
Search Results for RSA 2018:

Ricardo Villadiego, Cyxtera | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.

>> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA conference in San Francisco, 40,000 plus people talking about security, gets bigger and bigger every year. Soon it's going to eclipse Oracle OpenWorld and Salesforce to be the biggest conference in all of San Francisco. But we've got somebody who's been coming here, he said, for 16 years, Ricardo Villadiego, the EVP and GM, Security and Fraud, for Cyxtera. Did I get that right, Cyxtera?

>> Cyxtera.

>> Jeff: Cyxtera Technologies, great to see you.

>> Thank you, Jeff, it's glad to be here.

>> So you said you've been coming here for 16 years. How has it changed?

>> Yeah, that's exactly right. You know, it's becoming bigger, and bigger, and bigger. I believe this is a representation of the size of the problem out there.

>> But are we getting better at it, or is it just the attack surface is getting better? Why are there so many, why is it getting bigger and bigger? Are we going to get this thing solved or?

>> I think it is that combination within we have the unique solution that is going to help significantly organizations to get better in the security landscape. I think the issue that we have is there's just so many now use in general, and I think that now is a representation of the disconnection that exists between the way technologies are deploying security and the way technologies are consuming IT. I think IT is completely, has evolved significantly and is completely hybrid today, and organizations are continuing to deploy security in a way like if we were in the 90s.

>> Right.

>> And that's the biggest connection that exists between the attacks and the protection.

>> But in the 90s we still like, or you can correct me, and we can actually build some big brick walls and a moat and a couple crocodiles and we can keep the bad guys out. That's not the way anymore.

>> It is not a way. And look, I believe we're up there every protection creates a reaction on the adversary. And that is absolutely true in security and it is absolutely true in the fraud landscape. Every protection measure will push the adversary to innovate, and that innovation is what, for good and for bad, has created this big market which we can't complain.

>> Right, right. So for folks that aren't familiar with Cyxtera, give them the quick update on what you guys are all about.

>> So see, I think Cyxtera is here to conquer the cyber security space. I think what we did is we put together technologies from the companies that we acquire.

>> Right.

>> With a combination of the call center facilities that we also acquired from CenturyLink to build this vision of the secure infrastructure company, and what we're launching here at the RSA conference 2018 is AppGate 4.0, which is the flagship offering around secure access. Secure access is that anchor upon which organizations can deploy a secure way to enable their workforce and their party relationships to get access to the critical assets within the network in a secure way.

>> Okay, and you said 4.0, so that implies that there was a three and a two and probably a one.

>> Actually you're right.

>> So what are some of the new things in 4.0?

>> Well, it's great. It gives it an evolution of the current platform. We launch what we call live entitlements, which is an innovative concept upon which we can dynamically adjust the perimeter of an end point. And the user that is behind that end point. I think, you know, a perimeter that's today doesn't exist as they were in the 90s.

>> Right, right.

>> That concept of a unique perimeter that is protected by the firewall that is implemented by Enact Technology doesn't exist anymore.

>> Right.

>> Today is about agility, today is about mobility, today is about enabling the end user to securely access their...

>> Their applications,

>> The inevitable actions,

>> They may need, right.

>> And what AppGate does is exactly that. Is to identify what the security posture of the end point and the user behind the end point and deploy a security of one that's unique to the specific conditions of an end point and the user behind that end point when they're trying to access critical assets within the network.

>> Okay, so if I heard you right, so instead of just a traditional wall it's a combination of identity,

>> Ricardo: It's identity.

>> The end point, how their access is, and then the context within the application.

>> That's exactly right.

>> Oh, awesome, so that's very significant change than probably when you started out years ago.

>> Absolutely, and look Jeff, I think, you know, to some extent the way enterprises are deploying security is delusional. And I say that because there is a reality and it looks like we're ignoring the reality, but the reality is the way organizations are consuming IT is totally different than what it was in the 90s and the early 2000s.

>> Right.

>> The way organizations are deploying security today doesn't match with the way they're consuming IT today. That's where AppGate SDP can bridge that gap and enable organizations to deploy security strategies that match with the reality of IT obstacles today.

>> Right. If they don't get it, they better get it quick 'cause else not, you know, we see them in the Wall Street Journal tomorrow morning and that's not a happy place to be.

>> Absolutely not, absolutely not, and we're trying to help them to stay aware of that.

>> Right. Alright, Ricardo, we'll have to leave it there, we're crammed for time, but thanks for taking a few minutes out of your day.

>> Alright Jeff, thank you very much, I love to be here.

>> Alright. He's Ricardo, I'm Jeff, you're watching theCUBE from RSAC 2018 San Francisco. (upbeat music)

Published Date : Apr 18 2018


Matt Cauthorn, ExtraHop | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.

>> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco. Forty thousand plus security experts really trying to help us all out. Protect our borders not so much, but protects access to these machines, which is harder and harder and harder everyday with bring your own devices and all these devices. So really, it's a different strategy. And we're really excited to have ExtraHop back, we had ExtraHop on last year for the first year, he's Matt Cauthorn, the VP of security at ExtraHop. So Matt, what do you think of the show?

>> Oh, amazing. Absolutely amazing. Super packed, been walking like crazy. Got all my steps in, it's fantastic.

>> Alright, so you guys have been in network security for a long time?

>> Yeah, so we've been, so we live in the East-West corridor, inside the enterprise, inside the perimeter, doing wire data analytics and network security analytics. Our source of data is the network itself.

>> Okay. And the network is increasing exponentially with all the traffic that's going through, the data sources are increasing exponentially with all the traffic going through.

>> That's right.

>> So how are you guys keeping up with the scale, and what's really the security solution that you guys are implementing?

>> So the point you make is really interesting. Yes, it is increasing exponentially, and as a data source the network is the only sort of observational point of truth in the entirety of IT. Everything else is sort of self-reported. Logs, end points, those are very valuable data sources, but as an empirical source of truth, of evidence, the network wins. That assumes you can scale. And that assumes you're fluent with the protocols that are traversing the network, and you're able to actually handle the traffic in the first place. And so for us just this week, we announced a 100gb per second capable appliance, which you know is an unprecedented amount of analytics from the network's perspective. So we're very proud about that.

>> So what are you looking for? What are some of the telltale signs that you guys are sniffing for?

>> So generally, we auto-classify and auto-discover all of the behaviors on the wire. From the devices themselves, to the services that those devices expose, as well as the transactions that those devices exchange. And so from a context perspective, we're able to go far deeper than almost anyone else in the space, that we know of at least. Far deeper and far more comprehensive sort of analysis as it relates to the network itself.

>> And the context is really the key, right? Tag testing what, why, how. System behavior, that's what you're looking for?

>> A great example is a user logging into a database, that might be part of a cluster of databases, and understanding what the user's behavior is with the database, which queries are being exchanged, what the database response is in the first place. Is it an error, is it an access denied? And does this behavior look like a denial of service, for example. And we can do all of that in real time, and we have a machine learning layer that sits over top and sort of does a lot of the analytics, and the sort of insights preemptively on your behalf.

>> And it's only going to get crazier, right? With IoT and 5G. Just putting that much more data, that many more devices, that much more information on the network.

>> Yeah, so IoT in particular is interesting, because IoT is challenging to instrument in traditional ways, and so you really do have to fall back to the network at some point for your analysis. And so that's where we're very, very strong in the IoT world and industrial controls, SCADA and beyond. Healthcare, HL7 for example. So we're able to actually give you a level of insight that's really, really difficult to get otherwise.

>> And we've been hearing a lot of the keynotes and stuff, that those machines, those end points are often the easiest path in for the bad guys.

>> Yes they are.

>> An enormous security camera or whatever, because they don't have the same OS, they don't have all the ability to configure the protections that you would with say a laptop or a server.

>> That's right. There's a surprising number of IoT devices out there that are running very, very old. And vulnerable operating systems are easy to exploit.

>> Alright, so Matt, I guess we're into Q2 already, hard to believe the year's passing by. What's priorities for 2018 for you and ExtraHop?

>> So we've announced a first class, purpose-built security solution this year, and really the plan is to continue the sort of momentum that we've accrued. Which is very encouraging, the amount of interest that we've had. It's hard to keep up, frankly. Which is fantastic. We want to continue to build on that, grow out the use cases, grow out the customer base and continue our success.

>> Alright Matt, well, we'll keep an eye on the story, and thanks for stopping by.

>> Great, thank you. Appreciate it.

>> Alrighties Matt, I'm Jeff, you're watching theCUBE from RSA Conference, San Francisco. Thanks for watching.

Published Date : Apr 18 2018


Michael Daniel, Cyber Threat Alliance | RSA North America 2018


 

>> Narrator: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.

>> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA conference in downtown San Francisco, 40,000 plus professionals all about security, and one of the big themes is how do we work together? How do we leverage our collective knowledge, look for patterns to help, you know, be better against the bad guys, and one of the really big forces for that is the Cyber Threat Alliance, and we're really excited to have Michael Daniel, the president and CEO of Cyber Threat Alliance. Michael, great to see you.

>> Thanks for having me.

>> So, talk about kind of the genesis of this because it's such an important concept that, yes, we're competitors on this floor, but if we work together, we can probably save ourselves a lot of work.

>> Absolutely, I mean, part of the idea behind the Cyber Threat Alliance is that no matter how big you are, no matter how broad your coverage is of cyber security company, no one individual company ever sees all of the threats all of the time.

>> Jeff: Right.

>> And, so that, in order to better protect their customers and clients, sharing that threat intelligence at speed, at scale, is a very fundamental part of being a much better cyber security company.

>> So, how hard of a sell was that a year ago? I think you started it a year ago, announced it, and how's the ecosystem kind of changed over the last year?

>> Well, I would say that, you know, it's not like I run into anybody that says, "You know, Michael, that's a really stupid idea, we shouldn't do that." Right, it's really finding the way for a cyber security company to fit it into their business model.

>> Right.

>> To be able to consume the threat intelligence at a speed that matters and really be able to bake it into their products. That's usually the hard part. Conceptually, everybody agrees that this is what we need to do.

>> Right, and then, how 'bout just the nitty gritty nuts and bolts of, you know, how do you share information? How is it picked up, how is it communicated? What are the protocols? I'd imagine that's not too simple.

>> That's right, and one of the things that we settled on was we use the STIX format because it's an open format that everybody can translate back and forth. We had to build in a lot of business rules to actually make sure that people were playing fair. You know, for example, we actually require all of our members to share. So, you can't just join the alliance and consume information, you actually have to give in order to receive.

>> Right, and you've got some really kind of high-level, lofty goals that you've built this around in terms of doing good for the greater good, kind of beyond the profitability of an individual customer transaction. I wonder if you can speak to a few of those.

>> Well, sure, so the part of the idea behind the way that CTA is structured is that we're a 501(c)(6), so we're a non-profit, right, and the idea is that we function to help raise the level of cyber security across the digital ecosystem and actually enable our member companies to compete more effectively because they have better intelligence that their products and services are based on, but we, ourselves, are not in it to make money.

>> Right, right, right, alright, Michael. Unfortunately, we're up against the time.

>> Absolutely.

>> So, we're going to have to leave it there, but love the work that you guys are doing and it makes so much sense for people to work together.

>> Well, thank you very much, thank you for having me.

>> Alright, he's Michael from Cyber Threat Alliance. I'm Jeff from theCUBE. You're watching us from the RSA conference San Francisco, thanks for watchin'. (soft electronic beat)

Published Date : Apr 18 2018


Derek Manky, Fortinet | RSA North America 2018


 

>> Narrator: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.

>> Hey, welcome back, everybody, Jeff Frick here at theCUBE. We're at RSA's security conference, about 40,000 plus. I don't know, I got to get the number. The place is packed, it's a mob scene. Really excited to be here and joined by Derek Manky. We saw Derek last year from Fortinet. Great to get an update, Derek, what do you think of the show this year?

>> It's getting big for sure, as I said. That's an understatement.

>> I know.

