>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

>>As we've been reporting, the pandemic has called CSOs to really shift their spending priorities towards securing remote workers. Almost overnight. Zero trust has gone from buzzword to mandate. What's more as we wrote in our recent cybersecurity breaking analysis, not only Maseca pro secured increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone. And welcome to this Q conversation. My name is Dave Vellante and I'm pleased to welcome Derek manky. Who's chief security insights, and global threat alliances for four guard labs with fresh data from its global threat landscape report. Derek. Welcome. Great to see you. >>Thanks so much for, for the invitation to speak. It's always a pleasure. Multicover yeah, >>You're welcome. So first I wonder if you could explain for the audience, what is for guard labs and what's its relationship to fortunate? >>Right. So 40 grand labs is, is our global sockets, our global threat intelligence operation center. It never sleeps, and this is the beat. Um, you know, it's, it's been here since inception at port in it. So it's it's 20, 21 years in the making, since Fortinet was founded, uh, we have built this in-house, uh, so we don't go yum technology. We built everything from the ground up, including creating our own training programs for our, our analysts. We're following malware, following exploits. We even have a unique program that I created back in 2006 to ethical hacking program. And it's a zero-day research. So we try to meet the hackers, the bad guys to their game. And we of course do that responsibly to work with vendors, to close schools and create virtual patches. Um, and, but, you know, so it's, it's everything from, uh, customer protection first and foremost, to following, uh, the threat landscape and cyber. It's very important to understand who they are, what they're doing, who they're, uh, what they're targeting, what tools are they using? >>Yeah, that's great. Some serious DNA and skills in that group. And it's, it's critical because like you said, you can, you can minimize the spread of those malware very, very quickly. So what, what now you have, uh, the global threat landscape report. We're going to talk about that, but what exactly is that? >>Right? So this a global threat landscape report, it's a summary of, uh, all, all the data that we collect over a period of time. So we released this, that biannually two times a year. Um, cyber crime is changing very fast, as you can imagine. So, uh, while we do release security blogs, and, uh, what we call threat signals for breaking security events, we have a lot of other vehicles to release threat intelligence, but this threat landscape report is truly global. It looks at all of our global data. So we have over 5 million censorship worldwide in 40 guard labs, we're processing. I know it seems like a very large amount, but North of a hundred billion, uh, threat events in just one day. And we have to take the task of taking all of that data and put that onto scale for half a year and compile that into something, um, that is, uh, the, you know, that that's digestible. That's a, a very tough task, as you can imagine, so that, you know, we have to work with a huge technologies back to machine learning and artificial intelligence automation. And of course our analyst view to do that. >>Yeah. So this year, of course, there's like the every year is a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past? Let's say 12 months. I know you do this twice a year, but what trends did you see evolving throughout the year and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate network? >>Yeah, it was quite interesting last year. It certainly was not normal. Like we all say, um, and that was no exception for cybersecurity. You know, if we look at cyber criminals and how they pivoted and adapted to the scrap threat landscape, cyber cyber criminals are always trying to take advantage of the weakest link of the chain. They're trying to always prey off here and ride waves of global trends and themes. We've seen this before in, uh, natural disasters as an example, you know, um, trying to do charity kind of scams and campaigns. And they're usually limited to a region where that incident happened and they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next to the next trip. That's braking, of course, because COVID is so global and dominant. Um, we saw attacks coming in from, uh, well over 40 different languages as an example, um, in regions all across the world that wasn't lasting two to three weeks and it lasted for the better part of a year. >>And of course, what they're, they're using this as a vehicle, right? Not preying on the fear. They're doing everything from initial lockdown, uh, fishing. We were as COVID-19 movers to, um, uh, lay off notices then to phase one, reopenings all the way up to fast forward to where we are today with vaccine rollover development. So there's always that new flavor and theme that they were rolling out, but because it was so successful for them, they were able to, they didn't have to innovate too much, right. They didn't have to expand and shifted to new to new trends. And themes are really developed on new rats families as an example, or a new sophisticated malware. That was the first half of the year and the second half of the year. Um, of course people started to experience COVID fatigue, right? Um, people started to become, we did a lot of education around this. >>People started to become more aware of this threat. And so, um, cyber criminals have started to, um, as we expected, started to become more sophisticated with their attacks. We saw an expansion in different ransomware families. We saw more of a shift of focus on, on, um, uh, you know, targeting the digital supply chain as an example. And so that, that was, that was really towards Q4. Uh, so it, it was a long lived lead year with success on the Google themes, um, targeting healthcare as an example, a lot of, um, a lot of the organizations that were, you know, really in a vulnerable position, I would say >>So, okay. I want to clarify something because my assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trends. Not only did they have to adapt and not have to, but they adapt it to these new vulnerabilities. Uh, my sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I, am I getting that right? That they did their sort of their, their, their increased sophistication in the first half, and then they sort of deployed it, did it, uh, w what actually happened there from your data? >>Well, if we look at, so generally there's two types of attacks that we look at, we look at the, uh, the premeditated sophisticated attacks that can have, um, you know, a lot of ramp up work on their end, a lot of time developing the, the, the, the weaponization phase. So developing, uh, the exploits of the sophisticated malware that they're gonna use for the campaign reconnaissance, understanding the targets, where platforms are developed, um, the blueprinting that DNA of, of, of the supply chain, those take time. Um, in fact years, even if we look back to, um, uh, 10 plus years ago with the Stuxnet attacks, as an example that was on, uh, nuclear centrifuges, um, and that, that had four different zero-day weapons at the time. That was very sophisticated, that took over two years to develop as an example. So some of these can take years of time to develop, but they're, they're, uh, very specific in terms of the targets are going to go after obviously the ROI from their end. >>Uh, the other type of attack that we see is as ongoing, um, these broad, wide sweeping attacks, and the reality for those ones is they don't unfortunately need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the cool, the deem, and they still do today with the vaccine road and development. Uh, but, but it's really because they're just playing on, on, um, you know, social engineering, um, using, uh, topical themes. And in fact, the weapons they're using these vulnerabilities are from our research data. And this was highlighted actually the first pop landscape before last year, uh, on average were two to three years old. So we're not talking about fresh vulnerabilities. You've got to patch right away. I mean, these are things that should have been patched two years ago, but they're still unfortunately having success with that. >>So you mentioned stuck next Stuxnet as the former sort of example, of one of the types of attacks that you see. And I always felt like that was a watershed moment. One of the most sophisticated, if not the most sophisticated attack that we'd ever seen. When I talk to CSOs about the recent government hack, they, they, they suggest I infer maybe they don't suggest it. I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that, is that accurate or not necessarily? >>Yeah, there's definitely a, there's definitely some comparisons there. Uh, you know, one of the largest things is, uh, both attacks used digital circuits certificate personation, so they're digitally signed. So, you know, of course that whole technology using cryptography is designed by design, uh, to say that, you know, this piece of software installed in your system, hassles certificate is coming from the source. It's legitimate. Of course, if that's compromised, that's all out of the window. And, um, yeah, this is what we saw in both attacks. In fact, you know, stocks in that they also had digitally designed, uh, certificates that were compromised. So when it gets to that level of students or, uh, sophistication, that means definitely that there's a target that there has been usually months of, of, uh, homework done by cyber criminals, for reconnaissance to be able to weaponize that. >>W w what did you see with respect to ransomware? What were the trends there over the past 12 months? I've heard some data and it's pretty scary, but what did you see? >>Yeah, so we're actually, ransomware is always the thorn in our side, and it's going to continue to be so, um, you know, in fact, uh, ransomware is not a new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to appeal a box, obviously that, that, that didn't take off. Wasn't a successful on the internet was porn at the time. But if you look at it now, of course, over the last 10 years, really, that's where it ran. The ransomware model has been, uh, you know, lucrative, right? I mean, it's been, um, using, uh, by force encrypting data on systems, so that users had to, if they were forced to pay the ransom because they wanted access to their data back data was the target currency for ransomware. That's shifted now. And that's actually been a big pivotal over the last year or so, because again, before it was this let's cast a wide net, in fact, as many people as we can random, um, and try to see if we can hold some of their data for ransom. >>Some people that data may be valuable, it may not be valuable. Um, and that model still exists. Uh, and we see that, but really the big shift that we saw last year and the threat landscape before it was a shift to targeted rats. So again, the sophistication is starting to rise because they're not just going out to random data. They're going out to data that they know is valuable to large organizations, and they're taking that a step further now. So there's various ransomware families. We saw that have now reverted to extortion and blackmail, right? So they're taking that data, encrypting it and saying, unless you pay us as large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of, um, you know, damages that can happen from that. The other thing we're seeing is, is a target of going to revenue services, right? So if they can cripple networks, it's essentially a denial of service. They know that the company is going to be bleeding, you know, X, millions of dollars a day, so they can demand Y million dollars of ransom payments, and that's effectively what's happening. So it's, again, becoming more targeted, uh, and more sophisticated. And unfortunately the ransom is going up. >>So they go to where the money is. And of course your job is to, it's a lower the ROI for them, a constant challenge. Um, we talked about some of the attack vectors, uh, that you saw this year that, that cyber criminals are targeting. I wonder if, if, you know, given the work from home, if things like IOT devices and cameras and, you know, thermostats, uh, with 75% of the work force at home, is this infrastructure more vulnerable? I guess, of course it is. But what did you see there in terms of attacks on those devices? >>Yeah, so, uh, um, uh, you know, unfortunately the attack surface as we call it, uh, so the amount of target points is expanding. It's not shifting, it's expanding. We still see, um, I saw, I mentioned earlier vulnerabilities from two years ago that are being used in some cases, you know, over the holidays where e-commerce means we saw e-commerce heavily under attack in e-commerce has spikes since last summer, right. It's been a huge amount of traffic increase everybody's shopping from home. And, uh, those vulnerabilities going after a shopping cart, plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities are still new in a sense being attacked, but we're also now seeing this complication of, yeah, as you said, IOT, uh, B roll out everywhere, the really quick shift to work from home. Uh, we really have to treat this as if you guys, as the, uh, distributed branch model for enterprise, right. >>And it's really now the secure branch. How do we take, um, um, you know, any of these devices on, on those networks and secure them, uh, because yeah, if you look at the, what we highlighted in our landscape report and the top 10 attacks that we're seeing, so hacking attacks hacking in tabs, this is who our IPS triggers. You know, we're seeing attempts to go after IOT devices. Uh, right now they're mostly, uh, favoring, uh, well in terms of targets, um, consumer grade routers. Uh, but they're also looking at, um, uh, DVR devices as an example for, uh, you know, home entertainment systems, uh, network attached storage as well, and IP security cameras, um, some of the newer devices, uh, what, the quote unquote smart devices that are now on, you know, virtual assistance and home networks. Uh, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think is we're really going to see this year in terms of what's ahead. Um, cause we always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is, all of this is still happening. IOT is being targeted. Of course they're being targeted because they're easy targets. Um, it's like for cybercriminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks. >>I mean, it's, um, I mean, attackers they're, they're highly capable. They're organized, they're well-funded they move fast, they're they're agile, uh, and they follow the money. As we were saying, uh, you, you mentioned, you know, co vaccines and, you know, big pharma healthcare, uh, where >>Did you see advanced, persistent >>Threat groups really targeting? Were there any patterns that emerged in terms of other industry types or organizations being targeted? >>Yeah. So just to be clear again, when we talk about AP teams, um, uh, advanced, specific correct group, the groups themselves they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the target, the, um, the premeditated targeted attacks usually points to nation state. Um, sometimes of course there's overlap. They can be affiliated with cyber crime, cyber crime, uh, uh, groups are typically, um, looking at some other targets for ROI, uh, bio there's there's a blend, right? So as an example, if we're looking at the, uh, apt groups I had last year, absolutely. Number one I would say would be healthcare. Healthcare was one of those, and it's, it's, it's, uh, you know, very unfortunate, but obviously with the shift that was happening at a pop up medical facilities, there's a big, a rush to change networks, uh, for a good cause of course, but with that game, um, you know, uh, security holes and concerns the targets and, and that's what we saw IPT groups targeting was going after those and, and ransomware and the cyber crime shrine followed as well. Right? Because if you can follow, uh, those critical networks and crippled them on from cybercriminals point of view, you can, you can expect them to pay the ransom because they think that they need to buy in order to, um, get those systems back online. Uh, in fact, last year or two, unfortunately we saw the first, um, uh, death that was caused because of a denial of service attack in healthcare, right. Facilities were weren't available because of the cyber attack. Patients had to be diverted and didn't make it on the way. >>All right. Jericho, sufficiently bummed out. So maybe in the time remaining, we can talk about remediation strategies. You know, we know there's no silver bullet in security. Uh, but what approaches are you recommending for organizations? How are you consulting with folks? >>Sure. Yeah. So a couple of things, um, good news is there's a lot that we can do about this, right? And, um, and, and basic measures go a long way. So a couple of things just to get out of the way I call it housekeeping, cyber hygiene, but it's always worth reminding. So when we talk about keeping security patches up to date, we always have to talk about that because that is reality as et cetera, these, these vulnerabilities that are still being successful are five to six years old in some cases, the majority two years old. Um, so being able to do that, manage that from an organization's point of view, really treat the new work from home. I don't like to call it a work from home. So the reality is it's work from anywhere a lot of the times for some people. So really treat that as, as the, um, as a secure branch, uh, methodology, doing things like segmentations on network, secure wifi access, multi-factor authentication is a huge muscle, right? >>So using multi-factor authentication because passwords are dead, um, using things like, uh, XDR. So Xers is a combination of detection and response for end points. This is a mass centralized management thing, right? So, uh, endpoint detection and response, as an example, those are all, uh, you know, good security things. So of course having security inspection, that that's what we do. So good threat intelligence baked into your security solution. That's supported by labs angles. So, uh, that's, uh, you know, uh, antivirus, intrusion prevention, web filtering, sandbox, and so forth, but then it gets that that's the security stack beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain. We talked about. The supply chain is, is, is a target for attackers attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users where we're constantly fished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended to, um, so that's what we can do, obviously that's, what's recommended to secure, uh, via the endpoints in the secure branch there's things we're also doing in the industry, um, to fight back against that with prime as well. >>Well, I, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. You, SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on the cube a couple of years ago, a former defense secretary. And I said, yeah, but don't, we have like the best security people and can't we go on the offensive and weaponize that ourselves. Of course, there's examples of that. Us. Government's pretty good at it, even though they won't admit it. But his answer to me was, yeah, we gotta be careful because we have a lot more to lose than many countries. So I thought that was pretty interesting, but how do you collaborate with whether it's the U S government or other governments or other other competitors even, or your ecosystem? Maybe you could talk about that a little bit. >>Yeah. Th th this is what, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. Um, so, you know, we, we need, I always say we can't win this war alone. You actually hit on this point earlier, you talked about following and trying to disrupt the ROI of cybercriminals. Absolutely. That is our target, right. We're always looking at how we can disrupt their business model. Uh, and, and in order, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about increasing the security stack so that they go knocking on someone else's door. But beyond that, uh, it comes down to private, private sector collaborations. So, uh, we, we, uh, co-founder of the cyber threat Alliance in 2014 as an example, this was our fierce competitors coming in to work with us to share intelligence, because like you said, um, competitors in the space, but we need to work together to do the better fight. >>And so this is a Venn diagram. What's compared notes, let's team up, uh, when there's a breaking attack and make sure that we have the intelligence so that we can still remain competitive on the technology stack to gradation the solutions themselves. Uh, but let's, let's level the playing field here because cybercriminals moved out, uh, you know, um, uh, that, that there's no borders and they move with great agility. So, uh, that's one thing we do in the private private sector. Uh, there's also, uh, public private sector relationships, right? So we're working with Interpol as an example, Interfor project gateway, and that's when we find attribution. So it's not just the, what are these people doing like infrastructure, but who, who are they, where are they operating? What, what events tools are they creating? We've actually worked on cases that are led down to, um, uh, warrants and arrests, you know, and in some cases, one case with a $60 million business email compromise fraud scam, the great news is if you look at the industry as a whole, uh, over the last three to four months has been for take downs, a motet net Walker, uh, um, there's also IE Gregor, uh, recently as well too. >>And, and Ian Gregor they're actually going in and arresting the affiliates. So not just the CEO or the King, kind of these organizations, but the people who are distributing the ransomware themselves. And that was a unprecedented step, really important. So you really start to paint a picture of this, again, supply chain, this ecosystem of cyber criminals and how we can hit them, where it hurts on all angles. I've most recently, um, I've been heavily involved with the world economic forum. Uh, so I'm, co-author of a report from last year of the partnership on cyber crime. And, uh, this is really not just the pro uh, private, private sector, but the private and public sector working together. We know a lot about cybercriminals. We can't arrest them. Uh, we can't take servers offline from the data centers, but working together, we can have that whole, you know, that holistic effect. >>Great. Thank you for that, Derek. What if people want, want to go deeper? Uh, I know you guys mentioned that you do blogs, but are there other resources that, that they can tap? Yeah, absolutely. So, >>Uh, everything you can see is on our threat research blog on, uh, so 40 net blog, it's under expired research. We also put out, uh, playbooks, w we're doing blah, this is more for the, um, the heroes as he called them the security operation centers. Uh, we're doing playbooks on the aggressors. And so this is a playbook on the offense, on the offense. What are they up to? How are they doing that? That's on 40 guard.com. Uh, we also release, uh, threat signals there. So, um, we typically release, uh, about 50 of those a year, and those are all, um, our, our insights and views into specific attacks that are now >>Well, Derek Mackie, thanks so much for joining us today. And thanks for the work that you and your teams do. Very important. >>Thanks. It's yeah, it's a pleasure. And, uh, rest assured we will still be there 24 seven, three 65. >>Good to know. Good to know. And thank you for watching everybody. This is Dave Volante for the cube. We'll see you next time.

