Search Results for Qualys Security Conference 2019:

Philippe Courtot, Qualys | Qualys Security Conference 2019


 

>>From Las Vegas, it's the Cube, covering Qualys Security Conference 2019, brought to you by Qualys.

>>Hey, welcome back, everybody. Jeff Frick here with the Cube. We're in Las Vegas at the Bellagio, at the Qualys Security Conference. It's the 19th year they've been doing this. It's our first year here and we're excited to be here, and it's great to have a veteran who's been in this space for so long to give a little bit more of a historical perspective as to what happened in the past, where we are now, and what we can look forward to in the future. So coming right off his keynote is Philippe Courtot, the chairman and CEO of Qualys. Philippe, great to see you.

>>Thank you. Same, same, same for me.

>>Absolutely. So you touched on so many great, um, topics in your conversation about kind of the shifts of, of, of modern computing from the mainframe to the mini. We've heard it over and over and over, but the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. So how has the evolution of architects, of architectures impacted your ability to deliver security solutions for your clients?

>>So now that's a very good question. And in fact, you know, what happened is that we started in 1999 with a vision that we could use, exactly like salesforce.com, this nascent internet technologies and apply that to security. And, uh, so, and Marc Benioff applied that to essentially changing the way CRM was essentially used and deployed in enterprises, and with a fantastic success as we know. So for us, the, I can say today that 19 years later the vision was right. It took a significant longer because the security people are not really, uh, warm at the idea of suddenly, uh, having the data, in their view, which was in a place that they could not control. And the IT people, they didn't really like at all the fact that suddenly they were not in control anymore of the infrastructure. So we had a lot of resistance.
>>I, wherever we always, I always believe, absolutely believe that the, the cloud will be the cloud architecture to go back. A lot of people make the confusion. That was part of the confusion, that for people it was a cloud, that kind of magical things someplace where you don't know where. And when I were trying to explain, and I've been saying that so many times, that, well, you need to look at the cloud like a computing architecture which distributes the computing power far more efficiently than the previous one, which was client-server, which was distributing the computing power far better than of course the mainframes and the minicomputers. And so if you look at their architectures, so the mainframe were essentially big data centers in, uh, in Fort Knox-like settings, uh, private lines of communication to a dumb terminal. And of course security was not really an issue then, because security was built in by the IBMs and company.

>>Same thing with the minicomputer, which then was, instead of just providing the computing power to the large, very large company, you could afford it. Nelson and the minicomputer, through the advances in semiconductor technology, could reduce the footprint. And then they'll bring that computing power to the labs and to the departments. And was then the new era of the Digital Equipment, the Prime, the Data General, et cetera. Uh, and then client-server came in. So what client-server did, again, if you look at the architecture, different architecture: now suddenly servers, the LAN or the internal network, and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to, so everybody, nobody paid attention to security because then you were inside of the enterprise. So it started inside the walls of the castle, if you prefer.

>>So nobody paid attention to that. It was more complex because now you have multiple actors.
Instead of having one IBM or one Digital Equipment, et cetera, suddenly you have the people in manufacturing and the servers, the software, the database, the PCs, and on and on. So suddenly there was the complexity, increasing efficiency, but nobody paid attention to security because it wasn't needed, until suddenly we realized that viruses could come in through the front door, being installed innocently. You were absolutely, absolutely compromised. And of course that's the era of the antivirus which came in. And then because of the need to communicate more and more, now, suddenly, you could not stay only in your castle. You needed to go and communicate to your customers, to your suppliers, et cetera, et cetera. And now he was starting to open up your, your castle to the world and hello so now so that the, the bad guy could come in and start to steal your information.

>>And that was the new era of the firewall. Now you make sure that those who come in, but of course that was a little bit naive because there were so many other doors and windows, uh, that people could come in, you know, create tunnels and create these and all of that, trying to ensure your customers, because the data was becoming more and more rich and more, more important or more value. So whenever there is a value, of course the bad guys are coming in to try to sell it. And that was that new era of a willing to pay attention to security. The problem has been is, because you have so many different actors, there was nothing really central there, that was just selling more and more solutions and now, absolutely, like 800 vendors bolting on security, right? And bolting on anything is short-lived at the end of the day, because you put more and more weight and then you also increase the complexity, and all these different solutions you need.

>>They need to talk together so you have a better context. Uh, but they weren't designed to talk together.
So now you need to put other system where they could communicate that information. So you complicated and complicated and complicated the solution. And that's the problem of today. So now cloud computing comes in and again, if you look at the architecture of cloud computing, it's again data centers, which is not today I've become thanks to the technology having infinite, almost, computing power and storage capabilities. And like the previous data center, the are much more fractured because you just one scale and they become essentially a little bit easier to secure. And by the way, it's your fewer vendors now doing that. And then of course the access can be controlled better. Uh, and then of course the second component is not the LAN and the WAN, it's now the internet.

>>And the internet of course is the web communications, extremely cheap, and it brings you in every place on the planet and soon on Mars, why not? So and so. Now the issue today is that still the internet needs to be secure. And today, how are we going to secure the internet? Which is very important thing today, because you see today that you can spoof your email, you can spoof your website, uh, you can attack the DNS who, yes, there's a lot of things that the bad guys still do. And in fact, they've said that leverage the internet of course, to access everywhere, so they take advantage of it. So now this is obviously, you know, I created the, the trustworthy movement many years ago to try to really address that. Unfortunately, Qualys was too small and it was not really our place. Today there's all the Google, the Facebook, the big guys, which in fact their business depend on the internet.

>>Now need to do that. And I upload or be diabetic, criticized very much so. Google was the first one to essentially have a big initiative, was trying to push SSL, which everybody understand is secret encryption, if you prefer. And to everybody. So they did a fantastic job. They really push it.
So now today's society is becoming like, okay, as I said, you want to have, as I said it all in your communication, but that's not enough. And now they are pushing, and some people criticize them and I absolutely applaud them, to say we need to change the internet protocols, which were created at a time when security, you were transferring information from universities and so forth. This was the heydays, you know, of everything was fine. There was no bad guys, you know, the, hippie days, if you like, of the internet. Everybody was free, everybody was up and fantastic.

>>Okay. And now of course, today this protocol needs to be upgraded, which is a lot of work. But today I really believe that if you put Google, Amazon, Facebook all together, and they can fix these internet protocols. So we could forget about the spoofing and who forgot about all these phishing and all these things. But this is their responsibility. So, and then you have now on the other side, you have now very intelligent devices, from in a very simple sensors and, you know, to sophisticated devices, the phone, et cetera, and not more and more and more devices interconnected, and for people to understand what is going. So this is the new environment, and whether we always believe is that if you adopt an architecture, which is exactly, which fits, which is similar, then we could, instead of bolting security in, we can now say that the build security in, of bolting security on, we could build security in.

>>And we have been very proud of the work that we've done with Microsoft, which we announced in fact relatively recently, very recently, that in fact our agent technologies now is bundled in Microsoft. So we have built security with Microsoft in. So from a security perspective today, if you go to the Microsoft Azure Security Center, you click on the link and now you have the view of your entire Azure environment, courtesy of the Qualys agent.
You click on a second link and now you have the view of your significant loss posture, courtesy of that same Qualys agent. And then you click on the third link, which has nothing to do with Qualys. It's all Microsoft. You create your playbook and you remediate. So security in this environment has become click, click, click, nothing to install, nothing to update. And the only thing you bring are your policies, saying, I don't want to have this kind of measured machine expose on the internet.

>>I want, this is what I want. And you can continuously audit, in essentially in real time, right? So as you can see, totally different than putting boxes and boxes and so many things and then having to for you. So very big game changer. So the analogy that I want you that I give to people, it's so people don't understand that paradigm shift is already happening in the way we secure our homes. You put sensors everywhere, you have cameras, you have detection for proximity detection. Essentially when somebody tried to enter your home, all that data is continuously pumped up into an incident response system. And then from your phone, again across the internet, you can change the temperature of your rooms. You can do what you can see the person who knocks on the door. You can see its face, you can open the door, close the door, the garage door, you can do all of that remotely and automatically.

>>And then if there's a burglar then in your house to try to raking, immediately the incident response system calls the cops or the fire marshal if it's a fire. And that's the new paradigm. So security has to follow that paradigm. And then you have interesting of the problem today that we see with all the current security, uh, systems, uh, incident response systems. They have a lot of false positive. False positive and false negative are the enemy really of security.
Because if you have false positives, you cannot automate the response, because then you are going to try to respond to something that is not true. So you are, you could create a lot of damage. And the example I give you that today in the, if you leave your dog in your house and if you don't have the ability, the dog will bark, would move. And then the sensors would say intruder alert.

>>So that becomes a false positive. So how do you eliminate that? By having more context, you can eliminate automatically, again, this false positives. Like now you take a fingerprint of your dog and of these voice, and now the camera and this and the sensors and the voice can pick up and say, oh, this is my dog. So then of course you eliminate that for solar, right? Right. Now even if another dog managed to enter your home through a window which was open or whatever for soul, you will know her window was up and, but you know you cannot necessarily fix it and the dog opens. Then you will know it's a, it's a, it's not sure about, right? So that's what security is evolving, such a huge sea of change, which is happening because of all that internet, and today companies today, after leveraging new cloud technology, which are coming, there's so much new technology.

>>What people understand is where's that technology coming from? How come suddenly we have, you know, Docker, Kubernetes, all these solutions today, which are available at almost no cost because it's all open source. So what happened is that, which is unlike the enterprise software, which were more the Oracle et cetera, the manufacturer of that software today is in fact the cloud, public cloud vendors, the Amazon, the Google, the Facebook, the Microsoft. We suddenly needed to have to develop new technology so they could scale at the size of the planet. And then very shrewdly realized that effective that technology for me, I'm essentially going to imprison that technology, is not going to evolve.
And then I need other technologies that are not developing. So they realized that they totally changed that open source movement, which in the early days of open source was more controlled by people who had more purity.

>>If you prefer, no commercial interests, it was all for the good of the civilization and humankind. And they say their licensing model was very complex. So they simplified all of that. And then nothing until you had all this technology coming at you extremely fast. And we have leverage that technology, which was not existing in the early days when, when socials.com started with the LAMP, what's called Linux, Apache, MySQL and PHP, a little bit limiting, but now suddenly all this technology, that Elasticsearch was coming, we today in our backend, 3 trillion data points on Elasticsearch clusters and we return information in a hundred milliseconds. And then onto the Kafka bus, which is again something at open source. We, we, we, and now today 5 million messages a day, and on and on and on. So the world is changing and of course, if that's what it's called now, the digital transformation.

>>So now enterprises, to be essentially agile, to reach out to the customers better and more, they need to embrace the cloud as the way they do, retool their entire IT infrastructure. And essentially it's a huge sea of change. And that's what we see, even the market of security, just to finish, uh, now evolving in a totally different ways than the way it has been, which in the past, the market of security was essentially the market for the enterprise. And I'm bringing you my, my bolt, my bolt-on solutions that you have to go and install and make work, right? And then you had the, the antivirus essentially, uh, for all the consumers and so forth.
So today when we see the marketplace, which is fragmenting in four different segments, which is one is the large enterprise which are going to essentially consolidate those stock, move into the digital transformation, leveraging absolutely DevOps, which is becoming the new buyer and of course a soak or they could improve, uh, their IT for, to reach out to more customers and more effectively, than the cloud providers as I mentioned earlier, which are building security in, the, no few use them.

>>You don't have to worry about infrastructure, about how many servers you need, I mean it is, it's all done for you. And same thing about security, right? The third market is going to be an emergence of a new generation of managed security service providers, which are going to take to all these companies. We don't have enough resources. Okay, don't worry, I'm going to help you, you know, do all that digital transformation. And that if you build a security and then there's a totally new market of all these devices, including the phone, et cetera, which connects and that you essentially want to all these like OT and IoT devices that are all now connected, which of course presents security risk. So you need to also secure them, but you also need to be able to also not only check their edits to make sure that, okay, because you cannot send people anymore.

>>So you need to automate the same thing on security. If you find that that phone is compromised, you need to make, to be able to make immediate decisions about should I kill that phone, right? Destroyed everything in it. Should I know don't let that phone connect anymore to my networks. What should I do? Should I, by the way, detected that they've downloaded the application, which are not allowed? Because what we see is more and more companies now are giving tablets to the users. And in doing so, now today's the company property. So they could say, okay, you use these tablets and, uh, you're not allowed to do this app.
So you could check all of that and then automatically remote. But that again requires a full visibility on what you are. And that's why, just to finish, we make a big decision about a few, three months ago that we have, we build the ability for any company on the planet to automatically build their entire global IT asset inventory, which nobody knows what they have in that old networking environment.

