issue is. With Russia, for example, it's a combination of two types of exploits that are happening. You have the technical exploit, the malicious payload and vulnerability in a critical infrastructure network and then profiling those actors. We also have another problem, the influence operations, which is why we started the Center for Cyber Influence Operations Studies. We've been asked repeatedly since the elections last year by the intelligence community to tell us, explain this new propaganda. The interesting thing is the synergies between the two sides are exploiting and weaponizing the same vectors. While on the technical side, you're exploiting a vulnerability in a network with a technical exploit, with a payload, a compiled payload with a bunch of tools. 
On the influence operations side, they're weaponizing the same social media platforms that you would use to distribute a payload here but only the... >> Contest payload. Either way you have critical infrastructure. The payload being content, fake content or whatever content, has an underpinning that gamification call it virality, network effect and user psychology around they don't really open up the Facebook post, they just read the headline and picture. There's a dissonance campaign, or whatever they're running, that might not be critical to national security at that time but it's also a post. >> It shifts the conversation in a way where they can use, for example, right now all the rage with nation states is to use metadata, put it into big data analytics, come up with a psychographic algorithm, and go after critical infrastructure executives with elevated privileges. You can do anything with those guys. You can spear-phish them. The Russian modus operandi is to call and act like a recruiter, have that first touch of contact be the phone call, which they're not expecting. "Hey, I got this job. "Keep it on the down low. Don't tell anybody. "I'm going to send you the job description. "Here's the PDF." Take it from there. >> How should we think about the different nation state actors? You mentioned Russia, China, there's Iran, North Korea. Lay it out for us. >> Each geography has a different vibe to their hacking. With Russia you have this stealth and sophistication and their hacking is just like their espionage. It's like playing chess. They're really good at making pawns feel like they're kings on the chessboard so they're really good at recruiting insider threats. Bill Evanina is the head of counterintel. He's a bulldog. I know him personally. He's exactly what we need in that position. The Chinese hacking style is more smash and grab, very unsophisticated. They'll use a payload over and over again so forensically, it's easy to... >> Dave: Signatures. 
>> Yeah, it is. >> More shearing on the tooling or whatever. >> They'll use code to the point of redundancy so it's like alright, the only reason they got in... Chinese get into a network, not because of sophistication, but because the network is not protected. Then you have the mercenary element which is where China really thrives. Chinese PLA will hack for the nation state during the day, but they'll moonlight at night to North Korea so North Korea, they have people who may consider themselves hackers but they're not code writers. They outsource. >> They're brokers, like general contractors. >> They're not sophisticated enough to carry out a real nation state attack. What they'll do is outsource to Chinese PLA members. Chinese PLA members will be like, "okay well, here's what I need for this job." Typically, what the Chinese will do, their loyalties are different than in the west, during the day they'll discover a vulnerability or an 0-day. They won't tell their boss right away. They'll capitalize off of it for a week. You do that, you go to jail over here. Russia, they'll kill you. China, somehow this is an accepted thing. They don't like it but it just happens. Then you have the eastern European nations and Russia still uses mercenary elements out of Moscow and St. Petersburg so what they'll do is they will freelance, as well. That's when you get the sophisticated, Carbanak-style hack where they'll go into the financial sector. They'll monitor the situation. Learn the ins and outs of everything having to do with that particular SWIFT or bank or whatever. They go in and those are the guys that are making millions of dollars on a breach. Hacking in general is a grind. It's a lot of vulnerabilities work, but few work for long. Everybody is always thinking there's this omega code that they have. >> It's just brute force. You just pound it all day long. >> That's it and it's a grind. You might have something that you worked on for six months. 
You're ready to monetize. >> What about South America? What's the vibe down there? Anything happening in there? >> Not really. There is nothing of substance that really affects us here. Again, if an organization is completely unprotected. >> John: Russia? China? >> Russia and China. >> What about our allies? >> GCHQ. >> Israel? What's the collaboration, coordination, snooping? What's the dynamic like there? >> We deal, mostly, with NATO and Five Eyes. I actually had dinner with NATO last night. Five Eyes is important because we share signals intelligence and most of the communications will go through Five Eyes which is California, United States, Australia, New Zealand, and the UK. Those are our five most important allies and then NATO after that, as far as I'm concerned, for cyber. You have the whole weaponization of space going on with SATCOM interception. We're dealing with that with NASA, DARPA. Not a lot is happening down in South America. The next big thing that we have to look at is the cyber caliphate. You have the Muslim brotherhood that funds it. Their influence operations domestically are extremely strong. They have a lot of contacts on the Hill which is a problem. You have ANTIFA. So there's two sides to this. You have the technical exploit but then the information warfare exploit. >> What about the bitcoin underbelly that started with the silk roads and you've seen a lot of bitcoin. Money laundering is a big deal, know your customer. Now regulation is part of big ICOs going on. Are you seeing any activity from those? Are they pulling from previous mercenary groups or are they arbitraging just more free? >> For updating bitcoin? >> The whole bitcoin networks. There's been an effort to commercialize (mumbles) so there's been a legitimate track to bring that on but yet there's still a lot of actors. 
>> I think bitcoin is important to keep and if you look at the more black ops type hacking or payment stuff, bitcoin is an important element just as Tor is an important element, just as encryption is an important element. >> John: It's fundamental, actually. >> It's a necessity so when I hear people on the Hill, I have my researcher, I'm like, "any time you hear somebody trying to have "weakened encryption, back door encryption" the first thing, we add them to the briefing schedule and I'm like, "look, here's what you're proposing. "You're proposing that you outlaw math. "So what? Two plus two doesn't equal four. "What is it? Three and a half? "Where's the logic?" When you break it down for them like that, on the Hill in particular, they begin to get it. They're like, "well how do we get the intelligence community "or the FBI, for example, to get into this iPhone?" Civil liberties, you've got to take that into consideration. >> I got to ask you a question. I interviewed a guy, I won't say his name. He actually commented off the record, but he said to me, "you won't believe how dumb some of these state actors are "when it comes to cyber. "There's some super smart ones. "Specifically Iran and the Middle East, "they're really not that bright." He used an example, I don't know if it's true or not, that Stuxnet, I forget which one it was, there was a test and it got out of control and they couldn't pull it back and it revealed their hand but it could've been something worse. His point was they actually screwed up their entire operation because they're doing some QA on their thing. >> I can't talk about Stuxnet but it's easy to get... >> In terms of how you test them, how do you QA your work? >> James: How do you review malware? (mumbles) >> You can't comment on the accuracy of Zero Days, the documentary? >> Next question. Here's what you find. 
Some of these nation state actors, they saw what happened with our elections so they're like, "we have a really crappy offensive cyber program "but maybe we can thrive in influence operations "in propaganda and whatever." We're getting hit by everybody and 2020 is going to be, I don't even want to imagine. >> John: You think it's going to be out of control? >> It's going to be. >> I've got to ask this question, this came up. You're bringing up a really good point I think a lot of people aren't talking about but we've brought up a few times. I want to keep on getting it out there. In the old days, state on state actors used to do things, espionage, and everyone knew who they were and it was very important not to bring their queen out, if you will, too early, or reveal their moves. Now with Wikileaks and public domain, a lot of these tools are being democratized so that they can covertly put stuff out in the open for enemies of our country to just attack us at will. Is that happening? I hear about it, meaning that I might be Russia or I might be someone else. I don't want to reveal my hand but hey, you ISIS guys out there, all you guys in the Middle East might want to use this great hack and put it out in the open. >> I think yeah. The new world order, I guess. The order of things, the power positions are completely flipped, B side, counter, whatever. It's completely not what the establishment was thinking it would be. What's happening is Facebook is no more relevant, I mean Facebook is more relevant than the UN. Wikileaks has more information pulsating out of it than a CIA analyst, whatever. >> John: There's a democratization of the information? >> The thing is we're no longer a world that's divided by geographic lines in the sand that were drawn by these two guys that fought and lost a war 50 years ago. 
We're now in a tribal chieftain digital society and we're separated by ideological variation and so you have tribe members here in the US who have fellow tribe members in Israel, Russia, whatever. Look at Anonymous. Anonymous, I think everyone understands that's the biggest law enforcement honeypot there is, but you look at the ideological variation and it's hashtags and it's keywords and it's forums. That's the Senate. That's Congress. >> John: This is a new reality. >> This is reality. >> How do you explain that to senators? I was watching that on TV where they're trying to grasp what Facebook is and Twitter. (mumbles) Certainly Facebook knew what was going on. They're trying to play policy and they're new. They're newbies when it comes to policy. They don't have any experience on the Hill, now it's ramping up and they've had some help but tech has never been an actor on the stage of policy formulation. >> We have a real problem. We're looking at outside threats as our national security threats, which is incorrect. You have dragnet surveillance capitalists. Here's the biggest threats we have. The weaponization of Facebook, Twitter, YouTube, Google, and search engines like Comcast. They all have a censorship algorithm, which is how they monetize your traffic. It's censorship. You're signing your rights away and your free will when you use Google. You're not getting the right answer, you're getting the answer that coincides with an algorithm that they're meant to monetize and capitalize on. It's complete censorship. What's happening is, we had something that just passed SJ res 34 which no resistance whatsoever, blew my mind. What that allows is for a new actor, the ISPs to curate metadata on their users and charge them their monthly fee as well. It's completely corrupt. These dragnet surveillance capitalists have become dragnet surveillance censorists. Is that a word? Censorists? I'll make it one. Now they've become dragnet surveillance propagandists. 
That's why 2020 is up for grabs. >> (mumbles) We come from the same school here on this one, but here's the question. The younger generation, I asked a gentleman in the hallway on his way out, I said, "where's the cyber West Point? "We're the Navy SEALS in this new digital culture." He said, "oh yeah, some things." We're talking about the younger generation, the kids playing Call of Duty Destiny. These are the guys out there, young kids coming up that will probably end up having multiple disciplinary skills. Where are they going to come from? So the question is, are we going to have a counterculture? We're almost feeling like what the 60s were to the 50s. Vietnam. I kind of feel like maybe the security stuff doesn't get taken care of, a revolt is coming. You talk about dragnet censorship. You're talking about the lack of control and privacy. I don't mind giving Facebook my data to connect with my friends and see my Thanksgiving photos or whatever but now I don't want fake news jammed down my throat. Anti-Trump and Anti-Hillary spew. I didn't buy into that. I don't want that anymore. >> I think millennials, I have a 19 year old son, my researchers, they're right out of grad school. >> John: What's the profile like? >> They have no trust whatsoever in the government and they laugh at legislation. They don't care any more about having their face on their Facebook page and all their most intimate details of last night's date and tomorrow's date with two different, whatever. They just don't... They loathe the traditional way of things. You got to talk to General Alexander today. We have a really good relationship with him, Hayden, Mike Rogers. There is a counterculture in the works but it's not going to happen overnight because we have a tech deficit here where we need foreign tech people just to make up for the deficit. 
>> Bill Mann and I were talking, I heard the general basically, this is my interpretation, "if we don't get our shit together, "this is going to be an f'd up situation." That's what I heard him basically say. You guys don't come together so what Bill talked about was two scenarios. If industry and government don't share and come together, they're going to have stuff mandated on them by the government. Do you agree? >> I do. >> What's going to happen? >> The argument for regulation on the Hill is they don't want to stifle innovation, which makes sense but then ISPs don't innovate at all. They're using 1980s technology, so why did you pass SJ res 34? >> John: For access? >> I don't know because nation states just look at that as, "oh wow another treasure trove of metadata "that we can weaponize. "Let's start psychographically charging alt-left "and alt-right, you know what I mean?" >> Hacks are inevitable. That seems to be the trend. >> You talked before, James, about threats. You mentioned weaponization of social. >> James: Social media. >> You mentioned another in terms of ISPs I think. >> James: Dragnet. >> What are the big threats? Weaponization of social. ISP metadata, obviously. >> Metadata, it really depends and that's the thing. That's what makes the advisory so difficult because you have to go between influence operations and the exploit because the vectors are used for different things in different variations. >> John: Integrated model. >> It really is and so with a question like that I'm like okay so my biggest concern is the propaganda, political warfare, the information warfare. >> People are underestimating the value of how big that is, aren't they? They're oversimplifying the impact of info campaigns. >> Yeah because your reality is based off of... It's like this, influence operations. Traditional media, everybody is all about the narrative and controlling the narrative. 
What Russia understands is to control the narrative, the most embryo state of the narrative is the meme. Control the meme, control the idea. If you control the idea, you control the belief system. Control the belief system, you control the narrative. Control the narrative, you control the population. No guns were fired, see what I'm saying? >> I was explaining to a friend on Facebook, I was getting into a rant on this. I used a very simple example. In the advertising world, they run millions of dollars of ad campaigns on car companies for post car purchase cognitive dissonance campaigns. Just to make you feel good about your purchase. In a way, that's what's going on and explains what's going on on Facebook. This constant reinforcement of these beliefs whether it's for Trump or Hillary, all this stuff was happening. I saw it firsthand. That's just one small nuance but it's across a spectrum of memes. >> You have all these people, you have nation states, you have mercenaries, but the most potent force in this space, the most hyperevolving in influence operations, is the special interest group. The well-funded special interests. That's going to be a problem. 2020, I keep hitting that because I was doing an interview earlier. 2020 is going to be a tug of war for the psychological core of the population and it's free game. Dragnet surveillance capitalists will absolutely be dragnet surveillance propagandists. They will have the candidates that they're going to push. Now that can also work against them because mainstream media, Twitter, Facebook were completely against Trump, for example, and that worked in his advantage. >> We've seen this before. I'm a little bit older, but we are the same generation. Remember when they were going to open up sealex? Remember the last mile for connectivity? That battle was won before it was even fought. What you're saying, if I get this right, the war and tug of war going on now is a big game. 
If it's not played in one now, this jerry rigging, gerrymandering of stuff could happen so when people wake up and realize what's happened the game has already been won. >> Yeah, your universe as you know it, your belief systems, what you hold to be true and self evident. Again, the embryo. If you look back to the embryo introduction of that concept, whatever concept it is, to your mind it came from somewhere else. There are very few things that you believe that you came up with yourself. The digital space expedites that process and that's dangerous because now it's being weaponized. >> Back to the, who fixes this. Who's the watchdog on this? These ideas you're talking about, some of them, you're like, "man that guy has lost it, he's crazy." Actually, I don't think you're crazy at all. I think it's right on. Is there a media outlet watching it? Who's reporting on it? What even can grasp what you're saying? What's going on in D.C.? Can you share that perspective? >> Yeah, the people that get this are the intelligence community, okay? The problem is the way we advise is I will go in with one of the silos in the NSA and explain what's happening and how to do it. They'll turn around their computer and say, "show me how to do it. "How do you do a multi vector campaign "with this meme and make it viral in 30 minutes." You have to be able to show them how to do it. >> John: We can do that. Actually we can't. >> That sort of thing, you have to be able to show them because there's not enough practitioners, we call them operators. When you're going in here, you're teaching them. >> The thing is if they have the metadata to your treasure trove, this is how they do it. I'll explain here. If they have the metadata, they know where the touch points are. It's a network effect mole, just distributive mole. They can put content in certain subnetworks that they know have a reaction to the metadata so they have the knowledge going in. It's not like they're scanning the whole world. 
They're monitoring pockets like a drone, right? Once they get over the territory, then they do the acquired deeper targets and then go viral. That's basically how fake news works. >> See the problem is, you look at something like alt-right and ANTIFA. ANTIFA, just like Black Lives Matter, the initiatives may have started out with righteous intentions just like take a knee. These initiatives, first stage is if it causes chaos, chaos is the op for a nation state in the US. That's the op. Chaos. That's the beginning and the end of an op. What happens is they will say, "oh okay look, this is ticking off all these other people "so let's fan the flame of this take a knee thing "hurt the NFL." Who cares? I don't watch football anyway but you know, take a knee. It's causing all this chaos. >> John: It's called trolling. >> What will happen is Russia and China, China has got their 13th Five-Year Plan, Russia has their foreign influence operations. They will fan that flame to exhaustion. Now what happens to the ANTIFA guy when he's a self-radicalized wound collector with a mental disorder? Maybe he's bipolar. Now with ANTIFA, he's experienced a heightened more extreme variation of that particular ideology so who steps in next? Cyber caliphate and Muslim Brotherhood. That's why we're going to have an epidemic. I can't believe, you know, ANTIFA is a domestic terrorist organization. It's shocking that the FBI is not taking this more serious. What's happening now is Muslim Brotherhood funds basically the cyber caliphate. The whole point of cyber caliphate is to create awareness, instill the illusion of rampant xenophobia for recruiting. They have self-radicalized wound collectors with ANTIFA that are already extremists anyway. They're just looking for a reason to take that up a notch. That's when, cyber caliphate, they hook up with them with a hashtag. They respond and they create a relationship. >> John: They get the fly wheel going. 
>> They take them to a deep web forum, dark web forum, and start showing them how it works. You can do this. You can be part of something. This guy who was never even Muslim now is going under the ISIS moniker and he acts. He drives people over in New York. >> They fossilized their belief system. >> The whole point to the cyber caliphate is to find actors that are already in the self-radicalization phase but what does it take psychologically and from a mentoring perspective, to get them to act? That's the cyber caliphate. >> This is the value of data and context in real time using the current events to use that data, refuel their operation. It's data driven terrorism. >> What's the prescription that you're advising? >> I'm not a regulations kind of guy, but any time you're curating metadata like we're just talking about right now. Any time you have organizations like Google, like Facebook, that have become so big, they are like their own nation state. That's a dangerous thing. The metadata curation. >> John: The value of the data is very big. That's the point. >> It is because what's happening... >> John: There's always a vulnerability. >> There's always a vulnerability and it will be exploited and all that metadata, it's unscrubbed. I'm not worried about them selling metadata that's scrubbed. I'm worried about the nation state or the sophisticated actor that already has a remote access Trojan on the network and is exfiltrating in real time. That's the guy that I'm worried about because he can just say, "forget it, I'm going to target people that are at this phase." He knows how to write algorithms, comes up with a good psychographic algorithm, puts the data in there, and now he's like, "look I'm only going to promote this concept, "to people at this particular stage of self-radicalization "or sympathetic to the Kremlin." 
We have a big problem on the college campuses with IP theft because of the Chinese Students Scholar Associations which are directly run by the Chinese communist party. >> I heard a rumor that Equifax's franchising strategy had partners on the VPN that were state sponsored. They weren't even hacking, they had full access. >> There's a reason that the Chinese are buying hotels. They bought the Waldorf Astoria. We do stuff with the UN and NATO, you can't even stay there anymore. I think it's still under construction but it's a no-no to stay there anymore. I mean western nations and allies because they'll have bugs in the rooms. The WiFi that you use... >> Has fake certificates. >> Or there's a vulnerability that's left in that network so the information for executives who have IP or PII or electronic health records, you know what I mean? You go to these places to stay overnight, as an executive, and you're compromised. >> Look what happened with Eugene Kaspersky. I don't know the real story. I don't know if you can comment, but someone sees that and says, "this guy used to have high level meetings "at the Pentagon weekly, monthly." Now he's persona non grata. >> He fell out of favor, I guess, right? It happens. >> James, great conversation. Thanks for coming on the Cube. Congratulations on the great work you guys are doing here at the event. I know the content has been well received. Certainly the keynotes we saw were awesome. CSOs, view from the government, from industry, congratulations. James Scott who is the co-founder and senior fellow of ICIT, Internet Critical Infrastructure Technology. >> James: Institute of Critical Infrastructure Technology. >> T is for tech. >> And the Center for Cyber Influence Operations Studies. >> Good stuff. A lot of stuff going on (mumbles), exploits, infrastructure, it's all mainstream. It's the crisis of our generation. 
There's a radical shift happening and the answers are all going to come from industry and government coming together. This is the Cube bringing the data, I'm John Furrier with Dave Vellante. Thanks for watching. More live coverage after this short break. (music)

Published Date : Nov 7 2017



Parham Eftekhari | CyberConnect 2017


 

