Opening Session feat. Jon Ramsey, AWS | AWS Startup Showcase S2 E4 | Cybersecurity
>> Hello, everyone. Welcome to the AWS Startup Showcase. This is season two, episode four, the ongoing series covering exciting startups from the AWS ecosystem, to talk about cybersecurity. I'm your host, John Furrier, and today I'm excited for this keynote presentation. I'm joined by Jon Ramsey, Vice President of AWS Security. Jon, welcome to theCUBE's coverage of the startup community within AWS, and thanks for this keynote presentation.
>> Happy to be here.
>> So, Jon, what do you do at AWS? Take a few minutes to explain your role, because it's very comprehensive. We saw at the AWS re:Inforce event recently in Boston a broad coverage of topics from Steven Schmidt, CJ, a variety of the executives. What's your role in particular at AWS?
>> If you look at AWS, there is a shared security responsibility model, and CJ, the CISO for AWS, is responsible for securing the AWS portion of the shared security responsibility model. Our customers are responsible for securing their part of the shared security responsibility model. For me, I provide services to those customers to help them secure their part of that model. And those services come in different categories. The first category is threat detection, with GuardDuty, which does real-time detection and alerting, and Detective, which is then used to investigate those alerts to determine if there is an incident. Vulnerability management, which is Inspector, which looks for third-party vulnerabilities, and Security Hub, which looks for configuration vulnerabilities. And then Macie, which does sensitive data discovery. So I have those sets of services underneath me to help customers secure their part of the shared security responsibility model.
>> Okay, well, thanks for the call-out there. I want to get that out there because I think it's important to note that, you know, everyone talks inside-out, outside-in, customer focus. AWS has always been customer focused. We've been covering you guys for a long time, but you do have to secure the core cloud that you provide, and you've got great infrastructure, tools, technology, down to the chip level. So that's cool. You're on the customer side. And right now we're seeing, from these startups that are serving them that we interviewed here at the showcase, there's a huge security transformation going on within the security market. It's the plane at 35,000 feet that's having its engines pulled out and changed, as they say. This is huge. And what does it take for your customers, the enterprises out there that are trying to be more cyber resilient from threats, but also at the same time protect what they've already got? They can't just do a wholesale change overnight. They've got to be, you know, reactive but proactive. What do they need to do to be resilient? That's the question.
>> Yeah. So I think it's important to focus on spending your resources. Everyone has constrained security resources, and you have to focus those resources in the areas and the ways that reduce the greatest amount of risk. So risk really can be summed up as: assets that I have that are most valuable, that have a vulnerability that a threat is going to attack. In that world, you want to mitigate the threat or mitigate the vulnerability to protect the asset. If you have an asset that's vulnerable but a threat isn't going to attack it, that's less risky, but that changes over time. The threat and vulnerability windows are continuously evolving as threats develop tradecraft, as vulnerabilities are being discovered, as new software is being released. So it's a continuous picture, and it's an adaptive picture where you have to continuously monitor what's happening. If you use the NIST Cybersecurity Framework, you identify what you have to protect. That's the asset part. Then you have to protect it.
That's putting controls in place so that you don't have an incident. Then, from a threat perspective, you have to detect an incident, or a breach, or a compromise. And then you respond, and then you remediate, and you have to continuously do that cycle to be in a position to have cyber resiliency. And one of the powers of the cloud is, if you're building your applications in a cloud-native form, your ability to respond can be very surgical, which is very important because then you don't introduce risk when you're responding. And by design, the cloud is architected to be more resilient. So being able to stay cyber resilient in a cloud-native architecture is an important characteristic.
>> Yeah. And I think that's, I mean, it sounds so easy. Just identify what's to be protected, you monitor it, you're protected, you remediate. Sounds easy, but there's a lot of change going on, and you've got the cloud scale. And so you've got security, you've got cloud, you guys have a lot of things going on there. How do you think about security, and how does the cloud help customers? Because again, there's two things going on. There's a shared responsibility model, and at the end of the day the customer's responsible on their side. That's right, right? So, cloud has some tools. How do you think about going about security, and where cloud helps specifically?
