>> Narrator: New York City, it's the Cube covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Welcome back, everyone. This is the Cube's live coverage in New York City's Grand Hyatt Ballroom for CyberConnect 2017 presented by Centrify. I'm John Furrier, the co-host of the Cube with my co-host this week is Dave Vellante, my partner and co-founder and co-CEO with me in SiliconAngle Media in the Cube. Our next guest is James Scott who is the co-founder and senior fellow at ICIT. Welcome to the Cube. >> Thanks for having me. >> You guys are putting on this event, really putting the content together. Centrify, just so everyone knows, is underwriting the event but this is not a Centrify event. You guys are the key content partner, developing the content agenda. It's been phenomenal. It's an inaugural event so it's the first of its kind bringing in industry, government, and practitioners all together, kind of up leveling from the normal and good events like Black Hat and other events like RSA which go into deep dives. Here it's a little bit different. Explain. >> Yeah, it is. We're growing. We're a newer think tank. We're less than five years old. The objective is to stay smaller. We have organizations, like Centrify, that came out of nowhere in D.C. so we deal, most of what we've done up until now has been purely federal and on the Hill so what I do, I work in the intelligence community. I specialize in social engineering and then I advise in the Senate for the most part, some in the House. We're able to take these organizations into the Pentagon or wherever and when we get a good read on them and when senators are like, "hey, can you bring them back in to brief us?" That's when we know we have a winner so we started really creating a relationship with Tom Kemp, who's the CEO and founder over there, and Greg Cranley, who heads the federal division. They're aggressively trying to be different as opposed to trying to be like everyone else, which makes it easy. If someone wants to do something, they have to be a fellow for us to do it, but if they want to do it, just like if they want to commission a paper, we just basically say, "okay, you can pay for it but we run it." Centrify has just been excellent. >> They get the community model. They get the relationship that you have with your constituents in the community. Trust matters, so you guys are happy to do this but more importantly, the content. You're held to a standard in your community. This is new, not to go in a different direction for a second but this is what the community marketing model is. Stay true to your audience and trust. You're relied upon so that's some balance that you guys have to do. >> The thing is we deal with cylance and others. Cylance, for example, was the first to introduce machine learning artificial intelligence to get passed that mutating hash for endpoint security. They fit in really well in the intelligence community. The great thing about working with Centrify is they let us take the lead and they're very flexible and we just make sure they come out on top each time. The content, it's very content driven. In D.C., we have at our cocktail receptions, they're CIA, NSA, DARPA, NASA. >> You guys are the poster child of be big, think small. >> Exactly. Intimate. >> You say Centrify is doing things differently. They're not falling in line like a lemming. What do you mean by that? What is everybody doing that these guys are doing differently? >> I think in the federal space, I think commercial too, but you have to be willing to take a big risk to be different so you have to be willing to pay a premium. If people work with us, they know they're going to pay a premium but we make sure they come out on top. What they do is, they'll tell us, Centrify will be like, "look, we're going to put x amount of dollars into a lunch. "Here are the types of pedigree individuals "that we need there." Maybe they're not executives. Maybe they're the actual practitioners at DHS or whatever. The one thing that they do different is they're aggressively trying to deviate from the prototype. That's what I mean. >> Like a vendor trying to sell stuff. >> Yeah and the thing is, that's why when someone goes to a Centrify event, I don't work for Centrify (mumbles). That's how they're able to attract. If you see, we have General Alexander. We've got major players here because of the content, because it's been different and then the other players want to be on the stage with other players, you know what I mean. It almost becomes a competition for "hey, I was asked to come to an ICIT thing" you know, that sort of thing. That's what I mean. >> It's reputation. You guys have a reputation and you stay true to that. That's what I was saying. To me, I think this is the future of how things get done. When you have a community model, you're held to a standard with your community. If you cross the line on that standard, you head fake your community, that's the algorithm that brings you a balance so you bring good stuff to the table and you vet everyone else on the other side so it's just more of a collaboration, if you will. >> The themes here, what you'll see is within critical infrastructure, we try to gear this a little more towards the financial sector. We brought, from Aetna, he set up the FS ISAC. Now he's with the health sector ISAC. For this particular geography in New York, we're trying to have it focus more around health sector and financial critical infrastructure. You'll see that. >> Alright, James, I've got to ask you. You're a senior fellow. You're on the front lines with a great Rolodex, great relationships in D.C., and you're adivising and leaned upon by people making policy, looking at the world and the general layout in which, the reality is shit's happening differently now so the world's got to change. Take us through a day in the life of some of the things you guys are seeing and what's the outlook? I mean, it's like a perfect storm of chaos, yet opportunity. >> It really depends. Each federal agency, we look at it from a Hill perspective, it comes down to really educating them. When I'm in advising in the House, I know I'm going to be working with a different policy pedigree than a Senate committee policy expert, you know what I mean. You have to gauge the conversation depending on how new the office is, House, Senate, are they minority side, and then what we try to do is bring the issues that the private sector is having while simultaneously hitting the issues that the federal agency space is. Usually, we'll have a needs list from the CSWEP at the different federal agencies for a particular topic like the Chinese APTs or the Russian APT. What we'll do is, we'll break down what the issue is. With Russia, for example, it's a combination of two types of exploits that are happening. You have the technical exploit, the malicious payload and vulnerability in a critical infrastructure network and then profiling those actors. We