>> Live from Boston, Massachusetts, it's The Cube, covering AWS re:Inforce 2019. Brought to you by Amazon web services and its ecosystem partners. >> Hey, welcome back everyone. It's The Cube's live coverage here in Boston, Massachusetts for AWS re:Inforce. This is Amazon web services' inaugural security conference around Cloud security. I'm John Furrier. My host Dave Vellante. We've got special guest, we've got another CSO, Dan Meacham, VP of Security and Operations at Legendary Entertainment. Great to see you. Thanks for coming on The Cube. >> Oh, thank you. It's a very pleasure to be here. >> We had some fun time watching the Red Socks game the other night. It was the best night to watch baseball. They did win. >> Was it ever. >> Always good to go to Fenway Park, but we were talking when we were socializing, watching the Red Socks game at Fenway Park about your experience. You've seen a lot of waves of technology you've been involved in. >> Yes, yes. >> Gettin' dirty with your hands and gettin' coding and then, but now running VP of Security, you've seen a lot of stuff. >> Oh. >> You've seen the good, bad, and the ugly. (laughing) >> Yeah, fun business. >> It is. >> You guys did Hangover, right? >> Yes. >> Dark Knight. >> Yes. >> Some really cool videos. >> Good stuff there, yeah. And it's just amazing cause, you know, how much technology has changed over the years and starting back out in the mid-eighties and early nineties. Sometimes I'm just like, oh, if I could only go back to the IPXSX days and just get rid of botnets and things like that. (laughing) That'd be so much easier. Right? >> The big conversation we're having here, obviously, is Amazon's Security Conference. What's your take on it? Again, security's not new, but their trying to bring this vibe of shared responsibility. Makes sense because they've got half of the security equation, but you're seeing a lot of people really focusing on security. What's your take of, so far, as an attendee? >> Well, as we look and, cause I like to go to these different things. One, first to thank everybody for coming because it's a huge investment of time and money to be at these different shows, but I go to every single booth to kind of take a look to see where they are cause sometimes when we look at some of the different technology, they may have this idea of what they want the company to be and they're maybe only a couple years old, but we may see it as a totally different application and like to take those ideas and innovate them and steer them in another direction that kind of best suits our needs. But a lot of times you see a lot of replay of the same things over and over again. A lot of folks just kind of miss some of the general ideas. And, um, this particular floor that we have, there's some interesting components that are out there. There's a lot of folks that are all about configuration management and auto correction of misconfigured environments and things like that. Which is good, but I think when we look at the shared responsibility model and so forth, there's some components that a lot of folks don't really understand they really have to embrace in their environment. They think, oh it's just a configuration management, it's just a particular checklist or some other things that may fix something, but we really got to talk about the roots of some of the other things because if it's not in your data center and it's out somewhere else, doesn't mean you transfer the liability. You still have the ownership, there's still some practice you got to focus on. >> Take us through the Cloud journey with Legendary. You put some exchange service out there. Continue. >> Yes, and so as we started bringing these other different SaaS models because we didn't want to have the risk of if something went down we lost everything, but as we did that and started embracing Shadow IT, because if this worked for this particular department, we realized that there wasn't necessarily a applicable way to manage all of those environments simultaneous. What we mean after the standpoint, like we mentioned before, the MFA for each of these different components of the Cloud applications. So that naturally led us into something like single sign-on that we can work with that. But as we started looking at the single sign-on and the device management, it wasn't so much that I can't trust you devices, it's how do I trust your device? And so that's when we created this idea of a user-centric security architecture. So it's not necessarily a zero trust, it's more of a, how can I build a trust around you? So, if your phone trusts you based off of iometrics, let me create a whole world around that, that trust circle and build some pieces there. >> Okay, so, let me just interrupt and make sure we understand this. So, you decided to go Cloud-First. You had some stuff in colo and then said, okay, we need to really rethink how we secure our operations, right? So, you came up with kind of a new approach. >> Correct. >> Cloud approach. >> Absolutely. And it's Cloud and so by doing that then, trying to focus in on how we can build that trust, but also better manage the applications because, say for example, if I have a collaboration tool where all my files are, I may want to have some sort of protection on data loss prevention. Well, that Cloud application may have its own piece that I can orchestrate with, but then so does this one that's over here and this one over here and so now I've got to manage multiple policies in multiple locations, so as we were going down that piece, we had to say, how do we lasso the security around all these applications? And so, in that particular piece, we went ahead and we look forward at where is the technology is, so early on, all we had were very advanced sims where if I get reporting on user activity or anomalies, then I had limited actions and activities, which is fine, but then the CASB world ended up changing. Before, they were talking about Shallow IT, now they actually do policy enforcement, so then that allowed us to then create a lasso around our Cloud applications and say, I want to have