>> This is my tenth year coming to RSA now, yeah.

>> It's your tenth?

>> And just to see how it's changed over 10 years is phenomenal.

>> Alright. So, one of the things you want to talk about that you probably weren't talking about 10 years are swarms of bots.

>> Yeah.

>> What the heck is going on with swarms of bots?

>> There's been a lot of changes on that front too, so the bad guys are clever, of course, right? If we look at 10 years ago, there was a lot of code, you know, crime kits, crime services that were being created for infrastructure. That led up to some more, you know, getting affiliates programs, kind of, business middle men to distribute crime. So, that drove a lot of the numbers up, but, literally, in the last three quarters, if we look at hacking activity, the number has doubled from FortiGuard labs. It's gone from 1.1 million to 2.2 to 4.4 million just over the last three quarters. So, we're looking at an exponential rise to attacks. The reason that's happening is because automation

>> Right.

>> And artificial intelligence is starting to be put into black hat code, and so the swarm concept, if you think of bees or ants in nature, what do they do? They work together, it's strength in numbers from a black hat's point of view.

>> Right, right.

>> They work together to achieve a common goal. So, it's intent based attacks, and that's what we're starting to see as precursors as some code, right? These IoT botnets, we're actually seeing nodes within the botnet that can communicate to each other, say, "Hey, guys, I found this other target in the network. Let's go launch a DDoS attack or let's all try to take different bits of file information from those targets." So, it's that swarm mentality where it takes the attacker more and more out of the loop. That means that the attack surge is also increasing in speed and becoming more agile too.

>> So, the bad news, right, is the bad guys have all the same tools that the good guys have in terms of artificial intelligence, machine learning, automation, software-defined, and they don't have a lot of rules that they're supposed to follow as well. So, it kind of puts you in a tougher situation.

>> Yeah, we're always in a tough situation for sure. You know, I would say, for sure, that when it comes to the tools, a lot of the tools are out there, they custom develop some tools. I would have to say on the technology side, when it comes to security members especially collaborating together and the amount of infrastructure that we have set up, I think we have a foot up on the attackers there, we're at an advantage, but you're absolutely right, when it comes to rules, there are no rules when it comes to the black hat attackers and we have to be very careful of that, how we proceed, of course, right.

>> And that's really the idea behind the alliance, right, so, that you guys are sharing information.

>> Yeah.

>> So, you're sharing best practices, you're picking up patterns. So, everybody's not out there all by themselves.

>> Absolutely, it's strength in numbers concept on our end too. So, we look at Cyber Threat Alliance, Fortinet being out founding member working with all other leading security vendors in this space is how we can team up against the bad guys, share actionable intelligence, deploy that into our security controls, which makes it a very effective solution, right. By teaming up, stacking up our security, it makes it much more expensive for cyber criminals to operate.

>> Right, that's good.

>> Yeah.

>> That's a good thing.

>> Yeah, yes.

>> And then, what about kind of this integration of the NOC and the SOC?

>> Yeah.

>> Because security's so much more important for all aspects of the business, right? It's not layered on, it's not stand alone. It's really got to be integrated into the software, into the process and the operations.

>> Absolutely, so, the good news is, if you look at things like we're doing with the security fabric, a lot of it is how do we integrate, how do we bring technology and intelligence down to the end user so that they don't have to do day-to-day mundane tasks, right? Talking about the swarm networks, what's happening on the black hats' side, attackers are gettin' much quicker, so defense solutions have to be just as quick if not faster, and so that's what the NOC SOC integration is about, right, how we can take network's security visibility, put it into things like our FortiAnalyzer manager SIEM appliances, right, be able to bring those solutions so, again, to when it comes to a NOC and SOC operation, how do you bring visibility into threats? How do you respond to those threats? More importantly, how do you also have automated security defense, so agile defense, put up?

>> Right.

>> We talk about concepts like agile macrosegmentation, right? That's something we're doing with Fortinet, how we can look at attacks and actively lock down attacks as they're happening is a really concept, right?

>> So, really, just to isolate 'em within kind of where they've caused the harm, keep 'em there until you can handle 'em and not let 'em just go bananas all over the orientation.

>> Yeah, yeah, so you can think of it as, like, an active quarantine. We've also launched our threat intelligence services. So, this is bringing the why. There's a lot of intelligence out there. There's a lot of logs. We have, now, threat intelligence services that we bring to security operation centers to show them here are the threats happening on your network. Here is why it is a threat. Here's the capabilities of the threat and here's how you respond to it. So, it helps from a CSOL perspective prioritized response on the incident response model to threats as well.

>> Alright, well, Derek, we've got to let it go there. We are at a super crazy time crunch.

>> I know.

>> We'll get you back into the studio and have a little bit more time when it's not so crazy.

>> Okay, I appreciate it.

>> Alright, he's Derek Manky, I'm Jeff Frick. You're watching theCUBE from RSA 2018, thanks for watchin'. (soft electronic beat)

Published Date : Apr 18 2018


Dr. Chase Cunningham, Forrester Research | RSA North America 2018


 

>> Narrator: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.

>> Welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA Conference North America 2018, downtown San Francisco. 40,000 plus people swarming all over Moscone to the north, to the south and to the west. We're excited to have our next guest on. He's Chase Cunningham, principal analyst at Forrester. Chase, great to meet you, welcome.

>> Thanks for having me.

>> Absolutely, so you just had an interesting blog post. Was Zero Trust on a beer budget.

>> Yeah.

>> What is that all about?

>> Well, so Zero Trust is a pretty simple concept about accepting failure, if you will, and focusing on the internal and moving outward. And basically the premise was, I had a friend of mine ask me if he could do Zero Trust for his small company. And I said sure, let's go get a beer and we'll figure this out. And literally, in about half an hour we had a Zero Trust strategy in place for less than 40 grand and his infrastructure is way more secure and it's really simple.

>> So that's pretty interesting because, you know, it's easy for big companies that have a lot of resources or the big puddle of Cloud companies have a lot of resources to put a lot of implementation into place. But as we look around this conference, tons and tons of companies, it's a lot harder for small and medium businesses either to have the expertise or the budgets to really bring in what they need to secure things. So what were some of the insights from your beer exercise?

>> Sure, so it was really simple. If you really think about where the majority of the threat comes from, the network is there and everybody uses it, but who accesses the network? The users, the individuals, the devices, everything else. So the first thing we did was we're going to lock down identity and access management, because I know if I can control that I've made a fundamental shift into power position for myself. And the next thing we did was we said, look, you guys don't really own intellectual property but you send emails. We're going to put stuff in place to encrypt every email you send whether you like it or not. So between those two simple things, identity access management and sort of data email encryption, we put a really strong security platform in place and it didn't break the bank and it wasn't really hard to do and it's something that you can get better as it goes on.

>> Right. And I'm curious, had he had an event or he was just trying to get ahead of the curve?

>> He had had some weird stuff showing up. He's in esports, right, so he doesn't have actual intellectual property, but he's worried because if they get DDoSed or they get hacked or they get ransomware, for every minute they're down they're losing viewers and that's business and money for them.

>> Right, so it kind of ties back to this kind of next gen access where it's really important with the identity, but the other one is the context. Who is it and where are they trying to get in? Do they usually come in that way? Do they usually have access? So that's another really way to kind of isolate the problems that might come in the front door.

>> Yeah, and you know the, years ago the next gen firewall was really the thing to integrate lots of functions across the network and that's all there. It still exists and it's still necessary, but really when you break it down and look at historically where the threats have come from and where the compromises have come from, it's access, and if you can't control that you don't have the capability of actually stopping bad things from happening.

>> Right, right, so as you look around and you've been coming to this probably for a couple years, as this space evolves. You know, kind of what are your general impressions? I mean, on one hand, so many vendors, so many activities. On the other hand, it was like, we've been at this for a while or are we just stuck in this race and we just got to keep running?

>> Well, I think we're going to continue running the race, but interestingly enough there's buses driving by now with Zero Trust all over the side of it. And I'm glad to see that that strategy is starting to take hold, because the problem I have is you can Frankenstein technology together all day long, but if you don't have a strategic guidepost that everybody understands from the board down to the network engineer you're going to get it wrong. You're going to miss, and so I'm a fan of simplicity and force multipliers, and to me the Zero Trust strategy sort of drives that forward.

>> All right, well Chris, thanks for taking a few minutes. Everyone can log onto your site, take a look at the blog. Thanks for stopping by.

>> Thanks for having me.

>> All right, he's Chris Cunningham from Forrester. I'm Jeff Frick from theCUBE. Thanks for watching from RSAC 2018.

Published Date : Apr 18 2018


Bill Mann, Centrify | RSA North America 2018


 

>> Narrator: From downtown San Francisco it's TheCUBE covering RSA North American 2018. >> Hey, welcome back everybody. Jeff Frick from TheCUBE. We're on the floor at the RSA Conference 2018. 40,000 plus people packed in Moscone North, South, West, and we're excited to be here. It's a crazy conference, security's top of mind obviously and everybody is aware of this. And our next guest, he's Bill Mann, chief product officer from Centrify. Bill, great to see you. >> Great to see you. >> So you guys have a lot of stuff going on but what I think what's interesting to me is you guys have this kind of no trust as your starting foundation. Don't trust anybody, anything, any device. How do you work from there? Why is that the strategy? >> Well that strategy is because we've got a really new environment now. A new environment where we have to appreciate that the bad actors are already within our environment. And if you stop believing that bad actors are already in your environment, you have to start changing the way you think about security. So it's a really different way of thinking about security. So what we call this new way of thinking about security is zero trust security. And you might have heard this from Google with BeyondCorp and so forth. And with that as the overarching kind of way we are thinking about security, we're focusing on something called NextGenAccess. So how do you give people access to applications and services where they're remote. They're not on the network and they're not behind a firewall because who cares about the firewall anymore because it's not secure. >> Right. So there's four tenets of NextGenAccess. One is verify the user, verify the device that they are coming from so they're not coming from a compromised device. Then give them limited access to what they are trying to access or what we call Limit Privilege and Access. 
And that last one is learn and adapt which is this kind of pragmatic viewpoint which is we're never going to get security right day one, right? To learn and adapt and what we're doing look at auto tune logs and session logs to change your policy and adapt to get a better environment. >> So are you doing that every time they access the system? As they go from app to app? I mean how granular is it? Where you're consistently checking all these factors? >> We're always checking the end factor and where we use an actual machine learning to check what's happening in the environment and that machine learning is able to give that user a better experience when they are logging in. Let's say Bill's logging into Salesforce.com from the same location, from the same laptop all the time. Let's not get in the way right? But if Bill the IT worker is going from a different location and logging into a different server that's prompting for another factor of authentication because you want to make sure that this is really Bill. Because fundamentally you don't trust anybody in the network. >> And that's really what you guys call this NextGenAccess, right? >> Bill: That's right, that's right, that's right. >> It's not just I got a VPN. You trust my VPN. I got my machine. Those days are long gone. >> Well VPNs, no no to VPNs as well, right? We do not trust VPNs either. >> So a big topic ever since the election, right, has been people kind of infiltrating the election. Influencing you know how people think. And you guys are trying to do some proactive stuff even out here today for the 2018 election to try to minimize that. Tell us a little bit more about it. >> Yeah we call it Secure The Vote. And if the audience has looked at the recent 60 Minutes episode that came on. That did a really good that walked everybody through what was really happening with the elections. 
The way you know the Russians really got onto the servers that are storing our databases for the registration systems and changed data and created chaos in the environment. But the fundamental problem was compromised credentials. I mean 80% of all breaches believe it or not have to do with compromised credentials. They are not around all the things we think are the problem. So what we're doing here with Secure The Vote is giving our technology to state and local governments for eight months for free. And essentially they can then upgrade their systems, right? So they can secure the vote. So fundamentally securing who has access to what and why and when. And if you look at the people who are working on election boards, they're volunteers, there are a lot of temporary staff and so forth. >> Right, right. >> So you can imagine how the bad guys get into the environment. Now we've got a lot of experience on this. We sell to state and local governments. We've seen our technology being used in this kind of environment. So we're really making sure that we can do our part in terms of securing the election by providing our technology for free for eight months so election boards can use our technology and secure the vote. >> So how hard is it though for them to put it in for temporary kind of situation like that? You made it pretty easy for them to put it in if they are not an existing customer? >> Absolutely I mean one of the things, one of the fallacies around this whole NextGenAccess space is the fact that it's complicated. It's all SaaS-based, it's easy to use, and it's all in bite-sized chunks, right? So some customers can focus on the MFA aspects, right? Some customers can focus on making sure the privileged users who have access to the databases, right, are limiting their access right? So there's aspects of this that you can implement based upon where you want to be able to, what problem you want to be able to solve. 
We do provide a very pragmatic best practices way of implementing zero trust. So we are really providing that zero trust platform for the election boards. >> Jeff: Alright, well that's great work Bill and certainly appreciated by everybody. We don't want crazy stuff going on in the elections. >> Absolutely. >> Jeff: So we'll have to leave it there. We'll catch up back in the office. It's a little chaotic here so thanks for taking a few minutes. >> Thank you very much. >> Alright, he's Bill Mann and I'm Jeff Frick. You're watching TheCUBE from RSAC 2018. Thanks for watching. (bright music)

