Snehal Antani CEO Perspective
(upbeat music)
>> Hello everyone, welcome back to our special presentation with theCUBE and Horizon3.ai. I'm John Furrier, host of theCUBE, here in Palo Alto with the CEO and co-founder of Horizon3, Snehal Antani, who's here with me to talk about the big news. We've been talking about your global expansion; congratulations on the growth, and international, and just overall success of what looks to be a very high margin, relevant business in the security space.
>> Yeah, thank you John. Very excited to be here, and especially this focus on partners, because partners in cyber security have such an important role, and we've built a company that enables partners to grow with us.
>> We had a chance to talk to some of your staff and some of the people in the industry around the channel. I mean the old school technology vendors would go in, build channels, and distributed resellers, VARs, value added resellers, value added businesses, all kinds of different ways to serve customers indirectly. And then you got the direct sales force. You guys seem to have a perfect product for a hard, profitable market where channels are starved for solutions in the security space. What did you guys find as you guys launched this? What was some of the feedback? What was some of the reasoning behind- obviously indirect sales helps your margins, you enable MSPs to sell for you, but what was the epiphany?
>> So when you think about the telecommunications industry back in the two thousands, we always talked about the last mile in Telco, right? It was easy to get fiber run to the neighborhood, but the last mile from the neighborhood to the house was very difficult. So what we found during Covid was, this was especially true in cybersecurity, because in Covid you've got individuals that need security capabilities, whether they are IT directors barely treading water, or CSOs, and so on. And they needed these trusted relationships to decide what security technologies to use, how to improve their posture. And they're not going to go to just some website to learn. They've got years of relationships built with those regional partners, those regional resellers, MSSPs, MSPs, IT consulting shops. So what we did over the past two years was embrace this idea that regional partners are the last mile of cybersecurity. So how do we build a product and a business model that enables those last-mile channel partners to make even more revenue using us to underpin their offerings and services, and get them to take advantage of the trust that they've built over many hard years, and use that trust to not only improve the posture of their customers but have Horizon3 become a force enabler along the way.
>> Yeah, it's interesting. You have that pre-built channel makeup, but also new opportunities for people to bring security, 'cause you guys have the NodeZero capability. 'Cause pen testing is only one of the things you guys are starting to do now. And everyone knows, we've talked about this on our previous interviews, it's hard. People have, y'know, all kinds of AppSec review, application reviews, all the time. And if you're doing cloud native you're constantly pushing new code. So the need for a pen test is kind of a continuous thing. Okay, so I get that. The other thing that I found out on the interviews was, and I want to get your reaction to this, is that there's an existing channel of pen testers that are high IQ, high paid services. So it almost feels like you guys have created kind of like a way to automate some of the basic stuff but still enable the existing folks out there doing this work. I won't say it was below their pay grade, but a lot of it was kind of, y'know, remedial things. Explain and react to that, because I think that's a key nuance point to this expansion.
>> Yeah, so the key thing is how do you run a security test at scale? So if you are a human pen tester, maybe in a couple of weeks you could pen test 5,000 hosts. If you're really good, maybe 10,000 hosts. But when you've got a large manufacturer or a bank that's got hundreds of thousands or millions of hosts, there's no way a human's going to be able to do that. So for the really large shops, what we've found is this idea of human-machine teaming, where you run us to run infrastructure testing at scale: we'll conduct reconnaissance, we'll do exploitation at scale, we'll find all the juicy, interesting stuff. And then that frees up the time for the human to focus on the stuff humans are gifted at. And there's this joke that "Let us focus on all the things that we'll test at scale, so the human can focus on the problems that get them to speak at DEFCON," and let them focus on the really hard, interesting, juicy stuff while we are executing tests. And at a large scale that's important, but also think about Europe. In Germany there are less than 600 certified pen testers for the entire country; in Norway I think there's less than 85; in Estonia there's less than 20. There's just not enough supply of certified testers to be able to effectively meet the demand.
>> It's interesting, whenever you see these inflection points in industries there's always a 10x multiple or some multiple inflection point that kicks up the growth. Google pioneered site reliability engineers; you're seeing it now in cloud native with containers and Kubernetes. Writing scripts is now going to be more about architecture, operating large scale systems. So instead of being a pen tester they're now a pen architect.
>> Yeah, well in many ways it's a security by design philosophy, which is, I would rather verify my architecture up front, verify my security posture up front, and not wait for the bad guys to show up to poke holes in my environment. And then even economically, the way we design the product, most of our users are not pen testers, they're actually IT admins, network engineers, people with the CISSP type certification, and we give them superpowers. And, back to 10x, for every one certified ethical hacker there are 10 to 20 certified CISSPs. So even the entire experience was designed around those types of security practitioners and network engineers versus the very exquisite pen test types.
>> Yeah, it's a great market opportunity. I think this is going to be a big kind of an example of how scale works. So congratulations. Couple questions I had for you for this announcement: what are some of the obstacles that you see organizations facing that the channel partners can participate in? 'Cause again, more feet on the street, I get the expansion, but what problems are they solving?
>> Yeah, when you think about, back when I was a CIO, there was a very well defined journey I went through. Assess my security posture: I have to assess it at least once or twice a year, I want to assess it as often as possible. From there, as I find problems, the hardest part of my job was deciding what not to fix, and I didn't have enough people to remediate all the issues. So the natural next step is how do I get surge expertise to remediate all of the findings from those assessments. From there, the next thing is, okay, while I'm fixing those problems, did my security team or outsourced MSSP detect and respond to those attacks? And if so, great; if not, what are the blind spots in my detection and response? And then the final step is being that trusted advisor to the executive team, the board, and the regulators around that virtual CISO or strategic security advice. So that is the spectrum of requirements that any customer has: assess, remediate, verify your detections, and then strategic advice and guidance. Every channel partner has some aspect of those businesses within their portfolio, and we enable revenue to be generated for our partners across every one of those. Use us to do assessments at scale, automatically generate the statement of work for everything that we've found, and then our partners make money fixing the issues that we've identified. Use us to audit the blind spots of your security stack, and then finally use our results over time to provide strategic advice to the CISO, the board, and their regulators.
>> Yeah, it's great, great gap you fill for sure. And with the scale, you give other pen testers a lot of growth there. The question that comes up though, I have to ask you, and this is what's on people's minds probably, 'cause it would be the first thing that I would ask: well, you guys are kind of new, and I get this thing. So what will make you an ideal partner? Why Horizon3.ai as the partner? What do you bring to the table?
>> Yeah, I think there's a few things. One is we're approaching our three year anniversary, we've scaled very quickly, we've built a great team. But what differentiates us is our authenticity at scale, our transparency of how we work as a partner, and the fact that we've built a company that very specifically enables partners to make money, high quality money. In my previous companies I've worked at, partners are kind of relegated to doing low level professional services type work. And if I'm a services shop, that's not going to be very valuable for me. That's a one-and-done: come in, install a product, tune, and so on. What I want, if I'm a partner, is working with technology companies that care deeply about my growth as a partner and then is creating an offering that allows me to white label it, to build my own high margin business above it, give me predictable cost of goods sold so I can build and staff a high functioning organization. That's what we did at Horizon3: we built the entire company around enabling MSSPs, MSPs, consulting shops, and so on.
>> From day one. This is-
>> From day one, that was the goal. And so the entire company's been designed so you can white label the product; the entire experience can look like yours if you want it to be. The entire company was built from day one to be channel friendly.
>> This is again a key point. Again, I want to double click on that because, y'know, at the end of the day, money making's a pretty big, important thing. Channel partners, and resellers, and partners don't want to lose their customer. They want to add value and make high margins. So is it easy to use? How do I consume it? How do I deploy it? You feel comfortable that you guys can deliver on that?
>> Yeah, and in fact, a big cultural aspect of Horizon3 is we let our results do the talking. So I don't need to convince people through PowerPoint. What partners will do is they'll show up, they will run us for themselves, they'll run us against some trusted customers of theirs. They get blown away by the results. They get a Horizon3 tattoo at the end.
>> Yeah.
>> And then they become our biggest champions and advocates.
>> And ultimately when you have that land and you can show results and it's a white label, it's an instant money maker. Right? For the partner. That's great, Snehal, thanks so much for coming on. Really appreciate it. That's a wrap here, big news and the big news announcement around Horizon3.ai global expansion, new opportunities, new channel partners, great product, good for the channel, makes money, helps customers. Can't beat that. I'm John Furrier with theCUBE. Thanks for watching.
(upbeat music)
Horizon3.ai Signal | Horizon3.ai Partner Program Expands Internationally
>> Hello, I'm John Furrier with theCUBE, and welcome to this special presentation of theCUBE and Horizon3.ai. They're announcing a global partner-first approach, expanding their successful pen testing product NodeZero. You're going to hear from leading experts on their staff and their CEO, positioning themselves for a successful channel distribution expansion internationally in Europe, Middle East, Africa and Asia Pacific. In this CUBE special presentation you'll hear about the expansion, the expanded partner program giving partners a unique opportunity to offer NodeZero to their customers. Innovation in pen testing is going international with Horizon3.ai. Enjoy the program.

[Music]

>> Welcome back everyone to theCUBE and Horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We're here with Jennifer Lee, head of channel sales at Horizon3.ai. Jennifer, welcome to theCUBE, thanks for coming on.
>> Great, well thank you for having me.
>> So big news around Horizon3.ai driving channel-first commitment. You guys are expanding the channel partner program to include all kinds of new rewards, incentives, training programs, help educate, you know, partners, really drive more recurring revenue. Certainly cloud and cloud scale has done that. You got a great product that fits into that kind of channel model, great services you can wrap around it, good stuff. So let's get into it. What are you guys doing with this news? Why is this so important?
>> Yeah, for sure. So, yeah, like you said, we recently expanded our channel partner program. The driving force behind it was really just to align our, like you said, our channel-first commitment, and creating awareness around the importance of our partner ecosystems. So that's really how we go to market, is through the channel.
>> And a great international focus. I've talked with the CEO, so you know about the solution, and he broke down all the action on why it's important on the product side. But why now on the go-to-market change? What's the why behind this big news on the channel?
>> Yeah, for sure. So we are doing this now really to align our business strategy, which is built on the concept of enabling our partners to create a high-value, high-margin business on top of our platform. And so we offer a solution called NodeZero. It provides autonomous pen testing as a service, and it allows organizations to continuously verify their security posture. So our company vision, we have this tagline that states that our pen testing enables organizations to see themselves through the eyes of an attacker, and we use the attacker's perspective to identify exploitable weaknesses and vulnerabilities. So we created this partner program from the perspective of the partner, and we've built it through the eyes of our partner, right? So we're prioritizing really what the partner is looking for, and that will ensure mutual success for us.
>> Yeah, the partners always want to get in front of the customers and bring new stuff to them. Pen tests have traditionally been really expensive, and so bringing it down to a service level that's, one, affordable and has flexibility to it allows a lot of capability. So I imagine people getting excited by it. So I have to ask you about the program. What specifically are you guys doing? Can you share any details around what it means for the partners, what they get, what's in it for them? Can you just break down some of the mechanics and mechanisms or details?
>> Yeah, yep. You know, we're really looking to create business alignment and, like I said, establish mutual success with our partners. So we've got two key elements that we were really focused on that we bring to the partners. So the opportunity, the profit margin expansion, is one of them, and a way for our partners to really differentiate themselves and stay relevant in the market. So we've restructured our discount model, really, you know, highlighting profitability and maximizing profitability, and this includes our deal registration. We've created a deal registration program, we've increased discount for partners who take part in our partner certification trainings, and we have some other partner incentives that we've created that are going to help out there. We've recently gone live with our partner portal. It's a consolidated experience for our partners where they can access our sales tools, and we really view our partners as an extension of our sales and technical teams, and so we've extended all of our training material that we use internally; we've made it available to our partners through our partner portal. I'm thinking now back, what else is in that partner portal? We've got our partner certification information, so all the content that's delivered during that training can be found in the portal. We've got deal registration, co-branded marketing materials, pipeline management, and so this portal gives our partners a one-stop place to go to find all that information. And then just really quickly on the second part of that that I mentioned is our technology really is disruptive to the market. So, you know, like you said, autonomous pen testing, it's still a relatively new topic for security practitioners, and it's proven to be really disruptive. So on top of that, just recently we found an article by MarketsandMarkets that reports that the global pen testing market is really expanding, and so it's expected to grow to like 2.7 billion by 2027. So the market's there, right? The market's expanding, it's growing, and so for our partners it just really allows them to grow their revenue across their customer base, expand their customer base, and offer this high profit margin while, you know, getting in early to market on this disruptive technology.
>> Big market, a lot of opportunities to make some money. People love to put more margin on those deals, especially when you can bring a great solution that everyone knows is hard to do. So I think that's going to provide a lot of value. Is there a type of partner that you guys see emerging, or you're aligning with? You mentioned the alignment with the partners. I can see how the training and the incentives are all there, sounds like it's all going well. Is there a type of partner that's resonating the most, or are there categories of partners that can take advantage of this?
>> Yeah, absolutely. So we work with all different kinds of partners. We work with our traditional resale partners, we're working with systems integrators, we have a really strong MSP/MSSP program, we've got consulting partners, and the consulting partners, especially the ones that offer pen test services, they use us as, we act as a force multiplier, just really offering them profit margin expansion opportunity there. We've got some technology partners that we really work with for co-sell opportunities, and then we've got our cloud partners. You'd mentioned that earlier, and so we are in AWS Marketplace, so our CPPO partners; we're part of the ISV Accelerate program. So we're doing a lot there with our cloud partners, and of course we go to market with distribution partners as well.
>> Gotta love the opportunity for more margin expansion. Every kind of partner wants to put more gross profit on their deals. Is there a certification involved? I have to ask. Do people get certified, or is it just you get trained? Is it self-paced training, is it in person? How are you guys doing the whole training certification thing? Because is that a requirement?
>> Yeah, absolutely. So we do offer a certification program, and it's been very popular. This includes a seller's portion and an operator portion, and so this is at no cost to our partners, and we operate both virtually, it's virtual but live, it's not self-paced, and we also have in-person sessions as well. And we also can customize these to any partners that have a large group of people, and we can do one in person or virtual just specifically for that partner.
>> Well, any kind of incentive opportunities and marketing opportunities? Everyone loves to get the deals just kind of rolling in, leads. From what we can see from our early reporting, this looks like a hot product, price-wise, service-level-wise. What incentive are you guys thinking about, and joint marketing? You mentioned co-sell earlier, and pipeline, so I was kind of honing in on that piece.
>> Sure, and yes. And then to follow along with our partner certification program, we do incentivize our partners there: if they have a certain number certified, their discount increases, so that's part of it. We have our deal registration program that increases discount as well, and then we do have some partner incentives that are wrapped around meeting setting and moving opportunities along to proof of value.
>> Gotta love the education driving value. I have to ask you, so you've been around the industry, you've seen the channel relationships out there, you're seeing companies old school, new school. You know, Horizon3.ai is kind of like that new school, very cloud specific, a lot of leverage with, we mentioned AWS and all the clouds. Why is the company so hot right now? Why did you join them, and why are people attracted to this company? What's the attraction, what's the vibe, what do you see, and what did you see in this company?
>> Well, this is just, you know, like I said, it's very disruptive. It's really in high demand right now, and just because it's new to market and a newer technology. So we can collaborate with a manual pen tester, we can allow our customers to run their pen test with no specialty teams, and then, like I said, we can allow our partners to actually build businesses, profitable businesses. So they can use our product to increase their services revenue and build their business model around our services.
>> What's interesting about the pen test thing is that it's very expensive and time consuming. The people who do them are very talented people that could be working on really bigger things.
>> Absolutely.
>> So bringing this into the channel allows them, if you look at the price delta between a pen test and then what you guys are offering, I mean that's a huge margin gap between street price of, say, today's pen test and what you guys offer. When you show people that, do they say too good to be true? I mean, what are some of the things that people say when you kind of show them that? Are they like scratch their head, like come on, what's the catch here?
>> Right, so the cost savings is huge for us, and then also, you know, like I said, working as a force multiplier with a pen testing company that offers the services, and so they can do their annual manual pen tests that may be required around compliance regulations, and then we can act as the continuous verification of their security, you know, that they can run weekly. And so it's just, you know, it's just an addition to what they're offering already, and an expansion.
>> So Jennifer, thanks for coming on theCUBE, really appreciate you coming on, sharing the insights on the channel. What's next? What can we expect from the channel group? What are you thinking, what's going on?
>> Right, so we're really looking to expand our channel footprint, and very strategically. We've got some big plans for Horizon3.ai.
>> Awesome, well thanks for coming on, really appreciate it. You're watching theCUBE, the leader in high tech enterprise coverage.

[Music]