(upbeat music) >> Announcer: New York City. It's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify, and the Institute For Critical Infrastructure Technology. >> Hey, welcome back everyone. This is theCUBE, live in New York City, in Manhattan. We're here at the Grand Hyatt Ballroom for CyberConnect 2017. Inaugural event presented by Centrify. I'm John Furrier, with my co-host Dave Vellante, both Co-Founders of SiliconANGLE Media. Our next guest is Parham Eftekhari, who's the Co-Founder and Senior Fellow of ICIT. Also part of the team and the lead around putting the content agenda together. These are the guys who put it all together. Really inaugural conference, great success. Turns out, you know we (laughs), we talked about it was going to be big, it was going to be huge. By the numbers, it's just a great beachhead, the right people showed up. Welcome to theCUBE, thanks for joining us. >> Yeah, thank you for having me, excited to be here, good to chat with you again. >> So, we, before the event started, just, you know, a couple months ago when we were talking about the event, we're like, this is, love the name, first event of its kind. Always wondering, you know, will people show up? Right, you know? >> That's right, first-time events, we've talked about this before, there are so many cyber security events out there, and so many organizations competing for a limited time and resources. So, I think to have a, an event like this be such a big success in the first time speaks to the quality of the content, and, you know, Centrify's role and ICIT's role in putting it together. >> I want to give you guys congratulations, to you and your partner, for running a really amazing company and event. You guys go big by thinking small, by being small, being relevant. Your model and how you do business earns trust, it's very community-driven. Same ethos as what we believe in. So, wanted to give you props for that. >> Parham: Thank you. 
>> It's not usual you see great execution thinking about your audience and constituents, so congratulations. >> Thank you. >> Okay, so, with that, you've got a lot of heavy hitters in your Rolodex, you guys got a great community, big names. General's up there, you have big time CISOs. >> Parham: Yeah. >> What's the vibe? I mean, you guys are dealing with this profile persona all the time. What's on the minds? I mean, obviously the General's banging his fist on the table, virtual table, or he's holding his coffee cup, telling war stories, he's basically saying, if we don't get our act together, industry and government... >> Yeah, well, I think what's happening today, and you know the business of the Institute, we're a research-driven organization, so as an organization that provides objective research, we have the fortunate position to be able to advise to some of these commercial and public sector leaders. And so, in that advisory, we have a really good sense on the pulse of the community. And we're able to hear directly from these individuals, we don't have to look at market research studies, we don't have to look at what some of these third-party groups are talking about. We're able to communicate directly, and we can actually see and feel their feedback to what we're discussing. >> There's no lag to your model, you have your fingers on the pulse. What is it telling you? Obviously, we heard the message here, there's some work to be done, there's some technical core fundamental infrastructure things, there's application-specific things, obviously the threats aren't stopping. >> Parham: That's right. >> What are the, what's-- >> If you look at the program that was built, it really does mirror the way that the Institute believes we need to approach solving these issues. And that comes with a layered security strategy. 
And so, oftentimes you'll go to these events, and we understand that there's organizations that are looking to make this into more of a marketing opportunity for them. So, unfortunately, the curriculum and content only touches one or two core competencies, which obviously really underscore what the sponsors do. What we've done here at CyberConnect, which is why Centrify's such a great partner, they understand that they may be one of the world's leading identity access management organizations, but they know for us to have a cyber security renaissance and actually make that quantum leap that the General and some of the executives that you were mentioning were discussing all day, we need to have a number of different technologies discussed, and have that education talk about things like the use of machine-learning based artificial intelligence. Talk about how technology can enable automation. Talk about identity access management. Talk about, like we just heard Terry Gravenstein, talk about the importance of building a culture of trust, right? Security has a human element to it, people's one of the biggest problems we have. So, I think this is one of the reasons why this event, to your point earlier, is such a big success only the first year out. >> Parham, we heard a lot today about sort of the partnership, really the imperative, of government and commercial enterprises working together. You do a lot of work in the government. And there seems to be, anyway our impression is, there's a heightened sense of security, for obvious reasons. And, board levels in the commercial side have really tuned in to security. But still, organizations seem to be struggling with what's the right regime. You know, it used to be just an IT problem, or a security team problem, and as you really pointed out many, many times at this event, it's everybody's problem. >> Parham: Yeah. 
>> So, what are you seeing in terms of, things that commercial enterprises can learn from government, particularly from the top, in the top down initiative. >> Yeah, I think one of the themes you've heard discussed several times today is, and Terry again just talked about us having a seat at the table, I think there's so much media discussion about cyber security. You know, all of our families, our moms, our grandparents, are understanding that cyber security is a major issue. We're even starting to get some more general consensus that cyber security is a national security imperative. And, so I think this is helpful. I think now we have to start to, as cyber security practitioners, we have to speak in the language that resonates with, so, if you're talking to a chief operating officer, and trying to educate them on the impact of IT/OT convergence, then you have to speak in the terms that a COO is interested in, versus a CFO, versus your CIO, versus your Board of Directors. So I think language matters, vocabulary matters. And I think it's one of the things that we see, we see starting to percolate up in some of the conversations that we're having. >> Given that humans are the main problem, I mean we all have this assumption, we talk about it in theCUBE all the time, but oh my gosh, internet of things is going to create this huge space of people to attack, a huge attack vector. But if the humans aren't managing the devices, is there potentially an upside there, if that makes sense? >> Yeah, so, you know, I think it all goes back to, tomorrow morning, we'll hear from Dr. Ron Ross and David from Centrify. And they're going to be talking about security by design. In this, Dr. Ross actually put out a paper, 800-160, which really talks about the importance of building better systems, devices, products. 
So, I think that we are moving towards automation, we're moving towards machine learning, we already see it impacting a lot of our society, and even down to the, to your point, the IoT devices. We just put out a paper about cyborgs and the use of embedded devices in an actual, in humans, trans-humanism. This is all a, this, this ship has, the train has left the station, I guess you could say. I think what's important now is to not make the same mistakes we did the first go around, and pause and not put profits over security and privacy, and actually understand that, if we can't build it with security, certain security requirements there, then we can't get that functionality, or it may not cost the price point that we want it to cost, which may, you know, have it be more affordable for consumers. So I think we have to re-prioritize. >> US companies generally have not taken that pause and put security over profits. It's really been the reverse. And many would say, okay, but it's actually worked out pretty well for US companies, they dominate the technology industry. What do you say to those folks that say, well, profits are actually more important? >> Well, I think, I think it depends, when you say it worked out well, I think if you look at all those individuals that have been impacted by the breaches, I think that's where people are really starting to understand how it's impacting us, and going back to my comment about the national security side, this is no longer just about being able to steal your PII, and maybe doing some fraud in terms of identity theft and what not. When we're talking about meta-data and capitalistic dragnet surveillance, and now if you're looking at who is stealing and curating this information, it could be special interest groups, could be nation states, so now this becomes a much larger issue and a much larger challenge. >> So it's a ticking timebomb, is essentially what you're saying. 
And so that begs the next question: does really government have to get involved, to begin to impose its will, if you will, on commercial organizations? >> Yeah, I think what's going to happen, and actually we were talking about this at lunch with General Alexander earlier today, it's going to be a balance. You know, the government will be getting involved, they are getting involved, there's a lot of legislation being passed that truly is trying to make a bi-partisan push to address some of these issues. But I think, ultimately, that's going to be, as the General kind of said earlier, it's just going to be the government beating these, these folks virtually on the head until they start to do some self-governance and self-regulation. >> Parham, talk about your relationship with the General, vis-a-vis, this event. I see he had a great keynote, inspiring us, he moved a lot of people, talked about the general common defense versus civil liberties balancing privacy, as you mentioned. What more can you share about some of the things that he sees and feels strongly about, that you guys are seeing in your research in the Institute, because this is interesting, because you got a guy who says, "I'm an Army guy," right, who's now looking through the prism of the future, with past history at the NSA Command Center, Cyber Command Center. >> Yeah. >> He's got a pretty interesting view, and he sees both sides of the coin. >> Yeah. >> You guys are seeing that, people in the tech business are like deer in the headlights. We saw Twitter, Facebook and Alphabet, you know, like (groans). And then the center's trying to grok what Twitter does. >> Parham: Yeah. >> So, I mean, you have this generational gap, you also have historical analog to digital transformation going on. This is a societal impact, this is pretty huge. What does the General truly feel, what's his vision, what's his point of view these days? 
>> So, I'm not going to speak for the General, I wouldn't dare do that, but I will say that, if you listen to his comments on stage, one of the things he does talk about, and where our relationship is very strong, is the importance of public-private sector collaboration. The General actually received our pinnacle, I'm sorry, was named our pioneer last year at our gala which is actually happening in a couple of days in Washington, DC. And he really, if you listen to his message, he underscores the importance of collaboration, not just within a sector, not just within government, but cross-sector and between public-private sector, and between technology providers and government and legislative community. So, I think one of the things that I am comfortable saying is that, he would encourage more collaboration, and more information sharing, and more trust among the sectors to work together to solve these problems. >> How should people measure success in this business? >> That's a loaded question. I think, I think success needs to be, at this stage, incremental. I think that we need to be realistic in terms of how much quote success can we achieve overnight. We've, as we mentioned earlier, the ship has sailed, and so I think we need to do multiple things simultaneously. We, of course, do need to continue to implement technology and strategies that detect and respond to threats. But I personally would say that the true success is going to really be accomplished when we start to deploy strategies and re-prioritize so we're actually building more secure systems, more secure devices. I think that's going to be... Needs to go hand-in-hand, and we'll hear a lot about that tomorrow with Dr. Ross. 
>> Would that imply that, either, you know, the rate of growth of breaches starts to moderate, or the amount of data or loss, revenue dollars lost, begins to, you know, slow down its growth rate or-- >> Yeah, at some point that's absolutely going to be the goal, I think that-- >> Is that a reality though, I mean given that everything is growing so fast in our business? >> Oh, yeah, I'm an eternal optimist. I think absolutely, we'll get there. I can't tell you the timeframe, but I do know that venues like this, and the work that ICIT is doing, is really important to getting us to that point. Until we get folks in the media and on Capitol Hill and in federal agencies talking about these issues, so then it's not just the security folks who are focused on this, but a broader group. >> Yeah, and I think that's the opportunity, and as we wrap up day one here, education and content value is what we're seeing. You guys see that all the time, I know I'm preaching to the choir. But again, looking at mainstream media and some of the techniques that the Russians and other states have used to implement means and the election conversations, it's being gamified, we know that. So, the media picks up on it because there's identity politics going on. So, I think there needs to be a wake-up call, I mean, I think the educational process is critical. >> Yeah. >> What's next? >> And, and, and that's where, you know, we feel very fortunate to be in the position that we're in, because ICIT is a neutral, third-party, non-profit, and non-partisan research organization. So what we're doing is putting out content. We're not, we're not, the... I should say it this way, the information comes out-- >> You've no agenda in terms of how to capture? >> Yeah, exactly. >> It's all transparent. >> Our, our, our agenda is national security. Our agenda is improving the security of our nation's critical infrastructure sectors, improving resiliency. 
And providing trusted advisory to these various stakeholders. >> Well, getting the people here on theCUBE, and having you guys come on, and doing this great event really get, opens up the door for more voices to be heard. >> Parham: Absolutely. >> And we heard from your partner, had some great things to say. This has got to get out there, so the people, the press can report on it-- >> Parham: That's right. We'll turn on the cameras. >> Parham: Yeah. >> Dave, what's your take on the event here? Obviously, as an inaugural event, what's your analysis? >> Well, I mean, we touched on some big topics, right? I mean, the General, in particular, was talking about collaboration with the FBI, you know, Sony came in. >> John: The role of government. >> Privacy, ACLU, Jeffrey Stone. I think, you know, my big takeaway, as we were just discussing, was... And the General said that Sony, for example, he gave that example, can't do it alone. And I, we've been saying this for a while. And John, you predicted this, you said a while back that, that the government's processes, technologies, know-how, is going to seep into commercial businesses. As it has so often. I mean, you look at, you know, space launch, you know, radar, nuclear energy, the internet, et cetera. And I think security, cyber security, is such a big problem, only the government can help solve this problem. >> Well, the government's always been dealing with the moving train, and the corporations and the enterprise have traditionally been buying shrink-wrapped software loaded on a server that's evolved to buying more servers that have been pre-integrated with software. And buying silver bullet solutions, and then leave it alone until something breaks, and then fixes it. And I think, you know, when we were talking and looking at this event, my takeaway here is, the moving train is never going to stop, and the shifting of the game is going to be a cat-and-mouse, good versus bad, new technology versus reality. 
Open source certainly accelerated the role of the public domain. Treasure troves of information are being amassed, whether it's WikiLeaks or in the open source. This is a problem, and then there's no real, like, real creative solutions. I am not seeing anything. So, to me, this event takeaway is that, this is the first time a step has been taken to saying, whoa, holistic big picture. What is the architecture of a global society, where nation states can compete with no borders. >> Yeah. >> In a digital, virtual space, be effective, have freedom, and then respect for the individual. I mean, no one's ever had that conversation. >> Yeah, well we're excited to have it. We've gotten really great feedback from just some of the conversations that we're hearing in the hallway, as people are taking, learning actionable intelligence, where I can actually take this and instill it. I think a lot of people are actually being inspired, and that's something we need, especially in an industry where every day is about how, you know, cyber security folks don't get in the news when nothing happens. There's a commercial, I think it's an IBM commercial, right, where it's, my, my, nothing happened at work for my dad today, right? That never happens, it's always about what does go wrong, so I think we need to be inspired and motivate ourselves. >> Well, one of the things that we're excited about, as you know, we're community-model like you guys are. You look at some of the early indicators of how blockchain, and even though it's kind of crazy, you know, bubbly with the ICOs and cryptocurrency and overall blockchain, it all comes down to the common thread. We see an open source software over multiple generations, we're seeing it in blockchain, we're seeing it in security. Community matters. And I think the role of individuals and communities will be a big part of the change, as a new generation comes up. Really fundamental, so congratulations. >> Parham: Absolutely, thank you. 
>> Okay, Parham here's inside theCUBE for our wrap-up of day one of CyberConnect 2017. I'm John, with Dave Vellante. Thanks for watching. (synthesizer music)

Published Date : Nov 7 2017



Kickoff | CyberConnect 2017


 

>> Narrator: Live from New York City, It's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify, and The Institute for Critical Infrastructure Technology. (synth music tag) >> And government industries together for the first time. A unique kind of collaboration unlike normal events, like Black Hat or RSA, that are mostly about hacks and really geeky sessions. There's a great place for that, but again, this is the first of its kind, and it's presented by Centrify's theCUBE as an exclusive partner here, I'm John Furrier, co-host of theCUBE, co-founder of SiliconANGLE, my co-founder, Dave Vellante here. Dave, I mean, Centrify really taking an industry proactive role, not having their own event. Instead, using their money to fund an industry event. This is the trend in digital media. Presented by Centrify, not 'sponsored by' or 'their event'. This, we've seen this in the big data space before where events are sponsored for the community. You know, cyber security, really a big topic. You know, General Keith Alexander, retired general, was on stage as the keynote. Really talking about the crisis in the United States and around the world, around cyber security, cyber war, a whole new reality. This is the thrust of the event. >> Well, they say content is king. Well, context is kind of the empire, and the context here is, the world is changing. And the seriousness of that change is significant. General Alexander, many people may not know, General Keith, former, retired General Keith Alexander, he was the first Head of Chief of Cyber Security at U.S., appointed by Obama. John, he was appointed Director of the NSA in 2005. Now, you guys remember, I'm sure, Stuxnet was right around 2004, 2005 when it was developed, and it bridged the Bush to the Obama administration. So he had the, all the inside baseball. He didn't talk about Stuxnet, but that was, >> He did share some nice war stories. 
>> Yeah, but that was the first and most significant, the way they got into Natanz, and he was at the center of all that. And he did share some war stories. He talked about Snowden, he talked about collaboration with the FBI, he talked about saving lives. And basically he said, hey, I stood in front of the ACLU. They basically undressed him, right? And then came back and said, hey, this is one of the most ethical agencies, and law-abiding agencies I've ever, he's seen, so he read that note from the head of the ACLU, it was very proud of that. >> Yeah, and the Stuxnet, it was in the news obviously, just yesterday it was reported, actually the day before November 1st, November 2nd, that Stuxnet was highly underestimated. In fact, the digital certificates that were spoofed were, been hanging around, the malware's been out there. Then again, this is, this is an indictment of the problem that we have, which is, we've got to get the security. Now, the things that the General talked about, I want to get your reaction to, because certainly I honed in on a couple key things. "Foundational tech for common defense." So he talked a lot about the Constitution and the role of government, I did a tweet on that, but what is the role of the government? That's the common defense of the United States, citizens and business. One. Not just protect the Department of Defense. At the same time, he did kind of put a plug in that we need the civil liberties and privacy to be addressed. But this is the biggest crisis we have, and it's a problem that can only be solved by working together. And if you look at, Dave, the trends that we're following on theCUBE and SiliconANGLE and Wikibon, the common thread is community. If you look at blockchain and what's going on in that disruptive, decentralized world, the role of the community is critical. If you look at what's going on in security, it's the role of the community. 
If you look at open source, the biggest success story of our multiple generations and now impacting the younger generation in the computer science industry and the computer industry, open source software. Community. You're starting to see the role of communities where knowing your neighbor, knowing who's involved with things, is really critical, and you can't highlight it any more than this conference that Centrify's presenting with these gurus, because they're all saying the same thing. You've got to share the data. The community's got to work together. So, common defense, maintaining civil liberties and maintaining privacy at the same time, solving the biggest crisis of our time. >> Well the other big thing and, John, you actually made this prediction to me a couple weeks ago, was that government and industry are going to start working together. It's going, it has to happen. General Alexander basically said that, is it the government's role, job, to protect commercial industry? And it was an emphatic yes, and he pulled out his fake version of the Constitution, and said yes, and he got in front of Panetta, in front of the US Senate, and made the case for that. And I think there's no question about it. Industries control critical infrastructure. And industries aren't in a good position to protect that critical infrastructure. They need help from the government, and the government has some of the most advanced technologies in the world. >> And the other thing we've been hearing from this, the executive at Aetna, is attack, maintaining intelligence on the data and sharing is critical to resolve the problem, but his point was that most people spend time on an attack vector that's usually wrong. He said, quote, "You're better off having people be idle, than chasing down on an attack vector that's wrong." So his point is, report that to the agencies quickly, to, one, reverse-engineer the problem. 
Most likely you're going to get better intel on the attack, on the vector, then you can start working effectively. So he says a lot of problems that are being solved by unconventional means. >> Well, General Alexander said that when he was head of Cyber Command, his number one challenge was visibility, on the attacks, they could only respond to those attacks. So, my question to you, John, is how will data, big data, machine learning, AI, whatever you want to call it, how will that affect our ability as an industry to proactively identify threats and thwart them, as opposed to just being a response mechanism? >> I think it's going to be critical. I think if you look at the AI and machine learning, AI is basically machine learning on steroids, that's really kind of what it is now, but it hopefully will evolve into bigger things, is really going through the massive amounts of data. One of the points that General Alexander talked about was the speed and velocity of how things are changing, and that most IT departments can't even keep up with that right now, never mind security. So machine learning will allow things to happen that are different analysis faster, rather than relying on data lakes and all kinds of old modeling, it's just not fast enough, so speed. The other thing too is that, as you start looking at security, this decentralized approach, most attacks are coming in on state-sponsored but democratized attacks, meaning you don't have, you can use open source and public domain software to provide attacks. This is what he's been talking about. So the number one thing is the data. Sharing the data, being part of a community approach where companies can work in sectors, because there's a lot of trend data coming out that most attackers will come out, or state-sponsored attacks, will target specific things. 
First of all, the one problem that can be solved immediately is that there's no way any of the United States military and-or energy grid should be attached to the Internet. And you can mask out all foreign attacks just by saying only people in the US should be accessing. That's one network conventional thing you can do. But getting the data out there is critical, but working in sectors. Most attacks happen like on the financial services industry, so if you sit in there and trying to solve the problem and keeping it on the down-low, you're going to get fired anyway, you know? The business is probably going to get hurt. Report it early, with your peers in the community, share some data, anonymize that data, don't make it, you know, privacy breaching, but get it out there. Number one thing. >> Well, here's the problem is, 80 billion dollars is spent a year on security, and the vast majority of that is still spent on perimeter security, and we heard today that the number one problem is things like credential stuffing, and password, poor user behavior, and our response to that is education. Jim Routh talked about, that's a conventional response. We need unconventional responses. I mean, the bottom line is that there's no silver bullet to security. You talked about, critical infrastructure should not be connected to the internet, but even then, when you have an air gap, you go back to Stuxnet, Natanz had an air gap. Mossad got through the air gap. There's always a way to get through somehow. So there's no one silver bullet. It's a portfolio of approaches and practices, and education, and unconventional processes that you have to apply. And as we talked about, >> Well I mean, there's no silver bullet, but there are solutions. And I think that's what he's saying. He gave it, General Alexander gave specific examples, when he was in charge, of the NSA command center was, you know, terrorist attacks being thwarted. 
Those are actual secure problems on the terrorism front that were solved. There was a silver bullet for that, it's called technology. So as you generalize it, Dave, I can hear what you're saying, because IT guys want a silver bullet. I want to buy a product that solves my security problem. >> So here's the problem I have with that is, I used to read Art Coviello's, you know, memo every year, >> Yeah. >> It was like, he tried to do like the, and he still does. But I look back every year and I say, Do we feel safer and more secure than we were last year? And every year the answer is no. So we, despite all the technology, and we've talked about this on theCUBE with Pat Gelsinger, security is essentially a do-over. We do need unconventional new ways, >> No debate. >> Of attacking the problem. >> No debate. Well I noticed, I'm just highlighting the point, I mean if you look at it from an IT perspective, the old conventional wisdom was, I want to buy a product. Hey, vendor, sell me your security product. What General's kind of pointing out is, he's kind of pointing out and connecting the dots, is like, hey, what they learned in the NSA was, it's an ongoing iterative thing that's happening in real time. It's not an IT solution anymore. It's a more of a holistic problem. Meaning, if you don't understand the problem space, you can't attack it. So when they talked about the terrorist attack, they had a phone record, and they had to give it to the FBI. The FBI had to get into it. They discovered the guy in basically 24 hours, and then it took a week to kind of vet the information. Luckily they caught it and saved a subway attack in New York City in 2008 that would have been devastating. Okay, still, they were successful, but, weeks. So machine learning, and to your point, is only going to accelerate those benefits. And again, the real counterpoint as General pointed out is, civil liberties and privacy. >> Well, talk- >> I mean, what do you want? 
You want subway attacks, or you want to have your email, and your email be clean, or you want to have people read your email, and no subway attacks? I mean, come on. >> Well, you and I have talked about this on theCUBE over a number of years, and talking about Snowden, and General Alexander brought it up, you know, basically saying, hey, he told the story and he was pretty emphatic as to, his job is to protect, not only the citizens of the United States, but the infrastructure, and basically saying that we couldn't have done it without the laws that allowed us to analyze the metadata. >> I think, I think, in my opinion, what I think's going to happen is, we're going to have a completely reimagined situation on government. If you look at the trends with GovCloud, what's going on with AWS, Amazon Web Services, in the federal area, is an acceleration of massive agility and change happening. You're going to see a reimagine of credentials. Reimagining of culture around hiring and firing people that are the right people. You know I said, and I always say, there should be a Navy SEALs for cyber, a West Point for cyber. So I think you're going to start to see a cultural shift from a new generation of leaders, and a new generation of citizens in the US, that are going to look at citizenship differently. So for instance, Centrify, which is putting on this event, has an identity solution. That's an easy solution. Take it out of IT's problem, no one should be patching 1200 different IT systems in the government. Screw it. It's like a driver's license. Here's your credential, you know? >> So, >> So there's new ways to think of it. Radical ways, progressive ways, whatever you want to call it, I think those are going to be coming fast. Blockchains is a solution. >> I was going to ask you about that. So, four out of five breaches are password related. From credential stuffing or just bad password behavior. 
Everybody uses the same password, because they can remember it, across all these sites. So four out of five of the breaches can be traced back to poor password behavior. So, will things like blockchain or single sign-on, really, the answer, that's about the wrong question. When will, and how will, things like blockchain come to front and center, to solve that problem? >> I don't know, Dave. I mean, all I know is in today's Wall Street Journal, Andy Kessler writes a story that if you want to predict the future, it's all about dodgeball. You've got to get in the game and get hit by a few balls to know what's kind of going on around you. >> Dave: So you've got to fail first. >> Everybody has an opinion, nobody actually knows the answer, this has been a premise in the tech business. In my opinion, my opinion is, to reimagine things, you've got to look at it differently. So if you look at Jim Routh, the CSO at Aetna said, he said, look, we're going to solve these problems in a way, and he said, I'm not even a computer science major, I'm a history major, and I'm running Aetna's security practice. And his point was, he's a history major, civilizations crumble when trust crumbles. Okay, so trust is a huge issue, so trust on the government, trust on the systems, trust with email, so that, so he's looking at it and saying, hey, I want systems that don't erode trust, because the civilization of the world will disintegrate. So trust is a big factor, these are the new things that the best minds have to solve. >> I think the other thing, that really important topic that came up is, is public policy, and there was a discussion on sort of the, you know, hacktivists versus state-sponsored terrorism, so the payload, or the signature of a hacktivist malware is dramatically different than that of a state-sponsored initiative. State-sponsored initiatives are much more sophisticated and much more dangerous. 
And so, Robert Gates, when he was on theCUBE, brought this up, and he said, listen, we have the best technology in the world. The best security in the world. And we apply that largely for defense, and he said, we could go on the offensive. He said the problem is, so can everyone else, and we have, as a nation, a lot more to lose. So when you, we talked about Stuxnet earlier, Stuxnet basically was your tax dollars at work, getting into the hands eventually of the bad guys, who then use that to come back and say, okay, we can attack critical infrastructure, US, so you better be careful. >> It's bigger than that, though, Dave. That's a one, that's an old point, which is a good point, but Stuxnet was the beginning of a movement that state-sponsored actors were doing. In the old days, a state-sponsored actor, in the Iran case, came from a state sponsor, they revealed their hands in their hack a little too early, and we could counter that. But when you look at the specific attacks over the past 15 years, if a state-sponsored attack on the US was happening, it was their, they had to show their hand. That's different now, with WikiLeaks and public domain, states can still remain anonymous and saying "It wasn't us!" And point to these organizations by democratizing hacker tools. So whether it's Stuxnet or something else, you're seeing state-sponsored actors, and I won't, China, Russia, whoever they are, they can actually enable other people who hate the US to attack us. Their signature's not even on it. So by democratizing the hacker tools, increases the number of people that could attack the US. And so the state sponsors aren't even doing anything. >> Well, so, Jim Routh talked about WannaCry and NotPetya, which were, you know, generally believed to be ransomware. He said no, they weren't ransomware. They only collected about 140 thousand from that in US dollars. They were really about state-sponsored political acts. I don't know, sending warnings. 
We're going to ask him about that when he comes in theCUBE. >> Alright. We've got a big day here. New York City here for CyberConnect 2017, this is the inaugural event presented by Centrify. All the top leaders in the industry and government are here solving the problem, the crisis of our generation's cyber attack security, both government and industry coming together. This is theCUBE, we'll be back, more live coverage after this short break.

