>> Announcer: Live from San Diego, California it's The Cube! Covering Cisco Live US 2019. Brought to you by Cisco and it's ecosystem partners. >> Welcome back to The Cube's coverage of Cisco Live Day 2 from sunny San Diego. I'm Lisa Martin joined by Dave Vallante. Dave and I have an alumni, a Cube alumni back with us, Jeff Moncrief, consulting systems engineer from Cisco. Jeff, welcome back! >> Thank you very much, it's great to be back! >> So, we're in the DevNet Zone, loads of buzz going on behind us. This community is nearly 600,000 strong. We want to talk with you about Stealthwatch. You did a very interesting talk yesterday. You said, it had a couple hundred folks in there. War stories from real networks. War stories ... strong descriptor. Talk to us about what that means, what some of those war stories are, and how Stealthwatch can help customers learn from that and eradicate those. >> So it's called Saved by Stealthwatch. It was a really good session. This is the third Cisco Live that I've presented this session at. And it's really just stories from actual customer networks where I've actually deployed Stealthwatch into. I've been selling Stealthwatch for about five years now. And I've compiled quite a list of stories, right? And it really ... if you think about advanced threats and insider threats and those kinds of exciting things, the presentation was really about getting back to fundamentals. Getting back to the fact that in all these years that I've been working with customers and using Stealthwatch, a lot of the scary things that I have found have nothing to do with that. With the advanced type threat stuff. It really has to do with the fact that they're forgetting the basics. Their firewalls are wide open, their networks are flat. Their segmentation boundaries aren't being adhered to. So it's allowed us to come in and expose a lot of scary things that were going on and they were just completely oblivious to it. >> Why are those gaps there? Is it because of a change management issue? Technology's moving so quickly? Lack of automation? >> Yeah, I think there's a couple reasons that I've seen. It's a recurring theme really. Limited resources ... number one. Number two, limited budgets, so your priorities have to shift. But I think a big one that I've seen a lot is turnover and attrition. A lot of times we'll go in with Stealthwatch and we'll kick off an evaluation or whatnot and the customer will say, I just don't know what's there. I don't know if I have 100 machines that need visibility or for a thousand. And I'm a Stealthwatch cloud consulting systems engineer so the cloud world is where I spend a lot of my time now and what I'm seeing as it relates to the cloud realm is that's exponentially worse now. Because now you've got things like devops and shadow IT that are all playing in the customer's public cloud environment deploying workloads, deploying instances and building things that the security team has no awareness of. So there's a lot of things that are living and breathing on the network that they just don't know about. >> And so the tribal knowledge leaves the building, how do you guys help solve that problem? >> So we come in ... and you know the last time that you and I spoke, you used the term cockroaches, I think, which I loved. I actually have used that a lot since then, so thank you for that. >> Dave: Yeah, you're welcome. >> No, but, you know ... we come in and we actually, we turn the customer's network infrastructure ... Whether it's on-prem or in the public cloud into a giant security sensor grid. And we leverage something called NetFlow, which you've probably heard of. And it's essentially allowing us to account for every conversation throughout the entire infrastructure, whether or not it's on-prem or in the public cloud or maybe even in a private cloud. We've got you covered in that area. And it allows us to expose every one of those living, breathing things. And then we can just query the system. So think of us like a giant network DVR on steroids. We see everything, you can't hide from us, because we're using the network to look at everything. And then we can just set little trip wires up. And that's kind of what I go into in my presentation also is how you can set these trip wires ahead of time to find things that are going on that you just didn't know about and frankly, they're probably going to scare ya. >> One of the stories that you shared in your talk yesterday. You talk about people really forgetting the basics. A university that had a vending machine breach. You just think, a vending machine in a cafeteria? >> Jeff: That's right. >> Really? Tell us about that. What kind of data was exposed from a vending machine? >> So that's one of my favorite stories to tell. We had gone in and we'd installed Stealthwatch at a small university in the US. And they had a very small team. Okay, you're going to see that recurring theme. Limited staff. And they really just had a firewall. Okay, that was what they were doing for security. So we came in, we enabled NetFlow, we kind of let Stealthwatch do it's thing for a couple of days, and I just queried