Misha Govshteyn, Alert Logic | RSA North America 2018


 

(upbeat music)

>> Announcer: From downtown San Francisco, it's theCUBE covering RSA North America 2018.

>> Hey welcome back everybody, Jeff Frick here with theCUBE. We're at RSA's North American Conference 2018 at downtown San Francisco. 40,000 plus people talking about security. Security continues to be an important topic, an increasingly important topic, and a lot more complex with the, having a public cloud, hybrid cloud, all these APIs and connected data sources. So, it's really an interesting topic, it continues to get complex. There is no right answer, but there's a lot of little answers to help you get kind of closer to nirvana. And we're excited to have Misha Govshteyn. He's the co-founder and SVP of Alert Logic, CUBE alumni, it's been a couple years since we've seen you, Misha, great to see you again.

>> That's right, I'm glad to be back, thank you.

>> Yeah, so since we've seen you last, nothing has happened more than the dominance of public cloud and they continue to eat up--

>> I think I predicted it on my past visits.

>> Did you predict it? Wow that's good.

>> But I think it happened.

>> But it's certainly happening, right. Amazon's AWS' run rate is 20 billion last reported. Google's making moves.

>> Their conference is bigger than ours right now.

>> Is it?

>> That's 45,000 people.

>> Yeah, it's 45,000, re:Invent, it's nuts, it's crazy. And then obviously Microsoft's making big moves, as is Google cloud. So, what do you see from the client's perspective as the dominance of public cloud continues to grow, yet they still have stuff they have to keep inside? We have our GDPR regs are going to hit in about a month.

>> Well one thing's for sure is, it's not getting any easier, right? Because I think cloud is turning things upside down and it's making things disruptive, right, so there's a lot of people that are sitting there and looking at their security programs, and asking themselves, "Does this stuff still work? When more and more of my workloads are going to cloud environments? Does security have to change?" And the answer is obviously, it does but it always has to change because the adversaries are getting better as well, right.

>> Right.

>> There's no shortage of things for people to worry about. You know when I talk to security practitioners, the big thing I always hear is, "I'm having a good year if I don't get fired."

>> Well it almost feels like it's inevitable, right? It's almost like you're going to, it seems like you're going to get hit. At some way, shape, or form you're going to get hit. So it's almost, you know how fast can you catch it? How do you react?

>> That's a huge change from five years ago, right? Five years ago we were still kind of living in denial thinking that we can stop this stuff. Now it's all about detection and response and how does your answer to the response process works? That's the reason why, you know last year, I think we saw a whole bunch of noise about, you know machine learning and anomaly detection, and AI everywhere and a whole lot of next-generation antivirus products. This year, it seems like a lot of it is, a lot of the conversation is, "What do I do with all this stuff? How do I make use of it?"

>> Well then how do you leverage the massive investment that the public cloud people are making? So, you know, love James Hamilton's Tuesday night show and he talks about just the massive investments Amazon is making in networking, in security, and you know, he's got so many resources that he can bring to bear, to the benefit of people on that cloud. So where does the line? How do I take advantage of that as a customer? And then where are the holes that I need to augment with other types of solutions?

>> You know here's the way I think about it. We had to go through this process at Alert Logic internally as well. Because we obviously are a fairly large IT organization, so we have 20 petabytes of data that we manage. So at some point we had to sit down and say, "Are we going to keep managing things the way we have been or are we going to overhaul the whole thing?" So, I think what I would do is I would watch where my infrastructure goes, right. If my infrastructure is still on-prem, keep investing in what you've been doing before, get it better, right? But if you're seeing more and more of your infrastructure move to the cloud, I think it's a good time to think about blowing it up and starting over again, right? Because when you rebuild it, you can build it right, and you can build it using some of the native platform offerings that AWS and Azure and GCP offer. You can work with somebody like Alert Logic. There's others as well right, to harness those abilities. I'll go out on a limb and say I can build a more secure environment now in a cloud than I ever could on-prem, right. But that requires rethinking a bunch of stuff, right.

