
Geoff Swaine, CrowdStrike | AWS re:Inforce 2022


>>Hi, everybody. We're wrapping up day two of AWS re:Inforce with theCUBE's continuous coverage. My business partner, John Furrier, and co-host is actually in Monaco, getting ready to do a big crypto show over there, so they'll be reporting from there tomorrow. Check that out on thecube.net. Geoff Swaine is here. He is the vice president of global programs, store and tech alliances at CrowdStrike. Geoff, thanks for coming on.
>>Thanks, David.
>>So tell us about your role. What's the store? Help us understand that.
>>Yeah, so CrowdStrike has the CrowdStrike Store, which is effectively our marketplace within our application, and also available externally, that allows customers to review, decide and trial products, not only from CrowdStrike, but also from our third-party partners. So wherever we have a tech alliance, a customer can come in, see the value of the integration, see how it works on our platform and the third party's platform, and then go and request a trial. So it's a very easy and dynamic way for a customer to understand the joint value proposition CrowdStrike has with various other vendors and our own products as well.
>>So your role is to bring all these cool tech companies together and create incremental value.
>>Yes. We believe that the ecosystem is really a natural evolution of what's happened in terms of the CrowdStrike story. If you think that we started out with a very simple product in the very early days, 10, 11 years ago, a services company built a product. That product then became a platform with various modules in it. The next evolution of that is expanding out beyond our own platform and working into other areas of interest and value. So that's where the ecosystem comes into play. So you have to underpin that with some automations, things like marketplaces and stores; you have to have integrations in place, joint applications and commercial vehicles to make that work.
>>So I was walking around the other day and it caught my eye, and I sat there and listened for the better part of the presentation. I had to get back and do theCUBE, but it was a presentation between a CrowdStrike expert and an Okta expert. Yep. You know, "better together" was the whole thing. And they were describing how you guys complement each other. So that would be an example.
>>A perfect example. I mean, we complement Okta and Okta complements us in various different ways. And in fact, we assemble that into different narratives that work well for our customers. So as an example with Okta, we work very well with them in zero trust. So we have a zero trust narrative that talks about how it works with Okta and also Zscaler. In fact, we have an alliance through the Cloud Security Alliance where we're working to build practitioner guides, build a community of value across the different products to bring zero trust into some standardized reference architectures and some standardized training that brings all of our products together for the user. That'd be an example of one of the narratives that we have. They'd also play in our XDR narrative. Obviously XDR helps us bring telemetry in from different products. And again, we use XDR right across various tech alliances.
>>So take zero trust. So you'll take the concept of least privilege. Yep. And you'll apply that to the endpoint, to identity, and using Zscaler you bring the cloud component.
>>Correct. So then we are actually able to see how someone's traversing the entire organization. We can see who they are. We can see where they land. We can see what data they're accessing, where they're accessing it. It gathers a whole bunch of different telemetry around that and provides the security team with the ability to see what someone's doing, enforce the access rights as and where they need to, see any anomalies or anomalous behavior within that, and close it down before anything bad happens. So zero trust is a really important part of our narratives.
>>And you have these plays or narratives with a bunch of ecosystem partners. Right? Correct. I mean, so take log management.
>>Yep.
>>Maybe add some context to that.
>>So around that, as you may know, we acquired Humio right around that time, where obviously we have to be able to ingest and have bridges out to a large variety of different platforms to be able to ship data into our platform. I mean, one of the values of Humio is its ability to massively scale, and very easily and cheaply bring a lot of data into a simple place and have very fast searching. Well, what are you searching? You've got to go and have data sources. So very quickly we've built out a large number of integrations with, I think, over 30 partners to easily bring data into the Humio platform to let customers have that advantage.
>>So what role does AWS play in all this?
>>AWS plays a fantastic role in both coordinating some of this, especially through the Marketplace, the ability to coordinate our transactions between us and help us work together from a transactional basis, help the customer procure the right solutions together. But also AWS's natural inclination towards innovation means that they like to work with partners, especially partners who are on their platform, to drive a lot of innovation, to build out how customers are bringing more data together. Obviously it's beneficial to them in terms of the volumes of data and compute that go across the AWS platform.
But also they encourage us to work together. They, in some cases, invest in those integrations. They work with programs. They bring in third-party reseller programs through CPO. So it gives us a platform, gives us innovation. It gives us some structure. It's been really exciting working with them.
>>Now talk about CrowdStrike and your cloud strategy. How would you describe your cloud strategy?
>>So we've been cloud native from day one. It's one of the founding principles of CrowdStrike, as we were set up by our founder: two elements, cloud native and a single agent, and those two design principles have not been broken by us at any point through our history. It's very important that we stick to those two principles. Our cloud was born in AWS, and they've been supportive of us right through our growth period. So we started out with one module, as I said; now we have, I think, 23 different modules, and we're continually growing that. We also then have a lot of support for the cloud, so helping us understand what's happening within cloud environments so that our customers are better protected. In fact, at the show here, we've announced two separate incremental products in the cloud space. One that's very much focused on adding better visibility inside containers in our CNAPP product, and another area around how we do our threat hunting across the cloud. So we have a team of threat hunters, global best engineers who hunt right across our customers' environments. We have a whole bunch of additional cloud telemetry. So that's been included into our OverWatch threat hunting.
>>So you'll ingest data from multiple clouds, right? You're running on AWS. Yes. But you can take data from anywhere, from...
>>Anywhere.
>>Including on-prem.
>>So our sensor sits on laptops, servers, virtual servers, devices, IoT devices, wherever they need to sit. And then it needs to be cloud connected. It comes into our cloud. So we can take information from instances in any cloud environment and any laptop to pretty much bring them in. And that's how it works, but it's a single cloud. I mean, our value proposition is that huge Threat Graph that we've built over the years, trillions and trillions of events per day, that we're now searching and using AI technologies to sort out what's good and what's bad.
>>Yeah. So CrowdStrike, obviously we've reported on CrowdStrike in Breaking Analysis a lot. CrowdStrike, Zscaler, Okta, a number of the other companies you're partnering with, all those guys, which is quite interesting. Yeah. You're all growing at really nice clips. I always wonder in these situations, okay, as things get bigger and bigger and growth slows, we haven't seen that. We actually saw cloud growth accelerating during the pandemic. Yeah. Right. But, you know, you see it all the time in this industry: as companies get big, they start doing M&A, they start getting into adjacencies, you know, Google, Apple, Cisco, VMware. Do you think you'll ever see a collision course with all these wonderful partners? Are we years away from that?
>>I think we're very careful with how we partner and who we partner with. Obviously we have discussions on what our future plans are to make sure that what we partner on is beneficial to both sides. CrowdStrike itself, we're growing all the time. You know, our platform has grown, as I said, the modules have grown, but in general, what we've found is that our partners are taking the journey with us. It's one of the advantages of the success that we've had: most of the partners want to be part of that journey rather than sort of trying to go head on. But, you know, there's always opportunities for us to have open conversations and real dialogue to make sure that we do the right thing for the customer. And that's what drives everything that we do. We're focused on the right products for the right customers.
>>What's re:Inforce like? What's the experience been? What are your takeaways from the show?
>>It's been a really excellent show for us in terms of getting out, meeting a lot of customers at a very decent senior level here. Actually, it's been very, very worthwhile. We've had a great response to the announcements that we've made. There's been a lot of activity through the booth, which is always great to see. And actually, from a partnership perspective, from my world, I've had a large number of really great meetings with the AWS leadership as well about what we can do together. And the future looks really bright.
