Geoff Swaine, CrowdStrike | CrowdStrike Fal.Con 2022
>>We're back with theCUBE at Fal.Con 2022, Dave Vellante and Dave Nicholson. We're at the Aria. We do of course, a lot of events in Las Vegas. It's the, it's the place to do events. Dave, I think is my sixth or seventh time here this year. At least. I don't know. I lose track. Geoff Swaine is here. He's the vice president of global programs store and tech alliances at CrowdStrike. Geoff. Good to see you again. We saw each other at reinvent in July in Boston.

>>Yes. Yeah, it was great to see you again, Dave, thank

>>Very much. And we talked about making this happen so thrilled to be here at, at, at CrowdStrike Fal.Con. We're gonna talk today about the CrowdStrike XDR Alliance partners. First of all, what's XDR?

>>Well, I hope you were paying attention to George's George's keynote this morning. I guess. You know, the one thing we know is that if you ask 10, five people, what XDR is you'll get 10 answers.

>>I like this answer a holistic approach to endpoint security. I, that was,

>>It was good. Simple.

>>That was a good one at Black Hat. So, but tell us about the XDR Alliance partners program. Give us the update there.

>>Yeah, so I mean, we spoke about it at re:Inforce, you know, the XDR program is really predicated on having a robust ecosystem of partners to help us share that telemetry across all of the different parts of our customers' environment. So we've done a lot of work over the last few weeks and trying to bolster that environment specifically, putting a lot of focus on firewall. You'll see that Cisco and Fortinet have both joined the XD XDR Alliance. So we're working on that right now. A lot of customer demand for firewall data into the telemetry set. You know, obviously it's a very rich data environment. There's a lot of logs on firewalls. And so it drives a lot of, of, of information that we can, we can leverage. So we're continuing to grow that. And what we're doing is building out different content packs that support different use cases.
So firewall is one, CASB is another, email's another, and we're building, building out the, the partner set right across the board. So it's, it's, it's been a, a great set of

>>Activity. So it's it's partners that have data. Yep. There's probably some, you know, Joe Tucci, your old boss, used to say that that overlap is better than gaps. So there's sometimes there's competition, but that's from a customer standpoint, overlap is, is better than gaps. So as gonna mention Cisco, Fortinet and there are a number of others, they've got data. Yes. And they're gonna pump it into your system, our platform, and you've got the, your platform. You've got the ability to ingest. You've got the cloud native architecture, you've got the analytics and you've got the near real time analysis capability. Right, right.

>>Augmented by people as well, which is a really important part of our value proposition. You know, we, it's not just relying purely on AI, but we have a human, a human aspect to it as well to make sure we're getting extremely accurate responses. And then there's the final phase is the response phase. So being able to take action on a CASB, for example, when we have a known bad actor operating in the cloud is a really important, easy action for our customer to take. That's highly valuable. You're

>>Talking about your threat hunting capability, right?

>>So it's threat hunting and our Intel capability as well. We use all of that information as well as the telemetry to make sure we're making good, actionable

>>Decisions, Intel being machine intelligence or, or human and machine

>>Human and human and machine intelligence that we have. We have a whole business that's out there gathering Intel. I believe you think to Adam Meyers who runs that business. And you know, that Intel is critical to making good decisions for our customers.

>>So the X in XDR is extended, correct. Extending to things like firewalls. That's pretty obvious in the security space.
Are there some less obvious data sources that you look to extend to at some point?

>>Yeah, I think we're gonna continually go with where the customer demand is. And firewalls is one of the first and is very significant. Other one, you'll see that we're announcing support for Microsoft 365 as well as part of this, this announcement, but then we'll still grow out into the other areas. NDR is, you know, a specific area where we've already got a number of partners in that, in that space. And, and we'll grow that as we go. I think one of the really exciting additional elements is the, the OCSF announcement that we made at at, at, at, at re:Inforce, which also is a shared data scheme across a number of vendors as well. So talking to Mike's point, Microsoft ST's point this morning in his keynote, it's really about the industry getting together to do better job for our customers. And XDR is the platform to do that. And CrowdStrike's way of doing it is the only really true, visible way for a customer to get their hands on all that information, make the decision, see the good from the bad and take the action. So I feel like we're really well placed to help our customers in

>>That space. Well, Kevin Mandia referenced this too today, basically saying the industry's doing a better job of collaborations. I mean, sometimes I'm skeptical because we've certainly seen people try to, you know, commercialize private information, private reports. Yeah. But, but, but you're talking about, you know, some of your quasi competitors cooperatives, you know, actually partnering with you now. So that's a, that's a good indicator. Yeah. I want to step back a little bit, talk about the macro, the big conversation on Wall Street. Everybody wants to talk about the macro of course, for obvious reasons, we just published our Breaking Analysis, talking about you guys potentially being a generational company and sort of digging into that a little bit.
We've seen, you know, cyber investments hold up a little bit better, both in terms of customer spending and of course the stock market better than tech broadly. Yeah. So in that case it would, it would suggest that cyber investments are somewhat non-discretionary. So, but that is my question are cyber investments non-discretionary if, if so, how,

>>You know, I think George George calls that out directly in our analyst reports as well that, you know, we believe that cyber is a non-discretionary spend, but I, I actually think it's more than that. I think in this current macro or economic environment where CIOs and CSOs are being asked to sweat their assets for significantly longer period of time, that actually creates vulnerabilities because they have older kit, that's running for a longer period than they normally, you know, round out or churn out of their environment. They're not getting the investment to replace those laptops. They're not getting the, I placement to replace those servers. We have to sweat them for a little bit longer, longer, which means they need to be on top of the security posture of those devices. So that means that we need the best possible telemetry that we can get to protect those in the best possible way. So I actually think not only is it makes it non-discretionary, it actually increases the, the business case for, for, for taking on a, a cyber project.

>>And I buy that. I buy that the business case is better potentially for cyber business case. And cyber is about, about risk reduction, right? It's about, it's about reducing expected loss. I, I, I, I, but the same time CISOs don't have an open wallet. They have to compete with other P and L managers. I also think the advantage for CrowdStrike I'm, I'm getting deeper into the architecture and beginning to understand the power of a lightweight agent that can do handle. I think you're up to 22 modules now, correct? Yes.
I've got questions on how you keep that lightweight, but, but nonetheless, if you can consolidate the point tools, which is, you know, one of the biggest challenges that, that SecOps teams face that strengthens the ROI as well.

>>Absolutely. And if you look at what George was saying this morning in the keynote, the combination of being able to provide tools, not only to the SecOps team, but the IT ops team as well, being able to give the IT ops team visibility on how many assets they have. I mean, these simple, these are simple questions that we should be able to answer. But often when we ask, you know, an operations leader, can you answer it? It sometimes it's hard for them. We actually have a lot of that information. So we are able to bring that into the platform. We're able to show them, we're able to show them where the assets are, where the vulnerabilities are against those assets and help IT ops do a better job as well as SecOps. So the, the strength, the case strengthens, as you said, the CSO can also be talking to the IT ops budget.

>>The edge is getting more real. We're certainly hearing a lot about it now we're seeing a lot more and you kind of got the, the near edge, like the Home Depot and the Lowe's, you know, stores. Yeah. Okay. That I, I can get a better handle on, okay. How do I secure that? I've got some standards, but that's the far edge. It's, it's the, the OT yes. Piece of it. That's sort of the brave new world. What are you seeing there? How do you protect those far flowing estates?

>>I think this gets back to the question of what's what's new or what's coming and where do we see the, the next set of workloads that we have to tackle? You know, when we came along first instance, we were really doing a lot of the on-prem on-prem and, and, and known cloud infrastructure suites. Then we started really tackling the broader cloud market with tools and technology to give visibility and control of the overall cloud environment.
OT represents that next big addressable market for us, because there are so many questions around devices where they are, how old they are, what they're running. So visibility into the OT network is extremely, extremely important. And, you know, the, the wall that has existed again between the CISO and the OT environments coming down, we're seeing that's closer, closer alignment between the security on both those worlds. So the announcement that we've made around extending our Falcon Discover product, to be able to receive and understand device information from the OT network and bring it into the same console as the, the IT and the OT in the same console to give one cohesive picture of, of visibility of all of our devices is a major step forward for our customers and for, for the industry as well.

>>And we see that being, being able to get the visibility will then lead us to a place of being able to build our AI models, build our response frameworks. So then we can go to a full EDR and then beyond that, there's, you know, all the other things that CrowdStrike do so well, but this is the first step to really the first step on control is visibility. And

>>The OT guys are engineers. So they're obviously conscious of this stuff. It's, it's more it's again, you're extending that culture, isn't

>>It? Yeah, yeah, yeah. Now when you're looking at threats, great, you want to do things to protect against those threats, but how much, how much of CrowdStrike's time is spent thinking about the friction that's involved in transactions? If I wanna go to the grocery store, think of me as an end point. If I wanna go to the grocery store, if I had to drive through three DUI checkpoints or car safety inspections. Yeah. Every time I went to the grocery store, I wouldn't be happy as an end point as an end user in this whole thing. Ideally, we'd be able just to be authenticated and then not have to worry about anything moving forward.
Do you see that as your role, reducing friction 1%,

>>That's again, one of the core tenets of, of, of why George founded the company. I mean, he tells the story of sitting on an airplane and seeing an executive who was also on the airplane, trying to boot their machine up and try and get an email out before the plane took off and watching the scanning happen, you know, old school virus scanning happening on the laptop and, and that executive not making it because, and he is like in this day and age, how can we be holding people back with that much friction in their day to day life? So that's one of the, again, founding principles of what we do at CrowdStrike was the security itself needs to support business growth, support, user growth, and actually get out of the way of how people do things. And we've seen progression along that lines. I think the zero trust work that we're doing right now really helps with that as well.

>>Our integrations into other companies that play within the zero trust space makes that frictionless experience for the user, because yeah, we, we, we want to be there. We want to know everything that's happening, but we don't wanna see where we always want control points, but that's the value of the telemetry we take. We're taking all the data so we can see everything. And then we pick what we want to review rather than having to do the, the checkpoint approach of stop here. Now, let me see your credentials. Stop here. Let me see your credentials because we have a full field of, of knowledge and information on what the device is doing and what the user is doing. We're able to then do the trust with verify style approach.

>>So coming back to the, to the edge in IOT, you know, bringing that zero trust concept to the, to the edge you've got, you've got IT. And OT. Okay. So that's a new constituency, but you're consolidating that view. Your job gets harder. Doesn't it? So, so, so talk about how you resolve that.
Do do the, do the concepts that you apply to traditional IT endpoints apply at the edge?

>>So first things we have to do is gain the visibility. And, and so the way in which we're doing that is effectively drawing information out from the OT environment at, by, by having a collector that's sitting there and bringing that into our console, which then will give us the ability to run our AI models and our other, you know, indications of attack or our indicators of misconfiguration into the model. So we can see whether something's good or bad whilst we're doing that. Obviously we're also working on building specific sensors that will then sit in OT devices down, you know, one layer down from rather being collected and pulled and brought into the platform, being collected at the individual sensor level when we have that completed. And that requires a whole different ecosystem for us, it means that we have to engage with organizations like Rockwell and Siemens and Schneider, because they're the people who own the equipment, right? Yeah. And we have to certify with them to make sure that when we put technology onto their equipment, we're not going to cause any kind of critical failure that, you know, that could have genuine real world physical disastrous consequences. So we have to be super careful with how we build that, which we're we're in the process of

>>Doing are the IOA signatures indicators of attack. So I don't have to throw a dollar in the jar. Are the IOA signatures substantially similar at, at the edge, or

>>I think we learn as we go, you know, first we have to gain the information and understand what good and bad looks like, what the kind of behaviors are there.
But what we will see is that, you know, as someone's trying to, there's an actor, you know, making an attack, you know, will be able to see how they're affecting each of those endpoints individually, whether they're trying to take some form of control, whether they're switching them on and off in the edge and the far edge, it's a little bit more binary in terms of the kind of function of the device. It is the valve open or is the valve closed? It's is the production line running or is the production not line running, not running. So we need to be able to see that it's more about protecting the outcomes there as well. But again, you know, it's about first, we have to get the information. That's what this product will help us do, get it into the platform, get our teams over the top of it, learn more about what's going on there and then be able to take action.

>>But the key point is the architecture will scale. And that's where the cloud native things comes

>>Into. Yeah, it'll, it'll it'll scale. But to your, to your point about the lack of investment and infrastructure means older stuff means potentially wider gaps, bigger security holes, more opportunity for the security sector. Yep. I buy that. That makes sense. I think if it's a valid argument, when you, when you, when you know, we, we loosely talk about internet of things, edge, a lot of those things on the edge, there's probably a trillion dollars worth of a hundred year old garbage, and I'm only slightly exaggerating on the trillion and the a hundred years old, a lot of those critical devices that need to be sensed that are controlling our, our, our, our electrical grid. For example, a lot of those things need to be updated. So, so as you're pushing into that frontier, are you, you know, are, are you extending out developer kits and APIs to those people as they're developing those new things? Well, because some of the old stuff will never work.
>>And that's what we're we're seeing is that there is a movement within the industrial control side of things to actually start, you know, doing this. Some, some simple things like removing the air gap from certain systems because you, now we can build a system around it. That's trustable and supportable. So now we can get access there over, over and over a network over the internet to, to, to kind of control a valve set that's down a pipeline or something like that. So there is, there is, there is willingness within the ecosystem, the, the IOT provider ecosystem to give us access to some of those, those controls, which, which wasn't there, which has led to some of some of these issues. Are we gonna be able to get to all of them? No, we're gonna have to make decisions based on customer demand, based on where the big, the big rock lie. And, and so we will continue to do that based on customer feedback on again, on what we see

>>And the legacy air gaps in the OT worlds were by design for security reasons, or just sort of

>>Mostly because there was no way to, to do before. Right. So it was, was like black

>>Connectivity is

>>So, so, so it was, people felt more comfortable sending an engineer route to the field truck roll. Yeah, yeah, yeah. To do it rather than expensive, rather. And, and exactly that, again, going back to our macro economic situation, you know, it's a very expensive way of managing and maintaining your fleet if you have to send someone to it every time. So there is a lot of there's, there's a lot of customer demand for change, and we're engaging in that change. And we want, we see a huge opportunity there

>>Coming back to the X XDR Alliance, cuz that's kind of where we started. Where do you wanna see that go? What's your vision for that?

>>So the Alliance itself has been fundamental in terms of now where we go with the overall platform.
We are always constantly looking for customer feedback on where we go next on what additional elements to add that the Alliance members have been this fantastic time and effort in terms of engaging with us so that we can build in responses to their platforms, into, you know, into, into what we do. And they're seeing the value of it. I, I feel that over the next, you know, over the next two year period, we're gonna see those, our XDR Alliance and other XDR alliances growing out to get to each other and they will they'll touch each other. We will have to do it like the OSF project at AWS. And as that occurs, we're gonna be able to focus on customer outcomes, which is, you know, again, if you listen to George, you listen to Mike protecting the customers, the mission of CrowdStrike. So I think that's core to that, to, to that story. What we will see now is it's a great vehicle for us to give a structured approach to partnership. So we'll continue to invest in that. We've, we've got, we've got a pipeline of literally hundreds of, of partners who want to join. We've just gotta do that in a way that's consumable for us and consumable for the customer.

>>Geoff Swaine. Thanks so much for coming back in theCUBE. It's great to have you. Yeah. Thanks guys. Thank you. Okay. And thank you for watching Dave Nicholson and Dave Vellante. We'll be back right after this short break. You're watching theCUBE from Fal.Con 22 in Las Vegas, right back.
JC Herrera, CrowdStrike, Craig Neri & Diezel Lodder, Operation Motorsport | CrowdStrike Fal.Con 2022
>>Welcome back to Fal.Con 2022. This is Dave Vellante. We get a special presentation segment for you today. This is wall-to-wall day one of day two's CUBE coverage, JC Herrera. Here's my designated cohost. Who's the chief human resource officer at CrowdStrike. Craig Neri is to my left. He's the beneficiary and the beneficiary trustee and ambassador of, of Operation Motorsport and former US Air Force. Thank you for your service. Thank you. And Diezel Lodder, who is CEO and co-founder of Operation Motorsport. Jen, welcome to theCUBE. Thanks so much for coming on. Great to be JC set this up for us. Explain your role, explain the corporate giving the whole student connection and the veterans take us through that.

>>Yeah, sure. Yeah. So as, as head of HR, one of the, one of the things that we do is, is help manage part of the corporate giving strategy. And, and one of those things that, that we love to do is to also invest in students and in our veterans, it's just a part of our giving program. So this partnership with Operation Motorsport is really critical to that. And if you want to dive a little bit deeper into that, we just see that there's a gigantic skills gap in cyber security. And so when we, when there's over millions of open roles around the world and 700,000 of 'em in the US alone, we've gotta go close that gap. And so our NextGen scholarships that come out of the, that are giving funds are, are awarded to students who are studying cyber security or AI. And the other side of that is that this partnership with Operation Motorsport, then we get the opportunity to do some internships with veterans through Operation Motorsport as well, the

>>Number 700,000 now, but pre pandemic. I remember number 3 50, 300 50,000. It's it's doubled now just in the US. Amazing. All right, Diezel, tell us about the mission of Operation Motorsport, like who are the beneficiaries let's get into it.
>>So Operation Motorsport engages ill, injured, wounded service members, those that are medically retiring from the service or disabled veterans, these individuals be taken out of their units. They lose their team identity, their purpose. And, and what we do is those that apply to the program and have a desire to work around shiny objects and fast cars and all the great smells or just car guys or gals that we have some of those as well. They, we, we bring them onto the teams as beneficiaries. So embed them into a race team and give them opportunity to find something new. We're a recovery program. We're not about, you know, finding jobs for these folks. It's about networking and getting outta that, you know, outta the dark places where some of them end up going, because this is a, a huge change for them. And, and in doing so, we now expose them to CrowdStrike. You know, that's, that's one of the new relationships that, that we have where potentially if they want to, they can pursue new opportunities in areas like cyber security.

>>And they're chosen through an application process. You're I'm, I'm inferring.

>>Yeah. They just go online and say, you know, through word of mouth or through a friend or through the, the USO and other organizations, they go online and they click the apply here and they fill it out. And our beneficiary trustee, Craig, and calls 'em up and says, Hey, tell me about what you're looking for. And, and we, we pair them up with the race team and Craig,

>>You're also a, a beneficiary in addition to being the beneficiary trustee. So explain that, what's your story?

>>Right. So I started in this organization as a beneficiary. I was the one that hit the button on the website. And, and then a few minutes later, I got a phone call from then Tiffany Lodder, Diezel's wife, who's our executive director in the organization. And, and I had that same conversation that I now have with beneficiaries today.
I did a, I did a full season with them last year in 2021 as a beneficiary. But at the end I realized how big of an impact that this has with folks. Transition can be very difficult, especially if they're ill injured or wounded. And so I asked if I could help if I could give back, cuz it meant such it had such a big impact on me. I'd like to, to help other veterans as well. Can I

>>Ask you what made you hit that button? What made you apply?

>>That's a great question. So I was one of the very fortunate ones that had a transition coach. I was in the military for 29 years and had a lot of great connections in the military and, and was connected to a coach, a transition coach and just exploring, you know, what that, what that would look like. And she was the one who said, Hey, why don't we, why don't we explore this passion of Motorsports that you have? My family had been going to, to Motorsports events for, you know, 50 years. And so, so I thought back, all right, this is, I like this idea. Let's, let's pursue this. So a quick Google search and Operation Motorsport popped up and I hit the button and

>>What programs are available in operation

>>Motorsport? Yeah. So Diezel kind of outline outlined it. We have basically three different programs. We have the, our immersion program, which is exactly what Diezel described, where we take that veteran. And we actually immerse them in a race team. They're doing the, exactly what I was doing, doing tires and fuel and whatever the team needs them to do. We also have our emo sports program where folks who can't do the immersion program, immersion program is takes a pretty big time commitment sometimes. And so they just don't have the capacity or abilities to be able to do those. We could put 'em in our emo sports program where they can do it all virtually we're actually, we have a season going on right now where we, we have veterans racing in that emo sports program.
And then we have a, a diversionary therapy program where we have a, a Patriot car corral set up at all these tracks. So they can go out with like-minded individuals and spend the day out there with those folks, other veterans. And we do pit pit tours and, and we get 'em out on the track for a little bit of a, you know, highway speeds, nothing ridiculous. But we, we did doing some highway speeds. So we have a, a few, few different ways for them to be

>>Involved. So, so the number three is like a splash in the pond, whereas number ones, the, to like full immersion. Right? Correct. And so what are you doing in the full immersion? What is, what is that like? I mean, you're literally changing tires and, and, and you're

>>Yeah. You name it. You're

>>In the you're you're you're in that sort of sphere of battle, if you will. Right.

>>The beauty of this is we could take somebody's capabilities and skill set and we can match it to whatever that looks like on a race team. Some people come in and have no experience whatsoever. And so we find a team that needs, you know, that has a development opportunities where they could come in, their, their initial job might be to fuel fuel cans or, you know, take tires off the car, wipe the car down, it's little things in the beginning. And then slowly as they start to grow and learn, then they take on bigger roles. But we also have different positions. They can be immersed in, in teams, but they can also be immersed in the series. So we have folks that are doing like tech inspections. We have folks that are doing race control up in the, up in the tower, directing race operations. So we have lots of opportunities, tons of potential. We, we foster those relationships and take the folks, whatever their capabilities and, and abilities are and find the right position for

>>'em think, thinking about your personal experience, how, how did it, how would you say it affected you?

