(upbeat music) >> Hello and welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Its first inaugural event. It's theCUBE's coverage. We were there at the first event for a KubeCon before CNCF kind of took it over. It was in Seattle. And so in Seattle this week is Cloud Native SecurityCon. Of course, theCUBE is there covering via our Palo Alto Studios and our experts around the world who are bringing in Bassam Tabbara who's the CEO and founder of upbound.io. That's the URL, but Upbound is the company. The creators of Crossplane. Really kind of looking at the Crossplane, across the abstraction layer, across clouds. A big part of, as we call supercloud trend. Bassam, great to see you. You've been legend in the open source community. Great to have you on. >> Thanks, John. Always good to be on theCUBE. >> I really wanted to bring you in 'cause I want to get your perspective. You've seen the movie, you've seen open source software grow, it continues to grow. Now you're starting to see the Linux Foundation, which has CNCF really expanding their realm. They got the CloudNativeCon, KubeCon, which is Kubernetes event. That's gotten so massive and so successful. We've been to every single one as you know. I've seen you there and all of them as well. So that's going great. Now they got this new event that's spins out dedicated to security. Everybody wants to know why the new event? What's the focus? Is it needed? What will they do? What's different from KubeCon? Where do I play? And so there's a little bit of a question mark in the ecosystem around this event. And so we've been reporting on it. Looking good so far. People are buzzing, again, they're keeping it small. So that kind of managing expectations like any good event would do. But I think it's been successful, which I wanted like to get your take on how you see it. Is this good? Are you indifferent? Are you excited by this? What's your take? >> I mean, look, it's super exciting to see all the momentum around cloud native. Obviously there are different dimensions of cloud native securities, an important piece. Networking, storage, compute, like all those things I think tie back together and in some ways you can look at this event as a focused event on the security aspect as it relates to cloud native. And there are lots of vendors in this space. There's lots of interesting projects in the space, but the unifying theme is that they come together and probably around the Kubernetes API and the momentum around cloud native and with Kubernetes at the center of it. >> On the focus on Kubernetes, it seems this event is kind of classic security where you want to have deep dives. Again, I call it the event operating system 'cause you decouple, make things highly cohesive, and you link them together. I don't see a problem with it. I kind of like this. I gave it good reviews if they stay focused because security is super critical. There was references to bind and DNS. There's a lot of things in the infrastructure plumbing that need to be looked at or managed or figured out or just refactored for modernization needs. And I know you've done a lot with storage, for instance, storage, networking, kernel. There's a lot of things in the old tech or tech in the cloud that needs to be kind, I won't say rebooted, but maybe reset or jump. Do you see it that way? Are there things that need to get done or is it just that there's so much complexity in the different cloud cluster code thing going on? >> It's obviously security is a very, very big space and there are so many different aspects of it that people you can go into. I think the thing that's interesting around the cloud native community is that there is a unifying theme. Like forget the word cloud native for a second, but the unifying theme is that people are building around what looks like a standardized play around Kubernetes and the Kubernetes API. And as a result you can recast a lot of the technologies that we are used to in the past in a traditional security sense. You can recast them on top of this new standardized approach or on Kubernetes, whether it's policy or protecting a supply chain or scanning, or like a lot of the access control authorization, et cetera. All of those things can be either revived to apply to this cloud native play and the Kubernetes play or creating new opportunities for companies to actually build new and interesting projects and companies around a standardized play. >> Do you think this also will help the KubeCon be more focused around the developer areas there and just touching on security versus figuring out how to take something so important in KubeCon, which the stakeholders in KubeCon have have grown so big, I can see security sucking a lot of oxygen out of the room there. So here you move it over, you keep it over here. Will anything change on the KubeCon site? We'll be there in in Amsterdam in April. What do you think the impact will be? Good? Is it good for the community? Just good swim lanes? What's your take? >> Yeah, I still think KubeCon will be an umbrella event for the whole cloud native community. I suspect that you'll see some of the same vendors and projects and everything else represented in KubeCon. The way I think about all the branched cloud native events are essentially a way to have a more focused discussion, get people together to talk about security topics or networking topics or things that are more focused way. But I don't think it changes the the effect of KubeCon being the umbrella around all of it. So I think you'll see the same presence and maybe larger presence going forward at Amsterdam. We're planning to be there obviously and I'm excited to be there and I think it'll be a big event and having a smaller event is not going to diminish the effect of KubeCon. >> And if you look at the developer community they've all been online for a long time, from IRC chat to now Slack and now new technologies and stuff like Discord out there. The event world has changed post-pandemic. So it makes sense. And we're seeing this with all vendors, by the way, and projects. The digital community angle is huge because if you have a big tent event like KubeCon you can make that a rallying moment in the industry and then have similar smaller events that are highly focused that build off that that are just connective tissue or subnets, if you will, or communities targeted for really deeper conversations. And they could be smaller events. They don't have to be monster events, but they're connected and traverse into the main event. This might be the event format for the future for all companies, whether it's AWS or a company that has a community where you create this network effect, if you will, around the people. >> That's right. And if you look at things like AWS re:Invent, et cetera, I mean, that's a massive events. And in some ways it, if it was a set of smaller sub events, maybe it actually will flourish more. I don't know, I'm not sure. >> They just killed the San Francisco event. >> That's right. >> But they have re:Inforce, all right, so they just established that their big events are re:Invent and re:Inforce as their big. >> Oh, I didn't hear about re:Inforce. That's news to me. >> re:Inforce is their third event. So they're doing something similar as CloudNativeCon, which is you have to have an event and then they're going to create a lot of sub events underneath. So I think they are trying to do that. Very interesting. >> Very interesting for sure. >> So let's talk about what you guys are up to. I know from your standpoint, you had a lot of security conversations. How is Crossplane doing? Obviously, you saw our Supercloud coverage. You guys fit right into that model where clients, customers, enterprises are going to want to have multiple cloud operating environments for whatever the use case, whether you're using ChatGPT, you got to get an Azure instance up and running for that. Now with APIs, we're hearing a lot of developers doing that. So you're going to start to see this cross cloud as VMware calls, what we call it supercloud. There's more need for Crossplane like thinking. What's the update? >> For sure, and we see this very clearly as well. So the fact that there is a standardization layer, there is a layer that lets you converge the different vendors that you have, the different clouds that you have, the different hype models that you have, whether it's hybrid or private, public, et cetera. The unifying theme is that you're literally bringing all those things under one control plane that enables you to actually centralize and standardize on security, access control, helps you standardize on cost control, quota policy, as well as create a self-service experience for your developers. And so from a security standpoint, the beauty of this is like, you could use really popular projects like open policy agent or Kyverno or others if you want to do policy and do so uniformly across your entire stack, your entire footprint of tooling, vendors, services and across deployment models. Those things are possible because you're standardizing and consolidating on a control plane on top of all. And that's the thing that gets our customers excited. That we're seeing in the community that they could actually now normalize standardize on small number of projects and tools to manage everything. >> We were talking about that in our summary of the keynote yesterday. Dave Vellante and I were talking about the idea of clients want to have a redo of their security. They've been, just the tooling has been building up. They got zero trust in place, maybe with some big vendor, but now got the cloud native opportunity to refactor and reset and reinvent their security paradigm. And so that's the positive thing we're hearing. Now we're seeing enterprises want this cross cloud capabilities or Crossplane like thinking that you guys are talking about. What are your customers telling you? Can you share from an enterprise perspective where they're at in this journey? Because part of the security problems that we've been reporting on has been because clients are moving from IT to cloud native and not everyone's moved over yet. So they're highly vulnerable to ransomware and all kinds of other crap. So another attacks, so they're wide open, But people who are moving into cloud native, are they stepping up their game on this Crossplane opportunity? Where are they at? Can you share data on that? >> Yeah, we're grateful to be talking to a lot of customers these days. And the interesting thing is even if you talked about large financial institutions, banks, et cetera, the common theme that we hear is that they bought tools for each of the different departments and however they're organized. Sometimes you see the folks that are running databases, networking, being separated from say, the computer app developers or they're all these different departments within an organization. And for each one of those, they've made localized decisions for tooling and services that they bought. What we're seeing now consistently is that they're all together, getting together, and trying to figure out how to standardize on a smaller one set of tooling and services that goes across all the different departments and all different aspects of the business that they're running. And this is where this discussion gets a lot very interesting. If instead of buying a different policy tool for each department, or once that fits it you could actually standardize on policy or the entire footprint of services that they're managing. And you get that by standardizing on a control plane or standardizing on effectively one point of control for everything that they're doing. And that theme is like literally, it gets all our customers excited. This is why they're engaging in all of this. It's almost the holy grail. The thing that I've been trying to do for a long time. >> I know. >> And it's finally happening. >> I know you and I have talked about this many times, but I got to ask you the one thing that jumps into everybody's head when you hear control plane is lock-in. So how do you discuss that lock-in, perception from the reality of the situation? How do you unpack that for the customer? 'Cause they want choice at the end of the day. There's the preferred vendors for sure on the hyperscale side and app side and open source, but what's the lock-in? What does the lock-in conversation look like? Or do they even have that conversation? >> Yeah. To be honest, I mean, so their lock-in could be a two dimensions here. Most of our customers and people are using Crossplane or using app on product around it. Most of our do, concentrated in, say a one cloud vendor and have others. So I don't think this is necessarily about multicloud per se or being locked into one vendor. But they do manage many different services and they have legacy tooling and they have different systems that they bought at different stages and they want to bring them all together. And by bringing them all together that helps them make choices about consulting or even replacing some of them. But right now everything is siloed, everything is separate, both organizationally as well as the code bases or investments and tooling or contracts. Everything is just completely separated and it requires humans to put them together. And organizations actually try to gather around and put them together. I don't know if lock-in is the driving goal for this, but it is standardization consolidation. That's the driving initiative. >> And so unification and building is the big driver. They're building out >> Correct, and you can ask why are they doing that? What does standardization help with? It helps them to become more productive. They can move faster, they can innovate faster. Not as a ton of, like literally revenue written all over. So it's super important to them that they achieved this, increase their pace of innovation around this and they do that by standardizing. >> The great point in all this and your success at Upbound and now CNCF success with KubeCon + CloudNativeCon and now with the inaugural event of Cloud Native SecurityCon is that the customers are involved, a lot of end users are involved. There's a big driver not only from the industry and the developers and getting architecture right and having choice. The customers want this to happen. They're leaning in, they're part of it. So that's a big driver. Where does this go? If you had to throw a dart at the board five years from now Cloud Native SecurityCon, what does it look like if you had to predict the trajectory of this event and community? >> Yeah, I mean, look, I think the trajectory one is that we have what looks like a standardization layer emerging that is all encompassing. And as a result, there is a ton of opportunity for vendors, projects, communities to build around within on top of this layer. And essentially create, I think you talked about an operating system earlier and decentralized aspect of this, but it's an opportunity to actually, what it looks like for the first time we have a convergence happening industry-wide and through open source and open source foundations. And I think that means that there'll be new opportunity and lots of new projects and things that are created in the space. And it also means that if you don't attach this space, you'll likely be left out. >> Awesome. Bassam, great to have you on, great expert commentary, obviously multi CUBE alumni and supporter of theCUBE and as you become successful we really appreciate your support for helping us get the content out there. And best of luck to your team and thanks for weighing in on Cloud Native SecurityCon. >> Awesome. It's always good talking to you, John. Thank you. >> Great stuff. This is more CUBE coverage from Palo Alto, getting folks on the ground on location, getting us the stories in Seattle. Of course, Cloud Native SecurityCon, the inaugural event, which looks like will be the beginning of a series of multi-year journey for the CNCF, focusing on security. Of course, theCUBE's here to cover it, every angle of it, and extract the signal from the noise. I'm John Furrier, thanks for watching. (upbeat music)

(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Obviously, CUBE's coverage with our CUBE Center Report. We're not there on the ground, but we have folks and our CUBE Alumni there. We have entrepreneurs there. Of course, we want to be there in person, but we're remote. We've got Ben Hirschberg, CTO and Co-Founder of Armo, a cloud native security startup, well positioned in this industry. He's there in Seattle. Ben, thank you for coming on and sharing what's going on with theCUBE. >> Yeah, it's great to be here, John. >> So we had written on you guys up on SiliconANGLE. Congratulations on your momentum and traction. But let's first get into what's going on there on the ground? What are some of the key trends? What's the most important story being told there? What is the vibe? What's the most important story right now? >> So I think, I would like to start here with the I think the most important thing was that I think the event is very successful. Usually, the Cloud Native Security Day usually was part of KubeCon in the previous years and now it became its own conference of its own and really kudos to all the organizers who brought this up in, actually in a short time. And it wasn't really clear how many people will turn up, but at the end, we see a really nice turn up and really great talks and keynotes around here. I think that one of the biggest trends, which haven't started like in this conference, but already we're talking for a while is supply chain. Supply chain is security. I think it's, right now, the biggest trend in the talks, in the keynotes. And I think that we start to see companies, big companies, who are adopting themselves into this direction. There is a clear industry need. There is a clear problem and I think that the cloud native security teams are coming up with tooling around it. I think for right now we see more tools than adoption, but the adoption is always following the tooling. And I think it already proves itself. So we have just a very interesting talk this morning about the OpenSSL vulnerability, which was I think around Halloween, which came out and everyone thought that it's going to be a critical issue for the whole cloud native and internet infrastructure and at the end it turned out to be a lesser problem, but the reason why I think it was understood that to be a lesser problem real soon was that because people started to use (indistinct) store software composition information in the environment so security teams could look into, look up in their systems okay, what, where they're using OpenSSL, which version they are using. It became really soon real clear that this version is not adopted by a wide array of software out there so the tech surface is relatively small and I think it already proved itself that the direction if everyone is talking about. >> Yeah, we agree, we're very bullish on this move from the Cloud Native Foundation CNCF that do the security conference. Amazon Web Services has re:Invent. That's their big show, but they also have re:Inforce, the security show, so clearly they work together. I like the decoupling, very cohesive. But you guys have Kubescape of Kubernetes security. Talk about the conversations that are there and that you're hearing around why there's different event what's different around KubeCon and CloudNativeCon than this Cloud Native SecurityCon. It's not called KubeSucSecCon, it's called Cloud Native SecurityCon. What's the difference? Are people confused? Is it clear? What's the difference between the two shows? What are you hearing? >> So I think that, you know, there is a good question. Okay, where is Cloud Native Computing Foundation came from? Obviously everyone knows that it was somewhat coupled with the adoption of Kubernetes. It was a clear understanding in the industry that there are different efforts where the industry needs to come together without looking be very vendor-specific and try to sort out a lot of issues in order to enable adoption and bring great value and I think that the main difference here between KubeCon and the Cloud Native Security Conference is really the focus, and not just on Kubernetes, but the whole ecosystem behind that. The way we are delivering software, the way we are monitoring software, and all where Kubernetes is only just, you know, maybe the biggest clog in the system, but, you know, just one of the others and it gives great overview of what you have in the whole ecosystem. >> Yeah, I think it's a good call. I would add that what I'm hearing too is that security is so critical to the business model of every company. It's so mainstream. The hackers have a great business model. They make money, their costs are lower than the revenue. So the business of hacking in breaches, ransomware all over the place is so successful that they're playing offense, everyone's playing defense, so it's about time we can get focus to really be faster and more nimble and agile on solving some of these security challenges in open source. So I think that to me is a great focus and so I give total props to the CNC. I call it the event operating system. You got the security group over here decoupled from the main kernel, but they work together. Good call and so this brings back up to some of the things that are going on so I have to ask you, as your startup as a CTO, you guys have the Kubescape platform, how do you guys fit into the landscape and what's different from your tools for Kubernetes environments versus what's out there? >> So I think that our journey is really interesting in the solution space because I think that our mode really tries to understand where security can meet the actual adoption because as you just said, somehow we have to sort out together how security is going to be automated and integrated in its best way. So Kubescape project started as a Kubernetes security posture tool. Just, you know, when people are really early in their adoption of Kubernetes systems, they want to understand whether the installation is is secure, whether the basic configurations are look okay, and giving them instant feedback on that, both in live systems and in the CICD, this is where Kubescape came from. We started as an open source project because we are big believers of open source, of the power of open source security, and I can, you know I think maybe this is my first interview when I can say that Kubescape was accepted to be a CNCF Sandbox project so Armo was actually donating the project to the CNCF, I think, which is a huge milestone and a great way to further the adoption of Kubernetes security and from now on we want to see where the users in Armo and Kubescape project want to see where the users are going, their Kubernetes security journey and help them to automatize, help them to to implement security more fast in the way the developers are using it working. >> Okay, if you don't mind, I want to just get clarification. What's the difference between the Armo platform and Kubescape because you have Kubescape Sandbox project and Armo platform. Could you talk about the differences and interaction? >> Sure, Kubescape is an open source project and Armo platform is actually a managed platform which runs Kubescape in the cloud for you because Kubescape is part, it has several parts. One part is, which is running inside the Kubernetes cluster in the CICD processes of the user, and there is another part which we call the backend where the results are stored and can be analyzed further. So Armo platform gives you managed way to run the backend, but I can tell you that backend is also, will be available within a month or two also for everyone to install on their premises as well, because again, we are an open source company and we are, we want to enable users, so the difference is that Armo platform is a managed platform behind Kubescape. >> How does Kubescape differ from closed proprietary sourced solutions? >> So I can tell you that there are closed proprietary solutions which are very good security solutions, but I think that the main difference, if I had to pick beyond the very specific technicalities is the worldview. The way we see that our user is not the CISO. Our user is not necessarily the security team. From our perspective, the user is the DevOps and the developers who are working on the Kubernetes cluster day to day and we want to enable them to improve their security. So actually our approach is more developer-friendly, if I would need to define it very shortly. >> What does this risk calculation score you guys have in Kubscape? That's come up and we cover that in our story. Can you explain to the folks how that fits in? Is it Kubescape is the platform and what's the benefit, what's the purpose? >> So the risk calculation is actually a score we are giving to clusters in order for the users to understand where they are standing in the general population, how they are faring against a perfect hardened cluster. It is based on the number of different tests we are making. And I don't want to go into, you know, the very specifics of the mathematical functions, but in general it takes into account how many functions are failing, security tests are failing inside your cluster. How many nodes you are having, how many workloads are having, and creating this number which enables you to understand where you are standing in the global, in the world. >> What's the customer value that you guys pitching? What's the pitch for the Armo platform? When you go and talk to a customer, are they like, "We need you." Do they come to you? Is it word of mouth? You guys have a strategy? What's the pitch? What's so appealing to the customers? Why are they enthusiastic about you guys? >> So John, I can tell you, maybe it's not so easy to to say the words, but I nearly 20 years in the industry and though I've been always around cyber and the defense industry and I can tell you that I never had this journey where before where I could say that the the customers are coming to us and not we are pitching to customers. Simply because people want to, this is very easy tool, very very easy to use, very understandable and it very helps the engineers to improve security posture. And they're coming to us and they're saying, "Well, awesome, okay, how we can like use it. Do you have a graphical interface?" And we are pointing them to the Armor platform and they are falling in love and coming to us even more and we can tell you that we have a big number of active users behind the platform itself. >> You know, one of the things that comes up every time at KubeCon and Cloud NativeCon when we're there, and we'll be in Amsterdam, so folks watching, you know, we'll see onsite, developer productivity is like the number one thing everyone talks about and security is so important. It's become by default a blocker or anchor or a drag on productivity. This is big, the things that you're mentioning, easy to use, engineering supporting it, developer adoption, you know we've always said on theCUBE, developers will be the de facto standards bodies by their choices 'cause developers make all the decisions. So if I can go faster and I can have security kind of programmed in, I'm not shifting left, it's just I'm just having security kind of in there. That's the dream state. Is that what you guys are trying to do here? Because that's the nirvana, everyone wants to do that. >> Yeah, I think your definition is like perfect because really we had like this, for a very long time we had this world where we decoupled security teams from developers and even for sometimes from engineering at all and I think for multiple reasons, we are more seeing a big convergence. Security teams are becoming part of the engineering and the engineering becoming part of the security and as you're saying, okay, the day-to-day world of developers are becoming very tangled up in the good way with security, so the think about it that today, one of my developers at Armo is creating a pull request. He's already, code is already scanned by security scanners for to test for different security problems. It's already, you know, before he already gets feedback on his first time where he's sharing his code and if there is an issue, he already can solve it and this is just solving issues much faster, much cheaper, and also you asked me about, you know, the wipe in the conference and we know no one can deny the current economic wipe we have and this also relates to security teams and security teams has to be much more efficient. And one of the things that everyone is talking, okay, we need more automation, we need more, better tooling and I think we are really fitting into this. >> Yeah, and I talked to venture capitalists yesterday and today, an angel investor. Best time for startup is right now and again, open source is driving a lot of value. Ben, it's been great to have you on and sharing with us what's going on on the ground there as well as talking about some of the traction you have. Just final question, how old's the company? How much funding do you have? Where you guys located? Put a plug in for the company. You guys looking to hire? Tell us about the company. Were you guys located? How much capital do you have? >> So, okay, the company's here for three years. We've passed a round last March with Tiger and Hyperwise capitals. We are located, most of the company's located today in Israel in Tel Aviv, but we have like great team also in Ukraine and also great guys are in Europe and right now also Craig Box joined us as an open source VP and he's like right now located in New Zealand, so we are a really global team, which I think it's really helps us to strengthen ourselves. >> Yeah, and I think this is the entrepreneurial equation for the future. It's really great to see that global. We heard that in Priyanka Sharma's keynote. It's a global culture, global community. >> Right. >> And so really, really props you guys. Congratulations on Armo and thanks for coming on theCUBE and sharing insights and expertise and also what's happening on the ground. Appreciate it, Ben, thanks for coming on. >> Thank you, John. >> Okay, cheers. Okay, this is CUB coverage here of the Cloud Native SecurityCon in North America 2023. I'm John Furrier for Lisa Martin, Dave Vellante. We're back with more of wrap up of the event after this short break. (gentle upbeat music)

(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formally part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure's code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. >> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are you thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. you've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? >> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)