>>When you think about, and I know you're not selling direct, but when you think about the constituencies, when you think about all the partners in your ecosystem that you're building and collaborating with, who do you guys collectively talk to? Who do you appeal to? Is it the CISO? Is it other security practitioners? Yeah. Is it the line of business? Is it the CIO, the architect? Who are the actors that you're sort of collaborating with on your customer side?
>>Yeah, it's really interesting, obviously, because there's different personas depending on what it is that we're doing. Someone who's really interested in our log management narrative, for example, is probably going to be maybe from the DevOps team or from that area. For CNAPP,
it's going to be someone in the cloud architecture, cloud security architecture space. Zero trust again will be someone who's got a bit of an identity area, and privacy to them as well. A lot of this comes up to the CISO, and often our economic buyer would be in that space. But one of the things we have to do as we go into adjacent markets is learn the personas there and understand their habits and their buying cycles, and build value propositions that work for those people. So it's an ongoing exercise.
>>How do you see the CISO role evolving, given, you know, cloud? One of my takeaways from this event is, I feel like cloud is becoming the first line of defense, the CISO and the developers becoming the second line of defense, and audit is like the third line of defense. Some people agree with that. Some people don't; Merritt Baer said, no, no, it's all integrated into one thing. And I'm like, no, it's not, but okay. Yeah. But how is the CISO role evolving given that the cloud is becoming so much more prominent today?
>>I think at this point everyone's said, you know, the CISO needs to evolve to being directly responsible to the board. This is something that we've all said for many years. Sure. If you look at what we see in the threat report, if you look at what we're seeing from the threat landscape, you know, the volume of threats that are coming through is not diminishing in any way, but in fact, the size and the impact of what they're doing is getting worse. So the risk that's being experienced is just getting worse all the time. However, we have different options for resolving that issue. You can go down a services-led path with an MDR player, like our Falcon Complete process, or you can go down with an MSP. So the CISO's role is now not just on what products and how to use them to best defend, but also what products, what services are available. What am I going to invest in, in my team, versus what am I going to push to a third party to look after for me? And we're seeing more and more companies, going up the enterprise stack, trusting us and our Falcon Complete team with parts of their defense portfolio. So I think that the CISO's role is developing all the time into something that's portfolio oriented. How am I getting value for service as well as value for money from products? It's a really interesting development in terms of what they have to deal with. You know, I still think that the visibility that you see from the endpoint is where the crown jewels are. It's still where the data is. And I think that's really why CrowdStrike is a unique proposition in that space. It's what we protect.
>>So when you say the endpoint is where the data is, paint a picture of that.
>>Well, if you think about it, if an actor is after personal information or IP, they're often going to be going down to the laptop or the virtual instance level to look for that. The weakest part, we've always said, is people, and the more open you are with that, the wider your audience there, the more risk you carry within that space. You know, we don't think endpoints are just laptops or phones; servers, compute instances inside the cloud, they're all endpoints to us. Workloads is a better word, in fact.
>>Those work... sorry, what's a better word?
>>Workloads.
>>Workloads.
>>Okay. Yeah. We often talk about workloads rather than...
>>Is it data store and...
>>Endpoint? Yeah. If it's compute or not, it's basically a workload where we can put a sensor.
>>How about a backup corpus, a backup corpus of data?
>>Well, I think if there's a place that we can put a sensor on it to see whether it's being active or not, and we can track the telemetry from it, we would consider that.
>>That sensor would be an agent. Yeah. An agent. Yeah. Okay. And so you said single agent.
>>We have one agent that runs all of our products. That's, again, one of the design principles and the basics of our company.
>>Because one of the things that we've seen, maybe tell me if you don't see this, is that a lot of times ransomware attackers will go after the backup corpus and disable it. Yeah. Because, you know, once you get that, you can't recover a hundred percent. Yeah. And they'll encrypt all the data on the network, and then they'll hold the backup corpus hostage.
>>This is one of the great advantages of how CrowdStrike and how our platform works. In fact, you know, a lot of other vendors talk in terms of known bad, known good, and indicators of compromise. Right. You know, I know this IP address has been compromised. I know that anything originating from here is bad. What CrowdStrike looks at is, we've built up a very, very substantial library of what we call indicators of attack. Indicators of attack are looking at the potential for attack, and whether that specific piece of telemetry in conjunction with others makes the attack more likely. So for example, if someone opens an email, we don't think that's necessarily a risk point, right?
But if someone opens an email and they click on an attachment, we think, well, maybe; that happens billions of times a day, so still not bad. But if that then spins up a process, and if that process then starts to enumerate hard drives and starts to look for backups, we're getting more suspicious all the time. And if they then cause an encryption routine, we can be pretty certain at that point that what we've got in play is a ransomware attack. By looking at the holistic attack, the whole process of it, and having that sort of fingerprint of what that may look like, and combining that with our knowledge of bad actors, our intelligence in the field, we've got a very good view on what may happen there. So exactly to your point, if we see someone going after backups as part of a wider process, that helps us identify that something bad is about to happen in terms of a ransomware attack, and allows us to take action against it, put in the appropriate containment or blocking.
>>And then explain... So, you know, when people hear agents, they're like, oh, another agent to manage. But I was talking to somebody the other day and they were saying, you know, we're gonna integrate with the CrowdStrike agent because it's so robust. Correct. And what we are doing, which is agentless, is good, it's lightweight, but we can't get the data. Yep. You know, so explain that. So there's a trade-off, right? I mean, you gotta manage an agent, right? But obviously it's working; your customers are adopting.
>>So it's an extremely lightweight agent. That's always been the premise for this. And I think when George founded the company, one of the things he noticed was how long it was taking for someone to get through a scan while they were trying to get an email out before a plane took off. And he said, you know, we can't have this. So he was looking at how do we make this as light as possible? And so that's been a principle for us right from day one. And you're right, third parties do want to leverage our agent because of its robustness. We look at pretty much everything that's happening as a telemetry event, from once power hits the CPU through till it drops out. So we've got very rich knowledge of what's happening on every single device or workload that's out there. And it's very usable for other people. As far as the customer's concerned, if a third party can use that information rather than have to deploy another agent, that's a huge win for the customer. I think we all know that proliferation of agents, that was the old way of doing things. You know, people would acquire products and try and bundle them together, and what they ended up with was multiple agents competing for resources on the system. By having one agent, well defined, well architected, what we have is a modern software architecture to solve modern problems.
>>Okay. So, last question. Yep. During the pandemic, we noticed that everything changed, obviously: work from home, remote work, and the implications on the CISO. Were these permanent changes? And we reported on this in Breaking Analysis and elsewhere: endpoint, you guys, CrowdStrike; identity, Okta got a boost; cloud security, Zscaler. Yep. You know, got a boost. Rethinking the network, network security became top of mind, and we said these are permanent changes, but they were rushed. Now, as we exit the isolation economy, what can we expect going forward?
>>I think, to your earlier point, the ability for us to work across all of those areas and work better. You know, everyone was very much concentrating on delivering their own product as best as they could, as quickly as they could, to meet the demands of the pandemic. Now we can go through a phase of making sure that we work really, really well together as different units to solve the customer problem. So trim some of the fat out of any integrations that we may have built quickly to solve a problem. Now we can focus on doing it really well. What we're seeing is a proliferation in our world of more applications in our store, so tighter integration inside our UI with our third-party products, and a lot of demand for that, so really the customer experience is as seamless as possible. We talk about frictionless; that's what we want to see. And the boost that the disruption got from the pandemic was a fantastic start of the innovation. Right now, we have the opportunity to bring everything together to really solve some excellent problems for customers and make the world a safer place.