>>You don't know what connects, to have the view of the known and the unknown, totally free of charge, uh, across on premise and pawn cloud containers, uh, uh, uh, web applications, uh, OT and IoT devices to come. So now there's the cornerstone of security. So with that totally free. So, and then of course we have all these additional solutions and we're build a very scalable, uh, open platform where we can take data in, pass out data as well. So we really need to be and want to be good citizen here, because security at the end of the day, it's almost like we used to say like the doctors, you have to have that kind of Hippocratic oath that you cannot do no harm. So if you keep, if you try to take the data that you have, keep it with you, that's absolutely not right, because it's the data of your customers, right?

>>So, and you have to make sure that it's there. So you have to be a good warning of the data, but you have to make sure that the customer can absolutely take that data to whatever he wants with it, whatever he needs to do. So that's the kind of totally new field as a fee. And finally today there is a new Ash culture change, which is, which is happening now in the companies, is that security has become front and center, is becoming now because of GDPR, which has a huge of financial could over you challenge an impact on a company. A data breach can have a huge financial impact. Security has become a board level.
More and more social security is changing and now it's almost like companies, if they want to be successful in the future, they need to embrace a culture of security. And now what I used to say, and that was the, the conclusion of my talk, is that now, today, IT, DevOps, uh, security, compliance people need to unite. Not anymore the silos. I do that. This is my, my turf, my servers. You do that, you do this. Everybody in the company can work, I have to work together towards that goal. And the vendors need to also start to interoperate as well and working with our customers. So it's a tall, new mindset, which is happening, but the stakes are big. That's what I'm very confident that we're now into that. Finally, we thought, I thought it would have happened 10 years ago, quite frankly. And, uh, but now today's already happening.

>>You touched on a lot, a lot there. And I'll speak for another two hours if we could. We could go for Tara, but I want to, I want to unpack a couple of things. We've had James Hamilton on you to at AWS. Um, CTO, super smart guy, and it was, it was at one of his talks where it really was kind of a splash, a wet water in the face when he talked about the amount of resources Amazon could deploy to just networking or the amount of PhD power he could put on, you know, any little tiny sub segment of their infrastructure platform, where you just realize that you just can't, you can't compete, you cannot put those kinds of resources as an individual company in any bucket. So the inevitability of the cloud model is just, it's, it's the only way to leverage those resources. But because of that, how has, how has that helped you guys change your market? How nice is it for you to be able to leverage infrastructure partners? Like is your bill for go to market as well as feature sets? And also, you know, because the other piece they didn't talk about is the integration of all these things. Now they all work together. Most apps are collection of APIs.
That's also changed. So when you look at the cloud provider GCP as well, how does that help you deliver value to your customers?

>>Yeah, but the, the, the, the cloud, they, they don't do everything. You know, today what is interesting is that the clouds would start to specialize themselves more and more. So for example, if you look at Amazon, the, the core value of Amazon since the beginning has been elastic computing. Uh, now today we should look at Microsoft. They leverage their position and they really have come up with a more enterprise friendly solution. And now Google is trying to find also their way today. And so then you have Alibaba, et cetera. So these are the public cloud, but life is not uniform. Life is by nature diverse. Life wants to live, wants to find better ways. We see that, that's what we have so many different species and it just ended up. So I've also the other phenomena of companies also building their own cloud as well.

>>So the world is entering into a more hybrid cloud. And the technology is evolving very fast as well. And again, I was telling you all these open source software. There's a bigger phenomenon at play, which I used to say that people don't really understand that much wood, but it's so obvious, is if you look at the printing press, that's another example that gives, the printing press essentially allowed, as we all know, to distribute the gospel, which has some advantage of, you know, creating more morality, et cetera. But then what people don't know for the most part, it distributed the treatises of the Arabs on technology, the scientific treatises, because the Arabs, which were very thriving civilization at the time, had collected all the, all the, all the information from India, from many other places and from China and from etc.
And essentially at the time all of Europe was pretty in the age they really came up, and it now suddenly that scientific knowledge was distributed, and that was in fact the seeds of the industrial revolution, which then Europe caught up and use that and creating all these different technologies.

>>So that confluence of this dimension of electricity and all of that created the industrial revolution seeded by. Now, today what is happening is that the internet is the new printing press, which now is distributing the knowledge not to a few millions of people, to billions of people. So the rate today of advancing technology is accelerating and it's very difficult. I was mentioning today, we know today that work and working against some quantum computing which are going to totally change things. Of course we don't know exactly how, and you have also, it's clear that today we could use genetic, uh, the, the, the, if you look at DNA, which stores so much information, so little place, that we could have significant more, you know, uh, memory capabilities at lower costs. So we have embarked into absolutely a new world where things are changing. I've got a little girl, which is 12 years old, and fundamentally that new generation, especially of girls, not boys, because the boys are still on, you know, at that age.

>>Uh, they are very studious. They absorb so much information via YouTube. They are things like a security stream. They are so knowledgeable. And when you look back at history 2000 years plus ago in Greece, you had 95 plus percent of the population slaves. So a few percent could start to think. Now, today it's totally changed. And the amount of information they can, they learn. And this absolutely amazing. And you know, she, she's, I would tell you the story which has nothing to do with computing, but as a button, the knowledge of, she came to me the few, few weeks ago and she said, oh daddy, I would like to make my mother more productive. Okay.
So I said, oh, that's, her name is Avia, which is the, which is the, the, the either Greece or Zeus weathered here. And so I say, Evie, I, so that's a good idea.

>>So how are you going to do it? I mean, our answer, I was floored, but that is very simple. Just like with, for me, I'm going to ask her to go to YouTube to learn what she needs to learn. Exactly. And she learns, she draws very well. She learns how to draw in YouTube and it's not a gifted, she's a nice, very nice little girl and very small, but all her friends are like that. Right? So we're entering in a world which thing are changing very, very fast. So the key is adaptation, education and democracy and democratization. Getting more people access to more. Absolutely. It's very, very important. And then kind of this whole DevOps continuous improve that. Not big. That's a very good point that you make, because that's exactly today the new buyer today in security and in IT is becoming the DevOps shipper.

>>Because what? What are these people? They are engineers which suddenly create good code and then they want to of course ship their code, and then all these old silos, or you need to do these, oh no, we need to put the new server, we don't have the capacity, et cetera. How is that going to take three months or a month? And then finally they find a way through, again, you know, all the need for scale, which was coming from the Google, from the Facebook and so forth. And by the way, we can shortcut all of that and we can create and we can run out to auto-ship our code. Guess what are they doing today? They are learning how to secure all of that, right? So again, it's that ability to really learn and move. And today, uh, one of the problem that you alluded to is that, which the Amazon was saying, is that their pick there, they have taken a lot of the talent resources in the U.S. today because of course they pay them extra to me, what?

>>Of course they'll attract that talent.
And of course there's now people in security. There's not enough people that even in, but guess what? We realized that few years ago in 2007, we'll make a big decision who say, well, never going to be able to attract the right people in the Silicon Valley. And we've started to go to India and we have now 750 people. And Jack Welch used to say, we went to India for the cost and discover the talent. We went to India for the talent and we discover the cost. And there is a huge pool of talent. So it's like a life wants to continue to live, and now to, there are all these tools to learn, are there, look at the Khan Academy, which today if you want to go in nuclear physics, you can do that through your phone. So that ability to learn is there. So I think we need just more and more people are coming. So I'm a very optimistic in a way, because I think the more we improve our technologies, that we look at the progress we're making genetics and so everywhere, and that confluence of technology is really creating a new way.

>>You know, there's a lot of conversations about a dystopian future and a utopian future with all these technologies and the machines. And you know what Hollywood has shown us with AI. You're very utopian side, very optimistic on that equation. What gives you, what gives you, you know, kind of that positive feeling in security, which traditionally a lot of people would say is just whack-a-mole? And we're always trying to chase the bad guys.

>>Generally speaking, I'm utopian in, in a way. But on the other end, you'd need to realize that unfortunately when you have to technological changes and so forth, it's also create factors. And when you look at the history of humanity, the same technological advancement that some countries to take to try to take advantage of others, is not that the world is everything fine and everything peaceful.
In fact, Richard Clark was really their kid always saying that, hey, you know that there is a sinister side to all the internet and so forth. But that's the human evolution. So I believe that we are getting long term. It's going to. So in the meantime there's a lot of changes, and humans don't adapt well to change. And so that's in a way, uh, the big challenge we have. But I think over time we can create a culture of change and that will really help. And I also believe that probably at some point in time we will re-engineer the human race.

>>All right, cool. We'll leave it there. That's going to launch a whole nother couple hours. Philippe, congratulations on the event and a great job on your keynote. Thanks for taking a few minutes with us. Alrighty. He's Philippe, I'm Jeff. You're watching the Cube. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.

Published Date : Dec 2 2019

Philippe Courtot, Qualys | Qualys Security Conference 2019


 