a data loss prevention policy that says if you download 5,000 files within one minute, take this action. So, before, in our sim, we would get alert and there were some things we could do and some things we couldn't, but now in the CASB I can now take that as a piece. >> So more refined >> Exactly. >> in policy. Now, did you guys write that code? Did you build it out? Did you use Cloud? >> We work with a partner on help developing all this. >> So, when you think about where the CASBs were five years ago or so, it was all about, can we find Shadow IT? Can we find where social security numbers are? Not necessarily can I manage the environment. So, if you were take a step back to back in the old days when you had disparate in network architecture equipment, right? And you wanted to manage all your switches and firewalls, you had to do console on each and every one. Over time as it progressed, we now had players out there that can give you a single console that can get in and manage the entire network infrastructure, even if it's disparate systems. This is kind of what we're seeing right now within the Cloud, where on the cusp of it, some of then are doing really good and some of them still have a lot of things to catch up to do, but we're totally stoked about how this is working in this particular space. >> So, talk about, like, um, where you are now and the landscape that you see in front of you. Obviously, you have services. I know you. We met through McAfee, you have other, some fenders. You have a lot of people knocking on your doors, telling you stuff. You want to be efficient with your team. >> Yes. >> You want to leverage the Cloud. >> Yes. >> As you look at the landscape and a future scape as well, what're you thinking about? What's on your mind? What's your priorities? How're you going to navigate that? What're some of the things that's driving you? >> (sighing) It's a cornucopia of stuff that's out there. (laughing) Depending on how you want to look at it. And you can specialize in any particular division, but the biggest things that we really want to focus on is we have to protect out data, we have to protect our devices, and we have to protect our users. And so that's kind of that mindset that we're really focused on on how we integrate. The biggest challenges that we have right now is not so much the capability of the technology, because that is continually to evolve and it's going to keep changing. The different challenges that we have when we look in some of these different spaces is the accountability and the incorporation and cooperation because a incident's going to happen. How are you going to engage in that particular incident and how are you going to take action? Just because we put something in the Cloud doesn't mean it was a set and forget kind of thing. Because if it was in my data center, then I know I have to put perimeter around it, I know I got to do back-ups, I know I got to do patch management, but if I put it in the Cloud, I don't have to worry about it. That is not the case. So, what we're finding a lot is, some of these different vendors are trying to couch that as, hey we'll take care of that for you, but in fact, reality is is you got to stay on top of it. >> Yeah. And then you got to make sure all the same security practices are in there. So, the question I have for you is: what's the security view of the Cloud versus on premise (muttering) the data's in the perimeter, okay that's kind of an older concept, but as your thinking about security in Cloud, Cloud security versus on premise, what's the difference? What's the distinction? What's the nuances? >> Well, if we go old-school versus new-school, old-school would say, I can protect every thing that's on prem. That's not necessarily the case that we see today because you have all this smart technology that's actually coming in and is eliminating your perimeter. I mean, back in the day you could say, hey, look, we're not going to allow any connections, inbound or outbound, to only outside the United States cause we're just a U.S.-based company. Well, that's a great focus, but now when you have mobile devices and smart technology, that's not what's happening. So, in my view, there's a lot of different things that you may actually be more secure in the Cloud than you are with things that are on prem based off of the architectural design and the different components that you can put in there. So, if you think about it, if I were to get a CryptoLocker in house, my recovery time objective, recovery point objective is really what was my last back-up. Where if I look at it in the Cloud perspective, it's where was my last snapshot? (stuttering) I may have some compliance competes on there that records the revision of a file up to 40 times or 120 times, so if I hit that CryptoLocker, I have a really high probability of being able to roll back in the Cloud faster than I could if I lost something that was in prem. So, idly, there's a lot more advantages in going with the Cloud than on prem, but again, we are a Cloud-First company. >> Is bad user behavior still your biggest challenge? >> Is it ever! I get just some crazy, stupid things that just happen. >> The Cloud doesn't change that, right? >> No! (laughing) No, you can't change that with technology, but a lot of it has to be with education and awareness. And so we do have a lot of very restrictive policies in our workforce today, but we talk to our users about this, so they understand. And so when we have things that are being blocked for a particular reason, the users know to call us to understand what had happened and in many cases it's, you know, they clicked on a link and it was trying to do a binary that found inside of a picture file of all things on a web browser. Or they decided that they wanted to have the latest Shareware file to move mass files and then only find out that they downloaded it from an inappropriate site that had binaries in it that were bad and you coach them to say, no this is a trusted source, this is the repository where we want you to get these files. But my favorite though is, again, being