>> From theCUBE Studios in Palo Alto in Boston, bringing you data driven insights from theCUBE and ETR, This is "Breaking Analysis with Dave Vellante". >> Black Hat 22 was held in Las Vegas last week, the same time as theCUBE Supercloud event. Unlike AWS re:Inforce where words are carefully chosen to put a positive spin on security, Black Hat exposes all the warts of cyber and openly discusses its hard truths. It's a conference that's attended by technical experts who proudly share some of the vulnerabilities they've discovered, and, of course, by numerous vendors marketing their products and services. Hello, and welcome to this week's Wikibon CUBE Insights powered by ETR. In this "Breaking Analysis", we summarize what we learned from discussions with several people who attended Black Hat and our analysis from reviewing dozens of keynotes, articles, sessions, and data from a recent Black Hat Attendees Survey conducted by Black Hat and Informa, and we'll end with the discussion of what it all means for the challenges around securing the supercloud. Now, I personally did not attend, but as I said at the top, we reviewed a lot of content from the event which is renowned for its hundreds of sessions, breakouts, and strong technical content that is, as they say, unvarnished. Chris Krebs, the former director of Us cybersecurity and infrastructure security agency, CISA, he gave the keynote, and he spoke about the increasing complexity of tech stacks and the ripple effects that that has on organizational risk. Risk was a big theme at the event. Where re:Inforce tends to emphasize, again, the positive state of cybersecurity, it could be said that Black Hat, as the name implies, focuses on the other end of the spectrum. Risk, as a major theme of the event at the show, got a lot of attention. Now, there was a lot of talk, as always, about the expanded threat service, you hear that at any event that's focused on cybersecurity, and tons of emphasis on supply chain risk as a relatively new threat that's come to the CISO's minds. Now, there was also plenty of discussion about hybrid work and how remote work has dramatically increased business risk. According to data from in Intel 471's Mark Arena, the previously mentioned Black Hat Attendee Survey showed that compromise credentials posed the number one source of risk followed by infrastructure vulnerabilities and supply chain risks, so a couple of surveys here that we're citing, and we'll come back to that in a moment. At an MIT cybersecurity conference earlier last decade, theCUBE had a hypothetical conversation with former Boston Globe war correspondent, Charles Sennott, about the future of war and the role of cyber. We had similar discussions with Dr. Robert Gates on theCUBE at a ServiceNow event in 2016. At Black Hat, these discussions went well beyond the theoretical with actual data from the war in Ukraine. It's clear that modern wars are and will be supported by cyber, but the takeaways are that they will be highly situational, targeted, and unpredictable because in combat scenarios, anything can happen. People aren't necessarily at their keyboards. Now, the role of AI was certainly discussed as it is at every conference, and particularly cyber conferences. You know, it was somewhat dissed as over hyped, not surprisingly, but while AI is not a panacea to cyber exposure, automation and machine intelligence can definitely augment, what appear to be and have been stressed out, security teams can do this by recommending actions and taking other helpful types of data and presenting it in a curated form that can streamline the job of the SecOps team. Now, most cyber defenses are still going to be based on tried and true monitoring and telemetry data and log analysis and curating known signatures and analyzing consolidated data, but increasingly, AI will help with the unknowns, i.e. zero-day threats and threat actor behaviors after infiltration. Now, finally, while much lip service was given to collaboration and public-private partnerships, especially after Stuxsnet was revealed early last decade, the real truth is that threat intelligence in the private sector is still evolving. In particular, the industry, mid decade, really tried to commercially exploit proprietary intelligence and, you know, do private things like private reporting and monetize that, but attitudes toward collaboration are trending in a positive direction was one of the sort of outcomes that we heard at Black Hat. Public-private partnerships are being both mandated by government, and there seems to be a willingness to work together to fight an increasingly capable adversary. These things are definitely on the rise. Now, without this type of collaboration, securing the supercloud is going to become much more challenging and confined to narrow solutions. and we're going to talk about that little later in the segment. Okay, let's look at some of the attendees survey data from Black Hat. Just under 200 really serious security pros took the survey, so not enough to slice and dice by hair color, eye color, height, weight, and favorite movie genre, but enough to extract high level takeaways. You know, these strongly agree or disagree survey responses can sometimes give vanilla outputs, but let's look for the ones where very few respondents strongly agree or disagree with a statement or those that overwhelmingly strongly agree or somewhat agree. So it's clear from this that the respondents believe the following, one, your credentials are out there and available to criminals. Very few people thought that that was, you know, unavoidable. Second, remote work is here to stay, and third, nobody was willing to really jinx their firms and say that they strongly disagree that they'll have to respond to a major cybersecurity incident within the next 12 months. Now, as we've reported extensively, COVID has permanently changed the cybersecurity landscape and the CISO's priorities and playbook. Check out this data that queries respondents on the pandemic's impact on cybersecurity, new requirements to secure remote workers, more cloud, more threats from remote systems and remote users, and a shift away from perimeter defenses that are no longer as effective, e.g. firewall appliances. Note, however, the fifth response that's down there highlighted in green. It shows a meaningful drop in the percentage of remote workers that are disregarding corporate security policy, still too many, but 10 percentage points down from 2021 survey. Now, as we've said many times, bad user behavior will trump good security technology virtually every time. Consistent with the commentary from Mark Arena's Intel 471 threat report, fishing for credentials is the number one concern cited in the Black Hat Attendees Survey. This is a people and process problem more than a technology issue. Yes, using multifactor authentication, changing passwords, you know, using unique passwords, using password managers, et cetera, they're all great things, but if it's too hard for users to implement these things, they won't do it, they'll remain exposed, and their organizations will remain exposed. Number two in the graphic, sophisticated attacks that could expose vulnerabilities in the security infrastructure, again, consistent with the Intel 471 data, and three, supply chain risks, again, consistent with Mark Arena's commentary. Ask most CISOs their number one problem, and they'll tell you, "It's a lack of talent." That'll be on the top of their list. So it's no surprise that 63% of survey respondents believe they don't have the security staff necessary to defend against cyber threats. This speaks to the rise of managed security service providers that we've talked about previously on "Breaking Analysis". We've seen estimates that less than 50% of organizations in the US have a SOC, and we see those firms as ripe for MSSP support as well as larger firms augmenting staff with managed service providers. Now, after re:Invent, we put forth this conceptual model that discussed how the cloud was becoming the first line of defense for CISOs, and DevOps was being asked to do more, things like securing the runtime, the containers, the platform, et cetera, and audit was kind of that last line of defense. So a couple things we picked up from Black Hat which are consistent with this shift and some that are somewhat new, first, is getting visibility across the expanded threat surface was a big theme at Black Hat. This makes it even harder to identify risk, of course, this being the expanded threat surface. It's one thing to know that there's a vulnerability somewhere. It's another thing to determine the severity of the risk, but understanding how easy or difficult it is to exploit that vulnerability and how to prioritize action around that. Vulnerability is increasingly complex for CISOs as the security landscape gets complexified. So what's happening is the SOC, if there even is one at the organization, is becoming federated. No longer can there be one ivory tower that's the magic god room of data and threat detection and analysis. Rather, the SOC is becoming distributed following the data, and as we just mentioned, the SOC is being augmented by the cloud provider and the managed service providers, the MSSPs. So there's a lot of critical security data that is decentralized and this will necessitate a new cyber data model where data can be synchronized and shared across a federation of SOCs, if you will, or mini SOCs or SOC capabilities that live in and/or embedded in an organization's ecosystem. Now, to this point about cloud being the first line of defense, let's turn to a story from ETR that came out of our colleague Eric Bradley's insight in a one-on-one he did with a senior IR person at a manufacturing firm. In a piece that ETR published called "Saved by Zscaler", check out this comment. Quote, "As the last layer, we are filtering all the outgoing internet traffic through Zscaler. And when an attacker is already on your network, and they're trying to communicate with the outside to exchange encryption keys, Zscaler is already blocking the traffic. It happened to us. It happened and we were saved by Zscaler." So that's pretty cool. So not only is the cloud the first line of defense, as we sort of depicted in that previous graphic, here's an example where it's also the last line of defense. Now, let's end on what this all means to securing the supercloud. At our Supercloud 22 event last week in our Palo Alto CUBE Studios, we had a session on