Shawn Henry, CrowdStrike | CrowdStrike Fal.Con 2022
>> All right, we're back. We're wrapping up day two at Fal.Con 22 from the ARIA in Las Vegas, CrowdStrike, CrowdStrike. The action is crazy. Second day of keynotes. Shawn Henry is back. He's the chief security officer at CrowdStrike. He did a keynote today. Shawn, good to see you. Thanks for coming back. >> Good to see you, Dave. Thanks for having me. >> So, unfortunately, I wasn't able to see your keynote 'cause I had to come do CUBE interviews. You interviewed Kemba Walden from, from, you know, White House, right? >> National cyber security >> Director. We're gonna talk about that. We're gonna talk about Overwatch, your threat hunting report. I want to share the results with our audience, but start with your, well, actually start with the event. We're now in day two, you've had a good chance to talk to customers and partners. What are, what are your observations? >> Yeah, it's, first of all, it's been an amazing event, over 2200 attendees here. It's really taking top three floors at the ARIA hotel and we've got partners and customers, employees, and to see the excitement and the level of collaboration here is absolutely phenomenal. All these different organizations that each have a piece of cyber security, to see them coming together, all in support of how do you stop breaches, how do you work together to do it, it's really been absolutely phenomenal. >> You're gonna love the collaboration. We kind of talked about this on our earlier segment, is the industry has to do a better job and has been doing a better job. You know, I think you and Kevin laid that out pretty well. So tell me about the interview with, the fireside chat with Kemba. What was that like? What topics came up? >> Yeah. Kemba is the principal deputy national cyber security advisor. She's been there for just four months. She spent over 10 years at DHS, but she most recently came from the private sector in cybersecurity.
So she's got that, the experience as a private sector expert, as well as a public sector expert, and to see her come together in that position, it was great. We talked a lot about some of the strategies the White House is looking to put forth in their new cybersecurity strategy. There was recently an executive order, right, that the, the president put forth that talks about a lot of the things that we're doing here. So for example, the executive order talks about a lot of the legacy type of capabilities being put to pasture and about the government embracing cloud, embracing threat hunting, embracing EDR, embracing zero trust and identity protection. Those are all the things that the private sector has been moving towards over the last year or two. That's what this is all about here. But to see the White House put that out, that all government agencies will now be embracing that, I think it puts them on a much surer footing and it allows the government to be able to identify vulnerabilities before they get exploited. It allows them to much more quickly identify, have visibility and respond to, to threats. So the government infrastructure will be safer. And it was really nice to hear her talk about that and about how the private sector can work with the government. >> So you know how this works, you know, having been in the Bureau. But so it's the, these executive orders. A lot of times people think, oh, it's just symbolic. And there are a couple of aspects of it. One is President Biden really impressed upon the private sector to, you know, amp it up, to, to really focus and do a better job. But also, as you pointed out, that executive order can adjudicate what government agencies must do, must prioritize. So it's more than symbolic. It's actually taking action, isn't it? >> Yeah. I, I, I think it, I think it's both.
I think it's important for the government to lead in this area because while a, a large portion of infrastructure, major companies, they understand this, there is still a whole section of private sector organizations that don't understand this, and to see the White House roll it out, I think that's good leadership and that is symbolic. But then to your second point, to mandate that government agencies do this, it really pushes those that might be a bit reluctant. It pushes them forward. And I think this is the, the, the type of action that as it starts to roll out and people become more comfortable and they start to see the successes, they understand that they're becoming safer, that they're reducing risk. It really is kind of a self-fulfilling prophecy and we see things become much safer. >> Did, did you guys talk about Ukraine? Was that, was that off limits or did that come up at all? >> It wasn't, it wasn't off limits, but we didn't talk about it because there are so many other things we were discussing. We were talking about this, the cyber security workforce, for example, and the huge gap in the number of people who have the expertise, the capability and the, and the opportunities to them to come into cyber security, technology broadly, but then cyber security as a sub, sub-component of that. And some of the programs, they just had a big cyber workforce strategy. They invited a lot of people from the private sector to have this conversation about how do you focus on STEM? How do you get younger people? How do you get women involved? So getting maybe perhaps to the untapped individuals that would step forward and be an important stop gap and an important component to this dearth of talent, and it's absolutely needed. So that was, was one thing. There were a number of other things. Yeah. >> So I mean, pre-pandemic, I thought the number was 350,000 open cybersecurity jobs. I heard a number yesterday just in the US. And you might have even told me this, 7, 750.
So it's doubled in just pre to post isolation economy. I don't know what the stats are, but too big. Well, as a, as a CSO, how much can automation do to, to close that gap? You know, we were talking earlier on theCUBE about, you gotta keep the humans in the loop, you, you, the, the, the, the nirvana of the machines will just take care of everything is just probably not gonna happen anytime in the near term, even midterm or long term, but, but, but how can automation play and help close that gap? >> So the, the automation piece is, is what allows this to scale. You know, if we had one company with a hundred endpoints and we had a couple of folks there, you could do it with humans, a lot of it. When you're talking about hundreds of millions of endpoints spread around the globe, you're talking about literally trillions of events every week that are being identified, evaluated and determined whether they're malicious or not. You have to have automation and to have, using the cloud, using AI, using machine learning, to sort through, and really look for the malicious needle in a stack of needles. So you've gotta get that fidelity, that fine-tuned review. And you can only do that with automation. What you gotta remember, Dave, is that there's a human being at the end of every one of these attacks. So we've got the bad guys, have humans there, they're using the technology to scale. We're using the technology to scale to detect them. But then when you get down to the really malicious activity, having human beings involved is gonna take it to another level and allow you to eradicate the adversaries from the environment. >> Okay. So they'll use machines to knock on the door. When that door gets opened and they're in, and they're saying, okay, where do we go from here? And they're directing strategy. Absolutely. I, I spent, I think gave me a stat, I, I wonder if I wrote it down correctly, 2 trillion events per day. Yeah. That you guys see, is that, I write that down right? >> You did.
