Bryan Inman, Armis | Managing Risk With The Armis Platform REV2
(upbeat music)
>> Hello everyone, welcome back to Managing Risk Across the Extended Attack Surface with Armis. I'm John Furrier, your host of theCUBE. Got the demo. Got here, Bryan Inman, sales engineer at Armis. Bryan, thanks for coming on. We're looking forward to the demo. How you doing?
>> I'm doing well, John, thanks for having me.
>> We heard from Nadir describing Armis' platform, lot of intelligence. It's like a search engine meets data at scale, intelligent platform around laying out the asset map, if you will, the new vulnerability module among other things that really solves CISCO's problems. A lot of great customer testimonials and we got the demo here that you're going to give us. What's the demo about? What are we going to see?
>> Well, John, thanks. Great question. And truthfully, I think as Nadir has pointed out what Armis as a baseline is giving you is great visibility into every asset that's communicating within your environment. And from there, what we've done is we've layered on known vulnerabilities associated with not just the device, but also what else is on the device. Is there certain applications running on that device, the versions of those applications, and what are the vulnerabilities known with that? So that really gives you great visibility in terms of the devices that folks don't necessarily have visibility into now, unmanaged devices, IoT devices, OT, and critical infrastructure, medical devices, things that you're not necessarily able to actively scan or put an agent on. So not only is Armis telling you about these devices but we're also layering on those vulnerabilities all passively and in real time.
>> A lot of great feedback we've heard and I've talked to some of your customers. The agentless is a huge deal. The discoveries are awesome. You can see everything and just getting real time information. It's really, really cool. So I'm looking forward to the demo for our guests. Take us on that tour.
Let's go with the demo for the guests today.
>> All right. Sounds good. So what we're looking at here is within the Armis console is just a clean representation of the passive reporting of what Armis has discovered. So we see a lot of different types of devices from your virtual machines and personal computers, things that are relatively easy to manage. But working our way down, you're able to see a lot of different types of devices that are not necessarily easy to get visibility into, things like your up systems, IT cameras, dash cams, et cetera, lighting systems. And today's day and age where everything is moving to that smart feature, it's great to have that visibility into what's communicating on my network and getting that, being able to layer on the risk factors associated with it as well as the vulnerabilities. So let's pivot over to our vulnerabilities tab and talk about the AVM portion, the asset vulnerability management. So what we're looking at is the dashboard where we're reporting another clean representation with customizable dashlets that gives you visuals and reporting and things like new vulnerabilities as they come in. What are the most critical vulnerabilities, the newest as they roll in the vulnerabilities by type? We have hardware. We have application. We have operating systems. As we scroll down, we can see things to break it down by vulnerabilities, by the operating system, Windows, Linux, et cetera. We can create dashlets that show you views of the number of devices that are impacted by these CVEs. And scrolling down, we can see how long have these vulnerabilities been sitting within my environment? So what are the oldest vulnerabilities we have here? And then also of course, vulnerabilities by applications. So things like Google Chrome, Microsoft Office. So we're able to give a good representation of the amount of vulnerabilities as they're associated to the hardware and applications as well.
So we're going to dig in and take a deeper look at one of these vulnerabilities here. So I'm excited to talk today about where Armis AVM is, but also where it's going as well. So we're not just reporting on things like the CVSS score from NIST NVD. We're also able to report on things like the exploitability of that. How actively is this CVE being exploited in the wild? We're reporting EPSS scores. For example, we're able to take open source information as well as a lot of our partnerships that we have with other vendors that are giving us a lot of great value of known vulnerabilities associated with the applications and with hardware, et cetera. But where we're going with this is in very near future releases, we're going to be able to take an algorithm approach of, what are the most critical CVSS that we see? How exploitable are those? What are common threat actors doing with these CVEs? Have they weaponized these CVEs? Are they actively using those weaponized tools to exploit these within other folks' environments? And who's reporting on these? So we're going to take all of these and then really add that Armis flavor of we already know what that device is and we can explain and so can the users of it, the business criticality of that device. So we're able to pivot over to the matches as we see the CVEs. We're able to very cleanly view, what exactly are the devices that the CVE resides on. And as you can see, we're giving you more than just an IP address or a lot more context and we're able to click in and dive into what exactly are these devices. And more importantly, how critical are these devices to my environment? If one of these devices were to go down if it were to be a server, whatever it may be, I would want to focus on those particular devices and ensuring that that CVE, especially if it's an exploitable CVE were to be addressed earlier than say the others and really be able to manage and prioritize these.
Another great feature about it is, for example, we're looking at a particular CVE in terms of its patch and build number from Windows 10. So the auto result feature that we have, for example, we've passively detected what this particular personal computer is running Windows 10 and the build and revision numbers on it. And then once Armis passively discovers an update to that firmware and patch level, we can automatically resolve that, giving you a confidence that that has been addressed from that particular device. We're also able to customize and look through and potentially select a few of these, say, these particular devices reside on your guest network or an employee wifi network where we don't necessarily, I don't want to say care, but we don't necessarily value that as much as something internally that holds significantly more business criticality. So we can select some of these and potentially ignore or resolve for determining reasons as you see here. Be able to really truly manage and prioritize these CVEs. As I scroll up, I can pivot over to the remediation tab and open up each one of these. So what this is doing is essentially Armis says, through our knowledge base been able to work with the vendors and pull down the patches associated with these. And within the remediation portion, we're able to view, for example, if we were to pull down the patch from this particular vendor and apply it to these 60 devices that you see here, right now we're able to view which patches are going to give me the most impact as I prioritize these and take care of these affected devices. And lastly, as I pivot back over.