(bright music) >> Hello everyone and welcome back to AWS re:Invent, here in wonderful Las Vegas, Nevada. We're theCUBE. I am Savannah Peterson. Joined with my co-host, Dave Vellante. Day four, you look great. Your voice has come back somehow. >> Yeah, a little bit. I don't know how. I took last night off. You guys, I know, were out partying all night, but - >> I don't know what you're talking about. (Dave laughing) >> Well, you were celebrating John's birthday. John Furrier's birthday today. >> Yes, happy birthday John! >> He's on his way to England. >> Yeah. >> To attend his nephew's wedding. Awesome family. And so good luck, John. I hope you feel better, he's got a little cold. >> I know, good luck to the newlyweds. I love this. I know we're both really excited for our next guest, so I'm going to bring out, Lena Smart from MongoDB. Thank you so much for being here. >> Thank you for having me. >> How's the show going for you? >> Good. It's been a long week. And I just, not much voice left, so. >> We'll be gentle on you. >> I'll give you what's left of it. >> All right, we'll take that. >> Okay. >> You had a fireside chat, at the show? >> Lena: I did. >> Can you tell us a little bit about that? >> So we were talking about the Rise, The developer is a platform. In this massive theater. I thought it would be like an intimate, you know, fireside chat. I keep believing them when they say to me come and do these talks, it'll be intimate. And you turn up and there's a stage and a theater and it's like, oh my god. But it was really interesting. It was well attended. Got some really good questions at the end as well. Lots of follow up, which was interesting. And it was really just about, you know, how we've brought together this developer platform that's got our integrated services. It's just what developers want, it gives them time to innovate and disrupt, rather than worry about the minutia of management. >> Savannah: Do the cool stuff. >> Exactly. >> Yeah, so you know Lena, it's funny that you're saying that oh wow, the lights came on and it was this big thing. When when we were at re:Inforced, Lena was on stage and it was so funny, Lena, you were self deprecating like making jokes about the audience. >> Savannah: (indistinct) >> It was hilarious. And so, but it was really endearing to the audience and so we were like - >> Lena: It was terrifying. >> You got huge props for that, I'll tell you. >> Absolutely terrifying. Because they told me I wouldn't see anyone. Because we did the rehearsal the day before, and they were like, it's just going to be like - >> Sometimes it just looks like blackness out there. >> Yeah, yeah. It wasn't, they lied. I could see eyeballs. It was terrifying. >> Would you rather know that going in though? Or is it better to be, is ignorance bliss in that moment? >> Ignorance is bliss. >> Yeah, yeah yeah. >> Good call Savannah, right? Yeah, just go. >> The older I get, the more I'm just, I'm on the ignorance is bliss train. I just, I don't need to know anything that's going to hurt my soul. >> Exactly. >> One of the things that you mentioned, and this has actually been a really frequent theme here on the show this week, is you said that this has been a transformative year for developers. >> Lena: Yeah. >> What did you mean by that? >> So I think developers are starting to come to the fore, if you like, the fore. And I'm not in any way being deprecating about developers 'cause I love them. >> Savannah: I think everyone here does. >> I was married to one, I live with one now. It's like, they follow me everywhere. They don't. But, I think they, this is my opinion obviously but I think that we're seeing more and more the value that developers bring to the table. They're not just code geeks anymore. They're not just code monkeys, you know, churning out lines and lines of code. Some of the most interesting discussions I've had this week have been with developers. And that's why I'm so pleased that our developer data platform is going to give these folks back time, so that they can go and innovate. And do super interesting things and do the next big thing. It was interesting, I was talking to Mary, our comms person earlier and she had said that Dave I guess, my boss, was on your show - >> Dave: Yeah, he was over here last night. >> Yeah. And he was saying that two thirds of the companies that had been mentioned so far, within the whole gamut of this conference use MongoDB. And so take that, extrapolate that, of all the developers >> Wow. >> who are there. I know, isn't that awesome? >> That's awesome. Congrats on that, that's like - >> Did I hear that right now? >> I know, I just had that moment. >> I know she just told me, I'm like, really? That's - >> That's so cool. >> 'Cause the first thing I thought of was then, oh my god, how many developers are we reaching then? 'Cause they're the ones. I mean, it's kind of interesting. So my job has kind of grown from, over the years, being the security geek in the back room that nobody talks to, to avoiding me in the lift, to I've got a seat at the table now. We meet with the board. And I think that I can see that that's where the developer mindset is moving towards. It's like, give us the right tools and we'll change your world. >> And let the human capital go back to doing the fun stuff and not just the maintenance stuff. >> And, but then you say that, you can't have everything automated. I get that automation is also the buzzword of the week. And I get that, trust me. Someone has to write the code to do the automation. >> Savannah: Right. >> So, so yeah, definitely give these people back time, so that they can work on ML, AI, choose your buzzword. You know, by giving people things like queriable encryption for example, you're going to free up a whole bunch of head space. They don't have to worry about their data being, you know harvested from memory or harvested while at rest or in motion. And it's like, okay, I don't have to worry about that now, let me go do something fun. >> How about the role of the developer as it relates to SecOps, right? They're being asked to do a lot. You and I talked about this at re:Inforce. You seem to have a pretty good handle on it. Like a lot of companies I think are struggling with it. I mean, the other thing you said said to me is you don't have a lack of talent at Mongo, right? 'Cause you're Mongo. But a lot of companies do. But a lot of the developers, you know we were just talking about this earlier with Capgemini, the developer metrics or the application development team's metrics might not be aligned with the CSO's metrics. How, what are you seeing there? What, how do you deal with it within Mongo? What do you advise your customers? >> So in terms of internal, I work very closely with our development group. So I work with Tara Hernandez, who's our new VP of developer productivity. And she and her team are very much interested in making developers more productive. That's her job. And so we get together because sometimes security can definitely be seen as a blocker. You know, funnily enough, I actually had a Slack that I had to respond to three seconds before I come on here. And it was like, help, we need some help getting this application through procurement, because blah, blah, blah. And it's weird the kind of change, the shift in mindset. Whereas before they might have gone to procurement or HR or someone to ask for this. Now they're coming to the CSO. 'Cause they know if I say yes, it'll go through. >> Talk about social engineering. >> Exactly. >> You were talking about - >> But turn it around though. If I say no, you know, I don't like to say no. I prefer to be the CSO that says yes, but. And so that's what we've done. We've definitely got that culture of ask, we'll tell you the risks, and then you can go away and be innovative and do what you need to do. And we basically do the same with our customers. Here's what you can do. Our application is secure out of the box. Here's how we can help you make it even more, you know, streamlined or bespoke to what you need. >> So mobile was a big inflection point, you know, I dunno, it seems like forever ago. >> 2007. >> 2007. Yeah, iPhone came out in 2007. >> You remember your first iPhone? >> Dave: Yeah. >> Yeah? Same. >> Yeah. It was pretty awesome, actually. >> Yeah, I do too. >> Yeah, I was on the train to Boston going up to see some friends at MIT on the consortium that I worked with. And I had, it was the wee one, 'member? But you thought it was massive. >> Oh, it felt - >> It felt big. And I remember I was sitting on the train to Boston it was like the Estella and there was these people, these two women sitting beside me. And they were all like glam, like you and unlike me. >> Dave: That's awesome. >> And they, you could see them like nudging each other. And I'm being like, I'm just sitting like this. >> You're chilling. >> Like please look at my phone, come on just look at it. Ask me about it. And eventually I'm like - >> You're baiting them. >> nonchalantly laid it on the table. And you know, I'm like, and they're like, is that an iPhone? And I'm like, yeah, you want to see it? >> I thought you'd never ask. >> I know. And I really played with it. And I showed them all the cool stuff, and they're like, oh we're going to buy iPhones. And so I should have probably worked for Apple, but I didn't. >> I was going to say, where was your referral kickback on that? Especially - >> It was a little like Tesla, right? When you first, we first saw Tesla, it was Ray Wong, you know, Ray? From Pasadena? >> It really was a moment and going from the Blackberry keyboard to that - >> He's like want to see my car? And I'm like oh yeah sure, what's the big deal? >> Yeah, then you see it and you're like, ooh. >> Yeah, that really was such a pivotal moment. >> Anyway, so we lost a track, 2007. >> Yeah, what were we talking about? 2007 mobile. >> Mobile. >> Key inflection point, is where you got us here. Thank you. >> I gotchu Dave, I gotchu. >> Bring us back here. My mind needs help right now. Day four. Okay, so - >> We're all getting here on day four, we're - >> I'm socially engineering you to end this, so I can go to bed and die quietly. That's what me and Mary are, we're counting down the minutes. >> Holy. >> That's so sick. >> You're breaking my heart right now. I love it. I'm with you, sis, I'm with you. >> So I dunno where I was, really where I was going with this, but, okay, there's - >> 2007. Three things happened. >> Another inflection point. Okay yeah, tell us what happened. But no, tell us that, but then - >> AWS, clones, 2006. >> Well 2006, 2007. Right, okay. >> 2007, the iPhone, the world blew up. So you've already got this platform ready to take all this data. >> Dave: Right. >> You've got this little slab of gorgeousness called the iPhone, ready to give you all that data. And then MongoDB pops up, it's like, woo-hoo. But what we could offer was, I mean back then was awesome, but it was, we knew that we would have to iterate and grow and grow and grow. So that was kind of the three things that came together in 2007. >> Yeah, and then Cloud came in big time, and now you've got this platform. So what's the next inflection point do you think? >> Oh... >> Good question, Dave. >> Don't even ask me that. >> I mean, is it Edge? Is it IOT? Is there another disruptor out there? >> I think it's going to be artificial intelligence. >> Dave: Is it AI? >> I mean I don't know enough about it to talk about it, to any level, so don't ask me any questions about it. >> This is like one of those ignorance is bliss moments. It feels right. >> Yeah. >> Well, does it scare you, from a security perspective? Or? >> Great question, Dave. >> Yeah, it scares me more from a humanity standpoint. Like - >> More than social scared you? 'Cause social was so benign when it started. >> Oh it was - >> You're like, oh - I remember, >> It was like a yearbook. I was on the Estella and we were - >> Shout out to Amtrak there. >> I was with, we were starting basically a wikibond, it was an open source. >> Yeah, yeah. >> Kind of, you know, technology community. And we saw these and we were like enamored of Facebook. And there were these two young kids on the train, and we were at 'em, we were picking the brain. Do you like Facebook? "I love Facebook." They're like "oh, Facebook's unbelievable." Now, kids today, "I hate Facebook," right? So, but social at the beginning it was kind of, like I say, benign and now everybody's like - >> Savannah: We didn't know what we were getting into. >> Right. >> I know. >> Exactly. >> Can you imagine if you could have seen into the future 20 years ago? Well first of all, we'd have all bought Facebook and Apple stock. >> Savannah: Right. >> And Tesla stock. But apart from, but yeah apart from that. >> Okay, so what about Quantum? Does that scare you at all? >> I think the only thing that scares me about Quantum is we have all this security in place today. And I'm not an expert in Quantum, but we have all this security in place that's securing what we have today. And my worry is, in 10 years, is it still going to be secure? 'Cause we're still going to be using that data in some way, shape, or form. And my question is to the quantum geniuses out there, what do we do in 10 years like to retrofit the stuff? >> Dave: Like a Y2K moment? >> Kind of. Although I think Y2K is coming in 2038, isn't it? When the Linux date flips. I'll be off the grid by then, I'll be living in Scotland. >> Somebody else's problem. >> Somebody else's problem. I'll be with the sheep in Glasgow, in Scotland. >> Y2K was a boondoggle for tech, right? >> What a farce. I mean, that whole - >> I worked in the power industry in Y2K. That was a nightmare. >> Dave: Oh I bet. >> Savannah: Oh my God. >> Yeah, 'cause we just assumed that the world was going to stop and there been no power, and we had nuclear power plants. And it's like holy moly. Yeah. >> More than moly. >> I was going to say, you did a good job holding that other word in. >> I think I was going to, in case my mom hears this. >> I grew up near Diablo Canyon in, in California. So you were, I mean we were legitimately worried that that exactly was going to happen. And what about the waste? And yeah it was chaos. We've covered a lot. >> Well, what does worry you? Like, it is culture? Is it - >> Why are you trying to freak her out? >> No, no, because it's a CSO, trying to get inside the CSO's head. >> You don't think I have enough to worry about? You want to keep piling on? >> Well if it's not Quantum, you know? Maybe it's spiders or like - >> Oh but I like spiders, well spiders are okay. I don't like bridges, that's my biggest fear. Bridges. >> Seriously? >> And I had to drive over the Tappan Zee bridge, which is one of the longest, for 17 years, every day, twice. The last time I drove over it, I was crying my heart out, and happy as anything. >> Stay out of Oakland. >> I've never driven over it since. Stay out of where? >> Stay out of Oakland. >> I'm staying out of anywhere that's got lots of water. 'Cause it'll have bridges. >> Savannah: Well it's good we're here in the desert. >> Exactly. So what scares me? Bridges, there you go. >> Yeah, right. What? >> Well wait a minute. So if I'm bridging technology, is that the scary stuff? >> Oh God, that was not - >> Was it really bad? >> It was really bad. >> Wow. Wow, the puns. >> There's a lot of seems in those bridges. >> It is lit on theCUBE A floor, we are all struggling. I'm curious because I've seen, your team is all over the place here on the show, of course. Your booth has been packed the whole time. >> Lena: Yes. >> The fingerprint. Talk to me about your shirt. >> So, this was designed by my team in house. It is the most wanted swag in the company, because only my security people wear it. So, we make it like, yeah, you could maybe have one, if this turns out well. >> I feel like we're on the right track. >> Dave: If it turns out well. >> Yeah, I just love it. It's so, it's just brilliant. I mean, it's the leaf, it's a fingerprint. It's just brilliant. >> That's why I wanted to call it out. You know, you see a lot of shirts, a lot of swag shirts. Some are really unfortunately sad, or not funny, >> They are. >> or they're just trying too hard. Now there's like, with this one, I thought oh I bet that's clever. >> Lena: It is very cool. Yes, I love it. >> I saw a good one yesterday. >> Yeah? >> We fix shit, 'member? >> Oh yeah, yeah. >> That was pretty good. >> I like when they're >> That's a pretty good one. >> just straightforward, like that, yeah yeah. >> But the only thing with this is when you're say in front of a green screen, you look as though you've got no tummy. >> A portal through your body. >> And so, when we did our first - >> That's a really good point, actually. >> Yeah, it's like the black hole to nothingless. And I'm like wow, that's my soul. >> I was just going to say, I don't want to see my soul like that. I don't want to know. >> But we had to do like, it was just when the pandemic first started, so we had to do our big presentation live announcement from home. And so they shipped us all this camera equipment for home and thank God my partner knows how that works, so he set it all up. And then he had me test with a green screen, and he's like, you have no tummy. I'm like, what the hell are you talking about? He's like, come and see. It's like this, I dunno what it was. So I had to actually go upstairs and felt tip with a magic marker and make it black. >> Wow. >> So that was why I did for two hours on a Friday, yeah. >> Couldn't think of another alternative, huh? >> Well no, 'cause I'm myopic when it comes to marketing and I knew I had to keep the tshirt on, and I just did that. >> Yeah. >> In hindsight, yes I could have worn an "I Fix Shit" tshirt, but I don't think my husband would've been very happy. I secure shit? >> There you go, yeah. >> There you go. >> Over to you, Savannah. >> I was going to say, I got acquainted, I don't know if I can say this, but I'm going to say it 'cause we're here right now. I got acquainted with theCUBE, wearing a shirt that said "Unfuck Kubernetes," 'cause it was a marketing campaign that I was running for one of my clients at Kim Con last year. >> That's so good. >> Yeah, so - >> Oh my God. I'll give you one of these if you get me one of those. >> I can, we can do a swapskee. We can absolutely. >> We need a few edits on this film, on the file. >> Lena: Okay, this is nothing - >> We're fallin' off the wheel. Okay, on that note, I'm going to bring us to our challenge that we discussed, before we got started on this really diverse discussion that we have had in the last 15 minutes. We've covered everything from felt tip markers to nuclear power plants. >> To the darkness of my soul. >> To the darkness of all of our souls. >> All of our souls, yes. >> Which is perhaps a little too accurate, especially at this stage in the conference. You've obviously seen a lot Lena, and you've been rockin' it, I know John was in your suite up here, at at at the Venetian. What's your 30 second hot take? Most important story, coming out of the show or for you all at Mongo this year? >> Genuinely, it was when I learned that two-thirds of the customers that had been mentioned, here, are MongoDB customers. And that just exploded in my head. 'Cause now I'm thinking of all the numbers and the metrics and how we can use that. And I just think it's amazing, so. >> Yeah, congratulations on that. That's awesome. >> Yeah, I thought it was amazing. >> And it makes sense actually, 'cause Mongo so easy to use. We were talking about Tengen. >> We knew you when, I feel that's our like, we - >> Yeah, but it's true. And so, Mongo was just really easy to use. And people are like, ah, it doesn't scale. It's like, turns out it actually does scale. >> Lena: Turns out, it scales pretty well. >> Well Lena, without question, this is my favorite conversation of the show so far. >> Thank you. >> Thank you so much for joining us. >> Thank you very much for having me. >> Dave: Great to see you. >> It's always a pleasure. >> Dave: Thanks Lena. >> Thank you. >> And thank you all, tuning in live, for tolerating wherever we take these conversations. >> Dave: Whatever that was. >> I bet you weren't ready for this one, folks. We're at AWS re:Invent in Las Vegas, Nevada. With Dave Vellante, I'm Savannah Peterson. You're washing theCUBE, the leader for high tech coverage.

(light music) (airy white noise rumbling) >> Hey everyone, welcome back to Las Vegas. It's theCUBE. We're here, day four of our coverage of AWS re:Invent 22. There's been about, we've heard, north of 55,000 folks here in person. We're seeing only a fraction of that but it's packed in the expo center. We're at the Venetian Expo, Lisa Martin, Dave Vellante. Dave, we've had such great conversations as we always do on theCUBE. With the AWS ecosystem, we're going to be talking with another partner on that ecosystem and what they're doing to innovate together next. >> Well, we know security is the number one topic on IT practitioners, mine, CIOs, CISOs. We also know that they don't have the bench strength, that's why they look to manage service providers, manage service security providers. It's a growing topic, we've talked about it. We talked about it at re:Inforce earlier this year. I think it was July, actually, and August, believe it or not, not everybody was at the Cape. It was pretty well attended conference and that's their security focus conference, exclusive on security. But there's a lot of security here too. >> Lot of security, we're going to be talking about that next. We have two guests from Capgemini joining us. Mike Wasielewski, the head of cloud security, and NextGen secure architectures, welcome Mike. Anne Saunders also joins us, the Director of Cybersecurity Technology Partnerships at Capgemini, welcome Anne. >> Thank you. >> Dave: Hey guys. >> So, day four of the show, how you feeling? >> Anne: Pretty good. >> Mike: It's a long show. >> It is a long, and it's still jamming in here. Normally on the last day, it dwindles down. Not here. >> No, the foot traffic around the booth and around the totality of this expo floor has been amazing, I think. >> It really has. Anne, I want to start with you. Capgemini making some moves in the waves in the cloud and cloud security spaces. Talk to us about what Cap's got going on there. >> Well, we actually have a variety of things going on. Very much partner driven. The SOC Essentials offering that Mike's going to talk about shortly is the kind of the starter offer where we're going to build from and build out from. SOC Essentials is definitely critical for establishing that foundation. A lot of good stuff coming along with partners. Since I manage the partners, I'm kind of keen on who we get involved with and how we work with them to build out value and focus on our overall cloud security strategy. Mike, you want to talk about SOC Essentials? >> Yeah, well, no, I mean, I think at Capgemini, we really say cybersecurity is part of our DNA and so as we look at what we do in the cloud, you'll find that security has always been an underpinning to a lot of what we deliver, whether it's on the DevSecOps services, migration services, stuff like that. But what we're really trying to do is be intentional about how we approach the security piece of the cloud in different ways, right? Traditional infrastructure, you mentioned the totality of security vendors here and at re:Inforce. We're really seeing that you have to approach it differently. So we're bringing together the right partners. We're using what's part of our DNA to really be able to drive the next generation of security inside those clouds for our clients and customers. So as Anne was talking about, we have a new service called the Capgemini Cloud SOC Essentials, and we've really brought our partners to bear, in this case Trend Micro, really bringing a lot of their intelligence and building off of what they do so that we can help customers. Services can be pretty expensive, right, when you go for the high end, or if you have to try to run one yourself, there's a lot of time, I think you mentioned earlier, right, the people's benches. It's really hard to have a really good cybersecurity people in those smaller businesses. So what we're trying to do is we're really trying to help companies, whether you're the really big buyers of the world or some of the smaller ones, right? We want to be able to give you the visibility and ability to deliver to your customers securely. So that's how we're approaching security now and we're cloud SOC Essentials, the new thing that we're announcing while we were here is really driving out of. >> When I came out of re:Invent, when you do these events, you get this Kool-Aid injection and after a while you're like hm, what did I learn? And one of the things that struck me in talking to people is you've got the shared responsibility model that the cloud has sort of created and I know there's complexities across cloud but let's just keep it at cloud generically for a moment. And then you've got the CISO, the AppDev, AppSecDev group is being asked to do a lot. They're kind of being dragged into security that's really not their wheelhouse and then you've got audit which is like the last line of defense. And so one of the things that struck me at re:Inforce is like, okay, Amazon, great job for their portion of the shared responsibility model but I didn't hear a lot in terms of making the CISO's life easier and I'm guessing that's where you guys come in. I wonder if you could talk about that trend, that conceptual layers that I just laid out and where you guys fit. >> Mike: Sure, so I think first and foremost, I always go back to a quote from, I think it's attributed to Peter Drucker, whether that's right or wrong, who knows? But culture eats strategy for breakfast, right? And I think what we've seen in our conversations with whether you're talking to the CISO, the application team, the AppDev team, wherever throughout the organization, we really see that culture is what's going to drive success or failure of security in the org, and so what we do is we really do bring that totality of perspective. We're not just cloud, not just security, not just AppDev. We can really bring across the totality of the Capgemini estate. So that when we go, and you're right, a CISO says, I'm having a hard time getting the app people to deliver what I need. If you just come from a security perspective, you're right, that's what's going to happen. So what we try to do is so, we've got a great DevSecOps service, for example in the cloud where we do that. We bring all the perspectives together, how do we align KPIs? That's a big problem, I think, for what you're seeing, making CISO's lives easier, is about making sure that the app team KPIs are aligned with the CISO's but also the CISO's KPIs are aligned with the app teams. And by doing that, we have had really great success in a number of organizations by giving them the tools then and the people on our side to be able to make those alignments at the business level, to drive the right business outcome, to drive the right security outcome, the right application outcome. That's where I think we've really come to play. >> Absolutely, and I will say from a partnering perspective, what's key in supporting that strategy is we will learn from our partners, we lean on our partners to understand what the trends they're seeing and where they're having an impact with regards to supporting the CISO and supporting the overall security strategy within a company. I mean, they're on the cutting edge. We do a lot to track their technology roadmaps. We do a lot to track how they build their buyer personas and what issues they're dealing with and what issues they're prepared to deal with regards to where they're investing and who's investing in them. A lot of strategy around which partner to bring in and support, how we're going to address the challenges, the CISO and the IT teams are having to kind of support that overall. Security is a part of everything, DNA kind of strategy. >> Yeah, do you have a favorite example, Anne, of a partner that came in with Capgemini, helped a customer really be able to do what Capgemini is doing and that is, have cybersecurity be actually part of their DNA when there's so many challenges, the skills gap. Any favorite example that really you think articulates how you're able to enable organizations to achieve just that? >> Anne: Well, actually the SOC Essentials offering that we're rolling out is a prime example of that. I mean, we work very, very closely with Trend on all fronts with regards to developing it. It's one of those completely collaborative from day one to going to the customer and that it's almost that seamless connectivity and just partnering at such a strategic level is a great example of how it's done right, and when it's done right, how successful it can be. >> Dave: Why Trend Micro? Because I mean, I'm sure you've seen, I think that's Optiv, has the eye test with all the tools and you talk to CISOs, they're like really trying to consolidate those tools. So I presume there's a portfolio play there, but tell us, tell the audience a little bit more about why Trend Micro and I mean your branding with them, why those guys? >> Well, it goes towards the technology, of course, and all the development they've done and their position within AWS and how they address assuring security for our clients who are moving onto and running their estates on AWS. There's such a long heritage with regards to their technology platform and what they've developed, that deep experience, that kind of the strength of the technology because of the longevity they've had and where they sit within their domain. I try to call partners out by their domain and their area of expertise is part of the reason, I mean. >> Yeah, I think another big part of it is Gartner is expecting, I think they published this out in the next three years, we expect to see another consolidation both inside of the enterprises as well as, I look back a couple years, when Palo Alto went on a very nice spending spree, right? And put together a lot of really great companies that built their Prisma platform. So what I think one of the reasons we picked Trend in this particular case is as we look forward for our customers and our clients, not just having point solutions, right? This isn't just about endpoint protection, this isn't just about security posture management. This is really who can take the totality of the customer's problems and deliver on the right outcomes from a single platform, and so when we look at companies like Trend, like Palo, some of the bigger partners for us, that's where we try to focus. They're definitely best in breed and we bring those to our customers too for certain things. But as we look to the future, I think really finding those partners that are going to be able to solve a swath of problems at the right price point for their customers, that is where I think we see the industry moving. >> Dave: And maybe be around as an independent company. Was that a factor as well? I mean, you see Thoma Bravo buying up all his hiring companies and right, so, and maybe they're trying to create something that could be competitive, but you're saying Trend Micros there, so. >> Well I think as Anne mentioned, the 30 year heritage, I think, of Trend Micro really driving this and I've done work with them in various past things. There's also a big part of just the people you like, the people that are good to work with, that are really trying to be customer obsessed, going back right, at an AWS event, the ones that get the cloud tend to be able to follow those Amazon LPs as well, right, just kind of naturally, and so I think when you look at the Trend Micros of the world, that's where that kind of cloud native piece comes out and I like working with that. >> In this environment, the macro environment, lets talk a bit, earning season, it's really mixed. I mean you're seeing some really good earnings, some mixed earnings, some good earnings with cautious guidance. So nobody really (indistinct), and it was for a period time there was a thinking that security was non-discretionary and it's clearly non-discretionary, but the CISO, she or he, doesn't have unlimited budgets, right? So what are you seeing in terms of how are customers dealing with this challenging macro environment? Is it through tools consolidation? Is that a play that's going on? What are you seeing in the customer base? >> Anne: I see ways, and we're working through this right now where we're actually weaving cybersecurity in at the very beginning of how we're designing offers across our entire offer portfolio, not just the cybersecurity business. So taking that approach in the long run will help contain costs and our hope, and we're already seeing it, is it's actually helping change the perception that security's that cost center and that final obstacle you have to get over and it's going to throw your margins off and all that sort of stuff. >> Dave: I like that, its at least is like a security cover charge. You're not getting in unless we do the security thing. >> Exactly, a security cover charge, that's what you should call it. >> Yeah. >> Like it. >> Another piece though, you mentioned earlier about making CISO's life easier, right? And I think, as Anne did a really absolutely true about building it in, not to the security stack but application developers, they want visibility they want observability, they want to do it right. They want CI/CD pipeline that can give them confidence in their security. So should the CISO have a budget issue, right? And they can't necessarily afford, but the application team as they're looking at what products they want to purchase, can I get a SaaS or a DaaS, right? The static or dynamic application security testing in my product up front and if the app team buys into that methodology, the CISO convinces them, yes, this is important. Now I've got two budgets to pull from, and in the end I end up with a cheaper, a lower cost of a service. So I think that's another way that we see with like DevSecOps and a few other services, that building in on day one that you mentioned. >> Lisa: Yeah. >> Getting both teams involved. >> Dave: That's interesting, Mike, because that's the alignment that you were talking about earlier in the KPIs and you're not a tech vendor saying, buy my product, you guys have deep consultancy backgrounds. >> Anne: And the customer appreciates that. >> Yeah. >> Anne: They see us as looking out for their best interest when we're trying to support them and help them and bringing it to the table at the very beginning as something that is there and we're conscientious of, just helps them in the long run and I think, they're seeing that, they appreciate that. >> Dave: Yeah, you can bring best practice around measurements, alignment, business process, stuff like that. Maybe even some industry expertise which you're not typically going to get from a product company. >> Well, one thing you just mentioned that I love talking about with Capgemini is the industry expertise, right? So when you look at systems integrators, there are a lot of really, really good ones. To say otherwise would be foolish. But Capgemini with our acquisition of Altran, a couple years ago, I think think it was, right? How many other GSIs or SIs are actually building silicon for IoT chips? So IoT's huge right now, the intelligent industry moving forward is going to drive a lot of those business outcomes that people are looking for. Who else can say we've built an autonomous vehicle, Capgemini can. Who can say that we've built the IoT devices from the ground up? We know not just how to integrate them into AWS, into the IoT services in the cloud, but to build and have that secure development for the firmware and all and that's where I think our customers really look to us as being those industry experts and being able to bring that totality of our business to bear for what they need to do to achieve their objectives to deliver to their customer. >> Dave: That's interesting. I mean, using silicon as a differentiator to drive a lot of business outcomes and security. >> Mike: Absolutely. >> I mean you see what Amazon's doing in silicon, Look at Apple. Look at what Tesla's doing with silicon. >> Dave: That's where you're seeing a lot of people start focusing 'cause not everybody can do it. >> Yeah. >> It's hard. >> Right. >> It's hard. >> And you'll see some interesting announcements from us and some interesting information and trends that we'll be driving because of where we're placed and what we have going around security and intelligent industry overall. We have a lot of investment going on there right now and again, from the partner perspective, it's an ecosystem of key partners that collectively work together to kind of create a seamless security posture for an intelligent industry initiative with these companies that we're working with. >> So last question, probably toughest question, and that's to give us a 30 second like elevator pitch or a billboard and I'm going to ask you, Anne, specifically about the SOC Essentials program powered by Trend Micro. Why should organizations look to that? >> Organizations should move to it or work with us on it because we have the expertise, we have the width and breadth to help them fill the gaps, be those eyes, be that team, the police behind it all, so to speak, and be the team behind them to make sure we're giving them the right information they need to actually act effectively on maintaining their security posture. >> Nice and then last question for you, Mike is that billboard, why should organizations in any industry work with Capgemini to help become an intelligent industrial player. >> Mike: Sure, so if you look at our board up top, right, we've got our tagline that says, "get the future you want." And that's what you're going to get with Capgemini. It's not just about selling a service, it's not just about what partners' right in reselling. We don't want that to be why you come to us. You, as a company have a vision and we will help you achieve that vision in a way that nobody else can because of our depth, because of the breadth that we have that's very hard to replicate. >> Awesome guys, that was great answers. Mike, Anne, thank you for spending some time with Dave and me on the program today talking about what's new with Capgemini. We'll be following this space. >> All right, thank you very much. >> For our guests and for Dave Vellante, I'm Lisa Martin, you're watching theCUBE, the leader in live enterprise and emerging tech coverage. (gentle light music)