>> From theCUBE Studios in Palo Alto and Boston bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> After a two year hiatus, AWS re:Inforce is back on as an in-person event in Boston next week. Like the All-Star break in baseball, re:Inforce gives us an opportunity to evaluate the cyber security market overall, the state of cloud security and cross cloud security and more specifically what AWS is up to in the sector. Welcome to this week's Wikibon cube insights powered by ETR. In this Breaking Analysis we'll share our view of what's changed since our last cyber update in May. We'll look at the macro environment, how it's impacting cyber security plays in the market, what the ETR data tells us and what to expect at next week's AWS re:Inforce. We start this week with a checkpoint from Breaking Analysis contributor and stock trader Chip Simonton. We asked for his assessment of the market generally in cyber stocks specifically. So we'll summarize right here. We've kind of moved on from a narrative of the sky is falling to one where the glass is half empty you know, and before today's big selloff it was looking more and more like glass half full. The SNAP miss has dragged down many of the big names that comprise the major indices. You know, earning season as always brings heightened interest and this time we're seeing many cross currents. It starts as usual with the banks and the money centers. With the exception of JP Morgan the numbers were pretty good according to Simonton. Investment banks were not so great with Morgan and Goldman missing estimates but in general, pretty positive outlooks. But the market also shrugged off IBM's growth. And of course, social media because of SNAP is getting hammered today. The question is no longer recession or not but rather how deep the recession will be. And today's PMI data was the weakest since the start of the pandemic. Bond yields continue to weaken and there's a growing consensus that Fed tightening may be over after September as commodity prices weaken. Now gas prices of course are still high but they've come down. Tesla, Nokia and AT&T all indicated that supply issues were getting better which is also going to help with inflation. So it's no shock that the NASDAQ has done pretty well as beaten down as tech stocks started to look oversold you know, despite today's sell off. But AT&T and Verizon, they blamed their misses in part on people not paying their bills on time. SNAP's huge miss even after guiding lower and then refusing to offer future guidance took that stock down nearly 40% today and other social media stocks are off on sympathy. Meta and Google were off, you know, over 7% at midday. I think at one point hit 14% down and Google, Meta and Twitter have all said they're freezing new hires. So we're starting to see according to Simonton for the first time in a long time, the lower income, younger generation really feeling the pinch of inflation. Along of course with struggling families that have to choose food and shelter over discretionary spend. Now back to the NASDAQ for a moment. As we've been reporting back in mid-June and NASDAQ was off nearly 33% year to date and has since rallied. It's now down about 25% year to date as of midday today. But as I say, it had been, you know much deeper back in early June. But it's broken that downward trend that we talked about where the highs are actually lower and the lows are lower. That's started to change for now anyway. We'll see if it holds. But chip stocks, software stocks, and of course the cyber names have broken those down trends and have been trading above their 50 day moving averages for the first time in around four months. And again, according to Simonton, we'll see if that holds. If it does, that's a positive sign. Now remember on June 24th, we recorded a Breaking Analysis and talked about Qualcomm trading at a 12 X multiple with an implied 15% growth rate. On that day the stock was 124 and it surpassed 155 earlier this month. That was a really good call by Simonton. So looking at some of the cyber players here SailPoint is of course the anomaly with the Thoma Bravo 7 billion acquisition of the company holding that stock up. But the Bug ETF of basket of cyber stocks has definitely improved. When we last reported on cyber in May, CrowdStrike was off 23% year to date. It's now off 4%. Palo Alto has held steadily. Okta is still underperforming its peers as it works through the fallout from the breach and the ingestion of its Auth0 acquisition. Meanwhile, Zscaler and SentinelOne, those high flyers are still well off year to date, with Ping Identity and CyberArk not getting hit as hard as their valuations hadn't run up as much. But virtually all these tech stocks generally in cyber issues specifically, they've been breaking their down trend. So it will now come down to earnings guidance in the coming months. But the SNAP reaction is quite stunning. I mean, the environment is slowing, we know that. Ad spending gets cut in that type of market, we know that too. So it shouldn't be a huge surprise to anyone but as Chip Simonton says, this shows that sellers are still in control here. So it's going to take a little while to work through that despite the positive signs that we're seeing. Okay. We also turned to our friend Eric Bradley from ETR who follows these markets quite closely. He frequently interviews CISOs on his program, on his round tables. So we asked to get his take and here's what ETR is saying. Again, as we've reported while CIOs and IT buyers have tempered spending expectations since December and early January when they called for an 8% plus spending growth, they're still expecting a six to seven percent uptick in spend this year. So that's pretty good. Security remains the number one priority and also is the highest ranked sector in the ETR data set when you measure in terms of pervasiveness in the study. Within security endpoint detection and extended detection and response along with identity and privileged account management are the sub-sectors with the most spending velocity. And when you exclude Microsoft which is just dominant across the board in so many sectors, CrowdStrike has taken over the number one spot in terms of spending momentum in ETR surveys with CyberArk and Tanium showing very strong as well. Okta has seen a big dropoff in net score from 54% last survey to 45% in July as customers maybe put a pause on new Okta adoptions. That clearly shows in the survey. We'll talk about that in a moment. Look Okta still elevated in terms of spending momentum, but it doesn't have the dominant leadership position it once held in spend velocity. Year on year, according to ETR, Tenable and Elastic are seeing the biggest jumps in spending momentum, with SailPoint, Tanium, Veronis, CrowdStrike and Zscaler seeing the biggest jump in new adoptions since the last survey. Now on the downside, SonicWall, Symantec, Trellic which is McAfee, Barracuda and TrendMicro are seeing the highest percentage of defections and replacements. Let's take a deeper look at what the ETR data tells us about the cybersecurity space. This is a popular view that we like to share with net score or spending momentum on the Y axis and overlap or pervasiveness in the data on the X axis. It's a measure of presence in the data set we used to call it market share. With the data, the dot positions, you see that little inserted table, that's how the dots are plotted. And it's important to note that this data is filtered for firms with at least 100 Ns in the survey. That's why some of the other ones that we mentioned might have dropped off. The red dotted line at 40% that indicates highly elevated spending momentum and there are several firms above that mark including of course, Microsoft, which is literally off the charts in both dimensions in the upper right. It's quite incredible actually. But for the rest of the pack, CrowdStrike has now taken back its number one net score position in the ETR survey. And CyberArk and Okta and Zscaler, CloudFlare and Auth0 now Okta through the acquisition, are all above the 40% mark. You can stare at the data at your leisure but I'll just point out, make three quick points. First Palo Alto continues to impress and as steady as she goes. Two, it's a very crowded market still and it's complicated space. And three there's lots of spending in different pockets. This market has too many tools and will continue to consolidate. Now I'd like to drill into a couple of firms net scores and pick out some of the pure plays that are leading the way. This series of charts shows the net score or spending velocity or granularity for Okta, CrowdStrike, Zscaler and CyberArk. Four of the top pure plays in the ETR survey that also have over a hundred responses. Now the colors represent the following. Bright red is defections. We're leaving the platform. The pink is we're spending less, meaning we're spending 6% or worse. The gray is flat spend plus or minus 5%. The forest green is spending more, i.e, 6% or more and the lime green is we're adding the platform new. That red dotted line at the 40% net score mark is the same elevated level that we like to talk about. All four are above that target. Now that blue line you see there is net score. The yellow line is pervasiveness in the data. The data shown in each bar goes back 10 surveys all the way back to January 2020. First I want to call out that all four again are seeing down trends in spending momentum with the whole market. That's that blue line. They're seeing that this quarter, again, the market is off overall. Everybody is kind of seeing that down trend for the most part. Very few exceptions. Okta is being hurt by fewer new additions which is why we highlighted in red, that red dotted area, that square that we put there in the upper right of that Okta bar. That lime green, new ads are off as well. And the gray for Okta, flat spending is noticeably up. So it feels like people are pausing a bit and taking a breather for Okta. And as we said earlier, perhaps with the breach earlier this year and the ingestion of Auth0 acquisition the company is seeing some friction in its business. Now, having said that, you can see Okta's yellow line or presence in the data set, continues to grow. So it's a good proxy from market presence. So Okta remains a leader in identity. So again, I'll let you stare at the data if you want at your leisure, but despite some concerns on declining momentum, notice this very little red at these companies when it comes to the ETR survey data. Now one more data slide which brings us to our four star cyber firms. We started a tradition a few years ago where we sorted the ETR data by net score. That's the left hand side of this graphic. And we sorted by shared end or presence in the data set. That's the right hand side. And again, we filtered by companies with at least 100 N and oh, by the way we've excluded Microsoft just to level the playing field. The red dotted line signifies the top 10. If a company cracks the top 10 in both spending momentum and presence, we give them four stars. So Palo Alto, CrowdStrike, Okta, Fortinet and Zscaler all made the cut this time. Now, as we pointed out in May if you combined Auth0 with Okta, they jumped to the number two on the right hand chart in terms of presence. And they would lead the pure plays there although it would bring down Okta's net score somewhat, as you can see, Auth0's net score is lower than Okta's. So when you combine them it would drag that down a little bit but it would give them bigger presence in the data set. Now, the other point we'll make is that Proofpoint and Splunk both dropped off the four star list this time as they both saw marked declines in net score or spending velocity. They both got four stars last quarter. Okay. We're going to close on what to expect at re:Inforce this coming week. Re:Inforce, if you don't know, is AWS's security event. They first held it in Boston back in 2019. It's dedicated to cloud security. The past two years has been virtual and they announced that reinvent that it would take place in Houston in June, which everybody said, that's crazy. Who wants to go to Houston in June and turns out nobody did so they postponed the event, thankfully. And so now they're back in Boston, starting on Monday. Not that it's going to be much cooler in Boston. Anyway, Steven Schmidt had been the face of AWS security at all these previous events as the Chief Information Security Officer. Now he's dropped the I from his title and is now the Chief Security Officer at Amazon. So he went with Jesse to the mothership. Presumably he dropped the I because he deals with physical security now too, like at the warehouses. Not that he didn't have to worry about physical security at the AWS data centers. I don't know. Anyway, he and CJ Moses who is now the new CISO at AWS will be keynoting along with some others including MongoDB's Chief Information Security Officer. So that should be interesting. Now, if you've been following AWS you'll know they like to break things down into, you know, a couple of security categories. Identity, detection and response, data protection slash privacy slash GRC which is governance, risk and compliance, and we would expect a lot more talk this year on container security. So you're going to hear also product updates and they like to talk about how they're adding value to services and try to help, they try to help customers understand how to apply services. Things like GuardDuty, which is their threat detection that has machine learning in it. They'll talk about Security Hub, which centralizes views and alerts and automates security checks. They have a service called Detective which does root cause analysis, and they have tools to mitigate denial of service attacks. And they'll talk about security in Nitro which isolates a lot of the hardware resources. This whole idea of, you know, confidential computing which is, you know, AWS will point out it's kind of become a buzzword. They take it really seriously. I think others do as well, like Arm. We've talked about that on previous Breaking Analysis. And again, you're going to hear something on container security because it's the hottest thing going right now and because AWS really still serves developers and really that's what they're trying to do. They're trying to enable developers to design security in but you're also going to hear a lot of best practice advice from AWS i.e, they'll share the AWS dogfooding playbooks with you for their own security practices. AWS like all good security practitioners, understand that the keys to a successful security strategy and implementation don't start with the technology, rather they're about the methods and practices that you apply to solve security threats and a top to bottom cultural approach to security awareness, designing security into systems, that's really where the developers come in, and training for continuous improvements. So you're going to get heavy doses of really strong best practices and guidance and you know, some good preaching. You're also going to hear and see a lot of partners. They'll be very visible at re:Inforce. AWS is all about ecosystem enablement and AWS is going to host close to a hundred security partners at the event. This is key because AWS doesn't do it all. Interestingly, they don't even show up in the ETR security taxonomy, right? They just sort of imply that it's built in there even though they have a lot of security tooling. So they have to apply the shared responsibility model not only with customers but partners as well. They need an ecosystem to fill gaps and provide deeper problem solving with more mature and deeper security tooling. And you're going to hear a lot of positivity around how great cloud security is and how it can be done well. But the truth is this stuff is still incredibly complicated and challenging for CISOs and practitioners who are understaffed when it comes to top talent. Now, finally, theCUBE will be at re:Inforce in force. John Furry and I will be hosting two days of broadcast so please do stop by if you're in Boston and say hello. We'll have a little chat, we'll share some data and we'll share our overall impressions of the event, the market, what we're seeing, what we're learning, what we're worried about in this dynamic space. Okay. That's it for today. Thanks for watching. Thanks to Alex Myerson, who is on production and manages the podcast. Kristin Martin and Cheryl Knight, they helped get the word out on social and in our newsletters and Rob Hoff is our Editor in Chief over at siliconangle.com. You did some great editing. Thank you all. Remember all these episodes they're available, this podcast. Wherever you listen, all you do is search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com. You can get in touch with me by emailing avid.vellante@siliconangle.com or DM me @dvellante, or comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you in Boston next week if you're there or next time on Breaking Analysis (soft music)

>>from around the globe. It's the Cube with digital coverage of VM World 2020 brought to you by VM Ware and its ecosystem partners. Hello and welcome back to the cubes. Virtual coverage of VM World 2020 Virtual I'm John for your host of the Cube, our 11th year covering V emeralds. Not in person. It's virtual. I'm with my coast, Dave. A lot, of course. Ah, guest has been on every year since the cubes existed. Sanjay Putin, who is now the chief operating officer for VM Ware Sanjay, Great to see you. It's our 11th years. Virtual. We're not in person. Usually high five are going around. But hey, virtual fist pump, >>virtual pissed bump to you, John and Dave, always a pleasure to talk to you. I give you more than a virtual pistol. Here's a virtual hug. >>Well, so >>great. Back at great. >>Great to have you on. First of all, a lot more people attending the emerald this year because it's virtual again, it doesn't have the face to face. It is a community and technical events, so people do value that face to face. Um, but it is virtually a ton of content, great guests. You guys have a great program here, Very customer centric. Kind of. The theme is, you know, unpredictable future eyes is really what it's all about. We've talked about covert you've been on before. What's going on in your perspective? What's the theme of your main talks? >>Ah, yeah. Thank you, John. It's always a pleasure to talk to you folks. We we felt as we thought, about how we could make this content dynamic. We always want to make it fresh. You know, a virtual show of this kind and program of this kind. We all are becoming experts at many Ted talks or ESPN. Whatever your favorite program is 60 minutes on becoming digital producers of content. So it has to be crisp, and everybody I think was doing this has found ways by which you reduce the content. You know, Pat and I would have normally given 90 minute keynotes on day one and then 90 minutes again on day two. So 180 minutes worth of content were reduced that now into something that is that entire 180 minutes in something that is but 60 minutes. You you get a chance to use as you've seen from the keynote an incredible, incredible, you know, packed array of both announcements from Pat myself. So we really thought about how we could organize this in a way where the content was clear, crisp and compelling. Thekla's piece of it needed also be concise, but then supplemented with hundreds of sessions that were as often as possible, made it a goal that if you're gonna do a break out session that has to be incorporate or lead with the customer, so you'll see not just that we have some incredible sea level speakers from customers that have featured in in our pattern, Mikey notes like John Donahoe, CEO of Nike or Lorry beer C I, a global sea of JPMorgan Chase partner Baba, who is CEO of Zuma Jensen Wang, who is CEO of video. Incredible people. Then we also had some luminaries. We're gonna be talking in our vision track people like in the annuity. I mean, one of the most powerful women the world many years ranked by Fortune magazine, chairman, CEO Pepsi or Bryan Stevenson, the person who start in just mercy. If you watch that movie, he's a really key fighter for social justice and criminal. You know, reform and jails and the incarceration systems. And Malala made an appearance. Do I asked her personally, I got to know her and her dad's and she spoke two years ago. I asked her toe making appearance with us. So it's a really, really exciting until we get to do some creative stuff in terms of digital content this year. >>So on the product side and the momentum side, you have great decisions you guys have made in the past. We covered that with Pat Gelsinger, but the business performance has been very strong with VM. Where, uh, props to you guys, Where does this all tie together for in your mind? Because you have the transformation going on in a highly accelerated rate. You know, cov were not in person, but Cove in 19 has proven, uh, customers that they have to move faster. It's a highly accelerated world, a lot. Lots changing. Multi cloud has been on the radar. You got security. All the things you guys are doing, you got the AI announcements that have been pumping. Thean video thing was pretty solid. That project Monterey. What does the customer walk away from this year and and with VM where? What is the main theme? What what's their call to action? What's what do they need to be doing? >>I think there's sort of three things we would encourage customers to really think about. Number one is, as they think about everything in infrastructure, serves APS as they think about their APS. We want them to really push the frontier of how they modernize their athletic applications. And we think that whole initiative off how you modernized applications driven by containers. You know, 20 years ago when I was a developer coming out of college C, C plus, plus Java and then emerge, these companies have worked on J two ee frameworks. Web Logic, Be Aware logic and IBM Web Street. It made the development off. Whatever is e commerce applications of portals? Whatever was in the late nineties, early two thousands much, much easier. That entire world has gotten even easier and much more Micro service based now with containers. We've been talking about kubernetes for a while, but now we've become the leading enterprise, contain a platform making some incredible investments, but we want to not just broaden this platform. We simplified. It is You've heard everything in the end. What works in threes, right? It's sort of like almost t shirt sizing small, medium, large. So we now have tens Ooh, in the standard. The advanced the enterprise editions with lots of packaging behind that. That makes it a very broad and deep platform. We also have a basic version of it. So in some sense it's sort of like an extra small. In addition to the small medium large so tends to and everything around at modernization, I think would be message number one number two alongside modernization. You're also thinking about migration of your workloads and the breadth and depth of, um, er Cloud Foundation now of being able to really solve, not just use cases, you are traditionally done, but also new ai use cases. Was the reason Jensen and us kind of partner that, and I mean what a great company and video has become. You know, the king maker of these ai driven applications? Why not run those AI applications on the best infrastructure on the planet? Remember, that's a coming together of both of our platforms to help customers. You