also have another problem, the influence operations, which is why we started the Center for Cyber Influence Operations Studies. We've been asked repeatedly since the elections last year by the intelligence community to tell us, explain this new propaganda. The interesting thing is the synergies between the two sides are exploiting and weaponizing the same vectors. While on the technical side, you're exploiting a vulnerability in a network with a technical exploit, with a payload, a compiled payload with a bunch of tools. On the influence operations side, they're weaponizing the same social media platforms that you would use to distribute a payload here but only the... >> Contest payload. Either way you have critical infrastructure. The payload being content, fake content or whatever content, has an underpinning that gamification call it virality, network effect and user psychology around they don't really open up the Facebook post, they just read the headline and picture. There's a dissonance campaign, or whatever they're running, that might not be critical to national security at that time but it's also a post. >> It shifts the conversation in a way where they can use, for example, right now all the rage with nation states is to use metadata, put it into big data analytics, come up with a psychographic algorithm, and go after critical infrastructure executives with elevated privileges. You can do anything with those guys. You can spearfish them. The Russian modus operandi is to call and act like a recruiter, have that first touch of contact be the phone call, which they're not expecting. "Hey, I got this job. "Keep it on the down low. Don't tell anybody. "I'm going to send you the job description. "Here's the PDF." Take it from there. >> How should we think about the different nation state actors? You mentioned Russia, China, there's Iran, North Korea. Lay it out for us. >> Each geography has a different vibe to their hacking. With Russia you have this stealth and sophistication and their hacking is just like their espionage. It's like playing chess. They're really good at making pawns feel like they're kings on the chessboard so they're really good at recruiting insider threats. Bill Evanina is the head of counterintel. He's a bulldog. I know him personally. He's exactly what we need in that position. The Chinese hacking style is more smash and grab, very unsophisticated. They'll use a payload over and over again so forensically, it's easy to... >> Dave: Signatures. >> Yeah, it is. >> More shearing on the tooling or whatever. >> They'll use code to the point of redundancy so it's like alright, the only reason they got in... Chinese get into a network, not because of sophistication, but because the network is not protected. Then you have the mercenary element which is where China really thrives. Chinese PLA will hack for the nation state during the day, but they'll moonlight at night to North Korea so North Korea, they have people who may consider themselves hackers but they're not code writers. They outsource. >> They're brokers, like general contractors. >> They're not sophisticated enough to carry out a real nation state attack. What they'll do is outsource to Chinese PLA members. Chinese PLA members will be like, "okay well, here's what I need for this job." Typically, what the Chinese will do, their loyalties are different than in the west, during the day they'll discover a vulnerability or an O day. They won't tell their boss right away. They'll capitalize off of it for a week. You do that, you go to jail over here. Russia, they'll kill you. China, somehow this is an accepted thing. They don't like it but it just happens. Then you have the eastern European nations and Russia still uses mercenary elements out of Moscow and St. Petersburg so what they'll do is they will freelance, as well. That's when you get the sophisticated, carbonic style hack where they'll go into the financial sector. They'll monitor the situation. Learn the ins and outs of everything having to do with that particular swift or bank or whatever. They go in and those are the guys that are making millions of dollars on a breach. Hacking in general is a grind. It's a lot of vulnerabilities work, but few work for long. Everybody is always thinking there's this omega code that they have. >> It's just brute force. You just pound it all day long. >> That's it and it's a grind. You might have something that you worked on for six months. You're ready to monetize. >> What about South America? What's the vibe down there? Anything happening in there? >> Not really. There is nothing of substance that really affects us here. Again, if an organization is completely unprotected. >> John: Russia? China? >> Russia and China. >> What about our allies? >> GCHQ. >> Israel? What's the collaboration, coordination, snooping? What's the dynamic like there? >> We deal, mostly, with NATO and Five Eyes. I actually had dinner with NATO last night. Five Eyes is important because we share signals intelligence and most of the communications will go through Five Eyes which is California, United States, Australia, New Zealand, and the UK. Those are our five most important allies and then NATO after that, as far as I'm concerned, for cyber. You have the whole weaponization of space going on with SATCOM interception. We're dealing with that with NASA, DARPA. Not a lot is happening down in South America. The next big thing that we have to look at is the cyber caliphate. You have the Muslim brotherhood that funds it. Their influence operations domestically are extremely strong. They have a lot of contacts on the Hill which is a problem. You have ANTIFA. So there's two sides to this. You have the technical exploit but then the information warfare exploit. >> What about the bitcoin underbelly that started with the silk roads and you've seen a lot of bitcoin. Money laundering is a big deal, know your customer. Now regulation is part of big ICOs going on. Are you seeing any activity from those? Are they pulling from previous mercenary groups or are they arbitraging just more free? >> For updating bitcoin? >> The whole bitcoin networks. There's been an effort to commercialize (mumbles) so there's been a legitimate track to bring that on but yet there's still a lot of actors. >> I think bitcoin is important to keep and if you look at the more black ops type hacking or payment stuff, bitcoin is an important element just as tor is an important element, just as encryption is an important element. >> John: It's fundamental, actually. >> It's a necessity so when I hear people on the Hill, I have my researcher, I'm like, "any time you hear somebody trying to have "weakened encryption, back door encryption" the first thing, we add them to the briefing schedule and I'm like, "look, here's what you're proposing. "You're proposing that you outlaw math. "So what? Two plus two doesn't equal four. "What is it? Three and a half? "Where's the logic?" When you