Published Date : Nov 7 2017



Shira Rubinoff, SecureMySocial | CyberConnect 2017


 

>> Announcer: Live from New York City It's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Hey welcome back everyone, this is theCUBE's coverage of CyberConnect 2017. Live here in New York City at the Grand Hyatt downtown on 42nd street. I'm John Furrier, my co-host Dave Vellante. This is Centrify's inaugural event that they're presenting and they're underwriting. It's the industry event between industry and government and really around the crisis of our generation which is cyber security and its impact to the transformation to global society and our coverage here. Our next guest is Shira Rubinoff who is the President of SecureMySocial, which is really cutting edge human aspect of social engineering meets security. Primetech partners, Cybersecurity, IoT and an influencer but also doing some great work advising start-ups great participant in the community and certainly great to have you back on theCUBE. Thanks for joining us. >> Shira: Thank you, pleasure. >> So, you're in the front row. I saw you and Dave, I couldn't get a seat I was in the back of the bus here at the General Keith Alexander's keynote, among other great keynotes here. Really an inaugural event and inaugural events are great because it's the sign of the trends but also you know if they do a second event, it worked. Right, so you never know there's never going to be another event so an inaugural event means something. It means that the world has to the realization that the world is changed, the realities are here and that the old way isn't good enough. >> Shira: Yup. >> And you're in the middle of it. What's your thoughts? What's your reaction to the program? >> Well you know it's interesting, it also even goes back to the old technology days when you buy by brand. No one's going to fault you for buying the brand names. Everyone just went along with buying the trend, buying the brand. 
And as technology advanced itself as well we started seeing doing it the old way is just not going anywhere today. Especially with the millennials entering the workforce, how things are done, how people approach technology and security is very different. The human factors of information security is taking a front row today, in terms of security, in terms of the weakest link of the chain. Whether it being phishing, finding the entree into an organization through the human ... the weak link of the human, or in terms of tricking people for doing other things while they're downloading malware or even circumventing different technologies that are layered upon each other because there's just too many layers of security on each other and not making it easy for somebody to use the technology and keeping it strong. >> This year you bring up a good point about the human aspect of it. There's an old joke in IT where there's a fork with a cork in it and someone says why is that there? So they don't stick the fork in their eye. And that's a joke on the old system admin joke around human error, around updating. That's been around for a while, but now there's a whole other social engineering going on around the business of cyber attacks. Whether it's mafias or organized hacker units that do it for business, for profit to state governments where the social engineering around the human vulnerabilities are key. This isn't your area, it's your wheelhouse. What is the key thing that's happening? What should people be aware of? What's your analysis? >> Well I think people have to be careful of oversharing. I think there's many different entrees into finding, again when we talk about the human factors whether being government, whether being a technology company, whether being a C-suite, whether it being through social media. 
It's being trusted the wrong people, trusting the wrong sources, and just being open and not being over careful in checking your sources and making sure you're actually linking up whether it being on the LinkedIn. Also, I was talking to someone earlier that people were accepting LinkedIn invitations from non-trusted sources. And they seemed to look okay but again, a social engineering piece that comes in that allowed others in to actually see context and find a breach within an organization. Sometimes, somewhat like a government it can always be across all communities. >> So that's a very nuanced point, let's take LinkedIn for example, mind if I picked on LinkedIn but Facebook I'm an oversharer so I'm probably being hacked 10 ways from Sunday but you can have whatever you want. But let's take LinkedIn as an example. A practitioner could say I work on the servers for Chase Bank and I handle the Apache whatever project. That's metadata that can be used against that person. He's putting it out there, he or she, for a job potentially to showcase their skills. Yet, the bad actors can use that and figure out what communities they're ... >> Exactly. >> And GitHub their participants so it's a gesture signal point, that you ... Am I right, am I getting it right? >> Correct. Correct. And that's what some of the companies actually put allowances around what people are allowed to share on LinkedIn, however there's the double-edged sword because they're telling their employees do not overshare and say specifically what you're doing. The employee themselves are saying, hey I want to be open to recruiters to come find me because who knows what my next gig is. So they're going to over share what they're doing to show all the experience that they have so they're open to other job opportunities. 
>> This is a really interesting conflict, and again I'm torn because religiously I'm a big believer in the democratization of media and society but what you're talking about really is a counter against the democratization because that's based on sharing, which that's where open sources from and so this is going to be some sort of shift. >> Correct. Correct. Well, that also plays into the whole millennial shift. Of how it's approached through the workforce. Millennial generation share everything, everything is open. My whole life is opening itself up on social media. I want you to know what I'm having for breakfast because you might want to have it too. By the way, this is what I'm working on at work because you might find it interesting. Whether it being their boss or saying don't do this they're saying don't tell me what to do and I'm going to work from home half the time. It's millennial shift and we have to shift with it. It's going that route. >> So to what degree can we take bad human behavior out of the equation? Toiling, technology, maybe it's process education. >> Well I think it has to be many factors. You know, there has to be the education around it. There also has to be implementing the right technology. To warn users if they're doing things the wrong way. For example, my company SecureMySocial, we are a technology assisted self-monitoring company for allow for employers to give employees to self monitor across social media based on compliance organization real time warnings. So it would warn the employee if they the employee themselves would be doing something wrong. So implementing technologies of that sort whether being whatever the organization may be open to. So you have the education piece, you have the partnerships with the right technology companies, and you also have allowing the employees to have the right types of security around what they're doing themselves. 
Without being so involved in what they're doing because then they're going to have a big push back. So there's a very fine line you have to walk here. >> And the psychology is interesting you mention the millennials too, because that's their norm. >> Shira: Correct. And they want to be part of a tribe, right? >> Shira: Yes. >> So that the belonging aspect of social is becoming a norm. But now we have to have practices. So what do you, what's your vision of this? Because that probably won't stop, that's a behavior that will constantly be there. Is that going to come in a form of product? Solutions? A better identity? I mean ... >> Well it's going to come everywhere, if you look across all generations from the boomers, gen x, millennials. Things shift with the generations as it comes down the path. So certainly through technology is going to shift to, easy to use, no extra steps to download. As Centrify has, they want a one point to contact. They don't want to overlay technologies on technologies which is what I speak about a lot. My background is heavily in psychology and the human aspect. So make things as strong as they can be without cumbersome to the employee. You want them to use it, not break it, not go around it and not just throw it out the window. >> Gee, you're a great guest and music to our ears because as Dave knows, I've been on this rant for a long time. User experience is really about user expectations. And as expectations shift, that's kind of where the puck will be or whether you're skating through the puck or skating with the puck, as some people are. The question comes down to this young generation because General talked about this new cyber warfare but there's West Point, there's no Navy SEAL, and that's going to come from a gamer culture potentially or the younger generation, so I got to ask ya. Do you think that we're going to have a counter culture? Because in every revolution, take the 60's. We're the 50's parents now, right? 
We're the 50's generation, or are we? So I've been kind of speculating that I think we're on the cusp of a counter culture revolution. The summer of love of digital is coming. Or maybe not, what do you think? >> You know, I think it's very interesting the way it's shifting across generations. I think that the generation, our generation before us are trying to take this millennial generation and put them in a box and saying follow my rules or else you're out and the millennial generations like make me. So it's not going to happen that way. They're going to actually drive the force of how technology is going to be created and how the business world is actually going to react and act towards them and how things are going to flow after them. And just wait for the following generation, things are going to be a lot looser. >> So you think there's going to be some massive change being shifted from their expectations. >> Shira: Correct. Correct. Yes. >> Well, I feel like millennials are in for a great awakening because now they don't have a ton to lose. >> Shira: Yes. >> As they get older and accrue more wealth. >> John: Well millennials are generally lazy, right? (laughter) >> You've got to be careful when you say that. >> As my son would say, they're smart or they're lazy. >> They're the make me generation. >> Exactly >> Alright, fine. Be careful what you wish for. But is there a gamification involved. The psychology of getting humans to behave the way that you need them to behave in order to have good security practices. >> Yes, no I think that's a great question. I think that based on what the millennials are doing now and how the shift is happening through the gen x and millennials kind of intertwining the businesses and the way technology is created and moved forward. I think that it's going to somehow have to combine forces. I think there's going to have to be a little give and take. 
And I think as time progresses and things mature that it's going to be understood and it's going to be adapted by them and adopted by them, as well. >> So, talk a little bit more about your company. MySocial ... >> Shira: SecureMySocial, yes. >> What does it do? How does it help solve some of these issues? >> So SecureMySocial is just technology assisted self monitoring tool for employers to give employees to self monitor across social media, based on compliance and regulations of the organization. With real time warnings and auto-delete capabilities. Basically, the organization would buy it. Based on where a person would fall in the organization there will be specific rules set to apply to them. Whether it being group rule sets for C level people, marketing and the like, you don't want false positives. And they the people themselves would get a real time warning to their known device. But I will back track a little bit because most organizations, if not all today have certain criteria. What you can and can't do across social media. But the most of the problems, if not 98 or more percent of data loss or reputation happen outside of the office. It happens on lunch breaks, vacations, weekends. We can't monitor people's personal accounts. So we're making the users themselves, they would get the real time warnings. There's nothing to download, nothing to install. They don't give over any personal information, yet they're protected and we're able to keep it across the whole thing. >> So it's an insurance policy for the employee saying, look here's a little notification because you know that if you say that drunk tweet, let's get real right or do something that's at a concert ... >> The CFO of Twitter mistakenly tweeted out the earnings of Twitter instead of doing a direct tweet. Things happen, mistakes happen. It's the human factors of it all. >> Dave: And your technology could have stopped that? 
>> We could have stopped it, we could have actually auto deleted it before it even went out. >> It's almost, I don't know if it's happening on the west coast, but around where I live there's all these ... There's speed signs going up. Tells you how fast you're going. >> It's like that angel on your shoulder saying, do you really want to do this? >> It might be 25 and you see it and you go, you're going too fast and it's flashing and you slow down, and it actually works. >> We use Waze in California that's more ... >> It lets you know where the cops are. (John laughing) >> There's no cops! There's no cops around. >> I know that's the same, it's just more effective. You get there faster, you don't ... >> If you don't mind I'd like to ... >> It's this subliminal message, says hey whoa yo slow down. >> Like that angel on your shoulder tapping you on the shoulder letting you know. >> Like you said, it's the good angel. >> Now I just wanted to mention also a new venture actually launching at the end of the month. It's called Prime Tech Partners. We're an incubator here in New York City. Near the Flatiron District. We're going to be launching the end of November. Focusing on augmented reality, cyber security, information security and e-commerce. Opening up to start-ups. And please check it out, Prime Tech Partners. >> Shira you did some great work, I got to ask you the question because start-ups are the canary in the coal mine. >> Shira: Yup. >> They'll tell you kind of what's happening, give you a barometer. What is going on in the start-up areas around security because there's now a range, diverse range opportunities from blockchain all the way to enterprise. >> Shira: Sure. >> So, and everything in between. What's the chirping happening in the mines of the start-ups as they create new ventures. >> Well it's interesting because when you talk about what's out there we talk about almost like an umbrella. 
Sometimes people would put cyber security over the whole umbrella and then fit artificial intelligence, augmented reality, virtual reality, blockchain. Everything kind of falls under there. So, you know it's actually moving along with the system. There's a lot of artificial intelligences making a big play. IoT world, there's quite a bit of technology coming out there. All finding the whole problems and if you look at everything there's a lot of the human aspects of information security that they have to take into account when developing and when pushing it out because at the end of the day, it's all social engineering. It's the human factor, whatever you're creating. >> And we're seeing the same thing on theCUBE entries. We go to hundreds of shows a year. The trend is every part of the stack is impacted by this. >> Shira: Exactly. >> At the infrastructure low level, from multi factor authentication all the way up to Docker and Kubernetes at the dev ops level, the app level. To wearables ... >> Well, wearables certainly. Right? Gaining someone's information. >> John: Geo information. >> Right. Well, here was an interesting ... I went into, I have a law firm that contacted me. They wanted me to some consulting for them. They implement this most beautiful, high-tech, gorgeous office. So I was in there talking to some of the partners and they were plugging in their new smart TVs and their smart fridges. Everything into their network. You don't have breach their network to get their information, we'll breach Sony! You breach into Sony, whatever whoever the manufacturer of the TV, the fridge, whatever it is. They're thinking IoT, well they can gain access into that law firm, gain information and just take all that information and utilize that. So there's so much thought to be put around even the IoT world, artificial intelligence. The human factor takes a step back. >> If it's a network device it can be hacked. >> Exactly. Yes. 
>> So is part of your mission just to make people aware of humans' role in bad security practices? Is that a big part of this? >> Shira: Yes. >> This sort of shining a light on it. >> Yes, I think there's almost like a stop and pause. When you're creating a technology, whatever it is, and people are looking, Oh I'm going to make this stronger. I'm going to make this better, I'm going to make this faster. Oh here let me put another control over it, and here's another control, and by the way they have to go around this and do five things, we're going to have the best thing out there. They're not going to use it, they're going to break it and circumvent it. Stop, there's a person there. How are we going to make the person use this to the best capacity? How's it going to be strong without giving them all those extra layers? Anything you're doing, there's a person there. You got to stop and think and figure out how to utilize the best way. >> Shira, give us some predictions for next year, the end of the year, so predictions are coming. We had our meeting this week, or last week on our predictions, so we're going to put you in the hot seat. Your predictions for next year. Hot trends you expect to see. What are you expecting? What's your prediction for next year? >> Well, I think IoT is going to take a big forefront. Especially with the smarter cities, the smarter homes. As you're talking about the wearables. Artificial intelligence is going to kind of play into that as well, but I think the people are very excited about becoming let's quote unquote smart, no extra steps, right? When you have the no extra steps, remember you're opening yourself up for something, do it smart. But IoT is really expanding itself into every infrastructure whether it being utilizing, engineering. Whether it being cities itself, whether it being homes. And the wearables are also ... 
If you look at what's going on with Fitbit, then you have the next Apple and then there's something else every other day that you could put on yourself and you could get any information that you want. >> So people are connecting the IoT to the industrial side of their analog to digital. >> Exactly. Yes. Yes. And I think that's going to become a forefront in the next year. >> Right. What do you think of the event here, so far? >> I think the event is terrific. We've had some amazing speakers here and I think they're all highlighting the fact that we have to share expertise and really come together to bypass the problems that are out there and work as a unit, and certainly Centrify is doing a great job here. I'm very happy to be here. >> Great. Well, good luck with everything next year. Thanks for coming on theCUBE, we really appreciate it. >> Shira: Thank you. Happy to be here. >> That was commentary, great analysis. An opinion here on theCUBE, here at Centrify's event that they're underwriting for the industry as an industry event called CyberConnect presented by Centrify. I'm John Furrier with Dave Vellante, stay tuned for more live coverage here in New York City after this short break. (electronic music)

Published Date : Nov 6 2017

Byron Acohido, LastWatchDog.com | CyberConnect 2017


 