>>Yeah.
To understand that you really have to understand military transition. And I think that's where a lot of the folks that have never experienced this really struggle. Transition from the military is really difficult. And it's really difficult, even if you're, if you're not broken or you don't have some kind of illness or injury, but you add that factor into at the same time and it could be extremely difficult. And that's why we see like the 22-a-day suicide rates with veterans, it's very, very high. Right? And so when you, when you come into this program, it, it is a little bit of a leap of faith, right? This is very new experience for somebody, right? For somebody like myself who had 29 years of experience in the military, very senior person in the military. And now you're at the bottom of the totem pole and trying to figure it all out again, it's, it's a, it's a big jump. But what you realize really quickly is a lot of the things that you experience in the military, you experience in that paddock, same exact things, lots of small team environment, lots of diversity, lots of challenges, lots of roadblocks, ups, downs, you, you deploy just like you would deploy in, in the military, you bring the cars to a track, you execute a mission, then you pack it up and bring it home. So it's, there's so many similarities in the process. >>I mean, yeah. Diezel, hearing Craig explained that there are the similarities sound very clear, but, but, but how did, how'd you come up with this idea? It makes sense now in retrospect, but somebody just said, Hey, you know, we have this and we have this and we can marry 'em, or no? >>Not really. And it, it's a funny story because I always said, I, I, I don't believe in reinventing the wheel, I believe in stealing the car. And so there's a sister organization that we have in the UK called Mission Motorsport. And, and, and they invented this five years before we did. And, and they were successful. 
And I was, you know, through, through friendships and opportunities, I got to witness it in, in 2016. So went over to, to Wales in the UK and, and watched it in action. And we were there for one race weekend, Race of Remembrance, which is where we go back to, we'll be going back to November, taking 13 beneficiaries over to race in our own race team for a 12-hour race. And that's a whole other story, but that's where it all started. You know, we, we saw the opportunities and said, wow, they're changing lives through recovery, you know, through motor sport and the similarities and what they were achieving. >>Our initial goal was let's just come back and do this again next year, because we need to bring North American transitioning members over to, to witness this and take part. And then fast forward, we said, why stop there? And we stood up an organization. Now I'll tell you that the organization is not what it was, the, the initial vision. This is not where, I mean, I never imagine that we get to this point this day, especially with the announcement this morning, you know, with the partnership with CrowdStrike, it, it's huge for us, but we've evolved into something that was very similar to the initial vision. And that was helping, helping medically transitioning service members with their own personal struggles and recovery. You know, the reason we call it Operation Motorsport is because operations have no beginning and no end and our, and what we do makes us so different in that we're not a one and done, we take care of these guys. Even when they become alumni, they, they still come back. They, they come back to volunteer, they come back to check in their friends and, and all kinds. It's really, really neat. And, >>And JC of course, CrowdStrike has an affinity for Motorsports, right? You got the logo on the Mercedes. You, you've got the safety car at, this is, I think it's called the safety car. Right. That's it? Yeah. So, okay. 
So that's an obvious connection, but, but where did the idea germinate for this partnership? >>There's so many things, but first and foremost, I think that the, the values of CrowdStrike and those of Operation Motorsport were very much aligned. If you think about it, we, we focus a lot on teamwork. There's no way we do these jobs without the teamwork part. We all love data. These guys are all in the data all the time, trying to figure out, you know, what your adversaries are doing. So there's that kind of component to it. And I'd say the last bit is critical thinking. So when we think about our organizations and how well aligned they are, that was a, that was a no brainer. And into the other side of it, we get the opportunity to do mentorship programs. I mean, I think both ways, hopefully I get invited to the Patriot corral. At some point I can go, go work on a car, but we'll do those both ways or mentorship opportunities. If folks from Operation Motorsport want to team up with a CrowdStriker. So >>Do you ever get to drive the car? Or is that just an awful question? >>No, that's a good question. Actually I do, from the, from the track to the pits, very slow speeds. >>They don't let you out in the train. >>That's right. No, I don't get to go out on the track. >>Diezel, you ever, you ever drive one of these? >>I, I, I, I've been on, on the track on, on different cars, not in the race cars that, that, that, that are on the team, but something that's unique in the Patriot corral, for instance, because JC brought that up is that when we do these Patriot corrals, part of that program at lunchtime is, is taking the individuals and doing parade laps. And now, you know, a parade lap. Well, what's the fun in that, but you drive highway speeds on a racetrack and your own personal car, following a pace car. That's a pretty cool experience. Cool. >>Yeah, that's very cool guys. 
Congratulations on this program and all your success and all the, the giving that you do for the community and, and your peers. Really appreciate you guys coming on theCUBE and telling me great story. >>Thanks for having, thanks for the opportunity. >>You're very welcome. All right. Keep it right there. Everybody. Dave Vellante and Dave Nicholson, we'll be back from Fal.Con 2022 at the ARIA in Las Vegas. You're watching theCUBE.
Day 2 Wrap Up | CrowdStrike Fal.Con 2022
(upbeat music) >> Okay, we're back to wrap up Fal.Con 2022, CrowdStrike's customer event. You're watching theCUBE. My name is Dave Vellante. My co-host, Dave Nicholson, is on injured reserve today, so I'm solo. But I wanted to just give the audience a sense as to some of my quick takeaways. Really haven't given a ton of thought on this. We'll do review after we check out the videos and the transcripts, and do what we do at SiliconANGLE and theCUBE. I'd say the first thing is, look, CrowdStrike continues to expand its footprint. And, it's adding the identity module, through the Preempt acquisition. Working very closely with managed service providers, MSPs, managed security service providers. Having an SMB play. So CrowdStrike has 20,000 customers. I think it could, it could 10X that, you know, over some period of time. As I've said earlier, it's on a path by mid-decade to be a 5 billion company, in terms of revenue. At the macro level, security is somewhat, I'd say it's less discretionary than some other investments. You know, you can, you can probably hold off buying a new storage device. You can maybe clean that up. You know, you might be able to hold off on some of your analytics, but at the end of the day, security is not completely non-discretionary. It's competing. The CISO is competing with other budgets. Okay? So it's, while it's less discretionary, it is still, you know, not an open checkbook for the CISO. Now, having said that, from CrowdStrike's standpoint it has an excellent opportunity to consolidate tools. It's one of the biggest problems in the security business. Go to Optiv and check out their security taxonomy. It'll make your eyes bleed. There's so many tools and companies that are really focused on one specialization. But really, what CrowdStrike can do with its 22 modules, to say, hey, we can give you ROI and consolidate those. 
And not only is it risk reduction, it's lowering the labor cost and labor intensity, so you can focus on other areas and free up the biggest problem that CISOs have. It's the lack of enough talent. So, really strong business value and value proposition. A lot of that is enabled by the architecture. We've talked about this. You can check out my breaking analysis that I dropped last weekend, on CrowdStrike. And, you know, can it become a generational company. But it's really built on a cloud-native architecture. George Kurtz and company, they shunned having an on-premise architecture. Much like Snowflake, Frank Slootman has said, we're not doing a halfway house. We're going to put all our resources on a cloud-native architecture. The lightweight agent that allows them to add new modules and collect more data, and scale out. The purpose-built threat graph and time series database, and asset graph that they've built. And very strong use of AI, to not only stop known malware, but stop unknown malware. Identify threats. Do that curation. And really, you know, support the SecOp teams. Product wise, I think the big three takeaways, and there were others, but the big three for me is EDR extending into XDR. You know, X is the extending for, in really, the core of endpoint detection and response, extending that further. Well, it seems to be a big buzzword these days. CrowdStrike, I think, is very focused on making a more complete, a holistic offering, beyond endpoint. And I think it's going to do very well in that space. They're not alone. There are others. It's a very competitive space. The second is identity. Through the acquisition of Preempt. CrowdStrike building that identity module. Partnering with leaders like Okta, to really provide that sort of, treating identity, if you will, as an endpoint. And then sort of Humio is now Falcon LogScale. 
Bringing together, you know, the data and the observability piece, and the security piece, is kind of the three big product trends that I saw. I think the last point I'll make, before we wrap, is the ecosystem. The ecosystem here is good. It reminds me, I said, a number of times this week, of ServiceNow in 2013. I think the difference is, CrowdStrike has an SMB play, it can go after many more customers, and actually have an even broader platform. And I think it can accelerate its ecosystem faster than ServiceNow was able to do that. I mean, it's got to be, sort of, an open and collaborative sort of ecosystem. You know, ServiceNow is kind of, more of, a one-way street. And I think the other piece of that ecosystem, that we see evolving, into IoT, into the operations technology and critical infrastructure. Which is so important, because critical infrastructure of nations is so vulnerable. We're seeing this in the Ukraine. Security is a key component now of any warfare. And going forward, it's always going to be a key component. Nation states are going to go after trust, or secure infrastructure, or critical infrastructure. Try to disable that and disrupt that. So securing those operation assets is going to be very critical. Not just the refrigerator and the coffee maker, but really going after those critical infrastructures. (chuckles) Getting asked to break. And the last thing I'll say, is the developer platform. We heard from Amol that, the opportunity that's there, to build out a PaaS layer, super PaaS layer, if you will, so that developers can add value. I think if that happens, this ecosystem, which is breaking down, will explode. This is Dave Vellante, wrapping up at CrowdStrike, Fal.Con 2022. Go to SiliconAngle.com, for all the news. Check out theCUBE.net. You'll see these videos on demand and many others. Check out (indistinct).com for all the research. And look for where we'll be next. 
Of course, re:Invent is the big fall event, but there are many others in between. Thanks for watching. We're out. (music plays out)
Stephan Goldberg, Claroty | CrowdStrike Fal.Con 2022
(intro music) >> Hi everybody. Dave Vellante, back with Day Two coverage, we're live at the ARIA Hotel in Las Vegas for fal.con '22. Several thousand people here today. The keynote was, it was a little light. I think people were out late last night, but the keynote was outstanding and it's still going on. We had to break early because we have to strike early today, but we're really excited to have Stephan Goldberg here, Vice President of Technology Alliances at Claroty. And we're going to talk about an extremely important topic, which is the internet of things, the edge, we talk about it a lot. We haven't covered securing the edge here at theCUBE this week. And so Stephan, really excited to have you on. >> Thank you for having me. >> You're very welcome. Tell us more about Claroty, C-L-A-R-O-T-Y, a very interesting spelling, but what's it all about? >> Claroty is a cybersecurity company that specializes in cyber physical systems, also known as operational technology systems and the extended internet of things. The difference between the traditional IoT and what everyone calls an IoT in the cyber physical system is that an IoT device has anything connected on the network that traditionally cannot carry an agent, a security camera, a card reader. A cyber physical system is a system that has influence and operates in the physical world but is controlled from the cyberspace. An example would be a controller, a turbine, a robotic arm, or an MRI machine. >> Yeah, so those are really high-end systems, run, are looked after by engineers, not necessarily consumers. So what's happening in that world? I mean, we've talked a lot on theCUBE about the schism between OT and IT, they haven't really talked a lot, but in the last several years, they've started to talk more. You look at the ecosystem of IoT providers. I mean, it's companies like Hitachi and PTC and Siemens. I mean, it's the different names than we're used to in IT. 
What are the big trends that you're seeing the macro? >> So, first of all, traditionally, most manufacturers and environments that were heavy on operations, operational technology, they had the networks air-gapped, completely separated. You had your IT network for business administration, you had the OT network to actually build stuff. Today with emerging technologies and even modern switching architecture everything is being converged. You have the same physical infrastructure in terms of networking, that carries both networks. Sometimes a human error, sometimes a business logic that needs to interconnect these networks to transmit data from the OT side of the house, to the IT side of the house, exposes the OT environment to cyber threats. >> Was that air-gap by design or was it just that there wasn't connectivity? >> It was air-gap by design, due to security and operational reasons, and also ownership in these organizations. The IT-managed space was completely separate from the OT-managed space. So whoever built a network for the controllers to build a car, for example, was an automation engineer and the vendors, that have built these networks, were automation vendors, unlike the traditional Ciscos of the world, that were specializing in IT. Today we're seeing the IT vendors on the OT side, and the OT vendors, they're worried about the IT side. >> But I mean, tradition, I mean, engineers are control freaks. No offense, but, I'm glad they are, I'm thankful for that. So there must have been some initial reticence to them connecting up these air-gap systems. They wanted to make sure that they were secure, that they did it right, and presumably that's where you guys come in. What are the exposures and risks of these, of this critical infrastructure that we should be aware of? >> So you're completely right. And from an operational perspective, let's call it change control is very rigorous. 
So they did not want to go on the internet and just, we're seeing it with adoption of cloud technologies, for example. Cloud as in industry four ago, five ago, cloud as in cyber security. We all heard Amol's keynote from this morning talking about critical infrastructures and we'll touch upon our partnership in a second, but CrowdStrike, CrowdStrike being considered and deployed within these environments is a new thing. It's a new thing because the OT operation managers and the chief information security officers, they understand that air-gap is no longer a valid strategy. From a business perspective, these networks are already connected. We're seeing the trends of cyber attacks, IT cyber attacks, like NotPetya, I'm not talking about the Stuxnet, the targeted OT. I'm talking about WannaCry, EternalBlue, IT vulnerabilities that did not target OT, but due to the outdated and the specification of OT posture on the networks, they hit healthcare, they hit OT much harder than they did IT. >> Was Log4J, did that seep into OT, or any IT that. >> So, absolutely. >> So Log4J right, which was so pervasive, like so many of these malwares. >> All these vulnerabilities that, it's a Windows vulnerability, it has nothing to do with OT. But then when you stop and you say, hold on, my human machine interface workstation, although it has some proprietary software by Rockwell or Siemens running on it, what is the underlying operating system? Oh, hold on, it's Windows. We haven't updated that for like eight years. We were focused on updating the software but not the underlying operating system. The vulnerabilities exist to a greater extent on the OT side of the house because of the same characteristic of operational technology environments. 
>> So the brute force air-gap approach was no longer viable because the business imperative came in and said, no, we have to connect these systems to digitally transform, or advance our business, there's opportunities to monetize, whatever it was. The business laid that out as an imperative. So now OT engineers have to rethink how they secure it. So what are the steps that they're taking and how does Claroty help? Is there a sort of a playbook, a sequential playbook? >> Absolutely, so before we discussed the maturity curve of adopting a CPS security, or OT security technology, let's touch upon the characteristic of the space and what it led vendors like Claroty to build. So you have the rigorous change control. You have the security in mind, operations, lowered the risk state of mind. That led vendors, likes of Claroty, to build a solution. And I'm talking about seven, eight years ago, to be passive, mostly passive or passive only to inspect network and to analyze network and focus on detection rather than taking action like response or preventative maintenance. >> Um-hmm. >> It made vendors to build on-prem solutions because of the cloud-averse state of mind of this industry. And because OT is very specific, it led vendors to focus only on OT devices, overlooking what we discussed as IoT. Unfortunately, besides HMI and PLC, the controller in the plant, you also have the security camera. So when you install an OT security solution, I'm talking about the traditional ones, they traditionally overlook the security camera or anything that is not considered traditional OT. These three observations, although they were necessary in the beginning, you understand the shortcomings of it today. >> Um-hmm. >> So cloud-averse led to on-prem which leads to worse security. It's like comparing CrowdStrike and one of its traditional competitors in the antivirus space. 
What CrowdStrike innovated is the SaaS first, cloud-native solution that is continuously being updated and provide the best in cloud security, right? And that is very much like what Claroty's building. We decided to go SaaS first and cloud-native solution. >> So, because of cloud-aversion, the industry shows somewhat outdated deployment models, on-prem, which limited scale and created greater diversity, more stovepipes, all the problems that we always talk about. Okay, and so is the answer to that, just becoming more cloud, having more of an affinity to cloud? That was a starting point, right. >> This is exactly it. Air-gap is perceived as secured, but you don't get updates and you don't really know what's going on in your network. If you have a Claroty or a CrowdStrike installed, you have much higher probability detecting fast and responding fast. If you don't have it, you are just blind. You will be breached, that's the. >> I was going to say, plus, air-gap, it's true, but people can get through air-gaps, too. I mean, it's harder, but Stuxnet. Yeah, look at Stuxnet right, oh, it's mopping the floor, boom, or however it happened, but so yeah. >> Correct. >> So, but the point being, you know, assume that breach, even though I know CrowdStrike thinks that the unstoppable breach is a myth, but you know, you talk to people like Kevin Mandia, it's like, we assume you're going to get breached, right? Let's make that assumption. Yeah, okay, and so that means you've got to have visibility into the network. So what are those steps that you would, what's that maturity model that you referenced before? >> So on top of these underlying principles, which is cloud-native, comprehensive, not OT only, but XIoT, and then bring that the verticalization and OT specificity. On top of that, you're exactly right. There is a maturity curve. You cannot boil the ocean, deploy protections, and change the environment within one day. 
It starts with discovering everything that is connected to your network. Everything from the traditional workstations to the cameras, and of course ending up with the cyber physical systems on the network. That discovery cannot be only a high level profile, it needs to be in depth to the level you need to know application versions of these devices. If you cannot tell the application version you cannot correlate it to a vulnerability, right? Just knowing that's an HMI or that's a PLC by Siemens is insufficient. You need to know the app version, then you can correlate to vulnerability, then you can correlate to risk. This is the next step, risk assessment. You need to put up a score basically, on each one of these devices. A vulnerability score, risk score, in order to prioritize action. >> Um-hmm. >> These two steps are discovery and thinking about the environment. The next two steps are taking action. After we have the prioritized devices discovered on your network, our approach is that you need to ladle in and deploy protections from a preventative perspective. Claroty delivers recommended policies in the form of access control lists or rules. >> Right. >> That can leverage existing infrastructure without touching a device without patching it, just to protect it. The next step would be detection and response. Once you have these policies deployed you also can leverage them to spot policy deviations. >> And that's where CrowdStrike comes in. So talk about how you guys partner with CrowdStrike, what that integration looks like and what the differentiation is. >> So actually the integration with CrowdStrike crosses the the entire customer journey. It starts with visibility. CrowdStrike and us exchange data on the asset level. With the announcement during FalCon, with Falcon Discover for IoT, we are really, really proud working on that with CrowdStrike. Traditionally CrowdStrike discovered and provided data about the IT assets. 
And we did the same thing with CPS and OT. Today with Falcon Discover for IoT, and us expanding to the XIoT space, both of us look at all devices but we can discover different things. When you merge these data sets you have an unparalleled visibility into any environment, and specifically OT. The integrations continue, and maybe the second spotlight I'll put, but without diminishing the other ones, is detection and response. It's the XDR Alliance. Claroty is very proud to be one of the first partners, XDR Alliance partners, for CrowdStrike, fitting in to the XDR, to CrowdStrike's XDR, the data that is needed to mitigate and respond and get more context about breaches in these OT environments, but also take action. Also trigger action, via Claroty and leverage Claroty's network-centric capabilities to respond. >> We hear a lot. We heard a lot in today's keynote about the data, the importance of data, of the graph database. How unique is this, Stephan, in the industry, in your view? >> The uniqueness of what exactly? >> Of this joint solution, if you will, this capability. >> I told my counterparts from CrowdStrike yesterday, the go-to market ones and the product management ones. If we are successful with Falcon Discover for IoT, and that product matures, as we plan for it to mature, it will change the industry, the OT security industry, for all of us. Not only for Claroty, for all players in this space. And this is why it's so important for us to stay coordinated and support this amazing company to enter this space and provide better security to organizations that really support our lives. >> We got to leave it there, but this is such an important topic. We're seeing in the war in Ukraine, there's a cyber component in the future of war. >> Yes. >> Today. And what do they do? They go after critical infrastructure. 
So protecting that critical infrastructure is so important, especially for a country like the United States, which has so much critical infrastructure and a lot to lose. So Stephan, thanks so much. >> Thank you. >> For the work that you're doing. It was great to have you on theCUBE. >> Thank you. >> All right, keep it right there. Dave Vellante for theCUBE. We'll be right back from fal.con '22. We're live from the ARIA in Las Vegas. (techno music)
Amol Kulkarni, CrowdStrike | CrowdStrike Fal.Con 2022
(gentle music) >> Hi everybody, this is Dave Vellante of TheCUBE. This is day two of Fal.Con 2022, CrowdStrike's big customer event. Over 2000 people here, a hundred sessions, a lot of deep security talk. Amol Kulkarni is here. He's the chief product and engineering officer at CrowdStrike, and we're going to get into it. Amol, thanks for coming to theCUBE. >> Great to be here. >> I enjoyed your keynote today. It was very informative. First of all, how's the show going for you? >> It's going fantastic. I mean, first and foremost, like to be having everyone here in person, after three years, that's just out the world, right? So great to meet and a lot of great conversations across the board with customers, partners. It's been fantastic. >> Yeah, so I want to start with Cloud Native, it's kind of your dogma. This whole, the new acronym is CNAPP, Cloud Native Application Protection Platform. >> Amol: That's right. >> There's a mouthful. What is that? How does it relate to what you guys are doing? >> Yeah, so CNAPP is what Gartner has coined as the term for covering entire cloud security. And they have identified various components in it. The first and foremost is the runtime protection, cloud workload protection, as we call it. Second is posture management. That's CSPM, cloud security posture management. Third is CIEM, which we announced today. And then the fourth is shift left, kind of DevSecOps part of cloud security. And all together Gartner coins that as a solution or a suite, if you will, to cover various aspects of cloud security. >> Okay, so shift left and then shield right. You still got to shield right. Is that where network security comes in? Which is not your main focus, but okay. So now it explains... Gartner is an acronym. Now I get it. But the CIEM announcement, cloud infrastructure entitlement management. So you're managing identities. Is that right? Explain that in more detail. 
>> So, yeah, so I mean, as in the on-premise world, but even more exacerbated in the cloud world you have lots and lots of identities, both human identities and service accounts that are accessing cloud services. And a lot of the time the rigor is not there in terms of what permissions those identities are provisioned with. So are they over provisioned? Do they have lots of rights that they should not have? Are they able... Are services able to connect to resources that they should not be able to connect to? All of that falls under the entitlement management, the identity entitlement management part. And that's where CIEM comes in. So what we said is, we have a great identity security story for on-premise, right? And now we are applying that to understand identities, the entitlements they have, secrets that are lying around, maybe leaked, or just, available for adversaries to exploit in the cloud security world. So taking all of that into account and giving you... Giving customers a snapshot view of one single view to say: these are the identities, these are their permissions, this is where you can trim them down because these are the dependencies that are present across services. And you see something that's not right from a dependency perspective, you can say, okay, this connection doesn't make sense. There's something malicious going on here. So there's a lot that you can do by having that scope of identities. Be very narrowed down. It's a first step in the zero trust journey for the cloud infrastructure. >> So I have to ask you when you now extend this conversation to the edge, and operations technology. Traditionally the infrastructure has been air gapped by, you know, brute force air gap. Don't worry about it. And maybe hasn't had to worry so much about the hygiene. So now as you... as the business drives and forces essentially digital connect... Digital transformation and connectivity >> Connectivity. Yeah. >> I mean, wow, that's a playground for the hackers. 
>> You absolutely nailed it. So most of this infrastructure was not designed with security in mind, unfortunately, right? As you said, most of it was air-gapped, disconnected. And now everything is getting to be connected because the updates are being pushed rapidly, changes are happening. So, and that really, in some sense has changed the environment in which these devices are operating. The operational technology, industrial control. We had the Colonial Pipeline breach last year. And that really opened people's eyes like, Hey, nation state adversaries are going to come after critical infrastructure. And that can... That is going to cause impact directly to the end users, to the citizens. So we have to protect this infrastructure. And that's why we announced Discover for IoT as a new module that looks at and understands all the IoT and industrial control systems assets. >> So that didn't require an architectural change though. Right? That was a capability that you introduced with partners. Right? Am I right about that? You don't have to re-architect anything. It's just... Your architecture fits perfectly into those scenarios. >> Absolutely, absolutely. Yeah, yeah, yeah. You actually... While the pace of change is there, architectural change is almost very difficult, because these are very large systems. They are built up over time. It take an industrial control system. The tracing speed is very different from a laptop. So yeah, you can't impose any architectural change. It has to be seamless from what the customers have. >> You were talking, I want to go back to CNAPP. You were talking about protecting the run time. You can do that with an agent. You had said agent... In your keynote. Agentless solutions don't give you runtime security protection. Can you double click on that and just elaborate? >> Yeah, absolutely. 
So what agentless solutions today are doing, they're essentially tapping into APIs from AWS or Azure CloudTrail, for example, and looking at misconfigurations. So that is indeed a challenge. So that is one part of the story, but that only gives you a partial view. Let's say that an attacker attacks and uses an existing credential, a legitimate credential, to access one of the cloud services. And from there they escalate the privileges and then now start branching off the, the CSP, and the agentless-only solutions will not catch that. Right? So what you need is you, you need this agentless part but you have to couple that with seeing the activity that's actually happening, the living off the land attacks that cannot be caught by the CSP end-piece. So you need a combination of agentless and agent runtime to give that overall protection. >> What's the indicator of attack for a hacker that's living off the land, meaning using your own tools against you. >> That's right. So the indicators of attack are saying accessing services, for example, that are not normally accessed or escalating privileges. So you come in as a normal user, but then suddenly you have admin privileges because you have escalated those privileges, or you are moving laterally very rapidly from one place to another, or spraying across a lot of services in order to do reconnaissance and understand what is out there. So it's almost like looking for what is an abnormal attack path, abnormal behavior compared to what is normal and the good part is cloud. There's a lot that is normal, right? It's fairly constrained. It's not like an end user who is downloading stuff from the internet. And like doing all sorts of things. Cloud services are fairly constrained, so you can profile and you can figure out where there is a drift from the normal. And that's really the indicator of attack. In some sense, from cloud services >> In a previous life I want to change subjects. In a previous life. 
I spent a lot of time with CIOs. Helping them look at their application portfolio, understanding what to rationalize, what to get rid of, what to invest in, you know, bringing in new projects, cause you know, it's just you never throw stuff away in IT. >> There is no obsolescence. >> Right. So, but they wanted to... Anytime you go through these rationalization exercises change management is everything. And one of the hardest things to do was to map and understand the business impact of all the dependencies across the portfolio. Cause when application A needs this dataset. If you retire it, you're going to... It has ripple effects. And you talked about that in a security context today when you were talking about the asset graph and the threat graphs giving you the ability to understand those dependencies. Can you add some color to that? >> Absolutely. Absolutely. So what we've done with the asset graph: it's a fundamental piece of technology that we've been building now for some time that complements the threat graph. And the asset graph looks at: Assets, identities, applications, and configuration. All of those aspects. And the interconnections between them. So if a user is accessing an application on a server, all those, and in what role, all of that relationship is tied together in the asset graph. So what that does now is, it gives you an ability to say this application connects to this application. And that's the dependency on that port, for example. So you can now build up a dependency map and then the threat graph, what it does, it looks at the continuous activity that's happening. So if you now take the events that are coming into the threat graph and the graphical representation of those, combine it with the asset graph, you get that full dependency map. And now you can start doing that impact analysis that you talked about. Which is... It's an unsolved problem, right? 
And that's why security as I said in my keynote is most people do not have their security tools enabled to the highest level or they don't have full coverage just because the pace of change is so rapid. They cannot keep up with it. So we want to enable change management, at a rapid pace where businesses and customers can say; we are confident about the change management, about the change we are going to implement. Because we know what the potential impact would be. We can validate, test it in a smaller subset and then roll it out quickly. And that's the journey we are on. Sort of the theme of my talk was to make IT and security friends again. >> Right, you talked about that gap and bringing those two together. You also had a great quote in there; 'The pace of change and securities is insane.' And so this assets graph capability, dependencies and the threat graph, help you manage that accelerating pace of change. Before I forget, I want to ask you about your interview with Girls Who Code. What was that like? Who'd you interview? I unfortunately couldn't see it. I apologize. >> Yeah, fantastic. So, Reshma Saujani she heads Girls Who Code and she first off had a very very powerful talk just from her own own experiences. And essentially, like, what do we need to do to get more women into computer science first, but then within that, into cybersecurity. and what all have they done with Girls Who Code. So very, I mean, we were very touched at the audience was like super into her talk. And then I had a chance to chat with her for a few minutes, ask her a few questions. Just my view was more like, okay. What can we do together? What can CrowdStrike do in our position, in to attract more women? We've done a lot in terms of tailoring our job descriptions to make sure it's more... Remove the biases. Tuning the interview processes to be more welcoming and Reshma gave an example saying; 'Hey, many of these interviews, they start with a baseball discussion.' 
And I mean, some women may maybe interested in it but may not all maybe. And so is that the right? Is it a gender kind-of affirming or gender neutral kind-of discussion or do you want to have other topics? So a lot of that is about training the interviewers because most of the interviewers are men, unfortunately. That's the mix we have. And it was a great discussion. I mean, just like very practical. She's very much focused on increasing the number of people and increasing the pipeline which is honestly the biggest problem. Because if we have a lot of candidates we would definitely hire them and essentially improve the diversity. And we've done a great job with our intern program, for example, which has helped significantly improve the diversity on our workforce. >> And, but the gap keeps getting bigger in terms of unfulfilled jobs. That leads me to developers as a constituency. Because you guys are building the security cloud. You're on a mission to do that. And to me, if you have a security cloud, it's got to be programmable. You're going to have developers there. You don't... From what I can tell you have a specific developer platform, but it's organic. It's sort of happening out there. What's the strategy around, I mean, the developer today is so critical in terms of implementing a lot of security strategy and putting it into action. They've got to secure the run time. They got to worry about the APIs. They got to secure the PaaS. They got to secure the containers. Right, and so what's your developer strategy. >> Yeah, so within cloud security, enabling developers to implement DevSecOps as a as a philosophy, as a strategy, is critical. And so we, we have a lot of offerings there on the shift-left side, for example, you talked about securing containers. So we have container image assessment where we plug in into the container repositories to check for vulnerabilities and bad configuration in the container images. 
We then complement that with the runtime side where our agent can protect the container from runtime violations, from breakouts, for example. So it's a combination. It's a full spectrum, right? From the developer building an application, all the way to the end. Second I'd say is, we are very much an API-first company. So all of the things that you can do from a user interface perspective, you can do from APIs. What that has enabled is a bunch of partners, a rich partner ecosystem that is building using those APIs. So the developers within our partners are leveraging those APIs to build very cool applications. And the manifestation of that is CrowdStrike store where essentially we have, as Josh mentioned in his keynote, we have an agent cloud architecture that is very rich. And we said, okay, why can't we open that up for partners to enable them to leverage that architecture for their scenarios? So we have a lot of applications that are built on the CrowdStrike store, leveraging our platform, right. Areas that we are not in, for example. >> And here, describe it. Is there a PaaS layer that's purpose-built for CrowdStrike so that developers can build applications? >> That's a great question. So I'll say that we have the beginnings of a PaaS layer. We definitely talked about CrowdStrike store as being PaaS for cybersecurity but there's a lot more to do. And we are in the process of building up an application platform so that customers can build the applications for their SOC workflow or IT workflow and Falcon Fusion is a key part of that. So Falcon Fusion is our automation platform built right into the security cloud. And what that enables customers to do is to define... Encode their business process the way they want and leverage the platform the way they want. >> It seems like a logical next step. Because you're going to enable a consistent experience across the board. And fulfill your promise, your brand promise, and the capabilities that you bring. 
And this ecosystem will explode once you announce that. >> And that's the notion we talk about of being the Salesforce of security. >> Right, right. Yeah. That's the next step. Amol, thank you so much. I got to run and wrap. We really appreciate you coming on theCUBE. >> Thank you very much. >> Congratulations on your keynote and all the success and great event. >> Appreciate it. Thank you very much for the time and great chatting with you. >> You're very welcome. All right, keep it right there. We'll be back very shortly to wrap up from Fal.Con 2022. This is Dave Vellante for theCUBE. (soft electronic music)
Shawn Henry, CrowdStrike | CrowdStrike Fal.Con 2022
>>All right, we're back. We're wrapping up day two at Fal.Con 22 from the ARIA in Las Vegas, CrowdStrike CrowdStrike. The action is crazy. Second day of keynotes. Shawn Henry is back. He's the chief security officer at CrowdStrike. He did a keynote today. Shawn, good to see you. Thanks for coming back. >>Good to see you, Dave. Thanks for having me. >>So, unfortunately, I wasn't able to see your keynote cuz I had to come do cube interviews. You interviewed Kemba Walden from, from, you know, White House, right? >>National cyber security director. >>We're gonna talk about that. We're gonna talk about Overwatch, your threat hunting report. I want to share the results with our audience, but start with your, well actually start with the event. We're now in day two, you've had a good chance to talk to customers and partners. What are, what are your observations? >>Yeah, it's, first of all, it's been an amazing event, over 2200 attendees here. It's really taking top three floors at the ARIA hotel and we've got partners and customers, employees, and to see the excitement and the level of collaboration here is absolutely phenomenal. All these different organizations that are each have a piece of cyber security to see them coming together, all in support of how do you stop breaches? How do you work together to do it? It's really been absolutely phenomenal. >>You're gonna love the collaboration. We kind of talked about this on our earlier segment is the industry has to do a better job and has been doing a better job. You know, I think you and Kevin laid that out pretty well. So tell me about the interview with the fireside chat with Kemba. What was that like? What topics came up? >>Yeah. Kemba is the principal deputy national cyber security advisor. She's been there for just four months. She spent over 10 years at DHS, but she most recently came from the private sector in cybersecurity. 
So she's got that, the experience as a private sector expert, as well as a public sector expert and to see her come together in that position. It was great. We talked a lot about some of the strategies the White House is looking to put forth in their new cybersecurity strategy. There was recently an executive order, right? That the, the president put forth that talks about a lot of the things that we're doing here. So for example, the executive order talks about a lot of the legacy type of capabilities being put to pasture and about the government embracing cloud, embracing threat hunting, embracing EDR, embracing zero trust and identity protection. Those are all the things that the private sector has been moving towards over the last year or two. That's what this is all about here. But to see the White House put that out, that all government agencies will now be embracing that I think it puts them on a much surer footing and it allows the government to be able to identify vulnerabilities before they get exploited. It allows them to much more quickly identify, have visibility and respond to, to threats. So the government in infrastructure will be safer. And it was really nice to hear her talk about that and about how the private sector can work with the government. >>So you know how this works, you know, having been in the bureau. But so it's the, these executive orders. A lot of times people think, oh, it's just symbolic. And there are a couple of aspects of it. One is President Biden really impressed upon the private sector to, you know, amp it up to, to really focus and do a better job. But also as you pointed out that executive order can adjudicate what government agencies must do must prioritize. So it's more than symbolic. It's actually taking action. Isn't it? >>Yeah. I, I, I think it, I think it's both. 
I think it's important for the government to lead in this area because while a, a large portion of infrastructure, major companies, they understand this, there is still a whole section of private sector organizations that don't understand this and to see the White House roll it out. I think that's good leadership and that is symbolic. But then to your second point to mandate that government agencies do this, it really pushes those. That might be a bit reluctant. It pushes them forward. And I think this is the, the, the type of action that as it starts to roll out and people become more comfortable and they start to see the successes. They understand that they're becoming safer, that they're reducing risk. It really is kind of a self-fulfilling prophecy and we see things become much safer. >>Did, did you guys talk about Ukraine? Was that, was that off limits or did that come up at all? >>It wasn't, it wasn't off limits, but we didn't talk about it because there are so many other things we were discussing. We were talking about this, the cyber security workforce, for example, and the huge gap in the number of people who have the expertise, the capability and the, and the opportunities to them to come into cyber security technology broadly, but then cyber security as a sub sub component of that. And some of the programs, they just had a big cyber workforce strategy. They invited a lot of people from the private sector to have this conversation about how do you focus on STEM? How do you get younger people? How do you get women involved? So getting maybe perhaps to the untapped individuals that would step forward and be an important stop gap and an important component to this dearth of talent and it's absolutely needed. So that was, was one thing. There were a number of other things. Yeah. >>So I mean, pre-pandemic, I thought the number was 350,000 open cybersecurity jobs. I heard a number yesterday just in the US. And you might have even told me this 7, 7 50. 
So it's doubled in just pre to post isolation economy. I don't know what the stats are, but too big. Well, as a, as a CSO, how much can automation do to, to close that gap? You know, we were talking earlier on the cube about, you gotta keep the humans in the loop, you, you, the, the, the, the Nirvana of the machines will just take care of everything is just probably not gonna happen anytime in the near term, even midterm or long term, but, but, but how can automation play and help close that gap? >>So the, the automation piece is, is what allows this to scale. You know, if we had one company with a hundred endpoints and we had a couple of folks there, you could do it with humans. A lot of it when you're talking about hundreds of millions of endpoints spread around the globe, you're talking about literally trillions of events every week that are being identified, evaluated and determined whether they're malicious or not. You have to have automation and to have using the cloud, using AI, using machine learning, to sort through, and really look for the malicious needle in a stack of needles. So you've gotta get that fidelity, that fine tune review. And you can only do that with automation. What you gotta remember, Dave, is that there's a human being at the end of every one of these attacks. So we've got the bad guys, have humans there, they're using the technology to scale. We're using the technology to scale to detect them. But then when you get down to the really malicious activity, having human beings involved is gonna take it to another level and allow you to eradicate the adversaries from the environment. >>Okay. So they'll use machines to knock on the door when that door gets opened and they're in, and they're saying, okay, where do we go from here? And they're directing strategy. Absolutely. I, I spent, I think gave me a sta I, I wonder if I wrote it down correctly, 2 trillion events per day. Yeah. That you guys see is that I write that down. Right? >>You did. 
It changes just like the number of jobs. It changes when I started talking about this just a, a year and a half ago, it was a billion a day. And when you look at how it's multiplied exponentially, and that will continue because of the number of applications, because of the number of devices as that gets bigger, the number of events gets bigger. And that's one of the problems that we have here is the spread of the network. The vulnerability, the environment is getting bigger and bigger and bigger as it gets bigger, more opportunities for bad guys to exploit vulnerabilities. >>Yeah. And we, we were talking earlier about IoT and extending, you know, that, that threat surface as well, talk about the Overwatch threat hunting report. What is that? How, how often have you run it? And I'd love to get into some of the results. Yeah. >>So Overwatch is a service that we offer where we have 24 by seven threat hunters that are operating in our customer environments. They're hunting, looking for, looking for malicious activity, malicious behavior. And to the point you just made earlier, where we use automation to sort out and filter what is clearly bad. When an adversary does get what we call fingers on the keyboard. So they're in the box and now a human being, they get a hit on their automated attack. They get a hit that, Hey, we're in, it's kind of the equivalent of looking at the bobber while you're fishing. Yeah. When you see the bobber move, then the fisherman jumps up from his nap and starts to reel it in similar. They jump on the keyboard fingers on the keyboard. Our Overwatch team is detecting them very, very quickly. So we found 77,000 potential intrusions this past year in 2021, up to the end of June one, one every seven minutes from those detections. >>When we saw these detections, we were able to identify unusual adversary behavior that we'd not necessarily seen before we call it indicators of attack. What does that mean? 
It means we're seeing an adversary, taking a new action, using a new tactic. Our Overwatch team can take that from watching it to human beings. They take it, they give it to our, our engineering team and they can write detections, which now become automated, right? So you have, you have all the automation that filters out all the bad stuff. One gets through a bad guy, jumps up, he's on the keyboard. And now he's starting to execute commands on the system. Our team sees that pulls those commands out. They're unusual. We've not seen 'em before we give it to our engineering team. They write detections that now all become automated. So because of that, we stopped over with the 77,000 attacks that we identified. We stopped over a million new attacks that would've come in and exploited a network. So it really is kind of a big circle where you've got human beings and intelligence and technology, all working together to make the system smarter, to make the people smarter and make the customers safer. >>And you're seeing new IOAs pop up all the time, and you're able to identify those and, and codify 'em. Now you've announced at re:Inforce, I, I, in July in Boston, you announced the threat hunting service, which is also, I think, part of your you're the president as well of that services division, right? So how's that going? What, what's happening there? >>What we announced. So we've the Overwatch team has been involved working in customer environments and working on the back end in our cloud for many years. What we've announced is this cloud hunting, where, because of the adoption of the cloud and the movement to the cloud of so many organizations, they're pushing data to the cloud, but we're seeing adversaries really ramp up their attacks against the cloud. 
So we're hunting in Google Cloud, in Microsoft Azure cloud, in AWS, looking for anomalous behavior, very similar to what we do in customer environments, looking for anomalous behavior, looking for credential exploitation, looking for lateral movement. And we are having a great success there because as that target space increases, there's a much greater need for customers to ensure that it's protected. So >>The cloud obviously is very secure. You got some of the best experts in the planet inside of hyperscale companies. So, and whether it's physical security or logical security, they're obviously, you know, doing a good job is the weakness, the seams between where the cloud provider leaves off and the customer has to take over that shared responsibility model, you know, misconfiguring an S3 bucket is the, you know, the common one, but I'm so there like a zillion others, where's that weakness. Yeah. >>That, that's exactly right. We see, we see oftentimes the IT piece enabling the cloud piece and there's a connectivity there, and there is a seam there. Sometimes we also see misconfiguration, and these are some of the things that our, our cloud hunters will find. They'll identify again, the equivalent of, of walking down the hallway and seeing a door that's unlocked, making sure it's locked before it gets exploited. So they may see active exploitation, which they're negating, but they also are able to help identify vulnerabilities prior to them getting exploited. And, you know, the ability for organizations to successfully manage their infrastructure is a really critical part of this. It's not always malicious actors. It's identifying where the infrastructure can be shored up, make it more resilient so that you can prevent some of these attacks from happening. I >>Heard, heard this week earlier, something I hadn't heard before, but it makes a lot of sense, you know, Patch Tuesday means hack Wednesday.
And, and so I, I presume that the, the companies releasing patches is like a signal to the bad guys that Hey, you know, free for all go because people aren't necessarily gonna patch. And then the SolarWinds customers are now circumspect about patches. The very patches that are supposed to protect us with the SolarWinds hack were the cause of the malware getting in and, you know, reforming, et cetera. So that's a complicated equation. Yeah. >>It, it certainly is a couple, couple parts there to unwind. First, when you, you think about Patch Tuesday, there are adversaries often, not always that are already exploiting some of those vulnerabilities in the wild. So it's a zero day. It's not yet been patched in some cases hasn't yet been identified. So you've got people who are actively exploiting it. We've found zero days in the course of our threat hunting. We report them in a, in a, in a responsible way. We've gone to Microsoft. We've told them a couple times in the last few months that we found a zero day and give them an opportunity to patch that before anybody goes public with it, because absolutely right when it does go public, those that didn't know about it before recognize that there will be millions of devices depending on the, the vulnerability that are out there and exploitable. And they will absolutely, it will tell everybody that you can now go to this particular place. And there's an opportunity to gain access, to exploit privileges, depending on the criticality of the patch. >>I, I don't, I, I don't, I'm sorry to generalize, but I wanna ask you about the hacker mindset. Let's say that what you just described a narrow set of hackers knows that there's an unpatched, you know, vulnerability, and they're making money off of that. Will they keep that to themselves? Will they share that with other folks in the net? Will they sell that information? Or is it, is it one of those? It depends. It, >>I was just gonna say, it depends you, you beat me to it.