It changes just like the number of jobs. It changes. When I started talking about this just a, a year and a half ago, it was a billion a day. And when you look at how it's multiplied exponentially, and that will continue because of the number of applications, because of the number of devices, as that gets bigger, the number of events gets bigger. And that's one of the problems that we have here, is the spread of the network. The vulnerability, the environment is getting bigger and bigger and bigger. As it gets bigger, more opportunities for bad guys to exploit vulnerabilities. >> Yeah. And we, we were talking earlier about IoT and extending, you know, that, that threat surface as well. Talk about the Overwatch threat hunting report. What is that? How, how often have you run it? And I'd love to get into some of the results. >> Yeah. So Overwatch is a service that we offer where we have 24 by seven threat hunters that are operating in our customer environments. They're hunting, looking for, looking for malicious activity, malicious behavior. And to the point you just made earlier, where we use automation to sort out and filter what is clearly bad, when an adversary does get what we call fingers on the keyboard, so they're in the box and now a human being, they get a hit on their automated attack. They get a hit that, hey, we're in, it's kind of the equivalent of looking at the bobber while you're fishing. Yeah. When you see the bobber move, then the fisherman jumps up from his nap and starts to reel it in. Similar, they jump on the keyboard, fingers on the keyboard. Our Overwatch team is detecting them very, very quickly. So we found 77,000 potential intrusions this past year in 2021, up to the end of June, one, one every seven minutes, from those detections. >> When we saw these detections, we were able to identify unusual adversary behavior that we'd not necessarily seen before. We call it indicators of attack. What does that mean?
It means we're seeing an adversary taking a new action, using a new tactic. Our Overwatch team can take that from watching it to human beings. They take it, they give it to our, our engineering team and they can write detections, which now become automated, right? So you have, you have all the automation that filters out all the bad stuff. One gets through, a bad guy jumps up, he's on the keyboard. And now he's starting to execute commands on the system. Our team sees that, pulls those commands out. They're unusual. We've not seen 'em before. We give it to our engineering team. They write detections that now all become automated. So because of that, we stopped over, with the 77,000 attacks that we identified, we stopped over a million new attacks that would've come in and exploited a network. So it really is kind of a big circle where you've got human beings and intelligence and technology, all working together to make the system smarter, to make the people smarter and make the customers safer. >> And you're seeing new IOAs pop up all the time, and you're able to identify those and, and codify 'em. Now you've announced at re:Inforce, I, I, in July in Boston, you announced the threat hunting service, which is also, I think, part of your, you're the president as well of that services division, right? So how's that going? What, what's happening there? >> What we announced. So we've, the Overwatch team has been involved working in customer environments and working on the back end in our cloud for many years. What we've announced is this cloud hunting, where, because of the adoption of the cloud and the movement to the cloud of so many organizations, they're pushing data to the cloud, but we're seeing adversaries really ramp up their attacks against the cloud.
So we're hunting in Google Cloud, in Microsoft Azure cloud, in AWS, looking for anomalous behavior, very similar to what we do in customer environments, looking for anomalous behavior, looking for credential exploitation, looking for lateral movement. And we are having a great success there because as that target space increases, there's a much greater need for customers to ensure that it's protected. >> So the cloud obviously is very secure. You got some of the best experts in the planet inside of hyperscale companies. So, and whether it's physical security or logical security, they're obviously, you know, doing a good job. Is the weakness the seams between where the cloud provider leaves off and the customer has to take over, that shared responsibility model? You know, misconfiguring an S3 bucket is the, you know, the common one, but I'm sure there are like a zillion others. Where's that weakness? >> Yeah. That, that's exactly right. We see, we see oftentimes the IT piece enabling the cloud piece and there's a connectivity there, and there is a seam there. Sometimes we also see misconfiguration, and these are some of the things that our, our cloud hunters will find. They'll identify, again, the equivalent of, of walking down the hallway and seeing a door that's unlocked, making sure it's locked before it gets exploited. So they may see active exploitation, which they're negating, but they also are able to help identify vulnerabilities prior to them getting exploited. And, you know, the ability for organizations to successfully manage their infrastructure is a really critical part of this. It's not always malicious actors. It's identifying where the infrastructure can be shored up, make it more resilient so that you can prevent some of these attacks from happening. >> I heard, heard this week earlier, something I hadn't heard before, but it makes a lot of sense, you know, patch Tuesday means hack Wednesday.
And, and so I, I presume that the, the companies releasing patches is like a signal to the bad guys that, hey, you know, free for all, go, because people aren't necessarily gonna patch. And then the SolarWinds customers are now circumspect about patches. The very patches that are supposed to protect us, with the SolarWinds hack, were the cause of the malware getting in and, you know, reforming, et cetera. So that's a complicated equation. >> Yeah. It, it certainly is. A couple, couple parts there to unwind. First, when you, you think about patch Tuesday, there are adversaries often, not always, that are already exploiting some of those vulnerabilities in the wild. So it's a zero day. It's not yet been patched, in some cases hasn't yet been identified. So you've got people who are actively exploiting it. We've found zero days in the course of our threat hunting. We report them in a, in a, in a responsible way. We've gone to Microsoft. We've told them a couple times in the last few months that we found a zero day and give them an opportunity to patch that before anybody goes public with it, because, absolutely right, when it does go public, those that didn't know about it before recognize that there will be millions of devices, depending on the, the vulnerability, that are out there and exploitable. And they will absolutely, it will tell everybody that you can now go to this particular place. And there's an opportunity to gain access, to exploit privileges, depending on the criticality of the patch. >> I, I don't, I, I don't, I'm sorry to generalize, but I wanna ask you about the hacker mindset. Let's say that, what you just described, a narrow set of hackers knows that there's an unpatched, you know, vulnerability, and they're making money off of that. Will they keep that to themselves? Will they share that with other folks in the net? Will they sell that information? Or is it, is it one of those, it depends? >> It, I was just gonna say, it depends. You, you beat me to it.