>> Host: New York City, it's The Cube covering Cyber Connect 2017, brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Hey, welcome back, everyone. This is the Cube's live coverage in New York City. This is the Cyber Connect 2017, presented by Centrify, underwritten by such a large industry event. I'm John Furrier, Dave Vellante. Our next guest is Byron Acohido who's the journalist at lastwatchdog.com. Thanks for joining us, welcome to The Cube. >> Thank you, pleasure to be here. >> So, seasoned journalist, there's a lot to report. Cyber is great, we heard a great talk this morning around the national issues around the government. But businesses are also struggling, too, that seems to be the theme of this event, inaugural event. >> It really is a terrific topic that touches everything that we're doing, the way we live our lives today. So, yeah, this is a terrific event where some of the smartest minds dealing with it come together to talk about the issues. >> What's the top level story in your mind in this industry right now? Chaos, is it data, civil liberties, common threats? How do you stack rank in level of importance, the most important story? >> You know, it really is all of the above. I had the privilege to sit at lunch with General Keith Alexander. I've seen him speak before at different security events. So it was a small group of the keynote speakers, and Tom Kemp, the CEO of Centrify. And he just nailed it. He basically, what resonated with me was he said basically we're kind of like where we were, where the world was at the start of World War I, where Russia and Germany and England, we're all kind of lining up, and Serbia was in the middle, and nobody really knew the significance of what lay ahead, and the US was on the sidelines. And all these things were just going to converge and create this huge chaos. 
That's what he compared it today, except we're in the digital space with that, because we're moving into cloud computing, mobile devices, destruction of privacy, and then now the nation states, Russia is lining up, North Korea, and Iran. We are doing it too, that was probably one of the most interesting things that came at you. >> His rhetoric was very high on the, hey, get our act together, country, attitude. Like, we got a lot to bring to the table, he highlighted a couple use cases and some war stories that the NSA's been involved in, but almost kind of teasing out, like we're kind of getting in our own way if we don't reimagine this. >> Yes, he is a very great advocate for the private sector industry, but not just industry, the different major verticals like especially the financial sector and the energy sector to put aside some of the competitive urges they have and recognize that this is going on. >> Okay, but I got to ask you, as a journalist, Last Watchdog, General Alexander definitely came down, when he sort of addressed privacy, and Snowden, and the whole story he told about the gentleman from the ACLU who came in a skeptic and left an advocate. As a journalist whose job is to be a skeptic, did you buy that? Does your community buy that? What's the counterpoint to that narrative that we heard this morning? >> Well, actually I think he hit it right on the head. As a journalist, why I got into this business and am still doing it after all these years is if I can do a little bit to shed a little bit of light on something that helps the public recognize what's going on, that's what I'm here to do. And this topic is just so rich and touches everything. We were talking just about the nation state level of it, but really it effects down to what we're doing as a society, what Google, and Facebook, and Twitter, how they're shaping our society and how that impacts privacy. 
>> We were talking last night, Dave, about the Twitter, and Facebook, and Alphabet in front of the Senate hearings last week, and how it means, in terms, he brought it up today. The common protection of America in this time, given the past election, that was the context of the Google thing, really has got a whole opportunity to reimagine how we work as a society in America, but also on the global stage. You got China, Russia, and the big actors. So, it's interesting, can we eventually reimagine, use this opportunity as the greatest crisis to transform the crap that's out there today. Divisiveness, no trust. We're living in an era now where, in my life time I can honestly say I've never seen it this shitty before. I mean, it's bad. I mean, it's like the younger generation looking at us, looking at, oh, Trump this, Trump that, I don't trust anybody. And the government has an opportunity. >> Alright, but wait a minute. So, I'm down the middle, as you know, but I'm going to play skeptic here a little bit. What I basically heard from General Alexander this morning was we got vetted by the ACLU, they threw sort of holy water on it, and we followed the law. And I believe everything he said, but I didn't know about that law until Snowden went public, and I agree with you, Snowden should be in jail. >> John: I didn't say that. >> You did, you said that a couple, few years ago on The Cube, you said that. Anyway, regardless. >> I'm going to go find the archive. >> Maybe I'm rewriting history, but those laws were enacted kind of in a clandestine manner, so I put it out to both of you guys. As a citizen, are you willing to say, okay, I'll give up maybe some of my privacy rights for protection? I know where I stand on that, but I'm just asking you guys. I mean, do all your readers sort of agree with that narrative? Do all of The Cube? 
>> If you look at the World War I example the general, he brought up at lunch, I wasn't there, but just me thinking about that, it brings up a good perspective. If you look at reinventing how society in America is done, what will you give up for safety? These are some of the questions. What does patriotizing mean for if industry's going to work together, what does it mean to be a patriot? What I heard from the general onstage today was, we're screwed if we don't figure this out, because the war, it's coming. It's happening at massive speeds. >> Again, I know where I stand on this. I'm a law-abiding citizen. >> Byron, what do you think? >> Go ahead and snoop me, but I know people who would say no, that's violating my constitutional rights. I dunno, it's worth a debate, is all I'm saying. >> It's a core question to how we're living our lives today, especially here in the US. In terms of privacy, I think the horse has left the barn. Nobody cares about privacy if you just look at the way we live our lives. Google and Facebook have basically thrown the privacy model-- >> GPS. >> That came about because we went through World War I and World War II, and we wanted the right to be left alone and not have authoritative forces following us inside the door. But now we don't live in just a physical space, we live in a cyberspace. >> I think there's new rules. >> There is no privacy. >> Don't try and paint me into a corner here, I did maybe say some comments. Looking forward the new realities are, there are realities happening, and I think the general illuminated a lot of those today. I've been feeling that. However, I think when you define what it means to be a patriot of the United States of America and freedom, that freedom has to be looked through the prism of the new realities. The new realities are, as the General illuminated, there are now open public domain tools for anyone to attack the United States, industry and government, he brought it up. 
Who do they protect, the banks? So, this ends up, I think will be a generational thing that the younger generation and others will have to figure out, but the leaders in industry will have to step up. And I think that to me is interesting. What does that look like? >> I think leadership is the whole key to this. I think there's a big thread about where the burden lies. I write about that a lot as a central theme, where is the burden? Well, each of us have a burden in this society to pay attention to our digital footprint, but it's moving and whirling so fast, and the speaker just now from US Bank said there is no such thing as unprecedented, it's all ridiculous the way things are happening. So, it has to be at the level of the leaders, a combination, and I think this is what the general was advocating, a combination of the government as we know it, as we've built it, by and for the people, and industry recognizing that if they don't do it, regulations are going to be pushed down, which is already happening here in New York. New York State Department of Financial Services now imposes rules on financial services companies to protect their data, have a CSO, check their third parties. That just went in effect in March. >> Let's unpack that, because I think that's what new. If they don't do this, they don't partner, governments and industry don't partner together, either collectively as a vertical or sector with the government, then the government will impose new mandates on them. That's kind of what you're getting at. That's what's happening. >> It'll be a push and shove. Now the push is because industry has not acted with enough urgency, and even though they were seeing them in the headlines. California's already led the way in terms of its Data Loss Disclosure law that now 47 states have, but it's a very, I mean, that's just the level the government can push, and then industry has to react to that. 
>> I got to say, I'm just being an observer in the industry, we do The Cube, and how many events will we hear the word digital transformation. If people think digital transformation is hard now, imagine if the government imposes all these restrictions. >> What about GDPR? >> Byron: That's a good question, yeah. >> You're trying to tell me the US government is going to be obliged to leak private information because of a socialist agenda, which GDPR has been called. >> No, that's another one of these catalysts or one of these drivers that are pushing. We're in a global society, right? >> Here's my take, I'll share my opinion on this, Dave, I brought it up earlier. What the general was pointing out is the terror states now have democratized tools that other big actors are democratizing through the public domain to allow any enemy of the United States to attack with zero consequences, because they're either anonymous. But let's just say they're not anonymous, let's just say they get caught. We can barely convert drug dealers, multiple jurisdictions in court and around the world. What court is out there that will actually solve the problem? So, the question is, if they get caught, what is the judicial process? >> Navy SEALs? >> I mean, obviously, I'm using the DEA and drug, when we've been fighting drug for multiple generations and we still have to have a process to multiple years to get that in a global court. I mean, it's hard. My point is, if we can't even figure it out for drug trade, generations of data, how fast are we going to get cyber criminals? >> Well, there is recognition of this, and there is work being done, but the gap is so large. Microsoft has done a big chunk of this in fighting botnets, right? So, they've taken a whole legal strategy that they've managed to impose in maybe a half-dozen cases the last few years, where they legally went and got legal power to shut down hosting services that were sources of these botnets. So, that's just one piece of it. 
>> So, this World War I analogy, let's just take it to the cloud wars. So, in a way, Dave, we asked Amazon early on, Amazon Web Services how their security was. And you questioned, maybe cloud has better security than on premise, at that time eight years ago. Oh my God, the cloud is so insecure. Now it looks like the cloud's more secure, so maybe it's a scale game. Cloud guys might actually be an answer, if you take your point to the next level. What do you think? >> Correct me if I'm wrong, you haven't seen these kind of massive Equifax-like breaches at Amazon and Google. >> That we know about. >> That we know about. >> What do you think? Don't they have to disclose? >> Cloud players have an opportunity? >> That we know about. >> That's what I was saying. The question on the table is, are the cloud guys in a better position to walk around and carry the heavy stick on cyber? >> Personally, I would say no question. There's homogeneity of the infrastructure, and standardization, and more automation. >> What do you think? What's your community think? >> I think you're right, first of all, but I think it's not the full answer. I think the full answer is what the general keeps hammering on, which is private, public, this needs to be leadership, we need to connect all these things where it makes sense to connect them, and realize that there's a bigger thing on the horizon that's already breathing down our necks, already blowing fire like a dragon at us. It's a piece of the, yeah. >> It's a community problem. The community has to solve the problem at leadership level for companies and industry, but also what the security industry has always been known for is sharing. The question is, can they get to a data sharing protocol of some sort? >> It's more than just data sharing. I mean, he talked about that, he talked about, at lunch he did, about the ISAC sharing. 
He said now it's more, ISACs are these informational sharing by industry, by financial industry, health industry, energy industry, they share information about they've been hacked. But he said, it's more than that. We have to get together at the table and recognize where these attacks are coming, and figure out what the smart things are doing, like at the ISP level. That's a big part of the funnel, crucial part of the funnel, is where traffic moves. That's where it needs to be done. >> What about the balance of power in the cyber war, cyber warfare? I mean, US obviously, US military industrial complex, Russia, China, okay, we know what the balance of power is there. Is there much more of a level playing field in cyber warfare, do you think, or is it sort of mirror the size of the economy, or the sophistication of the technology? >> No, I think you're absolutely right. There is much more of a level playing field. I mean, North Korea can come in and do a, this is what we know about, or we think we know about, come in and do a WannaCry attack, develop a ransomware that actually moves on the internet of things to raise cash, right, for North Korea. So there, yeah, you're absolutely right. >> That's funding their Defense Department. >> As Robert Gates said when he was on The Cube, we have to be really careful with how much we go on the offense with cyber security, because we have more to lose than anybody with critical infrastructure, and the banking system, the electrical grid, nuclear facilities. >> I interviewed a cyber guy on The Cube in the studio from Vidder, Junaid Islam. He's like, we can look at geo and not have anyone outside the US access our grid. I mean, no one should attack our resources from outside the US, to start with. So, core network access has been a big problem. >> Here's something, I think I can share this because I think he said he wouldn't mind me sharing it. 
At the lunch today, to your point that we have more to lose is, the general said yeah, we have terrific offensive capability. Just like in the analog world, we have all the great bombers, more bombers than anybody else. But can we stop people from getting, we don't have the comparable level of stopping. >> The defense is weak. >> The defense, right. Same thing with cyber. He said somebody once asked him how many of your, what percentage of your offensive attacks are successful? 100%. You know, we do have, we saw some of that with leaks of the NSA's weapons that happened this year, that gone out. >> It's like Swiss cheese, the leaks are everywhere, and it's by the network itself. I ran into a guy who was running one of the big ports, I say the city to reveal who it was, but he's like, oh my God, these guys are coming in the maritime network, accessing the core internet, unvetted. Pure core access, his first job as CIO was shut down the core network, so he has to put a VPN out there and segment the network, and validate all the traffic coming through. But the predecessor had direct internet access to their core network. >> Yeah, I think the energy sector, there's a sponsor here, ICIT, that's in the industrial control space, that I think that's where a lot of attention is going to go in the next couple of years, because as we saw with these attacks of the Ukraine, getting in there and shutting down their power grid for half a day or whatever, or with our own alleged, US own involvement in something like Stuxnet where we get into the power grid in Iran, those controls are over here with a separate legacy. Once you get in, it's really easy to move around. I think that needs to be all cleaned up and locked down. >> They're already in there, the malware's sitting in there, it's idle. >> We're already over there probably, I don't know, but that's what I would guess and hope. >> I don't believe anything I read these days, except your stuff, of course, and ours. 
Being a journalist, what are you working on right now? Obviously you're out there reporting, what are the top things you're looking at that you're observing? What's your observation space relative to what you're feeding into your reports? >> This topic, security, I'm going to retire and be long gone on this. This is a terrific topic that means so much and connects to everything. >> A lot of runway on this topic, right? >> I think the whole area of what, right there, your mobile device and how it plugs into the cloud, and then what that portends for internet of things. We have this whole 10-year history of the laptops, and we're not even solving that, and the servers are now moving here to these mobile devices in the clouds and IOT. It's just, attack surface area is just, continues to get bigger. >> And the IT cameras. >> The other thing I noticed on AETNA's presentation this morning on the keynote, Jim was he said, a lot of times many people chase the wrong attack vector, because of not sharing, literally waste cycle times on innovation. So, it's just interesting market. Okay, final thoughts, Byron. This event, what's the significance of this event? Obviously there's Black Hat out there and other industry events. What is so significant about CyberConnect from your perspective? Obviously, our view is it's an industry conversation, it's up-leveled a bit. It's not competing with other events. Do you see it the same way? What is your perspective on this event? >> I think that it's properly named, Connect, and I think that is right at the center of all this, when you have people like Jim Ralph from AETNA, which is doing these fantastic things in terms of protecting their network and sharing that freely, and the US Bank guy that was just on, and Verizon is talking later today. 
They've been in this space a long time sharing terrific intelligence, and then somebody like the general, and Tom Kemp, the CEO of Centrify, talking about giving visibility to that, a real key piece that's not necessarily sexy, but by locking that down, that's accessing. >> How is the Centrify message being received in the DC circles? Obviously they're an enterprise, they're doing very well. I don't know their net revenue numbers because they're private, they don't really report those. Are they well-received in the DC and the cyber communities in terms of what they do? Identity obviously is a key piece of the kingdom, but it used to be kind of a fenced off area in enterprise software model. They seem to have more relevance now. Is that translating for them in the marketplace? >> I would think so, I mean, the company's growing. I was just talking to somebody. The story they have to tell is substantive and really simple. There's some smart people over there, and I think there are friendly ears out there to hear what they have to say. >> Yeah, anything with identity, know your customer's a big term, and you hear in blockchain and anti-money laundering, know your customer, big term, you're seeing more of that now. Certainly seeing Facebook, Twitter, and Alphabet in front of the Senate getting peppered, I thought that was interesting. We followed those guys pretty deeply. They got hammered, like what's going on, how could you let this happen? Not that it was national security, but it was a major FUD campaign going on on those platforms. That's data, right, so it wasn't necessarily hacked, per se. Great stuff, Byron, thanks for joining us here on The Cube, appreciate it. And your website is lastwatchdog.com. >> Yes. >> Okay, lastwatchdog.com. Byron Acohido here inside The Cube. I'm John Furrier, Dave Vellante, we'll be back with more live coverage after this short break.

Published Date : Nov 6 2017


Cricket Liu, Infoblox | CyberConnect 2017


 

>> Announcer: Live from New York City It's TheCube. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> It got out of control, they were testing it. Okay, welcome back everyone. We are here live in New York City for CyberConnect 2017. This is Cube's coverage is presented by Centrify. It's an industry event, bringing all the leaders of industry and government together around all the great opportunities to solve the crisis of our generation. That's cyber security. We have Cricket Liu. Chief DNS architect and senior fellow at Infoblox. Cricket, great to see you again. Welcome to theCUBE. >> Thank you, nice to be back John. >> So we're live here and really this is the first inaugural event of CyberConnect. Bringing government and industry together. We saw the retired general on stage talking about some of the history, but also the fluid nature. We saw Jim from Aetna, talking about how unconventional tactics and talking about domains and how he was handling email. That's a DNS problem. >> Yeah, yeah. >> You're the DNS guru. DNS has become a role in this. What's going on here around DNS? Why is it important to CyberConnect? >> Well, I'll be talking tomorrow about the first anniversary, well, a little bit later than the first anniversary of the big DDoS attack on Dyn. The DNS hosting provider up in Manchester, New Hampshire. And trying to determine if we've actually learned anything, have we improved our DNS infrastructure in any way in the ensuing year plus? Are we doing anything from the standards, standpoint on protecting DNS infrastructure. Those sorts of things. >> And certainly one of the highlight examples was mobile users are masked by the DNS on, say, email for example. Jim was pointing that out. I got to ask you, because we heard things like sink-holing addresses, hackers create domain names in the first 48 hours to launch attacks. 
So there's all kinds of tactical things that are being involved with, let's say, domain names for instance. >> Cricket: Yeah, yeah. >> That's part of the critical infrastructure. So, the question is how, in DDoS attacks, denial-of-service attacks, are coming in in the tens of thousands per day? >> Yeah, well that issue that you talked about, in particular the idea that the bad guys register brand new domain names, domain names that initially have no negative reputation associated with them, my friend Paul Vixie and his new company Farsight Security have been working on that. They have what is called a -- >> John: What's the name of the company again? >> Farsight Security. >> Farsight? >> And they have what's called a Passive DNS Database. Which is a database basically of DNS telemetry that is accumulated from big recursive DNS servers around the internet. So they know when a brand new domain name pops up, somewhere on the internet because someone has to resolve it. And they pump all of these brand new domain names into what's called a response policy zone feed. And you can get for example different thresholds. I want to see the brand new domain names created over the last 30 minutes or seen over the last 30 minutes. And if you block resolution of those brand new domain names, it turns out you block a tremendous amount of really malicious activity. And then after say, 30 minutes if it's a legitimate domain name it falls off the list and you can resolve it. >> So this says you're doing DNS signaling as a service for new name registrations because the demand is for software APIs to say "Hey, I want to create some policy around some techniques to sink-hole domain address hacks." Something like that? >> Yeah, basically this goes hand in hand with this new system response policy zone which allows you to implement DNS policy. Something that we've really never before done with DNS servers, which that's actually not quite true. There have been proprietary solutions for it.
But response policy zones are an open solution that give you the ability to say "Hey I do want to allow resolution of this domain name, but not this other domain name". And then you can say "Alright, all these brand new domain names, for the first 30 minutes of their existence I don't want--" >> It's like a background check for domain names. >> Yeah, or like a wait list. Okay, you don't get resolved for the first 30 minutes, that gives the sort of traditional, reputational, analyzers, Spamhaus and SURBL and people like that a chance to look you over and say "yeah, it's malicious or it's not malicious". >> So serves to be run my Paul Vixie who is the contributor to the DNS protocol-- >> Right, enormous contributor. >> So we should keep an eye on that. Check it out, Paul Vixie. Alright, so DNS's critical infrastructure that we've been talking about, that you and I, love to riff about DNS and the role. What's it enabled? Obviously it's ASCII, but I got to ask you, all these Unicode stuff about the emoji and the open source, really it highlights the Unicode phenomenon. So this is a hacker potential haven. DNS and Unicode distinction. >> It's really interesting from a DNS standpoint, because we went to a lot of effort within the IETF, the Internet Engineering Task Force, some years ago, back when I was more involved in the IETF, some people spent a tremendous amount of effort coming up with a way to use allow people to use Unicode within domain name. So that you could type something into your browser that was in traditional or simplified Chinese or that was in Arabic or was in Hebrew or any number of other scripts. And you could type that in and it would be translated into something that we call Punycode, in the DNS community, which is an ASCII equivalent to that. The issue with that though, becomes that there are, we would say glyphs, most people I guess would say characters, but there are characters in Unicode that look just like, say Latin alphabet characters.
So there's a lowercase 'a' for example, in Cyrillic, it's not a lowercase 'a' in the Latin alphabet, it's a Cyrillic 'a', but it looks just like an 'a'. So it's possible for people to register names, domain names, that in their Unicode representation, look like for example, PayPal, which of course has two a's in it, and those two a's could be Cyrillic a's. >> Not truly the ASCII representation of PayPal which we resolve through the DNS. >> Exactly, so imagine how subtle an attack that would be if you were able to send out a bunch of email, including the links that said www.-- >> Someone's hacked your PayPal account, click here. >> Yeah, exactly. And if you eyeballed it you'd think Well, sure that's www.PayPal.com, but little do you know it's actually not the -- >> So Jim Ruth talked about applying some unconventional methods, because the bad guys don't subscribe to the conventional methods. They don't buy into it. He said that they change up their standards, is what I wrote down, but that was maybe their sort of security footprint. 1.5 times a day, how does that apply to your DNS world, how do you even do that? >> Well, we're beginning to do more and more with analytics DNS. The passive DNS database that I talked about. More and more big security players, including Infoblox are collecting passive DNS data. And you can run interesting analytics on that passive DNS data. And you can, in some cases, automatically detect suspicious or malicious behavior. For example you can say "Hey, look this named IP address mapping is changing really, really rapidly" and that might be an indication of let's say, fast flux. Or you can say "These domain names have really high entropy. We did an n-gram analysis of the labels of these". The consequence of that we believe that this resolution of these domain names, is actually being used to tunnel data out of an organization or into an organization.
So there's some things you can do with these analytical algorithms in order to suss out suspicious and malicious. >> And you're doing that in as close to real time as possible, presumably right? >> Cricket: That's right. >> And so, now everybody's talking about Edge, Edge computing, Edge analytics. How will the Edge affect your ability to keep up? >> Well, the challenge I think with doing analytics on passive DNS is that you have to be able to collect that data from a lot of places. The more places that you have, the more sensors that you have collecting passive DNS data the better. You need to be able to get it out from the Edge. From those local recursive DNS servers that are actually responding to the queries that come from say your smart phone or your laptop or what have you. If you don't have that kind of data, you've only got, say, big ISPs, then you may not detect the compromise of somebody's corporate network, for example. >> I was looking at some stats when I asked the IOT questions, 'cause you're kind of teasing out kind of the edge of the network and with mobile and wearables as the general was pointing out, is that it's going to create more service area, but I just also saw a story, I don't know if it's from Google or wherever, but 80% plus roughly, websites are going to have SSL HTTPS that they're resolving through. And there's reports out here that a lot of the anti virus provisions have been failing because of compromised certificates. And to quote someone from Research Park, and we want to get your reaction to this "Our results show", this is from University of Maryland College Park. "Our results show that compromised certificates pose a bigger threat than we previously believed, and is not restricted to advanced threats and digitally signed malware was common in the wild." Well before Stuxnet. >> Yeah, yeah. >> And so breaches have been caused by compromising certificates of actual authority.
So this brings up the whole SSL was supposed to be solving this, that's just one problem. Now you've got the certificates, well before Stuxnet. So Stuxnet really was kind of going on before Stuxnet. Now you've got the edge of the network. Who has the DNS control for these devices? Is it kind of like failing? Is it crumbling? How do we get that trust back? >> That's a good question. One of the issues that we've had is that at various points, CAs, Certificate Authorities, have been conned into issuing certificates for websites that they shouldn't have. For example, "Hey, generate a cert for me". >> John: The Chinese do it all the time. >> Exactly. I run www. Bank of America .com. They give it to the wrong guy. He installs it. We have I think, something like 1,500 top level certification authorities. Something crazy like that. Dan Kaminsky had a number in one of his blog posts and it was absolutely ridiculous. The number of different CAs that we trust that are built into the most common browsers, like Chrome and Firefox and things like that. We're actually trying to address some of those issues with DNS, so there are two new resource records being introduced to DNS. One is TLSA. >> John: TLSA? >> Yeah, TLSA. And the other one is called CAA I think, which always makes me think of a California Automotive Association. (laughter) But TLSA is basically a way of publishing data in your own zone that says My cert looks like this. You can say "This is my cert." You can just completely go around the CA. And you can say "This is my cert" and then you DNSSEC-sign your zone and you're done. Or you can do something short of that and you can say "My cert should look like this and it should have this CA. This is my CA. Don't trust any other one." >> So it's metadata about the cert or the cert itself. >> Exactly, so that way if somebody manages to go get a cert for your website, but they get that cert from some untrustworthy CA. I don't know who that would be.
>> John: Or a compromised-- >> Right, or a compromised CA. Nobody would trust it. Nobody who actually looks up the TLSA record because they'll go "Oh, Okay. I can see that Infoblox's cert that their CA is Symantec. And this is not a Symantec signed cert. So I'm not going to believe it". And at the same time this CAA record is designed to be consumed by the CAs themselves, and it's a way of saying, say Infoblox can say "We are a customer of Symantec or whoever" And when somebody goes to the cert and says "Hey, I want to generate a certificate for www.Infoblox.com", they'll look it up and say "Oh, they're a Symantec customer, I'm not going to do that for you". >> So it creates trust. So how does this impact the edge of the network, because the question really is, the question that's on everyone's mind is, does the internet of things create more trust or does it create more vulnerabilities? Everyone knows it's a surface area, but still there are technical solutions when you're talking about, how does this play out in your mind? How does Infoblox see it? How do you see it? What's Paul Vixie working on, does that tie into it? Because out in the hinterlands and the edge of the network and the wild, is it like a DNS server on the device. It could be a sensor? How are they resolving things? What is the protocol for these? >> At least this gives you a greater assurance if you're using TLS to encrypt communication between a client and a web server or some other resource out there on the internet. It at least gives you a better assurance that you really aren't being spoofed. That you're going to the right place. That your communications are secure. So that's all really good. IOT, I think of as slightly orthogonal to that. IOT is still a real challenge. I mean there is so many IOT devices out there. I look at IOT though, and I'll talk about this tomorrow, and actually I've got a live event on Thursday, where I'll talk about it some more with my friend Matt Larson.
>> John: Is that going to be here in New York? >> Actually we're going to be broadcasting out of Washington, D.C. >> John: Were you streaming that? >> It is streamed. In fact it's only streamed. >> John: Put a plug in for the URL. >> If you go to www.Infoblox.com I think it's one of the first things that will slide into your view. >> So you're putting it onto your company site. Infoblox.com. You and Matt Larson. Okay, cool. Thursday event, check it out. >> It is somewhat embarrassingly called Cricket Liu Live. >> You're a celebrity. >> It's also Matt Larson Live. >> Both of you guys know what you're talking about. It's great. >> So there's a discussion among certain boards of directors that says, "Look, we're losing the battle, we're losing the war. We got to shift more on response and at least cover our butts. And get some of our response mechanisms in place." What do you advise those boards? What's the right balance between sort of defense perimeter, core infrastructure, and response. >> Well, I would certainly advocate as a DNS guy, that people instrument their DNS infrastructure to the extent that they can to be able to detect evidence of compromise. And that's a relatively straightforward thing to do. And most organizations haven't gone through the trouble to plumb their DNS infrastructure into their, for example, their SIEM infrastructure, so they can get query log information, they can use RPZs to flag when a client looks up the domain name of a known command and control server, which is a clear indication of compromise. Those sorts of things. I think that's really important. It's a pretty easy win. I do think at this point that we have to resign ourselves to the idea that we have devices on our network that are infected. That game is lost. There's no more crunchy outer shell security. It just doesn't really work. So you have to have defensive depth as they say. >> Now servs has been around for such a long time.
It's been one of those threats that just keeps coming. It's like waves and waves. So it looks like there's some things happening, that's cool. So I got to ask you, CyberConnect is the first real inaugural event that brings industry and some obviously government and tech geeks together, but it's not Black Hat or ETF. It's not those geeky forums. It's really a business community coming together. What's your take of this event? What's your observations? What are you seeing here? >> Well, I'm really excited to actually get the opportunity to talk to people who are chiefly security people. I think that's kind of a novelty for me, because most of the time I think I speak to people who are chiefly networking people and in particular that little niche of networking people who are interested in DNS. Although truth be told, maybe they're not really interested in DNS, maybe they just put up with me. >> Well the community is really strong. The DNS community has always been organically grown and reliable. >> But I love the idea of talking about DNS security to a security audience. And hopefully some of the folks we get to talk to here, will come away from it thinking oh, wow, so I didn't even realize that my DNS infrastructure could actually be a security tool for me. Could actually be helpful in any way in detecting compromise. >> And what about this final question, 'cause I know we got a time check here. But, operational impact of some of these DNS changes that are coming down from Paul Vixie, you and Matt Larson doing some things together, What's the impact of the customer and they say "okay, DNS will play a role in how I roll out my architecture. New solutions for cyber, IOT is right around the corner." What's the impact to them in your mind operationally. >> There certainly is some operational impact, for example if you want to subscribe to RPZ feeds, you've got to become a customer of somebody who provides a commercial RPZ feed or somebody who provides a free RPZ feed.
You have to plumb that into your DNS infrastructure. You have to make sure that it continues transferring. You have to plumb that into your SIEM, so when you get a hit against an RPZ, you're notified about it, your security folks. All that stuff is routine day to day stuff. Nothing out of the ordinary. >> No radical plumbing changes. >> Right, but I think one of the big challenges in so many of the organizations that I go to visit, the security organization and the networking organization are in different silos and they don't necessarily communicate a lot. So maybe the more difficult operational challenge is just making sure that you have that communication. And that the security guys know the DNS guys, the networking guys, and vice versa. And they cooperate to work on problems. >> This seems to be the big collaboration thing that's happening here. That it's more of a community model coming together, rather than security. Cricket Liu here, DNS, Chief Architect of DNS and senior fellow of Infoblox. The legend in the DNS community. Paul Vixie amongst the peers. Really that community holding down the fort I'll see a lot of exploits that they have to watch out for. Thanks for your commentary here at the CyberConnect 2017 inaugural event. This is theCUBE. We'll be right back with more after this short break. (techno music)

