
TK Keanini, Cisco | Cisco Live EU 2019

>> Live from Barcelona, Spain. It's theCUBE, covering Cisco Live Europe. Brought to you by Cisco and its ecosystem partners.

>> Welcome back to sunny Barcelona, everybody. You're watching theCUBE, the leader in live tech coverage. We go out to the events, we extract the signal from the noise. This is our third day of coverage at Cisco Live Barcelona. Dave Vellante, John Furrier, and Stu Miniman are here all week. John, we've been covering this show wall to wall. TK Keanini is here. He is a distinguished engineer and product line CTO for Cisco Analytics. Welcome to theCUBE. Good to see you again. Welcome back to theCUBE, I should say.

>> Thank you very much.

>> So tell us about your role. You're focused right now on malware and encryption. We want to get into that, but set it up with your role first.

>> Well, I'm trying to raise the cost to the bad guys of hiding in your network. Basically it's an economics thing, because there's a lot of places for them to hide, and they are innovating just as much as we are. So if I can make it more expensive for them to hide and operate, then I'm doing my job. And that means not only using techniques of the past but developing new techniques. Like I said, it's really unlike a regular job. I'm not waiting for the hard drive to fail or a power supply to fail. I have an active adversary that's smart and well funded. So if I ship some innovation, I force them to innovate, and vice versa.

>> So you're trying to reduce their ROI and incentives.

>> I want to make it too expensive for them to do business.

>> So what's the strategy there? Because it's an arms race. Obviously you want to win, white hat over black hat, and continue to do that. Is it decentralized to create more segments? What are the current strategies that you see to make it more complex or less economically viable to just throw resources at a port or whatever?

>> There are sort of two dimensions that are driving change. One, they're trying to make a buck, okay? We saw the ransomware stuff, we saw things that they did to extract money from a victim. Their latest thing now is they've realized that ransomware wasn't a recurring revenue stream for them, right? So what's called cryptojacking is where they essentially have taken the cost structure out of doing crypto mining. When you do crypto mining, you'll make a nickel, maybe ten cents, maybe even twenty cents a day, just doing this mathematical mining, solving these puzzles. And if you had to do that on your own computer, you'd suck up all this electricity; you'd have some cost structure, right, and less of a margin. But if you go and breach a thousand computers, maybe ten thousand, maybe one hundred thousand, guess what? Not only are you hiding, but today you make a nickel, tomorrow you make another nickel. So if you go to the Threat Wall here, you'd be surprised at the crypto mining activity taking place here, and nobody knows about it. We have it up on the Threat Wall because we can detect its behavior. We can't see the actual payload, because it's all encrypted. But we have techniques now, advanced analytics, by which we can call out its unique behaviour very distinctly.

>> Okay, so you're attacking this problem with data and analytics. Is that right? That's one of the ingredients of your defense?

>> Yeah. I mean, there's sort of a three-layer cake there. First, I always say all telemetry is data, but not all data is telemetry, all right? So when you go about looking at an observational domain, you know, in humans we have sight, we have hearing; these are just like the network or the endpoint. And there's telemetry coming out of that, hopefully from the network itself, okay, because it's the most pervasive. And so you have this telemetry telling you something about the good guys and the bad guys, and you perform synthesis and analytics, and then you have an analytical outcome. So that's sort of the three-layer cake: telemetry, analytics, analytical outcome. And what matters to you and me is really the outcome, right? In this case, detecting malicious activity without doing decryption.

>> You mentioned observation. Love this. We've been talking on theCUBE in the past about observation space. Having an observation space is critical, because people don't write "bomb" on a manifest and ship it. They hide it. It's hidden in the network, even where they hide, but also in the metadata. You have to kind of extract that out. That's kind of where you get into the analytics. How does that observation space get set up? Is someone creating an observation space? Are they sharing the space, public and private? This becomes kind of almost internet infrastructure. Sounds familiar, a network opportunity?