Published Date : Apr 18 2018


Misha Govshteyn, Alert Logic | RSA North America 2018


 

(upbeat music) >> Announcer: From downtown San Francisco, it's theCUBE covering RSA North America 2018. >> Hey welcome back everybody, Jeff Frick here with theCUBE. We're at RSA's North American Conference 2018 at downtown San Francisco. 40,000 plus people talking about security. Security continues to be an important topic, an increasingly important topic, and a lot more complex with the, having a public cloud, hybrid cloud, all these APIs and connected data sources. So, it's really an interesting topic, it continues to get complex. There is no right answer, but there's a lot of little answers to help you get kind of closer to nirvana. And we're excited to have Misha Govshteyn. He's the co-founder and SVP of Alert Logic, CUBE alumni, it's been a couple years since we've seen you, Misha, great to see you again. >> That's right, I'm glad to be back, thank you. >> Yeah, so since we've seen you last, nothing has happened more than the dominance of public cloud and they continue to eat up-- >> I think I predicted it on my past visits. >> Did you predict it? Wow that's good. >> But I think it happened. >> But it's certainly happening, right. Amazon's AWS' run rate is 20 billion last reported. Google's making moves. >> Their conference is bigger than ours right now. >> Is it? >> That's 45,000 people. >> Yeah, it's 45,000, re:Invent, it's nuts, it's crazy. and then obviously Microsoft's making big moves, as is Google cloud. So, what do you see from the client's perspective as the dominance of public cloud continues to grow, yet they still have stuff they have to keep inside? We have our GDPR regs are going to hit in about a month. >> Well one thing's for sure is, it's not getting any easier, right? Because I think cloud is turning things upside down and it's making things disruptive, right, so there's a lot of people that are sitting there and looking at their security programs, and asking themselves, "Does this stuff still work? 
When more and more of my workloads are going to cloud environments? Does security have to change?" And the answer is obviously, it does but it always has to change because the adversaries are getting better as well, right. >> Right. >> There's no shortage of things for people to worry about. You know when I talk to security practitioners, the big thing I always hear is, "I'm having a good year if I don't get fired." >> Well it almost feels like it's inevitable, right? It's almost like you're going to, it seems like you're going to get hit. At some way, shape, or form you're going to get hit. So it's almost, you know how fast can you catch it? How do you react? >> That's a huge change from five years ago, right? Five years ago we were still kind of living in denial thinking that we can stop this stuff. Now it's all about detection and response and how does your answer to the response process works? That's the reason why, you know last year, I think we saw a whole bunch of noise about, you know machine learning and anomaly detection, and AI everywhere and a whole lot of next-generation antivirus products. This year, it seems like a lot of it is, a lot of the conversation is, "What do I do with all this stuff? How do I make use of it?" >> Well then how do you leverage the massive investment that the public cloud people are making? So, you know, love James Hamilton's Tuesday night show and he talks about just the massive investments Amazon is making in networking, in security, and you know, he's got so many resources that he can bring to bear, to the benefit of people on that cloud. So where does the line? How do I take advantage of that as a customer? And then where are the holes that I need to augment with other types of solutions? >> You know here's the way I think about it. We had to go through this process at Alert Logic internally as well. Because we obviously are a fairly large IT organization, so we have 20 petabytes of data that we manage. 
So at some point we had to sit down and say, "Are we going to keep managing things the way we have been or are we going to overhaul the whole thing?" So, I think what I would do is I would watch where my infrastructure goes, right. If my infrastructure is still on-prem, keep investing in what you've been doing before, get it better, right? But if you're seeing more and more of your infrastructure move to the cloud, I think it's a good time to think about blowing it up and starting over again, right? Because when you rebuild it, you can build it right, and you can build it using some of the native platform offerings that AWS and Azure and GCP offer. You can work with somebody like Alert Logic. There's others as well right, to harness those abilities. I'll go out on a limb and say I can build a more secure environment now in a cloud than I ever could on-prem, right. But that requires rethinking a bunch of stuff, right. >> And then the other really important thing is you said the top, the conversation has changed. It's not necessarily about being 100% you know locked down. It's really incident response, and really, it's a business risk trade-off decision. Ultimately it's an investment, and it's kind of like insurance. You can't invest infinite resources in security, and you don't want to just stay at home and not go outside. Now that's not going to get it done. So ultimately, it's trade-offs. It's making very significant trade-off decisions as to where's the investment? How much investment? When is the investment then hit a plateau where the ROI is not there anymore? So how do people think through that? Because, the end of the day there's one person saying, "God, we need more, more, more." You know, anything is bad. At the other hand, you just can't use every nickel you have on security. 
>> So I'll give you two ends of the spectrum right, and on one end are those companies that are moving a lot of their infrastructure to the cloud and they're rethinking how they're going to do security. For them, the real answer becomes it's not just the investment in technology, and investing into better getting information from my cloud providers, getting a better security layer in place. Some of it is architecture right, and some of the basics right, there's thousands of applications running in most enterprises. Each one of those applications on the cloud, could be in its own virtual private cloud, right. So if it gets broken into, only one domino falls down. You don't have this scenario where the entire network falls down, because you can easily move laterally. If you're doing things right in the cloud, you're solving that problem architecturally, right. Now, aside from the cloud, I think the biggest shift we're seeing now, is towards kind of focusing on outcomes, right. You have your technology stack, but really it's all about people, analytics, data. What do you, how do you make sense of all this stuff? And this is classic I think, with the Target breach and some of the classic breaches we've seen, all the technology in the world, right? They had all the tools they needed. The real thing that broke down is analytics and people. >> Right, and people. And we hear time and time again where people had, like you said, had the architecture in place, had the systems in the place, and somebody mis-configured a switch. Or I interviewed a gal who did a live social hack at Black Hat, just using some Instagram pictures and some information on your browser. No technology, just went in through the front door, said, you know, hey, "I'm trying to get the company picnic site up, can you please test this URL?" She's got a 100% hit rate! 
But I think it's really important, because as you said, you guys offer not only software solutions, but also services to help people actually be successful in implementing security. >> And the big question is, if somebody does that to you, can you really block it? And the answer a lot of times is, you can't. So the next battlefront is all about can you identify that kind of breach happening, right? Can you identify abnormal activity that starts to happen? You know, going back to the Equifax breach, right, one of the abnormal things that happened that they should've seen and for some reason didn't, you know, 30 web shells were stood up. Which is the telltale sign of, maybe you don't know how you got broken into, but because there's a web shell in your environment you know somebody's controlling your servers remotely, that should be one of those indicators that, I don't know how it happened, I don't know maybe I missed it and I didn't see the initial attack, but there's definitely somebody on a network poking around. There's still time, right? There's, you know for most companies, it takes about a hundred days on average, to steal the data. I think the latest research is if you can find the breach in less than a day, you eliminate 96% of the impact. That's a pretty big number right? That means that if you, the faster you respond, the better off you are. And most people, I think when you ask 'em, and you ask 'em, "Honestly assess your ability to quickly detect, respond, eradicate the threat." A lot of them will say, "It depends" But really the answer is "Not really." >> Right, 'cause the other, the sad stat that's similar to that one, is usually it takes many, many days, months, weeks, to even know that you've been breached, to figure out the pattern, that you can even start, you know, the investigation and the fixing. >> Somewhat not surprising, right? I don't think there's that many Security Operation Centers out there, right? 
There's not, you know, not every company has a SOC right? Not every company can afford a SOC. I think the latest number is, for enterprises, right, this is Fortune 2000, right, 15% of them have a SOC. What are the other 85% doing? You know, are they buying a slice of a SOC somewhere else? That's the service that we offer, but I think, suffice to say, there's not enough security people watching all this data to make sense of it right. That's the biggest battle I think going forward. We can't make enough people doing that, that requires a lot of analytics, right. >> Which really then begs, for the standalone single enterprise, that they really need help, right? They're not going to be able to hire the best of the best for their individual company. They're not going to be able to leverage you know best-in-breed, Which I think is kind of an interesting part of the whole open-source ethos, knowing that the smartest brains aren't necessarily in your four walls. That you need to leverage people outside those four walls. So, as it continues to morph, what do you see changing now? What are you looking forward to here at RSA 2018? >> So I made some big predictions five years ago, so I'll say you know, five years from now, I think we're going to see a lot more companies outsource major parts of their security right, and that's just because you can't do it all in-house right. There's got to be a lot more specialization. There's still people today buying AI products right, and having machine learning models they invest in to, there's no company I'm aware of, unless they're, you know, maybe the top five financial firms out there, that should have a, you know, security focused data scientist on staff, right? And if you have somebody like that in your environment, you're probably not spending money the right way, right. So, I think security is going to get outsourced in a pretty big way. We're going to focus on outcomes more and more. 
I think the question is not going to be, "What algorithm are you using to identify this breach?" The question is going to be, "How good are your identifying breaches?" Period. And some of the companies that offer those outcomes are going to grow very rapidly. And some of the companies that offer just, you know, picks and shovels, are going to probably not do nearly as well. >> Right. >> So five years from now, I'll come back and we'll talk about it then. >> Well, the other big thing, that's going to be happening in a big way five years from now, is IoT and IIoT and 5G. So, the size of the attacked surface, the opportunities to breach-- >> The data volume. >> The data volume, and the impact. You know it's not necessarily stealing credit cards, it's taking control of somebody's vehicle, moving down the freeway. So, you know, the implications are only going to get higher. >> We collect a lot of logs from our customers. Usually, the log footprint, grows at three times the rate of our revenue and customers, right. So, you know, thank god-- >> The log, the log-- >> The log volume grows-- >> volume that you're tracking for a customer, grows at three times your revenue for that customer? >> That's right. I mean, they're not growing at three times that rate, annually right, but annually, you know, we've clocked anywhere between 200% to 300% growth in data that we collect from them, IoT makes that absolutely explode, right. You know, if every device out there, if you actually are watching it, and if you have any chance of stopping the breaches on IoT networks, you got to collect a lot of that data, that's the fuel for a lot of the machine learning models, because you can't put human eyes on small RTUs and you know, in factories. That means even more data. 
>> Right, well and you know the model that we've seen in financial services and ad-tech, in terms of, you know, an increasing amount of the transactions are going to happen automatically, with no human intervention, right, it's hardwired stuff. >> So I think it's that balance between data size and data volume, analytics, but most important, what do you feed the humans that are sitting on top of it? Can you feed them just the right signal to know what's a breach and what's just noise? That's the hardest part. >> Right, and can you get enough good ones? >> That's right. >> Underneath your own, underneath your own shell, which is probably, "No", well, hopefully. >> I think building this from scratch for every company is madness, right. There's a handful of companies out there that can pull it off, but I think ultimately everybody will realize, you know, I'm a big audio nerd so I looked it up, right, you used to build all of your own speakers, right. You'd buy a cabinet and you'd buy some tools, and you would build all the stuff. Now you go to the store and you buy an audio system, right? >> Right, yeah, well at least audio, you had, speakers are interesting 'cause there's a lot of mechanical interpretations about how to take that signal and to make sound, but if you're making CDs you know you got to go, with the standard right? You buy Sonos now, and Sonos is a fully integrated system. What is Sonos for security, right? It doesn't exist yet. And that's, I think that's where Security as a Service is going. Security as a Service should be something you subscribe to that gives you a set of outcomes for your business, and I think that's the only way to consume this stuff. It's too complex for somebody to integrate from best-of-breed products and assemble it just the right way. I think the parallels are going to be exactly the same. I'm not building my car either, right? I'm going to buy one. 
Alright Misha, well, thanks for the update, and hopefully we'll see you before five years, maybe in a couple and get an update. >> We'll do some checkpoints along the way. >> Alright. Alright, he's Misha, I'm Jeff. You're watching theCUBE from RSA North America 2018 in downtown, San Francisco. Thanks for watching. (techno music)