this topic on supercloud, securing the supercloud. Security, in our view, is going to be one of the most important and difficult challenges for the idea of supercloud to become real. We reviewed in last week's "Breaking Analysis" a detailed discussion with Snowflake co-founder and president of products, Benoit Dageville, how his company approaches security in their data cloud, what we call a superdata cloud. Snowflake doesn't use the term supercloud. They use the term datacloud, but what if you don't have the focus, the engineering depth, and the bank roll that Snowflake has? Does that mean superclouds will only be developed by those companies with deep pockets and enormous resources? Well, that's certainly possible, but on the securing the supercloud panel, we had three technical experts, Gee Rittenhouse of Skyhigh Security, Piyush Sharrma who's the founder of Accurics who sold to Tenable, and Tony Kueh, who's the former Head of Product at VMware. Now, John Furrier asked each of them, "What is missing? What's it going to take to secure the supercloud? What has to happen?" Here's what they said. Play the clip. >> This is the final question. We have one minute left. I wish we had more time. This is a great panel. We'll bring you guys back for sure after the event. What one thing needs to happen to unify or get through the other side of this fragmentation and then the challenges for supercloud? Because remember, the enterprise equation is solve complexity with more complexity. Well, that's not what the market wants. They want simplicity. They want SaaS. They want ease of use. They want infrastructure risk code. What has to happen? What do you think, each of you? >> So I can start, and extending to the previous conversation, I think we need a consortium. We need a framework that defines that if you really want to operate on supercloud, these are the 10 things that you must follow. It doesn't matter whether you take AWS, Slash, or TCP or you have all, and you will have the on-prem also, which means that it has to follow a pattern, and that pattern is what is required for supercloud, in my opinion. Otherwise, security is going everywhere. They're like they have to fix everything, find everything, and so on and so forth. It's not going to be possible. So they need a framework. They need a consortium, and this consortium needs to be, I think, needs to led by the cloud providers because they're the ones who have these foundational infrastructure elements, and the security vendor should contribute on providing more severe detections or severe findings. So that's, in my opinion, should be the model. >> Great, well, thank you, Gee. >> Yeah, I would think it's more along the lines of a business model. We've seen in cloud that the scale matters, and once you're big, you get bigger. We haven't seen that coalesce around either a vendor, a business model, or whatnot to bring all of this and connect it all together yet. So that value proposition in the industry, I think, is missing, but there's elements of it already available. >> I think there needs to be a mindset. If you look, again, history repeating itself. The internet sort of came together around set of IETF, RSC standards. Everybody embraced and extended it, right? But still, there was, at least, a baseline, and I think at that time, the largest and most innovative vendors understood that they couldn't do it by themselves, right? And so I think what we need is a mindset where these big guys, like Google, let's take an example. They're not going to win at all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together. >> Okay, so Gee's point about a business model is, you know, business model being missing, it's broadly true, but perhaps Snowflake serves as a business model where they've just gone out and and done it, setting or trying to set a de facto standard by which data can be shared and monetized. They're certainly setting that standard and mandating that standard within the Snowflake ecosystem with its proprietary framework. You know, perhaps that is one answer, but Tony lays out a scenario where there's a collaboration mindset around a set of standards with an ecosystem. You know, intriguing is this idea of a consortium or a framework that Piyush was talking about, and that speaks to the collaboration or lack thereof that we spoke of earlier, and his and Tony's proposal that the cloud providers should lead with the security vendor ecosystem playing a supporting role is pretty compelling, but can you see AWS and Azure and Google in a kumbaya moment getting together to make that happen? It seems unlikely, but maybe a better partnership between the US government and big tech could be a starting point. Okay, that's it for today. I want to thank the many people who attended Black Hat, reported on it, wrote about it, gave talks, did videos, and some that spoke to me that had attended the event, Becky Bracken, who is the EIC at Dark Reading. They do a phenomenal job and the entire team at Dark Reading, the news desk there, Mark Arena, whom I mentioned, Garrett O'Hara, Nash Borges, Kelly Jackson, sorry, Kelly Jackson Higgins, Roya Gordon, Robert Lipovsky, Chris Krebs, and many others, thanks for the great, great commentary and the content that you put out there, and thanks to Alex Myerson, who's on production, and Alex manages the podcasts for us. Ken Schiffman is also in our Marlborough studio as well, outside of Boston. Kristen Martin and Cheryl Knight, they help get the word out on social media and in our newsletters, and Rob Hoff is our Editor-in-Chief at SiliconANGLE and does some great editing and helps with the titles of "Breaking Analysis" quite often. Remember these episodes, they're all available as podcasts, wherever you listen, just search for "Breaking Analysis Podcasts". I publish each on wikibon.com and siliconangle.com, and you could email me, get in touch with me at david.vellante@siliconangle.com or you can DM me @dvellante or comment on my LinkedIn posts, and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching, and we'll see you next time on "Breaking Analysis". (upbeat music)

(upbeat music) >> From our studios in the heart of Silicone Valley, Palo Alto, California, Nick is a Cube conversation. >> Hello, and welcome to the Palo Alto Cube Studios, I'm John Furrier, host of the Cube. We're here for great Cube conversation with Gilad Bracha who's a distinguished engineer at Shape Security, has a legacy in the programming world, one of the early folks working on Java, a variety of other great things: Small Talk, Newspeak, a variety of programming accomplishments. A legend in the industry, thanks for coming on. >> Well, thanks for having me, it's a pleasure to be here. >> You know, one of the things we always talk about on the Cube is how I work for a company, they do this, they do this great, here's our differentiator, here's our advantage, a lot of marketing speak, and then we also do a lot of interviews around disruption, around cloud computing, getting to DevOps, network effect, changes of network, moving packets around store and compute, all the benefits of cloud computing but we don't really talk about the underlying languages that are driving all the changes and this is something that you're an expert in and I want to get your thoughts on this because, you know, computer science is at an all time high. You can't go to Berkeley, you see what's going on at Berkeley, the number one major is computer science, the data classes, dreams of starting a company, but computer science is changing a lot. More people are coding but does that mean there still more computer science going on? So, a lot of people are trying to understand where the future is going to be and underneath it all is the programming languages themselves. >> Yeah, well-- >> Your thoughts on computer science and the languages out there. >> So, too much to say. But computer science is a lot, there are trends and there's a lot of emphasis now on machine learning and things like that. And it's interesting because that affects, which language you use can make these tasks a lot easier or a lot harder. And we've, you see certain languages being picked up for that purpose and new languages being done for numerical stuff like Julia, people are using R, God forbid and it's really interesting to see that. To me, it's interesting because there's a whole set of languages, the APL family of languages which really go back to the early 60s. But they're just phenomenally designed for these kind of large arrays of data for doing mathematical operations in parallel on large arrays or multi-dimensional arrays, essentially, tensors, back before that word was used in programming. And there's huge potential for doing better in terms of programming with those things. So that is one new, not new but area that's been kind of coming alive again. >> Yeah. >> That's really cool. >> You know, it's interesting, too, you bring up a point. We were talking before we came on camera about Lisp and all these other cool science out there. With, now, the advent of unlimited compute with cloud and, now, kind of new connected devices, a lot of the old science is coming back into vogue because of some of the use cases. I mean, I remember when I graduated college in the 80s, we had departments that were actually called data processing departments. And they used data processing, that's what they did, they processed data. That's the number one use case today is processing data. So, a lot of the old is coming back because it's relevant in this new era. So, I got to ask you, what is your favorite science and computer science that you think is relevant? You mentioned APL, what concepts, we TensorFlow with Google, things like that coming back, you see machine learning and AI, these are not new concepts. >> Well, some of them, I mean-- >> What's your thoughts? >> Machine learning, definitely, there have been breakthroughs in the past, I don't know, 10, 15 years and but the basis of it, the beauty of this is the basis of this is the real hardcore math in calculus and statistics, that stuff is golden and wherever it applies throughout the universe and you look at reasoning about these things and it comes up again. That's the root of it all. Making it so that you can manipulate things closer to level you can with math is really challenge for programming languages, so that you don't spend your life dealing with, sort of, irrelevant, boring details, oh, this has to be lowercase, that has to be tab, this