(bright upbeat music) >> Welcome back, everybody, to the Supercloud 2. My name is Dave Vellante. And I'm pleased to welcome Nir Zuk. He's the founder and CTO of Palo Alto Networks. Nir, good to see you again. Welcome. >> Same here. Good to see you. >> So let's start with the right security architecture in the context of today's fragmented market. You've got a lot of different tools, you've got different locations, on-prem, you've got hardware and software. Tell us about the right security architecture from your standpoint. What's that look like? >> You know, the funny thing is using the word security in architecture rarely works together. (Dave chuckles) If you ask a typical information security person to step up to a whiteboard and draw their security architecture, they will look at you as if you fell from the moon. I mean, haven't you been here in the last 25 years? There's no security architecture. The architecture today is just buying a bunch of products and dropping them into the infrastructure at some relatively random way without really any guiding architecture. And that's a huge challenge in cybersecurity. It's always been, we've always tried to find ways to put an architecture into writing blueprints, whatever you want to call it, and it's always been difficult. Luckily, two things. First, there's something called zero trust, which we can talk a little bit about more, if you want, and zero trust among other things is really a way to create a security architecture, and second, because in the cloud, in the supercloud, we're starting from scratch, we can do things differently. We don't have to follow the way we've always done cybersecurity, again, buying random products, okay, maybe not random, maybe there is some thinking going into it by buying products, one of the other, dropping them in, and doing it over 20 years and ending up with a mess in the cloud, we have an opportunity to do it differently and really have an architecture. >> You know, I love talking to founders and particularly technical founders from StartupNation. I think I saw an article, I think it was Erie Levine, one of the founders or co-founders of Waze, and he had a t-shirt on, it said, "Fall in love with the problem, not the solution." Is that how you approached architecture? You talk about zero trust, it's a relatively new term, but was that in your head when you thought about forming the company? >> Yeah, so when I started Palo Alto Networks, exactly, by the way, 17 years ago, we got funded January, 2006, January 18th, 2006. The idea behind Palo Alto Networks was to create a security platform and over time take more and more cybersecurity functions and deliver them on top of that platform, by the way, as a service, SaaS. Everybody thought we were crazy trying to combine many functions into one platform, best of breed and defense in death and putting all your eggs in the same basket and a bunch of other slogans were flying around, and also everybody thought we were crazy asking customers to send information to the cloud in order to secure themselves. Of course, step forward 17 years, everything is now different. We changed the market. Almost all of cybersecurity today is delivered as SaaS and platforms are ruling more and more the world. And so again, the idea behind the platform was to over time take more and more cybersecurity functions and deliver them together, one brain, one decision being made for each and every packet or system call or file or whatever it is that you're making the decision about and it works really, really well. As a side effect, when you combine that with zero trust and you end up with, let's not call it an architecture yet. You end up with with something where any user, any location, both geographically as well as any location in terms of branch office, headquarters, home, coffee shop, hotel, whatever, so any user, any geographical location, any location, any connectivity method, whether it is SD1 or IPsec or Client VPN or Client SVPN or proxy or browser isolation or whatever and any application deployed anywhere, public cloud, private cloud, traditional data center, SaaS, you secure the same way. That's really zero trust, right? You secure everything, no matter who the user is, no matter where they are, no matter where they go, you secure them exactly the same way. You don't make any assumptions about the user or the application or the location or whatever, just because you trust nothing. And as a side effect, when you do that, you end up with a security architecture, the security architecture I just described. The same thing is true for securing applications. If you try to really think and not just act instinctively the way we usually do in cybersecurity and you say, I'm going to secure my traditional data center applications or private cloud applications and public cloud applications and my SaaS applications the same way, I'm not going to trust something just because it's deployed in the private data center. I'm not going to trust two components of an application or two applications talking to each other just because they're deployed in the same place versus if one component is deployed in one public cloud and the other component is deployed in another public cloud or private cloud or whatever. I'm going to secure all of them the same way without making any trust assumptions. You end up with an architecture for securing your applications, which is applicable for the supercloud. >> It was very interesting. There's a debate I want to pick up on what you said because you said don't call it an architecture yet. So Bob Muglia, I dunno if you know Bob, but he sort of started the debate, said, "Supercloud, think