Published Date : Apr 18 2018


Michael DeCesare, ForeScout Technologies | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE. Covering RSA North America 2018. >> Hey welcome back everybody, Jeff Frick here with theCUBE. We're at RSA North America 2018 in San Francisco. 40,000 plus people talking security, enterprise security, cloud security, a lot going on. It just continues to get more and more important. And we're really excited for our next guest who's been playing in the enterprise space for as long as I can remember, which has been a little while. Mike DeCesare, he's the CEO and President of ForeScout. Mike, great to see you. >> Started my career off when I was one. (Jeff laughs) So, I've been in this for a long time. >> You have been in it a long time. So you guys now you're all about, right so there's so much stuff going on in security and security is one of these things that I have to look at it as kind of like insurance. You can't put every last nickel in security, but at the same time, you have to protect yourself. The attack surfaces are only growing with IIoT and we were at an autonomous vehicle show, and 5G is just coming around the corner, and all these connected devices and APIs. So you guys have a pretty unique approach to how you top level think about security called visibility. Explain that to us. >> So visibility is the next big thing in the world of cybersecurity and the dynamic is very basic. It's, for 20 plus years, CIOs and CSOs were substantially able to control everything that was on their network. You'd buy your servers and Windows machines and Blackberries for your employees and then there was very little tolerance for other devices being on those organization's networks. And what happened 10 years ago this year, with the birth of the iPhone was that CIOs, those same CIOs now had to deal with allowing things onto their network that don't subscribe to those same philosophies and when you can't buy it and outfit it with security before you put it into the environment. 
And that's the gap that ForeScout closes for organizations is we have an agentless approach which means we plug into the network infrastructure itself and we give customers visibility into everything that is connected to their network. >> So that begs a question, how do you do that without an agent? I would imagine you would put a little agent on all the various devices. So what's your technique? >> We actually don't. That's the secret sauce of the company is that >> Okay. >> You know over 10 years ago, we recognized this IoT trend coming because that's, that's the thing in the world of IoT is unlike the first kind o' 20 years of the internet, there was a substantially smaller number of operating systems, most of them open. The different characteristic about the current internet is that many of these use cases are coming online as closed proprietary operating systems. The example I use here is like your home. You know, you get a Nest thermostat and you put it on your network and it monitors, you know, heating and cooling but the device, the operating system, the application is all one consumer device. It doesn't run Windows. You can't install antivirus on your Nest thermostat. So our approach is we plug into the network infrastructure. We integrate to all of the network vendors, the firewall vendors, the wireless controlling vendors and we pull both active and passive techniques for gathering data off those devices and we translate that into a real-time picture of not just everything connected to the network but we know what those devices are without that client having to do anything. >> So you have what you call device cloud or yeah, ForeScout device cloud. So is that, is that a directory of all potential kind of universe of devices that you're querying off of or is that the devices within the realm of control of your of your clients directly? >> It's the second. 
It's the, so the way that our product works is we plug into the network infrastructure so anything that requests an IP address, whether is wired and wireless in the campus environment, whether it's data center or cloud in the data center environments or even into the OT space, anything that requests an IP address pops onto our radar the second it requests that address. And that cloud that we've built, that we've had for about nine months, we already have three million devices inside, almost three and a half million devices, is a superset of all of the different devices across our entire install base just from the clients that have been willing to share that data with us already. And that gives us optimism because what that becomes is a known set of fingerprints about all known devices so the first time that we discover a Siemens camera that might be a manufacturer, the company might have ten thousand of those in the environment, the first time that we see that device, we have to understand the pattern of traffic off that device, we label that as a security camera and any other customer world-wide that's has that same device connects, we instantaneously know it's a Siemens security camera. So we need the fingerprint of those devices once. >> Right, and so you're almost going to be like the GE Predix of connected devices down the road potentially with this cloud. >> We won't go there on that. >> He won't go there, alright. We've talked to Bill Ruh a lot of times but he does an interesting concept. The nice thing 'cause you can leverage from a single device and knowledge across the other ones which is so, so important on security so you can pick up multiple patterns, repeated patterns et cetera. >> One of the best parts about ForeScout is the fact that we deployed incredibly quickly. We have clients that have almost a million devices that got live in less than three months. 
And the reason we're able to do that is we plug into the infrastructure, and then our product kind o' does its own thing with very little effort from the client where we compare what we have in this repository against what they have in their environment. We typically get to an 80 or 90% auto-classification meaning that we know 80 or 90% of the time, not just what's on the network but what that device is and then the other 20% is where we have the implementation where we go through and we look at unique devices. It might be a bank has some model of ATM we've never seen before or a healthcare company has beds or machines on a hospital floor that we haven't recognized before. And the first time that we see each of those devices uniquely, we have to go through the process of fingerprinting it which means that we're looking for the unique pattern of traffic that's coming off a, you know, a router, a switch and a firewall and we're ingesting that and we're tagging that device and saying anytime we see that unique pattern of traffic, that's a certain device, a security camera or what have you. >> Right. >> The reason's that useful is then we get to put a policy in place about how those devices are allowed to behave on the network. So if you take something like the Mirai Botnet which hit about a year ago, was the thing that took down a big chunk of the Northeast, you know, utilities and you know, internet, it infected, it was a bot that infected security cameras predominantly. Nobody thought twice about having security cameras in their environment, but they're the same as they are in your house where you know, you put it online, you hit network pair and it's online. >> Right. >> But that bot was simply trying to find devices that had the default password that shipped from the security manufacturer and was able to be successful millions of time. 
And with our product in place, that couldn't happen because when you set us up, we would know it's a security camera, we'd put a policy in place that says security camera can speak to one server in the data center called the security camera server. And if that device tries to do anything more criminal, if it tries to dial the internet, if it tries to break into your SAP backend, any of those activities, we would give the customer the ability to automatically to take that device offline in real time. >> Right, so you're... >> And that's why our clients find us to be very useful. >> Right, so you're really segregating the devices to the places they're supposed to play, not letting 'em out of the areas they're supposed to be. Which is the >> Absolutely. >> Which is the classic kind of back door way in that the bad guys are coming in. >> Our philosophy is let everything onto the network. We take a look at that traffic. We give you a picture of all those devices and we allow each customer to put an individual policy in place that fences that in. If you take the other extreme like a Windows machine in a corporate environment, our typical policy will be you know, do you have Windows 2009 or later? 'Cause most customers have policies they don't want XP in their environments anymore. But we enforce it. So if an XP device hits the network, we can block that device or we can force a new version down. If you have Symantec, has it got a dat file update? If you've got Tenable, has it had a scan recently? If you've got, you know, any of the other products that are out there that are on those machines, our job is to enforce that the device actually matches the company's policy before that device is allowed in. >> Before you let it. Alright. >> And if at any time that it's on that network, it becomes noncompliant, we would take that device offline. 
>> You know, with the proliferation of devices and continuation growth of IoT and then industrial IoT, I mean, you guys are really in a good space because everything is getting an IP address and as you said, most of them have proprietary operation systems or they have some other proprietary system that's not going to allow, kind o' classic IT protections to be put into place. You've really got to have something special and it's a pretty neat approach coming at it from the connectivity. >> It's the secret sauce of the company is we recognized many years ago that the combination of not just there being very few operating systems but they were all open. Windows, Linux, right? I mean, you can buy a Windows machine and you can install any product you want on it. But we saw this trend coming when the next wave of devices was going to be massively heterogeneous and also in many cases, very closed. And you know, you mentioned the example of the OT space and that's one of the other, the third biggest driver for us in our business is the OT space because when you're looking at WannaCry or a NotPetya and you see companies like Maersk and FedEx and others that are, that are publicly talking about the impact of these breaches on their earnings calls. What those companies are waking up and realizing is they've got 25 year old systems that have run, you know, an old version of Microsoft that's been end-of-life decades ago and the bad actors have proven very adept at trying to find any entry point into an organization, right, and the great news for ForeScout is that really lends itself very much towards our agentless approach. I mean, many of these OT companies that we're in, devices that are in their manufacturing facilities don't even have an API. They were built so long ago so there's no concept of interacting with that machine. 
>> Right >> So for us, allowing that device to hit the Belden switches and then be able to interrogate the traffic coming off those switches lets us do the same thing that we do in the campus world over in the OT world as well. >> Good spot to be. So RSA 2018, what are ya looking forward to for this week? >> This is just massive in size. It's like speed dating. From a customer's perspective too, I mean, I meet so many customers that come here and able to meet with 30 or 40 vendors in a single week and it's no different, you know, for the providers themselves so. You know, we've got some really, kind o' really high profile big wins, you know, it's very common for us to be doing deals at this point that get up over a million devices so they're very high profile so it's a great chance to reconnect with customers. You know, one of the things I didn't mention to you is that kind o' the, the whole thing that we do of identifying devices and then understanding what they are and allowing those policies to get put in places, that's fundamentally done with our own IP, and the connections into the switch and firewall vendors. But we've built this whole other ecosystem of applications in the world of orchestration that set on top of our products. We integrate the firewall vendors, the vulnerability management vendors, the EDR vendors, the AV vendors, so it's a great chance for us to reconnect with you know, those vendors as well. In fact, we're doing a dinner tonight with CrowdStrike. They're one of our newer partners. Very excited about this week. It brings a lot of optimism. >> Well, great story Mike and excited to watch it to continue to unfold. >> We appreciate you giving us some time. >> Alright, thanks for stopping by. That's Mike Decesare. I'm Jeff Frick. You're watching theCUBE from RSA North America 2018. Thanks for watchin'. Catch you next time. (techno music)

Published Date : Apr 18 2018


Sean Cunningham, ForgePoint Capital | RSA North America 2018


 