It absolutely depends. All of, all of the above would be the answer. We certainly see organ, now a nation state, for example, would absolutely keep that to themselves. Yeah. Right. Their goal is very different from an organized crime group, which might sell access. And we see them all the time in the underground selling access. That's how they make money. Nation states, they want to keep a zero day to themselves. It's something they're able to exploit, in some cases for months or years that, that, that vulnerability goes undetected. But a nation state is aware of it and exploiting it. It's a, it's a dangerous game. And it just, I think, exemplifies the importance of ensuring that you're doing everything you can to patch in a timely manner. >> Well, Shawn, we appreciate the work that you've done in your previous role and continuing to advance education, knowledge and protection in our industry. Thank you for coming on. >> Thank you for having me. This is a fantastic event. Really appreciate you being here and helping to educate folks. >> Yeah. You guys do, do a great job. Awesome set that you built, and look forward to future events with you guys. >> My friends, thanks so much, Dave. Yeah. Thank you. >> Bye now. All right. Appreciate it. All right, keep it right there. We're gonna wrap up in a moment. Live from Fal.Con 22. You're watching theCUBE.
Adam Meyers, CrowdStrike | CrowdStrike Fal.Con 2022
>> We're back at the ARIA Las Vegas. We're covering CrowdStrike's Fal.Con 22. First one since 2019. Dave Vellante and Dave Nicholson on theCUBE. Adam Meyers is here, he is the Senior Vice President of Intelligence at CrowdStrike. Adam, thanks for coming to theCUBE. >> Thanks for having me. >> Interesting times, isn't it? You're very welcome. Senior Vice President of Intelligence, tell us what your role is. >> So I run all of our intelligence offerings. All of our analysts, we have a couple hundred analysts that work at CrowdStrike tracking threat actors. There's 185 threat actors that we track today. We're constantly adding more of them and it requires us to really have that visibility and understand how they operate so that we can inform our other products: our XDR, our Cloud Workload Protections and really integrate all of this around the threat actor. >> So it's that threat hunting capability that CrowdStrike has. That's what you're sort of... >> Well, so think of it this way. When we launched the company 11 years ago yesterday, what we wanted to do was to tell customers, to tell people that, well, you don't have a malware problem, you have an adversary problem. There are humans that are out there conducting these attacks, and if you know who they are, what they're up to, how they operate, then you're better positioned to defend against them. And so that's really at the core, what CrowdStrike started with and all of our products are powered by intelligence. All of our services are our OverWatch and our Falcon Complete, all powered by intelligence because we want to know who the threat actors are and what they're doing so we can stop them. >> So for instance, like, you can stop known malware. A lot of companies can stop known malware, but you also can stop unknown malware. And I infer that the intelligence is part of that equation, is that right? >> Absolutely. That, that's the outcome.
That's the output of the intelligence but I could also tell you who these threat actors are, where they're operating out of, show you pictures of some of them, that's the threat intel. We are tracking down to the individual persona in many cases, these various threats whether they be Chinese nation state, Russian threat actors, Iran, North Korea, we track as I said, quite a few of these threats. And over time, we develop a really robust deep knowledge about who they are and how they operate. >> Okay. And we're going to get into some of that, the big four and cyber. But before we do, I want to ask you about the eCrime index stats, the ECX you guys call it, a little side joke for all your nerds out there. Maybe you could explain that, Adam. >> Assembly humor. >> Yeah right, right. So, but, what is that index? You guys, how often do you publish it? What are you learning from that? >> Yeah, so it was modeled off of the Dow Jones industrial average. So if you look at the Dow Jones it's a composite index that was started in the late 1800s. And they took a couple of different companies that were the industrial component of the economy back then, right. Textiles and railroads and coal and steel and things like that. And they use that to approximate the overall health of the economy. So if you take these different stocks together, swizzle 'em together, and figure out some sort of number you could say, look, it's up. The economy's doing good. It's down, not doing so good. So after World War II, everybody was exuberant and positive about the end of the war. The DJI goes up, the oil crisis in the seventies goes down, COVID hits goes up, sorry, goes down. And then everybody realizes that they can use Amazon still and they can still get the things they need, goes back up. With the eCrime index, we took that approach to say, what is the health of the underground economy?
When you read about any of these ransomware attacks or data extortion attacks there are criminal groups that are working together in order to get things spammed out or to buy credentials and things like that. And so what the eCrime index does is it takes 24 different observables, right? The price of a ransom, the number of ransom attacks, the fluctuation in cryptocurrency, how much stolen material is being sold for on the underground. And we're constantly computing this number to understand is the eCrime ecosystem healthy? Is it thriving or is it under pressure? And that lets us understand what's going on in the world and kind of contextualize it. Give an example, Microsoft on patch Tuesday releases 56 vulnerabilities. 11 of them are critical. Well guess what? After hack Tuesday. So after patch Tuesday is hack Wednesday. And so all of those 11 vulnerabilities are exploitable. And now you have threat actors that have a whole new array of weapons that they can deploy and bring to bear against their victims after that patch Tuesday. So that's hack Wednesday. Conversely we'll get something like the Colonial Pipeline. Colonial Pipeline attack May of '21, I think it was, comes out and all of the various underground forums where these ransomware operators are doing their business. They freak out because they don't want law enforcement. President Biden is talking about them and he's putting pressure on them. They don't want this ransomware component of what they're doing to bring law enforcement, bring heat on them. So they deplatform them. They kick 'em off. And when they do that, the ransomware stops being as much of a factor at that point in time. And the eCrime index goes down. So we can look at holidays, and right around Thanksgiving, which is coming up pretty soon, it's going to go up because there's so much online commerce with Cyber Monday and such, right? You're going to see this increase in online activity; eCrime actors want to take advantage of that.