>> Hello and welcome to theCUBE's special presentation with Horizon3.ai, with Rainer Richter, vice president of EMEA (Europe, Middle East and Africa) and Asia Pacific (APAC) for Horizon3. Today, welcome to this special CUBE presentation, thanks for joining us.
>> Thank you for the invitation.
>> So Horizon3.ai driving global expansion, big international news with a partner-first approach. You guys are expanding internationally, let's get into it. You guys are driving this new expanded partner program to new heights. Tell us about it. What are you seeing in the momentum? Why the expansion? What's all the news about?
>> Well, I would say, yeah, in international we have, I would say, a similar situation like in the US. There is a global shortage of well-educated penetration testers on the one hand side; on the other side we have a rising demand of network and infrastructure security, and with our approach of an autonomous penetration testing I believe we are totally on top of the game, especially as we have also now started with an international instance. That means, for example, if a customer in Europe is using our service NodeZero, he will be connected to a NodeZero instance which is located inside the European Union, and therefore he doesn't have to worry about the conflict between the European GDPR regulations versus the US CLOUD Act. And I would say there we have a total good package for our partners, that they can provide differentiators to their customers.
>> You know, we've had great conversations here on theCUBE with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company, and honestly I can just connect the dots here, but I'd like you to weigh in more on how that translates into the go-to-market here. Because you got great cloud scale with the security product, you guys are having success with great leverage there, I've seen a lot of success there. What's the momentum on the channel partner program internationally? Why is it so important to you? Is it just the regional segmentation, is it the economics? Why the momentum?
>> Well, there are multiple issues. First of all, there is a rising demand in penetration testing, and don't forget that in international we have a much higher level, in number or percentage, of SMB and mid-market customers. So these customers typically, most of them, even didn't have a pen test done once a year, so for them pen testing was just too expensive. Now with our offering, together with our partners, we can provide different ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with a traditional manual pen test. And that is because we have our Consulting Plus package, which is typically for pen testers: they can go out and can do a much faster, much quicker pen test at many customers, one after each other, so they can do more pen tests on a lower, more attractive price. On the other side, there are others, or even the same ones, who are providing NodeZero as an MSSP service, so they can go after SMB customers saying, okay, well, you only have a couple of hundred IP addresses, no worries, we have the perfect package for you. And then you have, let's say, the mid-market, let's say the thousands and more employees, then they might even have an annual subscription, very traditional. But for all of them it's all the same: the customer or the service provider doesn't need a piece of hardware, they only need to install a small piece of a Docker container and that's it. And that makes it so smooth to go in and say, okay, Mr. Customer, we just put in this virtual attacker into your network and that's it, and all the rest is done, and within three clicks they can act like a pen tester with 20 years of experience.
>> And that's going to be very channel friendly and partner friendly, I can almost imagine. So I have to ask you, and thank you for calling out that breakdown and segmentation, that was very helpful for me to understand, but I want to follow up if you don't mind. What type of partners are you seeing the most traction with, and why?
>> Well, I would say at the beginning typically you have the innovators, the early adopters, typically boutique-size partners. They start because they are always looking for innovation, and those are the ones who start in the beginning. So we have a wide range of partners, mostly even managed by the owner of the company, so they immediately understand, okay, there is the value, and they can change their offering. They're changing their offering in terms of penetration testing because they can do more pen tests, and they can then add other ones. Or we have those ones who offer pen test services but did not have their own pen testers, so they had to go out on the open market and source pen testing experts to get the pen test at a particular customer done. And now with NodeZero they're totally independent, they can go out and say, okay, Mr. Customer, here's the service, that's it, we turn it on, and within an hour you're up and running.
>> Totally, yeah. And those pen tests are usually expensive and hard to do. Now it's right in line with the sales delivery. Pretty interesting for a partner.
>> Absolutely. But on the other hand side, we are not killing the pen testers' business. We do something, we're providing with NodeZero, I would call something like the foundation work, the foundational work of having an ongoing penetration testing of the infrastructure, the operating system, and the pen testers by themselves, they can concentrate in the future on things like application pen testing, for example, so those services which we're not touching. So we're not killing the pen tester market, we're just taking away the ongoing, let's say, foundation work, call it that way.
>> Yeah, yeah, that was one of my questions I was going to ask. There's a lot of interest in this autonomous pen testing, one because it's expensive to do, because those skills that are required are in need, and they're expensive. So you kind of cover the entry level and the blockers that are in there. I've seen people say to me this pen test becomes a blocker for getting things done. So there's been a lot of interest in the autonomous pen testing, and for organizations to have that posture, and it's an overseas issue too, because now you have that ongoing thing. So can you explain that particular benefit for an organization to have that, continuously verifying an organization's posture?
>> Yep, certainly. So I would say typically you have to do your patches, you have to bring in new versions of operating systems, of different services, of some components, and they are always bringing new vulnerabilities. The difference here is that with NodeZero we are telling the customer, or the partner package, we're telling them which are the executable vulnerabilities. Because previously they might have had a vulnerability scanner, so this vulnerability scanner brought up hundreds or even thousands of CVEs but didn't say anything about which of them are really executable, and then you need an expert digging in one CVE after the other, finding out, is it really executable, yes or no. And that is where you need highly paid experts, which we have a shortage of. So with NodeZero now we can say, okay, we tell you exactly which ones are the ones you should work on, because those are the ones which are executable. We rank them according to the risk level, how easily they can be used, and then the good thing is, compared to the traditional penetration test, they don't have to wait for a year for the next pen test to find out if the fixing was effective. They just run the next scan and say, yes, closed, vulnerability is gone.
>> The time is really valuable, and if you're doing any DevOps, cloud native, you're always pushing new things, so ongoing pen testing is actually a benefit just in general as a kind of hygiene. So really interesting solution, really bring that global scale. It's going to be a new coverage area for us, for sure. I have to ask you, if you don't mind answering, what particular region are you focused on or plan to target for this next phase of growth?
>> Well, at this moment we are concentrating on the countries inside the European Union plus the United Kingdom. But we are, and they are of course logically, I'm based in the Frankfurt area, that means we cover more or less the countries just around, so it's like the DACH region, Germany, Switzerland, Austria, plus the Netherlands. But we also already have partners in the Nordics, like in Finland or in Sweden, so it's rapidly, we have partners already in the UK, and it's rapidly growing. So, for example, we are now starting with some activities in Singapore and also in the Middle East area. Very important, depending on, let's say, the way how to do business, currently we try to concentrate on those countries where we can have, let's say, at least English as an accepted business language.
>> Great. Is there any particular region you're having the most success with right now? It sounds like the European Union's kind of the first wave.
>> Yes, that's the first, definitely that's the first wave, and now we're also getting the European instance up and running. It's clearly our commitment also to the market, saying, okay, we know there are certain dedicated requirements and we take care of this
and and we're just launching it we're building up this one uh the instance um in the AWS uh service center here in Frankfurt also with some dedicated Hardware internet in a data center in Frankfurt where we have with the date six by the way uh the highest internet interconnection bandwidth on the planet so we have very short latency to wherever you are on on the globe that's a great that's a great call outfit benefit too I was going to ask that what are some of the benefits your partners are seeing in emea and Asia Pacific well I would say um the the benefits is for them it's clearly they can they can uh talk with customers and can offer customers penetration testing which they before and even didn't think about because it penetrates penetration testing in a traditional way was simply too expensive for them too complex the preparation time was too long um they didn't have even have the capacity uh to um to support a pain an external pain tester now with this service you can go in and say even if they Mr customer we can do a test with you in a couple of minutes within we have installed the docker container within 10 minutes we have the pen test started that's it and then we just wait and and I would say that is we'll we are we are seeing so many aha moments then now because on the partner side when they see node zero the first time working it's like this wow that is great and then they work out to customers and and show it to their typically at the beginning mostly the friendly customers like wow that's great I need that and and I would say um the feedback from the partners is that is a service where I do not have to evangelize the customer everybody understands penetration testing I don't have to say describe what it is they understand the customer understanding immediately yes penetration testing good about that I know I should do it but uh too complex too expensive now with the name is for example as an mssp service provided from one of our partners but it's 
getting easy yeah it's great and it's great great benefit there I mean I gotta say I'm a huge fan of what you guys are doing I like this continuous automation that's a major benefit to anyone doing devops or any kind of modern application development this is just a godsend for them this is really good and like you said the pen testers that are doing it they were kind of coming down from their expertise to kind of do things that should have been automated they get to focus on the bigger ticket items that's a really big point so we free them we free the pain testers for the higher level elements of the penetration testing segment and that is typically the application testing which is currently far away from being automated yeah and that's where the most critical workloads are and I think this is the nice balance congratulations on the international expansion of the program and thanks for coming on this special presentation really I really appreciate it thank you you're welcome okay this is thecube special presentation you know check out pen test automation International expansion Horizon 3 dot AI uh really Innovative solution in our next segment Chris Hill sector head for strategic accounts will discuss the power of Horizon 3.ai and Splunk in action you're watching the cube the leader in high tech Enterprise coverage foreign [Music] [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're with Chris Hill sector head for strategic accounts and federal at Horizon 3.ai a great Innovative company Chris great to see you thanks for coming on thecube yeah like I said uh you know great to meet you John long time listener first time caller so excited to be here with you guys yeah we were talking before camera you had Splunk back in 2013 and I think 2012 was our first splunk.com and boy man you know talk about being in the right place at the right time now we're at another inflection point and Splunk continues to be 
relevant and continuing to have that data driving security and that interplay. And your CEO, former CTO of Splunk as well, at Horizon, who's been on before, really innovative product you guys have. But don't wait for a breach to find out if you're logging the right data, this is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. Tell us, what are some of the challenges that you see where this is relevant for Splunk and Horizon3.ai as you guys expand Node Zero out internationally?
>> Yeah, well, so my role within Splunk was working with our most strategic accounts. And so I look back to 2013 and I think about the sales process, like working with our small customers. It was still very siloed back then. Like, I was selling to an IT team that was either using this for IT operations. We generally would always even say, yeah, although we do security, we weren't really designed for it, we're a log management tool. And I'm sure you remember back then, John, we were sort of stepping into the security space, and in the public sector domain that I was in, security was 70% of what we did. When I look back to sort of the transformation that I was witnessing in that digital transformation, when I look at 2019 to today, you look at how the IT team and the security teams have been forced to break down those barriers that they used to sort of be siloed away behind and would not communicate. The security guys would be like, oh, this is my box, IT, you're not allowed in. Today you can't get away with that. And I think that the value that we bring, and of course Splunk has been a huge leader in that space and continues to do innovation across the board, but I think what we're seeing in the space, and I was talking with Patrick Coughlin, the SVP of security markets, about this, is that what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data. So Splunk itself, you know, it's an ingest engine, right? The great reason people bought it was you could build these really fast dashboards and grab intelligence out of it, but without data it doesn't do anything, right? So how do you drive and how do you bring more data in, and most importantly, from a customer perspective, how do you bring the right data in? And so if you think about what Node Zero and what we're doing at Horizon3 is, sure, we do pen testing, but because we're an autonomous pen testing tool, we do it continuously. So this whole thought, I'd be like, oh crud, like my customers, oh yeah, we got a pen test coming up, it's gonna be six weeks, and everyone's gonna sit on their hands, call me back in two months, Chris, we'll talk to you then, right? Not a real efficient way to test your environment. And shoot, we saw that with Uber this week, right? And that's a case where we could have helped.
>> Oh, just real quick, could you explain the Uber thing, because it was a contractor. Just give a quick highlight of what happened so you can connect the dots.
>> Yeah, no problem. So it was, I think it was, one of those games where they would try and test an environment. And what the pen tester did was he kept on calling the MFA guys, being like, I need to reset my password, we need to reset my password, and eventually the customer service guy said, okay, I'm resetting it. Once he had reset and bypassed the multi-factor authentication, he then was able to get in and get access to the building area that he was in, or I think not the domain, but he was able to gain access to a partial part of that network. He then paralleled over to what I would assume is like a VMware or some virtual machine that had notes that had all of the credentials for logging into various domains, and so within minutes they had access. And that's the sort of stuff that we do. A lot of these tools, you think about the cacophony of tools that are out there in a zero trust architecture, right? I'm gonna get like a Zscaler, or I'm going to have Okta, and I have a Splunk, I've got SolarWinds, I mean, I don't mean to name names, we have CrowdStrike or SentinelOne in there. It's just a cacophony of things that don't work together. They weren't designed to work together. And so we have seen so many times in our business, through our customer support and just working with customers when we do their pen tests, that there will be 5,000 servers out there, three are misconfigured, those three misconfigurations will create the open door. Because remember, the hacker only needs to be right once, the defender needs to be right all the time, and that's the challenge. And so that's what I'm really passionate about, what we're doing here at Horizon3. I see this digital transformation migration and security going on, which we're at the tip of the spear. It's why I joined Snehal coming on this journey, and I'm just super excited about where the path's going and super excited about the relationship with Splunk. I'll get into more details on some of the specifics of that.
>> Well, you're nailing it. I mean, we've been doing a lot of things on supercloud and this next gen environment, we're calling it next gen. You're really seeing DevOps, obviously DevSecOps has already won, the IT role has moved to the developer, shift left is an indicator of that, it's one of the many examples, higher velocity code, software supply chain. You hear these things. That means that IT is now in the developer's hands. It is replaced by the new ops, data ops teams, and security, where there's a lot of horizontal thinking. To your point about access, there's no more perimeter. Huge, 100%, right? They really only have to be right one time, you know, to get in there; once you're in, then you can hang out, move around, move laterally. Big problem. Okay, so we get that. Now the challenge is for these teams, as they are transitioning organizationally, how do they figure out what to do? Okay, this is the next step. They already have Splunk, so now they're kind of in transition while protecting for a hundred percent ratio of success. So how would you look at that and describe the challenge? What do they do? What are the teams facing with their data, and what's next? What action do they take?
>> So let's use some vernacular that folks will know. So if I think about DevSecOps, right, we both know what that means, that I'm going to build security into the app. It normally talks about SecDevOps, right, how am I building security around the perimeter of what's going inside my ecosystem and what are they doing. And so if you think about what we're able to do with somebody like Splunk, we can pen test the entire environment from soup to nuts, right? So I'm going to test the endpoints through to it, I'm going to look for misconfigurations, I'm going to look for exposed credentials, I'm going to look for anything I can in the environment. Again, I'm going to do it at light speed. And what we're doing for that SecDevOps space is: did you detect that we were in your environment? So did we alert Splunk or the SIEM that there's someone in the environment laterally moving around? Did they, more importantly, did they log us in their environment, and when did they detect that log, did that log trigger, did they alert on us? And then finally, most importantly for every CSO out there, is going to be: did they stop us? And so that's how we do this. And I think when speaking with Snehal before, we've come up with this, we call it find, fix, verify. So what we do is we go in, we act as the attacker, right, we act in a production environment, so we're not going to be... we're a passive attacker, but we will go in uncredentialed, no agents, but we have to assume... we have an assumed breach model, which means we're going to put a Docker container in your environment, and then we're going to fingerprint the environment. So we're going to go out and do an asset survey. Now, that's something that Splunk doesn't do super well, so can Splunk see all the assets? Do the same assets marry up? We're going to log all that data and then load that into the Splunk SIEM or the Splunk logging tools, just to have it in Enterprise, right? That's an immediate feature add that they've got. And then we've got the fix. So once we've completed our pen test, we are then going to generate a report, and we can talk about these a little bit later, but the reports will show an executive summary, the assets that we found, which would be your asset discovery aspect of that, a fix report, and the fix report I think is probably the most important one. It will go down and identify what we did, how we did it, and then how to fix that. And then from that, the pen tester or the organization should fix those, then they go back and run another test, and then they validate, like a change detection environment, to see, hey, did those fixes take place? And Snehal, when he was the CTO of JSOC, he shared with me a number of times that it's like, man, there would be 15 more items on next week's punch sheet that we didn't know about. And it has to do with how they were prioritizing the CVEs and whatnot, because they would take all CVEs as critical or non-critical. And it's like, we are able to create context in that environment that feeds better information into Splunk and whatnot. That brings up the efficiency for Splunk.
>> Specifically, the teams out there, by the way, the burnout thing is real. I mean, this whole "I just finished my list and I got 15 more," or whatever, the list just keeps growing. How does Node Zero specifically help Splunk teams be more efficient? Like, that's the question I want to get at, because this seems like a very scalable way for Splunk customers and teams, service teams, to be more... So the question is, how does Node Zero help make Splunk, specifically their service teams, be more efficient?
>> So today, in our early interactions with customers, we've seen five things. And I'll start with sort of identifying the blind spots, right, so kind of what I just talked about with you: did we detect, did we log, did we alert, did they stop Node Zero? Right? And so I would put that, in a more layman's, third grade term, and if I was going to beat a fifth grader at this game, it would be: we can be the sparring partner for a Splunk Enterprise customer, a Splunk Essentials customer, someone using Splunk SOAR, or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know where am I exposed. So by creating and generating these reports, and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in. And then where that then comes in is number two, is how do we prioritize those logs? Right? So how do we create visibility to logs that have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact, and also not all are low, right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission critical CVE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it. That would be very bad. And then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at, and they'll reiterate it themselves, is they don't do asset discovery. So, dude, what assets do we see, and what are they logging from that? And then for every event that they are able to identify, one of the cool things that we can do is actually create this low code, no code environment, so Splunk customers
can use Splunk SOAR to actually triage events and prioritize that event, so where they're being routed within it, to optimize the SOC team's time to market or time to triage any given event, obviously reducing MTTR. And then finally, I think one of the neatest things that we'll be seeing us develop is our ability to build glass tables. So behind me you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to the community. We're going to have the ability in the not too distant future to allow people to search, observe on those IOCs, and if people aren't familiar with it, IOC, it's an indicator of compromise. So that's a vector that we want to drill into, and of course, who's better at drilling in the data than Splunk?
>> Yeah, this is a killer, this is an awesome synergy there. I mean, I can see a Splunk customer going, man, this just gives me so much more capability, actionability, and also real understanding. And I think this is what I want to dig into, if you don't mind: understanding that critical impact. Okay, is kind of where I see this coming. Got the data, data ingest, now data's data, but the question is what not to log, you know, where are things misconfigured. These are critical questions. So can you talk about what it means to understand critical impact?
>> Yeah, so I think going back to the things that I just spoke about, a lot of those CVEs where you'll see low, low, low, and then you daisy chain them together and they're suddenly like, oh, this is high now. But then your other impact is, like, if you're a Splunk customer, you know, and I had several of them, I had one customer that had terabytes of McAfee data being brought in, and it was like, all right, there's a lot of other data that you probably also want to bring, but they could only afford, or wanted to do, certain data sets, because that's what they could afford, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say, hey, these are the critical ones to bring in, but there's also the ones that you don't necessarily need to bring in, because low CVE in this case really does mean low CVE. Like an iLO server would be one that's the print server, where your admin credentials are on, like, a printer. And so there will be credentials on that, that's something that a hacker might go in to look at. So although the CVE on it is low, if you daisy chain with somebody that's able to get into that, you might say, ah, that's high, and we would then potentially rank it, given our AI logic, to say that's a moderate. So put it on the scale and we prioritize those, versus all of these scanners just going to give you a bunch of CVEs and good luck.
>> And translating that, if I can, and tell me if I'm wrong, that kind of speaks to that whole lateral movement challenge, right? Print server, a great example. Looks stupid, low end, who's going to want to deal with the print server? Oh, but it's connected into a critical system, there's a path. Is that kind of what you're getting at?
>> Yeah, I use daisy chain, I think that's from the community I came from, but it's just lateral movement. It's exactly what they're doing in those low level, low critical lateral movements is where the hackers are getting in, right? So that's the beauty thing about the Uber example, is that who would have thought, you know, I've got my multi-factor authentication going in, a human made a mistake. We can't not expect humans to make mistakes, we're fallible, right? The reality is, once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials that would have stopped the breach, and they had not done that in their environment. And I'm not poking...
>> Yeah, but it's an interesting trend, though. I mean, it's obvious, sometimes those low end items are also not protected well, so it's easy to get at from a hacker standpoint, but also the people in charge of them can be phished easily or spearphished, because they're not paying attention, because they don't have to. No one ever told them, hey, be careful.
>> Yeah, for the community that I came from, John, that's exactly how they would meet you at an international event, introduce themselves as a graduate student, these are nation state actors, "would you mind reviewing my thesis on such and such," and I was at Adobe at the time that I was working on this, and instead of having to get the PDF, they opened the PDF, and whoever that customer was launches... And I don't know if you remember, back in like the 2008 time frame there was a lot of issues around IP being stolen from the United States by a nation state, and that's exactly how they did it. And John, that's... or LinkedIn, "hey, I want to get a job, we want to hire you, double the salary." Oh, I'm gonna click on that for sure.
>> Yeah, right, exactly.
>> Yeah, the one thing I would say to you is, when we look at, because I think we did 10,000 pen tests last year, it's probably over that now, we have these sort of top 10 ways that we think and find people coming into the environment. The funniest thing is that only one of them is a CVE related vulnerability. You guys know what they are, right? So it's like two percent of the attacks are occurring through the CVEs, but yet there's all that attention spent on that, and very little attention spent on this pen testing side, which is sort of this continuous threat monitoring space and this vulnerability space, where I think we play such an important role. And I'm so excited to be a part of the tip of the spear on this one.
>> Yeah, I'm old enough to know the movie Sneakers, which I loved. Watching that movie, professional hackers are testing, testing, always testing the environment. I love this. I got to ask you, as we kind of wrap up here, Chris, if you don't mind, the benefits to professional services from this alliance. Big news, Splunk and you guys work well together, we see that clearly. What other benefits do professional services teams see from the Splunk and Horizon3.ai alliance?
>> So I think, from both of our partners, as we bring these guys together, and many of them already are the same partner, right, is that, first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the number of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in, and we'll license to MSPs, and what that business model on MSPs looks like. But the unique thing that we do here is this C-plus license, and so the Consulting Plus license allows somebody, a small to mid-sized to some very large Fortune 100 consulting firms use this, by buying into a license called Consulting Plus, where they can have unlimited access to as many IPs as they want, but you can only run one test at a time. And as you can imagine, when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. So, but for the right customer, it's a perfect tool. And so I'm so excited about our ability to go to market with our partners, so that we understand ourselves, understand how to not just sell to, or not just to sell through, but we know how to sell with them, as a good vendor partner. I think that's one thing that we've done a really good job building and bringing into the market.
>> Yeah, I think also Splunk has had great success in how they've enabled partners and professional services.
>> Absolutely.
>> You know, the services that layer on top of Splunk are multi-fold, tons of great benefits. So you guys vector right into that, ride that wave with friction.
>> And the cool thing is that in one of our reports, which could be totally customized with someone else's logo, we're going to generate... So I used to work in another organization, it wasn't Splunk, but we did pen testing for customers, and my pen testers would come on site, they'd do the engagement, and they would leave, and then another release, someone would be, oh shoot, we got another sector that was breached, and they'd call you back four weeks later. And so by August our entire pen testing teams would be sold out, and it would be like, well, even in March maybe, and they're like, no, no, I gotta breach now. And then when they do go in, they go through, do the pen test, and they hand over a PDF, and they pat them on the back and say, there's where your problems are, you need to fix it. And the reality is that what we're going to generate, completely autonomously, with no human interaction, is we're going to go and find all the permutations of anything we found, and the fix for those permutations. And then once you've fixed everything, you just go back and run another pen test. For what people pay for one pen test, they can have a tool that does that every Patch Tuesday, and then on Wednesday, you know, triage throughout the week, green, yellow, red.
>> I wanted to see the colors. Show me green. Green is good, right? Not red. And what CIO doesn't want that dashboard, right?
>> It's exactly it, and we can help bring... I think that I'm really excited about helping drive this with the Splunk team, because they get that, they understand that it's the green, yellow, red dashboard, and how do we help them find more green so that the other guys are in red.
>> Yeah, and get in the data and do the right thing and be efficient with how you use the data, know what to look at. So many things to pay attention to. The combination of both and then go to market strategy, real brilliant. Congratulations, Chris, thanks for coming on and sharing this news with the detail around Splunk in action around the alliance.
>> Thanks for sharing, John. My pleasure. Thanks, look forward to seeing you soon.
>> All right, great. We'll follow up and do another segment on DevOps and IT and security teams as the new new ops, and supercloud, a bunch of other stuff. So thanks for coming on, and in our next segment, the CEO of Horizon3.ai will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage.
(music)
>> Yeah, the partner program for us has been fantastic. I think prior to that, as most organizations, most partners, most MSSPs might not necessarily have a bench at all for penetration testing. Maybe they subcontract this work out, or maybe they do it themselves, but trying to staff that kind of position can be incredibly difficult. For us, this was a differentiator, a new partnership that allowed us to not only perform services for our customers, but be able to provide a product by which they can do it themselves. So we work with our customers in a variety of ways. Some of them want more routine testing and perform this themselves, but we're also a certified service provider of Horizon3, being able to perform penetration tests, help review the data, provide color, provide analysis for our customers in a broader sense, right? Not necessarily the black and white elements of what's critical, what's high, what's medium, what's low, what you need to fix, but are there systemic issues? This has allowed us to onboard new customers, this has allowed us to migrate some penetration testing services to us from competitors in the marketplace. But ultimately this is occurring because the product and the outcome are special, they're unique and they're effective. Our customers like what they're seeing, they like the routineness of it. Many of them, again, like doing this themselves, being able to kind of pen test themselves parts of their
networks um and the the new use cases right I'm a large organization I have eight to ten Acquisitions per year wouldn't it be great to have a tool to be able to perform a penetration test both internal and external of that acquisition before we integrate the two companies and maybe bringing on some risk it's a very effective partnership uh one that really is uh kind of taken our our Engineers our account Executives by storm um you know this this is a a partnership that's been very valuable to us [Music] a key part of the value and business model at Horizon 3 is enabling Partners to leverage node zero to make more revenue for themselves our goal is that for sixty percent of our Revenue this year will be originated by partners and that 95 of our Revenue next year will be originated by partners and so a key to that strategy is making us an integral part of your business models as a partner a key quote from one of our partners is that we enable every one of their business units to generate Revenue so let's talk about that in a little bit more detail first is that if you have a pen test Consulting business take Deloitte as an example what was six weeks of human labor at Deloitte per pen test has been cut down to four days of Labor using node zero to conduct reconnaissance find all the juicy interesting areas of the of the Enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at understand and determine where to probe deeper so what you see in that pen test Consulting business is that node zero becomes a force multiplier where those Consulting teams were able to cover way more accounts and way more IPS within those accounts with the same or fewer consultants and so that directly leads to profit margin expansion for the Penn testing business itself because node 0 is a force multiplier the second business model here is if you're an mssp as an mssp you're already making 
money providing defensive cyber security operations for a large volume of customers and so what they do is they'll license node zero and use us as an upsell to their mssb business to start to deliver either continuous red teaming continuous verification or purple teaming as a service and so in that particular business model they've got an additional line of Revenue where they can increase the spend of their existing customers by bolting on node 0 as a purple team as a service offering the third business model or customer type is if you're an I.T services provider so as an I.T services provider you make money installing and configuring security products like Splunk or crowdstrike or hemio you also make money reselling those products and you also make money generating follow-on services to continue to harden your customer environments and so for them what what those it service providers will do is use us to verify that they've installed Splunk correctly improved to their customer that Splunk was installed correctly or crowdstrike was installed correctly using our results and then use our results to drive follow-on services and revenue and then finally we've got the value-added reseller which is just a straight up reseller because of how fast our sales Cycles are these vars are able to typically go from cold email to deal close in six to eight weeks at Horizon 3 at least a single sales engineer is able to run 30 to 50 pocs concurrently because our pocs are very lightweight and don't require any on-prem customization or heavy pre-sales post sales activity so as a result we're able to have a few amount of sellers driving a lot of Revenue and volume for us well the same thing applies to bars there isn't a lot of effort to sell the product or prove its value so vars are able to sell a lot more Horizon 3 node zero product without having to build up a huge specialist sales organization so what I'm going to do is talk through uh scenario three here as an I.T service provider 
and just how powerful NodeZero can be in driving additional revenue. So in here, think of it as: for every one dollar of NodeZero license purchased by the IT service provider to do their business, it'll generate ten dollars of additional revenue for that partner.

So in this example Kinney Group uses NodeZero to verify that they have installed and deployed Splunk correctly. Kinney Group is a Splunk partner; they sell IT services to install, configure, deploy, and maintain Splunk, and as they deploy Splunk they're going to use NodeZero to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment. So it's a way of doing QA, or verifying that Splunk has been configured correctly, and that's going to be used internally by Kinney Group to prove the quality of the services that they've just delivered.

Then what they're going to do is show and leave behind that NodeZero report with their client, and that creates a resell opportunity for Kinney Group to resell NodeZero to their client, because their client is seeing the reports and the results and saying, "wow, this is pretty amazing." And those reports can be co-branded, where it's a pen testing report branded with Kinney Group but it says "powered by Horizon3" under it.

From there, Kinney Group is able to take the fix actions report that's automatically generated with every pen test through NodeZero and use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that NodeZero identified: fixing LLMNR misconfigurations, fixing or patching VMware, updating credential policies, and so on. So what happens is NodeZero has found a bunch of problems the client often lacks the capacity to fix, and so Kinney Group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services.

And finally, based on the findings from NodeZero, Kinney Group can look at that report
and say to the customer, "you know, customer, if you bought CrowdStrike you'd be able to prevent NodeZero from attacking and succeeding in the way that it did," or "if you bought Humio," or "if you bought Palo Alto Networks," or "if you bought some privileged access management solution," because of what NodeZero was able to do with credential harvesting and attacks. And so as a result Kinney Group is able to resell other security products within their portfolio, CrowdStrike Falcon, Humio, Palo Alto Networks, Demisto, Phantom, and so on, based on the gaps that were identified by NodeZero and that pen test. And what that creates is another feedback loop, where Kinney Group will then go use NodeZero to verify that the CrowdStrike product has actually been installed and configured correctly, and then this becomes the cycle of using NodeZero to verify a deployment, using that verification to drive a bunch of follow-on services and resell opportunities, which then further drives more usage of the product.

Now the way that we license is that it's a usage-based licensing model, so that the partner will grow their NodeZero Consulting Plus license as they grow their business. So for example, if you're a Kinney Group, then in week one you're going to use NodeZero to verify your Splunk install; in week two, if you have a pen testing business, you're going to go off and use NodeZero to be a force multiplier for your pen testing client opportunity; and then if you have an MSSP business, in week three you're going to use NodeZero to go execute a purple team MSSP offering for your clients. So not necessarily a Kinney Group, but if you're a Deloitte or AT&T, these larger companies, and you've got multiple lines of business, if you're Optiv for instance, all you have to do is buy one Consulting Plus license and you're going to be able to run as many pen tests as you want sequentially. So now you can buy a single license and use that one license to meet your week one client commitments, and then
meet your week two, and then meet your week three. And as you grow your business you start to run multiple pen tests concurrently, so if in week one you've got to verify a Splunk install and you've got to run a pen test and you've got to do a purple team opportunity, you just simply expand the number of Consulting Plus licenses from one license to three licenses. And so now, as you systematically grow your business, you're able to grow your NodeZero capacity with you, giving you predictable COGS, predictable margins, and once again a 10x additional revenue opportunity for that investment in the NodeZero Consulting Plus license.

>> My name is Snehal. I'm the co-founder and CEO here at Horizon3. I'm going to talk to you today about why it's important to look at your enterprise through the eyes of an attacker.

The challenge I had when I was a CIO in banking, the CTO at Splunk, and serving within the Department of Defense is that I had no idea I was secure until the bad guys had showed up. Am I logging the right data? Am I fixing the right vulnerabilities? Are my security tools that I've paid millions of dollars for actually working together to defend me? And the answer is, I don't know. Does my team actually know how to respond to a breach in the middle of an incident? I don't know. I've got to wait for the bad guys to show up. And so the challenge I had was, how do we proactively verify our security posture?

I tried a variety of techniques. The first was the use of vulnerability scanners, and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable. I might have a hundred thousand findings from my scanner, of which maybe five or ten can actually be exploited in my environment. The other big problem with scanners is that they can't chain weaknesses together from machine to machine. So if you've got a thousand machines in your environment or more, what a vulnerability scanner will do is tell you you have a problem on machine one and, separately, a
problem on machine two, but what they can't tell you is that an attacker could use a low from machine one plus a low from machine two to equal a critical in your environment. And what attackers do in their tactics is they chain together misconfigurations, dangerous product defaults, harvested credentials, and exploitable vulnerabilities into attack paths across different machines.

So to address the attack paths across different machines, I tried layering in consulting-based pen testing, and the issue is, when you've got thousands of hosts or hundreds of thousands of hosts in your environment, human-based pen testing simply doesn't scale to test an infrastructure of that size. Moreover, when they actually do execute a pen test and you get the report, oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem. And so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale.

And then to mitigate that problem I tried using breach and attack simulation tools, and the struggle with these tools is: one, I had to install credentialed agents everywhere; two, I had to write my own custom attack scripts, which I didn't have much talent for but also had to maintain as my environment changed; and then three, these types of tools were not safe to run against production systems, which was the majority of my attack surface. So that's why we went off to start Horizon3.
So Tony and I met when we were in Special Operations together, and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the power of a 20-year pen testing veteran into the hands of an IT admin or a network engineer in just three clicks. And the whole idea is we enable these fixers, the blue team, to be able to run NodeZero, our pen testing product, to quickly find problems in their environment. That blue team will then go off and fix the issues that were found, and then they can quickly rerun the attack to verify that they fixed the problem. And the whole idea is delivering this without requiring custom scripts be developed, without requiring credentialed agents be installed, and without requiring the use of external third-party consulting services or professional services: self-service pen testing to quickly drive find, fix, verify.

There are three primary use cases that our customers use us for. The first is the SOC manager that uses us to verify that their security tools are actually effective: to verify that they're logging the right data in Splunk or in their SIEM, to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their SLAs, or that the SOC understands how to quickly detect and respond, and measuring and verifying that, or that the variety of tools that you have in your stack (most organizations have 130-plus cyber security tools, none of which are designed to work together) are actually working together.

The second primary use case is proactively hardening and verifying your systems. This is when the IT admin, that network engineer, is able to run self-service pen tests to verify that their Cisco environment is installed and hardened and configured correctly, or that their credential policies are set up right, or that their vCenter or WebSphere or Kubernetes environments are actually designed to be secure. And what this allows the IT
admins and network engineers to do is shift from running one or two pen tests a year to 30, 40, or more pen tests a month. And you can actually wire those pen tests into your DevOps process, or into your detection engineering and change management processes, to automatically trigger pen tests every time there's a change in your environment.

The third primary use case is for those organizations lucky enough to have their own internal red team: they'll use NodeZero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard, juicy stuff that gets them on stage at DEF CON.

And so these are the three primary use cases, and what we'll do is zoom into the find, fix, verify loop, because what I've found in my experience is find, fix, verify is the future operating model for cyber security organizations. And what I mean here is, in the find, using continuous pen testing, what you want to enable is on-demand self-service pen tests. You want those pen tests to find attack paths at scale spanning your on-prem infrastructure, your cloud infrastructure, and your perimeter, because attackers don't only stay in one place: they will find ways to chain together a perimeter breach, a credential from your on-prem to gain access to your cloud, or some other permutation. And then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore. They know we've built vulnerability management programs to reduce those vulnerabilities, so attackers have adapted, and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults, with exploitable vulnerabilities, and through the collection of credentials, through a mix of techniques at scale.

Once you've found those problems, the next question is, what do you do about it? Well, you want to be able to prioritize fixing problems that are actually exploitable in your environment, that
truly matter, meaning they're going to lead to domain compromise or domain user compromise or access to your sensitive data. The second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to. Where is your crown jewels data? Is it in the cloud? Is it on-prem? Has it been copied to a share drive that you weren't aware of? If a domain user was compromised, could they access that crown jewels data? You want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure. And then finally, as you fix these problems, you want to quickly remediate and retest that you've actually fixed the issue, and this find, fix, verify cycle becomes that accelerator that drives purple team culture.

The third part here is verify, and what you want to be able to do in the verify step is verify that your security tools and processes and people can effectively detect and respond to a breach. You want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations. You also want to make sure that your environment is adhering to the best practices around systems hardening and cyber resilience. And finally, you want to be able to prove your security posture over time to your board, to your leadership, and to your regulators.

So what I'll do now is zoom into each of these three steps. So when we zoom in to find, here's the first example using NodeZero and autonomous pen testing. What an attacker will do is find a way to break through the perimeter. In this example, it's very easy to misconfigure Kubernetes to allow an attacker to gain remote code execution into your on-prem Kubernetes environment and break through the perimeter. And from there, what the attacker is going to do is conduct network reconnaissance and then find ways to gain code execution on other machines in the environment, and as they get code execution they start to
dump credentials, collect a bunch of NTLM hashes, crack those hashes using open source and dark web available data as part of those attacks, and then reuse those credentials to log in and laterally maneuver throughout the environment. And then as they laterally maneuver they can reuse those credentials and use credential spraying techniques and so on to compromise your business email, to log in as admin into your cloud. And this is a very common attack, and rarely is a CVE actually needed to execute this attack. Often it's just a misconfiguration in Kubernetes with a bad credential policy or password policy, combined with bad practices of credential reuse across the organization.

Here's another example of an internal pen test, and this is from an actual customer. They had 5,000 hosts within their environment, they had EDR and UBA tools installed, and they initiated an internal pen test on a single machine. From that single initial access point NodeZero enumerated the network, conducted reconnaissance, and found five thousand hosts were accessible. What NodeZero will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the cyber terrain map, and that cyber terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment. So what NodeZero will do is try to find ways to get code execution, reuse credentials, and so on. In this customer example they had Fortinet installed as their EDR, but NodeZero was still able to get code execution on a Windows machine. From there it was able to successfully dump credentials, including sensitive credentials from the LSASS process on the Windows box, and then reuse those credentials to log in as domain admin in the network. And once an attacker becomes domain admin they have the keys to the kingdom; they can do anything they want.

So what happened here? Well, it turns out Fortinet was misconfigured on three out of 5,000 machines. Bad automation. The customer had
no idea this had happened. They would have had to wait for an attacker to show up to realize that it was misconfigured. The second thing is, well, why didn't Fortinet stop the credential pivot and the lateral movement? And it turned out the customer didn't buy the right modules or turn on the right services within that particular product. And we see this not only with Fortinet but we see this with Trend Micro and all the other defensive tools, where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping.

The next story I'll tell you is: attackers don't have to hack in, they log in. So, another infrastructure pen test. A typical technique attackers will take is man-in-the-middle attacks that will collect hashes. So in this case what an attacker will do is leverage a tool or technique called Responder to collect NTLM hashes that are being passed around the network. And there's a variety of reasons why these hashes are passed around, and it's a pretty common misconfiguration. But as an attacker collects those hashes, then they start to apply techniques to crack those hashes, so they'll pass the hash, and from there they will use open source intelligence, common password structures and patterns, and other types of techniques to try to crack those hashes into clear text passwords. So here NodeZero automatically collected hashes, it automatically passed the hashes to crack those credentials, and then from there it starts to take the domain user IDs and passwords that it's collected and tries to access different services and systems in your enterprise. In this case NodeZero is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured. So now what happens is NodeZero has placement and access in the business email system, which sets up the conditions for fraud, lateral phishing, and other techniques. But what's especially insightful here is that 80% of the hashes that were collected in this
pen test were cracked in 15 minutes or less. 80 percent. 26 of the user accounts had a password that followed a pretty obvious pattern: first initial, last initial, and four random digits. The other thing that was interesting is 10 percent of service accounts had their user ID the same as their password: VMware admin / VMware admin, WebSphere admin / WebSphere admin, so on and so forth. And so attackers don't have to hack in; they just log in with credentials that they've collected.