>>Geoff, great summary. Thank you for coming on. I'm gonna give my quick take on this re:Inforce. I mean, I think very clearly AWS is enforcing the notion that security is job one for them, from the Nitro chip all the way up the stack, all the way through the culture. I mean, I think we heard that at this event. I think you heard some great announcements, a lot of the stuff around threat detection and automation and reasoning, which is great. I don't think you heard a lot on how AWS is making the CISO's life simpler. I think a lot of that goes to the ecosystem. Maybe, but the other thing is AWS is leaving a lot of room, a lot of meat on the bone, as we like to say sometimes, for the ecosystem.
>>Mm. You know, security is a good example. I mean, Microsoft makes a lot of money in security. AWS doesn't make a ton of money in security. It just sort of comes with it.
I think we're also seeing the changing role of the CISO. I think the cloud is becoming the first line of defense; CISO and developers the next line; audit is really the third line. And the developer role is becoming increasingly important and, frankly, sophisticated. They gotta worry about securing the containers. They gotta worry about the runtime. They have to worry about the platform as a service. And so developers need to team with the security operations team. So that's kind of my takeaway here. I think the event was good. It wasn't oversubscribed. I think people in Boston this time of year are at the beach, whereas last time, in 2019, it was June, and so you had a bigger attendance. But that's kind of my takeaway. Anything you'd add to that, Geoff?
>>I think the quality has been here. Yeah. Maybe not the quantity; the quality has certainly been here. I think there is a lot of innovation that's happening in the security industry. I think AWS has got some good products that they're helping deliver, but as you said, they're there to help us, support us and the other ISVs, to really come together and build a best-of-breed overall solution that helps our customers and solves some of that complexity that you're seeing, and some of that uncertainty you're seeing as to who has to solve what problem in the stack. Yeah.
>>Well, thanks for that. Thanks for helping me wrap up here. The security space remains one that's highly fragmented, highly complex. Lack of talent is the problem that most organizations have. Lena Smart of MongoDB doesn't have that problem, nor does AWS, I guess, because they're AWS and Mongo. But that's a wrap here from day two of theCUBE. Go to thecube.net; you'll see all these videos. youtube.com/siliconangle, if you want the YouTube link. Yeah. You can go there. siliconangle.com is where we publish all the news of the day. wikibon.com for the research. This is Dave Vellante. Look for John Furrier from Monaco at the crypto event all this week. And we will see you next time. Thanks for watching.

Published Date : Jul 28 2022



Steve Mullaney, Aviatrix | AWS re:Inforce 2022


>>We're back in Boston, the Cube's coverage of AWS re:Inforce 2022. My name is Dave Vellante. Steve Mullaney is here as the CEO of Aviatrix, longtime Cube alum, sort of collaborator on super cloud. Yeah. Uh, which we have an event, uh, August 9th, which you guys are participating in. So, um, thank you for that. And, yep. Welcome to the Cube.
>>Yeah. Thank you, so great to be here as
>>Always back in Boston. Yeah. I'd say good show. Not, not like blow me away. We were AWS, um, Summit in New York City three weeks ago. I
>>Took, heard it took three hours to get in
>>Out of control. I heard, well, there were some people two, I, maybe three <laugh>, but there was, they expected like maybe nine, 10,000, 19,000 showed up. Now it's a free event. Yeah. 19,000 people.
>>Oh, I didn't know it
>>Was that many. It was unbelievable. I mean, it was packed. Yeah. You know, so it's a little light here and I think it's cuz you know, everybody's down the Cape,
>>There are down the Cape, Rhode Island, that's after the Fourth. The thing is that we were talking about this. The quality of people are pretty good though. Yeah. Right. This is, there's no looky-loos, it's everybody that's doing stuff in cloud. They're moving in. This is no longer, Hey, what's this thing called cloud. Right. I remember three, four years ago at AWS, you'd get a lot of that, that kind of stuff. Some of the Summit meetings and things like that. Now it's, we're in full-on deployment mode even
>>Here in 2019, the conversation was like, so there's this shared responsibility model and we may have to make sure you understand. I mean, nobody's questioning that today. Yeah. It's more really hardcore best practices and, you know, how to apply tools. Yeah. You know, dos and don'ts, and so it's a much more sophisticated narrative, I think. Yeah.
>>Well, I mean, that's one of the things that Aviatrix does is our whole thing is architecturally. I would say, where does network security belong in the network? It shouldn't be a bolt-on. It shouldn't be something that you add on. It should be something that actually gets integrated into the fabric of the network. So you shouldn't be able to point to network security. It's like, can you point to the network? It's everywhere. Point to air, it's everywhere. Network security should be integrated in the fabric and that wasn't done on-prem. That way you steered traffic to this thing called a firewall. But in the cloud, that's not the right architectural way. It, it's a choke point. Uh, operationally adds tremendous amount of complexity, which is the whole reason we're going to cloud in the first place is for that agility and the ability to operationally swipe the card and get our developers running. To put in these choke points is completely the wrong architecture. So conversations we're having with customers is integrate that security into the fabric of the network. And you get rid of all those, all those operational
>>Issues. So explain that, how you're not a, a checkpoint, but if you funnel everything into one sort of place
>>In the, so we are a networking company, uh, it is uh, cloud networking company. So we, we were born in the cloud, cloud native. We, we are not some on-prem networking solution that was jammed in the cloud, uh, wrapped
>>In stack wrapped
>>In, you know, or like that. No, no, no. And looking for wires, right? That's VM series from Palo. It doesn't even know it's in the cloud. Right. It's looking for wires. Um, and of course multicloud, cuz you know, Larry E said now, could you believe that, on stage with Satya Nadella talking about multi-cloud, now you really know we've crossed over to this is a, this is a thing, whoever would've thought you'd see that. But anyway, so we're networking. We're cloud networking, of course it's multi-cloud networking and we're gonna integrate these intelligent services into the fabric. And one of those is, is networking. So what happens is you should do security everywhere. So the place to do it is at every single point in the network that you can make a decision and you embed it and actually embed it into the network. So it's that when you're making a decision of does that traffic need to go somewhere or not, you're doing a little bit of security everywhere. And so what, it looks like a giant firewall effectively, but it's actually distributed in software through every single point in a network.
>>Can I call it a mesh?
>>It's kind of a mesh you can think of. Yeah, it's a fabric.
>>Okay. It's
>>A, it's a fabric that these advanced services, including security, are integrated into that fabric.
>>So you've been in networking much of
>>Your career career,
>>37 years. All your career. Right? So yay. Cisco, Palo Alto, Nicira, probably missing one or two, but so what do you do with all, Blue Coat? Blue Coat? What do you do with all that stuff? That's out there that
>>Symantec.
>>Yes. <laugh> keep going.
>>Yeah, I think that's it. That's
>>All I got. Okay. So what do you do with all that stuff? That's, that's out there, you rip and replace it. You,
>>So in the cloud, you mean? Yeah.