>> Presenter: From downtown San Francisco, it's theCUBE, covering RSA North America 2018. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco with RSA North America 2018 40,000 plus professionals talking about security, enterprise security. It's a growing field, it's getting baked into everything. There's a whole lot of reasons that this needs to be better and more integrated into everything that we do, as opposed to just kind of a slap on at the end. And, who better to have on, who's investing at the cutting edge, keeping an eye on the startups than Sean Cunningham, our next guest. He's a managing director ForgePoint Capital, the newly named, so welcome to ForgePoint Capital, I guess. (Sean laughs) >> Thanks, Jeff, we're pretty excited about it. So, we were branded Trident Capital Cybersecurity. We're a 300 million dollar cybersecurity only fund, we closed the fund about a year and a half ago. We've invested in a dozen companies, and we decided that now is a great time to rebrand. ForgePoint really tells more about what we're doing, we're forging ahead with our Series A, Series B funded companies, as well as a few growth equity. So, it made a lot of sense, but we're pretty excited about the market, and obviously RSA, with 1700 cybersecurity companies makes it interesting. >> Right, so you've been at this for a while. I wonder if you can speak to some of the macro trends as we've seen the growth of cloud, the growth of IoT will soon be more industrial IoT, enabled by 5G. We've got all these automated systems and financial services trading, and ad tech that we're going to see more and more of that automated transaction happening. You've got APIs and everything's connected to everything else to enable my application. So, really really exciting, and huge, growing threat surface if you will, but at the same, these are the technologies that are driving forward. 
So, what are you seeing from your, seat at the table some of the newer, more innovative startups? >> Jeff, I think you should probably tell me. You have all the answers there. >> I talked to a lot of smart people, that's the benefit of the job. >> I think the only two buzzwords you left off was Bitcoin and fraudulent payments. >> Oh, we can work a little blockchain in if you want. >> Yeah, but it is absolutely a bit of an interesting environment. I've been doing it since 2000 with Intel Capital for 15 years, but what's really changed, what hasn't changed is the fact that it's all about the hackers are able to monetize this. So, that's not going away. The biggest change are the, I guess, overt nation state attacks. So, between all of those things, the drivers are just continuing to force cybersecurity to become better and better. And, that's why the innovative startups are really, you're seeing these 1700, because the legacy companies can't fix these problems. And, you know, you talk about all these different paths for hackers to get in. It's absolutely the case and we are really big on areas, as you mentioned Jeff, the automation. It has to be about automating. It has to be about having a real solution for a real problem. You know, you look at, let's say 1500 of these security startups, a lot of them are about technology for the sake of technology. So, we're pretty excited about a couple of areas. One, is application security. If you think about the Equifax hack, you know, it's as simple as getting into the website and being able to hack into all of the PII data if you will. And, we've invested in a company called Prevoty and what they do is they make it easy for the application security folks to meet with the DevOps folks and inject the software into these applications. 
The reason why that's really interesting is, if you think about how long it takes for the DevOps guys to get all their new updates out, through that whole cycle, when you could automate that process and reduce that time to market, that's what it's really all about. >> So, what's your take on GDPR. You know, it's passed a little while ago, the enforcement comes into place next month. It's weird what's going on with Facebook right now. I don't ever hear GDPR in the conversation of what's going on, and yet, it's just around the corner and it seems like it would be part of that conversation. Do you see this as just kind of a Y2K moment, where there's a lot of buzz and the date hits and we get past it and then we kind of move on with our lives, or is this really a fundamental shift in the way that companies are going to have to manage their data? >> Well, I can show you my scars from investigating compliance companies. I think the winners in that space, from a business standpoint are going to be the consultant companies, initially and at some point then, the legacy guys are going to be also involved, as well as some of the startups. But, clearly, until you see some of the large penalties happen, there's not going to be a lot of movement. There's going to be a lot of hand waving and consulting firms are trying to figure out what's your problem, how do we solve it. So, you're going to see, I'm sure, around the floor a lot of GDPR stuff, but we're being very cautious about where we invest there because, as you say, Y2K and a lot of this is going to be a lot of FUD. The legacy guys are going to say, oh we can handle that. Same as they did with cloud. Look how long it's taking cloud to get adopted, my God. I mean-- >> Right. >> GDPR is a big piece of that. We did investments in that space, around CASB, it's called. And, we invested in a company called Prelert. It had great traction, but then it just kind of topped out. 
So, it's going to be investable space and there's going to be a lot of money dumped in there because it's, you know, the Lemming effect. All VCs are going to follow that. >> Right. >> We'll see what happens. >> And then on the cloud, you know, with the growth of public cloud with Amazon and Azure and Google Cloud Platform, and they've got significant resources that they're investing into the security of their clouds and their infrastructure. And, yet, we still hear things happen all the time where there's some breach because somebody forgot to turn a switch from green to blue, or whatever. How did the startups, you know, kind of find their path within these huge public cloud spaces to find a vector that they can concentrate on, that's not already covered by some of these massive investments that the big public cloud people are making? >> Yeah, I think some of the, you know you point something out, I mean we got to think about cloud, you think about the public cloud, you think of private cloud and hybrid model and so on. I think that's really where things are going to be for a while. The big guys, the big companies, enterprises are not putting a lot of their crown jewels out in the public clouds, yet. And, so the private clouds are equally important to them. And, so they have to be secured. And, the public cloud, you know, there's definitely they have some good security, but they quietly are implementing security from innovative companies also. They're not as public about it because they want to have they're already secure, so don't worry about me, but there's a lot of opportunity there. >> Okay, and then when CIOs are talking about security and thinking about security, ultimately they cannot be 100 percent secure, right, it's just you cannot be. >> It's called job security. >> Yeah, job security for us, right. But, I was thinking of this kind of as an insurance model. 
At some point, you get kind of the law of diminishing returns and you got to start making business trade-offs for the investment. How are these people thinking about this, at the same time, seeing their competitors and neighbors showing up on the cover of the Wall Street Journal breach after breach after breach? What's the right balance? How should they be thinking about managing risk, and thinking of a risk problem as opposed to kind of a castle problem? >> Yeah, and that's the biggest problem with CIOs and CSOs right now. It's all about what's good enough. Where do I reach that threshold? And, so there is definitely buyer fatigue. And, I think it's a matter, there are companies out there that look at the risk profile and are actually giving ratings of, what is your environment look like. We just invested in a spin out from, we helped spin out a company called CyberCube out of Symantec, and it's insurance. And, they're looking at, from a cyber insurance perspective, of what's your risk profile within your organization and selling and that data from Symantec as well as the data they have and going back to the insurance, the under buyer and saying, hey, we can show you the risk profile of this company and you can properly price your cyber insurance now. We all know how large the cyber insurance market is, so there's a lot of opportunities in that space to really look at the risk factors. >> Alright, well before I let you go, to go visit all the 117 startups, which will be looking for your cheque, I'm sure. >> Human ATM. >> What is one or two things that you think about in some of the more progressive startups that you talk about that still hasn't kind of hit the public eye yet. That they should be thinking about, or that we're going to be talking about in a couple years that's still kind of below the radar? >> Yeah, you know, if I told you then everyone else would be-- >> That's true. >> So, I have to be a little careful. 
You know, I think the interesting thing is, you know, a bit of a contrarian view. Is, if you think about consumer space, people don't really want to invest. Investors don't want to put money in the consumer, but you think about Symantec again, LifeLock. Identity protection, 2.3 billion dollars Symantec paid to get LifeLock. That's a lot of money. But, if you think about five years ago, how many consumers would pull out their Visa card to buy security. So, we think that there's really a potential opportunity on the consumer side. Now, AV is pretty well scorched earth. A lot of places, a lot of these endpoint things are scorched earth, but consumer might be an interesting place to be able to take these enterprise applications and, what I call, the consumerization of security, and take some of those interesting application and solutions and bring them down to the consumer in a bundle type of environment. >> Yeah, well certainly with all the stuff going on with Facebook now, people's kind of reawakening at the consumer level of what's really happening would certainly be fuel for that fire. >> We have an investment in a company called IDEXPERTS, which does breach remediation and our goal right now is we're continuing to add products from that space to be able to give the consumers a very robust offering. >> Alright, Sean, well thanks for taking a few minutes out of your day from prospecting. >> Yeah, pleasure. >> Over on the floor, he's Sean Cunningham, I'm Jeff Frick. You're watching theCUBE from RSA North America 2018 in downtown San Francisco. Thanks for watching, I'll see you next time. (upbeat music)

Published Date : Apr 18 2018


Jason Brvenik, NSS Labs | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's The Cube, covering RSA North America 2018. >> Welcome back, Jeff Frick with The Cube. We're at RSAC, the RSA Conference North American in San Francisco, 2018. 40,000 people, it's an amazingly huge and growing conference, 'cause security is obviously at the forefront of everything, especially as everything moves to devices and services and cloud, we can't forget security and we're excited to have somebody who's kind of got to a third-party validation kind of point of view on the marketplace to get their perspective. It's Jason Brvenik and he is the Chief Technology Officer for NSS Labs. So, Jason, great to meet you. >> Great to meet you. >> So for people that aren't familiar with NSS Labs, give us kind of the overview of what you guys are all about. >> We work with enterprises to understand their needs in security, and then, build and create test environments that create real-world conditions to assess whether or not a product is a good fit. We create comparable environments, so that we can understand fundamentally whether or not the products are delivering on their claims. >> Right, and recently you've done some work around the data center intrusion prevention systems group test. >> Mm-hmm. >> It's a mouthful. What is that all about? >> Well, that's all about the recognition that data centers are the keys to access for most organizations and appropriately protecting them is not as easy as deploying a firewall. You need to have much greater inspections on the interactions with systems, whether or not security's being provided within the application layers, being properly secured, and so, latency and performance and effectiveness against attacks are all measured and then presented in a set of group test reports. >> Right. So, must be getting increasingly complex, 'cause there's all these different components now that build up a solution. Right? 
It's not just one set of applications, that you're pulling maybe public data sources, you've got a bring-your-own-devices, you've got this huge string of things that are all pulled together. How do you incorporate that into your testing? How do you figure out how these things work together? 'cause ultimately, that increases your attack surface area, vulnerabilities, I would imagine. >> Certainly, and we create an environment, an architecture that we propose, that based on our interactions with the enterprises, it's fairly representative of what an enterprise would have, and then we create or simulate the types of interactions you would have with the different systems, generate attacks against them, and measure whether or not the products are able to sustain a concerted attack from an adversary. All the way into creating evasive techniques, so that an attack that is known to be blocked by a technology, we would apply different techniques to make it evasive and see if we can evade the security controls and to measure those. >> So how accurate are people, not to call anybody up, but how accurate are people in assessing the effectiveness of their own products and solutions? >> That's an interesting mixed bag. >> I'm sure it must run the gamut, right? >> It does, it does. >> Well, we don't want to call out any, beat anybody up, but I would imagine there are some that are just, Are they just looking at the wrong thing? Or how do you sort that all out? >> It's interesting to see the different perspectives that exist in the security space. Everything from just make the pain stop, where they want to do simple signature blocking to, we really want to understand what's happening and dig deep into the protocols and interactions and understand what's an appropriate interaction beyond whether or not there's an attack there. 
The fundamental premise we have in our space is there's an absolute shortage of talent in the security space that understands that just because the standard says something should be, doesn't mean that an attacker has to adhere to it. And so there's a ton of breaks in that. >> Dang. And what are some of the things that people just miss as the attack surfaces change? And I just think of the fully automated systems like we've seen in ad tech and advanced financial trading systems that are now moving more and more into an increasing group of applications that are going to be IoT-enabled, they're all going to be connected with 5G moving very quickly, so the potential for problems becomes pretty significant if there's a bad actor that gets inserted into that process. >> Certainly and it's interesting that the attackers seem to have automation down pretty well. They can get in and move laterally pretty quickly. >> Right. >> And ferreting out attacker behavior from just bad user behavior can be very difficult. The presumptions that a lot of technologies because the standard says something should be, it will be, create these situations where people aren't effectively looking for the ambiguities and standards, and those are abused all the time. When you look at embedded devices, they get deployed and they stay for 10 years. >> Jeff: Right. >> That's 10 years of technical data that's just deployed and waiting to be exercised and exploited, and having a good general hygiene on an operational environments to understand where these rifts are is probably the biggest gap in the Enterprise world. On the security side, the reliance on standards and the reliance on assumptions of what should be tend to continue, come back, and bite vendors, all right? >> It's funny. 
So you say just general hygiene and we talked about that in one of the prior interviews where often we'll hear, say, there's a Amazon breach or something and you get to the second paragraph and it's because somebody forgot to set a configuration in the right way, so it's not necessarily the technology or the infrastructure or the safeguards that are put up, it's just somebody forgot to turn the switch on. >> It is. >> So, why these things, general hygiene is still such a problem, is it just because it's so complex, things are moving so fast, people are just too busy? Is it a symptom of dev ops? >> We're human, we're human. >> There we go. >> There's a 1000 things demanding our attention all the time, and without solid processes and procedures, it's easy to miss something. And it's easy in the moment when you've got a big project that needs to launch to say that can wait until next week and then the next big project comes along and next week is here and it waits until the week after. Next thing you know, it's forgotten and you've got an old piece of architecture, infrastructure or security out there that just isn't being maintained anymore. >> Right. >> It's one of the reasons we created an environment that strives to do what we call continuous security validation. So even if you had the best security technologies in the world, it's indistinguishable from no security at all until a breach occurs, right? And so, continuous security validation allows us to look at live attacks that you're usually going to face, measure whether or not your security is deployed, is delivering all protections against them, and highlights there's a gap, simply because you're human. The best technology in the world isn't going to work if you're not managing it well. >> Right. So, are you creating kind of like a digital twin of the key components of my environment back in your lab? Or are you putting things in my system so that you can do this kind of continual monitoring? 
>> We create, effectively, a virtual remote office and then deploy your security controls and then we attack that remote office for you. And measure whether or not your security controls are being effective and whether or not your people with those controls are able to respond effectively. >> So what's been the impact of public cloud? Of the rise of public cloud? Both obviously, for those applications that are sitting in the public cloud from the Enterprise perspective, but now it's creating this kind of hybrid situation where they've still got stuff in the data center, they've got stuff in the public cloud, there's probably some stuff that's migrating in between, maybe it's tested to have in the public cloud and it gets deployed internally, or maybe they're trying to do a lift-and-shift out of the data center, so how has the rise of public cloud and with the hybrid cloud and multi-cloud environments impacted your guys' world? >> Oh, the biggest shift there, I think, is in the proliferation of what otherwise would have been well-controlled development environments into production environments. It's so easy to move what evolved in developing a technology into a production world without going in and paying attention whether or not all of the right elements are in play. So it used to be you developed it, then you moved it into QA and then from QA, it got moved into production. Now you go right from Dev to Production and QA kind of happens in the background. >> Right, right. And we talked in an earlier conversation, too, which is before then this security would be layered on after the test dev, once it was moving in production. Well, let's slap some security on it, but now it's got to be incorporated in from day one, so another huge opportunity, I guess, to miss that, as you roll that into production. >> It seems like nobody ever thinks about security first. It just isn't the function. 
No developer ever wakes up in the morning and thinks, I need to do security and then develop features. Their life is all around delivering the value that the customers are looking for and security prevents them creating the feature velocity they want to deliver. There's always a push-and-pull there to get the right balance and it's easy when you're not under sustained attack to believe that security isn't important. >> So how do people adjust kind of their thinking around security? Or is it just below the surface, or it's presumed? How does it become more of an ongoing part of the conversation and a feature that's always baked in during the development versus kind of an afterthought or, oh my gosh, my neighbor just got hacked or there's a big story in the Wall Street Journal? >> I think what we're seeing now in the evolution of software and development is the supply chain involved. It used to be you created systems from scratch and you built it from scratch and you had the opportunity to layer security in as you were going. You would find a weakness, you would design around it, you would overcome it. Now it's more of an assemblage of components to produce an outcome, and the security wasn't built in when the component was built, you've pretty much lost that opportunity and it's hard to go retrofit that. I think we're going to soon see the next phase where these components are start building security assumptions in up front, but it's going to be a long time, much like IoT where things are deployed forever, where we start seeing that supply chain evolve on its own and you can assemble secure software from the start. >> Yeah, it's amazing that it's still kind of an afterthought when these things are in the newspaper every day and it's almost an assumption maybe we're getting a little numb to the thing that you're going to be breached and you're going to have an issue and how do you react to it? How quickly can you find it? How do you limit the damage? 
Because it seems like everybody's getting breached every day. >> Especially, when you consider we have decades of technical data. There are companies that still run their businesses on mainframes that haven't been produced in 20 years. >> I didn't even think of that part of it. All right, last question before I let you go, Jason. Big, big week this week at RSA. What are you looking forward to? >> Ah, I'm looking forward to really the evolution of advanced end point technologies, the delivery of visibility to the enterprise, that can do new response actions based on new knowledge. I'm looking forward to the growth of automation. Automation as it relates to security elements, so we can reduce the human element. >> Jeff: Right. >> And the mistakes that are made. >> Yeah, 'cause we certainly need it, 'cause it is easy to make mistakes when you've got a 1000 little tasks, right? >> It is. >> All right, Jason. Well, thank you for taking a few minutes of your day and stopping by. >> Thanks for having me. >> All right. He's Jason, I'm Jeff. You're watching The Cube. We're at RSAC 2018 North America in San Francisco. Thanks for watching. (exciting music)