Published Date : Nov 6 2017


Junaid Islam, Vidder | CUBE Conversation with John Furrier Segment 2


 

(the Cube jingle) >> Hello, welcome to the CUBEConversation here in Palo Alto, California in theCUBE Studios. I'm John Furrier, the co-host of the CUBE and co-founder of SiliconANGLE Media. Junaid Islam is president and CTO of Vidder, supports the public sector as well as the defense community as well as other perimeterless oriented security paradigms, expert in the field, also part of up and coming Vidder that's doing a lot of work in the area. Thanks for sharing your time here with us. >> Well thanks for having me. >> We had a segment earlier on cyber security in the government so that was phenomenal but also we talked about the impact of hacking on business. So the number one issue on the board room agenda is security. >> Yeah. >> Data, security, it's all, it's a big data problem, it's an AI opportunity. Some things that are coming out is embryonic early shifts. Security is a challenge. The old model of the firewall, a moat, doors, access, you get in, then you're done. It's over, it's a perimeterless world. People can get access to these networks. Security is screwed right now. Everyone kind of generally feels that. So the question for you is in the enterprise and in businesses who are looking to shore up security, is it a do-over? >> Yeah, yeah, I think, like other industries, whether you talk about-- >> Yeah, so that's a yes? >> The PBS-- Yes, yes. >> Yes, it's a do-over. >> This is where you're talking about computers shifting to the data center and then the cloud, I think last year, or I think this year, Gartner said 100 billion will be spent on security. I cannot believe anybody who is involved in that 100 billion dollar expenditure is happy. In fact, we have something interesting. Security expenditure has risen consistently over the past five or six years. And cyber attacks have also risen consistently. That's not the kind of correlation you want. >> Yeah, they'll buy anything that moves basically. They're desperate-- >> That's correct. 
>> So it seems like they're like drunken sailors. Just like, "Give me something." They're like thirsty for solution so they're groping for something. >> Yeah, what we're seeing is a couple of things. One is the attackers have gotten much more sophisticated and they basically can bypass all of the existing security appliances. So what we need is a new approach or a new security stack that really fits both the architectural environment of American companies where they use clouds and data centers, and they have employees and contractors, but also cyber attacks which have gotten much more sophisticated. And the classic cyber attack used to be connecting to the server remotely or stealing a password. We still have the classics but we have some new ones where we have malware that can actually go from the user's device to inside the network. And you find that existing security products just don't work well in this environment. And so it'-- >> So what is in the do-over ideas. Obviously malware, we see it. Ransomware is super hot, the HBO example recently. They didn't give in, who knows what they actually did. They weren't public about it but I'm sure they did maybe give a little bit in. But these are organized businesses. >> Yeah. >> Right? They're targeting... The Sony hack's well documented, but again, businesses have not always funded this. And then you got the move to the clouds. Couple dynamics. Cloud computing. Amazon's done extremely well, they're leading now getting a lot more in the enterprise. They won the CIA deal a few years ago over IBM. >> Yeah. >> And you've seen a lot, GovCloud rockin' and rollin'. And then you got the on-premise data center challenges. So that's the situation of the customer. But then now you have potentially an understaffed security force. >> Well, actually it's so. I think let's start with that point in terms of our theme of a do-over. Talk about that first-- >> Yeah, all right. >> Then let's talk the techno part. 
I think one do-over that America needs is security has to move out of the IT department and become a standalone department reporting ideally to the executive staff, if not being on it. I think one of the unfortunate things is because security is a cost center within IT it competes with other IT expenditures such as new applications which are revenue generating. It's very hard to be a cost center asking for money when there's a guy sitting next to you who's doing something to make money. But unfortunately, unless security is properly funded and staffed, it never happens. And this unfortunately is a chronic issue through all U.S. companies. One of the things we've seen that has worked, for example, in the financial world, is most financial institutions, probably all, now security is a peer organization to IT and that helps a lot. This is actually not a new idea. This was something the intelligence community probably started 15 years ago. >> And the cost structure-- >> Yeah. >> Is just a cost structure. >> Reduce the cost as-- >> Yeah. >> As the optimization behavior. What you're saying is just like Apple cases are tied to top line revenue, which gives them power-- >> Yeah. >> And mojo, you got-- >> Security. >> You got to think of security as a money saving table stake. >> That's right. >> People are losing money. The costs are now becoming obvious. >> Yeah. >> And in some cases crippling. >> Yes, so I think people need to think of security as fundamental to the life of a company, number one. I think the other thing that needs to happen from a security perspective, now that we've broken off this entity, is that security needs to become threat based or risk based. Too much of a merit security in the United States is based on compliance models. Unfortunately cyber attackers do not follow that model when they want to attack us. They basically work outside the model and come up with creative ways to get inside-- >> Yeah. >> Of organization. 
>> And basically blindside-- >> That's right. >> bleeding the companies. >> Yeah, so I can't tell you how many meetings, probably all, where I meet the security team and they're totally busy just going through this list of 20 or 50 things they're supposed to do. So when you talk about attack vectors, they say, "You know that's really great and I know it's important but we can't get to it." So this is another important shift organizationally. First break it out, second get focus on something that's important. >> Yeah. >> Once we have that, we get to the next part, which is technologies, and right now what happens is people buy a security point product for different networks; one for data center, one for cloud, and this doesn't work. So I think we have to move to security solutions that can work across hybrid environments and can also work across different roles. I think that is kind of critical. Unless we get that in technically, I-- (laughs) >> Yeah, and this is the dynamic with cloud and the data center. I want to bring this up. I had multiple chances to sit down with Andy Jassy who's the CEO of Amazon Web Services. Fantastic executive, built a great business there. What's on his mind and what's been important for him for many years has been security. And Amazon has done an amazing job with security. But that's in the cloud. Now, Andy Jassy and Amazon thinks everyone should be in the public cloud. >> Yeah. >> Now they have a deal with VMware but they're just powering VMware's OnPrem in their cloud. It's not really their... VMware issue, but Amazon's world is everything's in the public cloud. But they've done really, really good on security. But yet most of the buyers would say, "Hey, the cloud is unsecure, I can't trust it." So you have the dynamic between the data center on premise resource. 
So people kind of default to the behavior of I'm leaving everything on premise or I'm only putting a little on the cloud, a little bit of workloads here, a little bit in the Microsoft. Google's got some, I'll kick the tires on Google. But they're never really leaving the home base of the data center. >> Yeah. >> But yet some are arguing, and Dave Vellante my co-host on theCUBE talks about this all the time, there's actually more scale in the cloud, more data sharing going on in the cloud-- >> Yeah. >> And that the cloud actually has got better security. >> Yeah. >> So how do you see that resolving because this is a key architectural opportunity and challenge for enterprises. >> So I actually, I think there's an optimal model which is if you think about what the data center gives you, it gives you a lot of visibility and physical control, as in with your hands. The problem is when you put everything in the data center you don't have enough people to manage it all properly. The cloud on the other hand gives you a lot of scale but you can't actually touch the cloud. So the optimal mix is, imagine your encryption and access control solutions live in your data center but what they control access to is to cloud resources. So you can actually... If you just open your mind conceptually, as-- >> So instead of saying... It's like segmenting a network, you're segmenting capability. >> That's right. So now you don't need a gigantic data center because what's in your data center which can be a lot smaller now, are things like your identity based access management solution, you can keep your cryptographic elements, you can have your HSM, things that generate random numbers and certs there. But now this is, actually can be very tiny. It could just be a rack of gear. >> Yeah. >> But through that rack of gear, you can have very fine control of people accessing cloud resources. 
And I think this idea of building, it's not so much a hybrid network, but it's a notion that a small physically locked down asset can control a lot of virtual assets is gaining mind share in the banking world. In fact, just this summer there was a bank that implemented such an architecture where the control elements for the cloud when their FFIEC data center and it include... It basically managed access to Amazon VPCs and it worked well. >> So interlocking is a strategy, I can see that playing-- >> Yeah. >> And by the way I can see that playing very well. So I got to ask the next question which kind of comes to mind as, that sounds great-- >> Yeah. >> On paper, or actually in certain situations, it might be perfect. But what about the geopolitical landscape because Amazon has people that develop on the cloud that aren't U.S. citizens. >> Yeah. >> So the government might say, "Wait a minute. You got to only employ Americans." So they got to carve out and do some whatever weird things with the numbers to get the certification. But they need data centers in Germany because the German government wants certain things. So you have geopolitical issues now on the companies. How does that affect security because now a cloud like Amazon or a multi-national company has two things going on. I had multiple offices and I've been operating in multiple geopolitical landscapes with these regional centers, the regional cloud, or on Amazon they're called regions. >> Yeah. >> Or zones. >> So actually Amazon actually has done a great job. They basically have their global market but they also have data centers now which are only open to U.S. persons and U.S. companies like GovCloud as well as they support C2S which is the intelligence community's black cloud, which is basically off net. So I think now-- >> So they're doing a good job, you think? >> Yeah, they're doing a good job. But the key thing is how you use that resource is really still up to the enterprise. 
And that's where enterprises have to get good at creating the architecture and policies to be able to harness Amazon's kind of compute capacity. Amazon can, it's kind of the foundation but you really have to finish off the solution. And the other thing, going back full circle to your first question, unless the security team has the freedom and the mandate to do that, they'll actually never get there. >> So it's staffing and architecture-- >> That's right. >> Well they're both architectural. It's just one's organizational architecture and funding and one is more of a hard core virtual and physical touching and understanding. >> Yeah, and you know what I'd put in the middle? I'd say know your risks and then develop countermeasures to them. Because if you go to that security team and you say you have to build a countermeasure for every attack, that's not going to work either. A company has to be realistic is what is really important (laughs) and maybe it's the data of our customers. (laughs) >> So the answer to the first question then, obviously is yes. >> Yeah. >> A security do-over is needed but there's no silver bullet. You can't buy an application. It's an architectural framework, holistically. >> That's right. >> That everyone has to do. Okay, cool. So the question I have on the Amazon, I want to get your thoughts on this because the debate we have all the time on theCUBE is, and certainly Amazon has competitors that say, "Oh, Amazon's really not winning in the enterprise." They got thousands of enterprise customers. They are winning in the enterprise so Oracle's catching up, barely in fourth place, but trying to get there. And they're actually making that transformation, looking pretty good, we'll have more analysis on that Oracle OpenWorld. But Amazon has won great GovCloud deals. >> Yes. >> So they've kind of convinced the government that they could do it. >> Yeah. >> To me that's... 
My argument is if the government's winning with Amazon, it should be a no brainer (laughs) for the enterprises. So this comes back down to the number one question that's been, quote, holding back cloud growth. Whoa, security, I don't want to put it in the cloud. How real is that objection now? 'Cause knee jerk reaction is, "You know what, I got it OnPrem, I don't trust the cloud." But it seems like the cloud is getting more trust. What's your thoughts on that on changing? >> Yeah, actually, so one of the things is even though we use the word cloud kind of generically or Amazon generically, Amazon has evolved a lot in the last three to four years that I've been working on it. The number of embedded tools on Amazon is vast now. If we were having this conversation two years ago the notion that granular encryption modules would be there in Amazon as a part of an offering, it would've been science fiction. Or the fact that-- >> More than S3 and EC2. What else could they do? (laughs) >> That's right, or they have things like virtual HSM, they have embedded identity access control tools all there. So I think, first of all, all of the building blocks that you would want are there. Now unfortunately there's no shortcuts. Amazon's not going to do the work for you. You still need a staff that knows how to use digital certificates. You still need your own identity based access control system to manage access of your employees and contractors and people in India to these assets in the cloud. But having said that, we now actually have a model that is much cheaper than the classic data center model that's basically usable. >> I'm smirking because some people think I'm an Amazon Web Services fanboy but besides the fact that I love the company, they've done well and there's so many new services. >> Yeah. >> And they've literally been skating rings around the competition. >> Yeah. 
>> If you look at the complexity that they've been dealing with and the innovation, so I'll put that out there, a little bit biased because I think they're doing a great job, but now the game starts to shift. As Amazon continues to add more services welcome to the big leagues called the enterprise and government which they're doing some business in now. So the question is, besides Amazon, there's other guys. >> Yeah. >> Verizon, the telcos have been really trying to figure out what to do with over the top for years. (laughs) Now they're also powering a lot of multi-tenant workloads as well including their own stuff. >> Yeah. >> So Telco and service providers out there, what are they doing because they're still critical infrastructure around the world? >> So actually I think if we just use Amazon as a reference point or example, Amazon initially didn't worry about security but then over the last few years, worked hard to integrate security into their offering. We're now in the early stages of seeing that from, for example carriers like Verizon, where in the past Verizon was saying first secure yourself then in the last two years, Verizon said, "Okay, here's some products and services you can buy." Now where we're heading is what they're trying to make the network inherently secure. A lot of the basic components like device matching to identity matching, basically-- >> Yeah. >> Making that a part of the underlying fabric. So I think the good news is as-- >> So they're making advances there? >> Yeah. >> Well they have networks. >> Yeah. >> They know networking. >> Yeah, so the good news is as bleak as this all seems, we are making significant progress as an industry and as a country. Having said that, my only warning is you still need an executive team, a security team that knows how to leverage all of these components and pull them together. And that goes back to having a risk based approach and protecting the most important things. 
And I think if you can do that, I think the tool set that's come out now is actually pretty sophisticated. >> So final question, I want to get your thoughts and we can end this segment and then we'll talk a little bit about Vidder and your company. But I asked Pat Gelsinger, CEO of VMware, at VMworld just recently about the security do-over. Because Dave Vellante asked him years ago. >> Yeah. >> He said, "Absolutely, there's going to be a do-over!" So Pat Gelsinger is right again. The guy's like Nostradamus when it comes to tech trends. He's a wave guy from Intel so he gets the waves. But I asked him about that question again this year and I'll send the clip on Twitter. I'll put it out on Twitter, I'll make a link to it. He said that 5G is going to be the big kahuna of the next 30 years and he thinks that 5G starts to get out it's going to deliver 10 X number of antennas, 100 extra bandwidth, new spectrum allocations, 100 X new devices, that are all going to be connected as well. As you mentioned we're a connected world. This brings up the edge of the network he says, "Next five years is going to... Next 30 years is going to be a massive build out." >> Yeah. >> So okay, 5G is coming. Industrial IOT, IOT, the Internet of Things is happening. How is this going to change the security game? Because now you have networking and you see VMware doing NSX and Cisco's been trying to get to the enterprise figuring out the virtualization on a network level. Everything comes back down to the network. Is that where the action is because it seems to me that the network guys have to figure this out and that seems to be the point of reference of the terms of opportunity or is it a challenge or is it moving up the stack? How does all the networking changes happen? >> So for IOT we really need two things to happen. I think one is we actually don't have a security standard for IOT devices and specifically the issue is malware. IOT devices and their software is made worldwide. 
And I think one of the biggest policy weaknesses we have right now is there's no minimum standard. This needs to be solved otherwise we're in a lot problem. But in parallel to that, there is a lot of technical development. One of the things that's happening in the networking world is for the past 20 years we were driven by what's called a network VPN, or layer three VPN, it's your classic VPN that connects a device to a server. The problem with that is if you have malware on the device it gets through. So there's this new kind of VPN which is an application VPN, or we call it a layer four, which is basically a software process in the device to a software process in a server. So that's kind of the new model which is-- >> So make the network as dumb as possible and go up the stack and attack it? >> Yeah, well not so much-- >> Well I'm oversimplifying-- >> Or reaction-- >> The network guys are going to roll in the-- >> I was going to use a different term. I was going to say make the-- >> The dumb pipes. >> Make the network application aware so that it only lets applications get through not any kind of connection. So I think that is something happening. >> Well the networks have to be smarter. >> Yeah, so-- >> That enable the smartness. >> So smarter networks are happening and it's an area that I work in, it's very exciting. >> I don't mean to offend you by saying dumb network. >> Yeah, but the application... To be clear though, that's just one piece of the puzzle. The other piece of the puzzle, which unfortunately is a little bit lacking, is there's no standards for IOT software today. >> Yeah. >> And unless we have concepts like secure boot that is the software can't be tampered with, I think unfortunately there's a bit of risk. But I'm hopeful-- >> And then IOT, for the folks watching that might not be in the inside baseball know it's a surface area problem. There's more points of attack-- >> Yeah. >> Vectored. So we're talking about the compliance thing. 
>> Not only are there more attacks, by and large IOT devices are made outside the United States. Physically they're made in China and a lot of the software comes from India and there's nothing wrong with that but the global supply chain provides plenty of opportunities for cyber attackers to inject in their code. >> Yeah. >> And this is something we need to watch very carefully and then like I said-- >> So this is actually one of those weird derivative results of outsourcing. >> Yeah. >> That American companies have realized that it's a problem. >> Yeah. So it's-- >> Is that right? >> Yeah so it's something we need to watch carefully. >> Okay, thanks for coming on theCUBE. >> Thank you. >> We really appreciate you sharing your perspectives. Tell me what Vidder, you're president and CTO, you guys are in the security business, obviously you're an expert. With great call we'll have you back on multiple times. We'd love to get your commentary as we follow all the security trends. We have a Cyber Connect Conference with Centrify-- >> Yeah. >> Coming up in New York. We're covering GovCloud, AWS, and all the other players out there. What's Vidder doing? What's the company do for products? How do you guys sell, who's your customers, and what are the cool things you're doing? >> We've developed an access control solution based on a new standard called Software Defined Perimeter. And there's two things that are unique about it. First with a name like, technology is like Software Defined Perimeter, we work in the cloud in the data center but more importantly we're able to stop existing attacks and emerging attacks. So things like password theft, credential theft, or server exploitation, we stop because we don't allow connections from unknown devices or people. But the other thing is say you're known and you connect to a server, we basically look inside your laptop and only allow the authorized process to connect to the server. 
So if there's malware on the device it can actually make it through. >> So it's just on the malware? >> That's right. >> If you want to sneak through-- >> That's right. >> You're going to shut that down. >> We can't stop the malware from getting on the device but we can make sure it doesn't get to the other side. >> So it doesn't cross-pollinate. >> Yeah, yeah. >> It doesn't go viral. >> That's right. So a lot of the stuff we do is very important. We work with a range of big-- >> You have government, obviously, contracts. >> Yeah, we-- >> I'm sure you have, that you can't talk about, but you do, right? >> We do a little bit of work with the government and we're just working with Verizon which is public, where they wish to create services where malware actually can't go through the connections. So we're doing exciting stuff and we're-- >> Enterprise customers at all? >> Yeah, yeah. We have banks-- >> People who are on high alert. >> That's right, yeah. >> You guys are the tier one. >> That's right. >> Where if the houses are burning down-- >> Yeah. >> You're there. >> So we do banks and we just started doing work at a hospital where, again, it's HIPAA compliant and they need to make sure that data doesn't leave the hospital. So what's the number one thing that you guys have? Is Ransomware something that you solve? What areas do you guys... Being called in? What's the big fire bell, if you will, they ring the bell, when do you come in? What's the thing? Just in general or? >> Our number one reason for existing is stopping attacks on application servers or servers that hold data. That's kind of our focus so if you have data or an application that someone is after, we will make sure that nobody gets to that data. In fact we'll even make sure if there's a spy or insider attacker who comes into your organization they'll only be able to do what they're allowed to do and won't be able to do anything else. 
>> So on the Equifax news that was big, would you guys help there if they were a customer or is that just a different thing? >> No, we could've helped because one of the things that happened is they used a server exploit to basically propagate through their data center. So we probably wouldn't have done much on the initial exploit but we would've kept it from going deeper into the system. >> And they hid for four months and they were poking around so you would've detected them as well. >> Yeah, we certainly would've stopped all the poking around because we basically... You can think of us as identity based access control mechanism so based on your identity you can only do very specific things. And in their case, they had the identity of the user. We wouldn't have let them do anything except maybe just go to one website. >> Yeah, you would shut them down manually. >> That's right. >> They should've been doing business with Vidder. Junaid thank you for coming on theCUBE here for the CUBEConversation. In Palo Alto, California I'm John Furrier with the CUBEConversation. Thanks for watching. (the Cube jingle)

Published Date : Sep 21 2017


The State of Cybersecurity with Tom Kemp and Parham Eftekhari


 