know automotive banking fraud detection is a number of AI use cases that now get our best and we want it. And the same thing then applies to Project Monterey, which takes the B c f e m A Cloud Foundation proposition to smart Knicks on Dell, HP Lenovo are embracing the in video Intel's and Pen Sandoz in that smart make architectural, however, that so that entire world of multi cloud being operative Phobia Macleod Foundation on Prem and all of its extended use cases like AI or Smart Knicks or Edge, but then also into the AWS Azure, Google Multi Cloud world. We obviously had a preferred relationship with Amazon that's going incredibly well, but you also saw some announcements last week from, uh, Microsoft Azure about azure BMR solutions at their conference ignite. So we feel very good about the migration opportunity alongside of modernization on the third priority, gentlemen would be security. It's obviously a topic that I most recently taken uninterested in my day job is CEO of the company running the front office customer facing revenue functions by night job by Joe Coffin has been driving. The security strategy for the company has been incredibly enlightening to talk, to see SOS and drive this intrinsic security or zero trust from the network to end point and workload and cloud security. And we made some exciting announcements there around bringing together MAWR capabilities with NSX and Z scaler and a problem black and workload security. And of course, Lassiter wouldn't cover all of this. But I would say if I was a attendee of the conference those the three things I want them to take away what BMR is doing in the future of APS what you're doing, the future of a multi cloud world and how we're making security relevant for distributed workforce. >>I know David >>so much to talk about here, Sanjay. So, uh, talk about modern APS? That's one of the five franchise platforms VM Ware has a history of going from, you know, Challenger toe dominant player. You saw that with end user computing, and there's many, many other examples, so you are clearly one of the top, you know. Let's call it five or six platforms out there. We know what those are, uh, and but critical to that modern APS. Focus is developers, and I think it's fair to say that that's not your wheelhouse today, but you're making moves there. You agree that that is, that is a critical part of modern APS, and you update us on what you're doing for that community to really take a leadership position there. >>Yeah, no, I think it's a very good point, David. We way seek to constantly say humble and hungry. There's never any assumption from us that VM Ware is completely earned anyplace off rightful leadership until we get thousands, tens of thousands. You know, we have a half a million customers running on our virtualization sets of products that have made us successful for 20 years 70 million virtual machines. But we have toe earn that right and containers, and I think there will be probably 10 times as many containers is their virtual machines. So if it took us 20 years to not just become the leader in in virtual machines but have 70 million virtual machines, I don't think it will be 20 years before there's a billion containers and we seek to be the leader in that platform. Now, why, Why VM Where and why do you think we can win in their long term. What are we doing with developers Number one? We do think there is a container capability independent of virtual machine. And that's what you know, this entire world of what hefty on pivotal brought to us on. You know, many of the hundreds of customers that are using what was formerly pivotal and FDR now what's called Tan Xue have I mean the the case. Studies of what those customers are doing are absolutely incredible. When I listen to them, you take Dick's sporting goods. I mean, they are building curbside, pick up a lot of the world. Now the pandemic is doing e commerce and curbside pick up people are going to the store, That's all based on Tan Xue. We've had companies within this sort of world of pandemic working on contact, tracing app. Some of the diagnostic tools built without they were the lab services and on the 10 zoo platform banks. Large banks are increasingly standardizing on a lot of their consumer facing or wealth management type of applications, anything that they're building rapidly on this container platform. So it's incredible the use cases I'm hearing public sector. The U. S. Air Force was talking about how they've done this. Many of them are not public about how they're modernizing dams, and I tend to learn the best from these vertical use case studies. I mean, I spend a significant part of my life is you know, it s a P and increasingly I want to help the company become a lot more vertical. Use case in banking, public sector, telco manufacturing, CPG retail top four or five where we're seeing a lot of recurrence of these. The Tan Xue portfolio actually brings us closest to almost that s a P type of dialogue because we're having an apse dialogue in the in the speak of an industry as opposed to bits and bytes Notice I haven't talked at all about kubernetes or containers. I'm talking about the business problem being solved in a retailer or a bank or public sector or whatever have you now from a developer audience, which was the second part of your question? Dave, you know, we talked about this, I think a year or two ago. We have five million developers today that we've been able to, you know, as bringing these acquisitions earn some audience with about two or three million from from the spring community and two or three million from the economic community. So think of those five million people who don't know us because of two acquisitions we don't. Obviously spring was inside Vienna where went out of pivotal and then came back. So we really have spent a lot of time with that community. A few weeks ago, we had spring one. You guys are aware of that? That conference record number of attendees okay, Registered, I think of all 40 or 50,000, which is, you know, much bigger than the physical event. And then a substantial number of them attended live physical. So we saw a great momentum out of spring one, and we're really going to take care of that, That that community base of developers as they care about Java Manami also doing really, really well. But then I think the rial audience it now has to come from us becoming part of the conversation. That coupon at AWS re invent at ignite not just the world, I mean via world is not gonna be the only place where infrastructure and developers come to. We're gonna have to be at other events which are very prominent and then have a developer marketplace. So it's gonna be a multiyear effort. We're okay with that. To grow that group of about five million developers that we today Kate or two on then I think there will be three or four other companies that also play very prominently to developers AWS, Microsoft and Google. And if we're one among those three or four companies and remembers including that list, we feel very good about our ability to be in a place where this is a shared community, takes a village to approach and an appeal to those developers. I think there will be one of those four companies that's doing this for many years to >>come. Santa, I got to get your take on. I love your reference to the Web days and how the development environment change and how the simplicity came along very relevant to how we're seeing this digital transformation. But I want to get your thoughts on how you guys were doing pre and now during and Post Cove it. You already had a complicated thing coming on. You had multi cloud. You guys were expanding your into end you had acquisitions, you mentioned a few of them. And then cove it hit. Okay, so now you have Everything is changing you got. He's got more complex city. You have more solutions, and then the customer psychology is change. You got to spectrums of customers, people trying to save their business because it's changed, their customer behavior has changed. And you have other customers that are doubling down because they have a tailwind from Cove it, whether it's a modern app, you know, coming like Zoom and others are doing well because of the environment. So you got your customers air in this in this in this, in this storm, you know, they're trying to save down, modernized or or or go faster. How are you guys changing? Because it's impacted how you sell. People are selling differently, how you implement and how you support customers, because you already had kind of the whole multi cloud going on with the modern APS. I get that, but Cove, it has changed things. How are you guys adopting and changing to meet the customer needs who are just trying to save their business on re factor or double down and continue >>John. Great question. I think I also talked about some of this in one of your previous digital events that you and I talked about. I mean, you go back to the last week of February 1st week of March, actually back up, even in January, my last trip on a plane. Ah, major trip outside this country was the World Economic Forum in Davos. And, you know, there were thousands of us packed into the small digits in Switzerland. I was sitting having dinner with Andy Jassy in a restaurant one night that day. Little did we know. A month later, everything would change on DWhite. We began to do in late February. Early March was first. Take care of employees. You always wanna have the pulse, check employees and be in touch with them. Because the health and safety of employees is much more important than the profits of, um, where you know. So we took care of that. Make sure that folks were taking care of older parents were in good place. We fortunately not lost anyone to death. Covert. We had some covert cases, but they've recovered on. This is an incredible pandemic that connects all of us in the human fabric. It has no separation off skin color or ethnicity or gender, a little bit of difference in people who are older, who might be more affected or prone to it. But we just have to, and it's taught me to be a significantly more empathetic. I began to do certain things that I didn't do before, but I felt was the right thing to do. For example, I've begun to do 25 30 minute calls with every one of my key countries. You know, as I know you, I run customer operations, all of the go to market field teams reporting to me on. I felt it was important for me to be showing up, not just in the big company meetings. We do that and big town halls where you know, some fractions. 30,000 people of VM ware attend, but, you know, go on, do a town hall for everybody in a virtual zoom session in Japan. But in their time zone. So 10 o'clock my time in the night, uh, then do one in China and Australia kind of almost travel around the world virtually, and it's not long calls 25 30 minutes, where 1st 10 or 15 minutes I'm sharing with them what I'm seeing across other countries, the world encouraging them to focus on a few priorities, which I'll talk about in a second and then listening to them for 10 15 minutes and be, uh and then the call on time or maybe even a little earlier, because every one of us is going to resume button going from call to call the call. We're tired of T. There's also mental, you know, fatigue that we've gotta worry about. Mental well, being long term. So that's one that I personally began to change. I began to also get energy because in the past, you know, I would travel to Europe or Asia. You know, 40 50%. My life has travel. It takes a day out of your life on either end, your jet lag. And then even when you get to a Tokyo or Beijing or to Bangalore or the London, getting between sites of these customers is like a 45 minute, sometimes in our commute. Now I'm able to do many of these 25 30 minute call, so I set myself a goal to talk to 1000 chief security officers. I know a lot of CEOs and CFOs from my times at S A P and VM ware, but I didn't know many security officers who often either work for a CEO or report directly to the legal counsel on accountable to the audit committee of the board. And I got a list of these 1,002,000 people we called email them. Man, I gotta tell you, people willing to talk to me just coming, you know, into this I'm about 500 into that. And it was role modeling to my teams that the top of the company is willing to spend as much time as possible. And I have probably gotten a lot more productive in customer conversations now than ever before. And then the final piece of your question, which is what do we tell the customer in terms about portfolio? So these were just more the practices that I was able to adapt during this time that have given me energy on dial, kind of get scared of two things from the portfolio perspective. I think we began to don't notice two things. One is Theo entire move of migration and modernization around the cloud. I describe that as you know, for example, moving to Amazon is a migration opportunity to azure modernization. Is that whole Tan Xue Eminem? Migration of modernization is highly relevant right now. In fact, taking more speed data center spending might be on hold on freeze as people kind of holding till depend, emmick or the GDP recovers. But migration of modernization is accelerating, so we wanna accelerate that part of our portfolio. One of the products we have a cloud on Amazon or Cloud Health or Tan Xue and maybe the other offerings for the other public dog. The second part about portfolio that we're seeing acceleration around is distributed workforce security work from home work from anywhere. And that's that combination off workspace, one for both endpoint management, virtual desktops, common black envelope loud and the announcements we've now made with Z scaler for, uh, distributed work for security or what the analysts called secure access. So message. That's beautiful because everyone working from home, even if they come back to the office, needs a very different model of security and were now becoming a leader in that area. of security. So these two parts of the portfolio you take the five franchise pillars and put them into these two buckets. We began to see momentum. And the final thing, I would say, Guys, just on a soft note. You know, I've had to just think about ways in which I balance work and family. It's just really easy. You know what, 67 months into this pandemic to burn out? Ah, now I've encouraged my team. We've got to think about this as a marathon, not a sprint. Do the personal things that you wanna do that will make your life better through this pandemic. That in practice is that you keep after it. I'll give you one example. I began biking with my kids and during the summer months were able to bike later. Even now in the fall, we're able to do that often, and I hope that's a practice I'm able to do much more often, even after the pandemic. So develop some activities with your family or with the people that you love the most that are seeing you a lot more and hopefully enjoying that time with them that you will keep even after this pandemic ends. >>So, Sanjay, I love that you're spending all this time with CSOs. I mean, I have a Well, maybe not not 1000 but dozens. And they're such smart people. They're really, you know, in the thick of things you mentioned, you know, your partnership with the scale ahead. Scott Stricklin on who is the C. C so of Wyndham? He was talking about the security club. But since the pandemic, there's really three waves. There's the cloud security, the identity, access management and endpoint security. And one of the things that CSOs will tell you is the lack of talent is their biggest challenge. And they're drowning in all these products. And so how should we think about your approach to security and potentially simplifying their lives? >>Yeah. You know, Dave, we talked about this, I think last year, maybe the year before, and what we were trying to do in security was really simplified because the security industry is like 5000 vendors, and it's like, you know, going to a doctor and she tells you to stay healthy. You gotta have 5000 tablets. You just cannot eat that many tablets you take you days, weeks, maybe a month to eat that many tablets. So ah, grand simplification has to happen where that health becomes part of your diet. You eat your proteins and vegetables, you drink your water, do your exercise. And the analogy and security is we cannot deploy dozens of agents and hundreds of alerts and many, many consoles. Uh, infrastructure players like us that have control points. We have 70 million virtual machines. We have 75 million virtual switches. We have, you know, tens of million's off workspace, one of carbon black endpoints that we manage and secure its incumbent enough to take security and making a lot more part of the infrastructure. Reduce the need for dozens and dozens of point tools. And with that comes a grand simplification of both the labor involved in learning all these tools. Andi, eventually also the cost of ownership off those particular tool. So that's one other thing we're seeking to do is increasingly be apart off that education off security professionals were both investing in ah, lot of off, you know, kind of threat protection research on many of our folks you know who are in a threat. Behavioral analytics, you know, kind of thread research. And people have come out of deep hacking experience with the government and others give back to the community and teaching classes. Um, in universities, there are a couple of non profits that are really investing in security, transfer education off CSOs and their teams were contributing to that from the standpoint off the ways in which we can give back both in time talent and also a treasure. So I think is we think about this. You're going to see us making this a long term play. We have a billion dollar security business today. There's not many companies that have, you know, a billion dollar plus of security is probably just two or three, and some of them have hit a wall in terms of their progress sport. We want to be one of the leaders in cybersecurity, and we think we need to do this both in building great product satisfying customers. But then also investing in the learning, the training enable remember, one of the things of B M worlds bright is thes hands on labs and all the training enable that happened at this event. So we will use both our platform. We in world in a variety of about the virtual environments to ensure that we get the best education of security to professional. >>So >>that's gonna be exciting, Because if you look at some of the evaluations of some of the pure plays I mean, you're a cloud security business growing a triple digits and, you know, you see some of these guys with, you know, $30 billion valuations, But I wanted to ask you about the market, E v m. Where used to be so simple Right now, you guys have expanded your tam dramatically. How are you thinking about, you know, the market opportunity? You've got your five franchise platforms. I know you're very disciplined about identifying markets, and then, you know, saying, Okay, now we're gonna go compete. But how do you look at the market and the market data? Give us the update there. >>Yeah, I think. Dave, listen, you know, I like davinci statement. You know, simplicity is the greatest form of sophistication, and I think you've touched on something that which is cos we get bigger. You know, I've had the great privilege of working for two great companies. s a P and B M where the bulk of my last 15 plus years And if something I've learned, you know, it's very easy. Both companies was to throw these TLS three letter acronyms, okay? And I use an acronym and describing the three letter acronyms like er or s ex. I mean, they're all acronyms and a new employee who comes to this company. You know, Carol Property, for example. We just hired her from Google. Is our CMO her first comments like, My goodness, there is a lot of off acronyms here. I've gotta you need a glossary? I had the same reaction when I joined B. M or seven years ago and had the same reaction when I joined the S A. P 15 years ago. Now, of course, two or three years into it, you learn everything and it becomes part of your speed. We have toe constantly. It's like an accordion like you expanded by making it mawr of luminous and deep. But as you do that it gets complex, you then have to simplify it. And that's the job of all of us leaders and I this year, just exemplifying that I don't have it perfect. One of the gifts I do have this communication being able to simplify things. I recorded a five minute video off our five franchise pill. It's just so that the casual person didn't know VM where it could understand on. Then, when I'm on your shore and when on with Jim Cramer and CNBC, I try to simplify, simplify, simplify, simplify because the more you can talk and analogies and pictures, the more the casual user. I mean, of course, and some other audiences. I'm talking to investors. Get it on. Then, Of course, as you go deeper, it should be like progressive layers or feeling of an onion. You can get deeper. It's not like the entire discussion with Sanjay Putin on my team is like, you know, empty suit. It's a superficial discussion. We could go deeper, but you don't have to begin the discussion in the bowels off that, and that's really what we don't do. And then the other part of your question was, how do we think about new markets? You know, we always start with Listen, you sort of core in contact our borough come sort of Jeffrey Moore, Andi in the Jeffrey more context. You think about things that you do really well and then ask yourself outside of that what the Jason sees that are closest to you, that your customers are asking you to advance into on that, either organically to partnerships or through acquisitions. I think John and I talked about in the previous dialogue about the framework of build partner and by, and we always think about it in that order. Where do we advance and any of the moves we've made six years ago, seven years ago and I joined the I felt VM are needed to make a move into mobile to really cement opposition in end user computing. And it took me some time to convince my peers and then the board that we should by Air One, which at that time was the biggest acquisition we've ever done. Okay. Similarly, I'm sure prior to me about Joe Tucci, Pat Nelson. We're thinking about nice here, and I'm moving to networking. Those were too big, inorganic moves. +78 years of Raghu was very involved in that. The decisions we moved to the make the move in the public cloud myself. Rgu pack very involved in the decision. Their toe partner with Amazon, the change and divest be cloud air and then invested in organic effort around what's become the Claudia. That's an organic effort that was an acquisition fast forward to last year. It took me a while to really Are you internally convinced people and then make the move off the second biggest acquisition we made in carbon black and endpoint security cement the security story that we're talking about? Rgu did a similar piece of good work around ad monetization to justify that pivotal needed to come back in. So but you could see all these pieces being adjacent to the core, right? And then you ask yourself, Is that context meaning we could leave it to a partner like you don't see us get into the hardware game we're partnering with. Obviously, the players like Dell and HP, Lenovo and the smart Knick players like Intel in video. In Pensando, you see that as part of the Project Monterey