>> From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. It's the 19th year they've been doing this. It's our first year here, and we're excited to be here. And it's great to have a veteran who's been in this space for so long to give a little bit more of a historical perspective as to what happened in the past, where we are now, and what can we look forward to in the future. So coming right off his keynote is Philippe Courtot, the chairman and CEO of Qualys. Philippe, great to see you. >> Thank you. Same, same, same for me. >> Absolutely. So you touched on so many great topics in your conversation about kind of the shifts of modern computing, from the mainframe to the mini. We've heard it over and over and over. But the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. How has the evolution of architectures impacted your ability to deliver security solutions for your clients? >> So, no, that's a very good question. And in fact, you know, what happened is that we started in 1999 with the vision that we could use, exactly like salesforce.com, these nascent Internet technologies and apply that to security. And, as Marc Benioff applied that to essentially changing the way CRM was essentially used and deployed in enterprises, and with a fantastic success, as we know. So for us, I can say today that 19 years later the vision was right. It took significantly longer because the security people were not really, uh, warm at the idea of suddenly, uh, having the data, in their view, in a place that they could not control. And the IT people, they didn't really like at all the fact that suddenly they were not in control anymore of the infrastructure.
So we had a lot of resistance. However, we always, I always believe, absolutely believe, that the cloud will be the architecture to go back. A lot of people make the confusion. That was part of the confusion, that for people it was a cloud, that kind of magical thing someplace, you don't know where. And when I was trying to explain, and I've been saying that so many times, that, well, you need to look at the cloud like a computing architecture which distributes the computing power far more efficiently than the previous one, which was client-server, which was distributing the computing power far better than, of course, the mainframes and minicomputers. And so if you look at the architectures, the mainframes were essentially big data centers in a Fort Knox-like setting, private lines of communication to dumb terminals. And of course, security was not really an issue then, because security was built in by the IBM company. Similarly with the minicomputer, which then was, instead of just providing the computing power to the large, very large companies that could afford it, now suddenly the minicomputer, through the advances in semiconductor technology, could reduce the footprint and then bring the computing power to the labs and to the departments. And that was then the new era of the Digital Equipment, the Primes, the Data General, et cetera. Uh, and then client-server. So what client-server did, again, if you look at the architecture, a different architecture: now, essentially, servers, the LAN or the Internet network, and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to, so everybody... Nobody paid attention to security because then you were inside of the enterprise. So it started inside the walls of the castle, if you prefer. So nobody paid attention to that. It was more complex because now you have multiple actors instead of having one IBM or one Digital Equipment.
But instead, you have the people manufacturing the servers, the software, the databases, the PCs, and now suddenly the complexity increased significantly, but nobody paid attention to security because it was not needed. Until suddenly we realized that viruses could come in through the front door, being installed innocently. You were absolutely, absolutely compromised. And of course, that's the era of the antivirus, which came in. And then, because of the need to communicate more and more, now suddenly you could not stay only in your castle. You need to go and communicate with your customers, with your suppliers, et cetera, et cetera. And now you were starting to open up your castle to the world, and lo, now the bad guy could come in and start to steal your information. And that was the new era of the firewall. Now you make sure that those who come in... But of course, that was a bit naive, because there were so many other doors and windows that people could come in, you know, create tunnels and this and all of that, to enter your castle. Because the data was becoming more and more rich and more and more important, more valuable. So wherever there is value, of course, the bad guys are coming in to try to steal it. And that was that new era of attention to security. The problem being, because you have so many different actors, there was nothing really central there. Now you just suddenly had more and more solutions, and now, absolutely, like 800 vendors bolting on security. And bolting on anything is short-lived at the end of the day, because you put more and more weight, and then you are also increasing complexity in all these different solutions. Then they need to talk together, so you have a better context, but they weren't designed to talk together. So now you need to put other systems where they could communicate that information. So you complicated, complicated, complicated the solution. And that's the problem of today.
So now cloud computing comes in, and again, if you look at the architecture of cloud computing, it's again data centers, which now, today, have become, thanks to the technology, having infinite, almost, computing power and storage capabilities. And like the previous data center, there are much more fracture because you just once gave and they become essentially a bit easier to secure. And by the way, there are fewer vendors now doing that. And then, of course, the access can be controlled better. And then, of course, the second component is that the LAN and the WAN, it's now the Internet. And the Internet, of course, is the web, communications extremely cheap, and it brings you to every place on the planet, and soon on Mars, why not? So now, the issue today is that still the Internet needs to be secure, and today how are you going to secure the Internet? Which is a very important thing today, because you see today that you can spoof your image, you can spoof your website, you could attack the DNS. So, yes, there's a lot of things that the bad guys still do. In fact, they themselves leverage the Internet, of course, to access everywhere, so they take advantage of it. So now this is obviously, you know, I created the trustworthy movement many years ago to try to really address that. Unfortunately, Qualys was too small, and it was not really our place. Today there's all the Google, the Facebook, the big guys which, in fact, their business depends on the Internet, now need to do that. And I applaud... well, they've been criticized very much so. Google was the first one to essentially have a big initiative that was trying to push SSL, which everybody understands is encryption, if you prefer, to everybody. So they did a fantastic job, really pushing it. So now today SSL is becoming like, okay, it's SSL, you want to have SSL on your communication, but that's not enough.
And now they're pushing, and some people criticize them, and I absolutely applaud them, to say we need to change the Internet protocols, which were created at a time when, security, you were transferring information from universities, and so forth. This was the heydays, you know, everything was fine, there were no bad guys, you know, the hippie days, if you like, and everybody was free, everybody was open, fantastic. Okay. And now, of course, today, these protocols need to be upgraded, which is a lot of work. But today I really believe that if you put Google, Amazon, Facebook all together, they can fix these Internet protocols so we could forget about the spoofing and we forget about all this phishing and all these things. This is their responsibility. So, and then you have now on the other side, you have now very intelligent devices, from very simple sensors to, you know, sophisticated devices, the phone, et cetera, and more and more devices interconnected, and for people to understand what is being... So this is the new environment. And what we always believed is that if you adopt an architecture which is exactly, which fits, which is similar, then we could, instead of bolting security on, we can also build security in. Bolting security on; we could build security in. And we have been very proud of the work that we've done with Microsoft, which we announced, in fact, relatively recently, very recently, that, in fact, our agent technology is now embedded in Microsoft. So we have built security in with Microsoft. So from a security perspective today, if you go to the Microsoft Azure Security Center, you click on a link, and now you have the view of your entire Azure environment, courtesy of the Qualys agent. You click on a second link, and now you have the view of your secret cameras, courtesy of the same Qualys agent. And then you click on the third link.
Nothing to do with Qualys, it's all Microsoft: you create your playbook and you remediate. The security in this environment has become click, click: nothing to install, nothing to update, and the only thing you bring are your policies, saying, I don't want to have this kind of machine exposed on the Internet, this is what I want. And you can continuously audit, essentially in real time, right? So, as you can see, totally different than putting boxes and boxes and so many things. And then, I think, for you, so, a very big game changer. So the analogy that I give to people, so people understand that paradigm shift: it's already happening in the way we secure our homes. You put sensors everywhere, your cameras, detection, proximity detection. Essentially, when somebody tries to enter your home, all that data is continuously pumped up into an incident response system. And then from your phone, again across the Internet, you can change the temperature of your rooms. You can do it. You can see the person who knocks on the door. You can see their face. You can open the door, close the door, the garage door. You can do all of that remotely and automatically. And then, if there's a burglar in your house, who's breaking in, immediately the incident response system calls the cops, or the firemen, sure, if there's a fire. And that's the new paradigm. So security has to follow that paradigm. And then you have, interestingly, the problem today that we see with all the current security systems, incident response systems: they develop false positives. False positives and negatives are the enemy, really, of security. Because if you have a false positive, you cannot automate the response, because then you're going to try to respond to something that is not true. So you could create a lot of damage. And the example
I give you: today, if you leave your dog in your house, and if you don't have the ability, the dog would bark, would move, and then the sensors will say, intruder alert. So that becomes the false positive. So how do you eliminate that? By having more context, you can eliminate automatically, again, these false positives, like now you take a fingerprint of your dog and of his voice. And now the camera and the sensors on the voice can pick up and say, oh, this is my dog. So then, of course, you eliminate that false positive, right? Now, if another dog managed to enter your home through a window which was open or whatever, so what do we know? A window was open, but you know you can't necessarily fix it on the dog weapons, then you will know it's not yours. So that's where security is evolving, such a huge sea change which is happening because of all that. And today, companies have to leverage these new technologies which are coming; there's so much new technology. What people understand is, where's that technology coming from? How come suddenly we have Docker, Kubernetes, all these solutions today, which are available at almost no cost because it's all open source? So what happened is that, which is unlike the enterprise software, which were more the Oracle, et cetera, the manufacturer of that software today is in fact the public cloud vendors, the Amazon, the Google, the Facebook, the Microsoft, which suddenly needed to have to develop new technology so they could scale at the size of the planet. And they very shrewdly realized that if I keep the technology for me, I'm essentially going to imprison it. The technology is not going to evolve. And then I need other technologies that I'm not developing. So they realized that, and they totally changed that open source movement, which in the early days of open source was more controlled by people who had more purity.
If you prefer, no commercial interests; it was all for the good of civilization and humankind. And the licensing model was very complex, so they simplified all of that. And then all of a sudden you had all this technology coming at you extremely fast. And we have leveraged that technology, which was not existing in the early days, when salesforce.com started with Unix, the LAMP stack, what's called Linux, Apache, MySQL, PHP. And then suddenly all this technology, like Elasticsearch, was coming. We index today now, back end, three trillion points on our Elasticsearch clusters, and we return information in 100 milliseconds. And then the Kafka bus, which is again something that open source way Baker now today, five million messages a day, and on and on and on. So the world is changing. And of course, that's what it's called now, the digital transformation. Now enterprises, to be essentially agile, to reach out to their customers better and more, they need to embrace the cloud as well, >> Right. >> to retool their entire, right, infrastructure, and it's such a, it's a huge sea change. And that's what we see, even the market of security, just to finish, now evolving in a totally different way than the way it has been, which, in the past, the market of security was essentially the market for the enterprise: I'm bringing you my box, my bolt-on solutions that you have to go and install and make work. And then you had the antivirus, essentially, for all the consumers and so forth. So today, what we see is the marketplace, which is fragmenting in four different segments. One is the large enterprise, which are going to essentially constantly data start moving to the transformation, leveraging absolutely DevOps, which is becoming the new buyer, and, of course, so they could improve their IT to reach out to more customers and more effectively. Then the cloud providers.
As I mentioned earlier, which are building security in: and now if you use them, you don't have to worry about infrastructure, about how many servers you need, et cetera. It's all done for you, and same thing about security. The third market is going to be an emergence of a new generation of managed security service providers, which are going to take all these companies which don't have enough resources: okay, don't worry, I'm going to help you, you know, do all that digital transformation and help you build the security. And then there's a totally new market of all these devices, including the phone, et cetera, which connect, and that you essentially, all these IoT and IIoT devices that are now connected, which, of course, present security risk. So I need to also secure them. But you also need to be able to not only check their health, to make sure that, okay, because you cannot send people there anymore. So you need to automate; the same thing on security. If you find that that phone is compromised, you need to be able to make immediate decisions about: should I kill that phone, destroy everything in it? Should I now not let that phone connect any more to my networks? What should I do? Should I, by the way, detect that they've downloaded an application which is not allowed? Because what we see is more and more companies are giving tablets to their users, and in doing so, now, today, it's the company property, so they could say, okay, you use these tablets and you're not allowed to do that. So you could check all of that, and then automatically... But that again requires full visibility in what you have. And that's why, just to finish, we made a big decision about a few, three months ago, that we built the ability for any company on the planet to automatically build their global IT asset inventory, which nobody knows what they have. That whole networking environment.
You don't know what connects. To have the view of the known and the unknown, totally free of charge, across on-premise, endpoint, cloud, containers, web applications, OT and IoT devices to come. So now that's the cornerstone of security, with that totally free. So, and then, of course, you have all these additional solutions, and we're building a very scalable, open platform where we can take data, and pass data as well. So we really need to be, and want to be, a good citizen here, because security, at the end of it, it's almost like, we used to say, like the doctors: you have to have that kind of Hippocratic oath that you can do no harm. So if you keep, if you try to take the data that you have, keep it with you, that's all.

Published Date : Nov 21 2019



Brian Rossi, Caterpillar | Qualys Security Conference 2019


 