Cloud-First, there's no reason to VPN into our offices for anything because everything is out there and how we coordinate, right? But we do have VPN set up for when we travel to different countries with regards to, as a media company, you have to stream a lot of different things and, so, if we're trying to pitch different pieces that we may have on another streaming video-on-demand service, some of those services and some of those programmings may not be accessible into other countries or regions of the world. So, doing that allows us to share that. So, then, a lot of times, what we find is we have offices and users that're in different parts of the world that will download a free VPN. (laughing) Because they want to to be able to get to certain types of content. >> Sounds good. >> And then when you're looking at that VPN and that connection, you're realizing that that VPN that they got for free is actually be routed through a country that is not necessarily friendly to the way we do business. They're like, okay, so you're pushing all of our data through that, but we have to work through that, there's still coaching. But fortunately enough, by being Cloud-First, and being how things are architected, we see all that activity, where if was all in prem, we wouldn't necessarily know that that's what they were doing, but because of how the user-centric piece is set-up, we have full visibility and we can do some coaching. >> And that's the biggest issue you've got. Bigtime, yes? Visibility. >> What's a good day for a security practitioner? >> (laughing) A good day for a security practitioner. Well, you know, it's still having people grumpy at you because if they're grumpy at you, then you know you're doing you job, right? Because if everybody loves the security guy, then somebody's slipping something somewhere and it's like, hey, wait a minute, are you really supposed to be doing that? No, not necessarily. A good day is when your users come forward and say, hey, this invoice came in and we know that this isn't out invoice, we want to make sure we have it flagged. And then we can collaborate and work with other studios and say, hey, we're seeing this type of vector of attack. So, a good day is really having our users really be a champion of the security and then sharing that security in a community perspective with the other users inside and also communicating back with IT. So, that's the kind of culture we want to have within out organization. Because we're not necessarily trying to be big brother, we want to make it be able to run fast because if it's not easy to do business with us, then you're not going to do business with us. >> And you guys have a lot of suppliers here at the re:Inforce conference. Obviously, Amazon, Cloud. What other companies you working with? That're here. >> That're here today? Well, CrowdStrike is a excellent partner and a lot of things. We'll have to talk on that a little bit. McAfee, with their MVISION, which was originally sky-high, has just been phenomenal in our security architecture as we've gone through some of the other pieces. We do have Alert Logic and also Splunk. They're here as well, so some great folks. >> McAfee, that was the sky-high acquisition. >> That is correct and now it's MVISION. >> And that's the Cloud group within McAfee. What do they do that you like? >> They brought forth the Cloud access security broker, the CASB product, and one of the things that has just been fascinating and phenomenal in working with them is when we were in evaluation mode a couple of years ago and were using the product, we're like, hey, this is good, but we'd really like to use it in this capacity. Or we want to have these artifacts of this intelligence come out of the analytics and, I kid you not, two weeks later the developers would put it out there in the next update and release. And it was like for a couple of months. And we're like, they're letting us use this product for a set period of time, they're listening to what we're asking for, we haven't even bought it, but they're very forward-thinking, very aggressive and addressing the specific needs from the practitioner's view that they integrated into the product. It was no-brainer to move forward with them. And they continue to still do that with us today. >> So that's a good experience. I always like to ask practitioners, what're some things that vendors are doing that either drive your crazy or they shouldn't be doing? Talk to them and say, hey, don't do this or do this better. >> Well, when you look at your stop-doing and your start doing list and how do you work through that? What really needs to be happening is you need your vendor and your account manager to come out on-site once a quarter to visit with you, right? You're paying for a support on an annual basis, or however it is, but if I have this Cloud application and that application gets breached in some way, how do I escalate that? I know who my account manager is and I know the support line but there needs to be an understanding and an integration into my incidents response plan as when I pick up the phone, what' the number I dial? And then how do we engage quickly? Because now where we are today, if I were to have breach, a compromised system administrator account, even just for 20 minutes, you can lose a lot of data in 20 minutes. And you think about reputation, you think about privacy, you think about databases, credit cards, financials. It can be catastrophic in 20 minutes today with the high-speed rates we can move data. So, my challenge back to the vendors is once a quarter, come out and visit me, make sure that I have that one sheet about what that incident response integration is. Also, take a look at how you've implemented Am I still on track with the artchitecture? Am I using the product I bought from you effectively and efficiently? Or is there something new that I need to be more aware of? Because a lot of times what we see is somebody bought something, but they never leveraged the training, never leveraged the support. And they're only using 10% of the capability of the product and