the system. Okay, it's not rocket science, it's not AI a lot of times, it's really the fundamentals. And I just said, tell me anything talking on remote desktop protocols inside the network out to the internet. And lo and behold, there was one IP address that had communication from it to every bad country you can imagine ... actively. And I said to them ... I said, what is this IP address? What's it doing? And that was in the conference room in the university with their staff and the guy looked it up in the asset inventory system, and he looked at me and he goes, that's a vending machine. And I said, a vending machine? And he said, yeah. And then I was like, okay, well that's a first, I've never heard of that before. And he goes wait a minute, it's a dirty tray return machine. You ever heard of one of those? >> Lisa: No. >> I hadn't either. >> Lisa: Explain. >> So for loss prevention, I guess universities and other public institutions, they will buy these unique vending machines that are designed for loss prevention. So that the college students don't go around and you know, steal or throw away the trays from the cafeteria. You have to return the tray to get a coin. There's a common supermarket chain that does the same thing with their shopping carts. And it's for loss prevention. So I said, okay, that's pretty strange. Even stranger than just vending machine. And I said, well did you realize that it was talking to a remote desktop all over the world? And he said no. And I said so, can you tell me what it has access to? So he looked it up in the firewall manager right there and he said, it has access to the entire network. Flat network, no segmentation. No telling how long this had been going on, and we exposed it. >> And Stealthwatch exposes those gaps with just kind of old school knock on the door. >> Yeah, it really is. We're talking about fundamental network telemetry that we're gathering off the route switch infrastructure itself. You know, obviously, we're at Cisco Live, we work really well with Cisco gear. Cisco actually invented NetFlow about 20 years ago. And we leveraged that to give visibility footprint that allow us to expose things like the vending machine. I've found hospital x-ray machines that were scanning all the US military, for instance. I find things in the cloud that are just completely wide open from a security ACL standpoint. So we've got that fundamental level of visibility with Stealthwatch, and then we kick in some really cool machine learning and statistical analytics and machine running analytics and that allows us to look for anomalies that would be indicators of compromise. So we're taking that visibility footprint and we're taking it to that next level looking for threats that might be in the customer's environment. >> So before we get to the machine intelligence, I presume that cloud and containers only makes this problem worse. What are you seeing in the field? How are you dealing with that? >> So we're in a landscape today where we've got a lot of customers that might be cloud averse. But we've also got a lot of customers that are on the wide other side of that spectrum and they're very cloud progressive. And a lot of them are doing things like server-less micro services, containers and, when you think of containers you think of container orchestration ... kubernetes. So Stealthwatch Cloud is actually in that realm right now today, able to protect and illuminate those environments. That's really the Wild West right now, is trying to protect those very abstract server-less and containerized environments but yeah, we come in, we are able to deploy inside kubernetes clusters or AWS or azure or GCP, and tell the Stealthwatch story in those environments, find segmentation violations, find firewall holes just like we would on premise, and then look for anomalies that would be interesting. >> So the security paradigm for those three you mentioned, those three cloud vendors, and you're on-prem, and maybe even some of your partners, is a lot of variability there. How should customers deal with maintaining the edicts of the organization and sort of busting down those silos? >> Yeah, so you think about like Stealthwatch Cloud which is the product that I'm a CSE for, we're really focusing on automation, high efficacy and accuracy. All right, we're not going to be triggering hundreds or thousands of alerts whenever you plug us in. It's going to further bog down a limited team. They've got limited time and they have to change their priorities constantly. This solution is designed to work immediately out of the box quickly deploy within a matter of hours. It's all SAAS based so actually it lives in the cloud. And it really takes that burden off of the organization of having to go and set a bunch of policies and trip wires and alerts. It does it automatically. It's going to let you know when you need to take a look at it so that you can focus on your other priorities. >> So curious where your conversations are within an organization - whether it's a hospital, or a university when what you're finding is in this multi-cloud world that we live in where there's