tool doesn't work on that operating system. Most of our effort as software engineers goes, we're dealing with junk, really, and we should try and abstract over that and get over that. >> What are some of the exciting things that get you excited for programming language because there's a lot more excitement, a lot more opportunities now; you're seeing you can stand up software very quickly these days, and so there's some really quick and dirty ways to get software written with languages. Some want more principle-based design languages that have all the integrated components. What's the trade-off, what are some of the things you like around the new trends? >> So I'll give you something that meets both of the criteria that is both very principled but actually makes it much easier to put something together. One of my favorite new things that have come in the past few years is a thing called Elm which is a language, essentially, the main application, so far, has been to build websites, essentially, UI that's targeting a website but it is a functional programming language but it is much more approachable than the traditional academic stuff, even though the ideas are basically the same, but they're very well engineered. Actually, better engineered in many respects than a lot of the traditional stuff that you see like the Haskells and OCamls and stuff. And it started for the web, so it's a different game but it's a joy to use, it has great error messages, it has a time traveling debugger which is one of my favorite hobby horses, so you can actually go back and roll the computation back to where a problem occurred. And that, kind of, is interesting because it meets both of those points. >> Talk about this live programming, you mentioned rolling back and this is around live programming. >> Yeah. >> This is an exciting area. >> Oh, yeah. >> Your thoughts on live programming because we're seeing collaboration where I can have a screen open. I saw a demo at Amazon Reinvent last year or year before where people can be in different parts of the world or different offices in the same building and coding the same, I get the collaboration piece but there's also live programming languages that have built-in compile that's changing the old ways of debugging. Your thoughts. >> Right, so, definitely, that is something that people who have a heritage in small talk or Lisp, kind of, remember those systems or, if they're very lucky, still get to use them. And the thing is that most program languages don't have that level of interactivity when you work with them as a developer because there is too much of a feedback loop between when you actually specify what you want to happen by writing code and when you actually see what actually happen when you run your code and it typically doesn't do remotely what you wanted it to. That feedback loop is too long 'cause you have to go through compiles and bills and whatever, and the idea of live programming is to shorten that so that you, ideally, instantly see you change something and you can see the output and the output gets changed accordingly and you don't have to wait and, in particular, you don't have to go and rerun your program, get to the same point where you were, especially when you're debugging, right? That's the beauty of fix and continue debugging which is sort of a small but important piece of live programming where you can basically go and change a function and, immediately, proceed with the computation. You don't have to restart, you don't have to get to where you were, recreate the state, make sure the heap is in the same thing and that just, A, it's productive, it saves time. It's just a joy to watch and play with this thing, it's much more tactile, you actually feel-- >> It's faster, too, you don't have to, all the steps involved, classic debugging, restart, do it all over again. >> It's faster and it's less error prone 'cause those steps, you make mistakes, you went through all these steps and you forgot one thing or whatever or you did something wrong and didn't notice and you chased some, you know, went on a wild goose chase trying to figure out a bug, so it really is a huge H to product, a huge help to productivity and it's just so much fun to work with these systems. >> Well, I got to get this question for you while you're here because I get this question all the time and it's common. A lot of the young kids want to program, they see the future, they know that coding is a good skill to have. What's your advice to parents out there or kids, whether they're in elementary, or high school, or college, that might have a focus on, say, you know, I'm a neuroscience major or I'm doing this but I want to learn how to code? What's your advice for how to learn how to code because I've seen, oh, learn Java, I'm like, okay-- >> God, no. >> Not really my first choice. >> Eat spinach. Do 50 push-ups. No, it's not that comfortable. >> No, no. >> Java's not my first choice for recomm-- >> It's also 50 push-ups and spinach are better for you. Java is actually possibly damaging, at an early age, you should not be doing that. >> Doing Java, in particular? >> No, no. >> Why is that, it's just too complex? >> Because it's a lot of irrelevant boiler plate. It's a lot of stuff that should've been obsolete before and will be obsolete by the time you, hopefully, get to work for real and it's painful and if you aren't really into it, it'll just turn you off of the whole field. >> What's going to get someone excited, is it Elm, is it gaming, is it some sort of-- >> Yeah, so, Elm is good because you can run it, you don't need much setup, you can run in a web browser. I'm a Smalltalker and I still love the Smalltalk systems and they're still, overall, is a complete programming experience, they're still unmatched. Except for list machines which are kind of hard to come by. And so, I'd focus on those-- >> People tend to talk about Python, they talk about some of these languages. If someone's going to tinker around, what's going to be the addictive, if someone's going to-- >> So, people get addicted to all kinds of things but I would-- >> In terms of a good-- >> I tend to avoid the mainstream. People tend to latch on to the mainstream because they think it's a good career move or whatever. My advice is, you get good, learn the fundamentals in the cleanest way possible, then the mainstream stuff will be easy, rather than focusing on it, 'cause there's so much irrelevant detail in those systems and the programming experience is not that great. So, try something a little less meaty, closure is a lisp that you can use and there's closure script as a version that runs on the web. Try Elm. Try Smalltalk. >> And all these languages, they can actually produce something of value? >> Yeah, they can definitely, I think, still 70% of the world's container traffic is still run by a Smalltalk application. >> Really, I did not know that. >> Yeah, well, few people do. In Smalltalk, you find that that sort of heyday, in some sense, for commercial applications was in the 90s or 80s, whatever, but replacing those applications, a typical story is, someone says, ah, we should use Java 'cause everybody's using Java and we can get lots of programmers and they spend a lot of money and the new application doesn't work 'cause they can't actually rebuild the thing they built in Smalltalk at any reasonable cost, at any reasonable reliability. So, there are a lot of those systems out there, Morgan Stanley's still running Capital, their Smalltalk system for managing money. So, yeah, you can certainly build things. >> Well, Gilad, I love your commentary here, so I love that you're not shy to hold back. I've got to get your thoughts on cryptocurrency and the Blockchain world. >> Oh, dear. >> A lot of different languages, you got Ethereum, you have, some say, oh, I'm going to use Linux. If you're using Java, we're going to import it in, Javascript supports it, so there's been kind of like this, every kind of crypto currency, Blockchain, has their own language for decentralized applications. Your general thoughts on this. >> So, there's a need for, to slow down and be more careful, all right. Ethereum lost God knows how much money. I've heard quotes but I don't know if it's 50 million or 150 million but a fair amount of money due to problems that were classical distributed programming problems and could have been avoided by, essentially, more careful design of language in the system. There's a pressure now to turn things out in a hurry, right? In the old days, these systems took years and years of research in their little corner and, now, everybody has to do something too fast and that hurts. And, often, it's people who don't have the expertise and the background 'cause there's lots of research on all kinds of problems and smart people get snippets of those and they don't quite know what they're doing. And I don't think there's a cure for that because the incentives are there but that's why we're seeing these problems. >> So be careful, the message is be careful. >> Be careful. >> But they're rushing, all this cash is rolling in, they got to have some language. >> Sure, as long it's not their 150 million dollars that they lost, that's fine, but someone was probably upset. >> And, by the way, the security problem was software-error based. >> Most of them are. >> So, this transitions into Shape Security where you're not working as a distinguished engineer, working on some hard problems. I know it's pretty confidential but you guys do power 200 million iOS apps, this is from the PR statement. >> Probably more by now but yeah. >> Past 24 hours, you blocked more than two billion fraudulent login attempts, two million legitimate attempts. Essentially, defending intrusion detects and seems to be the company's value properties, but I don't want to get too much into the company because you're, obviously, on the engineering side. But security from a programming language side is software and people. >> Mm-hm. >> Right, software gets bugs. >> And people make them worse. >> And people make mistakes. >> People make them worse. >> Yeah. >> This is the central process problem in security. Your thoughts in computer science. >> So, most of the time, I mean, Shape does real security and this is fascinating to me but, most of the time, I've been looking at security at the programming language level because, you know, still, I think 70% of intrusions often, not the intrusions but, basically, these big software fiasco security