>> Yeah, so really it's about, there's a model called observe, orient, decide, and act, the OODA loop, and it was created by John Boyd. He was a fighter pilot in the Korean War. And he knew that if I could observe what the opponent is doing, orient myself to my goals and their goals, make a decision on what the next best action is, and then act, and then follow that OODA loop, or, as it's also put, sensing, sense-making, deciding, and acting, if I can do that faster than the enemy, then I will win every fight. So in the cyber world, being in a position where you are observing, and that's where cloud can really help you, because you can interrogate the infrastructure, you can look at what's happening, you can build baselines from it, and then you can look at deviations from the norm. That's just one way to observe. Then orient yourself around: does this represent something that increases risk? If it does, then what's the next best action that I need to take? Make that decision and then act. And that's also where the cloud is really powerful, because there's this huge control plane that lets you enable or disable resources or reconfigure resources. And if you're in the situation where you can continuously do that very, very rapidly, you can outpace and outmaneuver the adversary.
>> Yeah. You know, I remember I interviewed Steven Schmidt in 2014, and at that time everybody was pooh-poohing: oh man, the cloud is so insecure. He made a statement to me, and we wrote about this: the cloud is more secure and will be more secure, because it can be complicated to the hacker but also easy for provisioning. So he kind of brought up this discussion around how cloud would be more secure. Turns out he was right. Now people are saying, oh, the cloud's more secure than standalone. What's different now, Jon? Not even going back to 2014, just go back a few years. Cloud is helpful, there's more interrogation, you mentioned, this is important. What's changed in the cloud, per se, in AWS, that enables customers, and say third parties who are trying to comply and manage risk as well? So you have this shared back and forth. What's different in the cloud now than just a few years ago that's helping security?
>> Yeah.
So if you look at the parts of the shared responsibility model, the further up the stack you go, from just infrastructure to platforms, say containers, up to serverless, AWS is taking more of the responsibility of that stack. And in the process, we are investing resources and capabilities. For example, GuardDuty takes an EKS audit feed for containers to be able to monitor what's happening from a container perspective. And then in serverless, really the majority of what needs to be defended is part of our responsibility model. So that's an important shift, because in that world, we have a very large team who knows the infrastructure, who knows the threat, and who knows how to protect customers all the way up to the boundary. And so that's a really important consideration when you think about how you design your applications: you want the developers to focus on the business logic, the business value, and still also the security of the code that they're writing, but let us take over the rest of it so that you don't have to worry about it.
>> Great, good insight there. I want to get your thoughts too on another trend here at the showcase. One of the things that's emerging, besides the normal threat landscape and the compliance and whatnot, is API protection. I mean, APIs, that's what made the cloud great, right? So, you know, it's not going away, it's only going to get better, because we live in an interconnected digital world. So, you know, APIs are going to be the lingua franca, as they say here. Companies just can't sit back and expect third parties to comply with cyber regulations and best practices. So how do security organizations be proactive? Not just on APIs; it's just a signal, in my mind, of more connections. So you've got shared responsibility, AWS, your customers, and your customers' partners and customers, connection points. So we live in an interconnected world. How do security teams and organizations be proactive on the cyber risk management piece?
>> Yeah. So when it comes to APIs, the thing you look for is the trust boundaries. Where are the trust boundaries in the system, between the user and the machine, the machine and another machine on the network? The API is a trust boundary. And it is a place where you need to facilitate some form of control, because what could happen on the trust boundaries could be used to attack. Like, I trust that someone's going to give me something that is legitimate, but you don't know that that actually is true. You should assume that the one side of the trust boundary is malicious, and you have to validate it. And by default, make sure that you know that what you're getting is actually trustworthy and valid. So think of an API as just a trust boundary, and that whatever you're going to receive at that boundary is not going to be legitimate, in that you need to validate the contents of whatever you receive.
>> You know, I was noticing online, I saw Mai-Lan, who runs S3 at AWS, commenting about the 10-year anniversary, the 10-year birthday of S3, Amazon Simple Storage Service. A lot of the customers are using all their applications with S3; it's the file repository for their application workflow, ingesting literally thousands and trillions of objects from S3 today. You guys have, I mean, trillions of objects on S3. This is a big part of the application workflow. Data security has come up as a big discussion item. You've got S3. I mean, forget about the misconfiguration of S3 buckets; that's kind of been reported on. Beyond that, as application workflows tap into S3 and data, the conversation becomes around securing data. How do you talk to customers about that?
Because that's also now part of the scaling of these modern cloud-native applications: managing data on-prem, across, in flight, at rest, in motion. What's your view on data security, Jon?