(clicking noise) >> Hello, I'm John Furrier, SiliconANGLE Media, co-host of theCUBE. We are here on the ground in, here in Santa Clara, California, Centrify's headquarters, with Tom Kemp, the CEO of Centrify, and Parham Eftekhari, who's the co-founder and senior fellow of ICIT, which is the Institute of Critical Infrastructure Technologies, here to talk about security conversation. Guys, welcome to theCUBE's On the Ground. >> Thank you. >> Great to be here. >> Great to see you again, Tom. >> Yeah, absolutely. >> And congratulations on all your success. And Parham, GovCloud is hot. We were just in D.C. with Amazon Web Services Public Sector Summit. It's gotten more and more to the point where cyber is in the front conversation, and the political conversation, but on the commercial side as well. There's incidents happening every day. Just this past month, HBO, Game of Thrones has been hijacked and ransomed. I guess that's ransom, or technically, and a hack. That's high-profile, but case after case of high-profile incidents. >> Yeah, yeah. >> Okay, on the commercial side. Public sector side, nobody knows what's happening. Why is security evolving slow right now? Why isn't it going faster? Can you guys talk about the state of the security market? >> Yeah, well, ya know, I think first of all, you have to look at the landscape. I mean, our public and private sector organizations are being pummeled every day by nation states, mercenaries, cyber criminals, script kiddies, cyber jihadists, and they're exploiting vulnerabilities that are inherent in our antiquated legacy systems that are put together by, ya know, with a Frankenstein network as well as devices and systems and apps that are built without security by design. And we're seeing the results, as you said, right? We're seeing an inundation of breaches on a daily basis, and many more that we don't hear about. 
We're seeing weaponized data that's being weaponized and used against us to make us question the integrity of our democratic process and we're seeing, now, a rise in the focus on what could be the outcome of a cyberkinetic incident, which, ultimately, in the worst case scenario, could have a loss of life. And so I think as we talk about cyber and what it is we're trying to accomplish as a community, we ultimately have a responsibility to elevate the conversation and make sure that it's not an option, but it is a priority. >> Yeah, no, look, I mean, here we are in a situation in which the industry is spending close to 80 billion dollars a year, and it's growing 10 percent, but the number of attacks are increasing much more than 10 percent, and as Parham said, you know, we literally had an election impacted by cyber security. It's on the front page with HBO, et cetera. And I really think that we're now in a situation where we really need to rethink how we do security in, as enterprises and as even individuals. >> And it seems, talking about HBO, talking about the government, you mentioned, just the chaos that's going on here in America, you almost don't know what you don't know. And with the whole news cycle going on around this, but this gets back to this notion of critical infrastructure. I love that name, and you have in your title 'ICIT,' Institute of Critical Infrastructure, because, ya know, and certainly the government has had critical infrastructure. There's been bridges, and roads, and whatnot, they've had the DNS servers, there's been some critical infrastructure at the airports and whatnot, but for corporations, the critical infrastructure used to be the front door. And then their data center. Now with cloud, no perimeter, we've talked about this on theCUBE before, you start to change the notion of what critical infrastructure is. So, I guess, Parham, what does critical infrastructure mean, from a public and commercial perspective? 
Tell me, you can talk about it. And what's the priorities for the businesses and governments to figure out what's the order of operations to get to the bottom of making sure everything's secure? >> Yeah, it's interesting, that's a great question, you know, when most people think about critical infrastructure as legacy technology, or legacy's, you know, it's roads, it's bridges, it's dams. But if you look at the Department of Homeland Security, they have 16 sectors that they're tasked with protecting. Includes healthcare, finance, energy, communications, right? So as we see technology start to become more and more ingrained in all these different sectors, and we're not just talking about data, we're talking about ICS data systems. A digital attack against any one of these critical infrastructure sectors is going to have different types of outcomes, whether you're talking about a commercial sector organization, or the government. You know, one of the things that we always talk about is really the importance of elevating the conversation, as I mentioned earlier, and putting security before profits. I think, ultimately, we've gotten to this situation because a lot of companies do a cost-benefit analysis, say, "You know what? I may be in the healthcare sector, and ultimately it'll be cheaper for me to be breached, pay my fines, and deal with potentially even the loss to brand, to my brand, in terms of brand value, and that'll be cheaper than investing what I need to to protect my patients and their information." And that's the wrong way to look at it. I think now, as we were talking about this week, the cost of all this is going higher, which is going to help, but I think we need to start seeing this fundamental mind-shift in how we are prioritizing security, as I mentioned earlier. It's not an option, it must be a requisite. 
>> Yeah, I think what we're seeing now, is in the years past, the hackers would get at some bits of information, but now we're seeing with HBO, with Sony, they can strip mine an entire company. >> They put them out of business. >> Exactly. >> The money that they're doing with ransomware, which is a little bit higher profile, ransomware, I mean, there's a specific business outcome, here, and it's not looking good, they go out of business. >> Oh, absolutely, and so Centrify, we just recently sponsored a survey, and nowadays, if you announce that you got breached, and you have to, now. It's 'cause you have to tell your shareholders, you have to tell your customers. Your stock drops, on average, five percent in a day. And so we're talking about billions of dollars of market capitalization that can disappear with a breach as well. So we're beyond, it's like, "Oh, they stole some data, we'll send out a letter to our customers, and we'll give 'em free Experian for a year," or something like that. Now, it's like, all your IP, all the content, and John, I think you raised a very good point, as well. In the case of the federal government, it's still about the infrastructure being physical items, and of course, with Internet of Things, since now it's connected to the internet, so it's really scary that a bridge can flip open by some guy in the Ukraine or Russia fiddling with it. But now with enterprises, it's less and less physical, the store, and we're now going through this massive shift to the cloud, and more and more of your IP is controlled and run. It's the complete deperimeterization that makes things ever more complicated. >> Well it's interesting you mentioned the industrial aspect of it, with the bridge, because this is actually a real issue with self-driving cars, this was on everyone's mind, we were just covering some content, covering Ford's event yesterday in San Francisco. They got this huge problem. Ya know, hacking of the cars. 
So, industrial IoT opens up, again, the surface area, but this kind of brings the question down to customers, that you guys have or companies or governments. How do they become resilient? How do they put steps in place? Because, you know, I was just talking to someone who runs a major port in the U.S., and the issues there are maritime, right? So you talk about infrastructure, container ships, obviously worry about terrorists and other things happening. But just the general IT infrastructure is neanderthal, it's like, 30 years old. >> Yeah. >> So you have legacy infrastructure, as you mentioned, but businesses also have legacy, so how do you balance where you are? How do you know the progress bar of your protection? How do you know the things you need to put in place? How do you get to resilience? >> Yeah, but see, I think there also needs to be a rethink of security. Because the traditional ways that people did it, was protecting the perimeter, having antivirus, firewalls, et cetera. But things have really changed and so now what we're seeing is that an entity has become the top attack vector going in. And so if you look at all these hacks and breaches, it's the stealing of usernames and passwords, so people are doing a good job of, the hackers are social engineering the actual users, and so, kind of a focus needs to shift of securing the old perimeter, to focusing on securing the user. Is it really John Furrier trying to access e-mail? Can we leverage biometrics in this? And trying to move to the concept of a zero-trust model, and where you have to, can't trust the network, can't trust the IP address, but you need to factor in a lot of different aspects. >> It's interesting, I was just following this blockchain because we've been covering a lot of the blockchains, immutable and encrypted, the wallets were targets. (laughing) Hey, this Greta the Wall, where they store the money. Now we own that encrypted data. 
So, again, this is the, hackers are fast, so, again, back to companies because they have to put if they have shareholder issues, or they have some corporate governance issues. But at the end of the day, it's a moving train. How does the government offer support? How do companies put it in place? What do they need to do? >> Yeah, well, there's a couple of things you can look at. First of all, you know, as a think tank, we're active on Capitol Hill, working with members of both minority and majority sides, we're actively proposing bipartisan legislation, which provides a meaningful movement forward to secure and address some of the issues you're talking about. Senator Markey recently put out the Cyber Shield Act, which creates a type of score, right? For a device, kind of like the ENERGY STAR in the energy sector. So just this week, ICIT put out a paper in support of an amendment by Senator Lindsey Graham, which actually addresses the inherent vulnerabilities in our election systems, right? So there's a lot of good work being done. And that really goes to the core of what we do, and the reasons that we're partnering together. ICIT is in the business of educating and advising. We put out research, we make it freely available, we don't believe in commoditizing information, we believe in liberating it. So we get it in the hands of as many people as possible, and then we get this objective research, and use it as a stepping stone to educate and to advise. And it could be through meetings, it could be through events, it could be through conversation with the media. But I think this educational process is really critical to start to change the minds of-- >> You know, if I can add to that, I think what really needs to be done with security, is better information sharing. And it's with other governments and enterprises that are under attack. 
Sharing that information as opposed to only having it for themselves and their advantage, and then also what's required is better knowledge of what are the best practices that need to be done to better protect both government and enterprises. >> Well, guys, I want to shift gears and talk about the CyberConnect event, which is coming up in November, an industry event. You guys are sponsoring, Centrify, but you guys are also on the ball, there's a brand new content program. It's an independent event, it's targeted to the industry, not a Centrify user group. Parham, I want to put you on the spot before we get to the CyberConnect event. You mentioned the elections. What's the general, and I'm Silicon Valley and so I had to ask the question 'cause you're in the trenches down in D.C. What is the general sentiment in D.C. right now on the hacking? Because, I was explaining it to my son the other day, like, "Yeah, the Russians probably hacked everybody, so technically the election fell into that market basket of hats." So maybe they did hack you. So I'm just handwaving that, but it probably makes sense. The question is, how real is the hacking threat in the minds of the folks in D.C. around Russia and potentially China and these areas? >> Yeah, I think the threat is absolutely real, but I think there has to be a difference between media, on both sides, politicizing the conversation. There's a difference between somebody going in and actually, you know, changing your vote from one side to the other. There's also the conversation about the weaponization of data and what we do know that Russia is doing with regards to having armies of trolls out there or with fake profiles, and are creating faux conversations and steering public sentiment of perception in directions that maybe wasn't already there. 
And so I think part of the hysteria that we see, I think we're fearful and we have a right to be fearful, but I think taking the emotion and the politics out of it, and actually doing forensic assessments from an objective perspective to understanding what truly is going on. We are having our information stolen, there is a risk that a nation state could execute a very high-impact, digital attack that has a loss of life. We do know that foreign states are trying to impact the outcomes of our democratic processes. I think it's important to understand, though, how are they doing it and is what we're reading about truly what's happening kind of on the streets. >> And that's where the industrial thing you were kind of tying together, that's the loss of life potential, using digital as an attack vector into something that could have a physical, and ultimately deadly outcome. Yeah, we covered, also that story that was put out, about the fake news infrastructure. It's not just the content that they're making up, it's actually the infrastructure fake news. Botnets, and whatnot. And I think Mike Rowe wrote a story on this, where they actually detailed, you can smear a journalist for 40K. >> Yeah. >> These are actually out there, that are billed for specifically these counter... Programs. >> As a service. You know, go on a forum on the Deep Web and you can contract these types of things out. And it's absolutely out there. >> And then what do you say to your average American friends, that you're saying, hey, having a cocktail with, you're at a dinner. What's going on with security? What do you say to them? You should be worried, calm down, no we're on it. What's the message that you share with your friends that aren't in the industry? >> Personally, I think the message is that, you know, you need to be vigilant, you need to, it may be annoying, but you do have to practice good cyber hygiene, think about your passwords, think about what you're sharing on social media. 
We'd also talk, and I personally believe that, some of these things will not change unless we as consumers change what is acceptable to us. If we stop buying devices or systems or apps based on the convenience that it brings to our lives, and we say, "I'm not going to spend money on that car, because I don't know if it's secure enough for me." You will see industry change very quickly. So I think-- >> John: Consumer behavior is critical. >> Absolutely. That's definitely a piece of it. >> Alright, guys, so exciting event coming up, theCUBE will be covering the CyberConnect event in November. The dates, I think, November-- >> Sixth and seventh. >> Sixth and seventh in New York City at the Grand Hyatt. Talk about the curriculum, because this is a unique event, where you guys are bringing your sponsorship to the table, but providing an open industry event. What's the curriculum, what's the agenda, what's the purpose of the event? >> Yeah, Tom. >> Okay, I'll take it, yeah. I mean, historically, like other security vendors, we've had our users' conference, right? And what we've found is that, as you alluded to, that there just needs to be better education of what's going on. And so, instead of just limiting it to us talking to our customers about us, we really need to broaden the conversation. And so that's why we brought in ICIT, to really help us broaden the conversation, raise more awareness and visibility for what needs to be done. So this is a pretty unique conference in that we're having a lot of CSOs from some incredible enterprise, as well as government. General Alexander, the former of the Cyber Security Command is a keynote, but we have the CSO of Aetna, Blue Cross involved, as well. So we want to raise the awareness in terms of, what are the best practices? What are the leading minds thinking about security? And then parallel, also, for our customers, we're going to have a parallel track where, if they want to get more product-focused technology. 
So this is not a Centrify event. This is an industry event, ya know. Black Hat is great, RSA is great, but it's really more at the, kind of the bits and bytes-- >> They're very narrow, but you are only an identity player. There's a bigger issue. What about these other issues? Will you discuss-- >> Oh, absolutely. >> Yeah, well-- >> Is it an identity or is it more? >> It actually is more, and this is one of the reasons, at a macro level, the work that we've done at Centrify, for a number of years now. You know, we have shared the same philosophy that we have a responsibility, as experts in the cyberspace, to move the industry forward and to really usher in, almost a cyber security renaissance, if you will. And so, this is really the vision behind CyberConnect. So if you look at the curriculum, we're talking about, you know, corporate espionage, and how it's impacting commercial organizations. We're talking about the role of machine-learning based artificial intelligence. We'll be talking about the importance of encrypting your data. About security by design. About what's going on with the botnet epidemic that's out there. So there absolutely will be a very balanced program, and it is, again, driven and grounded in that research that ICIT is putting out in the relationships that we have with some of these key players. >> So you institute a critical infrastructure technology, the think tank that you're the co-founder of. You're bringing that broader agenda to CyberConnect. >> That's correct, absolutely. >> So this is awesome, congratulations, I got to ask, on the thought leadership side, you guys have been working together. Can you just talk about your relationship between Centrify and ICIT? So you're independent, you guys are a vendor. Talk about this relationship and why it's so important to this event. >> Well, absolutely. I mean, look, as a security vendor, you know, a lot of, a big percentage of security vendors sell into the U.S. 
federal government, and through those conversations that a lot of the CSOs at these governments were pointing at us to these ICIT guys, right? And we got awareness and visibility through that. And it was like, they were just doing great stuff in terms of talking about, yes, Centrify is a leading identity provider, but people are looking for a complete solution, looking for a balanced way to look at it. And so we felt that it would be a great opportunity to partner with these guys. And so we sponsored an event that they did, Winter Summit. And then they did such a great job and the content was amazing, the people they had, that we said, "You know what? Let's make this more of a general thing and let's be in the background helping facilitate this, but let the people hear about this good information." >> So you figured out the community model? (laughs) No, 'cause this is really what works. You got to enable, you're enabling this conversation, and more than ever in the security system, would love to get your perspective on this, is that there's an ethos developing, has been developed. And it's expanding aggressively. Kind of opens doors on one side, but security's all about data sharing. You mentioned that-- >> Yeah, absolutely. >> From a hacking standpoint, that's more of a statutory filing, but here, the security space is highly communicative. They talk to each other, and it's a trust relationship, so you're essentially bringing an independent event, you're funding it. >> Yeah, absolutely. >> It's not your event, this is an independent event. >> Absolutely. >> Yeah, and so Tom said it very well, as an institute, we rely on the financial capital that comes in from our partners, like Centrify. And so we would be unable to deliver at a large scale the value that we do to the legislative community, to federal agencies, and the commercial sector, and the institute's research is being shared on NATO libraries and embassies around the world. 
So this is really a global operation that we have. And so when we talk about layered security, right, we're not into a silver bullet solution. A lot of faux experts out there say, "I have the answer." We know that there's a layered approach that needs to be done. Centrify, they have the technology that plays a part in that, but, even more important than that for us is that they share that same philosophy and we do see ourselves as being able to usher in the changes required to move everything forward. And so it's been a great, you know, we have a lot of plans for the next few years. >> Yeah, that's great work, you're bringing in some great content to the table, and that's what people want, and they can see who's enabling it, that's a great business model for everyone. I got to ask one question, though, about your business. I love the critical infrastructure focus and I like your value you guys are bringing. But you guys have this fellow program. Can you just talk about this, 'cause you're a part of the fellowship-- >> Yeah, absolutely. >> You're on a level, and I don't want to say credit 'cause you're not really going to get credit. But it's a badge, it's a bar. >> Yeah, yeah, no-- >> Explain the fellow program. >> That's a great question. At the institute, we have a core group of experts who represent different technology niches. They make up our fellow program, and so as I discussed earlier, when we're putting out research, when we're educating the media, when we're advising congress, when we're doing the work of the institute, we're constantly turning back to our fellow program members to provide some of that research and expertise. And sharing, you know, not just providing financial capital, but really bringing that thought leadership to the table. Centrify is a part of our fellows program, and so we've been working with them for a number of years. It's very exclusive and there's a process. You have to be referred in by an existing fellow program member. 
We have a lot of requests, but it really comes down to, do you understand what we're trying to accomplish? Do you share our same mission, our same values? And can you be part of this elite community that we've built? And so, you know, Centrify is a big part of that. >> And the cloud, obviously, is accelerating everything. You've got the cloud action, certainly, in your space, and we know what's going on in our world. >> Yeah, absolutely. >> The world is moving at a zillion miles an hour. It's like literally moving a train. So, congratulations, CyberConnect event in November. Great event, check it out, theCUBE will be there, we'll have live coverage, we broadcast, be documenting all the action and bringing it to you on theCUBE, obviously, (mumbles) John Furrier, here at Centrify's headquarters in California, in Silicon Valley, thanks for watching. (upbeat electronic music)

Published Date : Aug 30 2017

Cricket Liu, Infoblox | On the Ground


 

>> Hello, we are here On the Ground. This is theCUBE's On the Ground program at Centrify's Headquarters. We go to Cricket Liu, chief DNS officer at Infoblox. Been with the company from the beginning. Great to see you again. Wrote the book on DNS. What year was that? That was between DNS, was like, when I was born. >> Yeah, 1992. September 1992 was when it was published. >> Great to see you. We've done some podcasts together over the years. >> Yeah, good to see you too. >> DNS, now obviously global, ICANN's now global, it's part of the U.N., all different governance bodies, but it's certainly still critical infrastructure. >> Yeah, absolutely. >> Critical infrastructure is now the big conversation as the security paradigm has moved from data center to the Cloud, there's no perimeter anymore. >> Yeah. >> How is that changing the DNS game? >> Well, I think that folks are starting to realize how critical DNS is. In October of last year, we had that huge DDoS attack against Dyn, the big DNS hosting provider in New Hampshire and I think that woke a lot of folks up. A lot of folks realized, holy cow, these guys are not too big to fail as they say. Even though they have enormous infrastructure, widely distributed around the globe, they have such a concentrational power that a huge number of really, really popular web properties were inaccessible for quite some time, so I think that caused a lot of people to look at their own DNS infrastructure and to reevaluate it and say, well maybe I need to do something. >> Interesting about the stack wars that are going on, that attack, as we've lived through and you've been part of it as chief technical officer in many companies. DNS was always that part where it'd be secure but now you have blockchain, you have new kinds of infrastructure with mobile computing now over 10 years post iPhone. >> Yep, the critical moment. >> How has infrastructure changed, beyond DNS 'cause it still needs to work together? 
>> Yeah, well, it's funny because we do have all of these new types of devices. We do have new technologies. But a lot of things have remained the same. DNS is still the same. The remarkable thing is that the latest version in my book is 10 years old, actually 11 years old now, so it's older than the iPhone and people still buy it because the underlying theory is still the same. It hasn't changed. It's a testament, really, to the quality of the original design of DNS that it still works for anything and that it's scaled to serve a network as diverse and as large as the internet is today. >> What's your biggest observation, looking back over the past decade with DNS, about the emergence of virtual machines, now Cloud. Again, the game is still the same 'cause DNS is the plumbing and it provides a lot of the key critical infrastructure for the web and now mobile. What's the biggest observations that you've seen over the decade? >> Well I'd say one of the things that's happened over the last several years that's maybe the most important development in DNS is something that we call response policy zones. Up until now, DNS servers have just been sort of blithely complicit when it comes to, for example, malware. Malware wakes up on a device and it assumes that it has DNS available to it and it uses DNS, for example, to find a command and control server, maybe a drop server to exfiltrate data to. In the DNS server, even though it's being asked to look up the address record for CommandAndControlServer.Malware.Org, it just happily goes along with it. A few years ago, Paul Vixie, who I've known for a very long time, came up with this idea called response policy zones which is basically to imbue our DNS servers with resolution policy so that you can tell them, hey if you get a query for a domain name that we know is being used maliciously, don't answer it. Don't resolve it like you normally do. 
Instead, hand back a little white lie like that doesn't exist and moreover, log the fact that somebody looked it up because it's a good indication that they're infected. >> So bringing policy to DNS is really making it more intelligent. >> Yeah, that's right. >> And certainly as networks grow, I was just watching some of my friends setting up the wireless at Burning Man and the whole new change of how Wi-Fi is being deployed and how networks are being constructed is really coming down to some of the basic principles of DNS to route more, be responsive, and this is kind of a new change. >> Yeah, there's a lot going on in changes to the deployment of DNS. It used to be that most big companies ran all their own DNS infrastructure. At this point, I think most large companies don't bother running, for example, what we'd call their external authoritative DNS infrastructure. They give that to a big hosting provider to do, somebody like Dyn or Verisign or Neustar or somebody like that, so that's a big change. >> Cricket, I want to ask you about the CyberConnect Event going on in New York. Infoblox is involved. Security is paramount, so now an industry event. Centrify is the main sponsor. You guys are involved as a vendor, but it's not a vendor event, it's an industry event. It's a broad category. What's your thoughts on this kind of industry event? Usually in events it's been Black Hat or vendor events pushing their wares and selling their stuff but now security is global. What's your take on this event? >> Well, I'm hoping to be able to spend a little bit of time talking to folks who come to the event about DNS and how it can be used as a tool in their security tool chain. The folks who come to us as Infoblox to our events already know about DNS. They're already network administrators or they're responsible for DNS or something like that. 
My hope is that we can reach a broader audience through CyberConnect and actually talk to folks who maybe haven't considered DNS as a security tool. Who maybe haven't thought about the necessity to bolster their DNS infrastructure. >> One final question since we're on bonus material time. I've got to ask you about the global landscape. I mean, in my early days involved in DNS when I came was from the '98 to the 2000 time frame. International domain names were Unicode. That's not ASCII. So that technically wasn't DNS, but still, they were keywords. They had this global landscape in, say, China, that actually wasn't DNS so there's all these abstraction layers. Has anything actually evolved out of that trend of really bringing an abstraction layer on top of DNS and certainly now with the nation-states with security are issues, China, Russia, et cetera. How does all that play out? >> Well, international domain names have actually taken off in some areas. And basically it's as you say, you have the ability now to use Unicode labels in domain names in certain contexts, for example, if you're using your web browser you can type in a Unicode domain name and then what the web browser does is it translates it into an equivalent ASCII representation and then resolves it using DNS which is the traditional DNS that doesn't actually know about Unicode. There are actually some very interesting security implications to using Unicode. For example, people can register things that have Unicode, we would say, glyphs in them that look exactly like regular ASCII characters. For example, you could register paypal.com where the A's are actually lowercase A's in Cyrillic. It's not the same code point as an ASCII A. So it's visually. >> Great for hackers. >> Oh yeah. Visually indistinguishable from paypal.com in a lot of contexts and people might click on it and go to a page that looks like PayPal's. >> John: So it's a phishing dream. 
>> Yeah, really dangerous potentially and so we're working out some of the implications of that, trying to figure out, within, for example, web browsers, how do we protect the user from things like this? >> And a lot of SSL out there, now you're seeing HTTPS everywhere. Is that now the norm? >> Yeah, actually, within the internet engineering task force, the IETF, after it became obvious that state-sponsored-- >> John: Attacks. >> Eavesdropping. >> You were smiling. >> Was kind of the norm. >> Got to find the right word. >> Yeah, the IETF embarked on an effort called DPRIVE and DPRIVE is basically a bunch of individual tracks to encrypt basically every single part of the DNS channel, especially that between what we call a stub resolver and the recursive DNS server so that if you're a customer here in the United States and a subscriber to an ISP like Comcast or whomever, you can make sure that that first hop between your computer and the ISP is secured. >> We're getting down and dirty under the hood with Cricket Liu on DNS. I got to ask kind of up level to the consumer. One of the things that kind of pisses me off the most when I'm surfing the web is you see the browser doesn't resolve or you go hit someone's website, oh yeah, something.io, these new domain names, top level gTLDs are out there, .media, all these, and companies have firewalls or whatever their equipment is and it doesn't let it through. Because they're trying to protect the perimeter still, must be, I mean, what does that mean when companies aren't letting those URLs then, it is a firewall issue or is it more they're still perimeter based, they're not resolving it, they're afraid of malware? Somethings aren't resolving in? What does that mean? >> Well I think as often as not it's an operational problem. It could be just a misconfiguration on the part of the folks who are hosting the target website's DNS. It could be that. 
I don't know a lot of folks who-- >> So it's one of their policies or something, it's just kind of locking down. >> Could be that too. Or it could be, for example, that they have a proxy server and they're trying to limit access to the internet by category. Maybe it does categorization and filtering by-- >> Can you work on that? Can you write some code for that? Well thanks, great to see you, thanks for sharing this conversation here On The Ground at Centrify. >> You're welcome. >> And good luck with the CyberConnect Conference. >> Yeah, nice to see you too. >> Alright, I'm John Furrier with On The Ground here on theCUBE at Centrify's headquarters in Silicon Valley. Thanks for watching.