announcement. But the adjacent seas, for example, last year into app modernization up the stack and into security, which I'd say Maura's adjacent horizontal to us. We're now made a lot more logical. And as we then convince ourselves that we could do it, convince our board, make the move, We then have to go and tell our customers. Right? And this entire effort of talking to CSOs What am I doing is doing the same thing that I did to my board last year, simplified to 15 minutes and get thousands of them to understand it. Received feedback, improve it, invest further. And actually, some of the moves were now making this year around our partnership in distributed Workforce Security and Cloud Security and Z scaler. What we're announcing an XDR and Security Analytics. All of the big announcements of security of this conference came from what we heard last year between the last 12 months of my last year. Well, you know, keynote around security, and now, and I predict next year it'll be even further. That's how you advance the puck every year. >>Sanjay, I want to get your thoughts. So now we have a couple minutes left. But we did pull the audience and the community to get some questions for you, since it's virtually wanted to get some representation there. So I got three questions for you. First question, what comes after Cloud and number two is VM Ware security company. And three. What company had you wish you had acquired? >>Oh, my goodness. Okay, the third one eyes gonna be the turkey is one, I think. Listen, because I'm gonna give you my personal opinion, and some of it was probably predates me, so I could probably safely So do that. And maybe put the blame on Joe Tucci or somebody else is no longer here. But let me kind of give you the first two. What comes after cloud? I think clouds gonna be with us for a long time. First off this multi cloud world, you just look at the moment, um, that AWS and azure and the other clouds all have. It's incredible on I think this that multi cloud from phenomenon. But if there's an adapt ation of it, it's gonna be three forms of cloud. People are really only focus today in private public cloud. You have to remember the edge and Telco Cloud and this pendulum off the right balance of workloads between the data center called it a private cloud. The public cloud on one end and the telco edge on the other end. I think we're in a really good position for workloads to really swing between all three of those locations. Three other part that I think comes as a sequel to Cloud is cloud native. All of the capabilities a serverless functions but also containers that you know. Obviously the one could think of that a sister topics to cloud but the entire world of containers. The other seat, uh, then cloud a cloud native will also be topics, but these were all fairly connected. That's how I'd answer the first question. A security company? Absolutely. We you know, we aspire to be one of the leading companies in cyber security. I don't think they will be only one. We have to show this by the wealth on breath of our customers. The revenue momentum we have Gartner ranking us or the analysts ranking us in top rights of magic quadrants being viewed as an innovator simplifying the stack. But listen, we weren't even on the radar. We weren't speaking of the security conferences years ago. Now we are. We have a billion dollar security business, 20,000 plus customers, really strong presences and network endpoint and workload and Cloud Security. The three Coppola's a lot more coming in Security analytics, Cloud Security distributed workforce Security. So we're here to stay. And if anything, BMR persist through this, we're planning for multi your five or 10 year timeframe. And in that course I mean, the competition is smaller. Companies that don't have the breadth and depth of the n words are Andy muscle and are going market. We just have to keep building great products and serving customer on the third man. There's so many. But I mean, I think Listen, when I was looking back, I always wondered this is before I joined so I could say the summit speculatively on. Don't you know, make this This is BMR. Sorry. This is Sanjay one's opinion. Not VM. I gotta make very, very clear. Well, listen, I would have if I was at BMO in 2012 or 2013. I would love to about service now then service. It was a great company. I don't even know maybe the company's talk, but then talk about a very successful company at that time now. Maybe their priorities were different. I wasn't at the company at the time, but I can speculate if that had happened, that would have been an interesting Now I think that was during the time of Paul Maritz here and and so on. So for them, maybe there were other priorities the company need to get done. But at that time, of course, today s so it's not as big of a even slightly bigger market cap than us. So that's not happening. But that's a great example of a good company that I think would have at that time fit very well with VM Ware. And then there's probably we don't look back and regret we move forward. I mean, I think about the acquisitions we have made the big ones. Okay, Nice era air watch pop in black. Pivotal. The big moves we've made in terms of partnership. Amazon. What? We're announcing this This, you know, this week within video and Z scaler. So you never look back and regret. You always look for >>follow up on that To follow up on that from a developer, entrepreneurial or partner Perspective. Can you share where the white spaces for people to innovate around vm Where where where can people partner and play. Whether I'm an entrepreneur in a garage or venture back, funded or say a partner pivoting and or resetting with Govind, where's the white spaces with them? >>I think that, you know, there's gonna be a number off places where the Tan Xue platform develops, as it kind of makes it relevant to developers. I mean, there's, I think the first way we think about this is to make ourselves relevant toe all of that ecosystem around the C I. C. D type apply platform. They're really good partners of ours. They're like, get lab, You know, all of the ways in which open source communities, you know will play alongside that Hash E Corp. Jay frog there number of these companies that are partnering with us and we're excited about all of their relevancy to tend to, and it's our job to go and make that marketplace better and better. You're going to hear more about that coming up from us on. Then there's the set of data companies, you know, con fluent. You know, of course, you've seen a big I p o of a snowflake. All of those data companies, we'll need a very natural synergy. If you think about the old days of middleware, middleware is always sort of separate from the database. I think that's starting to kind of coalesce. And Data and analytics placed on top of the modern day middleware, which is containers I think it's gonna be now does VM or play physically is a data company. We don't know today we're gonna partner very heavily. But picking the right set of partners been fluent is a good example of one on. There's many of the next generation database companies that you're going to see us partner with that will become part of that marketplace influence. And I think, as you see us certainly produce out the VM Ware marketplace for developers. I think this is gonna be a game changing opportunity for us to really take those five million developers and work with the leading companies. You know, I use the example of get Lab is an example get help there. Others that appeal to developers tie them into our developer framework. The one thing you learn about developers, you can't have a mindset. With that, you all come to just us. It's a very mingled village off multiple ecosystems and Venn diagrams that are coalescing. If you try to take over the world, the developer community just basically shuns you. You have to have a very vibrant way in which you are mingling, which is why I described. It's like, Listen, we want our developers to come to our conferences and reinvent and ignite and get the best experience of all those provide tools that coincide with everybody. You have to take a holistic view of this on if you do that over many years, just like the security topic. This is a multi year pursuit for us to be relevant. Developers. We feel good about the future being bright. >>David got five minutes e. >>I thought you were gonna say Zoom, Sanjay, that was That was my wildcard. >>Well, listen, you know, I think it was more recently and very fast catapult Thio success, and I don't know that that's clearly in the complete, you know, sweet spot of the anywhere. I mean, you know, unified collaboration would have probably put us in much more competition with teams and, well, back someone you always have to think about what's in the in the bailiwick of what's closest to us, but zooms a great partner. Uh, I mean, obviously you love to acquire anybody that's hot, but Eric's doing really well. I mean, Erica, I'm sure he had many people try to come to buy him. I'm just so proud of him as a friend of all that he was named to Time magazine Top 100. But what he's done is phenomenon. I think he could build a company that's just his important, his Facebook. So, you know, I encourage him. Don't sell, keep building the company and you'll build a company that's going to be, you know, the enterprise version of Facebook. And I think that's a tremendous opportunity to do this better than anybody else is doing. And you know, I'm as an immigrant. He's, you know, China. Born now American, I'm Indian born, American, assim immigrants. We both have a similar story. I learned a lot from him. I learned a lot from him, from on speed on speed and how to move fast, he tells me he learns a thing to do for me on scale. We teach each other. It's a beautiful friendship. >>We'll make sure you put in a good word for the Kiwi. One more zoom integration >>for a final word or the zoom that is the future Facebook of the enterprise. Whatever, Sanjay, Thank >>you for connecting with us. Virtually. It is a digital foundation. It is an unpredictable world. Um, it's gonna change. It could be software to find the operating models or changing you guys. We're changing how you serve customers with new chief up commercial customer officer you have in place, which is a new hire. Congratulations. And you guys were flexing with the market and you got a tailwind. So congratulations, >>John and Dave. Always a pleasure. We couldn't do this without the partnership. Also with you. Congratulations of Successful Cube. And in its new digital format, Thank you for being with us With VM world here on. Do you know all that you're doing to get the story out? The guests that you have on the show, they look forward, including the nonviable people like, Hey, can I get on the Cuban like, Absolutely. Because they look at your platform is away. I'm telling this story. Thanks for all you're doing. I wish you health and safety. >>I'm gonna bring more community. And Dave is, you know, and Sanjay, and it's easier without the travel. Get more interviews, tell more stories and tell the most important stories. And thank you for telling your story and VM World story here of the emerald 2020. Sanjay Poon in the chief operating officer here on the Cube I'm John for a day Volonte. Thanks for watching Cube Virtual. Thanks for watching.

>>live from San Francisco. It's the queue covering our essay conference 2020 San Francisco Brought to you by Silicon Angle Media >>Hey, welcome back here. Ready? Jeff Frick here with the Cube. We're in our 2020 the biggest security conference in the country, if not the world. I guess there's got to be 50,000 people. We'll get the official word tomorrow. It's our sixth year here and we're excited to be back. I'm not sure why. It's 2020. We're supposed to know everything at this point in time with the benefit on inside. We got two people that do. You know a lot. We're excited to have him. My left is Chris Bets is the SVP and chief security officer for Centurylink. Chris, Great to see you. And to his left is Chris Smith, VP Global security Services for Centurylink. Welcome. >>Thank you for having me. >>Absolutely. You guys just flew into town >>just for the conference's great To be here is always a really exciting space with just a ton of new technology coming out. >>So let's just jump into it. What I think is the most interesting and challenging part of this particular show we go to a lot of shows you 100 shows a year. I don't know that there's one that's got kind of the breadth and depth of vendors from the really, really big the really, really small that you have here. And, you know, with the expansion of Moscone, either even packing more women underneath Howard Street, what advice do you give to people who are coming here for the first time? Especially on more than the buyer side as to how do you navigate this place >>when I when I come here and see So I'm always looking at what the new technologies are. But honestly, having a new technology is not good enough. Attackers are coming up with new attacks all the time. The big trick for me is understanding how they integrate into my other solutions. So I'm not so I'm not just focused on the technology. I'm focused on how they all fit together. And so the vendors that have solutions that fit together that really makes a difference in my book. So I'm looking for for products that are designed to work with each other, not just separate >>from a practice standpoint. The theme of IRA say this year is the human element, and for us, if you look at this floor, it's overwhelming. And if you're a CSO of an average enterprise, it's hard to figure out what you need to buy and how to build a practice with all of the emerging tools. So for us core to our practice, I think any mature, 30 security practices having a pro services capability and consulting capability that can be solved this all together, that helps you understand what to buy, what things to piece together and how to make it all work >>right. And it's funny, the human element that is the kind of the global theme. And what's funny is for all the technology it sounds like. Still, the easiest way in is through the person, whether it's a phishing attack or there's a myriad of ways that people are getting him to the human. So that's kind of a special challenge or trying to use technology to help people do a better job. At the end of the day, sometimes you're squishy ISS or easier access point is not a piece of technology, but it's actually a person. It's >>often because We asked people to do the wrong things. We're having them. Focus on security steps. Use email. Security is an easy to grasp example way all go through training every year to teach folks how to make sure that they avoid clicking on the wrong emails for us more often than a year. So the downside of that is arresting people to take a step away from their job and try to figure out how to protect themselves. And is this a bad emails that are really focusing on the job? So that's why it's so important to me to make sure that we've got solutions that help make the human better and frankly, even worse in security. We don't have the staff that we need. And so how do we help Make sure that the right tools are there, that they work together. They automate because asking everybody to take those steps, it's just it's a recipe for disaster because people are going to make mistakes >>right? Let's go a little deeper into the email thing. A friend of mines and commercial real estate, and he was describing an email that he got from his banker describing a wire transfer from one of his suppliers that he has a regular, ongoing making relationship with. You know, it's not the bad pronunciation and bad grammar and kind of the things that used to jump out is an obvious. But he said it was super good to the point where thankfully, you know, it was just this time. But, you know, he called the banker like, did you just send me this thing? So you know where this as the sophistication of the bad guys goes up specifically targeting people, how do you try to keep up with how do you give them the tools to know Woe versus being efficient? I'm trying to get my job done. >>Yeah, for me, it starts with technology. That takes a look. We've only got so many security practitioners in the company. Actually. Defend your email example. We've got to defend every user from those kinds of problems. And so how do I find technology solutions that help take the load off security practitioners so they can focus on the niche examples that really, really well crafted emails and help take that load off user? Because users just not gonna be able to handle that right? It's not fair to ask them. And like you said, it was just poorly time that helped attack. So how do we help? Make sure that we're taking that technology load off, identify the threats in advance and protect them. And so I think one of the biggest things that Chris and I talk a lot about is how to our solutions help make it easier for people to secure themselves instead of just providing only technology technology advantage, >>our strategy for the portfolio and it sort of tied to the complexity. CN This floor is simplicity. So from our perspective, our goal is a network service provider is to deliver threat free traffic to our customers even before it gets to the human being. And we've got an announcement that we launched just a week ago in advance of the show called Rapid Threat Defense. And the idea is to take our mature threat Intel practice that Chris has a team of folks focused on that. We branded black Lotus labs and Way built a machine learning practice that takes all the bad things that we see out in the network and protects customers before it gets to their people. >>So that's an interesting take. You have the benefit of seeing a lot of network traffic from a lot of customers and not just the stuff that's coming into my building. So you get a much more aggregated approach, so tell us a little bit more about that. And what is the Black Lotus Labs doing? And I'm also curious from an industry point of view, you know, it's just a collaboration with the industry cause you guys are doing a lot of traffic. There's other big network providers carrying a lot of traffic. How well do you kind of work together when you identify some nasty new things that you're doing the horizon? And where do you draw the line between better together versus still independent environment? >>When we're talking about making the Internet safer, it's not really to me a lot about competitive environment. It's really about better together. That's one of things I love about the security community. I'm sure you see it every year when you're here. You're talking security practitioners how across every industry security folks work together to accomplish something that's meaningful. So as the largest world's largest global I P we get to see a ton of traffic, and it's really, really interesting we'll be able to put together, you know, at any given point in time. We're watching many tens of thousands of probable malware networks. We're protecting our customers from that. But we're also able to ourselves take down nearly 65 now where networks every month just knock them off the Internet. So identify the command and control, and we take it off the Internet. We work with our partners. We go talk to hosting providers, maybe competitors of ours. And we say, Hey, here's a bad, bad actors bad server that's being used to control now where? Going shut it down. And so the result of that is not only protecting our customers, but more importantly, protecting tens of thousands of customers every month. By removing now where networks that were attacking, that really makes a difference. To me, that's the biggest impact we bring. And so it really is a better together. It's a collaboration story and, of course, for said, we get the benefit of that information as we're developing it as we're building it, we can protect our customers right away while we're building the confidence necessary to take something as dramatic and action as shutting down on our network. Right. Unilaterally, >>Citrix. I was gonna ask you kind of the impact of I o t. Right in this in this crazy expansion of the tax services, when you hear about all the time with my favorite example, somebody told the story of attacking a casino through the connected thermometer in the fish tank in the lobby, which may or may not be true, is still a great story. Great story. But I'm curious, you know, looking at the network, feeding versus the devices connecting that's really in an interesting way to attack this proliferation of attack services. You're getting it before it necessarily gets to all these new points of presence doing it based on the source. For >>us, that's the only way to make it scalable. It is true that automation blocking it before it gets to the azure to a device. It is what will create simplicity and value for our customers. >>Right on the other piece of the automation. Of course, that we hear about all the time is there just aren't enough security professionals, period. So if you don't have the automation. You don't have the machine learning, as you said, to filter low hanging fruit and the focus your resource. If they need to be, you're not going to do it. The bad news is the bad guys, similar tools. So as you look at kind of the increase in speed of automation, the increase in automated connectivity between these devices making decisions amongst each other, how do you see that kind of evolving? But you're kind of role and making sure you stay a step ahead of the bad guys. For >>me, it's not about just automation. It's about allowing smart people to put their brains against hard problems, hard impactful problems and so on. So simply automating is not enough. It's making sure that automation is reducing the the load on people so that they're able to focus on those hard, unique problems really solve all those solutions and, yes, Attackers, Attackers build automation as well. And so if we're not building faster and better than we're falling behind, so like every other part of this race, it's about getting better, faster and why it's so important that technology work together because we're constantly throwing out more tools and if they don't work better together, even if we got incremental automation, these place way still miss overall because it's end to end that we need to defend ourselves and our customers >>layered on what he said. For the foreseeable future, you're gonna need smart security people that help protect your practice. Our goal in automation is take the road tasks out of out of the gate. They live so they can focus on the things that provide the most value protecting their enterprise. >>Right when you're looking, you talked about making sure things work together, for you talked about making sure things work together. How do you decide what's kind of on the top of the top of the stack, where everybody wants to own the single pane of glass? Everybody wants to be the control plane. Everybody wants to be that thing that's on your computer all the time, which is how you work your day to day. How do you kind of dictate what are the top level tools while still going out? And, he said, exploring some of these really cutting edge things out around the fringe, which don't necessarily have a full stack solution that you're going to rely on but might have some cool kind of point solutions if you will, or point products to help you plug some new and emerging