>> Yeah. The other driver of change is just that infrastructure is changing, okay? In the past, go back twenty years, you had to rent some real estate. You had to put up some racks, some air conditioning, and you were running on raw iron. Then the hypervisors came. Okay, well, I need another observation, I need eyes and ears on this hypervisor. You've got Kubernetes now. You've got hybrid cloud. You even have serverless computing, right? These are all things I need eyes and ears on now, where traditional methods don't get me there. So again, being able to respect the fact that there are multiple environments that my digital business thrives on, and it's not just the traditional stuff. There's the new stuff that we need to invent ways by which to get the telemetry and get the analytical outcome.

>> Talk about this dynamic, because we're seeing this. I think we were both talking before we came on camera; we all got our kind of CS degrees in the eighties. But if you look at the decomposition of building blocks with APIs and clouds, it's now a lot of moving, disparate parts, for good reasons, but also now, to your point, about having eyes and ears on these components. They're all from different vendors, different clouds. Multi-cloud creates more opportunities, but yet more complexity. Software abstractions will help manage that. Now you have almost like an operating system concept around it. How are you guys looking at this? Obviously the intent-based networking and HyperFlex Anywhere. You're seeing that vision of data being critical, observation space, et cetera. But if you think about it holistically, the network is the computer, as Scott McNealy once said. Last week, when we were... this is actually happening. So it's not just cloud A or cloud B and on-premise and edge, it's the totality of the system. This is what's happening.

>> It's absolutely a reality, and the sooner you embrace that, the better. Because when the bad guys embrace it first, you have problems, right? And you look at even how they scale techniques: they use the cloud first, okay, you know, they're innovative. And when you look at a cloud, we mentioned the eyes and ears, right? In the past, you had eyes and ears on a body you own. You're trying to put eyes and ears on a body you don't own anymore. This is public cloud, right? So again, the reality is these businesses are somewhere on the journey, right? And the journey goes traditional, hypervisor, and then ultimately hybrid multi-cloud.

>> So the cost issue comes back into play with everything SaaS and cloud. You start a company in the cloud versus standing up your own tech. We see the startup wave from a state-sponsored terrorist organization. It's easy for me to start a threat. So this lowers the cost of a threat. That lowers the IQ you need to be a hacker. So making it harder also helps. This is kind of where you're going. Explain this dynamic, because it's easy to start threats, throw some code at something. I could be in a bedroom anywhere in the world, or I could be a group that gets free, open source tools sent to me by a state and acts on behalf of China, Russia...

>> Of course, of course. Software is software, infrastructure is infrastructure, right? It's the same for the bad guys and the good guys. That's sort of the good news and the bad news. And you look at the way they scale, the techniques they use; all of these things are valid, no matter what side of the line you sit on, right? Math is still math. And again, I just have maybe a fascination for how quickly they innovate, how quickly they ship code, how quickly they scale. These botnets are massive, right? If you look at a botnet, you're looking at a very cloud-like infrastructure system that expands and contracts.

>> So let's talk a little more about scale. You've got way more good guys on the network than bad guys. First of all, most are trying to do good, and you need more good guys to fight the bad guys. Do things like infrastructure as code and DevOps help the good guys scale? And how so?

>> It does. Are you familiar with the concept called the OODA loop? It was invented by a gentleman, Colonel John Boyd, who was a jet fighter pilot. He taught other jet fighter pilots tactics, and he invented this thing called the OODA loop: observe, orient, decide, act, all right? And the quicker you can spin your OODA loop, the more disoriented your adversary is. And so speed matters, okay? If you can observe, orient, decide, act faster than your adversary, you create almost a knowledge margin by which they're disoriented. And the speed of DevOps has really brought this to defenders. They can essentially push code and reorient themselves in a cycle that's frankly too small of a window for the adversary to even get their bearings. And so speed does matter.