>> Yeah. Data security is also a trust boundary. The thing that's going to access the data, you have to validate it. The challenge with data security is customers don't really know where all their data is, or even where their sensitive data is. And that continues to be a large problem. That's why we have services like Macie, whose job is to find in S3 the data that you need to protect the most, because it's sensitive. Getting to least privilege has always been the goal when it comes to data security. The problem is, least privilege is really, really hard to achieve, because there's so many different combinations of roles and accounts and orgs. And so there's also another technology called Access Analyzer that we have that helps customers figure out: are my intended authorizations the authorizations I have? Are they the ones that are intended for that user? And you have to continuously review that as a means to make sure that you're getting as close to least privilege as you possibly can.
>> Well, one of the luxuries of having you here on theCUBE keynote for this showcase is that you also have the internal view at AWS, but also you have the external view with customers. So I have to ask you, as you talk to customers, obviously there's a lot of trends. We're seeing more managed services in areas where there's skill gaps, but teams are also overloaded too. We're hearing stories about security teams overwhelmed by the solutions that they have to deploy quickly and scale up quickly, cost effectively; the need for instrumentation; sometimes it's intrusive, sometimes it's agentless sensors, OT. I mean, it's getting crazy. At re:MARS we saw a bunch of stuff there. This is a reality, the teams aspect of it. Can you share your experiences and observations on how companies are organizing, how they're thinking about team formation, how they're thinking about all these new things coming at them, new environments, new scale choices? What are you seeing on the customer side relative to the security team, and their role and relationship to the cloud and the technologies?
>> Yeah, absolutely. And we have to remember, at the end of the day, on one end of the wire is a black hat and on the other end of the wire is a white hat. And so you need people, and people are a critical component of being able to defend. In the context of security operations, alert fatigue is absolutely a problem. The number of alerts, the volume of alerts, is overwhelming. And so you have to have a means to effectively triage them and get the ones into investigation that you think will be the most significant. Going back to the risk equation, you find those alerts and events that are the ones that could harm you the most. Also, one common theme is threat hunting. And the concept behind threat hunting is, I don't actually wait for an alert; I lean in, and I'm proactive instead of reactive. So I find the system that I least want the hacker in. I go to that system and I look for any anomalies. I look for anything that might make me think that there is a hacker there, or a compromise, or some unintended consequence. And the reason you do that is because it reduces your dwell time, the time between when you get compromised and the time you detect something, which might be, you know, months, because there wasn't an alert triggered. So that's also a very important aspect for AWS and our security services. We have a strategy across all of the security services that we call end to end, or: how do we move from APIs?
Because they're all API driven, and security buyers generally, most do not have a development team; they're security operators and they want a solution. And so we're moving more from APIs to outcomes. So how do we stitch all the services together in a way so that the time that an analyst, the SOC analyst, spends, or someone doing investigation or someone doing incident response, is the most valuable time? And in the process of stitching this all together and helping our customers with alert fatigue, we'll be doing things that will use sort of inference and machine learning to help prioritize the greatest risk for our customers.
>> That's a great call-out. And that brings up the point of, you've got the front line, so to speak, and back office, front office kind of approach here. The threats are out there. There's a lot of leaning in, which is a great point. I think that's a good comment and insight there. The question I have for you is that everyone kind of always talks about that, but there's the, I won't say boring, the important compliance aspect of things, you know. This has become huge, right? So there's a lot of blocking and tackling that's needed behind the scenes on the compliance side, as well as prevention, right? So can you take us through, in your mind, how customers are looking at the best strategies for compliance and security? Because there's a lot of work you've got to get done and you've got to lay out everything, as you mentioned, but compliance, specifically to report, is also a big thing for this.
>> Yeah. Compliance is interesting. I suggest taking a security approach to compliance instead of a compliance approach to security. If you're compliant, you may not be secure, but if you're secure, you'll be compliant. And the really interesting thing about compliance also is that as soon as something like a category of control is required in some form of compliance regime, the effectiveness of that control is reduced, because the threats go, well, I'm going to presume that they have this control, I'm going to presume because they're compliant. And so now I'm going to change my tactic to evade the control. So if you only are ever following compliance, you're going to miss a whole set of tactics that threats have developed because they presume you're compliant and you have those controls in place. So you want to make sure you have something that's outside of the realm of compliance, because that's the thing that will trip them up. That's the thing that they're not expecting, that the threat's not expecting, and that's what will be able to detect them.
