Eric Kedrosky & Denise Hayman | AWS Startup Showcase


 

>>Hey everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase. I'm your host, Lisa Martin. This is season two, episode four of our ongoing series that's covering exciting startups from the AWS ecosystem. This episode, we're talking about cybersecurity: detect and protect against threats. I've got two guests with me here from Sonrai Security. Please welcome Eric Kedrosky, its chief information security officer, and Denise Hayman, its chief revenue officer. Guys, welcome to the program.

>>Ah, thank you.

>>And I should say, thank you, Lisa. Welcome back to Denise. You were on at re:Inforce, which was just about a month or so ago. And from re:Inforce, Denise, we heard a lot about security challenges, expansion of risks. What do you think? And I wanna get Eric's perspective as well. What do you think are the biggest challenges that CSOs are currently facing regardless of industry?

>>Mm, well, I'm, I'm gonna narrow that question down to public cloud and cloud security, right? Because that's what the conference was about and that's where we're focused. So I get to do that, but from that perspective, right, the, the CISOs that I speak with on the regular, it, it is, it's, it's so, there's so much chaos out there, right? About what they're trying to deal with. They're, they're trying to take a look at all of the operational policies and pieces that they had put together in their on-prem world and trying to figure out how do those same things apply in the cloud. So that gets down to things like, how do I, how do I operationalize it? How do I make this work in a new environment? What tools do I need? What processes do I need? What types of people do I need? Right. It just, it, it threw up everything in the air and said, let's start over. Right? Just chaos. And many of them are doing a really awesome job at getting their arms around it by, you know, really hiring in the right people and looking at the way that development has run, right.
To figure out what's important to these people in, in their clouds. Right? Cause it depends on what the, their own missions are.

>>And Eric, adding on to that from your seat as a CSO, what are some of the biggest challenges that your peers across industries are tackling? Obviously there's a, the environment is chaotic and that's probably gonna persist.

>>Yeah. I mean, Denise mentioned a few things, you know, the biggest thing I talk to CISOs about, and it's, it's nice when you can have that CSO to CISO discussion, cuz they tend to open up a little bit more and you can, you can tell the stories and, and show the scars. And, and one of the things I hear a lot of is that, you know, the scale and the speed at which the cloud operates and how to operationalize security within that context is a big challenge that they're struggling with. And you know, not to mention the new paradigms and how they've sort of shifted from the data center into the, into the cloud world and you know, sometimes a lift and shift of your process or of your way that you did something before in the data center just doesn't work in the cloud. So helping them understand that. And then the big thing is it's almost like focus, you know, it's, there's a huge scale. It moves very quickly, but you really need to focus on what's most important. And that's really by putting like data security and identity security at the center of your cloud security strategy. That's one of the biggest things that I talk to a lot of CISOs about.

>>So then Eric, how do you advise CISOs to think about cloud risks or to really be able to stack rank and adjust their security priorities as the environment is so dynamic?

>>Well, it comes back to this, you know, CSOs are looking to protect or minimize risk to their organizations with their most valuable assets. In this day and age, that's data.
And that starts with understanding not only where all of the data is in your cloud, but more importantly, understanding where the sensitive data is in your cloud, because you could spend a lot of time, resource, money, which nobody has an infinite supply of, doing the wrong thing. So it's really targeting on where is my most sensitive data and then start wrapping security around that. And I talk about it as like the dual side of the coin. The other side of the coin is the identities, you know, in the data center days, we built networks and those became our security boundaries. And we put our tools at those boundaries and we watched what went in and out and we put our controls there. That doesn't really exist in the cloud. So identities really have become those security boundaries. And so that's when I say put identity and data security at the heart of your strategy, that's what I'm talking about. You know, find your data, classify your data and then determine what has access to it. And then what are they doing with it? And if you start there, you've got a very focused view, but in a very important way.

>>Denise, what are you hearing from customers? As Eric was saying, you know, he says, put data and identity at the center of your strategy. What are you hearing from customers in terms of their concerns? Where are they in terms of actually being able to make that happen?