holes. Yeah, >>yeah. So for us, yeah, we take security capabilities and we build them into the other things that we sell. So it's not a bolt on. So when you buy things from us, whether whether it's bandwidth or whether its SD wan and security comes baked in, so it's not something you have to worry about integrating later. It's an ingredient of the things that we sell in all of the automation that we build is built into our practice, So it's simple for our customers to understand, like, simple and then layered. On top of that, we've got a couple different ways that we bring pro services and consulting to our practice. So we've got a smart group of folks that could lean into staff, augment and sit on site, do just about anything to help customers build a practice from day zero to something more mature. But now we're toying with taking those folks in building them into products and services that we sell for 10 or 20 hours a month as an ingredient. So you get that consulting wrapper on top of the portfolio that we sell as a service provider. >>Get your take on kind of budgets and how people should think about their budgets. And when I think of security, I can't help but think of like insurance because you can't spend all your money on security. But you want to spend the right amount on security. But at the end of the day, you can't be 100% secure, right? So it's kind of kind of working the margins game, and you have to make trade offs in marketing, wants their money and product development, wants their money and sales, wants their money. So what people are trying to assess kind of the risk in their investment trade offs. What are some of the things they should be thinking about to determine what is the proper investment on security? Because it can't just be, you know, locker being 100% it's not realistic, and then all the money they help people frame that. >>Usually when companies come to us in, Centurylink plays in every different segment, all the way down to, you know, five people company all the way to the biggest multinationals on the planet. So that question is, in the budget is a little bit different, depending on the type of customer, the maturity and the lens are looking at it. So, typically, way have a group of folks that we call security account managers those our consultants and we bring them in either in a dedicated or a shared way. Help companies that's us, wear their practices today in what tool sets for use again things that they need to purchase and integrate to get to where they need to be >>really kind of a needs analysis based on gaps as much as anything else. >>That's part of the reason why we try to build prisons earlier, so many of the technologies into our solution so that so that you buy, you know, SD wan from us, and you get a security story is part of it is that that allows you to use the customer to save money and really have one seamless solution that provides that secure experience. We've been building firewalls and doing network based security for going on two decades now, in different places. So at this point, that is a good place that way, understand? Well, we can apply automation against it. We can dump, tail it into existing services and then allow focused on other areas of security. So it helps. From a financial standpoint, it also helps customers understand from where they put their talent. Because, as you talked about, it's all about talents even more so than money. Yes, we need to watch our budgets. But if you buy these tools, how do you know about the talent to deploy them? And easier You could make it to do that simpler. I think the better off right >>typical way had the most success selling security practices when somebody is either under attacker compromised right, then the budget opens right up, and it's not a problem anymore. So we thought about how to solve that commercially, and I'll just use Vitas is an example. We have a big D dos global DDOS practice that's designed to protect customers that have applications out on the Internet that are business critical, and if they go down, whether it's an e commerce or a trading site losing millions of dollars a day, and some companies have the money to buy that up front and just have it as a service. And some companies don't purchase it from us until they're under attack. And the legacy telco way of deploying that service was an order and a quote. You know, some days later, we turned it up. So we've invested with Christine the whole orchestration layer to turn it up in minutes and that months so you can go to our portal. You can enter a few simple commercial terms and turn it on when you need it. >>That's interesting. I was gonna ask you kind of how has cloud kind of changed the whole go to market and the way people think about it. And even then you hear people have stuff that's secure in the cloud, but they mis configured a switch left something open. But you're saying, too it enables you to deploy in a very, very different matter based on you know, kind of business conditions and not have that old, you know, get a requisite get a p o requisition order, install config. Take on another kind of crazy stuff. Okay, so before I let you go, last question. What are your kind of priorities for this show for Centurylink when it's top of mind, Obviously, you have the report and the Black Lotus. What do you guys really prioritizing for this next week? Here for Cisco. >>We're here to help customers. We have a number of customers, a lot of learning about our solutions, and that's always my priority. And I mentioned earlier we just put out a press release for rapid threat defense. So we're here to talk about that, and I think the industry and what we're doing this little bit differently. >>I get to work with Chris Motions Week with customers, which is kind of fun. The other part that I'm really excited about, things we spent a bunch of time with partners and potential partners. We're always looking at how we bring more, better together. So one of the things that we're both focused on is making sure that we're able to provide more solutions. So the trick is finding the right partners who are ready to do a P I level integration. The other things that Chris was talking about that really make this a seamless and experience, and I think we've got a set of them that are really, really interested in that. And so those conversations this week will be exceptionally well, I think that's gonna help build better technology for our customers even six months. >>Alright, great. Well, thanks for kicking off your week with the Cube and have a terrific week. Alright. He's Chris. He's Chris. I'm Jeff. You're watching the Cube. Where? The RSA Conference in downtown San Francisco. Thanks for watching. See you next time. >>Yeah, yeah.

>> live from Boston, Massachusetts. It's the Cube covering A W s reinforce 2019 brought to you by Amazon Web service is and its ecosystem partners. >> Okay, welcome back. Everyone's two cubes Live coverage here in Boston, Massachusetts, for AWS reinforce. This is Amazon Web services Inaugural conference around Cloud security There first of what? Looks like we'll be more focused events around deep dive security to reinvent for security. But not no one's actually saying that. But it's not a summit. It's ah, branded event Reinforce. We're hearing Mark Ryland off director Office of the Sea. So at eight of us, thanks for coming back. Good to see you keep alumni. Yeah, I'm staying here before It's fun. Wait A great Shadow 80 Bucks summit in New York City Last year we talked about some of the same issues, but now you have a dedicated conference here on the feedback from the sea. So as we've talked to and the partners in the ecosystem is, it's great to have an event where they go deep dives on some of the key things that are really, really important to security. Absolutely. This is really kind of a vibe that how reinvents started, right? So reinventing was a similar thing for commercial. You're deep, not easy to us. Three here, deeper on Amazon. But with security. Yeah, security lens on some of the same issues. One thing that happened >> and kind of signal to us that we needed an event like this over the years with reinvent was consistently over the years, the security and compliance track became one of the most important tracks that was oversubscribed in overflow rooms and like, Hey, there's a signal here, right? And so, but at the same time, we wanted to be able to reach on audience. Maybe they wouldn't go to reinvent because they thought I'd say It's all the crazy Dale Ops guys were doing this cloud thing. But now, of course, they're getting the strong message in their security organizations like, Hey, we're doing cloud. Or maybe as a professional, I need to really get smart about this stuff. So it's been a nice transition from still a lot of the same people, but definitely the different crowd that's coming here and was a cross pollination between multiple and I was >> just at Public sector summit. They about cyber security from a national defense and intelligence standpoint. Obviously, threesome Carlson leads That team you got on the commercial side comes like Splunk who our data and they get into cyber. So you started to see kind of the intersection of all the kind of Amazon ecosystems kind of coming around security, where it's now part of its horizontal. It's not just these are the security vendors and partners writes pretty much everyone's kind of becoming native into thinking about security and the benefits that you guys have talk about that what Amazon has to have a framework, a posture. Yeah, they call it shared responsibility. But I get that you're sharing this with the ecosystem. Makes sense. Yeah, talk about the Amazon Web service is posture for this new security >> world. Well, the new security world is if you look at like a typical security framework like Mist 853 120 50 controls all these different things you need to worry about if you're a security professional. And so what eight obvious able to do is say, look, there's a whole bunch of these that we can take care of on your behalf. There's some that we'll do some things and you got to do some things and there's some There's still your responsibility, but we'll try to make it easy for you to do those parts. So right off the bat we can get a lot of wins from just hey, there's a lot of things will just take care of. And you could essentially delegate to us. And for the what remain, You'll take your expertise and you'll re focus it on more like applications security. There still may be some operating systems or whatever. If using virtual machine service, you still have to think about that. But even there, we'll use we have systems Manager will make it easy to do patch management, updating, et cetera. And if you're willing to go all the way to is like a lambda or some kind of a platform capability, make it super easy because all you gotta do is make sure your code is good and we'll take care of all the infrastructure automatically on your behalf so that share responsibility remains. There's a lot of things you still need to be careful about and do well, but your experts can refocus. They could be very you know like it's just a lot less to worry about it. So it's really a message for howto raise the bar for the whole community, but yet still have >> that stays online with the baby value properties, which is, you know, build stuff, ship fast, lower prices. I mazon ethos in general. But when you think about the core A. W. S what made it so great Waas you can reduce the provisioning of resource is to get something up and running. And I think that's what I'm taking away from the security peace you could say. We know Amazon Web service is really well, and we're gonna do these things. You could do that so us on them and then parts to innovate. So I get that. That's good. The other trend I want to get your reaction to is comments we've had on the Cube with si SOS and customers is a trend towards building in house coding security. Your point about Lambda some cool things air being enabled through a B s. There's a real trend of big large companies with security teams just saying, Hey, you know what? I wanna optimize my talent to code and be security focused on use cases that they care about. So you know, Andy Jazz talks about builders. You guys are about builders you got cos your customers building absolutely. Yet they don't want Tonto, but they are becoming security. So you have a builder mindset going on in the big enterprises. >> Yes, talk about that dynamic. That's a That's a really important trend. And we see that even in security organizations which historically were full of experts but not full of engineers and people that could write code. And what we're seeing now is people say, Look, I have all this expertise, but I also see that with a software defined the infrastructure and everything's in a P I. If I pair up in engineering team with a security professional team, then well, how good things will happen because the security specials will say, Gosh, I do this repetitive task all the time. Can you write code to do that like, Yeah, we can write code to do that. So now I can focus on things that require judgment instead of just more rep repetitive. So So there's a really nice synergy there, and our security customers are becoming builders as well, and they're codifying if you moment expression in code, a policy that used to be in a document. And now they write code this as well. If that policy is whatever password length or how often we rode a credentials, whatever the policy is where Icho to ensure that that actually happening. So it's a real nice confluence of security expertise with the engineering, and they're not building the full stack >> themselves. This becomes again Aki Agility piece I had one customer on was an SMS business. They imported to eight of US Cloud with three engineers, and they wrote all the Kuban aged code themselves. They could have used, you know, other things, but they wanted to make sure it's stable so they could bring in some suppliers that could add value. So, again, this is new. Used to be this way back in the old days, in House developers build the abs on the mainframe, build the APS on the mini computers and then on I went to outsourcing, so we're kind of back. The insourcing is the big trend now, >> right in with the smaller engineering team, I can do a lot that used to require so many more people with a big waterfall method and long term projects. And now I take all these powerful building blocks and put an engineering team five people or what we would call it to pizza team five or six people off to the side, given 34 weeks, and they can generate a really cool system that would have required months and not years before. So that's a big trend, and it applies across the board, including two security. >> I think there's a sea change, and I think it's clear what I like about this show is this cloud security. But it's also they have the on premises conversation, Mrs Legacy applications that have been secured and or need to be secured as they evolve. And then you got cloud native and all these things together where security has to be built in. Yeah, this is a key theme, so I want to get your thoughts on this notion of built in security from Day one. What's your what's your view on this? And how should customers start thinking >> about it? And >> what did you guys bringing to the table? Well, I think that's just a general say maturation that goes on in the industry, >> whether it's cloud or on Prem is that people realize that the old methods we used to use like, Hey, I'm gonna build a nap And then I'm gonna hand it to the security team and they're gonna put firewalls around it That's not really gonna have a good result. So security by design, having security is equal co aspect of If I'm getting doing an architecture, I look a performance. I look, it cost. I look at security. It's just part of my system designed. I don't think of it as like a bolt on afterwards, so that leads to things like, you know, Secure Dev ops and kind of integration teams through. This could be happening on premises to it's just part of I T. Modernization. But Cloud is clearly a driver as well, and cloud makes it easier because it's all programmable. So things that are still manual on premises, you can do in a more automated getting into a lot of conversations here under the covers, A lot of under the hood conversations here around >> security BC to one of the most popular service is you guys have obviously compute a big part of the mission Land, another of the feature VPC traffic flows, where mirroring was a big announcement. Like we talked about that a lot of talking about the E c two nitro. You gave a talk on that. Did you just unpacked it a little bit because this has been nuanced out there. It's out there people are interested in. What's that talk about inscription is, is in a popular conversation taking minutes? Explain your talk. Sure, So we've talked for now a year and 1/2 >> about how we've essentially rien. Imagine reinvented our virtual machine architecture, too. Go from a primarily soft defined system where you have a mainboard with memory and intel processor and all that kind of a coup treatments of a standard server. And then your virtual ization layer would run a full copy of an operating system, which we call a Dom zero privileged OS that would mediate access between the guest OS is in this and the outside world because it would maintain the device model like how do I talk to a network card? How I talked to a storage device. I talked through the hyper visor, but through also a dom zero Ah, copy of Lennox. A copy of Windows to do all that I owe. So what we just did over the past few years, we begin to take all the things we're running inside that privileged OS and move that into dedicated hardware software, harbor combination where we now have components we call nitro components their actual separate little computers that do dbs processing. They do vpc processing they do instance, storage. So at this point now, we've taken all of the components of that damn zero. We've moved it out into these You could call Cho processors. I almost think of them is like the Nitro controllers. The main processor and the Intel motherboard is a co processor where customer workloads run because the trust now is in these external all systems. And when you go to talk to the outside world from easy to now you're talking through these very trusted, very powerful co processors that do encryption. They do identity management for you. They do a lot of work that's off the main processor, but we can accelerate it. We could be more assured that it's trustworthy. It can it can protect itself from potential types of hacks that might have been exposed if that, say, an encryption key was in the and the main motherboard. Now it's not so it's a long story until one hour version and doing three minutes now. But overall we feel that we built a trustworthy system for virtual. What was the title of talk so people can find it online? So I was just called the night to architecture security implications of the night to architecture. So it's taking information that we had out there. But we're like highlighting the fact that if you're a security professional, you're gonna really like the fact that this system has it has no damn zero. It has no shell. You can't log into the system as a human being. It's impossible to log in. It's all software to find suffer driven, and all the encryption features air in these co processors so we can do like full line made encryption of 100 gigabits of network traffic. It's all encrypted like that's never been done before. Really, in the history of computing, what's the benefit of nitro architectural? Simply not shelter. More trust built into it a trusted root. That's not the main board encryption, off load and more isolation. Because even if I somehow we're toe managed to the impossible combination of facts to get sort of like ownership of that main board, I still don't have access to the outside world. From there, I have to go through a whole another layer of very secure software that mediates between the inner world of where customer were close run and the outside world where the actual cloud is. So it's just a bunch of layers that make things more secure, >> and I'm sure Outpost will have that as well. Can you waste on that? Seem to me to hear about that. Okay, Encryption, encrypt everything. Is it philosophy we heard in the keynote? You also talked about that as well. Um, encrypting traffic on the hour. I didn't talk about what that means. What was talked to you? What's the big conversation around? Encryption within a. W s just inside and outside. What's the main story there? >> There's a lot of pieces to the pie, but a big one that we were talking about this week is a pretty long term project we call Project lever. It was actually named after a ah female cryptographer. Eventually Park team that was help. You know, one of the major factors, including World War Two, are these mathematicians and cryptographers. So we we wanted to do a big scale encryption project. We had a very large scale network and we had, you know, all the features you normally have, but we wanted to make it so that we really encrypted everything when it was outside of our physical control. So we done that took a long time. Huge investment, really exciting now going forward, everything we build. So any time data that customers give to us or have traffic between regions between instances within the same region outside reaches, whenever that traffic leaves our physical control so kind of our building boundaries or gates and guards and going down the street on a fiber optic to another data center, maybe not far away or going inter continent intercontinental links are going sub oceanic links all those links. Now we encrypt all the traffic all the time. >> And what's the benefit of that? So the benefit of that is there. Still, you know, it's it's obscure, >> but there is a threat model where, you know, governments have special submarines that are known to exist that go in, sniff those transoceanic links. And potentially a bad guy could somehow get into one of those network junction points or whatever. Inspect traffic. It's not, I would say, a high risk, but it's possible now. That's a whole nother level of phishing attacks. Phishing attack, submarine You're highly motivated to sniff that line couldn't resist U. S. O. So that's now so people could feel comfortable that that protection exists and even things like here's a kind of a little bit of scare example. But we have customers that say, Look, I'm a European customer and I have a very strong sense of regional reality. I wanna be inside the European community with all my data, etcetera, and you know, what about Brexit? So now I've got all this traffic going through. A very large Internet peering point in London in London won't be part of Europe anymore according to kind of legal norms. So what are you doing in that case? Unless they Well, how about this? How about if yes, the packets are moving through London, but they're always encrypted all the time. Does that make you feel good? Yeah, that makes me feel good. I mean, I so my my notion of work as extra territorial extra additional congee modified to accept the fact that hey, if it's just cipher text, it's not quite the same as unscripted. >> People don't really like. The idea of encrypted traffic. I mean, just makes a lot of sense. Why would absolutely Why wouldn't you want to do that right now? Final