>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020. Special coverage sponsored by AWS Worldwide Public sector Welcome to the cubes Coverage of AWS 2020. This is specialized programming for the worldwide public sector. I'm Lisa Martin, and I'm joined by Mick Boccaccio, the security advisor at Splunk Met. Welcome to the Q Virtual Oh, >>thank you for having me. It's great to be here. >>So you have a really interesting background that I wanted to share with our audience. You were the first see so in the history of U. S presidential campaigns with Mayor Pete, you were also branch shape of Threat intelligence at the executive office of the President. Tell us something about about your background is so interesting. >>Uh, yeah, those and I'm a gonna Def con and I teach lock picking for funds. Ease working for Mayor Pete A. C. So the campaign was really, really unique opportunity and I'm glad I did it. I'm hoping that, you know, on both sides of the aisle, no matter what your political preference, people realize that security and campaigns can only be married together. That was an incredible experience and worked with Mayor P. And I learned so much about how campaigns work and just the overall political process. And then previous to that being at the White House and a threat intelligence, role of branch chief they're working over the last election, the 2016 election. I think I learned probably more than any one person wants Thio about elections over that time. So, you know, I'm just a security nerd. That kind of fell into those things. And and and here I am and really, really, really just fortunate to have had those experiences. >>Your phone and your email must have been blowing up the last couple of weeks in the wake of the US presidential election, where the word fraud has brought up many times everyday. But election security. When I saw that you were the first, see so for Pete Buddha Judge, that was so recent, I thought, Really, Why? Why are they just now getting folks like yourself? And you are a self described a cybersecurity nerd? Why are they Why were they just recently starting to catch on to this? >>I think it's, uh like security on the campaign and security anywhere else on credit to the Buddha Judge campaign. There is no federal or mandate or anything like that that says your campaign has toe have a security person at the head of it or any standards to implement those security. So you know that the Buddha Judge campaign kind of leaned into it. We wanna be secure. We saw everything that happened in 2016. We don't want that to be us. And I think Mawr campaigns are getting on that plane. Definitely. You know, you saw recently, uh, Trump's campaign, Biden's campaign. They all had a lot of security folks in, and I think it's the normal. Now people realize how important security is. Uh, not only a political campaign, but I guess the political process overall, >>absolutely. We've seen the rise of cyber attacks and threats and threat vectors this year alone, Ransomware occurring. Everyone attack every 11 seconds or so I was reading recently. So give me an other view of what the biggest threats are right now. >>Two elections and I think the election process in general. You know, like I said, I'm just a security nerd. I've just got a weird background and done some really unique things. Eso I always attack the problems like I'm a security nerd and it comes down to, you know that that triumvirate, the people process and technology people need had to have faith in the process. Faith in the technology. You need to have a a clear source to get their information from the process. To me, I think this year, more than previous elections highlighted the lack of a federal uniforms standard for federal elections. State the state. We have different, different standards, and that kind of leads to confusion with people because, hey, my friend in Washington did it this way. But I'm in Texas and we do it this way. And I think that that standard would help a lot in the faith in the system. And then the last part of that. The technology, uh, you know, voting machines campaigns like I mentioned about campaigns. There's nothing that says a campaign has toe have a security person or a security program, and I think those are the kind of standards for, you know, just voting machines. Um, that needs to be a standard across the board. That's uniforms, so people will will have more faith because It's not different from state to state, and it's a uniformed process. >>E think whole country could have benefited from or uniformed processes in 2020. But one of the things that I like I did my first male and fellow this year always loved going and having that in person voting experience and putting on my sticker. And this year I thought in California we got all of our But there was this massive rise in mainland ballots. I mean, think about that and security in terms of getting the public's confidence. What are some of the things that you saw that you think needs to be uniforms going forward >>again? I think it goes back to when When you look at, you know, you voted by mail and I voted absentee and your ballot was due by this date. Um, you know where I live? Voting absentee. It's Dubai. This state needs we received by the state. Andi, I think this year really highlighted the differences between the states, and I'm hoping that election security and again everyone has done a super fantastic job. Um, sister has done incredible. If you're all their efforts for the working with election officials, secretaries of states on both sides of the aisle. It's an incredible work, and I hope it continues. I think the big problem election security is you know, the election is over, so we don't care again until 2022 or 2024. And I think putting something like a federalized standard, whether it be technology or process putting that in place now so that we're not talking about this in two or