break it down for them like that, on the Hill in particular, they begin to get it. They're like, "well how do we get the intelligence community "or the FBI, for example, to get into this iphone?" Civil liberties, you've got to take that into consideration. >> I got to ask you a question. I interviewed a guy, I won't say his name. He actually commented off the record, but he said to me, "you won't believe how dumb some of these state actors are "when it comes to cyber. "There's some super smart ones. "Specifically Iran and the Middle East, "they're really not that bright." He used an example, I don't know if it's true or not, that stuxnet, I forget which one it was, there was a test and it got out of control and they couldn't pull it back and it revealed their hand but it could've been something worse. His point was they actually screwed up their entire operation because they're doing some QA on their thing. >> I can't talk about stuxnet but it's easy to get... >> In terms of how you test them, how do you QA your work? >> James: How do you review malware? (mumbles) >> You can't comment on the accuracy of Zero Days, the documentary? >> Next question. Here's what you find. Some of these nation state actors, they saw what happened with our elections so they're like, "we have a really crappy offensive cyber program "but maybe we can thrive in influence operations "in propaganda and whatever." We're getting hit by everybody and 2020 is going to be, I don't even want to imagine. >> John: You think it's going to be out of control? >> It's going to be. >> I've got to ask this question, this came up. You're bringing up a really good point I think a lot of people aren't talking about but we've brought up a few times. I want to keep on getting it out there. In the old days, state on state actors used to do things, espionage, and everyone knew who they were and it was very important not to bring their queen out, if you will, too early, or reveal their moves. Now with Wikileaks and public domain, a lot of these tools are being democratized so that they can covertly put stuff out in the open for enemies of our country to just attack us at will. Is that happening? I hear about it, meaning that I might be Russia or I might be someone else. I don't want to reveal my hand but hey, you ISIS guys out there, all you guys in the Middle East might want to use this great hack and put it out in the open. >> I think yeah. The new world order, I guess. The order of things, the power positions are completely flipped, B side, counter, whatever. It's completely not what the establishment was thinking it would be. What's happening is Facebook is no more relevant, I mean Facebook is more relevant than the UN. Wikileaks has more information pulsating out of it than a CIA analyst, whatever. >> John: There's a democratization of the information? >> The thing is we're no longer a world that's divided by geographic lines in the sand that were drawn by these two guys that fought and lost a war 50 years ago. We're now in a tribal chieftain digital society and we're separated by ideological variation and so you have tribe members here in the US who have fellow tribe members in Israel, Russia, whatever. Look at Anonymous. Anonymous, I think everyone understands that's the biggest law enforcement honeypot there is, but you look at the ideological variation and it's hashtags and it's keywords and it's forums. That's the Senate. That's congress. >> John: This is a new reality. >> This is reality. >> How do you explain that to senators? I was watching that on TV where they're trying to grasp what Facebook is and Twitter. (mumbles) Certainly Facebook knew what was going on. They're trying to play policy and they're new. They're newbies when it comes to policy. They don't have any experience on the Hill, now it's ramping up and they've had some help but tech has never been an actor on the stage of policy formulation. >> We have a real problem. We're looking at outside threats as our national security threats, which is incorrect. You have dragnet surveillance capitalists. Here's the biggest threats we have. The weaponization of Facebook, twitter, youtube, google, and search engines like comcast. They all have a censorship algorithm, which is how they monetize your traffic. It's censorship. You're signing your rights away and your free will when you use google. You're not getting the right answer, you're getting the answer that coincides with an algorithm that they're meant to monetize and capitalize on. It's complete censorship. What's happening is, we had something that just passed SJ res 34 which no resistance whatsoever, blew my mind. What that allows is for a new actor, the ISPs to curate metadata on their users and charge them their monthly fee as well. It's completely corrupt. These dragnet surveillance capitalists have become dragnet surveillance censorists. Is that a word? Censorists? I'll make it one. Now they've become dragnet surveillance propagandists. That's why 2020 is up for grabs. >> (mumbles) We come from the same school here on this one, but here's the question. The younger generation, I asked a gentleman in the hallway on his way out, I said, "where's the cyber west point? "We're the Navy SEALS in this new digital culture." He said, "oh yeah, some things." We're talking about the younger generation, the kids playing Call of Duty Destiny. These are the guys out there, young kids coming up that will probably end up having multiple disciplinary skills. Where are they going to come from? So the question is, are we going to have a counterculture? We're almost feeling like what the 60s were to the 50s. Vietnam. I kind of feel like maybe the security stuff doesn't get taken care of, a revolt is coming. You talk about dragnet censorship. You're talking about the lack of control and privacy. I don't mind giving Facebook my data to connect with my friends and see my thanksgiving photos or whatever but now I don't want fake news jammed down my throat. Anti-Trump and Anti-Hillary spew. I didn't buy into that. I don't want that anymore. >> I think millennials, I have a 19 year old son, my researchers, they're right out of grad school. >> John: What's the profile like? >> They have no trust whatsoever in the government and they laugh at legislation. They don't care any more about having their face on their Facebook page and all their most intimate details of last night's date and tomorrow's date with two different, whatever. They just don't... They loathe the traditional way of things. You got to talk to General Alexander today. We have a really good relationship with him, Hayden, Mike Rogers. There is a counterculture in the works but it's not going to happen overnight because we have a tech deficit here where we need foreign tech people just to make up for the deficit. >> Bill Mann and I were talking, I heard the general basically, this is my interpretation, "if we don't get our shit together, "this is going to be an