The next story here is becoming AWS admin. So in this example, once again an internal pen test, NodeZero gets initial access, it discovers 2,000 hosts are network reachable from that environment, it fingerprints and organizes all of that data into a cyber terrain map. From there it fingerprints that HP iLO, the integrated lights-out service, was running on a subset of hosts. HP iLO is a service that is often not instrumented or observed by security teams, nor is it easy to patch; as a result attackers know this and immediately go after those types of services. So in this case that iLO service was exploitable and we were able to get code execution on it. iLO stores all the user IDs and passwords in clear text in a particular set of processes, so once we gained code execution we were able to dump all of the credentials and then from there laterally maneuver to log in to the Windows box next door as admin. And then on that admin box we were able to gain access to the share drives, and we found a credentials file saved on a share drive. From there it turned out that credentials file was the AWS admin credentials file, giving us full admin authority to their AWS accounts. Not a single security alert was triggered in this attack, because the customer wasn't observing the iLO service and every step thereafter was a valid login in the environment. And so what do you do? Step one, patch the server. Step two, delete the credentials file from the share drive. And then step three is get better instrumentation on privileged access users and
logins.

The final story I'll tell is a typical pattern that we see across the board that combines the various techniques I've described together, where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company. From there they're going to look up those employees on dark web breach databases and other forms of information, and then use that as a starting point to password spray to compromise a domain user. All it takes is one employee to reuse a breached password for their corporate email, or all it takes is a single employee to have a weak password that's easily guessable. All it takes is one. And once the attacker is able to gain domain user access, in most shops domain user is also the local admin on their laptop, and once you're local admin you can dump SAM and get local admin NTLM hashes. You can use that to reuse credentials, again local admin on neighboring machines, and attackers will start to rinse and repeat. Then eventually they're able to get to a point where they can dump LSASS, by unhooking the anti-virus, defeating the EDR, or finding a misconfigured EDR as we've talked about earlier, to compromise the domain. And what's consistent is that the fundamentals are broken at these shops: they have poor password policies, they don't have least access privilege implemented, Active Directory groups are too permissive where domain admin or domain user is also the local admin, AV or EDR solutions are misconfigured or easily unhooked, and so on.

And what we found in 10,000 pen tests is that user behavior analytics tools never caught us in that lateral movement, in part because those tools require pristine logging data in order to work, and also it becomes very difficult to find that baseline of normal usage versus abnormal usage of credential login. Another interesting insight is there were several marquee brand-name MSSPs that were defending our customers' environments, and for them it took seven hours to detect and
respond to the pen test. Seven hours. The pen test was over in less than two hours, and so what you had was an egregious violation of the service level agreements that that MSSP had in place, and the customer was able to use us to get service credit and drive accountability of their SOC and of their provider. The third interesting thing is, in one case it took us seven minutes to become domain admin in a bank. That bank had every Gucci security tool you could buy, yet in 7 minutes and 19 seconds NodeZero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations and lateral movement and so on to become domain admin. If it's seven minutes today, we should assume it'll be less than a minute a year or two from now, making it very difficult for humans to be able to detect and respond to that type of blitzkrieg attack.

So that's in the find. It's not just about finding problems, though; the bulk of the effort should be what to do about it, the fix and the verify. So as you find those problems, back to Kubernetes as an example, we will show you the path: here is the kill chain we took to compromise that environment. We'll show you the impact: here is the impact, or here's the proof of exploitation that we were able to use to be able to compromise it, and there's the actual command that we executed, so you could copy and paste that command and compromise that kubelet yourself if you want. And then the impact is we got code execution, and we'll actually show you: here is the impact, this is a critical, here's why, it enabled perimeter breach. Affected applications will tell you the specific IPs where you've got the problem, how it maps to the MITRE ATT&CK framework, and then we'll tell you exactly how to fix it. We'll also show you what this problem enabled, so you can accurately prioritize why this is important or why it's not important.

The next part is accurate prioritization. The hardest part of my job as a CIO was deciding what not
to fix. So if you take "SMB signing not required" as an example, by default that CVSS score is a one out of 10. But this misconfiguration (it's not a CVE, it's a misconfig) enabled an attacker to gain access to 19 credentials, including one domain admin, two local admins, and access to a ton of data. Because of that context this is really a 10 out of 10; you better fix this as soon as possible. However, of the seven occurrences that we found, it's only a critical in three out of the seven, and these are the three specific machines, and we'll tell you the exact way to fix it, and you better fix these as soon as possible. For these four machines over here, these didn't allow us to do anything of consequence, so, because the hardest part is deciding what not to fix, you can justifiably choose not to fix these four issues right now and just add them to your backlog, and surge your team to fix these three as quickly as possible. And then once you fix these three, you don't have to re-run the entire pen test: you can select these three and then one-click verify and run a very narrowly scoped pen test that is only testing this specific issue. And what that creates is a much faster cycle of finding and fixing problems.

The other part of fixing is verifying that you don't have sensitive data at risk. So once we become a domain user, we're able to use those domain user credentials and try to gain access to databases, file shares, S3 buckets, git repos, and so on, and help you understand what sensitive data you have at risk. So in this example a green checkbox means we logged in as a valid domain user, we were able to get read/write access on the database, and this is how many records we could have accessed. And we don't actually look at the values in the database, but we'll show you the schema so you can quickly characterize that PII data was at risk here. And we'll do that for your file shares and other sources of data. So now you can accurately articulate the data you have at risk and prioritize cleaning that data up,
especially data that will lead to a fine or a big news issue. So that's the find, that's the fix. Now we're going to talk about the verify.

The key part in verify is embracing and integrating with detection engineering practices. So when you think about your layers of security tools, you've got lots of tools in place, on average 130 tools at any given customer, but these tools were not designed to work together. So when you run a pen test, what you want to do is say: did you detect us? Did you log us? Did you alert on us? Did you stop us? And from there what you want to see is, okay, what are the techniques that are commonly used to defeat an environment, to actually compromise? If you look at the top 10 techniques we use, and there's far more than just these 10, but these are the most often executed, nine out of ten have nothing to do with CVEs. It has to do with misconfigurations, dangerous product defaults, bad credential policies, and it's how we chain those together to become a domain admin or compromise a host.

So what customers will do is, every single attacker command we executed is provided to you as an attackivity log, so you can actually see every single attacker command we ran, the timestamp it was executed, the hosts it executed on, and how it maps to the MITRE ATT&CK tactics. So our customers will have these attacker logs on one screen, and then they'll go look into Splunk or Exabeam or SentinelOne or CrowdStrike and say, did you detect us, did you log us, did you alert on us, or not? And to make that even easier, if you take this example: hey Splunk, what logs did you see at this time on the VMware host? Because that's when NodeZero was able to dump credentials, and that allows you to identify and fix your logging blind spots. To make that easier we've got app integration, so this is an actual Splunk app in the Splunk App Store, and what you can do is, inside the Splunk console itself, fire up the Horizon3 NodeZero app. All of the pen test results are here so that you can see all of
the results in one place, and you don't have to jump out of the tool. And what we'll show you, as I skip forward, is: hey, there's a pen test, here are the critical issues that we've identified, for that weak default issue here are the exact commands we executed, and then we will automatically query into Splunk all terms between these times on that endpoint that relate to this attack, so you can now quickly, within the Splunk environment itself, figure out that you're missing logs or that you're appropriately catching this issue. And that becomes incredibly important in that detection engineering cycle that I mentioned earlier.

So how do our customers end up using us? They shift from running one pen test a year to 30, 40 pen tests a month, oftentimes wiring us into their deployment automation to automatically run pen tests. The other part that they'll do is, as they run more pen tests they find more issues, but eventually they hit this inflection point where they're able to rapidly clean up their environment, and that inflection point is because the red and the blue teams start working together in a purple team culture, and now they're working together to proactively harden their environment. The other thing our customers will do is run us from different perspectives. They'll first start running an RFC 1918 scope to see, once the attacker gained initial access in a part of the network that had wide access, what could they do. And then from there they'll run us within a specific network segment: okay, from within that segment, could the attacker break out and gain access to another segment? Then they'll run us from their work-from-home environment: could they traverse the VPN and do something damaging, and once they're in, could they traverse the VPN and get into my cloud? Then they'll break in from the outside. All of these perspectives are available to you in Horizon3 and NodeZero as a single SKU, and you can run as many pen tests as you want. If you run a phishing campaign and find that
an intern in the finance department had the worst phishing behavior, you can then inject their credentials and actually show the end-to-end story of how an attacker phished, gained the credentials of an intern, and used that to gain access to sensitive financial data. So what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time.

I'll leave you with two things. One is, what is the AI in Horizon3.ai? Those knowledge graphs are the heart and soul of everything that we do, and we use machine learning, reinforcement learning techniques, Markov decision models, and so on to be able to efficiently maneuver and analyze the paths in those really large graphs. We also use context-based scoring to prioritize weaknesses, and we're also able to drive collective intelligence across all of the operations, so the more pen tests we run the smarter we get, and all of that is based on our knowledge graph analytics infrastructure that we have.

Finally, I'll leave you with this: this was my decision criteria when I was a buyer for my security testing strategy. What I cared about was coverage: I wanted to be able to assess my on-prem, cloud, perimeter, and work-from-home, and be safe to run in production. I wanted to be able to do that as often as I wanted. I wanted to be able to run pen tests in hours or days, not weeks or months, so I could accelerate that find, fix, verify loop. I wanted my IT admins and network engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience, and not have to install agents and not have to write custom scripts. And finally, I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks; I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted, so I could look at my trends and directions over time. So I hope you found this talk valuable. We're easy to find,
and I look forward to seeing you use the product and letting our results do the talking.

>> When you look at kind of the way our pen testing algorithms work, we dynamically select how to compromise an environment based on what we've discovered, and the goal is to become a domain admin, compromise a host, compromise domain users, find ways to encrypt data, steal sensitive data, and so on. But when you look at the top 10 techniques that we ended up using to compromise environments, the first nine have nothing to do with CVEs, and that's the reality. CVEs are, yes, a vector, but less than two percent of CVEs are actually used in a compromise. Oftentimes it's some sort of credential collection, credential cracking, credential pivoting, and using that to become an admin, and then compromising environments from that point on. So I'll leave this up for you to kind of read through, and you'll have the slides available for you, but I found it very insightful that organizations, and ourselves when I was at GE included, invested heavily in just standard vulnerability management programs. When I was at DOD, all DISA cared about asking us about was kind of our CVE posture. But the attackers have adapted to not rely on CVEs to get in, because they know that organizations are actively looking at and patching those CVEs, and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment.