four years. I'm hoping that moment, um, continues, >>what would your recommendation be from building security programs to culture and awareness? How would you advise that they start? >>So, uh, one of the things that when I was on the Buddha Judge campaign, you know, like I said, we was the first person to do security for a campaign. And a lot of the staffers didn't quite have the background of professional background of work with security person. No, you know why? What I was doing there Eso my hallmark was You know, I'm trying to build a culture heavy on the cult. Um, you got to get people to buy in. I think this year when you look at what What Krebs and siesta and where the team over there have done is really find a way to tell us. Security story and every facet of the election, whether it be the machines themselves, the transporting the votes, counting the votes, how that information gets out to people websites I started like rumor control, which were were amazing amazing efforts. The public private partnerships that were there I had a chance to work with, uh, MJ and Tanya from from AWS some election project. I think everyone has skin in the game. Everyone wants to make it better. And I hope that moment, um, continues. But I think, you know, embracing that there needs to be a centralized, uniformed place, uh, for every state. And I think that would get rid of a lot of confusion >>when you talk about culture and you mentioned specifically called Do you think that people and agencies and politicians are ready to embrace the culture? Is there enough data to support that? This is really serious. We need to embrace this. We need to buy in a You said, um >>I hope right. I don't know what it could take. I'm hoping so after seeing everything you know, being at the White House from that aperture in 2016. Seeing all of that, I would, you know, think right away. Oh, my gosh. 2018, The midterms, We're gonna be on the ball. And that really didn't happen like we thought it would. 2020. We saw a different kind of technical or I guess, not as technical, uh, security problem. And I think I'm kind of shifting from that to the future. People realize. And I think, uh, both sides of the aisle are working towards security programs and security posture. I think there's a lot of people that have bought into the idea. Um, but I think it kind of starts from the top, and I'm hoping it becomes a standard, so there's not really an option. You will do this just for the security and safety of the campaigns and the electoral process. But I do see a lot more people leaning into it, and a lot more resource is available for those people that are >>talk to me about kind of the status of awareness of security. Needing to combat these issues, be able to remediate them, be able to defend against them where our folks in that awareness cycle, >>I think it ebbs and flows like any other process. Any other you know, incident, event. That happens. And from my experience in the info SEC world, normally there's a compromise. There's an incident, a bunch of money gets thrown at it and then we forget about it a year or two later. Um, I think that culture, that awareness comes in when you have folks that would sustain that effort. And again, you know, on the campaign, um, even at the White House, we try to make everyone apart of security. Security is and all the time thing that everyone has a stake in. Um, you know, I can lock down your email at work. I can make sure this system is super super secure, but it's your personal threat model. You know, your personal email account, your personal social media, putting more security on those and being aware of those, I think that's that awareness is growing. And I Seymour folks in the security community just kind of preaching that awareness more and more and something I'm really, really excited about. >>Yeah, the biggest thing I always think when we talk about security is people that were the biggest threat vector and what happened 89 months ago when so many businesses, um, in any, you know, public sector and private went from on site almost maybe 100% on site to 100% remote people suddenly going, I've got to get connected through my home network. Maybe I'm on my own personal device and didn't really have the time of so many distractions to recognize a phishing email just could come in and propagate. So it's that the people challenge e always seems to me like that might be the biggest challenge. Besides, the technology in the process is what do you think >>I again it goes back. I think it's all part of it. I think. People, um, I've >>looked at it >>slightly. Ah, friend of mine made a really good point. Once he was like, Hey, people gonna click on the link in the email. It's just I think 30% of people dio it's just it's just the nature of people after 20 some odd years and info sec, 20 some odd years and security. I think we should have maybe done a better job of making that link safer, to click on, to click on to make it not militias. But again it goes back, Thio being aware, being vigilant and to your point. Since earlier this year, we've seen a tax increase exponentially specifically on remote desktop protocols from Cove. It related themes and scams and, you know, ransomware targeting healthcare systems. I think it's just the world's getting smaller and we're getting more connected digitally. That vigilance is something you kind of have to building your threat model and build into the ecosystem. When we're doing everything, it's just something you know. I quit a lot, too. You've got junk email, your open your mailbox. You got some junk mail in there. You just throw it out. Your email inbox is no different, and just kind of being aware of that a little more than we are now might go a long way. But again, I think security folks want to do a better job of kind of making these things safer because malicious actors aren't going away. >>No, they're