>> And then the other really important thing is you said the top, the conversation has changed. It's not necessarily about being 100% you know locked down. It's really incident response, and really, it's a business risk trade-off decision. Ultimately it's an investment, and it's kind of like insurance. You can't invest infinite resources in security, and you don't want to just stay at home and not go outside. Now that's not going to get it done. So ultimately, it's trade-offs. It's making very significant trade-off decisions as to where's the investment? How much investment? When is the investment then hit a plateau where the ROI is not there anymore? So how do people think through that? Because, the end of the day there's one person saying, "God, we need more, more, more." You know, anything is bad. At the other hand, you just can't use every nickel you have on security.
>> So I'll give you two ends of the spectrum right, and on one end are those companies that are moving a lot of their infrastructure to the cloud and they're rethinking how they're going to do security. For them, the real answer becomes it's not just the investment in technology, and investing into better getting information from my cloud providers, getting a better security layer in place. Some of it is architecture right, and some of the basics right, there's thousands of applications running in most enterprises. Each one of those applications on the cloud, could be in its own virtual private cloud, right. So if it gets broken into, only one domino falls down. You don't have this scenario where the entire network falls down, because you can easily move laterally. If you're doing things right in the cloud, you're solving that problem architecturally, right. Now, aside from the cloud, I think the biggest shift we're seeing now, is towards kind of focusing on outcomes, right. You have your technology stack, but really it's all about people, analytics, data. What do you, how do you make sense of all this stuff? And this is classic I think, with the Target breach and some of the classic breaches we've seen, all the technology in the world, right? They had all the tools they needed. The real thing that broke down is analytics and people.

>> Right, and people. And we hear time and time again where people had, like you said, had the architecture in place, had the systems in the place, and somebody mis-configured a switch. Or I interviewed a gal who did a live social hack at Black Hat, just using some Instagram pictures and some information on your browser. No technology, just went in through the front door, said, you know, hey, "I'm trying to get the company picnic site up, can you please test this URL?" She's got a 100% hit rate! But I think it's really important, because as you said, you guys offer not only software solutions, but also services to help people actually be successful in implementing security.

>> And the big question is, if somebody does that to you, can you really block it? And the answer a lot of times is, you can't. So the next battlefront is all about can you identify that kind of breach happening, right? Can you identify abnormal activity that starts to happen? You know, going back to the Equifax breach, right, one of the abnormal things that happened that they should've seen and for some reason didn't, you know, 30 web shells were stood up. Which is the telltale sign of, maybe you don't know how you got broken into, but because there's a web shell in your environment you know somebody's controlling your servers remotely, that should be one of those indicators that, I don't know how it happened, I don't know maybe I missed it and I didn't see the initial attack, but there's definitely somebody on a network poking around. There's still time, right? There's, you know for most companies, it takes about a hundred days on average, to steal the data. I think the latest research is if you can find the breach in less than a day, you eliminate 96% of the impact. That's a pretty big number right? That means that if you, the faster you respond, the better off you are. And most people, I think when you ask 'em, and you ask 'em, "Honestly assess your ability to quickly detect, respond, eradicate the threat." A lot of them will say, "It depends." But really the answer is "Not really."

>> Right, 'cause the other, the sad stat that's similar to that one, is usually it takes many, many days, months, weeks, to even know that you've been breached, to figure out the pattern, that you can even start, you know, the investigation and the fixing.

>> Somewhat not surprising, right? I don't think there's that many Security Operation Centers out there, right? There's not, you know, not every company has a SOC right? Not every company can afford a SOC. I think the latest number is, for enterprises, right, this is Fortune 2000, right, 15% of them have a SOC. What are the other 85% doing? You know, are they buying a slice of a SOC somewhere else? That's the service that we offer, but I think, suffice to say, there's not enough security people watching all this data to make sense of it right. That's the biggest battle I think going forward. We can't make enough people doing that, that requires a lot of analytics, right.