attrition and all of these other factors contributing to organizations that don't know what they have with multi-cloud edge comes this very amorphous perimeter, right? Where are those conversations because if data is the lifeblood of an organization, if it's not secure and protected, if it's exposed there's a waterfall of problems that could come with that. So is this being elevated into the C-Suite of an organization? How do you start those conversations? >> So it's not just the C-Suite and the executive type structure that we're having to talk to now, traditionally we would go in with the Stealthwatch opportunity and talk to the teams in the organization it's going to be the InfoSec team, right? As we move to the cloud though, we're talking about a whole bunch of different teams. You've got the InfoSec team, you've got the network operations team now, they're deploying those workloads. The big one though that we've really got to think about and what we've really got to educate our customers on is the Dev Ops teams. Because the Dev Ops teams, they're really the ones that are deploying those cloud workloads now. You've got to think about ... they've got API access, they've got direct console login access. So you've got multiple different entry points now into all these different heterogeneous environments. And a lot of times, we'll go in and we'll turn on Stealthwatch and we show the organization, yeah, you knew that Dev Ops was in the VPC's deploying things, but you didn't know the extent that they were deploying them. >> Lights up like a Christmas tree? >> Yeah, lights up like a Christmas tree and like a conversation I had last week with a customer. I asked them, I said, all right so you're in AWS, are we talking do you have 50 instances or do you have 500? He said, I have no idea. Because I'm not the one deploying these instances. I'm just lucky enough to get permission to have access to them to let you plug your stuff in to show me what's going on in that environment. But yet they're in charge of securing that data. So it's quite frightening. >> So you've got discovery, you've got ways to expose the gaps, and then you're obviously advising on remediation activity. And you're also bringing in machine intelligence. So what's the endgame there? Is it automation? Is it systems of agency where the machine is actually taking action? Can you explain that? So when the statistical analysis comes in and the anomaly detection comes in, it's really that network DVR, so we've got the data, now let's do some really cool things with it. And that's where we're in actually, for every single one of these entities, and I do stress entities because the days of operating systems and IP addresses are going away. Face it, it's happening. Things are becoming more and more abstract. You know, API keys, user accounts, lambda's and runtime compute, we have to think about those. So what we do for all these different entities is we build a model for each one of these, and that model, that's where all the math and the AI comes in. We're going to learn Known Good for it. Who do they talk to? How much data's sent or received? And then we start looking for activity in that infrastructure as it relates to that entity that's outside of that Known Good model. So that would be the anomaly detection and you know, our anomaly detection, it really can be attributed to two different major categories. Number one is going to be, we're looking for things that cross the cyber kill chain. So those different IOC's as a threat actually manifests. That's what the anomaly detection's doing. And then we're also looking for just straight compliance and configuration violations in the customer's cloud infrastructure, for instance, that would just be a flat out security risk today, day one, forget base lining anomaly detection, it should just not be configured that way. >> Let's see, roughly 25% of Cisco's revenue is in services, what role does the customer service team play in all this? How do you interact ... how do the product guys and the service guys work together? >> So we've got a great customer experience team, customer services team for Stealthwatch and it doesn't matter if we're talking Stealthwatch on-premise or the Stealthwatch cloud, they cover both. And what will happen is we'll come in from a pre-sales standpoint, we do the evaluation, show good value, and then we've got a good relationship with the CX team where we'll hand that off to them, and then we'll work with the CX team to make sure that customer is good to go, they're taken care of, and it's not we've sold this and we're just going to forget you type scenario. They do a good job of coming in, they make sure that the customer's needs are met, any feature requests that they like taken care of. You know, they have routine touchpoints with the customers and they make sure that the product, for all intents and purposes, doesn't lose interest or visibility in the customer's environment. That they're using it, they're getting good value out of it, and we're going to build a relationship. I call it cradle to grave. We're going to be with that customer cradle to