>> This is changing the conditions of the test, if you will, altering the environment. Of course, that is a strategy, whether it's segmenting networks, making things harder to get at. So in a way, complexity is better for security, because it's more complex, it costs more to penetrate. Complex to whom? To the adversary. Versus the machine with one very central database: just hack in, get all the jewels.

>> That's right.

>> That's right. And again, I think that all of this new technology, and, as you mentioned, new processes around these technologies, is really changing the game. The things that are very deterministic, very static, very slow moving, those things just become easy targets, low-cost targets, if you will.

>> Talk about the innovation that you guys are doing around encryption, detecting malware over encrypted traffic. The average person thinks, oh, encrypted traffic is totally secure. But you guys have a method to figure out malware behavior over encrypted traffic, which means the payload can't be penetrated, or it's not penetrated. So you're right, we don't know what's in there, but through the network traffic... explain what you're working on.

>> Yeah. The paradox begins with the fact that everybody's using networks now. Everything, even your thermostat; probably your tea kettle is crossing a network somewhere. And in that reality, that transmission should be secure. So the good news is I no longer have to complain as much about looking at somebody's business and saying, why would you operate in the clear? Okay, now I say, oh my God, your business is about ninety percent dark. Okay, when I talked about technology working well for everyone, it works just as well for the bad guys. So I'm not going to tell this business anymore, start operating in the clear so I can inspect for malicious activity. No, we have to now infer malicious activity from behavior, because the direct inspection is no longer available. So we came up with a technique called Encrypted Traffic Analytics. And again, we could have done it just in a product. But what we did that was clever was we went to the Enterprise Networking Group and said, if I could get new telemetry, I can give you this analytical outcome, okay? That'll allow us to detect malicious activity without doing decryption. And so the network as a sensor, the routers and switches, all of those things are sending me this rich telemetry by which I can infer this malicious activity without doing any decryption.

>> So payload and network are two separate things, conceptually, because you don't need to look at the payload, just the network.

>> Yeah. I mean, if you want to think about it this way, all encrypted traffic starts out unencrypted, okay? It's a very small percentage, but everything in that start-up is visible. So we have the routers and switches sending us that metadata. Then we do something clever. I call it, instead of having direct observation, I need an observational derivative, okay? I need to see its shape and size over time. So at minute five, minute fifteen, minute thirty, I can see its timing, and I can model on that timing. And this is where machine learning comes in, because it's a science. Its day has come for behavioral science. So I can train on all this data and say, if this malware looks like this at minute five, minute ten, minute fifteen, then if I see that exact behavior, mathematically precise behaviour, on your network, I can infer that's the same malware.

>> Okay. And your ability, you mentioned, you don't have to decrypt; that gives you more protection, obviously, you're not exposed, but also presumably better performance. Is that right, or is that not affected?

>> A lot better performance. The cryptographic protocols themselves are becoming more and more opaque. TLS, which is one of the protocols used to encrypt all of the web traffic, for instance, just went through a massive revision from 1.2 to version 1.3. It is faster, it is stronger, it's just better. But there are fewer visible fields now in the header. So there's a term being thrown around called dark data, and it's getting darker for everyone.

>> So, looking at the envelope, looking at the network, in fact, this is the key thing. The value of the network is now more important than ever. Explain why.

>> Well, it connects everything, right, and there are more things getting connected. And so, as you build, you can reach more customers, you can operate more efficiently, you can bring down your operational costs. There are so many benefits.

>> APIs also add more connection points as well, integration. It's Metcalfe's law with a third dimension, that dimension being data value.

>> Connectivity. I mean, the message itself is growing exponentially, right? So that's just incredibly exciting.

>> Super awesome topic. Looking forward to continuing this conversation. Super important, cool and relevant and more impactful, a lot more action happening. Okay, thanks for sharing that. Great. It's so great to have you on theCUBE.

>> Right, everybody, we'll be back to wrap Day three from Cisco Live Barcelona. You're watching theCUBE. Stay right there.

Published Date : Jan 31 2019

