Scott Stevens, Palo Alto Networks | RSA 2019


(upbeat music)
>> Live from San Francisco, it's theCUBE covering RSA Conference 2019. Brought to you by Forescout.
>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA North American conference in Moscone. They finally finished the remodel. We're excited to be here. We're in the Forescout Booth and our next guest is here. He's Scott Stevens, the SVP Global Systems Engineering for Palo Alto Networks. How're you doing?
>> I'm doing well. How you doing?
>> Good, so first impressions of the show. I mean, it always amazes me when we come to RSA. We go to a lot of shows but just the size and the scale and the buzz and the activity here is second to none.
>> It's incredibly crowded. I've been trying to walk the halls here, it's a bit of a mess, so yes. (both laughing)
>> Well plus nobody can find their way through the new Moscone. Small detail.
>> Well they're connected different now so it's pretty confusing.
>> Right, all right, let's jump into it. As I look over your shoulder I see zero trust, I see zero trust. Everybody's about zero trust. We had Chason from Forescout last year. He was talking about zero trust.
>> Yep.
>> You guys are talking about zero trust. What exactly is zero trust? And how should people be thinking about zero trust?
>> Yeah it's kind of, it's become buzzword bingo along the way, hasn't it?
>> Right, right, it has.
>> Yeah, so yeah we've been working with Forescout here for about six years now looking at zero trust architectures. The way, I think the fundamental way you look at zero trust is it's an architectural approach to how do you secure your network focused on what's most important, and so you focus on the data that's most, that's key to your business, and you build your security framework from the data out. And so there's all kinds of buzzword bingo we can play about what zero trust means, but what it allows us to do is to create the right segmentation strategy starting in the data center or the cloud and moving back towards those accessing the data, and how do you segment and control that traffic, 'cause fundamentally what we're dealing with in security is two basic problems that we have to, there's many problems but two big problems we have to deal with.
>> Right, right.
>> First is credential based attacks, and so do we have somebody with stolen credentials in the network stealing our data? Or do we have an insider who has credentials but they're malicious, they're actually stealing content from the company. The second big problem is software based attacks. Malware, exploits, scripts, right? And so how do we segment the network where we can enforce user behavior and we can watch for malicious software so we can prevent both of those occurrences through one architectural framework, and I think zero trust gives us that template building block, absent of the buzzword, on how we build out those networks 'cause everybody's enterprise network is a little bit different.
>> Right, so it really goes back to kind of roles and access and those types of things, 'cause the first one you describe, a credential one, if it's somebody in there they have every right to be there but they're doing behavior that's not necessarily what you expect them to do, what you want them to do is atypical, right?
>> Right.
>> So it's a kind of identity and rights management, or is this a different approach or the most sophisticated approach? How's it been different before?
>> No that's a great question. And we have to build those things together. So on the Palo Alto Networks side what we do is we do enforcement. Layer 7 enforcement based on identity. So based on who the user is and what their rights are we are able to control what they're allowed access to or what they're not allowed access to, and of course if you've got a malicious insider or somebody that's logged in with stolen credentials we can prevent them from doing what they're not allowed to do. And working here with Forescout, we've done a lot of really good integration with them on that identity mapping construct. So how do they help us understand all the identities and all the devices in the network so we can then map that to that user posture and control at Layer 7 what they're allowed to do or not allowed to do.
>> Right, and then on the micro-segmentation, it's always a, how far do you segment? You can segment to one, that doesn't really do you much good, right? (Scott laughing) It's just one. So what are some of the things people should think about in their segmentation strategy?
>> Well again I think you need to start with what's most important, and so if I take a cloud or a data center, clouds and data centers as a starting point are generally all the same. (Jeff laughing) Well, and how we segment is actually the same. And so we have this, sometimes we think that clouds are more difficult to secure than data centers, they are the same basically, we've got north-south traffic, or east-west traffic, how do we, how do we inspect them, how do we, how do we segment that? But if you start with what's most important and work your way. If you tell somebody that you need to micro-segment their network they're going to be done in 14 years, alright? So how do we focus on what's the most important, critical data to their business? And if we stratify their datasets and their applications that access that data and then move down, we may have 50% of the applications in their cloud or data center that we don't micro-segment at all because they're not critical to the business. They're useful to the employees, but if something goes wrong there, no big deal.