A concrete example is, by default vCenter backups are not encrypted, and so if an attacker finds vCenter, what they'll do is find the backup location, and there are specific vCenter MTD files where the admin credentials are persisted in the binaries. So you can actually, as an attacker, find the right MTD file, parse out the binary, and now you've got the admin credentials for the vCenter environment and can start to log in as admin. There's a bad habit by signal officers and signal
practitioners in the in the Army and elsewhere where the the VM notes section of a virtual image has the password for the VM well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMS that are unencrypted find the note section and pull out the passwords for those images and then reuse those credentials across the board so I'll pause here and uh you know Patrick love you get some some commentary on on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is uh is rolled through a little bit more on what do you do about it yeah yeah no I love it I think um I think this is pretty exhaustive what I like about what you've done here is uh you know we've seen we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last um for the last three years and it's often we kind of in the Zeitgeist we pegged that on ransomware which of course is like incredibly important and very top of mind um but what I like about what you have here is you know we're reminding the audience that the the attack surface area the vectors the matter um you know has to be more comprehensive than just thinking about ransomware scenarios yeah right on um so let's build on this when you think about your defense in depth you've got multiple security controls that you've purchased and integrated and you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together so when you run a pen test what you want to ask yourself is did you detect node zero did you log node zero did you alert on node zero and did you stop node zero and when you think about how to do that every single attacker command executed by node zero is available in an attacker log so you can now see you know at the bottom here vcenter um exploit at that time on that IP how it aligns to minor attack what you want to be 
able to do is go figure out did your security tools catch this or not and that becomes very important in using the attacker's perspective to improve your defensive security controls and so the way we've tried to make this easier back to like my my my the you know I bleed Green in many ways still from my smoke background is you want to be able to and what our customers do is hey we'll look at the attacker logs on one screen and they'll look at what did Splunk see or Miss in another screen and then they'll use that to figure out what their logging blind spots are and what that where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunk base and you'll get all of the pen test results right there in the Splunk console and from that Splunk console you're gonna be able to see these are all the pen tests that were run these are the issues that were found um so you can look at that particular pen test here are all of the weaknesses that were identified for that particular pen test and how they categorize out for each of those weaknesses you can click on any one of them that are critical in this case and then we'll tell you for that weakness and this is where where the the punch line comes in so I'll pause the video here for that weakness these are the commands that were executed on these endpoints at this time and then we'll actually query Splunk for that um for that IP address or containing that IP and these are the source types that surface any sort of activity so what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective so as this video kind of plays through you can see it Patrick I'd love to get your thoughts um just seeing so many Splunk deployments and the effectiveness of those deployments and and how this is going to help really Elevate the effectiveness of all of your 
Splunk customers yeah I'm super excited about this I mean I think this these kinds of purpose-built integration snail really move the needle for our customers I mean at the end of the day when I think about the power of Splunk I think about a product I was first introduced to 12 years ago that was an on-prem piece of software you know and at the time it sold on sort of Perpetual and term licenses but one made it special was that it could it could it could eat data at a speed that nothing else that I'd have ever seen you can ingest massively scalable amounts of data uh did cool things like schema on read which facilitated that there was this language called SPL that you could nerd out about uh and you went to a conference once a year and you talked about all the cool things you were splunking right but now as we think about the next phase of our growth um we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding and as you look at the as you look at the role of the ciso it's mind-blowing to me the amount of sources Services apps that are coming into the ciso span of let's just call it a span of influence in the last three years uh you know we're seeing things like infrastructure service level visibility application performance monitoring stuff that just never made sense for the security team to have visibility into you um at least not at the size and scale which we're demanding today um and and that's different and this isn't this is why it's so important that we have these joint purpose-built Integrations that um really provide more prescription to our customers about how do they walk on that Journey towards maturity what does zero to one look like what does one to two look like whereas you know 10 years ago customers were happy with platforms today they want integration they want Solutions and they want to drive outcomes and I think this is a great example of how together we are stepping to the 
evolving nature of the market and also the ever-evolving nature of the threat landscape and what I would say is the maturing needs of the customer in that environment yeah for sure I think especially if if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere while the security budgets are not going to ever I don't think they're going to get cut they're not going to grow as fast and there's a lot more pressure on organizations to extract more value from their existing Investments as well as extracting more value and more impact from their existing teams and so security Effectiveness Fierce prioritization and automation I think become the three key themes of security uh over the next 18 months so I'll do very quickly is run through a few other use cases um every host that we identified in the pen test were able to score and say this host allowed us to do something significant therefore it's it's really critical you should be increasing your logging here hey these hosts down here we couldn't really do anything as an attacker so if you do have to make trade-offs you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end so you've got that level of of um justification for where to increase or or adjust your logging resolution another example is every host we've discovered as an attacker we Expose and you can export and we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint a big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were Rogue Raspberry Pi's on the network or if a new box was installed and whether Splunk was installed on it or not so now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from uh finally or second to last use case here on the Splunk integration side is for every single problem we've found we give 
multiple options for how to fix it this becomes a great way to prioritize what fixed actions to automate in your soar platform and what we want to get to eventually is being able to automatically trigger soar actions to fix well-known problems like automatically invalidating passwords for for poor poor passwords in our credentials amongst a whole bunch of other things we could go off and do and then finally if there is a well-known kill chain or attack path one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise and now you've got a great starting point for glass tables and iocs for actual kill chains that we know are exploitable in your environment and that becomes some super cool Integrations that we've got on the roadmap between us and the Splunk security side of the house so what I'll leave with actually Patrick before I do that you know um love to get your comments and then I'll I'll kind of leave with one last slide on this wartime security mindset uh pending you know assuming there's no other questions no I love it I mean I think this kind of um it's kind of glass table's approach to how do you how do you sort of visualize these workflows and then use things like sore and orchestration and automation to operationalize them is exactly where we see all of our customers going and getting away from I think an over engineered approach to soar with where it has to be super technical heavy with you know python programmers and getting more to this visual view of workflow creation um that really demystifies the power of Automation and also democratizes it so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation policy enforcement and ultimately driving automation 
coverage across more and more of the workflows that your team is seeing yeah I think that between us being able to visualize the actual kill chain or attack path with you know think of a of uh the soar Market I think going towards this no code low code um you know configurable sore versus coded sore that's going to really be a game changer in improve or giving security teams a force multiplier so what I'll leave you with is this peacetime mindset of security no longer is sustainable we really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are are working or not and the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past uh nine months due to the Ukrainian War there you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint and this is no longer about financial extortion that is ransomware this is about punishing and destroying companies and you can punish any one of these companies by going after them directly or by going after their suppliers and their Distributors so suddenly your attack surface is no more no longer just your own Enterprise it's how you bring your goods to Market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit if I can get those trucks stuck at the border I can increase spoilage and have the same effect and what we should expect to see is this idea of cyber-enabled economic Warfare where if we issue a sanction like Banning the Russians from traveling there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database that is below the threshold of War that's not going to trigger the 82nd Airborne to be mobilized but it's going to achieve the right effect ban the sale of luxury goods disrupt the supply chain and create shortages banned Russian oil 
and gas attack refineries to call a 10x spike in gas prices three days before the election this is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture verify it see yourself Through The Eyes of the attacker build that incident response muscle memory and drive better collaboration between the red and the blue teams your suppliers and Distributors and your information uh sharing organization they have in place and what's really valuable for me as a Splunk customer was when a router crashes at that moment you don't know if it's due to an I.T Administration problem or an attacker and what you want to have are different people asking different questions of the same data and you want to have that integrated triage process of an I.T lens to that problem a security lens to that problem and then from there figuring out is is this an IT workflow to execute or a security incident to execute and you want to have all of that as an integrated team integrated process integrated technology stack and this is something that I very care I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board so Patrick I'll leave you with the last word the final three minutes here and I don't see any open questions so please take us home oh man see how you think we spent hours and hours prepping for this together that that last uh uh 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now uh and I think nist has done some really interesting work here around building cyber resilient organizations that have that has really I think helped help the industry see that um incidents can come from adverse conditions you know stress is uh uh performance taxations in the infrastructure service or app layer and they can come from malicious compromises uh Insider threats external threat actors and the more that we look 
at this from the perspective of of a broader cyber resilience Mission uh in a wartime mindset uh I I think we're going to be much better off and and will you talk about with operationally minded ice hacks information sharing intelligence sharing becomes so important in these wartime uh um situations and you know we know not all ice acts are created equal but we're also seeing a lot of um more ad hoc information sharing groups popping up so look I think I think you framed it really really well I love the concept of wartime mindset and um I I like the idea of applying a cyber resilience lens like if you have one more layer on top of that bottom right cake you know I think the it lens and the security lens they roll up to this concept of cyber resilience and I think this has done some great work there for us yeah you're you're spot on and that that is app and that's gonna I think be the the next um terrain that that uh that you're gonna see vendors try to get after but that I think Splunk is best position to win okay that's a wrap for this special Cube presentation you heard all about the global expansion of horizon 3.ai's partner program for their Partners have a unique opportunity to take advantage of their node zero product uh International go to Market expansion North America channel Partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in and hope you enjoyed this program all the videos are available on thecube.net as well as check out Horizon 3 dot AI for their pen test Automation and ultimately their defense system that they use for testing always the environment that you're in great Innovative product and I hope you enjoyed the program again I'm John Furrier host of the cube thanks for watching
Session 8 California’s Role in Supporting America’s Space & Cybersecurity Future
(radio calls) >> Announcer: From around the globe, it's theCUBE covering Space & Cybersecurity Symposium 2020, hosted by Cal Poly. Hello, welcome back to theCUBE virtual coverage with Cal Poly for the Space and Cybersecurity Symposium, day four and the wrap-up session, keynote session with the Lieutenant Governor of California, Eleni Kounalakis. She's here to deliver her keynote speech on the topic of California's role in supporting America's Cybersecurity future. Eleni, take it away. >> Thank you, John, for the introduction. I am Lieutenant Governor Eleni Kounalakis. It is an honor to be part of Cal Poly Space and Cybersecurity Symposium. As I speak kind of Pierre with the governor's office of business and economic development is available on the chat, too ready to answer any questions you might have. California and indeed the world are facing significant challenges right now. Every day we are faced with the ongoing COVID-19 pandemic and the economic downturn that has ensued. We have flattened the curve in California and are moving in the right direction, but it is clear that we're not out of the woods yet. It is also impossible right now to escape the reality of climate change, from the fires sparked by exceptionally rare, dry lightning events to extreme heat waves threatening public health and putting a strain on our electricity grid. We see that climate change is here now. And of course we've been recently confronted with a series of brutal examples of institutionalized racism that have created an awakening among people of all walks of life and compelled us into the streets to march and protest. In the context of all this, we cannot forget that we continue to be faced with other less visible but still very serious challenges. Cybersecurity threats are one of these. We have seen cities, companies and individuals paralyzed by attacks costing time and money and creating an atmosphere of uncertainty and insecurity. 
Our state agencies, local governments, police departments, utilities, news outlets and private companies from all industries are targets. The threats around cybersecurity are serious but not unlike all the challenges we face in California. We have the tools and fortitude to address them. That is why this symposium is so important. Thank you, Cal Poly and all the participants for being here and for the important contributions you bring to this conference. I'd like to also say a few words about California's role in America's future in space. California has been at the forefront of the aerospace industry for more than a century. Through all the major innovations in aerospace, from wooden aircraft, to World War II bombers, to rockets and Mars rovers, California has played a pivotal role. Today, California is the number one state in total defense spending, defense contract spending and total number of personnel. It is estimated the Aerospace and Defense Industry provides $168 billion in economic impact to our state. And America's best trained and most experienced aerospace and technology workforce lives here in California. The fact that the aerospace and defense sector has had a strong history in California is no accident. California has always had a strong innovation ecosystem and robust infrastructure that puts many sectors in a position to thrive. Of course, a big part of that infrastructure is a skilled workforce. And at the foundation of a skilled workforce is education. California has the strongest system of public higher education in the world. We're home to 10 University of California campuses, 23 California State University campuses and 116 California Community Colleges. All told, nearly 3 million students are enrolled in public higher education. We also have world renowned private universities including the California Institute of Technology and Stanford University, numbers one and three in the country for aerospace engineering. 
California also has four national laboratories and several NASA facilities. California possesses a strong spirit of innovation, risk taking and entrepreneurship. Half of all venture capital funding in the United States, goes to companies here in California. Lastly, but certainly no less critical to our success, California is a diverse state. 27% of all Californians are foreign born, 27% more than one in four of our population of 40 million people are immigrants from another country, Europe central and South America, India, Asia, everywhere. Our rich cultural diversity is our strength and helps drive our economy. As I look to the future of industries like cybersecurity and the growing commercial space industry, I know our state will need to work with those industries to make sure we continue to train our workforce for the demands of an evolving industry. The office of the lieutenant governor has a unique perspective on higher education and workforce development. I'm on the UC Board of Regents, the CSU Board of Trustees. And as of about two weeks ago, the Community Colleges Board of Governors. The office of the lieutenant governor is now the only office that is a member of every governing board, overseeing our public higher education system. Earlier in the symposium, we heard a rich discussion with Undersecretary Stewart Knox from the California Labor and Workforce Development Agency about what the state is doing to meet the needs of space and cybersecurity industries. As he mentioned, there are over 37,000 job vacancies in cybersecurity in our state. We need to address that gap. To do so, I see an important role for public private partnerships. We need input from industry and curriculum development. Some companies like Lockheed Martin, have very productive partnerships with universities and community colleges that train students with skills they need to enter aerospace and cyber industries. That type of collaboration will be key. 
We also need help from the industry to make sure students know that fields like cybersecurity even exist. People's early career interests are so often shaped by the jobs that members of their family have or what they see in popular culture. With such a young and evolving field like cybersecurity, many students are unaware of the job opportunities. I know from my visits to university campuses that students are hungry for STEM career paths where they see opportunities for good paying jobs. When I spoke with students at UC Merced, many of them were first generation college students who went through the community college system before enrolling in a UC, and they gravitated to STEM majors. With so many job opportunities available to STEM students, cybersecurity ought to be one that they are aware of and consider. Since this symposium is being hosted by Cal Poly, I wanted to highlight the tremendous work they're doing as leaders in the space and cybersecurity industry. Cal Poly's California Cybersecurity Institute does incredible work bringing together academia, industry and government, training the next generation of cyber experts and researching emerging cybersecurity issues. As we heard from the President of Cal Poly, Jeff Armstrong, the university is in the perfect location to contribute to a thriving space industry. It's close to Vandenberg Air Force Base and UC Santa Barbara and could be home to the future permanent headquarters of US Space Command. The state is also committed to supporting this space industry in the Central Coast. In July, the State of California, Cal Poly, US Space Force and others signed a memorandum of understanding to develop a commercial space port at Vandenberg Air Force Base and to develop a master plan to grow the commercial space industry in the region. Governor Newsom has made a commitment to lift up all regions of the state. And this strategy will position the Central Coast to be a global leader in the future of the space industry. 
I'd like to leave you with a few final thoughts, with everything we're facing. Fires, climate change, pandemic. It is easy to feel overwhelmed, but I remain optimistic because I know that the people of the State of California are resilient, persistent, and determined to address our challenges and show a path toward a better future for ourselves and our families. The growth of the space industry and the economic development potential of projects like the Spaceport at Vandenberg Air Force Base are great examples of what we can look forward to. The potential for the commercial space industry to become a $3 trillion industry by mid century, as many experts predict, is another. There are so many opportunities, new companies are going to emerge doing things we never could have dreamed of today. As Lieutenant General John Thompson said in the first session, the next few years of space and cyber innovation are not going to be a pony ride at the state fair, they're going to be a rodeo. We should all saddle up. Thank you. >> Okay, thank you very much, Eleni. I really appreciate it. Thank you for your participation and all your support to you and your staff. You guys are doing a lot of work, a lot going on in California, but cybersecurity and space as it comes together, California's playing a pivotal role in leading the world and the community. Thank you very much for your time. >> Okay, this session is going to continue with Bill Britton, who's the vice president of technology and CIO at Cal Poly but more importantly, he's the director of the cyber institute located at Cal Poly. It's a global organization looking at the intersection of space and cybersecurity. Bill, let's wrap this up. Eleni had a great talk, talking about the future of cybersecurity in America and its future. The role California is playing, Cal Poly is right in the Central Coast. You're in the epicenter of it. We've had a great lineup here. Thanks for coming on. Let's put a capstone on this event. 
>> Thank you, John. But most importantly, thanks for being a great partner helping us get this to move forward and really changing the dynamic of this conversation. What an amazing time we're at, we had quite an unusual group but it's really kind of the focus and we've moved a lot of space around ourselves. And we've gone from Lieutenant General Thompson and the discussion of the opposition and space force and what things are going on in the future, the importance of cyber in space. And then we went on and moved on to the operations. And we had a private company who builds, we had the DOD, Department Of Defense and their context and NASA and theirs. And then we talked about public private partnerships from President Armstrong, Mr. Bhangu Mahad from the DOD and Mr. Steve Jacques from the National Security Space Association. It's been an amazing conference for one thing, I've heard repeatedly over and over and over, the reference to digital, the reference to cloud, the reference to the need for cybersecurity to be involved and really how important that is to start earlier than just at the employment level. To really go down into the system, the K through 12 and start there. And what an amazing time to be able to start there because we're returning to space in a larger capacity and it's now all around us. And the lieutenant governor really highlighted for us that California is intimately involved and we have to find a way to get our students involved at that same level. >> I want to ask you about this inflection point that was a big theme of this conference and symposium. It was throughout the interviews and throughout the conversations, both on the chat and also kind of on Twitter as well in the social web. Is that this new generation, it wasn't just space and government DOD, all the normal stuff you see, you saw JPL, the Hewlett Foundation, the Defense Innovation Unit, Amazon Web Services, NASA. Then you saw entrepreneurs come in, who were doing some stuff. 
And so you had this confluence of community. Of course, Cal Poly had participated in space. You guys does some great job, but it's not just the physical face-to-face show up, gets to hear some academic papers. This was a virtual event. We had over 300 organizations attend, different organizations around the world. Being a virtual event you had more range to get more people. This isn't digital. This symposium isn't about Central California anymore. It's global. >> No, it really has gone. >> What really happened to that? >> It's really kind of interesting because at first all of this was word of mouth for this symposium to take place. And it just started growing and growing and the more that we talk to organizations for support, the more we found how interconnected they were on an international scale. So much so that we've decided to take our cyber competition next year and take it globally as well. So if in fact as Major General Shaw said, this is about a multinational support force. Maybe it's time our students started interacting on that level to start with and not have to grow into it as they get older, but do it now and around space and around cybersecurity and around that digital environment and really kind of reduce the digital dividing space. >> Yeah, General Thompson mentioned this, 80 countries with programs. This is like the Olympics for space and we want to have these competitions. So I got great vision and I love that vision, but I know you have the number... Not number, the scores and from the competition this year that happened earlier in the week. Could you share the results of that challenge? >> Yeah, absolutely. We had 83 teams participate this year in the California Cyber Innovation Challenge. And again, it was based around a spacecraft scenario where a spacecraft, a commercial spacecraft was hacked and returned to earth. And the students had to do the forensics on the payload. 
And then they had to do downstream network analysis, using things like Wireshark and Autopsy and other systems. It was a really tough competition. The students had to work hard and we had middle school and high school students participate. We had an intermediate league, new schools who had never done it before or even some who didn't even have STEM programs but were just signing up to really get involved in the experience. And we had our ultimate division which was those who had competed in several times before. And the winner of that competition was North Hollywood. They've been the winning team for four years in a row. Now it's a phenomenal program, they have their hats off to them for competing and winning again. Now what's really cool is not only did they have to show their technical prowess in the game but they also have to then brief and out-brief what they've learned to a panel of judges. And these are not pushovers. These are experts in the field of cybersecurity in space. We even had a couple of goons participating from DefCon and the teams present their findings. So not only are we talking technical, we're talking about presentation skills. The ability to speak and understand. And let me tell you, after reading all of their texts to each other over the weekend adds a whole new language they're using to interact with each other. It's amazing. And they are so more advanced and ready to understand space problems and virtual problems than we are. We have to challenge them even more. >> Well, it sounds like North Hollywood got the franchise. It's like the Patriots, the Lakers, they've got a dynasty developing down there in North Hollywood. >> Well, what happens when there's a dynasty you have to look for other talent. So next year we're going global and we're going to have multiple states involved in the challenge and we're going to go international. 
So if North Hollywood pulls it off again next year, it's going to be because they've met the best in the world and defeated >> Okay, the gauntlet has been thrown down, got to take down North Hollywood from winning again next year. We'll be following that. Bill, great to get those results on the cyber challenge we'll keep track and we'll put a plug for it on our site. So we got to get some press on that. My question to you is now as we're going digital, other theme was that they want to hire digital natives into the space force. Okay, the DOD is looking at new skills. This was a big theme throughout the conference not just the commercial partnerships with government which I believe they had kind of put more research and personally, that's my personal opinion. They should be putting in way more research into academic and these environments to get more creative. But the skill sets was a big theme. What's your thoughts on how you saw some of the highlight moments there around skill sets? >> John, it's really interesting 'cause what we've noticed is in the past, everybody thinks skill sets for the engineering students. And it's way beyond that. It's all the students, it's all of them understanding what we call cyber cognizance. Understanding how cybersecurity works whatever career field they choose to be in. Space, there is no facet of supporting space that doesn't need that cyber cognizance. If you're in the back room doing the operations, you're doing the billing, you're doing the contracting. Those are still avenues by which cybersecurity attacks can be successful and disrupt your space mission. The fact that it's international, the connectivities, all of those things means that everyone in that system digitally has to be aware of what's going on around them. That's a whole new thought process. It's a whole new way of addressing a problem and dealing with space. And again it's virtual to everyone. >> That's awesome. Bill, great to have you on. 
Thank you for including theCUBE virtual, our CUBE event software platform that we're rolling out. We've been using it for the event and thank you for your partnership in this co-creation opening up your community, your symposium to the world, and we're so glad to be part of it. I want to thank you and Dustin and the team and the President of Cal Poly for including us. Thank you very much. >> Thank you, John. It's been an amazing partnership. We look forward to it in the future. >> Okay, that's it. That concludes the Space and Cybersecurity Symposium 2020. I'm John Furrier with theCUBE, your host with Cal Poly, who put on an amazing virtual presentation, brought all the guests together. And again, shout out to Bill Britton and Dustin DeBrum who did a great job as well as the President of Cal Poly who endorsed and let them do it all. Great event. See you soon. (flash light sound)
Pham and Britton and Fleischer V1
>> Announcer: From around the globe, it's theCUBE, covering Space and Cybersecurity Symposium 2020, hosted by Cal Poly. >> Everyone, welcome to this special presentation with Cal Poly hosting the Space and Cybersecurity Symposium 2020 virtual. I'm John Furrier, your host with theCUBE and SiliconANGLE here in our Palo Alto studios with our remote guests. We couldn't be there in person, but we're going to be here remote. We got a great session and a panel for one hour, topic preparing students for the jobs of today and tomorrow. Got a great lineup. Bill Britton, Lieutenant Colonel from the US Air Force, retired vice president for information technology and CIO and the director of the California Cybersecurity Institute for Cal Poly. Bill, thanks for joining us. Dr. Amy Fleischer, who's the dean of the College of Engineering at Cal Poly, and Trung Pham, professor and researcher at the US Air Force Academy. Folks, thanks for joining me today. >> Our pleasure. >> Got a great- >> Great to be here. >> Great panel. This is one of my favorite topics. >> Thank you for the opportunity. >> Preparing students for the next generation, the jobs for today and tomorrow. We got an hour. I'd love you guys to start with an opening statement to kick things off. Bill, we'll start with you. >> Well, I'm really pleased to be, to start on this as the director for the Cybersecurity Institute and the CIO at Cal Poly, it's really a fun, exciting job, because as a polytechnic, technology has such a forefront in what we're doing, and we've had a wonderful opportunity being 40 miles from Vandenberg Air Force Base to really look at the nexus of space and cybersecurity. And if you add into that both commercial, government, and civil space and cybersecurity, this is an expanding wide open time for cyber and space. 
In that role that we have with the Cybersecurity Institute, we partner with elements of the state and the university, and we try to really add value above our academic level, which is some of the highest in the nation, and to really merge down and go a little lower and start younger. So we actually are running the week prior to this showing a cybersecurity competition for high schools and middle schools in the state of California. That competition this year is based on a scenario around hacking of a commercial satellite and the forensics of the payload that was hacked and the networks associated with it. This is going to be done using products like Wireshark, Autopsy, and other tools that will give those high school students what we hope is a huge desire to follow up and go into cyber and cyberspace and space and follow that career path and either come to Cal Poly or some other institution that's going to let them really expand their horizons in cybersecurity and space for the future of our nation. >> Bill, thanks for that intro. By the way, I just want to give you props for an amazing team and job you guys are doing at Cal Poly, the DxHub and the efforts you guys are having with your challenge. Congratulations on that great work. >> Thank you. It's a rock star team. It's absolutely amazing to find that much talent at one location. And I think Amy's going to tell you, she's got the same amount of talent in her staff, so it's a great place to be. >> Dr. Amy Fleischer. You guys have a great organization down there, amazing curriculum, amazing people, great community. Your opening statement. >> Hello everybody. It's really great to be a part of this panel on behalf of the Cal Poly College of Engineering. Here at Cal Poly, we really take preparing students for the jobs of today and tomorrow completely seriously, and we can claim that our students really graduate so they're ready day one for their first real job. 
But that means that in getting them to that point, we have to help them get valuable and meaningful job experience before they graduate, both through our curriculum and through multiple internship or summer research opportunities. So we focus our curriculum on what we call a learn by doing philosophy. And this means that we have a combination of practical experience and learn by doing both in and out of the classroom. And we find that to be really critical for preparing students for the workforce. Here at Cal Poly, we have more than 6,000 engineering students. We're one of the largest undergraduate engineering schools in the country. And US News ranks us the eighth best undergraduate engineering program in the country and the top ranked state school. We're really, really proud that we offer this impactful hands-on engineering education that really exceeds that of virtually all private universities while reaching a wider audience of students. We offer 14 degree programs, and really, we're talking today about cyber and space, and I think most of those degree programs can really make an impact in the space and cybersecurity economy. And this includes not only things like aero and cyber directly, but also electrical engineering, mechanical engineering, computer engineering, materials engineering, even manufacturing, civil, and biomedical engineering, as there's a lot of infrastructure needs that go into supporting launch capabilities. Our aerospace program graduates hundreds of aerospace engineers and most of them are working right here in California with many of our corporate partners, including Northrop Grumman, Lockheed, Boeing, Raytheon, SpaceX, Virgin Galactic, JPL, and so many other places where we have Cal Poly engineers impacting the space economy. Our cybersecurity focus is found mainly in our computer science and software engineering programs, and it's really a rapidly growing interest among our students. 
Computer science is our most popular major, and industry interests and partnerships are integrated into our cyber curriculum, and we do that oftentimes through support from industry. So we have partnerships with Northrop Grumman for professorship in a cyber lab and from PG&E for critical infrastructure cybersecurity lab and professorship. And we think that industry partnerships like these are really critical to preparing students for the future as the field is evolving so quickly and making sure we adapt our facilities and our curriculum to stay in line with what we're seeing in industry is incredibly important. In our aerospace program, we have an educational partnership with the Air Force Research Labs that's allowing us to install new high-performance computing capabilities and a space environments lab that's going to enhance our satellite design capabilities. And if we talk about satellite design, Cal Poly is the founding home of the CubeSat program, which pioneered small satellite capabilities, and we remain the worldwide leader in maintaining the CubeSat standard, and our student program has launched more CubeSats than any other program. So here again we have this learn by doing experience every year for dozens of aerospace, electrical, computer science, mechanical engineering students, and other student activities that we think are just as important include ethical hacking through our white hat club, Cal Poly Space Systems, which does really, really big rocket launches, and our support program for women in both of these fields, like WISH, which is Women In Software and Hardware. Now, you know, really trying to bring in a wide variety of people into these fields is incredibly important, and outreach and support to those demographics traditionally underrepresented in these fields is going to be really critical to future success. 
So by drawing on the lived experiences by people with different types of backgrounds will we develop the type of culture and environment where all of us can get to the best solution. So in terms of bringing people into the field, we see that research shows we need to reach kids when they're in late elementary and middle schools to really overcome that cultural bias that works against diversity in our fields. And you heard Bill talking about the California Cybersecurity Institute's yearly cyber challenge, and there's a lot of other people who are working to bring in a wider variety of people into the field, like Girl Scouts, which has introduced dozens of new badges over the past few years, including a whole cybersecurity series of badges in concert with Palo Alto Networks. So we have our work cut out for us, but we know what we need to do, and if we're really committed to properly preparing the workforce for today and tomorrow, I think our future is going to be bright. I'm looking forward to our discussion today. >> Thank you, Dr. Fleischer, for a great comment, opening statement, and congratulations. You got the right formula down there, the right mindset, and you got a lot of talent, and community, as well. Thank you for that opening statement. Next up, from Colorado Springs, Trung Pham, who's a professor and researcher at the US Air Force Academy. He's doing a lot of research around the areas that are most important for the intersection of space and technology. Trung. >> Good afternoon. First I'd like to thank Cal Poly for the opportunity. And today I want to go briefly about cybersecurity in space application. Whenever we talk about cybersecurity, the impression is that it's a new field that is really highly complex involving a lot of technical area. But in reality, in my personal opinion, it is indeed a complex field because it involves many disciplines. 