of it as a platform, not an architecture." And there are others that are saying, "No, no, if we do that, then we're going to have a bunch of more stove pipes. So there needs to be standard, almost a purist view. There needs to be a supercloud architecture." So how do you think about it? And it's a bit academic, I know, but do you think of this idea of a supercloud, this layer of value on top of the hyperscalers, do you think of that as a platform approach that each of the individual vendors are responsible for the architecture? Or is there some kind of overriding architecture of standards that needs to emerge to enable the supercloud? >> So we can talk academically or we can talk practically. >> Yeah, let's talk practically. That's who you are. (Dave laughs) >> Practically, this world is ruled by financial interests and none of the public cloud providers, especially the bigger they are has any interest of making it easy for anyone to go multi-cloud, okay? Also, on top of that, if we want to be even more practical, each of those large cloud providers, cloud scale providers have engineers and all these engineers think they're the best in the world, which they are and they all like to do things differently. So you can't expect things in AWS and in Azure and GCP and in the other clouds like Oracle and Ali and so on to be the same. They're not going to be the same. And some things can be abstracted. Maybe cloud storage or bucket storage can be abstracted with the layer that makes them look the same no matter where you're running. And some things cannot be abstracted and unfortunately will not be abstracted because the economical interest and the way engineers work won't let it happen. We as a third party provider, cybersecurity provider, and I'm sure other providers in other areas as well are trying or we're doing our best. We're not trying, we are doing our best, and it's pretty close to being the way you describe the top of your supercloud. We're building something that abstracts the underlying cloud such that securing each of these clouds, and by the way, I would add private cloud to it as well, looks exactly the same. So we use, almost always, whenever possible, the same terminology, no matter which cloud we're securing and the same policy and the same alerts and the same information and so on. And that's also very important because when you look at the people that actually end up using the product, security engineers and more importantly, SOC, security operations center analysts, they're not going to study the details of each and every cloud. It's just going to be too much. So we need to abstract it for them. >> Yeah, we agree by the way that the supercloud definition is inclusive of on-prem, you know, what you call private cloud. And I want to pick up on something else you said. I think you're right that abstracting and making consistent across clouds something like object storage, get put, you know, whether it's an S3 bucket or an Azure Blob, relatively speaking trivial. When you now bring that supercloud concept to something more complex like security, first of all, as a technically feasible and inferring the answer there is yes, and if so, what do you see as the main technical challenges of doing so? >> So it is feasible to the extent that the different cloud provide the same functionality. Then you step into a territory where different cloud providers have different paths services and different cloud providers do things a little bit differently and they have different sets of permissions and different logging that sometimes provides all the information and sometimes it doesn't. So you end up with some differences. And then the question is, do you abstract the lowest common dominator and that's all you support? Or do you find a way to be smarter than that? And yeah, whatever can be abstracted is abstracted and whatever cannot be abstracted, you find an easy way to represent that to your users, security engineers, security analysts, and so on, which is what I believe we do. >> And you do that by what? Inventing or developing technology that presents that experience to users? Could you be more specific there? >> Yeah, so different cloud providers call their storage in different names and you use different ways to configure them and the logs come out the same. So we normalize it. I mean, the keyword is probably normalization. Normalize it. And we try to, you know, then you have to pick a winner here and to use someone's terminology or you need to invent new terminology. So we try to use the terminology of the largest cloud provider so that we have a better chance of doing that but we can't always do that because they don't support everything that other cloud providers provide, but the important thing is, with or thanks to that normalization, our customers both on the engineering side and on the user side, operations side end up having to learn one terminology in order to set policies and understand attacks and investigate incidents. >> I wonder if I could pick your brain on what you see as the ideal deployment model to achieve this supercloud experience. For example, do you think instantiating your stack in multiple regions and multiple clouds is the right way to do it? Or is building a single global instance on top of the clouds a more preferable way? Are maybe other models we should consider? What do you see as the trade off of these different deployment models and which one is ideal in your view? >> Yeah, so first, when you deploy cloud security, you have to decide whether you're going to use agents or not. By agents, I mean something working, something running inside the workload. Inside