Published Date : Apr 18 2018


Tim Jefferson, Barracuda Networks | RSA North America 2018


 

(upbeat music) >> Announcer: From downtown San Francisco, it's theCUBE. Covering RSA North America 2018. >> Welcome back everybody, Jeff Frick here, with theCUBE. We're at RSA Conference 2018 in downtown San Francisco, 40,000 plus people, it's a really busy, busy, busy conference, talking about security, enterprise security and, of course, a big, new, and growing important theme is cloud and how does public cloud work within your security structure, and your ecosystem, and your system. So we're excited to have an expert in the field, who comes from that side. He's Tim Jefferson, he's a VP Public Cloud for Barracuda Networks. Tim, great to see you. >> Yeah, thanks for having me. >> Absolutely, so you worked for Amazon for a while, for AWS, so you've seen the security from that side. Now, you're at Barracuda, and you guys are introducing an interesting concept of public cloud firewall. What does that mean exactly? >> Yeah, I think from my time at AWS, one of my roles was working with all the global ISVs, to help them re-architect their solution portfolio for public cloud, so got some interesting insight into a lot of the friction that enterprise customers had moving their datacenter security architectures into public cloud. And the great biggest friction point tend to be around the architectures that firewalls are deploying. So they ended up creating, if you think about how a firewall is architected and created, it's really designed around datacenters and tightly coupling all the traffic back into a centralized policy enforcement point that scales vertically. That ends up being a real anti-pattern in public cloud best practice, where you want to build loosely coupled architectures that scale elastically. 
So, just from feedback from customers, we've kind of re-architected our whole solution portfolio to embrace that, and not only that, but looking at all the native services that the public cloud IaaS platforms, you know, Amazon, Azure, and Google, provide, and integrating those solutions to give customers the benefit, all the security telemetry you can get out of the native fabric, combined with the compliance you get out of web application and next-generation firewall. >> So, it's interesting, James Hamilton, one of my favorite people at AWS, he used to have his Tuesday Nights with James Hamilton at every event, very cool. And what always impressed me every time James talked is just the massive scale that Amazon and the other public cloud vendors have at their disposal, whether it's for networking and running cables or security, et cetera. So, I mean, what is the best way for people to take advantage of that security, but then why is there still a hole, where there's a new opportunity for something like a cloud firewall? >> I think the biggest thing for customers to embrace is that there's way more security telemetry available in the APIs that the public cloud providers do than in the data plane. So most traditional network security architects consider network packets the single source of truth, and a lot of the security architecture's really built around instrumenting in visibility into the data plane so you can kind of crunch through that, but the reality is the management plane on AWS and Azure, GCP, offer tremendous amount of security telemetry. So it's really about learning what all those services are, how you can use the instrument controls, mine that telemetry out, and then combine it with control enforcement that the public cloud providers don't provide, so that kind of gives you the best of both worlds. 
>> It's interesting, a lot of times we'll hear about a breach and it'll be someone who's on Amazon or another public cloud provider, and then you see, well they just didn't have their settings in the right configuration, right? >> It's usually really kind of Security 101 things. But the reality is, just because it's a new sandbox, there's new rules, new services, you know, and engineers have to kind of, and the other interesting thing is that developers now own the infrastructures they're deploying on. So you don't have the traditional controls that maybe network security engineers or security professionals can build architectures to prevent that. A developer can inadvertently build an app, launch it, not really think about security vulnerabilities he put in, that's kind of what you see in the news. Those people kind of doing basic security misconfigurations that some of these tools can pick up programmatically. >> Now you guys just commissioned a survey about firewalls in the cloud. I wonder if you can share some of the high-level outcomes of that survey. What did you guys find? >> Yeah, it's similar to what we're chatting. It's just that, I think, you know, over 90% of enterprise customers acknowledge the fact that there's friction when they're deploying their datacenter security architectures, specifically network security tools, just because of the architectural friction and the fact that, it's really interesting, you know, a lot of those are really built because everything's tightly coupled into them, but in the public cloud, a lot of your policy enforcement comes from the native services. So, for instance, your segmentation policy, the route tables actually get put into the, when you're creating the networking environment. So the security tools, a network security tool, has to work in conjunction with those native services in order to build architectures that are truly compliant. >> So is firewall even the right name anymore? 
Should it have a different name, because really, we always think, all right, firewall was like a wall. And now it's really more like this layered risk management approach. >> There's definitely a belief, you know, among especially the cloud security evangelists, to make sure people don't think in terms of perimeter. You don't want to architect in something that's brittle in something that's meant to be truly elastic. I think there's kind of two, you know the word firewall is expanding, right, so more and more customers are now embracing web application firewalls because the applications are developing are port 80 or 443, they're public-facing web apps, and those have a unique set of protections into them. And then next-generation firewalls still provide ingress/egress policy management that the native platforms don't offer, so they're important tools for customers to use for compliance and policy enforcement. The key is just getting customers to understand thinking through specifically which controls they're trying to implement and then architect the solutions to embrace the public cloud they're playing in. So, if they're in Azure, they need to think about making sure the tools they're choosing are architected specifically for the Azure environment. If they're using AWS, the same sort of thing. Both those companies have programs where they highlight the vendors that have well-architected their solutions for those environments. So Barracuda has, you know, two security competencies, there's Amazon Web Services. We are the first security vendor for Azure, so we were their Partner of the Year. So the key is just diving in, and there's no silver bullet, just re-architecting the solutions to embrace the platforms you're deploying on. >> What's the biggest surprise to the security people at the company when they start to deploy stuff on a public cloud? There's obviously things they think about, but what do they usually get caught by surprise? 
>> I think it's just the depth and breadth of the services. There's just so many of them. And they overlap a little bit. And the other key thing is, especially for network security professionals, a lot of the tools are made for software developers. And they have APIs and their tooling is really built around software development tools, so if you're not a software developer, it can be pretty intimidating to understand how to architect in the controls and especially to leverage all these native services which all tie together. So it's just bridging those two worlds, you know, software development and network security teams, and figuring out a way for them to collaborate and work together. And our advice to customers have been, we've seen comical stories for those battles between the two. Those are always fun to talk about, but I think the best practice is around getting, instead of security teams saying no, I think everybody's trying to get culturally around how do I say yes. Now the burden can be back to the software development teams. The security teams can say, here's the list of controls that I need you to cover in order for this app to go live. You know, HIPAA or PCI, here are these compliance controls. You guys chose which tools and automation frameworks work as part of your CI/CD pipeline or your development pipeline, and then I'll join your sprints and you guys can show incrementally how we're making progress to those compliance. >> And how early do they interject that data in kind of a pilot program that's on its way to a new production app? How early do the devs need to start baking that in? >> I think it has to be from day zero, because as you embrace and think through the service, and the native services you're going to use, depending on which cloud provider, each one of those has an ecosystem of other native services that can be plugged in and they all have overlapping security value, so it's kind of thinking through your security strategy. 
And then you can be washed away by all the services, and what they can and can't do, but if you just start from the beginning, like what policies or compliance frameworks, what's our risk management posture, and then architect back from that. You know, start from the end in mind and then work back, say hey, what's the best tool or services I can instrument in. And then, it may be, starting with less cloudy tools, you know, just because you can instrument in something you know, and then as you build up more expertise, depending on which cloud platform you're on, you can sort of instrument in the native services that you get more comfortable with then. So it's kind of a journey. >> You got to start from the beginning. Bake it in from the zero >> Got to be from the zero. >> It's not a build-on anymore. All right Tim, last question. What are we looking forward to at RSA this week? >> I'm very cloud-biased, you know, so I'm always looking at the latest startups and how creative people are about rethinking how to deploy security controls and just kind of the story and the pulse around the friction with public cloud security and seeing that evolve. >> All right, well I'm sure there'll be lots of it. It never fails to fascinate me, the way that this valley keeps evolving and evolving and evolving. Whatever the next big opportunity is. All right, he's Tim Jefferson, I'm Jeff Frick, thanks for stopping by. You're watching theCUBE. We're at RSAC 2018 in San Francisco. Thanks for watching. (upbeat techno music)