question At this event, a lot of attendee high, high, high caliber people on the spectrum is from biz dab People building out the ecosystem Thio Hardcore check. He's looking under the hood to see SOS, who oversee the regime's within companies, either with the C i O or whatever had that was formed and every couple is different. But there's a lot of si SOS here to information security officers. You are in the office of the Chief Security Information officer. So what is the conversations they're having? Because we're hearing a lot of Dev ops like conversations in the security bat with a pretty backdrop about not just chest undead, but hack a phone's getting new stuff built and then moving into production operations. Little Deb's sec up So these kinds of things, we're all kind of coming together. What are you hearing from those customers inside Amazon? Because I know you guys a customer driven in the customers in the sea SOS as your customer. What are they saying? What are they asking for? So see, so's our first getting their own minds around >> this big technical transformations that are happening on dhe. They're thinking about risk management and compliance and things that they're responsible for. They've got a report to a board or a board committee say, Hey, we're doing things according to the norms of our industry or the regulated industries that we sit in. So they're building the knowledge base and the expertise and the teams that can translate from this sort of modern dev ops e thing to these more traditional frameworks like, Hey, I've got this oversight by the Securities Exchange Commission or by the banking regulators, or what have you and we have to be able to explain to them why our security posture not only is maintained, it in some ways improved in these in this new world. So they're they're challenge now is both developing their own understanding, which I think they're doing a good job at, but also kind of building this the muscle of the strength. The terminology translate between these new technologies, new worlds and more traditional frameworks that they sit within and people who give oversight over them. So you gotta risk. So there's risk committees on boards of these large publics organizations, and the risk committees don't know a lot about cloud computing. So s O they're part of what they do now is they do that translation function and they can say, Look, I've I've got assurance is based on my work that I do in the technology and my compliance frameworks that I could meet the risk profiles that we've traditionally met in other ways with this new technology. So it's it's a pretty interesting >> had translations with the C I A. Certainly in public sector, those security oriented companies, a cz well, as the other trend, they're gonna educate the boards and they're secure and not get hacked the obsolete. And then there's the innovation side of it. Yeah, we actually gotta build out. Yes. This is what we just talked about a big change for our C says. That we talk to and work with all the time is that hey, we're in engineering community now. We didn't used to write a lot of code, and now we do. We're getting strong in that way. Or else we're parting very closely with an engineering team who has dedicated teams that support our security requirements and build the tools. We need to know that things are going well from our perspective. So that's a really cool, I think, changing that. I think that is probably one >> of my favorite trends that I see because he really shows the criticality of security was pretty much all critically, only act. But having that code coding focus really shows that they're building in house use case that they care about and the fact that I can now get native network traffic. Yeah, and you guys are exposing new sets of service is with land and other things >> over the top. >> It just makes for a good environment to do these clouds. Security things. That seems to be the show >> in a nutshell. Yeah, I think that's one of the nice thing about this show. Is It's a very positive energy here. It's not like the fear and scary stuff sometimes hear it. Security conference is like a the sky's falling by my product kind of thing Here. It's much more of a collaborative like, Hey, we got some serious challenges. There's some bad guys out there. They're gonna come after us. But as a community using new tooling, new techniques, modern approaches, modernization generally like let's get rid of a lot of these crusty old systems we've never updated for 10 or 20 years. It's a positive energy, which is really exciting. Good Mark, get your insights out. So this is your wheelhouse Show. Congratulations. >> You got to ask you the question. Just take your see. So Amazon had off just as an industry participant riding this way, being involved in it. What is the most important story that needs to be told in the press? In the media that should be told what's as important. Either it's being told it, then should be amplified or not being told and be written out. What's the What's the top story? I don't think that even after all this time that you know when people >> hear public cloud computing. They still have this kind of instinctive reaction like, Oh, that sounds kind of scary or a little bit risky and, you know, way need to get to the point where those words don't elicit some sense of risk in people's minds, but rather elicit like, Oh, cool, that's gonna help me be secure instead of being a challenge. Now that's a journey, and people have to get there, and our customers who go deep, very consistently, say, And I'm sure you've had them say to you, Hey, I feel more confident in my cloud based security. Then I do my own premises security. But that's still not the kind of the initial reaction. And so were we still have a ways, a fear based mentality. Too much more >> of a >> Yeah. Modernization base like this is the modern way to get the results in the outcomes I want, and cloud is a part of that, and it doesn't not only doesn't scare me, I want to go there because it's gonna take a community as well. Yeah, Mark, thanks so much for coming back on the greatest. Be hearing great Mark Mark Riley, direct of the office of the chief information security at Amazon Web services here, sharing his inside, extracting the signal. But the top stories and most important things >> being being >> said and discussed and executed here, it reinforced on the Cube. Thanks for watching. We'll be right back with more after this short break.

>> From Boston, Massachusetts, it's the Cube covering WTG Transform 2019. Brought to you by Winslow Technology Group. >> Welcome back. I'm Stu Miniman, and we're here at WTG Transform 2019. Happy to welcome to the program first time guest, Marty Sanders who's the Chief Security Services Officer at Arctic Wolf. Marty, thanks so much for joining us. >> Thank you, Stu. >> All right Arctic Wolf's a partner, but before we get there, I have to say welcome back. >> Thank you, thank you. >> Because you're familiar with this event quite well. You have a background at Compellent, which of course we were just talking to Scott Winslow. It's where his company started. Just give our audience a little bit thumbnail of your background. >> Perfect. So yeah, Scott and I go back a long time. We actually started back working together at Zylotech back in the late 90's. After we left Zylotech, we actually went to Compellent. We started building Compellent back in 2002. As a company we wanted to start a new philosophy. Really sit down with customers prior to actually releasing products. So we actually built a customer council. We started that in Minneapolis, and then what we wanted to do is take it to the next level. We wanted to replicate that out to other parts of the country, and the first person we called was Scott. We started to do it with Scott, and started back in 2004. Had the first meeting here at the Commonwealth, actually with a handful of customers, and now it's grown into this. So it's unbelievable what he's done with the company. And when I look at what he does, he provides a tremendous amount of value to the customers and just sells them exactly what they want. But what they need as well. >> Yeah we always know when certain segments of the market that degree of separation, you look on LinkedIn is like, one and a half. >> Absolutely. >> Everybody knows each other. We all run around some of the same circles. So bring us up to speed. Arctic Wolf. I believe you're the first person we've had on from the company. So give us a little bit kind of the who and the what and the why. >> Perfect. ^- [Stu] Of Arctic Wolf. >> And again thank you very much for inviting us out for this as well. Yeah Arctic Wolf has been around since 2012. Started off in the SOC as a service. Obviously, in that small-medium business, they didn't have the capabilities to do a lot of the security work. Actually, Brian NeSmith, our CEO, started the company with his other founder Kim Tremblay. They worked at Blue Coat, they understood the security world. But understood that there was a big hole in that space, in that small-medium enterprise business. So they were actually way ahead of their time. I mean you look at from 2012 to 2015, it was a little bit slow growth. But now you start to look at where we're at, and the adoption of that, having a SOC as a service 7 by 24, hasn't been adopted very well. >> Yeah, I thought it was rather telling, actually in the keynote this morning, some people were asking about security, and they're like, wait, if I do this hybrid cloud stuff, how does that work? And I'm like, yeah I go to too many events. It's like, I have ingrained in my system now security is everyone's problem. There is no such thing as a moat. You assume that they are going to get in, so therefore I need to build at every level of the stack. I need to get in. But I'm an industry watcher. ^- [Marty] Yep. >> The people that are doing, what's their mindset, what's workin' well for them? Is security heightened? How's Arctic Wolf going? >> And you want to take that premise. I mean, one of the things that we do is we actually assign a concierge security team to that customer. So we want to be that extension of their environment. I mean, in fact, as we started to talk to some of the clients that we have here, they're repeating the words, what they feel like. My team is part of their team. And it makes it so much easier. So you're not dealing with somebody fresh every time that you call in. If you have any type of event that validates that there's somebody trying to break in. You want to have that person that understands your environment. Understands exactly where you've been. Making sure that you're up to speed on their network, all their ingress/egress points that they can come into. So it makes it so much easier if you have that consistent face that you're dealing with. >> Okay. Marty, is there a typical customer of Arctic Wolf? Where do you fit in the WTG? Their customer base? >> Yeah, I mean, that's a great question. I mean, when you look at where we really fit is, the first questions that we want to ask is do you have a security team? Do you have it 7 by 24? I mean, that's where we really want to make sure that we're augmenting that. I mean, when you look at a lot of the companies they might have that office admin that became the IT person, that became the security person. What we want to do is make sure that we're providing the true level of high security for those companies 7 by 24. Because obviously the bad guys know that there's going to be a hole after hours or whatever it's going to be. So that's when they want to go in. So we want to make sure that we're covering that. So Scott and his clients are kind of in that medium to small-medium business, moving up into the small enterprise, and it fits really well with them. >> Yeah, so you're saying most of them don't have an entire security SWAT team. >> Exactly. ^- Waiting 7 by 24, to do that. Walk us through maybe if you have a customer example or kind of a genericized version that you can share. What does an engagement look like from when they first plug in to when they're fully engaged? >> Perfect. So typically what we do is we actually once the deal is closed what we want to do is sit down with the customer and understand exactly all their different applications, all their environments. Understand all their ingress/egress points that they have coming in. We want to make sure that we're maximizing coverage. And what we want to do is triangulate anything that comes into that. Understand all the attack vectors that the bad guys may try to come in. So it takes us about 30 days to go through all of that. So once we get them onboarded, we assign that concierge security team. Going to be a senior and a less-senior person dedicated to that team. And basically they're going to go through and review that environment, make sure that they understand all the different applications. Is it Office 365? Any cloud apps that we need to hook up to it? All the different servers to make sure we're getting all that information. We want to provide more quiet service. We don't want to be, anytime someone knocks on the door, we don't want to be calling, Little Red Hen-type stories. We want to make sure that anything that we actually report on is going to be actionable for those customers. So that's that trusted confidante, that's where we build that strong relationship rather than sending out a note and retracting it as a false positive or anything like that. >> Okay. And Marty, I heard you mentioned some SAS applications and their infrastructure environment. Is public cloud included in that also? >> Absolutely. And what we want to do is make sure that we understand, like you said. And like Joe and Rick went through and talked about. There's going to be that private and public cloud. We want to make sure that we're capturing everything internally, but also if you're using those SAS applications on the outside, whatever they may be, we want to make sure that we're capturing all that information so that we can help with that. >> Okay. And billing. Is there multi-year commitments? Or how does the financial piece of this work? >> It can be MRR. I mean, we're going to go through on a monthly basis and we'd like to get at least a year commitment. It can be something that they sign up for a couple of months or they sign up for a year and pay monthly whatever they need to do. But typically what we want to do is provide that level of service and when you think about it, if you were to go out and buy a security team to cover 7 by 24, it's at least a minimum of six, seven people to do that. So when you look at the price point, we want to be less than that. We want to provide that high level of value. When you think about a single team going out and trying to do something, the typical threat is it has been in their environment for at least 100 days before they notice it. What we want to do is get it down to minutes. We want to make sure that any threat that's coming in we're notifying on it immediately. We want to make sure that we're going to capture all those things. >> All right. So Marty, when I talk to the big enterprises, security it's not only top of mind it's often a board-level discussion. When you come down to kind of the mid-size to small companies, where does security fit in their overall pictures? What are some of the biggest things on their mind? >> So it's very interesting. When you start to think about it, one of the things that is challenging, you look at some of the places that were having the greatest adoption rates are those companies that have the biggest threats. You look at where the money is. You look in the healthcare environments. The smaller healthcare. Or you look at the legal side of things. I mean, people know where there's money and where they need to have that data. So when you look at it, it's becoming a higher topic and it's becoming every conversation. And we don't like to say that the conversation gets highlighted after a breach or whatever it's going to be, but it does. I mean, and we'll be in the middle of some discussions and you'll hear about somebody that just got hit in a similar environment. And that's how then it gets brought up. >> Oh, boy. Sounds almost all the discussion is data is the new oil. >> Yes. Well those bad actors out there know where the oil is. >> Absolutely >> And therefore that's a security risk for them. >> Absolutely. And I mean the thing that you look at is, you hear about where some of the Atlanta, and some of the other cities that were hit. I mean they go after the localities and the municipalities of making sure that they're going after. And they know that they're going to pay very quickly because of how incredibly important that data is to do that. And even some of the sitting talking to some of the customers here today. Manufacturing, you know? Just the ability to go in and steal the IP that they have to make their business a little bit unique. That's where the people are concentrating because they want to take that and find that uniqueness in that business. >> All right. Marty, want to give you the final word. WTG Transform 2019. Talk about the partnership, talk about the customers and final takeaways. >> So the partnership, I mean, obviously Scott and I have known each other for a long time. The entire sales team and I know Scott. Rick Gowan actually was a customer of ours at Travelers Insurance. Scott hires great people, great employees. They partner. They take care of their customers better than anybody that I know. I mean, I just love the passion. In fact, some of the customers that we started with back in 2004 are still here. Still using the same products. But they continue to look at what provides the most value for them. >> All right. Marty Sanders the CSSO of Arctic Wolf, thanks so much for joining us. ^- Thank you, Stu. >> And appreciate all the updates. >> Thank you. All right. Full day of coverage here in the shadow of Fenway Park, Boston, Massachusetts. The East Coast team's home game as we like to say. I'm Stu Miniman. Thanks so much for watching the Cube. (gentle techno music)

>> Live from Barcelona, Spain, it's theCUBE. Covering Cisco Live! Europe. Brought to you by Cisco and its ecosystem partners. >> Welcome back to Cisco Live! in Barcelona. I'm Dave Vellante with my cohost, Stu Miniman. You're watching theCUBE, the leader in live tech coverage. This is day one of a three day segments that we're doing here at Cisco Live Barcelona. Bret Hartman is here as the CTO of Cisco Security Group. And we think of CUBE alone from way back, Bret. >> Way back, way back. >> Great to see you again. >> You bet. >> Thanks for coming on. So we're here to talk about Workload Security. >> Yep. >> What is that? What is Workload Security? >> What is Workload Security? So it's really the whole idea of how people secure applications today because applications aren't built the way they used to be. It's not the idea that you have an application that's just sitting running on a server anymore. Applications are actually built out of lots and lots of components. Those components may run in a typical data center, they may run in a cloud, they may be part of a SaaS solution, so you got all these different components that need to be plugged together. So the question is how do you possibly secure that when you have all these pieces, containers, and virtualized workloads all working together? That's the big question. >> Written oftentimes by different people with different skillsets. >> Different people, different services, yeah, open source, right. So all that somehow has to come together and you have to figure out how to secure it. That's question. >> And so what did you used to do with applications security? You used to just kind of figure it out at the end and bolt it on, is that? >> Pretty much, I mean, historically, people would do their best to secure their application. It would be kind of monolithic or three-tier, the web tier, app tier, database and that sort of thing. And then you'd also depend a lot on the infrastructure. You'd depend on firewalls, you'd depend on things on the edge to protect the application. The problem is there's not so much of an edge anymore when in that world I described you can't really rely so much on that infrastructure anymore. That's the shift of the world we know of. >> So what's the prescription today? How do you solve that problem? >> You know, there's a lot of ad hoc work. And so this whole notion, a lot of people talk about devsecops these days or sometimes it's devopssec, or there's all these different versions of that. But the whole idea of the devops world, the way people build applications today, and the security world, the security ops world are either coming together or colliding or crashing, right. And so it's getting those things to work. So right now, the way devops and secops works today is not particularly well. Lot of manual work, a lot of kind ad hoc scripts. But I will say probably over the last year, there's a lot more awareness that we need to figure this out to be able to merge these two things together. That's kind of the next stage. >> Bret, bring us inside that a little bit because if you listen to the devops people it's we got to do CICD. >> Yep. >> We need to move fast. And there was the myth out there, oh well, am I fast or am I secure? >> Right. >> I was reading some research recently and they said actually that's false trade off. Actually you can move fast and be more secure. But you raised a risk because you said if these are two separate things, and they're not working in lob step and it's not secure every step of the way in that part of your methodology then you're definitely going to break security. >> That's exactly right, and there's a basic question of how much of a responsibility the developers have to provide security anyway? I mean, historically, we don't really necessarily trust developers to care that much about security. Now as to your point, these days without the way people develop software today, they need to care more about 'em. But typically, it was the security operations folks. That was their responsibility. The developers could do whatever they wanted and the security folks kept them safe. Well, again, as you said you can't do that anymore. So the developers have to pull security into their development processes. >> Yeah, when I go to some of the container shows or the serverless shows, the people in the security space are like chanting up on stage, security is everyone's responsibility. >> Right. >> Which hasn't traditionally been the case. >> It has not, and so it's really what companies are working on now is how do the security operations people fit into that development process? And what are the tools? And again, it's a long, complicated set of infrastructure and other sorts of tools, but that's sort of the point. At Cisco, we're really working on evolving the security products and technology, so exactly it fits into that process, that's the goal. >> So I'm sure there's a maturity model, or a spectrum >> Yeah >> When you go out and talk to customers. Maybe we could poke at that a little bit. >> Sure. >> Describe that. So you're really talking about a world where it's team a sport. The regime is everybody's got to be involved. But oftentimes they're working for different people. >> Yep. >> Some are working for the CIO maybe some the CTO, some the CSO, maybe some other line of business. >> Different companies, contractors, providers, all that. >> Yeah. Right, partners. So