problems get down to array buffer overflows. Which is ridiculous 'cause this is problem that was solved decades ago. Why are we still dealing with this? That's because, you know, programming language design, the whole approach to security, access control lists, whatever, there was another approach which was capability-based. And these two grew up together in the 60 and the world, as typically, it makes the wrong choices, it takes what seems appealing in the short term and not what is sort of a more thorough thing. So, object capabilities is a really interesting way of looking at this thing. There are people working on putting some of this into Javascript so that you could use it somehow. Great work by Mark Miller and company at Agoric. I'll do a shout-out to them. So, I've usually been on that side of things, but real security, there's a lot more to it, that's just one small layer of things and, above that, there's all the humans and the multiple systems they build. The configurations, they're just mistakes, the things that happen through social engineering about which, basically, I don't know much about but I will say that making things simpler is key because that's why people make mistakes. Things are too complicated. Every piece of the system has some bunch of clever engineers who really think it through and make it really sophisticated but when you compose these, it becomes, no one understands, a thing that no one understands what's going on and we need to simplify. My work is to try to simplify at that programming language level which the typical languages people use are too complex. >> And this is really where the software always has holes in it and you just got to be on top of it and make it tight, as it were. >> Right, basically, you can't understand the consequences when you have too many moving parts, as it were, too many constructs in the programming language. The composition is endless and you can't, it's very hard to foresee how they're going to interact and what someone will come up with, eventually. Oh, you could use this to attack that. Or, this crates this bad scenario that people don't notice. And, really, there's no remedy to that. You can work and you should be careful, you should test things, you should verify, if you can, formally, but if you just try and keep it simple, clean abstractions that are very simple and composed well, you will simply avoid, by definition, most of these problems. >> Final talk track around open source. It's been well-documented that proprietary software that's funded by companies when kind of stopped and innovating, kind of, dies on the vine. Open source is great, got leverage, you get out in the open, yeah, it's great. So, open source has been growing like a weed over the past couple decades and, recently, it's been phenomenal. The open source people say, oh, security is better in open source. At the same time, you bring up the notion of language security and those programming languages. How do you see that rectifying itself? How is the security paradigm with open source going to be stabler? What do companies need to do because open source is being used everywhere. >> Open source is used everywhere for good reason but open source is not, by itself, a magic thing, right. It's still, you get problems, open source is also open to malicious contributors, to problems, and the systems are too big for, even though there are code reviews and everything, so it's a double-edged sword, in some respects and sometimes the quality just suffers. These are social organization and each one is different and they have problems, so I don't know that that is, it's good that you shine light on something, it tends to purify it, and certainly that's a great strength of open source that you cant have things buried in there that you don't know. By the same token, it is not a panacea because the other thing is someone has to fund this somehow. All the open source models have to find somewhere to keep this going. So it's a more complicated thing to pull off. >> Especially with all these appliances now, okay, which version of Linux are you running, do I review the code? How do people ensure the security know that whether it's an appliance, or a device, or phone, or anything and it doesn't have some sort of back door or security vulnerability? >> Well, backdoor, I don't-- >> Backdoor, side door. >> Or just code-- >> This is a conspiracy theory. >> Or poor code. >> Poor code, well, poor code, you know, the open source is full of poor code is the truth. And the other thing is that, one problem with the open source is it also makes it easier for people to attack it because they can see how it's engineered. So, there is a reason that secure systems tend to, actually, maintain a certain level of secrecy. So I wouldn't go overboard on the open source ideology that it's inherently more secure. It has the advantage that you can see what you're getting. It has the disadvantage that everyone, including your adversaries, can see that. >> You don't know that going in, buyer beware kind of philosophy. >> Yes. >> And so, ultimately, you need to trust, like, it always comes down to trust at some level 'cause there's no way you're going to verify the software or the hardware, the bits, the you know. You can have problems in the hardware, this is a big problem nowadays, actually, with certain vendors. I don't want to get into those political footballs but-- >> Yeah, super micro. >> Yeah, and so, you really have to see who, you do have to take a risk in who do you trust. Who has a reputation, who is responsible for things that have worked? And there are no easy answers and it's beyond my pay grade. >> Let me get your thoughts on Capital One because we know that story, as of this week and they're on an Amazon estuary bucket, firewall filtering failed, someone just stumbled into it. I mean, the person that hacked it wasn't like, probably, a famous hacker, she was bragging on Twitter and message groups like, saying, hey, I just got in. So, door's open, keys are running in the car, walked right to the safe, safe was open. >> So, I don't know anything about that incident specifically and, I mean, beyond what you and I have read on the web or somewhere-- >> That's a human error. >> But they're usually there's always, almost always human error involved. It's also why you need, sort of, it's like countermeasures, right, and counter, counter, countermeasures. You simply have to monitor, right? So that when something, when you have an intrusion, you check it, now, that's not easy but there are lots of clever things that people are doing. You can have security as an afterthought. It's really hard. That's generally the problem is that people don't think about it early enough. >> Final question before we break: What's the human problem that you see most with developers? 'Cause if humans make mistakes, which they do, what's the common mistake developers, programmers make when coding that could be avoided with just a little bit sharper focus? >> Well, it's not about focus but I'd say null pointer exceptions are the biggest, like, after array buffers, they're the other, Tony Hoare called it billion dollar mistake in 1980 in his award speech, I think. And we're talking now, it's probably a trillion dollars, right? And this is something that can be mechanically checked by the programming language and it's probably the number bang-for-a-buck feature that you might throw in. >> Just say no to null? >> Yeah. >> That's the philosophy. >> Yeah. >> Gilad, thanks for coming on the Cube, appreciate the conversation. >> Thank you very much. >> I'm John Furrier, here in Palo Alto at the Cube Studios. This has been a Cube Conversation, thanks for watching. (upbeat music)

>> from our studios in the heart of Silicon Valley, Palo Alto, California It is a cute conversation. >> Welcome to this cube competition here at the Palo Alto Cube Studios. I'm John for a host of the Cube. Were here a special guests to keep alumni investor An entrepreneur who do Sudhakar, would you Good to see you again, John. Always a pleasure. You've been on as an entrepreneur, founder. As an investor, you're always out. Scour in the Valley was a great conversation. I want to get your thoughts as kind of a guest analyst on this segment around the state of the Union for Enterprise Tech. As you know, we covering the price tag. We got all the top enterprise B to B events. The world has changed and get reinvent coming up. We got VM World before that. The two big shows, too to cap out this year got sprung a variety of other events as well. So a lot of action cloud now is pretty much a done deal. Everyone's validating it. Micro cells gaining share a lot of growth areas around cloud that's been enable I want to get your thoughts first. Question is what are the top growth sectors in the enterprise that you're seeing >> papers. Thank you for having me. It's always a pleasure talking to you over the years. You and me have done this so many times. I'm learning a lot from you. So thank you. You are so yeah, I think Let's dig into the cloud side and in general market. So I think that there are 34 areas that I see a lot that's happening a lot. Cloud is still growing, a lot 100% are more growth and cloud and dog breeders. And what is the second? I see, a lot of I T services are close services. This includes service management. The areas that service now isn't They're >> still my ops was Maybe >> they opt in that category. E I said With management, the gutter is coming with the new canticle a service management. So they're replacing idea some with a different. So that's growing 800% as a category tourist. RP according to again, the industry analysts have seen that it's going at 65 to 70% so these three areas are going a lot in the last one that I see a lot of user experience. Can you build? It's like it's a 20,000,000,000 market cap, something. So if you let it out, it's a cloud service Management services RP user experience cos these are the four areas I see a lot dating all the oxygen rest. Everybody is like the bread crumbs. >> Okay, and why do you think the growth in our P A. So how's the hype? Is it really what? What is going on in our pee, In your opinion, >> on the rumors I'm hearing or there is some companies are already 1,000,000,000 revenue run great wise. That's a lot in our piece. So it's not really a hype that really so that if you look and below that, what's happening is I'd be a Companies are automating automation. The key for