>> Narrator: From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. They've been doing this for 19 years. They've been in this business for a long time, seen a lot of changes, so we're happy to be here. Our next guest works for Caterpillar. He is Brian Rossi, the senior security manager vulnerability management. Brian, great to see you. >> Thanks for having me. >> So I was so psyched, they had an interview, a gentleman from Caterpillar a few years ago, and it was fascinating to me how far along the autonomous vehicle route Caterpillar is. And I don't think most people understand, right? They see the Waymo cars driving around, and they read about all this stuff. But Caterpillar's been doing autonomous vehicles for a super long time. >> A really long time, a really long time, 25-plus years, pioneering a lot of the autonomous vehicle stuff that's out there. And we've actually, it's been cool, had an opportunity to do some security testing on some of the stuff that we're doing. So, even making it safer for the mines and the places that are using it today. >> Yeah, you don't want one of those big-giant dump-truck things to go rogue. (laughing) >> Off a cliff. Yeah, no, bad idea. >> Huge. Or into a bunch of people. All right, so let's jump into it. So, vulnerability management. What do you focus on, what does that mean exactly? >> So, for me, more on the traditional vulnerability management side. So I stay out of the application space, but my group is focused on identifying vulnerabilities for servers, workstations, endpoints that are out there, working with those IT operational teams to make sure they get those patched and reduce as many vulnerabilities as we can over the course of a year. >> So we've done some stuff with Forescout, and they're the kings of vulnerability sniffing-out. 
In fact, I think they have an integration with Qualys as well. So, is it always amazing as to how much stuff that gets attached to the network that you weren't really sure was there in the first place? >> Yes, absolutely. (laughs) And it's fun to be on the side that gets to see it all, and then tell people that it's there. I think with Qualys and with some of the other tools that we use, right? We're seeing these things before anybody else is seeing them and we're seeing the vulnerabilities that are associated with them, before anyone else sees them. So it's an interesting job, to tell people what's out there when they didn't even know. >> Right, so another really important integration is with ServiceNow, and you're giving a talk I believe tomorrow on how you use both Qualys and ServiceNow together. Give us kind of the overview of what you're going to be talking about. >> Absolutely, so the overview is really what our motto has been all year, right? Is put work where people work. So what we found was that with our vulnerability management program, we're doing scanning, we're running reports, we're trying to communicate with these IT operational teams to fix what's out there. But that's difficult when you're just sending spreadsheets around and you're trying to email people. There's organizational changes, people are moving around. They might not be responsible for those platforms anymore. And keeping track of all that is incredibly difficult in a global scale, with hundreds of thousands of assets that people are managing. And so we turned to ServiceNow and Qualys to really find a way to easily communicate, not just easily, but also timely, communicate those vulnerabilities to the teams that are responsible for doing it. >> Right, so you guys already had the ServiceNow implementation obviously, it was something that was heavily used. You're kind of implying that that was the screen that a lot of people had open on their desktop all the time. 
>> We lucked out that we were early in the implementation with ServiceNow. So, Caterpillar was moving from a previous IT service management solution to ServiceNow so we got in on the ground floor with the teams that were building out the configuration management database. We got in with the ground floor with the teams who were operationalizing, using ServiceNow to drive their work. We had the opportunities to just build relationships with them, take those relationships, ask them how they want that to work, and then go build it for them. >> Right, it's so funny because everyone likes to talk about single pane of glass, and to own that real estate that's on our screens that we sit and look at all day long, and it used to be emails. It's not so much email anymore, and ServiceNow is one of those types of apps that when you're in it, you're working it, that is your thing. And it's one thing to sniff out the vulnerabilities and find vulnerabilities, but you got to close the loop. >> Brian: You got to, absolutely. >> And that's really where the ServiceNow piece fits. >> And it's been great. We've seen a dramatic reduction in the number of vulnerabilities that are getting fixed over the course of a 30-day period. And I think it simply is because the visibility is finally there, and it's real-time visibility for these groups. They're not receiving data 50 days after we found it. We're getting them that data as soon as we find it, and they're able to operationalize it immediately. >> Right, and what are some of the actions that are the higher frequency that you've found, that you're triggering, that this process is helping you mitigate? >> I would say, actually, what it's really finding is some of our oldest vulnerabilities, a lot of stuff that people have just let fall off the plate. And they're isolated, right? They may have run patching for a specific vulnerability six months ago, but there was no view to tell them whether or not they got everything. 
Or maybe it was an asset that was off the network when they were patching, and now it's back on the network. So we're getting them the real-time visibility. Stuff that they may have missed, that they would have never seen before, without this integration. >> So I'd love to get your take on one of the top topics that came in the keynote this morning, both with Dick Clark as well as Philippe, was IoT-5G and the increasing surface-area, attack surface area, vulnerability surface area. You guys, Caterpillar's obviously well into internet of things. You've got a lot of connected devices. I'm sure you're excited about 5G, and I'm sure in a mining environment, or those types of environments are just prime 5G opportunities. Bad news is, your attack surface just grew exponentially. >> Yeah. >> So you're in charge of keeping track of vulnerabilities. How do you balance the opportunity, and what you see that's coming with 5G and connected devices and even a whole other rash of sensors, compared to the threat that you have to manage? >> Certainly in the IoT space it's unique. We can't do the things to those devices that we would do with normal laptops' assets, right? So I think figuring out unique ways to actually deal with them is going to be the hardest part. Finding vulnerabilities is always the easiest thing to do, but dealing with them is going to be the hard part. 5G is going to bring a whole new ballgame to a lot of the technology that we use. Our engineering groups are looking at those, and we're going to be partnering with them all the way through their journey on how to use 5G, how to use IoT to drive better services for our customers, and hopefully security will be with them the whole way. >> Right, the other piece that didn't get as much talk today, but it's a hot topic everywhere else we go is Edge, right? And this whole concept of, do you move the data, do you move the data to the computer or the computer to the data? 
I'm sure you guys are going to be leveraging Edge in a big way, when you're getting more of that horsepower closer to the sites. There's a lot of challenges with Edge. It's not a pristine data center. There are some nasty environmental conditions and you're limited in power, connectivity, and some of these other things. So when you think about Edge in your world, and maybe you're not thinking of it, but I bet you are, how are you seeing that, again, as an opportunity to bring more compute power closer to where you need it, closer to these vehicles? >> So I think, I wish I had our other security division here with me to talk about it. We're piloting a lot of those things, but that's been a big piece of our digital transformation at Caterpillar, is really leveraging data from those connected devices that are out in the field. And we actually, our Edge has to be brought closer to home. Our engineers pack so much into the little space they have on the devices that are out there, that they don't have room to actually calculate on that data that's out in the field, right? So we are actually bringing the Edge a little closer to home, in order for us to provide the best service for our customers. >> Right, so another take on digital transformation. You talked about Caterpillar's digital transformation. You've been there for five years now. Before that you were at State Farm. Checking on your LinkedIn, right? State Farm is the business of actuarial numbers, right? Caterpillar has got big heavy metal things, and yet you talk about digital transformation. How did you guys, how are you thinking about digital transformation in this heavy-equipment industry that's in construction? Probably not what most people think of as a digital enterprise, but in fact you guys are super aggressively moving in that direction. >> Yeah, and for us, from a securities perspective, it's been all about shift-left, right? We have to get embedded with these groups when they're designing these things. 
We have to be doing threat models. We have to be doing pen testing. We have to be doing that secure life cycle the entire way through the product. Because with our product line, unlike State Farm where we could easily just make a change to an application so that it was more secure, once we produce these vehicles, and once we roll them out and start selling them, they're out there. And we build our equipment to last, right? So there's not an expectation that a customer is going to come back and say, "I'm ready to buy a new truck two years from now," because of security vulnerability. >> Jeff: Right, right. >> So, yeah, it's a big thing for us to get as early in the development life cycle as possible and partner with those groups. >> I'm curious in terms of the role of the embedded software systems in these things now, compared to what it was five years ago, 10 years ago 'cause you do need to upgrade it. And we've seen with Teslas, right? You get patches and upgrades and all types of things. So I would imagine you're probably a lot more Tesla-like than the Caterpillar of 20 years ago. >> Moving in that direction, and that is the goal, right? We want to be able to get the best services and the most quality services to our customers as soon as possible. >> Right, very cool. Well, Brian, next time we talk, I want to do it on a big truck. >> Okay. >> A big, yellow truck. >> Let's do it. >> I don't want to do it here at the Bellagio. >> Let's do it, all right. >> Okay, excellent. Well, thanks for-- >> Thank you. >> For taking a few minutes, really appreciate it. >> Absolutely. >> All right, he's Brian, I'm Jeff, you're watching theCUBE. We're at the Bellagio in Las Vegas, not on a big yellow truck, out in the middle of nowhere digging up holes and moving big dirt around. Thanks for watching. We'll see you next time. (upbeat techno music)

Published Date : Nov 21 2019


Chris Carlson, Qualys | Qualys Security Conference 2019


 

>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the Bellagio Hotel in Las Vegas, at the Qualys Security Conference. This conference has been going on for 19 years. It's our first time to be here. We're excited to be here, but it's amazing that they've just been clipping along through wave after wave after wave. They've got some new announcements today and we're excited to get the full rundown here. Our next guest is Chris Carlson, the VP of Strategy from Qualys. Chris, great to meet you. >> Great, thanks, great to be here. >> Yeah, so you just got out of your session. How did your session go? >> Yeah, it was fantastic. In fact, that's the great thing about a Qualys Security Conference, because we have the ability to not only interact with our customers and partners, but actually showcase what's new, but also what we're working on coming in the future. >> Jeff: Right. >> And that's really important for us at Qualys because we get the feedback from the customers early, and we can work very closely with them to find the right set of solutions and the right products for their use in their environment and programs. >> Now, the security landscape has changed quite a bit over the last two decades, and Philippe's keynote, I mean he is right on the edge in terms of really appreciating cloud and the benefits of cloud. You guys have a lot of great integration partners. You know, did you have to re-architect this thing, at some point down the road? I mean it's pretty amazing that you've been at it for two decades and still really sitting in a good spot here as kind of the cloud and IOT and 5G and this next big wave of innovation starts to hit. >> Well that's right, and I think that's why it starts with that vision, but it's not just a vision of where the market is going, but the vision of where technology is going. 
So when Qualys started, they started in the cloud, and they started with the cloud delivered architecture. And that was really, maybe early for a lot of first customers. 20 years ago security was maybe not as much, and put security in the cloud, that's where all the bad guys are. But it's really that architecture vision technology that allowed us to not only innovate quickly on a platform, but as our customers grew, as our customers moved to the cloud, as our customers moved to IOT and OT and mobile computing and those aspects, we're already there. >> Jeff: Right, right. >> We're already there. So and that is what really the advantage for us is, we don't have to re-architect our platform, we can layer on new capabilities and new services, new products leveraging the existing architecture that we've developed in the cloud. >> Yeah, it's really a little bit of good fortune, a little bit of luck, a little bit of smarts, right. >> I think it's maybe a lot of experience and smarts from that. >> Well, it's just funny right, 'cause we had John Chambers on not that long ago, and his kind of computing waves, he was using kind of 10 year waves as kind of the starting points. And Philippe's were a little bit longer, but it's the same kind of story with mainframes and minis and client server and now cloud, but as he said, and as you've reinforced, if you don't architect it to be able to do that at the beginning, you can't necessarily repurpose it for this new application. It's really architecture-specific, and without that kind of vision, you're not going to be able to take advantage. >> That's right. >> Of these kind of new waves. >> Exactly, and I think that architecture breaks down into different levels. So one is systems architecture, but there's also the design architecture. So the technologies that we're using on our platform today aren't the same 20 years ago. We've swapped out those technologies. We use new modern technologies. 
Technically, like Kafka streaming blasts to do real-time event streaming. Cassandra for object data store. Those did not exist five or six years ago. But from our architecture that we're collecting lightweight data from our customers, and analyzing it in our cloud platform. Doesn't matter if we have one million events, a billion events, a hundred billion events, the platform can scale the process of those. >> Right. The other piece clearly that you've mentioned two or three vocabulary words right there is the open source component. You know, the open source has grown dramatically since the early days of Linux, both in terms of market acceptance as well as kind of new opportunities for things like Kafka to be able to grab that type of , integrate it into your product set and really drive a whole bunch of extra value. >> Yeah, that's right. I think we benefit as Qualys is using some of these open source technologies and we do contribute back, because we work with those teams. If there's any defects or performance enhancements, we do that. But while we've benefited from some of the open source technologies, our customers have benefited as well. Now they've benefited from new technology architectures, but in some cases they've benefited from new security problems. So if you get commercial off-the-shelf software, the vendor produces a security patch, they test that patch and they can apply the patch. In many cases with some open source software it's not like that. The customer has to get the software, compile it, make sure it works. Maybe it doesn't fix the vulnerability, and that's why in that case for them open-source technology can improve some of their IT systems and their business initiatives, but it puts a challenge on security to keep up with all the security risks that are happening across the board. >> Right. So one of the big announcements today was the VMDR. >> That's right. >> Tell us all about it. 
>> Great, so VMDR stands for Vulnerability Management Detection and Response, and that really is a capability that we've actually had in the platform itself, but the feedback from our customers were that internally their own people, their own process and their own tools created these artificial silos that prevented them from actually doing security detection and remediation at scale quickly. We have all these capabilities in the Qualys platform anyway, but with this new VMDR bundle we're bringing it together with new automation, new workflow, new orchestration, new user interfaces that actually reduce the time to remediate down to near zero in some cases. So, we had an example of a live attack that happened two years ago, WannaCry with EternalBlue, and many companies did nothing for two months. So they had the right tools, but maybe the data silos to go from one application to another application, to one team to another team just increased that length of when they could remediate. Our customers that had Qualys already had that data within the Qualys platform. We can tell them what assets they have, what the vulnerabilities were, that WannaCry was a big thing happening. And then with our patch management they can click one button and then just fix those assets easily. >> Jeff: Right, right. >> That was two years ago. Now this summer something called BlueKeep. So BlueKeep and DejaBlue is another attack that's happening, is going on right now. People don't know about it. Well, maybe not you. (laughing) Maybe if you're a Windows. >> I got nothing, I got nothing. >> Maybe if he has a Windows Operating System he's being attacked right now, I don't know about that. But a lot of our customers here, they're struggling with that every day. Not that Qualys can't tell them where it is, but they have to rely on another team to actually fix it. 
And that's what's so exciting about VMDR, Vulnerability Management Detection and Response, is the D and the R, the detection and the response allow them to remediate in a full life-cycle very quickly, very effectively, and with a high confidence that it has actually corrected those issues. >> Yeah, it's really interesting. You know, kind of the application versus platform conversation. You guys are integration partners with ServiceNow. Fred Luddy's been on many, many times, and tells a great story. You know, he wanted to build a platform, but you can't go to market with a platform. You got to go to market with an application, hopefully get some traction, and over time he started adding more applications, and it was pretty interesting listening to you guys. >> Well, I was actually going to stop you right there if you don't mind. >> No. >> The marketing people go to market with the platform. The marketing people say, "Hey version one is a platform." >> To their customers? But nobody's got a line-item to buy a new platform today, right. >> Exactly, and that's sort of the disconnect. >> Right. >> Really with normal enterprise sales models and technology. The marketing sales disconnect versus the technical reality that customers depend on for their environment. >> But if you do it right, then you can build that application stack, and I think in their earnings call, your guys' last earnings call, you defined seven specific applications that sit on this platform that enabled you to bundle and have kind of multi-application integration in the new VMDR. >> Yes, that's right, and I think that the difference with Qualys is they knew that the architecture was important. So our vulnerability management was an application on the architecture when it first launched 20 years ago. >> Right. >> And that really helped us going forward. 
So from the earnings call it's seven product capabilities on our lightweight agent, but the entire Qualys platform has 19 different product capabilities, in the same platform using the same user interface model and the VMDR takes many of those and bring it together in that single bundle on a per asset basis. >> Okay great, thanks for that clarification. Slight shift of focus. Another thing that came up in Philippe's keynote was kind of re-architecting the sales side and the market bundles that you guys are going to go to market with over time. And he broke it down into really only four big buckets of categories. Cloud providers, I think managed security service providers, enterprises, and I can't remember what the the last one was. Oh, OT and IOT vendors. >> Chris: IOT, correct, yes. >> So as you kind of look forward in the way that you're going to develop your products to go to market, how is that impacting your strategy, and are you seeing that start to play out in the marketplace? >> Yes, when we look at security technology and actually part of his keynote, he had this slide that had, you couldn't zoom in, because there's a million logos on this slide, security companies. And you go to some of the security shows, there's 800 vendors in the exhibit hall. >> Jeff: Oh yeah, we go to RSAC. I mean that that's why, it's chaos, right. >> So it's crazy, it's crazy. And there was an analyst that actually said a couple years ago that whenever there's a new threat, there's a new tech. Here's a new threat vector, now there's five new startups. And is that new threat vector super narrow, and it's only a feature, or is it a product, but our view of Qualys was a little bit different in that while the buying centers may be different, while some of the assets may be different, an OT asset versus a cloud asset versus the endpoint asset, the ability to discover it, identify it, categorize it, assess it, prioritize and remediate it is the same. That is the same. 
So whether it is a PLC on a shop floor from a car manufacturing, or an ecommerce web server that's running in a public cloud, or an end-user machine, the process to identify, assess and remediate is exactly the same through us at Qualys with their platform. Different sensors for different asset types, normalized security data and different remediation approaches for different asset types, but all the same platform. >> But it sounds like you're doing some special stuff with Azure. >> Chris: Yes. >> So, tell us a little bit about kind of what's special about that relationship, what's special about that solution. >> Yeah, and that integration was announced two weeks ago at Microsoft Ignite, which is a big Microsoft show, and that really is a close partnership that we have with Microsoft. We actually did an early integration with them four years ago, but this is a lot deeper. And that really is Philippe's and Qualys' vision that security needs to be built in and not bolted on. >> Jeff: Right. >> That if you take, let's take a car for example. When you buy a car, you don't buy the car without a seat belt, an airbag, maybe a radio. You don't buy it without tires, it all comes together. You don't buy a car, then go to the seatbelt shop, and then buy a car and then go to the airbag shop. It all comes together, and that's what we're very excited about this announcement with Microsoft and Azure is that the vulnerability assessment is powered by Qualys already built into Azure. So there may be a whole set of customers that know nothing about Qualys, know nothing about our 20-year history, know nothing about our conference. They go to Microsoft Azure's, the security center, and it goes, "Assess your vulnerabilities," click a button and there's the vulnerability information. So this opens up a new capability for customers that they may not have used, but more importantly bringing security into IT without them knowing that they're doing security. And that is very powerful. 
>> So is it like a white label, under the covers or? >> So, it's not a white label, it's a joint integration. >> Chris: Okay. >> And it's a Microsoft Azure. >> Chris: So they eventually have, probably is in the bottom of the report. >> Powered by Qualys, powered by Qualys, right, so we got to have that name in there. >> Right, right, right, good. >> And what's exciting about Microsoft Ignite is that we had a lot of Microsoft IT and dev people come up to our Qualys booth and say, hey I don't know much about Qualys, but I get this report of things that I need to fix, tell me more about what you're doing and how can we help that fix faster. >> Chris: Right. >> And it's really about speed. Time to market, time to acquire customers, time to service customers, but more importantly time to produce new technology, time to secure the new technology, and lastly, unfortunately, time to respond to security events that may have happened in your network. >> And I presume they can buy more of the suite through the, and run it on the Azure stack. >> Yes, that's right. In fact, all of our capabilities can go on there from it, and that really is a strong partnership. In fact the group product manager for Azure is speaking at Qualys Security Conference just later today. That really shows a testament of the deep integration of partnership that we have with them. >> All right, Chris, before I let you go, you're the strategy guy. So as you look down the road in your crystal ball, I won't say more than three years, two years, three years, four years. What are some of the things you're keeping an eye on, what are the things you're excited about, what are the things you're a little concerned about? >> Well, I think that the things that we're excited about is a vision that Philippe and of course Ahmet has painted for it, is that the computing environment is accelerating dramatically, it's fragmenting dramatically. 5G might be a complete game-changer across the board. 
We have some of our large customers that have a project that they call Data Center Zero. 17 data centers, in two years, no data centers at all. I say that in their corporate offices they have laptops and printers, that's it. How do you secure and assess an environment that is ephemeral and that is virtual and that is remote, and that's where the Qualys platform architecture can move along with those customers. Our very largest customers are the ones leading the charge, not only developing new capabilities, but also using them as they come out. So I think that's what we're very excited about. I think that's some areas that we're working deeper with our customers on, is at the end of the day, it's people, process, and tools. And we're working on the technology capability and stack that can also influence and make the process better, but ultimately the people have to come in and understand that security has to be built in, we have to shift left, integrate it into the dev cycle to really reduce that attack surface and have a stronger, more secure enterprise. >> All right Chris, well, I think you're going to be busy for the next couple years. >> It's an exciting time, it's an exciting time for Qualys. >> All right, well again, congrats on the event. >> Thanks very much. >> Thanks for having us. Can't believe it's been here for 19 years and we haven't been here yet. So again, thanks for having us and congrats on all your success. >> Great, fantastic Jeff. >> All right, he's Chris, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)