>>All this infrastructure that's out there. What is that? Well, you
>>Don't have it in the right. And so right now what's happening is people, look, you can't change too many things. If you're a human, you know, they always tell you don't change a job, get married and have a kid or something all in the same year. Like they just, just do one of 'em cuz it's too much. When people move to the cloud, what they do is they tend to take what they do on-prem and they say, look, I'm gonna change one thing. We're gonna go to the cloud, everything else I'm gonna keep the same. Cuz I don't wanna change three things. So they kind of lift and shift their same mentality. They take their firewalls, their next gen fire, I want them, they take all the things that they currently do. And they say, I'm gonna try to do that in the cloud. It's not really the right way to do it. But sometimes for people that are on-prem people, that's the way to get started and I'll screw it up and not screw it up and, and not change too many things. And look, I'm just used to that. And, and then I'll, then I'll go to change things, to be more cloud native, then I'll realize I can get rid of this and get rid of that and do that. But, but that's where people are. The first thing is bring these things over. We help them do that, right? From a networking perspective, I'll make it easier to bring your old security stuff in. But in parallel to that, we start adding things into the fabric and what's gonna happen is eventually we start adding all these things and things that you can't do separately. We start doing anomaly detection. We start doing behavioral analysis. Why? Because the entire network, we are the data plane. We see everything. And so we can start doing things that a standalone device can't do because not all the traffic is steered to them. It can only control what's steered to you. And then eventually what's happening is people look at that device. And then they look at us and then they look at the device and they look at us and they go, why do I have both of this? And we go, I don't know.
>>You don't need it.
>>Well, can I get rid of that other thing? That's a tool.
>>Sure. And there's not a trade-off. There's not a trade-off. You
>>Don't have to. No. Now people do belts and suspenders. Yeah. Cause it's just, who has, who has enough? Who has too much security, buddy? They're gonna, they're gonna do belt and suspenders. You know, anything they can do. But eventually what will happen is they'll look at what we do and they'll go, that's good enough. That happened to me. When I was at Palo Alto Networks, we inserted as a firewall. They kept their existing firewall. They had all these other devices and eventually all those went away and you just had a NextGen
>>Firewall, just through attrition,
>>Through attrition. You're like, you're looking, you go, well, that platform is doing all these functions. Same thing's gonna happen to us. The platform of networking's gonna do all your network security devices. So any tool or agent or external, you know, device that you have to steer traffic to is gonna go away. You're not gonna need it.
>>And, and you're talking multi-cloud obviously,
>>And then don't wanna do the same thing. Whether, man, Azure, you know, the same.
>>Yeah.
>>Same, same experie architecture, same experience, same set of services. True multi-cloud native. Like you, that's what you want. And oh, by the way, skill gap, skill shortage is a real thing. And it's getting worse. Cause now with the recession, you think you're gonna be able to add more people? Nope. You're gonna have less people. How do I do this in a multicloud world with security and all this kind of stuff? You have to put the intelligence in the software, not on your people. Right?
>>So speaking of recession. Yep. As a CEO of a well funded company that's got some momentum, how are you approaching it? Do you have like, did you bring in the wartime consigliere? I mean, you've been through, you know, downturns before. This is, you are, you
>>I'm on wartime already.
>>Okay. So yeah. Tell me more about how you, you're kind of approaching this
>>So recession, down. So didn't change what we were doing one bit, because I run it that way from the very beginning. So I've been around 30 years, that's
>>Told me he, he's like me. You know what he said?
>>Yeah. Or maybe
>>I'm like, I want be D cuz he said, you know, people talk about, you know, only do things that are absolutely necessary during times like this. I always do things that are only,
>>That's all I
>>Do necessary. Why would you ever do things that aren't necessary?
>><laugh> you'd be surprised. Most companies don't. Yeah. Uh, recession's very good for people like Snowflake and for us because we run that way anyway. Mm-hmm <affirmative> um, I, I constantly make decisions that we have to go and dip, there's people that aren't right for the business. I move 'em out. Like I don't wait for some like Sequoia stupid rest in peace, the world's ending, fire all your people. That has no impact on me because I already operated that way. So we, we kind of operate that way and we are, we are like Satya Nadella even came out and kind of said, I don't wanna say cloud is recession proof, but it kind of is, is we are so look, our top customer spends 5 million a year. Nothing. We haven't even started yet. David, that's minuscule. We're not macro. We're micro. 5 million a year for these big enterprises is nothing, right. Satya Nadella is now starting to count people who do billion dollar agreements with him, billion over a period of number of years. Like that's the, the scale we have not even
>>Gun billion dollar
>>Agreements. We haven't even under begun to understand the scope of what's happening in the cloud. Right. And so yeah, the recession's happening. I don't know. I guess it's impacting somebody. It's not impacting me. It's actually accelerating things because it's a flight to quality and customers go and say, I can't get gear on on-prem anyway, cuz of the, uh, shortage, you know, the, uh, uh, get chips. Um, and that's not the right thing. So guess what the recession says, I'm gonna stop spending more money there and I'm gonna put it into the cloud.
>>All right. So you opened up Pandora's box, man. I wanna ask you about your sort of management philosophy. When you come into a company to take, to go lead a company like that. Yeah. How, what, what's your approach to assess the team? Who do you, who do you decide? How do you decide who to keep on the bus? Who to throw off the bus, put in the right seats. So how long does that take you?
>>Doesn't take long. When I joined, we were 30, 30, 8 people. We're now 525. Um, and my view on everything and I, I've never met Frank Slootman, but I guarantee you, he has the same philosophy. You have a one year contract, me included. Next year, the board might come to me and say, you were the right CEO for this year. You're not next year. Ben Horowitz taught me that it's a one year contract. There's no multi-year contract. So everybody in the company, including the CEO, has a one year
>>Contract. So you would say that to the board. Hey, if you can find somebody better,
>>If, and, and you know what, I'll be the first one to pull myself, fire myself and say, we're, we're replacing me with somebody better. Right now there isn't anybody better. So it's me. So, okay, next year maybe there's somebody better. Or we hit a certain point where I'm not the right guy. I'll, I'll, I'll pull myself out as the CEO, but also internally the same thing, just because you're the right guy this year. And we hire people for the, what you need to do this year. We're not gonna, we don't hire, oh, like this is the mistake a lot of companies make, well, we wanna be a billion dollars in sales. So we're gonna go hire some loser from HPE who's worked at a company for a billion dollars. And by the way, has no idea how they became a billion dollars, right, in revenue or billions of dollars. But we're gonna go hire 'em because they must know more than we do. And what every single time you bring them in, what you realize, they're idiots. They have no idea how we got to that. And so you, you don't pre-hire for where you want to be. You hire for where you are that year. And then if it's not right, and then if it's not right, you'd be really nice to them. Have great severance packages, be, be respectful for people and be honest with them. I guarantee you Frank Slootman's not, if you're not, just had this conversation with a sales guy before I came into here, very straight conversation, Northeast hockey player mentality. We're straight. If you're not working out or I don't think you're doing things right, you're gonna know. And so it's a one year, it's a one year contract. That's what you do. So you don't have time. You don't have the luxury of
>>Time. So, so that's probably the hardest part of, of any leadership job is, and people don't like confrontation. They like to put it off, but you don't run away from it. It's
>>All in a confrontation, right? That's what relationships have built. Why do war buddies hang out with each other? Cuz they've gone through hell, right? It's in the confrontation. And it's, it's actually with customers too, right? If there's an issue, you don't run from it. You actually bring it up in a very straightforward manner and say, Hey, we got a problem, right? They respect you. You respect them, blah, blah, blah. And then you come out of it and go, you know, you have to fight like, look, with your wife. You have to fight. If you don't fight, it's not a relationship. You've gotta see in that, in that tension is where the relationship's
>>Built. See, I should go home and have a fight tonight. You gotta have a fight with your wife. <laugh> you know, you mentioned Satya Nadella and Larry Ellison. Interesting point. I wanna come back to that. What Oracle did is actually pretty interesting, do we? For their use case? Yeah. You know, it's not your thing. It's like low latency database across clouds. Yeah. Who would ever thought that? But
>>We love it. We love it because it drives multi-cloud, it drives. Um, and, and, and I actually think we're gonna have multi-cloud applications that are gonna start happening. Um, right now you don't, you have developers that, that, that kind of will use one cloud. But as we start developing and you call it the super cloud, right. When that starts really happening, the infrastructure's gonna allow that. Networking and network security is that bottom layer that Aviatrix helps. Once that gets all handled, the app people are gonna say, so there's no friction. So maybe I can use autonomous database here. I can use this service from GCP. I can use that service and, and put it all into one app. So where's the app run? It's a multicloud app. Doesn't exist today.