The first thing we think about is computer engineering and computer networking, but it's also involving communication, sociology, law practice. And this practice of cybersecurity doesn't only involve computer expert, but it's also involve everybody else who has a computing device that is connected to the internet, and this participation is obviously everybody in today's environment. When we think about the internet, we know that it's a good source of information but come with the convenience of information that we can access, we are constantly facing danger from the internet. Some of them we might be aware of. Some of them we might not be aware of. For example, when we search on the internet, a lot of time our browser will be saying that this site is not trusted, so we will be more careful. But what about the sites that we trusted? We know that those are legitimate sites, but they're not 100% bulletproof. What happen if those site are attacked by a hacker and then they will be a silent source of danger that we might not be aware of. So in the reality, we need to be more practicing the cybersecurity from our civil point of view and not from a technical point of view. When we talk about space application, we should know that all the hardware are computer-based or controlled by computer system, and therefore the hardware and the software must go through some certification process so that they can be rated as airworthy or flightworthy. When we know that in the certification process is focusing on the functionality of the hardware and software, but one aspect that is explicitly and implicitly required is the security of those components. And we know that those components have to be connected with the ground control station, and the communication is through the air, through the radio signal, so anybody who has access to those communication radio signal will be able to control the space system that we put up there. 
And we certainly do not want our system to be hijacked by a third party. Another aspect of cybersecurity is that we try to design the space system in a very strong manner so it's almost impossible to hack in. But what about some other weak system that might be connected to the strong system? For example, the space system will be connected to the ground control station, and on the ground control station, we have the human controller, and those people have cell phone. They are allowed to use cell phone for communication. But at the same time, they are connected to the internet through the cell phone, and their cell phone might be connected to the computer that control the flight software and hardware. So what I want to say is we try to build strong system and we've protected them, but there will be some weaker system that we could not intended but exists to be connected to our strong system, and those are the points the hacker will be trying to attack. If we know how to control the access to those weak points, we will be having a much better system for the space system. And when we see the cybersecurity that is requiring the participation everywhere it's important to notice that there is a source of opportunity for students who enter the workforce to consider. Obviously students in engineering can focus their knowledge and expertise to provide technological solution to protect the system that we view. But we also have students in business who can focus their expertise to write business plan so that they can provide a pathway for the engineering advances to reach the market. We also have student in law who can focus their expertise in policy governing the internet, governing the cybersecurity practice. And we also have student in education who can focus their expertise to design how to teach cybersecurity practice, and student in every other discipline can focus their effort to implement security measure to protect the system that they are using in their field. 
So it's obvious that cybersecurity is everywhere and it implies job opportunity everywhere for everybody in every discipline of study. Thank you. >> Thank you, Trung, for those great comments. Great technology opportunities. But interesting, as well, is the theme that we're seeing across the entire symposium and in the virtual hallways that we're hearing conversations, and you pointed out some of them. Dr. Fleischer did, as well. And Bill, you mentioned it. It's not one thing. It's not just technology. It's different skills. And Amy, you mentioned that computer science is the hottest degree, but you have the hottest aerospace program in the world. I mean, so all this is kind of balancing. It's interdisciplinary. It's a structural change. Before we get into some of the, how they prepare the students, can you guys talk about some of the structural changes that are modern now in preparing in these opportunities, because societal impact is a, law potentially impact, it's how we educate. There's now cross-discipline skill sets. It's not just get the degree, see you out in the field. Bill, you want to start? >> Well, what's really fun about this job is that in the Air Force, I worked in the space and missile business, and what we saw was a heavy reliance on checklist format, security procedures, analog systems, and what we're seeing now in our world, both in the government and the commercial side, is a move to a digital environment, and the digital environment is a very quick and adaptive environment, and it's going to require a digital understanding. Matter of fact, the undersecretary of Air Force for acquisition recently referenced the need to understand the digital environment and how that's affecting acquisition. So as both Amy and Trung said, even business students are now in the cybersecurity business. And so again, what we're seeing is the change. Now, another phenomenon that we're seeing in the space world is there's just so much data. 
One of the ways that we addressed that in the past was to look at high-performance computing. There was a lot stricter control over how that worked. But now what we're seeing is adaptation of cloud, cloud technologies in space support, space data, command and control. And so what we see is a modern space engineer who has to understand digital, has to understand cloud, and has to understand the context of all those with a cyber environment. That's really changing the forefront of what is a space engineer, what is a digital engineer, and what is a future engineer, both commercial or government. So I think the opportunity for all of these things is really good, particularly for a polytechnic, Air Force Academy, and others that are focusing on a more widened experiential level of cloud and engineering and other capabilities. And I'll tell you the part that as the CIO I have to remind everybody, all this stuff works with the IT stuff. So you've got to understand how your IT infrastructures are tied and working together. As we noted earlier, one of the things is that these are all relays from point to point, and that architecture is part of your cybersecurity architecture. So again, every component has now become a cyber aware, cyber knowledgeable, and what we like to call as a cyber cognizant citizen where they have to understand the context. (speaking on mute) >> (indistinct) software Dr. Fleischer, talk about your perspective, 'cause you mentioned some of the things about computer science. I remember in the '80s when I got my computer science degree, they called us software engineers and then you became software developers. And then, so again, engineering is the theme. If you're engineering a system, there's now software involved, and there's also business engineering, business models. So talk about some of your comments, 'cause you mentioned computer science is hot. You got the aerospace. You got these multi-disciplines. 
You got definitely diversity, as well, brings more perspectives in, as well. Your thoughts on these structural interdisciplinary things? >> I think this is really key to making sure that students are prepared to work in the workforce is looking at the blurring between fields. No longer are you just a computer scientist. No longer are you just an aerospace engineer. You really have to have an expertise where you can work with people across disciplines. All of these fields are just working with each other in ways we haven't seen before. And Bill brought up data. You know, data science is something that's cross-cutting across all of our fields. So we want engineers that have the disciplinary expertise that they can go deep into these fields, but we want them to be able to communicate with each other and to be able to communicate across disciplines and to be able to work in teams that are across disciplines. You can no longer just work with other computer scientists or just work with other aerospace engineers. There's no part of engineering that is siloed anymore. So that's how we're changing. You have to be able to work across those disciplines. And as you, as Trung pointed out, ethics has to come into this. So you can no longer try to fully separate what we would traditionally have called the liberal arts and say, well, that's over there in general education. No, ethics is an important part of what we're doing and how we integrate that into our curriculum. So is communication. So is working on public policy and seeing where all these different aspects tie together to make the impact that we want to have in the world. So you no longer can work solo in these fields. >> That's a great point. And Bill also mentioned the cloud. One thing about the cloud that's showed us is horizontal scalability has created a lot of value, and certainly data is now horizontal. 
Trung, you mentioned some of the things about cryptography for the kids out there, I mean, you can look at the pathway for career. You can do a lot of tech, but you don't have to go deep sometimes. You can as deep as you want, but there's so much more there. What technology do you see that's going to help students, in your opinion? >> Well, I'm a professor in computer science, so I like to talk a little bit about computer programming. Now we are working in complex projects. So most of the time we don't design a system from scratch. We build it from different components, and the components that we have, either we get it from vendors or sometimes we get it from the internet in the open source environment. It's fun to get the source code and then make it work to our own application. So now when we are looking at cryptology, when we talk about encryption, for example, we can easily get the source code from the internet. And the question, is it safe to use those source code? And my question is maybe not. So I always encourage my students to learn how to write source code the traditional way that I learned a long time ago before I allow them to use the open source environment. And one of the things that they have to be careful especially with encryption is the code that might be hidden in the source that they downloaded. Some of the source might be harmful. It might open up back gate for a hacker to get in later. We've heard about these back gates back then when Microsoft designed the operating system with the protection of encryption, and it is true that is existing. So while open source code is a wonderful place to develop complex system, but it's also a dangerous place that we have to be aware of. >> Great point. Before we get into the comments, one quick thing for each of you I'd like to get your comments on. There's been a big movement on growth mindset, which has been a great big believer in having a growth mindset and learning and all that good stuff. 
But now when you talk about some of these things we're mentioning about systems, there's a new trend around a systems mindset, because if everything's now a system, distributed systems now you have space and cybersecurity, you have to understand the consequences of changes. And you mention some of that, Trung, in changes in the source code. Could you guys share your quick opinions on the of systems thinking? Is that a mindset that people should be looking at? Because it used to be just one thing. Oh, you're a systems guy or gal. There you go. You're done. Now it seems to be in social media and data, everything seems to be systems. What's your take? Dr. Fleischer, we'll start with you. >> I'd say it's another way of looking at not being just so deep in your discipline. You have to understand what the impact of the decisions that you're making have on a much broader system. And so I think it's important for all of our students to get some exposure to that systems level thinking and looking at the greater impact of the decision that they're making. Now, the issue is where do you set the systems boundary, right? And you can set the systems boundary very close in and concentrate on an aspect of a design, or you can continually move that system boundary out and see where do you hit the intersections of engineering and science along with ethics and public policy and the greater society. And I think that's where some of the interesting work is going to be. And I think at least exposing students and letting them know that they're going to have to make some of these considerations as they move throughout their career is going to be vital as we move into the future. >> Bill, what's your thoughts? >> I absolutely agree with Amy. And I think there's a context here that reverse engineering and forensics analysis and forensics engineering are becoming more critical than ever. 
The ability to look at what you have designed in a system and then tear it apart and look at it for gaps and holes and problem sets. Or when you're given some software that's already been pre-developed, checking it to make sure it is really going to do what it says it's going to do. That forensics ability becomes more and more a skillset that also you need the verbal skills to explain what it is you're doing and what you found. So the communication side, the systems analysis side, the forensics analysis side, these are all things that are part of system approach that I think you could spend hours on and we still haven't really done a great job on it. So it's one of my fortes is really the whole analysis side of forensics and reverse engineering. >> Trung, real quick, systems thinking, your thoughts. >> Well, I'd like to share with you my experience when I worked in the space station program at NASA. We had two different approaches. One is a compound approach where we design it from the system general point of view where we put components together to be a complex system. But at the same time, we have the (indistinct) approach where we have an engineer who spent time and effort building individual component and they have to be expert in those tiny component that general component they deliver. And in the space station program, we bring together the (indistinct) engineer who designed everything in detail and the system manager who managed the system design from the top down, and we meet in the middle, and together we compromised a lot of differences and we delivered the space station that we are operating today. >> Great insight. And that's the whole teamwork collaboration that Dr. Fleischer was mentioning. Thanks so much for that insight. I wanted to get that out there because I know myself as a parent, I'm always trying to think about what's best for my kids and their friends as they grow up into the workforce. 
I know educators and leaders in industry would love to know some of the best practices around some of the structural changes. So thanks for that insight. But this topic's about students and helping them prepare. So we heard be multiple discipline, broaden your horizons, think like systems, top down, bottom up, work together as a team, and follow the data. So I got to ask you guys, there's a huge amount of job openings in cybersecurity. It's well-documented. And certainly with the intersection of space and cyber, it's only going to get bigger, right? You're going to see more and more demand for new types of jobs. How do we get high school and college students interested in security as a career? Dr. Fleischer, we'll start with you on this one. >> I would say really one of the best ways to get students interested in a career is to show them the impact that it's going to have. There's definitely always going to be students who are going to want to do the technology for the technology's sake, but that will limit you to a narrow set of students, and by showing the greater impact that these types of careers are going to have on the types of problems that you're going to be able to solve and the impact you're going to be able to have on the world around you, that's the word that we really need to get out. And a wide variety of students really respond to these messages. So I think it's really kind of reaching out at the elementary, the middle school level, and really kind of getting this idea that you can make a big difference, a big positive difference in the field with some of these careers, is going to be really critical. >> Real question to follow up. What do you think is the best entry point? You mentioned middle. I didn't hear elementary school. There's a lot of discussions around pipelining, and we're going to get into women in tech and underrepresented minorities later. But is it too early, or what's your feeling on this?
>> My feeling is the earlier we can normalize it, the better. If you can normalize an interest in computers and technology and building in elementary school, that's absolutely critical. But the drop-off point that we're seeing is between what I would call late elementary and early middle school. And just kind of as an anecdote, I for years ran an outreach program for Girl Scouts in grades four and five and grade six, seven, and eight. And we had 100 slots in each program. And every year the program would sell out for girls in grades four and five, and every year we'd have spots remaining in grades six, seven, and eight. And that's literally where the drop-off is occurring between that late elementary and that middle school range. So that's the area that we need to target to make sure we keep those young women involved and interested as we move forward. >> Bill, how are we going to get these kids interested in security? You mentioned a few programs you got. >> Yeah. >> I mean, who wouldn't want to be a white hat hacker? I mean, that sounds exciting. >> So yeah, great questions. Let's start with some basic principles, though, is let me ask you a question, John. Name for me one white hat, good person hacker, the name, who works in the space industry and is an exemplar for students to look up to. >> You? >> Oh man, I'm feeling really... >> I'm only, I can't imagine a figure- >> (indistinct) the answer because the answer we normally get is the cricket sound. So we don't have individuals we've identified in those areas for them to look up to. >> I was going to be snarky and say most white hackers won't even use their real name, but... >> Right, so there's an aura around their anonymity here. So again, the real question is how do we get them engaged and keep them engaged? And that's what Amy was pointing out to exactly, the engagement and sticking with it. 
So one of the things that we're trying to do through our competition on the state level and other elements is providing connections. We call them ambassadors. These are people in the business who can contact the students that are in the game or in that challenge environment and let 'em interact and let 'em talk about what they do and what they're doing in life. But give them a challenging game format. A lot of computer-based training, capture the flag stuff is great, but if you can make it hands-on, if you can make it a learn by doing experiment, if you can make it personally involved and see the benefit as a result of doing that challenge and then talk to the people who do that on a daily basis, that's how you get them involved. The second part is part of what we're doing is we're involving partnership companies in the development of the teams. So this year's competition that we're running has 82 teams from across the state of California. Of those 82 teams at six students a team, middle school, high school, and many of those have company partners, and these are practitioners in cybersecurity who are working with those students to participate. It's that adult connectivity. It's that visualization. So at the competition this year, we have the founder of Defcon Red Flag is a participant to talk to the students. We have Vint Cerf, who is, of course, very well-known for something called the internet, to participate. It's really getting the students to understand who's in this, who can I look up to, and how do I stay engaged with them? >> There's definitely a celebrity aspect of it, I will agree. I mean, the influencer aspect here with knowledge is key. Can you talk about these ambassadors, and how far along are you on that program? First of all, the challenge stuff is, anything gamification-wise, we've seen that with hackathons, it just really works well. Creates bonding. People who create together can get sticky and get very high community aspect to it. 
Talk about this ambassador thing. What is that, industry, is that academic? >> Yeah, absolutely. >> What is this ambassador thing? >> Industry partners that we've identified, some of which, and I won't hit all of 'em, so I'm sure I'll shortchange this, but Palo Alto, Cisco, Splunk, many of the companies in California, and what we've done is identified schools to participate in the challenge that may not have a strong STEM program or have any cyber program. And the idea of the company is they look for their employees who are in those school districts to partner with the schools to help provide outreach. It could be as simple as a couple hours a week, or it's a team support captain, or it's providing computers and other devices to use. And so again, it's really about a constant connectivity and trying to help where some schools may not have the staff or support units in an area to really provide them what they need for connectivity. What that does is it gives us an opportunity to not just focus on it once a year, but throughout the year. So for the competition, all the teams that are participating have been receiving training and educational opportunities in the gamification side since they signed up to participate. So there's a website, there's learning materials, there's materials provided by certain vendor companies like Wireshark and others. So it's a continuum of opportunity for the students. >> You know, I've seen, just randomly, just got a random thought. Robotics clubs are moving then closer into that middle school area, Dr. Fleischer, and certainly in high schools, it's almost like a varsity sport. E-sports is another one. My son just called me. "I made the JV at the college team." It's big and serious, right? And it's fun. This is the aspect of fun. It's hands-on. This is part of the culture down there. Learn by doing. Is there, like, a group? Is it, like, a club? I mean, how do you guys organize these bottoms-up organically interest topics?
>> So here in the college of engineering, when we talk about learn by doing, we have learn by doing both in the classroom and out of the classroom. And if we look at these types of out of the classroom activities, we have over 80 clubs working on all different aspects, and many of these are bottom-up. The students have decided what they want to work on and have organized themselves around that. And then they get the leadership opportunities. The more experienced students train the less experienced students. And it continues to build from year after year after year with them even doing aspects of strategic planning from year to year for some of these competitions. Yeah, it's an absolutely great experience. And we don't define for them how their learn by doing experiences should be. We want them to define it. And I think the really cool thing about that is they have the ownership and they have the interest and they can come up with new clubs year after year to see which direction they want to take it, and we will help support those clubs as old clubs fade out and new clubs come in. >> Trung, real quick, before we go on the next talk track, what do you recommend for middle school, high school, or even elementary? A little bit of coding, Minecraft? I mean, how do you get 'em hooked on the fun and the dopamine of technology and cybersecurity? What's your take on that? >> On this aspect, I'd like to share with you my experience as a junior high and high school student in Texas. The University of Texas in Austin organized a competition for every high school in Texas in every field from poetry to mathematics to science, computer engineering. But it's not about the University of Texas. The University of Texas is only serving as a center for the final competition. They divide the competition into district and then regional and then state. At each level, we have local universities and colleges volunteering to host the competition and make it fun for the students to participate.
And also they connected the students with private enterprises to raise funds for scholarships. So students who see the competition as a fun event for them, they get exposed to the different universities hosting the event so that they can see different options for them to consider for college. They also get a promise that if they participate, they will be considered for a scholarship when they attend university and college. So I think the combination of fun and competition and the scholarship aspect will be a good thing to entice students to commit to the area of cybersecurity. >> Got the engagement, the aspiration, scholarship, and you mentioned a volunteer. I think one of the things I'll observe is you guys are kind of hitting this as community. I mean, the story of Steve Jobs and Woz building the Mac, they called Bill Hewlett up in Palo Alto. He was in the phone book. And they scoured some parts from him. That's community. This is kind of what you're getting at. So this is kind of the formula we're seeing. So the next question I really want to get into is the women in technology, STEM, underrepresented minorities, how do we get them on a cybersecurity career path? Is there a best practice there? Bill, we'll start with you. >> Well, I think it's really interesting. First thing I want to add is, if I could, just a clarification. What's really cool, the competition that we have and we're running, it's run by students from Cal Poly. So Amy referenced the clubs and other activities. So many of the organizers and developers of the competition that we're running are the students, but not just from engineering. So we actually have theater and liberal arts majors and technology for liberal arts majors who are part of the competition, and we use their areas of expertise, set design and other things, visualization, virtualization. Those are all part of how we then teach and educate cyber in our gamification and other areas. So they're all involved and they're learning, as well.
So we have our students teaching other students. So we're really excited about that. And I think that's part of what leads to a mentoring aspect of what we're providing where our students are mentoring the other students. And I think it's also something that's really important in the game. The first year we held the game, we had several all-girl teams, and it was really interesting because A, they didn't really know if they could compete. I mean, this is their reference point. We don't know if. They did better than anybody. I mean, they just, they knocked the ball out of the park. The second part, then, is building that confidence level that can, going back and telling their cohorts that, hey, it's not this obtuse thing you can't do. It's something real that you can compete and win. And so again, it's building that camaraderie, that spirit, that knowledge that they can succeed. And I think that goes a long way. And Amy's programs and the reach out and the reach out that Cal Poly does to schools to develop, I think that's what it really is going to take. It is going to take that village approach to really increase diversity and inclusivity for the community. >> Dr. Fleischer, I'd love to get your thoughts. You mentioned your outreach program and the drop-off, some of those data. You're deeply involved in this. You're passionate about it. What's your thoughts on this career path opportunity for STEM? >> Yeah, I think STEM is an incredible career path opportunity for so many people. There's so many interesting problems that we can solve, particularly in cyber and in space systems. And I think we have to meet the kids where they are and kind of show them what the exciting part is about it, right? But Bill was alluding to this when he was talking about trying to name somebody that you can point to. And I think having those visible people where you can see yourself in that is absolutely critical, and those mentors and that mentorship program. 
So we use a lot of our students going out into California middle schools and elementary schools. And you want to see somebody that's like you, somebody that came from your background and was able to do this. So a lot of times we have students from our National Society of Black Engineers or our Society of Hispanic Professional Engineers or our Society of Women Engineers, which we have over 1,000 members, 1,000 student members in our Society of Women Engineers who are doing these outreach programs. But like I also said, it's hitting them at the lower levels, too, and Girl Scouts is actually distinguishing themselves as one of the leading STEM advocates in the country. And like I said, they developed all these cybersecurity badges starting in kindergarten. There's a cybersecurity badge for kindergarteners and first graders. And it goes all the way up through late high school. The same thing with space systems. And they did the space systems in partnership with NASA. They did the cybersecurity in partnership with Palo Alto Networks. And what you do is you want to build these skills that the girls are developing, and like Bill said, work in girl-led teams where they can do it, and if they're doing it from kindergarten on, it just becomes normal, and they never think, well, this is not for me. And they see the older girls who are doing it and they see a very clear path leading them into these careers. >> Yeah, it's interesting, you used the word normalization earlier. That's exactly what it is. It's life, you get life skills and a new kind of badge. Why wouldn't you learn how to be a white hat hacker or have some fun or learn some skills? >> Amy: Absolutely. >> Just in the grind of your fun day. Super exciting. Okay, Trung, your thoughts on this. I mean, you have a diverse, diversity brings perspective to the table in cybersecurity because you have to think like the other guy, the adversary. You got to be the white hat.
You can't be a white hat unless you know how a black hat thinks. So there's a lot of need here for more points of view. How are we going to get people trained on this from underrepresented minorities and women? What's your thoughts? >> Well, as a member of the IEEE Professional Society of Electrical and Electronic Engineers, every year we participate in the engineering week. We deploy our members to local junior high schools and high schools to talk about our projects to promote the study of engineering. But at the same time, we also participate in the science fair that the state of Texas is organizing. Our engineers will be mentoring students, number one, to help them with the project, but number two, to help us identify talent so that we can recruit them further into the field of STEM. One of the competitions that we participated in was the one they call Future City, where students will be building a city in a computer simulation. And in recent years, we promote the theme of smart city, where the city will be connected to the individual houses and together into the internet. And we want to bring awareness of cybersecurity into that competition. So we deploy engineers to supervise the people, the students who participate in the competition. We bring awareness not at the technical detail level, but at what we call the compound level, so students will be able to know what is required to provide cybersecurity for the smart city that they are building. And at the same time, we were able to identify talent, especially talent among minorities and women, so that we can recruit them more actively. And we also raise money for scholarships. We believe that scholarships are the best way to entice students to continue education at the college level. So with scholarships, it's very easy to recruit them to the field and then push them to go further into the cybersecurity area.
>> Yeah, I mean, I see a lot of the parents like, oh, my kid's going to go join the soccer team, we get private lessons, and maybe they'll get a scholarship someday. Well, they only do half scholarships. Anyway. I mean, if they spent that time doing these other things, it's just, again, this is a new life skill, like the Girl Scouts. And this is where I want to get into this whole silo breaking down, because Amy, you brought this up, and Bill, you were talking about it, as well. You got multiple stakeholders here with this event. You've got public, you've got private, and you've got educators. It's the intersection of all of them. It's, again, if those silos break down, the confluence of those three stakeholders have to work together. So let's talk about that. Educators. You guys are educating young minds. You're interfacing with private institutions and now the public. What about educators? What can they do to make cyber better? 'Cause there's no real manual. I mean, it's not like this court is a body of work of how to educate cybersecurity. Maybe it's more recent. There's cutting edge best practices. But still, it's an evolving playbook. What's your thoughts for educators? Bill, we'll start with you. >> Well, I'm going to turn to Amy and let her go first. >> Let you go. >> That's fine. >> I would say as educators, it's really important for us to stay on top of how the field is evolving, right? So what we want to do is we want to promote these tight connections between educators and our faculty and applied research in industry and with industry partnerships. And I think that's how we're going to make sure that we're educating students in the best way. And you're talking about that inner, that confluence of the three different areas. And I think you have to keep those communication lines open to make sure that the information on where the field is going and what we need to concentrate on is flowing down into our educational process. 
And that works in both ways, that we can talk as educators and we can be telling industry what we're working on and what types of skills our students have and working with them to get the opportunities for our students to work in industry and develop those skills along the way, as well. And I think it's just all part of this really looking at what's going to be happening and how do we get people talking to each other? And the same thing with looking at public policy and bringing that into our education and into these real hands-on experiences. And that's how you really cement this type of knowledge with students, not by talking to them and not by showing them, but letting them do it. It's this learn by doing and building the resiliency that it takes when you learn by doing. And sometimes you learn by failing, but you just pick up and you keep going. And these are important skills that you develop along the way. >> You mentioned sharing, too. That's the key. Collaborating and sharing knowledge. It's an open world and everyone's collaborating. Bill, private-public partnerships. I mean, there's a real, private companies, you mentioned Palo Alto Networks and others. There's a real intersection there. They're motivated. They could, there's scholarship opportunities. Trung points to that. What is the public-private educator view there? How do companies get involved and what's the benefit for them? >> Well, that's what a lot of the universities are doing is to bring in as part of either their cyber centers or institutes people who are really focused on developing and furthering those public-private partnerships. That's really what my role is in all these things is to take us to a different level in those areas, not to take away from the academic side, but to add additional opportunities for both sides. Remember, in a public-private partnership, all entities have to have some gain in the process. 
Now, what I think is really interesting is the timing on particularly this subject, space and cybersecurity. This has been an absolute banner year for space. The standup of Space Force, the launch of commercial partnership, you know, commercial platforms delivering astronauts to the space station, recovering them, and bringing them back. The ability of a commercial satellite platform to be launched. Commercial platforms that not only launch but return back to where they're launched from. These are things that are stirring the hearts of the American citizens, the kids, again, they're getting interested. They're seeing this and getting enthused. So we have to seize upon that and we have to find a way to connect that. Public-private partnerships is the answer for that. It's not one segment that can handle it all. It's all of them combined together. If you look at space, space is going to be about commercial. It's going to be about civil. Moving from one side of the Earth to the other via space. And it's about government. And what's really cool for us, all those things are in our backyard. That's where that public-private comes together. The government's involved. The private sector's involved. The educators are involved. And we're all looking at the same things and trying to figure out, like this forum, what works best to go to the future. >> You know, if people are bored and they want to look for an exciting challenge, you couldn't have laid it out any clearer. It's the most exciting discipline. It's everything. I mean, we just talk about space. GPS is, everything we do is involved, has to do with satellites. (laughs) >> I have to tell you a story on that right? We have a very unique GPS story right in our backyard. So our sheriff is the son of the father of GPS for the Air Force. So you can't get better than that when it comes to being connected to all those platforms. 
So we really want to say, you know, this is so exciting for all of us because it gives everybody a job for a long time. >> You know, the kids that think TikTok's exciting, wait till they see what's going on here with you guys, this program. Trung, final word on this from the public side. You're at the Air Force. You're doing research. Are you guys opening it up? Are you integrating into the private and educational sectors? How do you see that formula playing out? And what's the best practice for students and preparing them? >> I think it's the same in every university: the engineering program will require our students to do a final project before graduation. And in this kind of project, we send them out to work in private industry, the private company that sponsors them. They get the benefit of having an intern working for them, and they get the benefit of reviewing the students as prospective employees in the future. So it's good for the student to gain practical experience working in this program. Sometimes we call that a co-op program. Sometimes we call that a capstone program. And the company will accept the student on a trial basis, giving them some assignment and then paying them a little bit of money. So it's good for the student to earn some extra money, to have some experience that they can put on their resume when they apply for the final, for the job. So the collaboration between university and private sector is really important. When I joined a faculty, normally that connection already existed. It came, again, normally from the dean of engineering, who would wine and dine with companies, build up relationships, and sign agreements. But it's us professors who have to do the (indistinct) approach to do a good performance so that we can build up credibility to continue the relationship with those companies and the students that we selected to send to those companies.
We have to make sure that they will represent the university well, they will do a good job, and they will make a good impression. >> Thank you very much for a great insight, Trung, Bill, Amy. Amazing topic. I'd like to end this session with each of you to make a statement on the importance of cybersecurity to space. We'll go Trung, Bill, and Amy. Trung, the importance of cybersecurity to space, brief statement. >> The importance of cybersecurity, we know that it's affecting every component that we are using and we are connecting to, and those components, normally we use them for personal purposes, but when we enter the workforce, sometimes we connect them to the important systems that the government or the company are investing in to be put into space. So it's really important to practice cybersecurity, and a lot of the time, it's very easy to know the concept. We have to be careful. But in reality, we tend to forget to practice it, the way we forget how to drive a car safely. And with driving a car, we have a program called defensive driving that requires us to go through training every two or three years so that we can get a discount. Every organization is providing the annual cybersecurity practice not to tell people about the technology, but to remind them about the danger of not practicing cybersecurity, and it's a requirement for every one of us. >> Bill, the importance of cybersecurity to space. >> It's not just about young people. It's about all of us. As we grow and we change, as I referenced it, we're changing from an analog world to a digital world. Those of us who have been in the business and have hair that looks like mine, we need to be just as cognizant about cybersecurity practice as the young people. We need to understand how it affects our lives, and particularly in space, because we're going to be talking about people, moving people to space, moving payloads, data transfer, all of those things.