Published Date : Nov 21 2019


Wendy Pfeiffer, Nutanix | Qualys Security Conference 2019


 

>>from Las >>Vegas. It's the cues covering quality security Conference 2019 Bike. Wallace. Hey, welcome back It ready? Geoffrey here with the Cube were at the Bellagio in Las Vegas. It's actually raining outside, which is pretty odd, but through the desert is happy. We're here at the Kuala Security Conference. Been going on for 19 years. It's our first time here. We're excited to be here, but we got a really familiar Gaston. She's been on a number of times that Nutanix next, conferences and girls who code conferences, etcetera. So we're happy to have back Wendy Pfeifer. She's the C I O of Nutanix and as of August, early this year, a board member for quality. So great to see you. >>Nice to see you again, too. So it's raining outside. I'll have to get out. >>I know it's pretty, uh, pretty cool, actually. School coming in on the plane. But let's let's jump into a little bit from your C I, Oh, roll. We're talking a lot about security and in the age old thing came up in the keynote. You know, there's companies that have been hacked, and then there's companies that have been hacked and don't know it yet, but we're introducing 1/3 type of the company. Here is one of the themes which is that you actually can prevent, you know, not necessarily getting hacked, but kind of the damage and destruction and the duration once people get in. I'm just curious from your CEO >>hat. How >>do you look at this problem? That the space is evolving so quickly? How do you kind of organize your your thoughts around it? >>Yeah, for me. First of all, um, it starts with good architecture. So whether it's our own products running or third party products running, we need to ensure that those products are architected for resilience. And that third kind of company, the Resilient company, is one that has built in architecture er and a set of tools and service is that are focused on knowing that we will be hacked. But how can we minimize or even eliminate the damage from those hacks? 
And in this case, having the ability to detect those hacks when their incoming and to stop them autonomously is the key to HQ Wallace's play and the key to what I do as CEO at Nutanix, >>right? So one of the other things that keeps coming up here is kind of a budget allocation to security within the CEO budget on. And I think Mr Clark said that, you know, if you're doing 3% or less, you're losing, and you gotta be spending at least 8%. But I'm curious, because it to me is kind of like an insurance story. How much do you spend? How much do you allocate? Because potentially the downside is enormous. But you can't spend 100% of your budget just on security. So how do you think about kind of allocating budget as a percentage of spin versus the risk? >>Well, I love that question. That's part of the art of being a C i O A. C. So, you know, first of all, we have ah mixed portfolio of opportunities to spend toe hold to divest at any one time, and I t portfolio management has been around for 30 years, 40 years, almost as long as some of the people that I know. However, um, we always have that choice, right? We're aware of risk, and then we have the ability to spend. Now, of course, perfect security is to not operate at all. But that's about that's, you know, swinging too far the wrong way on Dhe. Then we also have that ability, maybe to not protect against anything and just take out a big old cyber security policy. And where is that policy might help us with lawsuits? It wouldn't necessarily have help us with ongoing operations. And so it's somewhere in the middle, and I liked some of the statistics that they share today. One of the big ones for me was that companies that tend to build resilient worlds of cybersecurity tend to spend about 10% of their total I t operating budgets on cyber security. That makes sense to me, and that reflects my track record at Nutanix and elsewhere, roughly in that amount of spending. 
Now you know, checking the box and saying, Well, we're spending 10% on cybersecurity doesn't really buy us that much, and also we have to think about how we're defining that spend on cyber security. Part of that spend is in building resilient architectures and building resilient code. And uh, that's sort of a dual purpose spend, because that also makes for performance code it makes for scalable, supportable code, et cetera. So you know, we can do well by doing good in this >>case. So again, just to stay on that beam permit, it went. So when you walk the floor at R S. A. And there's 50,000 people and I don't even know how many vendors and I imagine your even your I T portfolio now around security is probably tens of products, if not hundreds, and certainly tens of vendors again. How do you How do you? You kind of approach it. Do you have trusted advisors around certain point solutions? Are you leveraging? You know, system integrators or other types of specialists to help? You kind of sort through and get some clarity around this just kind of mess. >>Well, all of us actually are looking for that magic discernment algorithm. Wouldn't it be great if >>you could just >>walk up to a vendor and apply the algorithm? And ah ha. There's one who's fantastic. We don't have that, and so we've got a lot of layers of ingest. I try to leave room in my portfolio for stealth and emerging technologies because generally the more modern the technology Is the Mauritz keeping pace with the hackers out there and the bad guys out there? Um, we do have sort of that middle layer that surround the ability for us to operate at scale because we also have to operate these technologies. Even the most cutting edge technology sometimes lack some of the abilities for us to ingest them into our operations. And then they're sort of the tried and true bedrock that hopefully is built into products we consume. Everything from public Cloud service is to, uh, you know, hardware and so on. 
And so there's this range of choices. What we have to dio ultimately is we use that lens of operations and operational capability. And first of all, we also ensure that anything we ingest meets our design standards and our design standards include some things that I think are fascinating. I won't go into too much detail because I know how much you love this detail. But you know, things like are the AP eyes open? What is integration look like? What's the interaction design look like? And so those things matter, right? Ultimately, we have to be able to consume the data from those things, and then they have to work with our automation, our machine learning tools. Today at Nutanix, for example, you know, we weigh like toe. I'm happy to say we catch, you know, most if not all of any of the threats against us, and we deal with well over 95% of them autonomously. And so were a living example of that resilient organization that is, of course, being attacked, but at the same time hopefully responding in a resilient way. We're not perfect knock on wood, but we're actively engaged. >>So shifting gears a little bit a bit a bit now to your board hat, which again, Congratulations. Some curious. You know, your perspective on kind of breaking through the clutter from the from the board seat Cos been doing this for 19 years. Still relatively small company. But, you know, Philippe talked a lot about kind of company. Percy's me industry security initiatives that have to go through what are some of the challenges and opportunities see sitting at the board seat instead of down in the nitty gritty down the CEO. >>Well, first of all, um, quality is financially a well run responsible organization and one of Philippe and the leadership teams. Goals has always been toe operate profitably and tow. Have that hedge on DSO. What that means is that as consumers, we can count on the longevity of the organization and the company's ability to execute on its road map. 
It's the road map that I think is particularly attractive about Wallace. You know, I am who I am. I'm an operator. I'm a technologist. And so although I'm a board member and I care about all dimensions of the company, the most attractive component is that this this road map in those 19 years of execution are now coming to fruition at exactly the right time. For those of us who need these tools in these technologies to operate, this is a different kind of platform and its instrumented with machine learning with a I. At a time when the Attackers and the attacks are instrumented that way as well as as you mentioned, we have a lot of noise in the market today, and these point solutions, they're gonna be around for a while, right? We operate a messy and complex and wonderful ecosystem. But at the same time, the more that we can streamline, simplify on and sort of raised that bar. And the more we can depend on the collected data. From all of these point tools to instrument are automated responses, the better off we'll be. And so this is, Ah, platform whose whose time has come and as we see all of the road map items sort of coming to fruition. It's really, really exciting. And it's, you know, just speaking for a moment of someone who's been a leader in various technology companies in the security and, you know, technology space for some time. One of the most disappointing things about many technology startups is that they don't build in that that business strength. Thio have enough longevity and have enough of a hedge to execute on that brilliant vision. And so many brilliant ideas have just not seen the light of day because of a failure to execute. In this case, we have a company with a track record of execution that's monetized the build out of the platform, and now also these game changing technologies are coming to fruition. It's it's really, really exciting to be a part of it. >>So Wendy, you've mentioned a I machine learning Probably get checked. 
The transfer of a number of times 85 times is this interview. So it's really interesting, you know, kind of there's always a lot of chatter in the marketplace. But you talked about so many threats coming in and we heard about Mickey noticed. Not really for somebody sitting in front of a screen anymore to pay attention, this stuff. So when you look at the opportunity of machine learning and artificial intelligence and how that's going to change the role of the CEO and specifically and security when if you can share your thoughts on what that opens up

>>Absolutely. So there's kind of two streams here I'd love to talk about. The first is that we've had this concern, as we've moved to public cloud and IT, that IT people would be left behind. But in fact, after sort of a little DevOps blip where non-IT people were writing code that was then consumed by enterprises, we're now seeing the growth of IT again. And what this relates to is this: in the past, when we wanted to deploy something in public cloud, we had to be able to compose and express infrastructure as code. And, um, folks who are great at infrastructure are actually pretty lousy at writing code, and so that was a challenge. But today we have low-code and no-code tools, things like Workato, for example, that my team uses, that allow us to express the operational processes that we follow, sort of the best practices and the accumulated knowledge of these IT professionals. And then we turn the machine on that inefficient code and the machine improves and refines the code. So now, adding machine learning to the mix enables us to have these IT professionals who know more than you'd ever imagine about storage and compute and scaling and data and cybersecurity and so on. And they're able to transform that knowledge into code that a machine can read, refine and execute against. And so we're seeing this leap forward in terms of the ability of some of these tools
to transform how we address the scale and the scope and the complexity of these challenges. And so on the one side, I think there's new opportunity for IT professionals and for those who have that operational expertise to thrive because of these tools. On the other side, there's also the opportunity for the bad guys in the cyberspace, um, to also engage with the use of these tools. And so the use of these tools at sort of a baseline level isn't enough. Now we need to train the systems, and the systems need to be responsive, performant, resilient. And also, they need to have the ability to be augmented by, to be integrated with these tools. And so suddenly we go from having this utopian AI future where, you know, the good-looking male or female robot, you know, is the nanny for our kids, um, to something much more practical that's already in place, which is that the machine itself, the computer itself, is refining and augmenting the things that human beings are doing and therefore able to be, first of all, more responsive, more performant, but also to do that layer of work that is not unique to human discernment.