Again, where we're at now is we're able to allow the users to customize the organizational priority of this particular CVE to where in terms of, this has given us a high CVSS score but maybe for whatever reasons it may be, maybe this CVE in terms of this particular logical segment of my network, I'm going to give it a low priority for whatever the use case may be. We have compensating controls set in place that render this CVE not impactful to this particular segment of my environment. So we're able to add that organizational priority to that CVE and where we're going as you can see that popped up here but where we're going is we're going to start to be able to apply the organizational priority in terms of the actual device level. So what we'll see is we'll see a column added to here to where we'll see the business impact of that device based on the importance of that particular segment of your environment or the device type, be it critical networking device or maybe a critical infrastructure device, PLCs, controllers, et cetera, but really giving you that passive reporting on the CVEs in terms of what the device is within your network. And then finally, we do integrate with your vulnerability management and scanners as well. So if you have a scanner actively scanning these, but potentially they're missing segments of your network, or they're not able to actively scan certain devices on your network, that's the power of Armis being able to come back in and give you that visibility of not only what those devices are for visibility into them, but also what vulnerabilities are associated with those passive devices that aren't being scanned by your network today. So with that, that concludes my demo. So I'll kick it back over to you, John.
>> Awesome. Great walk through there. Take me through what you think the most important part of that. Is it the discovery piece? Is it the interaction? What's your favorite?
>> Honestly, I think my favorite part about that is in terms of being able to have the visibility into the devices that a lot of folks don't see currently. So those IoT devices, those OT devices, things that you're not able to run a scan on or put an agent on. Armis is not only giving you visibility into them, but also layering in, as I said before, those vulnerabilities on top of that, that's just visibility that a lot of folks today don't have. So Armis does a great job of giving you visibility and vulnerabilities and risks associated with those devices.
>> So I have to ask you, when you give this demo to customers and prospects, what's the reaction? Falling out of their chair moment? Are they more skeptical? It's almost too good to be true and end to end vulnerability management is a tough nut to crack in terms of solution.
>> Honestly, a lot of clients that we've had, especially within the OT and the medical side, they're blown away because at the end of the day when we can give them that visibility, as I've said, Hey, I didn't even know that those devices resided in that portion, but not only are we showing them what they are and where they are and enrichment on risk factors, et cetera, but then we show them, Hey, we've worked with that vendor, whatever it may be and Rockwell, et cetera, and we know that there's vulnerabilities associated with those devices. So they just seem to be blown away by the fact that we can show them so much about those devices from behind one single console.
>> It reminds me of the old days. I'm going to date myself here. Remember the old Google Maps mashup days. Customers talk about this as the Google Maps for their assets. And when you have the Google Maps and you have the Ubers out there, you can look at the trails, you can look at what's happening inside the enterprise. So there's got to be a lot of interest in once you get the assets, what's going on those networks or those roads, if you will, 'cause you got in packet movement.
You got things happening. You got upgrades. You got changing devices. It's always on kind of living thing.
>> Absolutely. Yeah, it's what's on my network. And more importantly at times, what's on those devices? What are the risks associated with the applications running on those? How are those devices communicating? And then as we've seen here, what are the vulnerabilities associated with those and how can I take action with them?
>> Real quick, put a plug in for where I can find the demo. Is it online? Is it on YouTube? On the website? Where does someone see this demo?
>> Yeah, the Armis website has a lot of demo content loaded. Get you in touch with folks like engineers like myself to provide demos whenever needed.
>> All right, Bryan, thanks for coming on this show. Appreciate, Sales Engineer at Armis, Bryan Inman. Giving the demo God award out to him. Good job. Thanks for the demo.
>> Thanks, thanks for having me.
>> Okay. In a moment, we're going to have my closing thoughts on this event and really the impact to the business operations side, in a moment. I'm John Furrier of theCUBE. Thanks for watching.
(upbeat music)
Dan Meacham, Legendary Entertainment | AWS re:Inforce 2019
>> Live from Boston, Massachusetts, it's The Cube, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.
>> Hey, welcome back everyone. It's The Cube's live coverage here in Boston, Massachusetts for AWS re:Inforce. This is Amazon Web Services' inaugural security conference around Cloud security. I'm John Furrier. My host Dave Vellante. We've got special guest, we've got another CSO, Dan Meacham, VP of Security and Operations at Legendary Entertainment. Great to see you. Thanks for coming on The Cube.
>> Oh, thank you. It's a very pleasure to be here.
>> We had some fun time watching the Red Sox game the other night. It was the best night to watch baseball. They did win.
>> Was it ever.
>> Always good to go to Fenway Park, but we were talking when we were socializing, watching the Red Sox game at Fenway Park about your experience. You've seen a lot of waves of technology you've been involved in.
>> Yes, yes.
>> Gettin' dirty with your hands and gettin' coding and then, but now running VP of Security, you've seen a lot of stuff.
>> Oh.
>> You've seen the good, bad, and the ugly. (laughing)
>> Yeah, fun business.
>> It is.
>> You guys did Hangover, right?
>> Yes.
>> Dark Knight.
>> Yes.
>> Some really cool videos.
>> Good stuff there, yeah. And it's just amazing cause, you know, how much technology has changed over the years and starting back out in the mid-eighties and early nineties. Sometimes I'm just like, oh, if I could only go back to the IPX/SPX days and just get rid of botnets and things like that. (laughing) That'd be so much easier. Right?
>> The big conversation we're having here, obviously, is Amazon's Security Conference. What's your take on it? Again, security's not new, but they're trying to bring this vibe of shared responsibility. Makes sense because they've got half of the security equation, but you're seeing a lot of people really focusing on security. What's your take of, so far, as an attendee?