>> Right. No impact to the business.
>> Right. And so micro-segmentation isn't just a conversation of where we have to do things, but it's a conversation contextually in terms of what's relevant, where it is important to do that.
>> Right. And then where do we, where do you do a much less robust job.
>> Right. You always have to have inspection and visibility, but there are parts of your network where you're going to be somewhat passive about it. But there're parts of your network you're going to be very aggressive, multi-factor authentication, tight user identity mapping, all of the different aspects. How do we watch for malware? How do we watch for exploits?
>> Curious on doing that segmentation on the value of the dataset, 'cause there's some obvious ones that jump to the top of the list, but I'm just curious if customers get into a situation where they really haven't thought about it once you get ten steps down the list from the top ones, or if you do a forced priority?
>> Yep.
>> And then the other thing I just think is really interesting, the time we live in today, is that a lot of the hackers are not necessarily motivated by personal information or trying to suck a little bit of money out of your bank account, but other types of data that they want to use for other types of actions, like we saw in the election and some of these other
>> Right.
>> kind of, I want to say softer, kind of softer uses of softer data for different types of activity than the traditional ransomware or malware. And how does that map back to, oh I didn't necessarily think that was an important piece of data, but that's a shifting landscape in that part of the organization.
>> Certainly, yeah you need to take a look at what's most important. You can stratify into a couple tiers, so you're going to have the top ten applications and datasets that are critical to the business. And we know if something happens there we have to publicly announce. Okay there, that you're going to do a really nice segmentation strategy and implement a full zero trust where we're controlling user access, doing full malware inspection, everything there. You're going to have a second tier of data which kind of gets into your soft target conversation, where maybe we're a little less robust with some of the user segmentation and the application controls, but we're as aggressively robust on the malware and software based threats. And frankly being able to inspect and control, find malware, find command-and-control, find exploits in, going in or out of those parts of the network, that is very simple to do, and zero trust helps us to find where are those locations on the data center cloud side but also throughout the enterprise, and where should we have those sensors that are enforcing that behavior.
>> Right, just traffic is exploding, right? Everything's connected. Billions of billions of devices, et cetera, et cetera. We don't need to go through the numbers. It's big. So clearly automation is more and more important as we go forward. Lot of buzz about machine learning, artificial intelligence, applying it. Both the bad guys have it and the good guys have it. A lot of interesting kind of subtopics in terms of training models and how do you train models and the other right type of data. But as you kind of sit where you're sitting and net, net is just a lot more traffic going through the network
>> Yep.
>> whether it's good, bad, or otherwise. How do you guys kind of look at automation? How are you kind of looking forward for using artificial intelligence and some of these newer techniques to help just basically get through, get through the mass if you will?
>> So I think there's two ways to think about artificial intelligence, machine learning, big data analytics, all those,
>> All those good ones.
>> Now we run another buzzword bingo, right?
>> Right, right (laughs)
>> But the first is if we're looking at how are we dealing with malware and finding unknown malware and blocking it, we've been doing that for years. And so the platform we have uses big data analytics and machine learning in the cloud to process and find all of the unknown malware, make it known and be able to block it. So we find 20 to 30 thousand brand new pieces of malware every day, and within five minutes of finding them,
>> finding 30,000
>> every day. So analyzing millions and millions of files every day to figure out which ones are malicious. And once we know, within five minutes we're updating the security posture for all of our connected security devices globally. So whether it's endpoint software or it's our inline next gen firewalls, we're updating all of our, all of our signatures so that the unknown is now known and the known can be blocked. And so that's whether we're watching to block the malware coming in, or the command-and-control it's using via DNS and URL to communicate and start whatever it's going to do, and you mentioned crypto lockers and all kinds of things that can happen. And so that's one vector of using ML, AI and ML, to prevent the ability for these attacks to succeed. Now the other side of it, I think you're alluding to a little bit more, is how do we then take some of the knowledge and the lessons we've learned for what we've been doing now for many years in discovering malware and apply that same AI and ML locally to that customer so that they can detect very creative attacks. Very evasive attacks. Or that insider threat, that employee who's behaving inappropriately but quietly. And so we've announced over the last week what we call the Cortex XDR set of offerings that involves allowing the customer to build an aggregated data lake which uses the zero trust framework, which tells us how to segment, also put sensors in all the places of the network, both network sensors and endpoint, as we look at how do you secure the endpoint as well as how do you secure the network links, and using those together we're able to stitch those logs together in the data lake. That machine learning can now be applied to on a customer by customer basis, to find maybe somebody was able to evade 'cause they're very creative, or that insider threat again, who isn't breaking security rules but they're being evasive? We can now find them through machine learning.