>> Yeah. And it almost becomes one of those things where it's his fault, right? So, you know, finger pointing with compliance; you get complacent. I can see that. Can you give an example? Because I think that's probably something that people are really going to want to know more about, because it's common sense. But can you give an example of security driving compliance?
>> Yeah, sure. So, just as an example, multifactor authentication was used everywhere for banks in high-risk transactions, in really high-risk transactions. And that was a security approach to compliance. Like we said, that's a high-net-worth individual, we're going to give them a token, and that's how they're going to authenticate. And the FFIEC didn't say at the time that there needed to be multifactor authentication. And then after a period of time, when account takeover was on the rise, the FFIEC, the Federal Financial Institutions Examination Council, something like that, said you need to do multifactor authentication.
Multifactor authentication was now on every account. And then the threat went down to, okay, well, we're going to do man-in-the-browser attacks after the user authenticates, which now is a new tactic. And that tactic, for those high-net-worth individuals that had multifactor, didn't exist before and became commonplace. And so that's an example of sort of the full life cycle, and the important lesson there is that security controls have a diminishing half-life of effectiveness. They need to be continuous and adaptive, or else the value of them is going to decrease over time.
>> Yeah. And I think that's a great call-out, because agility and speed is a big factor with emerging threats. It's not a stable, mature hacker market. They're evolving too. All right. Great stuff. I know your time's very valuable, Jon. I really appreciate you coming on theCUBE. A couple more questions for you. We have 10 amazing startups here in the AWS ecosystem, all private, looking great performance-wise. They've all got kind of the same vibe of, they're kind of on something new. They're doing something new and clever and different than what was kind of done 10 years ago. And this is where the cloud advantage is coming in, cloud scale. You mentioned some of those things, data, so you start to see new things emerge. How would you talk to CSOs or CXOs that are watching about how to evaluate startups like these? They're somewhat still small relative to some of the bigger players, but they've got unique solutions and they're doing things a little bit differently. How should CSOs and CISOs evaluate them? How can startups work with the CSOs? What's your advice to both the buyer and the startup to bring their product to the market, and what's the best way to do that?
>> Yeah. So the first thing is, when you talk to a CSO, be respectful of their time. Like, they'll appreciate that. I remember when I had just started, I went to talk to one of the CISOs at one of the five major banks, and he sat me down, and I tried to tell him what I had. And he was like, son. And he went through his book, and he had 10 of every one thing that I had. And I realized that, and I was grateful for him giving me an explanation. And I said to him, I said, look, I'm sorry I wasted your time. I will not do that again. I apologize. If I can't bring any value, I won't come back. But if I think I can bring you something of value, now that I know what I know, please, will you take the meeting? He was like, of course. And so be respectful of their time. They know what the problem is. They know what the threat is. Be specific about how you're different. Right now there is so much confusion in the market about what you do. Like, if you really have something that's differentiated, be very, very specific about it. And don't be afraid of it; lean into it and explain the value of that. And that would save a lot of time and make the meeting more valuable for the CSO.
>> And the CISOs, as they evaluate these startups, how should they look at them? What are some kind of markers that you would say would be good kinds of things to look for: size of the team, reviews, technology? Or does it not matter? Is it more of an everyone's-environment-is-different thing? What would your...
>> Yeah. And, you know, for me, I always look first to the security value, because if there isn't security value, nothing else matters. So there's got to be some security value. Then I tend to look at the management team, quite frankly. What are their experiences, and what do they know that has led them to do something different that is driving security value? And then after that, for me, I tend to look to: is this someone that I can have a long-term relationship with?
Is this someone that I can, you know, if I have a problem and I call them, are they going to, you know, do this? Or are they going to say, yes, we're in this together, we'll figure it out? And then finally, for AWS, you know, scale is important. So we like to look at scale in terms of, is this a solution that I can get to the scale that I need it at?
>> Awesome. Jon Ramsey, Vice President of Security, here on theCUBE's keynote. Jon, thank you for your time. I really appreciate it; I know how busy you are. For the next minute or so, share a little bit of what you're up to. What's on your plate? What are you thinking about as you go out to the marketplace and talk to customers? What's on your agenda? What's your talk track? Put a plug in for what you're up to.