here is if I can improve the user experience and also automate things. RPS started doing screen scraping right in their leaders, looking at any reservations supply chain any workflow automation. So every company is so complex. Now somebody has to automate the workflow. How can you do this with less number of people, less number, resources, and improve the productivity >> coming? R P A. Is you know, robotic process automation is what it stands for, but ultimately it's software automation. I mean, it's software meets cloud meets automation. It seems to be the big thing. That's also where a I can play a part. Your take on the A I market right now. Obviously, Cloud and A I are probably the two biggest I think category people tend to talk about cloud and a eyes kind of a big kind of territories. RPG could fall under a little bit of bulls, but what you take on a guy, >> Yeah, so I think if you look at our pier, I actually call the traditional appears to be historical legacy. Wonders and R P companies are doing a good job to transform themselves to the next level, right? But our pianist Rocky I score. It's no longer the screen skipping tradition, making the workflow understanding. So there are new technology called conversational Rp. There's actually a separate market. Guys been critical conversation within a Can I talk to in a dialogue manner like what you experienced Instagram are what using what's up our dialogue flow? How can I make it? A conversational RPS is a new secretary is evolving it, but our becomes have done a good job. They leave all their going out. A >> lot has been has great success. We've been covering them like a blanket on a single cube. Um, I got it. I got to get your take on how this all comes into the next generation modern era because, um, you know, we're both been around the block. We've seen the waves of innovation. The modern error of clouds certainly cloud one Dato Amazon. Now Microsoft has your phone. Google anywhere else really goes. Dev Ops, The devil's movement cloud native amazing, create a lot of value continues to do well, but now there's a big culture on cloud 2.0, what is your definition of cloud two point? Oh, how do you see Cloud 2.0, evolving. But >> I like the name close to party. I think it's your third. It is going to continue as a trained. So look, throw two point with eyes. I don't know what it will be, but I can tell you what it should be and what it can have. Some other things that should do in the cloud is cloud is still very much gun to human beings. Lot of develops people. Lot of human being The next addition to a daughter should have things done programmatically I don't need tens of thousands off Assad ease and develops people. So back to your air, upside and everything. Some of those things should become close to become proactive. I don't want to wait until Amazon. Easter too is done. If I'm paying him is on this money. Amazon should be notifying me when my service is going to be done. The subsidy eaters They operated Chlo Trail Cloudwatch Exeter. But they need to take it to a notch level. But Amazon Azure. >> So making the experience of deploying, running and building APS scalable. Actually, that's scales with Clavet. Programmable kind of brings in the RPI a mean making a boat through automation edge of the network is also interesting. Comes up a lot like Okay, how do you deal with networking? Amazons Done computing storage and meet amazing. Well, cloud and networking has been built in, I guess to me, the trend of networking kicks in big because now it's like, OK, if you have no perimeter, you have a service area with I o t. >> There's nothing that >> cloud to point. It has to address riel time programming ability. Things like kubernetes continues to rise. You're gonna need to have service has taken up and down automatically know humans. So this >> is about people keep on fur cloak. What should be done before the human in the to rate still done. It develops. People are still using terror from lot of scripting. Lot of manual. Can you automata? That's one angle The second angle I see in cloud 2.0 is if you step back and say What, exactly? The intrinsic properties of Claude Majors. It's the work floor. It's automation, but it's also able to do it. Pro, actually. So what I don't have to raise if I'm playing club renders this much money. Tell me what outrageous are happening. Don't wait until outage happens. Can you predict voted? Yes, they have the capability to women. It should be Probably steal it. No, not 100%. So I want to know what age prediction. I wonder what service are going down. Are notified the user's that will become a a common denominator and solutions will be start providing, even though you see small startups doing this. Eventually they become features all these companies, and they'll get absorbed by the I called his aircraft carriers. You have Masson agile DCP. They're going to absorb all this, a ups to the point that provide that as the functionality. >> Yeah, let's get the consolidation in second. I want to get your thoughts on the cloud to point because we really getting at is that there's a lot of white space opportunity coming in. So I gotta ask you to start up. Question as you look at your investor, prolific investor in start ups. Also, you're an entrepreneur yourself. What >> is? >> They have opportunities out there because we'll get into the big the big whales Amazon, who were building and winning at scale. So embarrassed entry or higher every day, even though it's open sources, They're Amazons, betting on open source. Big time. We had John Thompson talk about that. That was excessive. Something Nutella. And so what? What if I was a printer out there? Would what do I do? I mean, is there Is there any real territory that I could create a base camp on and make money? >> That's plenty. So there's plenty of white faces to create. Look, first of all your look at what's catering, look at what's happening. IBM is auto business in service management, CSL itself to Broadcom. BMC is sold twice to private companies. Even the CEO got has left our war It is. Then you have to be soldiers of the Micro Focus. The only company that's left is so it's not so in that area, you can create plenty of good opportunities. That's a big weight. >> Sensors now just had a bad quarter. So actually, clarity will >> eventually they're gonna enough companies to go in that space. That play that's based can support 23 opportunities so I can see a publicly traded company in service. No space in next five years. My production is they'll be under company will go a p o in the service management space. Same things would happen. Rp, Rp vendors won't get acquired A little cleared enough work for automation. They become the next day because of the good. I can see a next publicly traded company. What happened in the 80 operations? Patriotism Probably. Computer company Pedro is doing really well. Watch it later. Don't. They're going to go public next. So that area also, you see plenty of open record companies in a UPS. >> So this is again back to the growth areas. Cloud hard to compete on Public Cloud. Yes, the big guys are out there. There's a cloud enablers, the people who don't have the clouds. So h p tried to do a cloud hp They had to come out, they'll try to cloud couldn't do It s a P technically is out there with a cloud. They're trying to be multi cloud. So you have a series of people who made it an oracle still on the fence. They still technically got a cloud, but it's really more Oracle and Oracle. So they're kind of stuck in the middle between the cloud and able nervous. The Cloud player. If you're not a cloud player large enterprise, what is the strategy? Because you got HP, IBM, Cisco and Dell. >> So I don't know. You didn't include its sales force in that If I'm Salesforce, I want sales force to get in. They have a sales cloud marketing cloud commerce code. Mark is not doing anything in the area of fighting clothes. They cannot go from 100,000,000,000 toe, half a trillion trillion market cap. Told I D. They have to embrace that and that's 100% growth area. You know, people get into this game at some point. It'll be is already hard and 50,000,000,000 market cap. Then that leaves. What is this going to do? Cisco has been buying more security software assets, but they don't wanna be a public company, their hybrid club. But they have to figure out How can they become an arms dealer in escape and by ruining different properties off close services? And that's gonna happen. And I've been really good job by acquiring Red Heart. So I think some place really figuring out this what is happening. But they have to get in the gaming club they have to do. Other service management have begun and are here. They have to get experience. None of these guys have experienced in this day and age that you killed and who are joining the workforce. They care for Airbnb naked for we work. They care for uber. They care for Netflix. It is not betting unders. So if I'm on the border, Francisco, I'm not talking about experience That's a problem to me. Hey, tree boredom is not talking about that. That's what if I'm I know Mark is on the board. Paramount reason. But Mark is investing in all the slack. Cos then why is it we are doing it either hit special? Get a separate board member. They should get somebody else. >> Why? He wouldn't tell. You have to move. Maybe. I don't know. We don't talk about injuries about that. But I want to get back to this experience thing because experience has become the new expectation. Yes, that's been kind of a design principle kind of ethos. Okay, so let's take that. The next little younger generation, they're consuming Airbnb. They're using the serious like their news and little chunks be built a video service for that. So things are changing. What is? I tease virgin as the consumption is a product issue. So how does I t cater to these new experience? What are some of those experiences? I >> think all of them. But I think I d for Social Kedrick, every property, every product should figure out how to offer to the young dreamers how they were contributed offer to the businesses on the B two baby to see. So the eye has to think every product or not. Should I start thinking about how my user should consume this and how should out for new experiences and how they want to see this in a new way, right? It's not in the same the same computer networking. How can a deluded proactively How can a dealer to a point where people can consume it and make other