>> Right.
>> And the cool thing about zero trust is the prevention architecture that we needed for zero trust becomes the sensor architecture for this machine learning engine. You get dual purpose use out of the architecture of zero trust to solve both the inline prevention and the response architecture that you need.
>> Right.
>> It's a long answer, I know.
>> It's a crazy space, I mean, it's just fast. I mean the numbers in the mass of just throughput in this area is just fascinating.
>> Yes.
>> And so we're here in the Forescout booth and they've got a unique take on all the objects and everything that is connected to the networks. We've heard from people earlier today it's 50, 60, 70% more things connected than they ever even, than they ever even thought. Most of them not malicious but just people plug it in at various remote offices and that and that.
>> Yeah, well IoT, the next buzzword bingo
>> Right, right, right, there you go. We'll hit them all. (both laughing) What are we missing? So how are you guys working with Forescout, how do the two solutions work together to get a one plus one makes three?
>> Yeah, as we were talking a little bit before, getting that concept of what are all these connected devices. What is the device itself and who are the users attached to those devices? Forescout has that insight. So we don't do, I always look at that as identity assertion. Device aware identity assertion, so how do we define what they are and who they are. What we do then is in working with Forescout we take that knowledge that they have and that turns into identity and device enforcement. And that's how we enforce those postures so that I know employee A isn't allowed to the intellectual property datasets. Employee B is. Well in the old world of security you just have a rule for how do you get to that. In what we do now with layers with user based and application controls, I can, on a user by user basis, determine what they're allowed to do, and not allowed to do. Forescout gives us that insight so that we are able to enforce. They handle making sure they know exactly who it is so we enforce it properly.
>> Right, and for the devices, right? 'Cause you basically assign almost like an identity and a role to a device.
>> Exactly, and then you don't end up with this weird spaghetti network topology where okay, we have to put all of our IoT devices on these 14 VLANs and we're going to extend them all across our enterprise, not, all that goes away.
>> All kinds of natural acts.
>> Right.
>> All right, so Scott, I'll give you the last word before you sign off. As we look forward to 2019, and I can't believe it's March already, (Scott laughing) Scary. What's some of your priorities? What are you working on? What's the rest of the year look like for you?
>> I think, you're back to buzzword bingo, we're spending a lot of time right now looking at how do we help our customers with that, generating that data lake so they can help figure out what's happening within their infrastructure. And as you pivot from the security posture, which of course is where we're always going to pay attention, and you help them think about operationalizing that. And how do we help the Sec Ops, or the SOC, figure out what's going on in their network. The data they're dealing with is massive. And so they're looking at haystacks and haystacks and haystacks.
>> Right.
>> And part of the goal of what we're trying to do is help them burn down those haystacks and hand them needles, 'cause in the end all they care about is the needles. The hay is getting in the way. And so there's a lot of work that we're doing around machine learning, around optimizing workloads and automation so that we can reduce that complexity. We've been doing it for the last 10 years for network security. How do we take the complexity of all the things we used to do separate and simplify them and automate, so we've automated the feedback loops for network security, for the next gen firewall. We've simplified what you can do on the endpoint for Traps and how we protect that. We've done, with the integration with Forescout, we're simplifying how you map that identity back and forth. And I think for the rest of the year it's really about simplifying operations and helping quickly determine when something is wrong in the network so you can fix it fast.
>> Right.
>> Before you're dealing with an exfiltration problem.
>> Not 150 days or whatever the
>> Way too long.
>> crazy average stat is.
>> How about four hours. What if we try for four hours?
>> Yeah that's better. More better, more better. (laughing) All right, Scott, thanks for sharing the insight.
>> Thanks for your time.
>> Let's go burn some haystacks. He's Scott, I'm Jeff. You're watching theCUBE. We're at RSA 2019 in San Francisco. Thanks for watching. We'll be right back. (upbeat music)

Published Date: Mar 7 2019