And so there's a whole workforce that needs to be retrained or upskilled in cyber that's out there. So the opportunity is ever expansive for all of us. >> Amy, the importance of cybersecurity in space. >> I mean the emphasis of cybersecurity in space just simply can't be overemphasized. There are so many aspects that are going to have to be considered as systems get ever more complex. And as we pointed out, we're putting people's lives at stake here. This is incredibly, incredibly complicated and incredibly impactful, and actually really exciting, the opportunities that are here for students and the workforce of the future to really make an enormous impact on the world around us. And I hope we're able to get that message out to students and to children today, that these are really interesting fields that you need to consider. >> Thank you very much. I'm John Furrier with theCUBE, and the importance of cybersecurity and space is the future of the world's all going to happen in and around space with technology, people, and society. Thank you to Cal Poly, and thank you for watching the Cybersecurity and Space Symposium 2020. (bright music)
Fritz Wetschnig, Flex | ESCAPE/19
(upbeat music) >> Announcer: From New York, it's The Cube. Covering ESCAPE/19. (upbeat music) >> Welcome back to The Cube coverage New York City for the inaugural multi-cloud conference. The first one ever in the industry. It's called Escape 2019. We're in New York so escaping from New York, escaping from cloud, that's the conversation. All the thought leaders are here and executives. People thinking about the next generation architecture and talk tracks are all here. Fritz Wetschnig who's the Chief Information Security Officer for Flextronics. >> Flex, yes. >> Flex, thank you for coming on. Love to have CISOs on because security seems to be always the top conversation. You got a very busy job. >> I do yes. (laughing) >> You're under a lot of pressure all the time >> It's fun, it's still fun for me. So, yeah, a CISO, it's always like security's top in mind, right, of everyone now these days. But it's still one of the most interesting jobs. The most interesting for my job is, I learn so much about our business and to have insight into so many things that's actually really great. >> You know, one of the things I was just talking about on a Cube conversation was, you know, how data is a really important part of it and how data backup and recovery was built on old thinking around, you know, data centers failing, floods, hurricanes, electricity gets outages, but the biggest disruption in business today is security, security threats and so that's cybersecurity pressure is causing CISOs to be mindful of the best architecture the best platform. Do we have the right tools? So I want to get your thoughts. How are you thinking about that as an organization, because are you building in-house developers? Are you, how are you organizing, how are you gearing up to fight the battles that need to be fought? >> So, I am with the company, So Flex is a big manufacturing company, right. 
26 billion, so we have a lot of P2P business not consumer business, which is I believe a different perspective of security versus actually like a consumer company facing, so and I'm in a security team for 15 years, so we built it up like security operations and all those kind of things we do, right. >> You're old school. >> I am old school learned everything and that, right? >> But you're lot are IOT, I mean, you're Industrial IOT. >> Oh yeah, Industrial IOT it's one of the topics but coming back to you, you're right, data is actually the center even for our business, data is getting more and more center, right. You collect data from the machine, you collect data actually for the business actually to do make more decisions, right. And it could be predictive maintenance, could be inventory management. There could be a lot of things, right. You have to think about it. So, and the funny thing is, I'm real, I'm the CISO now for 5 years, 15 years with the security team, 20 years with the company, So I rebuilt the team always like every three, four years like as a kind of rebirth of the team. We renew, we add new skills, right. And cloud is one of the things, which I think it's a fundamental change and the change is actually, it's actually on the development side. What it means with that is the security team has to move to serve the developers. And the problem with the old school was always like it's afterthought. So why is security such an issue? Because we had to do patching after we found vulnerabilities, right. And then old network is not secure you need to wrap something around it like we did firewalls. So it was always an afterthought. Now with the cloud, it's changing because you have a lot of different things to do but basically we need to enable developers to be very quick and deploy their software very quickly, so I think it's a fundamental change in the way you have to think about security. 
>> And yeah, that brings up the good question I would love to ask you 'cause you've given, again you're not a consumer, like Capital One with in-house, they had their own channel, they weren't hacked. Amazon, actually the firewall was misconfigured, on an S3 bucket but that's a consumer company. You have data though, you're an industrial company, got a lot of industrial IOT. Ransomware folks are targeting data. >> Yes. >> And everyone's a target. Your surface area is large. But you probably lock that down in the past. So how are you thinking about all this new stuff? >> So yeah, I mean, IOT it's, I mean, IOT's a problem, as you said, the industrial right. And it's not solved yet completely, right. Because they still have to rethink a lot of the vendors providing this machinery, which you purchase for twenty five, thirty years, right. They still are old school, right, sometimes, like, the one on Windows you can't upgrade or whatever. So it's basic things they're lacking actually in terms of security. There's still, has to be a shift in this, not just in industry but in a general thinking, how you do that. Yes, I have a big environment, so we locked it down, we use a lot of innovative technologies, actually preventive measurements plus also detective measurements. And you need to create kind of mightily a concept where you actually start, okay, what is if this fails? How we test it? Okay, this fails, do we have other measurements where we can try to prevent, stop those kind of things, right. But ransom is a big one. There's other things, as you know, like hacking, I mean, like Capital One. >> Malware's a big problem. >> The Capital One was an interesting one in my belief and that's for the cloud is configuration issues, right, which I think it comes with cloud security. It's about policy and configuration management, right. How you manage that and how you think about it, but it's not, it was not that.
>> Automation could have solved that, I mean, that's an open S3 bucket, that's trivial. It wasn't a big, technical. >> Yes and no, if you look at that it was a little bit more in detail, >> Okay. >> So it was actually, their back firewall was misconfigured, which is about security running on a back check, but the misconfiguration was actually is, as (mumbles) force request issue, which means, like, you tricked this firewall into giving you information you shouldn't give information, right. >> John: Okay, so it was a little bit more. So, it was a little bit more granular as people think it was, right. Just an S3 bucket configuration. So it was a little bit more granular, but I think that's the really difficulty comes about whichever security. It's a complex program, right. It's mainly things you have. >> But it was a configuration error? >> It was a configuration. >> It wasn't as dumb as an S3 bucket. >> No, it wasn't dumb. >> But it was a bit more sophisticated, but not that sophisticated, was it? On a scale of 1 to 10. >> It was not sophisticated, but something, it's not easy to solve. So you have to think about it, but you're right, it's still something. >> John: It's an exploit from a corner case. >> Yeah, it's still something you could have. I mean, I'm careful to say you could have avoided it, yes you could, because that's for sure, but I know it's a complex environment, right. >> It's a human, there's humans involved. >> And I don't know the details exactly, we only know that what was published, right, so it's very hard to check. >> Well, it brings up cloud security, so let me ask you, on multi-cloud, this is a multi-cloud conference. What's your definition of multi-cloud? How do you look at the multiple-clouds? >> For me, multiple-cloud is, actually it doesn't matter. We had a good keynote words, it's a bunch of servers, right. That's how I see multi-cloud. It's a bunch of servers.
Could be my data centers in a public cloud data centers with different vendors, that's what a cloud is. Where I move my services should be actually independent from the public hyper on premise, whatever it is, right. That's basically how I see it. >> So it doesn't matter, it's infrastructure. >> Yeah. >> On demand, leverage it. >> Leverage it, it could be say, hey today, I spin up this test server, but you know what, today it seems to be a bit cheaper running on (mumbles) versus GBC, let's do it here. Next day, next week we might do it somewhere else, whatever you trigger, whatever what is your requirements. >> So if going to look at that resource at like that, how do you think about the cloud security then, because the configurations, compliance, how do you, how do you stay on top of that? >> So, that's an interesting thing because we have begun to prioritize but we, as you said, no consumer business, so our problem is to find the right skill set, to attract the right people to our company to do that right because this is our, we have some cloud, but it's not yet, there's a journey we are trying to do, as most of the enterprise, so we're looking into startups, managed services. We say, okay what are gaps that we have to maybe have to outsource some of the things and gaps where we need to get internal source of supply. >> What's your advice to other CISOs out there that are in the B2B space of don't have to deal with the consumer but have to get serious, that is now becoming more industrialized on the IOT side because you guys have been, you know, been there, done that, you have a big footprint on the IOT, 'cause you have a history. But as people get more facilities and they have more virtual offices, more people working, the edge is extending. What's your advice to those CISOs who have to deal with this industrial and IOT edge? >> I think you have to, visibility is the key ingredient is first, right.
If you don't know what you have, it's very hard to understand what's a risk portfolio, right. So, you need to find the right toolset, and don't believe you know what you have. It's fantastic what you see when you use the right tool what distance everything is connected. I mean, basically even, like, I found like, this coffee mug, you know. I connect it to devices, right. It's like, not like everyone, not just that they don't understand my coffee mug is connected to (laughing). >> That light bulb's got a multithreaded processor. What is that doing? >> So, so there's concerns, I may, but visibility is a key ingredient you have to understand. And then you have to look into how you mitigate a risk. What is a risk about it, right. I mean, if the government goes down, I don't really care, but if my testos goes down and does shut down the production, I really care about that. So you need to understand that the risk and say, how can I mitigate the risk? >> So while I got you here, what's you final question? What's your message to suppliers out there that all want to sell you something? Want to sell you another tool, you know. Want another tool? You know, I got a platform. I got a tool. Buy from me. >> You mean, to sell 750 watches (drowned out by laughter) If you go to ISA conferences, unbelievable, right. >> I want to sell you something. You're the top dog, I promise. >> Don't send me an email. >> Don't send them an email. Are you shrinking suppliers down? Are you looking at some kind of standard API way to deal with them? >> Yes. >> Because, you know, you're probably thinking about platforming, and data visibility's critical. >> Yes. >> What's your philosophy on how to support video suppliers? >> So usually, honestly, the most time I really go it so for in the weight of technology we built in our company is called the Strategic Partnership Program where we can get for startups, and most of the time we engage, we startups overseas, or as through other channels, right.
Where you get introduced, and you review, with the proof of work concept or value, the technology, and we try to keep it like a mini product, very short time, and say, okay, let's show what you can, where your gaps are, and can we get with you guys and can we get you. But don't send me an email, don't call me because I usually don't react. I have a job to do. (laughing) >> Yeah, exactly. >> So that's most of the time, whatever we see, what comes or if, a guy said hey, I found another CISOs tell me there's great technology, you should leap into that. >> And what shows do you go to? What events do you hang out in? What are good events for you in the space, RSA, Red Hat, Black Defcon? Are there certain events you go to that you think are valuable? >> I mean, as a CISO, I go to the RSA Conference, which I should because it's actually very close to me as well, and being part, being out of San Jose, I recommend the BSides, actually. I like the BSides. >> John: The BSides are great. >> The BSides are great. I think they are real, really. And then I try to smaller circles, right. We have our personal round tables. >> BSides for folks watching is an alternative group of community, industry participants, they have kind of a B-side, an A-side, like an album. But it's such a community event. They do hacker funds and a variety of other cool things where people get together, very unstructured kind of, cool conference, in addition to bigger conferences. >> I can recommend this. >> Yeah, awesome. Fritz, thanks for coming on and sharing your insights. >> Thanks. >> Been a pleasure. The Cube coverage in New York City, we're not escaping from New York but this is the Escape Conference, the first multi-cloud conference in the industry, we'll see how it goes. If they're successful, they might be back next year. If not, they won't be. But I think multi-cloud's going to stay. What do you think? >> I think so too, yes. >> Okay, Fritz, thanks for coming on.
I'm John Furrier, thanks for watching. (upbeat music)
Martin Bosshardt, Open Systems | CUBEConversation, August 2019
(upbeat funky music) >> From our studios, in the heart of Silicon Valley, Palo Alto, California. This is a CUBE conversation. >> Okay, welcome back everyone, we're here at theCUBE studios in Palo Alto for a special CUBE conversation. Talking security, talking about the internet and cloud computing. Martin Bosshardt is the CEO of Open Systems. Martin, great to see you. Last time we chatted was in December you were in Vegas, we had a little on the ground, great to meet your team. Welcome back to theCUBE. >> Thank you so much. It's great to be here. >> So exciting things going on, I want to get a state of the Open Systems and the industry, obviously security's a really big big thing, a lot of stuff going on in the industry. Black Hat. Defcon. Amazon had a big event called re:Inforce, which was really kind of the first cloud security show. Which brings the whole, your kind of value proposition to the table but, you guys have a new office here in Silicon Valley. I saw a video on the internet, trending. >> Yeah. >> Pretty nice place to work. Give us the update on the current office and Silicon Valley presence. >> Yeah we are, you know, we are really happy to be now here in the U.S. headquarters in Redwood City and Silicon Valley. So, this really helps us also to be closer to the talents, to be closer to all the going to market activities and also to understand the market better. So, it's really exciting to be here and obviously also our, I mean the people love to work here in Silicon Valley. Weather is always great. >> Yeah, weather's always great and the office has got that good working vibe there. Take a minute to explain Open Systems real quick for the folks not familiar with the video 'cause we did last December in Vegas with your team. Tell them what your company's value proposition is and some of the growth you're experiencing.
>> Right, so, Open Systems really is, you know, we operate SD-WAN in a secure way for our customer, so it's really focusing on making a relatively complicated technology, from operational point of view, very easy to consume for our customers. So this is, I think, something we started more than 15 years ago in Europe and I would say Open Systems is very much comparable, or at least the going to market part, is very much comparable to an organic farm. We have a wonderful ecosystem in Switzerland, especially in the financial services industry and our customers just love the way we provided those services and told their neighbors and friends and this is really how we grew on a global scale. Currently Open Systems is operating in more than 180 countries, SD-WAN and security infrastructure for customers and protect approximately 2.5 to three million end users globally. And when we started to enter the U.S. market, we learned that the way we provide SD-WAN in a secure way, really resonates a lot with the U.S. market because we can make complex infrastructures, especially projects going to the cloud, very easy to consume for our customers. So, we are really exciting on the growth side right now, we grow super fast in the U.S., we have been very successful in latest customers, we won Chemers, we won Chemit... >> So you're winning a lot of business. >> We are winning a lot of business and what's exciting about it is those customers give us really very valuable feedback on the difference how we provided services is really exciting... >> You know Martin, I was observing and talking to your team in December when we first met you guys for the first time and you just briefly touched on it on your description of the company success. A lot of the early success and continued success has been word of mouth. >> Right.
>> With the organic, not like big marketing splash in the pool, kind of like, you know, banging the drum hard, although you are doing some marketing now but and being in the U.S. That word of mouth has been really a testament to the quality of the product, so I got to ask you, what are they happy about? What's the problem that you're solving? What's the big buzz? Why are they so excited to share, to their peers and colleagues about Open Systems? What's the big revelation? >> Thank you for the credit. I think, you know, everybody goes to the cloud and what you really need is an SD-WAN to access the cloud. What that also means for all those companies, they have to rethink their security posture. So if you add now all those products and then you try to operate those products, it turns out it's relatively complicated compared to an old school MPLS Network we used to operate in the past. So, this is really where Open Systems comes in and helps customers to operate that in very easy ways. So we integrate, all those products needed, to operate the global SD-WAN in a secure way, on a single delivery platform and that allows customers to consume that entire suite in a very very easy way. >> I want to get your vision on the future of Open Systems. I know you guys call it secure SD-WAN. I'm a little bit more radical and controversial in the sense. I think SD-WAN is kind of passe term, I think, it's really cloud connectivity work anywhere, people are working at home more than ever, cloud computing has brought in essentially enterprise cloud. We're calling it cloud 2.0, where, it's not just public cloud and having workloads in there, taking advantage of the greatest of cloud 1.0. It's enterprises, this is hybrid, it's multi-cloud, you seeing a, really a distributed computing, a networking problem and a security problem being at the center of this new work environment. >> Yeah. >> Essentially, people connected to something. >> Right. >> It's cloud right, I mean. 
We can call it SD-WAN because it used to be an office, campus, remote office, very static dynamic. What's your vision? >> You're absolutely right. I mean, this is really where it all goes. Let's say, a network was a network and it was very clear what a network does, right now it's more like, we want to just connect users to cloud services and it's not so clear where those services are coming from and it's not so clear where those users are sitting, where you consume from. And, it results in a phenomenal opportunity to be much more agile, much more, much faster, also to set-up new services, but it also is a challenge for IT operations. Because you know, you might have a group of users saying, well this and this service doesn't work well and now you have to debug. Why is not performing, why isn't Germany maybe, a service coming from the U.S., not performing well? Or you have an IoT device suddenly not really collecting data in a right way and this is really where SD-WAN becomes an orchestration layer. SD-WAN really helps you to orchestrate all those services and make sure you have the SLA available, at all times, everywhere. And also, understand if it's not delivering right and this is really rare where I believe... Ya, we need new solutions to make these easy because... >> You know, a lot of companies talk about digital transformation, that becomes the office, you know, the top CEO, board conversation, let's transform and be digital. But the underlying infrastructure, which is very complex, you can talk about distributing computing, you got networking, all these things in place and old, new, all kind of mashed together with cloud. It's easy to say digital transformation but you're talking about digital transformation of the business on top of existing complex hardware, which comes out the networking, moving packets from A to B, storing it on drives and now you have people working at home, so you have people working globally. >> Right. >> It's not that simple. >> No. 
>> It's complicated. >> It is really... >> It's not just a U.S. problem, it's like a have a team in, an engineering team in the U.K. and Germany, wherever, business... So it's a global problem. >> Exactly and also it's about, you know, how do you process all the data in an efficient way. And where we see a lot of iteration power released is right now in the Cloud. It's really exciting how easy it gets to consume all that computing power out of the cloud but you need to make sure it is available and you need to understand what is happening if it's not available and how to fix that. And this is really where, I think networking became more demanding, more challenging but also, obviously offers a tremendous opportunity for innovation. >> And I think the security industry has gotten much broader scope to it, used to be, hey you know, I'm a nerd, I'm Black Hat, I'm a blue team, red team, secure the environment, get a perimeter and okay that's gone, we'll take care of threats, malware, all this stuff's going on. But when you think about like cloud 2.0, cloud 1.0 is compute storage, great applications can load up at the cloud, all this great stuffs happening, hooray, yeah, rah-rah. Now cloud 2.0 is networking and security. >> Right. >> Independent of everything right so, what's your take on that? How is Open Systems, you know, helping companies? And what do you say to your customers when you say, hey, you know, compute networking, the storage is good, the cloud on premise no problem, there's operating models for that but you got networking and you got security to deal with on top of all the complexity. What's your story? >> I think the most important thing is, you know, we have to live with the fact that some device system tools are not secure. So I think IoT's a very good example. If you want to have all those sensors out there and be close to the customer, be close to some business processes, you need IoT. 
But, it's just not possible to have these very cheap devices built in a secure way. So, it's a lot about how do you design a network, to design it in a resilient secure way and that means that you have to think in cells, you have to think in compartments and that makes it relatively easy, secure again, but, it is from operational point of view, quite a challenge because you do not operate any more one network, you suddenly operate maybe many networks. >> On that point, just to kind of wrap up here. The security challenges around IoT, Machine Learning and AI, which is clearly becoming part of the fabric of, a company's going to leverage that... >> Right. What are some of the big challenges that companies are having and what do you do to solve it? >> You know, in the old network world, you had a network where everything was connected based on one network. So, when you introduce SD-WAN and you introduce all these capabilities, it is very dangerous if you think just, in the old school of one network because suddenly you have IoT working on the same network as maybe your finance department. Or you have productivity facilities working the same network as your network department. So, it just doesn't make sense to have those very different functionalities on exactly the same network because if you have a compromised situation, you suddenly have your entire company compromised and this is really where compartments become very very important. I think this is also something you see in every industry, historically as well. Security and safety starts also with compartments. So, if you think fire, fire security, it has a lot to do with fire compartments. In case you have a fire, you don't lose the entire building or the same goes with ship building. I mean, Titanic was the last very big ship that sunk but the reason was the compartments haven't been pressurized. A modern ship doesn't sink anymore. And I think this is really what we have to do now also in IT.
We have to think in compartments. We have to think in layers and that's easy to do with SD-WAN but it's not so easy to operate. >> Final question for you real quick, you know, people talk about hybrid cloud, multi-clouds, the big conversation in this cloud 2.0. But you guys as being successful in outside the United States and now in the U.S., there's also multi-geo work environment. >> Right. What should people think about when they kind of want to frame that debate or conversation? I'm a multinational, I'm operating in the U.S., now I have regions, clouds have regions. There's also all kind of now regulatory pressure coming across those areas. >> I would say around 2000, companies really started to globalize their value chains. You know, in the past, maybe you had a production facility in one country and then you sold your products globally but if you want to be competitive, you have to globalize your value chain. So it doesn't make sense to produce everything in one place. Your product usually, or your service, is produced on a global scale and that means that networks also have to help you to really produce that global value chain. But, it means also that you are operating in different jurisdictions, in different regions and you have to respect those different regulations and laws. And this is, obviously then and also a challenge for network operators because privacy in Germany is different than in the U.S., access rights are different, China's again very different, but all those multinationals, we operate in all those countries and we have to respect the local law. >> And then provide the security they need. >> Exactly. >> Martin, thanks for coming in and sharing your insights. Appreciate, good to see you, we'll follow up with and keep of the progress. Thanks for coming in. >> Thanks so much. >> I'm John Furrier for CUBE Conversation in Palo Alto, at theCUBE Studios, thanks for watching. (upbeat funky music)
Teresa Carlson, AWS | AWS re:Invent 2018
>> Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> Hey, welcome back everyone, this is theCUBE live, day 3 coverage of Amazon Web Services AWS re:Invent 2018. We're here with two sets, Dave. Six years we've been covering Amazon, every single re:Invent since they've had this event except for the first year, and you know we've been following AWS really since its inception. One of my startups that I was trying to launch and didn't ever get going years ago, we went to EC2 to launch, it was still command-line, and so we know all about it. But what's really exciting is the global expansion of Amazon Web Services, the impact that not only the commercial business but the public sector, government, changing the global landscape, and the person who I've written about many times on Forbes and SiliconANGLE, Teresa Carlson, she's the chief, the public sector vice president of Amazon Web Services public sector. Public sector, great to see you. >> Hi, hi John, great to be here again as always. >> So the global landscape, I mean public sector used to be this, we talked to us many times, do this, do that. >> Yeah. >> The digital environment and software development growth is changing all industries including public sector. You've been doing a great job leading the charge. The CIA, one of the most pivotal deals. When I asked Andy Jassy directly in my one-on-one with him about his proudest moments, one of them is the CIA deal. When I talked to the top execs in sales, Carla and other people in Amazon, they point to that seminal moment with the CIA deal happening, and now you got the DoD, a lot of good stuff. >> Yeah. >> What's, how do you top that? How do you raise the bar? >> Well, you know, it still feels like day one, even with all that work and that effort and those customers. Kind of going back to go forward, in 2013 when we won the CIA opportunity, they are just an amazing customer. The entire community is really growing, but there's so much more at this point that we're doing outside of that work which is being additive around the world, and as you've always said John, that was kind of a pivotal deal, but now we're seeing so many of our government customers. We now have customers in a hundred and seventy-four countries and I have teams on the ground in 28 countries, so we're seeing a global move. But you know, at my breakfast this week we talked a lot about one of the big changes I've seen in the last like 18 months, is state and local government, where we're seeing actually states making a big move: California, Arizona, New York, Ohio, Virginia. So we're starting to see those states really make big moves and really looking at applications and solutions that can change that citizen services engagement. >> And I think in these state, local governments, they aren't real, I won't say they're poor, they're funded, but they're not funded like a financial services sector, but that's still money. They've got to be very efficient. Cloud's a perfect opportunity for them because they can be more productive and do a lot of good things. >> They can, and there's 20 new governors coming on this year, so we've had a lot of elections, lots of new governors, lots of new local council members coming in. But governors, a lot of times you'll see a big shift when a governor comes in and takes over, or if there's one that stays in and maintains, you'll see kind of that program. I was just in Arizona a couple weeks ago and the governor of Arizona has a really big push toward modernization and utilization of information technology, and the CIO of the state of Arizona is like awesome. They're doing all this work, transformative work with the government. And then I was at Arizona State University the same day where we just announced a Cloud Innovation Center for smart cities, and I went around their campus and it's amazing. They're using IoT everywhere. You can go in their football stadium and you can see the movement of the people, how many seats are filled, where the parking spaces are, how much water's been used, where Sparky is, their mascot. I've got to be Sparky, which was fun. But you're seeing these kind of things and all of that runs on AWS and they're doing all the analytics and they're going to continue to do that, one for efficiency and knowledge, but two, also to protect their students and citizens and make them safer through the knowledge of data analytics. >> You know, to John's point about funding and sometimes constricted funding at state and local levels and even sometimes the federal levels. >> Yeah. >> We talked about this at the public sector summit. I wonder if you could comment. Amazon in the early days helped startups compete with big companies, it gave them equivalent resources. It seems like the distance between public sector and commercial is closing because of the cloud. They're able to take advantage of resources at lower cost that they weren't able to before. >> It's definitely becoming the new normal in governments for sure, and we are seeing that gap closing. This year, 2018, for me was a year that I saw kind of big moves to cloud, because in the early days it was website hosting, kind of dipping their toes in. This year we're talking about massive systems that are being moved to the cloud, you know big re-architecting and design, and a lot of people say, well why do they do that, that costs money? Well, the reason is because they may have to re-architect and design, but then they get all the benefits of cloud through the things that, examples this week, new types of storage, new types of databases, data analytics, IoT, machine learning, because in the old model they're kind of just stagnated with where they were with that application. So we're seeing massive moves with very large applications, so that's kind of cool to see our customers in public sector making those big moves, and then the outputs, the outcome for citizens, taxpayers, agencies, that's really the value, and sometimes that's harder to quantify or justify in public sector, but over the long term it's going to make a huge difference in services. And one of the things I also said at the breakfast was our work in something called helping out the agencies with that ATO process, the authority to operate, which is a big deal, and it costs a lot of money, a lot of times, long time and processes. And we've been working with companies like Smartsheet, which we helped them do this in less than 90 days to go live, so now working with our partners like Telos and Rackspace and our own model, that's one of the things you're also going to see. >> And John, you're taking your knowledge of the process, trying to shrink that down time-wise, and pass it forward to the partners. >> Yes, to help them through the journey. >> These fast, move fast, and just keep it going. >> And that's really the goal, because they get very frustrated if they build an application that takes forever to get that security, that authority to operate, because they can't really, they can't move out into full production unless that's completed. >> And this could make or break these companies, these contracts are so big. >> Oh yeah, I mean it's significant, and they want to get paid for what they're doing and the good work, but they also want to see the outcome and the results. >> Yeah, I gotta ask you, what's new on the infrastructure side? We were in Bahrain for the region announcement, exciting expansion there. You got new clouds, GovCloud East. >> Yeah, that's up and running. >> No, that's been running? >> Announced, customers are in there, they're doing their DR, their COOP, running applications, we're excited. Yes, that's our second region, based on a hundred and eighty-five percent year-over-year growth of the GovCloud region West. >> So that's been rare. I read an article that was on the web from General Keith Alexander. He wrote an op-ed on the rationale that the government's taking in looking at the cloud and looking at the military, looking at the benefits for the country around how to do cloud. Yes, you guys are also competing for the JEDI deal, which is now, it's not a single source contract, but they want to have one robust consistent environment. >> Yeah. >> A big advantage, new analytics. So between General Keith Alexander's story and then the public statement around this, the DoD actually outlined benefits of staying with one cloud. How is that going, how's that JEDI deal going? >> Well, there's two points I'd like to make on this. First of all, we are really proud of DoD. They're just continuing to move and they're sticking with their model and it's not slowing them down, everything happening around JEDI. So the one piece, yes, JEDI is out there and they need to complete this transaction, but the second part is we're just, it's not slowing us down to work with DoD. In fact, we've had great meetings with DoD customers this week and they're actually launching really amazing cloud workloads. Now what's going to be key for them is to have a platform that they can consistently develop and launch new mission applications on very rapidly, and because they were kind of behind, their model right now is to be able to take rapid advantage of cloud computing for those warriors, those warfighters out in the field that we can really help every day. So I think General Alexander is spot on, the benefits of the cloud are going to really merit at DoD. >> I have to say, as an analyst, you know, you guys can't talk about these big deals, but when companies, you know, competitors contest them, information becomes public. So in the case of CIA, IBM contested, the Judge Wheeler ruling was just awesome reading and it underscored Amazon's lead at the time. >> Yeah. >> It forced IBM to go out and pay two billion dollars for SoftLayer. The recent Oracle contest, and the GAO's ruling there, gave a lot of insights. I would recommend going and reading it, and my takeaway was the DoD, Pentagon, said a single cloud is more secure, it's going to be more agile, and ultimately less costly. So that decision was on a very strong foundation and we got insight that we never would have been able to get had they not contested. >> Well, and remember one of the points we were just talking about earlier was the authority to operate, that ability to go through the security and compliance to get it launched. And if you throw a whole bunch of stuff at an organization, if they're struggling with one model, how are they going to get a hundred models all at once? So it's important for DoD that they have a framework that they can deliver in real time. >> First of all, as a technical person, and an operating system, which is kind of my background, it makes total sense to have that cohesiveness. But the FBI gave a talk at your breakfast on Tuesday morning, Christine Halvorsen. >> Yeah, she's amazing. >> And she pointed out the problems that they're having keeping up with the bad actors, and she said, quote, we are, FBI is in a data crisis. >> Yes. >> And she pointed out all the bad things that happened in Vegas, the Boston Marathon bombing, and the time it took to put the puzzle pieces together was so long, and Amazon shrinks that down. If post-event that's hard, imagine what the DoD has to do in real time. So this is pointing to a new model, it's a new era. >> And on that, well, and we, you know, one of the themes was tech for good, and if you look at the FBI example, it's a perfect example of AWS helping them move faster to do their mission. And if they continue to do what they've always done, which is use old technologies that don't scale, buying things that they may never use, versus being able to test and try quickly and effectively, test, fail fast, recover, and then use this data. And FBI, I will tell you, it is brilliant how they're, the name of this program, sandcastle one Evan, that they've used to actually do all this data analytics, and she talked about time to mission, time to catch the bad guys, time to share that analysis and data with other groups so that they could quickly disseminate and get to the heart of the matter and not sit there and say, wait on it, wait on this bad guy while we go over here and change. >> Time to value, completely being that Amazon is on, whether it's commercial or government. I talk about value, it's great, you guys could have a short-term opportunity to nail all these workloads, but in the Amazon fashion there's always a wild card. I was so excited, Dave and I interviewed Lockheed Martin yesterday. >> Yeah. >> And this whole ground station thing is so cool, because it's kind of like a Christopher Columbus moment. >> Yeah. >> Because the world isn't flat, doesn't have an edge, no, it's round. Satellites can power everything, there's space involved, there's space companies. >> Yes. >> Space Force right around the corner. >> Yep. >> You're in DC, what's the excitement around all this? What's going on? >> We surprised a lot of people with that announcement, Lockheed Martin and DigitalGlobe. We even had DigitalGlobe in with Andy when we talked about AWS Ground Station and Lockheed Martin Verge, and the benefit of this is two amazing companies coming together. AWS, yes, that knows cloud, analytics, AI, storage, and now we're taking a really hard problem with satellites and making it almost as a service, as well as Lockheed doing their CubeSats and making sure that there is analysis of every satellite that moves at all points in time, with no disruption. We're going to bring that all together for our customers for a mission that is so critical at every level of government, research, commercial entities, and it's going to help them move fast, and that is the key, move very fast. Every mission leader you talk to that has these kind of priorities will say we have to move faster, and that's our goal, bringing commercial best practices. >> I know you got to run, we got less than a minute left, but I want you to do a quick plug for the work you're doing around space in general. You had a special breakout, I believe, at your public sector summit, now going on in the space area, that your involvement, give it quick. >> Yeah, so we will have it again this year. We had our first ever, the day before our public sector summit, an Earth and Space Day, where we really brought together all these thought leaders on how do we take advantage of the commercial cloud services that are out there to help both these programs, research, observatory, in any way, shape, app, data sets. It went great. We worked with NASA while we were here, we actually had a little control center with that time, so a stream from NASA JPL, where we literally sat and watched the Mars landing, Mars InSight, which we were part of, and so was Lockheed Martin and so was DigitalGlobe. So that was a lot of fun. So you'll see us continue to really expand our efforts in the satellite and space arena around the world with these partnerships. >> Well, you're super cool and relevant, space is cool, you're doing great relevant work with Amazon. I wish we had more time to talk about all the mentoring you're doing with women, you're doing tech for good, so many great things going on. >> I need to get you guys at all my public sector summits in 2019. We're going to have eight of them around the world, and it was so fantastic having theCUBE in Bahrain this year. I mean it was really busy there and I think we got to see the level of innovation that's shaping up around the world with our customers. >> Well, thanks to the leadership that you have in Amazon, as a company, the industry is changing. theCUBE will be global and we might see CUBE regions soon. If Lockheed Martin can do it, theCUBE could be there, and they have CubeSats. >> Yes. >> Thank you for coming on. Teresa Carlson, making it happen, really changing the game and raising the bar in public sector globally with cloud. Congratulations, great to have you on theCUBE as always. More CUBE coverage, Andy Jassy coming up later in the program, stay with us for day three coverage after this short break. [Music]