>> Well, as we look and, cause I like to go to these different things. One, first to thank everybody for coming because it's a huge investment of time and money to be at these different shows, but I go to every single booth to kind of take a look to see where they are cause sometimes when we look at some of the different technology, they may have this idea of what they want the company to be and they're maybe only a couple years old, but we may see it as a totally different application and like to take those ideas and innovate them and steer them in another direction that kind of best suits our needs. But a lot of times you see a lot of replay of the same things over and over again. A lot of folks just kind of miss some of the general ideas. And, um, this particular floor that we have, there's some interesting components that are out there. There's a lot of folks that are all about configuration management and auto correction of misconfigured environments and things like that. Which is good, but I think when we look at the shared responsibility model and so forth, there's some components that a lot of folks don't really understand they really have to embrace in their environment. They think, oh it's just a configuration management, it's just a particular checklist or some other things that may fix something, but we really got to talk about the roots of some of the other things because if it's not in your data center and it's out somewhere else, doesn't mean you transfer the liability. You still have the ownership, there's still some practice you got to focus on.
>> Take us through the Cloud journey with Legendary. You put some exchange service out there. Continue.
>> Yes, and so as we started bringing these other different SaaS models because we didn't want to have the risk of if something went down we lost everything, but as we did that and started embracing Shadow IT, because if this worked for this particular department, we realized that there wasn't necessarily an applicable way to manage all of those environments simultaneous. What we mean after the standpoint, like we mentioned before, the MFA for each of these different components of the Cloud applications. So that naturally led us into something like single sign-on that we can work with that. But as we started looking at the single sign-on and the device management, it wasn't so much that I can't trust your devices, it's how do I trust your device? And so that's when we created this idea of a user-centric security architecture. So it's not necessarily a zero trust, it's more of a, how can I build a trust around you? So, if your phone trusts you based off of biometrics, let me create a whole world around that, that trust circle and build some pieces there.
>> Okay, so, let me just interrupt and make sure we understand this. So, you decided to go Cloud-First. You had some stuff in colo and then said, okay, we need to really rethink how we secure our operations, right? So, you came up with kind of a new approach.
>> Correct.
>> Cloud approach.
>> Absolutely. And it's Cloud and so by doing that then, trying to focus in on how we can build that trust, but also better manage the applications because, say for example, if I have a collaboration tool where all my files are, I may want to have some sort of protection on data loss prevention. Well, that Cloud application may have its own piece that I can orchestrate with, but then so does this one that's over here and this one over here and so now I've got to manage multiple policies in multiple locations, so as we were going down that piece, we had to say, how do we lasso the security around all these applications?
And so, in that particular piece, we went ahead and we look forward at where is the technology is, so early on, all we had were very advanced SIEMs where if I get reporting on user activity or anomalies, then I had limited actions and activities, which is fine, but then the CASB world ended up changing. Before, they were talking about Shadow IT, now they actually do policy enforcement, so then that allowed us to then create a lasso around our Cloud applications and say, I want to have a data loss prevention policy that says if you download 5,000 files within one minute, take this action. So, before, in our SIEM, we would get alert and there were some things we could do and some things we couldn't, but now in the CASB I can now take that as a piece.
>> So more refined
>> Exactly.
>> in policy. Now, did you guys write that code? Did you build it out? Did you use Cloud?
>> We work with a partner on help developing all this.
>> So, when you think about where the CASBs were five years ago or so, it was all about, can we find Shadow IT? Can we find where social security numbers are? Not necessarily can I manage the environment. So, if you were to take a step back to back in the old days when you had disparate in network architecture equipment, right? And you wanted to manage all your switches and firewalls, you had to do console on each and every one. Over time as it progressed, we now had players out there that can give you a single console that can get in and manage the entire network infrastructure, even if it's disparate systems. This is kind of what we're seeing right now within the Cloud, we're on the cusp of it, some of them are doing really good and some of them still have a lot of things to catch up to do, but we're totally stoked about how this is working in this particular space.
>> So, talk about, like, um, where you are now and the landscape that you see in front of you. Obviously, you have services. I know you.
We met through McAfee, you have other, some vendors. You have a lot of people knocking on your doors, telling you stuff. You want to be efficient with your team.
>> Yes.
>> You want to leverage the Cloud.
>> Yes.
>> As you look at the landscape and a future scape as well, what're you thinking about? What's on your mind? What's your priorities? How're you going to navigate that? What're some of the things that's driving you?
>> (sighing) It's a cornucopia of stuff that's out there. (laughing) Depending on how you want to look at it. And you can specialize in any particular division, but the biggest things that we really want to focus on is we have to protect our data, we have to protect our devices, and we have to protect our users. And so that's kind of that mindset that we're really focused on on how we integrate. The biggest challenges that we have right now is not so much the capability of the technology, because that is continually to evolve and it's going to keep changing. The different challenges that we have when we look in some of these different spaces is the accountability and the incorporation and cooperation because an incident's going to happen. How are you going to engage in that particular incident and how are you going to take action? Just because we put something in the Cloud doesn't mean it was a set and forget kind of thing. Because if it was in my data center, then I know I have to put perimeter around it, I know I got to do back-ups, I know I got to do patch management, but if I put it in the Cloud, I don't have to worry about it. That is not the case. So, what we're finding a lot is, some of these different vendors are trying to couch that as, hey we'll take care of that for you, but in fact, reality is you got to stay on top of it.
>> Yeah. And then you got to make sure all the same security practices are in there.
So, the question I have for you is: what's the security view of the Cloud versus on premise (muttering) the data's in the perimeter, okay that's kind of an older concept, but as you're thinking about security in Cloud, Cloud security versus on premise, what's the difference? What's the distinction? What's the nuances?