>>Yeah. I mean, this is, every single one of them is struggling with this, right? They are, there's, there's just a staggering amount of things and data and processes that they need to figure out. Many of them in multi-cloud environments, sorry, AWS, but like not everyone is just AWS anymore and they have to protect, you know, workloads and services and people identities and non-people identities. Right. Which is why we talk about it from the standpoint of like, you can look at it from the outside in, or you look, you can look at it from the inside out. Right.
So looking and our belief is that starting with the data and the identity pieces is the most important because, you know, I heard an analogy, now this is maybe an old analogy, a while ago. Right. But back in the day when there were bank robbers, you know, the, the bank robbers targeted those banks that had money, that had lots of money in the coffers, right.

>>They weren't going after regular apartment buildings or, you know, 7-Elevens at the time. Right. They were going after where there was the most to lose. Right? So if you, if you take that same analogy and say out of all of this chaos that there is out there and trying to figure out where to start, start by protecting the most sensitive pieces of your information, whether it's personal data, whether it's things that are critical to, you know, your crown jewels of your company, but starting there and then working outwards is the way that we address and advise all of our customers to start.

>>Do you have a, a magic list of best practices? This is actually a question for both of you when you're in customer conversations that say, obviously protecting them in sensitive data, start making those important points kind of stacked rank. But do you, do you have any best practices that you share in terms of how they can actually make identity and data core to a cloud strategy in a timely fashion? Eric, we'll start with you.

>>Yeah. I mean, this is one that, that really hits home to me and, and it goes like this. I'd like to break it down really simply. Number one, you need to understand where all of the data is in your cloud and it might sound easy, but it is not because data is everywhere. And there's so many fingers in the pie these days. Number two is classify your data, classify and tag your data. Again, it comes back to, there could be lots of data, but you need to find the stuff that's really, really important to you. So classify it, identify it, tag it. So you know where it is.
Number three is understand who or what can potentially access your data and what they can do with your data. So now we start to tie in the identities and then number four is you need to be continuously monitoring to understand what they're doing with that access.

>>You know, Lisa might have the ability to access a piece of really sensitive data, but she might not even know that through, you know, a hop and a step and a lateral movement and this and that. But what happens if she does, someone's gotta be watching for that as well. And then again, it's that double-sided coin. When you flip that over and look at the identity perspective, you need to understand what the identities are in your cloud and not just your users, which is your typical way of looking at it. You really have to understand your users, but your non-people identities as well. And interesting fact is your non-people identities, and in all of the customers that I see large and small, you know, Fortune five to a startup in the cloud, their non-people identities outnumber their people identities by 10, 20, 30 times the number, but guess what, not everybody's looking at those. So identify them, again, calculate their, their permissions, what they can do, understand what data they can access. And then it comes right back to where they kind of merge together. What are they doing with that access? And those are the, you know, the four steps on either side of the coin that we recommend to all of our customers and, and focusing into to protect their data in their cloud.

>>And, and the only thing that I would add, the only thing I would add to that is we talk a lot about automation with our customers, right? Especially around remediation, right? Anything that you can automate from a remediation perspective or a discovery perspective or a monitoring perspective. Absolutely do it because the, you know, the clouds and privileges, right.
What did we estimate there are, I think 35,000 privileges out there across the three clouds right now. And they're growing somewhere between 20 and 40 a day. So if you're not automated, right, you're trying to keep it up on your whiteboard or in a spreadsheet, like you're behind the moment that you put it in there. So we recommend automating and especially around remediation, anything that you can automate is absolutely the way to go.

>>Let's talk about now, the, the benefits in it for me, for if I'm an AWS customer. We mentioned at the beginning of the segment, Denise, you were on theCUBE at re:Inforce, which was just last month or so. Its chief security officer, Stephen Schmidt, says, and he said this at re:Inforce, we're stronger together from an ecosystem perspective. Talk to me, Denise, we'll get your perspective first and then, Eric, yours: Sonrai and AWS, better together. What does that mean? What's in it for customers?

>>Oh gosh. So first of all, we love our partnership with AWS and, and that's not just because we're on here, because we are engaged with all different layers within AWS. And we love their culture, their drive on customers, like everything that they do to make sure that their customers are satisfied. It's just, it's a, it's an amazing place to follow along. Right. And the, the thing that we love about working on customers together is that they, you know, that their mission, right, is to make the cloud accessible to everybody, right. And, and do it in an easy way. And our mission is to make sure that it's secure. So it's very compatible in terms of how we work together and they, because of their depth from a technical perspective, they totally understand what we do and how important it is. Right. And they, again, they're customer obsessed. So they make sure that their customers get the best things available to them, which is why they bring us to the table. So we, you know, we love that about them. It's a, it's a, just a fantastic partnership.
>>Sounds like, Denise, that Sonrai and AWS share this passion for customer obsession.