a virtual machine on the container host attached to function, serverless function and so on and I, of course, recommend using agents because that enables prevention, it enables functionality you cannot get without agents but you have to choose that. Now, of course, if you choose agent, you need to deploy AWS agents in AWS and GCP agents in GCP and Azure agents in Azure and so on. Of course, you don't do it manually. You do it through the CICD pipeline. And then the second thing that you need to do is you need to connect with the consoles. Of course, that can be done over the internet no matter where your security instances is running. You can run it on premise, you can run it in one of the other different clouds. Of course, we don't run it on premise. We prefer not to run it on premise because if you're secured in cloud, you might as well run in the cloud. And then the question is, for example, do you run a separate instance for AWS for GCP or for Azure, or you want to run one instance for all of them in one of these clouds? And there are advantages and disadvantages. I think that from a security perspective, it's always better to run in one place because then when you collect the information, you get information from all the clouds and you can start looking for cross-cloud issues, incidents, attacks, and so on. The downside of that is that you need to send all the information to one of the clouds and you probably know that sending data out of the cloud costs a lot of money versus keeping it in the cloud. So theoretically, you can build an architecture where you keep the data for AWS in AWS, Azure in Azure, GCP in GCP, and then you try to run distributed queries. When you do that, you find out you'd end up paying more for the compute to do that than you would've paid for sending all the data to a central location. So we prefer the approach of running in one place, bringing all the data there, and running all the security, the machine learning or whatever, the rules or whatever it is that you're running in one place versus trying to create a distributed deployment in order to try to save some money on the data, the network data transfers. >> Yeah, thank you for that. That makes a lot of sense. And so basically, should we think about the next layer building security data lake, if you will, and then running machine learning on top of that if I can use that term of a data lake or a lake house? Is that sort of where you're headed? >> Yeah, look, the world is headed in that direction, not just the cybersecurity world. The world is headed from being rule-based to being data-based. So cybersecurity is not different and what we used to do with rules in the past, we're now doing with machine learning. So in the past, you would define rules saying, if you see this, this, and this, it's an attack. Now you just throw the data at the machine, I mean, I'm simplifying it, but you throw data at a machine. You'll tell the machine, find the attack in the data. It's not that simple. You need to build the right machine learning models. It needs to be done by people that are both cybersecurity experts and machine learning experts. We do it mostly with ex-military offensive people that take their offensive knowledge and translate it into machine learning models. But look, the world is moving in that direction and cybersecurity is moving in that direction as well. You need to collect a lot of data. Like I said, I prefer to see all the data in one place so that the machine learning can be much more efficient, pay for transferring the data, save money on the compute. >> I think the drop the mic quote it ignite that you had was within five years, your security operation is going to be AI-powered. And so you could probably apply that to virtually any job over the next five years. >> I don't know if any job. Certainly writing essays for school is automated already as we've seen with ChatGPT and potentially other things. By the way, we need to talk at some point about ChatGPT security. I don't want to think what happens when someone spends a lot of money on creating a lot of fake content and teaches ChatGPT the wrong answer to a question. We start seeing ChatGPT as the oracle of everything. We need to figure out what to do with the security of that. But yeah, things have to be automated in cybersecurity. They have to be automated. They're just too much data to deal with and it's just not even close to being good enough to wait for an incident to happen and then going investigate the incident based on the data that we have. It's better to look at all the data all the time, millions of events per second, and find those incidents before they happen. There's no way to do that without machine learning. >> I'd love to have you back and talk about ChatGPT. I know they're trying to put in some guardrails but there are a lot of unintended consequences, aren't there? >> Look, if they're not going to have a person filtering the data, then with enough money, you can create thousands or tens of thousands of pieces of articles or whatever that look real and teach the machine something that is totally wrong. >> We were talking about the hyper skills before and I agree with you. It's very unlikely they're going to get together, band together, and create these standards. But it's not a static market. It's a moving train, if you will. So assuming you're building this cross cloud experience which you are, what do you want from the hyperscalers? What do you want them to bring to the table? What is a technology supplier like Palo Alto Networks bring? In other words, where do you see ongoing as your unique value add and that moat that you're building