>>No, that doesn't happen today.
>>It's, it's happen. It's gonna happen.
>>But that's kind of what the vision was. No, seven, eight years ago of what
>>It's
>>Gonna, that would be, you know, the original premise of hybrid. Right? Right. Um, I think Chuck Hollis, the guy was at EMC at the time, he wrote this piece on, he called it private cloud, but he was really describing hybrid cloud application and running in both places. That never happened. But it's starting to, I mean, the infrastructure is getting put in place to enable that, I guess is what you're saying.
>>Yep.
>>Yeah.
>>Cool. And multicloud is, is becoming not just four plus one, is a lot of enterprises it's becoming plus one, meaning you're gonna have more and more. And then there won't be infrastructure clouds like AWS and so forth, but it's gonna be industry clouds. Right? You've, you've talked about that, again, back to super clouds. You're gonna have Goldman Sachs creating clouds and you're gonna have AI companies creating clouds. You're gonna have clouds at the edge, you know, for edge computing and all these things all need to be networked with network security integrated. And you mentioned fact
>>Aviatrix, you mentioned Ben Horowitz, that's Marc Andreessen. All, all companies are software companies. All companies are becoming cloud companies. Yeah. Or, or they're missing, missing opportunities or they might get disrupted.
>>Yeah. Every single company I talk to now, you know, whether you're Heineken, they don't think of themselves as a beer company anymore. We are the most technologically, you know, advanced brewer in the world. Like they all think they're a technology company. Now, whether you're making trucks, whether you're making sneakers, whether you're making beer, you're now a technology company, every single company in
>>The world, we are too, we're, we're building a media cloud. You're, you know, John's, it's a technology company laying that out and yeah. That's, we got developers doing that. That's our, that's our future. Yep. You know? Cool. Hey, thanks for coming on, man. Thank you. Great to see you. Thank you for watching. Keep it right there. We'll be back right after this short break. The Cube's coverage of AWS re:Inforce 2022 from Boston. Keep it right there.
>>You tired? How many interviewed.

Published Date : Jul 27 2022


PJ Kirner, Illumio | AWS re:Inforce 2022


(upbeat music) >> Hi, everybody. We're wrapping up day two of AWS Re:Inforce 2022. This is theCUBE, my name is Dave Vellante. And one of the folks that we featured, one of the companies that we featured in the AWS startup showcase season two, episode four, was Illumio. And of course their here at the security theme event. PJ Kerner is CTO and Co-Founder of Illumio. Great to see you, welcome back to theCUBE. >> Thanks for having me. >> I always like to ask co-founders, people with co-founder in their titles, like go back to why you started the company. Let's go back to 2013. Why'd you start the company? >> Absolutely. Because back in 2013, one of the things that we sort of saw as technology trends, and it was mostly AWS was, there were really three things. One was dynamic workloads. People were putting workloads into production faster and faster. You talk about auto scale groups and now you talk about containers. Like things were getting faster and faster in terms of compute. Second thing was applications were getting more connected, right? The Netflix architecture is one define that kind of extreme example of hyper connectivity, but applications were, we'd call it the API economy or whatever, they were getting more connected. And the third problem back in 2013 was the problems around lateral movement. And at that point it was more around nation state actors and APTs that were in those environments for a lot of those customers. So those three trends were kind of, what do we need to do in security differently? And that's how Illumio started. >> So, okay, you say nation state that's obviously changed in the ROI of for hackers has become pretty good. And I guess your job is to reduce the ROI, but so what's the relationship PJ between the API economy, you talked about in that lateral movement? Are they kind of go hand in hand? >> They do. 
I think one thing that we have as a mission is, and I think it's really important to understand is to prevent breaches from becoming cyber disasters, right? And I use this metaphor around kind the submarine. And if you think about how submarines are built, submarines are built with water tight compartments inside the submarine. So when there is a physical breach, right, what happens? Like you get a torpedo or whatever, and it comes through the hall, you close off that compartment, there are redundant systems in place, but you close off that compartment, that one small thing you've lost, but the whole ship hasn't gone down and you sort of have survived. That's physical kind of resiliency and those same kind of techniques in terms of segmentation, compartmentalization inside your environments, is what makes good cyber resiliency. So prevent it from becoming a disaster. >> So you bring that micro segmentation analogy, the submarine analogy with micro segmentation to logical security, correct? >> Absolutely, yes. >> So that was your idea in 2013. Now we fast forward to 2022. It's no longer just nation states, things like ransomware are top of mind. I mean, everybody's like worried about what happened with solar winds and Log4j and on and on and on. So what's the mindset of the CISO today? >> I think you said it right. So ransomware, because if you think about the CIA triangle, confidentiality, integrity, availability, what does ransomware really does? It really attacks the availability problem, right? If you lock up all your laptops and can't actually do business anymore, you have an availability problem, right. They might not have stole your data, but they locked it up, but you can't do business, maybe you restore from backups. So that availability problem has made it more visible to CEOs and board level, like people. And so they've been talking about ransomware as a problem. 
And so that has given the CISO either more dollars, more authority to sort of attack that problem. And lateral movement is the primary way that ransomware gets around and becomes a disaster, as opposed to just locking up one machine when you lock up your entire environment, and thus some of the fear around colonial pipeline came in, that's when the disaster comes into play and you want to be avoiding that. >> Describe in more detail what you mean by lateral movement. I think it's implied, but you enter into a point and then instead of going, you're saying necessarily directly for the asset that you're going after, you're traversing the network, you're traversing other assets. Maybe you could describe that. >> Yeah, I mean, so often what happens is there's an initial point of breach. Like someone has a password or somebody clicked on a phishing link or something, and you have compromise into that environment, right? And then you might be compromised into a low level place that doesn't have a lot of data or is not worthwhile. Then you have to get from that place to data that is actually valuable, and that's where lateral movement comes into place. But also, I mean, you bring up a good point is like lateral movement prevention tools. Like, one way we've done some research around if you like, segmentation is, imagine putting up a maze inside your data center or cloud, right. So that, like how the attacker has to get from that initial breach to the crown jewels takes a lot longer when you have, a segmented environment, as opposed to, if you have a very flat network, it is just go from there to go find that asset. >> Hence, you just increase the denominator in the ROI equation and that just lowers the value for the hacker. They go elsewhere. >> It is an economic, you're right, it's all about economics. It's a time to target is what some our research like. So if you're a quick time to target, you're much easier to sort of get that value for the hacker. 