>> Well, if we go old-school versus new-school, old-school would say, I can protect every thing that's on prem. That's not necessarily the case that we see today because you have all this smart technology that's actually coming in and is eliminating your perimeter. I mean, back in the day you could say, hey, look, we're not going to allow any connections, inbound or outbound, to only outside the United States cause we're just a U.S.-based company. Well, that's a great focus, but now when you have mobile devices and smart technology, that's not what's happening. So, in my view, there's a lot of different things that you may actually be more secure in the Cloud than you are with things that are on prem based off of the architectural design and the different components that you can put in there. So, if you think about it, if I were to get a CryptoLocker in house, my recovery time objective, recovery point objective is really what was my last back-up. Where if I look at it in the Cloud perspective, it's where was my last snapshot? (stuttering) I may have some compliance competes on there that records the revision of a file up to 40 times or 120 times, so if I hit that CryptoLocker, I have a really high probability of being able to roll back in the Cloud faster than I could if I lost something that was in prem. So, ideally, there's a lot more advantages in going with the Cloud than on prem, but again, we are a Cloud-First company.
>> Is bad user behavior still your biggest challenge?
>> Is it ever! I get just some crazy, stupid things that just happen.
>> The Cloud doesn't change that, right?
>> No!
(laughing) No, you can't change that with technology, but a lot of it has to be with education and awareness. And so we do have a lot of very restrictive policies in our workforce today, but we talk to our users about this, so they understand. And so when we have things that are being blocked for a particular reason, the users know to call us to understand what had happened and in many cases it's, you know, they clicked on a link and it was trying to do a binary that found inside of a picture file of all things on a web browser. Or they decided that they wanted to have the latest Shareware file to move mass files and then only find out that they downloaded it from an inappropriate site that had binaries in it that were bad and you coach them to say, no this is a trusted source, this is the repository where we want you to get these files. But my favorite though is, again, being Cloud-First, there's no reason to VPN into our offices for anything because everything is out there and how we coordinate, right? But we do have VPN set up for when we travel to different countries with regards to, as a media company, you have to stream a lot of different things and, so, if we're trying to pitch different pieces that we may have on another streaming video-on-demand service, some of those services and some of those programmings may not be accessible into other countries or regions of the world. So, doing that allows us to share that. So, then, a lot of times, what we find is we have offices and users that're in different parts of the world that will download a free VPN. (laughing) Because they want to be able to get to certain types of content.
>> Sounds good.
>> And then when you're looking at that VPN and that connection, you're realizing that that VPN that they got for free is actually being routed through a country that is not necessarily friendly to the way we do business.
They're like, okay, so you're pushing all of our data through that, but we have to work through that, there's still coaching. But fortunately enough, by being Cloud-First, and being how things are architected, we see all that activity, where if it was all in prem, we wouldn't necessarily know that that's what they were doing, but because of how the user-centric piece is set-up, we have full visibility and we can do some coaching.
>> And that's the biggest issue you've got. Bigtime, yes? Visibility.
>> What's a good day for a security practitioner?
>> (laughing) A good day for a security practitioner. Well, you know, it's still having people grumpy at you because if they're grumpy at you, then you know you're doing your job, right? Because if everybody loves the security guy, then somebody's slipping something somewhere and it's like, hey, wait a minute, are you really supposed to be doing that? No, not necessarily. A good day is when your users come forward and say, hey, this invoice came in and we know that this isn't our invoice, we want to make sure we have it flagged. And then we can collaborate and work with other studios and say, hey, we're seeing this type of vector of attack. So, a good day is really having our users really be a champion of the security and then sharing that security in a community perspective with the other users inside and also communicating back with IT. So, that's the kind of culture we want to have within our organization. Because we're not necessarily trying to be big brother, we want to make it be able to run fast because if it's not easy to do business with us, then you're not going to do business with us.
>> And you guys have a lot of suppliers here at the re:Inforce conference. Obviously, Amazon, Cloud. What other companies you working with? That're here.
>> That're here today? Well, CrowdStrike is an excellent partner and a lot of things. We'll have to talk on that a little bit.
McAfee, with their MVISION, which was originally Skyhigh, has just been phenomenal in our security architecture as we've gone through some of the other pieces. We do have Alert Logic and also Splunk. They're here as well, so some great folks.
>> McAfee, that was the Skyhigh acquisition.
>> That is correct and now it's MVISION.
>> And that's the Cloud group within McAfee. What do they do that you like?
>> They brought forth the Cloud access security broker, the CASB product, and one of the things that has just been fascinating and phenomenal in working with them is when we were in evaluation mode a couple of years ago and were using the product, we're like, hey, this is good, but we'd really like to use it in this capacity. Or we want to have these artifacts of this intelligence come out of the analytics and, I kid you not, two weeks later the developers would put it out there in the next update and release. And it was like for a couple of months. And we're like, they're letting us use this product for a set period of time, they're listening to what we're asking for, we haven't even bought it, but they're very forward-thinking, very aggressive and addressing the specific needs from the practitioner's view that they integrated into the product. It was no-brainer to move forward with them. And they continue to still do that with us today.
>> So that's a good experience. I always like to ask practitioners, what're some things that vendors are doing that either drive you crazy or they shouldn't be doing? Talk to them and say, hey, don't do this or do this better.
>> Well, when you look at your stop-doing and your start doing list and how do you work through that? What really needs to be happening is you need your vendor and your account manager to come out on-site once a quarter to visit with you, right?