>>Right. We hear that over and over because the press loves to jump on the general AI. I think it's much more fun to show robots than really the applied AI, which is lots of, just kind of like DevOps, lots of little improvements. Yeah, lots of little places.

>>Exactly. Exactly. You know, I mean, I kind of like the stories of our robot overlords, you know, taking over, too. But the fact is, at the end of the day, these machine, it's just math. It's just mathematics. That's all it is. It's compute.

>>So when you find let you go, I want to touch about women in tech. You know, you're a huge proponent of women in tech. You're very active on lots of boards and you're with Adriaan on the Girls in Tech board where we last sat down. Um, and you're making moves now. Obviously, you've already got a C title.
Now you're doing more board work. I just wonder if you can kind of share your thoughts of how this thing's kind of movement is progressing. It seems to have a lot of weight behind it, but I don't know if the numbers are really reflecting that, but you're on the front lines. What can you share? You know, you're trying to help women. That's much getting detect. But to stay into tech, I think, is what most of the stats talk about.

>>Yeah, I've got a lot of thoughts on this. I think I'll try to bring all the vectors together. So I recently was awarded CEO of the year by the Fisher Center for Data and Analytics and thank you very much. And the focus there is on inclusive analytics and inclusive AI. And I think this is sort of a story that makes the point. So if we think about all of the data that is training these technology tools and systems, um, and we think about the people who are creating these systems and the leaders who are building these systems and so on, for the most part, the groups of people who are working on these things, technologists, particularly in Silicon Valley, they're not a diverse set of people. They're mostly male. They're overwhelmingly male. Many are from just a handful of, um, you know, countries and groups, right? It's mainly, you know, Caucasian males, Indian males and Asian males. And because of that, um, this lack of diverse thinking and diverse development is being reflected in the tools in ways that eventually will build barriers for folks who don't share those characteristics. As an example, natural language processing tooling is trained by non-diverse data sets, and so we have challenges with that. For example, people who are older speak a little bit more slowly and have different inflections in general on how they speak. And the voice recognition tools don't recognize them as often. People who have heavy accents, for example, are just not recognized.
Yes, you know, I always have a phone, um, and this is my iPhone and I have had an iPhone for 10 years. Siri, my, you know, helpful agent, has been on the phone in all those years. And in all of those years, um, I have had a daughter named Holly, H-O-L-L-Y. And every time that I speak to, I dictate to Siri to send a message and I use my daughter's name, Holly, Siri always responds with the spelling H-O-L-I, the Hindu holiday. Now, in 10 years, Siri has never learned that when I say Holly, I most likely mean my daughter.

>>Was in the context of the sentence.

>>Exactly. Never, ever, ever. Because, you know, Siri is an AI, if you will, that was built without allowing for true user input through training at the point of conversation. And so that's it. That's bad architecture. There's a lot of other challenges with that architecture that reflect on cybersecurity and so on. One tiny example. But I think that, um, now more than ever, we need diverse voices in the mix. We need diverse training data. We need, you know, folks who have different perspectives and who understand different interaction design to be not only as tech entrepreneurs, builders and leaders of companies like, you know, Girls in Tech supports educating women, supporting women entrepreneurs. I'm also on the board of another group called Tech Wald. That's all about bringing US combat veterans into the technology workforce. There's another diverse group of people who again can have a voice in this technology space. There are organizations that I work with that go into the refugee, the permanent refugee camps and find technically qualified folks who can actually build some of this training data for, ah, you know, analytics and AI. We need much, much more of that. So, you know, my heart is full of the opportunity for this.
My head's on fire, you know, and just trying to figure out how can we get the attention of technology companies, of government leaders, before it's too late. Our training data sets are growing exponentially year over year, and they're being built in a way that doesn't reflect the potential usage. I was actually thinking about this the other day. I had an elderly neighbor who, ah, spoke with me about how excited he was that he no longer could drive. He wasn't excited about that. He no longer could drive. He couldn't see very well and couldn't operate a car. And he was looking forward to autonomous vehicles because he was gonna have mobility and freedom again. Right? Um, but he had asked me to help him to set up something that he had on his computer, and it was actually on his phone. But there were voice commands, but it didn't understand him. He was frustrated. So he said, could you help me? And I thought, man, if his mobile phone doesn't understand him, how's the autonomous vehicle going to understand him? So the very population who needs these technologies the most will be left out, another digital divide. And, um, now is the moment, while these tools and technologies are being developed. A word about Qualys. You know, when I was recruited for the board, um, you know, they already had 50/50 gender parity on the board. It wasn't even a thing in my interviews. We didn't talk about the fact that I am female at all. We talked about the fact that I'm an operator, that I'm a technologist. And so, um, you know, that divide, it was already conquered on Qualys's board. That's so not true for many, many other organizations and leadership teams, particularly in California, Silicon Valley. And so I think there's a great opportunity for us to make a difference.
First of all, people like me who have made it, you know, by representing ourselves, and then people of every gender, every color, every ethnicity, immigrants, et cetera, um, need to, I'm begging you guys, stick with it, stay engaged, don't let the mean people, the naysayers force you to drop out. Um, you know, reconnect with your original values and stay strong because that's what it's gonna take.

>>It's a great message. And thank you for your passion and all your hard work in the space. And the today it drives better outcomes is not only the right thing to do and a good thing to do that it actually drives better outcomes.

>>We see that.

>>All right, Wendy, again. Always great to catch up. And congratulations on the award and the board seat and look forward to seeing you next time. Thank you. All right, she's Wendy. I'm Jeff. You're watching the Cube at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.

Published Date : Nov 21 2019



Sumedh Thakar, Qualys | Qualys Security Conference 2019


 

>>From Las Vegas, it's the Cube covering Qualys Security Conference 2019. Brought to you by Qualys.

>>Hey, welcome back. You're ready. Jeff Frick here with the Cube. We're in Las Vegas at the Qualys Security Conference here at the Bellagio. 19 years they've been doing this conference. It's our first time here, but we've got a real veteran. Has been here for 16 years, who can really add some depth and perspective. So happy to welcome Sumedh Thakar. He's a president and chief product officer for Qualys. Great to see you.

>>Thank you, Jeff. Thanks for having me.

>>Pleasure. So just, uh, don't lorry before getting ready for this. Um, this day, listening to the earnings call. And you got a really nice shout-out in the, in the last earnings call and your promotion. Just to let everybody know what Sumedh's got underneath his plate: R&D, QA, ops, product marketing and customer support, and adding worldwide field sales ops. You're a busy guy.

>>Yeah, you know. But the good thing is, no matter who you are, you only have 24 hours in the day.

>>That's true. Just as Leo. But I am curious, because you've been here for a while, you've seen a lot of technology, you know, kind of waves. And yet here you guys still are. You've got an architecture that's built to take advantage of things like open source, to take advantage of things like cloud. As you kind of take a breath between customer meetings and running from panel to panel and you think about kind of the journey, you know, what kind of strikes you that, you know, that you guys are still here, still successful, still have a founding CEO. It's your position.

>>Yeah, it's actually very interesting being here for 16 years. Started as a software engineer. And, you know, I've been doing a lot of stuff, doing product management, now engineering and all of that.
And I think one thing that's really part of the DNA for us, and which has really helped us keep growing, is being innovative continuously, right? Because five years ago, nobody would have said container technology, Docker. So as new security, new infrastructure paradigms have come about, we've just been on our toes and making sure that we are addressing all these different newer areas. And so the key is not so much about what new technology is going to come, because two years from now there'll be something that we don't even know about right now. What's key is that we build a platform that we keep adding additional capabilities that continue to quickly and nimbly be able to address customer's needs from that perspective.

>>Yeah, we just had Laurie on. She talked quite a bit about your kind of customer engagement model being different than the traditional ones, really trying to build a long-lasting relationship and to collect that data from the customers to know what their priorities are all about.

>>Yeah, and, you know, it's because we've been subscription based since day one. You know, this is the, we're not incentivized to go and try to sell our customers big fat, multimillion dollar deals. Then we don't disappear like enterprise sales usually does on perpetual licenses. So we have to earn our keep, and we want to make sure customers are, we understand their needs so that they actually buy and purchase only what they are going to use, so we can go back and they can grow more. We show the value. Uh, so that's a very different model, and, you know, at the end of the day, that is a model of the cloud. So everybody who is in this consumption-based model has to ensure that they are every year going back and showing the value and earning their subscription back. So in that sense, security, not a lot of vendors have done that for a long time. We've been the ones since the beginning to kind of follow this model, and it's worked very well for us. It's a great model.
Customers were happy as we had more solutions. We showed the value, and it's very easy for them to upgrade and get additional value out of Qualys at a very reasonable, you know, cost to them.

>>It's interesting. Philippe talked about an early conversation that he had with Marc Benioff at Salesforce, and I would argue that it was really Salesforce that kind of cracked the code in terms of enterprise being comfortable with a cloud-based system and, you know, kind of past the security and the trust in this and that. So to make that gamble on the cloud so early, very, very fortunate and for two days. The other thing, I think, that does not get enough play, which you just touched on, is a subscription business model forces you to deliver every month. They're paying every month, you gotta deliver. Your mother is a very different relationship than a once a year, you know, not even once a year, to go get that big lump sum to get the renewal, 'cause you're in bed with them every single day.

>>Absolutely. Yeah, so that's really a very interesting model.

>>So as you look forward, I know you've just given a talk on, you know, kind of starting to look at the next big wave of trends. How do you get out ahead of it? What are you thinking about? What keeps you up at night, would be excited about?

>>So the very cool part about my job is that I also head engineering and product for Qualys and security. So we're living that digital transformation that our customers are going through as well. So we have a massive platform. We have, like, three trillion data points. Every index, we have one million writes per second on Cassandra clusters. So we are dealing with the same infrastructure innovation that our customers are doing, and so that is helping us also learn how to secure our own platform, what our customers are thinking. Because as they are moving into DevOps, we have already moved into that. We have learned our lessons, so we relate to what they're going through.
And that's really the next big thing, is how do we enable security tools to really be built into the DevOps toolchain so that we eliminate a lot of the issues upfront before they ever even become an issue. And, you know, my talk this morning was about, started with the notion of TTR, which is the time to remediate, and the best time to remediate is the time of zero, right? If you don't ever let the issue get into your production environment, you never have to worry about fixing it. And that's really the next big thing for us: how do we create a platform that helps customers not look at security in multiple silos, but to have a single platform where they can go all the way from DevOps to production to remediation to response, all orchestrated to the same platform?

>>Right. It's pretty interesting, because that was, uh, Richard Clarke, keynote, the author. You know, we used to always break companies down into two buckets. You know, either those that have been breached and those that have been breached and just don't know about it yet. Yeah. Yeah. And then, you know, he introduced his third concept, which is those that got breached but actually got on it, remediated it. Maybe not at time zero, but in a way that it did not become a big issue. Because, let's face it, you're going to get breached at some level. It's how do you keep it from becoming a big, big nightmare?

>>Exactly. And that is really the only measure of effectiveness of your security, right? It's not about how many people you have, how many dollars you spend on security, how big your security team is, how many vendors you have. How quickly can you get in there, find and fix any issue that comes up? That's that. That's the living matter. If you can't do that with no people and no, uh, you know, resources that are being put to it, with automation, then that's great. If you do that with 50 people, that's great. We just need to be able to get to that point.
And today, of course, with hybrid infrastructure, we are realizing quickly, throwing more people at the problem is not really solving the problem. We just cannot keep going. We need to leverage that same scalable technology that has been used in the digital transformation to provide that similar stuff from a security perspective to the customers as well.