>> Yeah. So for the services I have, we are absolutely moving, as I mentioned earlier, from APIs to outcomes. We're moving up the stack to be able to defend both containers as well as serverless. We're moving out in terms of, we want to get visibility and signal not just from what we see in AWS, but from other places, to inform how we defend AWS. And then also across the NIST Cybersecurity Framework, in terms of: we have amazing detection capability, and we have this infrastructure that we could respond with, do micro-responses to be able to interdict the threat. And so we're moving across the NIST Cybersecurity Framework from detection to respond.
>> All right, thanks for your insight and your time sharing in this keynote. We've got 10 great, amazing startups. Congratulations for all your success at AWS. You guys are doing a great job. Shared responsibility: the threats are out there, the landscape is changing, the scale's increasing, more data tsunamis coming every day, more integration, more interconnected, it's getting more complex. So you guys are doing a lot of great work there. Thanks for your time. Really appreciate it.
>> Thank you, John.
>> Okay. This is the AWS Startup Showcase, season two, episode four of the ongoing series covering the exciting startups coming out of the AWS ecosystem. This episode's about cybersecurity, and I'm your host, John Furrier. Thanks for watching.
TK Keanini, Cisco | Cisco Live EU 2019
>> Live from Barcelona, Spain. It's theCUBE, covering Cisco Live Europe. Brought to you by Cisco and its ecosystem partners.
>> Welcome back to sunny Barcelona. Everybody, you're watching theCUBE, the leader in live tech coverage. We go out to the events, we extract the signal from the noise. This is our third day of coverage at Cisco Live Barcelona. Dave Vellante, John Furrier, Stu Miniman here all week. John, we've been covering this show wall to wall. TK Keanini is here; he's a distinguished engineer and product line CTO for Cisco Analytics. Welcome to theCUBE. Good to see you again. Welcome back to theCUBE, I should say. Thank you very much. So tell us about your role. You're focused right now on malware encryption. We want to get into that, but set it up with your role first.
>> Well, I'm trying to raise the cost to the bad guys of hiding in your network. I mean, basically it's an economics thing, because one, there's a lot of places for them to hide. And they are innovating just as much as we are. And so if I can make it more expensive for them to hide and operate, then I'm doing my job. And that means not only using techniques of the past but developing new techniques. You know, like I said, it's really unlike a regular job. I'm not waiting for the hard drive to fail or a power supply to fail. I have an active adversary that's smart and well funded. So if I ship some innovation, I force them to innovate, and vice versa.
>> So you're trying to reduce their ROI and incentives.
>> I want to make it too expensive for them to do business.
>> So what's the strategy there? Because it's an arms race. Obviously you want to win one: you know, white hat over black hat, and kind of continue to do that. Is it decentralized, to create more segments? What are the current strategies that you see to make it more complex or less economically viable to just throw resources at a port or whatever?
>> There's sort of two dimensions that are driving change. One, you know, they're trying to make a buck, okay? And, you know, we saw the ransomware stuff, we saw, you know, things that they did to extract money from a victim. Their latest thing now is they've realized that ransomware wasn't a recurring revenue stream for them, right? And so what's called crypto-jacking is, they essentially have taken the cost structure out of doing crypto mining. You know, when you do crypto mining, you'll make a nickel, maybe ten cents, maybe even twenty cents a day, just doing this mathematical mining, solving these puzzles. And if you had to do that on your own computer, you'd suck up all this electricity and things; you'd have some cost structure, right, and less of a margin. But if you go and, you know, breach a thousand computers, maybe ten thousand, maybe one hundred thousand, guess what? Right, not one, you're hiding. So guess what? Today you make a nickel, tomorrow you make another nickel. So, you know, if you go to the threat wall here, you'd be surprised: this crypto-mining activity is taking place here and nobody knows about it. We have it up on the threat wall because we can detect its behavior. We can't see the actual payload because it's all encrypted. But we have techniques now, advanced analytics, by which we can now call out its unique behaviour very distinctly.
>> Okay, so you're attacking this problem with data and analytics. Is that right? That's one of the ingredients of your defense?
>> Yeah. I mean, there's sort of a three-layer cake there. You first have, you know, I always say all telemetry is data, but not all data is telemetry, all right? So when you go about looking at an observational domain, you know, in humans we have sight, we have hearing; these are just like the network or the endpoint. And there's telemetry coming out of that, hopefully from the network itself, okay, because it's the most pervasive.