You're paying for a support on an annual basis, or however it is, but if I have this Cloud application and that application gets breached in some way, how do I escalate that? I know who my account manager is and I know the support line but there needs to be an understanding and an integration into my incidents response plan as when I pick up the phone, what's the number I dial? And then how do we engage quickly? Because now where we are today, if I were to have a breach, a compromised system administrator account, even just for 20 minutes, you can lose a lot of data in 20 minutes. And you think about reputation, you think about privacy, you think about databases, credit cards, financials. It can be catastrophic in 20 minutes today with the high-speed rates we can move data. So, my challenge back to the vendors is once a quarter, come out and visit me, make sure that I have that one sheet about what that incident response integration is. Also, take a look at how you've implemented. Am I still on track with the architecture? Am I using the product I bought from you effectively and efficiently? Or is there something new that I need to be more aware of? Because a lot of times what we see is somebody bought something, but they never leveraged the training, never leveraged the support. And they're only using 10% of the capability of the product and then they just get frustrated and then they spend money and go to the next product down the road, which is good for the honeymoon period, but then you run into the same process again. So, a lot of it really comes back to vendor management more so than it is about the technology and the relationship.
>> My final question is: what tech are you excited about these days? Just in general in the industry. Obviously security, you've got the Cloud, you're Cloud-First, so you're on the cutting edge, you've got some good stuff going on. You've got a historical view. What's exciting you these days from a tech perspective?
>> Well, over the last couple of years, there's been two different technologies that have really started to explode that I really am excited about. One was leveraging smart cameras and facial recognition and integrating physical stock with cyber security stock. So, if you think about from another perspective, cameras, surveillance today is, you know, we rewind to see something happen, maybe I can mark something. So, if somebody jumped over a fence, I can see 'cause it crossed the line. Now the smart cameras over the last three or four or five years have been like, if I lost a child in a museum, I could click on child, it tells me where it is. Great. Take that great in piece and put it in with your cyber, so now if you show up on my set or you're at one of our studios, I want the camera to be able to look at your face, scrub social media and see if we can get a facial recognition to know who you are and then from that particular piece, say okay, has he been talking trash about our movies? Is he stalking one of our talent? From those different perspectives. And then, moreover, looking at the facial expression itself. Are you starstruck? Are you angry? Are you mad? So, then that way, I know instantly in a certain period of time what the risk is and so I can dispatch appropriately to have security there or just know that this person's just been wandering around because they're a fan and they want to know something. So, maybe one of those things where we can bring them a t-shirt and they'll move on onto their way and they're happy. Versus somebody that's going to show up with a weapon and we have some sort of catastrophic event. Now, the second technology that I'm really pretty excited about. Is when we can also talk a little about with the 5G technology. So, when everybody talks about 5G, you're like, oh, hey, this is great. This is going to be faster, so why are we all stoked about things being super, super fast on cellular? That's the technical part. 
You got to look at the application or the faculty of things being faster. To put it into perspective, if you think about a few years ago when the first Apple TV came out, everybody was all excited that I could copy my movies on there and then watch it on my TV. Well, when internet and things got faster, that form factor went down to where it was just constantly streaming from iTunes. Same thing with the Google Chromecast or the Amazon Fire Stick. There's not a lot of meat to that, but it's a lot of streaming on how it works. And so when you think about the capability from that perspective, you're going to see technology change drastically. So, your smartphone that holds a lot of data is actually probably going to be a lot smaller because it doesn't have to have all that weight to have all that stuff local because it's going to be real-time connection, but the fascinating thing about that, though, is with all that great opportunity also comes great risk. So, think about it, if we were to have a sphere and if we had a sphere and you had the diameter of that sphere was basically technology capability. As that diameter grows, the volume of the technology that leverages that grows, so all the new things that come in, he's building. But as that sphere continues to grow, what happens is the surface is your threat. Is your threat vector. As it continues to grow, that's going to continue to grow. (stuttering) There's a little bit of exponential components, but there's also a lot of mathematical things on how those things relate and so with 5G, as we get these great technologies inside of our sphere, that threat scape on the outside is also going to grow. >> Moore's law in reverse, basically. >> Yeah. >> Surface area is just balloon to be huge. That just kills the perimeter argument right there. >> It does. >> Wow. And then we heard from Steve Schmidt on the keynote. They said 90% of IoT data, thinking about cameras, is HTTP, plain text. >> Exactly. 
And it's like, what're you-- >> Oh, more good news! >> Yeah. (laughing) >> At least you'll always have a job. >> Well, you know, someday-- >> It's a good day in security. Encrypt everywhere, we don't have time to get into the encrypt everywhere, but quick comment on this notion of encrypting everything, what's your thoughts? Real quick. (sighing) >> All right, so. >> Good, bad, ugly? Good idea? Hard? >> Well, if we encrypt everything, then what does it really mean? What're we getting out? So, you remember when everybody was having email and you had, back in the day, you had your door mail, Netscape Navigator and so forth, and thought, oh, we need to have secure email. So then they created all these encryption things in the email, so then what happens? That's built into the applications, so the email's no longer really encrypted. >> Yeah. >> Right? So I think we're going to see some things like that happening as well. Encryption is great, but then it also impedes progress when it comes to forensics, so it's only good until you need it. >> Awesome. >> Dan, thanks so much here on the insights. Great to have you on The Cube, great to get your insights and commentary. >> Well, thank you guys, I really appreciate it. >> You're welcome. >> All right, let's expecting to steal is from noise, talking to practitioner CSOs here at re:Inforce. Great crowd, great attendee list. All investing in the new Cloud security paradigm, Cloud-First security's Cube's coverage. I'm John Furrier, Dave Vellante. Stay tuned for more after this short break. (upbeat music)
Rachel Faber Tobac, Course Hero, Grace Hopper Celebration of Women in Computing 2017
>> Announcer: Live from Orlando, Florida. It's the CUBE. Covering Grace Hopper Celebration of Women in Computing. Brought to you by Silicon Angle Media. >> Welcome back everybody. Jeff Frick here with the Cube. We are winding down day three of the Grace Hopper Celebration of Women in Computing in Orlando. It's 18,000, mainly women, a couple of us men hangin' out. It's been a phenomenal event again. It always amazes me to run into first timers that have never been to the Grace Hopper event. It's a must do if you're in this business and I strongly encourage you to sign up quickly 'cause I think it sells out in about 15 minutes, like a good rock concert. But we're excited to have our next guest. She's Rachel Faber Tobac, UX Research at Course Hero. Rachel, great to see you. >> Thank you so much for having me on. >> Absolutely. So, Course Hero. Give people kind of an overview of what Course Hero is all about. >> Yup. So we are an online learning platform and we help about 200 million students and educators master their classes every year. So we have all the notes, >> 200 million. >> Yes, 200 million! We have all the notes, study guides, resources, anything a student would need to succeed in their classes. And then anything an educator would need to prepare for their classes or connect with their students. >> And what ages of students? What kind of grades? >> They're usually in college, but sometimes we help high schoolers, like AP students. >> Okay. >> Yeah. >> But that's not why you're here. You want to talk about hacking. So you are, what you call a "white hat hacker". >> White hat. >> So for people that aren't familiar with the white hat, >> Yeah. >> We all know about the black hat conference. What is a white hat hacker. >> So a "white hat hacker" is somebody >> Sounds hard to say three times fast. >> I know, it's a tongue twister. A white hat hacker is somebody who is a hacker, but they're doing it to help people. 