and how will that evolve over time vis-a-vis the hyperscaler evolution? >> Yeah, look, we need APIs. The more data we have, the more access we have to more data, the less restricted the access is and the cheaper the access is to the data because someone has to pay today for some reason for accessing that data, the more secure their customers are going to be. So we need help and are helping by the way a lot, all of them in finding easy ways for customers to deploy things in the cloud, access data, and again, a lot of data, very diversified data and do it in a cost-effective way. >> And when we talk about the edge, I presume you look at the edge as just another data center or maybe it's the reverse. Maybe the data center is just another edge location, but you're seeing specific edge security solutions come out. I'm guessing that you would say, that's not what we want. Edge should be part of that architecture that we talked about earlier. Do you agree? >> Correct, it should be part of the architecture. I would also say that the edge provides an opportunity specifically for network security, whereas traditional network security would be deployed on premise. I'm talking about internet security but half network security market, and not just network security but also the other network intelligent functions like routing and QS. We're seeing a trend of pushing those to the edge of the cloud. So what you deploy on premise is technology for bringing packets to the edge of the cloud and then you run your security at the edge, whatever that edge is, whether it's a private edge or public edge, you run it in the edge. It's called SASE, Secure Access Services Edge, pronounced SASE. >> Nir, I got to thank you so much. You're such a clear thinker. I really appreciate you participating in Supercloud 2. >> Thank you. >> All right, keep it right there for more content covering the future of cloud and data. This is Dave Vellante for John Furrier. I'll be right back. (bright upbeat music)

okay we're back live here inside the cube rounding out day one of exclusive coverage of IBM information on demand I'm John further the founder SiliconANGLE enjoy my co-host Davey lonte we're here in heat you saw who's the vice president I said that speaks that you know I think you always get promoted you've been on the cube so many times you doing so well it's all your reason tatian was so amazing I always liked SVP the cute good things happen that's exactly why i be MVP is a big deal unlike some of the starters where everyone gets EVP all these other titles but welcome back thank you so the storytelling has been phenomenal here although murs a little bit critical some of the presentations earlier from gardner but the stories higher your IBM just from last year take us through what's changed from iod last year to this year the story has gotten tighter yes comprehensive give us the quick okay quick view um okay here's the point of view here's the point of view first you got to invest in a platform which we've all talked about and i will tell you it's not just us saying it i would say other vendors are now copying what we're saying cuz if you went to strata yes which you were there we were there probably heard some of the messages that's right why everybody wants to be a platform okay one two elevated risk uncertainty governance I think privacy privacy security risk this is what people are talking about they want to invest in a more why because you know what the decisions matter they want to make bigger beds they want to do more things around customer experience they want to improve products they want to improve pricing the third area is really a cultural statement like applying analytics in the organization because the people and the skills I would say the culture conversation is happening a lot more this year than it was a year ago not just at IOD but in the industry so I think what you're seeing here at IOD is actually a reflection of what the conversations are happening so our organizations culturally ready for this I mean you guys are going to say yes and everybody comes on says oh yes we're seeing it all over the place but are they really ready it depends I think some are some are absolutely ready some are not and probably the best examples are and it really depends on the industry so I'll give you a few examples so in the government area I think people see the power of applying things like real-time contextual insight leveraging stream computing why because national security matters a lot of fraudulent activity because that's measurable you can drive revenue or savings healthcare people know that a lot of decision-making is being made without a comprehensive view of the analytics and the data now the other area that's interesting is most people like to talk about text analytics unstructured data a lot of social media data but the bulk of the data that's actually being used currently in terms of big data analytics is really transactional data why because that's what's maintained in most operational systems where health systems so you're going to see a lot more data warehouse augmentation use cases leverage you can do on the front end or the back end you're going to see kind of more in terms of comprehensive view of the customer right augmenting like an existing customer loyalty or segmentation data with additional let's say activity data that they're interacting with and that was the usta kind of demo showing social data cell phone metadata is that considered transactional you know it is well call me to record right CDR call detail records well the real time is important to you mentioned the US open just for folks out there was a demo on