It absolutely depends. All of, all of the above would be the answer. We certainly see organ now a nation state for example, would absolutely keep that to themselves. Yeah. Right. Their goal is very different from an organized crime group, which might sell access. And we see them all the time in the underground selling access. That's how they make money nation states. They want to keep a zero day to themselves. It's something they're able to exploit in some cases for months or years, that that, that vulnerability goes undetected. But a nation state is aware of it and exploiting it. It's a, it's a dangerous game. And it just, I think, exemplifies the importance of ensuring that you're doing everything you can to patch in a timely manner. Well, >>Shawn, we appreciate the work that you've done in your previous role and continuing to advance education, knowledge and protection in our industry. Thank you for coming on >>You. Thank you for having me. This is a fantastic event. Really appreciate you being here and helping to educate folks. Yeah. >>You guys do do a great job. Awesome. Set that you built and look forward to future events with you guys. My >>Friends. Thanks so much, Dave. Yeah. Thank >>You. Bye now. All right. Appreciate it. All right, keep it right there. We're gonna wrap up in a moment. Live from Fal.Con 22. You're watching theCUBE.
Michael Sentonas, CrowdStrike | CrowdStrike Fal.Con 2022
>>Okay. We're back at the Aria in Las Vegas, Fal.Con 22. You're watching theCUBE. My name is Dave Vellante. Michael Sentonas is here. He's the chief technology officer at CrowdStrike. Michael. Good to see you. Thanks. Thanks >>For >>Having me. Yeah. So this is your first time I think, on theCUBE. It is, and, and it's really a pleasure. I've been following you, watching you very closely. You're, you know, quite prominent and, and, you know, very articulate. I loved your keynote talking about what is XDR. I think you guys are gonna do really well in that space, cuz you've got clarity of vision and execution. Talk about some of the announcements that you made this week, particularly interested in, in Insight XDR. What's that all about? >>Yeah. So I've been talking about XDR for a while and trying to help push the right narrative. There's a lot of marketing in the industry with XDR. So we've been talking a lot about what it, what it means that the benefit that it provides from a technology perspective, what you need in the architecture. So we firmly believe it's a philosophy and we build all of our technology to work together, but it's bringing in third parties. And that was really a lot of the, the announcements. My keynote was to show everybody the work that we've been doing to bring in data from Zscaler and Proofpoint. And we talked about bringing in data from a whole range of different vendors, firewall vendors, and we've been doing XDR use cases for a long time. So a big part of our strategy is to make security easy. And we've been doing a lot of XDR use cases with our Falcon Insight module. So the announcement that I made was to relaunch Falcon Insight as Insight XDR and it means all of our close to 20,000 customers have access to the product. >>So that gets bundled right in it's like SaaS automatically part of the portfolio >>Log off on Friday, come back on Monday and you're good to go.
>>And then, and you, you just, you just called out Zscaler and Proofpoint you, I think you also mentioned Palo Alto Networks, Cisco, Fortinet as well. You're pulling in telemetry from, yeah, >>We've got a, we got a long map of, of people that we're integrating with. We talked about Cisco, we talked about ForgeRock and Fortinet, we announced that we're gonna be pulling in telemetry from, from Palo and a range of other vendors, Microsoft and others. And that's what XDR is about. It's about first party and third party integration and making all of the telemetry work together. >>I was talking to George about this yesterday is I think there's a lot of confusion. Sometimes when you have the dogma of cloud native, you know, Snowflake, same thing, no, we're not doing on-prem. This is hybrid. People think that that you're excluding on-prem data, but you're not, you can ingest on-prem data, right? >>We absolutely are not excluding on-prem. We will support and, and secure every workload, whether it's on-prem or in the cloud, whether it's connected to the internet or offline, a lot of the, the indicators of attack and the, and the detection techniques that we have are on the sensor itself. So you don't have to be connected anywhere for that capability to work. You get the benefit when you connect to the cloud of the additional visibility, the additional protection, but the core capabilities on the sensor that we have >>Given that you guys started 11 years ago, plus two days now, and you had that dogma cloud cloud, first cloud cloud, only Nate cloud native. Was there ever a point where you're like, you know, boy, we might be missing some of the market, you know? And, and you, you, you held true to your principles. Two part question. Did you ever question that and by focusing all your resources on cloud, what, what has that given you? >>It's there's been a laser focus on having a, a native cloud platform. It's easy to say cloud native.
And if you look at a lot of the vendors in the industry today, if you are a, a customer and you ask them, Hey, can you gimme an on-premise product? I'm not gonna buy your product. They've got an on premise product. The problem is when you have two different versions, you end up having compromise. You have to manage two code bases, impact to your engineering team. Their features are different customers. Ultimately are the ones that miss out because if I have the on-prem version or if the cloud version, I may not get the same capability for us, it's been very clear. It's been a laser focus to be a cloud and cloud only from day one. >>You've renamed Humio. I gotta stop using Humio. I guess it's now called LogScale, Falcon Complete LogScale. You're bringing together security and observability. Although you're not doing the full spectrum of observability, you're just sort of focusing on, you know, part of it. Can you explain that? >>Yeah. So first of all, we did rebrand and bring the Humio brand closer to CrowdStrike by renaming it Falcon LogScale. And just to be clear, it's not just the rebranding of the name. We've been spending a lot of time. We made that acquisition in March of, of last year, and we've been doing a lot of work on the technology. We built out long, the Falcon long term retention. We built a whole bunch of capability into the product. So now was the right time to rebrand it as Falcon LogScale. And at the same time, we also announced Falcon Complete LogScale. And it's part of the Complete franchise. And that's where customers can get the value and the benefit of LogScale, but they don't have to set it up. They don't have to manage it. They leave that to us. >>So you get pretty much involved in, in the, the M&A activity. You talked on stage yesterday about Reposify and, and what's going on there. You guys got, obviously gotta, still do that. You, but you made investments this week.
You announced investments in Salt Security, the API specialist, and, and also Vanta compliance automation. What's the thinking behind that, you know, explain actually the fund that you guys are sprinkling around as a strategic investor and why those companies. Yeah. >>So there's two, two parts that, that I'm involved in on that part of my team. One is the M&A team. And one is the Falcon Fund side of the business. Obviously two very different things. The, the M&A part of CrowdStrike, we're always looking to see for every technology space that we want to get into, you know, what is the best option build, buy or partner? Sometimes it's build, sometimes it's a, it's a hybrid approach of build and partner. Other times we go down the path of M&A, and I was super excited about Reposify, great company, great technology. And as you said, we made announcements to we're investing as part of the fund into, into Vanta and Salt. We, we, we are very blessed. We're very fortunate to have achieved a lot of success in a short period of time. And we think we've got an opportunity to help fledgling companies to help them guide through the process of setting up the company, helping them with engineering principles and guidelines, helping them with the go to market perspective. So the fund is really about that. It's finding the next cybersecurity company working closely together, and it's been a huge success. You had Vanta and Salt on earlier, and there's so much excitement about what they do. >>Yeah. I mean, it's clear, clear, complement to what you guys are doing. I want to ask you about your lightweight agent. There, there are other firms that say they have a lightweight agent too. You know, what, what makes your lightweight agent so different? So special? >>Yeah. I've never seen a PowerPoint presentation. That's wrong. It's very easy to, to say your lightweight agent is, is, you know, super lightweight. And many times when you look at them, they're, they're not lightweight.
They take a lot of effort to install. They need reboots. If you've got security, that's part of the operating system. If you've got security that requires to reboot, you can't go to a bank and say, Hey, you've got a hundred thousand machines. We're gonna install all of this technology, but you've gotta reboot it once, twice, three times. So what ends up happening is you see deployment cycles that go on for 12 months. I've spoken to organizations here this week that said we had budgeted to roll out your product in 18 months because of what we experienced in the past. And we did it in seven weeks. That's a lightweight agent with no reboot. And then you look at the updates. You look at the CPU resource utilization. So again, very easy to say lightweight. I haven't seen anything like what we've built at CrowdStrike. >>How do you keep an agent lightweight when you're both acquiring in companies and adding modules? I think you're, you're over 20 modules now. How, how is it that the, the agent can remain so lightweight? >>So we spent a lot of time building out the agent cloud architecture that we have, the, the concept of our agent is very different. It's not collecting data, storing it, trying to sell, send it up. We have a smart agent with smart filtering built in. So we're very careful in terms of the data that we collect, but think of the aperture on a camera. You know, if you wanna let more light in you, you widen the aperture. It's the same as our, our agent. If we wanna bring in more telemetry, we, we widen that aperture. So we're very efficient on the network. And we collect data. When machine process runs, we collect that telemetry. We use it in different ways, but we collect once and reuse it many times. So it's the same agent for NextGen AV for EDR, for our Spotlight vulnerability management module. And when we're looking at M&A, so coming back to your, your question, we will look at technology.
And if we can't bring that technology and incorporate it into the agent that we already have, we won't acquire it. Worst thing in security is complexity. When you give an organization, 1, 2, 3, 5 plus agents, and then they have 3, 4, 5 plus management consoles. It's too hard when they're under attack. >>Well, it's like my, my business partner co-host John Furrier says is that as an industry, we tend to solve complexity with more complexity. And it's, that's problematic. Can you talk about your, your threat graph? Like, what is that? Is it a, is it a graph database? Is it a purpose built? Is it a time series, database, a combination? What, what is >>That? Yeah, it is a graph database. When we, when, when the company was started, obviously the vision was to crowdsource telemetry from so many machines from millions of devices around the world. And the thesis at the time was as that capability scales out, there's nothing commercially available that will be able to ingest all of that data. And today we are processing over 7 trillion events every single week. We, we can't go and get something off the shelf. So we've had to build the, the technology from the ground up. That's the first part. Secondly, there is a temporal element to this. There's a time element. And we, we have an ontology built where we track the relationship between all the telemetry that we get. The reason why I believe we stand alone in EDR is because of that time element, the relationship that we have, and we just have so much context that makes it easy for the threat hunter speed and, and ease of use is critical in cyber. >>So you see in data in the database world, everything's kind of converging with all this function, you know, 11 years ago, these were pretty rudimentary. I shouldn't say rudimentary, but immature markets they've come a long way.
If you had to start, if, if those capabilities that are there today with graph databases and time series databases were available in, in 2010, would you have used off the shelf technology, or would you have still developed your >>Own? We would've done the same thing that we've done today. >>And, and why can you explain what that, what that is it a performance thing? Is it just control? >>Yeah, look, it, it, it's everything that I talked about before, the, the benefit that you get from the approach that we've taken and the scalability that the requirements that we need, we still today, there's nothing that we can, we can go and get off the shelf that can scale and give us the performance that we need that can give us the ability to, to have that relationship data, the ontology of, of what we have in the platform and the way that we interoperate with all of the different modules that just wouldn't exist. We wouldn't have that capability. And what you'd find is we'd be pretty much the same as every other vendor where they have on-prem solutions, they have hybrid hosted solutions. And when you have those trade offs, you see it in the product. >>Yeah. So the, the point is you're very focused on the purpose of your, your proprietary technology. You're not trying to serve the all things to all people. You used the term yesterday in your keynote, which it, it caught my attention. You used the term ground truth, and it has very specific meaning. Can you explain what you meant by what is ground truth, you know, in the world? And what, what, what does it mean to CrowdStrike? Yeah, >>I was talking about ground truth as it relates to the acquisition of Reposify and the big thing for us, we wanted to bring additional capability to the platform, to give our customers external and internal visibility of all their assets and all their vulnerabilities. What's important with us, with our agent is today, we give you a single source of truth.
When we put that agent onto a device, we tell you everything about the hardware. We tell you everything about who's logged in. We tell you everything about the applications that are running the relationships between the, of the device and the application. We're not a CMDB. We feed CMDB with information that is instant, that is live. And when we look at Reposify, it broadens again, I'll use the same word. It broadens the aperture. It gives us more visibility around what's going on. So we're, we're super excited about that because having information about all of your assets, all of your users, the applications they use, whether they're vulnerable, how you need to protect them, having it at your fingertips, it's a game changer >>Contract, can CrowdStrike be a generational company. And what do you have to do to ensure that that outcome occurs? We, >>We, I think we absolutely are. And, and we're we're path paving a path to, you know, really continuing to build out that platform. I said, in my keynote that I think we're at an early innings. I, if you buy, for example, as a customer, our Insight module, cuz you wanna start with EDR, you've got 21 modules to go yesterday. Today we, we talked about Discover 2.0, we talked about Discover for IoT. I talked about the, the Reposify acquisition, a whole range of technology built on that single cloud agent architecture. And we've heard the success stories here this week from customers that have just gotten so much benefit. They've rolled out one agent and they've turned off eight or nine from other security vendors. So absolutely we can be a generational company with what we're doing. What >>Are the blockers to customers turning on those additional modules? Cause not, not all customers are using our modules. Is it that they've made an investment in an alternative technology and they're sort of hugging onto it or are there other technical blockers? Yes. >>It many times it's the investment, right?
So if you've made a, an investment in the company, you've got a year to go, you might wanna sweat that asset. But typically what we find is the benefit that we have. It's a very simple conversation. If we can give people a cost and a technology benefit, they're gonna make the transition to move. There's so many technical benefits. We talked about the single agent, but the actual features of the modules themselves. But the big thing for us is we've done over 4,700 business value assessments where we sit down with an organization and we look at what they have. We look at what their spend is. We look at their FTEs, we look at the security outcomes that they get. And then we come out with a model that shows them technology and business value. And that's what really drives them to make the switch. >>So the business value in that BVA is not just a, a reduction in expected loss. That's part of it, better security you're gonna, you know, be, be, be lower your risk. But you're saying it's also the labor associated with that. Yeah, >>Absolutely. It's it's how do you operationalize the solution? How many people do you need? How long does it take you to respond? You know, how do you interact with third parties with your suppliers is taking in all of that data. We've spent a long time building out that model and it's, it's proving to be very successful customers. Love it. Is >>That, is that sort of novel ROI thinking in the security business or I'm trying to think of, I mean, I know for years I would watch Art Coviello stand up at RSA and tell us how, how this year's worse than last year. And so, but, but, but I never really heard, you know, a strong business case that would resonate with the, with the P and L manager, other than, you know, we gotta do this or we're gonna get hacked and you're gonna be screwed. Is that new thinking? Or am I, did I just miss it? >>I don't know if I wanna size new thinking.
I think what happened, what changed was 10, 15 years ago at a conference you'd stand up and everybody would tell you ransomware's up and phishing is up. And at the end of it, people are trying to work out. Is that good? Or is that bad? It went up 20% based off what that doesn't work anymore. Everyone, you know, got tired of that. And a few of us have been doing it for a while. I I'm, I'm sort of two and a half decades into this. And if you, if you try to use that model of scaring people, they switch off, they want to understand the benefit. You know, the brake in the car is so you can go and stop safely when you need it. And I look at security the same way we want to accelerate the company. We want to help companies do their job, but security is there to make sure they don't get into trouble. >>Yeah. It's like having two security guards by your side, right? I mean, they're gonna help you get through the crowd and move forward. So Michael, thanks so much for coming to theCUBE. Thanks for having me your time. You're you're very welcome. All right. Keep it right there. After this short break, Dave Vellante will be back with theCUBE live coverage from Fal.Con 22 at the Aria in Las Vegas.
Michael Nicosia, Salt Security | CrowdStrike Fal.Con 2022
(upbeat music) (logo crystals tingle) >> Hi, everybody, welcome back to FalCon22, I'm Dave Vellante and you're watching theCube's continuous coverage, this is day two. We live in an API economy, but APIs, you know, they're sometimes vulnerable, Michael Nicosia is here, he's the Chief Operating Officer and co-founder of Salt Security, API Security Specialist, Michael, welcome to theCUBE, thanks for coming on. >> Thank you so much, Dave, glad to be here. >> You're very welcome. Why did you and your co-founder, is it Roy? >> Yeah. >> Why did you guys start Salt Security? >> So really easy, I mean, as you mentioned, the proliferation of APIs constantly is growing on a year to year basis. So in 2015, when he and I met, we had this idea that it was going to continue to grow and APIs were going to be critical to every organization from an innovation perspective, from a safety perspective and we thought that current tools out there couldn't protect against the new threat vector that we thought was going to happen. And, you know, you fast forward to 2022 and here we are, it's the largest growing threat vector from an API perspective because APIs are just growing like crazy. >> Right. Well, let's talk about the news, CrowdStrike made an investment in your company. >> Michael: Yes. >> Congratulations. >> Michael: Thank you. >> Tell us about that, why it's important, and to have a strategic partner like that. >> Yeah, so first of all, we're super thrilled about the partnership, I mean, it's amazing. And not only the partnership, the strategic investment for us just signifies the importance of our two companies in terms of what we want to do in the field together or in the market together. 
So the strategic investment is amazing, the partnership is even more amazing just because it's kind of like, you know, the first in its class from an API security perspective, we've got partners from the cloud providers and then the only other partnerships we really have are with API Management vendors. So this is unique in that it goes outside the security ecosystem to provide this partnership and the nice thing about it is it's exclusive, excuse me, and it just continues to validate the leadership that we have in API security, as well as obviously a leadership that CrowdStrike has. >> Exclusive in the sense that CrowdStrike's not going to invest in another API competitor and you're not going to take investment from an endpoint- >> Michael: Exactly. >> Or something like that. >> Endpoint or, you know, really cloud workload situation. >> Anything within that vastly expanding portfolio. >> Michael: Exactly. >> So pretty much anybody. >> Michael: Exactly. >> Except network security, from what I saw in the keynote yesterday, that's sort of on the table, for now. So, okay, so why should customers care about this? What's the benefit to them? >> Yeah, so if you think about, the security profile of organizations and where they seem to have potential risk, threat vectors, you know, endpoint, you know, Cloud obviously API becomes a bigger threat vector as well. So I think the partnership just solidifies the fact that we want to create a better security profile for organizations and we want to make it safe for them to innovate and continue to do what they do. So I think that's the importance and when you put the two together it just creates a larger value proposition, more stickiness from end point to cloud, to APIs. >> So we have a partner, theCUBE, and in New York City and it's called ETR and they do quarterly surveys of CISOs, CIOs, IT buyers, about 12 to 1500 a quarter. 
And so I was chatting with those guys last week, they knew we were going to be at CrowdStrike and so they ran some data for all the API security vendors and you guys were, you know they had like the Gartner Magic Quadrant but it's not, you know, vision and execution, it's spending momentum and like presence in their survey, it's like market share, mind share. >> Sure. >> You guys were up and to the right, like, way, way, way ahead, I presume that's why you got the attention of CrowdStrike. I found their data set to be incredibly good, that's how we found CrowdStrike years ago, like, "Wow, who's this company?" >> Yeah. >> You know, companies like CrowdStrike, Okta, Zscaler, Snowflake Off The Charts, but you guys were really noticeable. Talk about the spending momentum you're seeing with customers, where's that coming from? >> Yeah, I mean look, for us it's a continuing growing market, it's accelerating and we're still in the, you know, early stages of the market, which is amazing. But if you think about what organizations do, they innovate, right, they innovate through, you know, software, through applications or APIs. So if you think about, you know, how do they continue to innovate safely? They need a solution, like Salt Security to protect from any bad actors that could potentially create any breaches, vulnerabilities. So I think that that's why CISOs in particular are super excited about talking to us, making sure that they have all of their bases covered especially when it comes to applications that they have within their organization, which continues to grow. >> And not to be a methodology geek, but the methodology they use is to essentially say, is a customer spending more or less, they subtract the lesses from the mores and that's what you're left with. And one of the lesses is churn, and if you have high churn, you're spending momentum, >> you know- >> Michael: Yeah. >> In their methodology goes into the tank. 
So you have obviously admitted you have very low churn is that what you're saying in the field? >> Michael: Absolutely. >> Why is that? >> Yeah, I mean, again, I think it's, it goes back to the value that we bring to customers. I think, you know, our solution works, we're the only AI/ML-based solution with deep context so we can really take a closer granular look at the APIs, model those APIs, create a baseline and really protect against them. So I mean, our solution works and it works really well and I think we provide value in that, you know, CISOs don't have to worry about any bad actors trying to infiltrate their applications 'cause they know that Salt Security is there protecting them. >> I know you're not the tech guy but you're the founder, co-founder of a technology company so you got to be conversant in the tech, 'cause this is the way it is in our business, so tell us about the tech, what's so cool about it? What's the differentiation? >> Yeah, I guess, and I mentioned that it's really AI/ML based, you know, we leverage big data and it's really the context associated to that, which means that, you know, we can get into granular details of really baselining the API itself. And what we do really well is, because these are unique attacks and these attacks could be days, weeks, months and we're the only vendor that, that can really correlate across that timeline because of the context-based big data that we leverage to be able to, you know, spot these potential bad actors that we look for. >> And all this happens in the cloud or? >> Absolutely, it's all... >> You have a server in your office? >> No, no, it's all it's a hundred percent SaaS-based, Cloud-based solution, I think that's one of the reasons why the partnership with CrowdStrike is so amazing as well. >> Talk a little bit more about the synergies between CrowdStrike and Salt Security. 
>> Tons of synergies, I mean, if you think about from, you know, from the part of being a little fluffy culture, the two companies have similar cultures, we go after similar you know, first Cloud, innovative companies. If you think about kind of the technology that CrowdStrike has put forth, revolutionized the endpoint security, and now moving into the Cloud, you know, leveraging AI and ML, we're doing the exact same thing so I think there's a lot of synergies associated with that. And again, the final point that I'll make is that you know, we think together the, you know, better together story is, resonates just because if you think about all of the areas that you know have potential breaches, these threats, we kind of cover 'em all with the partnership. >> When I talk to a founding, you know, co-founder, who's a go to market pro, I like to ask them how did you know when to scale? I mean, you got to have product market fit, I see so many companies failing because they try to go to market before they have, they try to scale go to market before they have product market, but how did you do it? How did you know when to scale? >> You know, it's tricky, and you got to look at a couple of, you know, factors, you got to look at the market, you got to look at, you know, how much potential opportunity exists and you really need to look at, the momentum that is being established. You know, when you talk to CISOs, kind of, you know, talking to them about projects and how, how they prioritize projects and where API security fits, you know, once it begins to be the top three and you start that momentum and obviously you bringing in the revenue. I think that those are signs that we see, that we say, "Okay, we need to double down on making sure we've got coverage across the world in order for us to support demand." >> And you were the first sales rep, right? >> Michael: Yeah. >> Okay. >> Roy and I, I was the first AE, he was the first SE. 
>> Okay, but your early go-to market pros are probably different than what you're bringing in today, you didn't have, you know, a lot of BDRs at the time, but you guys were hands on consultants- >> Absolutely. >> Like sort of process consultants, sales folks, right? And then you codify that when you're ready to scale and now you're, is that kind of a, what you're doing? >> Absolutely, I mean, you nailed it, I mean, it's in the early stages, it's validating that there's a problem that exists in the market and how important is that problem, you know, to CISOs. So when we first started we met probably about 50 CISOs where we just had that conversation, not about sales, it was more about, "Hey we just want to talk to you about a problem we think exists in the market, love to get your reaction on that problem and then obviously how you're solving that problem and how much of a priority is that problem," How important is it to you? And then once you have those discussions then you can really find those individuals, early adopters if you will, that are ready to buy and then it kind of proliferates from there. >> And then you have a CRO, I presume, right? So what was that like finding him or her, is a really important first sales hire. >> Super important, yeah. >> How did you go about that? How long did it take? >> Yeah so it took about six to eight months and you know it's really tough because, you know, we look at cultural fit, above everything else. So it's not, that, "Can they do the job?" it's culturally, do they fit in? And you know, how much can that individual scale the organization? So there's a lot of factors associated, there's a lot of individuals associated to, you know with the interview process. So that's how we looked at it and obviously we wanted somebody that had experience in a company our size, was able to scale it and so on. 
The one tricky thing is, and I'll tell you this, is, you know, for Roy and I, you kind of have to let go a little bit, that was really tough, so knowing that you need to do that is something that- >> A little bit of founderitis? >> Michael: Yeah. >> Dave: It's hard, right? >> Michael: It's hard. >> Dave: Yeah, it's your baby. >> It's like, what? >> I get it, Michael, thanks so much for coming to theCUBE, congratulations on the news- >> Thank you Dave. >> The investment and good luck. >> Awesome, thank you so much, appreciate it. >> You're really welcome. All right, keep it right there, we'll be back right after this short break. Dave Vellante for theCUBE at FalCon22, CrowdStrike's big user event, we'll be right back. (cheerful bouncy music)
Rob Picard, Vanta | CrowdStrike Fal.Con 2022
>>Hi, we're back, day two of Fal.Con 2022. We're live from the ARIA in Las Vegas, SiliconANGLE's theCUBE. My name is Dave Vellante and Rob Picard is here. He's the security lead for Vanta, a company that CrowdStrike just made an investment in. Rob, thanks for coming to theCUBE. >>Thank you very much. Happy to be here. >>So that's big news. You know, you got a, a big name, like CrowdStrike, strategic investment. Tell us about that. >>Yeah, it's very exciting because CrowdStrike obviously is, you know, a major name in the security space and Vanta is really leading the way in a lot of the compliance automation, but being able to sort of dip into that, that security space more and more, having CrowdStrike behind us is huge. >>What is compliance automation? Tell us more about what Vanta does. >>Yeah. So Vanta ultimately is a tool that gives you an automatic way to prepare for your SOC 2 audit or your ISO 27001 audit or, you know, insert long list of dozens of standards we're working on here. But in the olden days you would provide a thousand screenshots to an auditor that proves that for the past year, past six months, you've been doing what you say you're doing. Vanta just plugs directly into your systems and provides that evidence to them without the need for all of that. >>Okay. So software as a service and you, yeah. Software, charge monthly or, okay. >>Yeah, something like that. >>Educate me, if I'm cloud first or cloud only, can't I just pull a SOC report off of AWS and send that to the auditors and say, here you go? >>That'll help. Right? Like if you, if you do that, if you're in AWS and you pull their, you know, I think their Security Hub, you can pull some of these controls in. Right. But the question is, what do you do then about your endpoints, right? What do you do about, hey, did we offboard everybody from all of the systems we have enabled, right? All of the SaaS systems we use. 
And so what Vanta does is we integrate with AWS, but we also integrate with every other system you're using, including your HR system and your identity provider, to make sure that, hey, you know, all of these things are, are working in sync to ensure your compliance. >>So you're a relatively new parent, but you ever, you know, the book, If You Give a Mouse a Cookie, you will, you will, the whole thing is you give a mouse a cookie, and then 8 million things happen, all these other dependencies. And it goes around and around and around. Yes. He's gonna want some milk. Okay. I feel like it's the same thing in your world, right? I mean, there is, is, is there an end, when do you know you're done? >>Yeah. I mean, ultimately, you know, you're done when the auditor hands you your SOC 2 report, you know, you have your at stage, you say, hey, I'm SOC 2 compliant. Or, you know, your ISO cert, but even then it's gonna keep going. Right. I think the tricky part is there are some key systems that you, you want to have, you know, your eyes on and you wanna be monitoring and making sure that, hey, in a year from now, when that audit happens, I'm not gonna be surprised at what they find. Right. And those are gonna be your cloud provider. Right. Those are gonna be your HR system telling you when people joined, when people left, and those are gonna be your identity provider and your endpoints, right. >>Are you guys obviously compliance experts? Is, is it really a matter of sort of codifying that expertise? Or is there a machine intelligence component involved, you know, discovery? How does it work? >>That's a great question, actually. And I think part of it is, you know, encoding that expertise in the product and making sure that, you know, there's not necessarily, you know, if you ask any given SOC 2 auditor for like, hey, what controls should I be using that you're gonna audit me against? And it's your job to come up with the control. 
So they'll provide you some, you know, their set, but it's gonna be different between them, right? The standard itself is not a list of controls, but what we can do is we can provide you that list of controls and say like, hey, we've actually worked with a ton of auditors and they've worked with us and we can say, this is what you need to do to get started here. And then if you have custom controls to add later, you want you, you can do that. >>But so there's part of that's encoding the expertise, but then part of it is just understanding the world of, of the auditors enough that we can help guide you through it. Because, you know, like you said, you can go to AWS, you can get download a report, right. That says, look, I have, you know, these SOC 2 controls passed right now, but the question is, you know, you still have to then go hand that to an auditor, have conversations with them, get through all of their questions back to you. And that can get really, really in the weeds. So we have like teams of experts who sit on calls with auditors and customers and help them through this stuff when needed. Right. And hopefully it's not needed as much when you're, you know, automating most of it. >>So that's a, a component of your offering is, is a services capability. Is that part of the offering? Is that a for pay service? >>Yeah. So, you know, you have to talk to the sales team to understand how they bundle it all, but, you know, essentially we have these professional services teams and these partners that jump in, I think a lot of times it really is just, hey, like the auditor asks this question. We don't know how to answer it. We'll send somebody to jump on, >>Let's jump on a call. Exactly. But if you need more intense, you >>Know, work services, then maybe that's available. Yeah. >>Okay. And, and is there a privacy aspect of your software? >>Yeah. So Vanta software does actually also support GDPR and CCPA to kind of help you. 
You know, it's hard to get your head around that stuff. You wanna talk about like encoding expertise, you know, having people inside Vanta who can talk through the product and say like, Hey, this is what we need to test for in a customer's environment. And this is what we need to point to that maybe, you know, you can't automatically test for, but we can give them some template policies or, or procedures for them to have in their company. And we can provide all of that to try to, to help you feel good about, Hey, we're, we're compliant with GDPR or we're compliant with CCPA and we're not gonna have problems here. And, >>And da is data, data sovereignty I presume is, is part of that. Like, >>You know, data sovereignty, man. I'm not the expert on data sovereignty. I'll tell you that. But I know that is definitely a part of that. I don't know, you know, how deep it goes when it comes to, you know, the requirements of any given company. >>Well, it's tricky because a lot of it hasn't been tested in the, in courts of law. That's just sort of guidelines there. Yeah. And then a lot of times you don't, how do you really know where the data is? Right. I mean, you kind of can infer it, but, >>And you can get real clever. You can start encrypting data that sits somewhere here, but you have the keys over here and say, no, no, no, the keys are in the right country. You know, that counts, >>Right. It gets real tricky. It's not really been tested that the logic of that, what are the hard parts of what you guys do and, and, and what makes you different from everybody else out there? >>Yeah. I mean, I think I'd say a couple things are, are really hard about what we do, right. One is maintaining good reputations with auditors because the goal is ultimately that an auditor sees Vanta and they say, okay, Vanta says that checkbox is checked. I don't have to worry about it. And that's where we are with so many auditors today. Right. 
But that wasn't like that in the beginning, in the beginning, it was, you know, hey, we're showing you the code that actually looks and checks that box. Right. But the other hard part is just integrating with the long tail of systems that every customer needs, right? Like if you use a certain HR system and we don't support it, then that's gonna really dampen your value that you get outta the product. So the engineering challenge is maintaining a reliable set of both high quality tests and high quality integrations with these services. >>What are the synergies with, with CrowdStrike kind of, you know, it's, maybe it seems obvious, but explain where you pick up and where they leave off. >>Yeah. I think that's a, that's a great point. So, you know, we have a very, like a very, a very simple agent that will run. If you need something on your laptop that says, hey, look, this laptop, the disk is encrypted, right? The screen lock is set appropriately for my controls, right? So we have some, some basic capabilities, it's based on osquery for, for those interested, but it's not a full-fledged endpoint protection platform. Right. And that's where something like CrowdStrike can come in where we can integrate with them and say, okay, hey, if you're ready to move on to something, that's, that's a little bit more full-fledged and a little bit more of a, you know, gonna protect you against malware and that sort of thing. Then you can move onto CrowdStrike and we can integrate directly with them and we can pull all the information we need and we can check all those boxes for you that say, hey, you have appropriate malware protection, you have disks encrypted, you have whatever it may be. Right. We can pull that information from them. And we can also help you make sure that the people have access to CrowdStrike itself in your company are the right set of people. >>Who do you sell to, do you sell to the audit function within a company? Or do you sell directly to big auditors? Both. 
>>So it's, we're mainly selling to the whoever's responsible for getting that SOC 2, getting that ISO, getting GDPR, you know, all these sorts of things at a company, right? So for a small business, right, a startup that's like two people could >>Be the developer >>Team. Exactly. We're selling either to the founders or developers or something like that. And we're saying, hey, you don't wanna think about this at all. We can get you like 80% of the way there without having to send a single screenshot. And then there's like 20% of like, all right, we'll help you, you know, partner you with the right auditor. That's good for your company and, and get you over the line. But then as we go and we sell to a mid-market company, or, you know, even potentially an enterprise, we're talking to people who have very specific expertise in either security or compliance, who also don't wanna have to do all this manual work. >>And it's a pure SaaS model. It runs in the cloud. How does it work? I just point it at whatever software I want to, to, to, to get, you know, certified? >>That's exactly right. It's, it's pure SaaS. You go to, you know, app.vanta.com. You log in and then you go to the integrations page, right. You're, you're starting fresh. And you say, okay, well, AWS, here's how you integrate AWS. Right? We use their AssumeRole functionality and stuff like that to pull in, you know, read-only data from AWS. And then you can also go to your Okta and you can say, okay, well, I can connect here through Okta, through, you know, an Okta app or I can connect to my Google through an OAuth that has the right permissions. So we try to just limit the amount of permissions we have or the scope of our, our, you know, roles. But really it's just, you know, it's all API based integrations that we then just pull the data we need to prove that you're doing what you say you're doing. >>All right. Well, Rob, congratulations on the funding and the activity here at, at CrowdStrike. Good show. 
So, you know, good luck to you in the future. >>Thank you very much. All right. >>You're very welcome. All right. Keep it right there. Dave Vellante for theCUBE. We'll be right back, right after this short break from Fal.Con 22, live from the ARIA in Las Vegas.
Sven Krasser, CrowdStrike | CrowdStrike Fal.Con 2022
>> We're back in Las Vegas at the ARIA for Fal.Con 22, CrowdStrike's big user conference. I'm Dave Vellante and you're watching theCUBE. Sven Krasser is here as the senior vice president and chief scientist at CrowdStrike and we're going to get a masterclass in AI for security, Sven. Thanks for coming on. Appreciate it. >> Thanks for having me. >> So I love the title. I just, I'm excited to have you on, I understand you were like employee number two or, you know, really early on >> Among the initial nine. Yeah. >> 11 years ago and I think two days you started. >> Yes. >> What was that like? You know, was that, you know, did you know George beforehand or you kind of? >> Yeah, I, I knew I knew George before, like not as well as I know him now. >> Yeah. >> And it, it sounded like a pretty good proposition about what he was having in mind. Like things security wise didn't really work that well back in the day. And we wanted to try something new, like cloud native, data driven, AI, and use that to stop, to stop breaches. So yeah, like it was very exciting. Like you go there, you have nothing there. First day, you open your laptop and you try to reinvent security. >> Yeah. So, I mean, I know he never, he talks about this. I never said we're going to be an AV company. But of course, you know, you start with antivirus and when at an endpoint and known malware, okay. But unknown malware at the time wasn't really being addressed. And if I understand it you guys brought in machine intelligence from the start. Explain that. >> That's that's right. And like, the way we, we looked at it is like, back then we said, you don't have a malware problem. You have an adversary problem. Just like recognizing that it's not malware but there's people behind it that act on objectives that you need to, that you need to counter and you don't want to run after them. You want to be ahead of them. 
Like that was, that was the approach, like at a very high level that we were taking and you know, now we have it a little bit more summed up and we say, we stop breaches. So like, that's, that's the end result. >> So how do you specifically leverage AI? Which parts of the portfolio, is it across the portfolio and you know, where did it start? How did it evolve? >> Yeah, we are very, we're very data driven. So we are working hard to use the, the proper tools to work with data wherever we can. And AI being one of these, these tools that we like to bring to bear. The, the cloud, the CrowdStrike security cloud at the moment we're doing about roughly 2 trillion events, with a T, per day. Like that, that volume of data, like going through our platform, that that's not something that you can, that you can work with manually, right? So we need, we need to bring the heavy machinery, like that's, that's how we're bringing AI to bear. >> 2 trillion events per day. I mean, there aren't a lot of organizations that see that many events a day. I mean, maybe, maybe some of the hyperscalers possibly. I don't know. That's a... >> Yeah. I think, I think it really allows us to get unprecedented insights into what's actually going on out there in the, in, in the landscape. And, you know, it's, it's like, it's like with a camera or a telescope, the bigger your aperture the fainter signals you can detect. And that's why like, that's why the volume is, is critical. And that's why we, that's why we from the get go, set out to build a cloud native platform so that we can actually aggregate this type of data and analyze it in one spot, basically where where everything comes together that we can draw these connections. >> Will we ever see security without humans? >> I don't, I don't think so. This, this, this notion that machine intelligence is so intelligent that it just takes these jobs over. To me it's more like a tool, right? 
Like these, these algorithms, they do need to learn from something they need to learn from human expertise. The way at CrowdStrike we have things set up is like our, our human teams our threat hunters, our MDR staff, our incident responders, like whatever they do, we, we are taking these insights and we're feeding them into the AI algorithms. So if there's, if there's a new type of attack and we have an incident response team on the ground and they find something, that gets leveraged put into a database and our AI can learn from that. I, I, I really like that in the keynote, Kevin Mandia actually talked to that, you know. Like get the incident responders out there, get their knowledge, bake it into products. And that that's, that's the approach that we're taking with, with with our AI. >> So in my head, I'm thinking okay, what do humans do better than machines? I mean, humans are creative, right? Machines really aren't creative, right? I mean, and adversaries are very creative. So, so I guess flip side question, what is, what does AI do? What does the machine intelligence do that that humans can't do? Is it scale? Is it just massive volumes? Help us understand what humans do well and machines do well and how they compliment each other. >> Yeah. So AI is, is very good at working with extremely large amounts of data. Again, like cloud native platform, like that's where you get this AI advantage. It can work with data that is a lot more complex like more facets of data. So we talked about XDR here at Fal.Con a lot, right? Like you get data from all these different products, from all these different angles. Like the more different facets you add to that like it becomes overwhelming for the human mind. It's just like so much complexity that a human can put together in their brain. With AI you don't have these limitations. It's just math. 
It's just like multiplying big matrices and you can work with a lot larger data sets, like those 2 trillion events that we do per day on the on the CrowdStrike security cloud. But also data that is a lot more complex, that has more facets, looks at the problem from different angles. That's where AI is especially useful. >> I want to ask you as a topic I haven't asked anybody this week and I've been meaning to, is, you know there's this concept of, of living off the land, right? Using your own tools against you. How are you able to detect that? Is that cuz of lateral movement or, I mean I'm sure there are many, many factors, but but how are you addressing that problem? That kind of stealthy using your tools against you? >> Yeah, so adversaries, this is, again there's motivated humans behind that. They figured if they drop a malware file on the machine that's an artifact, an indicator of compromise, right? And that can be detected. So they're avoiding dropping files on disc that could be detected or to bring their to bring their own tools. They try to work with the tools that they find on the machines. They need to act on objective though. There's something they want to accomplish. Like they're not, they're not logging in just to, you know, like do nothing. And this is where indicators of attack come in, right? Like we know what their objectives are and we're trying to capture this. We're describing this in an abstract way. What is it that they try to accomplish? That's what indicators of attack describe and when they act on these objectives then we can catch them. >> So I, I think that the the term indicators of attack, I, I, you may have coined it. I'm, I'm not sure. I think it was you announcement at, at black hat. Those indicators are not static, right? To your point, the humans on the other end are motivated. Are you a can, can AI help predict future indicators of attack maybe working with, with humans? 
>> Yeah, this is, this is something that we recently rolled out where we are connecting our AI intelligence to our indicator of attack framework. Where basically the AI crunches the big data and then the indicators, the, the knowledge that the AI generates, understanding the context of the situation, can feed into the indicators of attack that we're evaluating to see if an adversary is acting on a specific objective. And then if an IOA triggers, that can feed back into the AI and the AI can use that information to derive for more precise results. We have a good feedback loop between these two, these two systems and they're more tightly integrated now. >> As a, as an AI expert, I want to ask you, is is the intelligence, is AI actually artificial? Or is it, is it real? >> Well, it, it is artificial cause I guess we, we build it right? Like it's a human made. I, I think a lot of people get hung up on the term intelligent and it, it's not really intelligent in the say, in the sense that it acts on agency with, with agency like you would look at a problem, right? It's good at solving specific types of tasks and problems that we can define in ways that these algorithms work on it. But it is not the same level of creative thinking that a human brings to the problem. And this is, going back to the beginning of the conversation, this is where we like to have humans involved in the teaching of the AI. The AI connect autonomously in real time stopping threats. But there's humans that take a look at what is going on to give the AI input and feedback and, and improvements because we are up against other humans, right? You don't want to have a human kind of press the buttons of the AI until they found a way around it. But that's called adversarial machine learning. Very real threat as well. Like we are, we're looking at the problem as humans against humans. Like what, what tools do we need to bring to the battle to keep the adversaries out of our customer's networks? >> Okay. 
So my follow up is, but there are systems of agency for our detection is a, as an example. But your, I think your point is that that never would've been possible without humans. Is that right? Or... >> Yeah, like on, on the one hand, these systems get trained with human knowledge. On the other hand, there, there are humans that take a look at, if the systems give the right responses. Like there, there isn't like if you talk to your smart speaker, like, like for me, like I'm, I'm asking my smart speaker to turn a specific light on in my living room and it, it, half the time doesn't work, right? Like that, that wouldn't happen with a human. There's like a lot more context and understanding and humans are more robust. Like it's, it's harder to fool a human. The limitation that we humans have is complexity, complexity and volume. So we're trying to make like a peanut butter and cookie approach, a peanut butter and chocolate approach rather, where we want to use the human creativity alongside the AI, which can handle scale complexity and volume at unprecedented, unprecedented scales. >> And when you bring it out to the edge, we, we were just talking to Stefan Goldberg about IOT and extended IOT. When you think about, you know, AI, a lot of lot of AI today is modeling that's done in the cloud and then applied. But when you go out to the edge, you you're starting to see more AI inferencing and near realtime, or even real time. Will that change the equation? What's the future of, of, of AI and cyber look like? >> I think, I, I think it would be pervasively applied. So we are using it already on the edge, on our sensors, but also in the cloud, right? On the sensor, we want to be able to act very quickly on the endpoint, want to be able to act very quickly without any delay with local inflammation. Or if the system is offline for a period of time, right? So we have AI models running there. 
In the cloud, we have the advantage of being able to work with vast amounts of data without slowing down our customer's machines. So like models will be applied everywhere where there's data, like that's kind of the name of the game. Like let's bring, let's bring this, this type of artificial intelligence, this type of, of like refined digested expertise, wherever the data sits on the end point, in the clouds, where you have it. >> And CrowdStrike doesn't care, right? I mean, it's... >> We care about stopping the breaches. >> Yeah. But you're agnostic to the physical location of >> That, that's correct. >> The activity. So last question is, how should we as humans prepare for the future of AI in, in cyber? >> That's a, that's a good question. I, I would say like, stay, stay creative and like figure out how we can get that knowledge that you have like formalized into, into databases, right? AI, the way I look at it is an amplifier of human expertise. You do something at a small scale as a human, the AI system can do it at a big scale, right? Like it's kind of like digging with a spoon whether it's digging with an excavator, with a, with a backhoe. So I I'd say stay, stay creative and see how we can take things that we do as humans in the small scale and let's do it in the cloud, like with with large data volumes. >> Great advice, creativity, I think is, is a key. Sven, thanks so much for coming on the cube. Really appreciate your time. >> Thanks for having me. >> You're very welcome. Okay. Keep it right there. Listen, by, by the way, I meant to to tell our audience a lot of resources at siliconangle.com, thecube.net, wikibon.com, has a ton of research all available at for no charge. No, no, no password needed. Just access that. Check it out. We're live from the ARIA hotel in Las Vegas, Fal.Con 22, Dave Vellante for the cube. We'll be back after this short break. (calming xylophone music)
Todd Crosley, CrowdStrike & Patrick McDowell, AWS | CrowdStrike Fal.Con 2022
Hi everybody, this is Dave Vellante and this is day two of The Cube's coverage of Fal.Con 2022. We're live from the ARIA in Las Vegas. Everybody was out last night at the Brooklyn Bowl. Awesome band, customers were dancing, a lot of fun, a lot of business going on here. Todd Crosley's here, he's to my left. He's the senior director of cloud partnerships at CrowdStrike, and Patrick McDowell is the global technical lead for security partners at AWS. These guys have been partnering for a long time and we're going to dig into that partnership. Gents, welcome to The Cube.