definitely not going away that we're seeing the threat surfaces expanding. I think it was Facebook and TIC Tac and Instagram that were hacked in September. And I think it was unsecured cloud database that was the vehicle. But talking about communication because we talk about culture and awareness communication from the top down Thio every level is imperative. How how do we embrace that and actually make it a standard as possible? >>Uh, in my experience, you know, from an analyst to a C So being able to communicate and communicate effectively, it's gonna save your butt, right? It's if you're a security person, you're You're that cyber guy in the back end, something just got hacked or something just got compromised. I need to be able to communicate that effectively to my leadership, who is gonna be non technical people, and then that leadership has to communicate it out to all the folks that need to hear it. I do think this year just going back to our elections, you saw ah lot of rapid communication, whether it was from DHS, whether it was from, you know, public partners, whether was from the team over Facebook or Twitter, you know, it was ah, lot of activity that they detected and put out as soon as they found it on it was communicated clearly, and I thought the messaging was done beautifully. When you look at all the work that you know Microsoft did on the block post that came out, that information is put out as widely as possible on. But I think it just goes back to making sure that the people have access to it whenever they need it, and they know where to get it from. Um, I think a lot of times you have compromised and that information is slow to get out. And you know that DeLay just creates a confusion, so it clearly concisely and find a place for people, could get it >>absolutely. And how do you see some of these challenges spilling over into your role as the security advisor for Splunk? What are some of the things that you're talking with customers about about right now that are really pressing issues? >>I think my Rolex Plunkett's super super weird, because I started earlier in the year, I actually started in February of this year and a month later, like, Hey, I'm hanging out at home, Um, but I do get a chance to talk to ah, lot of organizations about her security posture about what they're doing. Onda about what they're seeing and you know everything. Everybody has their own. Everybody's a special snowflakes so much more special than others. Um, credit to Billy, but people are kind of seeing the same thing. You know, everybody's at home. You're seeing an increase in the attack surface through remote desktop. You're seeing a lot more fishing. You're singing just a lot. People just under computer all the time. Um, Zoom WebEx I've got like, I don't know, a dozen different chat clients on my computer to talk to people. And you're seeing a lot of exploits kind of coming through that because of that, people are more vigilant. People are adopting new technologies and new processes and kind of finding a way to move into a new working model. I see zero trust architecture becoming a big thing because we're all at home. We're not gonna go anywhere. And we're online more than we're not. I think my circadian rhythm went out the window back in July, so all I do is sit on my computer more often than not. And that caused authentication, just, you know, make sure those assets are secure that we're accessing from our our work resource is I think that gets worse and worse or it doesn't. Not worse, rather. But that doesn't go away, no matter what. Your model is >>right. And I agree with you on that circadian rhythm challenge. Uh, last question for you. As we look at one thing, we know this uncertainty that we're living in is going to continue for some time. And there's gonna be some elements of this that air gonna be permanent. We here execs in many industries saying that maybe we're going to keep 30 to 50% of our folks remote forever. And tech companies that air saying Okay, maybe 50% come back in July 2021. As we look at moving into what we all hope will be a glorious 2021 how can businesses prepare now, knowing some amount of this is going to remain permanent? >>It's a really interesting question, and I'll beyond, I think e no, the team here. It's Plunkett's constantly discussions that start having are constantly evaluating, constantly changing. Um, you know, friends in the industry, it's I think businesses and those executives have to be ready to embrace change as it changes. The same thing that the plans we would have made in July are different than the plans we would have made in November and so on. Andi, I think, is having a rough outline of how we want to go. The most important thing, I think, is being realistic with yourself. And, um, what, you need to be effective as an organization. I think, you know, 50% folks going back to the office works in your model. It doesn't, But we might not be able to do that. And I think that constant ability Thio, adjust. Ah, lot of company has kind of been thrown into the fire. I know my backgrounds mostly public sector and the federal. The federal Space has done a tremendous shift like I never well, rarely got to work, uh, vert remotely in my federal career because I did secret squirrel stuff, but like now, the federal space just leaning into it just they don't have an option. And I think once you have that, I don't I don't think you put Pandora back in that box. I think it's just we work. We work remote now. and it's just a new. It's just a way of working. >>Yep. And then that couldn't be more important to embrace, change and and change over and over again. Make. It's been great chatting with you. I'd love to get dig into some of that secret squirrel stuff. I know you probably have to shoot me, so we will go into that. But it's been great having you on the Cube. Thank you for sharing your thoughts on election security. People processes technology, communication. We appreciate it. >>All right. Thanks so much for having me again. >>My pleasure for McClatchy. Oh, I'm Lisa Martin. You're watching the Cube virtual.