Published Date : Apr 18 2018


Dave Frampton, SumoLogic | RSA North America 2018


 

>> Narrator: From downtown San Francisco, it's theCUBE, covering RSA North America 2018. >> And welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA Conference in San Francisco, it's 40 thousand plus people talking security, really one of the biggest conferences in San Francisco, and security continues to be an ever increasing and important topic, and more and more complex and complicated and multifaceted. We're excited to have really an innovator who just recently sold his company to Sumo Logic, he's Dave Frampton, VP of security solutions now at Sumo Logic. Dave, great to see you. >> Dave: Good to be here. >> So you guys were relatively a relatively small team working on a very specific piece of this giant pie. So, tell us a little bit about what you're doing and what attracted Sumo Logic to you. >> FactorChain, acquired by Sumo Logic in Q4 of last year was focused on building an investigation platform to really help security analysts very quickly and completely identify, for an individual threat or alert of which they get an avalanche every day, what happened, where did it spread, and then what should be done about it, more importantly. >> It's funny 'cause we talk often, at all these conferences, right, everybody in the keynote will talk about it, "six months before you know you've been breached", or two years, or whatever the average, it changes all the time. But nobody ever really talks about once you've figured it out, then what? So that's really what you guys are about, the "then what?" So what are some of the things that people do wrongly, and what are some of the immediate triage and best practices that people should be aware of if they're not already? >> It's a great question, there's really a difficult work flow that exists when you start digging into one of these indicators of compromise or alerts, typically an analyst is trying to connect the dots across huge numbers of systems and huge data sets. 
They may have to go to five to ten different systems, run queries which take a long time to run and then take a long time to interpret, kind of stitch together the clues across all of them, and this process can often take 30 minutes, an hour, or even two hours against an inflow rate of hundreds of these per day. So there's sort of this expanding backlog of uninvestigated urgent threats. In many cases, people only get to about 10% of the most urgent threats or alerts that come in to their security operation center, or SOC. And FactorChain's innovation was to develop some new techniques to help human analysts quickly connect the dots across these huge data sets. Integrate a lot of those different systems, so you can go to one place, see huge, deep connections between data sets, and then kind of put it all together in a very concise work flow that helps you get through this process just a lot faster, a lot more skilled. >> So are you identifying patterns of past behavior, 'cause you have a database of how these things work, are you looking for consistency of behavior within one system in others, I mean, what are some of the, obviously you're not going to tell us your secret sauce, but what are some of the tricks and tips that enable you to speed up that process? It's scary to hear that they have hundreds of high priority that they can't get to. >> There's two main components of trying to accelerate this whole work flow. The first one is trying to help analysts very quickly get insight into how variables change in an environment. This investigation process is little bit like a game of whack-a-mole, you're following a particular user or particular machine, but then the name will change, and then there'll be another variable introduced but it will change four times, and you're left to try to figure out which one of these changes map to the original. This process just repeats over and over again. 
So part of our insight was to try to figure out how to chain, hence the name FactorChain, all of these variable changes together in a very, very concise way, so you can help the analyst find the right path through the data and ignore all the false trails, get back on the trail when they lose the trail. So it's really sort of a data navigation and insight, sort of the key core of FactorChain's innovation. >> So a big factor, shouldn't use that word again, but we'll use it again, factor happening today in the industry is everything going to cloud, right? A huge percentage of business going to cloud. AWS is up to 20 billion dollar run rate and Sumo is a big partner, and Microsoft and Google are trying to catch up from behind, and IBM's got a cloud. So cloud's a big thing and there's more and more cloud. Also, we're in this API economy now, so whether I want to use public data sets and inject those into my processes, or I've got partners that I'm, I'm connecting all these things via API's and I still have my on-prem stuff, or the stuff that just can't go to cloud or legacy for whatever reason. So the environment is becoming way more complex, the number of third party people that you're playing nice with is becoming much, much larger, and a lot of these connections are completely automated, right, when you look at ad tech and some of the financial trading systems. So how does that increasing complexity play into what you guys are doing? >> The migration to the cloud is putting enormous disruptive pressure on some of these traditional security processes. You think about, the old world involved a security operations center and a small team of analysts just going through this list of alerts that were sent in by their infrastructure. The cloud really challenges that in two fundamental ways. I think one of them you hit really well in your description of it, which is just the sheer surface area of possible attack has increased so dramatically. 
You hit all the key points, there's automated processes, there's a lot of customer facing and production security that didn't exist in the old worlds, so you have so many more ways for the attackers to get in. But importantly, there are new sources of information which are critical to actually orchestrating the defense, to figuring out what to pay attention to and how to pay attention to it. Application layer information is much more relevant in a cloud context. And you have a lot of the infrastructures being standardized underneath, but a lot of the interesting insight might be from the application. Is this a customer or is it a partner? Is it a sensitive piece of information or application, or not? There's all sorts of context which needs to be brought in to the forensic process to help the investigators really get to the bottom of what happened and where did it spread. There's also a need to collaborate across security and other functions in IT in a much more seamless, horizontal way. A typical example would be an analyst in the SOC might understand an awful lot about security forensics but may not really understand some of this application context or even how to interpret some of the application logs at all. So you really need a horizontal collaboration involving IT operations, you hear a lot about DevOps and sort of DevSecOps, you need a much more collaborative work flow, not just a common data set, which I think everybody recognized a few years back, but also common analytics and a common work flow, common tooling that they can collaborate in the same system on the same investigation. And so those are the ways in which the traditional security industry and the boundaries around its processes and its tools are really being challenged and disrupted by the migration to the cloud, and at Sumo Logic, this is sort of at the center of where we live. 
We live in a world where people are rapidly migrating to the cloud, looking for monitoring and troubleshooting and security analytics, functionality. As they do that, looking at modern applications and how their architectures are changing and what implications that has for security. So we have our sights squarely set on sort of creating that new model for that new cloud-oriented environment. >> Right, and then how much do you work with other applications, which I guess in the past may have been thought of as competitive, but when you're in an environment with all these integrated systems at a customer, and there's probably tremendous benefit to sharing some level of information in terms of the signature of threats and when threats are coming in. I'm sure there's ton of great data that, if shared across people on the good side of the fence, will probably be to the benefit of all. So has that been changing, is that evolving, how do you see kind of working with other apps within, let's just pick the AWS cloud for example, within a particular customer, whether it's AWS directly or other partners in the ecosystem? >> Right, well first, you hit it, I mean, this function of security operations has to be agnostic, right? You have to be open to ingesting context from whichever system and whichever vendor and whatever source it might come from. And so these ecosystems are really important, and integration so that you can quickly, not only take in information from third parties, but then quickly get trending and visualization and really bring insight to that data. And so to that end, Sumo Logic's a leader in the AWS ecosystem, we've been built from the ground up on AWS, and we have rich partnerships with the vast majority of the ecosystem of tools that surround the AWS environment. 
So we can bring that in and very quickly deliver insight, make correlations, figure out what you need to pay attention to, and then do this investigation work flow that we were talking about earlier. >> Alright, crazy times. So, 40 thousand people here, what are you looking forward to for the next couple of days here at RSAC? >> I think a couple of things. One is, I think everyone is focused, right now, on the upcoming deadline for GDPR, and sort of data protection, data privacy, how do we identify within our data what might be subject to some of these regulations and new compliance requirements, and then how many of those overlap. Though the best of intentions, it creates some dilemmas about how to approach problems, such as for example, right to be forgotten. And I think seeing the community come together and sort of in a live venue, which is really what the show is all about, and kind of discuss and debate those issues, I think that's one. Two is the center of what we've been talking about, is the impact of modern application architectures and cloud on some of these old, traditional security practices and models. And that's why we have a bigger presence this year at the show, because we think that's something that is going to change the way things have been done in the security industry, and we want to be a part of that conversation and obviously giving previews of our upcoming products that address some of those problems. Looking forward to a good week. >> Should be good of a week for you, be busy. >> Dave: Absolutely. >> Thanks for taking a few minutes, and again congratulations on the acquisition with Sumo, great marriage I'm sure, and look forward to following the story. >> Thanks so much. >> Alright, he's Dave Frampton, I'm Jeff Frick. You're watching theCUBE from RSAC 2018 San Francisco. Thanks for watching.