(upbeat music) >> Hello, everyone and welcome back to fabulous Las Vegas, Nevada, where we are here on the show floor at AWS re:Invent. We are theCUBE. I am Savannah Peterson, joined with John Furrier. John, afternoon, day two, we are in full swing. >> Yes. >> What's got you most excited? >> Just got lunch, got the food kicking in. No, we don't get coffee. (Savannah laughing) >> Way to bring the hype there, John. >> No, there's so many people here just in Amazon. We're back to 2019 levels of crowd. The interest levels are high. Next gen, cloud security, big part of the keynote. This next segment, I am super excited about. CUBE Alumni, going back to 2013, 10 years ago he was on theCUBE. Now, 10 years later we're at re:Invent, looking forward to this guest and it's about security, great topic. >> I don't want to delay us anymore, please welcome Mark. Mark, thank you so much for being here with us. Massive day for you and the team. I know you oversee three different units at Amazon, Inspector, Detective, and the most recently announced, Security Lake. Tell us about Amazon Security Lake. >> Well, thanks Savannah. Thanks John for having me. Well, Security Lake has been in the works for a little bit of time and it got announced today at the keynote as you heard from Adam. We're super excited because there's a couple components that are really unique and valuable to our customers within Security Lake. First and foremost, the foundation of Security Lake is an open source project we call OCFS, Open Cybersecurity Framework Schema. And what that allows is us to work with the vendor community at large in the security space and develop a language where we can all communicate around security data. And that's the language that we put into Security Data Lake. We have 60 vendors participating in developing that language and partnering within Security Lake. But it's a communal lake where customers can bring all of their security data in one place, whether it's generated in AWS, they're on-prem, or SaaS offerings or other clouds, all in one location in a language that allows analytics to take advantage of that analytics and give better outcomes for our customers. >> So Adams Selipsky big keynote, he spent all the bulk of his time on data and security. Obviously they go well together, we've talked about this in the past on theCUBE. Data is part of security, but this security's a little bit different in the sense that the global footprint of AWS makes it uniquely positioned to manage some security threats, EKS protection, a very interesting announcement, runtime layer, but looking inside and outside the containers, probably gives extra telemetry on some of those supply chains vulnerabilities. This is actually a very nuanced point. You got Guard Duty kind of taking its role. What does it mean for customers 'cause there's a lot of things in this announcement that he didn't have time to go into detail. Unpack all the specifics around what the security announcement means for customers. >> Yeah, so we announced four items in Adam's keynote today within my team. So I'll start with Guard Duty for EKS runtime. It's complimenting our existing capabilities for EKS support. So today Inspector does vulnerability assessment on EKS or container images in general. Guard Duty does detections of EKS workloads based on log data. Detective does investigation and analysis based on that log data as well. With the announcement today, we go inside the container workloads. We have more telemetry, more fine grain telemetry and ultimately we can provide better detections for our customers to analyze risks within their container workload. So we're super excited about that one. Additionally, we announced Inspector for Lambda. So Inspector, we released last year at re:Invent and we focused mostly on EKS container workloads and EC2 workloads. Single click automatically assess your environment, start generating assessments around vulnerabilities. We've added Lambda to that capability for our customers. The third announcement we made was Macy sampling. So Macy has been around for a while in delivering a lot of value for customers providing information around their sensitive data within S3 buckets. What we found is many customers want to go and characterize all of the data in their buckets, but some just want to know is there any sensitive data in my bucket? And the sampling feature allows the customer to find out their sensitive data in the bucket, but we don't have to go through and do all of the analysis to tell you exactly what's in there. >> Unstructured and structured data. Any data? >> Correct, yeah. >> And the fourth? >> The fourth, Security Data Lake? (John and Savannah laughing) Yes. >> Okay, ocean theme. data lake. >> Very complimentary to all of our services, but the unique value in the data lake is that we put the information in the customer's control. It's in their S3 bucket, they get to decide who gets access to it. We've heard from customers over the years that really have two options around gathering large scale data for security analysis. One is we roll our own and we're security engineers, we're not data engineers. It's really hard for them to build these distributed systems at scale. The second one is we can pick a vendor or a partner, but we're locked in and it's in their schemer and their format and we're there for a long period of time. With Security Data Lake, they get the best of both worlds. We run the infrastructure at scale for them, put the data in their control and they get to decide what use case, what partner, what tool gives them the most value on top of their data. >> Is that always a good thing to give the customers too much control? 'Cause you know the old expression, you give 'em a knife they play with and they they can cut themselves, I mean. But no, seriously, 'cause what's the provisions around that? Because control was big part of the governance, how do you manage the security? How does the customer worry about, if I have too much control, someone makes a mistake? >> Well, what we finding out today is that many customers have realized that some of their data has been replicated seven times, 10 times, not necessarily maliciously, but because they have multiple vendors that utilize that data to give them different use cases and outcomes. It becomes costly and unwieldy to figure out where all that data is. So by centralizing it, the control is really around who has access to the data. Now, ultimately customers want to make those decisions and we've made it simple to aggregate this data in a single place. They can develop a home region if they want, where all the data flows into one region, they can distribute it globally. >> They're in charge. >> They're in charge. But the controls are mostly in the hands of the data governance person in the company, not the security analyst. >> So I'm really curious, you mentioned there's 60 AWS partner companies that have collaborated on the Security lake. Can you tell us a little bit about the process? How long does it take? Are people self-selecting to contribute to these projects? Are you cherry picking? What does that look like? >> It's a great question. There's three levels of collaboration. One is around the open source project that we announced at Black Hat early in this year called OCSF. And that collaboration is we've asked the vendor community to work with us to build a schema that is universally acceptable to security practitioners, not vendor specific and we've asked. >> Savannah: I'm sorry to interrupt you, but is this a first of its kind? >> There's multiple schemes out there developed by multiple parties. They've been around for multiple years, but they've been built by a single vendor. >> Yeah, that's what I'm drill in on a little bit. It sounds like the first we had this level of collaboration. >> There's been collaborations around them, but in a handful of companies. We've really gone to a broad set of collaborators to really get it right. And they're focused around areas of expertise that they have knowledge in. So the EDR vendors, they're focused around the scheme around EDR. The firewall vendors are focused around that area. Certainly the cloud vendors are in their scope. So that's level one of collaboration and that gets us the level playing field and the language in which we'll communicate. >> Savannah: Which is so important. >> Super foundational. Then the second area is around producers and subscribers. So many companies generate valuable security data from the tools that they run. And we call those producers the publishers and they publish the data into Security Lake within that OCSF format. Some of them are in the form of findings, many of them in the form of raw telemetry. Then the second one is in the subscriber side and those are usually analytic vendors, SIM vendors, XDR vendors that take advantage of the logs in one place and generate analytic driven outcomes on top of that, use cases, if you will, that highlight security risks or issues for customers. >> Savannah: Yeah, cool. >> What's the big customer focus when you start looking at Security Lakes? How do you see that planning out? You said there's a collaboration, love the open source vibe on that piece, what data goes in there? What's sharing? 'Cause a big part of the keynote I heard today was, I heard clean rooms, I've cut my antenna up. I'd love to hear that. That means there's an implied sharing aspect. The security industry's been sharing data for a while. What kind of data's in that lake? Give us an example, take us through. >> Well, this a number of sources within AWS, as customers run their workloads in AWS. We've identified somewhere around 25 sources that will be natively single click into Amazon Security Lake. We were announcing nine of them. They're traditional network logs, BBC flow, cloud trail logs, firewall logs, findings that are generated across AWS, EKS audit logs, RDS data logs. So anything that customers run workloads on will be available in data lake. But that's not limited to AWS. Customers run their environments hybridly, they have SaaS applications, they use other clouds in some instances. So it's open to bring all that data in. Customers can vector it all into this one single location if they decide, we make it pretty simple for them to do that. Again, in the same format where outcomes can be generated quickly and easily. >> Can you use the data lake off on premise or it has to be in an S3 in Amazon Cloud? >> Today it's in S3 in Amazon. If we hear customers looking to do something different, as you guys know, we tend to focus on our customers and what they want us to do, but they've been pretty happy about what we've decided to do in this first iteration. >> So we got a story about Silicon Angle. Obviously the ingestion is a big part of it. The reporters are jumping in, but the 53rd party sources is a pretty big number. Is that coming from the OCSF or is that just in general? Who's involved? >> Yeah, OCSF is the big part of that and we have a list of probably 50 more that want to join in part of this. >> The other big names are there, Cisco, CrowdStrike, Peloton Networks, all the big dogs are in there. >> All big partners of AWS, anyway, so it was an easy conversation and in most cases when we started having the conversation, they were like, "Wow, this has really been needed for a long time." And given our breadth of partners and where we sit from our customers perspective in the center of their cloud journey that they've looked at us and said, "You guys, we applaud you for driving this." >> So Mark, take us through the conversations you're having with the customers at re:Inforce. We saw a lot of meetings happening. It was great to be back face to face. You guys have been doing a lot of customer conversation, security Data Lake came out of that. What was the driving force behind it? What were some of the key concerns? What were the challenges and what's now the opportunity that's different? >> We heard from our customers in general. One, it's too hard for us to get all the data we need in a single place, whether through AWS, the industry in general, it's just too hard. We don't have those resources to data wrangle that data. We don't know how to pick schema. There's multiple ones out there. Tell us how we would do that. So these three challenges came out front and center for every customer. And mostly what they said is our resources are limited and we want to focus those resources on security outcomes and we have security engines. We don't want to focus them on data wrangling and large scale distributed systems. Can you help us solve that problem? And it came out loud and clear from almost every customer conversation we had. And that's where we took the challenge. We said, "Okay, let's build this data layer." And then on top of that we have services like Detective and Guard Duty, we'll take advantage of it as well. But we also have a myriad of ISV third parties that will also sit on top of that data and render out. >> What's interesting, I want to get your reaction. I know we don't have much time left, but I want to get your thoughts. When I see Security Data Lake, which is awesome by the way, love the focus, love how you guys put that together. It makes me realize the big thing in re:Invent this year is this idea of specialized solutions. You got instances for this and that, use cases that require certain kind of performance. You got the data pillars that Adam laid out. Are we going to start seeing more specialized data lakes? I mean, we have a video data lake. Is there going to be a FinTech data lake? Is there going to be, I mean, you got the Great Lakes kind of going on here, what is going on with these lakes? I mean, is that a trend that Amazon sees or customers are aligning to? >> Yeah, we have a couple lakes already. We have a healthcare lake and a financial lake and now we have a security lake. Foundationally we have Lake Formation, which is the tool that anyone can build a lake. And most of our lakes run on top of Lake Foundation, but specialize. And the specialization is in the data aggregation, normalization, enridgement, that is unique for those use cases. And I think you'll see more and more. >> John: So that's a feature, not a bug. >> It's a feature, it's a big feature. The customers have ask for it. >> So they want roll their own specialized, purpose-built data thing, lake? They can do it. >> And customer don't want to combine healthcare information with security information. They have different use cases and segmentation of the information that they care about. So I think you'll see more. Now, I also think that you'll see where there are adjacencies that those lakes will expand into other use cases in some cases too. >> And that's where the right tools comes in, as he was talking about this ETL zero, ETL feature. >> It be like an 80, 20 rule. So if 80% of the data is shared for different use cases, you can see how those lakes would expand to fulfill multiple use cases. >> All right, you think he's ready for the challenge? Look, we were on the same page. >> Okay, we have a new challenge, go ahead. >> So think of it as an Instagram Reel, sort of your hot take, your thought leadership moment, the clip we're going to come back to and reference your brilliance 10 years down the road. I mean, you've been a CUBE veteran, now CUBE alumni for almost 10 years, in just a few weeks it'll be that. What do you think is, and I suspect, I think I might know your answer to this, so feel free to be robust in this. But what do you think is the biggest story, key takeaway from the show this year? >> We're democratizing security data within Security Data Lake for sure. >> Well said, you are our shortest answer so far on theCUBE and I absolutely love and respect that. Mark, it has been a pleasure chatting with you and congratulations, again, on the huge announcement. This is such an exciting day for you all. >> Thank you Savannah, thank you John, pleasure to be here. >> John: Thank you, great to have you. >> We look forward to 10 more years of having you. >> Well, maybe we don't have to wait 10 years. (laughs) >> Well, more years, in another time. >> I have a feeling it'll be a lot of security content this year. >> Yeah, pretty hot theme >> Very hot theme. >> Pretty odd theme for us. >> Of course, re:Inforce will be there this year again, coming up 2023. >> All the res. >> Yep, all the res. >> Love that. >> We look forward to see you there. >> All right, thanks, Mark. >> Speaking of res, you're the reason we are here. Thank you all for tuning in to today's live coverage from AWS re:Invent. We are in Las Vegas, Nevada with John Furrier. My name is Savannah Peterson. We are theCUBE and we are the leading source for high tech coverage. (upbeat music)

(upbeat music) >> Hello, and welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE here in Palo Alto, California for a great remote interview with Ameya Talwalkar, CEO of Cequence Security. Protecting APIs is the name of the game. Ameya thanks for coming on this CUBE Conversation. >> Thank you, John. Thanks for having us. >> So, I mean, obviously APIs, cloud, it runs everything. It's only going to get better, faster, more containers, more Kubernetes, more cloud-native action, APIs are at the center of it. Quick history, Cequence, how you guys saw the problem and where is it today? >> Yeah, so we started building the company or the product, the first product of the company focused on abuse or business logic abuse on APIs. We had design partners in large finance FinTech companies that are now customers of Cequence that were sort of API first, if you will. There were products in the market that were, you know, solving this problem for them on the web and in some cases mobile applications, but since these were API first very modern FinTech and finance companies that deal with lot of large enterprises, merchants, you have it, you name it. They were struggling to protect their APIs while they had protection on web and mobile applications. So that's the genesis. The problem has evolved exponentially in terms of volume size, pain, the ultimate financial losses from those problems. So it has, it's been a interesting journey and I think we timed it perfectly in terms of when we got started with the problem we started with. >> Yeah, I'm sure if you look at the growth of APIs, they're just exponentially growing because of the development, cloud-native development wave plus open source driving a lot of action. I was talking to a developer the other day and he's like, "Just give me a bag of Lego blocks and I'll build whatever application." I mean, this essentially- >> Yeah. >> API first is, has got us here, and that's standard. >> Yeah. >> Everyone's building on top of APIs, but the infrastructure going cloud-native is growing as well. So how do you secure APIs without slowing down the application velocity? Which everyone's trying to make go faster. So you got faster velocity on the developer side and (chuckles) more APIs coming. How do you secure the API infrastructure without slowing down the apps? >> Yeah, I'll come to the how part of it but I'll give you a little bit of commentary on what the problem really is. It's what has happened in the last few years is as you mentioned, the sort of journey to the cloud whether it's a public cloud or a private cloud, some enterprises have gone to a multi-cloud strategy. What really has happened is two things. One is because of that multi-environment deployment there is no defined parameter anymore to your applications or APIs. And so the parameter where people typically used to have maybe a CDN or WAF or other security controls at the parameter and then you have your infrastructure hosting these apps and APIs is completely gone away, that just doesn't exist anymore. And even more so for APIs which really doesn't have a whole lot of content to be cashed. They don't use CDN. So they are behind whatever API gateways whether they're in the cloud or whatever, they're hosting their APIs. And that has become your micro parameter, if you will, as these APIs are getting spread. And so the security teams are struggling with, how do I protect such a diverse set of environments that I am supposed to manage and protect where I don't have a unified view. I don't have even, like a complete view, if you will, of these APIs. And back in the days when phones or the modern iPhones and Android phones became popular, there used to be a sort of ad campaign I remember that said, "There is an app for that." >> Yeah. >> So the fast forward today, it's like, "There's an API for that." So everything you wanted to do today as a consumer or a business- >> John: Yeah. >> You can call an API and get your business done. And that's the challenge that's the explosion in APIs. >> Yeah. >> (laughs) Go ahead. >> It's interesting you have the API life cycle concept developing. Now you got, everyone knows- >> Right. >> The application life cycle, you know CI/CD pipelining, shifting left, but the surface area, you got web app firewalls which everyone knows is kind of like outdated, but you got API gateways. >> Yep. >> The surface area- >> Yeah. >> Is only increasing. So I have to ask you, do the existing API security tools out there bring that full application- >> Yeah. >> And API life cycle together? 'Cause you got to discover- >> Yep. >> The environment, you got to know what to protect and then also net new functionality. Can you comment? >> Right. Yeah. So that actually goes to your how question from, you know, previous section which is really what Cequence has defined is a API protection life cycle. And it's this concrete six-step process in which you protect your APIs. And the reason why we say it's a life cycle is it's not something that you do once and forget about it. It's a continuous process that you have to keep doing because your DevOps teams are publishing new APIs almost every day, every other day, if you will. So the start of that journey of that life cycle is really about discovering your external facing API attack surface which is where we highlight new hosting environments. We highlight accidental exposures. People are exposing their staging APIs. They might have access to production data. They are exposing Prometheus or performance monitoring servers. We find PKCS 7 files. We find Log4j vulnerabilities. These are things that you can just get a view of from outside looking in and then go about prioritizing which API environments you want to protect. So that's step number one. Step number two, really quick is do an inventory of all your APIs once you figure out which environments you want to protect or prioritize. And so that inventory includes a runtime inventory. Also creating specifications for these APIs. In lot of places, we find unmanaged APIs, shadow APIs and we create the API inventory and also push them towards sort of a central API management program. The third step is really looking at the risk of these APIs. Make sure they are using appropriate security controls. They're not leaking any sensitive information, PCI, PHI, PII, or other sort of industry-specific sensitive information. They are conforming to their schema. So sometimes the APIs dba.runtime from their schema and then that can cause a risk. So that's the first, sort of first half of this life cycle, if you will, which is really making sure your APIs are secure, they're using proper hygiene. The second half is about attack detection and prevention. So the fourth step is attack detection. And here again, we don't stop just at the OWASP Top 10 category of threats, a lot of other vendors do. They just do the OWASP API Top 10, but we think it's more than that. And we go deeper into business logic abuse, bots, and all the way to fraud. And that's sort of the attack detection piece of this journey. Once you detect these attacks, you start about, think about prevention of these attacks, also natively with Cequence. And the last step is about testing and making sure your APIs are secure even before they go live. >> What's- >> So that's a journey. Yeah. >> What's the secret sauce? What makes you different? 'Cause you got two sides to that coin. You got the auditing, kind of figure things out, and then you got the in-built attacks. >> Yeah. >> What makes you guys different? >> Yeah. So the way we are different is, first of all, Cequence is the only vendor that can, that has all these six steps in a single platform. We talked about security teams just lacking that complete view or consistent and uniform view of all your, you know, parameter, all your API infrastructure. We are combining that into a single platform with all the six steps that you can do in just one platform. >> John: Yeah. >> Number two is the outside looking in view which is the external discovery. It's something Cequence is unique in this space, uniquely doing this in this space. The third piece is the depth of our detection which is we don't just stop at the OWASP API Top 10, we go to fraud, business logic abuse, and bot attacks. And the mitigation, this will be interesting to you, which is a lot of the API security vendors say you come into existence because your WAF is not protecting your APIs, but they turn around when they detect the attacks to rely on a WAF to mitigate this or prevent these threats. And how can you sort of comprehend all that, right? >> Yeah. >> So we are unique in the sense we can prevent the attacks that we detect in the same platform without reliance on any other third-party solution. >> Yeah, I mean we- >> The last part is, sorry, just one last. >> Go ahead. Go ahead. >> Which is the scale. So we are serving largest of the large Fortune 100, Fortune 50 enterprises. We are processing 6 billion API calls per day. And one of the large customers of ours is processing 1 billion API calls per day with Cequence. So scale of APIs that we can process and how we can scale is also unique to Cequence. >> Yeah, I think the scale thing's a huge message. There, just, I put a little accent on that. I got to comment because we had an event last week called Supercloud which we were trying to talking about, you know, as clouds become more multicloud, you get more super capabilities. But automation, with super cloud comes super hackers. So as things advance, you're seeing the step function, the bad guys are getting better too. You mentioned bots. So I have to ask you what are some of the sophisticated attacks that you see that look like legitimate traffic or transactions? Can you comment on what your scale and your patterns are showing? Because the attacks are coming in fast and furious >> Correct. So APIs make the attack easier because APIs are well documented. So you want your partners and, you know, programmers to use your API ecosystem, but at the same time the attackers are getting the same information and they can program against those APIs very easily which means what? They are going to write a bunch of bots and automation to cause a lot of pain. The kind of sophistication we have seen is I'll just give a few examples. Ulta Beauty is one of our customers, very popular retailer in the US. And we recently found an interesting attack. They were selling some high-end hair curling high ends which are very high-end demand, very expensive, very hard to find. And so this links sort of physical path to API security, think about it, which is the bad guys were using a bot to scrape a third-party service which was giving local inventory information available to people who wanted to search for these items which are high in demand, low in supply. And they wrote a bot to find where, which locations have these items in supply, and they went and sort of broke into these showrooms and stole those items. So not only we say are saving them from physical theft and all the other problems that they have- >> Yeah. >> But also, they were paying about $25,000 per month extra- >> Yeah. >> For this geo-location service that was looking at their inventory. So that's the kind of abuse that can go on with APIs. Even when the APIs are perfectly secure, they're using appropriate security controls, these can go on. >> You know, that's a really great example. I'm glad you brought that up because I observed at AWS re:Inforce in Boston that Steven Schmidt has changed his title from chief information security officer to just chief security officer, to the point when asked he said, "Physical security is now tied together with the online." So to your point- >> Yeah. >> About the surveillance and attack setup- >> Yeah. >> For the physical, you got warehouses- >> Yep. >> You've got brick and mortar. This is the convergence of security. >> Correct. Absolutely. I mean, we do deal with many other, sort of a governance case. We help a Fortune 50 finance company which operates worldwide. And their gets concern is if an API is hosted in a certain country in Europe which has the most sort of aggressive data privacy and data regulations that they have to deal with, they want to make sure the consumer of that API is within a certain geo location whereby they're not subject to liabilities from GDPR and other data residency regulation. And we are the ones that are giving them that view. And we can have even restrict and make sure they're compliant with that regulation that they have to sort of comply with. >> I could only imagine that that geo-regional view and the intelligence and the scale gives you insights- >> Yeah. >> Into attacks that aren't really kind of, aren't supposed to be there. In other words, if you can keep the data in the geo, then you could look- >> Yep. >> At anything else as that, you know, you don't belong here kind of track. >> You don't belong here. Exactly. Yeah, yeah. >> All right. So let's get to the API. >> Yeah, I mean- >> So the API visibility is an issue, right? So I can see that, check, sold me on that, protection is key, but if, what's the current security team makeup? Are they buying into this or are they just kind of the hair on fire? What are security development teams doing? 'Cause they're under a lot of pressure to do the hardcore security work. And APIs, again, surface area's wide open, they're part of everyone's access. >> Yeah. So I mentioned about the six-step journey of the life cycle. Right? We see customers come to us with very acute pain point and they say, "Our hair is on, our hair on fire. (John laughing) Solve this problem for us." Like one large US telco company came to us to, just a simple problem, do the inventory and risk assessment of all our APIs. That's our number one pain point. Ended up starting with them on those two pain points or those two stops on their life cycle. And then we ended up solving all the six steps with them because once we started creating an inventory and looking at the risk profile, we also observed that these same APIs were target by bots and fraudsters doing all kinds of bad things. So once we discovered those problems we expanded the scope to sort of have the whole life cycle covered with the Cequence platform. And that's the typical experience which is, it's typically the security team. There are developer communities that are coming to us with sort of the testing aspect of it which integrated into DevOps toolchains and CI/CD pipelines. But otherwise, it's all about security challenges, acute pain points, and then expanding into the whole journey. >> All right. So you got the detection, you got the alerting, you got the protection, you got the mitigation. What's the advice- >> Yeah. >> To the customer or the right approach to set up with Cequence so that they can have the best protection. What the motion? What's the initial engagement look like? How do they engage? How do they operationalize? >> Yeah. >> You guys take me through that. >> Yeah. The simple way of engaging with Cequence is get that external assessment which will map your APIs for you, it'll create a assessment for you. We'll present that assessment, you know, to your security team. And like 90% of the times customers have an aha moment, (John chuckles) that they didn't know something that we are showing them. They find APIs that were not supposed to be public. They will find hosting environments that they didn't know about. They will find API gateways that were, like not commissioned, but being used. And so start there, start their journey with an assessment with Cequence, and then work with us to prioritize what problems you want to solve next once you have that assessment. >> So really making sure that their inventory of API is legit. >> Yep. Yep, absolutely. >> It's basically- >> Yep. >> I mean, you're starting to see more of this in the cloud-native, you know, Sbot, they call 'em, you know, (indistinct) materials. >> (Ameya faintly speaking). What do you got out there, kind of full understanding of what's being instrumented out there, big time. >> Yeah. The thing is a lot of analysts say that APIs is the number one attack vector this year and going forward, but you'll be surprised to see that it's not the APIs that get targeted that are poorly secured. Actually, the APIs that are completely not secured are the ones that are attacked the most because there are plenty of them. So start with the assessment, figure out the APIs that are out there and then start your journey. That's sort of my recommendation. >> So based on your advice what you're saying is there's a, most people make the mistake of having a lot of undocumented or unauthorized APIs out there that are unsecured. >> Yeah. And security teams are unaware of those APIs. So how do you protect something that you don't know even exists? >> Yeah. >> Right? So that's the challenge. >> Okay. You know, the APIs have to be secure. And as applications connect too, there's the other side of the APIs, whether that's credential passing, so much is at stake here relative to the security. It's not just access it's what's behind it. There's a lot of trust coming in. So, you know, I got to ask you a final question. You got zero trust and you got trust kind of coming together. What's (laughs), how do you respond to that? >> Yeah. Zero trust is part of it in the sense that you have to not trust sort of any API consumer as a completely trusted entity. Just like I gave you the Ultra Beauty example. They had trusted this third party to be absolutely safe and secure, you know, no controls necessary to sort of monitor their traffic, whereas they can be abused by their end consumers and cause you a lot of pain. So there is a sort of a linkage between zero trust. Never trusts anybody until you verify, that's the sort of angle, that's sort of the connection between APIs security and zero trust. >> Ameya, thank you for coming on theCUBE. Really appreciate the conversation. I'll give you the final word. What should people know about Cequence Security? How would you give the pitch? You go, you know, quick summary, what's going on? >> Yeah. So very excited to be in this space. We sort of are the largest security of API security vendor in the space in terms of revenue, the largest volume of API traffic that we process. And we are just getting started. This is a exciting journey we are on, we are very happy to serve the, you know, Fortune 50, you know, global 200 customers that we have, and we are expanding into many geographies and locations. And so look for some exciting updates from us in the coming days. >> Well, congratulations on your success. Love the approach, love the scale. I think scale's a new competitive advantage. I think that's the new lock-in if you're good, and your scaling providing a lot of benefits. So Ameya, thank you for coming, sharing the story. Looking forward to chatting again soon. >> Thank you very much. Thanks for having us. >> Okay. This is a CUBE Conversation. I'm John Furrier, here at Palo Alto, California. Thanks for watching. (cheerful music)