grave. >> Now Jeff, one of the things I didn't talk to you about at Google Next was ... first I got to ask you, you're a security guy, right? Have you always been a security guy? >> Yeah, security for about 20 years now, dating back to internet security systems. >> The question I often ask security guys is who's your favorite superhero? >> My favorite superhero ... I'd say Batman. >> Dave: Batman? >> Yeah. >> I like Batman. (chuckles) The reason I ask is that somebody told me one time that true security guys, they love superheroes because they grew up kind of wanting to save the world and protect the innocent. So ... just had to ask. >> Yeah there you go .. Batman. >> I'm sensing a tattoo coming. Last question for you Jeff is in terms of time to business impact, the vending machine story is just so polarizing because it's such a shocking massive exposure point, did they ever discover how long it had been open and in terms of being able to remedy that, how quickly can Stealthwatch come in, identify these- >> So very quick operation wise. So like the vending machine story, that's something that if you turn on Flow, and you send it to Stealthwatch right now, we can pick that up in 10 minutes. That quick to visibility and value. Now how long has it been going on? A lot of times they can't answer that question because they've never had anything to illuminate that to begin with. But moving forward, now they've got a forensic incident response audit trail capability with Stealthwatch which is actually a pretty common use case. Especially if you think about things like PCI that have got auto requirements and whatnot. A lot of organizations if they're not using a Flow based security analytics tool, they can't always meet those audit and forensic requirements. So at least from the point of installing Stealthwatch they'll be good to go from that point forward. >> So if they can find an anomaly that needs to be rectified in 10 minutes, what's the next step for them to actually completely close that gap? >> So like with Cisco Identity Services engine, we've got a great integration there where we can actually take action, shut off that machine instantly. We can shut off a switch port. We can isolate that machine to an isolated sandboxed VLAN, get it off the network, and then in the cloud, we can do things like automated remediation. We can use things like Amazon and Lambda to actually shut off an instance that might be compromised. We can actually use Lambda's to insert firewall rules. So if we find a hole, we can plug it. Very easily, automated- >> Ship a function to it and plug a hole. >> Batman slash detective. I think you need a tattoo and a badge. >> I can work on that, I like it. >> Jeff thank you so much for joining Dave and me on The Cube this afternoon. >> My pleasure. >> Really interesting stuff, we appreciate your time. >> Absolutely. >> For Dave Vallante, I'm Lisa Martin. You're watching The Cube's second day of coverage of Cisco Live from San Diego. Thanks for watching. (upbeat music)

live from Las Vegas it's the cube covering AWS reinvent 2018 brought to you by Amazon Web Services Intel and their ecosystem partners welcome back everyone live here the cube coverage at Amazon Web service AWS reinvent 2018 our sixth year covering Amazon now 52,000 lost people here packed house this is where the industry gathers to really kind of check out the future where the state of the cloud business is what it means to enterprise I'm John Fourier the post of the cube with Lauren Cooney co-host me.we this week on set one of two sets here our next two guests Jeff monk resulting systems engineer stealthWatch cloud that's now part of Cisco Systems and Earth has been Product Marketing Manager jetbrains welcome to the cube guys thanks for coming on thanks launched six years now we've been covering Amazon we were here when kind of people didn't really understand what it was we saw here so Jerry Chen just gave him a venture capitalist and Braille app and we're like this is gonna be big it's big but the big news here this week is on premises okay you guys cisco you own premises with routing networking developers of programming applications in the cloud needs to run on premise it's a big theme it's all kind of coming together it's kind of first validation this year that on-premises is not going away and cloud is becoming more prevalent for data and analytics for coding for DevOps but now working seamlessly together you guys agree with this recently announced the deal with AWS right you have networking which the critical part of the holy trinity of infrastructure network storage compute powering a new class of software development and tools what's your view on this I mean give us a take yeah so from a Cisco stealthWatch standpoint like you said we see that customers are not necessarily going away from on-premise deployments a lot of organizations have got large data centers and Colo facilities they still run all right and they've also got workloads in the public cloud so what we see is you know any some kind of mixture of organizations that have still got bare metal servers and virtual machines on premise that