When Christmas comes, they take vacation too; they're going to spend time with their families, so it goes back down and it stays down till around the end of the Russian Orthodox Christmas, which you can probably extrapolate why that is. And then it goes back up. So as it's fluctuating, it gives us the ability to really just start tracking what that economy looks like. >> Realtime indicator of that crypto. >> I mean, you talked about, talked about hack Wednesday, and before that you mentioned, you know, the big four, and I think you said 185 threat actors that you're tracking, is 180, is number 185 on that list? Somebody living in their basement in their mom's basement or are the resources necessary to get on that list? Such that it's like, no, no, no, no. this is very, very organized, large groups of people. Hollywood would have you believe that it's guy with a laptop, hack Wednesday, (Dave Nicholson mimics keyboard clacking noises) and everything done. >> Right. >> Are there individuals who are doing things like that or are these typically very well organized? >> That's a great question. And I think it's an important one to ask and it's both it tends to be more, the bigger groups. There are some one-off ones where it's one or two people. Sometimes they get big. Sometimes they get small. One of the big challenges. Have you heard of ransomware as a service? >> Of course. Oh my God. Any knucklehead can be a ransomwarist. >> Exactly. So we don't track those knuckleheads as much unless they get onto our radar somehow, they're conducting a lot of operations against our customers or something like that. But what we do track is that ransomware as a service platform because the affiliates, the people that are using it they come, they go and, you know, it could be they're only there for a period of time. Sometimes they move between different ransomware services, right? 
They'll use the one that's most useful for them that that week or that month, they're getting the best rate because it's rev sharing. They get a percentage that platform gets percentage of the ransom. So, you know, they negotiate a better deal. They might move to a different ransomware platform. So that's really hard to track. And it's also, you know, I think more important for us to understand the platform and the technology that is being used than the individual that's doing it. >> Yeah. Makes sense. Alright, let's talk about the big four. China, Iran, North Korea, and Russia. Tell us about, you know, how you monitor these folks. Are there different signatures for each? Can you actually tell, you know based on the hack who's behind it? >> So yeah, it starts off, you know motivation is a huge factor. China conducts espionage, they do it for diplomatic purposes. They do it for military and political purposes. And they do it for economic espionage. All of these things map to known policies that they put out, the Five Year Plan, the Made in China 2025, the Belt and Road Initiative, it's all part of their efforts to become a regional and ultimately a global hegemon. >> They're not stealing nickels and dimes. >> No they're stealing intellectual property. They're stealing trade secrets. They're stealing negotiation points. When there's, you know a high speed rail or something like that. And they use a set of tools and they have a set of behaviors and they have a set of infrastructure and a set of targets that as we look at all of these things together we can derive who they are by motivation and the longer we observe them, the more data we get, the more we can get that attribution. I could tell you that there's X number of Chinese threat groups that we track under Panda, right? And they're associated with the Ministry of State Security. There's a whole other set. That's too associated with the People's Liberation Army Strategic Support Force. 
So, I mean, these are big operations. They're intelligence agencies that are operating out of China. Iran has a different set of targets. They have a different set of motives. They go after North American and Israeli businesses right now that's kind of their main operation. And they're doing something called hack and lock and leak. With a lock and leak, what they're doing is they're deploying ransomware. They don't care about getting a ransom payment. They're just doing it to disrupt the target. And then they're leaking information that they steal during that operation that brings embarrassment. It brings compliance, regulatory, legal impact for that particular entity. So it's disruptive >> The chaos creators that's.. >> Well, you know I think they're trying to create a they're trying to really impact the legitimacy of some of these targets and the trust that their customers and their partners and people have in them. And that is psychological warfare in a certain way. And it, you know is really part of their broader initiative. Look at some of the other things that they've done they've hacked into like the missile defense system in Israel, and they've turned on the sirens, right? Those are all things that they're doing for a specific purpose, and that's not China, right? Like as you start to look at this stuff, you can start to really understand what they're up to. Russia very much been busy targeting NATO and NATO countries and Ukraine. Obviously the conflict that started in February has been a huge focus for these threat actors. And then as we look at North Korea, totally different. They're doing, there was a major crypto attack today. They're going after these crypto platforms, they're going after DeFi platforms. They're going after all of this stuff that most people don't even understand and they're stealing the crypto currency and they're using it for revenue generation. 
These nuclear weapons don't pay for themselves, their research and development don't pay for themselves. And so they're using that cyber operation to either steal money or steal intelligence. >> They need the cash. Yeah. >> Yeah. And they also do economic targeting because Kim Jong Un had said back in 2016 that they need to improve the lives of North Koreans. They have this national economic development strategy. And that means that they need, you know, I think only 30% of North Korea has access to reliable power. So having access to clean energy sources and renewable energy sources, that's important to keep the people happy and stop them from rising up against the regime. So that's the type of economic espionage that they're conducting. >> Well, those are the big four. If there were big five or six, I would presume US and some Western European countries would be on there. Do you track, I mean, where United States obviously has you know, people that are capable of this we're out doing our thing, and- >> So I think- >> That defense or offense, where do we sit in this matrix? >> Well, I think the big five would probably include eCrime. We also track India, Pakistan. We track actors out of Colombia, out of Turkey, out of Syria. So there's a whole, you know this problem is getting worse over time. It's proliferating. And I think COVID was also, you know a driver there because so many of these countries couldn't move human assets around because everything was getting locked down. As machine learning and artificial intelligence and all of this makes its way into the cameras at border and transfer points, it's hard to get a human asset through there. And so cyber is a very attractive, cheap and deniable form of espionage and gives them operational capabilities, not, you know and to your question about US and other kind of Five Eyes friendly type countries we have not seen them targeting our customers. So we focus on the threats that target our customers. >> Right.
>> And so, you know, if we were to find them at a customer environment sure. But you know, when you look at some of the public reporting that's out there, the malware that's associated with them is focused on, you know, real bad people, and it's, it's physically like crypted to their hard drive. So unless you have sensor on, you know, an Iranian or some other laptop that might be target or something like that. >> Well, like Stuxnet did. >> Yeah. >> Right so. >> You won't see it. Right. See, so yeah. >> Well Symantec saw it but way back when right? Back in the day. >> Well, I mean, if you want to go down that route I think it actually came from a company in the region that was doing the IR and they were working with Symantec. >> Oh, okay. So, okay. So it was a local >> Yeah. I think Crisis, I think was the company that first identified it. And then they worked with Symantec. >> It was, they found it, I guess, a logic controller. I forget what it was. >> It was a long time ago, so I might not have that completely right. >> But it was a seminal moment in the industry. >> Oh. And it was a seminal moment for Iran because you know, that I think caused them to get into cyber operations. Right. When they realized that something like that could happen that bolstered, you know there was a lot of underground hacking forums in Iran. And, you know, after Stuxnet, we started seeing that those hackers were dropping their hacker names and they were starting businesses. They were starting to try to go after government contracts. And they were starting to build training offensive programs, things like that because, you know they realized that this is an opportunity there. >> Yeah. We were talking earlier about this with Shawn and, you know, in the nuclear war, you know the Cold War days, you had the mutually assured destruction. It's not as black and white in the cyber world. Right. Cause as, as Robert Gates told me, you know a few years ago, we have a lot more to lose.