>> Announcer: From theCUBE studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> The rapid pace of cloud adoption has changed the way organizations approach cybersecurity. Specifically, the cloud is increasingly becoming the first line of cyber defense. As such, along with communicating to the board and creating a security aware culture, the chief information security officer must ensure that the shared responsibility model is being applied properly. Meanwhile, the DevSecOps team has emerged as the critical link between strategy and execution, while audit becomes the free safety, if you will, in the equation, i.e., the last line of defense. Hello, and welcome to this week's, we keep on CUBE Insights, powered by ETR. In this "Breaking Analysis", we'll share the latest data on hyperscale, IaaS, and PaaS market performance, along with some fresh ETR survey data. And we'll share some highlights and the puts and takes from the recent AWS re:Inforce event in Boston. But first, the macro. It's earning season, and that's what many people want to talk about, including us. As we reported last week, the macro spending picture is very mixed and weird. Think back to a week ago when SNAP reported. A player like SNAP misses and the Nasdaq drops 300 points. Meanwhile, Intel, the great semiconductor hope for America misses by a mile, cuts its revenue outlook by 15% for the year, and the Nasdaq was up nearly 250 points just ahead of the close, go figure. Earnings reports from Meta, Google, Microsoft, ServiceNow, and some others underscored cautious outlooks, especially those exposed to the advertising revenue sector. But at the same time, Apple, Microsoft, and Google, were, let's say less bad than expected. And that brought a sigh of relief. And then there's Amazon, which beat on revenue, it beat on cloud revenue, and it gave positive guidance. The Nasdaq has seen this month best month since the isolation economy, which "Breaking Analysis" contributor, Chip Symington, attributes to what he calls an oversold rally. But there are many unknowns that remain. How bad will inflation be? Will the fed really stop tightening after September? The Senate just approved a big spending bill along with corporate tax hikes, which generally don't favor the economy. And on Monday, August 1st, the market will likely realize that we are in the summer quarter, and there's some work to be done. Which is why it's not surprising that investors sold the Nasdaq at the close today on Friday. Are people ready to call the bottom? Hmm, some maybe, but there's still lots of uncertainty. However, the cloud continues its march, despite some very slight deceleration in growth rates from the two leaders. Here's an update of our big four IaaS quarterly revenue data. The big four hyperscalers will account for $165 billion in revenue this year, slightly lower than what we had last quarter. We expect AWS to surpass 83 billion this year in revenue. Azure will be more than 2/3rds the size of AWS, a milestone from Microsoft. Both AWS and Azure came in slightly below our expectations, but still very solid growth at 33% and 46% respectively. GCP, Google Cloud Platform is the big concern. By our estimates GCP's growth rate decelerated from 47% in Q1, and was 38% this past quarter. The company is struggling to keep up with the two giants. Remember, both GCP and Azure, they play a shell game and hide the ball on their IaaS numbers, so we have to use a survey data and other means of estimating. But this is how we see the market shaping up in 2022. Now, before we leave the overall cloud discussion, here's some ETR data that shows the net score or spending momentum granularity for each of the hyperscalers. These bars show the breakdown for each company, with net score on the right and in parenthesis, net score from last quarter. lime green is new adoptions, forest green is spending up 6% or more, the gray is flat, pink is spending at 6% down or worse, and the bright red is replacement or churn. Subtract the reds from the greens and you get net score. One note is this is for each company's overall portfolio. So it's not just cloud. So it's a bit of a mixed bag, but there are a couple points worth noting. First, anything above 40% or 40, here as shown in the chart, is considered elevated. AWS, as you can see, is well above that 40% mark, as is Microsoft. And if you isolate Microsoft's Azure, only Azure, it jumps above AWS's momentum. Google is just barely hanging on to that 40 line, and Alibaba is well below, with both Google and Alibaba showing much higher replacements, that bright red. But here's the key point. AWS and Azure have virtually no churn, no replacements in that bright red. And all four companies are experiencing single-digit numbers in terms of decreased spending within customer accounts. People may be moving some workloads back on-prem selectively, but repatriation is definitely not a trend to bet the house on, in our view. Okay, let's get to the main subject of this "Breaking Analysis". TheCube was at AWS re:Inforce in Boston this week, and we have some observations to share. First, we had keynotes from Steven Schmidt who used to be the chief information security officer at Amazon on Web Services, now he's the CSO, the chief security officer of Amazon. Overall, he dropped the I in his title. CJ Moses is the CISO for AWS. Kurt Kufeld of AWS also spoke, as did Lena Smart, who's the MongoDB CISO, and she keynoted and also came on theCUBE. We'll go back to her in a moment. The key point Schmidt made, one of them anyway, was that Amazon sees more data points in a day than most organizations see in a lifetime. Actually, it adds up to quadrillions over a fairly short period of time, I think, it was within a month. That's quadrillion, it's 15 zeros, by the way. Now, there was drill down focus on data protection and privacy, governance, risk, and compliance, GRC, identity, big, big topic, both within AWS and the ecosystem, network security, and threat detection. Those are the five really highlighted areas. Re:Inforce is really about bringing a lot of best practice guidance to security practitioners, like how to get the most out of AWS tooling. Schmidt had a very strong statement saying, he said, "I can assure you with a 100% certainty that single controls and binary states will absolutely positively fail." Hence, the importance of course, of layered security. We heard a little bit of chat about getting ready for the future and skating to the security puck where quantum computing threatens to hack all of the existing cryptographic algorithms, and how AWS is trying to get in front of all that, and a new set of algorithms came out, AWS is testing. And, you know, we'll talk about that maybe in the future, but that's a ways off. And by its prominent presence, the ecosystem was there enforced, to talk about their role and filling the gaps and picking up where AWS leaves off. We heard a little bit about ransomware defense, but surprisingly, at least in the keynotes, no discussion about air gaps, which we've talked about in previous "Breaking Analysis", is a key factor. We heard a lot about services to help with threat detection and container security and DevOps, et cetera, but there really wasn't a lot of specific talk about how AWS is simplifying the life of the CISO. Now, maybe it's inherently assumed as AWS did a good job stressing that security is job number one, very credible and believable in that front. But you have to wonder if the world is getting simpler or more complex with cloud. And, you know, you might say, "Well, Dave, come on, of course it's better with cloud." But look, attacks are up, the threat surface is expanding, and new exfiltration records are being set every day. I think the hard truth is, the cloud is driving businesses forward and accelerating digital, and those businesses are now exposed more than ever. And that's why security has become such an important topic to boards and throughout the entire organization. Now, the other epiphany that we had at re:Inforce is that there are new layers and a new trust framework emerging in cyber. Roles are shifting, and as a direct result of the cloud, things are changing within organizations. And this first hit me in a conversation with long-time cyber practitioner and Wikibon colleague from our early Wikibon days, and friend, Mike Versace. And I spent two days testing the premise that Michael and I talked about. And here's an attempt to put that conversation into a graphic. The cloud is now the first line of defense. AWS specifically, but hyperscalers generally provide the services, the talent, the best practices, and automation tools to secure infrastructure and their physical data centers. And they're really good at it. The security inside of hyperscaler clouds is best of breed, it's world class. And that first line of defense does take some of the responsibility off of CISOs, but they have to understand and apply the shared responsibility model, where the cloud provider leaves it to the customer, of course, to make sure that the infrastructure they're deploying is properly configured. So in addition to creating a cyber aware culture and communicating up to the board, the CISO has to ensure compliance with and adherence to the model. That includes attracting and retaining the talent necessary to succeed. Now, on the subject of building a security culture, listen to this clip on one of the techniques that Lena Smart, remember, she's the CISO of MongoDB, one of the techniques she uses to foster awareness and build security cultures in her organization. Play the clip >> Having the Security Champion program, so that's just, it's like one of my babies. That and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the Security Champion program is purely purely voluntary. We have over 100 members. And these are people, there's no bar to join, you don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually, people grade themselves when they join us. We give them a little tick box, like five is, I walk on security water, one is I can spell security, but I'd like to learn more. Mixing those groups together has been game-changing for us. >> Now, the next layer is really where it gets interesting. DevSecOps, you know, we hear about it all the time, shifting left. It implies designing security into the code at the dev level. Shift left and shield right is the kind of buzz phrase. But it's getting more and more complicated. So there are layers within the development cycle, i.e., securing the container. So the app code can't be threatened by backdoors or weaknesses in the containers. Then, securing the runtime to make sure the code is maintained and compliant. Then, the DevOps platform so that change management doesn't create gaps and exposures, and screw things up. And this is just for the application security side of the equation. What about the network and implementing zero trust principles, and securing endpoints, and machine to machine, and human to app communication? So there's a lot of burden being placed on the DevOps team, and they have to partner with the SecOps team to succeed. Those guys are not security experts. And finally, there's audit, which is the last line of defense or what I called at the open, the free safety, for you football fans. They have to do more than just tick the box for the board. That doesn't cut it anymore. They really have to know their stuff and make sure that what they sign off on is real. And then you throw ESG into the mix is becoming more important, making sure the supply chain is green and also secure. So you can see, while much of this stuff has been around for a long, long time, the cloud is accelerating innovation in the pace of delivery. And so much is changing as a result. Now, next, I want to share a graphic that we shared last week, but a little different twist. It's an XY graphic with net score or spending velocity in the vertical axis and overlap or presence in the dataset on the horizontal. With that magic 40% red line as shown. Okay, I won't dig into the data and draw conclusions 'cause we did that last week, but two points I want to make. First, look at Microsoft in the upper-right hand corner. They are big in security and they're attracting a lot of dollars in the space. We've reported on this for a while. They're a five-star security company. And every time, from a spending standpoint in ETR data, that little methodology we use, every time I've run this chart, I've wondered, where the heck is AWS? Why aren't they showing up there? If security is so important to AWS, which it is, and its customers, why aren't they spending money with Amazon on security? And I asked this very question to Merrit Baer, who resides in the office of the CISO at AWS. Listen to her answer. >> It doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy, it's something that you get from us. It's something that we do for you a lot of the time. I mean, this is the definition of the shared responsibility model, right? >> Now, maybe that's good messaging to the market. Merritt, you know, didn't say it outright, but essentially, Microsoft they charge for security. At AWS, it comes with the package. But it does answer my question. And, of course, the fact is that AWS can subsidize all this with egress charges. Now, on the flip side of that, (chuckles) you got Microsoft, you know, they're both, they're competing now. We can take CrowdStrike for instance. Microsoft and CrowdStrike, they compete with each other head to head. So it's an interesting dynamic within the ecosystem. Okay, but I want to turn to a powerful example of how AWS designs in security. And that is the idea of confidential computing. Of course, AWS is not the only one, but we're coming off of re:Inforce, and I really want to dig into something that David Floyer and I have talked about in previous episodes. And we had an opportunity to sit down with Arvind Raghu and J.D. Bean, two security experts from AWS, to talk about this subject. And let's share what we learned and why we think it matters. First, what is confidential computing? That's what this slide is designed to convey. To AWS, they would describe it this way. It's the use of special hardware and the associated firmware that protects customer code and data from any unauthorized access while the data is in use, i.e., while it's being processed. That's oftentimes a security gap. And there are two dimensions here. One is protecting the data and the code from operators on the cloud provider, i.e, in this case, AWS, and protecting the data and code from the customers themselves. In other words, from admin level users are possible malicious actors on the customer side where the code and data is being processed. And there are three capabilities that enable this. First, the AWS Nitro System, which is the foundation for virtualization. The second is Nitro Enclaves, which isolate environments, and then third, the Nitro Trusted Platform Module, TPM, which enables cryptographic assurances of the integrity of the Nitro instances. Now, we've talked about Nitro in the past, and we think it's a revolutionary innovation, so let's dig into that a bit. This is an AWS slide that was shared about how they protect and isolate data and code. On the left-hand side is a classical view of a virtualized architecture. You have a single host or a single server, and those white boxes represent processes on the main board, X86, or could be Intel, or AMD, or alternative architectures. And you have the hypervisor at the bottom which translates instructions to the CPU, allowing direct execution from a virtual machine into the CPU. But notice, you also have blocks for networking, and storage, and security. And the hypervisor emulates or translates IOS between the physical resources and the virtual machines. And it creates some overhead. Now, companies like VMware have done a great job, and others, of stripping out some of that overhead, but there's still an overhead there. That's why people still like to run on bare metal. Now, and while it's not shown in the graphic, there's an operating system in there somewhere, which is privileged, so it's got access to these resources, and it provides the services to the VMs. Now, on the right-hand side, you have the Nitro system. And you can see immediately the differences between the left and right, because the networking, the storage, and the security, the management, et cetera, they've been separated from the hypervisor and that main board, which has the Intel, AMD, throw in Graviton and Trainium, you know, whatever XPUs are in use in the cloud. And you can see that orange Nitro hypervisor. That is a purpose-built lightweight component for this system. And all the other functions are separated in isolated domains. So very strong isolation between the cloud software and the physical hardware running workloads, i.e., those white boxes on the main board. Now, this will run at practically bare metal speeds, and there are other benefits as well. One of the biggest is security. As we've previously reported, this came out of AWS's acquisition of Annapurna Labs, which we've estimated was picked up for a measly $350 million, which is a drop in the bucket for AWS to get such a strategic asset. And there are three enablers on this side. One is the Nitro cards, which are accelerators to offload that wasted work that's done in traditional architectures by typically the X86. We've estimated 25% to 30% of core capacity and cycles is wasted on those offloads. The second is the Nitro security chip, which is embedded and extends the root of trust to the main board hardware. And finally, the Nitro hypervisor, which allocates memory and CPU resources. So the Nitro cards communicate directly with the VMs without the hypervisors getting in the way, and they're not in the path. And all that data is encrypted while it's in motion, and of course, encryption at rest has been around for a while. We asked AWS, is this an, we presumed it was an Arm-based architecture. We wanted to confirm that. Or is it some other type of maybe hybrid using X86 and Arm? They told us the following, and quote, "The SoC, system on chips, for these hardware components are purpose-built and custom designed in-house by Amazon and Annapurna Labs. The same group responsible for other silicon innovations such as Graviton, Inferentia, Trainium, and AQUA. Now, the Nitro cards are Arm-based and do not use any X86 or X86/64 bit CPUs. Okay, so it confirms what we thought. So you may say, "Why should we even care about all this technical mumbo jumbo, Dave?" Well, a year ago, David Floyer and I published this piece explaining why Nitro and Graviton are secret weapons of Amazon that have been a decade in the making, and why everybody needs some type of Nitro to compete in the future. This is enabled, this Nitro innovations and the custom silicon enabled by the Annapurna acquisition. And AWS has the volume economics to make custom silicon. Not everybody can do it. And it's leveraging the Arm ecosystem, the standard software, and the fabrication volume, the manufacturing volume to revolutionize enterprise computing. Nitro, with the alternative processor, architectures like Graviton and others, enables AWS to be on a performance, cost, and power consumption curve that blows away anything we've ever seen from Intel. And Intel's disastrous earnings results that we saw this past week are a symptom of this mega trend that we've been talking about for years. In the same way that Intel and X86 destroyed the market for RISC chips, thanks to PC volumes, Arm is blowing away X86 with volume economics that cannot be matched by Intel. Thanks to, of course, to mobile and edge. Our prediction is that these innovations and the Arm ecosystem are migrating and will migrate further into enterprise computing, which is Intel's stronghold. Now, that stronghold is getting eaten away by the likes of AMD, Nvidia, and of course, Arm in the form of Graviton and other Arm-based alternatives. Apple, Tesla, Amazon, Google, Microsoft, Alibaba, and others are all designing custom silicon, and doing so much faster than Intel can go from design to tape out, roughly cutting that time in half. And the premise of this piece is that every company needs a Nitro to enable alternatives to the X86 in order to support emergent workloads that are data rich and AI-based, and to compete from an economic standpoint. So while at re:Inforce, we heard that the impetus for Nitro was security. Of course, the Arm ecosystem, and its ascendancy has enabled, in our view, AWS to create a platform that will set the enterprise computing market this decade and beyond. Okay, that's it for today. Thanks to Alex Morrison, who is on production. And he does the podcast. And Ken Schiffman, our newest member of our Boston Studio team is also on production. Kristen Martin and Cheryl Knight help spread the word on social media and in the community. And Rob Hof is our editor in chief over at SiliconANGLE. He does some great, great work for us. Remember, all these episodes are available as podcast. Wherever you listen, just search "Breaking Analysis" podcast. I publish each week on wikibon.com and siliconangle.com. Or you can email me directly at David.Vellante@siliconangle.com or DM me @dvellante, comment on my LinkedIn post. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights, powered by ETR. Thanks for watching. Be well, and we'll see you next time on "Breaking Analysis." (upbeat theme music)

(upbeat music) >> Hi, everybody. We're wrapping up day two of AWS Re:Inforce 2022. This is theCUBE, my name is Dave Vellante. And one of the folks that we featured, one of the companies that we featured in the AWS startup showcase season two, episode four, was Illumio. And of course their here at the security theme event. PJ Kerner is CTO and Co-Founder of Illumio. Great to see you, welcome back to theCUBE. >> Thanks for having me. >> I always like to ask co-founders, people with co-founder in their titles, like go back to why you started the company. Let's go back to 2013. Why'd you start the company? >> Absolutely. Because back in 2013, one of the things that we sort of saw as technology trends, and it was mostly AWS was, there were really three things. One was dynamic workloads. People were putting workloads into production faster and faster. You talk about auto scale groups and now you talk about containers. Like things were getting faster and faster in terms of compute. Second thing was applications were getting more connected, right? The Netflix architecture is one define that kind of extreme example of hyper connectivity, but applications were, we'd call it the API economy or whatever, they were getting more connected. And the third problem back in 2013 was the problems around lateral movement. And at that point it was more around nation state actors and APTs that were in those environments for a lot of those customers. So those three trends were kind of, what do we need to do in security differently? And that's how Illumio started. >> So, okay, you say nation state that's obviously changed in the ROI of for hackers has become pretty good. And I guess your job is to reduce the ROI, but so what's the relationship PJ between the API economy, you talked about in that lateral movement? Are they kind of go hand in hand? >> They do. I think one thing that we have as a mission is, and I think it's really important to understand is to prevent breaches from becoming cyber disasters, right? And I use this metaphor around kind the submarine. And if you think about how submarines are built, submarines are built with water tight compartments inside the submarine. So when there is a physical breach, right, what happens? Like you get a torpedo or whatever, and it comes through the hall, you close off that compartment, there are redundant systems in place, but you close off that compartment, that one small thing you've lost, but the whole ship hasn't gone down and you sort of have survived. That's physical kind of resiliency and those same kind of techniques in terms of segmentation, compartmentalization inside your environments, is what makes good cyber resiliency. So prevent it from becoming a disaster. >> So you bring that micro segmentation analogy, the submarine analogy with micro segmentation to logical security, correct? >> Absolutely, yes. >> So that was your idea in 2013. Now we fast forward to 2022. It's no longer just nation states, things like ransomware are top of mind. I mean, everybody's like worried about what happened with solar winds and Log4j and on and on and on. So what's the mindset of the CISO today? >> I think you said it right. So ransomware, because if you think about the CIA triangle, confidentiality, integrity, availability, what does ransomware really does? It really attacks the availability problem, right? If you lock up all your laptops and can't actually do business anymore, you have an availability problem, right. They might not have stole your data, but they locked it up, but you can't do business, maybe you restore from backups. So that availability problem has made it more visible to CEOs and board level, like people. And so they've been talking about ransomware as a problem. And so that has given the CISO either more dollars, more authority to sort of attack that problem. And lateral movement is the primary way that ransomware gets around and becomes a disaster, as opposed to just locking up one machine when you lock up your entire environment, and thus some of the fear around colonial pipeline came in, that's when the disaster comes into play and you want to be avoiding that. >> Describe in more detail what you mean by lateral movement. I think it's implied, but you enter into a point and then instead of going, you're saying necessarily directly for the asset that you're going after, you're traversing the network, you're traversing other assets. Maybe you could describe that. >> Yeah, I mean, so often what happens is there's an initial point of breach. Like someone has a password or somebody clicked on a phishing link or something, and you have compromise into that environment, right? And then you might be compromised into a low level place that doesn't have a lot of data or is not worthwhile. Then you have to get from that place to data that is actually valuable, and that's where lateral movement comes into place. But also, I mean, you bring up a good point is like lateral movement prevention tools. Like, one way we've done some research around if you like, segmentation is, imagine putting up a maze inside your data center or cloud, right. So that, like how the attacker has to get from that initial breach to the crown jewels takes a lot longer when you have, a segmented environment, as opposed to, if you have a very flat network, it is just go from there to go find that asset. >> Hence, you just increase the denominator in the ROI equation and that just lowers the value for the hacker. They go elsewhere. >> It is an economic, you're right, it's all about economics. It's a time to target is what some our research like. So if you're a quick time to target, you're much easier to sort of get that value for the hacker. If it's a long time, they're going to get frustrated, they're going to stop and might not be economically viable. It's like the, you only have to run faster than the-- >> The two people with the bear chasing you, right. (laughs) Let's talk about zero trust. So it's a topic that prior to the pandemic, I think a lot of people thought it was a buzzword. I have said actually, it's become a mandate. Having said that others, I mean, AWS in particular kind of rolled their eyes and said, ah, we've always been zero trust. They were sort of forced into the discussion. What's your point of view on zero trust? Is it a buzzword? Does it have meaning, what is that meaning to Illumio? >> Well, for me there's actually two, there's two really important concepts. I mean, zero trust is a security philosophy. And so one is the idea of least privilege. And that's not a new idea. So when AWS says they've done it, they have embraced these privileges, a lot of good systems that have been built from scratch do, but not everybody has least privilege kind of controls everywhere. Secondly, least privilege is not about a one time thing. It is about a continuously monitoring. If you sort of take, people leave the company, applications get shut down. Like you need to shut down that access to actually continuously achieve that kind of least privilege stance. The other part that I think is really important that has come more recently is the assume breach mentality, right? And assume breach is something where you assume the attacker is, they've already clicked on, like stop trying to prevent. Well, I mean, you always still should probably prevent the people from clicking on the bad links, but from a security practitioner point of view, assume this has already happened, right. They're already inside. And then what do you have to do? Like back to what I was saying about setting up that maze ahead of time, right. To increase that time to target, that's something you have to do if you kind of assume breach and don't think, oh, a harder shell on my submarine is going to be the way I'm going to survive, right. So that mentality is, I will say is new and really important part of a zero trust philosophy. >> Yeah, so this is interesting because I mean, you kind of the old days, I don't know, decade plus ago, failure meant you get fired, breach meant you get fired. So we want to talk about it. And then of course that mentality had to change 'cause everybody's getting breached and this idea of least privilege. So in other words, if someone's not explicitly or a machine is not explicitly authorized to access an asset, they are not allowed, it's denied. So it's like Frank Slootman would say, if there's doubt, there's no doubt. And so is that right? >> It is. I mean, and if you think about it back to the disaster versus the breach, imagine they did get into an application. I mean, lamps stacks will have vulnerabilities from now to the end of time and people will get in. But what if you got in through a low value asset, 'cause these are some of the stories, you got in through a low value asset and you were sort of contained and you had access to that low value data. Let's say you even locked it up or you stole it all. Like it's not that important to the customer. That's different than when you pivot from that low value asset now into high value assets where it becomes much more catastrophic for those customers. So that kind of prevention, it is important. >> What do you make of this... Couple things, we've heard a lot about encrypt everything. It seems like these days again, in the old days, you'd love to encrypt everything, but there was always a performance hit, but we're hearing encrypt everything, John asked me the day John Furrier is like, okay, we're hearing about encrypting data at rest. What about data in motion? Now you hear about confidential computing and nitro and they're actually encrypting data in the flow. What do you make of that whole confidential computing down at the semiconductor level that they're actually doing things like enclaves and the arm architecture, how much of the problem does that address? How much does it still leave open? >> That's a hard question to answer-- >> But you're a CTO. So that's why I can ask you these questions. >> But I think it's the age old adage of defense in depth. I mean, I do think equivalent to what we're kind of doing from the networking point of view to do network segmentation. This is another layer of that compartmentalization and we'll sort of provide similar containment of breach. And that's really what we're looking for now, rather than prevention of the breach and rather than just detection of the breach, containment of that breach. >> Well, so it's actually similar philosophy brought to the wider network. >> Absolutely. And