>> Which really then begs, for the standalone single enterprise, that they really need help, right? They're not going to be able to hire the best of the best for their individual company. They're not going to be able to leverage you know best-in-breed, which I think is kind of an interesting part of the whole open-source ethos, knowing that the smartest brains aren't necessarily in your four walls. That you need to leverage people outside those four walls. So, as it continues to morph, what do you see changing now? What are you looking forward to here at RSA 2018?

>> So I made some big predictions five years ago, so I'll say you know, five years from now, I think we're going to see a lot more companies outsource major parts of their security right, and that's just because you can't do it all in-house right. There's got to be a lot more specialization. There's still people today buying AI products right, and having machine learning models they invest in to, there's no company I'm aware of, unless they're, you know, maybe the top five financial firms out there, that should have a, you know, security focused data scientist on staff, right? And if you have somebody like that in your environment, you're probably not spending money the right way, right. So, I think security is going to get outsourced in a pretty big way. We're going to focus on outcomes more and more. I think the question is not going to be, "What algorithm are you using to identify this breach?" The question is going to be, "How good are you at identifying breaches?" Period. And some of the companies that offer those outcomes are going to grow very rapidly. And some of the companies that offer just, you know, picks and shovels, are going to probably not do nearly as well.

>> Right.

>> So five years from now, I'll come back and we'll talk about it then.

>> Well, the other big thing, that's going to be happening in a big way five years from now, is IoT and IIoT and 5G. So, the size of the attack surface, the opportunities to breach--

>> The data volume.

>> The data volume, and the impact. You know it's not necessarily stealing credit cards, it's taking control of somebody's vehicle, moving down the freeway. So, you know, the implications are only going to get higher.

>> We collect a lot of logs from our customers. Usually, the log footprint, grows at three times the rate of our revenue and customers, right. So, you know, thank god--

>> The log, the log--

>> The log volume grows--

>> volume that you're tracking for a customer, grows at three times your revenue for that customer?

>> That's right. I mean, they're not growing at three times that rate, annually right, but annually, you know, we've clocked anywhere between 200% to 300% growth in data that we collect from them, IoT makes that absolutely explode, right. You know, if every device out there, if you actually are watching it, and if you have any chance of stopping the breaches on IoT networks, you got to collect a lot of that data, that's the fuel for a lot of the machine learning models, because you can't put human eyes on small RTUs and you know, in factories. That means even more data.
>> Right, well and you know the model that we've seen in financial services and ad-tech, in terms of, you know, an increasing amount of the transactions are going to happen automatically, with no human intervention, right, it's hardwired stuff.

>> So I think it's that balance between data size and data volume, analytics, but most important, what do you feed the humans that are sitting on top of it? Can you feed them just the right signal to know what's a breach and what's just noise? That's the hardest part.

>> Right, and can you get enough good ones?

>> That's right.

>> Underneath your own, underneath your own shell, which is probably, "No", well, hopefully.

>> I think building this from scratch for every company is madness, right. There's a handful of companies out there that can pull it off, but I think ultimately everybody will realize, you know, I'm a big audio nerd so I looked it up, right, you used to build all of your own speakers, right. You'd buy a cabinet and you'd buy some tools, and you would build all the stuff. Now you go to the store and you buy an audio system, right?

>> Right, yeah, well at least audio, you had, speakers are interesting 'cause there's a lot of mechanical interpretations about how to take that signal and to make sound, but if you're making CDs you know you got to go, with the standard right? You buy Sonos now, and Sonos is a fully integrated system. What is Sonos for security, right? It doesn't exist yet. And that's, I think that's where Security as a Service is going. Security as a Service should be something you subscribe to that gives you a set of outcomes for your business, and I think that's the only way to consume this stuff. It's too complex for somebody to integrate from best-of-breed products and assemble it just the right way. I think the parallels are going to be exactly the same. I'm not building my car either, right? I'm going to buy one.
>> Alright Misha, well, thanks for the update, and hopefully we'll see you before five years, maybe in a couple and get an update.

>> We'll do some checkpoints along the way.

>> Alright. Alright, he's Misha, I'm Jeff. You're watching theCUBE from RSA North America 2018 in downtown San Francisco. Thanks for watching.

(techno music)

Published Date : Apr 18 2018