So we have to be somewhat, as the United States, careful as to how much of an offensive posture we take. >> Well here's a secret. So I have a background on political science. So mutually assured destruction, I think is a deterrent strategy where you have two kind of two, two entities that like they will destroy each other if they so they're disinclined to go down that route. >> Right. >> With cyber I really don't like that mutually assured destruction >> That doesn't fit right. >> I think it's deterrence by denial. Right? So raising the cost, if they were to conduct a cyber operation, raising that cost that they don't want to do it, they don't want to incur the impact of that. Right. And think about this in terms of a lot of people are asking about would China invade Taiwan. And so as you look at the cost that that would have on the Chinese military, the PLA, the PLA Navy et cetera, you know, that's that deterrence by denial, trying to, trying to make the costs so high that they don't want to do it. And I think that's a better fit for cyber to try to figure out how can we raise the cost to the adversary if they operate against our customers against our enterprises and that they'll go someplace else and do something else. >> Well, that's a retaliatory strike, isn't it? I mean, is that what you're saying? >> No, definitely not. >> It's more of reducing their return on investment essentially. >> Yeah. >> And incenting them- disincenting them to do X and sending them off somewhere else. >> Right. And threat actors, whether they be criminals or nation states, you know, Bruce Lee had this great quote that was "be like water", right? Like take the path of least resistance, like water will. Threat actors do that too. So, I mean, unless you're super high value target that they absolutely have to get into by any means necessary, then if you become too hard of a target, they're going to move on to somebody that's a little easier. >> Makes sense. Awesome.
Really appreciate your, I could, we'd love to have you back. >> Anytime. >> Go deeper. Adam Meyers. We're here at Fal.Con 22, Dave Vellante, Dave Nicholson. We'll be right back right after this short break. (bouncy music plays)
Jessica Alexander, CrowdStrike | AWS re:Invent 2021
(upbeat music) >> Hey, welcome to theCUBE's coverage of AWS re:Invent 2021. I'm Lisa Martin, and I'm pleased to be joined by Jessica Alexander, who is the VP of Cloud Solutions Sales and Alliances at CrowdStrike. Jessica, welcome to the program. >> Thank you, Lisa. It's great to be here. >> So we're going to unpack a lot today, some news, what's going on with the threat landscape, what you're seeing across industries, but I want to get started talking a little bit about your team. As I mentioned, VP of Cloud Solutions Sales and Alliances. Talk to me about your team because you have a unique GTM here that I'd like to get into. >> Sure. Thank you, Lisa. Well, we recently launched our new cloud security products, Cloud Workload Protection and Horizon earlier this year. So we wanted to make sure that we accelerated our entry into this new product market, this new addressable market, and so we established not only a cloud sales specialist team that helps our core sellers as well as our partners sell our new cloud security products but we also wanted to make sure it was tightly integrated and aligned with our Cloud Alliances so specifically our co-sell relationship and partnership that we have with AWS. >> Got it. Let's talk about some of the things you mentioned, Aksino acceleration entering into the market. We saw a lot of acceleration in the last 20 months and counting, especially with respect to cloud adoption, digital transformation, but also the threat landscape things have accelerated. Wanted to get some information from you on what you've seen. We've seen and talked to a lot of folks on ransomware stats, you know, it's up nearly 11x in the first half of '21, but you guys have some unique stats and insights on that. Talk to me about what CrowdStrike is seeing with respect to that threat landscape and who it's impacting. >> Sure. You know, we have a unique perspective. 
CrowdStrike has millions of sensors out in our customer environments, they're feeding trillions of events into the cloud and we're able to correlate this data in real time, so this gives us a very unique perspective into what's happening in adversary activity out in the world. We also get feeds from our incident response teams that are actively responding to issues, as well as our Intel operatives out in the world. So, you know, we correlate these three sources of data into our threat graph in the cloud powered by AWS, which gives us very good insights into activity that we're seeing from an adversary perspective. So we also have a group called the OverWatch team, they are 24 by seven, you know, humans monitoring our cloud and monitoring our customer's networks to detect or, you know, get pre-breach activity information. And what they're seeing is that, you know, over this last year, an adversary is able to enter a network and move laterally into that network within one hour and 32 minutes. Now, you know, this is really fast, especially when you consider that in 2020, that average was four hours and 37 minutes for a threat actor to move laterally, you know, infiltrate a network and then move laterally. So, you know, the themes that we're seeing are adversaries are getting a lot faster and a lot more efficient, and, you know, as more companies are moving to remote work environments, you know, setting up virtual infrastructure for employees to use for work and productivity, you know, that threat landscape becomes more critical. >> Right? It becomes more critical. It becomes bigger. And of course we are in this work from anywhere environment that's going to last or some amount of it will persist permanently. 