Thanks for having us. Thanks. Happy birthday.

You're very welcome. Todd, talk about the, the history of the relationship. You guys are kind of bet business on each other, but take us back.

Sure thing. So, you know, yesterday or the day before, the company turned 11 years old or so. I think George talked a lot about that the other day. But, uh, we've actually been working closely with the Amazon team for more than five years at this point, and it's really evolved into a strategic collaboration, really. So, uh, from an executive on down into field alignment, channel alignment, uh, the marketing team and, and the build team, where we, we work with Patrick and his extended team on different service integrations and different, uh, you know, effectively positive security outcomes for the customers together.

I mean, Patrick, if you think about the history of AWS, it's like you guys realized you had lightning in a bottle and then also realized, wow, an ecosystem play is the way to go. And when you go to re:Invent it's palpable, the, the ecosystem innovation and the, the flywheel effect that you've created. But what's AWS's perspective on the partnership with CrowdStrike?

Yeah, it's essential to us and our customers, right? So we've been doing deep integrations probably since, I think the first big one of CrowdStrike was with GuardDuty, Amazon GuardDuty, which is our, uh, easy-to-use threat detection service in AWS. One click on, and their threat intelligence actually build, is built directly into that service. So an AWS customer turns on GuardDuty, it's automatically, uh, being, uh, enhanced and enriched with Falcon X threat intelligence, uh, by default.

Yeah. So the cloud has become the first line of defense for a lot of the CSOs that I talk to. You know, everybody's cloud first, cloud first, and it's like, okay, that's awesome, because cloud has really good security. But then it's, okay, but if there's some differences, I got, there's a shared security model that I have to understand. And, and so when you guys talk to customers, I know it's, you know, one of the leadership principles is you got to be focused, you know, insanely focused on customers. CrowdStrike, very customer focused as well. That's how you sort of created this company that is doing such innovative things. What are customers telling you, um, about how they want you to work together? What kind of feedback are you getting? Any other examples that you might have in the future?

Yeah, sure thing. I'll go first. So that, well, so they, they depend on, uh, the, like you said, this shared security model, but there's ample opportunity where vendors like CrowdStrike, and we've worked with Patrick's team extensively to, to pinpoint areas where we can provide. So examples of that would be like on the, in compute. So like you recently released the Graviton processors. We've had a recent success with a customer where, uh, they've walked down their digital transformation journey, they had, they were looking to switch over to the Graviton processors, and we work closely with Patrick's team to say, okay, we're going to certify our sensor, uh, on that particular area of compute, so the customer continue to enjoy CrowdStrike in our single-platform, cloud-first native platform, to say, okay, you've got skill sets on the on-prem environment, your endpoint environment, and good news, you're switching to Graviton, no problem, we still support that. And we've been able to do that by working closely with each other, inclusive not just the architects but the product teams work closely together as well.

Yeah, in this customer case, um, you know, uh, CrowdStrike already supported for Amazon Linux, but this customer, a very large customer of ours, need to move 10,000 EC2 instances to Graviton on Red Hat Linux, not Amazon Linux. So we got CrowdStrike engineering, our engineering, our architects, and we were able to get this customer Red Hat support for Graviton within two months, right, in production, ready to go, and unblock this migration.

So I love the Graviton example. So what I always default to when somebody says, oh, we're cloud native, I'd say, are you running on Graviton? Uh, because, because Graviton is, is, is, uh, Amazon's custom silicon that complements what you're doing with Intel, what you're doing with AMD, and they're all kinds of different instance types, but it's based on an Arm system and it's delivering new levels of performance and, and an energy reduction, if I can use that term. Um, and, and it's on a new curve. Yeah, and so tremendous cost savings as well, right? I think out of the box with no change in the application you're getting 20, and that's, and I, I don't even think you're really driving it as hard as you can, is my assessment, but you gotta be considerate of these days. So, but that's an example of, of how you're using, from a technology standpoint, cloud native, and then, and then sort of partnering. Does this, you know, Graviton one, Graviton two, Graviton three, I'm sure there'll be Graviton 10 someday.

No doubt. I think it's a good example of us working closely together, paying attention to the customer's needs and making sure they don't, they don't miss a step and, and still stop the breach and pay attention to their security needs.

So you're part of the APN, the Amazon Partner Network.

Yep.

What do you got to do to be like certified at an elite level there? You probably have to go through a lot of hoops, and maybe you could describe what you guys do there and how you work together to ensure that a company is adequate and more than adequate for its customers.

Yeah, sure thing. So we, we've participated in and we're certified in, for example, the security competency area, which elevates us amongst other security ISVs. We're one of the few that have that. Um, we have the, well, we participate in the Well-Architected program, which means that we've demonstrated a common set of criteria and customer references. I mean, that's a example. Um, another area where we've participated quite a bit is in, in the land of digital supply chains, notably AWS Marketplace, where we've, uh, latched on to many of their features and capabilities and participated in strategic programs, whether it be, um, you know, including the channel partner, or taking a look at traditional private offers, or taking a look at like the looping in the entire ecosystem to make sure the customer gets what they need.

So how do you integrate with things like Control Tower? Where, where are the seams and how do you make that as seamless as possible for customers? Or maybe you can explain what Control Tower

Yeah, so, uh, they have multiple integrations for Control Tower for their CSPM, Horizon. Uh, it automatically onboards new AWS accounts. So, uh, you know, as you're vending accounts, you're giving to more DevOps teams, Horizon is automatically deploying and being protected those accounts. So it has those guard rails in place for customers in a nice, easy-to-use deployment model that you don't have to think about, right? So Control Tower in general is, uh, it kind of gives customers guard rails, an easy button. If you're new to AWS, I'm migrating, hey AWS, can you just tell me the best practices, how should I set up my accounts, I need a landing zone, I'm doing migration. So it's really like a wizard for getting started in AWS, and CrowdStrike integrates that with Falcon Discover and as well as Falcon Horizon and your age.

So yeah, you guys really don't compete. Um, you know, maybe there's some overlap. Overlap is better than, than gaps. But, you know, when you, when you take something like, you know, network firewalls and things like that, Amazon brings that to the table and then CrowdStrike will build on top of that. Is that correct?

Yeah, I'll take this one. Uh, so George has said it, CrowdStrike is not a network security company, right? However, they have an integration using their threat intelligence on, on our Amazon network firewall. So AWS, Amazon and CrowdStrike coming together actually have a joint offering for customers in a space that CrowdStrike has never been in before itself. So I think that's very exciting.

So yeah, yeah, all those integrations that Pat's talking about, we've actually cataloged the whole thing on a GitHub page, where we find that's where customers go. They took a look at the integration and the supporting documentation, we're like, okay, yeah, this makes sense, this, these two companies augment each other well, and it turns out to be a good outcome.

And you check, you'll take telemetry data from the AWS cloud, you can take it from, you know, any, your agents can run anywhere, right? And then you bring that in to the, or I guess you sort of, you index it, I, in my term, in, in the AWS cloud enables that because you've got virtually unlimited scaling capability, and that's kind of where you guys started.

Yeah.

Cloud native dogma.

That's right. Yeah, it's a competitive differentiator for us. Uh, I, we think it's nice. We're a market leader in our space and Amazon's a market leader in their space, and, and we've got a lot of synergy together.

Where do you guys, last question, where do you guys respectively want to see the, the relationship go? If you had to put on your binoculars or even telescope, where do you want to see this go?

Well, I think we're, I think we're all in the business of accelerating positive security outcomes for the customer, and the, what we're doing is we're spending a lot of time educating our respective fields and respective customers to know that these, these integrations do in fact exist. Uh, they absolutely complement each other. We were in a meeting, uh, you know, maybe six, ten months ago, wherein a CIO said, I didn't know that the two, that the two products work so well together, speaking about the Control Tower and Horizon particular example. Had I known that, I would have bought it, uh, a lot quicker. This is, this is a great outcome, and the fact that you're working with Amazon together is a bit of a relief. So that was nice.

Yeah, I'm gonna echo what George Kurtz said in his keynote yesterday, that like security's a journey, XDR is a journey, and I think the work that we did on the Open Cybersecurity Schema Framework, which is an open source common, uh, security language that all vendors can use, including AWS and CrowdStrike, I think that is where we're going to see, uh, the, the industry rally around in the upcoming year. There's so much security data, there's a common, uh, now language that all products and clouds could talk to each other.

That's right. Tell, tell me more about it. OCSF, is that right? Where did that come from, and

Yeah, so, um, it's, it's a, it's an open source framework and, you know, both CrowdStrike, AWS and other, uh, you know, players in the industry are like, there's a common problem, none of our products talk together. It's all about customer benefit, right? So what can we do to democratize security data, make things talk well, play together? Everyone wants to do more analytics on lots of data lakes. So this is where it's all coming together.

Yeah, better collaboration in industry obviously is, is needed, and then the other piece is education. You guys both sort of refer to that. That's what I, when I come to conferences like this and re:Inforce as well, is a lot of it. I mean, I remember the first reinforcement was like explaining the shared responsibility model. Now of course a lot of people understood it, but a lot of people didn't. When you fast forward to 2022 and re:Invent, it was a lot more focused on how to really exploit the capabilities that AWS has, and then here at CrowdStrike it's like, okay, helping practitioners really understand how to take advantage of the full platform, and, and that's to your point, Patrick, the journey. All right guys, hey, we got to go. Thanks so much.

Thank you for having us.

All right, keep it right there. Fast and furious day two from CrowdStrike's Fal.Con 2022. You're watching theCUBE.