And so you have this dilemma tree telling you something about the good guys and the bad guys and you, you perform synthesis and analytics, and then you have an analytical outcome. So that's sort of the three layer cake is telemetry, analytics, analytical outcome. And what matters to you and me is really the outcome, right? In this case, detecting malicious activity without doing decryption. >> You mentioned observation. Love this. We've been talking to Cuba in the past about observation space. Having an observation base is critical because you know, people don't write bomb on a manifest and ship it. They they hide it's it's hidden in the network, even their high, but also the meta data. You have to kind extract that out. That's kind of where you get into the analytics. How does that observation space gets set up? Happened? Someone creating observation special? They sharing the space with a public private? This becomes kind of almost Internet infrastructure. Sound familiar? Network opportunity? >> Yeah. You know, there's just three other. The other driver of change is just infrastructure is changing. Okay. You mean the past? Go back. Go back twenty years, you had to rent some real estate. You gotto put up some rocks, some air conditioning, and you were running on raw iron. Then the hyper visors came. Okay, well, I need another observation. A ll. You know, I meet eyes and ears on this hyper visor you got urbanity is now you've got hybrid Cloud. You have even serve Ellis computing, right? These are all things I need eyes and ears. Now, there that traditional methods don't don't get me there so again, being able to respect the fact that there are multiple environments that my digital business thrives on. And it's not just the traditional stuff, you know, there's there's the new stuff that we need to invent ways by which to get the dilemma tree and get the analytical >> talkabout this dynamic because we're seeing this. 
I think we're just both talking before we came on camera way all got our kind of CS degrees in the eighties. But if you look at the decomposition of building blocks with a P, I's and clouds, it's now a lot of moving to spare it parts for good reasons, but also now, to your point, about having eyes and ears on these components. They're all from different vendors, different clouds. Multi cloud creates Mohr opportunities. But yet more complexity. Software abstractions will help manage that. Now you have almost like an operating system concept around it. How are you guys looking at this? I'll see the intent based networking and hyper flex anywhere. You seeing that vision of data being critical, observation space, etcetera. But if you think about holistically, the network is the computer. Scott McNealy once said. Yeah, I mean, last week, when we are this is actually happening. So it's not just cloud a or cloud be anon premise and EJ, it's the totality of the system. This is what's happening >> ways. It's it's absolutely a reality. And and and the sooner you embrace that, the better. Because when the bad guys embrace it verse, You have problems, right? And and you look at even how they you know how they scale techniques. They use their cloud first, okay, that, you know their innovative buns. And when you look at a cloud, you know, we mentioned the eyes and ears right in the past. You had eyes and ears on a body you own. You're trying to put eyes in here on a body you don't own anymore. This's public cloud, right? So again, the reality is somebody you know. These businesses are somewhere on the journey, right? And the journey goes traditional hyper visor. You have then ultimately hybrid multi clouds. >> So the cost issue comes back. The play of everything sass and cloud. It's just You start a company in the cloud versus standing up here on the check, we see the start of wave from a state sponsored terrorist organization. It's easy for me to start a threat. 
So this lowers the cost actually threat. So that lowers the IQ you needed to be a hacker. So making it harder also helps that this is kind of where you're going. Explain this dynamic because it's easy to start threats, throw, throw some code at something. I could be in a bedroom anywhere in the world. Or I could be a group that gets free, open source tools sent to me by a state and act on behalf of China. Russia, >> Of course, of course, you know, software, software, infrastructures, infrastructure, right? It's It's the same for the bad guys, the good guys. That's sort of the good news and the bad news. And you look at the way they scale, you know, techniques. They used to stay private saying, You know, all of these things are are valid, no matter what side of the line you sit on, right? Math is still math. And again, you know, I just have Ah, maybe a fascination for how quickly they innovate, How quickly they ship code, how quickly they scale. You know, these botnets are massive, right? If you could get about that, you're looking at a very cloud infrastructure system that expands and contracts. >> So let's let's talk a little more about scale. You got way more good guys on the network than bad guys get you. First of all, most trying to do good and you need more good guys to fight the bad guys up, do things. Those things like infrastructure is code dev ops. Does that help the good guys scale? And and how so? >> You know it does. There's a air. You familiar with the concept called The Loop Joe? It was It was invented by a gentleman, Colonel John Boyd, and he was a jet fighter pilot. Need taught other jet fighter pilots tactics, and he invented this thing called Guadalupe and it's it's o d a observe orient decide. And at all right. And the quicker you can spin your doodle ooh, the more disoriented your adversary ISS. And so speed speed matters. Okay. 