They're trying to make sure that information is kept safer rather than kind of letting it all out on the internet. >> Right, right. Like the old secret shoppers that we used to have back in the pre-internet days. >> Exactly. Exactly. >> So how did you get into that? >> It's a very non-linear story. Are you ready for it? >> Yeah. >> So I started my career as a special education teacher. And I was working with students with special needs. And I wanted to help more people. So, I ended up joining Course Hero. And I was able to help more people at scale, which was awesome. But I was interested in kind of more of the technical side, but I wasn't technical. So my husband went to Defcon. 'cause he's a cyber security researcher. And he calls me at Defcon about three years ago, and he's like, Rach, you have to get over here. I'm like, I'm not really technical. It's all going to go over my head. Why would I come? He's like, you know how you always call companies to try and get our bills lowered? Like calling Comcast. Well they have this competition where they put people in a glass booth and they try and have them do that, but it's hacking companies. You have to get over here and try it. So I bought a ticket to Vegas that night and I ended up doing the white hat hacker competition called The Social Engineering Capture the Flag and I ended up winning second, twice in a row as a newb. So, insane. >> So you're hacking, if I get this right, not via kind of hardcore command line assault. You're using other tools. So like, what are some of the tools that are vulnerabilities that people would never think about. >> So the biggest tool that I use is actually Instagram, which is really scary. 60% of the information that I need to hack a company, I find on Instagram via geolocation. So people are taking pictures of their computers, their work stations. I can get their browser, their version information and then I can help infiltrate that company by calling them over the phone. 
It's called vishing. So I'll call them and try and get them to go to a malicious link over the phone and if I can do that, I can own their company, by kind of presenting as an insider and getting in that way. (chuckling) It's terrifying. >> So we know phishing right? I keep wanting to get the million dollars from the guy in Africa that keeps offering it to me. >> (snickers) Right. >> I don't know whether to bite on that or. >> Don't click the link. >> Don't click the link. >> No. >> But that's interesting. So people taking selfies in the office and you can just get a piece of the browser data and the background of that information. >> Yep. >> And that gives you what you need to do. >> Yeah, so I'll find a phone number from somebody. Maybe they take a picture of their business card, right? I'll call that number. Test it to see if it works. And then if it does, I'll call them in that glass booth in front of 400 people and attempt to get them to go to malicious links over the phone to own their company or I can try and get more information about their workstation, so we could, quote unquote, tailor an exploit for their software. >> Right. Right. >> We're not actually doing this, right? We're white hat hackers. >> Right. >> If we were the bad guys. >> You'd try to expose the vulnerability. >> Right. The risk. >> And what is your best ruse to get 'em to. Who are you representing yourself as? >> Yeah, so. The representation thing is called pre-texting. It's who you're pretending to be. If you've ever watched like, Catch Me If You Can. >> Right. Right. >> With Frank Abagnale Jr. So for me, the thing that works the best are low-status pretexts. So as a woman, I would kind of use what we understand about society to kind of exploit that. So you know, right now if I'm a woman and I call you and I'm like, I don't know how to troubleshoot your website. I'm so confused. I have to give a talk, it's in five minutes. Can you just try my link and see if it works on your end? 
(chuckling) >> You know? Right? You know, you believe that. >> That's brutal. >> Because there's things about our society that help you understand and believe what I'm trying to say. >> Right, right. >> Right? >> That's crazy and so. >> Yeah. >> Do you get, do you make money white hacking for companies? >> So. >> Do they pay you to do this or? Or is it like, part of the service or? >> It didn't start that way. >> Right. >> I started off just doing the Social Engineering Capture the Flag, the SECTF at Defcon. And I've done that two years in a row, but recently, my husband, Evan and I, co-founded a company, Social Proof Security. So we work with companies to train them about how social media can impact them from a social engineering risk perspective. >> Right. >> And so we can come in and help them and train them and understand, you know, via a webinar, 10 minute talk or we can do a deep dive and have them actually step into the shoes of a hacker and try it out themselves. >> Well I just thought the only danger was they know I'm here so they're going to go steal my bike out of my house, 'cause that's on the West Coast. I'm just curious and you may not have a perspective. >> Yeah. >> 'Cause you have a niche that you execute, but between say, you know kind of what you're doing, social engineering. >> Yeah. >> You know, front door. >> God, on the telephone. Versus kind of more traditional phishing, you know, please click here. Million dollars if you'll click here versus, you know, what I would think was more hardcore command line. People are really goin' in. I mean do you have any sense for what kind of the distribution of that is, in terms of what people are going after? >> Right, we don't know exactly because usually that information's pretty confidential, >> Sure. >> when a hack happens. But we guess that about 90% of infiltrations start with either a phishing email or a vishing call. 