Anand Prakash, AppSecure
>> From the Hard Rock Hotel in Las Vegas, it's theCUBE, covering HoshoCon 2018. Brought to you by Hosho. >> Okay, welcome back everyone. We're here for theCUBE's live coverage here in Las Vegas for HoshoCon. This is the first industry conference where the smartest people in security are together talking about blockchain security. That's all they're talking about here. It's a bridge between multiple diverse communities, from developers, white hat hackers, technologists, the business people, all kind of coming together. This is theCUBE's coverage, I'm John, for our next guest Anand Prakash, who's the founder of AppSecure. He's also the number one bounty hunter in the world. He's hacked everything you could think of; exchanges, crypto exchanges, Facebook, Twitter, Uber. Welcome to theCUBE, thanks for joining me. >> Uh, thank you John. >> So, you've hacked a lot of people, so let's, before we get started, who have you hacked? You've hacked an exchange. >> Yeah. >> Exchanges plural? >> Most of the exchanges. >> Mostly the exchanges? >> Yeah, ICOs. >> ICOs? >> Yeah, and a bunch of other MNCs. >> Twitter, Facebook? >> Twitter, Uber, Facebook, and then Tinder. Yeah. >> A lot. >> Yeah, a lot. I cannot say the names. >> You're the number one bounty hunter. Just to clarify, you're a white hat hacker, which means you go out and you do a service for companies. And it's well known that Facebook has put bounties out there. So, you take them up on their offer, or-- >> Yeah, so basically companies say to us, hack us, and we'll pay you. So, we go and try to hack their systems, and say this is how we were able to discover a vulnerability, and this is how it can be exploited against your users to steal data, to hack your systems. And then they basically say, this is how much we are going to pay you for this exploit. >> How did you get into this, how did you get started? >> So, it started with a simple phishing hack in 2008. 
It was an Orkut phishing hack, and one of my friends told me to hack his Orkut account. And I Googled how to hack an Orkut account, and I didn't have any technical knowledge at that point in time. No coding, no knowledge, nothing. I just Googled it and found ten steps, and I followed those ten steps. Created a fake page, sent it to my friend, and he basically clicked on it, and there it is, username and password. (laughs) >> He fell for the trap >> Definitely, >> right away. >> Yeah. >> So, quick Google script kiddie kind of thing going on there, which is cool. Okay, now you're doing it full-time, and it's interesting here, this is the top security conference. Those are big names up there, Andreas was giving the keynote. But I was fascinated by your two discussion panels, or sessions. Yesterday you talked about hacking an exchange, and today it was about how to hack Facebook, Twitter, these guys, as part of the bounties. This is fascinating because everyone's getting hacked. I mean you see the numbers. >> Yeah. >> I mean, half a billion dollars, 60 million here, 10 million. So, people are vulnerable and it's pretty easy. So, first question for you is how easy is it these days and how hard is it to protect yourself? >> So, the attacks, the technologies, and then attacks are getting more sophisticated, and hackers are trying newer and newer exploits. So, it's good for companies and crypto exchanges to employ ethical hackers, white hat hackers, and do pentests, and a bunch of other stuff to secure their assets. So, you would say for companies not doing security, then it's very easy for someone like us to hack their systems, but there were companies doing good security. They already have an internal security team, external folks securing their systems, then it's difficult. But, it's not that difficult. >> Let's talk about your talk yesterday about the exchange. Take us through what you talked about there that got some rave reviews. 
How did you attack the exchange? What did you learn? Take us through some of the exchanges you hacked and how, and why, the outcome? >> Yeah, so, we have been auditing a bunch of ICOs and exchanges for the past two months, and quite a good number. So, what we see is most of them don't have security, basic security checks in place. So I can log into anyone's account. They have a password screen on the UI, but I can simply type it in without any authentication or authorization, I can just log into anyone's account, and then I can get funds out of their system. Very similar to one issue which we found in a token sale, where we were able to see PII information of all the users. All the password details and everything, who has done KYC. So, there are a lot of information disclosures in the API. And the main thing which we hackers do is we try to test these systems manually instead of going more into an automated kind of approach, running some scanner to figure out a set of issues. So, scanners are, sorry. Scanners are obviously good, but they're not that good at finding out all the logical loopholes. >> So, you manually go in there, brute force, kind of thing? >> Yeah, not exactly, not that brute forcing, >> Not brute force. >> but our own ways of doing things, and there are a lot of good bounty hunters or white hat hackers, who are better than me and who are doing things. So, it becomes more and more sophisticated. We don't know when you get hacked. >> So, when the bounties are out there, does Facebook just say, hey, go to town? Or do they give you specific guidance, so, you just, they say go at us? What do you do? >> Yeah, so basically they publish some kind of legal documentation around it, and some kind of scoping on the top targets to hack. And then, they basically publish their reward size, and everything, and the policy and everything around it. And then we just go through it. 
We try to hack it and then we report it to their team, via a channel, and then they fix it, and then they come back to us saying, this is how we fixed it and this is what the impact was, and this is how much we're going to pay you. >> And then they just pay you. >> Yeah, my yesterday's talk was mainly focused on hacking these ICOs, and crypto exchanges in the past. Some of the case studies which we have done in the past, and obviously we can't disclose customer names, but we redacted some of the information, and showed them how we helped them. >> What should ICOs learn, what should exchanges learn from your experience? What's the takeaway for them? Besides being focused on security. What specifically do you share? >> Yeah, so to be very frank, I know a few of the companies and a bunch of companies who don't appreciate white hat hackers at all. So, these are ICOs and crypto exchanges. So, the first and foremost thing they should do is, if they are not having any internal, external, if they are having any internal security team right now, then they should go for a bug bounty program to make sure people like us, or people like other white hat hackers, go and hack their systems and tell them ethically. >> How does a bounty, how does someone set that up? >> So, uh-- >> Have you helped people do that? >> Yeah, so, our company does that. We help them set up a bug bounty program from scratch, and we manage it by our typewriting platforms, and we invite private, and we do it privately, and we invite ethical hackers to hack into their systems ethically. And then we do have arguments with a bunch of them, and that's how they're going to secure. >> So, how does that work, they call you up on the phone? Or they send you an email? They send you a telegram? How do they get in touch with, the website? They do face-to-face with you? They have to do it electronically? What's the process? >> For the bounty hunting? >> Yeah, for setting up a bounty program. 
>> Yeah, for setting up a bounty program with our company, we basically get on a Skype call with them, we explain to them what is going to be their budget and everything. How good their security team is, and if they are not having any internal security team, what I know, then we never suggest them going for the bounty program because they may end up paying a huge amount of money. (John laughs) So, then we basically sell our pen testing services to them, and say, this is, you should go out for a pen testing service first, and then you should go for a bounty program. >> Because they could be paying way too much in bounties. >> Yeah, yeah. >> Yeah, 'cause they don't know what their exposure is. So, you do some advisory, consulting, get them set up, help them scale up their security practice basically. >> Yes, yes, yes. Their entire security team. >> So what were the questions at the sessions? What were some of the things the audience was asking you? Did any good questions come out that you were surprised by, or you expected? >> No, so, all of, so, for the very first talk, about the hacking the crypto exchange and all, all of them were surprised. They thought putting up a two-factor authentication, or something like that, makes their account secure. But it's not like that. (both laughing) We hack on the APIs. So, it's very, very, very super easy for us most of the time. >> So, the APIs are where the vulnerabilities are? >> Yeah. >> Mainly. >> The APIs, the URLs. >> Yeah. So, you guys use cloud computing at all? Do you use extra resources? I saw a bunch of stories out there about quantum computers, and that makes things better on the encryption side. What's your thoughts on all that, and hubbub? >> Yeah, so mainly we use an intercepting proxy to intercept these calls, which are going straight to the APIs, with our own SSL, 'cause the safety we get, and then trusting it. So, we try to play with the APIs and then doing stuff. 
We don't need a big, high-end machine to hack into services. >> Gotcha, so you're dealing with them in the wire transmission. So, what do you, tell me about the conference here, what are some of the hallway conversations you've had? What's your observation? The folks that could not make it here, what's it like? What's the vibe like? What's it like here? >> So, they missed a lot of things. (both laughing) And um, it was the first Blockchain Security Conference, and I've been flying from all over doing the art, to just attend this conference. I was here one month back for Defcon and Black Hat, and for some other hacking event. >> So, you wanted to come here? >> Yeah. >> Yeah, I meet a lot of cool people here. I met so many great people. >> I planned it out even before Defcon Black Hat. (laughs) >> Okay, go 'head. >> I had to go to Hosho. (giggles) >> I think this is an important event 'cause I think it's like a new kind of Black Hat. Because it's a new culture, new architecture. Blockchain's super important, there's a lot of interest. And there's a lot of immature companies out there that are building fast, and they need to ramp up. And they're getting ICO money, which is like going public, so, it's like being grown-up before you're grown-up. And you got to get there faster. And I mean, that seems to be, do you agree with that? >> Um, yeah, definitely so. A lot of people love putting money into ICOs, then what if they go tag, then people don't know about security that much, so, it's a big-- >> So, what are you excited about? Stepping back from the bounty hunter that you are, as you look at the tech industry, security, and blockchain in general, what are you most excited about? What are you working on? >> So, frankly saying, so, I'm looking forward to hack, ethically hack more and more exchanges, and uh, I believe none of them should die the legal tag, but, that's where most of the money is going to be in the future. So, that's the most interesting thing. 
Blockchain security is the most-- >> Yeah, that's where the money is. >> Yeah, yeah, yeah. >> The modern day bank robbery. It's happening. Global, modern, bank robbery. (Anand laughs) Andreas is right, by the way. (Anand giggles) He talked about that today. It's not like the old machine gun, give me the teller way. Give me your cash drawer, on, it's-- >> That was a very nice talk. >> It's other people from other banks with licenses. >> Yup. >> The new bank robbers. Well, thanks for coming on theCUBE, sharing your story, appreciate it. >> Thank you. >> Great to have you on. >> Thank you for inviting me. >> You're a real big celebrity in the space, and your work's awesome, and love the fact that you're ethically hacking. >> Yeah, by the way, I'm not the world's number one bounty hunter. I'm just-- >> Number two. >> Not number two, maybe, there are a lot of people out there. >> You're up there. >> I'm just learning and-- >> We could do a whole special or a Netflix series on the bounty hunting. >> Yeah, yeah. (laughs) >> And follow you around. (both laughing) And now, thanks for coming out, appreciate it. >> Thank you. >> Good to see you. >> Good to see-- >> All right. More CUBE coverage after this short break, stay with us. Here, live, in HoshoCon. First security conference around Blockchain. I'm John Furrier, thanks for watching. (upbeat techno music)
Hartej Sawhney, Hosho | Blockchain Futurist Conference 2018
>> Live, from Toronto Canada, it's the CUBE! Covering Blockchain Futurist Conference 2018. Brought to you by the CUBE. >> Hello everyone and welcome back. This is the CUBE's exclusive coverage here in Toronto for the Blockchain Futurist Conference, we're here all week. Yesterday we were at the Global Cloud and Blockchain Summit put on by DigitalBits and the community, here is the big show around thought leadership around the future of blockchain and where it's going. Certainly token economics is the hottest thing with blockchain, although the markets are down the market is not down when it comes to building things. I'm John Furrier with Dave Vellante, here with CUBE alumni and special guest Hartej Sawhney who is the founder of Hosho doing a lot of work on security space and they have a conference coming up that the CUBE will be broadcasting live at, HoshoCon this coming fall, it's in October I believe, welcome to the CUBE. >> Thank you so much for having me. >> Always great to see you man. >> What's the date of the event, real quick, what's the date on your event? >> It's October 9th to the 11th, Hard Rock Hotel & Casino, we rented out the entire property, we want everyone only to bump into the people that we're inviting and they're coming. And the focus is blockchain security. We attend over 130 conferences a year, and there's never enough conversation about blockchain security, so we figured, y'know, Defcon is still pure cybersecurity, Devcon from Ethereum is more for Ethereum developers only, and every other conference is more of a traditional blockchain conference with ICO pitch competitions. 
We figured we're not going to do that, and we're going to try to combine the worlds, a Defcon meets Devcon vibe, and have hackers welcome, have white hat hackers host a bug bounty, invite bright minds in the space like Max Keiser and Stacy Herbert, the founder of the Trezor wallet, RSA, y'know we've even invited everyone from our competitors to everyone in the media, to everyone that are leading the blockchain whole space. >> That's the way to run an event with community, congratulations. Mark your calendar we've got HoshoCon coming up in October. Hartej, I want to ask you, I know Dave wants to ask you your trip around the world kind of questions, but I want to get your take on something we're seeing emerging, and I know you've been talking about, I want to get your thoughts and reaction and vision on: we're starting to see the world, the losers go out of the market, and certainly prices are down on the coins, and the coins are a lot of tokens out there, >> Too many damn tokens! (laughing) >> The losers are the only ones who borrowed money to buy bitcoin. >> (laughs) Someone shorted bitcoin. >> That's it. >> But there's now an emphasis on builders and there's always been an entrepreneurial market here, alpha entrepreneurs are coming into the space you're starting to see engineers really building great stuff, there's an emphasis on builders, not just the quick hit ponies. >> Yep. >> So your thoughts on that trend. >> It's during the down-market that you can really focus on building real businesses that solve problems, that have some sort of foresight into how they're going to make real money with a product that's built and tested, and maybe even enterprise grade. 
And I also think that the future of fundraising is going to be security tokens, and we don't really have a viable security exchange available yet, but giving away actual equity in your business through a security token is something very exciting for sophisticated investors to participate in this future tokenized economy. >> But you're talking about real equity, not just percentage of coin. >> Yeah, y'know, actual equity in the business, but in the form of a security token. I think that's the future of fundraising to some extent. >> Is that a dual sort of vector, two vectors there, one is the value of the token itself and the equity that you get, right? >> Correct, I mean you're basically getting equity in the company, securitized in token form, and then maybe a platform like Securitize or Polymath, the security exchanges that are coming out, will list them. And so I think during the down-markets, when prices are down, again I said before the joke but it's also the truth: the only people losing in this market are the ones who borrowed to buy bitcoin. The people who believe in the technology remain to ignore the price more or less. And if you're focused on building a company this is the time to focus on building a real business. A lot of times in an up-market you think you see a business opportunity just because of the amount of money surely available to be thrown at any project, you can ICO just about any idea and get a couple a million dollars to work on it, not as easy during a down-market so you're starting to take a step back, and ask yourself questions like how do we hit $20,000 of monthly recurring revenue? And that shouldn't be such a crazy thing to ask. When you go to Silicon Valley, unless you're two-time exited, or went to Stanford, or you were an early employee at Facebook, you're not getting your first million dollar check for 15 or 20 percent of your business, even, until you make 20, 25K monthly recurring revenue. 
I say this on stage at a lot of my keynotes, and I feel like some people glaze their eyes over like, "obviously I know that", the majority are running an ICO where they are nowhere close to making 20K monthly recurring and when you say what's your project they go, "well, our latest traction is that we've closed about 1.5 million in our private pre-sale." That's not traction, you don't have a product built. You raised money. >> And that's a dotcom bubble dynamic where the milestone of fundraising was the traction and that really had nothing to do with building a viable business. And the benefit of blockchain is to do things differently, but achieve the same outcome, either more efficient or faster, in a new way, whether it's starting a company or achieving success. >> Yep, but at the same time, blockchain technology is relatively immature for some products to go, at least for the Fortune 500 today, for them to take a blockchain product out of R&D to the mainstream isn't going to happen right now. Right now the Fortune 500 is investing into blockchain tech but it's in R&D, and they're quickly training their employees to understand what is a smart contract?, who is Nick Szabo?, when did he come up with this word smart contracts? I was just privy to seeing some training information for multiple Fortune 500 companies training their employees on what are smart contracts. Stuff that we read four or five years ago from Nick Szabo's essays is now hitting what I would consider the mainstream, which is mid-level talent, VP-level talent at Fortune 500 companies, who know that this is the next wave. And so when we're thinking about fundraising it's the companies who raise enough money are going to be able to survive the storm, right?
In this down-market, if you raised enough money in your ICO, for this vision that you have that's going to be revolutionary, a lot of times I read an ICO's white paper and all I can think is well I hope this happens, because if it does that's crazy. But the question is, did they raise enough money to survive? So that's kind of another reason why people are raising more money than they need. Do people need $100 million to do the project? I don't know. >> It's an arms race. >> But they need to last 10 years to make this vision come true. >> Hey, so, I want to ask you about your whirlwind tour. And I want to ask in the context of something we've talked about before. You've mentioned on the CUBE that Solidity, very complex, there's a lot of bugs and a lot of security flaws as a result in some of the code. A lot of the code. You're seeing people now try to develop tooling to open up blockchain development to Java programmers, for example, which probably exacerbates the problem. So, in that context, what are you seeing around the world, what are you seeing in terms of the awareness of that problem, and how are you helping solve it? >> So, starting with Fortune 500 companies, they have floors on floors around the world full of Java engineers. Full Stack Engineers who, of course, know Java, they know C#, and they're prepared to build in this language. And so this is why I think IBM's Hyperledger went in that direction. This is why even some people have taken the Ethereum virtual machine and tried to completely rebuild it and rewrite it into functional programming languages like Clojure and Scala. Just so it's more accessible and you can do more with the functional programming language. Very few lines of code are equivalent to hundreds of lines of code in linear languages, and in functional programming languages things are concurrent and linear and you're able to build large-scale enterprise-grade solutions with very small lines of code.
So I'm personally excited, I think, about seeing different types of blockchains cater more towards Fortune 500 companies being able to take advantage, right off the bat, of rooms full of Java engineers. The turn to teaching of Solidity, it's been difficult, at least from the cybersecurity perspective we're not looking for someone who's a software engineer who can teach themselves Solidity really fast. We're looking for a cybersecurity, QA-minded, quality-assurance mindset, someone who has an OPSEC mindset to learn Solidity and then audit code with the cybersecurity mindset. And we've found that to be easier than an engineer who knows Java to learn Solidity. Education is hard, we have a global shortage of qualified engineers in this space. >> So cybersecurity is a good cross-over bridge to Solidity. Skills matters. >> If you're in cybersecurity and you're a full sec engineer you can learn just about any language like anyone else. >> The key is to start at the core. >> The key is to have a QA mindset, to have the mindset of actually doing quality assurance, on code and finding vulnerabilities. >> Not as an afterthought, but as a fundamental component of the development process. >> I could be a good engineer and make an app like Angry Birds, upload it, and even before uploading it I'll get it audited by some third party professional, and once it's uploaded I can fix the bugs as we go and release another version. Most smart contracts that have money behind them are written to be irreversible. So if they get hacked, money gets stolen. >> Yeah, that's real. >> And so the mindset is shifting because of this space. >> Alright, so on your tour, paint a picture, what did you see? >> First of all, how many cities, how long? Give us the stats. >> I just did about 80 days and I hit 10 countries. Most of it was between Europe and Asia. 
I'll start with saying that, right now, there's a race amongst smaller nations, like Malta, Bermuda, Belarus, Panama, the island nations, where they're racing to say that "we have clarity on regulation when it comes to the blockchain cryptocurrency industries," and this is a big deal, I'd say, mainly for cryptocurrency exchanges, that are fleeing and navigating global regulation. Like in India, Unocoin's bank has been shut down by the RBI. And they're going up against the RBI and the central government of India because, as an exchange, their banks have been shut down. And they're being forced to navigate waters and unique waves around the world globally. You have people like the world's biggest exchange, at least by volume today is Binance. Binance has relocated 100 people to the island of Malta. For a small island nation that's still technically a part of the European Union, they've made significant progress on bringing clarity on what is legal and what is not, eventually they're saying they want to have a crypto-bank, they want to help you go from IPO to ICO from the Maltese stock exchange. Similarly also Gibraltar, and there's a law firm out there, Hassans, which is like the best law firm in Gibraltar, and they have really led the way on helping the regulators in Gibraltar bring clarity. Both Gibraltar and Malta, what's similar between them is they've been home to online gambling companies. So a lot of online casinos have been in both of their markets. >> They understand. >> They've been very innovative, in many different ways. And so even conversations with the regulators in both Malta and Gibraltar, you can hear their maturity, they understand what a smart contract is. They understand how important it is to have a smart contract audited. They already understand that every exchange in their jurisdiction has to go through regular penetration testing.
That if this exchange changes its code that the code opens it up to vulnerabilities, and is the exchange going through penetration testing? So the smaller nations are moving fast. >> But they're operationalizing it faster, and it's the opportunity for them is the upside. >> My only fear is that they're still small nations, and maybe not what they want to hear but it's the truth. Operating in larger nations like the United States, Canada, Germany, even Japan, Korea, we need to see clarity in much larger nations and I think that's something that's exciting that's going to happen possibly after we have the blueprint laid out by places like Malta and Gibraltar and Bermuda. >> And what's the Wild West look like, or Wild East if you will in Asia, a lot of activity, it's a free-for-all, but there's so much energy both on the money-making side and on the capital formation side and the entrepreneurial side. Lay that out, what's that look like? >> By far the most exciting thing in Asia was Korea, Seoul, out of all the Asian tiger countries today, in August 2018, Seoul, Korea has a lot of blockchain action going on right now. It feels like you're in the future, there's actually physical buildings that say Blockchain Academy, and Blockchain Building and Bitcoin Labs, you feel like you're in 2028! (laughs) And today it's 2018. You have a lot of syndication going on, some of it illegal, it's illegal if you give a guarantee to the investor you're going to see some sort of return, as a guarantee. It's not illegal if you're putting together accredited investors who are willing to do KYC and AML and be interested in investing a couple of hundred ETH in a project. So, I would say today a lot of ICOs are flocking to Korea to do a quick fundraising round because a lot of successful syndication is happening there. Second to Korea, I would say, is a battle between Singapore and Hong Kong. 
They're both very interesting. It's the one place where you can find people who speak English, but also all four of the languages of the tiger nations: Japanese, Mandarin, Cantonese, Korean, all in one place in Hong Kong and Singapore. But Singapore, you still can't get a bank account as an ICO. So they're bringing clarity on regulation and saying you can come here and you can get a lawyer and you can incorporate, but an ICO still has trouble getting a bank account. Hong Kong is simply closer in proximity to China, and China has a lot of ICOs that cannot raise money from Chinese citizens. So they can raise from anybody that's not Chinese, and they don't even have a white paper, a website, or even anybody in-house that can speak English. So they're lacking English materials, English websites, and people in their company that can communicate with the rest of the world in other languages other than Mandarin or Cantonese. And that's a problem that can be solved and bridges need to be built. People are looking in China for people to build that bridge, there's a lot of action going on in Hong Kong for that reason since even though technically it's a part of China it's still not a part of China, it's a tricky gray line. >> Right, in Japan a lot going on but it's still, it's Japan, it's kind of insulated. >> The Japanese government hasn't provided clarity on regulation yet. Just like in India we're waiting for September 11th for some clarity on regulation, same way in Japan, I don't know the exact date but we don't have enough clarity on regulation. I'm seeing good projects pop up in Korea, we're even doing some audits for some projects out of Japan, but we see them at other conferences outside of Japan as well. Coming up in Singapore is consensus, I'm hoping that Singapore will turn into a better place for quality conferences, but I'm not seeing a lot of quality action out of Singapore itself. Y'know, who's based in Singapore?
Lots of family funds, lots of new exchanges, lots of big crypto advisory funds have offices there, but core ICOs, there was still a higher number of them in Korea, even in Japan, even. I'm not sure about the comparison between Japan and Singapore, but there is definitely a lot more in Korea. >> What about Switzerland, do you have any visibility there? Did you visit Switzerland? >> I was in Zug, I was in Crypto Valley, visited Crypto Valley labs... >> What feels best for you? >> I don't know, Mother Earth! (laughs) >> All of the above. >> The point of bitcoin is for us to start being able to treat this earth as one, and as you navigate through the crypto circuit one thing as that is becoming more visible is the power of China partnering up with the Middle East and building a One Belt, One Road initiative. I feel like One Belt, One Road ties right into the future of crypto, and it's opening up the power of markets like the Philippines, Thailand, Malaysia, Singapore. >> What Gabriel's doing in the Caribbean with Barbados. >> Gabriel from Bit, yeah. >> Yeah, Bit, he's bringing them all together. >> Yeah, I mean the island nations are open arms to companies, and I think they will attract a lot of American companies for sure. >> So you're seeing certainly more, in some pockets, more advanced regulatory climates, outside of the United States, and the talent pool is substantial. >> So then, when it comes to talent pools, I believe it was in global commits for the language of Python, China is just on the verge of surpassing the United States, and there's a lot of just global breakthroughs happening, there's a large number of Full Stack engineers at a very high level in countries like China, India, Ukraine.
These are three countries that I think are outliers in that a Full Stack Engineer, at the highest level in a country like India or Ukraine for example, would cost a company between $2,000 to $5,000 a month, to employ full time, in a country where they likely won't take stock to work for your company. >> Fifteen years ago those countries were outsource, "hey, outsource some cheap labor," no, now they're product teams or engineers, they're really building value. >> They're building their own things, in-house. >> And the power of new markets are opening up as you said, this is huge, huge. OK, Hartej, thanks so much for coming on, I know you got to go, you got your event October 9th to 11th in Las Vegas, Blockchain Security Conference. >> The CUBE will be there. >> I look forward to having you there. >> You guys are the leader in Blockchain security, congratulations, hosho.io, check it out. Hosho.io, October 9th, mark your calendars. The CUBE, we are live here in Toronto, for the Blockchain Futurist Conference, with our good friend, CUBE alumni Hartej. I'm John Furrier, Dave Vellante, be right back with more live coverage from the Untraceable event here in Toronto, after this short break.
Matt Johnson, Cisco DevNet | DevNet Create 2018
>> Announcer: Live from the Computer History Museum in Mountain View, California, it's theCUBE, covering DevNet Create 2018. Brought to you by Cisco. (jingle) >> Hi, welcome back to theCUBE. My name is Lauren Cooney, and I'm here today with Matt Johnson who is a technologist at Cisco, with Cisco DevNet. Hi Matt. >> Hi, how's it going? Good to see you again. >> Pretty good. Good to see you again too. So what's going on here? What's going on with the show and what are you working on? >> Oh, sure. So the show in general is just this ability for us, you know, Cisco DevNet have always had quite a large and a growing presence at Cisco Live, kind of Cisco's, Europe and US yearly conferences. But this is the second year we've done Create, and it's really an opportunity to kind of take the real developer angle, the makers, the API integrators, kind of the real, kind of developer ecosystem that's going around Cisco's products and our APIs, and just kind of focus on that audience. So, you know, all the content here is developer for developer. And so it's just really nice to be able to experiment in a bit more of an open format. >> Yeah, exactly. So it's kind of that DIY environment of developers that are coming in and really doing all this stuff and starting to innovate on their own. >> Yeah, absolutely. 
And what I'm really excited about here we have the, we had kind of a two-day hackathon running at the same time as the event, and so, instead of that just being a little bit of time spent between sessions, these are teams that have already kind of been working behind the scenes on the run-up to the event, so they've already kind of met each other virtually through collaboration, they've already worked out what kind of problem space they want to solve, they've already started working on kind of sample and PLC code, so the idea that at the end of a two-day conference we could actually see some working solutions to real problems that our partners and our customer ecosystem is seeing, I think that's quite-- >> That's great. >> An exciting idea. >> Yeah, Mandy Whalen was just on with us. >> Oh, fantastic. >> And she actually talked a little bit about that, and you know, so these guys will be up for 24 hours hacking on stuff. Hopefully we'll see some great solutions come the end and you know, we'll talk about it here on theCUBE. >> Yeah. >> So tell me about what you're doing today at Cisco DevNet. >> Sure, so from one style of hacking to another, we are actually running this demo called the Black Hat White Hat Challenge. And I went to, I've always been a bit of a kind of hobbyist pentester. >> Lauren: Never, no. >> I liked breaking things from a young age. And I got to attend my first Defcon in Las Vegas last year, and coming from an evangelism background, coming from kind of doing workshops and talks and demos, I was absolutely amazed at the interactivity of pretty much everything that goes on at the black hat hacking conference, sorry the Defcon hacking conference. My apologies. They have, you know, hands-on IoT villages where you can go and try hacking against all the hardware, there is kind of labs and tutorials for people that are maybe just getting into kind of that side of hacking and penetration testing. 
So I kind of brought that back and I've always had a passion for security, and IoT nowadays, we are in a situation where a lot of these devices we are starting to bring into our homes and our businesses and things, are built to a budget. They are built cheap, they're not security devices. People aren't thinking of security, they're thinking of functionality when they're building those, so someone that makes fridge freezers isn't going to be thinking about the 10 year security roadmap for that fridge freezer. They're going to be thinking about selling the latest smart freezer. >> Lauren: Exactly. >> And so I wanted to kind of bring some of that hands-on Defcon-style hacking into a real-world scenario. So at security conferences and at developer conferences, we always talk about things being insecure, and we talk about needing to think about security. But what we have is a booth here where we actually take off-the-shelf IoT devices, and in a curated path we are getting attendees with no background in kind of pen testing to use real-world hacking tools and real exploits against those devices, to build their access into that network and eventually get to the goal, which is getting into an electrical safe with like a price inside. And all of that is real off-the-shelf IoT. It's real security. And the aim of that is to kind of-- >> So they are actually cracking the safe. >> They are cracking the safe, they are cracking into Wi-Fi. They're getting onto the guest Wi-Fi and then finding a vulnerability in the router which gets them onto the wired network, so that'd be like a guest network in a corporate environment or a guest network in a hotel, getting you onto the hotel's infrastructure network and then to a camera. >> So this is like straight up hacker one. >> Straight up, yeah, exactly, right? Which is perfect. >> Lauren: This is great. >> Yeah, exactly. So that's what we're doing and the idea is to just to kind of stop talking about it and start showing. 
This is not stuff you need to be super good at. This is stuff you can Google. The tools are out there, the tools are getting more and more easy to use. And also vulnerabilities are becoming more and more common because of the growth of IoT. There were double the number of CVE, like known vulnerabilities in the wild in 2017 than there were in 2016. >> Okay. >> And that's because of this constant pace of new devices. So we're kind of showing that these are really crackable by anyone with a bit of time and research. And then also showing kind of what can be done about that. And, you know, even without kind of the proactive and firewalls and things like that, just getting a developer audience thinking about this stuff, getting them, you know, fresh in their mind, you know, these are the kind of places we should be focusing on IoT security because it's these developers that will be writing code and those products today-- >> I think that's great. And I think security is so important today with everything going on, and then there's Facebook and testimonies that are happening today, and you know, lots of different things. Now, what are you using to actually kind of fill these holes, fill these kind of security vulnerabilities that you're using with these off-the-shelf IoT devices? >> Sure, so what we are showing is how kind of, if you know if you have these devices on your network, obviously layering things like Cisco's next-gen firewalls in line with those devices, has signatures that will detect. It's not going to patch the device itself, 'cause that might be from another vendor or an IoT camera or a light switch or something, but it's going to detect the malicious traffic trying to attack that device and drop it. So you're kind of protecting your perimeter, you're stopping a vulnerable device becoming an actual hack.
Alternatively from a personal perspective, as we start looking at how we consume hardware in our homes and businesses, I actually really like kind of the Meraki model and the Nest Cam model, and you know, all the other camera vendors which charge you with subscription, 'cause if you buy hardware one-off, you have no idea whether that price for that hardware allotted budget for the development team to keep thinking about security or whether that team doesn't exist anymore and they're off building their next product. >> Lauren: Yup. >> Whereas if you're buying something on kind of a subscription basis, even though the hardware is in your home, you know that their profit is based on them keeping your product up-to-date. >> Lauren: Definitely. >> So you expect, you know, real-time updates, you expect timely security updates. And so I think that kind of a software as a service style delivery of on-prem hardware is definitely a more secure approach. >> Yeah, and the Meraki model is definitely moving forward as one of the prevalent models that we, you know, Cisco has. >> Exactly. Yeah. >> And it's, you know, that plug and play, easy-to-use, get it up and running, et cetera. >> Exactly, and then on the back of that you know that there's people working on those security things, which isn't something that you think about when you buy it for its APIs and its plug-and-play in its ease-of-use, but just knowing that that is there and, you know, you're paying for that development, is a good thing. >> Where do you see most of these vulnerabilities, and I know you have a lot of background in cloud computing and you know, in these arenas, but where do you see most of these vulnerabilities? >> Matt: So-- >> It's a big question. >> Yeah. I mean a lot of the, hackers are going to wherever, you know, is easiest for the amount of time and effort. Certainly when we see kind of malicious actors kind of looking for a large footprints, large, building botnets et cetera. 