If it's a long time, they're going to get frustrated, they're going to stop and might not be economically viable. It's like the, you only have to run faster than the-- >> The two people with the bear chasing you, right. (laughs) Let's talk about zero trust. So it's a topic that prior to the pandemic, I think a lot of people thought it was a buzzword. I have said actually, it's become a mandate. Having said that others, I mean, AWS in particular kind of rolled their eyes and said, ah, we've always been zero trust. They were sort of forced into the discussion. What's your point of view on zero trust? Is it a buzzword? Does it have meaning, what is that meaning to Illumio? >> Well, for me there's actually two, there's two really important concepts. I mean, zero trust is a security philosophy. And so one is the idea of least privilege. And that's not a new idea. So when AWS says they've done it, they have embraced these privileges, a lot of good systems that have been built from scratch do, but not everybody has least privilege kind of controls everywhere. Secondly, least privilege is not about a one time thing. It is about a continuously monitoring. If you sort of take, people leave the company, applications get shut down. Like you need to shut down that access to actually continuously achieve that kind of least privilege stance. The other part that I think is really important that has come more recently is the assume breach mentality, right? And assume breach is something where you assume the attacker is, they've already clicked on, like stop trying to prevent. Well, I mean, you always still should probably prevent the people from clicking on the bad links, but from a security practitioner point of view, assume this has already happened, right. They're already inside. And then what do you have to do? Like back to what I was saying about setting up that maze ahead of time, right. 
To increase that time to target, that's something you have to do if you kind of assume breach and don't think, oh, a harder shell on my submarine is going to be the way I'm going to survive, right. So that mentality is, I will say is new and really important part of a zero trust philosophy. >> Yeah, so this is interesting because I mean, you kind of the old days, I don't know, decade plus ago, failure meant you get fired, breach meant you get fired. So we want to talk about it. And then of course that mentality had to change 'cause everybody's getting breached and this idea of least privilege. So in other words, if someone's not explicitly or a machine is not explicitly authorized to access an asset, they are not allowed, it's denied. So it's like Frank Slootman would say, if there's doubt, there's no doubt. And so is that right? >> It is. I mean, and if you think about it back to the disaster versus the breach, imagine they did get into an application. I mean, lamps stacks will have vulnerabilities from now to the end of time and people will get in. But what if you got in through a low value asset, 'cause these are some of the stories, you got in through a low value asset and you were sort of contained and you had access to that low value data. Let's say you even locked it up or you stole it all. Like it's not that important to the customer. That's different than when you pivot from that low value asset now into high value assets where it becomes much more catastrophic for those customers. So that kind of prevention, it is important. >> What do you make of this... Couple things, we've heard a lot about encrypt everything. It seems like these days again, in the old days, you'd love to encrypt everything, but there was always a performance hit, but we're hearing encrypt everything, John asked me the day John Furrier is like, okay, we're hearing about encrypting data at rest. What about data in motion? 
Now you hear about confidential computing and nitro and they're actually encrypting data in the flow. What do you make of that whole confidential computing down at the semiconductor level that they're actually doing things like enclaves and the arm architecture, how much of the problem does that address? How much does it still leave open? >> That's a hard question to answer-- >> But you're a CTO. So that's why I can ask you these questions. >> But I think it's the age old adage of defense in depth. I mean, I do think equivalent to what we're kind of doing from the networking point of view to do network segmentation. This is another layer of that compartmentalization and we'll sort of provide similar containment of breach. And that's really what we're looking for now, rather than prevention of the breach and rather than just detection of the breach, containment of that breach. >> Well, so it's actually similar philosophy brought to the wider network. >> Absolutely. And it needs to be brought at all levels. I think that's the, no one level is going to solve the problem. It's across all those levels is where you have to. >> What are the organizational implications of, it feels like the cloud is now becoming... I don't want to say the first layer of defense because it is if you're all in the cloud, but it's not, if you're a hybrid, but it's still, it's becoming increasingly a more important layer of defense. And then I feel like the CISO and the development team is like the next layer maybe audit is the third layer of defense. How are you seeing organizations sort of respond to that? The organizational roles changing, the CISO role changing. >> Well there's two good questions in there. So one is, there's one interesting thing that we are seeing about people. Like a lot of our customers are hybrid in their environment. They have a cloud, they have an on-prem environment and these two things need to work together. 
And in that case, I mean, the massive compute that you can be doing in AWS actually increases the attack surface on that hybrid environment. So there's some challenges there and yes, you're absolutely right. The cloud brings some new tools to play, to sort of decrease that. But it's an interesting place we see where there's an attack surface that occurs between different infrastructure types, between AWS and the on-prem part of our environment. Now, the second part of your question was really around how the developers play into this. And I'm a big proponent of, I mean, security is kind of a team sport. And one of the things that we've done in some of our products is help people... So we all know the developers, like they know they're part of the security story, right? But they're not security professionals. They don't have all of the tools and all of the experience. And all of the red teaming time to sort of know where some of their mistakes might be made. So I am optimistic. They do their best, right. But what the security team needs is a way to not just tell them, like slap on the knuckles, like developer you're doing the wrong thing, but they really need a way to sort of say, okay, yes, you could do better. And here's some concrete ways that you can do better. So a lot of our systems kind of look at data, understand the data, analyze the data, and provide concrete recommendations. And there's a virtuous cycle there. As long as you play the team sport, right. It's not an us versus them. It's like, how can we both win there?
>> So this is a really interesting conversation because the developer all of a sudden is increasingly responsible for security. They got to worry about, they're using containers. Now they got to worry about container security. They got to worry about the run time. They got to worry about the platform. And to your point, it's like, okay, this burden is now on them.
Not only do they have to be productive and produce awesome code, they got to make sure it's secure. So that role is changing. So are they up for the task? I mean, I got to believe that a lot of developers are like, oh, something else I have to worry about. So how are your customers resolving that?
>> So I think they're up for the task. I think what is needed though, is a CISO and a security team again, who knows it's a team sport. Like some technologies are adopted from the top down, like the CIO can say, here's what we're doing and then everybody has to do it. Some technologies are adopted from the bottom up, right. It's where this individual team says, oh, we're using this thing and we're using these tools. Oh yeah, we're using containers and we're using this flavor of containers. And this other group uses Lambda services and so on. And the security team has to react because they can't mandate. They have to sort of work with those teams. So I see the best groups of people is where you have security teams who know they have to enable the developers and the developers who actually want to work with the security team. So it's the right kind of person, the right kind of CISO, right kind of security teams. It doesn't treat it as adversarial. And it works when they both work together. And that's where, your question is, how ingrained is that in the industry, that I can't say, but I know that does work. And I know that's the direction people are going.
>> And I understand it's a spectrum, but I hear what you're saying. That is the best practice, the right organizational model, I guess it's cultural. I mean, it's not like there's some magic tool to make it all, the security team and the dev team collaboration tool, maybe there is, I don't know, but I think the mindset and the culture has to really be the starting point.
>> Well, there is. I just talk about this idea.
So however you sort of feel about DevOps and DevSecOps and so on, one core principle I see is really kind of empathy between like the developers and the operations folks, so the developers and the security team. And one way I actually, and we act like this at Illumio, but one thing we do is like, you have to truly have empathy. You kind of have to do somebody else's job, right. Not just like, think about it or talk about it, like do it. So there are places where the security team gets embedded deep in the organization, where some of the developers get embedded in the operations work, and that empathy. I know whether they go back to do what they were doing, what they learned about how the other side has to work, some of the challenges, what they see is really valuable in sort of building that collaboration.
>> So it's not job swapping, but it's embedding, is maybe how they gain that empathy.
>> Exactly. And they're not experts in all those things, but do them, take on some of those responsibilities, be accountable for some of those things. Now, not just do it on the side and go over somebody's shoulder, but like be accountable for something.