So what you're saying is you're seeing a 4x increase in the speed with which adversaries can get in and laterally move within a network, so dramatically faster in a year over year period, where, so there's been so much flux in every market and of course in our lives, what are some of the things that you're helping customers do to combat this growing challenge? >> Well, it really goes back to being predictive and having that real time snapshot of what's going on and being able to proactively reach out to customers before anything bad happens and, you know, we're also seeing that ransomware continues to be an issue for customers, so, you know, having the ability to prevent these attacks and ransomware from happening in the first place and really taking the advantage that an adversary may have from a speed or intelligence perspective, taking that advantage away by having the Falcon Platform actively monitoring our customer environments is a big advantage. >> So let's talk about, speaking of advantages, what are you guys announcing at re:Invent this year? >> Sure. Well, we have two new service integrations with Amazon EKS, AWS Outpost and AWS FireLens to talk about this year. The cool thing is that, you know, customers are going to get our wonderful breach protection that we have, you know, the gold standard of breach protection, they'll have that available on various cloud services. And what it does is it provides consistent security and simplified operational management across AWS services, as customers extend those from public cloud to the data center, to the edge. And you know, the other great benefit is that it accelerates threat hunting, so we were talking about, you know, being able to predict and see what adversaries are doing. You know, one of the great customer benefits is that they can do that with their own teams and be able to do that on a cloud infrastructure as well.
>> And how much of the events of the last 20 months was a catalyst or were catalysts for these integrations that you just mentioned? I imagine the threat landscape growing ransomware becoming a 'when we get hit not if' would have been some of those catalysts. >> Well, you know, we're seeing that the adoption of cloud services, especially for end user computing is growing much faster than traditional on-prem desktops, laptops, as people continue to work remotely and customers need to be, or corporations need to be efficient at how they manage end user computing environments. So, you know, we are seeing that adversary activity is picking up, they're getting smarter about, you know, leveraging cloud services and potential misconfigurations, there're really four key areas that we see customers struggle with, whether it be, you know, the complexity of cloud services, whether it be shadow IT, and a lot of the security folks don't necessarily know where all the cloud services are being deployed, then you've got, you know, kind of the advanced techniques that adversaries are using to get into networks. And then, you know, last but certainly not least is skills shortage. We're finding that a lot of customers want a turnkey solution, where they don't have to have a team of cloud security specialists to respond or handle any misconfigurations or issues that come up. They want to have a turnkey solution, a team that's already watching and reaching out to them to say, "Hey, you may want to look into XYZ and update a policy, or, you know, activate this new, you know, this feature in the platform." >> Yeah. That real time, the ability to have something that's turnkey is critical in this day and age where things are moving so quickly, there's so much being accelerated, good stuff and bad stuff. 
But also you mentioned that cybersecurity skills gap, which is in its, I think it's in its fifth year now, which is a big challenge for organizations as this scattered, work from anywhere persists as does the growth of the threat landscape. Let's get into now, for, you mentioned the adoption of cloud services has gone up considerably in this interesting time period, how is CrowdStrike helping customers do that securely, migrate from on-prem to the cloud with that security and that confidence that their landscape is protected? >> Yeah, well, we find obviously in the shared responsibility model, the great thing is that, you know, CrowdStrike and AWS team up to help, you know, customers have a better together experience as they migrate to the cloud. AWS is obviously responsible for the security of the cloud and customers are responsible for the security in the cloud. And in speaking with our customers who are moving or have moved to cloud services, and they really want a trusted and simple platform to use when securing their data and applications. So what, you know, they also have hybrid environments that can get complex to support, and, you know, we want to be able to provide them with a unified platform, a unified experience, regardless of where the workload is running or what services that it's using. You know, they have that unified visibility and protection across all of the cloud workloads. We're also, you know, seeing that, especially the reason we're doing this great integration with Outpost and EKS Anywhere is that customers are, you know, taking their cloud services out to their data centers as well as to the edge locations and branch offices, so they want to be able to run EKS on their own infrastructure. So it's important that customers have that portability that regardless of whether it's a laptop or an EC2 instance or an EKS container, you know, they have that portability throughout the continuum of their cloud journey. 
>> That continuum is absolutely critical as we, you know, talk about cloud and application or continuum from the customer's perspective, the cloud continuum is something that is front and center for customers, I imagine in every industry. >> Oh, for sure, 'cause every industry is adopting cloud maybe at a different speed, maybe for different applications, but, you know, everybody's moving to the cloud. >> So talk to me about what you're announcing with AWS, let's get into a little bit about the partnership that CrowdStrike and AWS have, let's unpack that a bit. >> Sure. You know, we've been an AWS advanced technology partner for over five years. We've had our products, we now have six of our CrowdStrike products listed on AWS Marketplace. We're an active co-sell partner and, you know, have our security competency and our well-architected certification. And really it's about building trust with our customers. You know, AWS has a lot of wonderful partner products for customers to use and it's really about building trust that, you know, we're validated, we're vetted, we have a lot of customers who are using our products with AWS, and, you know, I think it's that tight collaboration, for example, if you look at what we're doing with Humio, we've implemented a quick start program, which AWS has to get customers quickly deployed with an integration or a new capability with a partner product. And what this does is it spins up a quick cloud formation template, customer can integrate it very quickly with the AWS FireLens and then, you know, all that log information coming from the AWS containers is easily ingested into the Humio platform. And so, you know, it really reduces the time to get the integration up and running as well as pulling all that data into the Humio platform so that customers can, like we said earlier, go back and threat hunt across, you know, different cloud service components in a quick and easy way. >> Quick and easy is good as is faster time to value.
You mentioned the word trust, and, you know, we talk about trust, we've been talking about it for years as it relates to technology, but I'm curious, Jessica, in the last year and a half, if your customer conversations have changed, is trust now even more important than ever as there are so many things in flux, have you noticed any sort of change there in your customer conversations? >> Well, you know, I think trust is extensible. And over the last 10 years, CrowdStrike's done a really great job of building customer trust. And, you know, we started out as, you know, kind of primarily EDR and we've moved into prevention and now we're moving into identity protection and XDR so, you know, I see a pattern that, you know, we've built this amazing core of trust across our existing customers, and as we offer more capabilities, whether it be, you know, cloud security or XDR, identity protection, you know, customers trust us and so they're very willing to say, "ah well, I want to try out these new capabilities that CrowdStrike has because we trust you guys, you know, you've done a lot to protect our brand and, you know, really make our internal teams a lot more efficient and a lot smarter." So, you know, I think while trust is important, it's also something that we get to carry forward as we enter new markets and continue to innovate and provide new capabilities for our customers. >> And really extending that trusted, valued partner relationship that you've already established with customers in every industry. So where can customers go? So the joint GTM customers, and you said products available in the AWS marketplace, but where do you recommend customers go to learn more about how they can work with these joint solutions that CrowdStrike and AWS have together? >> Absolutely. 