[Music]
George Kurtz, CrowdStrike | CrowdStrike Fal.Con 2022
(upbeat music)
>> Welcome back to The Cube's coverage of Fal.Con 22. I'm Dave Vellante with Dave Nicholson. This is day one of our coverage. We had the big keynotes this morning. Derek Jeter was one of the keynotes. We have a big Yankee fan here: George Kurtz is the co-founder and CEO of CrowdStrike. George, thanks for coming on The Cube.
>> It's great to be here.
>> Boston fan, you know, I tweeted out Derek Jeter. He broke my heart many times, but I can't hate on Jeter. You got to have respect for the guy.
>> Well, I still remember I was in Japan when Boston was down you know, by three games and came back to win. So I've got my own heartbreak as well.
>> It did heal some wounds, but it almost changed the rivalry, you know? I mean,
>> Yeah.
>> Once, it's kind of neutralized it, you know? It's just not as interesting. I mean, I'm a season ticket holder. I go to all the games and Yankee games are great. A lot of it used to be, you would never walk into Fenway Park with, you know pinstripes, when today there's as many Yankee fans as there are...
>> I know.
>> Boston fans. Anyway, at Fenway, I mean.
>> Yeah.
>> Why did you start CrowdStrike?
>> Biggest thing for me was to really change the game in how people were looking at security. And at my previous company, I think a lot of people were buying security and not getting the outcome that they wanted. Not- I got acquired by a company, not my first company. So, to be clear, and before I started CrowdStrike, I was in the antivirus world, and they were spending a lot of money with antivirus vendors but not getting the outcome I thought they should achieve, which is to stop the breach, not just stop malware. And for me, security should be outcome based not sort of product based. And the biggest thing for us was how could we create the Salesforce of security that was focused on getting the right outcome: stopping the breach.
>> And the premise, I've seen it, the unstoppable breach is a myth. No CSOs don't live by that mantra, but you do. How are you doing on that journey?
>> Well I think, look, there's no 100% of anything in security, but what we've done is really created a platform that's focused on identifying and stopping breaches as well as now, extending that out into helping IT identify assets and their hygiene and basically providing more visibility into IT assets. So, we talked about the convergence of that. Maybe we'll get into it, but.
>> Dave Vellante: Sure.
>> We're doing pretty well. And from our standpoint, we've got a lot of customers, almost 20,000, that rely on us day to day to help stop the breach.
>> Well, and when you dig into the CrowdStrike architecture, what's so fascinating is, you know, Dave, we've talked about this: agent bad. Well, not necessarily, if you can have a lightweight agent that can scale and support a number of modules, then you can consolidate all these point tools out there. You talked about in your keynote, your pillars, workloads, which really end points
>> Right.
>> ID, which we're going to talk about. Identity data and network security. You're not a network security specialist,
>> Right.
>> But the other three,
>> Yes.
>> You're knocking down.
>> Yeah.
>> You guys went deep into that today. Talk about that.
>> We did, most folks are going to know us for endpoint and Cloud workload protection and visibility. We did an acquisition almost two years to the day on Preempt. And that was our identity play, identity threat protection and detection. And that really turned out to be a smart move, because it's the hottest topic right now. If you look at all the breaches over the last couple years, it's all identity based. Big, big talking points in our keynotes today.
>> Dave Vellante: Right.
>> And then the third area is on data, and data is really the you know, the new currency that people trade in. So how do you identify and protect endpoints and workloads? How do you tie that together with identity, as well as understanding how you connect the dots and the data and where data flows? And that's really been our focus and we continue to deliver on that for customers.
>> And you've had a real dogma, I'll call it, about Cloud Native. I've had this conversation with Frank Slootman, "No we're not going to do a halfway house." You, I think, said it really well today. I think it was you who said it. If you've got On-Prem and Cloud, you got two code bases,
>> George Kurtz: Right.
>> That you got to maintain.
>> That's it, yeah.
>> And that means you're taking away resources from one or the other.
>> That's exactly right. And what a lot of our competitors have done is they started On-Prem as an AV vendor, and then they took what they had and they basically put it in a Cloud instance called a Cloud, which doesn't really scale. And then, you know, where they need to, they basically still keep their On-Prem, and that just diffuses your engineering team. And most of the On-Prem stuff doesn't even have the features of what they're trying to offer from the Cloud. So either you're Cloud Native or you're not. You can't be halfway.
>> But it doesn't mean that you can't include and ingest On-Prem data-
>> Well, absolutely.
>> into your platform, and that's what I think most people just some reason don't seem to understand.
>> Well our agents run wherever. They certainly run On-Prem.
>> Dave Vellante: Right. Right.
>> And they run in the Cloud, they run wherever. But the crowd in the CrowdStrike is the fact that we can crowdsource this threat information at scale into our threat graph, which gives us unique insight, 7 trillion events per week. And you can't do that if you're not Cloud Native. And that crowd gives the, we call, community immunity. We see all kinds of attacks across 176 different countries. That benefit accrues to all of our customers.
>> But how do you envision and maintain and preserve a lightweight agent that can support so many modules? As you do more acquisitions and you knock down new areas and bring in new functionality, go after things like operations technology, how is it that you're able to keep that agent lightweight?
>> Well, we started as a platform company, meaning that the whole idea was we're going to build a lightweight agent. First iteration had no security capabilities. It was collect data, get it into a common data architecture or threat graph, in one spot. And then once we had the data then we applied AI to it and we created different workflows. So, the first incarnation was get data into the Cloud at scale. And that still holds true today. So if you think about why we can actually have all these different modules without an impact on the performance, it's we collect data one time. It's a threat data, you know? We're not collecting user data, but threat data collection mechanism. Once we have all that data, then we can slice and dice and create other modules. So the new modules never have to even touch the agent 'cause we've already collected the data.
>> I'm going to just keep going, Dave, unless you shove your way in.
>> No, no, go ahead. No, no, no. I'm waiting to pounce.
>> But okay, so, I think, George, but George, I need to ask you about a comment that you made about we're not just shoving it into a data lake. But you are collecting all the data. Can you explain that nuance?
>> Yeah. So there's a difference between a collect and forward agent. It means they just collect a bunch of data. They'll probably store it in a lot of space on the endpoint. It's slow and cumbersome, and then they'll forward it up into another data lake. So you have no context going into no context. Our agent is a smart agent, which actually allows us to always track the context of all these processes in what's happening on the endpoint. And it's a mini graph, meaning we keep track of the relationships. And as we ship that contextual information to the Cloud, we never lose that context. And then it goes into the bigger graph database, always with the same level of context. So, we keep the context of each individual workload or endpoint, and then across the Cloud, we have the context of all of those put together. It's massive. And that allows us to create different insights rather than a data lake, which is, you know, you're looking for, you're creating a bigger needle stack looking for needles.
>> And I'm envisioning almost an index that is super, super fast. I mean, you're talking about sub, well second kind of near real time responses, correct?
>> Absolutely. So a lot of what we do in terms of protection is already pushed down to the endpoint, 'cause it has intelligence and the AI model. And then again, the Cloud is always looking for different anomalies, not only on each individual endpoint or workload, but across the entire spectrum of our customer base. And that's all real time. It continually self-learns from all the data we collect.
>> So when, yeah, when you've made these architectural decisions over time, there was a time when saying that you needed to run an agent could be a deal killer somewhere for people who argued against that.
>> George Kurtz: Right.
>> You've made the right decision there, clearly. Having everything be crowdsourced into Cloud makes perfect sense. Has that, though, posed a challenge from a sovereignty perspective? If you were deploying stuff On-Prem all over the place, you don't need to worry about that. Everything is here
>> George Kurtz: Yeah.
>> in a given country. How do you address the challenges of sovereignty when these agents are sending data into some sort of centralized Cloud space that crosses boundaries?
>> Well, yeah, I guess what we would, let me go back to the beginning.
So I started company in 2011 and I had to convince people that delivering endpoint security from the Cloud was going to be a good thing. >> Dave Vellante: Right. (chuckles) >> You know, you go into a Swiss bank and a bunch of other places and they're like, you're crazy. Right? >> Dave Nicholson: Right. >> They all became customers afterwards, right? And you have to just look at what they're doing. And the question I would have in the early days is, well, let me ask you are you using Dropbox, Box? Are you using a Microsoft? You know, what are you using? Well, they're all sending data to the Cloud. So good news! You already have a model, you've already approved that, right? So let's talk about our benefit. And you know, you can either have an adversary steal your data or you can send threat data to our Cloud, which by the way is in a lot of sovereign Clouds that are out there. And when you actually break it down to what we're sending to the Cloud, it's threat data, right? It isn't user files and documents and stuff. It's threat data. So, we work through all of that. And the Cloud is bigger than CrowdStrike. So you look at Salesforce, ServiceNow, Workday, et cetera. That's being used all over the place, Box, Dropbox. We just tagged onto it. Like why shouldn't security be the platform of record, and why shouldn't CrowdStrike be the platform of record and be the pillar of Cloud security? >> Explain your observability strategy, 'cause you acquired Humio for, I mean, I think it was $400 million, which is a song. >> Yeah. >> And then Reposify is the latest acquisition. I see that as an extension, 'cause it gives you visibility. Is that part of your security, of your observability play? Explain where you do play and don't play. >> Sure. Well observability is a big, you know, fluffy word. Where we play is in probably the first two areas of observability, right? There's five, kind of, pillars. We're focused on event collection. Let's get events from the endpoints. 
Let's get events from really anywhere in the network. And we can do that with Humio is now LogScale. And then the second piece is with our agents, let's get an understanding of their, the asset itself. What is the asset? What state is it in? Does it have vulnerabilities? Does it have, you know, is it running out of disk space? Is it have, does it have a performance issue? Those are really the first two, kind of, areas of observability. We're not in application performance, we're in let's collect data from the endpoint and other sources, and let's understand if the thing is working, right? And that's a huge value for customers. And we can do that because we already have a privileged spot on the endpoint with our agent. >> Got it. Question on the TAM. Like I look at your TAMs, your charts, I love it. You know, generally do. Were you taking known data from you know, firms like IDC >> George Kurtz: Yeah. >> and saying, okay we're going to play there, now we're made this acquisition. We're new modules, now we're playing there. Awesome. I think you got a big TAM. And I guess that's, that's the point. There's no lack of market for you. >> George Kurtz: Right. >> But I do feel like there's this unknown unquantifiable piece of your TAM. IDC can't see it, 'cause they're kind of looking back >> George Kurtz: Right. >> seein' what the market do last year and we'll forecast it out. It's almost, you got to be a futurist to see it. How do you think about your total available market and the opportunity that's out there? >> Well, it's well in excess of 120 billion and we've actually updated that recently. So it's even beyond that. But if you look at all the modules each module has a discrete TAM and again, for what, you know, what we're focused on is how do you give an outcome to a customer? So a lot of the modules map back into specific TAM and product categories. 
When you add 'em all up and when you look at, you know, some of the new things that we're coming out with, again, it's well in excess of 120 billion. So that's why we like to say like, you know, we're not an endpoint company. We're really, truly a security platform company that was born in the Cloud. And I think if you see the growth rates, and one of the things that we've talked about, and I think you might have pointed out in prior podcasts, is we're the second fastest company to 2 billion dollars in annual recurring revenue, only behind Zoom. And you know I would argue- great company, by the way, a customer- but that was a black Swan event in a pandemic, right? >> Dave Vellante: I'll say! >> Yeah. >> So we are rarefied air when you think about the capabilities that we have and the performance and the TAM that's available to us. >> The other thing I said in my breaking analysis was 'cause you guys aspire to be a generational company. And I think you got a really good shot at being one, but to be a generational company, you have to have an ecosystem. So I'd love you to talk about the ecosystem, but where you want to see it in five years. >> Well, it really is a good point and we are a partner first company. Ecosystem is really important. Cameras probably can't see all the vendors that are here that are our partners, right? It's a big part of this show that we're at. You see a lot of, well, you see some vendors behind us. >> Yep. >> We have to realize in 2022, and I think this is something that we did well and it's my philosophy, is we are not the only game in town. We like to be, and we are, for many companies the security platform on record, but we don't do everything. We talked about network in other areas. We can't do everything. You can't be good and try to do everything. So, for customers today, what they're looking at is best of platform. 
And in the early days of security, I've been in it over 30 years, it used to be best of breed products, then it was best of suite, now it's best of platform. So what do I mean by that? It means that customers don't want to engineer their own solution. They, like Lego blocks, they want to pull the platforms, and they want to stitch 'em together via API. And they want to say, okay, CrowdStrike works with Okta, works with Zscaler, works with Proofpoint, et cetera. And that's what customers want. So, ecosystem is incredibly important for us. >> Explain that. You mentioned Okta, I had another question for you. I was at Reinforce, and I saw this better together presentation, CrowdStrike and Okta talking about identity. You've got an identity module. Explain to people how you're not competing with Okta. You guys complement each other, there. >> Well, an identity kind of broker, if you will, is basically what Okta does in others, right? So you log in single sign on and you get access. They broker access to all these other applications. >> Dave Vellante: Right. >> That's not what we do. What we do is we look at those endpoints and workloads and domain controllers and directory services and we figure out, are there vulnerabilities and are there threats associated with them? And we call that out. The second piece, which is critical, is we prevent lateral movement. So if credentials are stolen we can prevent those credentials from being laundered or used and moved laterally, which is a key part of how breaches happen. We then create a trust score on those endpoints and workloads. And we basically say, okay, do we think the trust on the endpoint and workload is high or low? Do we think the identity, you know, is it George on the endpoint, or not? We give that a score. And we pass that along to Okta or Ping or whoever, and they then use that as part of their calculus in how they broker access to other resources. So it really is better together. 
>> So your execution has been stellar. This is my competition question. You obviously have competition out there. I think architecturally, you've got some advantages. You have a great relationship with AWS. I don't know what's going on with Google, but Kevin's up on stage. >> George Kurtz: Yeah. >> They're now part of Google. >> George Kurtz: We have a great relationship with them. >> Microsoft obviously, a competitor. You obviously do some things in, >> Right. >> in Azure. Are you building the security Cloud? >> We are. We think we are, because when you look at the amount of data that we actually ingest, when you look at companies using us for critical decisions and critical protection, not only on their On-Prem, but also in their Cloud environment, and the knowledge we have, we think it is a security Cloud. You know, you had, you had Salesforce and Workday and ServiceNow and each of them had their respective Clouds. When I started the company, there was no security Cloud. You know, it wasn't any of the companies that you know. It wasn't the firewall companies, wasn't the AV companies. And I think we really defined ourselves as the security Cloud. And the level of knowledge and insights we have in our Cloud, I think, are world class. >> But you know, it's a difference of being those- 'cause you mentioned those other, you know, seminal Clouds. They, like Salesforce, Workday, they're building their own Clouds. Maybe not so much Workday, but certainly Salesforce and ServiceNow built their own >> Yeah. >> Clouds, their own data centers. You're building on top of hyperscalers, correct? >> Well, >> Well you have your own data centers, too. >> We have our own data centers, yeah. So when we first started, we started in AWS as many do, and we have a great relationship there. We continue to build out. We are a huge customer and we also have, you know, with data sovereignty and those sort of things, we've got a lot of our sort of data that sits in our private Cloud. 
So it's a hybrid approach and we think it's the best of both worlds. >> Okay. And you mean you can manage those costs and it's, how do you make the decision? Is it just sovereignty or is it cost as well? >> Well, there's an operational element. There's cost. There's everything. There's a lot that goes into it. >> Right. >> And at the end of the day we want to make sure that we're using the right technology in the right Clouds to solve the right problem. >> Well, George, congratulations on being back in person. That's got to feel good. >> It feels really good. >> Got a really good audience here. I don't know what the numbers are but there's many thousands here, >> Thousands, yeah. >> at the ARIA. Really appreciate your time. And thanks for having The Cube here. You guys built a great set for us. >> Well, we appreciate all you do. I enjoy your programs. And I think hopefully we've given the audience a good idea of what CrowdStrike's all about, the impact we have and certainly the growth trajectory that we're on. So thank you. >> Fantastic. All right, George Kurtz, Dave Vellante for Dave Nicholson. We're going to wrap up day one. We'll be back tomorrow, first thing in the morning, live from the ARIA. We'll see you then. (calm music)
Amanda Adams, CrowdStrike | CrowdStrike Fal.Con 2022
>>Hi, we're back. We're watching, you're watching the Cube coverage of Fal.Con 2022 live from the ARIA in Las Vegas, Dave Vellante with Dave Nicholson and we, yes, folks, there are females in the cyber security industry. Amanda Adams is here. So the vice president of America Alliance at CrowdStrike. Thanks for coming on. >>Thank you so much for having me. >>We it's, it's fantastic to, to actually, as I was starting to wonder, but we >>Do have females in leadership. >>Wait, I'm just kidding. There are plenty of females here, but this cybersecurity industry in general, maybe if we have time, we can talk about that, but I wanna talk about the, the Alliance program, but before I do, yeah. You know, you, you got a nice career here at CrowdStrike, right? You've kind of seen the ascendancy, the rocket ship you've been on it for five years. Yep. So what's that been like? And if you had to put on the binoculars and look five years forward, what can you tell us in that 10 year span? Oh >>My goodness. What a journey it's been over the last five, six years. I've been with CrowdStrike almost six years and really starting with our first core group of partners and building out the alliances, seen obviously the transformation with our sales organization. And as we scaled, I think of our, of our technology. We started with, I think, two products at that time, we were focused on reinventing how our customers thought about next-gen AV but also endpoint detection response. From there, the evolution is really driving towards that cloud security platform, right? How our partners fit into that. And, and how we've evolved is it's not just resell. It's not just focusing on the margin and transactions. We really have focused on building the strategic relationships with our partners, but also our customers and fitting them in that better together story with that CrowdStrike platform. It's been the biggest shift. Yeah. >>And you've got that. The platform chops for that. 
It's just, I think you're up to 22 modules now. So you're not a point product. You guys make that, that, that point lot now in terms of the, the partners and the ecosystem, you know, it's, it's, it's good here. I mean, it's, this it's buzzing. I've said it's like service. I've said, number of times, it's like service. Now back in 2013, I was there now. They didn't have the down market, the SMB that you have that's right. And I think you you're gonna have an order. You got 20,000 customers. That's right. I predict CrowdStrike's gonna have 200,000. I, I'm not gonna predict when I need to think about that. But, but in thinking about the, the, the co your colleagues and the partners and the skill sets that have evolved, what's critical today. And, and, and what do you see as critical in the future? >>So from a skill set standpoint, if I'm a partner and engaging with CrowdStrike and our customers, if you think about, again, evolving away from just resell, we have eight routes to market. So while that may sound complicated, the way that I like to think about it is that we truly flex to our partners, go to market their business models of what works best for their organization, but also their customers. The way that they've changed, I think from a skillset standpoint is looking beyond just the technology from a platform, building a better together story with our tech Alliance partners or store, if thinking about the XDR Alliance, which we are focusing on, there's so much great value in bringing that to our customers from a skillset standpoint, beyond those services services, we've talked about every day. I know that this is gonna be a top topic for the week yesterday through our partner summit, George, our CEO, as well as Jim Cidel, that's really the opportunity as we expand in new modules. 
If you think about Humio or LogScale, identity, and then cloud, our partners play a critical role when it comes into the cloud migration deployment integration services, really, we're not gonna get bigger from a services organization. And that's where we need our partners to step in. >>Yeah. And, you know, we we've talked a lot about XDR yeah. Already in day one here. Yeah. With, with the X extending into other areas. That's right. I think that services be, would become even more critical at that point, you know, as you spread out into the, really the internet of things that's right. Especially all of the old things that are out there that maybe should be on the internet, but aren't yet. Yeah. But once they are security is important. So what are you doing in that arena from a services perspective to, to bolster that capability? Is it, is it, is it internally, or is it through partners generally? >>It's definitely, I think we look to our partners to extend beyond the core of what we do. We do endpoint really well, right? Our services is one of the best in the business. When you look at instant response, our proactive services, supporting our customers. If you think to XDR of integration, building out those connect air packs with our customers, building the alliances, we really do work with our partners to drive that successful outcome with our customers. But also too, I think about it with our tech alliances of building out the integration that takes a lot of effort and work. We have a great team internally, which will help guide those services to be, to be built. Right. You have to have support when you're building the integrations, which is great, but really from like a tech Alliance and store standpoint, looking to add use cases, add value to more store apps for our customers, that's where we're headed. Right. >>What about developers? Do you see that as a component of the ecosystem in the future? Yeah, >>Without a doubt. 
I mean, I think that as our partner program evolves right now working with our, our developers, I mean, there's different personas that we work with with our customer standpoint, but from a partner working with them to build our new codes, the integration that's gonna be pretty important. >>So we were, we sort of tongue in cheek at the beginning of this interview yeah. With women in tech. And it's a, it's a topic that, on the cube that we've been very passionate about since day one yep. On the cube. So how'd you get in to this business? H how did your, your career progress, how did you get to where you are? >>You know, I have been incredibly fortunate to have connections, and I think it's who, you know, and your network, not necessarily what, you know, to a certain extent, you have to be smart to make it long term. Right. You have to have integrity. Do what you're saying. You're gonna do. I first started at Cisco and I had a connection of, it was actually a parent of somebody I grew up with. And they're like, you would fit in very nicely to Cisco. And I started with their channel marketing team, learned a ton about the business, how to structure, how to support. And that was the first step into technology. If you would've asked me 20 years ago, what did I wanna do? I actually wanted to be a GM of an organization. And I was coming outta I come on, which is great, which I'm, it really is right up. >>If you knew me, you're like, that actually makes a lot of sense. But coming outta college, I had an opportunity. I was interviewing with the golden state warriors in California, and I was interviewing with Cisco and that I had two ops and I was living in San Jose at the time. The golden state warriors of course paid less. It was a better opportunity in sales, but it was obviously where I wanted to go from athletics. And I grew up in athletics, playing volleyball. Cisco paid me more, and it was in San Jose. 
And really the, the Golden State Warriors seemed that I was having that conversation. They said, one year community is gonna be awful. It's awful from San Jose to Oakland, but also too, like you have more money on the table. Go take that. And so I could have very much ended up in athletics, most likely in the back office, somewhere. Like I would love that. And then from there, I went from Cisco. I actually worked for a reseller for quite some time, looking at, or selling into Manhattan when I moved from California to Manhattan, went to Tenable. And that was when I shifted really into channel management. I love relationships, getting to know people, building partnerships, seeing that long term, that's really where I thrive. And then from there came to CrowdStrike, which in itself has been an incredible journey. I bet. Yeah. >>Yeah. I think there's an important thread there to pull on. And that is, we, we put a lot of emphasis on stem, which people, some sometimes translate into one thing, writing code that's right. There are, but would you agree? There are many, many, many opportunities in tech that aren't just coding. >>Absolutely. >>And I think I, as a father of three daughters, it's, it's a message that I have shared with them. Yeah. They are not interested in the coding part of things, but still, they need to know that there are so many opportunities and, and it's always, sometimes it's happenstance in terms of finding the opportunity in your case, it was, you know, cosmic connection that's right. But, but that's, you know, that's something that we can foster is that idea that it's not just about the hardcore engineering and coding aspect, it's business >>That's right. So if, if there was one thing that I can walk away from today is I say that all the time, right? If you look at CrowdStrike in our mission, we really don't have a mission statement. We stop breaches every single day. When I come to work and I support our partners, I'm not super technical. 
I obviously know our technology and I, I enable and train our partners, but I'm not coding. Right. And I make an impact to our business, our partners, more importantly, our customers, every single day, we have folks that you can come from a marketing operations. There is legal, there's finance. I deal with folks all across the business that aren't super technical, but are making a huge impact. And I, I don't think that we talk about the opportunities outside of engineering with the broader groups. We talk about stem a lot, but within college, and I look to see like getting those early in career folks, either through an intern program could be sales, but too, if they don't like, like sales, then they shift into marketing or operations. It's a great way to get into the industry. >>Yeah. But I still think you gotta like tech to be in the tech business. Oh, you >>Do? Yeah. You do. I'm >>Not saying it's like deep down is like, not all of us, but a lot of us are kind of just, you know, well, at least you, >>At least you can't hate it. >>Right. Okay. But so women, 50% of the population, I think the stat is 17% in the technology. Yeah. Industry, maybe it's changed a little bit, but you know, 20% or, or less, why do you think that is? >>I, you know, I always go back to within technology, people hire from their network and people that they know, and usually your network are people that are very like-minded or similar to you. I have referred females into CrowdStrike. It's a priority of mine. I also have a circle that is also men, but also too, if you look at the folks that are hired into CrowdStrike, but also other technology companies, that's the first thing that I go to also too. I think it's a little bit intimidating. Right. I have a very strong personality and I'm very direct, but also too, like I can keep up with our industry when it comes to that stereotypes essentially. And some people maybe are introverted and they're not quite sure where they fit in. Right. 
Whether it's marketing operations, et cetera. So they, they're not sure of the opportunities or even aware of where to get started. You know what I mean? >>Yeah. I mean, I think there is a, a, a stereotype today, but I'm not sure why it's, is it unique to the, to the technology industry? No. Is it not? Right? It happens >>Thinking, I mean, there's so many industries where healthcare, >>Maybe not so much. Right. Because you know, >>You have nurses versus doctors. I feel like that is flipped. >>Yeah. That's true. Nurses versus doctors. Right. Well, I, I know a lot of women doctors though, but >>Yeah. That's kind of flipped. It's better. >>Yeah. Says >>Flipped over. Yeah. I think it's more women in medical school now, but than than men. But, >>And, and I do think in our industry, you know, when you look at companies like IBM, HPE, Cisco, Dell, and, and, and many others. Yeah. They are making a concerted effort for on round diversity. They typically have somebody who's in charge of diversity. They report, you know, maybe not directly to the CEO, but they certainly have a seat at the table. That's right. And you know, maybe you call it, oh, it's quotas. Maybe the, the old white guys feel, you know, a little slighted, whatever. It's like, nobody's crying for us. I mean, it's not like we got screwed. >>See, I know problema we can do this in Spanish. Oh, oh, >>Oh, you're not a old white guy. Sorry. We can do >>This in Spanish if you want. >>Okay. Here we go. So, no, but, but, but I, so I do think that, that the industry in general, I talked to John Chambers about this recently and he was like, look, we gotta do way better. And I don't disagree with that. But I think that, I think the industry is doing better, but I wonder if like a rocket ship company, like CrowdStrike who has so many other things going on, you know, maybe they gotta get you a certain size. I mean, you've reached escape velocity. You're doing obviously a lot of corporate, you know, good. Yeah. 
You know, and, and, and, and we just had earlier on we, you know, motor motor guides was very cool. Yeah. So maybe it's a maturity thing. Maybe these larger companies with you crowd size $40 billion market cap, but maybe the, the hundred plus billion dollar market cap companies. I don't know. I don't know. You guys got a bigger market cap than Dell. So >>I, I don't think it's necessarily related to market cap. I think it's the size of the organization of how many roles are open that we currently write. So we're at just over 6,000 employees. If you look at Cisco, how many thousands of employees they have there's >>Right. Maybe a hundred thousand employees. >>That's right. There's >>More opportunities. How many, what's a headcount of crowd strike >>Just over 6,000, >>6,000. So, okay. But >>If you think about the, the areas of opportunity for advancement, and we were talking about this earlier, when you look at early and career or entry level, it's actually quite, even right across the Americas of, we do have a great female population. And then as progression happens, that's where it, it tees off from a, a female in leadership. And we're doing, we're focusing on that, right? Under JC Herrera's leadership, as well as with George. One of the things that I always think is important though, is that you're mindful as, as the female within the organization and that you're out seeking somebody, who's not only a mentor, but is a direct champion for you when you're not in the room. Right. This is true of CrowdStrike. It's true of every organization. You're not gonna be aware of the opportunities as the roles are being created. And really, as the roles are being created, they probably have somebody in mind. Right. And so if you have somebody that's in that room says, you know what, Amanda Adams would be perfect for that. Let's go talk to her about it. You have to have somebody who's your champion. Yeah. 
>>There there's, there's, there's a saying that 80% of the most important moments in your life happen in your absence. Yeah. And that's exactly right. You know, when they're, when someone needs to be there to champion you, >>Did that happen for you? >>Yes. I have a very strong champion. >>So I mean, I, my observation is if, if you are a woman in tech and you're in a senior leadership position, like you are, or you're a, you're a general manager or a P and L manager or a CEO, you have to be so incredibly talented because all things being equal, maybe it's changing somewhat in some of those companies I talked about, but for the last 30 years, all things being equal, a, a, a woman is gonna lose out to a man who is as qualified. And, and I think that's maybe slowly changing. Maybe you agree with that, maybe you don't. And maybe that's, some people think that's unfair, but you know, think about people of color. Right. They, they, they, they grew up with less opportunities for education. And this is just the statistics that's right. Right. So should society overcompensate for that? I personally think, yes, the, the answer is just, they should, there should still be some type of meritocracy that's right. You know, but society has a responsibility to, you know, rise up all ships. >>I think there's a couple ways that you can address that through Falcon funds, scholarship programs, absolutely. Looking at supporting folks that are coming outta school, our internship program, providing those opportunities, but then just being mindful right. Of whether or not you publish the stats or not. We do have somebody who's responsible for D I, within CrowdStrike. They are looking at that and at least taking that step to understand what can we do to support the advancement across minorities. But also women is really, really important. >>Did you not have a good educational opportunity when you were growing up where you're like you had to me? Yeah, no, seriously, >>No. Seriously.
I went to pretty scary schools. Right. >>Okay. So you could have gone down a really bad path. >>I, a lot of people that I grew up with went down really, really bad paths. I think the inflection point at, at least for me what the inflection point was becoming aware of this entire universe. Yeah. I was, I was headed down a path where I wasn't aware that any of this existed, when I got out of college, they were advertising in the newspaper for Cisco sales engineers, $150,000 a year. We will train. I'm a smart guy. I had no idea what that meant. Right. I could have easily gone and gotten one of those jobs. It was seven or eight years before I intersected with the tech world again. And so, you know, kind of parallel with your experience with you had someone randomly, it's like, you'd be great at Cisco. Yeah. But if, if you're not around that, and so you take people in different communities who are just, this might as well be a different planet. Yes. Yeah. The idea of eating in a restaurant where someone is serving you, food is uncomfortable, right? The idea of checking into a hotel, the idea of flying somewhere on an airplane, we talk about imposter syndrome. That's right. There are deep seated discomfort levels that people have because they just, this is completely foreign, but >>You're saying you could have foreign, you could have gone down a path where selling drugs or jacking cars was, was, was lucrative. >>I had, I had, yeah. I mean, we're getting, we're getting like deep into societal things. I was, I was very lucky. My parents were very, very young, but they're still together to this day. I had loving parents. We were very, very poor. We were surrounded by really, really, really bad stuff. So. >>Okay. So, so, okay. So this, >>I, I don't, I don't compare my situation to others. >>White woman. That's I guess this is my point. Yeah. The dynamic is different than, than a kid who grew up in the inner city. Yes. Right. 
And, and, and they're both important to address, but yeah. I think you gotta address them in different ways. >>Yes. But if they're, but if they're both completely ignorant of this, >>They don't know it. So it's lack of >>A, they'll never be here. >>You >>Never be here. And it's such a huge, this is such a huge difference from the rest of the world and from the rest, from the rest of our economy. >>So what would you tell a young girl? My daughters, aren't interested in tech. They want to go into fashion or healthcare, whatever Dave's daughters maybe would be a young girl, preteen, maybe teen interested in, not sure which path, why tech, what would advice would you give? >>I think just understanding what you enjoy about life, right? Like which skills are you great at? What characteristics about roles and not really focusing on a specific product. Definitely not cybersecurity versus like the broader network. I mean, literally what do you enjoy doing? And then the roles of, you know, from the skillset that's needed, whether that be marketing, and then you can start to dive into, do I wanna support marketing for a corporate environment for retail, for technology like that will come and follow your passion, which I know is so easy to say, right? But if you're passionate about certain things, I love relationships. I think that holding myself from integrity standpoint, leading with integrity, but building strong relationships on trust, that's something I take really pride in and what I get enjoyment with. It's >>Obviously your superpower. >>It, >>It is. >>But >>Then it will go back to OST too, just being authentic in the process of building those relationships, being direct to the transparency of understanding, like again, knowing what you're good at and then where you can fit into an organization, awareness of technology opportunities, I think will all lend that to. 
But I also wouldn't worry, like when I was 17 years old, I, I thought I would be playing volleyball in college and then going to work for a professional sports team. You know, life works out very differently. Yeah. >>Right. And then, and for those of you out there, so I love that. Thank you for that great interview. Really appreciate letting us go far afield for those of you might say, well, I don't know, man. I don't know what my passion is. I'll give you a line from my daughter, Alicia, you don't learn a lot for your kids. She said, well, if you don't know what your passion is, follow your curiosity. That's great. There you go. Amanda Adams. Thanks so much. It was great to have you on. Okay. Thank you. Keep it right there. We're back with George Kurtz. We're to the short break. Dave Vellante, Dave Nicholson. You're watching theCUBE from Fal.Con 22 in Las Vegas.
Adam Meyers, CrowdStrike | CrowdStrike Fal.Con 2022
>> We're back at the ARIA Las Vegas. We're covering CrowdStrike's Fal.Con 22. First one since 2019. Dave Vellante and Dave Nicholson on theCUBE. Adam Meyers is here, he is the Senior Vice President of Intelligence at CrowdStrike. Adam, thanks for coming to theCUBE. >> Thanks for having me. >> Interesting times, isn't it? You're very welcome. Senior Vice President of Intelligence, tell us what your role is. >> So I run all of our intelligence offerings. All of our analysts, we have a couple hundred analysts that work at CrowdStrike tracking threat actors. There's 185 threat actors that we track today. We're constantly adding more of them and it requires us to really have that visibility and understand how they operate so that we can inform our other products: our XDR, our Cloud Workload Protections and really integrate all of this around the threat actor. >> So it's that threat hunting capability that CrowdStrike has. That's what you're sort of... >> Well, so think of it this way. When we launched the company 11 years ago yesterday, what we wanted to do was to tell customers, to tell people that, well, you don't have a malware problem, you have an adversary problem. There are humans that are out there conducting these attacks, and if you know who they are what they're up to, how they operate then you're better positioned to defend against them. And so that's really at the core, what CrowdStrike started with and all of our products are powered by intelligence. All of our services are our OverWatch and our Falcon complete, all powered by intelligence because we want to know who the threat actors are and what they're doing so we can stop them. >> So for instance like you can stop known malware. A lot of companies can stop known malware, but you also can stop unknown malware. And I infer that the intelligence is part of that equation, is that right? >> Absolutely. That that's the outcome. 
That's the output of the intelligence but I could also tell you who these threat actors are, where they're operating out of, show you pictures of some of them, that's the threat intel. We are tracking down to the individual persona in many cases, these various threats whether they be Chinese nation state, Russian threat actors, Iran, North Korea, we track as I said, quite a few of these threats. And over time, we develop a really robust deep knowledge about who they are and how they operate. >> Okay. And we're going to get into some of that, the big four and cyber. But before we do, I want to ask you about the eCrime index stats, the ECX you guys call it a little side joke for all your nerds out there. Maybe you could explain that Adam >> Assembly humor. >> Yeah right, right. So, but, what is that index? You guys, how often do you publish it? What are you learning from that? >> Yeah, so it was modeled off of the Dow Jones industrial average. So if you look at the Dow Jones it's a composite index that was started in the late 1800s. And they took a couple of different companies that were the industrial component of the economy back then, right. Textiles and railroads and coal and steel and things like that. And they use that to approximate the overall health of the economy. So if you take these different stocks together, swizzle 'em together, and figure out some sort of number you could say, look, it's up. The economy's doing good. It's down, not doing so good. So after World War II, everybody was exuberant and positive about the end of the war. The DGI goes up, the oil crisis in the seventies goes down, COVID hits goes up, sorry, goes down. And then everybody realizes that they can use Amazon still and they can still get the things they need goes back up with the eCrime index. We took that approach to say what is the health of the underground economy? 
When you read about any of these ransomware attacks or data extortion attacks there are criminal groups that are working together in order to get things spammed out or to buy credentials and things like that. And so what the eCrime index does is it takes 24 different observables, right? The price of a ransom, the number of ransom attacks, the fluctuation in cryptocurrency, how much stolen material is being sold for on the underground. And we're constantly computing this number to understand is the eCrime ecosystem healthy? Is it thriving or is it under pressure? And that lets us understand what's going on in the world and kind of contextualize it. Give an example, Microsoft on patch Tuesday releases 56 vulnerabilities. 11 of them are critical. Well guess what? After hack Tuesday. So after patch Tuesday is hack Wednesday. And so all of those 11 vulnerabilities are exploitable. And now you have threat actors that have a whole new array of weapons that they can deploy and bring to bear against their victims after that patch Tuesday. So that's hack Wednesday. Conversely we'll get something like the colonial pipeline. Colonial pipeline attack May of 21, I think it was, comes out and all of the various underground forums where these ransomware operators are doing their business. They freak out because they don't want law enforcement. President Biden is talking about them and he's putting pressure on them. They don't want this ransomware component of what they're doing to bring law enforcement, bring heat on them. So they deplatform them. They kick 'em off. And when they do that, the ransomware stops being as much of a factor at that point in time. And the eCrime index goes down. So we can look at holidays, and right around Thanksgiving, which is coming up pretty soon, it's going to go up because there's so much online commerce with cyber Monday and such, right? You're going to see this increase in online activity; eCrime actors want to take advantage of that. 
When Christmas comes, they take vacation too; they're going to spend time with their families, so it goes back down and it stays down till around the end of the Russian Orthodox Christmas, which you can probably extrapolate why that is. And then it goes back up. So as it's fluctuating, it gives us the ability to really just start tracking what that economy looks like. >> Realtime indicator of that crypto. >> I mean, you talked about, talked about hack Wednesday, and before that you mentioned, you know, the big four, and I think you said 185 threat actors that you're tracking, is 180, is number 185 on that list? Somebody living in their basement in their mom's basement or are the resources necessary to get on that list? Such that it's like, no, no, no, no. this is very, very organized, large groups of people. Hollywood would have you believe that it's guy with a laptop, hack Wednesday, (Dave Nicholson mimics keyboard clacking noises) and everything done. >> Right. >> Are there individuals who are doing things like that or are these typically very well organized? >> That's a great question. And I think it's an important one to ask and it's both it tends to be more, the bigger groups. There are some one-off ones where it's one or two people. Sometimes they get big. Sometimes they get small. One of the big challenges. Have you heard of ransomware as a service? >> Of course. Oh my God. Any knucklehead can be a ransomwarist. >> Exactly. So we don't track those knuckleheads as much unless they get onto our radar somehow, they're conducting a lot of operations against our customers or something like that. But what we do track is that ransomware as a service platform because the affiliates, the people that are using it they come, they go and, you know, it could be they're only there for a period of time. Sometimes they move between different ransomware services, right? 
They'll use the one that's most useful for them that that week or that month, they're getting the best rate because it's rev sharing. They get a percentage that platform gets percentage of the ransom. So, you know, they negotiate a better deal. They might move to a different ransomware platform. So that's really hard to track. And it's also, you know, I think more important for us to understand the platform and the technology that is being used than the individual that's doing it. >> Yeah. Makes sense. Alright, let's talk about the big four. China, Iran, North Korea, and Russia. Tell us about, you know, how you monitor these folks. Are there different signatures for each? Can you actually tell, you know based on the hack who's behind it? >> So yeah, it starts off, you know motivation is a huge factor. China conducts espionage, they do it for diplomatic purposes. They do it for military and political purposes. And they do it for economic espionage. All of these things map to known policies that they put out, the Five Year Plan, the Made in China 2025, the Belt and Road Initiative, it's all part of their efforts to become a regional and ultimately a global hegemon. >> They're not stealing nickels and dimes. >> No they're stealing intellectual property. They're stealing trade secrets. They're stealing negotiation points. When there's, you know a high speed rail or something like that. And they use a set of tools and they have a set of behaviors and they have a set of infrastructure and a set of targets that as we look at all of these things together we can derive who they are by motivation and the longer we observe them, the more data we get, the more we can get that attribution. I could tell you that there's X number of Chinese threat groups that we track under Panda, right? And they're associated with the Ministry of State Security. There's a whole other set. That's too associated with the People's Liberation Army Strategic Support Force. 