And so if you can observe Orient, decide, act faster, then your adversary, you created almost a knowledge margin by which they're disoriented. And and the speed of Dev ops has really brought this two defenders. They can essentially push code and reorient themselves in a cycle that's frankly too small of a window for the adversary to even get their bearings right. And so speed doesn't matter. And this >> changing the conditions of the test, if you will. How far the environment, of course, on a rabbit is a strategy whether it's segmenting networks, making things harder to get at. So in a way, complexity is better for security because it's more complex. It costs more to penetrate complex to whom to the adversary of the machine, trying very central data base. Second, just hack in, get all the jewels >> leave. That's right, >> that's right. And and again. You know, I think that all of this new technology and and as you mentioned new processes around these technologies, I think it's it's really changing the game. The things that are very deterministic, very static, very slow moving those things. They're just become easy targets. Low cost targets. If you will >> talk about the innovation that you guys are doing around the encryption detecting malware over encrypted traffic. Yeah, the average person Oh, encrypted traffic is totally secure. But you guys have a method to figure out Mel, where behavior over encrypted, which means the payload can't be penetrated or it's not penetrated. So you write full. We don't know what's in there but through and network trav explain what you're working on. >> Yeah. The paradox begins with the fact that everybody's using networks now. Everything, even your thermostat. You're probably your tea kettle is crossing a network somewhere. And and in that reality, that transmission should be secure. So the good news is, I no longer have to complain as much about looking at somebody's business and saying, Why would you operate in the clear? 
Okay, now I say, Oh, my God, you're business is about ninety percent dot Okay, when I talked about technology working well for everyone, it works just as well for the bad guys. So I'm not going to tell this this business start operating in the clear anymore, so I can expect for malicious activity. No, we have to now in for malicious activity from behavior. Because the inspection, the direct inspection is no longer available. So that we came up with a technique called encrypted Traffic analytics. And again, we could have done it just in a product. But what we did that was clever was we went to the Enterprise networking group and said, if I could get of new telemetry, I can give you this analytical outcome. Okay? That'll allow us to detect malicious activity without doing decryption. And so the network as a sensor, the routers and switches, all of those things are sending me this. Richard, it's Tellem aji, by which I can infer this malicious activity without doing any secret. >> So payload and network are too separate things contractually because you don't need look at the payload network. >> Yeah. I mean, if you want to think about it this way, all encrypted traffic starts out unencrypted. Okay, It's a very small percentage, but everything in that start up is visible. So we have the routers and switches are sending us that metadata. Then we do something clever. I call it Instead of having direct observation, I need an observational derivative. Okay, I need to see its shape and size over time. So at minute five minute, fifteen minute thirty, I can see it's timing, and I can model on that timing. And this is where machine learning comes in because it's It's a science. 
That's just it's day has come for behavioral science, so I could train on all this data and say, If this malware looks like this at minute, five minute, ten minute fifteen, then if I see that exact behavior mathematically precise behaviour on your network, I can infer that's the same Mallory >> Okay, And your ability you mentioned just you don't have to decrypt that's that gives you more protection. Obviously, you're not exposed, but also presumably better performance. Is that right, or is that not affected? >> A lot? A lot better performance. The cryptographic protocols themselves are becoming more and more opaque. T L s, which is one of the protocols used to encrypt all of the Web traffic. For instance, they just went through a massive revision from one dot two two version one not three. It is faster, It is stronger. It's just better. But there's less visible fields now in the hitter. So you know things that there's a term being thrown around called Dark Data, and it's getting darker for everyone. >> So, looking at the envelope, looking at the network of fact, this is the key thing. Value. The network is now more important than ever explain why? Well, >> it connects everything right, and there's more things getting connected. And so, as you build, you know you can reach more customers. You can You can operate more efficiently, efficiently. You can. You can bring down your operational costs. There's so many so many benefit. >> FBI's also add more connection points as well. Integration. It's Metcalfe's law within a third dimension That dimension data value >> conductivity. I mean, the message itself is growing exponentially. Right? So that's just incredibly exciting. >> Super awesome topic. Looking forward to continuing this conversation. Great. Great. Come. Super important, cool and relevant and more impactful. A lot more action happening. Okay, Thanks for sharing that. Great. It's so great to have you on a keeper. 
Right, everybody, we'll be back to wrap Day three. Francisco live Barcelona. You're watching the Cube. Stay right there.