f'd up situation." That's what I heard him basically say. You guys don't come together so what Bill talked about was two scenarios. If industry and government don't share and come together, they're going to have stuff mandated on them by the government. Do you agree? >> I do. >> What's going to happen? >> The argument for regulation on the Hill is they don't want to stifle innovation, which makes sense but then ISPs don't innovate at all. They're using 1980s technology, so why did you pass SJ res 34? >> John: For access? >> I don't know because nation states just look at that as, "oh wow another treasure trove of metadata "that we can weaponize. "Let's start psychographically charging alt-left "and alt-right, you know what I mean?" >> Hacks are inevitable. That seems to be the trend. >> You talked before, James, about threats. You mentioned weaponization of social. >> James: Social media. >> You mentioned another in terms of ISPs I think. >> James: Dragnet. >> What are the big threats? Weaponization of social. ISP metadata, obviously. >> Metadata, it really depends and that's the thing. That's what makes the advisory so difficult because you have to go between influence operations and the exploit because the vectors are used for different things in different variations. >> John: Integrated model. >> It really is and so with a question like that I'm like okay so my biggest concern is the propaganda, political warfare, the information warfare. >> People are underestimating the value of how big that is, aren't they? They're oversimplifying the impact of info campaigns. >> Yeah because your reality is based off of... It's like this, influence operations. Traditional media, everybody is all about the narrative and controlling the narrative. What Russia understands is to control the narrative, the most embryo state of the narrative is the meme. Control the meme, control the idea. If you control the idea, you control the belief system. Control the belief system, you control the narrative. Control the narrative, you control the population. No guns were fired, see what I'm saying? >> I was explaining to a friend on Facebook, I was getting into a rant on this. I used a very simple example. In the advertising world, they run millions of dollars of ad campaigns on car companies for post car purchase cognitive dissonance campaigns. Just to make you feel good about your purchase. In a way, that's what's going on and explains what's going on on Facebook. This constant reinforcement of these beliefs whether its for Trump or Hillary, all this stuff was happening. I saw it firsthand. That's just one small nuance but it's across a spectrum of memes. >> You have all these people, you have nation states, you have mercenaries, but the most potent force in this space, the most hyperevolving in influence operations, is the special interest group. The well-funded special interests. That's going to be a problem. 2020, I keep hitting that because I was doing an interview earlier. 2020 is going to be a tug of war for the psychological core of the population and it's free game. Dragnet surveillance capitalists will absolutely be dragnet surveillance propagandists. They will have the candidates that they're going to push. Now that can also work against them because mainstream media, twitter, Facebook were completely against trump, for example, and that worked in his advantage. >> We've seen this before. I'm a little bit older, but we are the same generation. Remember when they were going to open up sealex? Remember the last mile for connectivity? That battle was won before it was even fought. What you're saying, if I get this right, the war and tug of war going on now is a big game. If it's not played in one now, this jerry rigging, gerrymandering of stuff could happen so when people wake up and realize what's happened the game has already been won. >> Yeah, your universe as you know it, your belief systems, what you hold to be true and self evident. Again, the embryo. If you look back to the embryo introduction of that concept, whatever concept it is, to your mind it came from somewhere else. There are very few things that you believe that you came up with yourself. The digital space expedites that process and that's dangerous because now it's being weaponized. >> Back to the, who fixes this. Who's the watchdog on this? These ideas you're talking about, some of them, you're like, "man that guy has lost it, he's crazy." Actually, I don't think you're crazy at all. I think it's right on. Is there a media outlet watching it? Who's reporting on it? What even can grasp what you're saying? What's going on in D.C.? Can you share that perspective? >> Yeah, the people that get this are the intelligence community, okay? The problem is the way we advise is I will go in with one of the silos in the NSA and explain what's happening and how to do it. They'll turn around their computer and say, "show me how to do it. "How do you do a multi vector campaign "with this meme and make it viral in 30 minutes." You have to be able to show them how to do it. >> John: We can do that. Actually we can't. >> That sort of thing, you have to be able to show them because there's not enough practitioners, we call them operators. When you're going in here, you're teaching them. >> The thing is if they have the metadata to your treasure trove, this is how they do it. I'll explain here. If they have the metadata, they know where the touch points are. It's a network effect mole, just distributive mole. They can put content in certain subnetworks that they know have a reaction to the metadata so they have the knowledge going in. It's not like they're scanning the whole world. They're monitoring pockets like a drone, right? Once they get over the territory, then they do the acquired deeper targets and then go viral. That's basically how fake news works. >> See the problem is, you look at something like alt-right and ANTIFA. ANTIFA, just like Black Lives Matter, the initiatives may have started out with righteous intentions just like take a knee. These initiatives, first stage is if it causes chaos, chaos is the op for a nation state in the US. That's the op. Chaos. That's the beginning and the end of an op. What happens is they will say, "oh okay look, this is ticking off all these other people "so let's fan the flame of this take a knee thing "hurt the NFL." Who cares? I don't watch football anyway but you know, take a knee. It's causing all this chaos. >> John: It's called trolling. >> What will happen is Russia and China, China has got their 13 five year plan, Russia has their foreign influence operations. They will fan that flame to exhaustion. Now what happens to the ANTIFA guy when he's a self-radicalized wound collector with a mental disorder? Maybe he's bipolar. Now with ANTIFA, he's experienced a heightened more extreme variation of that particular ideology so who steps in next? Cyber caliphate and Muslim brotherhood. That's why we're