medications so darn edition making? That's where the air comes in. Don't wait for me toe. Ask the question. Suggest it's like Gmail auto complete. Every future should be thinking through problem. Still, what can I do to improve the experience that changes the product? Management's on? And that's what I'm looking at, companies who are thinking like that connection and see Adam Connection security. But that has to happen in the product. >> I was mentioning the people who didn't have clouds HP, IBM, Cisco and Dell you through sales force in there, I kind of would think sales were six, which is technically a cloud. They were cloud before cloud was even cloud. They built basically oracle for the cloud that became sales force. But you mentioned service now. Sales force. You got adobe, You got work day. These are application clouds. So they're not public clouds per se they get Amazon Web service is, you know, at Adobe runs on AWS, right? A lot of other people do. Microsoft has their own cloud, but they also have applications as well. Office 3 65 So what if some of these niche cloud these application clouds have to do differently? Because if you think about sales force, you mentioned a good point. Why isn't sales were doing more? People generally don't like Salesforce. You think that it's more of a lock inspect lesson with a wow. They've done really innovative things. I mean, I don't People don't really tend to talk about sales force in the same breath as innovation. They talk about Well, we run sales for us. We hate it or we use it and they never really break into these other markets. What's your take on them? >> I think Mark has done a good job to order. Yes, acquiring very cos it has to start from the top and at the market. His management team should say, I want to get in a new space. He got in tow. Commerce. Claudia got into marketing. He has to know, decide to get into idea or not. Once he comes out, he's really taken because today, science. What is below the market cap? Com Part of it'll be all right. If I am sales force, I need to go back down. Should I go after service? No. Industry should go after entire 80 services industry. Yes or no, But they have to make a suggestion. Something with Toby Toby is not gonna be any slower. They will get into. I decide. They're already doing the eyesight and experience. They're king of experience. Their king off what they're doing. Marketing site. They will expand. Writing. >> What does something We'll just launched a platform. Yes, that's right. The former executive from IBM. That's an interesting direction. They all have these platforms. Okay, so I got together to the Microsoft Amazon, Um, Google, the big clouds and then everybody else. A lot of discussion around consolidation. A lot of people say that the recession's coming next year. I doubt that. No, nos. The consolidation continues to happen. You can almost predict that. But where do you see the consolidation of you got some growth areas as you laid out cloud I t service is our p a experience based off where looks like where's the consolidation happening? If growth is happening, they're words to tell. >> It was happening. Really Like I see a lot in cyber security. I'm in Costa Rica, live in public. You have the scaler, the whole bunch of companies. So the next level of cos you always saw Sisko Bart, do your security followed has been buying aggressively companies. So secret is already going to a lot of consolidation. You're not seeing other people taking it, but in the I T services industry, you'll start seeing that you're already seeing that in the community space. That game is pretty much over right. Even the ember barred companies, even Net are barred companies and the currency. So I think console is always going to happen. People are picking up the right time. It's happening across the board. It's a great time to be an entrepreneur creator value. They come this public. So it's like I think it's cannot anymore very time. Look to your point where the decision happens or not. Nobody can predict. But if a chance now, it's best time to raise money. Build a company. >> Well, we do. I think the analysis, at least from my perspective, is looking at all the events we go to is the same theme comes up over and over. And Andy Jassy this heat of a tigress always talks about Old Garden new Guard. I think there's two sides of the streets developing old way in a new way, and I think the modern architect of the modern era of computer industry is coming, and it looks a lot different than it. Waas. So I think the consolidate is happening on those companies that didn't make the right bets, either technically or business model wise, for they took on too much technical debt and could not convert over to the cloud world or these really robust software environment. So I think consolidations from just just the passing of holder >> seems pretty set up for a member of the first men. First Main Computing was called mainframe Era, then, with clients Herrera and Kim, the club sodas 6 2009 13 years old, the new Errol called. Whatever the name, it will be something with a n mission in India that things would be so automated. That's what we have new area of computing, So that's I would like to see. So that's a new trick, this vendetta near turn. So even though we go through this >> chance all software software sales data 11. Yeah, it's interesting. And I think the opportunity, for starters is to build a new brands. His new branch would come out. Let's take an example of a company that but after our old incumbent space dying market share not not very attractive from a VC standpoint. From market space standpoint, Zoom Zoom went after Web conferencing, and they took on WebEx and portability. And they did it with a very simple formula. Be fast, be cloud native and go after that big market and just beat them on speed and simple >> experience. They give your greatest experience just on the Web, conferencing it and better than sky better than their backs better than anybody else in that market. Paid them with reward. Thanks, Vic. He had a good >> guy and he's very focused. He used clouds. Scale took the value proposition of WebEx. Get rid of all the other stuff brought its simple to video conference. And Dr Mantra is one >> happening. The A applying to air for 87 management. A ops A customer surveys. >> So this is what our Spurs could do. They can target big markets debt and go directly at either a specific differentiation. Whether it's experience or just a better mouse trap in this case could win, >> right? And one more thing we didn't talk about is where their underpants go after is the area number. Many of these abs are still enterprise abs. Nobody really focused on moving this enterprise after the club. Hollis Clubbers are still struggling with the thing. How can I move my workload number 10%. We're closing the club 90% still on track. So somebody needs to figure out how to migrate these clouds to the cloud really seamlessly. The Alps are gonna be born in the cloud club near the apse. So how do you address truckload in here? So there's enough opportunity to go after enterprise applications clouded your application. Yeah, >> I mean, I do buy the argument that they will still be on premises activity, but to your point will be stealing massive migration to the cloud either sunsetting absent being born the cloud or moving them over on Prem All in >> all the desert I keep telling the entree and follow the money. When there is a thing you look for it Is there a big market? Are people catering there? If people are dying and the old guard is there to your point and is that the new are you? God will happen. And if you can bet on the new guard in your experience, market will reward you. >> Where is the money? Follow the money. Worse. What do we follow? Show me where it is. Tell me where it is >> That all of the clothes, What is the big I mean, if you're not >> making money in the club for the cloud, you are a fool right now. If there any company on making out making in the club as a CEO, a board member, you need to think through it. Second automation whether you go r p a IittIe automation here to make money on, said his management. Whether it's from customer service to support the operation, you got to take the car. Start off it if you are Jesse ever today and you're not making birds that cementing. I see it mostly is that still don't want to take it back. They want to build empires. The message to see what's right, Nice. Either you do it or get out. Get the job to somebody that >> I hold a lot of sea cells and prayer. Preparing for reinforce Amazon's new security cloud security conference and overwhelmingly response from the sea. So's chief security officer is we are building stacks internally. When I asked him about multi cloud, you know what they said? Multi cloud is B s. I said, Why? Because Well, we have a secondary cloud, but I don't want to fork my development team. I want to keep my people focused on one cloud. It's Amazon. Go Amazon. It's azure. We stay with Azure. I don't wanna have three development teams. So this a trend to keep the stack building internally. That means they're investing in building their own text. Axe your thoughts on that >> look, I mean, that's again. There's no one size fits all. There will be some CEOs who want to have three different silos. Some people have a hard, gentle stack like I've seen companies. Right now. They write, the court wants it, compiles, and it's got an altar cloth. That's a new irritability you're not. We locate a stack for each of them. You're right. The court order to users and NATO service is but using the same court base. That's the whole The new startups are building it. If somebody's writing it like this, that's all we have. Thing is the CEO. So there's that. The news he always have to think through. How can you do? One court works on our clothes? >> Great. You do. Thank you for coming on again. Always great to get your commentary. I learned a lot from you as well. Appreciate it. I gotta ask the final question as you go around the VC circles. You don't need to mention any names you can if you want, but I want to get a taste of the market size of rounds, Seed Round A and B. What are hot rounds? What sizes of Siri's am seeing? Maur? No. 10,000,000? 