Published Date : Aug 22 2017

Wrap - Google Next 2017 - #GoogleNext17 - #theCUBE


 

>> Narrator: Live from Silicon Valley, it's theCUBE, covering Google Cloud, Next 17. >> Hey, welcome back everyone. We're here live in the Palo Alto Studios, SiliconANGLE Media, is theCUBE's new 4400 square foot studio, here in our studio, this is our sports center. I'm here with Stu Miniman, analyst at Wikibon on the team. I was at the event all day today, drove down to Palo Alto to give us the latest in-person updates, as well as, for the past two days, Stu has been at the Analyst Summit, which is Google's first analyst summit, Google Cloud. And Stu, we're going to break down day one in the books. Certainly, people starting to get onto there. After-meetups, parties, dinners, and festivities. 10,000 people came to the Google Annual Cloud Next Conference. A lot of customer conversations, not a lot of technology announcements, Stu. But we got another day tomorrow. >> John, first of all, congrats on the studio here. I mean, it's really exciting. I remember the first time I met you in Palo Alto, there was the corner in ColoSpace-- >> Cloud Air. >> A couple towards down for fries, at the (mumbles) And look at this space. Gorgeous studio. Excited to be here. Happy to do a couple videos. And I'll be in here all day tomorrow, helping to break down. >> Well, Stu, first allows us to, one, do a lot more coverage. Obviously, Google Next, you saw, was literally a blockbuster, as Diane Greene said. People were around the block, lines to get in, mass hysteria, chaos. They really couldn't scale the event, which is Google's scale, they nailed the scale software, but scaling event, no room for theCUBE. But we're pumping out videos. We did, what? 13 today. We'll do a lot more tomorrow, and get more now. So you're going to be coming in as well. But also, we had on-the-ground, cause we had phone call-ins from Akash Agarwal from SAP. We had an exclusive video with Sam Yen, who was breaking down the SAP strategic announcement with Google Cloud. 
And of course, we have a post going on siliconangle.com. A lot of videos up on youtube.com/siliconangle. Great commentary. And really the goal was to continue our coverage, at SiliconANGLE, theCUBE, Wikibon, in the Cloud. Obviously, we've been covering the Cloud since it's really been around. I've been covering Google since it was founded. So we have a lot of history, a lot of inside baseball, certainly here in Palo Alto, where Larry Page lives in the neighborhood, friends at Google Earth. So the utmost respect for Google. But really, I mean, come on. The story, you can't put lipstick on a pig. Amazon is crushing them. And there's just no debate about that. And people trying to put that out there, wrote a post this morning, to actually try to illustrate that point. You really can't compare Google Cloud to AWS, because it's just two different animals, Stu. And my point was, "Okay, you want to compare them? "Let's compare them." And we're well briefed on the Cloud players, and you guys have the studies coming out of Wikibon. So there it is. And my post pretty much sums up the truth, which is, Google's really serious about the enterprise. They're making steps, there's some holes, there's some potential fatal flaws in how they allow customers to park their data. They have some architectural differences. But Stu, it's really a different animal. I mean, it's apples and oranges in the Cloud. I don't think it's worthy complaining, because certainly Amazon has the lead. But you have Microsoft, you have Google, you have Oracle, IBM, SAP, they're all kind of in the cluster of this, I call "NASCAR Formation", where they're all kind of jockeying around, some go ahead. And it really is a race to get the table stake features done. And really, truly be serious contender for the enterprise. So you can be serious about the enterprise, and say, "Hey, I'm serious about the enterprise." But to be serious winner and leader, are two different ball games. 
>> And a lot to kind of break down here, John. Because first of all, some of the (mumbles) challenges, absolutely, they scaled that event really big. And kudos to them, 10,000 people, a lot of these things came together last minute. They treated the press and analysts really well. We got to sit up front. They had some good sessions. You just tweeted out, Diane Greene, in the analyst session, and in the Q&A after, absolutely nailed it. I mean, she is an icon in the industry. She's brilliant, really impressive. And she's been pulling together a great team of people that understand the enterprise. But who is Google going after, and how do they compete against some of the other guys, is really interesting to parse. Because some people were saying in the keynote, "We heard more about G Suite "than we heard about some of the Cloud features." Some of that is because they're going to do the announcements tomorrow. And you keep hearing all this G Suite stuff, and it makes me think of Microsoft, not Amazon. It makes me think of Office 365. And we've been hearing out of Amazon recently, they're trying to go after some of those business productivity applications. They're trying to go there where Microsoft is embedded. We know everybody wants to go after companies like IBM and Oracle, and their applications. Because Google has some applications, but really, their strength has been on the data. The machine the AI stuff was really interesting. Dr. Fei-Fei Li from Stanford, really good piece in the keynote there, when they hired her not that long ago. The community really perked up, and is really interesting. And everybody seems to think that this could be the secret weapon for Google. I actually asked them like, in some of the one-on-ones, "Is this the entry point? "Are most people coming for this piece, "when it's around these data challenges in the analytics, "and coming to Google." And they're like, "Well, it's part of it. "But no, we have broad play." 
Everything from devices through G Suite. And last year, when they did the show, it was all the Cloud. And this year, it's kind of the full enterprise suite, that they're pulling in. So there's some of that sorting out the messaging, and how do you pull all of these pieces together? As you know, when you've got a portfolio, it's like, "Oh well, I got to have a customer for G Suite." And then when the customer's up there talking about G Suite for a while, it's like, "Wait, it's--" >> Wait a minute. Is this a software? >> "What's going on?" >> Is this a SaaS show? Is this a workplace productivity show? Or is this a Cloud show? Again, this is what my issue is. First of all, the insight is very clear. When you start seeing G Suite, that means that they've got something else that they are either hiding or waiting to announce. But the key though, that is the head customers. That was one important thing. I pointed out in my blog post. To me, when I'm looking for it's competitive wins, and I want to parse out the G Suite, because it's easy just to lay that on, Microsoft does it with 365 of Office, Oracle does it with their stuff. And it does kind of make the numbers fuzzy a little bit. But ultimately, where's the beef on infrastructure as a service, and platform as a service? >> And John, good customers out there, Disney, Colgate, SAP as a partner, HSBC, eBay, Home Depot, which was a big announcement with Pivotal, last year, and Verizon were there. So these are companies, we all know them. Diane Greene was joking, "Disney is going to bring their magic onto our magic. "And make that work." So real enterprise use cases. They seem to have some good push-around developers. They just acquired Kaggle, which is working in some of that space. >> Apigee. >> Yeah, Apigee-- >> I think Apigee's an API company, come on. What does that relate to? It has nothing to do with the enterprise. It's an API management solution. Okay, yes. 
I guess it fits the stack for Cloud-Native, and for developers. I get that. But this show has to nail the enterprise, Stu. >> And John, you remember back four years ago, when we went to the re:Invent show for the first time, and it was like, they're talking to all the developers, and they haven't gotten to the enterprise. And then they over-pivoted to enterprise. And I listen to the customers that were talking and keynote today, and I said, "You know, they're talking digital transformation, "but it's not like GE and Nike getting up on stage, "being like, "'We're going to be a software company, "'and we're hiring lots--'" >> John: Moving our data center over. >> They were pulling all of over stuff, and it's like, "Oh yeah, Google's a good partner. "And we're using them--" >> But to be fair, Stu. Let's be fair, for a second. First of all, let's break down the keynotes. And then we'll get to some of the things about being fair. And I think, one, people should be fair to Diane Greene, because I think that the press and the coverage of it, looking at the media coverage, is weak. And I'll tell you why it's weak. Cause everyone has the same story as, "Oh, Google's finally serious about Cloud. "That's old news. "Diane Greene from day one says "we're serious with the Cloud." That's not the story. The story is, can they be a serious contender? That's number one. On the keynote, one, customer traction, I saw that, the slide up there. Yeah, the G Suite in there, but at least they're talking customers. Number two, the SAP news was strategic for Google. SAP now has Google Cloud platform, I mean, Google Cloud support for HANA, and also the SAP Cloud platform. And three, the Chief Data Science from AIG pointed. To me, those were the three highlights of the keynote. Each one, thematically, represents at least a positive direction for Google, big time, which is, one, customer adoption, the customer focus. Two, partnerships with SAP, and they had Disney up there. 
And then three, the real game changer, which is, can they change the AI machine learning, TensorFlow has a ton of traction. Intel Xeon chips now are optimized with TensorFlow. This is Google. >> TensorFlow, Kubernetes, it's really interesting. And it's interesting, John, I think if the media listened to Eric Schmidt at the end, he was talking straight to them. He's like, "Look, bullet one. "17 years ago, I told Google that "this is where we need to go. "Bullet two, 30 billion dollars "I'm investing in infrastructure. "And yes, it's real, "cause I had to sign off on all of this money. And we've been all saying for a while, "Is this another beta from Google. "Is it serious? "There's no ad revenue, what is this?" And Diane Greene, in the Q&A afterwards, somebody talked about, "Perpetual beta seems to be Google." And she's like, "Look, I want to differentiate. "We are not the consumer business. "The consumer business might kill something. "They might change something. "We're positioning, "this a Cloud that the enterprise can build on. "We will not deprecate something. "We'll support today. "We'll support the old version. "We will support you going forward." Big push for channel, go-to-market service and support, because they understand that that-- >> Yeah, but that's weak. >> For those of us that used Google for years, understand that-- >> There's no support. >> "Where do I call for Google?" Come on, no. >> Yeah, but they're very weak on that. And we broke that down with Tom Kemp earlier, from Centrify, where Google's play is very weak on the sales and marketing side. Yeah, I get the service piece. But go to Diane Greene for a second, she is an incredible, savvy enterprise executive. She knows Cloud. She moved from server to virtualization. And now she can move virtualization to Cloud. That is her playbook. And I think she's well suited to do that. 
And I think anyone who rushes to judgment on her keynote, given the fail of the teleprompter, I think is a little bit overstepping their bounds on that. I think it's fair to say that, she knows what she's doing. But she can only go as fast as they can go. And that is, you can't like hope that you're further along. The reality is, it takes time. Security and data are the key points. On your point you just mentioned, that's interesting. Because now the war goes on. Okay, Kubernetes, the microservices, some of the things going on in the applications side, as trends like Serverless come on, Stu, where you're looking at the containerization trend that's now gone to Kubernetes. This is the battleground. This is the ground that we've been at Dockercon, we've been at Linux, CNCF has got huge traction, the Cloud Native Compute Foundation. This is key. Now, that being said. The marketplace never panned out, Stu. And I wanted to get your analysis on this, cause you cover this. Few years ago, the world was like, "Oh, I want to be like Facebook." We've heard, "the Uber of this, and the Airbnb of that." Here's the thing. Name one company that is the Facebook of their company. It's not happening. There is no other Facebook, and there is no other Google. So run like Google, is just a good idea in principle, horizontally scalable, having all the software. But no one is like Google. No one is like Facebook, in the enterprise. So I think that Google's got to downclock their messaging. I won't say dumb down, maybe I'll just say, slow it down a little bit for the enterprise, because they care about different things. They care more about SLA than pricing. They care more about data sovereignty than the most epic architecture for data. What's your analysis? >> John, some really good points there. So there's a lot of technology, where like, "This is really cool." And Google is the biggest of it. Remember that software-defined networking we spent years talking about? 
Well, the first big company we heard about was Google, and they got up on stage, "We're the largest SDN deployer in the world on that." And it's like, "Great. "So if you're the enterprise, "don't deploy SDN, go to somebody else "that can deliver it for you. "If that's Google, that's great." Dockercon, the first year they had, 2014, Google got up there, talked about how they were using containers, and containers, and they spin up and spin down. Two billion containers in a week. Now, nobody else needs to spin up two billion containers a week, and do that down. But they learned from that. They build Kubernetes-- >> Well, I think that's a good leadership position. But it's leadership position to show that you got the mojo, which again, this is again, what I like about Google's strategy is, they're going to play the technology card. I think that's a good card to play. But there are some just table stakes they got to nail. One is the certifications, the security, the data. But also, the sales motions. Going into the enterprise takes time. And our advice to Diane Greene was, "Don't screw the gold Google culture. "Keep that technology leadership. "And buy somebody, "buy a company that's got a full blown sales force." >> But John, one of the critiques of Google has always been, everything they create, they create like for Google, and it's too Googley. I talked to a couple of friends, that know about AWS for a while, and when they're trying to do Google, they're like, "Boy, this is a lot tougher. "It's not as easy as what we're doing." Google says that they want to do a lot of simplicity. You touched on pricing, it's like, "Oh, we're going to make pricing "so much easier than what Amazon's doing." Amazon Reserved Instances is something that I hear a lot of negative feedback in the community on, and Google's like, "It's much simpler." But when I've talked to some people that have been using it, it's like, "Well, generally it should be cheaper, "and it should be easier. 
"But it's not as predictable. "And therefore, it's not speaking to what "the CFO needs to have. "I can't be getting a rebate sometime down the road. "Based on some advanced math, "I need to know what I'm going to be getting, "and how I'm going to be using it." >> And that's a good point, Stu. And this comes down to the consumability of the Cloud. I think what Amazon has done well, and this came out of many interviews today, but it was highlighted by Val Bercovici, who pointed out that, Amazon has made their service consumable by the enterprise. I think that's important. Google needs to start thinking about how enterprises want to consume Cloud, and hit those points. The other thing that Val and I teased at, was kind of some new ground, and he coined the term, or used the term, maybe he coined it, I'm not sure, empathy. Enterprise empathy. Google has developer empathy, they understand the developer community. They're rock solid on open source. Obviously, their mojo's phenomenal on technology, AI, et cetera, TensorFlow, all that stuff's great. Empathy for the enterprise, not there. And I think that's something that they're going to have to work on. And again, that's just evolution. You mentioned Amazon, our first event, developer, developer, developer. Me and Pat Gelsinger once called it the developer Cloud. Now they're truly the enterprise Cloud. It took three years for Amazon to do that. So you just can't jump to a trajectory. There's a huge amount of diseconomies of scale, Stu, to try and just be an enterprise player overnight, because, "We're Google." That's just not going to fly. And whether it's sales motions, pricing and support, security, this is hard. >> And sorting out that go-to-market, is going to take years. You see a lot of the big SIs are there. PwC, everywhere at the show. Accenture, big push at the show. We saw that a year or two ago, at the Amazon show. I talked to some friends in the channel, and they're like, "Yeah, Google's still got work to do. 
"They're not there." Look, Amazon has work to do on the go-to-market, and Google is still a couple-- >> I mean, Amazon's not spring chicken here. They're quietly, slowly, ramming up. But they're not in a good position with their sales force, needs to be where they want to be. Let's talk about technology now. So tomorrow we're expecting to see a bunch of stuff. And one area that I'm super excited about with Google, is if they can have their identity identified, and solidified with the mind of the enterprise, make their product consumable, change or adjust or buy a sales force, that could go out and actually sell to the enterprise, that's going to be key. But you're going to hear some cool trends that I like. And if you look at the TensorFlow, and the relationship, Intel, we're going to see Intel on stage tomorrow, coming out during one of the keynotes. And you're going to start to see the Xeon chip come out. And now you're starting to see now, the silicon piece. And this has been a data center nuisance, Stu. As we talked about with James Hamilton at Amazon, which having a hardware being optimized for software, really is the key. And what Intel's doing with Xeon, and we talked to some other people today about it, is that the Cloud is like an operating system, it's a global computer, if you want look at that. It's a mainframe, the software mainframe, as it's been called. You want a diversity of chipsets, from two cores Atom to 72 cores Xeon. And have them being used in certain cases, whether it's programmable silicon, or whether it's GPUs, having these things in use case scenarios, where the chips can accelerate the software evolution, to me is going to be the key, state of the art innovation. I think if Intel continues to get that right, companies like Google are going to crush it. Now, Amazon, they do their own. So this is going to another interesting dynamic. 
>> Yeah, it was actually one of the differentiating points Google's saying, is like, "Hey, you can get the Intel Skylake chip, "on Google Cloud, "probably six months before you're going to be able to "just call up your favorite OEM of choice, "and get that in there." And it's an interesting move. Because we've been covering for years, John, Google does a ton of servers. And they don't just do Intel, they've been heavily involved in the openPOWER movement, they're looking at alternatives, they're looking at low power, they're looking at from their device standpoint. They understand how to develop to all these pieces. They actually gave to the influencers, the press, the analysts, just like at Amazon, we all walked home with Echo Dot, everybody's walking home with the Google Homes. >> John: Did you get one? >> I did get one, disclaimer. Yeah, I got one. I'll be playing with it home. I figured I could have Alexa and Google talking to each other. >> Is it an evaluation unit? You have to give it back, or do you get to keep? >> No, I'm pretty sure they just let us keep that. >> John: Tainted. >> But what I'm interested to see, John, is we talk like Serverless, so I saw a ton of companies that were playing with Alexa at re:Invent, and they've been creating tons of skills. Lambda currently has the leadership out there. Google leverages Serverless in a lot of their architecture, it's what drives a lot of their analytics on the inside. Coming into the show, Google Cloud Functions is alpha. So we expect them to move that forward, but we will see with the announcements come tomorrow. But you would think if they're, try to stay that leadership though there, I actually got a statement from one of the guys that work on the Serverless, and Google believes that for functions, that whole Serverless, to really go where it needs to be, it needs to be open. Google isn't open sourcing anything this week, as far as I know. 
>> But they want to be able to move forward-- >> And they're doing great at open source. And I think one of the things, that not to rush to judgment on Google, and no one should, by the way. I mean, certainly, we put out our analysis, and we stick by that, because we know the enterprise pretty well, very well actually. So the thing that I like is that there are new use cases coming out. And we had someone who came on theCUBE here, Tarun Thakur, who's with Datos, datos.io. They're reimagining data backup and recovery in the Cloud. And when you factor in IoT, this is a paradigm shift. So I think we're going to see use cases, and this is a Google opportunity, where they can actually move the goal post a bit on the market, by enabling these new use cases, whether it's something as, what might seem pedestrian, like backup and recovery, reimagining that is huge. That's going to take impact as the data domains of the world, and what not, that (mumbles). These new use cases are going to evolve. And so I'm excited by that. But the key thing that came out of this, Stu, and this is where I want to get your reaction on is, Multicloud. Clearly the messaging in the industry, over the course of events that we've been covering, and highlighted today on Google Next is, Multicloud is the world we are living in. Now, you can argue that we're all in Amazon's world, but as we start developing, you're starting to see the emergence of Cloud services providers. Cloud services providers are going to have some tiering, certainly the big ones, and then you're going to have secondary partner like service providers. And Google putting G Suite in the mix, and Office 365 from Microsoft, and Oracle put in their apps in their Clouds stuff, highlights that the SaaS market is going to be very relevant. If that's the case, then why aren't we putting Salesforce in there, Adobe? They all got Clouds too. 
So if you believe that there's going to be specialism around Clouds, that opens up the notion that there'll be a series of Multicloud architectures. So, Stu-- >> Stu: Yeah so, I mean, John, first of all-- >> BS? Real? I mean what's going on? >> Cloud is this big broad term. From Wikibon's research standpoint, SaaS, today, is two-thirds of the public Cloud market. We spend a lot of time talking-- >> In revenue? >> In revenue. Revenue standpoint. So, absolutely, Salesforce, Oracle, Infor, Microsoft, all up there, big dollars. If we look at the much smaller part of the world, that infrastructure as a service, that's where we're spending a lot of time-- >> And platform as a service, which Gartner kind of bundles in, that's how Gartner looks at it. >> It's interesting. This year, we're saying PaaS as a category goes away. It's either SaaS plus, I'm sorry, it's SaaS minus, or infrastructure plus. So look at what Salesforce did with Heroku. Look at what company ServiceNow are doing. Yes, there are solutions-- >> Why is PaaS going away? What's the thesis? What's the premise of that for Wikibon research? >> If we look at what PaaS, the idea was it tied to languages, things like portability. There are other tools and solutions that are going to be able to help there. Look at, Docker came out of a PaaS company, dotCloud. There's a really good article from one of the Docker guys talking about the history of this, and you and I are going to be at Dockercon. John, from what I hear, we're going to be spending a lot of time talking about Kubernetes, at Dockercon. OpenStack Summit is going to be talking a lot about-- >> By the way, Kubernetes originated at Google. Another cool thing from Google. >> All right, so the PaaS as a market, even if you talk to the Cloud Foundry people, the OpenShift people. The term we got, had a year ago was PaaS is Passe, the nice pithy line. 
So it really feeds into, because, just some of these categorizations are what we, as industry watchers have a put in there, when you talk to Google, it's like, "Well, why are they talking about G Suite, "and Google Cloud, and even some of their pieces?" They're like, "Well, this is our bundle "that we put together." When you talk to Microsoft, and talk about Cloud, it's like, "Oh, well." They're including Skype in that. They're including Office 365. I'm like, "Well, that's our productivity. "That's a part of our overall solutions." Amazon, even when you talk to Amazon, it's not like that there are two separate companies. There's not AWS and Amazon, it's one company-- >> Are we living in a world of alternative facts, Stu? I mean, Larry Ellison coined the term "Fake Cloud", talking about Salesforce. I'm not going to say Google's a fake Cloud, cause certainly it's not. But when you start blending in these numbers, it's kind of shifting the narrative to having alternative facts, certainly skewing the revenue numbers. To your point, if PaaS goes away because the SaaS minuses that lower down the stack. Cause if you have microservices and orchestration, it kind of thins that out. So one, is that the case? And then I saw your tweet with Sam Ramji, he formerly ran Cloud Foundry, he's now at Google, knows his stuff, ex-Microsoft guy, very strong dude. What's he take? What's his take on this? Did you get a chance to chat with Sam at all? >> Yeah, I mean, it was interesting, because Sam, right, coming from Cloud Foundry said, what Cloud Foundry was one of the things they were trying to do, was to really standardize across the clouds. And of course, little bias that he works at Google now. But he's like, "We couldn't do that with Google, "cause Google had really cool features." And of course, when you put an abstraction layer on, can I actually do all the stuff? And he's like, "We couldn't do that." Sure, if you talked to Amazon, they'll be like, "Come on. 
Thousand features we announced last year, look at all the things we have. It's not like you can just take all of our pieces, and use it there." Yes, at the VM, or container, or application microservices layer, we can sit on a lot of different Clouds, public or private. But as we said today, the Cloud is not a utility. John, you've been in this discussion for years. So we've talked about, "Oh, I'm just going to have a Cloud broker, and go out in a service." It's like, this is not, I'm not buying from Domino's and Pizza Hut, and it's pepperoni pizza's a pepperoni pizza. >> Well, Multicloud, and moving workloads across Clouds, is a different challenge. Certainly, I might have to do some stuff here, maybe put some data and hedge my bets on leveraging other services. But this brings up the total cost of ownership problem. If you look at the trajectory, say OpenStack, just as a random example. OpenStack, at one point, had a great promise. Now it's kind of niched down into infrastructural service. I know you're going to be covering that summit in Boston. And it's going to be interesting to see how that is. But the word in the community is, that OpenStack is struggling because of the employment challenges involved with it. So to me, Google has an opportunity to avoid that OpenStack kind of concept. Because, talking about Sam Ramji, open source is the wildcard in all of this. So if you look at an open source, and you believe that that PaaS layer's thinning down, to infrastructure and SaaS, then you got to look at the open source community, and that's going to be a key area, that we're certainly watching, and we've identified, and we've mentioned it before. But here's my point. If you look at the total cost of ownership. If I'm a customer, Stu, I'm like, "Okay, if I'm just going to move to the Cloud, I need to rely and lean on my partner, my vendor, my supplier, Amazon, or Google, or Microsoft, whoever, to provide really excellent manageability. 
Really excellent security. Because if I don't, I have to build it myself." So it's becoming the shark fin, the tip of the iceberg, that you don't see the hidden cost, because I would much rather have more confidence in manageability that I can control. But I don't want to have to spend resources building manageability software, if the stuff doesn't work. So there's the issue about Multicloud that I'm watching. Your thoughts? Or is that too nuanced? >> No, no. First of all, one of the things is that if I look at what I was doing on premises, before versus public Cloud, yes, there are some hidden costs, but in general I think we understand them a little bit better in public Cloud. And public Cloud gives us a chance to do a do-over for this like security, which most of us understand that security is good in public Cloud. Now, security overall, lots of work to do, challenges, not security isn't the same across all of them. We've talked to plenty of companies that are helping to give security across Clouds. But this Multicloud discussion is still something that is sorting out. Portability is not simple, but it's where we're going. Today, most companies, if I'm not really small, have some on-prem pieces. And they're leveraging at least one Cloud. They're usually using many SaaS providers. And there's this whole giant ecosystem, John, around the Cloud management platforms. Because managing across lots of environments, is definitely a challenge. There's so many companies that are trying to solve them. And there's just dozens and dozens of these companies, attacking everything from licensing, to the data management, to everything else. So there's a lot of challenges there, especially the larger you get as a company, the more things you need to worry about. >> So Stu, just to wrap up our segment. Great day. Wanted to just get some color on the day. And highlighting some parody from the web is always great. 
Just got a tweet from fake Andy Jassy, which we know really isn't Andy Jassy. But Cloud Opinion was very active to the hashtag, that Twitter handle Cloud Opinion. But he had a Medium post, and he said, "Eric Schmidt was boring. Diane Greene was horrible. Unfortunately, day one keynote were missed opportunity, that left several gaps, failed to portray Google's vision for Google Cloud. They could've done the following, A, explain the vision for the Cloud, where do they see Google Cloud going. Identify customer use cases that show samples and customer adoption." They kind of did that. So discount that. My favorite line is this one, "Differentiate from other Cloud providers. 'We're Google damn it,' isn't working so well. Neither is indirect shots as S3 downtime, didn't work either as well as either. Where is the customer's journey going? And what's the most compelling thing for customers?" This phrase, "We're Google damn it," kind of speaks to the arrogance of Google. And we've seen this before, and always say, Google doesn't have a bad arrogance. I like the Google mojo. I think the technology, they run hard. But they can sometimes, like, "Customer support, self-service." You can't really get someone on the phone. It's hard to get replies from Google. >> "Check out YouTube video. We own that too, don't you know that?" >> So this is a perception of Google. This could fly in the face, and that arrogance might blow up in the enterprise, cause the enterprises aren't that sophisticated to kind of recognize the mojo from Google. And they, "Hey, I want support. I want SLAs. I want security. I want data flexibility." What's your thoughts? >> So Cloud Opinion wrote, I thought a really thoughtful piece leading up to it, that I didn't think was satire. Some of what he's putting in there, is definitely satire-- >> John: Some of it's kind of true though. >> From the keynote. 
So I did not get a sense in the meetings I've been in, or watching the keynote, that they were arrogant. They're growing. They're learning. They're working with the community. They're reaching out. They're doing all the things we think they need to do. They're listening really well. So, yes, I think the keynote was a missed opportunity overall. >> John: But we've got to give, point out that was a teleprompter fail. >> That was a piece of it. But even, we felt with a little bit of polish, some of the interactions would've been a little bit smoother. I thought Eric Schmidt's piece was really good at the end. As I said before, the AI discussion was enlightening, and really solid. So I don't give it a glowing rating, but I'm not ready to trash it. And tomorrow is when they're going to have the announcements. And overall, there's good buzz going at the show. There's lots going on. >> Give 'em a letter. Letter grade. >> For the keynote? Or the show in general? >> So far, your experience as an analyst, cause you had the, again, to give them credit, I agree with you. First analyst conference. They are listening. And the slideshow, you see what they're doing. They're being humble. They didn't take any real direct shots at its competitors. They were really humble. >> And that is something that I think they could've helped to focus on something that differentiated a little bit. Something we had to pry out of them in some of the one-on-ones, is like, "Come on, what are you doing?" And they're like, "We're winning 50, 60% of our competitive deals." And I'm like, "Explain to us why. Because we're not hearing it. You're not articulating it as well." It's not like we expect them, it's like, "Oh wait, they told us we're arrogant. Maybe we should be super humble now." It's kind of-- >> I don't think they're thinking that way. 
I think my impression of Google, knowing the company's history, and the people involved there, and Diane Greene in particular, as you know from the VMware days. She's kind of humble, but she's not. She's tough. And she's good. And she's smart. >> And she's bringing in really good people. And by the way, John, I want to give them kudos, really supported International Women's Day, I love the, Fei-Fei got up, and she talked about her, one of her compatriots, another badass woman up there, that got like one of the big moments of the keynote there. >> John: Did they have a woman in tech panel? >> Not at this event. Because Diane was there, Fei-Fei was there. They had some women just participating in it. I know they had some other events going on throughout the show. >> I agree, and I think it's awesome. I think one of the things that I like about Google, and again, I'll reiterate, is that apples and oranges relative to the other Cloud guys. But remember, just because Amazon's lead is so far ahead, that you still have this jockeying for position between the other players. And they're all taking the same pattern. Again, this is the same thing we talked about at our other analysis, is that, certainly at re:Invent, we talked about the same thing. Microsoft, Oracle, IBM, and now Google, are differentiating with their apps. And I think that's smart. I don't think that's a bad move at all. It does telegraph a little bit, that maybe they got, they could add more to show, we'll see tomorrow. But I don't think that's a bad thing. Again, it does make the numbers a little messy, in terms of what's what. But I think it's totally cool for a company to differentiate on their offering. >> Yeah, definitely. And John, as you said, Google is playing their game. They're not trying to play Amazon's game. They're not, Oracle's thing was what? 
You kind of get a little bit of the lead, and kind of just make sure how you attack and stay ahead of what they're doing, going to the boating analogy there. But Google knows where they're going, moving themselves forward. That they've made some really good progress. The amount of people, the amount of news they have. Are they moving fast enough to really try to close a little bit on the Amazon's world, is something I want to come out of the show with. Where are customers going? >> And it's a turbulent time too. As Peter Burris, our own Peter Burris at Wikibon, would say, is a turbulent time. And it's going to really put everyone on notice. There's a lot to cover, if you're an analyst. I mean, you have compute, network storage, services. I mean, there's a slew of stuff that's being rolled out, either in table stakes for existing enterprises, plus new stuff. I mean, I didn't hear a lot of IoT today. Did you hear much IoT? Is there IoT coming to you at the briefing? >> Come on. I'm sure there's some service coming out from Google, that'll help us be able to process all this stuff much faster. They'll just replace this with-- >> So you're in the analyst meeting. I know you're under NDA, but is there IoT coming tomorrow? >> IoT was a term that I heard this week, yes. >> So all right, that's a good confirmation. Stu cannot confirm or deny that IoT will be there tomorrow. Okay, well, that's going to end day one of coverage, here in our studio. As you know, we got a new studio. We have folks on the ground. You're going to start to see a new CUBE formula, where we have in-studio coverage, and out in the field, like our normal CUBE, our "game day", as we say. Getting all the signal, extracting it from that noise out there, for you. Again, in-studio allows us to get more content. We bring our friends in. We want to get the content. We're going to get the summaries, and share that with you. I'm John Furrier, Stu Miniman, day one coverage. 
We'll see you tomorrow for another full day of special coverage, sponsored by Intel, two days of coverage. I want to thank Intel for supporting our editorial mission. We love the enterprise, we love Cloud, we love big data, love Smart Cities, autonomous vehicles, and the changing landscape in tech. We'll be back tomorrow, thanks for watching.