So, I mean, these are big operations. They're intelligence agencies that are operating out of China. Iran has a different set of targets. They have a different set of motives. They go after North American and Israeli businesses right now that's kind of their main operation. And they're doing something called hack and lock and leak. With a lock and leak, what they're doing is they're deploying ransomware. They don't care about getting a ransom payment. They're just doing it to disrupt the target. And then they're leaking information that they steal during that operation that brings embarrassment. It brings compliance, regulatory, legal impact for that particular entity. So it's disruptive >> The chaos creators that's.. >> Well, you know I think they're trying to create a they're trying to really impact the legitimacy of some of these targets and the trust that their customers and their partners and people have in them. And that is psychological warfare in a certain way. And it, you know is really part of their broader initiative. Look at some of the other things that they've done they've hacked into like the missile defense system in Israel, and they've turned on the sirens, right? Those are all things that they're doing for a specific purpose, and that's not China, right? Like as you start to look at this stuff, you can start to really understand what they're up to. Russia very much been busy targeting NATO and NATO countries and Ukraine. Obviously the conflict that started in February has been a huge focus for these threat actors. And then as we look at North Korea, totally different. They're doing, there was a major crypto attack today. They're going after these crypto platforms, they're going after DeFi platforms. They're going after all of this stuff that most people don't even understand and they're stealing the crypto currency and they're using it for revenue generation. 
These nuclear weapons don't pay for themselves, their research and development don't pay for themselves. And so they're using that cyber operation to either steal money or steal intelligence. >> They need the cash. Yeah. >> Yeah. And they also do economic targeting because Kim Jong Un had said back in 2016 that they need to improve the lives of North Koreans. They have this national economic development strategy. And that means that they need, you know, I think only 30% of North Korea has access to reliable power. So having access to clean energy sources and renewable energy sources, that's important to keep the people happy and stop them from rising up against the regime. So that's the type of economic espionage that they're conducting. >> Well, those are the big four. If there were big five or six, I would presume US and some Western European countries would be on there. Do you track, I mean, where United States obviously has you know, people that are capable of this we're out doing our thing, and- >> So I think- >> That defense or offense, where do we sit in this matrix? >> Well, I think the big five would probably include eCrime. We also track India, Pakistan. We track actors out of Colombia, out of Turkey, out of Syria. So there's a whole, you know this problem is getting worse over time. It's proliferating. And I think COVID was also, you know a driver there because so many of these countries couldn't move human assets around because everything was getting locked down. As machine learning and artificial intelligence and all of this makes its way into the cameras at border and transfer points, it's hard to get a human asset through there. And so cyber is a very attractive, cheap and deniable form of espionage and gives them operational capabilities, not, you know and to your question about US and other kind of Five Eyes friendly type countries we have not seen them targeting our customers. So we focus on the threats that target our customers. >> Right.
>> And so, you know, if we were to find them at a customer environment sure. But you know, when you look at some of the public reporting that's out there, the malware that's associated with them is focused on, you know, real bad people, and it's, it's physically like crypted to their hard drive. So unless you have sensor on, you know, an Iranian or some other laptop that might be target or something like that. >> Well, like Stuxnet did. >> Yeah. >> Right so. >> You won't see it. Right. See, so yeah. >> Well Symantec saw it but way back when right? Back in the day. >> Well, I mean, if you want to go down that route I think it actually came from a company in the region that was doing the IR and they were working with Symantec. >> Oh, okay. So, okay. So it was a local >> Yeah. I think Crisis, I think was the company that first identified it. And then they worked with Symantec. >> It Was, they found it, I guess, a logic controller. I forget what it was. >> It was a long time ago, so I might not have that completely right. >> But it was a seminal moment in the industry. >> Oh. And it was a seminal moment for Iran because you know, that I think caused them to get into cyber operations. Right. When they realized that something like that could happen that bolstered, you know there was a lot of underground hacking forums in Iran. And, you know, after Stuxnet, we started seeing that those hackers were dropping their hacker names and they were starting businesses. They were starting to try to go after government contracts. And they were starting to build training offensive programs, things like that because, you know they realized that this is an opportunity there. >> Yeah. We were talking earlier about this with Shawn and, you know, in the nuclear war, you know the Cold War days, you had the mutually assured destruction. It's not as black and white in the cyber world. Right. Cause as, as Robert Gates told me, you know a few years ago, we have a lot more to lose. 
So we have to be somewhat, as the United States, careful as to how much of an offensive posture we take. >> Well here's a secret. So I have a background in political science. So mutually assured destruction, I think is a deterrent strategy where you have two kind of two, two entities that like they will destroy each other if they so they're disinclined to go down that route. >> Right. >> With cyber I really don't like that mutually assured destruction >> That doesn't fit right. >> I think it's deterrence by denial. Right? So raising the cost, if they were to conduct a cyber operation, raising that cost that they don't want to do it, they don't want to incur the impact of that. Right. And think about this in terms of a lot of people are asking about would China invade Taiwan. And so as you look at the cost that that would have on the Chinese military, the PLA, the PLA Navy et cetera, you know, that's that deterrence by denial, trying to, trying to make the costs so high that they don't want to do it. And I think that's a better fit for cyber to try to figure out how can we raise the cost to the adversary if they operate against our customers against our enterprises and that they'll go someplace else and do something else. >> Well, that's a retaliatory strike, isn't it? I mean, is that what you're saying? >> No, definitely not. >> It's more of reducing their return on investment essentially. >> Yeah. >> And incenting them- disincenting them to do X and sending them off somewhere else. >> Right. And threat actors, whether they be criminals or nation states, you know, Bruce Lee had this great quote that was "be like water", right? Like take the path of least resistance, like water will. Threat actors do that too. So, I mean, unless you're super high value target that they absolutely have to get into by any means necessary, then if you become too hard of a target, they're going to move on to somebody that's a little easier. >> Makes sense. Awesome.
Really appreciate your, I could, we'd love to have you back. >> Anytime. >> Go deeper. Adam Meyers. We're here at Fal.Con 22, Dave Vellante, Dave Nicholson. We'll be right back right after this short break. (bouncy music plays)
Michael Rogers, CrowdStrike | CrowdStrike Fal.Con 2022
>> Okay, we're back at Fal.Con 2022, CrowdStrike's big user conference, first time in a couple of years, obviously because of COVID. This is theCUBE's coverage, Dave Vellante and Dave Nicholson, wall-to-wall coverage, two days in a row. Michael Rogers is here. He's the newly minted vice president of global alliances at CrowdStrike. Michael, first of all, congratulations on the new appointment and welcome to theCUBE. >> Thank you very much. It's an honor to be here. >> So dial back just a bit, like think about your first hundred days in this new role. What was it like? Who'd you talk to? What'd you learn? >> Wow. Well, the first hundred days were filled with excitement. I would say 18 plus hours a day getting to know the team across the globe, a wonderful team across all of the partner types that we cover, and just digging in and spending time with people and understanding what the partner needs were. And, and it was just a, it was a blur but a blast. >> I agree. Any common patterns that you heard that you could sort of coalesce around? >> Yeah, I mean, I think that really a common thing that we hear at CrowdStrike, whether it's internal or external, is getting to the market as fast as possible. There's so much opportunity, and every time we open a door, the resource investment we need, we continue to invest in resources. And that was an area that we identified and quickly pivoted and started making some of those new investments in a structure of the organization, how we cover partners, how we optimize the different routes to market with our partners. And yeah, just a, it's been a wonderful experience. And in my 25 years of cyber security, actually 24 and a half as of Saturday, I can tell you that I have never felt and had a better experience in terms of culture, people, and a greater mission for our customers and our partners. >> You know what's funny? A lot of times, Dave, we talk about this, is we, you know, we learned a lot from Amazon, AWS, with the cloud, you know, taking something
you did internally, pointing it externally, two-pizza teams, there's shared responsibility model, we talk about that. And one of the things is blockers. You know, Amazon uses that term, blocker. So were there any blockers that you identified that you're sort of working with the partner ecosystem to knock down to accelerate that go-to-market? >> Well, I mean, if I think about what we had put in place prior, and I had the benefit of being vice president of Americas prior to the appointment, and had the pleasure of succeeding my dear friend and mentor Matthew Pauley, a lot of that groundwork was put in place, and we work collectively as a leadership team to knock down a lot of those blockers. And I think it really, as I came into the opportunity and we made new investments going into the fiscal year, it's really getting to market as fast as possible. It's a massive target addressable market, and identifying the right routes and how to harness that power of we to drive the most value to the marketplace. >> Yeah. What does that look like in terms of alliances? Alliances can take a lot of shape. We've talked to service providers today, as an example. Are global systems integrators in that group also? What does the range look like? >> Yeah, I mean, alliances at CrowdStrike, and it's a great question, because a lot of times people think alliances and they only think of technology alliances. And for us it spans really any and all routes to market. It could be your traditional solution providers, which might be regionally focused. It could be nationally focused larger solution providers, or LARs. As you noted, service providers and telcos, global system integrators, MSSPs, IoT partners, OEM partners, and store, CrowdStrike Store partners. So you look across that broad spectrum and we cover it all. >> So the MSSPs, we heard a lot about that on the recent earnings call. We've heard this is a consistent theme. We've interviewed a couple here today. What's driving that? I mean, is
it the fact that CSOs are just, you know, drowning for talent? And why CrowdStrike? Why is there such an affinity between MSSPs and CrowdStrike? >> Yeah, a great question. And you noted that succinctly, that CSOs today are faced with, the number one challenge is lack of resources in cyber security. The last that I heard was, you know, in the hundreds of thousands, like 350,000, and that's an old stat. So I would venture to guess that the open positions in cyber security are north of a half a million as we sit here today. And service providers and MSSPs are focused on providing service to those customers that are understaffed and have that personnel need, and they are harnessing the CrowdStrike platform to bring a cloud-native, best-of-breed solution to their customers to augment and enhance the services that they bring to those customers. >> So, partner survey. Tell us about the, I love surveys, I love data, you know this. What was the genesis of the survey? Who took it? Give us the breakdown. >> Yeah, that's a great question. Nothing is more important than the feedback that we get from our partners. So every single year we do a partner survey. It reaches all partner types in the ecosystem, and we use the net promoter score model. And so we look at ourselves in terms of how we rate against other SaaS solution providers, and then we look at how we did last year and in the next year. And so I'm happy to say that we increased our net promoter score by 16 percent year over year. But my philosophy is there's always room for improvement. So the feedback from our partners: on the positive side, they love the Falcon platform, they love the CrowdStrike technology, they love the people that they work with at CrowdStrike, and they like our enablement programs. The areas that they like us to see more investment in is the partner program, better and enhanced enablement, making it easier to work with CrowdStrike, and more opportunities to offer services, enhanced services, to their
customers. >> Dramatic differences between the types of partners? And if so, you know, why do you think those were? I mean, like you mentioned, you know, IoT partners, that's kind of a new area, you know, so maybe there was less awareness there. Were there any sort of differences that you noticed by type of partner? >> I would say that, you know, the areas or the partners that identified areas for improvement were the partners that either were new to CrowdStrike or they're areas that we're just investing in as we expand as a company, and a demand from the market is, you know, pull this thing into these new routes to market. Not one in particular. I mean, IoT is something that we're looking to really blow up in the next 12 to 18 months. But no, no common thread, consistent feedback across the partner base. >> Speaking of IoT, he brought it up before. Is it, do you see it as an adjacency to IT? It seems like IT and OT used to never talk to each other, and now they're increasingly doing so, but it still seems like different worlds. What have you found and learned in that IoT partner space? >> Yeah, I mean, I think the key, and the way we look at the journey is, it starts with discovery, discovering the assets that are in the OT environment. It then transitions to detection and response and really prevention. And once you can solve that and you build that trust through certifications in the industry, you know, it really is a game changer. >> Anytime you have global in your job title, first word that comes to mind, for me anyway, is sovereignty issues. Is that something that you deal with in this space, in terms of partners that you're working with, focusing on partners in certain regions so that they can comply with any governance or sovereignty? >> Yeah, that's a great question, Dave. I mean, we have a fantastic and deep bench on our compliance team, and there are certain, you know, parameters and processes that have been put in place
to make sure that we have a solid understanding in all markets in terms of sovereignty and where we're able to play and how that... >> Were you North America before, or Americas? >> Americas. >> Americas. So you're familiar with the sovereignty issue. >> Yeah, a little already. Latin America has certainly exposed me to plenty of that. Yes, 100. >> So you mentioned TAM before. I think it was total available market. You had a different word for the T. >> Total addressable market. >> Total addressable market, okay, fine. So I'm hearing global, that's a TAM expansion opportunity. IoT is definitely, you know, the OT piece. And then just working better, you know, better groove swing with the partners for higher velocity. When you think about the total available, total addressable market, and accelerating penetration and growing your TAM, I've seen the charts in your investor presentation, and, you know, it starts out small and then grows to, you know, I think it could be 100 billion. I do a lot of TAM analysis, but just my back of napkin had you guys approaching 100 billion anyway. How do you think about the TAM, and what role do partners play in terms of increasing your TAM? >> Yeah, that's a great question. I mean, if you think about it, today George announced, on the day after our 11th anniversary as a company, 20,000 customers. And if you look at that addressable market, just in the SMB space it's north of 50 million companies that are running on legacy on-prem solutions. And it really provides us an opportunity to provide those customers with next-generation threat protection and detection and response. Partners are the route to get there. There is no doubt that we cannot cover 50, 50 million companies. It requires a span of a number of service providers and MSSPs to get to that market, and that's where we're making our bets. >> What's an SMB that is a candidate for CrowdStrike, like employee size, or how do you look at that? Like, what's the sort of minimum range? >> Yeah, the
way we segment out the SMB space, it's 250 seats or endpoints and below. >> 250 endpoints? >> Yes. >> Right. And so it's going to be fairly significant. So math changes with XDR, with the X in XDR being extended. The greater number of endpoints means that a customer today, when you talk about total addressable market, that market can expand even without expanding the number of net new customers. Is that a fair... >> Yeah, fair assessment. >> Yep. Yeah, you got that way, in that way. But map that to, like, company size. Can you roughly, what's the smallest S that would do business with CrowdStrike? >> Yeah, I mean, we have companies as small as five employees that will leverage CrowdStrike. Yeah, 100. >> And they've got hundreds of endpoints? >> Oh no, I'm sorry, five, five endpoints. >> Oh, okay. So it's kind of 250 endpoints as well, like the app, that's the sweets, that's, it's, that's kind of the top line we look at, and then we focus... >> Oh, okay. >> When we define SMB, it's below. So five to 250 endpoints. >> Right. >> Yes. >> And so, roughly, so you're talking to companies with less than 100 employees, right? >> Yeah, yeah. >> So I mean, this is what I was talking about before. I say, I look around the ecosystem myself, it kind of reminds me of ServiceNow in 2013. But ServiceNow never had an SMB play, right? And, you know, very kind of proprietary, closed platform. Not that you don't have a lot of propriety in your platform, you do, but they were never going to get down market there, and their TAM is not as big, in my view. But I mean, your TAM is, when you start bringing in IoT, it's mind-boggling. >> It's endless how large it could be. >> Yeah. All right, so what's your vision for the Elevate program, partner program? >> Well, I look at a couple things that we have in place today. One is, we've established for the first time ever at CrowdStrike the Alliance program management office, APMO, and that team is focused on building out our next-generation partner program. And that's, you know, processes, it's, you know, it's ring
fencing, but it's, most importantly, identifying capabilities for partners to expand, to reduce friction and grow their business together with CrowdStrike. We also look at what we call program harmony, and that's taking all of the partner types, or the majority of the partner types, and starting to look at it with the customer in the middle. And so multiple partners can play a role on the journey to bringing a customer on board initially, to supporting that customer going forward, and they can all participate and be rewarded for their contribution to that opportunity. So it's really a key area for us going forward. >> Hub and spoke model, with the center of that model is the customer, you're saying. That's good. Okay, so you're not, like, necessarily fighting each other for a sort of ownership of that model. Cool. Michael Rogers, thanks so much for coming on theCUBE. It was great to have you. >> My pleasure. Thank you for having me. >> You're welcome. All right, keep it right there. Dave Nicholson and Dave Vellante. We'll be right back to Fal.Con 22 from the Aria in Las Vegas. You're watching theCUBE.
Kevin Mandia, Mandiant & Shawn Henry, CrowdStrike | CrowdStrike Fal.Con 2022
>>Welcome back to the Aria in Las Vegas, Dave Vellante with Dave Nicholson, Fal.Con 22, theCUBE's continuous coverage. Shawn Henry is here. He's the president of the services division and he's the chief security officer at CrowdStrike. And he's joined by Kevin Mandia, CEO of Mandiant, now part of Google. Gents, welcome to theCUBE. Thank you. Congrats on closing the Google deal. Thank you. That's great. New chapter, >>New >>Chapter coming fresh off the keynote, you and George. I really enjoyed that. Let's start there. One of the things you talked about was the changes you've been, you've been in this business for a while. I think you were talking about, you know, doing some of these early stuff in the nineties. Wow. Things have changed a lot the queen, right? Right. You used to put the perimeter around the queen. Yeah. Build the moat. The queen's left her castle. New ballgame. But you were talking about the board level knowledge of security in the organization. Talk about that change. That's occurred in the last >>Decade. You know, boards are all about governance, right? Making sure everybody's doing the right things. And they've kind of had a hall pass on cybersecurity for a long time. Like we expect them to be great at financial diligence, they understand the financials of an organization. You're gonna see a maturity, I think in cybersecurity where I think board members all know, Hey, there's risk out there. And we're on our own to kind of defend ourselves from it, but they don't know how to quantify it. And they don't know how to express it. So bottom line boards are interested in cyber and we just have to mature as an industry to give them the tools they need to measure it appropriately. >>Shawn, one of the things I wanted to ask you. So Steven Schmidt, I noticed changed his title from CISO, chief information security officer, to chief security officer. Your title is chief security officer. Is that a nuance that has meaning to you or is it just less acronym? 
>>It depends on the organization that you're in, in our organization, the chief security officer owns all risks. So I have a CISO that comes underneath me. Yep. And I've got security folks that are handling our facilities, our personnel, those sorts of things, all, all of our offices around the globe. So it's all things security. One of the things that we've found and Kevin and I were actually talking about this earlier is this intersection between the physical world and the virtual world. And if you've got adversaries that want to gain access to your organization, they might do it remotely by trying to hack into your network. But they also might try to get one of your employees to take an action on their behalf, or they might try to get somebody hired into your company to take some nefarious acts. So from a security perspective, it's about building an envelope around all things valuable and then working it in a collaborative way. So there's a lot of interface, a lot of interaction and a lot of value in putting those things together. And, >>And you're also president of the services division. Is that a P and L role or >>It is, we have a, it's a P and L. And we have an entire organization that's doing incident response and it's a lot of the work that we're doing with, with Kevin's folks now. So I've got both of those hats today. >>Okay. So self-funded so in a way, okay. Where are companies most at risk today? >>Huh? You wanna go on that one first? Shawn, you talk faster than me. So it's bigger bang for the buck. If >>You >>Talk, you know, when I, when I think about, about companies in terms of, of their risk, it's a lot of it has to do with the expansion of the network. Companies are adding new applications, new devices, they're expanding into new areas. There are new technologies that are being developed every day and that are being embraced every day. And all of those technologies, all of those applications, all of that hardware is susceptible to attack. 
Adversaries are looking for the vulnerabilities they can exploit. And I think just kind of that sprawl is something that is, is disconcerting to me from a security perspective, we need to know where our assets are, where the vulnerabilities lie, how do we plug the holes? And having that visibility is really critical to ensure that you're, you're involved in mitigating that, that new architecture, >>Anything you >>Did. Yeah. I would like when I, so I can just tell you what I'm hearing from CISOs out there. They're worried about identity, the lateral movement. That's been kind of part of every impactful breach. So in identity's kind of top three of mind, I would say zero trust, whatever that means. And we all have our own definitions of migration to zero trust and supply chain risk. You know, whether they're the supplier, they wanna make sure they can prove to their customers, they have great security practices. Or if they're a consumer of a supply chain, you need to understand who's in their supply chain. What are their dependencies? How secure are they? Those are just three topics that come up all the time. >>As we extend, you know, talking about XDR the X being extend. Do you see physical security as something that's being extended into? Or is it, or is it already kind of readily accepted that physical security goes hand in hand with information security? >>I, I don't think a lot of people think that way there certainly are some and Dave mentions Amazon and Steve Schmidt as a CSO, right? There's a CSO that works for him as well. CJ's clear integration. There's an intelligence component to that. And I think that there are certain organizations that are starting to recognize and understand that when we say there's no real perimeter, it, it expands the network expands into the physical space. 
And if you're not protecting that, you know, if you don't protect the, the server room and somebody can actually walk in the doors unlocked, you've got a vulnerability that might be exploited. So I think to, to recognize the value of that integration from a security perspective, to be holistic and for organizations to adopt a security first philosophy that all the employees recognize they're, they're the, the first line of defense. Oftentimes not just from a phish, but by somebody catching up with them and handing 'em a thumb drive, Hey, can you take a look at this document? For me, that's a potential vulnerability as well. So those things need to be integrated. >>I thought the most interesting part of the keynote this morning is when George asked you about election security and you immediately went to the election infrastructure. I was like, yeah. Okay. Yeah. But then I was so happy to hear you. You went to the disinformation, I learned something there about your monitoring, the network effects. Sure. And, and actually there's a career stream around that. Right. The reason I had so years ago I interviewed was like, this was 2016, Robert Gates. Okay. Former defense. And I, I said, yeah, but don't we have the best cyber can't we go on the offense. He said, wait a minute, we have the most to lose. Right. But, but you gave an example where you can identify the bots. Like let's say there's disinformation out there. You could actually use bots in a positive way to disseminate the, the truth in theory. Good. Is, is that something that's actually happening >>Out there? Well, I think we're all still learning. You know, you can have deep fakes, both audible files or visual files, right. And images. And there's no question. The next generation, you do have to professionalize the news that you consume. And we're probably gonna have to professionalize the other side critical thinking because we are a marketplace of ideas in an open society. 
And it's hard to tell where's the line between someone's opinion and intentional deception, you know, and sometimes it could be the source, a foreign threat, trying to influence the hearts and minds of citizens, but there's gonna be an internal threat or domestic threat as well to people that have certain ideas and concepts that they're zealots about. >>Is it enough to, is it enough to simply expose where the information is coming from? Because, you know, look, I, I could make the case that the Red Sox, right, are a horrible baseball team, and you should never go to Fenway >>And your Yankees jersey. >>Right. Right. So is that disinformation, is that misinformation? He'd say yes. Someone else would say no, but it would be good to know that a thousand bots from some troll farm, right. Are behind us. >>There's, it's helpful to know if something can be tied to identity or is totally anonymous. Start just there. Yeah. Yeah. You can still protect the identity over time. I think all of us, if you're gonna trust the source, you actually know the source. Right. So I do believe, and, and by the way, much longer conversation about anonymity versus privacy and then trust, right. And all three, you could spend this whole interview on, but we have to have a trustworthy internet as well. And that's not just in the tech and the security of it, but over time it could very well be how we're being manipulated as citizens and people. >>When you guys talk to customers and, and peers, when somebody gets breached, what's the number one thing that you hear that they wished they'd done that they didn't. >>I think we talked about this earlier, and I think identity is something that we're talking about here. How are you, how are you protecting your assets? How do you know who's authorized to have access? How do you contain the, the access that they have? 
And the, the area we see with, with these malware free attacks, where adversaries are using the existing capabilities, the operating system to move laterally through the network. I mean, Kevin's folks, my folks, when we respond to an incident, it's about looking at that lateral movement to try and get a full understanding of where the adversary's been, where they're going, what they're doing, and to try to, to find a root cause analysis. And it really is a, a critical part. >>So part of the reason I was asking you about, was it a P and L cuz you, you wear two hats, right? You've got revenue generation on one side and then you've got you protect, you know, the company and you've got peer relationships. So the reason I bring this up is I felt like when Stuxnet occurred, there was a lot of lip service around, Hey, we, as an industry are gonna work together. And then what you saw was a lot of attempts to monetize, you know, private data, sell private reports and things of that nature you were referencing today, Kevin, that you think the industry's doing a much better job of, of collaboration. Is it, can you talk about that and maybe give some examples? >>Absolutely. I mean, you know, I lived through it as a victim of a breach couple years ago. If you see something new and novel, I, I just can't imagine you getting away with keeping it a secret. I mean, I would even go, what are you doing? Harboring that if you have it, that doesn't mean you tell the whole world, you don't come on your show and say, Hey, we got something new novel, everybody panic, you start contacting the people that are most germane to fixing the problem before you tell the world. So if I see something that's new and novel, certainly contact Shawn and the team at CrowdStrike saying, Hey, there's because they protect so many endpoints and they defend nations and you gotta get to Microsoft. You have to talk to PAN. You have to get to the companies that have a large capability to do shields up. 
And I think you do that immediately. You can't sit on new and novel. You get to the vendor where the vulnerability is, all these things have to happen at a great rate to speak. >>So you guys probably won't comment, but I'm betting dollars to donuts. This Uber Lapsus$ hack you guys knew about. >>I turned to you. >>No comment. I'm guessing. I'm guessing that the, that wasn't novel. My point being, let me, let me ask it in a more generic fashion that you can maybe comment you you're. I think you're my, my inference is we're, the industry is compressing the time between a zero day and a fix. Absolutely. Absolutely. Like dramatically. >>Yes. Oh, awareness of it and a fix. Yes. Yeah. >>Okay. Yeah. And a lot of the hacks that we see as lay people in the media you've known about for quite some time, is that fair or no, not necessarily. >>It's, you know, it's harder to handle an intrusion quietly and discreetly these days, especially with what you're up against and, and most CEOs, by the way, their intent isn't, let's handle it quietly and discreetly it's what do we do about it? And what's the right way to handle it. And they wanna inform their customers and they wanna inform people that might be impacted. I wouldn't say we know it all that far ahead of time >>And, and depends. And, and I, I think companies don't know it. Yeah. Companies don't know they've been breached for weeks or months or years in some cases. Right. Which talks about a couple things, first of all, some of the sophistication of the adversaries, but it also talks about the inability of companies to often detect this type of activity when we're brought in. It's typically very quickly after the company finds out because they recognize they've gotta take action. They've got liability, they've got brand protection. There's whole sorts of, of things they need to take care of. 
And we're brought in it may or may not be, become public, but >>CrowdStrike was founded on the premise that the unstoppable breach is a myth. Now that's a, that's a bold sort of vision. We're not there yet, obviously. And a and a, and a, a CSO can't, you know, accept that. Right. You've gotta always be vigilant, but is that something that is, that we're gonna actually see manifest, you know, in any, any time in the near term? I mean, thinking about the Falcon platform, you guys are users of that. I don't know if that is part of the answer, but part of it's technology, but without the cultural aspects, the people side of things, you're never gonna get there. >>I can tell you, I started Mandiant in 2004 on the premise security breaches are inevitable, far less marketable. Yeah. You know, stop breaches. >>So >>Yeah. I, I think you have to learn how to manage this, right? It's like healthcare, you're not gonna stop every disease, but there's a lot of things that you can do to mitigate the consequences of those things. The same thing with network security, there's a lot of actions that organizations can take to help protect them in a way that allows them to live and, and operate in a, in a, a strong position. If companies are lackadaisical, that irresponsible, they don't care. Those are companies that are gonna suffer. But I think you can manage this if you're using the right technology, the right people, you've got the right philosophy security first >>In, in the culture. >>Well, I can tell you very quickly, three reasons why people think, why is there an intrusion? It should just go away. Well, wherever money goes, crime follows. We still have crime. So you're still gonna have intrusions, whether it has to be someone on the inside or faulty software and people being paid the right faulty software, you're gonna have war. That's gonna create war in the cyber domain. So information warriors are gonna try to have intrusions to get to command and control. 
So wherever you have command and control, you'll have a war fighter. And then wherever you have information, you have ESP Espino. So you're gonna have people trying to break in at all times. >>And, and to tie that up because everything Kevin said is absolutely right. And what he just said at the very end was people, there are human beings that are on the other side of every single attack. And think about this until you physically get physically get to the people that are doing it and stop them. Yes, this will go on forever because you can block them, but they're gonna move and you can block them again. They're gonna move their objectives. Don't change because the information you have, whether it's financial information, intellectual property, strategic military information, that's still there. They will always come at it, which is where that physical component comes in. If you're able to block well enough and they can't get you remotely, they might send somebody in. Well, >>I, in the keynote, I, I'm not kidding. I'm looking around the room and I'm thinking there's at least one person here that is here primarily to gather intelligence, to help them defeat. What's being talked about here. >>Well, you said it's, >>It's kind >>Of creepy. You said the adversary is, is very well equipped and motivated. Why do you Rob banks? Well, that's where the money is, but it's more than that. Now with state sponsored terrorism and, you know, exfiltration of state secrets, I mean, there's, it's high stake's games. You got, this >>Has become a tool of nation states in terms from a political perspective, from a military perspective, if you look at what happened with Ukraine and Russia, all the work that was done in advanced by the Russians to soften up the Ukrainians, not just collection of intelligence, not just denial of services, but then disruptive attacks to change the entire complexity of the battlefield. This, this is a, an area that's never going away. 
It's becoming ingrained in our lives. And it's gonna be utilized for nefarious acts for many, many decades to come. >>I mean, you're right, Sean, we're seeing the future of war right before us is, is there's. There is going to be, there is a cyber component now in war, >>I think it signals the cyber component signals the silent intention of nations period, the silent projection of power probably before you see kinetics. >>And this is where gates says we have a lot more to lose as a country. So it's hard for us to go on the offense. We have to be very careful about our offensive capabilities because >>Of one of the things that, that we do need to, to do though, is we need to define what the red lines are to adversaries. Because when you talk about human beings, you've gotta put a deterrent in place so that if the adversaries know that if you cross this line, this is what the response is going to be. It's the way things were done during nuclear proliferation, right? Right. During the cold war, here's what the actions are gonna be. It's gonna be, it's gonna be mutual destruction and you can't do it. And we didn't have a nuclear war. We're at a point now where adversaries are pushing the envelope constantly, where they're turning off the lights in certain countries where they're taking actions that are, are quite detrimental to the host governments and those red lines have to be very clear, very clearly defined and acted upon if they're >>Crossed as security experts. Can you always tie that signature back to say a particular country or a particular group? >>Absolutely. 100% every >>Time I know. Yeah. No, it it's. It's a great question. You, you need to get attribution right. To get to deterrence, right. And without attribution, where do you proportionate respond to whatever act you're responding to? So attribution's critical. 
Both our companies work hard at doing it and it, and that's why I think you're not gonna see too many false flag operations in cyberspace, but when you do and they're well crafted or one nation masquerades is another, it, it, it's one of the last rules of the playground I haven't seen broken yet. And that that'll be an unfortunate day. >>Yeah. Because that mutually assure destruction, a death spot like Putin can say, well, it wasn't wasn't me. Right. So, and ironically, >>It's human intelligence, right. That ultimately is gonna be the only way to uncover >>That human intelligence is a big component. >>For sure. Right. And, and David, like when you go back to, you were referring to Robert Gates, it's the asymmetry of cyberspace, right? One person in one nation. That's not a control by asset could still do an act. And it, it just adds to the complexity of, we have attribution it's from that nation, but was it in order? Was it done on behalf of that nation? Very complicated. >>So this is an industry of superheroes. Thank you guys for all you do and appreciate you coming on the cube. Wow. >>I love your Cape. >>Thank all right. Keep it right there. Dave Nicholson and Dave ante be right back from Falcon 22 from the area you watching the cue.
Michael Sherwood, City of Las Vegas | CrowdStrike Fal.Con 2022
(intro music) >> Hi, everybody, we're back. Dave Vellante and Dave Nicholson. We're covering Fal.Con 22. This is CrowdStrike's big user conference. CrowdStrike is a very hot company, as you probably know started on endpoint security, expanding into another, a number of other areas trying to build the next great generational company in cybersecurity. Michael Sherwood is here. He's the chief innovation and technology officer for the city of Las Vegas. >> Got to love that. >> Thanks so much for coming to theCUBE. >> Welcome! >> Yeah, we got to love that. I mean, if it weren't for Las Vegas, I'm not sure where we would have our CUBE events, but so thank you for hosting us. >> Thank you for being here. This is awesome. It's a great day and a lot of people, and it's exciting to see everything that's going on here. >> Yeah, the city is booming. Obviously the convention, the conference business is booming. Tech is a big part of that but there's so many other industries that come to Las Vegas. Talk about your role, really interesting, chief innovation, technology officer, CTO. Tell us about what you do day to day. >> Kind of all over the place. But a lot of it has to do with day to day technology within the organization. So managing all the different technology components. When you start looking at any city, it's a lot of different companies inside of it. Think of fire service as a different company. They all have different missions. And so our technology needs are expansive. So while we have operational IT, we also have our innovation unit. Innovation unit works on next generation technology. So Las Vegas was one of the first cities in the United States to have an autonomous vehicle drive in mix-flow traffic, meaning it was out there with, driving along cars. We're also the first city to have an accident in an autonomous vehicle. That happened on day two. (Vellante laughing) So, there's always a lot of firsts in Las Vegas, but. >> Despite the grid.
>> Despite the grid, you know. But even today, so that was in 2017, when we first started working with autonomous vehicles. Up until today, where you have the ability, anybody in Las Vegas, including yourselves right after the show can go ahead and use Lyft, go outside and hail an autonomous taxi to come pick you up and drive you up and down the strip. Those vehicles actually communicate with our infrastructure. So the innovation is, how do cities work with private companies to start building next generation amenities, next generation technologies? And so that happens a lot of times. People don't realize. They come to Las Vegas for entertainment, and now we're known for sports but we do have a lot of technology here that permeates through the entire community. >> So I'm from Boston. We're trying to get the smart traffic lights, we're not quite there yet. But I was at a session, Dave you'll appreciate it, it was John Roese, who was the CTO. He was the CTO of, he's a CTO of Dell Technologies now. And the mayor of Boston, we were talking about the vision for a smart city. But Boston and I mean talk about, a challenge for building a smart city. So when I come out here, it's like amazing to me to see the technology that's there. So as a CTO and innovation officer, you've got a playground where... Now, of course you have legacy infrastructure, you've got technical debt, but you also have, in certain cases, an opportunity and more latitude to get creative. So what are some of the cool things that you're working on that you're really excited about? >> There's a lot of things I'm excited about. It's just great being in this city. But a lot of the things that we're excited about here in the next year to two years, we have an innovation district. So not a lot of cities have this but Downtown around the Fremont Street Experience, there's a corridor there that covers government, covers entertainment, medical. And so this innovation district is where we test out new technologies.
So some of the things we're testing out, computer vision. So we're, our smart parks program is how do we provide better security and enjoyment of those amenities without providing physical labor to constantly patrol. And so we're using cameras and vision and different types of AI algorithms to kind of manage the park. And while we're doing that, we're also getting data back on how often is the park used? Are the facilities, are the sprinklers going on during the day? Water's a big deal here. And so those type of projects. Again, autonomy is still huge, vehicle autonomy, still working on driving those next generation changes where you'll actually have a driverless vehicle. Right now, there's a safety driver in a lot of the autonomous vehicles. Even the one I talked about earlier, you have the, while the vehicle's driving itself, for safety reasons, there's still a human driver in the seat. But as we go forward in the next year to two, that >> That's soon. >> is getting ready to change. I believe that's soon. You can quote it here, you heard it here first. >> Wow. >> But that would be coming up. You got drones as well. We've already started looking at a few types of drone delivery systems. It may not be too far away. Your pizza or maybe some other item that you want is delivered in the general area. Probably not in the hotel corridor but in the outside areas of the city. I just think there's a lot of, again, we're building amenities for the future. We really want people to understand that Las Vegas is not just a place to come visit, but it's a place to live and have fun and be part of a community. >> So from an academic perspective, what you just described is a highly ambidextrous organization, right? >> Yes. >> Because you're not just worried about keeping the lights on, but you're also looking at innovation. How did your organization get to this place?
What you're describing is sort of the gold standard that any organization public or private would seek to implement. How did you get there? >> Baby steps, small steps. It all started back when there was the Smart Cities Challenge. So we were not selected as the finalist. We were in the, I think top 15 at the time but we didn't give up on it. And we continued to move forward. The pandemic helped us do things. When you ask, what do I do? Well, my normal job is running the day to day infrastructure. I also see my role as economic development to help bring companies here and bring new ideas. We have a great community, diverse and ready to do things. But when you take, talk about the innovation and the technology and what we're doing. Like I said, during a pandemic, we came up with the idea of, Hey, we don't want to send our building inspectors or our inspectors in the people's homes, one for the inspector's health and one for the citizen's health. So we used normal tools. We took an iPhone and made it a virtual inspector. So now if you get a new water heater, you can actually do your inspection via like a FaceTime. And you hold your phone up around the water heater. We can view it, we record the video, save it, and boom give you an inspection remotely. And so you build on it. So how do you get, I wouldn't quite say we're the gold. I appreciate, we're moving there, that's the bar. You've laid out the bar for us, but we're moving in that direction. But it's building on one win and not all of our things that we've deployed. We can talk about those as well. Some of the things like trash can sensors, we looked at doing, which would monitor when the trash can was full or empty, just didn't pan out. So a lot of the times I talk about the wins a lot not as much about the things that didn't pan out. >> So what're the big challenges, generally of building out a smart city and then specifically around cyber? >> So there's, community acceptance number one. 
Las Vegas, I'm very lucky cameras are everywhere. So there's not as much resistance to using video technology. But a lot of times it's just getting the constituents, getting people to understand the value of what we're trying to do. Not everybody is interested in autonomous vehicles or believes they're ready for that. But when you start looking at the increments, more than any other city I know, the community here is so robust and so supportive of bringing on these technologies. Look, what other city do you know that builds new buildings and knocks them down five years later to build something new again? Or, who has a volcano in the middle of their downtown? So different things like that. But when you start looking at all the advancements we're making, you brought up one of the biggest concerns. When people ask me, what keeps you up at night? It's not the autonomous vehicle not performing, it's the cyber, it's the cyber issues that go along with becoming more advanced. And as you bring innovation in, you start bleeding the lines of what's government, what's private. And then how do you continue to have the data transmission between these multiple entities? How do you keep the endpoint secure? And that is something that you learn as you go, but it's always out there. And endpoint security and security in general is a huge, huge area. >> And how about the data? You were talking before about you can get actually approval for an inspection. That's data, it's video data. How have you changed the way in which you're using data? What are you doing with that data? How do you leverage it? How do you secure it? >> It's all great questions. One of the things we've undertaken is called an open data initiative. So we have an open data portal. It's opendata.lasvegasnevada.gov, where we publish a lot of the data sets that we collect. If it's air quality, if it's ambulance runs, and we make that data available.