>>Right. And even if you wanted to hire the people, there aren't enough people.

>>And that's another, just our people, right?

>>So the other thing that you must be really excited about is on the artificial intelligence and machine learning side, and a lot of buzz in the press. Talk about robots and machines and this type of stuff. But, as you know, as we know, where that rubber really hits the road is applied AI and bringing the power of that technology to specific problems. Complete game changer, I would assume, for what you guys could do looking forward.

>>Yeah. I mean, uh, you can really only have good machine learning and good AI if you really have a massive historic data that you can really mine to find out trends and understand how patterns have evolved, right? So only cloud-based solutions can actually do that, because they have a large amount of customer telemetry that they can understand and do that. So from that sense, Qualys platform is absolutely suited for that. But having said that, again, all of these have their specific application. So there's vendors who are coming out and claiming that machine learning's going to solve world hunger and everything's gonna be great just because you're machine learning, but no, machine learning and the prediction that comes with that and the prioritization is one element of your toolkit. You still have to do your DevOps, you still have to fix things. You still have to do a lot of things. But then how do you predict, out of all the chaos, how can you try to focus on some things that may become a real problem, which are not now?
So that's really the exciting part, is to be able to bring that as an additional toolkit for the customer in their arsenal to be able to respond to threats much faster and better than they have in the past.

>>Right. It is a cloud-based platform. You guys are sitting in the catbird seat for that. What about on the other side? On the edge side, another kind of new thing that's coming rapidly. Edges are messy. They don't have nice, pristine data center environments. There's connectivity problems, power problems, all types of issues. As you look at kind of edge and IoT more generally, you know, increasing the threat surface dramatically, how do you kind of think about that? How do you approach it to make it not necessarily a problem, but really an opportunity for Qualys?

>>I mean, that's a great question because there is no magic pill for that, right? It's like you just have to be able to leverage continuous telemetry collection and the collection to be able to see these devices, see these patterns. So that works really well for us, because to be able to do that, right, in a global organization, and almost every organization is global, a global organization has multiple infrastructure, multiple people in different locations, multiple offices. And, uh, if you look at the IoT architecture, it is about sensors that are pushing down to the one common platform which controls them and which updates them and all of that. That's the platform that Qualys has built since the beginning: multiple of these different sensors that are continuously collecting data, pushing it back into our platform. And that's the only way you can get the visibility across your global infrastructure. So in many ways, we are well suited to do that. And which is the big reason why we gave out our global IT asset inventory product for free for customers, because we truly believe that that's the first step for them to start to get secure.
And because we have the architecture and the platform, it becomes significantly easier for us to be able to give them that gave every day, which is truly wide and not just say I have visibility in my cloud here, but then container visibility somewhere there and IoT visibility somewhere else. We bring all of that together in one place.

>>All right, Sumedh, I know you've got to run off to your next commitment. We could keep going, but I think we have to leave it there. Again, congrats on your promotion.

>>And thank you.

>>All right. He's Sumedh. I'm Jeff. You're watching the Cube at the Qualys Security Conference in Las Vegas. Thanks for watching. We'll see you next time. Thanks.

Published Date : Nov 21 2019



Laurie MacCarthy, Qualys | Qualys Security Conference 2019


 

>>From Las Vegas, it's the Cube covering Qualys Security Conference 2019. Brought to you by Qualys.

>>Hey, welcome back it. Ready? Jeff Frick here with the Cube at the Bellagio Hotel in Las Vegas for the Qualys Security Conference. This thing's been going on for 19 years. I had no idea. It's our first time here, but it's pretty interesting how Philippe and the team have evolved this security company over a lot of huge technological changes and security changes, and they're still clipping along, doing a lot of cool things in cloud and open source. We're excited for our next guest. She's Laurie MacCarthy, the EVP of worldwide field operations. Laurie, great to see you.

>>Thanks. Glad to be here.

>>Absolutely. So first off, congratulations. In doing some homework for this, I was going through the earnings call, the last earnings call, which, A, was a nice earnings call. You're making money, buying back stock. Also, you were promoted, or the announcement of your promotion on that call, and really some nice, complimentary words from Philippe and the team about the work that you've done.

>>Actually, very grateful. Thank you.

>>And one of the things we talked about, which is unique in your background, is you came from a customer. Not It's always a day ago. These shows we have people that I came from customers that went to the vendor, and then we have people that rest of Endor and they went over to the customers. There's a lot of that kind of movement, but he really complimented your execution at CVS as a big reason why you got the promotion that you did. So again, congrats. But let's talk about, you know, kind of the CVS experience from when you were running it, not when you're on the Qualys side. Yeah, that the threats. And CVS is in class nationwide, all kinds of stuff.

>>Yeah, well, I mean, you know, just like any other company that's in that health care vertical, you've got so many different things to think about.
Additionally, we were also in the retail vertical, so we had a lot of compliances to worry about p c p c i p. I s O. A lot of the programs had been very much, uh, checkbox driven prior to the team that moved in there, including myself, and kind of changed that. So I helped to rebuild the vulnerability program there. And we started to do it in such a way that it was for the sake of security, not just checking a box. And we really innovated how they do things. A lot of my friends are still there, and they have their own SOC now, and we kind of brought everything in house. So a lot of that was outsourced.

>>So what was the catalyst to make the change, to move from beyond simple compliance and checking the box, actually making it a strategic part of the execution?

>>Yeah, at the time a new CISO had been put into place. And it was someone with that vision, and I think that's what really drove it. I came in just after that and was brought in on the premise that this is what we're going to change and move toward. So I was part of that process from that point.

>>Right. It clearly, Qualys was part of the solution. So what did you use Qualys for there and how has the solution changed? You know, kind of

>>So back then, when you want to call it, we're talking. In 9 4010 2011 Right around there. If you opened up the Qualys platform, you had three things to choose from. Versus today, when you log in, you've got 18 or more, depending. And so CVS used a little bit of all of that, with the mainstay having been the vulnerability management. So I ran two full vulnerability management programs there because we had to keep our pharmacy benefit company and our retail companies separate. So I sort of did double duty.

>>Right. So what are you doing now on field operations?

>>So as the EVP of worldwide for Qualys, I'm running all of the technical account managers for our company. We have a unique sales model here, so it's a little different.
So everyone in the field who services our clients rolls up to me, and then that also includes some additional teams, like our federal team, our strategic alliances team and also our subject matter experts today. >> So you said a couple times you guys have, your account management structure is different than maybe traditional. Kind of walk through. >> Yeah, absolutely. So versus a traditional sales model, where you have a salesperson, you have a client service person, you have a technical, you know, solution architect kind of person, we service our clients all with one person. We have a technical account manager. We break them up into two flavors. We have a presales, who are very technical folks that go out and help us get our business. And then those accounts get handed over to our post sales, who are basically the farmers in our business, maintaining and growing our existing clients. What that allows for, which is really special, is we can go in and really build a relationship built on trust and understanding and strategy, because we bring people into our company like myself who have done this, who have sat on that side of the table. So, you know, someone comes in and says, what, you know, "How would you like to buy one of my gizmos?" It's a lot different conversation when it's like, "Look at what I do with this gizmo, like, it's amazing." So it's kind of a similar feeling that you guys >> have your kind of platform with application strategy enables you to kind of do a land and expand, and in fact you even have something that people can try for free. >> Yeah, absolutely. So we view our model as, like, try and buy. So for both, our non-clients, our freemium services that we offer are, you know, out of this world for people being able to just log in without even being a client and start to evaluate their environment.
And then when they see the value that we bring, it's very easy to translate that into a buy. And then likewise, for our clients who sign up for a service or two, enabling additional trials and having them work within our new services as they're being rolled out is very, very simple, the way our platform is built. So it's just, it's a really effortless, very natural progression of business that we built. And it's one of the reasons that I work here, because as a client, I really enjoyed my relationship with this company because it never felt like I was being sold anything. It always felt like I was being handed solutions to my challenges, and that's what we try to do. And that's how I lead everyone today: let's get out, let's listen, let's strategize and let's see where we fit in with folks, right strategies for, you know, the coming future. >> So must be a team approach, though, right? Because one person, you know, to say, trying to manage the CVS account, that would be, >> Oh, so we have a little bit of a break out in our post side. We have a new role that I helped get implemented here at the company, which is a major account solution architect. They handle our bigger, more complex accounts. So as our platform has matured, so have our clients. Our bigger clients are using more of our platform. They're using it in a more expert way. So we had to answer that with the right kind of people who could speak to that expert level of usage and be able to finance that. So that's a little bit part of it. And on our bigger clients, we do have more of a team approach. We have a product management, a project management organization. The SME team, our subject matter experts, roll up under me. They're experts in each of our solutions. So it's a sizeable team and they liaise between product management, engineering, our field and our clients. And that's another support mechanism.
And then our support at Qualys is also something that augments our technical account managers' jobs on a daily basis. >> So new opportunity with Azure that was recently announced, a bundle. Yeah, you're bundled in kind of under the covers, not really under the covers. So a little bit about how that's gonna work from kind of an account management and from your kind of point of view. >> So it's actually not gonna change much of anything on the way that we are. Our model is a hybrid, right? So we have direct sales, then we have indirect sales. Even on our indirect sales, through partners, through relationships like we've just built with Azure, MSSPs and reach whatever, we still treat every end customer and every partner like a direct customer. So we work very hard to educate our partners, to work with them, to make sure they're successful with our clients. And we're also treating our clients who are through that avenue the same way. So it's just gonna blend right in with what we do. >> Yeah, that's great, but hopefully it's a sales channel and they get more than they just bought it under the covers and start implementing. >> It's easy for them to jump in with us. And then from there we can build those relationships with perhaps, you know, prospects and folks that aren't our clients now and be able to show them more things that we do, besides just, you know, the one thing that they might be signing up for at that time. >> Right. Right. Okay, great. I want to shift gears a little bit. We had Wendy Pfeiffer earlier from Nutanix. >> Wendy's a fantastic lady, yes. >> And she is super, super involved in Girls Who Code and Women in Tech and trying to drive that kind of forward along a number of parameters, everything from the board to getting people jobs, training little girls, to staying in the industry. I know that's a big, passionate area of yours. I wonder if you could share some of the activities you guys were doing around women.
I could think more specifically, and security is a subset of all tech, but share some of the activities you have going on. >> So personally, I try to be very involved locally. Four children. One of them is a daughter. She's too little, quite yet, for getting into tech. I have two older sons, and so I try to be really involved in middle school, high school. Hey, put me in, Coach, I'll come in and talk to the kids. Generating interest in getting into this field at a young age is what we need to do. There still aren't enough gals and, honestly, guys heading into our business in college. So I really take it upon myself as a security professional to try to promote that. Specifically around women, I'm really pleased that our company supports an organization which I've been a part of for a while, and that's the Executive Women's Forum, and we sponsor their conference every year, and we sponsor events with them. I personally am part of their mentor program, so that allows me a channel to have an assigned person to work with, and I really enjoy that. And our company itself is just very excellent at promoting and enabling women within our organization. And it's another reason that I really loved working here for the past eight years. >> Right. Well, from the top. Because the board, I think, is either for more than half women, which is certainly half women. >> CEO is very supportive. Our presidents, two men. We have a great environment to grow women professionally here in my company. >> Right. That's great. So, a year from now, when we come back, what are we gonna be talking about? What's kind of on the road map for the next year? >> We're going to be talking about our data lake efforts, our SIEM. We're gonna be talking about our improved EDR capabilities that are really gonna put us in the position to be a major player in that market. Um, and who knows? We have such a quick turnaround of innovation here in what we do, by the way we do our business.
So starting with the technical account managers, boots on the ground with our clients, when we're there listening to all of their challenges, we're also taking that back, and that drives our innovation at the company. So we hear what they need, and that's what we provide. So as things change, we're going to continue to do that. Digital transformation, of course, is making that something that we have to be even quicker about. And I think we're doing a good job keeping up. >> Well, 19 years and counting, making money, buying back shares to help everyone else's stock dilution. So not that, but nothing but good success. All right. Well, Laurie, thanks for taking a few minutes of your day. And again, congratulations on your promotion as well as a terrific event. >> Thank you very much. >> All right. She's Laurie. I'm Jeff. You're watching theCUBE at the Qualys Security Conference at the Bellagio in lovely Las Vegas. Thanks for watching. We'll see you next time.