going to have an epidemic. I can't believe, you know, ANTIFA is a domestic terrorist organization. It's shocking that the FBI is not taking this more serious. What's happening now is Muslim brotherhood funds basically the cyber caliphate. The whole point of cyber caliphate is to create awareness, instill the illusion of rampant xenophobia for recruiting. They have self-radicalized wound collectors with ANTIFA that are already extremists anyway. They're just looking for a reason to take that up a notch. That's when, cyber caliphate, they hook up with them with a hashtag. They respond and they create a relationship. >> John: They get the fly wheel going. >> They take them to a deep web forum, dark web forum, and start showing them how it works. You can do this. You can be part of something. This guy who was never even muslim now is going under the ISIS moniker and he acts. He drives people over in New York. >> They fossilized their belief system. >> The whole point to the cyber caliphate is to find actors that are already in the self-radicalization phase but what does it take psychologically and from a mentoring perspective, to get them to act? That's the cyber caliphate. >> This is the value of data and context in real time using the current events to use that data, refuel their operation. It's data driven terrorism. >> What's the prescription that you're advising? >> I'm not a regulations kind of guy, but any time you're curating metadata like we're just talking about right now. Any time you have organizations like google, like Facebook, that have become so big, they are like their own nation state. That's a dangerous thing. The metadata curation. >> John: The value of the data is very big. That's the point. >> It is because what's happening... >> John: There's always a vulnerability. >> There's always a vulnerability and it will be exploited and all that metadata, it's unscrubbed. I'm not worried about them selling metadata that's scrubbed. I'm worried about the nation state or the sophisticated actor that already has a remote access Trojan on the network and is exfiltrating in real time. That's the guy that I'm worried about because he can just say, "forget it, I'm going to target people that are at this phase." He knows how to write algorithms, comes up with a good psychographic algorithm, puts the data in there, and now he's like, "look I'm only going to promote this concept, "two people at this particular stage of self-radicalization "or sympathetic to the kremlin." We have a big problem on the college campuses with IP theft because of the Chinese Students Scholar Associations which are directly run by the Chinese communist party. >> I heard a rumor that Equifax's franchising strategy had partners on the VPN that were state sponsored. They weren't even hacking, they had full access. >> There's a reason that the Chinese are buying hotels. They bought the Waldorf Astoria. We do stuff with the UN and NATO, you can't even stay there anymore. I think it's still under construction but it's a no-no to stay there anymore. I mean western nations and allies because they'll have bugs in the rooms. The WiFi that you use... >> Has fake certificates. >> Or there's a vulnerability that's left in that network so the information for executives who have IP or PII or electronic health records, you know what I mean? You go to these places to stay overnight, as an executive, and you're compromised. >> Look what happened with Eugene Kaspersky. I don't know the real story. I don't know if you can comment, but someone sees that and says, "this guy used to have high level meetings "at the Pentagon weekly, monthly." Now he's persona non grata. >> He fell out of favor, I guess, right? It happens. >> James, great conversation. Thanks for coming on the Cube. Congratulations on the great work you guys are doing here at the event. I know the content has been well received. Certainly the key notes we saw were awesome. CSOs, view from the government, from industry, congratulations. James Scott who is the co founder and senior fellow of ICIT, Internet Critical Infrastructure Technology. >> James: Institute of Critical Infrastructure Technology. >> T is for tech. >> And the Center for Cyber Influence Operations Studies. >> Good stuff. A lot of stuff going on (mumbles), exploits, infrastructure, it's all mainstream. It's the crisis of our generation. There's a radical shift happening and the answers are all going to come from industry and government coming together. This is the Cube bringing the data, I'm John Furrier with Dave Vellante. Thanks for watching. More live coverage after this short break. (music)

>> Announcer: Live from Las Vegas, it's theCUBE, covering InterConnect 2017. Brought to you by IBM. >> Hey, welcome back, everyone. Here live at the Mandalay Bay in Las Vegas for theCUBE's three-day exclusive coverage of IBM InterConnect 2017. I'm John Furrier. My co-host, Dave Vellante. Our next guest here is Greg Pepper, head of cloud security architects at Check Point Software Technologies. >> You got it. Good afternoon, gentlemen. >> Welcome, welcome to theCUBE. So, security obviously is big. You're seeing compel all the networks, every company out there is buying security, so there's been a security sprawl. But now you guys have a stock that's trading at a very high, 52-week high. Congratulations. >> Yeah, thank you. You know, some people forget about us. We've been doing this for 24 years, we've been the leaders in this industry for over two decades, but sometimes, we're the best kept secret in the industry. >> Unleash some of those secrets here. I know you guys probably can't go into too much secret sauce as a public company, but what's the software secret? Obviously, relationship with IBM is part of why you're here, but what's the Check Point secret sauce right now? >> I think first and foremost, we've built upon a legacy for the last 20 years. We didn't just acquire technology through acquisition, duct tape and paper clips and call it an architecture for our customers. We've built upon a consistent common platform building on our core strengths. I think the second thing that really differentiates us from some of the other guys you mentioned is our commitment and focus to security first. We are a security company end to end, and everything we do is built off of those tenets. And especially with the growth in security in the data center, its migration to cloud, the industry has kind of come back around to software, and though for a while we delivered hardware appliance to customers, 'cause it was the preferred consumption model, when customers go to the cloud, whether it's SoftLayer, Azure, Amazon, Google, and others, we don't have hardware to bring with you, so you need a software defined security strategy to play in the cloud today. >> What is that software defined security strategy? What's the hottest product that you guys have that's working best? >> Everything we have built on our core