A lot of that is, one for the public for transparency, two though, it's, we hope enables the private sector to build apps off of the data that we have. A lot of times, you either you have the data but you don't have the app or you have the app, but no data. So in our way, it's trying to help the community build up new ideas. Our push has been moving to the cloud a lot. So we're pushing a lot more data into the cloud where before I think a lot of governments keep a lot of that internal, but obviously look, the cloud's here to stay and it's not going anywhere. And so now it's more about as we migrate, using our partners, our relationship with CrowdStrike, to start securing not only our endpoints but start looking at the cloud space as well. And then we have this new technology. It's not really new, but edge compute. You've heard a lot of, there's different people talking about it. When you start talking about autonomous vehicles, autonomous delivery, drones. We own a large private wireless network. A lot of data now is computed at the edge and we're only taking the metadata and sending it up to the cloud. So it becomes rather complicated with security being at the forefront. >> Yeah, so that very small portion of the actual amount of data that's created goes back but it's such a massive amount of data. It's not to trivialize it, it's still a lot. And some of it is probably ephemeral. Do you persist at all? Or probably not. >> Not always, I mean. A lot of it, what we're learning is, it's a learning process as you go through this smart city or what we call just basically emerging into, 'cause I believe all cities are smart. Not one city smarter than another necessarily. So I'm not really a fan of the term smart city. It's more in line with me as we're building amenities for the future and building amenities for people. And a lot of that is built upon data and then built upon providing things that citizens want. 
And we all know, we all live somewhere and we live there because it's safe community, it has good education, good infrastructure whatever it might be. And so we're trying to build out that smart community to be as many things as we can to as many people. >> Yeah, that's fair. And there's automation, there's certainly machine intelligence that's heavily involved. Of course, you talking autonomous. Now I understand your work transcends the city of Las Vegas into the broader state of Nevada helping make Nevada a safer state. What's that all about? >> So we have a great partnership. One of the great things, I come from California, so a rather large state. Here in Nevada, it's a very close knit state. So we have a lot of communications with the state. We get to work with them very closely. One of the initiatives we've been working on is how do we, a lot of organizations spend a lot of time doing cybersecurity for just their organization. So it's focused internal on the employees that might work in that organization. We're kind of now looking outwards and saying, how do we not only do that for our internal government employees but how do we involve the entire community? One of the things is, is Las Vegas over 40,000 conventions per year. You're here a lot. What happens in Vegas stays in Vegas and a lot of people bring malware with them and it stays here. We're trying to educate people. We do a lot in government to help people with police and fire and services. What is local government doing to help the community prepare for the next generation of cyber threats and issues? So our initiative is really working with the community, bringing in CrowdStrike and other partners to help us not only work with small business, but work with those entrepreneurs as well as the midsize businesses. >> So what do you do with Crowd? You got the cool little CrowdStrike, not CrowdStrike, but you got the red splash in your lapel. Very cool cuff links, I noticed that you have there. 
I love the red. >> Little poker chips there. >> They're very nice, very nice. >> They're very cool. So what do you do with CrowdStrike? >> So CrowdStrike is one of our major components in our security posture. We use them as endpoint protection. I can tell you a quick story. I know my CISO's listening probably was going to cringe now when I tell this story, but our journey with CrowdStrike has been amazing. We deployed the product and when that first week of deployment, we had a malicious actor and CrowdStrike was able to catch it. I would probably would not be here today with you two gentlemen if it wasn't for CrowdStrike. That's not an endorsement it's just a, that's a fact of how things rolled out. But we depend on CrowdStrike and their capabilities to ensure the safety of our digital assets. >> You wouldn't be here 'cause we, it used to be failure means fire. Is that what you mean? >> That's what I mean. I'm not going to, I don't like to use that word in my terminology, but basically failure is not an option in my job. It's just not there. >> Well, it's funny, we had Kevin Mandia on early, he was like, look I started my company in 2004 with the assumption that breaches will happen, you are going to get breached. >> Yes >> So that's why I say, I think there was a day when, if you got breached, oh, you're fired. Well that, then everybody got breached. So I think that that sentiment changing 'cause CrowdStrike saying that the unstoppable breach is a myth. Well, we're not there yet, but. >> I'd say damage control now. At least we have a little bit more control but, again, look, government is about trust. And so when you have that trust level, from my perspective, I keep a high standard and try to prevent any loss of data or any type of malicious activity from happening. I hope the mayor's listening and she doesn't fire me if anything would happen, but you know. >> You got a fun job. How'd you get into this? >> It was a great opportunity.
I worked in law enforcement prior to here. I was a Deputy Police Chief in city of Irvine. I oversaw technology as part of that role. I've always loved Las Vegas, always liked the energy of the city and I had a great opportunity to apply and I applied and was lucky enough to be selected. I have a great team that supports me. >> Deputy Police Chief, it sounds like, what you just described, the technology role. You had an operations role essentially, is that right? >> Correct. And so kind of gave me a lot of insights and really helped me, as you progress in government, having different roles in your portfolio makes you a little bit more adaptive and it's kind of, it helps in, especially now with so much video and cameras prevalent in cities, having that law enforcement role, understanding a little of the legal aspects and understanding some of the, what law enforcement wants kind of makes that bridge from technology to the actual end user. >> A really interesting story, Michael. Thanks so much for sharing on theCUBE, appreciate it. >> Thank you for having me here. >> You're very welcome. All right, keep it right there. Dave Nicholson and Dave Vellante will be back from Las Vegas at the Aria from Fal.Con 22. You're watching theCUBE. (outro music)
JC Herrera, CrowdStrike, Craig Neri & Diezel Lodder, Operation Motorsport | CrowdStrike Fal.Con 2022
>> Welcome back to FalCon 2022. This is Dave Vellante. We get a special presentation segment for you today. This is Walter Wall day one of day two's cube coverage. JC Herrera is here, he's my designated cohost. He's the chief human resource officer at CrowdStrike. Craig Neri is to my left. He's the beneficiary and the beneficiary trustee and ambassador of, of operation Motorsport and former US air force. Thank you for your service. >> Thank you. >> And Diezel Lodder, who is CEO and co-founder of operation Motorsport. Gents, welcome to the cube. Thanks so much for coming on. >> Thank you, Great to be here >> JC, set this up for us. Explain your role, explain the corporate giving, the whole student connection, and the veterans, take us through that. >> Yeah, sure. Yeah, so as, as head of HR, one of the one of the things that we do is, is help manage part of the corporate giving strategy. And, and one of those things that, that we love to do is to also invest in students and in our veterans, it's just a part of our giving program. So this partnership with operation Motorsport is really critical to that. And if you want to dive a little bit deeper into that we just see that there's a gigantic skills gap in cybersecurity. And so when we, when there's over millions of open roles around the world and 700,000 of them in the us alone, we've got to go close that gap. And so our next gen scholarships that come out of the, are giving funds are, are awarded to students who are studying cyber security or AI. And the other side of that, is that this partnership with operation Motorsport then, we get the opportunity to do some internships with veterans through operation Motorsport as well. >> The number is 700,000 now, but pre pandemic I remember number 350, 350,000. It's, it's doubled now just in the US, amazing. All right, diezel, tell us about the mission of operation Motorsport like who are the beneficiaries let's get into it. 
>> So Operation Motorsport engages ill, injured, wounded service members, those that are medically retiring from the service or disabled veterans. These individuals will be taken out of their units. They lose their team identity, their purpose. And, and what we do is those that apply to the program and have a desire to work around shiny objects and fast cars and all the great smells, or just car guys or gals, that we have some of those as well. They, we, we bring them onto the teams as beneficiaries. So embed them into a race team and give them opportunity to find something new. We're a recovery program. We're not about, you know, finding jobs for these folks. It's about networking and getting out of that, you know, out of the dark places where some of them end up going, because this is a, a huge change for them. And, and in doing so, we now expose them to CrowdStrike. You know, that's, that's one of the new relationships that, that we have where potentially, if they want to, they can pursue new opportunities in areas like cybersecurity. >> And they're chosen through an application process you're, I, I'm inferring. >> Yep. They just go online and say, you know, through word of mouth or through a friend or through the, the USO and other organizations, they go online and they click the apply here and they fill it out. And our beneficiary trustee, Craig, calls them up and says, Hey, tell me about what you're looking for. And, and we, we pair them up with the race team. >> And Craig, you're also a, a beneficiary in addition to being the beneficiary trustee. So explain that, what's your story? >> Right. So I started in this organization as a beneficiary. I was the one that hit the button on the website. And, and then a few minutes later, I got a phone call from then Tiffany Lodder, Diezel's wife, who's our executive director in the organization. And, and I had that same conversation that I now have with beneficiaries today.
I did a, I did a full season with them last year in 2021 as a beneficiary. But at the end I realized how big of an impact that this has with folks. Transition can be very difficult, especially if they're ill, injured or wounded. And so I asked if I could help, if I could give back, 'cause it meant such, it had such a big impact on me. I'd like to, to help other veterans as well. >> Can I ask you what made you hit that button? What made you apply? >> Oh, that's a great question. So I was one of the very fortunate ones that had a transition coach. I was in the military for 29 years and had a lot of great connections in the military and, and was connected to a coach, a transition coach, and just exploring, you know, what that, what that would look like, and she was the one who said, why don't we, why don't we explore this passion of Motorsports that you have? My family had been going to, to Motorsports events for, you know, 50 years. And so, so I thought back, all right, this is, I like this idea. Let's, let's pursue this. So a quick Google search and Operation Motorsport popped up and I hit the button. >> And what programs are available in Operation Motorsport? >> And so, Diezel kind of outline, outlined it. We have basically three different programs. We have the, our immersion program, which is exactly what Diezel described, where we take that veteran and we actually immerse them in a race team, they're doing the, exactly what I was doing, doing tires and fuel and whatever the team needs them to do. We also have our E-motor sports program where folks who can't do the immersion program, immersion program is takes a pretty big time commitment sometimes. And so, they just don't have the capacity or abilities to be able to do those. We could put them in our E-motor sports program where they can do it all virtually. We're actually, we have a season going on right now where we're, we have veterans racing in that E-motor sports program.
And then we have a, the diversionary therapy program where we have a, a Patriot car corral set up at all these tracks so they can go out with like-minded individuals and spend the day out there with those folks, other veterans. And we do pit, pit tours and, and we get 'em out on the track for a little bit of a, you know, highway speeds, nothing ridiculous, but we, we've been doing some highway speeds. So we have a, a few, few different ways for them to be involved. >> So, so the number three is like a splash in the pond whereas number one's the, like full immersion. >> Yeah, correct, yes. >> And so what are you doing in the full immersion? What is, what is that like? I mean you're literally changing tires and, and you're, >> Yeah. You name it. >> In the, you're, you're in that sort of sphere of battle, if you will. >> The beauty of this is we could take somebody's capabilities and skill set and we can match it to whatever that looks like on a race team. Some people come in and have no experience whatsoever. And so we find a team that needs, you know, that has a development opportunities where they could come in, their, their initial job might be to fuel fuel cans or, you know, take tires off the car or wipe the car down, it's little things in the beginning. And then slowly, as they start to grow and learn, then they take on bigger roles. But we also have different positions. They can be immersed in, in teams, but they can also be immersed in the series. So we have folks that are doing like tech inspections. We have folks that are doing race control up in the, up in the tower, directing race operations. So, we have lots of opportunities, tons of potential. We, we foster those relationships and take the folks and whatever their capabilities and, and abilities are and find the right position for them. >> Think, thinking about your personal experience, how, how did it, how would you say it affected you?
>> Yeah, um, to understand that you really have to understand military transition. And I think that's where a lot of the folks that have never experienced this really struggle. Transition from the military is really difficult. And it's really difficult, even if you're, if you're not broke and, or you don't have some kind of illness or injury, but you add that factor into it at the same time and it could be extremely difficult. And that's why we see like the 22 a day suicide rates with veterans, it's very, very high, right? And so when you, when you come into this program, it's, it is a little bit of a leap of faith, right? This is very new experience for somebody, right? For somebody like myself who had 29 years of experience in the military, very senior person in the military. And now you're at the bottom of the totem pole and trying to figure it all out again, it's, it's a, it's a big jump. But what you realize really quickly is a lot of the things that you experience in the military you experience in that paddock, same exact things, lots of, small team environment, lots of diversity, lots of challenges, lots of roadblocks, ups, downs, you, you'd deploy just like you would deploy in, in the military, you bring the cars to a track, you execute a mission, then you pack it up and bring it home. So it's, there's so many similarities in the process. >> I mean, yeah. Diezel, hear, hearing Craig explain that there are, the similarities sound very clear, but, but, but how did, how'd you come up with this idea? (Diezel laughs) It makes sense now in retrospect, but somebody just said, Hey, you know, we have this and we have this and we can marry them or... >> No, not really. And it, it's a funny story because I always said, I, I, I don't believe in reinventing the wheel, I believe in stealing the car. And so there's a sister organization that we have in the UK called Mission Motorsport. And, and, and they invented this five years before we did. And, and they were successful.
And I was, you know, through, through friendships and opportunities, I got to witness it in, in 2016. So went over to, to Wales in, in the UK and, and watched it in action. And we were there for one race weekend, Race of Remembrance, which is where we go back to, we'll be going back to November, taking 13 beneficiaries over to race in our own race team for a 12-hour race. And that's a whole other story, but that's where it all started. You know, we, we saw the opportunities and said, wow, they're changing lives through recovery, you know, through Motorsport, and the similarities and what they were achieving, our initial goal was let's just come back and do this again next year, because we need to bring North American transitioning members over to, to witness this and take part. And then fast forward, we said, why stop there? And we stood up an organization. Now, I'll tell you that the organization is not what it was the initial vision, this not where, I mean I never imagine that we get to this point this day, especially with the announcement this morning, you know, with the partnership with CrowdStrike, it, it's huge for us, but we've evolved into something that was very similar to the initial vision. And that was helping, helping medically transitioning service members with their own personal struggles and recovery. You know, the reason we call it Operation Motorsport is because operations have no beginning and no end and our, and what we do makes us so different in that we're not a one and done, we take care of these guys. Even when they become alumni, they, they still come back. They, they come back to volunteer, they come back to check in their friends and, and all kinds, it's really, really neat. >> And, and JC, of course CrowdStrike has an affinity for Motorsports, right? You got the logo on the Mercedes. You, you've got the safety car at this. I think it's called the safety car, right? >> That's it, yeah. >> So, okay.
So that's an obvious connection, but, but where did the idea germinate for this partnership? >> There's so many things, but first and foremost, I think that the, the values of CrowdStrike and those of Operation Motorsport were very much aligned. If you think about it, we, we focus a lot on teamwork. There's no way we do these jobs without the teamwork part. We all love data. These guys are all in the data all the time trying to figure out, you know, what your adversaries are doing. So there's that kind of component to it. And I'd say the last bit is critical thinking. So when we think about our organizations and how well aligned they are, that was a, that was a no brainer. And into the other side of it, we get the opportunity to do mentorship programs. I mean, I think both ways, hopefully I get invited to the Patriot corral at some point, I can go, go work on a car, but we'll do those both ways or mentorship opportunities. If folks from Operation Motorsport want to team up with CrowdStrikers. >> Do you ever get to drive the car? Or is that just an awful question? >> No, it's a good question. Actually I do, from the, from the track to the pits at, you know, very slow speeds. >> They don't let you out on the track? >> That's right, no, I don't get to go out the track. >> Diezel, you ever, you ever drive one of these? >> I, I, I, I've been on, on the track on, on different cars, not in the race cars that, that, that, that are on the team, but something that's unique in the Patriot corral, for instance, because JC brought that up, is that when we do these Patriot corrals, part of that program at lunchtime is, is taking the individuals and doing parade laps. And I'll, you know, a parade lap, well, what's the fun in that? But you drive highway speeds on a racetrack and your own personal car following a pace car, that's a pretty cool experience. >> Yeah, that's very cool.
Guys, congratulations on this program and all your success and all the, the giving that you do for the community and, and your peers, really appreciate you guys coming on theCUBE and telling your story. >> Thanks for having us. >> Thanks for the opportunity. >> You're very welcome. All right, keep it right there everybody. Dave Vellante and Dave Nicholson, we'll be back from Fal.Con 2022, at the ARIA in Las Vegas. You're watching theCUBE. (relaxing music)
Geoff Swaine, CrowdStrike | CrowdStrike Fal.Con 2022
>>We're back with theCUBE at Fal.Con 2022, Dave Vellante and Dave Nicholson. We're at the ARIA. We do, obviously, of course, a lot of events in Las Vegas. It's the, it's the place to do events. Dave, I think is my sixth or seventh time here this year. At least. I don't know. I lose track. Geoff Swaine is here. He's the vice president of global programs, store and tech alliances at CrowdStrike. Geoff, good to see you again. We saw each other at re:Invent in July in Boston. >>Yes. It's great to see you again, Dave. Thank you very much. >>And we talked about making this happen, so thrilled to be here at, at, at CrowdStrike Fal.Con. We're gonna talk today about the CrowdStrike XDR Alliance partners. First of all, what's XDR? >>Well, I hope you were paying attention to George's, George's keynote this morning. I guess, you know, the one thing we know is that if you ask 10, five people, what XDR is, you'll get 10 answers. >>I like this answer: a holistic approach to endpoint security. I, that was a, >>It was good. Simple. >>That was a good one at Black Hat. So, but tell us about the XDR Alliance partners program. Give us the update there. >>Yeah, so I mean, we spoke about it at re:Inforce, you know, the XDR program is really predicated on having a robust ecosystem of partners to help us share that telemetry across all of the different parts of our customers' environment. So we've done a lot of work over the last few weeks and trying to bolster that environment, specifically, putting a, a lot of focus on firewall. You'll see that Cisco and Fortinet have both joined the XD, XDR Alliance. So we're working on that right now. A lot of customer demand for firewall data into the telemetry set. You know, obviously it's a very rich data environment. There's a lot of logs on firewalls. And so it drives a lot of, of, of information that we can, we can leverage. So we're continuing to grow that. And what we're doing is building out different content packs that support different use cases.
So firewall is one, CASB is another, email's another, and we're building, building out the, the partner set right across the board. So it's, it's, it's been a, a great set of activity. >>So it's, it's partners that have data. Yep. There's probably some, you know, Joe Tucci, your old boss, used to say that that overlap is better than gaps. So there's sometimes there's competition, but that's from a customer standpoint, overlap is, is better than gaps. So you gonna mention Cisco, Fortinet, and there are a number of others. They've got data. Yes. And they're gonna pump it into your system, our platform, and you've got the, your platform. You've got the ability to ingest. You've got the cloud native architecture, you've got the analytics and you've got the near real time analysis capability, right. >>Augmented by people as well, which is a really important part of our value proposition. You know, we, it's not just relying purely on AI, but we have a human, a human aspect to it as well to make sure we're getting extremely accurate responses. And then there's the final phase is the response phase. So being able to take action on a CASB, for example, when we have a known bad actor operating in the cloud is a really important, easy action for our customer to take. That's highly valuable. >>You're talking about your threat hunting capability, right? >>So threat hunting and our Intel capability as well. We use all of that information as well as the telemetry to make sure we're making good, actionable decisions. >>Intel being machine intelligence or, or human in, >>Machine, human, and human and machine intelligence that we have. We have a whole business that's out there gathering Intel. I believe you're talking to Adam Meyers, who runs that business. And you know, that Intel is critical to making good decisions for our customers. >>So the X in XDR is extended, correct? Extending to things like firewalls. That's pretty obvious in the security space.
Are there some less obvious data sources that you look to extend to at some point? >>Yeah, I think we're gonna continually go with where the customer demand is. Firewalls is one of the first and email is very significant, other one. You'll see that we're announcing support for Microsoft 365 as well as part of this, this announcement, but then we'll still grow out into the other areas. NDR is, you know, a specific area where we've already got a number of partners in that, in that space. And, and we'll grow that as we go. I think one of the really exciting additional elements is the, the OCSF announcement that we made at, at, at, at, at re:Inforce, which also is a shared data scheme across a number of vendors as well. So talking to Mike's point, Microsoft's point this morning in his keynote, it's really about the industry getting together to do better job for our customers. And XDR is the platform to do that. And CrowdStrike's way of doing it is the only really true, visible way for a customer to get their hands on all that information, make the decision, see the good from the bad and take the action. So I feel like we're really well placed to help our customers in that space. >>Well, Kevin Mandia referenced this too today, basically saying the industry's doing a better job of collaboration. I mean, sometimes I'm skeptical because we've certainly seen people try to, you know, commercialize private information, private reports. Yeah. But, but, but you're talking about, you know, some of your quasi competitors cooperatives, you know, actually partnering with you now. So that's a, that's a good indicator. Yeah. I want to step back a little bit, talk about the macro, the big conversation on Wall Street. Everybody wants to talk about the macro of course, for obvious reasons, we just published our Breaking Analysis, talking about you guys potentially being a generational company and sort of digging into that a little bit.
We've seen, you know, cyber investments hold up a little bit better, both in terms of customer spending and of course the stock market, better than tech broadly. Yeah. So in that case it would, it would suggest that cyber investments are somewhat non-discretionary. So, but that's my question: are cyber investments non-discretionary? If so, how? >>You know, I think George, George calls that out directly in our analyst reports as well, that, you know, we believe that cyber is a non-discretionary spend, but I, I actually think it's more than that. I think in this current macroeconomic environment where CIOs and CSOs are being asked to sweat their assets for a significantly longer period of time, that actually creates vulnerabilities because they have older kit that's running for a longer period than they normally, you know, round out or churn out of their environment. They're not getting the investment to replace those laptops. They're not getting the investment to replace those servers. We have to sweat them for a little bit longer, longer, which means they need to be on top of the security posture of those devices. So that means that we need the best possible telemetry that we can get to protect those in the best possible way. So I actually think not only is it makes it non-discretionary, it actually increases the, the business case for, for, for taking on a, a cyber project. >>And I buy that. I buy that the business case is better potentially for cyber business case. And cyber is about, about risk reduction, right? It's about, it's about reducing expected loss. I, I, I, I, but the same time CISOs don't have an open wallet. They have to compete with other P&L managers. I also think the advantage for CrowdStrike, I'm, I'm getting deeper into the architecture and beginning to understand the power of a lightweight agent that can do handle. I think you're up to 22 modules now, correct? Yes.
I've got questions on how you keep that lightweight, but, but nonetheless, if you can consolidate the point tools, which is, you know, one of the biggest challenges that, that SecOps teams face, that strengthens the ROI as well. >>Absolutely. And if you look at what George was saying this morning in the keynote, the combination of being able to provide tools, not only to the SecOps team, but the IT ops team as well, being able to give the IT ops team visibility on how many assets they have. I mean, these simple, these are simple questions that we should be able to answer. But often when we ask, you know, an operations leader, can you answer it? It sometimes it's hard for them. We actually have a lot of that information. So we are able to bring that into the platform. We're able to show them, we're able to show them where the assets are, where the vulnerabilities are against those assets and help IT ops do a better job as well as SecOps. So the, the strength, the case strengthens, as you said, the CSO can also be talking to the IT ops budget. >>The edge is getting more real. We're certainly hearing a lot about it. Now we're seeing a lot more and you kind of got the, the near edge. It's like the Home Depot and the Lowe's, you know, stores, okay. That I, I can get a better handle on, okay. How do I secure that? I've got some standards, but that's the far edge. It's, it's the, the OT, yes, piece of it. That's sort of the brave new world. What are you seeing there? How do you protect those far flung estates? >>I think this gets back to the question of what's, what's new, what's coming, and where do we see the, the next set of workloads that we have to tackle? You know, when we came along first instance, we were really doing a lot of the on-prem, on-prem and, and, and known cloud infrastructure suites. Then we started really tackling the broader cloud market with tools and technology to give visibility and control of the overall cloud environment.
OT represents that next big addressable market for us, because there are so many questions around devices, where they are, how old they are, what they're running. So visibility into the OT network is extremely, extremely important. And, you know, the, the wall that has existed again between the CISO and the OT environments coming down, we're seeing that's closer, closer alignment between the security on both those worlds. So the announcement that we've made around extending our Falcon Discover product, to be able to receive and understand device information from the OT network and bring it into the same console as the, the IT and the OT in the same console to give one cohesive picture of, of visibility of all of our devices is a major step forward for our customers and for, for the industry as well. >>And we see that being, being able to get the visibility will then lead us to a place of being able to build our AI models, build our response frameworks. So then we can go to a full EDR and then beyond that, there's, you know, all the other things that CrowdStrike do so well, but this is the first step to really, the first step on control is visibility. >>And the OT guys are engineers. So they're obviously conscious of this stuff. It's, it's more, it's again, you're extending that culture, isn't it? >>Yeah, yeah, yeah. Now when you're looking at threats, great, you want to do things to protect against those threats, but how much, how much of CrowdStrike's time is spent thinking about the friction that's involved in transactions? If I wanna go to the grocery store, think of me as an end point. If I wanna go to the grocery store, if I had to drive through three DUI checkpoints or car safety inspections every time I went to the grocery store, I wouldn't be happy as an end point, as an end user in this whole thing. Ideally, we'd be able just to be authenticated and then not have to worry about anything moving forward.
Do you see that as your role, reducing friction? >>100%, that's again, one of the core tenets of, of, of why George founded the company. I mean, he tells the story of sitting on an airplane and seeing an executive who was also on the airplane, trying to boot their machine up and trying, and get an email out before the plane took off and watching the scanning happen, you know, old school virus scanning happening on the laptop and, and that executive not making it because, and he is like, in this day and age, how can we be holding people back with that much friction in their day to day life? So that's one of the, again, founding principles of what we do at CrowdStrike was the security itself needs to support business growth, support, user growth, and actually get out of the way of how people do things. And we've seen progression along that lines. I think the zero trust work that we're doing right now really helps with that as well. >>Our integrations into other companies that play within the zero trust space makes that frictionless experience for the user, because yeah, we, we, we want to be there. We want to know everything that's happening, but we don't want to see where we always want control points, but that's the value of the telemetry we take. We're taking all the data so that we can see everything. And then we pick what we want to review rather than having to do the, the checkpoint approach of stop here. Now, let me see your credentials, stop here. And let me see your credentials, because we have a full field of, of knowledge and information on what the device is doing and what the user is doing. We're able to then do the trust with verify style approach. >>So coming back to the, to the edge and IoT, you know, bringing that zero trust concept to the, to the edge, you've got, you've got IT and OT. Okay. So that's a new constituency, but you're consolidating that view. Your job gets harder, doesn't it? So, so, so talk about how you resolve that.
Do, do the, do the concepts that you apply to traditional IT endpoints apply at the edge? >>So first things we have to do is gain the visibility. And, and so the way in which we're doing that is effectively drawing information out from the OT environment at, by, by having a collector that's sitting there and bringing that into our console, which then will give us the ability to run our AI models and our other, you know, indications of attack or our indications of misconfiguration into the model. So we can see whether something's good or bad whilst we're doing that. Obviously we're also working on building specific sensors that will then sit in OT devices down, you know, one layer down from rather being collected and pulled and brought into the platform, being collected at the individual sensor level when we have that completed. And that requires a whole different ecosystem for us, it means that we have to engage with organizations like Rockwell and Siemens and Schneider, because they're the people who own the equipment, right? Yeah. And we have to certify with them to make sure that when we put technology onto their equipment, we're not going to cause any kind of critical failure that, you know, that could have genuine real world physical disastrous consequences. So we have to be super careful with how we build that, which we're, we're in the process of doing. >>Are the IOA signatures, indicators of attack, so I don't have to throw a dollar in the jar, are the IOA signatures substantially similar at, at the edge? >>I think we learn as we go, you know, first we have to gain the information and understand what good and bad looks like, what the kind of behaviors are there.
But what we will see is that, you know, as someone's trying to make, if there's an actor, you know, making an attack, you know, we'll be able to see how they're affecting each of those end points individually, whether they're trying to take some form of control, whether they're switching them on and off. In the edge and the far edge, it's a little bit more binary in terms of the kind of function of the device. It is the valve open or is the valve closed? It's is the production line running or is the production line not running, not running. So we need to be able to see that it's more about protecting the outcomes there as well. But again, you know, it's about first, we have to get the information. That's what this product will help us do. Get it into the platform, get our teams over the top of it, learn more about what's going on there and then be able to take action. >>But the key point is the architecture will scale. That's where the cloud native things comes into. >>Yeah, it'll, it'll, it'll scale. But to your, to your point about the lack of investment and infrastructure means older stuff means potentially wider gaps, bigger security holes, more opportunity for the security sector. Yep. I buy that. That makes sense. I think if it's a valid argument, when you, when you, when you know, we, we loosely talk about internet of things, edge, a lot of those things on the edge, there's probably a trillion dollars worth of a hundred year old garbage, and I'm only slightly exaggerating on the trillion and the a hundred years old, a lot of those critical devices that need to be sensed that are controlling our, our, our, our electrical grid. For example, a lot of those things need to be updated. So, so as you're pushing into that frontier, are you, you know, are, are you extending out developer kits and APIs to those people as they're developing those new things, right? Because some of the old stuff will never work.
>>And that's what we're seeing is that there is a movement within the industrial control side of things to actually start, you know, doing this. Some simple things like removing the air gap from certain systems, because now we can build a system around it that's trustable and supportable. So now we can get access there over a network, over the internet, to kind of control a valve set that's down a pipeline or something like that. So there is willingness within the ecosystem, the IOT provider ecosystem, to give us access to some of those controls, which wasn't there, which has led to some of these issues. Are we gonna be able to get to all of them? No, we're gonna have to make decisions based on customer demand, based on where the big rocks lie. And so we will continue to do that based on customer feedback, again, on what we see. >>And the legacy air gaps in the OT worlds were by design for security reasons, or just sort of, >>I see. Because there was no way to do before. Right. So it was like >>Lack connectivity is, >>Yeah. So it was, people felt more comfortable sending an engineer route to the field truck roll. Yeah, yeah, yeah. To do it rather than expensive, rather. And exactly that, again, going back to our macro economic situation, you know, it's a very expensive way of managing and maintaining your fleet if you have to send someone to it every time. So there's a lot of customer demand for change, and we're engaging in that change. And we want to see a huge opportunity there. >>Coming back to the XDR Alliance, cuz that's kind of where we started. Where do you wanna see that go? What's your vision for that? >>So the Alliance itself has been fundamental in terms of now where we go with the overall platform. We are always constantly looking for customer feedback on where we go next on what additional elements to add.
The Alliance members have video this fantastic time and effort in terms of engaging with us so that we can build in responses to their platforms, you know, into what we do. And they're seeing the value of it. I feel that over the next, you know, over the next two year period, we're gonna see those, our XDR Alliance and other XDR alliances growing out to get to each other and they'll touch each other. We will have to do it like this O project at AWS. And as that occurs, we're gonna be able to focus on customer outcomes, which is, you know, again, if you listen to George, you listen to Mike, protecting the customer is the mission of CrowdStrike. So I think that's core to that story. What we will see now is it's a great vehicle for us to give a structured approach to partnership. So we'll continue to invest in that. We've got a pipeline of literally hundreds of partners who want to join. We've just gotta do that in a way that's consumable for us and consumable for the customer. >>Geoff Swaine, thanks so much for coming back on theCUBE. It's great to have you. Yeah. Thanks guys. Thank you. Okay. And thank you for watching. Dave Nicholson and Dave Vellante. We'll be back right after this short break. You're watching theCUBE from Fal.Con 22 in Las Vegas, right back.
Anthony Cunha, Mercury Financial & Alex Arango, Mercury Financial | CrowdStrike Fal.Con 2022
(upbeat music) >> Welcome back to Fal.Con 22. We're here at the ARIA hotel in Las Vegas. We're here in Las Vegas, a lot. Dave Nicholson, Dave Vellante. Fal.Con 22, wall to wall coverage, you're watching theCUBE. Anthony Cunha is here. He's the chief information security officer at Mercury Financial. And he's joined by his deputy CISO, Alex Arango. Welcome, gentlemen. >> Good to see you. >> Thank you very much. Good to be here. Thank you for the opportunity to speak. >> Yeah, so this is a great event. This is our first time being at a CrowdStrike customer event. We do a lot of security shows, but this is really intimate. We got a high flying company. Tell us first about Mercury Financial. What are you guys all about? >> Oh, that's a fantastic question. Let's leeway into that. So Mercury Financial is a credit card company that serves people who are near prime. So be it some kind of hardship in their life. They had something impacted, be a financial impact, maybe a medical impact, an emergency, something, a death in the family where somehow their credit was impacted. We give 'em the opportunity through our motto, better credit, better life, to build up that credit score to add livelihood to their ability to be financially stable. >> I mean, I think this is huge because you know, so many people it's like, okay, one strike and you're out. >> Right. >> You know, that's just not right. You got- >> No, not at all. >> You got to give people another chance. And so there's so much talent out there. I think about some of the mistakes I made, Dave, when I was a younger man, but- >> No comment. >> Right. So I heard a stat today that I thought was great. Did you guys see the keynote? >> Yes. >> Of course. >> So in the keynote, they did the thing at Black Hat but they said what's XDR and I thought- >> Oh goodness. >> My favorite, and I'm not going to ask you what XDR is. >> Okay, good, thank God. >> But my favorite answer was a holistic approach to endpoint security.
And, you know, I think as a CISO you have to take a holistic approach to a security- >> Of course. >> Okay. >> Maybe talk a little bit about how you do that. >> Wow, a holistic approach I would say and I could, I'll give you an opportunity to speak as well, but a holistic approach, it's people, processes, and technology. So a holistic approach would be, it isn't one box that you check. It's not a technology that is a silver bullet that fixes anything. Those technologies, those services are implemented by people. So good training, our human firewall, the forefront of implementing those technologies to build those processes and incorporate people and a level of sincerity and integrity that we build. So I feel like a holistic approach is both cyber culture to build the cyber resilience program that we so dearly need. >> And I could spend all day talking about security organizations, SecOps, DevSecOps, data SecOps, et cetera, but, but Alex, how, what is your role as the deputy CISO? How do you complement what Anthony does? >> I got to bring it all together, right? So technically, what are we putting in place? What are the requirements that these stakeholders have? Their needs, their wants. We all have something that we need and want in our environment as an employee, as a customer, as a stakeholder. How do we get that to market? How can we get it there quickly? You know, and it's really about finding the partners that can get us there, right? That can leverage us, that can force multiply us. >> Yes. >> You know, give my people more time to get the work done, the good work. >> Right, the hard work, of course. >> So paint a picture. You know, we hear a lot about all the different, the bevy of tools, the, how complicated CISOs tell us all the time, that we just don't have enough talent. We're looking for partners to help us compromise, but paint a picture of your environment and how you guys use CrowdStrike. >> Oh, that's a good one. Do you want to take this one?
>> Great one, right? I mean, we leverage CrowdStrike at every way we can. We're a Falcon Complete customer. So they're an extension of our team. They're an extension of our SOC, right? >> Yeah. >> We leverage them for many things. We leverage them to understand the risk in our environment. Where we're at in zero trust. How we can really bring a lot of the new processes that the business wants to market, right? How can we get there as fast as possible? Can we make it secure, right? I'm a Mercury card customer also. So I have a vested interest in that. And I like to drive that, that's, so it comes down to can you align your holistic approach, or your organizational goals and bring that to a really good security product that is world class? >> And I can add a little bit to that as well. So I look at it as a triangle. So we leverage Falcon Complete as that first level, tier one triage, people who do and understand the product extremely well, we leverage them quite a bit. We also have a VSOC service that we have this like, consider tier two or the middle of the triangle, by Verse, right? >> Yeah. >> Fantastic boutique security company that just has been working with us year over year, innovation, strategic initiatives, always there to play. And then Alex Arango, and the threat management team, is our top tier, that's tier three, that's the top of the pyramid. By the time it bubbles up to Alex, that's when the real work happens, everyone's triaging, collecting data, putting together pieces. And then Alex and his teammates, and people that he's trained, fantastic, comes and puts it all together and paints a picture so we can then take that information and describe it in layman's terms, simple terms, to the business, to make them understand the level of risk, what we have to do to get to, and through that attack, or that indication of compromise, et cetera, so that we can remediate it, rectify it. >> Right, it's building that security culture foundation, right?
It's getting everyone to buy into that. >> Yeah. >> It's a holistic approach and it's really the best way to do it, right? You get bought in from the stakeholders, understand what they need to do, and what the goals of the business are. And it really works really well. >> We journey together. >> We build a program together. >> Dave, I think that that cultural aspect is critical. Cause I've said many times, bad user behavior trumps good security every time. >> Yeah, absolutely. >> Oh goodness. >> Every time. >> Nicely put, I like that. >> So, I know we're early in the week still, but we did have the keynote. Is there anything that you are hearing, in terms of vision, that piques your interest specifically, and then also sort of the follow up question is, are you guys kind of like lifeguards who can't ever relax at the beach? >> That's why I have a deputy CISO. Well, nobody can take time off, we have to share this. Of course we do. Most definitely. What would you say would be the next, most innovative thing that we're looking for? >> Yeah, what's the next big thing, as far as you're concerned? >> The next biggest thing is definitely building the relationships we have. As we bring in new technologies, we go even more Cloud native. How do we leverage that expertise, that of the partners that we're bringing on board like Zscaler, CrowdStrike, Verse, right? How do we make them a part of the team, and make them perform, bring that world class quality talent across the spectrum, you know, from DevOps to that security analyst, picking up the phone and saying, I'm not really sure what's going on, but there's a culture that's built there where everybody comes to the table to feed, right? We all eat together. >> The ecosystem. >> Yes. >> That is the tooling that we leverage day in and day out. That's how we sleep at night. We have to pick our partners. >> You know, we talked about the ecosystem up front, and you look around, you can see the ecosystem and it's growing. >> Yes.
>> And I predict it's going to grow a lot more. >> Yes. >> That's, and it has to, right? I mean, exactly what you're saying is that no one company can do it alone. And we heard, you know, we heard, it is confusing. You hear CrowdStrike's doing Identity, but then they partner with Okta. Right, and they're here out on the floor. So that's what you guys need. Talk a little bit more about the importance of ecosystem and partnerships from your perspective. >> Oh I got a good one for this. So I use the metaphor of having a restaurant. So we run a restaurant really well. We know what we want in the menu. We have a chef, we know how we want to put together, but we need excellent ingredients. You make muffins well. Bring your muffin into the restaurant. That brings and builds that rapport. That I want the menu to be rich and empower people to come in and say, you know, I've never had scallops or octopus before, I hear you guys make it better than anyone else, well, our ingredients are fantastic. Therefore, no matter what we do when we present it, it's perfect, it's palatable. >> Yeah. That's great. You're not making ice cream, but you're serving it. >> I can't, if you ever want to show us. >> We're just converging our bakery, you know? >> Yeah, yeah, yeah, salt, salt is the key. >> We're just working the bakery part out, yeah. >> Okay, I want to ask you about Cloud because you know, in 2010, 2011, when you talk to a financial services firm, Cloud, no, that's an evil word, now everybody's Cloud first. George Kurtz talks about how, I mean essentially CrowdStrike is dogmatic. We are Cloud native. We have a Cloud native architecture. I know Gartner has this term CNAPP or Cloud native application platform. So what does the Cloud mean to you guys? How does it fit in? What does Cloud native architecture do for you? >> It lets us converge everything we've been talking about. How do we, you know, that's a really big struggle that all security teams are having today.
How do I converge threat intelligence? How do I converge the environment that I'm in? How do I converge the threat intel that's coming in, right? All this, you're getting, security teams are constantly on a swivel, right? They're looking left, they're looking right. They're trying to identify what to do first. And you bring in the right partners. >> Yes. >> And you get in, you build the right program. You cement that culture internally. And it really provides dividends. >> You know what I think as well, Dave, is in the past, everyone was more data center based. >> Right. >> The Cloud was like a thing we'd forklift, we'd move over, we were born in the Cloud. So Cloud native Application protection is something that we need and will drive innovation. Will align with our strategic initiatives. We need people to think like the Cloud is what's happening. Super Cloud, some of the things that we spoke about. >> Yeah, so I was at, when we were at re:Inforce, I had this new mental model emerge, and it sort of hit me in the face. And you tell me, I'd love to talk to practitioners to say, yeah, that makes sense or, no, that's crap. So it seems like the Cloud has become the first line of defense for CISOs. Now you're Cloud first or Cloud native, so, okay. But then now you've got the shared responsibility model. And I don't know if you use multiple Clouds. Do you use multiple Clouds? >> We cannot say. >> Cannot say, okay, let's assume for a second, some of your colleagues, CISO colleagues, use multiple Clouds. >> They should, okay, sure. >> Now they've got multiple shared responsibility models. Now you've got also the application development team. They're being asked to be the pivot point to actually execute, they got to secure the platform. They got to secure the containers, their run time. >> Workloads, yes. >> And then you got audit behind you is kind of the last line of defense. So things are shifting.