stage when you guys open data yeah at all the trend sentiment data the social data but that's people's thoughts right so you can see what people are doing now that's big yeah you know what's amazing about that just one second which is what we were doing was we were predicting it based on the past but then we were modifying it based on real time activity and conversation so let's say something hot happened and all of a sudden it was interesting when Brian told me this he was like oh yeah Serena's average Twitter score was like 2,200 twit tweets a day and then if some activity were to happen let's say I don't know she didn't he wrote she had got into a romance or let's say she decided to launch a new product then all of a sudden you'd see an accused spike rate in activity social activity that would then predict how they wanted to operate that environment that's amazing and you know we you know we love daily seen our our crowd spots be finder we have the new crowd chat one and this idea of connecting consumers is loose data it's ephemeral data it's transient data but it's now capture will so people can have a have fun into tennis tournament and then it's over they go back home to work you still have that metadata we do that's very kind of its transient and ephemeral that's value so you know Merv was saying also that your groups doing a lot of value creation let's talk about that for a second business outcomes what do you what's the top conversation when you walk into a customer that says hey you know here's point a point B B's my outcome mm-hmm one of those conversations like I mean what are they what are some of the outcomes you just talked to use case you tell customers but like what did some of the exact you know what I'll tell you one use case so and this was actually in the healthcare hotel you won healthcare use case in one financial services use case both conversations happened actually in the last two weeks so in the healthcare use case there's already let's say a model that's happening for this particular hospital now they have a workflow process typically in a workflow process you you're applying capabilities where you've modeled out your steps right you do a before be before see and you automate this leveraging BPM type capabilities in a data context you don't actually start necessarily with knowing what the workflow is you kind of let the data determine what the workflow should be so in the this was in an ICU arena historically if you wanted to decide who was the healthiest of the patients in the ICU because you had another trauma coming in there was a workflow that said you had to go check the nurses the patient's profile and say who gets kicked out of what bed or moved because they're most likely to be in a healthy state that's a predefined workflow but if you're applying streams for example all the sudden you could have real-time visibility without necessarily a nurse calling a doctor who that calls the local staff who then calls the cleaning crew rate you could actually have a dashboard that says with eighty percent confidence beds2 and ate those patients because of the following conditions could be the ones that you are proactive in and saying oh you know what not only can they be released but we have this degree of confidence around them being because of the days that it's coming obvious information that changes then potentially you know the way your kind of setting your rules and policies around your workflow another example which was really a government use case was think about in government security so in security scenarios and national security state there is you never quite know exactly what people are intended to do other than you know they're intending something bad right and they're intentionally trying not to be found so human trafficking it's an ugly topic but I want to bring it up for a second here what you're doing is you're actually looking at data compositions and and different patterns and resolving entities and based on that that will dictate kind of potentially a whole new flow or a treatment or remediation or activity or savior which is not the predefined workflow it's you're letting the data actually all of a sudden connect to other data points that then you're arriving at the insight to take the action where is completely different I wanna go back to sleep RFI course not healthcare examples yeah so where are we today is that something that's actually being implemented is that something they sort of a proof of concept well that's actually being done at it's being done in a couple different hospitals one of which is actually in hospital in Canada and then we're also leveraging streams in the emory university intensive Timothy Buckman on you did earlier oh yeah the ICU of the future right absolutely brilliant trafficking example brings up you know Ashley that's the underbelly of the world in society but like data condition to Jeff Jonas been on the queue as you know many times and he talks with his puzzle pieces in a way that the data is traveling on a network a network that's distributed essentially that's network computing I mean estate management so look at network management you can look at patterns right so so that's an interesting example so that begs the next question what is the craziest most interesting use case you seen oh my gosh okay now i got i think about oh yes and you can talk about and i can talk about that creates business value or society value oh you know I okay um for you are putting me on the spot the craziest one so 3 we could be great could be g-rated don't you know they go to 2k yeah you know what I participated three weeks ago tiaa-cref actually