competencies of management and the gateways themselves. But these days, it's not enough to just be a firewall vendor, so advanced threat prevention, the ability to both prevent and detect malware from getting on the network, rather than just alerting you that something bad happened. We're providing additional access controls with data awareness. I don't need to plug into the network to tell you people are going to YouTube, Netflix, but what's the information about your organization that's being posted out there? Those are the interesting things that we can help differentiate and alert customers to what's going on. >> So, the perimeter's, with the cloud, all these APIs, microservices coming down the pike with cloud, that's the challenge. I mean, this whole idea of being data and software focused. How do you guys play in that world, and what's this focus there? >> The biggest change is moving away from the traditional management architecture to one that's driven by code. These days especially in the cloud to be agile with dev-ops, you have to have security be able to be deployed, programmed, managed, and monitored all through an API, and this is something over the last few years we've enhanced our products to enable automatic deployment in the cloud providers, automatic management, and also integration with people like IBM QRadar in a highly automated way. >> The big discussion in the last couple years in security has been, hey, it's not enough just to dig a moat around the castle. The queen wants to leave her castle, so we've got to, security's got to be everywhere, it's got to follow the data, and also response is another major focus of discussion, we've got to shift spending there. How has that impacted, first of all, you buy that, second of all, how has that impacted your business and your strategy? >> We definitely do agree, which is why as part of our end to end security strategy, the laptops, the desktops, the mobile devices is an area of increased focus for us. Where really just having the traditional perimeter alone is not adequate. The second thing we started to talk about is the ability to move into the cloud. A lot of the competitive solutions out there don't play as well in the cloud because they're dependent on proprietary hardware. If you're a vendor that has custom ASICs, well, you don't have those ASICs when you go to the cloud. Whereas for us, our software defined security strategy, when we go to Amazon, Azure, SoftLayer, and other cloud providers, 100% of our core capabilities moves along with us. >> Talk that through the value proposition and the customer impact. So, it's more flexibility. Is it lower cost, is it speed, is it better response? >> I believe the primary driver for cloud adoption is agility, not always cost savings, although in some cases that is the case. However, the ability to grow and shrink on demand. In the past, our traditional enterprise customers would consume technology for their max resources. If I'm a large department store, I need to be able to handle Black Friday. Well, that's one week a year that you need that peak utilization. That ability to scale up and scale down is one of the major things driving people to the cloud. Well, security has to have the same model. We have to be able to automatically deploy, scale up for those large-scale events, but then also come back down to an average run-time use to help customers save money. >> How about analytics? How does that play into the security business? >> Yeah, I mean look, the whole reason we exist is to give interesting information for technology to be able to chew on, and the ability to provide the forensic auditing accounting for access controls and for our threat prevention, whether it's on the perimeter, in the cloud, in the core, on mobile and end-point devices, there's a reason after 20 years we've been the lead in the industry is 'cause we provide the best forensics data and integration with all the major leading SIM vendors out there. >> Yeah, the 20-year stair with Check Point. Obviously, the company's evolved a lot since then. Talk about the relationship with IBM, obviously we're here at IBM InterConnect, what are you guys doing with IBM? >> IBM's one of our best partners for over the last two decades. For over 18 years now, they've been a customer, a reseller, and a managed services security partner, so there's multiple organization within IBM that have relationship with Check Point to help secure the corporate assets, customer projects in our managed data centers, or even just purely security managed services. One of the exciting projects that we've been working on that was demonstrated at the security booth was an automated security deployment for the hybrid cloud, where the IBM team worked with us to help take security, automatically roll it out into Amazon and Azure, but also bring it into their MSS environment, their managed security services with zero touch, and they're able to provision, have it managed, monitored, and ready to rock and roll in less than 30 seconds. >> And they were doing that all in software? >> Greg: 100% in software, 100% in code with no human intervention. >> So take us through some of those use cases going forward. As you go talk to customers with IBM or on your own, you write on a lot of white board, I can imagine, so what are some of the white board conversations you're having, 'cause security architecture's one of these, kind of a moving train right now. What are some of the patterns you're seeing right now? >> First and foremost, there's a lot of cloud novice, this is new for all of us. So in the walk-jog-run mentality, we all need to come up with the basic terminology and fundamentals so we can have a more advanced conversation. Once we provide the basic knowledge transfer, the second step is how can you help me lift this legacy application and move it to a cloud-centric application, yet still give me the same levels of security and visibility, 'cause I can't go to the board and tell 'em, "Oh, we screwed up. "We moved to the cloud, and now our apps are not secure." As a matter of fact, for our largest customers, the most critical applications will not move to the cloud unless they have a clearly defined security strategy in place. >> So you lay out those parameters up front, then you kind of walk through it, I'd say crawl, walk, run, then jog. >> Greg: Absolutely. >> However you had it, but I mean, lot of people are kind of crawling, but now also, multi-cloud's a big theme here. So now, you're looking at multiple clouds, and some workloads might make sense for cloud one, two, or three depending on the workloads, but some stay on prem. >> 100%. >> And now you got the true private cloud trend where I'm going to have a cloud-like environment on prem. That's cool, development environment looks the same as the cloud, but I got multiple clouds. How do you guys deal with the multi-cloud and this idea of being consistent on prem and on cloud? >> First