>> Hello, everyone. This is a special presentation of the Cube. We're here in London at eight of us, one of eight of US locations in London. My name is Dave Volante and the Q We go, we'd like to go out to the events. We extract a signal from the noise and we've been following the ascendancy of a ws public sector from its early days. If you go back to two thousand thirteen, there was a significant moment in the history of eight of us where it won CIA contract a very large contract. CIA. It was contested by idea. My bm was used to kind of the what sometimes called the old guard the legacy companies used to selling into the government big, big contracts. And here comes this start up essentially eight of us taking away government business with CIA no less huge, huge contract. Well, IBM contested it. Judge Wheeler ruled against IBM for eight of us. And when reading that ruling, it was clear that the eight of US platform was superior to the IBM platform. He laid out the essentially the components of the R F P and the line by line and showed that a ws was the winner and virtually all of the line items. I think there was parody and won the reason why that was so important. It was that there were several factors there. One, It was a major milestone event. No, only Frito. Eight of us. But for cloud in general, if you think about security Ah, CIA, obviously very security conscious. It was the recognition that cloud actually could be more secure than on premises infrastructure. So the government was actually one of the first to kind of realise that and lean into that as a side effect, IBM had to go out and spend two billion dollars on soft layer toe actually compete in the cloud market Plys. So you had all these ripple effects Fast forward today to two thousand nineteen. You have the jet icon to contract a joint enterprise defense initiative. It's a ten billion dollar contract. A ws is in the lead for that contract. Oracle again another old Guard company has contested. And when you look through when when a company contests these bids, a whole lot of public information comes out. What? What the information suggested was that a single cloud the D o d determine that a single cloud was more secure, less complex and more cost effective. And so Oracle contested the the likelihood of an award to a single company because government contracts usually are awarded to multiple vendors. But in this case, because it's so critical tohave the data in one place so that they can serve the field better and responded the field better, the D o. D decided to use a single cloud. So oracles, you know, throwing off all rights of muck into the ring. Ah, basically asking the General Accountability Office to look at it. They did, Ggo said. If we're going to go with the D. O. D s decision, the D. O. D itself did an internal investigation. Now it's narrowed down to two vendors eight of us and Microsoft, and we believe that eight of us is the leading contender. Why is that? It's because eight of us says the most services. It's the most advanced, the highest levels of security and certifications within the government that are necessary to win these types of contracts. Why don't I spend so much time on these things? There's a two milestone events, the CIA contract in two thousand thirteen and what will soon to be the Jet I contract in two thousand nineteen. And what we're seeing is Amazon Web services, a thirty billion dollars run rate company growing at forty plus percent per annum. It's just a massive flywheel effect that we always talk about on the Cube. So we're here in London because we wanted to see how the public sector activities of Amazon are translating into the European markets. So we're here at a special public sector mini summit, if you will. There's a healthcare predate going on. This is ahead of the eight of US London summit, and we're siphoning off a number of the practitioners in and and startups software companies. Eight of US partners in the health care industry, as well as a WS executives particularly focused on the public sector today. So we're doing this sort of. We followed the career of Teresa Carlson for a number of years, seen the ascendancy of a ws public sector. We've covered ah, public sector summit in D. C. We flew to Bahrain last year. John Fairy of my business partner did the Bahrain summit. Bahrain was the first country in the Middle East to declare cloud first. So ah, critical location in the Middle East and you're seeing it now. Europe across a number of industries, obviously n hs than Ethan's. National Health Service is a very prominent in in the UK in a in a big consumer of services all kinds of startups and other software companies trying to sell and helped transform The N H s N hs has ah put forth a half a billion dollars nearly a half a billion dollar pound initiative on modernization. Ah, lot of that modernization is evolving the cloud. So the cube is here. We're trying to peel back the onion, understand what's going on here. Who were the winners? Who was going to get affected? Practitioners of startups, CEOs, nonprofit organizations, NGOs, executives from a ws and across the industry. So we'LL be here. We have three events this week in Ah in London here today at eight of US headquarters in London. Ah, tonight we have an impact investor event and then tomorrow we're at the eight of us Summit in AA in London at the XL Center. So keep it right here. Watch this channel. Check out silicon angle dot com For all the news, check out the cube dot net, which is where we host all these videos. And of course, we could bond downward for all the research. So thank you for watching and keep it right there. And you're watching the Cube this day, Volante.