We have a landing page on AWS, if you Google AWS and CrowdStrike, whether it be marketplace or EKS Anywhere, Amazon outposts, we're on all the joint product pages with Amazon, as well as always going to crowdstrike.com and looking up our cloud security products. >> Got it. And last question for you, Jessica, summarize the announcement in terms of business outcomes that it's going to enable your joint customers to achieve. >> Absolutely. You know, I think it goes back to probably the primary reason is complexity. And, you know, with complexity comes risk and blind spots so being able to have a unified platform that no matter where the workload is, or the employee may be, they are protected and have, you know, a unified platform and experience to manage their security risk. >> Excellent. Jessica, thank you so much for coming on the program today, sharing with me, what's new with CrowdStrike, some of the things that you're seeing, and what you're helping customers to accomplish in a very dynamic environment, we appreciate your time and your insights. >> Thank you for having me, Lisa. >> For Jessica Alexander, I'm Lisa Martin, and you're watching theCUBE's coverage of AWS re:Invent 2021. (gentle music)
AWS reInvent Jessica Alexander
(upbeat music) >> Hey, welcome to theCUBE's coverage of AWS re:Invent 2021. I'm Lisa Martin, and I'm pleased to be joined by Jessica Alexander, who is the VP of Cloud Solutions Sales and Alliances at CrowdStrike. Jessica, welcome to the program. >> Thank you, Lisa. It's great to be here. >> So we're going to unpack a lot today, some news, what's going on with the threat landscape, what you're seeing across industries, but I want to get started talking a little bit about your team. As I mentioned, VP of Cloud Solutions Sales and Alliances. Talk to me about your team because you have a unique GTM here that I'd like to get into. >> Sure. Thank you, Lisa. Well, we recently launched our new cloud security products, Cloud Workload Protection and Horizon earlier this year. So we wanted to make sure that we accelerated our entry into this new product market, this new addressable market, and so we established not only a cloud sales specialist team that helps our core sellers as well as our partners sell our new cloud security products but we also wanted to make sure it was tightly integrated and aligned with our Cloud Alliances so specifically our co-sell relationship and partnership that we have with AWS. >> Got it. Let's talk about some of the things you mentioned, Aksino acceleration entering into the market. We saw a lot of acceleration in the last 20 months and counting, especially with respect to cloud adoption, digital transformation, but also the threat landscape things have accelerated. Wanted to get some information from you on what you've seen. We've seen and talked to a lot of folks on ransomware stats, you know, it's up nearly 11x in the first half of '21, but you guys have some unique stats and insights on that. Talk to me about what CrowdStrike is seeing with respect to that threat landscape and who it's impacting. >> Sure. You know, we have a unique perspective. 
CrowdStrike has millions of sensors out in our customer environments, they're feeding trillions of events into the cloud and we're able to correlate this data in real time, so this gives us a very unique perspective into what's happening in adversary activity out in the world. We also get feeds from our incident response teams that are actively responding to issues, as well as our Intel operatives out in the world. So, you know, we correlate these three sources of data into our threat graph in the cloud powered by AWS, which gives us very good insights into activity that we're seeing from an adversary perspective. So we also have a group called the OverWatch team, they are 24 by seven, you know, humans monitoring our cloud and monitoring our customer's networks to detect or, you know, get pre-breach activity information. And what they're seeing is that, you know, over this last year, an adversary is able to enter a network and move laterally into that network within one hour and 32 minutes. Now, you know, this is really fast, especially when you consider that in 2020, that average was four hours and 37 minutes for a threat actor to move laterally, you know, infiltrate a network and then move laterally. So, you know, the themes that we're seeing are adversaries are getting a lot faster and a lot more efficient, and, you know, as more companies are moving to remote work environments, you know, setting up virtual infrastructure for employees to use for work and productivity, you know, that threat landscape becomes more critical. >> Right? It becomes more critical. It becomes bigger. And of course we are in this work from anywhere environment that's going to last or some amount of it will persist permanently. 
So what you're saying is you're seeing a 4x increase in the speed with which adversaries can get in and laterally move within a network, so dramatically faster in a year over year period, where, so there's been so much flux in every market and of course in our lives, what are some of the things that you're helping customers do to combat this growing challenge? >> Well, it really goes back to being predictive and having that real time snapshot of what's going on and being able to proactively reach out to customers before anything bad happens and, you know, we're also seeing that ransomware continues to be an issue for customers, so, you know, having the ability to prevent these attacks and ransomware from happening in the first place and really taking the advantage that an adversary may have from a speed or intelligence perspective, taking that advantage away by having the Falcon Platform actively monitoring our customer environments is a big advantage. >> So let's talk about, speaking of advantages, what are you guys announcing at re:Invent this year? >> Sure. Well, we have two new service integrations with Amazon EKS, AWS Outpost and AWS Firelands to talk about this year. The cool thing is that, you know, customers are going to get our wonderful breach protection that we have, you know, the gold standard of breach protection, they'll have that available on various cloud services. And what it does is it provides consistent security and simplified operational management across AWS services, as customers extend those from public cloud to the data center, to the edge. And you know, the other great benefit is that it accelerates threat hunting, so we were talking about, you know, being able to predict and see what adversaries are doing. You know, one of the great customer benefits is that they can do that with their own teams and be able to do that on a cloud infrastructure as well. 