and foremost, being a software defined gateway, we have this unique capabilities that's the same on premise, Amazon, Azure, Google, SoftLayer, and others as well. Since we're not dependent upon hardware, we have consistent capabilities across all the clouds. The second thing I want to add is from a management perspective, we've built, excuse me, tight integrations with all the data center and cloud providers, so we're able to trust Amazon, VMware, Cisco, OpenStack, Google, and others and real-time integrate their applications and objects and metadata into our security policies, further tightening the integration and automation capabilities between those cloud providers. >> So, you're actively working with all the clouds to integrate in tightly to manage the security. You become the Switzerland for-- >> Look, we were the first of the major security vendors to both be in Amazon and Azure. We were the first achieve Amazon security competency. We were the first to support basic things like clustering and scale set support, which has been a very common deployment in the cloud as well. We've been in this cloud game for the last seven or eight years now, or as I like to joke, we've cloud up-times longer than some of my competitors have been in business. >> Microsoft was actually down on the cloud. We published a report today on siliconangle.com. Three cloud vendors down in a week. I'll give Amazon a little week there, but it's still, you're still going to see some these bumps in the road, but security, you can't have bumps, you got to be rock solid. >> The thing with today in cloud, whether it's the application, the servers, the storage and securities, you have to anticipate for that total failure situation. Heaven forbid, what happens if an east region went down? Case in point, when Amazon had their storage outage, Netflix was not interrupted at all. Now, other organizations that were only deployed in a single region, we were impacted. This is where, I think from an application architecture, one, we have to think beyond single region, single cloud provider. We have to anticipate the total catastrophic failure and how does our business continuity and disaster recovery work. And then, security has to be an integral portion of that. We can't bolt it on after the fact, it's got to be part of the foundation. >> Greg, great point. And by having software, gives you so much flexibility, I love that hybrid cloud example, but I want to get your thoughts on what you said earlier about lift and shift. That seems to be the parlance of the generation. It used to be rip and replace on the enterprise side, but that's not as easy as it is. To your point, you can't just throw it to the cloud, you might have some gaps. As people look to lift and shift, which I always say is be careful, you got to have some concerns. How do you advise your customers when you say, "Hey, we're lifting and shifting to the cloud." >> For those people, I say don't bother. Right, if I'm going to move the same applications and same products and processes from my private data center to the cloud, why bother? If we're not taking advantage of the agility, elasticity, automation, and all the benefits that clouds has to offer, companies should be building new cloud-ready applications for the cloud. We should not just be lifting our legacy applications and like for like moving them to the cloud, 'cause we're not going to get the benefit in return on investment. >> And it's risky, too, by the way. I would agree with you. So, net new applications, no brainer. If the cloud's available, why not? >> Absolutely. >> Let's go back to the workload. Some clouds have better, like analytics use case is a great cloud, just throw IOT data into Amazon or Azure or Office 365 is Azure, and Amazon gets Kinesis, good stuff, and you've got Bluemix over here. You're starting to see that swim lanes of the different vendors. How do you view the differentiation between the vendors, and how do you advise customers? "Hey Greg, I don't know which cloud to go to. "What's your advice?" >> First and foremost, there's pros and cons to everyone's offering. >> It's kind of like Red Sox, Yankees, you know. It's like trying to-- >> Well, let's stop right there, Yankees for sure. >> Dave: You think? >> Absolutely. >> Dave: You really think? >> Well, maybe not in 2017, but-- >> Who's the Yankees, Microsoft or AWS? >> Microsoft probably the Yankees right now. Then again, from my perspective as a Red Sox fan, I'd say it's a tough call. >> (muttering) is the Yankee-killer. Anywhere, let's... >> Alright, go back. >> We digress. >> What I was I going to make a comment of is look for the adjunct services behind the basics, beyond the basic storage, compute and networking services that everybody has as kind of table stakes. For example, if you're someone who's a very heavy Microsoft Office 365 SharePoint user, you're using their business application suite, well, probably migration to Azure is a more natural transition, right. People who are similarly in the Google environment and using the Google suite of applications, it's a benefit to moving the applications there. And to be honest, people who are purely just into the raw compute horsepower and probably the most mature and largest cloud platform, well, Amazon has probably got a five-year head start on the rest of the guys. So, we try not to sit here and determine which of the three clouds is better, 'cause for us, we play in all of them, and our security footprint has to be consistent across all of them. I'll share with you an anecdotal use case from one of my retail customers is building a commerce platform in AWS. But all the corporate applications are moving to Azure, and separately now, they're looking at Google for other global applications as well. So for them, they're going to be in all three cloud providers, just with different applications finding more natural homes. >> Justin Youngblood was just on. He said, the IBM data said 70% of all organizations, or 70% of the organizations have three or more clouds, infrastructure clouds, right. >> I would believe that. >> Back to the security, I mean, the market's booming. In a way, it's unfortunate that the market's booming is 'cause it's such a huge problem that doesn't end. It's great for you. Each year, we look back at last year and say, okay, we feel more secure, and we don't. So, what's happening in the market? Are we finally going to get a handle on sort of how to deal with this, or is it just always going to be this good guy, bad guy, leap-frogging sort of endless loop? >> The big change these days are the bad guys are pros. This is their full-time job, they're very well funded, trained, and able. >> Dave: And they only have to succeed once. >> And remember, the cost of defense is exponentially higher than the cost of offense. So what it costs my banks and hospitals to secure their environment is 10 to 100-fold over what it costs the bad guys, either in the U.S. or