Describe sort of the organizational dynamic that you see, not necessarily specific to Mercury Financial, or that would be cool, but generally in the industry. >> Oh, I would say, I could say this, that having Cloud, multitenancy Cloud or the super Cloud model where we could abstract our services, our protection, the different levels of security tooling, being able to abstract and speak a common language where you could run in Azure, GCP or AWS, and still have a common language that you can interpret and leverage between all the tooling would be something I would love to see. >> That's Super Cloud. >> A magical, that is that. >> That is a Cloud interpreter essentially. >> I think we use different words, but yes. >> A PaaS layer, super PaaS layer, sorry to take it too far. >> Yeah, like, I want to be able to abstract it and speak a language that would work in any of the- >> What does that do for you as a technology practitioner? >> Well, imagine if you had to speak three different languages with three different people, get lost in translation. If we could speak a common language across all the different platforms and all the different footprints, it would be easier to define our security posture. Where are we? Are we secure? You might say security groups in AWS, it might mean something else, but it's still a level of protection that surrounds the end point, right? Something that would abstract that level would be very fun. Very good for me. >> It's, you know, it's pretty easy to understand your use case for this. When you're talking about here we are, Mercury Financial, you have the most sensitive financial information about people, right? >> Right, absolutely. >> A data breach where all of the information about your customers getting out there on the dark web. Right? Heart attack time. >> Instantly. >> What are some things that people might not think about though, that are going on in your world?
What would surprise someone who maybe isn't a security specialist in terms of the things that you're dealing with as far as threats are concerned? >> I'm going to leave that on you. >> Can you think of some examples of things that you could, you know, obviously generic examples. >> Right. >> Yes. >> I'm going to point to the number one and two most common ways that applications and businesses are getting owned right now. And that's misconfigurations on your web app or a vulnerable application or phishing. And those are both very important things, right? A lot of development teams, they want to get things to market as soon as possible. And maybe security's on the back foot. It's about building that culture and to, you know, being Cloud native helps you have a, you can provide different tool sets to your organization that helps you understand that posture and makes you help those business decisions. Are we in a good posture to go forward right now? That's a big question that I think most security organizations need to ask themselves and they need to hold other stakeholders accountable. >> So phishing and the concept of social engineering, still alive and well? >> Oh, goodness. >> Always. >> Everything starts with people. The human firewall has to be front of mind. Security can't be an afterthought or a bolt on, that's something that you think about, well, I guess if I have to meet our compliance, it doesn't work with us. >> Comes back to the culture that you're actually talking about before. >> 100%, yeah, cyber resiliency starts with cyber culture. >> Kevin Mandia has said it today. Never underestimate the adversary. The adversary- >> Of course. >> Is highly capable, motivated, big ROI and it just keeps getting bigger. The more technology gets embedded into our lives. The more lucrative hacking becomes. >> And more attack vectors. We have more areas that we could be potentially penetrated. >> They have a lot of time. Those threat actors have a lot of time.
>> They do have a lot of time, yeah. >> Right. >> Right and to your point, you're constantly on the swivel. Right, you don't have time. >> Right. >> No, we don't. >> So do your responsibilities touch on things like fraud detection as well? >> Yeah, oh, that- >> Is that a silly question? I'm thinking- >> Yeah, no, it really is, so- >> No, not at all. >> Or there isn't segregation between what we would think of as IT and the credit card transaction that fires up a red flag. >> Those are integrated. >> It's definitely important. And in any business, right? Is to, like I mentioned, I use this word a lot, converge, right? It's converging that intel, that fraud intelligence and making it into a process where we're reducing the risk and the losses that the business is incurring. >> Yes. >> It's so important, right? That we build that culture within the fraud teams, the operational teams, the, you know really anybody who has a really large stake in whatever the business product is. And, you know, being Cloud native, bringing in the right partners, building that security culture. I mean, that's the biggest one. >> Yeah, we've flown. >> It's last and definitely not least, it is, the culture's where you need to be. >> Absolutely. >> You know, you guys, I'm sure, you know, work with a lot of different vendors, a lot of tools, or sometimes the tools are point tools, they're best of breed. CrowdStrike says it wants to be a generational company. >> Oh, yeah. >> It says this notion of an unstoppable breach is a myth. You guys can't live that way. You have to assume you're going to breach but can CrowdStrike be a generational company? >> I think they've proven themselves. They've been around over a decade now. It's 11 years. They just had their birthday yesterday, right? >> Yeah. >> Or anniversary, the company started? >> Yeah. 11 years, yeah. >> I absolutely, and I also agree to add it a little bit part, from the fraud part.
I think CrowdStrike would be an integral piece of the overall solution that we have. It hits so many different aspects and looks at so many different potential attack vectors. I keep using that word, but I think integrating fraud in other parts and other functions of the business will start to see that they can leverage CrowdStrike. That there's tooling within CrowdStrike innovatively, like ahead of the game. And I always like that about CrowdStrike, being way ahead of the game and thinking in front of our adversaries. I think other departments will be like, what tools do you have, how can we use them? This is fantastic, this makes us feel better. We don't have to worry about that. We can focus in on what we're good at and build that best of breed solution. So fraud can focus on fraud and you can leverage the tooling and the infrastructure that we provide them together holistically to build a security program that's beyond reproach. >> Guys, we got to go, great perspectives. Always love having the practitioners on. >> Yeah, thank you. >> I really appreciate your time, thank you. >> Yeah, absolutely, always a pleasure. Thank you so much for your time. >> Anthony, Alex, Dave and Dave will be right back, right after this short break. You're watching theCUBE from Fal.Con 2022 from the ARIA in Las Vegas. >> Cheers my friend. >> Yeah, of course. (cheerful music)
Day 1 Keynote Analysis | CrowdStrike Fal.Con 2022
(upbeat music) >> Hello everyone, and welcome to Fal.Con 2022, CrowdStrike's big user conference. You're watching theCUBE. My name is Dave Vellante. I'm here with my co-host David Nicholson. CrowdStrike is a company that was founded over 10 years ago. This is about 11 years, almost to the day. They're a 2 billion company in revenue terms. They're growing at about 60% a year. They've got a path they've committed to Wall Street. They've got a path to $5 billion by mid decade. They got a $40 billion market cap. They're free cash flow positive and trying to build essentially a generational company with a very growing TAM and a modern platform. CrowdStrike has the fundamental belief that the unstoppable breach is a myth. David Nicholson, even though CSOs don't believe that, CrowdStrike is on a mission. Right? >> I didn't hear the phrase zero trust mentioned in the keynote. >> Right. >> What was mentioned was this idea that CrowdStrike isn't simply a tool, it's a platform. And obviously it takes a platform to get to 5 billion. >> Yeah. So let's talk about the keynote. George Kurtz, the CEO came on. I thought the keynote was measured, but very substantive. It was not a lot of hype in there. Most security conferences, the two exceptions are this one and re:Inforce, Amazon's big security conference. Stephen Schmidt, the first time I was at a re:Inforce, said "All this narrative about security is such a bad industry" and "We're not doing a great job." And "It's so scary." That doesn't help the industry. George Kurtz sort of took a similar message. And you know what, Dave? When I think of security outside the context of IT I think of like security guards >> Right. >> Like protecting the billionaires. Right? That's a powerful, you know, positive thing. It's not really a defensive movement even though it is defensive but so that was kind of his posture there.
But he talked about essentially what I call, not his words, permanent changes in the, in the, in the cyber defense industry, subsequent to the pandemic. Again, he didn't specifically mention the pandemic but he alluded to, you know, this new world that we live in. Fal.Con is a hundred sessions, eight tracks. And really his contention is we're in the early innings. These guys got 20,000 customers. And I think they got the potential to have hundreds of thousands.
>> Yeah. Yeah. So, if I'm working with a security company I want them to be measured. I'm not looking for hype. I don't want those. I don't want those guards to be in disco shirts. I want them in black suits. So, you know, so the, the, the point about measured is, is I think a positive one. I was struck by the competence of the people who were on stage today. I have seen very very large companies become kind of bureaucratic. And sometimes you don't get the best of the best up on stage. And we saw a lot of impressive folks.
>> Yeah. Michael Sentonas get up, but before we get to him. So, a couple points that Kurtz made he said, "digital transformation is needed to bring modern architectures to IT. And that brings modern security." And he laid out that whole sort of old way, new way very Andy Jassy-like old guard, new guard. He didn't hit on it that hard but he basically said "security is all about mitigating risk." And he mentioned that the, the CSO, I say CSO, he says CSO or CSO, has a seat at the board. Now, many CSOs are board level participants. And then he went into the sort of four pillars of, of workload, and the areas that they focus on. So workload to them is endpoint, identity, and then data. They don't touch network security. That's where they partner with the likes of Cisco,
>> Right.
>> And Palo Alto Networks. But then they went deep into identity threat protection, data, which is their observability platform from an acquisition called Humio. And then they went big time into XDR.
We're going to talk about all this stuff. He said, "data is the new digital currency." Talked a lot about how they're now renaming Humio, LogScale. That's their Splunk killer. We're going to talk about that all week. And he talked a little bit about the single agent architecture. That is kind of the linchpin of CrowdStrike's architecture. And then Michael Sentonas, the CTO came on and did a deep dive into each of those, and really went deep into XDR extended, right? Detection and response. XDR building on EDR.
>> Yeah. I think the subject of XDR is something we'll be, we'll be touching on a lot. I think in the next two days. I thought the extension into observability was very, very interesting. When you look at performance metrics, where things are gathering those things in and being able to use a single agent to do so. That speaks to this idea that they are a platform and not just a tool. It's easy to say that you aspire to be a platform. I think that's a proof point. On the subject, by the way, of their fundamental architecture. Over the years, there have been times when saying that your infrastructure requires an agent that would've been a deal killer. People say "No agents!" They've stuck to their guns because they know that the best way to deliver what they deliver is to have an agent in the environment. And it has proven to be the right strategy.
>> Well, this is one of the things I want to explore with the technical architects that come on here today is, how do you build a lightweight agent that can do everything that you say it's going to do? Because they started out at endpoint, and then they've extended it to all these other modules, you know, identity. They're now into observability. They've got this data platform. They just announced that acquisition of another company they bought Preempt, which is their identity. They announced Responsify, responsify? Reposify, which is sort of extends the observability and gives them visualization or visibility.
And I'm like, how do you take? How do you keep an agent lightweight? That's one of the things I want to better understand. And then the other is, as you get into XDR I thought Michael Sentonas was pretty interesting. He had Black Hat last month. He did a little video, you know.
>> That was great
>> Man in the street, what's XDR what's XDR what's XDR. I thought the best response was, somebody said "a holistic approach to endpoint security." And so it's really an evolution of, of EDR. So we're going to talk about that. But, how do you keep an agent lightweight and still support all these other capabilities? That's something I really want to dig into, you know, without getting bloated.
>> Yeah, yeah. I think it's all about the TLAs, Dave. It's about the S, it's about SDKs and APIs and having an ecosystem of partners that will look at the lightweight agent and then develop around it. Again, going back to the idea of platform, it's critical. If you're trying to do it all on your own, you get bloat. If you try to be all things to all people with your agent, if you try to reverse engineer every capability that's out there, it doesn't work.
>> Well that's one of the things that, again I want to explore because CrowdStrike is trying to be a generational company. In the Breaking Analysis that we published this week. One of the things I said, "In order to be a generational company you have to have a strong ecosystem." Now the ecosystem here is respectable, you know, but it's obviously not AWS class. You know, I think Snowflake is a really good example, ServiceNow. This feels to me like ServiceNow circa 2013.
>> Yeah.
>> And we've seen how ServiceNow has evolved. You know, Okta bought Auth0 to give them the developer angle. We heard a little bit about a developer platform today. I want to dig into that some more. And we heard a lot about everybody hates their DLP. I want to get rid of my DLP, data loss prevention. And so, and the same thing with the SIEM.
One of the ETR round table, Eric Bradley, our colleague at a round table said "If it weren't for the compliance requirements, I would replace my SIEM with XDR." And so that's again, another interesting topic. CrowdStrike, cloud native, lightweight agent, you know, some really interesting tuck in acquisitions. Great go-to-market, you know, not super hype just product that works and gets stuff done, you know, seems to have a really good, bright future.
>> Yeah, no, I would agree. Definitely. No hype necessary. Just constant execution moving forward. It's clearly something that will be increasingly in demand. Another subject that came up that I thought was interesting, in the keynote, was this idea of security for elections, extending into the realm of misinformation and disinformation which are both very very loaded terms. It'll be very interesting to see how security works its way into that realm in the future.
>> Yeah, yeah,
>> Yeah.
>> Yeah, his guy, Kevin Mandia, who is the CEO of Mandiant, which just got acquired. Google just closed the deal for $5.4 billion. I thought that was kind of light, by the way, I thought Mandiant was worth more than that. Still a good number, but, and Kevin, you know was the founder and,
>> Great guy.
>> they were self-funded.
>> Yeah, yeah impressive.
>> So. But I thought he was really impressive. He talked about election security in terms of hardening you know, the election infrastructure, but then, boom he went right to what I see as the biggest issue, disinformation. And so I'm sitting there asking myself, okay how do you deal with that? And what he talked about was mapping network effects and monitoring network effects,
>> Right.
>> to see who's pumping the disinformation and building career streams to really monitor those network effects, positive, you know, factual or non-factual network or information. Because a lot of times, you know, networks will pump factual information to build credibility. Right?
>> Right.
>> And get street cred, earn that trust. You know, you talk about zero trust. And then pump disinformation into the network. So they've now got a track. We'll get, we have Kevin Mandia on later with Shawn Henry who's the CSO yeah, the, the CSO or C S O, chief security officer of CrowdStrike
>> More TLA. Well, so, you can think of it as almost the modern equivalent of the political ad where the candidate at the end says I support this ad or I stand behind whatever's in this ad. Forget about trying to define what is dis or misinformation. What is opinion versus fact. Let's have a standard for finding, for exposing where the information is coming from. So if you could see, if you're reading something and there is something that is easily decodable that says this information is coming from a troll farm of a thousand bots and you can sort of examine the underlying ethos behind where this information is coming from. And you can take that into consideration. Personally, I'm not a believer in trying to filter stuff out. Put the garbage out there, just make sure people know where the garbage is coming from so they can make decisions about it.
>> So I got a thought on that because, Kevin Mandia touched on it. Again, I want to ask about this. He said, so this whole idea of these, you know detecting the bots and monitoring the networks. Then he said, you can, I think he said something that's to the effect of, "You can go on the offensive." And I'm thinking, okay, what does that mean? So for instance, you see it all the time. Anytime I see some kind of fact put out there, I got to start reading the comments and like 'cause I like to see both sides, you know. I'm right down the middle. And you'll go down and like 40 comments down, you're like, oh this is, this is fake. This video was edited,
>> Right.
>> Da, da, da, da, and then a bunch of other people. But then the bots take over and that gets buried. So, maybe going on the offensive is to your point.
Go ahead and put it out there. But then the bots, the positive bots say, okay, by the way, this is fake news. This is an edited video FYI. And this is who put it out and here's the bot graph or something like that. And then you attack the bots with more bots and then now everybody can sort of see it, you know? And it's not like you don't have to, you know email your friend and saying, "Hey dude, this is fake news."
>> Right, right.
>> You know, do some research.
>> Yeah.
>> Put the research out there in volume is what you're saying.
>> Yeah. So, it's an, it's just I thought it was an interesting segue into another area of security under the heading of election security. That is fraught with a lot of danger if done wrong, if done incorrectly, you know, you, you get into the realm of opinion making. And we should be free to see information, but we also should have access to information about where the information is coming from.
>> The other narrative that you hear. So, everything's down today again and I haven't checked lately, but security generally, we wrote about this in our Breaking Analysis. Security, somewhat, has held up in the stock market better than the broad tech market. Why? And the premise is, George Kurtz said this on the last conference call, earnings call, that "security is non-discretionary." At the same time he did say that sales cycles are getting a little longer, but we see this as a positive for CrowdStrike. Because CrowdStrike, their mission, or one of their missions is to consolidate all these point tools. We've talked many, many times in the Cube, and in Breaking Analysis and on SiliconANGLE, and on Wikibon, how the security business uses too many point tools. You know this as a former CTO. And, now you've got all these stove pipes, the number one challenge the CSOs face is lack of talent. CrowdStrike's premise is they can consolidate that with the Fal.Con platform, and have a single point of control. "Single pane of glass" to use that bromide. So, the question is, is security really non-discretionary? My answer to that is yes and no. It is to a sense, because security is the number one priority. You can't be lax on security. But at the same time the CSO doesn't have an open checkbook,
>> Right.
>> He or she can't just say, okay, I need this. I need that. I need this. There's other competing initiatives that have to be taken in balance. And so, we've seen in the ETR spending data, you know. By the way, everything's up relative to where it was, pre you know, right at the pandemic, right when, pandemic year everything was flat to down. Everything's up, really up last year, I don't know 8 to 10%. It was expected to be up 8% this year, let's call it 6 to 7% in 21. We were calling for 7 to 8% this year. It's back down to like, you know, 4 or 5% now. It's still healthy, but it's softer. People are being more circumspect. People aren't sure about what the Fed's going to do next. Interest rates, you know, loom large. A lot of uncertainty out here. So, in that sense, I would say security is not non-discretionary. Sorry for the double negative. What's your take?
>> I think it's less discretionary.
>> Okay.
>> Food, water, air. Non-discretionary. (David laughing) And then you move away in sort of gradations from that point. I would say that yeah, it is, it falls into the category of less-discretionary.
>> Alright.
>> Which is a good place to be.
>> Dave Nicholson and David Vellante here. Two days of wall to wall coverage of Fal.Con 2022, CrowdStrike's big user conference. We got some great guests. Keep it right there, we'll be right back, right after this short break.
(upbeat music)
Jason Cook, Cyber Defense Labs & Mike Riolo, CrowdStrike | CrowdStrike Fal.Con 2022
(upbeat music)
>> Welcome back to Fal.Con 2022. My name is Dave Vellante. We're here with my co-host Dave Nicholson. On the last earnings call George Kurtz made a really big emphasis on the relationship with managed service providers. CrowdStrike has announced a new service provider capability. The powered service provider program. Jason Cook is here. He is the president of Cyber Defense Labs. He's joined by Mike Riolo. Who's the vice president of global system integrators and service providers at CrowdStrike. Gents, welcome to TheCube. Good to see you.
>> Thank you very much.
>> Thank you
>> Jason, tell us about Cyber Defense Labs. What do you guys do? Give us the bumper sticker, please.
>> Cyber Defense Labs uses the best technology in the world to put together services that help protect our clients
>> Simple. Like it. What's XDR? (people laughing)
>> I've not heard of that before, sorry.
>> So Mike, we've seen the rise of service providers. I saw a stat, I don't know, six, seven months ago that 50% of US companies don't even have a SOC. We're talking about mid to large companies. So service providers are crucial. What's the CrowdStrike powered service provider program all about?
>> Well, it's an evolution for us. We've been dealing with this market for some time. And the idea is, is like how do we expand the opportunity to stop breaches? I mean, that's what it's all about. Like how more routes to market, more partners like Cyber Defense Labs that can really go in and bring our technology coupled with their services to power their offerings to their customers and just help us reach every end user out there, to stop breaches.
>> So Jason, how do you guys differentiate? 'Cause I see, you know, as an analyst, I'll look back, I'll read the press releases and they'll see, okay. They just look so similar. So how do you differentiate from the competition? What do you tell customers?
>> So when it comes to our selection of technology we test it, we work it, we literally put it into real world situations with our clients. And then we differentiate ourselves with expert services. It's a white glove service from us. We embed ourselves right in with our clients. That's why we call 'em our client partners. And they see us as part of their team and extension of their team. They don't have the time to play with technology and work out what's best. They don't know the time to select it or even then the expertise to use it effectively in the environment. So that's where the trust comes in with us. And then for us, likewise, we are the technology provider such as CrowdStrike, we need to know the technology works and it does what it says.
>> I always ask CISOs: What's your number one challenge? And they'll say lack of talent. The only time I didn't get that answer was at... The MongoDB CISO at re:Inforce. I'm like yeah, it's 'cause you're Mongo, I guess re:Inforce or AWS doesn't have the same problem, but do you... Obviously you see that problem. And you complement that, is that a fair?
>> Yeah, absolutely. Many, many companies mid-market enterprises are really struggling to find talent and then retain the talent. So for us where that's all we are about and then we are there to enable your business to do what your business does. It is just working and I think more and more so you're going to see an industry clearly CrowdStrike's going in that direction. That it's the service provider that becomes a critical element of that trusted circle.
>> Does that translate into a market segment by size of organization typically or? You mentioned the ever never ending quest for talent which is critical regardless of size but what does your target market look like?
>> So I, I think the biggest gap in the market frankly, is still the mid-market. Many smaller companies still are really just struggling with 'what is the problem.'
At least in the mid-market, in the enterprises they're really beginning to understand the problem and want to invest and lean in. And here's the irony. They now want to partner to solve the problem 'cause they recognize they can't do it on their own.
>> So Mike, what are the critical aspects of this program? I mean, got the press release out there, but put some meat on the bone for us.
>> So if you look at what we were doing to enable managed service providers to go in and, and be powered by CrowdStrike before it was in a corporate market segment it was a specific set of product from us to really enable MDR, you know, sort of that, that generation of services that a lot of customers looked at MSPs for. And what the big message about this is, is we are now expanding that. We're taking it out of corporate, we're going upmarket, we're going enterprise. We can leverage partners like Cyber Defense Labs to package our software into their offering and help them power them more than just endpoint. Right? We've had a lot of exciting announcements and probably more to come around identity, you know XDR, the new buzz, right? Like what does it mean? And in, if you look at our approach, it's a very platform centric approach and that's something that partners can monetize. That's something that partners can really help clients grow with is that it's not just about endpoint. It's more about how do I make sure that I'm in a position with a partner that allows me to grow as a market decides it's necessary. So things like identity, cloud on and on and on, that we're investing in and continuing to grow. We are making that available to the CrowdStrike powered service about our marketplace.
>> So Jason, service providers historically outsourcing, okay. And it used to be a lot of 'okay, you know, I'll take over your mess for less' kind of thing. Right? And so the pattern was you would have one of everything and then, that limited your scale.
The bigger you got, you had this economies of scale. So am I hearing that, like how do you partner with CrowdStrike? Are you kind of standardizing on that platform or not necessarily 'cause you have to be agnostic. What's your posture on that?
>> So there's a level of, you have to be technology agnostic. We pride ourselves in just using the best technology that's out there. But at the same time, very much with the Fal.Con platform they're building out and maturing in a way that's making significant risk mitigation abilities for a solution provider like us to say we'll take one of those, one of those and put our service around it because that's the best fit service to reduce the risk of this particular client. And having that flexibility for us to do that really allows us then to stay within the same sort of product suite rather than going outside when integration is still one of the biggest challenges that you have.
>> So you're one of those organizations that's consolidating a bevy of point tools. Is that right? I mean, you're going through that transformation now. Have you already gone through that? What's your journey look like there?
>> Oh, we help companies do that. That's how they mitigate and reduce their risk.
>> Okay. But you're using tools as, as well. Are you not? So I mean, you've got to also I mean you're like an extension of those clients.
>> Absolutely. So it comes down to a lot of the time do you have the right team? We have a team of experts that deliver expert services. You get to a level of skillset and experience, which goes what's just the best tool out there. And it becomes that's our insight. So one of the reasons why we like the Fal.Con product is because regardless of what the mess is, that's happening you can rapidly deploy stuff to make a difference. And then you then work out how to fix the mess which is quite a change from how traditionally things are done, which is let's analyze the problem. Let's look at options around it.
And by the time you've done that time has passed and you can't afford to just allow time to pass these days. So having the right technology allows you to rapidly deploy. Of course, we use what we sell. So we are proud to say that we use a number of the Fal.Con products to protect ourselves and consolidate onto that technology as we then offer that out as a service to our clients.
>> So Mike, I'm thinking about the program in general and specifically how you are implementing this program thinking about the path to bringing the customer on board. There are a finite number of strategic seats at any customer's table. So who is at the customer's table? Is it CDL saying, 'Hey, I'm going to bring in my folks from CrowdStrike to have a conversation with you.' Is it CrowdStrike saying, 'Hey, it looks like a service provider might be the best solution for you. Let's go talk to CDL.' How does that work?
>> It's a great question. And I think we talk a lot about how there's a gap in people to support cyber efforts inside of companies. But we don't talk about the gap in like experts that can go in and actually sit down with CISOs, with CIOs, with CFOs. And so for us, like it's all about the flexibility. It's, it's what do you need in the moment? Because at the end of the day, it comes down to the people. If Jason has a great trusted relationship, he's like, 'Hey I just need some content.' 'Help me push why we're powered by CrowdStrike in this moment.' Great, go run. If we have an opportunity where we know that Cyber Defense Labs has a presence then we go in together, right? Like that flexibility is there. We've done a lot. When you build a program like this, like it's easy to tell the market what they need. It's easy to tell everybody, but it's also you're looking at a cultural shift and how CrowdStrike goes to market, right? Like this is all about how do we get every possible route to market to stop breaches for customers of all sizes.
>> I would echo that.
There's three ways that that's working for our two companies at the moment. Many times a lot of the relationships that we have are trusted advisor at the owner or board level of these mid-market and enterprise companies. They're looking to ask for a number of things. And one of the things that we then say is, Hey for your technology roadmap, hey we want to bring in co-present coded us, co-discuss co-strategize with you what your roadmap is. And so we often bring CrowdStrike into the conversations that Cyber Defense Labs is having at the board level. Then on the other side, CrowdStrike obviously has a significant sales force and trusted advisors. They go in with the product and then it's apparent that the, you know, the client wants way more than just the product. They say, this is great. I love it. I've made my decision, but I can't operate it effectively. And so we then get pulled in from that perspective
>> You get to all the time from product companies, right? It's like, okay, now what? How do I do this? And you go, oh, I'll call somebody. So this is going to accelerate. You go to market.
>> Well, and everybody looks at it like, you know how does your sales play with their sales, right? Everyone's going after the same thing. And I'm, you know, that's important, but you have to look at CrowdStrike as more than sales, right? We have an amazing threat intel group that are helping clients understand the risk factors and what bad people are trying to do to them. We can bring so many experts to the side of a Cyber Defense Labs in, in that realm. You know, we've been doing this a long time.
>> This is what's interesting to me when I think about your threat hunting, because you guys are experts and you guys are experts. But the... Correct me if I'm wrong. But the advantage I see at the CrowdStrike has is your cloud platform allows you to have such a huge observation space. You got a ton of data and you bring that to the relationship as well and then you benefit from that?
>> It's two way. It's absolutely two way. CrowdStrike has a whole bunch of experts and expertise in this space. So do Cyber Defense Labs. We call it for us because we're providing a service to multiple clients. Many of them have a global presence. We call it our global threat view. And absolutely we are exchanging real time threat telemetry data with, with our friends at CrowdStrike, which is impacting the value that we have and the ability to respond extremely quickly when something's happening to one of our clients.
>> Well, I just add to that, you know if you look at all of our alliances, right? We've got solution providers, tech reliant, everything. The one thing that's really interesting about the CrowdStrike powered service provider program: it lives in alliances. It's a partnership program, but they're our customer. They have chosen to standardize on our platform, right. To help drive the best results for their customers. And so we treat them like a partner because it's not for internal use. There's unlimited aspect to it. And so as that treating like partnership we have to enable them with more than just product. Right? We want to bring the right experts. We want to bring the right, you know, vision of where the market's going the threats out there, things of that nature. And that's something that we do every day with you guys.
>> And it was even expressed earlier with the keynote speech that George gave. Look there's an ecosystem of very good technologies, very good providers. And there, there's that sort of friend-of-me view here. You put the best thing together for the client at the end of the day. And if we all acknowledge, which I think is the maturity of our partnership, that one plus one equals, I always say at 51 now, if you play it right, then the partner sees... That the client sees the value of the partnership. And so they want more of that.
>> So it sounds like... We got to wrap, but I wonder if we could close on this.
It sounds like this was happening just organically in the field. Now you've codified it. So my question to each of you is: What's your vision for the future? Where do you guys want to take this thing?
>> What a wrap question right there. I love it. Honestly, like we look at it in... Look at what does it mean to be a CrowdStrike powered service provider. It is more than just the platform. It's the program in general, offering them tools to go in and do early assessments. One thing about service providers, they're in there before vendors, right? We're still a vendor at the end of the day. And so they have that relationship, like how do we enable them to leverage our platform, leverage our tools, leverage our programs in order to help a client understand, like, what is your risk factor. Could a breach come, things of that nature. And so it's really building in really enabling a partner like Cyber Defense Labs to take on the full suite of programs, services, platform that we can provide to them as a customer, treated them like a partner.
>> And Jason, from your perspective, bring us on if you would.
>> So our partnership with CrowdStrike is really enabling Cyber Defense Labs to increase our share of wallet, our presence in very specific market segments: the mid-market to enterprise especially around banking, financial services, auto dealerships, healthcare, manufacturing, where last year we saw a significant progress there. And we think we're going to double it between this year and next year.
>> Jason Cook, Mike Riolo. Thanks for coming in TheCube. Great story.
>> Thank you for having us
>> Alright, thank you for watching. Keep it right there. Dave Vellante and Dave Nicholson will be back right after this short break from Fal.Con 22. You're watching TheCube.
(soft electronic music)
Breaking Analysis: How CrowdStrike Plans to Become a Generational Platform
>> From theCUBE studios in Palo Alto in Boston bringing you data driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> In just over 10 years, CrowdStrike has become a leading independent security firm with more than 2 billion in annual recurring revenue, nearly 60% ARR growth, an approximate $40 billion market capitalization, very high retention rates, low churn, and a path to 5 billion in revenue by mid decade. The company has joined Palo Alto Networks as a gold standard pure play cyber security firm. It has achieved this lofty status with an architecture that goes beyond a point product. With outstanding go to market and financial execution, some sharp acquisitions and an ever increasing total available market. Hello, and welcome to this week's Wikibon Cube Insights powered by ETR. In this "Breaking Analysis" and ahead of Falcon, Fal.Con, CrowdStrike's user conference, we take a deeper look into CrowdStrike, its performance, its platform, and survey data from our partner ETR. Now, the general consensus is that spending on Cyber is non-discretionary and has held up better than other technology sectors. While this is generally true, as this data shows, it's nuanced. Let's explore this a bit. First, this is a year-to-date chart of the stock performance of CrowdStrike relative to Palo Alto, the BUG ETF, which is a Cyber index, the NASDAQ and SentinelOne, a relatively new entrant to the IPO public markets. Now, as you can see the security sector as evidenced by the orange line, that Cyber ETF, is holding up better than the overall NASDAQ which is off 28% year-to-date. Palo Alto has held up incredibly well, the best, being off only around 4% year-to-date. Whereas CrowdStrike is off in the double digits this year. But up as we talked about in one of our last "Breaking Analysis" on Cyber, up from its lows this past May. Now, CrowdStrike had a very nice beat and raise on August 30th. But the stock didn't respond well initially.
We asked "Breaking Analysis" contributor, Chip Simonton for his technical take and he stated that CrowdStrike has bounced around for the last three months in its current range. He said that Cyber stocks have held up better than the rest of the market, as we're showing. And now might be a good time to take a shot but he is cautious. FedEx had a warning today of a global recession and that's an obvious cause for concern. You know, maybe some of these quality Cyber stocks like Palo Alto and CrowdStrike and Zscaler will outperform in a recession, but that play is not for the faint of heart. In fact, it's feeling like a longer, more drawn out tech lash than many had hoped. Perhaps as much as 12 to 18 months of bouncing around with sellers still in control, is generally the sentiment from Simonton. So in terms of Cyber spending being non-discretionary, we'd say it's less discretionary than other IT sectors but the CISO still does not have an open wallet, as we've reported before. We've seen that spending momentum has decelerated in all sectors throughout the year. This is an across the board trend. Now, independent of the stock price, George Kurtz, CEO of CrowdStrike, he's running a marathon, not a sprint. And this company is running at a nice pace despite tough macro headwinds. The company is free cash flow positive and is in the black, on a non-GAAP operating profit basis and yet it's growing ARR at nearly 60%. Frank Slootman uses the term inherent profitability, meaning that the company could drive more profits if it wanted to dial down expenses especially in go to market costs. But that would be a mistake for a company like CrowdStrike, in our opinion. While it has an impressive nearly 20,000 customers, there are hundreds of thousands of customers that CrowdStrike could penetrate. So like Snowflake and Slootman, Kurtz is not taking his foot off the gas.
Now, the fundamental strength of CrowdStrike and its secret sauce is its architecture and platform, in our view, so let's take a deeper look. CrowdStrike believes that the unstoppable breach is a myth. Now, CISOs don't agree with that because they assume they're going to get breached, but that's CrowdStrike's point of view, so lofty vision. CrowdStrike's mission is to consolidate the patchwork of solutions by introducing modules that go beyond point products. CrowdStrike has more than 20 modules, I think 22, that span a range of capabilities as shown in this table. Now, there are a few critical aspects of the CrowdStrike architecture that bear mentioning. First is the lightweight agent, that is fundamental. You know, we're used to thinking that agentless is good and agent is bad, but in this case, a powerful but small, slim and easy to install but unobtrusive agent has its advantages because it supports multiple CrowdStrike modules. The second point is CrowdStrike from the beginning has been dogmatic about getting all the telemetry data into the cloud. It sort of shunned doing bespoke on prem so that all the data could be analyzed. So the more agents that CrowdStrike installs around the world, the more data it has access to and the better its intelligence. Few companies have access to more data, perhaps Microsoft given its scale and size is an exception in that endpoint space. CrowdStrike has developed a purpose-built threat graph and analytics platform that allows it to quickly ingest in near real time key telemetry data and detect not only known malware, that's pretty straightforward, pretty much anybody could do that. But using machine intelligence, it can also detect unknown malware and other potentially malicious behavior using indicators of attack, IOC, or IOAs. Humio is shown here as a company that CrowdStrike bought for around 400 million in early 2020, early 2021. It's the company's Splunk killer and will serve as an observability platform.
It's really starting to take off, that's a great market for them to go after. CrowdStrike, to try to put it into sort of a summary, uses a three pronged approach. First is its next generation anti-virus, meaning it's SaaS based. SaaS based solution that can do fast lookups to telemetry data and that data lives in the cloud. And this leverages CrowdStrike's proprietary threat graph. Now, the second is endpoint detection and response. CrowdStrike sends all endpoint activity to the cloud and can process the data in real time. CrowdStrike EDR allows you to search data history and it partners with threat intelligence platforms who push the data into CrowdStrike, the CrowdStrike cloud. This increases CrowdStrike's observation space. It also has containment capabilities in EDR to fence off compromised systems. Now, the third leg of the stool is CrowdStrike's world class managed hunting approach. Like many firms, CrowdStrike has a crack team of experts that is looking at the data, but CrowdStrike's advantage is the amount of data, that observation space that we just talked about, and near real time capabilities of the architecture thanks to that proprietary database that they've developed. And all this is built in the cloud and so it enables global scale. And of course, agility. Now, let's dig into some of the survey data and take a look at what ETR respondents are saying about the spending momentum for CrowdStrike in context with its peers. Here's a very recent dataset, the October preliminary data from the October dataset in ETR's survey. Eric Bradley shared with us, ETR's head of strategy, and he runs the round tables, he's a frequent "Breaking Analysis" contributor. This is an XY graph with Net Score or spending momentum on the vertical axis and the overlap or pervasiveness in the survey on the horizontal axis. That dotted red line at 40% indicates an elevated level of spending velocity. Anything above that, we consider really impressive.
Note the CrowdStrike progression since the pandemic started. The two notable points are one, that CrowdStrike has remained consistently above that 40% mark and two, it has made notable progress to the right. You can see that sort of squiggly line consistently increasing its share with one little anomaly there in the early days of over a two-year period. The other call out here is Microsoft in the upper-right. We circled Microsoft as usual. Microsoft messes up the data because it's such a dominant player and, as referenced earlier, has massive scale and very quality telemetry from its endpoints. Unlike AWS, Microsoft is a direct competitor of CrowdStrike's. Nonetheless, the sector remains very strong with lots of players. Cyber is a large and expanding TAM with too many point tools that CrowdStrike is well positioned to consolidate, in our view. Now, here's a more narrow view of that same XY graph. What it does is it takes out Microsoft to kind of normalize the data a bit and it compares a number of firms that specialize in endpoint, along with CrowdStrike such as Tanium which also has a lightweight agent, by the way, and appears to be doing pretty well. SentinelOne did a relatively recent IPO, took off, stock hasn't done as well since, as you saw earlier. Carbon Black which VMware bought for around $2 billion and Cylance which is the Blackberry pivot. Now, we've also for context included Palo Alto and Cisco because they are major players with the big presence in security and they've got solutions that compete with CrowdStrike. But you can see how CrowdStrike looms large with a higher net score than these others. Although Palo Alto is very impressive, as is Cisco, steady. But Palo Alto also, sorry, CrowdStrike also has a very steady posture instead of just looming on that X axis. Let's now take a look at XDR, extended detection and response.
XDR is kind of this bit of a buzzword but CrowdStrike seems to be taking the mantle and trying to sort of own the category and define it, in our view. It's a natural evolution of endpoint detection and response, EDR. In a recent ETR Roundtable hosted by our colleague, Eric Bradley, the sentiment among several CIOs is that existing SIEM, security information and event management platforms are inadequate and some see XDR as a replacement for, or at least a strong complement to SIEM. CISOs want a single view of their data. Hmm, you haven't heard that before. They want help prioritizing potentially high impact breaches and they want to automate the low level stuff because the problem is sometimes too much information becomes information overload and you can't prioritize. So they want to consolidate platforms. They want better co consistency. They have too many dashboards, too many stove pipes. They have difficulty scaling and they have inconsistent telemetry data. As one CISO said, it's a call out here. "If the regulatory requirement isn't there, I absolutely would get rid of my SIEM." So CrowdStrike, we feel, is in a good position to continue to gain, share and disrupt this space. And that's what Dave Nicholson and I will be looking for next week when theCUBE is at Fal.Con, CrowdStrike's user conference. We'll be there for two days at the Aria in Vegas. In addition to CrowdStrike CEO, we'll hear from government cyber experts. We always hear that at security conferences and the CEO of Mandiant. Google just the other day closed its $5 billion plus acquisition of Mandiant, which is a threat intelligence expert and MSSP. I'm going to hear a lot about MSSPs by the way. CrowdStrike is a growing MSSP base. We think that's a really interesting sector because many companies don't have a SOC. As many as 50% of companies in the United States don't have a security operations center. So they need help, that's where MSPs come in.
At the conference, there'll be a real focus on the Falcon platform. And we expect CrowdStrike to educate the audience on its multiple modules and how to take advantage of the capabilities beyond endpoint. And we'll also be watching for the ecosystem conversations. We saw this at re:Inforce, for example, where CrowdStrike and Okta were presenting together to show how these companies' products complement each other in the marketplace. Sometimes it gets confusing when you hear that CrowdStrike has an identity product. Okta, of course, is the identity specialist. So we'll be helping extract that signal from the noise. Because a generational company must have a strong ecosystem. CrowdStrike is evolving and our belief is that it has some work to do to create a stronger partner flywheel, and we're eager to dig into that next week. So if you're at the event, please do stop by theCUBE, say hello to Dave Nicholson and myself. Okay, we're going to leave it there today. Many thanks to Chip Simonton and Eric Bradley for their input and contributions to today's episode. Thanks to Alex Myerson, who does production, he also manages our podcast, Ken Schiffman as well, in our Boston studios, Kristen Martin and Cheryl Knight help get the word out on social media and our newsletters, and Rob Hof is our editor in chief over at siliconangle.com. He does some wonderful editing and I really appreciate that. Remember, all these episodes are available as podcasts wherever you listen, just search "Breaking Analysis" Podcast. I publish each week on wikibon.com and siliconangle.com and you can email me at david.vellante@siliconangle.com or DM me @DVellante or comment on our LinkedIn post. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching, and we'll see you next time on "Breaking Analysis". (upbeat music)