So they're trying to gain information so they can tailor their exploits for your specific machine. And then they'll go in and they'll do that like actual, you know, >> Right. >> technical hacking. >> Right. >> But, I mean, if I'm vishing you right and I'm talking to you over the phone and I get you to go to a malicious link, I can just kind of bypass every security protocol you've set up. I don't even a technical hacker, right? I just got into your computer because. >> 'Cause you're in. >> 'Cause I'm in now, yup. >> I had the other kind of low profile way and I used to hear is, you know, you go after the person that's doin' the company picnic. You know WordPress site. >> Yes. >> That's not thinking that that's an entry point in. You know, kind of these less obvious access points. >> Right. That's something that I talk about a lot actually is sometimes we go after mundane information. Something like, what pest service provider you use? Or what janitorial service you use? We're not even going to look for like, software on your machine. We might start with a softer target. So if I know what pest extermination provider you use, I can look them up on LinkedIn. See if they've tagged themselves in pictures in your office and now I can understand how do they work with you, what do their visitor badges look like. And then emulate all of that for an onsite attack. Something like, you know, really soft, right? >> So you're sitting in the keynote, right? >> Yeah. >> Fei-Fei Li is talking about computer visualization learning. >> Right. >> And you know, Google running kagillions of pictures through an AI tool to be able to recognize the puppy from the blueberry muffin. >> Right. >> Um, I mean, that just represents ridiculous exploitation opportunity at scale. Even you know, >> Yeah. >> You kind of hackin' around the Instagram account, can't even begin to touch, as you said, your other thing. >> Right. >> You did and then you did it at scale. Now the same opportunity here. 
Both for bad and for good. >> I'm sure AI is going to impact social engineering pretty extremely in the future here. Hopefully they're protecting that data. >> Okay so, give a little plug so they'll look you up and get some more information. But what are just some of the really easy, basic steps that you find people just miss, that should just be, they should not be missing. From these basic things. >> The first thing is that if they want to take a picture at work, like a #TBT, right? It's their third year anniversary at their company. >> Right. Right. >> Step away from your workstation. You don't need to take that picture in front of your computer. Because if you do, I'm going to see that little bottom line at the bottom and I'm going to see exactly the browser version, OS and everything like that. Now I'm able to exploit you with that information. So step away when you take your pictures. And if you do happen to take a picture on your computer. I know you're looking at your computer nervously. >> I know, I'm like, don't turn my computer on to the cameras. >> Don't look at it! >> You're scarin' me Rachel. >> If you do take a picture of that. Then you don't want to let someone authenticate with that information. So let's say I'm calling you and I'm like, hey, I'm with Google Chrome. I know that you use Google Chrome for your service provider. Has your network been slow recently? Everyone's network's been slow recently, right? >> Right. Right. >> So of course you're going to say yes. Don't let someone authenticate with that info. Think to yourself. Oh wait, I posted a picture of my workstation recently. I'm not going to let them authenticate and I'm going to hang up. >> Interesting. All right Rachel. Well, I think the opportunity in learning is one thing. The opportunity in this other field is infinite. >> Yeah. >> So thanks for sharing a couple of tips. >> Yes. >> And um. >> Thank you for having me. >> Hopefully we'll keep you on the good side. 
We won't let you go to the dark side. >> I won't. I promise. >> All right. >> Rachel Faber Tobac and I'm Jeff Frick. You're watchin' the Cube from Grace Hopper Celebration of Women in Computing. Thanks for watching. (techno music)
Jacob Groundwater, Github | Node Summit 2017
(click) >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at Node Summit 2017 in San Francisco at the Mission Bay Convention Center. We've been coming here for years. A really active community, a lot of good mojo, about 800 developers here. About to the limits that the Mission Bay center can hold. Now we're excited to have our next guest. He just came off a panel. It's Jacob Groundwater. He's an engineering manager for Electron at Github. Jacob, welcome. >> Thank you, it's great to be here. >> So really interesting panel, Electron. I hadn't heard about Electron before, I was kind of digging in a little bit while the panel was going on, but for the folks that aren't familiar, what is Electron? >> Yeah. Electron, there's a good chance that people who haven't even heard of it might already be using it. >> (chuckles) That's always a good thing. >> Yeah. Electron is a project that's started by Github and it's open source and you can use it to build desktop applications but with web technologies. We're leveraging the Google Chrome project to do a lot of that. And Node. And Node. Node.js is a big part of it as well. >> So build desktop apps using web technologies. >> Yep. >> And why would somebody want to do that? >> You know, I think at the root of that question, it's always the same answer which is just economics right now. Developers are in demand, software developers are in demand. The web is taking over and the web is becoming the most common skillset that people have. So you get a few benefits by using Electron. You get to distribute to three platforms automatically, you get Linux, Mac, and Windows. Sometimes it's like super easy. Sometimes you do a little bit of building to get that to happen, but it's, you know, you could cut your team size down by maybe two thirds if you do it that way. >> Wow, that's a pretty significant cut. Now you said one 1.0 released year, and how's the, how's the adoption? 