some other nation-state, to attack those environments. I think the biggest challenge that most of our customers face, to be honest, is technology saturation. They've bought every product known to mankind. As I like to joke, for every threat, there's an app for that, and most of our customers have bought all three of them. But then they struggle operationally with the technology, and this is more of a people and a process issue than it is a product issue. There's a lot of great technology out there, ours and other vendors as well, but if it's not implemented and maintained properly, those potentially represent the weakest links. >> And there's new threats emerging, ransomware, for instance, is to your point they're overmanned, and the cost to even compare, or defend against that, but they're already hacked. They'll pay the ransom in bit coin to get their stuff back. >> And look, it's cheaper, quicker, and faster to maybe just whack the system and try and do some forensics clean-up than deploy a next generation end-point to try and detect and mitigate against ransomware, disk encryption, or other bots that may get on the end-points themselves. >> But I almost feel like the mitigation, I mean, you've got to have perimeter security, obviously, and continue to invest in that, but I feel like you're never going to stop somebody from penetrating your organization. What's the status on average, the company's penetrated for 200 and whatever end days before they know? 220, 250, whatever number you want. There's got to be more investment in remediating, responding, managing that complexity. And so, I guess the answer to my earlier question was, well, not any time soon. We're going to have to continue to invest in new approaches, new methodologies to deal with this inundation of data, which isn't going to subside. >> Well, but part of it too is in the past, most of the security controls that companies invested in, they put at the perimeter. So, they're overprotecting on the perimeter, but now, the attacks are coming in through the side door. Spearfishing attempts >> Dave: Or internally. >> They're coming in from laptops or mobile devices that leave the organization and come back in, and since most customers lack internal segmentation, a very small infection becomes a very big problem very quickly. So, a lot of customers now are trying to figure out how do I take what I've done in the perimeter and treat my data center, my campus as untrusted, segment and silo and create smaller fault-isolation domains so that heaven forbid there is a breach or an outbreak, it's contained to a smaller subzone, rather than, look at the Target situation, which came in from an HVAC vendor, moved into a payment system, and then exfiltrated millions of credit card records. >> And, or, and not or, but, and techniques to allow the response to focus on the things that matter, and like you said, organizations, CCOS, are inundated with technology, and they don't know necessarily which threats to go deal with. They've got so much data, and to the extent that they can narrow down those high value threats, that's going to help solve the problem. That's why I was asking the question about analytics before. >> That's where I think the partnership with IBM is so important for us, right, 'cause both what they do with Watson and big data analytics and QRadar as well, it's one thing to just create a bunch of alerts, but for most customers, that's a lot of noise. Give me the interesting bits of information. I don't care about these 10 million alerts over the last week. What are the most critical things that my team needs to address right now? And those are the things that collectively IBM and Check Point help. >> How about the competitive landscape? And you guys are kickin' butt, you're well over a billion, what, $1.7 billion company, roughly? >> A little more, but yeah. >> A little more than that, almost a $20 billion market cap, which you said earlier, John, stocks almost at an all-time high, so obviously compete with Palo Alto. Do you compete with HPE, with ArcSight a little bit? I mean, that acquistion, they sort of, that's-- >> They jettisoned some of their core products that were competitive, like TippingPoint. They've kept some of their ArcSight and other big data analytics, the drive service and storage and services out there. But they're as much a partner as they are a competitor. >> Dave: They are? Okay. >> I mean, I would say the usual competitive suspects, some of the guys you mentioned, some of the big route switch vendors like a Cisco or a Juniper out there. Actually, we're in the end-point mobile space as well, which brings in the Symantec and McAfee and Kaspersky. >> And so, right, okay, so what's your big differentiation? >> I think first and foremost is that we have an enterprise management solution that goes from the mobile to the end-point to the cloud to the network. We do it all through a singular console. We have the most scalable security platform in the marketplace today, and to be honest, we have the best security solution out there, both in terms of the effectiveness as well as the manageability. >> Dave: And you're profitable and you're growing. I'm going to throw that in. >> Greg: We've been profitable since day one. >> Greg, thanks for coming onto theCUBE. We really appreciate, give you the final word on the segment as the outlook going forward. Obviously, all the cloud vendors, you work with them all, all trying to be enterprise-ready. >> Yes. >> And they're all, we're the enterprise cloud. Amazon's now the enterprise cloud, Google was flaunting it at Google Next, they got some work to do. IBM certainly is in the enterprise, Oracle's in the enterprise, Microsoft's in the enterprise. Enterprise readiness and the next few years as security evolves, what are the key table stakes that the cloud guys need to continue to work on, continue to invest in, continue to innovate? >> I think the first thing, and this is across all technology, not just cloud, is that interoperability is the new best of breed. All of our customers are going to have a couple of trusted partners. No one enterprise is single-vendor end to end. But we have to be able to play nicely in the sandox. So, whether it's working with Cisco or McAfee or Microsoft or Symantec, if I don't work well with the other investments my companies and customers have invested in, they're not going to have me around for very long. >> And that's the truth. And multi-cloud, and workloads will fit best, 'cause the SaaS also defines some of these big cloud vendors as well. Microsoft SaaS is Office 365, if you have Microsoft, that's going to be some things for ya. Greg, thanks so much, appreciate it. Great commentary with Check Point Software Technologies, talking security, head of architecture here. Greg Pepper, thanks for joining us. This is theCUBE, more live coverage here, day three coverage from theCUBE after this short break. (electronic keyboard music)