Published Date : Apr 18 2018


Edna Conway, Cisco | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE covering RSA North America 2018. >> Hey welcome back everybody, Jeff Frick here with theCUBE. We're in San Francisco at RSA conference 2018, as 40,000 plus professionals talking about security. It's quickly becoming one of the biggest conferences that we have in San Francisco right up there with Oracle OpenWorld and Salesforce.com, pretty amazing show and we're excited to get some of the insight with some of the experts that are here for the event and all the way from the East Coast, from New Hampshire Edna Conway's joining us, she's a chief security officer, global value chain for Cisco, Edna great to see you. >> Oh I'm delighted to be here Jeff, thank you. >> Absolutely so we're glad to get you out of the 21 degree weather that you said was cold and sleety when you departed. >> Cold and sleety, spring in New Hampshire, although it's not much nicer here in San Francisco. >> No, it's a little dodgy today. Well anyway let's jump into it. So you're all about value chain. What exactly when you think about value chain, explain to the people, what are you thinking? >> You know that's a great question because we define the value chain as the end to end life cycle for any solution. So it could be hardware, it could be software, it could be a service, whether it's a service afforded by a person, or a service afforded by the cloud. >> Now it's interesting because the number of components in a solution value chain just continue to grow over time as we have the API economy, and clouds, and all these things are interconnected so I would imagine that the complexity of managing and then by relation securing that value chain must be getting harder and harder over time as we continue to add all these, kind of API components to the solution. Is that what you see in the field? 
>> I think there's a challenge there without a doubt, but sometimes that interconnection actually gives you a hook in right, and so what we've been thinking about for years now is, is there a way to actually define a simple high level architecture that can be flexible and elastic with some rigidity that allows you to identify what your core goals are, and then allows those third party ecosystem members to join you in the effort to achieve those goals in a way that works for their business. >> Right and then how does open source play in that? Because that's also an increasing component of the value chain, is that integrated into more and more either just overtly, or you're implementing an open source solution or you've got all these people that are kind of open source plus and what they're building and delivering to the market. >> Yeah open source is a great challenge without a doubt. I think the way in which to deal with open source is to understand where you're getting it from, just like all third party ecosystem members. Who are they? What are they doing for you? And more precisely how are you going to utilize them and take a risk based approach to where you're embedding them. >> Right. >> Right. Not all things are created equally. And so your worry needs to be different depending on the utilization. >> Right. The risk based approach is a great comment because security in a way to me is kind of like insurance, you can't be ultimately secure unless you just lock the doors and sit in there by yourself. So it's always kind of this risk trade off, benefit versus trade off, and really a financial decision as to how much do you want to invest in that next unit of security relative to the return. So when you're thinking about it from a risk modeling basis versus just, you know, we're putting up the moat and nobody's coming in, which we know doesn't work anymore. 
What are some of the factors to think about so that you're achieving the right level of success at the right investment? >> I think there are a number of things to think about, and the primary one I would say is, look at what I believe is the currency of the digital economy which is trust. And in order to build trust what you need to do is understand the risks that you're taking. And those risks need to be measured in the language of business. So all of a sudden, it becomes really clear when you know what someone is doing for you, and you know how they're doing it, and the invasiveness of your inquiry and partnership with them actually needs to be adjusted, and all of a sudden you develop not only a baseline, but an opportunity to enhance your trust for, let's take an example. So Cisco's working with Intel, we're going to deploy Intel Threat Detection Technology, our first instantiation of that will be Tetration. Clearly they're a third party ecosystem member. >> Right, right. >> And they have been for some time. Now what we're thinking about is how does Intel go about deploying that capability? And not only that, but how are we going to utilize it? And our view is if you take CPU telemetry and you combine it with our edge as well as our network telemetry, you have a better solution down the road, better solution for alerts, better solution for quicker decisions for the inevitable. That risk based approach says we're embedding into and partnering at a core solution level. >> Right. >> That's a different area of inquiry than somebody, we were talking earlier and I said, you know, if you're a sheet metal provider on the external part of a chassis, great. >> Don't they love the diligence on that piece? >> Quality due diligence, but security limited, yeah? >> So but it's interesting because on one hand you're opening up kind of new kind of threat surfaces if you will, the more components that are in a solution from the more providers. 
On the positive side, now you're leveraging their security expertise within the components that they're bringing to the solution. So as most things in life right, it's really kind of two sides of the same coin, opening up more threats, but leveraging another group of resources who have an expertise within that piece of the value chain. >> Absolutely. Look, none of us make something from nothing, you know, the reality is we're relying more and more on the digital economy on those third parties. So understanding precisely how they're doing something is important, but we also have to be respectful of one another's intellectual property. And that is a unique wrinkle in a day and age of integration that we haven't seen previously. The other thing I think that's really important is we're seeing a wonderful, I think explosion of IoT, there's a downside obviously, the question is have folks deployed their IoT in a way that included the security community. You should have security at the table, but what IoT does is give you edge visibility that you've never had before. So I see it as a positive, but it needs to be informed by things like AI, it needs to be informed by things like machine learning, and they need to be gates within at the end of the day where the information is managed, which is at the network. >> Right, cause again it's just another entry point in as well, so good thing, bad thing. I want to circle back on kind of the boardroom discussion that we talked about a little bit earlier. Everyone's talking about securities and board conversation, clouds and board conversation, a lot of these big, kind of IT transformational things that are happening are now being elevated to the board cause everybody's a digital company and everybody's a digital business. 
When you want to talk to the board, and how should people talk to the board about security vis a vis kind of this risk analysis versus just a pure, you know, we're secure, or we're not secure, and I'm sure every CEO and board is worried for that announcement to come out in the paper that they were breached some time ago. And you almost think it's inevitable at some point in time, so what does the board discussion look like? How's the board decision changing as security gets elevated beyond kind of the basics? >> So let me answer that in the context of value chain security. >> Absolutely. >> I think we need to get to the point where security speaks the language of business. We need to walk into the board and say we have an architecture, we are deploying measures to achieve the architecture at a certain level of compliance and goal setting across the ecosystem on a risk based approach. Fabulous words, I'm a board member. What does that mean to me? >> Help me, help me, gimme a number. Exactly, well, and the number comes out of tolerance levels. So if you have this architecture and you have goals set we have 11 domains, we set goals flexibly based on the nature of the third party and what they do for us. Now we have a tolerance level and guess what you can report? I'm at tolerance, I'm above tolerance, I'm below tolerance. And if you start to model through a variety of techniques, there are a number of standards out there and processes some folks have written about them, where you can translate that risk of tolerance into dollars if you're in the US or currency of your choice and the reality is you're walking in and saying at tolerance means this degree of risk, below tolerance means I've reduced my risk to this. It might afford you an opportunity to say hmmm, perhaps you can share some of that benefit with me to take the program to a new level. >> Right, right or in a different area. >> Above tolerance, higher degree of risk, what do we do about it? 
Now you're speaking the language of business. >> So that's pretty old school business right? I want to talk to you about something that's a little bit newer school which is blockchain. And you've used the word trust I don't know how many times in this interview, we'll check the transcript, but trust is a really important thing obviously, and some people have said that they view blockchain as trust as a service. I'm just curious to get your perspective as we hear more and more about blockchain, and big companies like IBM and a lot of companies are putting a bunch of resources behind it, where do you see blockchain fitting? What is Cisco's position or I don't know if they have a official position yet as blockchain now is introduced into this world of trust. >> So I think we're all looking at it, Cisco included, blockchain is an incredibly useful tool without a doubt. I'm not sure that blockchain's going to solve world hunger or world peace. >> Shoot. >> However, just as we said trust has elements of use artificial intelligence to inform your decisions, achieve a higher degree of trust, what you can have is a set of let's say, hashes, date and time stamps, as something passes through the network because remember, if the currency is trust the integrity of the data is the fuel that allows you to earn trust. And digital, digital ledger technology or blockchain is something that I think allows us to develop what I call a passport for the data. So we have a chain of custody, you know I'm an old homicide prosecutor from many, many, years ago chain of custody was important in the trial so too chain of custody of your data and your actions across the full spectrum of a life cycle add a degree of integrity we've never had the ability to do easily before. >> Interesting times. >> Alright Edna well thank you for spending some of your day with us, I'm sure you have a crazy, busy RSA planned out for the next couple days so thanks again. 
>> My pleasure, thank you so much for having me. >> Alright she's Edna Conway, I'm Jeff Frick. You're watching theCUBE from RSA Conference 2018 thanks for watching. (theme music)

Published Date : Apr 18 2018


Jason Porter, AT&T - RSA Conference 2017 - #RSAC #theCUBE


 

(upbeat music) >> Hey, welcome back, everybody. Jeff Frick here with The Cube. We're at the RSA Convention in downtown San Francisco. 40,000 people talking security, trying to keep you safe. Keep your car safe, your nest safe, microwave safe, refrigerator safe. >> Everything safe. >> Oh my gosh. Jason Porter, VP, Security Solutions from AT&T, welcome. >> Very good, thanks for having me, Jeff. >> So what are your impressions of the show? This is a crazy event. >> It is crazy, I mean look at all the people. It's the crowds, it's a lot of fun. The best part is just walking the hallways, getting to connect with friends and network and really create new solutions to help our customers. >> It seems to be a reoccurring theme. Everybody sees everybody who's involved in this space is here today. >> Absolutely, yeah, for the next couple of days it's just all in all the time. >> AT&T, obviously, big network, you guys are carrying all this crazy IP traffic that's got good stuff and bad stuff, a lot of fast-moving parts, a ton more data flying through the system. What's kind of your step-back view of what's going on and how are you guys addressing new challenges with 5G and IoT and an ever-increasing amount of data-flow through the network? >> Absolutely, so you're right, at AT&T, we see a ton of traffic. We see 130 petabytes of traffic every day across our network, so our threat-platform, we pull in five billion threat events every 10 minutes. So-- >> Wait, one more time. Five billion with a B? >> Five billion events every 10 minutes. >> Every 10 minutes. >> So, that's what our big data platform is analyzing with our data scientists and our math, so, lots of volume and activity going on. We have 200 million endpoints, all feeding that threat-platform as well. What are we seeing? We're seeing threats continuing to grow. Obviously, everybody here at this show knows it, but give you some concrete examples, we've seen a 4,000% increase in IoT vulnerability scanning. 
IoT is something as a community, as a group here, we definitely need to go solve and that's why we launched our IoT Security Alliance last week. We formed an alliance with some big names out there, like Palo Alto Networks and IBM and Trustonic and others that really, we all have a passion in going out and solving IoT security. It's the number one barrier or concern for adopting IoT. >> You touched on all kinds of stuff there. >> A whole ton of stuff, sorry. >> Let's go to the big data. >> Yeah. >> What's interesting about big data and I always tell kids, right? Every coin has two sides. >> Absolutely. >> The bad part is you've got that much more data to sort through, but the good news is you can use a lot of those same tools. Obviously, it's not a guy sitting with a pager waiting for a red light to go off. >> That's right. >> Analyzing that. How has the big data tools helped you guys to be able to see the threats faster, to react to them faster? >> Yeah. >> To really be more proactive? >> That's a great point, so cyber security is a zero percent unemployment field, right? >> People, you can't get enough people to come work in Cyber security who have the right talent. We had to really evolve. A few years ago, we had to make a big shift that we were not going to just put platforms and people watching screens, looking for blinking red lights, right? We made the shift to a big data threat platform that's basically doing the work of identifying the threats without the people, so we're able to analyze at machine-speed instead of people-speed, which allows us to, as I said, get through many more events. >> Right. >> Much more quickly and allows us to eliminate false-positives and keep our people working really at that, looking at those new threats, those things that we want the people analyzing. >> Right, so the next thing you talked about is IoT. >> Yep. >> My favorite part of Iot is autonomous vehicles just cause I live in Palo Alto. >> Absolutely. 
>> We see the Google Cars and they're coming soon, right? >> Absolutely. >> But, now you're talking about moving in a 3,000 pound vehicle. >> Yeah. >> Potentially, somebody takes control, so security's so important for IoT. The good news for you guys, 5G's got to be a big part of it. >> Absolutely. >> Not necessarily just for security, but enablement, so you guys are right the heart of IoT. >> Yeah, we are, we have one of the largest IoT deployments in the world. We have the most connected devices and so, what we see is really a need for a layered approach to security. You mentioned 5G, 5G's certainly a part of getting capacity to that, but when you moved to IoT with connected cars and things, you move beyond data harm to physical harm for people and so we've got to be able to up our game and so a layered approach, securing that device, us putting malware detection, but even threat and monitoring what's going on between the hardware and the operating system and the user and then segmenting, say, in a car, telematics from infotainment right? You want to really segment the telematics so that the controls of driving and stopping that car are separate from the infotainment, the internet traffic, the video watching for my kids. >> Right, Spotify, or whatever, right, right right. >> Absolutely and so we do that through SMS, private SMS user groups, private APNs, VPNs, those kinds of things and then of course, you want to build that castle around your data. Your control unit that's managing that car. Make sure you do full UTM threat capabilities. Throw everything you can at that. We've even got some specialized solutions that we've built with some three-letter agencies to really monitor that control point. >> Right, then the last thing you touched on is really partnership. >> Okay. >> And coopetition. >> Yep. >> And sharing which has to be done at a scale that it wasn't before-- >> Absolutely. 
>> To keep up with the bad guys because apparently, they're sharing all their stuff amongst each other all the time. >> Yeah, absolutely. >> And here we are, 40,000 people, it's an eco-system. How is that evolving in terms of kind of the way that you share data that maybe you wouldn't have wanted to share before for the benefit of the whole? >> Yeah, so, our threat platform, we built it with that in mind with sharing, so it's all, it's surrounded by an API layer, so that we can actually extract data for our customers. Our customers can give us their data. It's interesting, I thought they would want to pull data, but our biggest customers said, no, you know what? We want your data scientists and your math looking at our environment too, so they wanted to push data, but speaking about alliances overall, it's got to be a community as you said. And our IoT Security Alliance is a great example of that. We've got some big suppliers in there, like Palo Alto, but we also have IBM. IBM and AT&T are two of the largest managed security companies in the planet, so you would think competition, but we came together in this situation because we feel like IoT's one of those things we got to get right as a community. >> Right, right, all right, Jason. I'll give you the last words. >> Okay. >> 2017, we're just getting started, what are kind of your priorities for this year, what will we be talking about a year from now at RSA 2018? >> You're going to continue to hear more about attack types, different attack types, the expanding threats surface of IoT but I think you're going to continue to hear more about our critical infrastructure being targeted. You saw with the Dyn attack, you're starting to take out major pieces that are impacting people's lives and so you think about power grids and moving into some more critical infrastructure, I think that's going to be more and more the flavor of the day as you continue to progress through the year. 
>> All right, well hopefully you get good night's sleep. We want you working hard, we're all rooting for ya. >> Absolutely, we're all working on it >> All right, he's Jason Porter from AT&T. I'm Jeff Frick with The Cube. You're watching The Cube from RSA Conference San Francisco. Thanks for watching. (melodic music) (soothing beat)

Published Date : Feb 15 2017