it needs to be brought at all levels. I think that's the, no one level is going to solve the problem. It's across all those levels is where you have to. >> What are the organizational implications of, it feels like the cloud is now becoming... I don't want to say the first layer of defense because it is if you're all in the cloud, but it's not, if you're a hybrid, but it's still, it's becoming increasingly a more important layer of defense. And then I feel like the CISO and the development team is like the next layer maybe audit is the third layer of defense. How are you seeing organizations sort of respond to that? The organizational roles changing, the CISO role changing. >> Well there's two good questions in there. So one is, there's one interesting thing that we are seeing about people. Like a lot of our customers are hybrid in their environment. They have a cloud, they have an on-prem environment and these two things need to work together. And in that case, I mean, the massive compute that you can be doing in the AWS actually increases the attack surface on that hybrid environment. So there's some challenges there and yes, you're absolutely right. The cloud brings some new tools to play, to sort of decrease that. But it's an interesting place we see where there's a attack surface that occurs between different infrastructure types, between AWS and on-prem of our environment. Now, the second part of your question was really around how the developers play into this. And I'm a big proponent of, I mean, security is kind of a team sport. And one of the things that we've done in some of our products is help people... So we all know the developers, like they know they're part of the security story, right? But they're not security professionals. They don't have all of the tools and all of the experience. And all of the red teaming time to sort of know where some of their mistakes might be made. So I am optimistic. They do their best, right. But what the security team needs is a way to not just tell them, like slap on the knuckles, like developer you're doing the wrong thing, but they really need a way to sort of say, okay, yes, you could do better. And here's some concrete ways that you can do better. So a lot of our systems kind of look at data, understand the data, analyze the data, and provide concrete recommendations. And there's a virtual cycle there. As long as you play the team sport, right. It's not a us versus them. It's like, how can we both win there? >> So this is a really interesting conversation because the developer all of a sudden is increasingly responsible for security. They got to worry about they're using containers. Now they got to worry about containers security. They got to worry about the run time. They got to worry about the platform. And to your point, it's like, okay, this burden is now on them. Not only do they have to be productive and produce awesome code, they got to make sure it's secure. So that role is changing. So are they up for the task? I mean, I got to believe that a lot of developers are like, oh, something else I have to worry about. So how are your customers resolving that? >> So I think they're up for the task. I think what is needed though, is a CISO and a security team again, who knows it's a team sport. Like some technologies adopted from the top down, like the CIO can say, here's what we're doing and then everybody has to do it. Some technologies adopted from the bottom up, right. It's where this individual team says, oh, we're using this thing and we're using these tools. Oh yeah, we're using containers and we're using this flavor of containers. And this other group uses Lambda services and so on. And the security team has to react because they can't mandate. They have to sort of work with those teams. So I see the best groups of people is where you have security teams who know they have to enable the developers and the developers who actually want to work with the security team. So it's the right kind of person, the right kind of CISO, right kind of security teams. It doesn't treat it as adversarial. And it works when they both work together. And that's where, your question is, how ingrained is that in the industry, that I can't say, but I know that does work. And I know that's the direction people are going. >> And I understand it's a spectrum, but I hear what you're saying. That is the best practice, the right organizational model, I guess it's cultural. I mean, it's not like there's some magic tool to make it all, the security team and the dev team collaboration tool, maybe there is, I don't know, but I think the mindset and the culture has to really be the starting point. >> Well, there is. I just talk about this idea. So however you sort of feel about DevOps and DevSecOps and so on, one core principle I see is really kind of empathy between like the developers and the operations folks, so the developers and the security team. And one way I actually, and we act like this at Illumio but one thing we do is like, you have to truly have empathy. You kind have to do somebody else's job, right. Not just like, think about it or talk about it, like do it. So there are places where the security team gets embedded deep in the organization where some of the developers get embedded in the operations work and that empathy. I know whether they go back to do what they were doing, what they learned about how the other side has to work. Some of the challenges, what they see is really valuable in sort of building that collaboration. >> So it's not job swapping, but it's embedding, is maybe how they gain that empathy. >> Exactly. And they're not experts in all those things, but do them take on those summer responsibilities, be accountable for some of those things. Now, not just do it on the side and go over somebody's shoulder, but like be accountable for something. >> That's interesting, not just observational, but actually say, okay, this is on you for some period of time. >> That is where you actually feel the pain of the other person, which is what is valuable. And so that's how you can build one of those cultures. I mean, you do need support all the way from the top, right. To be able to do that. >> For sure. And of course there are lightweight versions of that. Maybe if you don't have the stomach for... Lena Smart was on this morning, CISO of Mongo. And she was saying, she pairs like the security pros that can walk on water with the regular employees and they get to ask all these Colombo questions of the experts and the experts get to hear it and say, oh, I have to now explain this like I'm explaining it to a 10 year old, or maybe not a 10 year old, but a teenager, actually teenager's probably well ahead of us, but you know what I'm saying? And so that kind of cross correlation, and then essentially the folks that aren't security experts, they absorb enough and they can pass it on throughout the organization. And that's how she was saying she emphasizes culture building. >> And I will say, I think, Steve Smith, the CISO of AWS, like I've heard him talk a number of times and like, they do that here at like, they have some of the spirit and they've built it in and it's all the way from the top, right. And that's where if you have security over and a little silo off to the side, you're never going to do that. When the CEO supports the security professionals as a part of the business, that's when you can do the right thing. >> So you remember around the time that you and you guys started Illumio, the conversation was, security must be a board level topic. Yes, it should be, is it really, it was becoming that way. It wasn't there yet. It clearly is now, there's no question about it. >> No, ransomware. >> Right, of course. >> Let's thank ransomware. >> Right. Thank you. Maybe that's a silver lining. Now, the conversation is around, is it a organizational wide issue? And it needs to be, it needs to be, but it really isn't fully. I mean, how many organizations actually do that type of training, certainly large organizations do. It's part of the onboarding process, but even small companies are starting to do that now saying, okay, as part of the onboarding process, you got to watch this training video and sure that you've done it. And maybe that's not enough, but it's a start. >> Well, and I do think that's where, if we get back to zero trust, I mean, zero trust being a philosophy that you can adopt. I mean, we apply that kind of least privilege model to everything. And when people know that people know that this is something we do, right. That you only get access to things 'cause least privileges, you get access to absolutely to the things you need to do your job, but nothing more. And that applies to everybody in the organization. And when people sort of know this is the culture and they sort of work by that, like zero trust being that philosophy sort of helps infuse it into the organization. >> I agree with that, but I think the hard part of that in terms of implementing it for organizations is, companies like AWS, they have the tools, the people, the practitioners that can bring that to bear, many organizations don't. So it becomes an important prioritization exercise. So they have to say, okay, where do we want to apply that least privilege and apply that technology? 'Cause we don't have the resources to do it across the entire portfolio. >> And I'll give you a simple example of where it'll fail. So let's say, oh, we're least privilege, right. And so you asked for something to do your job and it takes four weeks for you to get that access. Guess what? Zero trust out the door at that organization. If you don't have again, the tools, right. To be able to walk that walk. And so it is something where you can't just say it, right. You do have to do it. >> So I feel like it's pyramid. It's got to start. I think it's got to be top down. Maybe not, I mean certainly bottom up from the developer mindset. No question about that. But in terms of where you start. Whether it's financial data or other confidential data, great. We're going to apply that here and we're not going to necessarily, it's a balance, where's the risk? Go hard on those places where there's the biggest risk. Maybe not create organizational friction where there's less risk and then over time, bring that in. >> And I think, I'll say one of the failure modes that we sort of seen around zero trust, if you go too big, too early, right. You actually have to find small wins in your organization and you pointed out some good ones. So focus on like, if you know where critical assets are, that's a good place to sort of start. Building it into the business as usual. So for example, one thing we recommend is people start in the developing zero trust segmentation policy during the development, or at least the test phase of rolling out a new application as you sort of work your way into production, as opposed to having to retro segment everything. So get it into the culture, either high value assets or work like that, or just pick something small. We've actually seen customers use our software to sort of like lock down RDP like back to ransomware, loves RDP lateral movement. So why can we go everywhere to everywhere with RDP? Well, you need it to sort of solve some problems, but just focus on that one little slice of your environment, one application and lock that down. That's a way to get started and that sort of attacks the ransomware problem. So there's lots of ways, but you got to make some demonstrable first steps and build that momentum over time to sort of get to that ultimate end goal. >> PJ Illumio has always been a thought leader in security generally in this topic specifically. So thanks for coming back on theCUBE. It's always great to have you guys. >> All right. Thanks, been great. >> All right. And thank you for watching. Keep it right there. This is Dave Vellante for theCUBE's coverage of AWS re:Inforce 2022 from Boston. We'll be right back. (upbeat music)

>>Okay. We're back in Boston covering AWS reinvent 2022. This is our second live reinvent. We've done the other ones, uh, in between as digital. Uh, my name is Dave Lanta and you're watching the cube. Peter McKay is here. He's the CEO of sneaking ad Shani is the chief technical officer guys. Great to see you again. Awesome. Being here in Boston >>In July. It is Peter. You can't be weather's good weather. Yeah, red SOS. Aren't good. But everything else >>Is SOS are ruin in our sub, you know, >>Hey, they're still in the playoff, the hunt, you >>Know, all you gotta do is make it in. Yes. >>Right. And there's a new season. Simple >>Kinda like hockey, but you know, I'm worried they're gonna be selling at the trading >>Deadline. Yeah. I think they should be. I think it's you think so it's not looking good. Oh, >>You usually have a good angle on this stuff, but uh, well, Hey, we'll see. We'll go. I got a lot of tickets. We'll go and see the Yankees at least we'll see a winning team. Anyway, we last talked, uh, after your fundraising. Yeah. You know, big, big round at your event last night, a lot of buzz, one of the largest, I think the largest event I saw around here, a lot of good customers there. >>It's great. Great time. >>So what's new. Give us the update. You guys have made some, an acquisition since then. Integration. We're gonna talk >>About that. Yeah. It's been, uh, a lot has happened. So, uh, the business itself has done extremely well. We've been growing at 170% year, over year, a hundred percent growth in our number of customers added. We've done six acquisitions. So now we have, uh, five products that we've added to the mix. We've tripled the size of the company. Now we're 1300 people, uh, in the organization. So quite a bit in a very short period of time. >>Well, and of course my, in my intro, I, I said, reinvent, I'm getting ahead of myself. Right. >>Of course we'll >>Reinforced. We'll be at reinve >>In November. Are that's the next one at >>Reinforced. We've done a lot of reinvents by the way, you know? >>So there's a lot, lot of reinvention >>Here. So of course, well, you're reinventing security, right? Yes. So, you know, I try to, I think about when I go to these events, like, what's the takeaway, what's the epiphany. And we're really seeing the, the developer security momentum, and it's a challenge. They gotta worry about containers. They gotta worry about run time. They gotta worry about platform. Yeah. You guys are attacking that problem. Maybe describe that a >>Little bit for us. Yeah. I mean, for years it was always, um, you know, after the fact production fixing security in run time and billions and billions of dollars spent in fixing after the fact. Right. And so the realization early on with the was, you know, you gotta fix these issues earlier and earlier, we started with open source was the first product at wait. Then six, six years ago, then we added container security and we added infrastructure's code. We added code security. We added, um, most recently cloud security with the F acquisition. So one platform, one view that a developer can look at to fix all the issues through the, be from the beginning, all the way through the software development life cycle. So we call it developer security. So allowing developers to develop fast, but stay secure at the same time. >>So I like the fact that you're using some of your capital to do acquisitions. Yeah. Now a lot of M and a is, okay, we're gonna buy this company. We're gonna leave them alone. You guys chose to integrate them. Maybe describe what that process was like. Yeah. Why you chose that. Yeah. How hard it was, how long it took. Take us through that. >>Yeah. Yeah. I'll give, uh, two examples, maybe one on sneak, which was an acquisition of, of the company that was focused on, uh, code analysis, actually not for security. And we have identified the merit of what we need in terms of the first security solution, not an ability to take a security product and put it in the end of developer, but rather build something that will build into the dev motion, which means very fast, very accurate things that it can rely on source and not just on the build code and so on. And we have built that into the platform and by that our customers can gain all of their code related issues together with all of their ISE related issues together with all of the container issues in one platform that they can prioritize accordingly. >>Yeah. Okay. So, so talk more about the, the, the call, the few, the sneak cloud, right? Yeah. So the few name goes away. I presume, right. Or yes, it does. Okay. So you retire that and bring it in the brand is sneak. Yeah. Right. So talk about the cloud, what it does, what problems >>It's solving. Yeah. Awesome. And, and this goes exactly the same. As we mentioned on, on the code, we have looked at the, the, the cloud security solutions for a while now. And what we loved about the few team is that they were building their product with their first approach. Okay. So the notion is as followed as you are, you know, you're a CSO, you have your pro you have your program, you're looking, you have different types of controls and capabilities. And your team is constantly looking for threats. When we are monitoring your cloud environment, we can detect problems like, you know, your FL bucket is not exposing the right permissions and is exposed to the world or things like that. But from a security perspective, it might be okay to stop there. But if you're looking at an operation perspective, you need to know who needs to fix, how do they need to fix it? >>Where do they need to fix it? What will the be the impact if they would fix it? So what do we actually doing is we are connecting all the dots of the platform. So on one end, you know, the actual resources that are running and what's the implication in the actual deployed environment. On the other end, we get correlation back to the actual code that generates that. And then I can give that context both to the security person, the context of how it affects the application. But more importantly, the context for the developer is required to fix the problem. What's the context of the cloud. Yeah. And a lot of things are being exposed this way. And we can talk about that. Uh, >>So this is really interesting because, and look, I love AWS to do an amazing job. One of the other things I really like about 'em is it seems like they're not trying to go hard and monetize their security products. Mm-hmm, they're leaving that to the ecosystem, which I like. Yeah. Microsoft taken a little different approach, right? Yeah, yeah, yeah. Ton a lot. But this, this, this example you're giving ad about the S3 bucket. So we heard in the keynotes yesterday about, you know, reasoning, AI reasoning, they said, we can say, is this S3 bucket exposed to the public? We can do that with math. Right. Yeah. But you're what I'm inferring is you don't stop there. Yeah. Yeah. There's a lot of other stuff that has to, >>And sometimes have to, not as simple, just as a configuration change, sometimes the correlation between what your application is doing affects what is the resulted experience of, you know, the remote user or in this case, the attacker, right. I mean, >>The application has access, who has access to the application, is this, this the chain. >>So propagates, you have to, you have to have a, a solution that looks both at have very good understanding of the application context. A very good understanding of what we refer to as the application graph, like understanding how it works, being able to analyze that and apply the same policies, both at development time, as well as run time. >>So there's, there's human to app. There's also a machine to machine. Can you guys help with that problem as well? Or is that sort of a futures thing or >>Could you, I'm not sure. I understand what >>Referring, so machines talking to machines, right. I mean, there's data flowing. Yep. You know, between those machines, right. It's not just the humans interacting with the application. Is that a trend that you see and is that something that you guys can solve? >>So at, at the end of the day, there is a lot of automation that happens both for, by humans for good reasons, as well as by humans for bads. Right. <laugh> and, and the notion is that we are really trying to focus on what matters to the developer as they're trying to improve their business around that. So both improves making sure they know, you know, quality problems or things of this kind. But as part of that, more importantly, when we're looking at security as a quality problem, making sure that we have a flow in the development life cycle that streamline what the developer is expecting to do as they're building the solution. And if every single point, whether it's the ID, whether it's the change management, whether it's the actual build, whether it's the deployed instance on the cloud, making sure that we identify with that and connect that back to the code. >>Okay. So if there's machine automation coming in, that shouldn't be there, you can sort of identify that and then notify remediate or whatever action should be >>Taken. Yeah. Identify, identify remediate. Yep. >>Yeah. We, we really focus on making sure that we help developers build better products. So our core focus is identify areas where the product is not built way in a good way, and then suggest the corrective action that is required to make that happen. >>And I think part of this is the, you know, just, uh, the speed of the software development today. I mean, you look at developers are constantly and not just look at sneak you're, you're trying to get so much more productivity outta the developers that you have. Every company is trying to get more productivity out of developers, incredible innovation, incredible pace, get those is a competitive advantage. And so what we're trying to do is we make it easier for developers to go fast innovate, but also do it securely and embed it without slowing them down, develop fast and secure. >>So again, I love, I love AWS love what they're doing. We heard, uh, yesterday from, from CJ, you know, a lot of talk about, you know, threat detection and, you know, some talk about DevOps, et cetera. But yeah, I, I, I didn't hear a lot about how to reduce the complexity for the CSO. And the reason I bring this up is it feels like the cloud is now the first level of defense and the CISO is, is becoming the next level, which is on the developer. So the developer is becoming responsible for security at a whole shift left, maybe shield. Right. But, but shift left is becoming critical. Seems like your role and maybe others in the ecosystem is to address my concern about simplifying the life of the CISO. Is that a reasonable way to think about it? I >>Think it's changing the role of the CISO. How so? You know, really it's, I, I think it's before it, in this, in the security organization and D you should chime in here is, you know, it used to be, I did, I owned all application security, I owned the whole thing and they couldn't keep up. Like, I think it's just every security organization is totally overwhelmed. And so they have to share the responsibility. They have to get that fix the issues earlier and earlier, because it's waiting too long. It's after the fact. And then you gotta throw this over the fence and developers have to fix it. So they've gotta find a new way because they're the bottleneck they're slowing down the company from, in innovating and bringing these applications to market. So we are the kind of this bridge between the security teams that wanna make sure the, that we're staying secure and the development organizations and engineering and CEOs go fast. We need you guys to go faster and faster. So we, we tend to be the bridge between the two of them. >>One of the things I really love happening these days is that we change the culture of the organization from a culture where the CSO is trying to, you know, push and enforce and dictate the policy, which, which they should, but they really wanna see the development team speak up like that. The whole motion of DevOps is that we are empowering them to make the decisions that are right for the business, right? And then there is a gap because on one hand, this is always like, you need to do this, you need to do this. You need to do that. And the dev teams don't understand how that impacts their business. Good enough. And they don't have the tools and, you know, the ability to add a source problem. So with the solution liken, we really empower the developers to bake security as part of their cycle, which is what was done in many other fields, quality, other things, everything, it, everything moves into development already, right? So we're doing that. And the entire discussion now changes into an enablement discussion. >>So interesting. Cause you saw, this is the role of the CSOs changing. How so? I see that in a way like frees, sneak the CSO with the cloud is becoming a compliance officer. Like you do this, you do this, you do this, you do this, you third >>One would take a responsibility >>Trying. Yeah. Right, right. And so you're flipping that equation saying, Hey, we're gonna actually make this an accelerant to your business. >>So, so set the policy, determine compliance, but make sure that the teams, the developers are building applications in compliance with your policy. Right. So make sure and, and don't allow them to do something. If they're doing, if they're developing an application with a number of vulnerabilities, you can stop that from happening so you can oversee it, but you don't have to be the one who owns it all the way through from beginning to, >>Or, or get it before it's deployed. So you don't have to go back after the fact and, and remediate it with, you know, but, >>But think about deploy, they're deploying apps today. I mean, they're updating by the hour, right? Where, you know, six years ago, five years ago, two years ago was every six to nine months. Right? So the pace of this innovation from developers is so fast that the old way of doing security can't keep up. Like they're built for six month release cycles. This is six hour release cycles. And so we had to, it has to change security. Can't stay the way it is. So what we've been doing for se seven years for application security is exactly what we're doing for cloud security is moving all that earlier. All these products that we've been building over the years is really taking these afterthought security components and bringing 'em all earlier, you know, bringing everything like cloud security is done after the fact. Now we can take those issues and bring 'em right to the developers who created that and can fix the issues. So it's code to cloud back to code in a very automated fashion. So doesn't slow developers down. >>Okay. So what's the experience. We all know there's, everybody has more than one cloud. What's the experience across clouds. Can you create a consistent, continuous experience, cloud agnostic, >>Agnostic, cloud agnostic, uh, development environment, agnostic, you know, language agnostic. So that's kind of the beauty oft where you have maybe other certain tools for certain clouds, uh, or certain languages or certain development environments, but you have to learn different tools, you know, and, and they all roll up to security in a different way. And so what we have done is consolidated all that spend for open source security, container security infrastructure, now, cloud security, all that spend and all that fragmentation all under one platform. So it's one company that brings all those pieces >>Together. So it's a single continuous experience. Yeah. The developer experience you're saying is identical. Yes. >>Actually one product >>It's entitlement that we're getting. Yes. So you're hiding the underlying complexities of the respective clouds and those primitives developer doesn't have to worry about them. No, I call that a super cloud super >>Cloud. >>Okay. But no, but essentially that's what you're, you're building, building on the, on this ed Walsh would say on the shoulders of giants. Yeah, exactly. You know, you don't have to worry about the hyperscale infrastructure. Yep. Right. That you're building a layer of value on top of that. Yes. Is, is that essentially a PAs layer or is it, is it, can I think of it that way or is it not? Hmm. Is it platform? I >>Mean, yeah. I, I, I would say that at the end of the day, the, the way developers want to use a security tool is the same. Right. So we expose our functionality to them in those ways, if you're using, you know, uh, uh, one GI repository or another, if you're using one cloud or we, we are agnostic to data, don't, it's not, it doesn't really affect us in that manner. Um, I want to add another thing about the, the experience and associated with the consolidation that Peter referred to, uh, earlier, when you have a motion that automatically assess, you know, uh, problems that the developer is putting as part of the change management, as example, you do creating pool request. Now adding more capabilities into that motion is easy. So from enablement of the team, you can add another functionality, add cloud at ISC, add code and so on like that, because you already, you already made the decisions on how you are looking at that. And now you're integrated at, into your developer workflows, >>Right? So it's, it's already, it's already integrated for open source, adding container and ISD is real easy. It's all, you've already done all the integrations. And so for us going to five products and eventually 6, 7, 8, all, all based on the integrations that you already have in the same workflows that developers have become a use accustomed >>To. And that's what we, a lot of work from the company perspective. Right. >>I can ask you about another sort of trend we're seeing where you see Goldman Sachs last reinvent announced a cloud product, essentially bringing their data, their tools, their software. They're gonna run it on AWS at the snowflake summit, uh, capital one announced the service running on snowflake, Oracle by Cerner, right? Yeah. You know, they're gonna be, do something on OCI. Of course, make 'em do that. But it's, it's a spin on Andreessens every company's a software company. It's like every company's now becoming digital, a software company building their own SAS, essentially building their own clouds, or maybe, maybe something they'll be super clouds. Are you seeing industry come to sneak and say, Hey, help us build products that we can monetize >>There companies. So, first off, I think kind of the first iteration is, you know, all these industries of becoming software driven, like you said, and more software is more software risk. And so that kind of led us down this journey of now financial services, you know, tech, you know, media and entertainment, financial services, healthcare. Now it's this long tail of, of low tech. Yeah. Within those companies, they are offering services to the other parts of the organization. We have >>So far, mostly >>Internal, mostly internal, other than the global SI. And some of the companies who do that for a living, you know, they build the apps for companies and they are offering a sneak service. So before I give you these, I update these applications. I'm gonna make sure I'm running. I'm, I'm, I'm signifying those applications to make sure that they're secure before you get them. And so that now a company like a capital one coming to us saying, I wanna offer this to others. I think that's a, that's a leap because you know, companies are taking on security of someone else's and I think that's a, that's not there yet. It may be, >>Do you think it'll happen? >>We do have the, uh, uh, threat Intel that we, we have a very, a very strong security group that constantly monitors and analyzing the threat. And we create this vulnerability database. So in open sources, an example, we're the fact of standard, uh, in the field. So many of our partners are utilizing the threat Intel feed of snake as part of their offering. Okay. If you go to dock as an example, you can scan with, with snake intelligence immediately out of the gate over there, right? Yeah. >>And tenable, rapid seven trend micro. They all use the vulnerability database as well. Okay. So a lot of financial institutions use it because they had, they'd have seven, 10 people doing re security research on their own. And now they can say, well, I don't have to have those seven. I've got the industry standard for vulnerability database from Steve. >>And they don't have to throw out their existing tool sets where they have skills. >>Yes, exactly. >>Peter bring us homes, give us the bumper sticker, summarize, you know, reinforce and kind what we can expect going forward. >>Yeah, no, I mean, we're gonna continue the pace. We don't see anything slowing, slowing us down in terms of, um, just the number of customers that are, that are shifting left. Everybody's talking about, Hey, I need to embed this earlier and earlier. And I think what they're finding is this, this need to rein reinnovate like get innovation back into their business. And a lot of it had to slow down because, well, you know, you, we can't let developers develop an app without it going through security. And that takes time. It slows you down and allows you not to like slow the pace of innovation. And so for us, it's it help developers go fast, incredibly, you know, quickly, aggressively, creatively, but do it in a secure way. And I think that balance, you know, making sure that they're doing what they're doing, they're increasing developer productivity, increasing the amount of innovation that developers are trying to do, but you gotta do it securely. And that's where we compliment really what every CEO is pushing companies. I need more productivity. I need more aggressive creativity, innovation, but you better be secure at the same time. And that's what we bring together for our customers. >>And you better do that without slowing us down. That's >>Don't trade off, slow >>Us down. Always had to make. Yes, guys. Thanks so much for coming to the cube. Thanks, David. Always great to see you guys see ID. Appreciate it. All right. Keep it right there. This is the Cube's coverage of reinforced 2022 from Boston. We'll be right back right after the short break.