then they just get frustrated and then they spend money and go to the next product down the road, which is good for the honeymoon period, but then you run into the same process again. So, a lot of it really comes back to vendor management more so than it is about the technology and the relationship. >> My final question is: what tech are you excited about these days? Just in general in the industry. Obviously security, you've got the Cloud, you're Cloud-First, so you're on the cutting edge, you've got some good stuff going on. You've got a historical view. What's exciting you these days from a tech perspective? >> Well, over the last couple of years, there's been two different technologies that have really started to explode that I really am excited about. One was leveraging smart cameras and facial recognition and integrating physical stock with cyber security stock. So, if you think about from another perspective, Cameras, surveillance today is, you know, we rewind to see something happen, maybe I can mark something. So, if somebody jumped over a fence, I can see cause it crossed the line. Now the smart cameras over the last three or four or five years have been like, if I lost a child in a museum, I could click on child, it tells me where it is. Great. Take that great in piece and put it in with your cyber, so now if you show up on my set or you're at one of our studios, I want the camera to be able to look at your face, scrub social media and see if we can get a facial recognition to know who you are and then from that particular piece, say okay, has he been talking trash about our movies? Is he stalking one of our talent? From those different perspectives. And then, moreover, looking at the facial expression itself. Are you starstruck? Are you angry? Are you mad? So, then that way, I know instantly in a certain period of time what the risk is and so I can dispatch appropriately to have security there or just know that this person's just been wandering around because they're a fan and they want to know something. So, maybe one of those things where we can bring them a t-shirt and they'll move on onto their way and they're happy. Versus somebody that's going to show up with a weapon and we have some sort of catastrophic event. Now, the second technology that I'm really pretty excited about. Is when we can also talk a little about with the Five G technology. So, when everybody talk about FIJI, you're like, oh, hey, this is great. This is going to be faster, so why are we all stoked about things being super, super fast on cellular? That's the technical part. You got to look at the application or the faculty of things being faster. To put it into perspective, if you think about a few years ago when the first Apple TV came out, everybody was all excited that I could copy my movies on there and then watch it on my TV. Well, when internet and things got faster, that form factor went down to where it was just constantly streaming from iTunes. Same thing with the Google Chrome Cast or the Amazon Fire Stick. There's not a lot of meat to that, but it's a lot of streaming on how it works. And so when you think about the capability from that perspective, you're going to see technology change drastically. So, you're smartphone that holds a lot of data is actually probably going to be a lot smaller because it doesn't have to have all that weight to have all that stuff local because it's going to be real-time connection, but the fascinating thing about that, though, is with all that great opportunity also comes great risk. So, think about it, if we were to have a sphere and if we had a sphere and you had the diameter of that sphere was basically technology capability. As that diameter grows, the volume of the technology that leverages that grows, so all the new things that come in, he's building. But as that sphere continue to grow, what happens is the surface is your threat. Is your threat vector. As it continue to grow, that's going to continue to grow. (stuttering) There's a little but of exponential components, but there's also a lot of mathematical things on how those things relate and so with Five G, as we get these great technologies inside of our sphere, that threat scape on the outside is also going to grow. >> Moore's law in reverse, basically. >> Yeah. >> Surface area is just balloon to be huge. That just kills the perimeter argument right there. >> It does. >> Wow. And then we heard from Steve and Schmidt on the keynote. They said 90% of IOT data, thinking about cameras, is HTTP, plain text. >> Exactly. And it's like, what're you-- >> Oh, more good news! >> Yeah. (laughing) >> At least you'll always have a job. >> Well, you know, someday-- >> It's a good day in security. Encrypt everywhere, we don't have time to get into the encrypt everywhere, but quick comment on this notion of encrypting everything, what's your thoughts? Real quick. (sighing) >> All right, so. >> Good, bad, ugly? Good idea? Hard? >> Well, if we encrypt everything, then what does it really mean? What're we getting out? So, you remember when everybody was having email and you had, back in the day, you had your door mail, netscape navigator and so forth, and thought, oh, we need to have secure email. So then they created all these encryption things in the email, so then what happens? That's built into the applications, so the email's no longer really encrypted. >> Yeah. >> Right? So I think we're going to see some things like that happening as well. Encryption is great, but then it also impedes progress when it comes to forensics, so it's only good until you need it. >> Awesome. >> Dan, thanks so much here on the insights. Great to have you on The Cube, great to get your insights and commentary. >> Well, thank you guys, I really appreciate it. >> You're welcome. >> All right, let's expecting to steal is from noise, talking to practitioner CSOs here at re:Inforce. Great crowd, great attendee list. All investing in the new Cloud security paradigm, Cloud-First security's Cube's coverage. I'm John Furrier, Dave Vellante. Stay tuned for more after this short break. (upbeat music)