what does that spectrum look like, and how are you helping customers take that journey? >> Yeah, so not surprisingly, companies that are born in the cloud, they're like this is old news. It's like this how they deal with it every day. A lot of those companies have the lower risk deployments anyway. The organizations that are really early days on this are the ones that have lots of existing investment in all that data center stuff. And they're trying to figure out how this is going to work. You talk to a typical bank, for example, their core business processes of how they protect money, they're not going to move to the cloud, right? So how did they evolve? And they, by the way, they have to deal with compliance requirements on all this other stuff. They can't play too fast and loose. So that's an example of something that's early days. But they are also working a lot in terms of evolving, moving to the cloud and having to be able to support that too. >> So when you engage with clients, I presume you try to assess kind of where they're at. >> Yep. >> And then figure out where they want to go and then how to best get 'em there. So what is Cisco's role in helping them get there? >> And so first of all, of course I represent the business group that builds the security products, right. So a lot of this and the reason why my group is so interested in this, and our security group at Cisco is so interested, is this really represents the future of security. This idea of having it much more embedded into the applications as opposed to purely being in the infrastructure. So what we're seeing for typical customers, like if I roll the clock back a year ago, and we talked about things like devsecops, they were like yeah, kind of an interesting problem, the one we just talked about, but it's like not quite ready for it. Now this is, I think every CSO, Chief Security Office, I talked to, very aware, have active engagements about how they're working with their devops groups. And are actively seeking for tools and technology to support them. So to me that's a good sign that it's... The world is moving in this direction. And as a security vendor, we need to evolve too. So that means things like evolving the way firewalls work, for example. It's not just about firewalls sitting at the edge. It means distributing firewall functionality. It means moving functionality into the pubic cloud, like AWS, and Google, and Azure. It means moving security up into the application itself. So it's a very different world than just a box sitting on the edge. That's the journey, and we're on that journey, too. And the industry is. I mean, it's not a solved problem for exactly how to do that. >> If we go back the early days, we were talking about that when theCUBE started in 2010, security really wasn't a board level topic back then. >> True. Or at least not for every company. There was certainly some companies >> Yeah, for sure. >> But now it's like you're right, every company cares about it. >> Right, and it comes up at every quarterly meeting, certainly every annual meeting. So what should ... How should the technical C side, the CIO, CTO, if they're invited into the board meeting, how should they be communicating to the board about security? >> That's a tough one. >> What should be the key messages? >> And to your point, I mean typically these days for most major corporations in the world, the Chief Security Officer is often presenting at every board meeting because cyber risk is such a big, big part of that risk. And this is a challenge, right, because to try to communicate all the tech required to manage that risk to a board, not so easy, right. It's like trying count how many malware threats stopped. It's like what'll they do with that? If you talk to our Chief Security Officer, Steve Martino here at Cisco, I mean, he talks a lot about first of all, having visibility. Being able to show how much visibility. How much can we see? And then how much can we control and show that the organization is making more and more progress in terms of just seeing what's out there so you don't have broke devices, and then putting controls in place. So you need some pretty big animal pictures, communication of being able to manage that, but you can never come in and say, yep guaranteed, we're secure. Or give it a number, it kind of has no meaning. >> But strategy, visibility, response mechanisms, preparedness, what the response protocol is that's the level of, it sounds like >> It's showing maturity of the >> level of communications. >> processes, really, and the ability to take that on as opposed to getting into the weeds of all the metrics that, it just don't. >> So, Bret, we've had multi vendors for a long time and even in the network space there's a lot of different pieces of the environment. How is multi cloud different from a security standpoint? >> Yeah, so the issue there, and kind of what I was hinting at, we talk about the way people build applications is that all those vendors, they all do security differently. Every one does security differently. It's all good, I mean. And for example, Amazon, Google, Microsoft, they're all making massive investments to secure their own clouds, which is awesome, but they're all also different. And then you have the SaaS vendors. You talk to Salesforce, Dropbox and Box, they have different security mechanisms. And then, of course, you have different ones in the enterprise. So from a Chief Security Officer's standpoint, reporting to the board, they want one policy. We want to protect sensitive corporate data. And then you have maybe 100 different security policies across all this mess. That's why it's different. Trying to manage the complexity and get the policies to work and get, of course all those platforms, you can't force it all to be the same. So a lot of what we're working on are really tools to do that. So you can, fitting back into that devops process, you can define high-level policies of how do you control that data and then map it to all those different platforms. That's the goal, that's how we get there, make progress. >> So you had a picture up in the keynotes today. It had users, devices kind of on one side of the network. And then applications and data on the other side of the network. And then the network in the middle and all those pieces fitting in. How does that affect how you think about security? We've talked a lot about applications, securing the applications. Are you thinking similarly about the data, or the devices, or even the users? Bad user behavior will trump great security every time. Where do those other pieces fit into the context? >> Well, of course, that's a big reason why we just acquired Duo Security. >> Yikes. >> Very significant acquisition there, which is exactly around trust of human beings as well as the devices. A key component that Cisco didn't have before that and fits in exactly to that point. I was a key strategic piece of that, of trust, defining trust. And yeah, that fits in. Obviously we already do lots on the device side. We do things like the Identity Service Engine to enforce access with the network. We have more and more on the applications side. Not so much in the data side yet. I mean, but as we move up the stack into the application it'll be around data too. But the network is a natural conversions point there. And the whole idea of having security embedded right into that network is of course why I'm at Cisco, right. That security is a critical thing that needs to be embedded in everything that Cisco does. >> Well, you've got an advantage in that you can do the ePacket inspection, you're in the network. I mean, that's fundamental. >> Security is really all about visibility. You don't have visibility, you have nothing. And Cisco has this incredible footprint, incredible telemetry across the world. I mean, all the statistics around Talos you probably seen. It's huge, right. And that's a big advantage that we have to really provide security. >> Awesome. Well, Brent, thank you for coming back on theCUBE. It's great to see you again. >> My pleasure. >> 'Preciate the update. >> Glad to see you again. >> All right, keep it right there everybody. Stu Miniman and Dave Vellante. You're watching theCUBE from Cisco Live! Barcelona. Stay right there, we'll be right back. (upbeat music)

>> Live from Washington DC, it's theCUBE. Covering AWS Public Sector Summit 2018. Brought to you by Amazon Web Services and it's ecosystem partners. >> Hey, welcome back everyone. This is theCUBE's exclusive coverage live in Washington DC at Amazon Web Services AWS Public Sector Summit. I mean, it's so jam-packed you can't even move. This is like the re:Invent for Public Sector even though it's a summit for Amazon Web Services. I'm here with Dave Vellante, my co-host. Our next guest is John Wood, Chairman and CEO of Telos, and Rick Tracy, Chief Security Officer and the co-inventor of Xacta, it's hot technology. John, great to see you, welcome to theCUBE. >> Thanks guys. >> Thanks for having us. >> I love to get the brain trust here, John you're, like, probably one of the most experienced cyber security gurus in the DC area still standing. (laughing) As we said last time on theCUBE. >> Always, always. >> Okay. (laughing) And you've got some patents here, with some core technology, so first of all, I want to, before we get into some of the cool features of the products, talk about the dynamic of public sector, because Amazon has these summits, and they're kind of like a recycled re:Invent. Small scale, still packed. Talk about what Public Sector Summit is, because this is a completely different ballgame in this world. >> Sure, it's a perfect age for the cloud, and what this summit does, is it provides a great venue for people to come, learn about what works, get best practices, find use cases and just see what the ecosystem's all about in terms of how to make it work with the cloud. >> Rick, so what's your take? >> Well, if there's any doubt about it, what, is it double the size of last year? I think there were 7,000 people here last year and Teresa said today 14,500. So, yeah, I mean, it suits us perfectly because this is our sweet spot. >> So, Dave and I are always amazed by Amazon in general, the slew of announcements, Teresa Carlson picking the reins up where Andy Jassy does that Amazon re:Invent which is just tons of content, so many new announcements. What's your guys take on the hot news for you guys, because you guys are a major sponsor and you're in the ecosystem, you've been doing a lot of business with Amazon. >> Sure. >> What's going on in the business? What's happening with Telos? Why is it so booming right now for you guys? >> Well, I think people realize that there is a way to use automation where security can help drive cloud adoption. So, Rick and I co-authored an article back in 2011 that talked about why the cloud was more secure and it went over kind of like a lead ballon. And then back in 2014 the agency made the decision, the CIA made the decision, arguably the most security conscious organization in the world, to go to the cloud. And so that was a big, big, big, deal. But what we do is we help drive the security automation and orchestration stuff so you can reduce the time it takes to get what's called your authority to operate. And so I think that's a big deal now. The use of automation is being used to enhance the mission, so that the mission owners can get to their mission using the cloud, much more quickly. >> And we heard from the most powerful sentence in the keynote this morning was, "The cloud on it's weakest day is more secure than Client Service Solutions." This is a practitioner saying that, a leader of an agency saying that, not Amazon or not Telos. >> Absolutely. >> And it's because of that automation, right? I mean, that's really a key factor. >> It's because of the automation. It's also because the cloud providers are making sure that they lock down their physical infrastructure. Guards, gates, guns. All of the physical infrastructure and the virtual infrastructure, they do a really good job of that. If you think about it, the US government, unfortunately, 80% of their spend is around maintaining old systems. Well, the cloud providers are keeping modern. Those old systems have a lot of weaknesses from a standpoint of cyber security flaws. So, with a modern technology like the cloud, there's a lot more you can do around automation to lock down much more quickly. >> And the standardization that you get with a cloud makes it's easier as well, because there's not so many variations of things that you have to figure out how to protect. So, the standardized services that everything's built on really helps. >> Yeah, and people are adopting cloud in kind of different ways, which makes it harder, too. But you get the benefits of scale and speed, certainly. But I got to just pick up on some big news that's happened just last night and today. Microsoft Azure suffered an 11 hour downtime across Europe. 11 hours Azure's down, Microsoft Azure. This is a huge concern. Downtime, security, these are issues, I mean, this is just like, so, what's going on with this? >> Well, the truth of the matter is, if you think about where Amazon is today, Amazon is light years ahead of the rest of the cloud guys. The reason for that is they made the decision early on to take the risk around cloud. As a result of that, they have so many lessons learned that are beyond all of the other cloud providers, that that wouldn't happen to Amazon today, because they'll be able to back up, replication and duplication if they have, and their environments. >> How big do you think that lead is? You know, there's a lot of debate in the industry that other guys are catching up. The other side of the coin is, no, actually the flywheel effect is a lot like Secretariat in the stretch run of the Belmont, you were talking about racing before. What's your sense of that lead, even subjectively. >> I think it's between 5 and 10 years. There was a, it was crickets in this world, in the public sector world for cloud up until, literally, the agency decided to adopt. So the CIA made that decision, that was, sort of, the shot heard around the world as it relates to cloud adoption. Not just for public sector but for commercial as well, 'cause if you look at Amazon's ramp up, right after that decision was made, their ramp up has been amazing. >> That was a watershed event, for sure. >> It was, and it was very well documented, I mean, I read the judges ruling on that when IBM tried to stop them and the judge eviscerated IBM. And of course IBM had no cloud at the time, they had to go out and spend two billion dollars on software. John has lots of opinions on that, but okay, so that leaves-- >> I'm on the right side of history on that call. >> I think you are, it was a pretty good call. What about, what should be practitioners be thinking about? You talked about the standardization. Where should they be focused? Is it on response, is it on analytics, is it on training? What should it be? >> Well, from our perspective it is, a lot of the focus is on analytics, right? So, a lot of data that we've helped our customers collect over time for this ATO process that John previously mentioned, our goal with IO, Xacta IO, is to help organizations leverage that data to do more through analytics, so there's this dashboard with ad hoc reporting and analytic capability that's going to allow them to blend asset data with risk-to-threat data, with other sorts of data that they're collecting for ATO, specifically for the ATO process, that they can use now for more robust cyber risk management. So, for me, analytics is huge moving forward. >> And that's a prioritization tool so they can focus on the things that matter, or maybe double-click on that? >> It could be, it could be a prioritization tool, but it could also be a tool that you use to anticipate what might happen, right? So, some analytics will help you determine this asset is vulnerable for these variety of reasons, therefore it has to go to the top of the sack for remediation. But also, using that data over time might help you understand that this plus this plus this is an indication that this bad thing is going to happen. And so, analytics, I think, falls into both categories. Probably it's more the forecasting and predictive is something that's going to come later but as you unmask more data and understand how to apply rules to that data, it will naturally come. So, Rick and I have worked together for many, many years and, over a quarter of a century, so the way I would say it is like this. Xacta 360 helps you to accelerate your authority to operate, but that's a point in time. The holy grail for us as security practitioners is all around continuous monitoring of your underlying risk. So, the data analytics that he's talking about, is where we come about and looking at Xacta IO. So, Xacta IO helps fulfill that mission of continuous compliance, which means that the ATO is no longer just relevant at that moment in time because we can do continuous monitoring now at scale, in hybrid environments, in the cloud, on prem. 'Cause our clients are huge, so they're going to be a combination of environments that they're sitting in, and they need to understand their underlying risk posture. They need to have, they're going to have all kinds of scanners, so we don't really care, we can ingest any kind of scanner that you have with Exact IO. As a result of that, the security professional can spend their time on the analysis and not the pedestrian stuff that's just kind of wasting time, like documentation and all that stuff. >> Yeah, for us, data's a means to an end, right? It's either to get an ATO or to help you understand where you need to be focusing your resources to remediate issues. So, for us, leveraging the data that's produced by many companies that are at this show. Their data is a means to help us get our job done. >> Were you able to have, one follow up, if I may, were you able to have an impact, to me, even, again, subjectively, on that number, whatever that number is, that we get infiltrated, the customer gets infiltrated, it's 300 days before they even realize it. Are you seeing an impact on that as a result of analytics, or is it too early days? >> I would say it's still early. But it's reasonable to expect that there will be benefits in terms of faster detection. And maybe it's not even detection at some point, hopefully, it's anticipating so that you're not detecting something bad already happened, it's avoiding it before it happens. >> Yeah, and let me say it this way, too. You know, if you listen to John Edwards, the CIO from the CIA, he talks about how the reason he loves the cloud is because it used to take the agency about a year to provision a server, now it's a few minutes, right? Well that's great, but if you can't get your authority to operate, 'cause that can take another 18 months, you're not going to get the benefit of the cloud, right? So what we do, is we help accelerate how fast you can get to that ATO so that guys like the agency and anybody else that wants to use the cloud can use it much more quickly, right? >> Yeah, and the continuous integration and all that monitoring is great for security but I've got to ask you a question. Analytics are super important, we all know data analysis now is in the center of the value proposition across the board, horizontally. Not just data warehousing, analytics that are used as instrumentation and variables into critical things like security. So, with that being said, if you believe that, the question is, how does that shape the architecture, if I'm in an agency or I'm a customer, I want to build a cloud architecture that's going to scale and do all those things, be up, not go down, and have security. How does the architecture change with the cloud formula for the decision maker? Because right now they're like, "Oh, should I do multi-cloud, should I just Amazon" So, the data is a critical architectural decision point. How do you guys see that shaping, what's your advice to practitioners around designing the cloud architecture for data in mind. Just use Amazon? (laughs) >> Well, yes. (laughs) Just use Amazon. I mean, all the tools that you need exist here, right, and so-- >> If all the tools you need in the cloud exist here. >> Alright, so rephrase another way. >> But John, the issue is you're not going to have all your stuff in the cloud if you're the air force or if you're the army, because you have 75 years of data that you got to push in. So over the next 10 years there's going to be this "hybrid" environment where you'll have some stuff in the cloud, some stuff in a hybrid world, some stuff on prem, right? >> How I secured that, so that's a great point. So, data's everywhere, so that means you're going to need to collect it and then measure certain things. What's the best way to secure it and then is that where Xacta fits in? I'm trying to put that together if I'm going to design my architecture and then go to procurement, whether it's on premise or multi-cloud. >> Well, there are lots of security products that people use to secure, whether you're on prem or whether you're in the cloud and our platform leverages that information to determine whether things are secure enough. So there's a distinction between cyber risk management and actually securing a database, right? So, there's so many granular point products that exist for different points along the security chain, lifecycle chain, if you will, that our objective is to ingest as much of that information and purpose it in a way that allows someone to understand whether they're actually secure or not. And so it's understanding your security posture, transforming that security information to risk so that you can prioritize, as you were talking about before. >> You're taking a platform mentality as opposed to a point product. >> We're taking an enterprise view of risk. So, the enterprise is, remember, it's on prem, and hybrid and cloud. If all your stuff is in the cloud, Amazon has the answer for you. None of our customers are in that situation. If you're a start up, Amazon's the way to go, period. But all of our customers have legacy. As a result of that it's an enterprise view of risk. That's why companies like Telos partner so well with Amazon because they're all about being close to the customer, they're all about using automation. We are as well. >> Alright, talk about the news you guys have, Xacta IO, you're the co-inventor of it, Jack. Talk about this product. What's the keys, what does it do, where's it applied to, you mentioned a little bit of getting past the authority time point there. What's the product about? The product is about ingesting massive amounts of information to facilitate the ATO process, one, but managing cyber risk more generically because not everybody has an ATO requirement. So, you asked a few seconds ago about, so you're taking a platform approach. Yes, we're blending three separate products that we currently have, taking that functionality and putting it on a very, very, robust platform that can exist on prem, it can exist in the cloud. To enable organizations to manage their cyber risk and if they choose, or they have a requirement, to deal with things like FedRAMP and risk management framework and cyber security framework and iso certification and things of that nature. The point is, not everyone has an ATO requirement but everyone has a need to manage their risk posture. So we're using our ability to ingest lots and lots of data from lots and lots of different sources. We're organizing that data in ways that allow an organization to understand compliance and/or risk and/or security, and visualize all that through some dashboard with ad hoc reporting that let's them blend that data across each other to get better insights about risk posture. >> And to visualize it in a way that makes sense to the user. >> Yes, so, if you're the CEO, you're going to want to see it a certain way. If you're the IT manager, you're going to want to see it a certain way. If you're a risk assessor, you're going to want to see it a different way. So that's kind of what we're talking about. >> I got to ask you one question, I know we got to go, but, a hardcore security practitioner once said to me that hardcore security practitioners, like you guys, when they were kids they used to dream about saving the world. So, I want to know, who's your favorite superhero? >> Superman. >> Superman? >> Spiderman. >> Alright, awesome. (laughing) >> That was a basic question for you guys. >> Thank you very much >> Yeah, that's the hardest question, see they're fast, they know. Star Trek or Star Wars? (laughing) >> Depends on the generation. >> We won't go there. theCUBE have 15 more minutes today. Okay, final question, what's this going to do for your business now you have new, opened up new windows with the new product integration. How's that going to change Telos, what does it do for you guys from a capabilities standpoint? >> Well, the big thing I'd suggest your listeners and your watchers to consider is, there's a new case study that just came out, it's published jointly by the CIA, Amazon and Telos, talking about why working together is really, really, really groundbreaking in terms of this movement to the cloud. 