15,000,000? Siri's >> A. >> Um >> Siri's bees are always harder to get than Siri's. A seeds. I always kind of easier. What's your take on the hot rounds that are hot right now. And what's the sizes of the >> very good question? So I'm in the series the most easy one, right? Your concept. But the seed sizes went up from 200 K to know mostly drones are 1,000,000 2 1,000,000 Most city says no oneto $10,000,000. So if you're a citizen calmly, you're not getting 10 to 15. Something's wrong because that become the norm because there's more easy money. It also helps entrepreneurs. You don't have to look for money. See, this beast are becoming $2025 $5,000,000 pounds, Siri sees. If you don't raise a $50,000,000 then that means you're in good company. So the minimum amount of dries 50,000,000 and CDC Then after that, you're really looking for expansions. $100,000,000 except >> you have private equity or secondary mortgage >> keys, market valuations, all the rent. So I tell entrepreneurs when there is an opportunity, if you have something, you can command the price. So if you're doing a serious be a $20,000,000 you should be commanding $100,000,000.150,000,000 dollars, 2,000,000 evaluations right if you're not other guys are getting that you're giving too much of your company, so you need to think through all of that. >> So serious bees at 100,000,000 >> good companies are much higher than that. That'll be 1 52 100 And again, this is a buyer's market. The underpinnings market. So he says, more money in the cash. Good players they're putting. Whether you have 1,000,000 revenue of 5,000,000 revenue, 10,000,000 series is the most hardest, but its commanding good premium >> good time to be in our prayers were with bubble. Always burst when it's a bite, mark it on the >> big money. Always start a company >> when the market busts. That's always my philosophy. Voodoo. Thanks for coming. I appreciate your insight. Always as usual. Great stuff way Do Sudhakar here on the Q investor friend of the Cube Entrepreneur, I'm John for your Thanks >> for watching. Thank you.

>> from our studios in the heart of Silicon Valley, Palo Alto, California. It is a cute conversation. >> Everyone. Welcome to this Special Cube conversation here at the Palo Alto Cube Studios. I'm John for a host of Cuba here. Moritz man is the head of the product management team at Open Systems A G. Great to see you again. Thanks for coming in. >> Hey, John. Thanks for having me. >> So last time we spoke, you had your event in Las Vegas. You guys are launching. You have a new headquarters here in Silicon Valley. Opened up this past spring. Congratulations. Thank you. >> Yeah, it's a great, great venue to start, and we set foot on the Silicon Valley ground. So to make our way to >> I know you've been super busy with the new building and rolling out, expanding heavily here in the Valley. But you guys were in the hottest area that we're covering Security Cloud security on premise, security. The combination of both has been the number one conversation pretty much in the cloud world right now. Honestly, besides a normal cloud, native cloud I t hybrid versus multi cloud out. See, that continues to be the discussion I think there's no more debate around multi cloud in hybrid public clouds. Great people gonna still keep their enterprises. But the security equation still is changing this new requirements. What's the latest that you guys are seeing with respect to security? >> Yeah. So, John, what we see is actually that cloud adoption had happens at different speeds. So you have usually the infrastructure of the service. Adoption would happens in a quite controlled way because there's a lift in shift. Do you have your old data center? You you take it and you transferred into azure I W S O G C P. But then there's also uncontrolled at option, which is in the SAS space. And I think this is where a lot off data risk occur, especially the wake off GDP are on where we see that this adoption happens. Maurin a sometimes control, but sometimes in a very uncontrolled way, >> explain that the uncontrolled and controlled expansion of of how security and multi cloud and cloud is going because this interesting control means this this plan's to do stuff uncontrolled means it's just by other forces explain uncontrolled versus controls >> eso controlled specifically means the IittIe team takes as a project plan and aches servers and workloads and moves them in a controlled fashion or in a dedicated project to the cloud. But what happened in the business world of business I t is actually did use those share content at any time with any device at any at any time and in all locations. So this is called the Mobile Enterprise on the Cloud First Enterprise. So it means that the classical security perimeter and the controls in that are my past, actually, by the path of least resistance or the shortest path >> available. And this is the classic case. People use Dropbox with some, you know, personal things. They're at home, they're at work, a p I based software. That's what you're getting at the >> and the issue of this is that that the data that has bean, like contained an pera meters where, you know, as it Caesar, where your data is. This has bean deployed too many edge devices, too many mobile devices, and it's get it gets shared, a nun controlled way. >> We'll get a couple talk tracks would like to drill down on that, because I think this is the trend. We're seeing a pea eye's dominant. The perimeter on the infrastructure has gone away. It's only getting bigger and larger. You got I, O. T and T Edge just and the networks are controlled and also owned by different people. So the packets of moving on it that's crazy so that that's the reality. First, talk track is the security challenge. What is the security challenge? How does a customer figure out what to do from an architectural standpoint when they're dealing with hybrid and multi cloud? So first of >> all, um, customers or BC enterprises try need to re think their infrastructure infrastructure centric view off the architecture's. So the architecture that had been built around data send us needs to become hybrid and multi cloud aware. So that means they need to define a new way off a perimeter, which is in cloud but also in the covering. Still the old, so to say, legacy hyper data center set up, which has the data still in the old data center and at the same time, they need to open up and become the cloud themselves, so to say, and but still draw a perimeter around their data and they users and not and their applications and not so much anymore around the physical infrastructure. >> So taking, changing their view of what a security product is, Is that really what you're getting at? >> Yeah, So the issues with the product point solution was that they fixed a certain part off off a tactile issue. So if you take a firewall in itself, firewall back then it was like a entry door to a big building, and you could could decide who comes out goes in. Now. If the the kind of the walls of the building are vanishing or arm or more FIC, you need to come over the more integrated concept. So having these stacked appliance and stacked security solutions trying to work together and chain them doesn't work anymore. So we think and we see that, >> Why is that? Why doesn't it work? Because in >> the end, it's it's it's hardly two to operate them. Each of those points solutions have their own end off life. They have their own life cycle. They have their own AP eyes. They have their own TCO, as all that needs to be covered. And then there's the human aspect where you have the knowledge pools around >> those technologies. So as an enterprise you have to content to continuously keep the very scar security experts to maintain content continues the depreciating assets running right, >> and they're also in it. We weren't built for tying into a holistic kind of platform. >> Yeah, What we see is that that enterprises now realize we have data centers and it's not accepted reality that you can abstracted with the cloud. So you have You don't own your own servers and buildings anymore. So you have a PAX model to subscribe to Cloud Service is and we think that this has to happen to security to so shift from cap ex to our pecs and the same way also for operational matters >> securities. The service is a crepe is a small I want to ask you on that front you mentioned mobile users. How do you secure the mobile uses when they use cloud collaboration? Because this is really what uses expect, and they want How do you secure it? >> So be secured by by actually monitoring the data where it actually gravitates, and this is usually in the cloud. So we enforce the data that is in transit through, ah, proxies and gators towards the cloud from the endpoint devices, but also then looking by AP eyes in the cloud themselves to look for threats, data leakage and also sandbox. Certain activities that happened. There >> are the next talk talk I want to get into is the expansion to hybrid and multi cloud so that you guys do from a product standpoint, solution for your customers. But in general, this is in the industry conversation as well. How how do you look at this from a software standpoint? Because, you know, we've heard Pat Gelsinger of'em were talking about somewhere to find Data Center S d n. Everything's now software based. You talk about the premiere goes away. You guys were kind of bring up a different approaches. A software perimeter? Yeah, what is the challenge for expanding to multi cloud and hybrid cloud? >> So So the challenge for enterprise and customers we talked to is that they have to run their old business. Gardner once called it by motile business, and it's still adopting not one cloud, but we see in our surveys. And this is also what market research confirms is that customers end up with 2 to 3 loud vendors. So there were will be one or two platforms that will be the primary to their major majority of applications and data gravity. But they will end up and become much more flexible with have running AWS, the old Davis Center. But it was the G, C, P and Azure, or Ali Baba glowed even side by side, right tow cover the different speeds at what their own and the price runs. And >> so I gotta ask you about Cloud Needed was one of the things that you're bringing up that just jumps in my head. And when I got to ask, because this is what I see is a potential challenge. It might be a current challenges when you have kubernetes growing such a rapid rate. You see the level of service is coming online much higher rate. So okay, people, mobile users, they're using the drop boxes, the boxes and using all these FBI service's. But that's just those wraps. As a hundreds and