
>> Welcome to Commvault Connections. My name is Dave Vellante, and we're going to dig into the changing security landscape and look specifically at ransomware and what steps organizations can take to better protect their data, their applications, and their people. As you know, cyber threats continue to escalate. In the past 19 months, we've seen a major shift in CSO strategies, tactics and actions as a direct result of the trend toward remote work, greater use of the cloud and the increased sophistication of cyber criminals. In particular, we've seen a much more capable, well-funded and motivated adversary than we've ever seen before. Stealthy techniques like living off the land, island hopping through the digital supply chain, self-forming malware and escalations in ransomware attacks necessitate vigilant responses. And we're super pleased today to be joined by Dave Martin, who's the global chief security officer at ADP. Dave, welcome. Good to see you.

>> Thanks for having me today.

>> It's our pleasure. Okay, let's get right into it. It's a great topic. I mean, ADP, we're talking about people's money. I mean, it doesn't get more personal and sensitive than that. Maybe healthcare, but money is right there on the priority list. But maybe you could start by telling us a bit about your role at the company, how you fit into the organization with your colleagues like the CIO, the CDO. Maybe describe that a bit if you would.

>> Yeah, absolutely. So we're somewhat unusual in both bank structure, and one of the ways is I have a very converged organization. So my responsibility extends from both the physical protection of buildings, our associates, travel safety, through fraud that we see attempted in our products, all the way through to a more traditional chief security officer role in the cyberspace. And the other thing that's a little bit unusual is rather than reporting into a technology organization, I actually report into our chief administrative officer. So my peers in that organization now are legal, compliance. So it's a great position to be in the organization, and I've had various different reports during my career. And there's always a lot of debate with my kids about where's the best place for the report. And I think they always come back to, it's not really where you report, it's about those relationships that you mentioned. So how do you actually collaborate and work with the chief data officer, the CIO, the head of product, the product organization, and how do you use that to create this kind of very dynamic Angela falls to defend against the threats we face today?

>> Yeah. Now, so let's just clarify for the audience. So when you talk about that converged structure, oftentimes, if I understand what your point is, the network team might be responsible for some of the physical security or the network security. That's all under one roof in your organization, is that correct?

>> So a lot of the controls and operations, something like firewalls, is out in the CIO organization. But the core responsibility and accountability, whether it's protecting the buildings, the data centers, the data in our applications, kind of the back office of all the services that we use to deliver value to our clients, and kind of the same things that everyone has, the ERP environments. Now, all of that, protecting those environments, rolls up to my team from an accountability and governance standpoint.

>> Got it. So, I mean, as I was saying upfront, the acceleration, we all talk about that acceleration, that compression, the forced march to digital. And that SolarWinds hack, it was like a Stuxnet moment to me, because it signaled almost this new level of escalation by cybercriminals, and that had to send a shockwave through your community. I wonder if you could talk about, at a high level, how did that impact the way that CSOs think about cyber attacks, or did it?

>> Well, I think we're very used to watching the outside world. Adversaries don't stand still, our businesses don't stand still, so we're constantly having to evolve. So it's just another call to action. How do we think about what we just saw, and then how do we realign the controls that we have, and then how do we think about our program and what we need to address?

>> Yeah. So we've seen, when we talk to other CSOs, your colleagues, they tell us we've made a big budget allocation toward endpoint security, cloud, identity access management, and obviously a focus on a flatter network. And of course, ransomware. How have you shifted priorities as a result of the last, you know, the pandemic, 19 months?

>> Yeah, definitely seeing that shift in the necessity of working from home and thinking about what tools we need to get to our associates to really make them successful, and then also keep the integrity of our data and the availability of our services in that new model. And so we've made that shift in technology and controls, reinforced a lot of things that we already had. One thing, thinking about the supply chain change that we saw out of SolarWinds: thinking about ransomware defense prior to that was very much around aligning the defenses within the perimeter of your network, within the cloud environments. And I'm really thinking about, where am I inside that environment? Where do I exchange files from? What connectivity do I have with partners and suppliers? What services do they provide to support us as an enterprise, and what's going to happen if they're not there, at a minimum? But then what happens if they have some kind of a channel that can actually drive some of this malware and spread into the network, or via some of those file transfers? Make sure we really shored up the controls in that area. But the response is actually part of that.

>> How am I going to react when I hear from even a client? We're a very customer service focused company. We want to do whatever we can to help, and the instinct of one of our frontline associates is, hey, send me that Excel file, I'll take care of it. So now we still want to help that client through, but we want to think through a little bit more before we start sharing an office file back and forth between two environments, one of which we know to be home.

>> Right. That's interesting what you're saying about the change in just focus on the perimeter to the threats, you know, within, without, et cetera, because you don't even need a high school degree or, you know, gray diploma, to be a ransomware attacker these days. You could go on the dark web, and if you're a bad person, you can hire ransomware as a service. If you have access to server credentials, you can do bad things, and hopefully you'll end up in handcuffs. But that's a legitimate threat today, which is relatively new, and the way in which people are escalating, whether it's crypto ransoms, et cetera, really does necessitate new thinking around ransomware. So I wonder if you could talk a little bit more about the layered approach that you might take, the air gapping. I'd be interested to understand where Commvault fits into the portfolio, if you will.

>> Sure. And really it's thinking about this in depth, and you're not going to be able to protect or recover everything. So really understanding, first of all, what is most important to be able to maintain service, what data do you need to protect and have available. Armed with that, now you can go through the rest of the NIST cybersecurity framework and make sure you're doing the best for prevention, for the detection and response in that area. And then it gets really interesting when we get to the recovery phase, both from a Commvault perspective and in many things, where we really want to focus on prevention, but ultimately we're likely to see a scenario, even in some small part of our environment, where some kind of attack is effective, and there we're back to that recovery step.

>> And we don't want that to be the first time we're testing those backups. We don't want it to be the first time that we figure out that those backups have been on the network the whole time and they can't be used for recovery. So partnering with everyone in the environment, it takes a village to defend against this kind of threat. Getting everyone engaged, the experts in each of these fields, to make sure that they understand this threat and how real it is, and what their role is going to be in setting up that protection and defense, and then, come that dark day that we all hope will never happen, what do you need them to be doing so that you can get back to a restoration and effective operation sooner?

>> Yeah. Hope for the best, plan for the worst. So a big part of that is education. And of course the backup corpus is an obvious target because everything's in there. But before we get into sort of the best practice around that, I wanted to ask you about your response, because one of the things that we've seen is that responses increasingly have to be stealthy, so that you don't necessarily alert the attackers that you know that they're inside. Is that sort of a new trend, and how do you approach that?

>> Yeah, I mean, it's always a balance, depending on the type of data and the type of attack, as to kind of how violent and swift. And obviously you have to be able to protect the environment, protect the integrity of the data, and then also balance against kind of tipping off the attacker, which could potentially make things worse. So it's always a conversation, depending on the different threat type, that you're going to have to go through. And it really helps to have some of those conversations up front, to have tabletops, not just at a technical level, to make sure that you're walking through the steps of a response to make it as seamless and quick and effective as possible, but also having that conversation with the leadership team and even the board around the kind of decisions they're going to have to make, and make sure that, wherever possible, you use scenarios to figure out what are some of those actions that are likely to be taken, and also empower some teams. It's really important to be able to act autonomously and quickly. You don't want to be at 2:00 AM looking for the CEO or the executive team to get them out there to make a decision. Some of these decisions need to be made very quickly and very effectively, and you can only do that with empowered, upfront, and sometimes even automated processes to do them.

>> Dave, describe what you mean by tabletops. I presume you're talking about a top-down view versus sort of being in the weeds, but add some color to that, please.

>> Yeah, definitely. It literally is getting everyone around the table. And at ADP, at least once per year, we actually get the full executive team together and challenge them with a scenario, making sure that they're working through the problem, they know what each of their roles are at the table. And I am lucky to have a fantastic leadership team. We're actually very practiced. We've done this often enough now that they really pull apart really hard problems and think about what that decision is going to mean to me. So come that dark day, if it ever does, then they're not challenged by the "never thought of that"; they understand the technical background of why they're being asked to make a decision, and the limitations of what they're responsive to may be.

>> So a lot of people and process goes into this, as is always the case, but let's talk a little bit about the tech. As I said before, the backup corpus is an obvious target. What are some of the best tech practices in terms of protecting, whether it's that backup corpus or other data, air gaps? Maybe you could give us some guidance on that front.

>> Sure. Hey, we're not going to be able to protect all our things, so focus on those favorite children is the best advice up front: think about the critical components that enable me to bring things up, easy to go focus on that critical data and that most important half that everyone in the company understands. But all that cannot even start if you don't have the foundation: the network's not up and running, your authentication. So it's good to get a focus on some elements and practice, in that technical tabletop setting, how do you go through recovering an Active Directory forest back to a known, trusted state, because that's one of the foundations you're going to need to build anything else back on. On the backup side, make sure that you don't use the same credentials that your backup administrators use every day.

>> Make sure only the smallest number of people have access to be able to control the backups, if at all possible, and Commvault and many backup solutions have it in there: make sure they're using a second factor authentication to be able to get into those systems, and also make sure that some of the backups that you have are kind of offline, air gapped, can't be touched. And then also think about the duration. We talk about the attacker being very smart and determined; they know how enterprises prepare and respond. So think about how long you're retaining them, where you're retaining some of the backups, not just incrementals, to be able to fully restore a system, basically from ban that whole from backslide.

>> And you're using Commvault software to manage some of this capability, is that right? I'm sure you have a bevy of tooling, but yeah.

>> We have a wide range of tooling.

>> And somebody, a consultant, said to me the other day, you know, Dave, I'm thinking about advising my clients that their air gap process should be air gapped. In other words, they should have it as sort of a separate, you know, remote, removed from the mainstream process, just for extra protection. And I was like, okay, that's kind of interesting, but at the same time, then do they have the knowledge to get back to, you know, a low RPO state? What do you think about that?

>> So the challenge of any kind of recovery and control design is making sure that you're not making things overly complex and introducing other issues, and also other exposures: you're moving out of your normal control environment, where you have a 24 by 7, 365 set of monitoring. The more creative you get, you are in danger of having control erosion and visibility into that other state. But it is really important to think about, even at the communication level, in this kind of attack you may not be able to rely on email, kind of Teams, all the common services you have. So how are you actually going to communicate with this village it's going to take to recover, to be able to work through the process? So that's definitely an area that I would advocate for having offline capabilities, to be able to have people react, gather, respond, plan, and control the recovery, even though the main enterprise may not be currently functioning.

>> I wonder if I could pick your brain on another topic, which is, you know, zero trust. Prior to the pandemic, a lot of times people would roll their eyes, like it's a buzzword. But it's kind of become a mandate, where people are now talking about, you know, eliminating credentials, talking about converging identity access management and governance and privileged access management. I mean, what are some of the sea changes you see around so-called zero trust?

>> Yeah. I think zero trust has become that call-to-action buzzword, but the concepts that are embodied in the zero trust journey are ones that have been around forever: least privilege. And it's how we think about that. You can't go buy a product and say, I'm just implementing zero trust. How do you think strategically about where you take your starting point and then go on this journey to increase the various tools that start to limit, improve the segmentation, not only from a network standpoint, from a service standpoint, from an identity standpoint, and make sure you're embracing concepts like persona, so that you start to break up the... you may not get to zero trust anytime soon, but you're able to get less and less trust in that model, and to think about it in many different worlds.

>> Think about your product access, if you're a service provider company like we are, as well as the internal employee context. So there's many elements; it's a complex journey. It's not something you're going to buy off the shelf and go implement, but it's one that you're going to have to, again, partner with those other stakeholders that you have, because there's user experience and client experience components of this journey, some of which are actually quite positive. You mentioned passwordless as one of those components in the journey. Certainly something that actually has a better user experience and also can offer better security and freedom from the traditional passwords that you've come to love to hate.

>> Dave, I know you're tight on time. I got two more questions for you. One is, what is the CSO's number one challenge?

>> Wow. That's getting enough sleep now. And then it's just staying current with that business environment, that threat environment and the available tool sets, and making sure that we're constantly working with those partners that we keep describing to chart that course to the future. So that we're... this is a race that doesn't have a finish line. The marathon gets a little bit longer every year, and bringing my peers on and making them understand. It's easy to get fatigued and say, ah, don't worry, tell me what I've done when we finish this initiative. It's just keeping everyone's energy up and focus on a very long then.

>> One add-on to that question, if I may, is many organizations lack the talent to be able to do that. You may not, you may have a firmer, but the industry as a whole really lacks the skills and the talent, and really that's why they're looking to automation. How acute do you see that talent shortage?

>> It's definitely there. And I think it's important to realize that, back to that village concept, everybody has a play here. So what is a smaller available talent pool in the security industry is, we've really got to be that call to action. We've got to explain why this is important. We've got to be the consultants that have lead brew what changes are we going to need to make to be successful. It's tempting to say, oh, they'll never do that, and we've got to do it ourselves. We will never be successful just being the security team that tries to do everything. It's bringing everyone along for the journey. And part of that is just going to be this constant socialization and education of what they need to do and why it's so important. And then you really will build a great partnership.

>> My last question. I've kind of been keeping a list of Dave's best practices. Obviously, the layered approach, you want to get to that NIST framework. There's a lot of education involved. You've got to partner with your colleagues, the tabletops, executive visibility so everybody knows what their role is, kind of the "do your job". You've got to build zero trust; you can't just buy zero trust off the shelf. So that is my kind of quick list. Am I missing anything?

>> I think that's pretty good. And then it's just that partnership. This is a tiring, hard thing to do, and just bringing everyone along, they can help you do so much, especially if you explain to them how it's going to make that product better, how it's going to make that client experience better, what it's going to mean for the CIO, the internal associate experience, that this isn't just a Byron adding friction into an already challenging environment.

>> You know, like frontline healthcare workers, the SecOps pros are heroes. Day to day, you don't necessarily hear a lot about the work they're doing, but Dave, we really appreciate you coming on and sharing some of the best practices. And thank you for the great work that you guys are doing out there, and best of luck. Thanks, the exchange has been a pleasure. All right. And thank you for watching, everybody. This is Dave Vellante for theCUBE. Keep it right there.

Published Date : Oct 20 2021



Dave Martin, Open Systems | CUBEConversations, August 2019


 

(upbeat music) >> Announcer: From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. >> Hello, everyone. Welcome to this CUBE Conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE. We're here with David Martin who's the senior director, project management threat response at Open Systems. Dave, thanks for coming in. >> Thanks, John, very much for having me. >> So we were talking before we came on camera. We've both been around the industry for a while, seen a lot of different waves of innovation. Security is the top one. We're seeing it being a really important, not just part of IT, and we want to get into a deep dive on the complexities or on the security architecture versus cloud architecture. And it's just not another IT, so I want to dig deep with you. Before we start, talk about your product. You're the senior director product management. You get the keys to the kingdom. You're working on the positioning, the next generation. Take a minute to just to talk about the product. >> Sure, happy to share the product. Starting point is Open Systems in general. We're a global provider of secure SD-WAN, and essentially we deliver that as a service. So we deliver the connectivity and all of the security that you need to make sure you can conduct business reliably and safely. I'm personally responsible for some of our managed services, managed continuous monitoring services, and essentially what we're doing is looking for advanced threats that have bypassed whatever a company's existing security controls are in an effort to identify those and then ultimately contain them. >> We were at the Amazon Web Services first cloud security conference, Re:Inforce, and it was interesting 'cause it wasn't like your traditional industry event like RSA, Black Hat or DEF CON. It was really more of a cloud security, so it was really more of the folks thinking about the impact of cloud and what that means. 
So cloud certainly is relevant. It's expanding capabilities with application. The on-premises piece really is the hybrid. And obviously, every company pretty much has multiple clouds, that's multi-cloud. But hybrid really is the top conversation. It's been really kind of on the table since 2013 timeframe, but now more than ever it's actually part of the operational thinking around architecting next generation infrastructure systems. >> Yes. >> How does security fit into those two things? Because you've got to have the on-premise operational model. You've got to have the cloud operational model. They've got to be seamless through working together. How does security fit within cloud and hybrid from you guys' perspective? >> That's a great question, and certainly introducing the cloud into the equation adds complexity to the overall issue. And as you've highlighted, companies are now operating in a hybrid mode. They have assets on-premise. They have assets in the cloud, and security teams, certainly over the course of time, as this business transformation has happened, had to rethink how are we going to approach and secure these assets correctly. And it is non-trivial, and the key is that you want to get telemetry from all your potential attack surfaces. And you want to be thoughtful about how you're pulling in this data. This is a mistake that we unfortunately see a lot of customers making which is in a rush to provide visibility, they just aggregate and accept all log data from all different sources without much thought into what is the security-relevant data there, and what are my default rule sets going to be? How am I going to use this data in a threat-detection kind of a capacity? And these are kind of the typical pitfalls that a lot of companies make, but to kind of bring it back to your point-- >> Hold on, I just want to get that one point. They take in too much data, or they're just ingesting way too much? Is that the issue? 
>> It's not necessarily the volume. It's more about the quality of what they're getting, and a lot of the vendors, there's a product many interviewers will see, SSIM, essentially is a log collector, and security teams use this piece of software to try and identify threats. And of course for compliance and other reasons, a common thing to do is just throw data at the SSIM so you could start collecting it. And that makes sense if you're just trying to store data, but when you're trying to actually figure out has someone infiltrated my network, that really a nightmare because you're sort of inundated. And you've heard terms like the work fatigue and so on, and this is what happens. And so we have a practice that we're essentially when you bring in and ingest a log source, do some upfront work about that log source and how are you going to use the data. What are the relevant fields that you're going to parse out and index on? And have a purpose for doing that versus just sort of throwing it out there. >> Yeah, I mean data quality and data cleaning and going into a pile of data versus a front-end kind of vetting process, being intelligent about it. >> That's right, that's right. Yeah, and it's a tough thing, right, because all the vendors in that space, they want you to use the tool. Enterprises have made this investment. But we find that a lot of companies aren't getting the value out of some of their security tools because it's sort of a broader design. What is the architecture of the detection we're going to use to cover our potential attack surfaces? >> Yeah, that comes up a lot in our data science conversations, and you hear correlation versus causation. A lot of data science naturally love correlation. They love the data. They get knee-deep in the data. But then they can correlate, but they might not be understanding actually what's going on. 
This is highlighted with threat response because the acute nature of what a threat means to the business is not just knowing how to have the right ad serve up or some sort of retail sales proposition. Threat detection and threat response is super critical to the business because if you miss it, there's some consequences and you eventually go out of business. So that's really kind of a key focus. How do you guys do that? How do you work with customers? Because that's the core issue, how do I get the best data, the fastest way in? How do I identify the threats first and fast? >> Yeah, I think you're on an incredibly important point which is as an industry, we have to ask ourselves why do damaging breaches continue to happen despite best efforts, right? There's very knowledge, talented people. There's a lot of money being spent. There's over $100 billion per year as an industry spent on security and security-related software, and yet these damaging breaches continue to occur. And I think a big challenge, a big reason for this is that as an industry we've pursued a technology-driven security model. And for years, we've sort of had the idea that if we purchased the latest anti-virus or the latest IDS or web proxy or now we're starting to shift into ML and AI and sort of more higher-level things that we'll be protected. That was sort of the idea and the promise. And I think that in general, people are realizing that that is a failed model, and that really, the best way to minimize risk is to combine those types of technology with continuous monitoring. And obviously we're in that business. We monitor people's networks. But there are many companies that do that, and security's a very complex system that doesn't have a feedback loop without continuous monitoring. And just like in life, any complex system should have a feedback loop to have it operating properly. >> Well, let's talk about that complex system. 
So I want to spend the next couple minutes with you talking about the security architecture versus cloud architecture. We cover a lot of experts talking about cloud architecture. Here's how you architect for cloud. Here's how you architect for hybrid and so on. And it's super important. You've got the data layer. You've got to understand how data moves, when to move compute versus data, all kinds of things that are factoring in. Essentially, it's like an operating system kind of design. So it's distributed computing, and everyone kind of knows that that's in the business. But when you add in security as now the key driver, security architecture might supersede cloud architecture and/or distributed architecture. So I've got to ask you, if security is a complex system and not just an IT purchase, what is the customer's ideal configuration? How do they either replatform or course correct what they're currently doing? What's your thoughts on that?

>> Sure.

>> Well, do you agree that it's a complex system? It's not just another IT procurement.

>> Absolutely, I think it's a great way to say that, and that really is the way that sort of forward-thinking companies think about minimizing risk: they look at it exactly as you characterized it. And I think the key is to essentially look at your individual technology. Today they're in silos, largely, and you need continuous monitoring to kind of pool all of that data that you're getting together and then use that to adjust policy. And you need to do that continually over time. I like to say security's a journey, not a destination, right? You're sort of never done if you're doing it well, because threat actors evolve their techniques and the detection needs to evolve, too, right along with that. And so getting into those practices is a good practice to minimize your risk.

>> And CISOs are now being established, either working directly peering with the CIO or for the CIO or vice versa.
They're becoming more prominent, so the role of security, I'll say agree, it's always on. It's never off 'cause it's never going to stop. But the question is how do you implement that, because if I have continuous monitoring, which I see as clearly valuable, do I have one firm for that? Can I have multiple firms for that? And then of the tools, if I'm the CISO, I'm probably trying to downshift into only a handful, not dozens of companies.

>> No, you're absolutely right.

>> Shrinkage, better monitoring, it's the trend. What's your response?

>> Yeah, no, you're absolutely right. I think there have been studies that have shown the average large enterprise has about 32 security vendors that they have to deal with. And so certainly from a CISO perspective, a lot of the ones that I speak to are in the mode where they're trying to consolidate and simplify that landscape 'cause it just makes things a lot easier. But I think in terms of the cloud and that whole piece, I'll give you one practical example. All these cloud vendors have APIs, administrative APIs, and certainly you can monitor who's accessing the cloud. But you can also deduce things from these APIs. You can look for signs that the infrastructure may have been compromised: instances stopping and starting, certificates that have been uploaded. So even though you may not have complete visibility, and by the way, it's getting better. All three major infrastructure-as-a-service providers are starting to provide access to packet data, which is helpful in this context. But even just looking at it from the outside, the administrative layer, there are things, abnormal behaviors with the way that infrastructure's working, that you can use to indicate that yeah, there might be an issue here. And then you'll want to go and use other data to figure that out, for sure.

>> You've got to really dig into it, and so again, on the technology side, you guys had success with a product. You guys are not a new company.
You've been around for decades. Great reviews on the product side, so congratulations.

>> David: Thank you.

>> What makes the product so successful? What are some of the notable highlights? Can you share the most successful pieces of the products? Why are people liking it so much?

>> Sure, sure, well, I mean all of the reasons why people look to outsource things, certainly we provide the value, less cost, more responsive. But I think what's unique about what we do is our delivery model. There's a very popular DevOps sort of model in fashion these days where essentially you have developers and QA people testing together, and there's various definitions. But from a network operations perspective, the people that run our network and our SOC are the developers. They're the ones writing and optimizing our platform. And so when there are issues, customers talk to knowledgeable people about that. It's not a traditional call center model. And then the other thing from a threat detection perspective is we're working on a model where we have essentially security analysts responsible for some number of customers. And they get to know that environment really well. And that really informs the quality of the threat detection, because the better you know the environment that you're monitoring, the better the accuracy of the threat detection's going to be. And as an outsource provider, a lot of companies don't do this. It's an expensive thing to do, but it does result in a better product. So that's one thing to focus on.

>> Awesome, I want to ask you, Dave, about AI. I'm a huge fan of AI, love it because unlike IoT, which I love that too 'cause it's an exciting area, my kids aren't talking about IoT at the dinner table, but AI, the young people are getting energized and really it's attracting a lot of people to the computer industry, which I think is awesome. But also, AI is not really as big as people think it is. Certainly, it's going to be important.
AI's machine learning with some bells and whistles. But most people say, "I'll just throw AI at the problem." AI is not that advanced yet, I mean, what AI really, truly can become. So I want to get your thoughts around that classic, knee-jerk response that a customer might get fed from a supplier. "Hey, we have AI Ops, so we're an AI-driven company." What the hell does that even mean? I mean, why is it important, and where does it really matter? Where are people using technology that is going to be a road map for AI? Is it machine learning? How do you guys see that customer equation? What's the snake oil pitch from others? What's real, what's not?

>> Sure, yeah, I often tell customers that I wouldn't want to be in their shoes 'cause it's very confusing. All the vendors throw around the terms ML and AI with the promise that it's going to cure all problems. And it's really difficult to tell the value that you're going to get from those technologies. And so I'll share with you my perspective on that, which is that certainly there's a legitimate technology there, but I think we are in this kind of hype cycle where there's an overpromise of what it can deliver. And in a security context, I think techniques like machine learning and AI can be used to reduce noise and amplify signal. And I think the mistake a lot of people make is let's take the human out of the equation here. And I have to tell you that the human is fantastic in the little gray areas that threat actors love to exploit. Looking and saying this doesn't look quite right to me because I know this environment and this is not usually here. And you'd get that by working with the data, but in order to position yourself for success on that, you have to use sort of this technology you're highlighting to take care of the commodity kind of things that would otherwise create it.

>> So augment, do the non-differentiated stuff. It's like heavy lifting that you want to assist the human.
>> You want to assist the human in the process. That's exactly right.

>> That's not replacement of the human.

>> That's right, and I think a lot of companies go wrong thinking that AI can replace this wholly. And maybe there's some very specific applications where that's true, but in general where you're managing very large, diverse environments, you need to use these types of technologies to, again, reduce noise and amplify the signal for the human part of it.

>> One of the things we've been riffing on theCUBE, certainly we can talk about it on another topic on another time, is that this whole movement of using machine learning and the AI infrastructure that's developing really fast, which is really exciting, is that's going to create a whole new creative class within IT and security where the creativity of the human becomes the intellectual property for the opportunity.

>> Dave: Absolutely.

>> Do you see that?

>> I do, I think that's fair. I mean, I think we're kind of early on in the development cycle of these types of technologies, and they show a lot of promise. And it's the classic don't overindex on it. And again, even in the security context, you have a lot of SIEM vendors now essentially adding analytics modules and AI. And, again, these can be helpful, but don't count on them to solve all the problems. They need to be rationalized and purposeful.

>> Well, certainly security is really growing from a discipline within an enterprise to a much more holistic feel, the aperture, whether it's management, the technology experts and practitioners, it's expanding rapidly.

>> David: Yeah.

>> David, thanks so much for coming on theCUBE. Dave Martin, senior director product management threat response at Open Systems, breaking down their opportunity in security and talking about some of the trends here on theCUBE, CUBE Conversation. I'm John Furrier, thanks for watching. (upbeat music)
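The point made in the interview about deducing compromise from a cloud provider's administrative API (instances stopping and starting, certificates being uploaded, activity from unusual places) can be turned into concrete detection logic with a per-principal baseline. The following is an added example written for this page, not code from the interview or from Open Systems. The newline-delimited event schema, the principal names, the IP baselines and the thresholds are all constructed for illustration; a real deployment would feed the same logic from the provider's audit log export and learn the baseline from weeks of history.

```python
"""Baseline-and-deviation checks over cloud administrative API audit events.

Added example. The event format below is a constructed, CloudTrail-like
shape (field names are assumptions for this example, not a vendor schema).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: a normal business-day sequence followed by
# an early-morning burst of instance lifecycle calls and a certificate upload
# from an address and a principal that never did this before.
SAMPLE_EVENTS = """
{"time":"2019-08-20T09:12:00Z","principal":"ops-admin","action":"StartInstances","source_ip":"203.0.113.10"}
{"time":"2019-08-20T09:13:00Z","principal":"ops-admin","action":"StopInstances","source_ip":"203.0.113.10"}
{"time":"2019-08-20T10:01:00Z","principal":"ci-deployer","action":"UploadServerCertificate","source_ip":"203.0.113.20"}
{"time":"2019-08-21T02:30:00Z","principal":"ops-admin","action":"StopInstances","source_ip":"198.51.100.7"}
{"time":"2019-08-21T02:31:00Z","principal":"ops-admin","action":"StopInstances","source_ip":"198.51.100.7"}
{"time":"2019-08-21T02:32:00Z","principal":"ops-admin","action":"StopInstances","source_ip":"198.51.100.7"}
{"time":"2019-08-21T02:33:00Z","principal":"ops-admin","action":"StartInstances","source_ip":"198.51.100.7"}
{"time":"2019-08-21T02:40:00Z","principal":"svc-backup","action":"UploadServerCertificate","source_ip":"198.51.100.7"}
"""

# Constructed baseline (assumption): the source addresses each admin principal
# normally uses, and which principals are expected to manage TLS certificates.
KNOWN_SOURCES = {
    "ops-admin": {"203.0.113.10"},
    "ci-deployer": {"203.0.113.20"},
    "svc-backup": {"203.0.113.30"},
}
CERT_MANAGERS = {"ci-deployer"}
BUSINESS_HOURS_UTC = range(7, 19)           # 07:00 to 18:59 UTC
LIFECYCLE_ACTIONS = {"StartInstances", "StopInstances", "TerminateInstances"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3                         # lifecycle calls per principal per window


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def analyze(events):
    """Return one alert dict per rule hit; rules are independent of each other."""
    alerts = []
    recent = defaultdict(list)   # principal -> lifecycle timestamps inside the window
    for ev in events:
        p, a, t, ip = ev["principal"], ev["action"], ev["time"], ev["source_ip"]
        if ip not in KNOWN_SOURCES.get(p, set()):
            alerts.append({"rule": "unknown_source_ip", "principal": p, "time": t, "detail": ip})
        if a == "UploadServerCertificate" and p not in CERT_MANAGERS:
            alerts.append({"rule": "unexpected_cert_upload", "principal": p, "time": t, "detail": a})
        if t.hour not in BUSINESS_HOURS_UTC:
            alerts.append({"rule": "out_of_hours_admin_action", "principal": p, "time": t, "detail": a})
        if a in LIFECYCLE_ACTIONS:
            window = [x for x in recent[p] if t - x <= BURST_WINDOW]
            window.append(t)
            recent[p] = window
            if len(window) == BURST_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({"rule": "lifecycle_burst", "principal": p, "time": t,
                               "detail": f"{len(window)} calls in {BURST_WINDOW}"})
    return alerts


def rule_counts(alerts):
    """Number of alerts per rule name."""
    counts = defaultdict(int)
    for al in alerts:
        counts[al["rule"]] += 1
    return dict(counts)


def summarize(alerts):
    """Collapse raw alerts into one line per (principal, rule) with a count and
    time span, which is what an analyst wants to read instead of every hit."""
    groups = {}
    for al in alerts:
        key = (al["principal"], al["rule"])
        g = groups.setdefault(key, {"count": 0, "first": al["time"], "last": al["time"]})
        g["count"] += 1
        g["first"] = min(g["first"], al["time"])
        g["last"] = max(g["last"], al["time"])
    return groups


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_EVENTS))
    for (principal, rule), g in sorted(summarize(found).items()):
        print(f"{principal:12} {rule:26} x{g['count']}  {g['first']:%H:%M} - {g['last']:%H:%M}")
```

Each rule is deliberately simple and independent; the value comes from the correlation in `summarize`, where several weak signals (new source address, out-of-hours activity, a stop/start burst, a certificate upload by a principal that never uploads certificates) line up on the same principal and time span. That grouped view is the "reduce noise, amplify signal" step the interview describes, and the grouped entry is the thing a human analyst then pulls packet or host data to confirm.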

Published Date : Aug 21 2019