>>I would say so. Yes.

>>Eric, from your seat as the CISO, Sonrai plus AWS, better together, how does that enable you to do your job and, and take the steps that you said would advise other CISOs to do?

>>I think there's a number of ways to do this. If I put on sort of my business hat here for a second, you know, the way that they talk about security as a risk is part of the business. They really are trying to bring it to the forefront. That it's not just some IT technical thing off in the corner that, that you have to think about, that it is a business risk. So they're really big at, at promoting that and talking about that. They're also really big at helping CISOs and security leaders get there. You know, a lot of security leaders and CISOs came up through the technical ranks and, but getting that seat at the table and we're hearing about how CISOs should be on boards and all these other things. And, and they're, they're big at that. And then of course from the technology perspective, I think I've, you know, I've said it already, is that speed and scale, you know, what has AWS brought to the world?

>>It's the speed and the scale of releasing solutions to the market, to customers, and then delivering them faster and better and better every single day, every single week. And, and what have you. And so it's also about doing security at speed and scale, and they're enabling organizations like Sonrai to do that. So Denise talked about using automations and workflows. That's critical to solving the security challenges in the cloud. And Amazon really provides a platform on which, you know, tools like ourselves or individuals can go out and do that. And again, solve their security challenges at speed and scale, to be able to keep up with the, with the pace of the cloud.

>>Absolutely critical to solve those security challenges at speed and scale.
Of course, it's, it's so much more challenging and it sounds easier said than done, but to Denise, I'd love for you to share a customer story that you think really demonstrates the value that Sonrai and AWS are delivering to customers. And then maybe comment on, maybe from a target market perspective, what are some particular organizations that could benefit from the partnership with AWS, the integrations? What are your thoughts?

>>Yeah, sure. So gosh, lots of customers that are in the midst of this transition, right? We, we see a lot of customers who are, Eric and I were talking about, talking about this actually right before we started, because every single customer seems to have a different use case, right. Everyone is going about it, you know, at a, at, from a different place or a different scenario, but lots of them moving from data center to cloud, as you might imagine, right. That is a, that is a key use case. The other thing that we're seeing in a lot of financial customers is that they, you know, when, when cloud first became available, a lot of them went private cloud, right. And they, they went about it from the standpoint of like, let's just take the same controls, right. And get our arms around it from a private perspective and now via acquisitions or via workloads that they need in the cloud, they are actually moving to the public cloud in many, many cases.

>>So where we have the strong partnership around financials, especially, right. Because they know that if those customers don't see security on the way in to the cloud, that they will never expand. Right. Because it's just, it's a part of their DNA, right. That they, they have to make sure that there's their sensitive information is, is taken care of. So we have a, I mean, just a breadth of customers across manufacturing and airlines and financials and insurance. Like if you're moving to the cloud, you need to make sure that you're protecting it in the right way.

>>Across industries.
This is a pan-industry problem. Every customer, regardless of location, has to address this. Denise, sticking with you, the acceleration of the, the cloud adoption and migration we've seen the last couple of years, have you seen any industries in particular? You mentioned financial services. I kind of think of healthcare, manufacturing as some industries that really are prime for coming to Sonrai: help us figure this out, we're losing time.

>>You know, I, I can't limit myself to any industry. Cause I mean, seriously, that, I know that sounds like a silly answer, but from the standpoint of what's going on out there, that I, I mean, every industry that is moving to the public cloud needs to be looking at this, the ones that, you know, again, I mentioned those ones that are going through transitions. We, we also see obviously software companies or companies that were built in the cloud, right. Are just, they're just at this point now where they're understanding, gosh, you know, we need to be, well, like, you know, we've kind of got this hardened environment and we've got our policies and procedures down. Now they're worried about things like exfiltration of the cloud, or they're worried about lateral movement, right. Where, you know, somebody could get access to a role or a privilege and then move within the organization.