thousands of micro service is being stood up and Tauron down in there, you guys are taking, I think, an approach of putting a perimeter software premieres around these kinds of things, but they get turned on enough. How do you know what's clean? It's all done automatically, so this is becoming a challenge. So is this what you guys mean when you say software perimeter that you guys could just put security around things at any time? Is that explain this? >> Yeah, So? So if you talk about the service match so really mashing cloudy but native functions, I think it's still in the face where it's, I would say, chaos chaotic when you have specific projects that are being ramped up them down. So we draw a perimeter in that specific contact. So let's say you have You're ramping up a lot off cloud a function AWS. We can build a pyramid around this kind off containment and look especially for threats in the activity locks off. The different component is containers, but from from a design perspective, this needs to be, uh, we need to think off the future because if you look at Mike soft on AWS strategy, those containers will eventually move Also back to the edge. Eso were in preparing that to support those models also cover. Bring these functions closer back again to the edge on We call that not any longer the when, ej but it will become a cloud at at actually. So it's not an extension of the land that comes to the data. It's actually the data and the applications coming back to the user and much closer. >> Yeah. I mean, in that case, you could define the on premises environment has an edge, big edge, because this is all about moving, were close and data around. This is what the new normal is. Yeah, So okay, I gotta ask the next question, which is okay, If that's true, that means that kubernetes becomes a critical part of all this. And containers. How do you guys play with that at all? >> So we play with us by by actually looking at data coming from that at the moment. We're looking at this from a from a data transit perspective. We But we will further Maur integrate into their eighties AP eyes and actually become part off the C I C D. Process that building then actually big become a security function in approval and rolling out a cannery to certain service mesh. And we can say, Well, this is safe for this is unsafe This is, I think, the eventual goal to get there. But But for now, it's It's really about tracking the locks of each of those containers and actually having a parent her and segmentation around this service mash cloud. So to say, >> I think you guys got a good thing going on when you talk about this new concept that's of softer to find perimeter. You can almost map that to anything you get. Really think everything has its own little perimeter workload. Could be moving around still in these three secure. So I gotta ask on the next talk Trek is this leads into hybrid cloud. This is the hottest topic. Hybrid cloud to me is the same as multi cloud. Just kind of get together a little bit different. But hybrid cloud means you're operating both on premises and in the cloud. This is becoming a channel most si si SOS Chief admission Security officers. I don't want to fork their teams and have multiple people coding different stacks. They don't want the vendor lock in, and so you're seeing a lot of people pulling back on premises building their own stacks, deploying in the cloud and having a seamless operation. What is your definition of hybrid? Where do you see hybrid going? And how important is it? Have a hybrid strategy. >> So I think the key successfactors of a hybrid strategy is that standards standardization is a big topic. So we think that a service platform that to secure that like the SD when secure service platform rebuilt, needs to be standardized on operational level, but also from a baseline security and detection level. And this means that if you run and create your own work, those on Prem you need to have the same security and standard security and deployment standard for the clout and have the seamless security primary perimeter and level off security no matter where these these deployments are. And the second factor of this is actually how do you ensure a secure data transfer between those different workloads? And this is where S T win comes into play, which acts as a fabric together with when backbone, where we connect all those pieces together in a secure fashion >> where it's great to have you on the Q and sharing your insight on the industry. Let's get into your company. Open systems. You guys provide an integrated solution for Dev Ops and Secure Service and Security Platform. Take a minute to talk about the innovations that you guys were doing because you guys talk a lot about Casby. Talk a lot about integrated esti when but first define what Casby is for. The audience doesn't know what Casby is. C. A S B. It's kicked around all of the security conscious of your new to security. It's an acronym that you should pay attention to so defined casby and talk about your solution. >> Eso casby isn't theory. Aviation means cloud access security we broker. So it's actually becoming this centralized orchestrator that that allows and defines access based on a trust level. So saying, um, first of all, it's between networks saying I have a mobile workforce accessing SAS or I s applications. Can't be it in the middle to provide security and visibility about Where's my data moving? Where's married? Where do I have exposure off off GDP, our compliance or P C. I or he power risks And where is it exposed to, Which is a big deal on it's kind of the lowest level to start with, But then it goes further by. You can use the Casby to actually pull in data that that is about I s were close to toe identified data that's being addressed and stored. So are there any incidentally, a shared data artifacts that are actually critical to the business? And are they shared with extra resource is and then going one step further, where we then have a complete zero trust access model where we say we know exactly who can talkto which application at any time on give access to. But as everything this needs to be is in embedded in an evolution >> and the benefit ultimately goes to the SAS applications toe, have security built in. >> That's the first thing that you need to tackle. Nowadays, it's get your sass, cloud security or policy enforced on, but without disrupting service on business on to actually empower business and not to block and keep out the business >> can make us the classic application developer challenge, which is? They love to co they love the build applications, and what cloud did with Dev Ops was abstracted away the infrastructure so that they didn't have to do all this configuration. Sister. Right? APs You guys air enabling that for security? >> Exactly. Yeah. So coming back to this multi protein product cloud would, which is not keeping up anymore with the current reality and needs of a business. So we took the approach and compared death ops with a great service platform. So we have engineers building the platform. That's Integrated Security Service Platform, which promotes Esti Wen managed Detection response and Caspi Service is in one on the one platform which is tightly integrated. But in the in the customer focus that we provide them on or Pecs model, which is pretty, very predictable, very transparent in their security posture. Make that a scalable platform to operate and expand their business on. >> And that's great. Congratulations. I wanna go back for the final point here to round up the interview for the I T. Folks watching or, um, folks who have to implement multi cloud and hybrid cloud they're sitting there could be a cloud architect that could be an I T. Operations or 90 pro. They think multi cloud this in hybrid club. This is the environment. They have to get their arms around. How? What >> should they >> be thinking about? Around multi cloud and hybrid cloud. What is it, really? What's the reality now? What >> should they be considering for evaluation? What are some of the key things that that should be on their mind when they're dealing with hybrid cloud and all the opportunity around it? >> So I think they're they're like, four key pieces. Oneness. Um, they think they still have to start to think strategic. So what? It's a platform and a partner That helps them to plan ahead for the next 3 to 5 years in a way that they can really focus on what their business needs are. This is the scalability aspect. Secondly, it's a do. We have a network on security, our architecture that allows me to grow confidently and go down different venues to to actually adopt multi clouds without worrying about the security implication behind it. Too much, uh, and to implement it. And third is have this baseline and have this standardized security posture around wherever the data is moving, being at Mobil's being it SAS or being on Prem and in clouds workloads, the fourth pieces again, reading, thinking off where did you spend most of my time? Where do I create? Create value by by defining this framework so it really can create a benefit and value for the enterprise? Because if you do it not right your not right. You will have a way. You will end up with a an architecture that will break the business and not accelerated. >> Or it's made head of product that open systems here inside the Cube studios. Um, great job. Must love your job. You got the keys. A lot of pressure. Security being a product. Head of product for security companies. A lot of pressure before we wrap up. Just give a quick plug for the company. You guys hiring you have a new office space here in Redwood City. Looks beautiful. Give a quick shared play for the company. >> Yeah. So open systems the great company to work with. We're expanding in the U. S. On also, Amy, uh, with all the work force. So we're hiring. So go on our website. We have a lot off open positions, exciting challenges in a growth or into workspace. Andi. Yeah. As you said, security at the moment, it's one of the hottest areas to be in, especially with all the fundamental changes happening in the enterprise and architecture. I d landscape. So yeah, >> and clouds securing specifically. Not just in point. The normal stuff that people used to classify as hot as hot as Hades could be right now. But thanks for coming on. Strong insights. I'm jumping with Cuba here in Palo Alto with more Morris Man is the head of product management for open systems. Thanks for watching.