(upbeat music) >> Welcome back to Boston. The CUBE's coverage of AWS Re-inforce 2022. This is our second live Re-inforce. We did two in the middle that were all digital. Aaron Brown is here as US AWS cyber leader for Deloitte and Ryan Orsi the cloud foundation leader for partners for Amazon Web Services. Jen, welcome to The CUBE. >> Thanks for having us. >> Thanks. >> Nice to see you. Tell us about the story of Deloitte in cyber and then we'll get it to Deloitte cyber on AWS, or maybe even start there. >> Yeah, sure. I mean, obviously Deloitte, one of the largest cyber consultancies in the world, we've been working with AWS for a very long time. 2013, I was involved with, you know, the first Alliance agreement with them. And then we've been in cloud managed services about five years delivering workloads for clients. We have over 200 clients on that platform and then about a year and a half ago or so, the MSSP program came and it made a ton of sense to us, right? To really level the playing field and gave us a chance to really come out and demonstrate, you know, our capability around MSSP. >> The MSSP program, I saw a slide yesterday in keynote and in the analyst program was, you know, there's technology partners, there's MSSP partners. Explain the MSSP partner. >> Sure, sure. So at the Database Partner Network, we break it down. The program is called the level one MSSP Competency Program. And it is for both those companies that are sort of more of a software company with a managed service and those that are more of a pure service company, it's for both, but it's the general concept, it hosts the community of partners like Deloitte with a concentrated talent pool around 24 by 7 monitoring and response of AWS security events. >> So what is Deloitte? Deloitte's not a pure software play. It's not a pure services play anymore. It's sort of a mixture. >> Yeah, you know, asset enabled services, right? It's the way that we look at it. So, yeah, we're definitely not trying to compete with software companies out there, but we do have assets, right? So we do everything as infrastructure as code and that allows us to deploy our solutions into client environments really quickly. So where you might spend months on third party tool integrations, we leverage all native AWS tools in our standard offering and we can deploy into a client and get those services up and running in a couple of weeks. >> So you sell your software as an integrated service, is that correct? You don't- >> It's service, it's really is service. We sell a metered service. >> You don't sell your software separately? >> No. >> I should say it differently. You include your software as part of the service, is that right? >> Yeah, it is. But actually there's another element. There are obviously some clients who don't want to be in a managed service in perpetuity. And so those same assets that I talked about that we use for MSSP, you know, for the right clients, we don't just give away everything to anybody but for the right clients, for the right engagement, we will work with clients to help them build the capability that they need to run it themselves. And our solution is built in a way where they can do that. Right? We have a base component and a variable component to the solution and we will impart those assets to a client, you know, if the situation is right. >> Okay. So you'll actually transfer the software, but would you charge for that? >> Yeah, certainly, but there's obviously a big service component that goes into it. Right? >> And that's really where your expertise is. >> Yeah, we don't have like a standard, you know, list price but we'll work with clients to basically help them build out that capability because frankly the the market moves so fast that you need a constant capability and engine to update that solution. It's not something that, you know, you're going to sell and someone's just going to use that out of the box for the next five years. >> But a lot of the value that seems that Deloitte brings is you don't run from customization. You welcome that. You, you know, if a client says, hey, I need this special and that special, or whatever it is you'll go attack. You have the staff, the talent to attack that problem. And you use software in areas where you can have repeatability and it helps you scale and be more productive. Is that a fair way to think about it? >> Yeah, that's right. I mean, I guess one of the phrases that we use is we like big hairy problems, right? That's sort of our sweet spot. The, you know, the very simple, hey, I need a couple of guys to do a couple of things, typically, we're not the right firm for that. So, yes, we use the assets cause we realize like, hey, you know, out of everything that needs to be done, there's a significant portion of this that everybody needs more or less the same way. And then we build that, we build the automation to get it in and then we have that variable component working with clients to say, hey, let's make this work in your environment. We use a combination of AWS Native services, but then, you know, some clients have investments in third party tools and we can work with that. >> So it's a perfect match for AWS cause you guys are all about providing tools for builders and here's some primitives, some APIs and Go, we don't want that highly customized snowflake for every single client. >> Exactly. I mean, that's what I feel like the partnership with Deloitte is really bringing to the table for everybody and our mutual customers and builders out there that we both work with is again, they don't run from complexity or customization that security can be complex. It can be hard, Deloitte's helping making it much easier. The AWS partner network is helping kind of bring the ecosystem together and of software service, architectures that AWS recommend for like a security best practice around what to monitor, how to respond, what kind of enriched data should be added to that security finding and kind of pushing that out through our partnerships with it such as Deloitte. >> One of the things that, I mean, certainly big takeaway from this event, the security tracks that reinvent, previous Re-inforce events is AWS imparting, educating its customers on best practice and how tos and things that they should be thinking about, you know, do this, don't do that. In 2019, it was a lot about, hey guys, there's this shared responsibility model and kind of explaining that, we're way, way beyond that now, should we think about Deloitte sort of as an extension of that best practice AWS expertise that can be applied at your clients? I'll go to Deloitte because I don't have the talent to deal with that. I mean, I got talented people, but I just don't have enough of them. >> Exactly. Yeah. Yeah. And that's really, you know, our offerings tend to be comprehensive across all the domains. And like I said, the full life cycle of security operations all the way from, you know, identify the issue to resolve it and recover from it. And, you know, when we look at the shared responsibility model, you know, we like to say, hey, we will take you really far up that stack, that customer responsibility area, you know, for our service, we cover a significant portion of that landscape on our client's behalf cause, you know, what do they care about? Deploying workloads, getting the application running, right? Security is just another one of those important, necessary things, but it just sort of standing between you and the business value of your workload. >> And your ideal target customer would be a large medium up to a large enterprise or is all exclusively large or? >> Definitely not exclusively large. You know, the fact that we have all the automation that we do, we have a significant portion of our security operations folks are offshore allows us to be really competitive. And so we're able to serve clients that maybe, you know, in years past wouldn't have been what you'd think of as traditional. So like clients leveraging the marketplace, you know, we're able to serve that market segment. >> So billion dollar up kind of revenue? Odes that sound about right? >> Yeah. Even south of that a bit. >> Okay. So maybe half a billion or 500 million up. >> Yeah. >> Okay. So thinking about that ideal sort of profile, if you don't know, you don't know, I'm going to ask you to guess. >> Yeah. >> What percent of those target companies, enterprises, have a SOC? Is it 100%, 50%, you know, or are you- >> 75, 75% most so. >> Okay. So let's say 3/4. >> Yeah. >> So you compliment the SOC, right? You're not the SOC, but you may be in some cases? >> Depending, now we're talking about it's a function of what their IT enterprise landscape looks like. If they're 100% AWS, yeah. If you're born in the cloud startup and, you know, you don't do anything else and we have, you know, we have a few of those. Right. And they want to give us everything. They're like, you know, our security guys just going to kind of understand what you guys are doing and feel good about it. Yeah. We do that. But for the most, there is an existing SOC. Right. And so what we do is we leverage, you know, an ITSM software to e-bond with our clients service management functions so that when we're generating tickets, they have full visibility to what's going on. We're still resolving things on their behalf, we need to communicate with some clients, right? Cause a lot of security issues that need to get resolved require engagement with the asset owner. So we're not just a black box. So we do have to talk to folks on the ground at the client to resolve issues. >> And that's actually one thing that really impressed me to getting to know Aaron and his team more and more throughout this journey together in the partnership is they're not throwing alerts over the fence to the customers SOC team saying, well, here's some recommended remediation steps, they're actually rolling up their sleeves and doing some remediation themselves and informing the customer. This was taken care of for you. I think that's really unique. >> Yeah. In addition to, you know, our solution obviously has a bunch of auto-remediations, you know, that we do as part of the solution. >> So what's the engagement like? What's the conversation like when people come to you? Say I have a problem, it's blank, right? What are the typical blank- >> You know, a lot of it has been organizations where there's either a business unit that has kind of maybe off run and doing their own thing. And, you know, it's only sort of come to light with the compliance and security organization inside the client that like, hey, these guys maybe need some help. And boy, we're really strapped. We don't have the people cause talent's so tight to go help these guys and make them get it right. We're going to go ahead and keep them kind of off to the side. And you know, we'll do this managed service to help get that addressed. And then another typical scenario is when companies are acquired. So, you know, organization buys a company and they've got a preexisting. Again, they look under the covers and they're like, oh, these guys really need some help because of the way that we deploy everything as infrastructure as code really very quickly, it's a great way to just kind of get it sorted. It's a metered service. So it's not some massive investment that they have to make. We could just get it sorted out until maybe they get a chance to process and actually onboard that new entity into their enterprise structure. So as part of the MSSP program within AWS, you got to be really good at understanding how to utilize the AWS portfolio of cyber security services natively. So you do that, does that check the box on everything you need or do clients typically say, no, no, you got to integrate with all this other mess that I have there. Can you sweep that mess aside and say, hey, I can do this all in the cloud or what's that dynamic like? >> The answer is, yes, both. Right? So, you know, typically clients will have significant investments in existing third party tools and then either politically because of the investment or from a practical standpoint it makes sense to integrate those. Now that does slow down, you know, the deployment and the customization a bit, but, you know, and a lot of times that makes sense for the client. >> Well, it gets hairy. Like you said, you love these kind of hairy problems, right? >> Yeah, that's right. >> You run towards that. >> That's right. We run towards fire >> And, Ryan, your focus on partners is all partners or is it really the MSSPs or? >> All partners, all kinds of partners in the security space, right? >> Right, right. Yeah. Of course. >> Software companies, professional services, managed services. And we're focused on trying to make the security easier for both of our mutual customers here. Right? So that what you mentioned about best practices and, you know, how do you tell what best practices are per AWS service or third party software that's operating in an AWS environment? That's part of what our team does is we create these partner programs. There's a very detailed, very prescriptive technical checklist that out internal security experts are going through with Deloitte folks, for example, as a part of their membership and the level one MSSP program to make sure that, right? Those best practices which could be fresh off the AWS documentation truck are built into their services. And the reason those best practices exist is for a for a good reason. They're built, tried and tested, you know, in our own environments before they reach the documentation website. But all of that is incorporated into that whole kind of validated checklist that we do together. So it's a great way to make sure that operations from partners like Deloitte, software delivered, customization delivered, aligns with what we're able to see from just our Amazon culture of being so customer obsessed and really listening to all of those very specific challenges they might have that the customer will have at different points in their cloud journey. Those challenges are baked directly into key technical requirement criteria that Deloitte's teamed up with us to go achieve. >> What are you seeing at the macro, Aaron? When we talked to practitioners where we'll survey, we have a survey partner called ETR and they'll do spending surveys coming into the year of CIOs and IT buyers, we're expecting 8%, eight to 8 1/2% budget growth, post Ukraine, inflation, Fed tightening, you know, the tech lash, all that. It's dialed down a bit, it's still pretty robust it's 6% and security still remains the number one priority. And we've seen a little bit of momentum deceleration even in security spend across the board, but not anything, you know, tragic. Are you seeing the same or are you seeing security budgets kind of where they were expected to be at the beginning of the year? >> Yeah, you know, I haven't seen it decline. I mean, I think the fact of the matter is for all the things that we talked about before, right? Basically the skill shortages and just the coordination with other cloud programs, there's a tremendous backlog of stuff that needs to be done. And, you know, enterprises have more appreciation now for the need for all, you know, all the various, you know, ransomware things that have happened and others that, hey, they need to get a handle on the security and their environment. And so I think a lot of what's been going on in the last year, the reason it hasn't been faster, hasn't been for a lack of appetite. It's just been a lack of skills and process to do it. >> Has the business case changed? And the variables maybe the same, but it used to be, hey, if you don't do this, you're exposed. Okay. Here's the fear of getting, you know, infiltrated and then it's going to became if you want to quantify it, it's like, okay, what's the expected loss with, and without, you know, the kind of think of insurance terms. Is the business case shifting with digital toward this is a fundamental component of monetization in order to be able to monetize, you have to ensure this level security. Are we there yet? >> Yeah, I think so. I don't think anyone's arguing whether it's, you know, needed or not. Right. So now it's a question of, hey, and I think CJ Moses had a good slide in the opening yesterday where he was saying, you know, was it, make the secure path, the path of least resistance. Right? And so that's a big part of, you know, how we deliver our solution. We really want to make it easy for the enterprise to absorb the security services that we have. Right? And that's really critical. I think that's where the focus is, is make it easier to do security because the value comes right along with it. >> All right. I'll give you each the final word, Ryan, you go first then Aaron kind of put a bumper sticker on Re-inforce 2022. >> It's not slowing down. It's only picking up in terms of innovation, software tools, operational processes, and some of the unique ways that all these tools are tied together. Third party, Native AWS, consulting, the way these services come together, it's only accelerating. It's been pretty exciting to see some of the innovation here this time at this Re-inforce. >> Right, Aaron, what do you say? >> Yeah, I would agree. I mean, just the breadth of capabilities, the new announcements by AWS of the capabilities in their solution stack. I mean, for me, you know, I just kind of wonder like when does it narrow or when does it settle down and I know that that's not now. >> Keep waiting. >> Yeah. >> But, yeah, I think, you know, we will continue to see you know, just rapid acceleration and new features and services that... >> I often say the next decade at cloud ain't going to to be like the last. So gentlemen, thanks for coming on The CUBE. It's great to see you. >> Thanks for having us. Thank you everything. >> All right, thank you for watching. Keep it right there. This is Dave Vellante for The CUBE. We'll be back right after this short break from Boston AWS Re-inforce 2022. (soft music)

(upbeat music) >> We're back in Boston, theCUBE's coverage of Re:Inforce 2022. My name is Dave Vellante. Dave Hatfield is here. He's the co-CEO of Lacework. Dave, great to see again. Hat. >> Thanks Dave. >> Do you still go by Hat? >> Hat is good for me. (Dave V laughing) >> All right cool. >> When you call me David, I'm in trouble for something. (Dave V Laughing) So just call me Hat for now. >> Yeah, like my mom, David Paul. >> Exactly. >> All right. So give us the update. I mean, you guys have been on a tear. Obviously the Techlash, >> Yep. >> I mean, a company like yours, that has raised so much money. You got to be careful. But still, I'm sure you're not taking the foot off the gas. What's the update? >> Yeah no. We were super focused on our mission. We want to de deliver a cloud security for everybody. Make it easier for developers and builders, to do their thing. And we're fortunate to be in a situation, where people are in the early innings of moving into the cloud, you know. So our customers, largely digital natives. And now increasingly cloud migrants, are recognizing that in order to build fast, you know, in the cloud, they need to have a different approach to security. And, you know, it used to be that you're either going be really secure or really fast. And we wanted to create a platform that allowed you to have both. >> Yeah. So when you first came to theCUBE, you described it. We are the first company. And at the time, I think you were the only company, thinking about security as a data problem. >> Yeah. >> Explain what that means. >> Well, when you move to the cloud, you know, there's literally a quintillion data sets, that are out there. And it's doubling every several days or whatever. And so it creates a massive problem, in that the attack surface grows. And different than when you're securing a data center or device, where you have a very fixed asset, and you kind of put things around it and you kind of know how to do it. When you move to the shared ephemeral massive scale environment, you can't write rules, and do security the way you used to do it, for a data centers and devices. And so the insight for us was, the risk was the data, the upside was the data, you know? And so if you can harness all of this data, ingest it, process it, contextualize it, in the context of creating a baseline of what normal is for a company. And then monitor it constantly in real time. Figure out, you know, identify abnormal activity. You can deliver a security posture for a company, unlike anything else before. Because it used to be, you'd write a rule. You have a known adversary or a bad guy that's out there, and you constantly try and keep up with them for a very specific attack service. But when you move to the cloud, the attack service is too broad. And so, the risk of the massive amount of data, is also the solution. Which is how do you harness it and use it with machine learning and AI, to solve these problems. >> So I feel like for CISOs, the cloud is now becoming the first line of defense. >> Yep. The CISOs is now the second line. Maybe the auditing is the third line. I don't know. >> Yeah. >> But, so how do you work with AWS? You mentioned, you know, quadrillion. We heard, I think it was Steven Schmidt, who talked about in his keynote. A quadrillion, you know, data points of a month or whatever it was. That's 15 zeros. Mind boggling. >> Yeah. >> How do you interact with AWS? You know, where's your data come from? Are you able to inspect that AWS data? Is it all your own kind of first party data? How does that all work? >> Yeah, so we love AWS. I mean we ultimately, we started out our company building our own service, you know, on AWS. We're the first cloud native built on the cloud, for the cloud, leveraging data and harnessing it. So AWS enabled us to do that. And partners like Snowflake and others, allowed us to do that. But we are a multi-cloud solution too. So we allow builders and customers, to be able to have choice. But we'd go deep with AWS and say, the shared responsibility model they came up with. With partners and themselves to say, all right, who ultimately owns security? Like where is the responsibility? And AWS does a great job on database storage, compute networking. The customer is responsible for the OS, the platform, the workloads, the applications, et cetera, and the data. And that's really where we come in. And kind of help customers secure their posture, across all of their cloud environments. And so we take a cloud trail data. We look at all of the network data. We look at configuration data. We look at rules based data and policies, that customers might have. Anything we can get our hands on, to be able to ingest into our machine learning models. And everybody knows, the more data you put into a machine learning model, the finer grain it's going to be. The more insightful and the more impactful it's going to be. So the really hard computer science problem that we set out to go do seven years ago, when we founded the company, was figure out a way to ingest, process, and contextualize mass amounts of data, from multiple streams. And the make sense out of it. And in the traditional way of protecting customers' environments, you know, you write a rule, and you have this linear sort of connection to alerts. And so you know, if you really want to tighten it down and be really secure, you have thousands of alerts per day. If you want to move really fast and create more risk and exposure, turn the dial the other way. And you know, we wanted to say, let's turn it all the way over, but maintain the amount of alerts, that really are only the ones that they need to go focus on. And so by using machine learning and artificial intelligence, and pulling all these different disparate data systems into making sense of them, we can take, you know, your alert volume from thousands per day, to one or two high fidelity critical alerts per day. And because we know the trail, because we're mapping it through our data graph, our polygraph data platform, the time to remediate a problem. So figure out the needle in the haystack. And the time to remediate is 90, 95% faster, than what you have to do on your own. So we want to work with AWS, and make it really easy for builders to use AWS services, and accelerate their consumption of them. So we were one of the first to really embrace Fargate and Graviton. We're embedded in Security Hub. We're, you know, embedded in all of the core platforms. We focus on competencies, you know. So, you know, we got container competency. We've got security and compliance competencies. And we really just want to continue to jointly invest with AWS. To deliver a great customer outcome and a really integrated seamless solution. >> I got a lot to unpack there. >> Okay. >> My first question is, what you just described, that needle in the haystack. You're essentially doing that in near real time? >> Yep. >> Or real time even, with using AI inferencing. >> Yeah. >> Describe it a little better. >> You're processing all of this data, you know, how do you do so efficiently? You know. And so we're the fastest. We do it in near real time for everything. And you know, compared to our competitors, that are doing, you know, some lightweight side scanning technology, and maybe they'll do a check or a scan once a day or twice a day. Well, the adversaries aren't sleeping, you know, over the other period of time. So you want to make it as near real time as you can. For certain applications, you know, you get it down into minutes. And ideally over time, you want to get it to actual real time. And so there's a number of different technologies that we're deploying, and that we're putting patents around. To be able to do as much data as you possibly can, as fast as you possibly can. But it varies on the application of the workload. >> And double click in the technology. >> Yeah. >> Like tell me more about it. What is it? Is it a purpose-built data store? >> Yeah. Is it a special engine? >> Yeah. There's two primary elements to it. The first part is the polygraph data platform. And this is this ingestion engine, the processing engine, you know, correlation engine. That has two way APIs, integrates into your workflows, ingests as much data as we possibly can, et cetera. And unifies all the data feeds that you've got. So you can actually correlate and provide context. And security now in the cloud, and certainly in the future, the real value is being able to create context and correlate data across the board. And when you're out buying a bunch of different companies, that have different architectures, that are all rules based engines, and trying to stitch them together, they don't talk to each other. And so the hard part first, that we wanted to go do, was build a cloud native platform, that was going to allow us to build applications, that set on top of it. And that, you know, handled a number of different security requirements. You know, behavior based threat detection, obviously is one of the first services that we offered, because we're correlating all this data, and we're creating a baseline, and we're figuring out what normal is. Okay, well, if your normal behavior is this. What's abnormal? So you can catch not only a known bad threat, you know, with rules, et cetera, that are embedded into our engines, but zero day threats and unknown unknowns. Which are the really scary stuff, when you're in the cloud. So, you know, we've got, you know, application, you know, for behavioral threat detection. You have vulnerability management, you know. Where you're just constantly figuring out, what vulnerabilities do I have across my development cycle and my run time cycle, that I need to be able to keep up on, and sort of patch and remediate, et cetera. And then compliance. And as you're pulling all these data points in, you want to be able to deliver compliance reports really efficiently. And the Biden Administration, you know, is issuing, you know, all of these, you know, new edicts for regulations. >> Sure. Obviously countries in, you know, in Europe. They have been way ahead of the US, in some of these regulations. And so they all point to a need for continuous monitoring of your cloud environment, to ensure that you're, you know, in real time, or near real time complying with the environments. And so being able to hit a button based on all of this data and, you know, deliver a compliance report for X regulation or Y regulation, saves a lot of time. But also ensures customers are secure. >> And you mentioned your multi-cloud, so you started on AWS. >> Yeah. >> My observation is that AWS isn't out trying to directly, I mean, they do some monetization of their security, >> Yep. >> But it's more like security here it is, you know. Use it. >> Yeah. >> It comes with the package. Whereas for instance, take Microsoft for example, I mean, they have a big security business. I mean, they show up in the spending surveys. >> Yeah. >> Like wow, off the charts. So sort of different philosophies there. But when you say you're Multicloud, you're saying, okay, you run on AWS. Obviously you run on Azure. You run on GCP as well. >> Yeah. Yep. >> We coin this term, Supercloud, Dave. It's it's like Multicloud 2.0. The idea is it's a layer above the clouds, that hides the underlying complexity. >> Yep. >> You mentioned Graviton. >> Yep. >> You worry about Graviton. Your customer don't, necessarily. >> We should be able to extract that. >> Right. But that's going to be different than what goes on Microsoft. With Microsoft primitives or Google primitives. Are you essentially building a Supercloud, that adds value. A layer, >> Yeah. >> on top of those Hyperscalers. >> Yeah. >> Or is it more, we're just going to run within each of those individual environments. >> Yeah. No we definitely want to build the Security OS, you know, that sort of goes across the Supercloud, as you talk about. >> Yeah. >> I would go back on one thing that you said, you know, if you listen to Andy or Adam now, talk about AWS services, and all the future growth that they have. I mean, security is job one. >> Yeah. Right, so AWS takes security incredibly seriously. They need to. You know, they want to be able to provide confidence to their customers, that they're going to be able to migrate over safely. So I think they do care deeply it. >> Oh, big time. >> And are delivering a number of services, to be able to do it for their customers,. Which is great. We want to enhance that, and provide Multicloud flexibility, deeper dives on Kubernetes and containers, and just want to stay ahead, and provide an option for companies. You know, when you're operating in AWS, to have better or deeper, more valuable, more impactful services to go layer on top. >> I see. >> And then provide the flexibility, like you said, of, hey look, I want to have