Published Date : Mar 9 2017


Christina Ku, NTT Docomo Ventures, Inc - Mobile World Congress 2017 - #MWC17 - #theCUBE


 

(upbeat music) >> Narrator: Live, from Silicon Valley, it's theCUBE, covering Mobile World Congress 2017. Brought to you by Intel. >> Hey welcome back. We're here live in Palo Alto at the SiliconANGLE Media Cube studios, our new 4500 square foot office. We merged with our two offices here to have our own studio, and we're covering Mobile World Congress for two days. 8AM to 6 every day, breaking down all the analysis from the news, commentary and really breaking down the meaning and the impact of what's happening, and the trends. We're doing it here in California, bringing folks in and also calling people up in Barcelona, getting their reaction on the ground. We've got our reporters, we have analysts there but all the action's happening here in Palo Alto for our analysis. Our next guest is Christina Ku, director of NTT Docomo Ventures. Welcome to theCube, appreciate it. >> Hi. Well it was good to see you again. >> Great to see you. Obviously we've known each other for over a decade now and you've been in the investment community for a while. The first question is why aren't you there at a Mobile World Congress? Because it's changed so much, it's a telco show and some apps are now thrown in there. But there's so much more going on right now around 5G, AI, software, end to end fabrics. So it's not just "Give me more software, provision more subscribers." It's a whole other ball game. >> That's a great question. So our CEO of NTT Docomo is there, and the C-level team. But we are the innovation team. We have been here since 2005 doing research and then added business development about three years ago and then a ventures team that's been around and now we're part of NTT Docomo Ventures. What we're looking for is more services and software and this year I guess the focus is AI. And AI is, I would call it the new infrastructure. Since wireless networks are all data now, the new infrastructure is AI rules. Rules for everything, vertical and new maps. 
So I can talk a little bit more what we've been seeing in kind of the software and services area and how we're looking at the Bay Area as kind of the new innovation to bring back to Japan to work with NTT Docomo. >> That's awesome. Let's take a minute, Christina, if you can, just before we get started, take a minute to explain what your role is and the group that you're in at NTT Docomo here in the Bay Area. What you guys are doing, the focus, and some of the things that you're involved in. >> Great yeah, thanks. So, I'm a director and I invest on behalf of two funds. One is NTT Docomo Ventures for NTT Docomo, the wireless carrier. Sixty-million subscribers, all in Japan. Our competitor is SoftBank. We're bigger in Japan, and have more market share. And also the NTT Group has a two hundred and fifty million dollar fund. They're off the 101 Freeway. There's NTT Security, i-Cube, a division of companies, as well. And the idea is to bring these technologies through startups, through BD, to help them enter Japan. And also, to invest, a minority investment. >> That's awesome. So you have to pound the pavement, go out there and see all the action. Obviously, Silicon Valley, a lot of stuff happening here, and you've got a lot of experience here. Your thoughts on the business model, and how the AI as a service, you mentioned that, which is, we totally see the same thing. We see a confluence of old network models transforming into personal networks. We're seeing a trend where the relationship to the network, if you will, from a personal standpoint, could be the device initially, but now it's wearables. It's the watch, it's the tablet. So now people have this connection, digital connection to the network. Might not be just one network, it could be two, so now AI has to come in, and people are speculating that AI could be that nice brokering automation between all the digital services. 
Whether I'm jumping into an autonomous vehicle >> So if you refer to services for consumers, then the approach that we have is to offer a B to B to C business model, so in each lifestyle category. We purchased a cooking school, or a percentage of a cooking school, ABC Cooking. And then we were looking for kitchen devices, right, to offer that service, an oven, a bluetooth connected pan. I think some of these devices will be showing up at a Mobile World Congress. And then, people want a service wrapped around that. Same thing happened last year with fitness, with Fitbit, but also there's so many other devices to monitor your heartbeat and your health at the consumer level. But consumers want a service provider, someone to put that together for them. And I think AI would be in that layer. >> So when you say service, you don't mean like, network services or connections, you mean lifestyle services. You mentioned cooking. By the way, Twitch has one of the most popular shows in Korea. People watch each other eating food. It's one of the hottest live-streaming shows. But this kind of talks about that. You mentioned healthcare. Is this the kind of new software you see? And these are kind of the new digital services? Is that what you're looking at? >> That's exactly what we're looking at. I think people don't associate a carrier and services. In Asia, more so, maybe Korea, and Japan, because 5G will happen there, first. And Docomo will be the first carrier to have 5G in Japan. I think Korea, they'll have their version first. So I think with that, we have been, I guess since the days of i-mode, offering services, in a way. Because PC, and phone has been analogous, all data services have been just data in Japan. >> What's your take on 5G right now? Because obviously that's the big story at Mobile World Congress. Is it real? Is this one of the big upgrade areas? Do you see that being a catalyst? >> Yeah, I mean, we will have it for the Tokyo Olympics. 
So we're working on that. >> And what kind of speeds are they talking about? Gigabit, is that what they're looking at? >> Yeah, I think it's within 30 seconds you can download a full HD movie. >> (laughs) I want that. >> For consumers like me right? >> Come on, I want that now. We had our last guest talking about that. "What am I going to do with a Gig?" I'm like, well, apps will figure it out. That's one of the beautiful things about software. What's the coolest thing that you've seen? In terms of, as you look at some of the things that are around the corner, what are some of the cool highlights that you see connecting the dots with some of these new kinds of services? What's the trends? >> Depends on if you say consumer, enterprise, or kind of core. Like I said, what's in the home is interesting. On the infrastructure side, mapping. I think new types of beyond Waze mapping, 3-D drone mapping. >> The drone thing is super hot. That is killer. >> But it requires a new data set. >> Yeah. >> Right? And if you look at, Waze is great, but if you look at it, it's almost outdated, now, right? In terms of what you can imagine, if there is a tree that comes up because of a storm, or has fallen down, you want that map to configure that. So that the drone can fly over the building, or the tree, or whatever's in the way. So you need real-time mapping, and I think that's an interesting area that we've been looking at a lot. >> And connectivity will fuel a lot of these devices, whether they're drones, or other sensors on the network. As that's, I'd imagine, the good instrumentation out there for that stuff. >> And also social data. The confluence of easy, cheap social data. And then marrying that, and stitching that in there. You know, we've found companies that will identify you through video, like computer vision, and a drone will follow you and recognize you through AI. >> That's cool. 
>> That's kind of, you know, there may be small increases in innovation, but without the AI and the machine learning, you can't- >> Yeah, it's interesting, you know, this lifestyle, these services. I think that's the right strategy in the right direction. Because we were just having a debate earlier this morning on theCube, here, about autonomous vehicles. Because one of the four categories of the hot trends in Mobile World Congress is autonomous vehicles, entertainment and media, smart cities, and home, automating and all that stuff. And that's all an opportunity for services. But we were debating that transportation's not going away, but I might not buy a car in the future. The differentiation might come from really cool software that allows me to take my preferences, my Spotify playlist, all my digital services that I am leveraging into an environment, whether it's a car, a theater, a park, a stadium. Whatever lifestyle I'm in, I can then move with my digital ecosystem, if you will. My personal- >> Your preferences. >> My digital aura, if you will, and not have to reboot, and connect. I mean right now, my phone works. I just associate, but you know, still, it feels clunky. So I think that's kind of a cool direction. Is that something that you see that telcos and most folks will pick up? Or is that just you guys doing that right now? >> I think what interests me about NTT Docomo when I joined was that they're kind of in the forefront, and in kind of leadership of that. And I think Korea and Japan, in Asia, are looking ahead. What do you do with unlimited data? And then kind of following you everywhere. So I think AI, uh, you know, we had SIRI, Shabette Concierge, which was, I guess, our version of SIRI a long time ago. There's a lot of voice-enabled applications. So, I guess, will that be the interface? I think another interesting concept is what will be the interface? 
The phone, Amazon Echo, what will be the natural interface for you to connect to these devices and preferences? >> Take us through the day to day in the life of a VC, kind of the deals that you do. What happens in your day to day life here in Silicon Valley? Take us through some of the things that you go through every day. >> Most days, I guess, just meeting with companies and trying to find, you know, the next one. There's so many great areas, and also the next trends. We also do a lot of enterprise deals. So I've been looking at security, cloud, a lot of the devops, or kind of what's around the cloud systems. Finding the right companies. And then, also intersecting with my, I have a business development team, and they connect to Tokyo, so there at night, talking to the business group leaders. And finding that balance of, what is a technology that would work in Japan? What are they interested in? And then, out here, scouting for those companies. >> Yeah, one of the sub-plots of the Mobile World Congress this year, which is consistent with pretty much the trend is that the enterprise, IT, is evolving very quickly because of the cloud. Amazon has certainly demonstrated the winning in the cloud. And security, no perimeter, API economy, these new trends are forcing IT to move from this proven operational methodology to very agile, data-driven, high-compute clouds. And security's one of the huge issues. And now you have multi-clouds, where I might have something in Azure, I might have something in Amazon, I might have something in a geographic basis around the world trying to operate globally, being a multinational, is challenging. What's your take on that? Because this is an area that is not sexy as the consumer play, but in the B-to-B space, it is really front and center. RSA conference just last week, we were talking on email about RSA. Two weeks ago, that was the number one thing. 
You've got the cybersecurity issues, you've got the cyber surveillance, and also just the threat detection from ransomware to just consumer phishing. What's your thoughts in this area? >> So, I guess we're looking at kind of what's the next new area, which would be using AI to analyze all this data that's coming in, from the perimeter, from the end point, on your network, right? And then what can bubble up to the surface? We've invested in two companies in this area: Centrify and Cyphort. Looking for, kind of, other companies that- >> John: Well, Centrify, they're really focused on the breach. >> They're really focused, yes. >> Tom Kemp, in fact we went to their party at the RSA, Jeff Frick and I. They had a great band. Had a good time with those guys. But they're doing extremely well. They're very focused on mobile. >> They're doing really well, yeah. >> So what is the challenge, in your mind, right now, if you're an entrepreneur out there, for the folks watching? They're looking for kind of like the white space. They're looking for some tea leaves to read. Could you share any color on just advice for the entrepreneurs out there? Because it's certainly a turbulent time in the enterprise, and just in general, the cloud market. >> It's very competitive. >> Advice for entres, where should they focus? What sort of key metrics should they be building their ventures around? >> I think it depends on if you have an idea, or have a product already, but I think it's very competitive, right? And it's hard to break out of. What's your product differentiation? On the enterprise space, I think building a product, solving the problem. And then once you've done that, built a great team, then sales. And I think in the security space, trying to get to a million ARR, right? Just getting to a certain scale- >> So tell us about Centrify. When did you guys invest in those guys? 
Early, was it later on, which round did you guys- >> We invested, in the last round, so, uh, we were late stage investors, but we're very happy with the investment. They're doing very well. >> Awesome. Any other cool things you're working on that you'd like to share? >> We have taken apart AI, and started to look at transportation, so I think mapping is a little bit a part of that. It's also driving different industries, like e-commerce, IoT. We've looked at IoT. >> You must get a lot of this all the time, and I've got to ask you the same question, because I always get asked, "John, what is AI?" Now, I have two answers. Oh, AI's been around for a long time, but then there's a new AI. How do you answer that question? Because AI as a service essentially is software in the world paradigm, and it certainly is happening where you're going to start to see some significant software advances. But AI in and of itself is evolving. How do you describe AI as a service? How would you describe it to the layperson out there? >> I think, maybe its early stage, it's the team, and the technology. How many PhDs, you know, what are you looking at? What type of machine learns? That's, we have the more technical team. We build services. You know, my boss' boss is the head of services and he reports to the CTO of Docomo. His team and he, they look at that. Then on the other hand, though, I think its later stage, is vertical industries. Have people taken it apart, put it together, and then are monetizing that? So I think it's- >> John: It's a lot of machine learning. A lot of data-driven, So algorithms over data, or data over algorithms? Is there a philosophy there? I mean, that's a debate that people love to talk about. >> Maybe it depends on where you're applying it, who it's for, where do you get the data, how do you train the data? And, you know, what is the result? And are people happy with the result? 
I think the core infrastructure, I think once an AI company becomes hot, then it gets bought, and at that point, we all know who the players are. And people are probably looking for more and more of those, so I think those are harder to find. So then, like I've said, we've taken that apart, and maybe we've looked at mapping. What are maybe more the components underneath that that we can start to say this is going to be huge in the future? >> Yeah, and I think that's a great philosophy, too. If you look at how IBM has branded Watson, you could almost look at how successful that's been because people can get a mental model around that. And they've taken a similar approach, although I would say they've done very good on the vertical packaging. And a lot of work's going on, now, I think we're seeing down in the guts of the tech. I think there's a machine learning and more going on there, which is really cool. >> Which utilizes the cloud, right, and- >> That's where the power- >> That's where the power is. >> The compute. I mean Amazon has that. At the last re:Invent, they announced the machine learning as a service. You're starting to see this now, where people can take an iterative approach to leveraging this AI as a service. I'm really impressed by that. Congratulations on a great strategy. I think that should be a winner. >> Yeah. Thank you. And that's going to be probably a core business model. I think other telcos should take notice of that. But maybe we shouldn't tell them we're alive. We can't put it back. Christina, thanks so much for coming in, appreciate it. Christina Ku, here, inside theCube. Special coverage of Mobile World Congress. Doing all the investments, checking out all the new business models, and really looking at AI as a service, and that really is cutting edge. That really is consistent with the data. It's theCube, we'll be right back with more after this short break. (tech music) (digital music)

Published Date : Feb 28 2017