Published Date : Nov 21 2019


Grant Johnson, Ancestry | Qualys Security Conference 2019


 

>> Narrator: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We are at the Qualys Security Conference in Las Vegas. This show's been going on, I think, 19 years. This is our first time here. We're excited to be here, and we've got, there's always these people that go between the vendor and the customer and back and forth. We've had it go one way, now we've got somebody who was at Qualys and now is out implementing the technology. We're excited to welcome Grant Johnson. He is the director of Risk and Compliance for Ancestry. Grant, great to see you. >> Thank you for having me, great to be here. >> Yeah, it is always interesting to me and there's always a lot of people at these shows that go back and forth between, and they're creating the technology and delivering the technology versus implementing the technology and executing at the customer side. So, you saw an opportunity at Ancestry, what opportunity did you see and why did you make that move? >> Well it's a good question, I was really happy where I was at, I worked for here at Qualys for a long time. But, I had a good colleague of mine from way back just say, hey look, he took over as the chief information security officer at Ancestry and said, "they've got an opportunity here, do you want it?" I said, "hey sure." I mean, it was really kind of a green field. It was the ability to get in on the ground floor, designing the processes, the environment, the people and everything to, what I saw is really a really cool opportunity, they were moving to the cloud. Complete cloud infrastructure which was a few years ago, you know, a little uncommon so it was just an opportunity to learn a lot of different things and kind of be thinking through some different processes and the way to fix it. >> Right, right, so you've been there for a little while now.
Over three years, what was the current state and then what was the opportunity to really make some of those changes, as kind of this new initiative with this new CISO? >> No, yeah, we were traditional. You know, a server data center kind of background and everything like that. But with the way the company was starting to go as we were growing it, really just crazy, just at a crazy clip, to where we really couldn't sustain. We wanted to go global, we wanted to move Ancestry out to Europe and to other environments and just see the growth that was going to happen there, and there just wasn't a way that we could do it with the traditional data center model. We're plugging those in all over the place, so the idea is, we're going to go to a cloud and with going to the cloud, we could really rethink the way that we do security and vulnerability management, and as we went from a more traditional model which is, where you scan and tell people to patch and do things like that, to where we can try to start to bake vulnerability management into the process and do a lot of different things. And you know, we've done some pretty cool things that way, I think as a company and, always evolving, always trying to be better and better every day but it was a lot of fun and it's been really kind of a neat ride. >> So, was there a lot of app redesign and a whole bunch of your core infrastructure. Not boxes, but really kind of software infrastructure that had to be redone around a cloud focus so you can scale? >> Yeah. There absolutely was. We really couldn't lift and shift. We really had to take, because we were taking advantage of the cloud environment, if we just lifted and shifted our old infrastructure in there, it wasn't going to take advantage of that cloud expansion like we needed it to. >> Right. >> We needed it to be able to handle the tide, high tide, low tide, versus those traffic times when we're high and low. So it really took a rewrite.
And it was a lot of really neat people coming together. We basically, at the onset of this right when I started in 2016, our chief technology officer got up and said, "we're going to burn the ships." We have not signed the contract for our data center to renew at 18 months. So we have to go to the cloud. And it was really neat to see hundreds of people really come together and really make that happen. I've been involved in the corporate world for a long time in IT. And a lot of those projects fail. And it was really neat to see a big project like that actually get off the ground. >> Right, right. It's funny, the burning the ship analogy is always an interesting one. (Grant laughs) Which you know, Arnold Schwarzenegger never had a plan B. (Grant laughs) Because if you have plan B, you're going to fall back. So just commit and go forward. >> A lot of truth to that. Right, you're flying without a net, whatever kind of metaphor you want to use on that one. Yeah, but you have to succeed and there is a lot that'll get it done I think, if you just don't have that plan B like you said. >> Right, so talk about kind of where Ancestry now is in terms of being able to roll out apps quicker, in terms of being able to scale much larger, in terms of being able to take advantages of a lot more attack surface area, which probably in the old model was probably not good. Now those are actually new touch points for customers. >> It's a brave new world on a lot of aspects. I mean, to the first part of that, we're just a few days away from Cyber Monday. Which is you know, our normal rate clip of transactions is about 10 to 12 transactions a second. >> So still a bump, is Cyber Monday still a bump? >> It's still huge for us. >> We have internet at home now. We don't have to go to work to get on the internet to shop. >> You know, crazy enough, it still is. You know, over the course of the week, and kind of starting on Thanksgiving, we scale to have about 250 transactions a second.
So that was one of the good parts of the cloud, do you invest in the big iron and in the big piping for your peak times of the year. Or and it sits, your 7-10% utilization during the rest of the year, but you can handle those peaks well. So I mean, we're just getting into the time of year, so that's where our cloud expansion, where a lot of the value for that has come. In terms of attack surface, yeah, absolutely. Five years ago, I didn't even know what a container was. And we're taking advantage of a lot of that technology to be able to move nimbly. You can't spin up a server fast enough to meet the demands of user online clicking things. You really have to go with containers and that also increases what you really need to be able to secure with people and the process and technology and everything like that. >> Right. >> So it's been a challenge. It's been really revitalizing and really, really neat to me to get in there and learn some new things and new stuff like that. >> That's great. So I want to ask you. It may be a little sensitive, not too sensitive but kind of sensitive right. Is with 23 and Me and Ancestry, and DNA registries, et cetera, it's opened up this whole new conversation around cold case and privacy and blah blah blah. I don't want to get into that. That's a whole different conversation, but in terms of your world and in terms of risk and compliance, that's a whole different type of a data set I think that probably existed in the early days of Ancestry.com >> Yeah >> Where you're just trying to put your family tree together. So, how does that increased value, increased sensitivity, increased potential opportunity for problems impact the way that you do your job and the way that you structure your compliance systems? >> Boy. Honestly, that is part of the reason why I joined the company. Is that I really kind of saw this opportunity. Kind of be a part of really a new technology that's coming online. I'd have to say.
>> Or is it no different than everyone else's personal information and those types of things? Maybe it's just higher profile in the news today. >> Not at all, no. It's kind of inherent within our company. We realized that our ability to grow and stay viable or just alive as a business, we pivot on security. And security for us and privacy is at the forefront. And I think one of the key changes that's done for maybe in other companies that I get is, people from our development teams, to our operations teams, to our security department, to our executives. We don't have to sell security to 'em. They really get it. It's our customer privacy and their data that we're asking people to share their most personal data with us. We can give you a new credit card. Or, you can get a new credit card number issued. We can't give you a new DNA sequence. >> Right. >> So once that's out there, it's out there and it is the utmost to us. And like I said, we don't have to sell security internally, and with that we've gotten a lot of support internally to be able to implement the kind of things that we needed to implement to keep that data as secure as we can. >> Right, well that's nice to hear and probably really nice for you to be able to execute your job that you don't have to sell security. It is important, important stuff. >> Grant: Yes, that's absolutely true. >> All right, good. So we are jamming through digital transformation. If we talk a year from now, what's on your plate for the next year? >> We just continue to evolve. We're trying to still continue to build in some of those processes that make us better, stronger, faster, as we go through, to respond to threats. And just really kind of handle the global expansion that our company's undergoing right now. Just want to keep the lights on and make sure that nobody even thinks about security when they can do this.
I can't speak for them, but I think we really want to lead the world in terms of privacy and customer trust and things like that. So there are a lot of things that I think we've got coming up that we really want to kind of lead the way on. >> Good, good. I think that is a great objective and I think you guys are in a good position to be the shining light to be, kind of guiding in that direction 'cause it's important stuff, really important stuff. >> Yeah, we hope so, we really do. >> Well Grant, nothing but the best to you. Good luck and keep all that stuff locked down. >> Thank you, thank you so much! Thanks for having me. >> He's Grant, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)

Published Date : Nov 21 2019


Richard A. Clarke, National Security & Cyber Risk Expert | Qualys Security Conference 2019


 

>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). 
>> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discrete cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? How do they integrate? What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected.
Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. 
So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational business, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?" 
And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. 
There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? What could happen? What could a bad guy do to you that matters to your company?"
'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the space develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network.
So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)

Published Date : Nov 21 2019

SUMMARY :

brought to you by Qualys. at the Qualys Security Conference, So you've been in this space for a very long time. and one of the things you said early on And so that resulted in the IT budget having to take And that's 2 or 3% of the IT budget, and so you got to, for yourself, and the statistics are all over the map, and the average, I think, is a 175 days to figure it out, So the problem has always been reducing the number and what is the role, do you think, of the government? and you can, right now, the whole city of Atlanta, as you said. that the bad guys are always a little step ahead, of the company. "What could a bad guy do to you and the spaces develops. but also more machine learning on the offense, and congrats on the book, at the Bellagio in Las Vegas,

SENTIMENT ANALYSIS :

ENTITIES

| Entity | Category | Confidence |
|---|---|---|
| Microsoft | ORGANIZATION | 0.99+ |
| 2 | QUANTITY | 0.99+ |
| United States Air Force | ORGANIZATION | 0.99+ |
| Jeff Frick | PERSON | 0.99+ |
| Richard | PERSON | 0.99+ |
| 1997 | DATE | 0.99+ |
| Jeff | PERSON | 0.99+ |
| Richard Clarke | PERSON | 0.99+ |
| 10% | QUANTITY | 0.99+ |
| 12 | QUANTITY | 0.99+ |
| 8% | QUANTITY | 0.99+ |
| Amazon | ORGANIZATION | 0.99+ |
| Richard A. Clarke | PERSON | 0.99+ |
| Pentagon | ORGANIZATION | 0.99+ |
| 175 days | QUANTITY | 0.99+ |
| 175 minutes | QUANTITY | 0.99+ |
| 60 vendors | QUANTITY | 0.99+ |
| Moscow | LOCATION | 0.99+ |
| Las Vegas | LOCATION | 0.99+ |
| Qualys | ORGANIZATION | 0.99+ |
| 2% | QUANTITY | 0.99+ |
| Atlanta | LOCATION | 0.99+ |
| five | QUANTITY | 0.99+ |
| North Korean Army | ORGANIZATION | 0.99+ |
| 19 years | QUANTITY | 0.99+ |
| Moscone | LOCATION | 0.99+ |
| 80 products | QUANTITY | 0.99+ |
| three years | QUANTITY | 0.99+ |
| two kinds | QUANTITY | 0.99+ |
| 17% | QUANTITY | 0.99+ |
| Baltimore | LOCATION | 0.99+ |
| first time | QUANTITY | 0.99+ |
| Friday night | DATE | 0.99+ |
| 3% | QUANTITY | 0.99+ |
| three technologies | QUANTITY | 0.99+ |
| three-year | QUANTITY | 0.99+ |
| 50,000 people | QUANTITY | 0.99+ |
| Defense Department | ORGANIZATION | 0.99+ |
| Saturday night | DATE | 0.99+ |
| 75 | QUANTITY | 0.99+ |
| The Fifth Domain | TITLE | 0.99+ |
| Alexander | PERSON | 0.99+ |
| two | QUANTITY | 0.99+ |
| 2000 companies | QUANTITY | 0.99+ |
| GRU | ORGANIZATION | 0.99+ |
| Russian Army | ORGANIZATION | 0.99+ |
| Keith Alexander | PERSON | 0.99+ |
| 80 | QUANTITY | 0.99+ |
| millions | QUANTITY | 0.99+ |
| first guest | QUANTITY | 0.99+ |
| nine books | QUANTITY | 0.99+ |
| RSA | ORGANIZATION | 0.98+ |
| third kind | QUANTITY | 0.98+ |
| both | QUANTITY | 0.98+ |
| Russian Intelligence | ORGANIZATION | 0.98+ |
| Russian Military Intelligence | ORGANIZATION | 0.98+ |
| Russian | OTHER | 0.98+ |
| six st | QUANTITY | 0.98+ |
| three | QUANTITY | 0.98+ |
| Ferraris | ORGANIZATION | 0.98+ |
| Qualys Security Conference | EVENT | 0.97+ |
| 10 years | QUANTITY | 0.97+ |
| 20 years ago | DATE | 0.97+ |
| hundreds of days | QUANTITY | 0.97+ |
| General | PERSON | 0.97+ |
| one | QUANTITY | 0.96+ |
| 1996 | DATE | 0.96+ |
| three things | QUANTITY | 0.96+ |
| American | OTHER | 0.96+ |
| Louisiana | LOCATION | 0.96+ |
| one place | QUANTITY | 0.95+ |
| first | QUANTITY | 0.95+ |
| Qualys Security Conference 2019 | EVENT | 0.95+ |
| 75 different kinds of devices | QUANTITY | 0.95+ |
| theCUBE | ORGANIZATION | 0.94+ |
| Dick | PERSON | 0.93+ |
| thousands of people | QUANTITY | 0.93+ |
| Bellagio | LOCATION | 0.93+ |
| one company | QUANTITY | 0.92+ |