they need visibility into and one protect then they've also got public cloud workloads that are virtual machines but then they've gone beyond virtual machines and there are things like micro services and server lists and containers and they need a solution that can protect all those different environments and that's what stealthWatch comes into play and i want to get you guys saw it on on this because i'll see now security used to be a blocker for cloud it can't put seven the cloud skids not secure now security is their baseline at least needs more work you've got to have that visibility and you guys have a programmable strategy for the network is now coding be pcs is becoming more important than ever before right how is security evolving as compute start to get more powerful storage of storage data it's not going away it's only growing with IOT and IOT edge with connectivity networking now has to up its game write an application of elves don't want anything to do with all that anymore they want to just program so what's this mean for people what are security right for security yeah so what we're seeing and I mentioned a second ago was the expansion into micro services serverless cloud native if you will and organizations are continuing to go that route but what they don't realize is as they expand into those different technologies they're actually increased creating an increasing attack surface if you will right they're not really thinking about that and what they're doing is opening up multiple new points out to the internet that are vulnerable and it to exposure and risk right so they're not thinking about securing those new environments that are deploying and that's where we come into play also awesome let's talk about jet Breen what do you guys do what's the relationship with Cisco how do you fit in what's the story so let me start with introducing jetbrains little but you're just talking about all these various spaces where people have to run their code nowadays yeah if you want to develop for all these environments you need tools that allow you to develop for all these environments at JetBrains that were tooling professionals what we do we are software developers we make tools for software developers we really want to give the developer all this power in their hands to be able to develop insight for example containers and step through their code as they go inside these environments of course our own products and our own services they are all a lot of them are hosts on AWS and Cisco comes in there and healthy let's make sure that all of our servants that we have online remains secure and the relationship with Cisco is part of the go-to-market you guys share products together what's the relationship as jetbrains is actually a stealthWatch customer they've been a customer for a few years now and we actually protect all of their Amazon workloads they've got deployed in the Amazon infrastructure anything from ec2 instances to RDS redshift lambdas pretty much any sort of service that they're using from a compute standpoint in Amazon stealthWatch cause in protecting for a few years now so with kubernetes and now lambda the old days was was still grade you spit up an instance ten seconds lambda you can do this in really really high velocity how does that change the tooling how does it impact your world it's a customer so for us as the customer self watch it impacts us that we have to of course make sure that whenever these lambdas fire we know what's going on and we can see what's happening and one of the things we really want to do within Jefferson we want to give our developers we want to empower they want to make sure that they can experiment that they can make new things and it's all Excel what really helps us make sure that when our developers are out there doing things we can still maintain that we're following the best practices and everything stay secure how does automation guys weave in because kubernetes is a big battleground right now we're seeing important one as orchestrating and managing cluster certainly the state of application data unstated applications also with AP is obviously growing visibility is critical but automations may be right around the horizon ku Bernays at some point gonna be automated away and if so what's that looked like from software standpoint because yeah it's dynamic now so what we see from a kubernetes and a container orchestration perspective is that the kubernetes itself is designed to do the automation all right it's elastic expand and contract right but what you may be looking at today is a small kubernetes cluster with a couple of nodes and a couple dozen pods then all sudden tomorrow based on load you could be looking at hundreds of nodes and thousands of pots a massively increased attack surface if you will it right there's a building into and trying to figure out what's going on there right stealth watts cloud luckily we're there we're in kubernetes today and what we do is we deploy automatically in the kubernetes environment and in a way that allows us to expand with you automatically so as your cluster expands we will give you complete