>>So they're, they're looking at it at a deeper, more advanced level, which we love working with them on that. Like I said, the financials kind of moving from private to public, now is the perfect time to, to build it in alongside us. Healthcare, we've seen a recent increase of healthcare, which sort of surprised me. I, I've not seen healthcare spending a lot of money in this particular area. And we've seen actually just in the last month or so a big uptick there, which is just interesting. We'll see, we'll see if it continues.
You know, like I said, we see it across industries, not so much at the very, very low end, but we're seeing kind of mid-level enterprises and large enterprises.

>>And there's definite commonalities there, I'm sure, across the folks that you speak to in terms of the challenges that they have, what they're looking to Sonrai to help them resolve. Eric, I do wanna ask you a question about, we talk about the cybersecurity skills gap. It's huge. It's not gonna go away overnight. A lot of organizations have different initiatives aimed at helping to reduce it. But talk to me about Sonrai from a technology perspective, how will it help organizations to mitigate some of the risks that they face because of that skills gap?

>>Yeah, absolutely. I mean, first and foremost, I gotta reiterate your point. It's not going away and it's not gonna be solved anytime soon. And then you talk about, we get right back to speed and the scale, the cloud moves very quickly and the scale increases over time and that's not going to stop as well. So it creates this perfect storm. And I'm gonna say a word again, that, that some people are probably gonna cringe at, but it comes back to automations and workflows. I know in the security industry, especially in rather large enterprises, sometimes they're a little bit hesitant to, to implement these tools because they're worried about what's going to happen. But the question I ask CISOs all the time is, are you keeping up with it today? And the answer is no. So then I say, well, what are you, what's going to happen if you don't do it.

>>And that's what it comes down to. You're never gonna be able to find enough staff, enough people in this area. So invest in automations and workflows in the areas that you're, you're comfortable with. So that guess what, somebody in your organization doesn't have to do that job anymore. And then that person can be trained and grow into the roles where you need them in these, in these more specific roles.
And so that's how you need to do it. It's almost like investing in automation and workflows isn't just making you more secure, which is your goal, but it's also helping to get your employees to where they need to be, to be more knowledgeable in the cloud. Because if they're only ever looking at very basic things and, and basically whacking it out and pulling whack-a-mole to solve basic problems, they are never gonna up their skills. And you can't just give your employees six months off to go become a cloud expert. So again, it comes back to, to stay with the speed and the scale of security in the cloud, it's automations and workflows, and you just have to get comfortable doing it. And if you're not, you really need to think about your strategy, cuz my opinion is you're doing it wrong.

>>Wow. Those are some important words there. Denise, last question for you with respect to what Eric just said about what companies need to be doing. The, you need to embrace automation. What are you hearing from customers, especially after they've deployed Sonrai? What are they coming to you saying, we had these challenges and thanks to Sonrai, we are on our way to reducing a lot of the risks that were in our environment.

>>Yeah. So not only are they reducing the risks, but they're able to do it with less people or put it this way, not adding additional people, which is the worry, right? Whenever you, whenever you bring on a new solution, the, the question is always, gosh, we're gonna need to hire a team to be able to manage this, or can we utilize the team that we have? So there's a, there's a huge ROI around bringing the Sonrai solution in where they're, they are able to take advantage of resources that they currently have and just making them more productive. Again, we keep saying the same words, but remediation, automation, operationalizing it, right? Creating these workflows is the key.
And, and it's a key piece of what Sonrai offers to them to make sure that they can take advantage of this. And, and I, I think that's, that's a really, really, really big statement because the, the, the way that I see this is the, the vision and the promise of what Sonrai brings to the table is that security teams need us for an oversight perspective, but they're actually able to leverage their development teams to be able to do the fixes and the workflows and the operational pieces that we've been talking about.

>>So you don't have to hire new people. You can take advantage of the resources that you have. Again, that's the, that's the promise of Sonrai.

>>A lot of efficiencies, operational, et cetera, that can be gained from what Sonrai is able to deliver to customers. Thank you both so much for joining me today, talking about what it is that you're delivering, the challenges that you're helping CISOs and security operations folks meet and, and mitigate with the solutions. We appreciate your insights and your time. Thank you, Lisa. Thanks, Lisa. My pleasure. For Eric Kedrosky and Denise Hayman, who we wanna thank for partnering with theCUBE for this season, we wanna thank you for watching season two, episode four of our ongoing series of the AWS Startup Showcase. Don't go away, keep it right here for more action on theCUBE, your leader in tech coverage.

Published Date : Sep 7 2022