There could be a very, very clever attack that requires a lot of time and effort, or there could be an IoT device that you know there's going to be 4 million of them sold online, they're going to go for those. And like I said, these devices are low-power, built to a budget. You can get them into your hands and like SaaS service online. So people can take them apart, they can have a look at the code inside of them. They can have a look at the operating system. So it's quite easy to find vulnerabilities on these IOT devices. >> Lauren: Oh yeah. >> So that is definitely a growing area. Also the level for harm on those kind of vulnerabilities, if we are talking about Internet-connected healthcare, Internet-connected hospital equipment, you know, control valves for factories that may or may not be dealing with certain kind of materials. That is definitely a focus both from a security industry perspective, and also kind of where we are seeing hackers targeting. >> That's great. So tell me a little bit about what else you're working on right now. I think, I always find it interesting to hear from you what you're kind of hacking with and-- >> Yeah, sure. So that's my, that's my kind of security hobby-cum-part time role I guess within DevNet. >> Lauren: Love it. >> I quite like that kind of hands-on security evangelism. A lot of other stuff I'm doing is all around kind of open source and micro services and containers. So we're doing lots of work internally with Kubernetes Right now. Proof of concepting, some new user space networking code. >> Lauren: Oh great. >> Which would allow basically the network your traffic takes from your application in the container, write out to the network card, to be a user space app. So, you know, you're not stuck with the networking that a cloud provider gives you. 
If you want to test your application fully like packet to app back to the wire, and know that that network is also going to go with you when you deploy anywhere, we're going to be able to do that. >> That's fabulous. >> And there's also some real performance benefits to kind of not going in and out of the Linux kernel, so we can kind of saturate 40 gigabits a second from a container, straight down to the wire on kind of commodity compute like UCS what like any x86 service. So really excited about that. It's in development at the moment. That's all open source. >> Lauren: It will be all open source. >> It's all open source already under the FD.io project, FD dot io. >> Oh. >> The integration into Kubernetes is ongoing. And obviously will be open sourced as it gets developed. But that's super exciting. Also just the whole Merakifi, Merakification if I can say that. This idea of turning on-prem devices into kind of black box, you know, cloud managed, cloud updated. You have an IT team. They're just remote and kind of paid for in a SaaS model rather than having to manage and patch those devices on-prem. >> Lauren: Oh yeah. >> You know, we currently do that with switches and routers and cameras as I'm sure you know that the Meraki product portfolio, I don't see why we don't do that with on-prem compute. Why don't we do that with on-prem, you know, Kubernetes clusters. Why should a Kubernetes cluster, just because it sat in your data center, be any different in terms of usability, billing, management, than the one you get from Google Cloud platform or Azure or AWS? It should have the same user experience. So across those two areas, yeah, that's where I'm spending most of my time at the moment. >> Great, well, we're kind of wrapping up here. Tell me, what is the most exciting thing for you that's coming down the path in the next six months or so? >> Um. >> Can you tell us? >> I cannot tell you the most exciting thing, I'm afraid. 
It has to do with everything I'm talking about, kind of the networking, the as a service, super excited about user space networking. We have customers that looking to do kind of real-time video pipelines for a broadcast in containers. And being able to do that on-prem or in cloud or wherever, and this FD.io VPP technology, I think will really unlock that. >> Lauren: That's great. >> So real use cases, and yeah, super excited. >> Great. Matt, thank you so much for coming on today. >> It's been pleasure. >> Yeah, my pleasure as well. This is Lauren Clooney and we'll be right back from the show here at Cisco DevNet Create. (jingle)
Hartej Sawhney, Pink Sky Capital & Hosho.io | Polycon 2018
>> Narrator: Live from Nassau in the Bahamas. It's The Cube! Covering PolyCon 18. Brought to you by PolyMath. >> Welcome back everyone, we're live here in the Bahamas with The Cube's exclusive coverage of PolyCon 18. I'm John Furrier with my co-host Dave Vellante, both co-founders of SiliconANGLE. We start our coverage of the cryptocurrency, ICO, blockchain, decentralized world internet that it is becoming. It's the beginning of our tour, 2018. Our next guest is Hartej Sawhney, who's the advisor at Pink Sky Capital, but also the co-founder of Hosho.io. Welcome to The Cube. >> Thank you so much. >> Hey thanks for coming on. Thanks for coming on. >> Thanks guys. >> We had a great chat last night, and you do some real good work. You're one of the smartest guys in the business. Got a great reputation. A lot of good stuff going on. So, take a minute to talk about who you are, what you're working on, what you're doing, and the projects you're involved in. >> So first of all, thank you so much for having me, it's really exciting to see the progress of high-quality content being created in the space. So my name is Hartej Sawhney. We have a team based in Las Vegas. I've been based in Las Vegas for about five years. But I was born and raised in central New Jersey, in Princeton. And my co-founder is Yo Sub Kwon. We started this company about seven months ago, and my co-founder's background was he's the co-founder of Coinsetter, an exchange out of New York, which exited to Kraken. After that he started LaunchKey, which exited to iovation. And prior to this company, my previous company was Zuldi, Z-U-L-D-I .com, where we had a mobile point-of-sale system specifically for high-volume food and beverage companies and businesses. So we were focused on Fintech and mobile point of sale and payment processing. So both of us have a unique background in both Fintech and cyber-security, and my co-founder Yo, he's a managing partner of a crypto hedge fund named Pink Sky Capital.
And he was doing diligence for Pink Sky, and he realized that the quality of the smart contracts he was seeing for deals that he wanted to participate in as an investor, and I'm an advisor in that hedge fund, we both realized that essentially the quality of these smart contracts is extremely low. And that there was nobody in this space that we saw laser focused on just blockchain security. And all the solutions that would be entailed in there. And so we began focusing on just auditing smart contracts, doing a line-by-line code review of each smart contract that's written, conducting a gas analysis, and conducting a static analysis, making sure that the smart contract does what the white paper says, and then putting a seal of approval on that smart contract to mitigate risk. So that the code has not been changed once we've done an analysis of it, that there's no security vulnerabilities in this code, and that we can mitigate the risks for exchanges and for investors, that someone has done a thorough code analysis of this. That there's no chance that this is going to be hacked, that money won't be stolen, money won't be lost, and that there's no chance of a security vulnerability on this. And we put our company's name and reputation on this. >> And what was the problem that is the alternative to that? Was there just poorly written code? Was it outdated code? Was it gas was too expensive? They were doing off-chain transactions. I mean what are some of the dynamics that lead you guys down this path? I mean this makes sense. You're kind of underwriting the code, or you're insuring it, or I don't know what you call it, but essentially verifying it. What was the problem? And what were some of the use cases of problems? >> I would say that the underlying problem today in this whole industry, of the blockchain space, is that the most commonly found blockchain is Ethereum. The language behind Ethereum is called Solidity.
Solidity is a brand new software language, and very few people in the world are proficient programmers in Solidity. On top of that, Solidity is updated as a language on a weekly basis. So there are a very limited number of engineers in the world who are full-stack engineers, that have studied and understand Solidity, that have a security background, and have a QA mindset. Everything that I just said does exist on this Earth today, and if it does, there's a chance that that person has made too much money to want to get out of bed. Because Ethereum's price has gone up. So the quality of smart contracts that we're seeing being written by even development shops, the developers building them are actually not full-stack engineers, they're web developers who have learned the language Solidity, and so thus we believe that the quality of the code has been significantly low. We're finding lots of critical vulnerabilities. In fact, 100% of the time that Hosho has audited code for a smart contract, we have found at least a couple of vulnerabilities. Even as the second or the third auditor after other companies conduct an audit, we always find a vulnerability. >> And is it correct that Solidity is much more easy to work with than, say, Bitcoin scripting language, so you can do a lot more with it, so you're getting a lot more, I don't want to say rogue code, but maybe that's what it is. Is that right? Is that the nature of Ethereum? >> Compared to Bitcoin script, yes. But compared to JavaScript, no. Because Fortune 500 companies have rooms full of Java engineers, Java developers. And now the newer blockchains are being written, are being written in JavaScript, right? So you have IBM's Hyperledger program, you have EOS, you have ICX, Cardano, Stellar, Waves, Neo, there's so many new projects that are coming, that all of them are flexing about the same thing. Including Rootstock, RSK.
RSK is a project where they're allowing smart contracts to be tied to the Bitcoin blockchain for the first time ever. Right, so Fortune 500 companies may take advantage of the fact that they have Java developers to take advantage of already, that already work for them, who could easily write to a new blockchain, and possibly these new blockchains are more enterprise grade and able to take more institutional capital. But only time will tell. And us as the auditor, we want to see more code from these newer blockchains, and we want to see more developers actually put in commits. Because it's what matters the most, is where are the developers putting in commits, and right now maximum developers are on the Ethereum blockchain. >> Is that, the numbers I mean. Just take a step there. So the Ethereum blockchain. Percentage of developers vis-a-vis other platforms, percentages-- >> By far the most is developed on Ethereum. >> And in terms of code, obviously the efficiencies that are not yet realized, 'cause there's not enough cycles of coding going on, it's evolution, right? >> Yes. >> Seems to be the problem, wouldn't you say? So a combination of full-stack developer requirements, >> Yes. >> To people who aren't proficient in all levels of the stack. >> Yes. >> Just are inefficient in the coding. It's not a ding on the developers, it's just they're writing code and they miss something, right? Or maybe they're not proficient in the language-- >> It's a new language. The functions are being updated on a weekly basis, so sometimes you copied and pasted a part of another contract that came from a very sophisticated project, so they'll say to us, well we copied and pasted this portion from EOS, so it should be great. But what that's leading to is either A, they're using a function that's now outdated, or B, by copying and pasting someone else's code from their smart contract, this smart contract is no longer doing what you intended it to do.
>> So now Hartej, how much of your capability is human versus machine? >> Yeah I was going to ask that. >> ML, AI type stuff? >> So we're increasingly becoming automated, but because of the, there's so much demand in the space. And we've had so much demand to consistently conduct audits, it's tough to pull my engineers away from conducting an audit to work on the tooling to automate the audit, right? And so we are building a lot of proprietary tooling to speed up the process, to automate conducting a gas analysis, where we make sure you're not clogging up the blockchain by using too much gas. Static analysis, we're trying to automate that as fast as possible. But what's a bit more difficult to automate, at least right now, is when we have a qualified full-stack engineer read the white paper or the source of truth and make sure the smart contract actually does it, that is, it's a bit longer tail where you're leveraging machine learning and AI to make that fully automated. (talking over each other) >> But maybe is that, I'm sorry John. Is that the long-term model, or do you think you can actually, I mean there's people that say augmented intelligence is going to be a combination of humans and machines, what do you think? >> I think it's going to be a combination for a long time. Every single day that we audit code, our process gets faster and faster and faster, because once we find a vulnerability, finding that same vulnerability next time will be faster and easier and faster and easier. And so as time goes on, we see it as, since the bundle of our work today is ICOs, token generation events, they are ERC-20 tokens on the Ethereum blockchain. And we don't know how long this party will last. Like maybe in a couple years or a couple months, we have a big twist in the ICO space that the numbers will drastically go down. The long tail of Hosho's business for us is to keep track of people writing smart contracts, period.
But we think they are going to become more functional smart contracts, where the entire business is on a smart contract and they've cut out sophisticated middlemen. Right, and it may be less ICOs, and in those cases I mean, if you're a publicly traded company, and you're going from R&D phase where you wrote a smart contract and now actually going to deploy it, I think the publicly traded company's going to do three to five audits. They're going to do multiple audits and take security as a very major concern. And in the space today, security is not being discussed nearly as much as it should. We have the best hedge funds cutting checks into companies before the smart contract is even written, let alone audited. And so we're trying to partner with all the biggest hedge funds and tell the hedge funds to mandate that if you cut a check into a company that is going to do a token generation event, that they need to guarantee that they're going to at least value security, both in-house for the company and for the smart contract that's going to be written. >> How much do you charge for this? I mean just ballpark. Is it a range of purchase price, sales price? What's the average engagement go for, is it on a scope of work? Statement of work? Or is it license? I mean how does it work? >> So first it depends, is it a penetration test of the website or the exchange? Penetration testing of exchanges is far more complex than just a website. Or if it's a smart contract audit, is it an ICO or is it a functional smart contract? In either case, for the smart contract audit, we have to build a long set of custom tooling to attack each and every smart contract. So it's definitely very case-by-case. But a ballpark that we could maybe give is somewhere around the lines of 10 to 15 thousand dollars per 100 lines of functional code. And we ask for about three weeks of lead time for both a smart contract audit and a penetration test.
And surprisingly in this space, some of the highest caliber companies and high caliber projects with the best teams are coming to us far too late to get a security audit and a penetration test. So after months of fundraising and a private pre-sale and another pre-sale, and going and throwing parties and events and conferences to increase the excitement for participating in their token sale, what we think is the most important part, the security audit for a smart contract, is left to the last week before your ICO. And a ridiculous number of companies are coming to us within seven days of the token sale, >> John: Scrambling. >> Scrambling, and we're saying but we've seen you at seven conferences, I think that we need to delay your ICO by two or three weeks. We can assure you that all of your investors will say thank you for valuing security, because this is irreversible. Once this goes live and the smart contract is deployed. >> Horse is out of the barn. >> It's irreversible. >> Right right. >> And once we seal the code, no one should touch it. >> It's always the case with security, it's bolted on at the last minute. >> It's like backup and recovery too, oh we'll just back it up. It's an architectural decision we should have made months ago. So question for you, the smart contract, because again I'm just getting my wires crossed, 'cause there's levels of smart contracts. So if we, hypothetical ICO, or we're doing smart contracts for our audience that's going to come out soon. But see that's more transactional. There's security token sales, >> Yes. >> That are essentially, can be ERC-20 tokens, and that's not huge numbers. It could be big, but not massive. Not a lot of transaction costs. That's a contract, right? That's a smart contract? >> People are writing smart contracts to conduct a token generation event, most commonly for an ERC-20 token, that's correct. >> Okay so that's the big, I call that the big enchilada.
That's the big-- >> Right now that is the most important, the most common. >> Okay so as you go in the future, I can envision a day where in our community, people are going to be doing smart contracts peer-to-peer. >> Sure. >> How does that work? Is that a boilerplate? Is it audited, then it's going to be audited every time? Do the smart contracts get smaller? I mean what's your vision on that? Because we are envisioning a day where people in our audience will say hey Hartej, let's do a white paper together, let's write it together, have a handshake, do a smart contract, click, click. Lock it in. And charge a dollar a download, get a million downloads, we split it. >> I envision a day where you can have a more drag-and-drop smart contract and not need a technical developer to be a full-stack engineer to have to write your smart contract. Yes, I totally envision that day. >> John: But that's not today. >> We are very far from that today. >> Dave, kill that project. >> We're so far, we're very far from that. We're light years far from that. >> Okay well look. If we can't eliminate the full-stack engineers, I'm okay with that. Can we eliminate the lawyers? At least minimize them. >> We can minimize them possibly, but we have five stacks of lawyers for our company, I don't see them going anywhere. We need lawyers all the time. >> I see that in the press sometimes, yeah it's going to get disrupted. I don't see it happening. Okay we were having a great conversation off-camera about what makes a good ICO. You see, you have a huge observation space. And you were very opinionated. A lot of companies are out there just floating a token because they're trying to raise money. And they could do the same thing with Ethereum or Bitcoin. >> That's correct. >> Your thoughts? >> My thoughts are that it's very important for companies who are sophisticated, I think, to start by giving away a little bit of equity in the business.
And that if you want to be in the blockchain space, and you really firmly believe you have a model to have a token within a decentralized application, I would still start by finding quality investors in the space, in the world. They might be still in Silicon Valley. Silicon Valley didn't just disappear overnight now that the blockchain is out. I am all for the fact that Silicon Valley no longer has as much of a grip on tech because of the blockchain world. And they're not seeing as much deal flow, and there's not as much reliance on venture capitalists, that's exciting to me. But let's not forget the value that top-tier VCs like Andreessen Horowitz and Vinod Khosla, and Fintech VCs like Commerce Ventures and Nyca Partners in New York, Propel VC, these are good Fintech VC arms that continue to, time and time again, add immense value to companies. >> And they have networks. They add value. >> They have strong-valued networks, but they're just not going to disappear. And those VCs, if they've invested into a company, took a board seat, fostered their growth, taught them what it means to actually be a real business that's growing at 7-15% week over week, maybe two years down the line, after they've given away a board seat to someone like Nyca Partners, I would be interested in understanding what your token economics look like. Now that you have a revenue generating business, how you've placed a token model into this already running business that makes 25 to 50 grand a month and you have a team of 10, self-sustaining themselves off of revenue. Much more intriguing of a conversation. What's happening today in the space is, hey my buddy Jim and Steve and I came up with an idea for this business. There's going to be a token, and we're starting a private pre-sale tomorrow. I'm going to give you a 300% bonus, and will you be my advisor? And they're going to start raising capital because of an idea.
You know what we used to say in the Silicon Valley startup world, you can raise on just a PowerPoint. I think in the blockchain world, you could raise on just an idea? And then maybe a white paper? And the white paper is one page? And so you've raised a bunch of capital, you have a white paper. >> Now you got to build it. >> Now you got to build, you got to write a smart contract, you got to build it, you got to do it, and then everyone loses excitement and it goes back to our previous conversation, the development talent. So, another thing not being discussed in the space is company employee retention, right? So if you have a growing number of ICOs that have very large budgets because investors have found a way to sink millions of dollars into a company early, you've got $5 million in the hands of a company to start, well this company can afford to pay someone a very ridiculous salary to come join them to write the smart contract now. So they could offer an engineer 500 ETH a month to come join them for three months. So you have good engineers just bouncing from one ICO to the next, and as soon as the ICO goes live, they quit. This is a problem to companies who are-- >> It's migration, out-migration. >> How do you retain, even capital? >> Companies like Hosho, ShapeShift, companies that are selling picks and shovels of the industry, that want to be household names in the space, we have to really think about how we're going to retain our employees in the space. >> So the recruitment and bringing on the new generation, we were also talking off camera about Bill Tai and the younger generation, and kind of riffing on the notion that, because there is a new set of mission-driven developers and builders, on the business side as well. Your thoughts and reaction to what you see, and what you see that's good and what you see that we need more of?
>> So the most powerful thing in the blockchain space that I think is so exciting is that you have a lot of people between the age of 25 and 35 that don't come from money, that didn't go to Stanford, didn't go to Y Combinator, they're probably not white, from-- >> John: Ivy League schools. >> Ivy League schools. I'm not trying to make it about race, but if you're a white male and went to Stanford and went to Y Combinator, chances of you raising VC money on sand hill are a lot higher, right? And you have a guy looking like me who didn't go to Stanford, doesn't come from money, running up and down sand hill, I have personally faced that battle and it wasn't easy. And we were based in Vegas and so being based in Vegas, I'd also have to deal with so why do you live in Vegas? When are you going to move to Silicon Valley? And if we invest in you, you're going to open an office in sand hill right? And now in the blockchain world, what's exciting is you have so many heavy-hitters running as founders, some of the most successful companies in the space, who don't come from money and a big prestigious background, but they're honest, they're hard-working, they're putting in 12 to 15 hours of work every single day, seven days a week. And to space, six weeks is like six years. And we all have a level of trust that goes back to times when we were all running struggling startups. And so our bond is, to me, even more significant than what must have been between Keith Rabois and Peter Thiel in the PayPal Mafia. We have our own mafias being formed of much stronger bonds of younger people who will be able to share much more significant deal flow so if the PayPal Mafia was able to join forces to punch out companies like eBay and Square, wait 'til companies in this space, we have young, heavy-hitters right now who are non-reliant on some of the more traditional older folks. Wait 'til you see what happens in the next couple years. >> Hartej, great conversation. 
And I want to get one more question in. We've seen Keiretsu Forum, mafias, teams more than ever as community becomes an integral part of vetting and by the way trust, you have unwritten rules. I mean baseball, Dave and I used to do sports analogies. >> Self-governance. >> Reggie Jackson talked about unwritten rules and it works. If you beam the batter, the other guy, your best star, your side's going to get beamed. That's an unwritten rule. These are what keeps things going, balanced through the course of a season. What are the unwritten rules in the Ethos right now? >> Honesty, transparency, and that's the key. We need self-governance. This is a very unregulated market. There's rules being broken by people who are ignorant to the rules. The most common rule I've seen being broken is by people who are not broker dealers, running around fundraising capital, they don't even know what an institutional advisor license is. They don't know what a Series 7 and a Series 63 is. I asked a guy just last night, he said I'm pooling capital, I'm syndicating, let me know if you want in on the deal. And I said when did you take your Series 7? He goes what's that? Get away from me. 
You're an American, you need to look up what US securities laws are and make sure that you're playing by the rules and if someone who doesn't know the rules has entered our inner circle of investors, of advisors, of people sharing deal flow, we have a good network of people that are closing the loop for companies, whether it's lawyers, investors, exchanges, security auditors, people who write smart contracts, dev shops, people who write white papers, PR marketing, people who do the road show, there's a full circle-- >> So people are actually doing work to put into the community, to know your neighbor if you will, know the deals that are going down, to identify potential trip wires that are being established by either bad actors or-- >> KYC, AML, this is a new space that's also attracting people that have a criminal background. Right? And that's just a harsh reality of the space. That in the United States if you have a felony on your record, maybe getting a job has become really difficult and you figured let's do an ICO, no one's going to check my record. That is a reality of the space. Another reality is whether the money that was invested into this entire ICO is clean. Right, that's a massive issue for the US government right now. It's been less than 15 hours since the SEC has issued actually subpoenas to people on this exact topic, today. >> This is a great topic, we'd like to do more on. >> Dozens of them. >> We'd like to continue to keep in touch with you on The Cube. Obviously you're welcome anytime, loved your insight. Certainly we'd love to have you be an advisor on our mission, you're welcome anytime. >> For sure, let's talk about it. Come out to Las Vegas. Hosho's always happy to host you. >> John and Dave: We're there all the time. >> The Cube lives at the Sands. >> It's our second home. >> Come by Hosho's office and let us know. Vegas is our home. We are hosting a conference in Vegas after DEFCON. So DEFCON is the biggest security conference in the world. 
You have the best black hats and white hats show up as security experts in Vegas and right on the tail end of it, Hosho's going to host a very exclusive invite-only conference. >> What's it called? Just Hosho Conference? >> Just Blockchain. It'll be called the just, it'll be by the Just Blockchain Group and Hosho's the main backer behind it. >> Well we appreciate your integrity and your sharing here on The Cube, and again you're paying it forward in the community, that's great. Ethos we love that. That's our mission here, paying it forward content. Here in the Bahamas. Live coverage here at PolyCon 18. We're talking about securitized token, a decentralized future for awesome things happening. I'm Jeff Furrier, Dave Vellante. We'll be back with more after this short break. (upbeat music)
Rachel Faber Tobac, Course Hero, Grace Hopper Celebration of Women in Computing 2017
>> Announcer: Live from Orlando, Florida. It's the CUBE. Covering Grace Hopper Celebration of Women in Computing. Brought to you by Silicon Angle Media. >> Welcome back everybody. Jeff Frick here with the Cube. We are winding down day three of the Grace Hopper Celebration of Women in Computing in Orlando. It's 18,000, mainly women, a couple of us men hangin' out. It's been a phenomenal event again. It always amazes me to run into first timers that have never been to the Grace Hopper event. It's a must do if you're in this business and I strongly encourage you to sign up quickly 'cause I think it sells out in about 15 minutes, like a good rock concert. But we're excited to have our next guest. She's Rachel Faber Tobac, UX Research at Course Hero. Rachel, great to see you. >> Thank you so much for having me on. >> Absolutely. So, Course Hero. Give people kind of an overview of what Course Hero is all about. >> Yup. So we are an online learning platform and we help about 200 million students and educators master their classes every year. So we have all the notes, >> 200 million. >> Yes, 200 million! We have all the notes, study guides, resources, anything a student would need to succeed in their classes. And then anything an educator would need to prepare for their classes or connect with their students. >> And what ages of students? What kind of grades? >> They're usually in college, but sometimes we help high schoolers, like AP students. >> Okay. >> Yeah. >> But that's not why you're here. You want to talk about hacking. So you are, what you call a "white hat hacker". >> White hat. >> So for people that aren't familiar with the white hat, >> Yeah. >> We all know about the black hat conference. What is a white hat hacker. >> So a "white hat hacker" is somebody >> Sounds hard to say three times fast. >> I know, it's a tongue twister. A white hat hacker is somebody who is a hacker, but they're doing it to help people. 
They're trying to make sure that information is kept safer rather than kind of letting it all out on the internet. >> Right, right. Like the old secret shoppers that we used to have back in the pre-internet days. >> Exactly. Exactly. >> So how did you get into that? >> It's a very non-linear story. Are you ready for it? >> Yeah. >> So I started my career as a special education teacher. And I was working with students with special needs. And I wanted to help more people. So, I ended up joining Course Hero. And I was able to help more people at scale, which was awesome. But I was interested in kind of more of the technical side, but I wasn't technical. So my husband went to Defcon. 'cause he's a cyber security researcher. And he calls me at Defcon about three years ago, and he's like, Rach, you have to get over here. I'm like, I'm not really technical. It's all going to go over my head. Why would I come? He's like, you know how you always call companies to try and get our bills lowered? Like calling Comcast. Well they have this competition where they put people in a glass booth and they try and have them do that, but it's hacking companies. You have to get over here and try it. So I bought a ticket to Vegas that night and I ended up doing the white hat hacker competition called The Social Engineering Capture the Flag and I ended up winning second, twice in a row as a newb. So, insane. >> So you're hacking, if I get this right, not via kind of hardcore command line assault. You're using other tools. So like, what are some of the tools that are vulnerabilities that people would never think about. >> So the biggest tool that I use is actually Instagram, which is really scary. 60% of the information that I need to hack a company, I find on Instagram via geolocation. So people are taking pictures of their computers, their work stations. I can get their browser, their version information and then I can help infiltrate that company by calling them over the phone. 
It's called vishing. So I'll call them and try and get them to go to a malicious link over the phone and if I can do that, I can own their company, by kind of presenting as an insider and getting in that way. (chuckling) It's terrifying. >> So we know phishing right? I keep wanting to get the million dollars from the guy in Africa that keeps offering it to me. >> (snickers) Right. >> I don't know whether to bite on that or. >> Don't click the link. >> Don't click the link. >> No. >> But that's interesting. So people taking selfies in the office and you can just get a piece of the browser data and the background of that information. >> Yep. >> And that gives you what you need to do. >> Yeah, so I'll find a phone number from somebody. Maybe they take a picture of their business card, right? I'll call that number. Test it to see if it works. And then if it does, I'll call them in that glass booth in front of 400 people and attempt to get them to go to malicious links over the phone to own their company or I can try and get more information about their work station, so we could, quote unquote, tailor an exploit for their software. >> Right. Right. >> We're not actually doing this, right? We're white hat hackers. >> Right. >> If we were the bad guys. >> You'd try to expose the vulnerability. >> Right. The risk. >> And what is your best ruse to get 'em to. Who are you representing yourself as? >> Yeah, so. The representation thing is called pre-texting. It's who you're pretending to be. If you've ever watched like, Catch Me If You Can. >> Right. Right. >> With Frank Abagnale Jr. So for me, the thing that works the best are low status pretexts. So as a woman, I would kind of use what we understand about society to kind of exploit that. So you know, right now if I'm a woman and I call you and I'm like, I don't know how to troubleshoot your website. I'm so confused. I have to give a talk, it's in five minutes. Can you just try my link and see if it works on your end? 
(chuckling) >> You know? Right? You know, you believe that. >> That's brutal. >> Because there's things about our society that help you understand and believe what I'm trying to say. >> Right, right. >> Right? >> That's crazy and so. >> Yeah. >> Do you get, do you make money white hacking for companies? >> So. >> Do they pay you to do this or? Or is it like, part of the service or? >> It didn't start that way. >> Right. >> I started off just doing the Social Engineering Capture the Flag, the SECTF at Defcon. And I've done that two years in a row, but recently, my husband, Evan and I, co-founded a company, Social Proof Security. So we work with companies to train them about how social media can impact them from a social engineering risk perspective. >> Right. >> And so we can come in and help them and train them and understand, you know, via a webinar, 10 minute talk or we can do a deep dive and have them actually step into the shoes of a hacker and try it out themselves. >> Well I just thought the only danger was they know I'm here so they're going to go steal my bike out of my house, 'cause that's on the West Coast. I'm just curious and you may not have a perspective. >> Yeah. >> 'Cause you have niche that you execute, but between say, you know kind of what you're doing, social engineering. >> Yeah. >> You know, front door. >> God, on the telephone. Versus kind of more traditional phishing, you know, please click here. Million dollars if you'll click here versus, you know, what I would think was more hardcore command line. People are really goin' in. I mean do you have any sense for what kind of the distribution of that is, in terms of what people are going after? >> Right, we don't know exactly because usually that information's pretty confidential, >> Sure. when a hack happens. But we guess that about 90% of infiltrations start with either a phishing email or a vishing call. 
So they're trying to gain information so they can tailor their exploits for your specific machine. And then they'll go in and they'll do that like actual, you know, >> Right. >> technical hacking. >> Right. >> But, I mean, if I'm vishing you right and I'm talking to you over the phone and I get you to go to a malicious link, I can just kind of bypass every security protocol you've set up. I'm not even a technical hacker, right? I just got into your computer because. >> 'Cause you're in 'Cause I'm in now, yup. >> I had the other kind of low profile way and I used to hear is, you know, you go after the person that's doin' the company picnic. You know WordPress site. >> Yes. >> That's not thinking that that's an entry point in. You know, kind of these less obvious access points. >> Right. That's something that I talk about a lot actually is sometimes we go after mundane information. Something like, what pest service provider you use? Or what janitorial service you use? We're not even going to look for like, software on your machine. We might start with a softer target. So if I know what pest extermination provider you use, I can look them up on LinkedIn. See if they've tagged themselves in pictures in your office and now I can understand how do they work with you, what do their visitor badges look like. And then emulate all of that for an onsite attack. Something like, you know, really soft, right? >> So you're sitting in the keynote, right? >> Yeah. >> Fei-Fei Li is talking about computer visualization learning. >> Right. >> And you know, Google running kagillions of pictures through an AI tool to be able to recognize the puppy from the blueberry muffin. >> Right. >> Um, I mean, that just represents ridiculous exploitation opportunity at scale. Even you know, >> Yeah. >> You kind of hackin' around the Instagram account, can't even begin to touch, as you said, your other thing. >> Right. >> You did and then you did it at scale. Now the same opportunity here. 
Both for bad and for good. >> I'm sure AI is going to impact social engineering pretty extremely in the future here. Hopefully they're protecting that data. >> Okay so, give a little plug so they'll look you up and get some more information. But what are just some of the really easy, basic steps that you find people just miss, that should just be, they should not be missing. From these basic things. >> The first thing is that if they want to take a picture at work, like a #TBT, right? It's their third year anniversary at their company. >> Right. Right. >> Step away from your work station. You don't need to take that picture in front of your computer. Because if you do, I'm going to see that little bottom line at the bottom and I'm going to see exactly the browser version, OS and everything like that. Now I'm able to exploit you with that information. So step away when you take your pictures. And if you do happen to take a picture on your computer. I know you're looking at computer nervously. >> I know, I'm like, don't turn my computer on to the cameras. >> Don't look at it! >> You're scarin' me Rachel. >> If you do take a picture of that. Then you don't want let someone authenticate with that information. So let's say I'm calling you and I'm like, hey, I'm with Google Chrome. I know that you use Google Chrome for your service provider. Has your network been slow recently? Everyone's network's been slow recently, right? >> Right. Right. >> So of course you're going to say yes. Don't let someone authenticate with that info. Think to yourself. Oh wait, I posted a picture of my work station recently. I'm not going to let them authenticate and I'm going to hang up. >> Interesting. All right Rachel. Well, I think the opportunity in learning is one thing. The opportunity in this other field is infinite. >> Yeah. >> So thanks for sharing a couple of tips. >> Yes. >> And um. >> Thank you for having me. >> Hopefully we'll keep you on the good side. 
We won't let you go to the dark side. >> I won't. I promise. >> All right. >> Rachel Faber Tobac and I'm Jeff Frick. You're watching the Cube from Grace Hopper Celebration of Women in Computing. Thanks for watching. (techno music)