visibility into everything that's moving east west in kubernetes as well as north south so it's a very simple deployment doesn't matter where kubernetes lives we've got you covered if people are going to download stealthWatch from the catalog right what is it how would you describe right so stealthWatch cloud it is a SAS offering all right so we get asked that a lot just today over in the booth you know we've got a lot of questions about where do we put our sensors where do you put the collectors people if they're having a hard time wrapping their heads around the fact that it's straight API calls okay we're bringing in cloud trail we're bringing in I am and cloud watch BPC flow logs right and we're bringing it all in all automated over the API AWS - AWS where we live and it is a SAS billing offering writes if there's nothing that you have to go deploy it's a 5-minute integration you can buy it right there on the AWS marketplace like you said for public or private network monitoring and it's a subscription billing so it's a true SAS you're looking to kind of expand you know your footprint in this space with kubernetes is there any thought of you know some sort of code donation to kubernetes to actually increase your footprint among users and get them more engaged or is that something that you you know talked about thought about things like that donating code donating some code yeah I don't honestly don't think there's anything that we've ever discussed about donating commenting like that what about you guys are donating code to the kubernetes project well just to increase your footprint right so you would have available as a component of kubernetes and people would put into there great idea yeah yeah it's not something that I know that we discussed but yeah I mean if we could deploy something that would be open source that we actually part of that project that would be a huge visibility for us and I think that's big sensitive you look at what's going on in Cisco whether things like to give you guys a prop here is that the def net developer community has really taken - cloud native and with definite create dev net at Cisco live and Cisco Barcelona we've been this past year what a sea change I mean you got command line interface dudes going hey I need to be dashboard oriented meaning I gotta automate stuff so the notion of programming the network it's not a foreign concept to network engineers they're pretty smart right they get things so how is this world of all I mean how is the persona of a Cisco customer that needs to get more software development shops going what's it like I mean is there future dashboards as their future gonna be scripts event alerts let me manage it so how do you guys see that persona evolving I think what we see and you can probably relate to this also erst is that more and more organizations it doesn't matter how averse they are to cloud and new development technologies more organizations are going towards a DevOps oh yeah framework with C ICD constant continuous integration and continuous delivery right so it's hard to avoid the fact that that's where the paradigm is shifting and in doing so as we move into more cloud native and serverless capabilities you're looking at things that don't get necessarily involved operating systems and IP addresses and traditional endpoints and that's where most organizations are going so and so from a security perspective we've got to go there also know about your relationship with just as a customer are you happy what's it like how's the product so if I were very happy we've had some great experiences with the onboarding of stealthWatch cloud yeah we had some of course you know as you're starting to get started we needed a little bit of assistance getting used to the tool and getting started and getting anything configured the support was very helpful and they really helped us get started and then at some point we actually did some of this cloud automation and we set up terraform scripts so we could actually automatically configure stealthWatch cloud into many of our AWS accounts great great stuff final question for Cisco what's next for you guys on the product side anything going on give a quick plug of what's happened yeah I'd say what's next for us from a stealth watch cloud standpoint is you're going to see more integration with the Cisco portfolio we're integrating with the Cisco identity services engine integrating with the next-gen firewall integrating with the new encrypted traffic analytics that you've probably discussed here on the cube before so it's a tiger portfolio integration because that really sets us apart awesome guys thanks for coming on the key appreciate the insight good to see a customer here thanks for coming I appreciate very good job kubernetes at the head start as at the center of all the action with developers cluster man has been scaling up lamda server list this is the really the fasting programming gold networks is key the queue bringing all the coverage here live in Las Vegas for 80 bus reinvent 2018 I'm Shepard Lauren Cooney stay with us for more coverage after this short break [Music]