a consistent security posture across all of my clouds. If I choose to use other clouds. And you don't, the schema are different on all three. You know, all of the protocols are different, et cetera. And so removing all of that complexity. I was just talking with the CISO at our event last night, we had like 300 people at this kind of cocktail event. Boston's pretty cool in the summertime. >> Yeah. Boston in July is great. >> It's pretty great. They're like going, look, we don't want to hire a Azure specialist, and a AWS specialist, and you know, a GCP specialist. We don't want to have somebody that is deep on just doing container security, or Kubernetes security. Like we want you to abstract all of that. Make sense of it. Stay above it. Continue to innovate. So we can actually do what we want to do. Which is, we want to build. We want to build fast. Like the whole point here, is to enable developers to do their job without restriction. And they intuitively want to have, and build secure applications. And, you know, because they recognize the importance of it. But if it slows them down. They're not going to do it. >> Right. >> And so we want to make that as seamless as possible, on top of AWS. So their developers feel confident. They can move more and more applications over. >> So to your point about AWS, I totally agree. I mean, security's job one. I guess the way I would say it is, from a monetization standpoint. >> Yeah. >> My sense is AWS, right now anyway, is saying we want the ecosystem, >> Yeah. >> to be able to monetize. >> Yeah. >> We're going to leave that meat on the bone for those guys. Whereas Microsoft is, they sometimes, they're certainly competitive with the ecosystem, sometimes. End point. >> Yeah. >> They compete with CrowdStrike. There's no question about it. >> Yeah. >> Are they competitive with you in some cases? Or they're not there yet. Are you different. >> Go talk to George, about what he thinks about CrowdStrike and I, versus Microsoft. (Dave V laughing) >> Well, yeah. (Dave H laughing) A good point in terms of the depth of capability. >> Yeah. >> But there's definitely opportunities for the ecosystem there as well. >> Yeah. But I think on certain parts of that, there are more, there's higher competitiveness, than less. I think in the cloud, you know, having flexibility and being open, is kind of core to the cloud's premise. And I think all three of the Hyperscalers, want to provide a choice for customers. >> Sure. >> And they want to provide flexibility. They obviously, want to monetize as much as they possibly can too. And I think they have varying strategies of those. And I do think AWS is the most open. And they're also the biggest. And I think that bodes well for what the marketplace really wants. You know, if you are a customer, and you want to go all in for everything, with one cloud. All right, well then maybe you use their security stack exclusively. But that's not the trend on where we're going. And we're talking about a $154 billion market, growing at, you know, 15% for you. It's a $360 billion market. And one of the most fragmented in tech. Customers do want to consolidate on platforms. >> Absolutely. >> If they can consolidate on CSPs, or they consolidate on the Supercloud, I'm going to steal that from you, with the super cloud. You know, to be able to, you know, have a consistent clarity posture, for all of your workloads, containers, Kubernetes, applications, across multiple clouds. That's what we think customers want. That's what we think customers need. There's opportunity for us to build a really big, iconic security business as well. >> I'm going to make you laugh. Because, so AWS doesn't like the term Supercloud. And the reason is, because it implies that they're the infrastructure, kind of commodity layer. And my response is, you'll appreciate this, is Pure Storage has 70% gross margin. >> Yeah. Yep. >> Right. Look at Intel. You've got Graviton. You control, you can have Intel, like gross margin. So maybe, your infrastructure. But it's not necessarily commodity, >> Yeah. >> But it leaves, to me, it leaves the ecosystem value. Companies like Lacework. >> Amazon offers 220 something services, for customers to make their lives easier. There's all kinds of ways, where they're actually focusing on delivering value, to their customers that, you know, is far from commodity and always will be. >> Right. >> I think when it comes to security, you're going to have, you're going to need security in your database. Your storage. Your network compute. They do all of that, you know, monetize all of that. But customers also want to, you know, be able to have a consistent security posture, across the Supercloud. You know, I mean, they don't have time. I think security practitioners, and security hiring in general, hasn't had unemployment for like seven or 10 years. It's the hardest place to find quality people. >> Right. >> And so our goal, is if we can up level and enable security practitioners, and DevSecOps teams, to be able to do their job more efficiently, it's a good thing for them. It's a win for them. And not having to be experts, on all of these different environments, that they're operating in. I think is really important. >> Here's the other thing about Supercloud. And I think you'll appreciate this. You know, Andreesen says, all companies are software companies. Well, all companies are becoming SAS and Cloud companies. >> Yeah. >> So you look at Capital One. What they're doing with on Snowflake. You know, Goldman what they're doing with AWS. Oracle by Cerner, you know that. So industries, incumbents, are building their own Superclouds. They don't want to deal with all this crap. >> Yeah. >> They want to add their own value. Their own tools. Their own software. And their own data. >> Yeah. >> And actually serve their specific vertical markets. >> Yeah. A hundred percent. And they also don't want tools, you know. >> Right. >> I think when you're in the security business. It's so fragmented, because you had to write a rule for everything, and they were super nuanced. When you move to a data driven approach, and you actually have a platform, that removes the need to actually have very nuanced, specific expertise across all these different. Because you're combining it into your baseline and understanding it. And so, customers want to move from, you know, one of the biggest banks in North America, has 550 different point solutions for security. Thousands of employees to go manage all of this. They would love to be able to consolidate around a few platforms, that integrate the data flows, so they can correlate value across it. And this platform piece is really what differentiates our approach. Is that we already have that built. And everybody else is sort of working backwards from Legacy approaches, or from a acquired companies. We built it natively from the ground up. Which we believe gives us an advantage for our customers. An advantage of time to market speed, efficacy, and a much lower cost. Because you can get rid of a bunch of point solutions in the process. >> You mentioned Devs. Did you, you know, that continuous experience across clouds. >> Yep. >> Do you have like the equivalent of a Super PAs layer, that is specific to your use case? Or are you kind of using, I mean, I know you use off the shelf tooling, >> Yep. >> you allow your developers to do so, but is, is the developer experience consistent across the clouds? That's really what I'm asking? >> Well, I think it is. I mean, I was talking to another CEO of a company, you know, on the floor here, and it's focusing on the build side. You know we focus on both the build and the run time. >> Right. >> And we were talking about, you know, how many different applications, or how fragmented the developer experience is, with all the different tools that they have. And it's phenomenal. I mean, like this, either through acquisition or by business unit. And developers, like to have choice. Like they don't like to be told what to do or be standardized, you know, by anybody. Especially some compliance organization or security organization. And so, it's hard for them to have a consistent experience, that they're using a bunch of different tools. And so, yeah. We want to be able to integrate into whatever workload, a workflow a customer uses, in their Dev cycle, and then provide consistent security on top of it. I mean, for our own company, you know, we got about a thousand people. And a lot of them are developers. We want to make it as consistent as we possibly can, so they can build code, to deliver security efficacy, and new applications and new tools for us. So I think where you can standardize and leverage a platform approach, it's always going to be better. But the reality is, especially in large existing companies. You know, they've got lots of different tools. And so you need to be able to set above it. Integrate with it and make it consistent. And security is one of those areas, where having a consistent view, a consistent posture, a consistent read, that you can report to the board, and know that your efficacy is there. Whatever environment you're in. Whatever cloud you're on. Is super, super critical. >> And in your swim lane, you're providing that consistency, >> Yep. >> for Devs. But you're right. You've got to worry about containers. You got to worry about the run time. You got to worry about the platform. The DevSecOps team is, you know, becoming the new line of defense, right? I mean, security experts. >> Absolutely. Well, we have one customer, that we just have been working with for four years ago. And it's, you know, a Fortune, a Global 2000 company. Bunch of different industries grew through acquisition, et cetera. And four years ago, their CTO said, we're moving to the cloud. Because we want to drive efficiency and agility, and better service offerings across the board. And so he has engineering. So he has Dev, you know. He has operations. And he has security teams. And so organizationally, I think that'll be the model, as companies do follow entries in to sort of, you know, quote. Become software companies and move on their digital journeys. Integrating the functions of DevSecOps organizationally, and then providing a platform, and enabling platform, that makes their jobs easier for each of those personas. >> Right. >> Is what we do. You want to enable companies to shift left. And if you can solve the problems in the code, on the front end, you know, before it gets out on the run time. You're going to solve, you know, a lot of issues that exist. Correlating the data, between what's happening in your runtime, and what's happening in your build time, and being able to fix it in near realtime. And integrate with those joint workflows. We think is the right answer. >> Yeah. >> Over the long haul. So it's a pretty exciting time. >> Yeah. Shift left, ops team shield right. Hat, great to see you again. >> Good to see you, Dave. >> Thanks so much for coming on theCUBE. >> Thanks a lot. >> All Right. Keep it right there. We'll be back. Re:Inforce 2022. You're watching theCUBE from Boston. (calming music)

(upbeat music) >> Welcome back to Boston, everybody. This is the birthplace of theCUBE. In 2010, May of 2010 at EMC World, right in this very venue, John Furrier called it the chowder and lobster post. I'm Dave Vellante. We're here at RE:INFORCE 2022, Ed Walsh, CEO of ChaosSearch. Doing a drive by Ed. Thanks so much for stopping in. You're going to help me wrap up in our final editorial segment. >> Looking forward to it. >> I really appreciate it. >> Thank you for including me. >> How about that? 2010. >> That's amazing. It was really in this-- >> Really in this building. Yeah, we had to sort of bury our way in, tunnel our way into the Blogger Lounge. We did four days. >> Weekends, yeah. >> It was epic. It was really epic. But I'm glad they're back in Boston. AWS was going to do June in Houston. >> Okay. >> Which would've been awful. >> Yeah, yeah. No, this is perfect. >> Yeah. Thank God they came back. You saw Boston in summer is great. I know it's been hot, And of course you and I are from this area. >> Yeah. >> So how you been? What's going on? I mean, it's a little crazy out there. The stock market's going crazy. >> Sure. >> Having the tech lash, what are you seeing? >> So it's an interesting time. So I ran a company in 2008. So we've been through this before. By the way, the world's not ending, we'll get through this. But it is an interesting conversation as an investor, but also even the customers. There's some hesitation but you have to basically have the right value prop, otherwise things are going to get sold. So we are seeing longer sales cycles. But it's nothing that you can't overcome. But it has to be something not nice to have, has to be a need to have. But I think we all get through it. And then there is some, on the VC side, it's now buckle down, let's figure out what to do which is always a challenge for startup plans. >> In pre 2000 you, maybe you weren't a CEO but you were definitely an executive. And so now it's different and a lot of younger people haven't seen this. You've got interest rates now rising. Okay, we've seen that before but it looks like you've got inflation, you got interest rates rising. >> Yep. >> The consumer spending patterns are changing. You had 6$, $7 gas at one point. So you have these weird crosscurrents, >> Yup. >> And people are thinking, "Okay post-September now, maybe because of the recession, the Fed won't have to keep raising interest rates and tightening. But I don't know what to root for. It's like half full, half empty. (Ed laughing) >> But we haven't been in an environment with high inflation. At least not in my career. >> Right. Right. >> I mean, I got into 92, like that was long gone, right?. >> Yeah. >> So it is a interesting regime change that we're going to have to deal with, but there's a lot of analogies between 2008 and now that you still have to work through too, right?. So, anyway, I don't think the world's ending. I do think you have to run a tight shop. So I think the grow all costs is gone. I do think discipline's back in which, for most of us, discipline never left, right?. So, to me that's the name of the game. >> What do you tell just generally, I mean you've been the CEO of a lot of private companies. And of course one of the things that you do to retain people and attract people is you give 'em stock and it's great and everybody's excited. >> Yeah. >> I'm sure they're excited cause you guys are a rocket ship. But so what's the message now that, Okay the market's down, valuations are down, the trees don't grow to the moon, we all know that. But what are you telling your people? What's their reaction? How do you keep 'em motivated? >> So like anything, you want over communicate during these times. So I actually over communicate, you get all these you know, the Sequoia decks, 2008 and the recent... >> (chuckles) Rest in peace good times, that one right? >> I literally share it. Why? It's like, Hey, this is what's going on in the real world. It's going to affect us. It has almost nothing to do with us specifically, but it will affect us. Now we can't not pay attention to it. It does change how you're going to raise money, so you got to make sure you have the right runway to be there. So it does change what you do, but I think you over communicate. So that's what I've been doing and I think it's more like a student of the game, so I try to share it, and I say some appreciate it others, I'm just saying, this is normal, we'll get through this and this is what happened in 2008 and trust me, once the market hits bottom, give it another month afterwards. Then everyone says, oh, the bottom's in and we're back to business. Valuations don't go immediately back up, but right now, no one knows where the bottom is and that's where kind of the world's ending type of things. >> Well, it's interesting because you talked about, I said rest in peace good times >> Yeah >> that was the Sequoia deck, and the message was tighten up. Okay, and I'm not saying you shouldn't tighten up now, but the difference is, there was this period of two years of easy money and even before that, it was pretty easy money. >> Yeah. >> And so companies are well capitalized, they have runway so it's like, okay, I was talking to Frank Slootman about this now of course there are public companies, like we're not taking the foot off the gas. We're inherently profitable, >> Yeah. >> we're growing like crazy, we're going for it. You know? So that's a little bit of a different dynamic. There's a lot of good runway out there, isn't there? >> But also you look at the different companies that were either born or were able to power through those environments are actually better off. You come out stronger in a more dominant position. So Frank, listen, if you see what Frank's done, it's been unbelievable to watch his career, right?. In fact, he was at Data Domain, I was Avamar so, but look at what he's done since, he's crushed it. Right? >> Yeah. >> So for him to say, Hey, I'm going to literally hit the gas and keep going. I think that's the right thing for Snowflake and a right thing for a lot of people. But for people in different roles, I literally say that you have to take it seriously. What you can't be is, well, Frank's in a different situation. What is it...? How many billion does he have in the bank? So it's... >> He's over a billion, you know, over a billion. Well, you're on your way Ed. >> No, no, no, it's good. (Dave chuckles) Okay, I want to ask you about this concept that we've sort of we coined this term called Supercloud. >> Sure. >> You could think of it as the next generation of multi-cloud. The basic premises that multi-cloud was largely a symptom of multi-vendor. Okay. I've done some M&A, I've got some Shadow IT, spinning up, you know, Shadow clouds, projects. But it really wasn't a strategy to have a continuum across clouds. And now we're starting to see ecosystems really build, you know, you've used the term before, standing on the shoulders of giants, you've used that a lot. >> Yep. >> And so we're seeing that. Jerry Chen wrote a seminal piece on Castles in The Cloud, so we coined this term SuperCloud to connote this abstraction layer that hides the underlying complexities and primitives of the individual clouds and then adds value on top of it and can adjudicate and manage, irrespective of physical location, Supercloud. >> Yeah. >> Okay. What do you think about that concept?. How does it maybe relate to some of the things that you're seeing in the industry? >> So, standing on shoulders of giants, right? So I always like to do hard tech either at big company, small companies. So we're probably your definition of a Supercloud. We had a big vision, how to literally solve the core challenge of analytics at scale. How are you going to do that? You're not going to build on your own. So literally we're leveraging the primitives, everything you can get out of the Amazon cloud, everything get out of Google cloud. In fact, we're even looking at what it can get out of this Snowflake cloud, and how do we abstract that out, add value to it? That's where all our patents are. But it becomes a simplified approach. The customers don't care. Well, they care where their data is. But they don't care how you got there, they just want to know the end result. So you simplify, but you gain the advantages. One thing's interesting is, in this particular company, ChaosSearch, people try to always say, at some point the sales cycle they say, no way, hold on, no way that can be fast no way, or whatever the different issue. And initially we used to try to explain our technology, and I would say 60% was explaining the public, cloud capabilities and then how we, harvest those I guess, make them better add value on top and what you're able to get is something you couldn't get from the public clouds themselves and then how we did that across public clouds and then extracted it. So if you think about that like, it's the Shoulders of giants. But what we now do, literally to avoid that conversation because it became a lengthy conversation. So, how do you have a platform for analytics that you can't possibly overwhelm for ingest. All your messy data, no pipelines. Well, you leverage things like S3 and EC2, and you do the different security things. You can go to environments say, you can't possibly overrun me, I could not say that. If I didn't literally build on the shoulders giants of all these public clouds. But the value. So if you're going to do hard tech as a startup, you're going to build, you're going to be the principles of Supercloud. Maybe they're not the same size of Supercloud just looking at Snowflake, but basically, you're going to leverage all that, you abstract it out and that's where you're able to have a lot of values at that. >> So let me ask you, so I don't know if there's a strict definition of Supercloud, We sort of put it out to the community and said, help us define it. So you got to span multiple clouds. It's not just running in each cloud. There's a metadata layer that kind of understands where you're pulling data from. Like you said you can pull data from Snowflake, it sounds like we're not running on Snowflake, correct? >> No, complimentary to them in their different customers. >> Yeah. Okay. >> They want to build on top of a data platform, data apps. >> Right. And of course they're going cross cloud. >> Right. >> Is there a PaaS layer in there? We've said there's probably a Super PaaS layer. You're probably not doing that, but you're allowing people to bring their own, bring your own PaaS sort of thing maybe. >> So we're a little bit different but basically we publish open APIs. We don't have a user interface. We say, keep the user interface. Again, we're solving the challenge of analytics at scale, we're not trying to retrain your analytics, either analysts or your DevOps or your SOV or your Secop team. They use the tools they already use. Elastic search APIs, SQL APIs. So really they program, they build applications on top of us, Equifax is a good example. Case said it coming out later on this week, after 18 months in production but, basically they're building, we provide the abstraction layer, the quote, I'm going to kill it, Jeff Tincher, who owns all of SREs worldwide, said to the effect of, Hey I'm able to rethink what I do for my data pipelines. But then he also talked about how, that he really doesn't have to worry about the data he puts in it. We deal with that. And he just has to, just query on the other side. That simplicity. We couldn't have done that without that. So anyway, what I like about the definition is, if you were going to do something harder in the world, why would you try to rebuild what Amazon, Google and Azure or Snowflake did? You're going to add things on top. We can still do intellectual property. We're still doing patents. So five grand patents all in this. But literally the abstraction layer is the simplification. The end users do not want to know that complexity, even though they ask the questions. >> And I think too, the other attribute is it's ecosystem enablement. Whereas I think, >> Absolutely >> in general, in the Multicloud 1.0 era, the ecosystem wasn't thinking about, okay, how do I build on top and abstract that. So maybe it is Multicloud 2.0, We chose to use Supercloud. So I'm wondering, we're at the security conference, >> RE: INFORCE is there a security Supercloud? Maybe Snyk has the developer Supercloud or maybe Okta has the identity Supercloud. I think CrowdStrike maybe not. Cause CrowdStrike competes with Microsoft. So maybe, because Microsoft, what's interesting, Merritt Bear was just saying, look, we don't show up in the spending data for security because we're not charging for most of our security. We're not trying to make a big business. So that's kind of interesting, but is there a potential for the security Supercloud? >> So, I think so. But also, I'll give you one thing I talked to, just today, at least three different conversations where everyone wants to log data. It's a little bit specific to us, but basically they want to do the security data lake. The idea of, and Snowflake talks about this too. But the idea of putting all the data in one repository and then how do you abstract out and get value from it? Maybe not the perfect, but it becomes simple to do but hard to get value out. So the different players are going to do that. That's what we do. We're able to, once you land it in your S3 or it doesn't matter, cloud of choice, simple storage, we allow you to get after that data, but we take the primitives and hide them from you. And all you do is query the data and we're spinning up stateless computer to go after it. So then if I look around the floor. There's going to be a bunch of these players. I don't think, why would someone in this floor try to recreate what Amazon or Google or Azure had. They're going to build on top of it. And now the key thing is, do you leave it in standard? And now we're open APIs. People are building on top of my open APIs or do you try to put 'em in a walled garden? And they're in, now your Supercloud. Our belief is, part of it is, it needs to be open access and let you go after it. >> Well. And build your applications on top of it openly. >> They come back to snowflake. That's what Snowflake's doing. And they're basically saying, Hey come into our proprietary environment. And the benefit is, and I think both can win. There's a big market. >> I agree. But I think the benefit of Snowflake's is, okay, we're going to have federated governance, we're going to have data sharing, you're going to have access to all the ecosystem players. >> Yep. >> And as everything's going to be controlled and you know what you're getting. The flip side of that is, Databricks is the other end >> Yeah. >> of that spectrum, which is no, no, you got to be open. >> Yeah. >> So what's going to happen, well what's happening clearly, is Snowflake's saying, okay we've got Snowpark. we're going to allow Python, we're going to have an Apache Iceberg. We're going to have open source tooling that you can access. By the way, it's not going to be as good as our waled garden where the flip side of that is you get Databricks coming at it from a data science and data engineering perspective. And there's a lot of gaps in between, aren't there? >> And I think they both win. Like for instance, so we didn't do Snowpark integration. But we work with people building data apps on top of Snowflake or data bricks. And what we do is, we can add value to that, or what we've done, again, using all the Supercloud stuff we're done. But we deal with the unstructured data, the four V's coming at you. You can't pipeline that to save. So we actually could be additive. As they're trying to do like a security data cloud inside of Snowflake or do the same thing in Databricks. That's where we can play. Now, we play with them at the application level that they get some data from them and some data for us. But I believe there's a partnership there that will do it inside their environment. To us they're just another large scaler environment that my customers want to get after data. And they want me to abstract it out and give value. >> So it's another repository to you. >> Yeah. >> Okay. So I think Snowflake recently added support for unstructured data. You chose not to do Snowpark because why? >> Well, so the way they're doing the unstructured data is not bad. It's JSON data. Basically, This is the dilemma. Everyone wants their application developers to be flexible, move fast, securely but just productivity. So you get, give 'em flexibility. The problem with that is analytics on the end want to be structured to be performant. And this is where Snowflake, they have to somehow get that raw data. And it's changing every day because you just let the developers do what they want now, in some structured base, but do what you need to do your business fast and securely. So it completely destroys. So they have large customers trying to do big integrations for this messy data. And it doesn't quite work, cause you literally just can't make the pipelines work. So that's where we're complimentary do it. So now, the particular integration wasn't, we need a little bit deeper integration to do that. So we're integrating, actually, at the data app layer. But we could, see us and I don't, listen. I think Snowflake's a good actor. They're trying to figure out what's best for the customers. And I think we just participate in that. >> Yeah. And I think they're trying to figure out >> Yeah. >> how to grow their ecosystem. Because they know they can't do it all, in fact, >> And we solve the key thing, they just can't do certain things. And we do that well. Yeah, I have SQL but that's where it ends. >> Yeah. >> I do the messy data and how to play with them. >> And when you talk to one of their founders, anyway, Benoit, he comes on the cube and he's like, we start with simple. >> Yeah. >> It reminds me of the guy's some Pure Storage, that guy Coz, he's always like, no, if it starts to get too complicated. So that's why they said all right, we're not going to start out trying to figure out how to do complex joins and workload management. And they turn that into a feature. So like you say, I think both can win. It's a big market. >> I think it's a good model. And I love to see Frank, you know, move. >> Yeah. I forgot So you AVMAR... >> In the day. >> You guys used to hate each other, right? >> No, no, no >> No. I mean, it's all good. >> But the thing is, look what he's done. Like I wouldn't bet against Frank. I think it's a good message. You can see clients trying to do it. Same thing with Databricks, same thing with BigQuery. We get a lot of same dynamic in BigQuery. It's good for a lot of things, but it's not everything you need to do. And there's ways for the ecosystem to play together. >> Well, what's interesting about BigQuery is, it is truly cloud native, as is Snowflake. You know, whereas Amazon Redshift was sort of Parexel, it's cobbled together now. It's great engineering, but BigQuery gets a lot of high marks. But again, there's limitations to everything. That's why companies like yours can exist. >> And that's why.. so back to the Supercloud. It allows me as a company to participate in that because I'm leveraging all the underlying pieces. Which we couldn't be doing what we're doing now, without leveraging the Supercloud concepts right, so... >> Ed, I really appreciate you coming by, help me wrap up today in RE:INFORCE. Always a pleasure seeing you, my friend. >> Thank you. >> All right. Okay, this is a wrap on day one. We'll be back tomorrow. I'll be solo. John Furrier had to fly out but we'll be following what he's doing. This is RE:INFORCE 2022. You're watching theCUBE. I'll see you tomorrow.