>> That's interesting, not just observational, but actually say, okay, this is on you for some period of time.
>> That is where you actually feel the pain of the other person, which is what is valuable. And so that's how you can build one of those cultures. I mean, you do need support all the way from the top, right. To be able to do that.
>> For sure. And of course there are lightweight versions of that. Maybe if you don't have the stomach for... Lena Smart was on this morning, CISO of Mongo.
And she was saying, she pairs like the security pros that can walk on water with the regular employees and they get to ask all these Columbo questions of the experts and the experts get to hear it and say, oh, I have to now explain this like I'm explaining it to a 10 year old, or maybe not a 10 year old, but a teenager, actually teenagers are probably well ahead of us, but you know what I'm saying? And so that kind of cross correlation, and then essentially the folks that aren't security experts, they absorb enough and they can pass it on throughout the organization. And that's how she was saying she emphasizes culture building.
>> And I will say, I think, Steve Schmidt, the CISO of AWS, like I've heard him talk a number of times and like, they do that here at like, they have some of the spirit and they've built it in and it's all the way from the top, right. And that's where if you have security over in a little silo off to the side, you're never going to do that. When the CEO supports the security professionals as a part of the business, that's when you can do the right thing.
>> So you remember around the time that you and you guys started Illumio, the conversation was, security must be a board level topic. Yes, it should be, is it really, it was becoming that way. It wasn't there yet. It clearly is now, there's no question about it.
>> No, ransomware.
>> Right, of course.
>> Let's thank ransomware.
>> Right. Thank you. Maybe that's a silver lining. Now, the conversation is around, is it an organizational wide issue? And it needs to be, it needs to be, but it really isn't fully. I mean, how many organizations actually do that type of training, certainly large organizations do. It's part of the onboarding process, but even small companies are starting to do that now saying, okay, as part of the onboarding process, you got to watch this training video and make sure that you've done it. And maybe that's not enough, but it's a start.
>> Well, and I do think that's where, if we get back to zero trust, I mean, zero trust being a philosophy that you can adopt. I mean, we apply that kind of least privilege model to everything. And when people know that, people know that this is something we do, right. That you only get access to things 'cause of least privilege, you get access to absolutely the things you need to do your job, but nothing more. And that applies to everybody in the organization. And when people sort of know this is the culture and they sort of work by that, like zero trust being that philosophy sort of helps infuse it into the organization.
>> I agree with that, but I think the hard part of that in terms of implementing it for organizations is, companies like AWS, they have the tools, the people, the practitioners that can bring that to bear, many organizations don't. So it becomes an important prioritization exercise. So they have to say, okay, where do we want to apply that least privilege and apply that technology? 'Cause we don't have the resources to do it across the entire portfolio.
>> And I'll give you a simple example of where it'll fail. So let's say, oh, we're least privilege, right. And so you asked for something to do your job and it takes four weeks for you to get that access. Guess what? Zero trust out the door at that organization. If you don't have again, the tools, right. To be able to walk that walk. And so it is something where you can't just say it, right. You do have to do it.
>> So I feel like it's a pyramid. It's got to start. I think it's got to be top down. Maybe not, I mean certainly bottom up from the developer mindset. No question about that. But in terms of where you start. Whether it's financial data or other confidential data, great. We're going to apply that here and we're not going to necessarily, it's a balance, where's the risk? Go hard on those places where there's the biggest risk.
Maybe not create organizational friction where there's less risk and then over time, bring that in.
>> And I think, I'll say one of the failure modes that we sort of see around zero trust, if you go too big, too early, right. You actually have to find small wins in your organization and you pointed out some good ones. So focus on like, if you know where critical assets are, that's a good place to sort of start. Building it into the business as usual. So for example, one thing we recommend is people start developing zero trust segmentation policy during the development, or at least the test phase of rolling out a new application as you sort of work your way into production, as opposed to having to retro segment everything. So get it into the culture, either high value assets or work like that, or just pick something small. We've actually seen customers use our software to sort of like lock down RDP, like back to ransomware, ransomware loves RDP lateral movement. So why can we go everywhere to everywhere with RDP? Well, you need it to sort of solve some problems, but just focus on that one little slice of your environment, one application, and lock that down. That's a way to get started and that sort of attacks the ransomware problem. So there's lots of ways, but you got to make some demonstrable first steps and build that momentum over time to sort of get to that ultimate end goal.
>> PJ, Illumio has always been a thought leader in security generally, in this topic specifically. So thanks for coming back on theCUBE. It's always great to have you guys.
>> All right. Thanks, been great.
>> All right. And thank you for watching. Keep it right there. This is Dave Vellante for theCUBE's coverage of AWS re:Inforce 2022 from Boston. We'll be right back. (upbeat music)

Published Date : Jul 27 2022


Peter McKay, Snyk & Adi Sharabani, Snyk | AWS re:Inforce 2022
>>Okay. We're back in Boston covering AWS re:Invent 2022. This is our second live re:Invent. We've done the other ones, uh, in between as digital. Uh, my name is Dave Vellante and you're watching theCUBE. Peter McKay is here. He's the CEO of Snyk. Adi Sharabani is the chief technical officer. Guys, great to see you again. Awesome. Being here in Boston
>>In July. It is Peter. You can't be weather's good weather. Yeah, Red Sox aren't good. But everything else
>>Is Sox are ruining our sub, you know,
>>Hey, they're still in the playoff, the hunt, you
>>Know, all you gotta do is make it in. Yes.
>>Right. And there's a new season. Simple
>>Kinda like hockey, but you know, I'm worried they're gonna be selling at the trading
>>Deadline. Yeah. I think they should be. I think it's you think so it's not looking good. Oh,
>>You usually have a good angle on this stuff, but uh, well, Hey, we'll see. We'll go. I got a lot of tickets. We'll go and see the Yankees, at least we'll see a winning team. Anyway, we last talked, uh, after your fundraising. Yeah. You know, big, big round at your event last night, a lot of buzz, one of the largest, I think the largest event I saw around here, a lot of good customers there.
>>It's great. Great time.
>>So what's new. Give us the update. You guys have made some, an acquisition since then. Integration. We're gonna talk
>>About that. Yeah. It's been, uh, a lot has happened. So, uh, the business itself has done extremely well. We've been growing at 170% year over year, a hundred percent growth in our number of customers added. We've done six acquisitions. So now we have, uh, five products that we've added to the mix. We've tripled the size of the company. Now we're 1300 people, uh, in the organization. So quite a bit in a very short period of time.
>>Well, and of course my, in my intro, I, I said, re:Invent, I'm getting ahead of myself. Right.
>>Of course we'll
>>Reinforce. We'll be at re:Invent
>>In November. Are that's the next one at
>>Reinforce.
>>We've done a lot of re:Invents by the way, you know?
>>So there's a lot, lot of reinvention
>>Here. So of course, well, you're reinventing security, right? Yes. So, you know, I try to, I think about when I go to these events, like, what's the takeaway, what's the epiphany. And we're really seeing the, the developer security momentum, and it's a challenge. They gotta worry about containers. They gotta worry about run time. They gotta worry about platform. Yeah. You guys are attacking that problem. Maybe describe that a
>>Little bit for us. Yeah. I mean, for years it was always, um, you know, after the fact production fixing security in run time and billions and billions of dollars spent in fixing after the fact. Right. And so the realization early on with the was, you know, you gotta fix these issues earlier and earlier, we started with open source, was the first product at wait. Then six, six years ago, then we added container security and we added infrastructure as code. We added code security. We added, um, most recently cloud security with the Fugue acquisition. So one platform, one view that a developer can look at to fix all the issues through the, be from the beginning, all the way through the software development life cycle. So we call it developer security. So allowing developers to develop fast, but stay secure at the same time.