hosted a fraud summit where it was all investigators like they were doing crime investigation so more than sixty percent of the guys in the room carried weapons because they were Security Intelligence they were pleased they were DA's they repented I was not packing anyway and there was about so 60-plus percent were those right and then only about thirty percent in the room were what i would consider the data scientists in the room like these are the guys are trying to decide which claims are not true or false so forth there were at least like three or four use cases in that discussion that came out they were unbelievable so one is in the fraud area in particular and in crime they're luring the data there what does luring the data they're taking location-based data for geographic region they're putting crime data on top of that right historical like drug rings and even like datasets in miami-dade county the DA told me they were doing things where rather than looking at people that are doing the drugs they they realize people that had possession of a drug typically purchased within a certain location and they had these abandoned properties and were able to identify entire rings based on that another one this is also semi drug-related is in the energy utility space there was in the middle part of the United States houses in Nice urban areas where they were completely torn apart on the interior and build into marijuana houses and so of course they're utilizing high levels of gas and electricity in order to maintain the water fertilization everything else well what happens is it drives peaks in the way that the energy utility looks on a given day pattern so based on that they're able to detect how inappropriate activities are happening and whether it's a single opportunistic type activity whether it's saying this was doing laundry or irrigating the Erie hey we well you know what's interesting about electricity to is especially someone's using electricity but no one's like using any of the gas you're like home but no one's cooking you know something's a little long but it was fascinating i mean really fascinating there were like several other crime scenarios in terms of speed i actually did not know the US Postal Service is like the longest running federal institution that actually tracked like mail fraud and one of the use cases i'm sure jeff has talked about here on the cube is probably a moneygram use case but we talked about that we talked I mean it the stories were unreal because I was spending time with forensic scientists as well as forensic investigators and that's a completely do we're getting we're getting the few minutes need for a platform to handle all this diversity so that's the security risk the governance everything you gotta go cuz your star for the analyst me I can't watch this conversation one final question one of the best yet as we get drugs in there we got other things packing guns guns and drugs you in traffic you know tobacco if you go / news / tobacco well write the knowledge worker all right final question for I know you gotta go this big data applications were you know the guys in the mailroom the guys work for the post office are now unable to actually do this kind of high-level kind of date basically data science yeah if you will or being an analyst so that what I want you to share the folks your vision of the definition of the knowledge worker overused word that's been kicked around for the PC generates but now with handheld with analytical real-time with streaming all this stuff happening at the edge how is it going to change that the knowledge work or the person in the trenches it could be person the cubicle the person on the go the mobile sales person or anyone you know I some people feel threatened when they hear that you're going to apply data and analytics everywhere because you're it implies that you're automating things but that's actually not the value the real value is the insight so that you can double down on the decisions you want to make so if you're more confident you're going to take bigger bets right and decision-making historically has been I think reserved for a very elite few and what we're talking about now is a democratization of that insight and with that comes a lot of empowerment a lot empowerment for everyone and you don't have to be a data scientist be able to be able to make decisions and inform decisions if anything you know actually Tim Buckman I had a good conversation about them as a professional you know what I if I was a physician I'd want to work at the hospital that has the advanced capabilities why because it allows me as a professional physician to then be able to do what I was trained to do not to detect and have to pay attention to all these alarms going off you know I want to work at the institutions and organizations that are investing appropriately because it pushes the caliber of the work I get to do so I think it just changes the dynamics for everyone tim was like a high-priced logistics manager you want to work with people want to work with leaders and now we're in a modern era this new wave is upon us who care and they want to improve and this is about continuing to improve Dave and I always talk about the open source world that those principles are going mainstream to every aspect of business collaboration openness transparency not controlled absolutely absolutely Indy thanks so much for coming in the queue and know you're busy think of your time we are here live in the cube getting all the signal from the noise and some good commentary at the end a one we have one more guest ray way right up next stay tuned right back the queue