(bright music) >> Welcome back everyone to the live Cube coverage here in Boston, Massachusetts for AWS re:Inforce 22, with a great guest here, Denise Hayman, CRO, Chief Revenue of Sonrai Security. Sonrai's a featured partner of Season Two, Episode Four of the upcoming AWS Startup Showcase, coming in late August, early September. Security themed startup focused event, check it out. awsstartups.com is the site. We're on Season Two. A lot of great startups, go check them out. Sonrai's in there, now for the second time. Denise, it's great to see you. Thanks for coming on. >> Ah, thanks for having me. >> So you've been around the industry for a while. You've seen the waves of innovation. We heard encrypt everything today on the keynote. We heard a lot of cloud native. They didn't say shift left but they said don't bolt on security after the fact, be in the CI/CD pipeline or the DevStream. All that's kind of top of line, Amazon's talking cloud native all the time. This is kind of what you guys are in the middle of. I've covered your company, you've been on theCUBE before. Your, not you, but your teammates have. You guys have a unique value proposition. Take a minute to explain for the folks that don't know, we'll dig into it, but what you guys are doing. Why you're winning. What's the value proposition. >> Yeah, absolutely. So, Sonrai is, I mean what we do is it's, we're a total cloud solution, right. Obviously, right, this is what everybody says. But what we're dealing with is really, our superpower has to do with the data and identity pieces within that framework. And we're tying together all the relationships across the cloud, right. And this is a unique thing because customers are really talking to us about being able to protect their sensitive data, protect their identities. And not just people identities but the non-people identity piece is the hardest thing for them to reign in. >> Yeah. >> So, that's really what we specialize in. >> And you guys doing good, and some good reports on good sales, and good meetings happening here. Here at the show, the big theme to me, and again, listening to the keynotes, you hear, you can see what's, wasn't talk about. >> Mm-hmm. >> Ransomware wasn't talked about much. They didn't talk about air-gapped. They mentioned ransomware I think once. You know normal stuff, teamwork, encryption everywhere. But identity was sprinkled in everywhere. >> Mm-hmm. >> And I think one of the, my favorite quotes was, I wrote it down, We've security in the development cycle CSD, they didn't say shift left. Don't bolt on any of that. Now, that's not new information. We know that don't bolt, >> Right. >> has been around for a while. He said, lessons learned, this is Stephen Schmidt, who's the CSO, top dog on security, who has access to what and why over permissive environments creates chaos. >> Absolutely. >> This is what you guys reign in. >> It is. >> Explain, explain that. >> Yeah, I mean, we just did a survey actually with AWS and Forrester around what are all the issues in this area that, that customers are concerned about and, and clouds in particular. One of the things that came out of it is like 95% of clouds are, what's called over privileged. Which means that there's access running amok, right. I mean, it, it is, is a crazy thing. And if you think about the, the whole value proposition of security it's to protect sensitive data, right. So if, if it's permissive out there and then sensitive data isn't being protected, I mean that, that's where we really reign it in. >> You know, it's interesting. I zoom out, I just put my historian hat on going back to the early days of my career in late eighties, early nineties. There's always, when you have these inflection points, there's always these problems that are actually opportunities. And DevOps, infrastructure as code was all about APS, all about the developer. And now open source is booming, open source is the software industry. Open source is it in the world. >> Right. >> That's now the software industry. Cloud scale has hit and now you have the Devs completely in charge. Now, what suffers now is the Ops and the Sec, Second Ops. Now Ops, DevOps. Now, DevSecOps is where all the action is. >> Yep. >> So the, the, the next thing to do is build an abstraction layer. That's what everyone's trying to do, build tools and platforms. And so that's where the action is here. This is kind of where the innovation's happening because the networks aren't the, aren't in charge anymore either. So, you now have this new migration up to higher level services and opportunities to take the complexity away. >> Mm-hmm. >> Because what's happened is customers are getting complexity. >> That's right. >> They're getting it shoved in their face, 'cause they want to do good with DevOps, scale up. But by default their success is also their challenge. >> Right. >> 'Cause of complexity. >> That's exactly right. >> This is, you agree with that. >> I do totally agree with that. >> If you, you believe that, then what's next. What happens next? >> You know, what I hear from customers has to do with two specific areas is they're really trying to understand control frameworks, right. And be able to take these scenarios and build them into something that they, where they can understand where the gaps are, right. And then on top of that building in automation. So, the automation is a, is a theme that we're hearing from everybody. Like how, how do they take and do things like, you know it's what we've been hearing for years, right. How do we automatically remediate? How do we automatically prioritize? How do we, how do we build that in so that they're not having to hire people alongside that, but can use software for that. >> The automation has become key. You got to find it first. >> Yes. >> You guys are also part of the DevCycle too. >> Yep. >> Explain that piece. So, I'm a developer, I'm an organization. You guys are on the front end. You're not bolt-on, right? >> We can do either. We prefer it when customers are willing to use us, right. At the very front end, right. Because anything that's built in the beginning doesn't have the extra cycles that you have to go through after the fact, right. So, if you can build security right in from the beginning and have the ownership where it needs to be, then you're not having to, to deal with it afterwards. >> Okay, so how do you guys, I'm putting my customer hat on for a second. A little hard, hard question, hard problem. I got active directory on Azure. I got, IM over here with AWS. I wanted them to look the same. Now, my on-premises, >> Ah. >> Is been booming, now I got cloud operations, >> Right. >> So, DevOps has moved to my premise and edge. So, what do I do? Do I throw everything out, do a redo. How do you, how do you guys talk about, talk to customers that have that chance, 'cause a lot of them are old school. >> Right. >> ID. >> And, and I think there's a, I mean there's an important distinction here which is there's the active directory identities right, that customers are used to. But then there's this whole other area of non-people identities, which is compute power and privileges and everything that gets going when you get you know, machines working together. And we're finding that it's about five-to-one in terms of how many identities are non-human identities versus human identity. >> Wow. >> So, so you actually have to look at, >> So, programmable access, basically. >> Yeah. Yes, absolutely. Right. >> Wow. >> And privileges and roles that are, you know accessed via different ways, right. Because that's how it's assigned, right. And people aren't really paying that close attention to it. So, from that scenario, like the AD thing of, of course that's important, right. To be able to, to take that and lift it into your cloud but it's actually even bigger to look at the bigger picture with the non-human identities, right. >> What about the CISOs out there that you talk to. You're in the front lines, >> Yep. >> talking to customers and you see what's coming on the roadmap. >> Yep. >> So, you kind of get the best of both worlds. See what they, what's coming out of engineering. What's the biggest problem CISOs are facing now? Is it the sprawl of the problems, the hacker space? Is it not enough talent? What, I mean, I see the fear, what are, what are they facing? How do you, how do you see that, and then what's your conversations like? >> Yeah. I mean the, the answer to that is unfortunately yes, right. They're dealing with all of those things. And, and here we are at the intersection of, you know, this huge complex thing around cloud that's happening. There's already a gap in terms of resources nevermind skills that are different skills than they used to have. So, I hear that a lot. The, the bigger thing I think I hear is they're trying to take the most advantage out of their current team. So, they're again, worried about how to operationalize things. So, if we bring this on, is it going to mean more headcount. Is it going to be, you know things that we have to invest in differently. And I was actually just with a CISO this morning, and the whole team was, was talking about the fact that bringing us on means they have, they can do it with less resource. >> Mm-hmm. >> Like this is a a resource help for them in this particular area. So, that that was their value proposition for us, which I loved. >> Let's talk about Adrian Cockcroft who retired from AWS. He was at Netflix before. He was a big DevOps guy. He talks about how agility's been great because from a sales perspective the old model was, he called it the, the big Indian wedding. You had to get everyone together, do a POC, you know, long sales cycles for big tech investments, proprietary. Now, open sources like speed dating. You can know what's good quickly and and try things quicker. How is that, how is that impacting your sales motions. Your customer engagements. Are they fast? Are they, are they test-tried before they buy? What's the engagement model that you, you see happening that the customers like the best. >> Yeah, hey, you know, because of the fact that we're kind of dealing with this serious part of the problem, right. With the identities and, and dealing with data aspects of it it's not as fast as I would like it to be, right. >> Yeah, it's pretty important, actually. >> They still need to get in and understand it. And then it's different if you're AWS environment versus other environments, right. We have to normalize all of that and bring it together. And it's such a new space, >> Yeah. >> that they all want to see it first. >> Yeah. >> Right, so. >> And, and the consequences are pretty big. >> They're huge. >> Yeah. >> Right, so the, I mean, the scenario here is we're still doing, in some cases we'll do workshops instead of a POV or a POC. 90% of the time though we're still doing a POV. >> Yeah, you got to. >> Right. So, they can see what it is. >> They got to get their hands on it. >> Yep. >> This is one of those things they got to see in action. What is the best-of-breed? If you had to say best-of-breed in identity looks like blank. How would you describe that from a customer's perspective? What do they need the most? Is it robustness? What's some of the things that you guys see as differentiators for having a best-of-breed solution like you guys have. >> A best-of-breed solution. I mean, for, for us, >> Or a relevant solution for that matter, for the solution. >> Yeah. I mean, for us, this, again, this identity issue it, for us, it's depth and it's continuous monitoring, right. Because the issue in the cloud is that there are new privileges that come out every single day, like to the tune of like 35,000 a year. So, even if at this exact moment, it's fine. It's not going to be in another moment, right. So, having that continuous monitoring in there, and, and it solves this issue that we hear from a lot of customers also around lateral movement, right. Because like a piece of compute can be on and off, >> Yeah, yeah, yeah. >> within a few seconds, right. So, you can't use any of the old traditional things anymore. So to me, it's the continuous monitoring I think that's important. >> I think that, and the lateral movement piece, >> Yep. >> that you guys have is what I hear the most of the biggest fears. >> Mm-hmm. >> Someone gets in here and can move around, >> That's right. >> and that's dangerous. >> Mm-hmm. And, and no traditional tools will see it. >> Yeah. Yeah. >> Right. There's nothing in there unless you're instrumented down to that level, >> Yeah. >> which is what we do. You're not going to see it. >> I mean, when someone has a firewall, a perimeter based system, yeah, I'm in the castle, I'm moving around, but that's not the case here. This is built for full observability, >> That's right. >> Yet there's so many vulnerabilities. >> It's all open. Mm-hmm, yeah. And, and our view too, is, I mean you bring up vulnerabilities, right. It, it is, you know, a little bit of the darling, right. People start there. >> Yep. >> And, and our belief in our view is that, okay, that's nice. But, and you do have to do that. You have to be able to see everything right, >> Yep. >> to be able to operationalize it. But if you're not dealing with the sensitive data pieces right, and the identities and stuff that's at the core of what you're trying to do >> Yeah. >> then you're not going to solve the problem. >> Yeah. Denise, I want to ask you. Because you make what was it, five-to-one was the machine to humans. I think that's actually might be low, on the low end. If you could imagine. If you believe that's true. >> Yep. >> I believe that's true by the way If microservices continues to be the, be the wave. >> Oh, it'll just get bigger. >> Which it will. It's going to much bigger. >> Yeah. >> Turning on and off, so, the lateral movement opportunities are going to be greater. >> Yep. >> That's going to be a bigger factor. Okay, so how do I protect myself. Now, 'cause developer productivity is also important. >> Mm-hmm. >> 'Cause, I've heard horror stories like, >> Yep. >> Yeah, my Devs are cranking away. Uh-oh, something's out there. We don't know about it. Everyone has to stop, have a meeting. They get pulled off their task. It's kind of not agile. >> Right. Right. >> I mean, >> Yeah. And, and, in that vein, right. We have built the product around what we call swim lanes. So, the whole idea is we're prioritizing based on actual impact and context. So, if it's a sandbox, it probably doesn't matter as much as if it's like operational code that's out there where customers are accessing it, right. Or it's accessing sensitive data. So, we look at it from a swim lane perspective. When we try to get whoever needs to solve it back to the person that is responsible for it. So we can, we can set it up that way. >> Yeah. I think that, that's key insight into operationalizing this. >> Yep. >> And remediation is key. >> Yes. >> How, how much, how important is the timing of that. When you talk to your customer, I mean, timing is obviously going to be longer, but like seeing it's one thing, knowing what to do is another. >> Yep. >> Do you guys provide that? Is that some of the insights you guys provide? >> We do, it's almost like, you know, us. The, and again, there's context that's involved there, right? >> Yeah. >> So, some remediation from a priority perspective doesn't have to be immediate. And some of it is hair on fire, right. So, we provide actually, >> Yeah. >> a recommendation per each of those situations. And, and in some cases we can auto remediate, right. >> Yeah. >> If, it depends on what the customer's comfortable with, right. But, when I talk to customers about what is their favorite part of what we do it is the auto remediation. >> You know, one of the things on the keynotes, not to, not to go off tangent, one second here but, Kurt who runs platforms at AWS, >> Mm-hmm. >> went on his little baby project that he loves was this automated, automatic reasoning feature. >> Mm-hmm. >> Which essentially is advanced machine learning. >> Right. >> That can connect the dots. >> Yep. >> Not just predict stuff but like actually say this doesn't belong here. >> Right. >> That's advanced computer science. That's heavy duty coolness. >> Mm-hmm. >> So, operationalizing that way, the way you're saying it I'm imagining there's some future stuff coming around the corner. Can you share how you guys are working with AWS specifically? Is it with Amazon? You guys have your own secret sauce for the folks watching. 'Cause this remediation should, it only gets harder. You got to, you have to be smarter on your end, >> Yep. >> with your engineers. What's coming next. >> Oh gosh, I don't know how much of what's coming next I can share with you, except for tighter and tighter integrations with AWS, right. I've been at three meetings already today where we're talking about different AWS services and how we can be more tightly integrated and what's things we want out of their APIs to be able to further enhance what we can offer to our customers. So, there's a lot of those discussions happening right now. >> What, what are some of those conversations like? Without revealing. >> I mean, they have to do with, >> Maybe confidential privilege. >> privileged information. I don't mean like privileged information. >> Yep. I mean like privileges, right, >> Right. >> that are out there. >> Like what you can access, and what you can't. >> What you can, yes. And who and what can access it and what can't. And passing that information on to us, right. To be able to further remediate it for an AWS customer. That's, that's one. You know, things like other AWS services like CloudTrail and you know some of the other scenarios that they're talking about. Like we're, you know, we're getting deeper and deeper and deeper with the AWS services. >> Yeah, it's almost as if Amazon over the past two years in particular has been really tightly integrating as a strategy to enable their partners like you guys >> Mm-hmm. >> to be successful. Not trying to land grab. Is that true? Do you get that vibe? >> I definitely get that vibe, right. Yesterday, we spent all day in a partnership meeting where they were, you know talking about rolling out new services. I mean, they, they are in it to win it with their ecosystem. Not on, not just themselves. >> All right, Denise it's great to have you on theCUBE here as part of re:Inforce. I'll give you the last minute or so to give a plug for the company. You guys hiring? What are you guys looking for? Potential customers that are watching? Why should they buy you? Why are you winning? Give a, give the pitch. >> Yeah, absolutely. So, so yes we are hiring. We're always hiring. I think, right, in this startup world. We're growing and we're looking for talent, probably in every area right now. I know I'm looking for talent on the sales side. And, and again, the, I think the important thing about us is the, the fullness of our solution but the superpower that we have, like I said before around the identity and the data pieces and this is becoming more and more the reality for customers that they're understanding that that is the most important thing to do. And I mean, if they're that, Gartner says it, Forrester says it, like we are one of the, one of the best choices for that. >> Yeah. And you guys have been doing good. We've been following you. Thanks for coming on. >> Thank you. >> And congratulations on your success. And we'll see you at the AWS Startup Showcase in late August. Check out Sonrai Systems at AWS Startup Showcase late August. Here at theCUBE live in Boston getting all the coverage. From the keynotes, to the experts, to the ecosystem, here on theCUBE, I'm John Furrier your host. Thanks for watching. (bright music)

(theme music) >> Okay, welcome back everyone, theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce '22. Big show for ground security, Amazon re:Invent's coming up. That's the big event of all time for AWS. re:MARS was another one, re:Inforce, the re:Shows, they call them, theCUBE's got you covered. I'm John Furrier, host of theCUBE with Dave Vellante, who's in an analyst session right now. He'll be back shortly. We've got 2 great guests from an amazing company, HackerOne, been on theCUBE many times, (mumbles) Marten Mickos, of course, a big time, (mumbles) We got two great guests. Sean Ryan, Sr. Principal Product Marketing Manager Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE. >> Thanks for having us John. >> So Marten's been on many times, he's such a character. He's such a legend. >> Yeah. >> Your company has had great traction, great community, just this phenomenal example of community meets technology and problem solver. >> Yeah. >> He's been part of that organization. Here at re:Inforce they're just kind of getting wind of it now, right? You hear an open, teamwork, breaking down the silos, a big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of the re:Inforce. What do you guys think of the show so far? >> Loving it. Partly too, we're both local here in the Boston area. So the commute was pretty nice. (everyone laughs) And the heat wave broke the other day so that's wonderful, but yeah, great show. It's good to be back in person doing this kind of stuff and just, it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about and so, it's really fun. Great show so far. >> And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute. >> Okay, the quick elevator pitch. (chuckles) So really we're making the internet safer using a community of ethical hackers. And so our platform enables that so we can skill match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover. So you can plug those holes and keep yourself safe. >> So in an era of a talent gap, Will, you know the technologies out there, but sometimes the skills are not there. So you guys can feel the void kind of a crowdsourced vibe, right? >> Yeah, exactly. If you're trying to build a security program, and apply defense in depth, we offer a terrific way to engage additional security talent either because you can't hire enough or your team is simply overloaded, too much to do, so. >> Hackers like to be a little bit, white hat hackers like to be independent, might want some flexibility in their schedule, live around the world. >> Yes. No question for hackers that do it full time, that do it part-time and then everything in between. >> Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas in organizations that you're seeing? >> Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surfaces, not secured. Some of it's not even known. They don't know what they don't know. They just have this entire area. And you can imagine, I mean there's a lot of reasons you know, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface. >> And also it's about a decade of no perimeter anymore. >> Yes. >> Welcome to the cloud. >> For sure. Absolutely. And people are moving quick, right? You know, the Cloud perfect example. Cloud people are building new applications on top of these new underlying configurations happening on a constant basis. Acquisitions, you know, that's just a fast moving thing. Nobody can keep track of it. There's a lot of different skill sets you need you know. And yeah, skill shortage out there too. As we talked about. >> What's the attacker solution you guys have? You guys have this HackerOne attack resistance component, what's that about? >> That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured, on top of just not knowing what those assets are, or how vulnerable they are. The other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard to find vulnerabilities. The thing that the really sophisticated attackers are going to go after. >> Yeah. >> So we use... This large community that we have of ethical hackers around the world to be able to skill match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization, and helping them risk-rank what they find. >> Yeah. >> Triage these, do the retesting, you know, get it very secure. So that's how we do it on a high level. Will, you might have a-- >> Yeah. I mean there's a tremendous amount of automation out there, right? But you can't quite at least not yet replace critical thinking. >> Yeah. >> From smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways at different parts of the software life cycle at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle, and not just automation. >> Yeah. I think that's a great point, Will and Sean, because you think about open source is like not only grown significantly, it's like's it is the software industry. If you believe that, which I do. Open source is there it's all software free. The integration is creating a DevOps movement that's going the whole level. So Devs are doing great. They're pumping out codes. In fact, I heard a quote here on theCUBE earlier this morning from the CTO Sequence Security that said: "Shift left but shield right." So shifting left is build your security into the code, but still you got to have a shield. You guys have this shielding capability with your attack module management service. So you now you got the Devs thinking: "I got to get better security native" So but they're pumping out so much code. >> Yep. >> There's more use cases, so there's going to be code reviews needed for stuff that she said, "What is this? We got to code review new stuff. A developer created something." >> Yes. >> I mean, that's what happened. That's what's going on everywhere, right? >> Exactly. We often hear that for every 100 developers, you've got one security professional. (John laughs) You know, talk about skill shortage that's just not sustainable. How are you going to keep up with that? >> Yeah. >> So-- >> Your phone is ringing off the hook. There's no phones anymore, but like technically-- >> Yeah, yeah, exactly. So, you know, yeah, you need to go external find some experts who can help you figure that out, and keep up with that cadence, you know keeps going and going. >> So, HackerOne. I love the ethical thing. I mean, you know, I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company, but it's not just bug bounties that you do. That's just people think of, they see that in the news. "Oh, I made a million dollars from saving Microsoft teams from being exploited" or something like that, or weird things big numbers. But you do more than that. There's code reviews, there's assessments, like a variety of different things, right? >> Yes, exactly. Exactly. >> What are the hottest areas? >> Yeah, I mean, that's exactly why we coined the term, Attack Resistance Management really is to help describe all those areas that we cover, so you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. >> Pen test is actually really important-- >> Attack surface management, you know, a whole suite of complimentary offerings to help you engage these hackers in new and interesting ways. >> Yeah. >> The bug bounty is very popular because it's fun. >> Yeah. >> I mean if your going to work on something... It's fun for the hackers but the white hat hackers, the companies they can see where's my bugs it's the fear of missing out and the fear of getting screwed over. That's the biggest driver, right, you Know-- >> Yes, definitely and we now have a product called assets. So this is attack surface management. And what we're able to do with that is bring that in leverage the ethical hackers to risk-rank. What's your assets out there? How vulnerable are these? What's critical? Feed that in, and then you know, as Will was saying we've got all kinds of different testing options. Sometimes bug bounty continuous that works. Sometimes you want pen test, you know, you want it bound. >> Well, the thing about the thing about the pen test, well the soccer report, Amazon's got soccer reports but pen test is a moving train. >> Yeah >> Cause if you're pushing new code, you got to pen test it all the time. It's not a one and done. >> Exactly. >> You got to keep it running. Just one and run, right? >> You can't do the old school penetration test once a year, big monolithic thing. You know, this is just a check the box for compliances like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing. And doing ongoing smaller cadences of pen testing. >> I had someone at a conference had a few cocktails in them, confessed to me, that they forged a pen test report. >> Oh man. >> Wow! (everyone laughs) >> Because he's like, "Oh! It was three months ago. Don't Worry about it." Like, but a lot can happen in three months. No, this is reality, they are like, "I can't turn it around fast enough" They had an Apsec review... >> Yeah. >> In their company and... >> And that's it. >> I mean, I'm not saying everyone's doing bad behavior, but like people can look the other way that creates more vulnerabilities. >> It can happen. And even just that time space. Let's say you're only doing a pen test once a year or once every two years. That's a long time. It's a lot of dwell time, you can have an attacker inside mulling around your network. >> All right. So we get a big service here. This one, AWS, we're here at re:Inforce the trend that you see Amazon getting closer to the ecosystem, lot more integration. How are you guys taking HackerOne's attack surface area product management software, closer to Amazon? What's going involved? Because at the end of the day they're enabling a lot of value and their partners are growing and becoming platforms within of themselves. What is the connection with Amazon? Keeping those apps running? How do you guys do that? >> Yeah. So we've got a specific assessment type for AWS. So... On the one hand, we're bringing in the right group of ethical hack hackers who are AWS certified. They have the right skillset, we're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS security hub integration. So if customers are using the AWS security hub, we can plug into that, feed that information. And that gets more to it, the defense and depth for your AWS. >> And you guys verify all the ethical hackers? Everything's verified? >> Oh yes, absolutely. Fully. >> Yep. So they're verified for their pen testing experience, and skills and of course their AWS skills in particular. And their work experience, making sure that it's long enough that it's good, background check, the whole nine, so. >> How far has Amazon come from your perspective, over the past few years with the security partnerships? I mean their services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean if they update the DNS server, it's a new thing. Right? So like everything's happening. >> Yeah. >> What's different now? >> It's great to see. I mean, you look around at how many different types of security solutions there are here how many different types of partners, and it just shows you that defense in depth again, it's a really critical thing. Been a wonderful partner for us. I mean that, they're a big fan of us. They tell us that all the time. >> Yeah, 'cause the customers use you. >> Cause they're customers too. Right. Exactly. Exactly. But no, it's, it's been great. So we're looking at, we've got some things on the roadmap, some continued integrations that we look forward to doing with AWS, but you know, again it's a great powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually-- >> Will, what's your take? We hear hybrid security keys, management systems, announced today, encrypt everything, don't have over permissive environments. Obviously they're talking about more platform and that type of stuff >> Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. We worked within conjunction with them to develop our pen test methodology. So that combined for proprietary HackerOne platform data and findings across all of our customers that are common issues found in AWS environments with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common miss-configurations and such are covered. >> Yeah. They're highly motivated to do that. 'Cause they get blamed for the S3 buckets being kept open. It's not even their fault. >> Right. (crosstalk) >> We got hack over in Amazon. Amazon's terrible! >> Yeah. You know, one of the things we like to talk about is the fact that, you know, cloud is really about automation, right? >> Yeah. >> Yep. >> But you can't automate that human ingenuity the skills that come with an actual human who has the experience and the know how to fix these things. >> It's a lot going on in Amazon. It's always been kind of like, you just described earlier in theCUBE. An erector set, not Lego blocks yet, but still kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean this is a big part of protecting cloud platforms like AWS. What are some of those challenges? >> I think some of the challenges are the ephemeral nature of the cloud can really result in developers, and you know really business units across an organization spinning up assets that IT or security don't know about. And so that's where things like HackerOne assets in those attack surface management style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team whether it's automated or manual or ideally both. >> You guys got a good solution. So how about the partnership? We got one minute left. Talk about your partnership with AWS. You guys are certified in their security group, with their team and marketplace, right? Talk about some of those things. >> Yeah, we've been in marketplace over a year. We've had that the specific solution that I mentioned the App Pen test for AWS in place and integrated with security hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers, who again they have the right skill set for AWS, and they've been a great partner. We are very focused on continuing to work with them, and build out some new offerings going forward. >> Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys had a lot of success. Congratulations! And thanks for sharing on theCUBE, appreciate it. >> Thanks for having us John. >> Thank you for your time-- We're here at re:Inforce where all the access tab is open, it's team oriented, we got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, well, theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break. (theme music)