>> I actually can't even keep up with the number of applications that are being published on top of Electron. I'm often surprised, I'll go to a company and I'll say, oh I work on Electron at Github. And they'll be like, oh we're developing an Electron app, or we're working on an Electron app. So it, it's kind of unreal. Like I've never really been in this situation before where something that I'm working on is being used so much. I think it's out, it's out there, it's in production, it's running in millions of laptops and desktops. >> Yeah. That's great though, 'cause that's the whole promise of software, right? That's why people want to get into software. >> Yeah. >> 'Cause you can actually write something that people use and you can change the world. It could be distributed all over the world with millions of users before you even know it. >> There's this wonderful thought of like writing something once and then it running in millions of places potentially. I just love it. I love it. I think it's super cool. >> Yeah. So as it's grown what have been some of the main kind of concerns, issues, what are some of the things you're managing within that growth that's not pure technical? >> Yeah. That's a great question. One of the biggest things that I found interesting is when I got on our website and check the analytics, it's almost uniform across the globe. People are interested in it from everywhere. So there's challenges like, right now I had to set up a core meeting to talk about some of the like, updates to Electron and that had to be at midnight Pacific time because we had to include the Prague time zone, Tokyo time zone, and Chennai in India. And we're trying to see if we can squeeze in someone from Australia. And just the global distributive nature of Electron, like people around the world are working on this and using it. >> Right. The other part you mentioned in the session, was the management of the community. 
And you made an interesting, you know, we go to a lot of conferences, everyone's got their code of conduct published these days which is kind of sad. It's good, but it's kind of sad that people don't have basic manners it seems like anymore. We've covered a lot of open source communities. One that jumps to mind is OpenStack and watch that evolve over time and there's kind of community management issues that come up as these things grow. And you brought up, kind of an interesting paradigm, if you've got a great technical contributor who's just not a good person for, I don't know, you didn't really define kind of the negative side but got some issues that may impact the cohesiveness of the community going forward, especially because community is so important in these projects. But if you got a great technical mind, I never really heard that particular challenge. >> I think it comes up a lot more than people realize. And it's something that I think about a lot. And one thing I want to focus on is, what we're really zeroing in on is bad behavior. >> Bad behavior. That was the word. >> And not a bad person. >> Right, right. >> One of the best ways to, to maybe get around that happening is to set an expectation early about what is acceptable behavior and alert people early when they're doing things that are going to cause harm to the community or cause harm to others. And also frame it in a way where they know, we're trying to keep other people safe, but we're also trying to keep those offenders, give them the space to change. If you choose not to change, that's a whole different story. So I think that by keeping the community strong, we encourage people around the globe to work on this project and we've already seen great returns by doing this far, so that's why I'm really focused on keeping it, keeping it a place where you know you can come and show up and do your work and do your best work. >> Right. Right. 
Well hopefully that's not taking too many of your cycles, you don't got too many of those, of those characters. >> Every hour I put in, I get like 10s and 20, like hours and hours back in return from the people who give back. So it's well worth it. It's the best use of my time. >> Alright good. So great growth over the year. As you look forward to next calendar year, kind of what are some of your priorities? What are some of the community's priorities? Where is Electron going? And if we touch base a year from now, what are we going to be talking about? >> Excellent question. So strengthening, formalizing some aspects of the community that we have so far, it's a little ad hoc, would be great. We want to look to having people outside of Github that feel more ownership over the project. For example, we have contributors who probably should be reviewing and committing code on their own, without necessarily needing to loop in someone from my team. So really turning this into a community project. In addition, we are focusing up on what might go into a version 2 release. And we're really focusing on security as a key feature in version two. >> Yeah, security's key and it's got to be baked in all the way to the bottom. >> Yeah. >> Alright Jacob, well it sounds like you've got your work cut out for you >> Thank you. >> and it should be an exciting year. >> Yeah, thanks very much. >> Alright. He's Jacob Groundwater. He's from the Electron project at Github. I'm Jeff Frick. You're watching theCUBE. We'll see you next time. Thanks for watching. (sharp music)
SENTIMENT ANALYSIS :
ENTITIES
Entity | Category | Confidence |
---|---|---|
Jeff Frick | PERSON | 0.99+ |
Jacob | PERSON | 0.99+ |
Australia | LOCATION | 0.99+ |
Jacob Groundwater | PERSON | 0.99+ |
San Francisco | LOCATION | 0.99+ |
India | LOCATION | 0.99+ |
Github | ORGANIZATION | 0.99+ |
20 | QUANTITY | 0.99+ |
Electron | ORGANIZATION | 0.99+ |
10s | QUANTITY | 0.99+ |
Node | TITLE | 0.99+ |
Chennai | LOCATION | 0.99+ |
Mission Bay Convention Center | LOCATION | 0.99+ |
about 800 developers | QUANTITY | 0.98+ |
Node.js | TITLE | 0.98+ |
next calendar year | DATE | 0.97+ |
Linux | TITLE | 0.97+ |
One | QUANTITY | 0.96+ |
Windows | TITLE | 0.95+ |
millions of users | QUANTITY | 0.94+ |
Node Summit 2017 | EVENT | 0.94+ |
three platforms | QUANTITY | 0.93+ |
two thirds | QUANTITY | 0.93+ |
millions of places | QUANTITY | 0.9+ |
Electron | TITLE | 0.89+ |
Tokyo time zone | LOCATION | 0.89+ |
Mission Bay center | LOCATION | 0.87+ |
theCUBE | ORGANIZATION | 0.86+ |
Prague time zone | LOCATION | 0.85+ |
version 2 | OTHER | 0.83+ |
one thing | QUANTITY | 0.78+ |
millions of laptops | QUANTITY | 0.78+ |
one | QUANTITY | 0.77+ |
version two | OTHER | 0.75+ |
Mac | COMMERCIAL_ITEM | 0.75+ |
a year | QUANTITY | 0.74+ |
midnight | DATE | 0.71+ |
OpenStack | ORGANIZATION | 0.68+ |
Google Chrome | TITLE | 0.68+ |
1.0 | QUANTITY | 0.36+ |