>> And how much of the events of the last 20 months was a catalyst or were catalysts for these integrations that you just mentioned? I imagine the threat landscape growing ransomware becoming a 'when we get hit not if' would have been some of those catalysts. >> Well, you know, we're seeing that the adoption of cloud services, especially for end user computing is growing much faster than traditional on-prem desktops, laptops, as people continue to work remotely and customers need to be, or corporations need to be efficient at how they manage end user computing environments. So, you know, we are seeing that adversary activity is picking up, they're getting smarter about, you know, leveraging cloud services and potential misconfigurations, there're really four key areas that we see customers struggle with, whether it be, you know, the complexity of cloud services, whether it be shadow IT, and a lot of the security folks don't necessarily know where all the cloud services are being deployed, then you've got, you know, kind of the advanced techniques that adversaries are using to get into networks. And then, you know, last but certainly not least is skills shortage. We're finding that a lot of customers want a turnkey solution, where they don't have to have a team of cloud security specialists to respond or handle any misconfigurations or issues that come up. They want to have a turnkey solution, a team that's already watching and reaching out to them to say, "Hey, you may want to look into XYZ and update a policy, or, you know, activate this new, you know, this feature in the platform." >> Yeah. That real time, the ability to have something that's turnkey is critical in this day and age where things are moving so quickly, there's so much being accelerated, good stuff and bad stuff. 
But also you mentioned that cybersecurity skills gap, which is in its, I think it's in its fifth year now, which is a big challenge for organizations as this scattered, work from anywhere persists as does the growth of the threat landscape. Let's get into now, for, you mentioned the adoption of cloud services has gone up considerably in this interesting time period, how is CrowdStrike helping customers do that securely, migrate from on-prem to the cloud with that security and that confidence that their landscape is protected? >> Yeah, well, we find obviously in the shared responsibility model, the great thing is that, you know, CrowdStrike and AWS team up to help, you know, customers have a better together experience as they migrate to the cloud. AWS is obviously responsible for the security of the cloud and customers are responsible for the security in the cloud. And in speaking with our customers who are moving or have moved to cloud services, and they really want a trusted and simple platform to use when securing their data and applications. So what, you know, they also have hybrid environments that can get complex to support, and, you know, we want to be able to provide them with a unified platform, a unified experience, regardless of where the workload is running or what services that it's using. You know, they have that unified visibility and protection across all of the cloud workloads. We're also, you know, seeing that, especially the reason we're doing this great integration with Outposts and EKS Anywhere is that customers are, you know, taking their cloud services out to their data centers as well as to the edge locations and branch offices, so they want to be able to run EKS on their own infrastructure. So it's important that customers have that portability that regardless of whether it's a laptop or an EC2 instance or an EKS container, you know, they have that portability throughout the continuum of their cloud journey.
>> That continuum is absolutely critical as we, you know, talk about cloud and application or continuum from the customer's perspective, the cloud continuum is something that is front and center for customers, I imagine in every industry. >> Oh, for sure, 'cause every industry is adopting cloud maybe at a different speed, maybe for different applications, but, you know, everybody's moving to the cloud. >> So talk to me about what you're announcing with AWS, let's get into a little bit about the partnership that CrowdStrike and AWS have, let's unpack that a bit. >> Sure. You know, we've been an AWS advanced technology partner for over five years. We've had our products, we now have six of our CrowdStrike products listed on AWS Marketplace. We're an active co-sell partner and, you know, have our security competency and our well-architected certification. And really it's about building trust with our customers. You know, AWS has a lot of wonderful partner products for customers to use and it's really about building trust that, you know, we're validated, we're vetted, we have a lot of customers who are using our products with AWS, and, you know, I think it's that tight collaboration, for example, if you look at what we're doing with Humio, we've implemented a quick start program, which AWS has to get customers quickly deployed with an integration or a new capability with a partner product. And what this does is it spins up a quick CloudFormation template, customer can integrate it very quickly with the AWS FireLens and then, you know, all that log information coming from the AWS containers is easily ingested into the Humio platform. And so, you know, it really reduces the time to get the integration up and running as well as pulling all that data into the Humio platform so that customers can, like we said earlier, go back and threat hunt across, you know, different cloud service components in a quick and easy way. >> Quick and easy is good as is faster time to value.
You mentioned the word trust, and, you know, we talk about trust, we've been talking about it for years as it relates to technology, but I'm curious, Jessica, in the last year and a half, if your customer conversations have changed, is trust now even more important than ever as there are so many things in flux, have you noticed any sort of change there in your customer conversations? >> Well, you know, I think trust is extensible. And over the last 10 years, CrowdStrike's done a really great job of building customer trust. And, you know, we started out as, you know, kind of primarily EDR and we've moved into prevention and now we're moving into identity protection and XDR so, you know, I see a pattern that, you know, we've built this amazing core of trust across our existing customers, and as we offer more capabilities, whether it be, you know, cloud security or XDR, identity protection, you know, customers trust us and so they're very willing to say, "ah well, I want to try out these new capabilities that CrowdStrike has because we trust you guys, you know, you've done a lot to protect our brand and, you know, really make our internal teams a lot more efficient and a lot smarter." So, you know, I think while trust is important, it's also something that we get to carry forward as we enter new markets and continue to innovate and provide new capabilities for our customers. >> And really extending that trusted, valued partner relationship that you've already established with customers in every industry. So where can customers go? So the joint GTM customers, and you said products available in the AWS marketplace, but where do you recommend customers go to learn more about how they can work with these joint solutions that CrowdStrike and AWS have together? >> Absolutely. 
We have a landing page on AWS, if you Google AWS and CrowdStrike, whether it be marketplace or EKS Anywhere, Amazon Outposts, we're on all the joint product pages with Amazon, as well as always going to crowdstrike.com and looking up our cloud security products. >> Got it. And last question for you, Jessica, summarize the announcement in terms of business outcomes that it's going to enable your joint customers to achieve. >> Absolutely. You know, I think it goes back to probably the primary reason is complexity. And, you know, with complexity comes risk and blind spots so being able to have a unified platform that no matter where the workload is, or the employee may be, they are protected and have, you know, a unified platform and experience to manage their security risk. >> Excellent. Jessica, thank you so much for coming on the program today, sharing with me, what's new with CrowdStrike, some of the things that you're seeing, and what you're helping customers to accomplish in a very dynamic environment, we appreciate your time and your insights. >> Thank you for having me, Lisa. >> For Jessica Alexander, I'm Lisa Martin, and you're watching theCUBE's coverage of AWS re:Invent 2021. (gentle music)