'Cause your public sector listeners and viewers are going to want to know about that because this ATO thing is really a problem. So this addresses a massive issue inside of the public sector. >> And final question, while you're here, just to get your thoughts, obviously there's a big change of the guard, if you will, from old guard to new guard, that's an Amazon term Andy Jassy uses. Also, we all saw the DOD deal, JEDI's right there on the table, a lot of people jockeying, kind of old school policy, lobbying, sales is changing. How is the landscape, from a vendor-supplies to the agencies changed and/or changing with this notion of how things were done in the past and the new school? So, three points, legislatively there's top cover, they understand the need to modernize, which is great. The executive branch understands the need to modernize through the IT modernization act as well as the cyber security executive order. And then lastly, there are use cases now that can show the way forward. Here's the problem. The IT infrastructure out there, the IT guys out there that do business in the government, many of them are not paid to be efficient, they're paid cost plus, they're paid time and material, that's no way to modernize. So, fundamentally, I think our customers understand that and they're going to revolutionize the move forward. >> And the rules are changing big time. Sole source, multi-source, I mean, Amazon's on record, I've got Teresa on record saying, "Look, if we don't want a sole source requirement, let everyone bid fairly." Let's see who wins. Who can bring a secret cloud to the table? No one else has that. >> In terms of past performance and customer use cases they're pretty much in the head, for sure. >> Great, Amazon kicking butt here, Telos, congratulations for a great event, thanks for coming on. >> Thanks a lot guys. >> I appreciate it. >> Alright, CUBE coverage here in DC, this is theCUBE, I'm John Furrier with Dave Vellante. Stay with us, we have more great interviews stacked up all day and all day tomorrow. Actually you have half day tomorrow until two 'o clock Eastern. Stay with us for more, we'll be right back. (upbeat music)

>> Narrator: Live from New York City, it's the CUBE covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Okay welcome back everyone. This is the CUBE's live coverage in New York City exclusively with the CyberConnect 2017, it's an inaugural event presented by Centrify. It's not a Centrify event. Centrify one of the fastest growing security startups in Silicon Valley and around the world. It is underwriting this great event bringing industry, government and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host with Dave Vellante, my co-host, my next guest is Bill Mann who's the Chief Product Officer with Centrify. Welcome back to the CUBE, great to see you. >> Hey, great to be here. >> Thanks and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event, make it about Centrify, it's really an organically driven event with the team of customers you have, and industry consultants and practitioners, really, really great job, congratulations. >> Bill: Thank you. >> Alright so now let's get down to the meat of the conversation here at the show in the hallways is general's conversation, General Alexander talking about his experience at the NSA and the Fiber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise whether it's a slow moving enterprise or a fast moving bank or whatever, the realities are this is the biggest complexity and challenge of our generation. Identity's at the heart of it. You guys were called the foundational element of a new solution that has people have to coming together in a community model sharing data, talking to each other, why did he call you guys foundational? >> I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the keys to getting yourself in a better state of mind and a better security posture. If we look at the kind of the foundational principles of identity, it's really about making sure you know who the people are within your organization, by doing identity assurance so that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle and let's face it, most organizations are now connected to the Cloud, they've got mobile user, they've got outsourced IT so something's got to change, right. I mean the way we've been running security up until now. If it was that great, we wouldn't have had all the threats, right? >> And all kinds of silver bullets have been rolling out, Dave and I were commenting and Dave made a point on our intro today that there's no silver bullet in security, there's a lot of opportunities to solve problems but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from Aetna, the Chief Security Officer and he was kind of making fun with himself by saying I'm not a big computer science, I was a history major and he made a comment about his observation that when civilizations crumble, it's because of trust is lost. And kind of inferring that you can always connect the dots that trust in fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure so a holistic view of trust stability and enhancement can work in security. What's your reaction to that? >> So it's a complicated area. Trust is complicated let me just kind of baseline that for the moment. I think that we unfortunately, need to have better trust but the way we're approaching trust at the moment is the wrong way so let me give you a simple example. When we go, when we're at home and we're sleeping in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed but reality is the doors and windows can be really easily opened right, so we shouldn't be trusting that environment at all but we do so what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment so the known things in our environment can be people right, the identity of people, can be objects like knowing that this is really Bill's phone, it's a registered phone and it's got a device ID is better than having any phone being used for access so like I said, trust, it's complicated. >> John: But we don't know it has malware on there though. You could have malware. >> You could have malware on there but look, then you've got different levels of trust, right. You've got zero trust when you don't know anything about it. You've got higher levels of trust when you know it's got no malware. >> So known information is critical. >> Known information is critical and known information can then be used to make trust decisions but it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be like the home example where you think the doors are closed but it's so easy to break through them, that's when we infer trust so trust is something that we need to build within the environment with information about all the objects in the environment and that's where I think we can start building trust and that's I think how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person right. Yet I'm talking to you, I trust that I'm talking to you, right, so that's where the breakdown happens and once we have that breakdown, society can breakdown as well. >> But going back to your device example so there are situations today. I mean you try to log on to your bank from your mobile device and it says do you want to remember this device, do you want to trust this device? Is that an example of what you're talking about and it might hit me a text with a two factor authentication. >> That's an example, that's absolutely an example of trust and then so there's a model in security called the zero trust model and I spoke about it earlier on today and that model of security is the foundational principles of that is understanding who the user is, understanding what endpoint or device they're coming from and that's exactly what you've described which is understanding the context of that device, the trustworthy of the device, you know the location of that device, the posture of that device. All of those things make that device more trustworthy than knowing nothing about that device and those are the kind of fundamental constructs of building trust within the organization now as opposed to what we've got at the moment is we're implying trust without any information about really trust right. I mean most of us use passwords and most of us use password, password so there's no difference between both of you, right and so how can I trust-- >> I've never done that. >> I know but how can we trust each other if we're using you know, data like that to describe ourselves. >> Or using the data in your Linkedin profile that could be socially engineered. >> Bill: Exactly. >> So there's all kinds of ways to crack the passwords so you brought up the trust so this is a, spoofing used to be a common thing but that's been resolved that some, you know same calling some techniques and other things but now when you actually have certificates being compromised, account compromised, that's where you know, you think you know who that person is but that's not who it is so this is a new dynamic and was pointed out in one of the sessions that this account, real compromises of identity is a huge issue. What are you guys doing to solve that problem? Have you solved that problem? >> We're addressing parts of solving that problem and the part of the problem that we're trying to solve is increasing the posture of multi factor authentication of that user so you know more certainty that this is really who that person is. But the fact of the matter is like you said earlier on, trying to reduce the risk down to zero is almost impossible and I think that's what we have to be all clear about in this market, this is not about reducing risk to zero, it's about getting the risk down to something which is acceptable for the type of business you are trying to work on so implementing MFA is a big part of what Centrify advocates within organizations. >> Explain MFA real quick. >> Oh, multi factor authentication. >> Okay, got it. >> Something that we're all used to when we're using, doing online banking at the moment but unfortunately most enterprises don't implement MFA for all the use cases that they need to be able to implement before. So I usually describe it as MFA everywhere and the reason I say MFA everywhere, it should be for all users, not a subset of the users. >> Should be all users, yeah. >> And it should be for all the accesses when they're accessing salesforce.com for concur so all the application, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privilege command, you should reauthenticate them as well at different points in time. So implementing MFA like that can reduce the risk within the organization. >> So I buy that 100% and I love that direction, I'd ask you then a hard question. Anyone who's an Apple user these days knows how complicated MFA could be, I get this iCloud verification and it sends me a code to my phone which could be hacked potentially so you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA across workloads so application one through n. >> So let me kind of separate the problems out so we focus on the enterprise use case so what you're describing is more the consumer use case but we have the same problem in the enterprise area as well but at least in the enterprise area I think that we're going to be able to address the problems sooner in the market. >> John: Because you have the identity baseline? >> One, we have the identity and there's less applications that the enterprise is using. >> It's not Apple. >> It's not like endpoints. >> But take Salesforce, that's as much of a pain, right. >> But with applications like Salesforce, and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether and a lot of the industry is moving towards using API mechanisms for authentication. Now your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth right so that's going to be tougher to do but you know, we're focused on trying to solve the enterprise problem and even that is being a struggle in the industry. It's only now that you're seeing standards like SAML and OWASP getting implemented whereby we can make assertions about an identity and then an application can then consume that assertion and then move forward. >> Even in those situations if I may Bill, there's take the trust to another level which is there's a trusted third party involved in those situations. It might be Twitter, Linkedin, Facebook or Google, might be my bank, it might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain. >> Oh I actually do. Yeah, no, I do, I think the trusted third party model that we've got is broken fundamentally because if a break in to the bank, that's it, you know the third party trust but I'm a big fan of blockchain mainly because it's going to be a trusted end party right so there's going to be end parties that are vouching for Bill's identity on the blockchain so and it's going to be harder to get to all those end minors and convince them that they need to change their or break into them right. So yeah I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. >> I think you're right on the money and what i would add to that is looking at this conference, CyberConnect, one theme that I see coming out of this is I hear the word reimagining the future here, reimagining security, reimagining DNS, reimagining so a lot of the thought leaders that are here are talking about things like okay, here's what we have today. I'm not saying throwing it away but it's going to be completely different in the new world. >> Yeah and I think you know the important thing about the past is got to learn from the past and we got to apply some of the lessons to the future and things are just so different now. We know with microservices versus monolithic application architectures you know security used to be an afterthought before but you know, you talk to the average developer now, they want to add security in their applications, they realize that right so, and that's going to, I mean, maybe I'm being overly positive but I think that's going to take us to a better place. >> I think we're in a time. >> We need to be overly positive Bill. >> You're the chief officer, you have to have a 20 mouth stare and I think you know legacy always has been a thing we've heard in the enterprise but I just saw a quote on Twitter on the internet and it was probably, it's in quotes so it's probably right, it's motivating, a motivating quote. If you want to create the future, you've got to create a better version of the past and they kind of use taxis versus Uber obviously to answer of a shift in user behavior so that's happening in this industry. There's a shift of user experience, user expectations, changing internet infrastructure, you mentioned blockchain, a variety of other things so we're actually in a time where the better mouse trap actually will work. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way by theory if you believe that, legacy shouldn't be a problem. >> You know and I certainly believe that. Having a kid who's in middle school at the moment, and the younger generation, to understand security way more than we ever used to and you know, this generation, this coming generation understands the difference between a password and a strong password and mobile be used as a second factor authentication so I think that the whole tide will rise here from a security perspective. I firmly believe that. >> Dave: You are an optimist. >> Well about government 'cause one thing that I liked about the talk here from the general was he was pretty straight talk and one of his points, I'm now generalizing and extrapolating out is that the HR side of government has to change in other words the organizational behavior of how people look at things but also the enterprise, we've heard that a lot in our Cloud coverage. Go back eight years when the Clouderati hit, oh DevOps is great but I can't get it through 'cause I've got to change my behavior of my existing staff. So the culture of the practitioners have to change. >> Bill: Yes, absolutely. >> 'Cause the new generation's coming. >> Oh absolutely, absolutely. I was speaking to a customer this morning who I won't mention and literally they told me that their whole staff has changed and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there and they really wanted to move forward at a pace and they wanted to make changes that their legacy staff just wouldn't let 'em move forward with so basically, all of their staff had been changed and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategies, >> John: Or willingness. >> Or willingness. It was held back by people who were just concerned and wanted to stick to the old way of doing things and that has to change as well so I think you know, there's times will change and I think this is one of those times where security is one of those times where you got to push through change otherwise I mean I'm also a believer that security is a competitive advantage for an organization as well and if you stick with the past, you're not going to be able to compete in the future. >> Well, and bad user behavior will always trump good security. It was interesting to hear Jim Routh today talk about unconventional message and I was encouraged, he said, you know spoofing, we got DMARC, look alike domains, we got sink holes, display name deception, we've got, you know we can filter the incoming and then he talked about compromised accounts and he said user education and I went oh, but there's hope as an optimist so you've got technologies on the horizon to deal with that even right so you. >> I'm also concerned that the pace at which the consumer world is moving forward on security, online banking and even with Google and so forth that the new generation will come into the workforce and be just amazed how legacy the environments are right, 'cause the new generation is used to using you know, Google Cloud, Google Mail, Google everything and everything works, it's all integrated already and if they're coming to the workplace and that workplace is still using legacy technologies right, they're not going to be able to hire those people. >> Well I'll give you an example. When I went to college, I was the first generation, computer science major that didn't have to use punch cards and I was blown away like actually people did that like what, who the hell would ever do that? And so you know, I was the younger guy coming up, it was like, I was totally looking down. >> Dave: That's ridiculous. >> I would thank God I don't do that but they loved it 'cause they did it. >> I mean I've got the similar story, I was the first generation in the UK. We were the first Mac-Lab in the UK, our university had the first large Mac, Apple Macintosh Lab so when I got into the workplace and somebody put a PC in front of me, I was like hold on, where's the mouse, where's the windows, I couldn't handle it so I realized that right so I think we're at that kind of junction at the moment as well. >> We got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting, I mean you really can't say security is a profit center because you don't sell security products if you're deploying state of the art security practices but certainly it shouldn't be a cost center so we've seen on our CUBE interviews over the past year specifically, the trend amongst CCOs and practitioners is when pressed, they say kind of, I'm again generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and or the highest levels, not like a profit center but in a way, that's the word they use because if we don't do that, our ability to make a profit is there so you've brought up competitive strategy, you have to have a security and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it but the trend was to highlight that they have to break out security as a direct report as if it was a profit center because their job is so critical, they don't want to be caught in an IT blanket. Do you see that trend and your comment and reaction to that statement? >> I see that trend but I see it from a perspective of transparency so I think that taking security out of the large umbrella of IT and given its own kind of foundation, own reporting structure is all about transparency and I think that modern organizations understand now the impact a breach can have to a company. >> John: Yeah, puts you out of business. >> Right, it puts you out of business right. You lose customers and so forth so I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization and you know, one of my other comments about it being a competitive advantage, I personally think let's take the banking arena, it's so easy to move from bank A to bank B and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean you know, savings, interest rates going to be one thing and mortgage rates are going to be one thing but if all things are even. >> It's a product feature. >> It's a product feature and I think that again, the newer generation is looking for features like that, because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage but I agree with you, having more visibility for an organization is important. >> You can't make a profit unless the lights are on, the systems are running and if you have a security hack and you're not running, you can't make a profit so it's technically a profit center. Bill I believe you 100% on the competitive strategy. It certainly is going to be table stakes, it's part of the product and part of the organization's brand, everything's at stake. Big crisis, crisis of our generation, cyber security, cyber warfare for the government, for businesses as a buzz thing and business, this is the Centrify presented event underwritten by Centrify here in New York City. CyberConnect 2017, the CUBE's exclusive coverage. More after this short break. (electronic jingle)