>>So I like the fact that you're using some of your capital to do acquisitions. Yeah. Now a lot of M and A is, okay, we're gonna buy this company. We're gonna leave them alone. You guys chose to integrate them. Maybe describe what that process was like. Yeah. Why you chose that. Yeah. How hard it was, how long it took. Take us through that.
>>Yeah. Yeah. I'll give, uh, two examples, maybe one on Snyk, which was an acquisition of, of the company that was focused on, uh, code analysis, actually not for security.
And we have identified the merit of what we need in terms of the first security solution, not an ability to take a security product and put it in the end of developer, but rather build something that will build into the dev motion, which means very fast, very accurate things that it can rely on source and not just on the build code and so on. And we have built that into the platform and by that our customers can gain all of their code related issues together with all of their IaC related issues together with all of the container issues in one platform that they can prioritize accordingly.
>>Yeah. Okay. So, so talk more about the, the, the call, the Fugue, the Snyk Cloud, right? Yeah. So the Fugue name goes away. I presume, right. Or yes, it does. Okay. So you retire that and bring it in, the brand is Snyk. Yeah. Right. So talk about the cloud, what it does, what problems
>>It's solving. Yeah. Awesome. And, and this goes exactly the same. As we mentioned on, on the code, we have looked at the, the, the cloud security solutions for a while now. And what we loved about the Fugue team is that they were building their product with their first approach. Okay. So the notion is as followed as you are, you know, you're a CSO, you have your pro you have your program, you're looking, you have different types of controls and capabilities. And your team is constantly looking for threats. When we are monitoring your cloud environment, we can detect problems like, you know, your S3 bucket is not exposing the right permissions and is exposed to the world or things like that. But from a security perspective, it might be okay to stop there. But if you're looking at an operation perspective, you need to know who needs to fix, how do they need to fix it?
So on one end, you know, the actual resources that are running and what's the implication in the actual deployed environment. On the other end, we get correlation back to the actual code that generates that. And then I can give that context both to the security person, the context of how it affects the application. But more importantly, the context for the developer is required to fix the problem. What's the context of the cloud. Yeah. And a lot of things are being exposed this way. And we can talk about that. Uh, >>So this is really interesting because, and look, I love AWS to do an amazing job. One of the other things I really like about 'em is it seems like they're not trying to go hard and monetize their security products. Mm-hmm, they're leaving that to the ecosystem, which I like. Yeah. Microsoft taken a little different approach, right? Yeah, yeah, yeah. Ton a lot. But this, this, this example you're giving ad about the S3 bucket. So we heard in the keynotes yesterday about, you know, reasoning, AI reasoning, they said, we can say, is this S3 bucket exposed to the public? We can do that with math. Right. Yeah. But you're what I'm inferring is you don't stop there. Yeah. Yeah. There's a lot of other stuff that has to, >>And sometimes have to, not as simple, just as a configuration change, sometimes the correlation between what your application is doing affects what is the resulted experience of, you know, the remote user or in this case, the attacker, right. I mean, >>The application has access, who has access to the application, is this, this the chain. >>So propagates, you have to, you have to have a, a solution that looks both at have very good understanding of the application context. A very good understanding of what we refer to as the application graph, like understanding how it works, being able to analyze that and apply the same policies, both at development time, as well as run time. >>So there's, there's human to app. 
There's also a machine to machine. Can you guys help with that problem as well? Or is that sort of a futures thing or
>>Could you, I'm not sure. I understand what
>>Referring, so machines talking to machines, right. I mean, there's data flowing. Yep. You know, between those machines, right. It's not just the humans interacting with the application. Is that a trend that you see and is that something that you guys can solve?
>>So at, at the end of the day, there is a lot of automation that happens both for, by humans for good reasons, as well as by humans for bad. Right. <laugh> and, and the notion is that we are really trying to focus on what matters to the developer as they're trying to improve their business around that. So both improves making sure they know, you know, quality problems or things of this kind. But as part of that, more importantly, when we're looking at security as a quality problem, making sure that we have a flow in the development life cycle that streamlines what the developer is expecting to do as they're building the solution. And if every single point, whether it's the IDE, whether it's the change management, whether it's the actual build, whether it's the deployed instance on the cloud, making sure that we identify with that and connect that back to the code.
>>Okay. So if there's machine automation coming in, that shouldn't be there, you can sort of identify that and then notify, remediate or whatever action should be
>>Taken. Yeah. Identify, identify, remediate. Yep.
>>Yeah. We, we really focus on making sure that we help developers build better products. So our core focus is identify areas where the product is not built in a good way, and then suggest the corrective action that is required to make that happen.
>>And I think part of this is the, you know, just, uh, the speed of the software development today.
I mean, you look at developers are constantly and not just look at Snyk, you're, you're trying to get so much more productivity out of the developers that you have. Every company is trying to get more productivity out of developers, incredible innovation, incredible pace, get those is a competitive advantage. And so what we're trying to do is we make it easier for developers to go fast, innovate, but also do it securely and embed it without slowing them down, develop fast and secure.
>>So again, I love, I love AWS, love what they're doing. We heard, uh, yesterday from, from CJ, you know, a lot of talk about, you know, threat detection and, you know, some talk about DevOps, et cetera. But yeah, I, I, I didn't hear a lot about how to reduce the complexity for the CSO. And the reason I bring this up is it feels like the cloud is now the first level of defense and the CISO is, is becoming the next level, which is on the developer. So the developer is becoming responsible for security at a whole shift left, maybe shield right. But, but shift left is becoming critical. Seems like your role and maybe others in the ecosystem is to address my concern about simplifying the life of the CISO. Is that a reasonable way to think about it? I
>>Think it's changing the role of the CISO. How so? You know, really it's, I, I think it's before it, in this, in the security organization and Adi you should chime in here is, you know, it used to be, I did, I owned all application security, I owned the whole thing and they couldn't keep up. Like, I think it's just every security organization is totally overwhelmed. And so they have to share the responsibility. They have to get that fix the issues earlier and earlier, because it's waiting too long. It's after the fact. And then you gotta throw this over the fence and developers have to fix it.
So they've gotta find a new way because they're the bottleneck, they're slowing down the company from innovating and bringing these applications to market. So we are the kind of this bridge between the security teams that wanna make sure the, that we're staying secure and the development organizations and engineering and CEOs, go fast. We need you guys to go faster and faster. So we, we tend to be the bridge between the two of them.
>>One of the things I really love happening these days is that we change the culture of the organization from a culture where the CSO is trying to, you know, push and enforce and dictate the policy, which, which they should, but they really wanna see the development team speak up like that. The whole motion of DevOps is that we are empowering them to make the decisions that are right for the business, right? And then there is a gap because on one hand, this is always like, you need to do this, you need to do this. You need to do that. And the dev teams don't understand how that impacts their business. Good enough. And they don't have the tools and, you know, the ability to add a source problem. So with the solution like Snyk, we really empower the developers to bake security as part of their cycle, which is what was done in many other fields, quality, other things, everything, it, everything moves into development already, right? So we're doing that. And the entire discussion now changes into an enablement discussion.
>>So interesting. Cause you saw, this is the role of the CSOs changing. How so? I see that in a way like frees, Snyk, the CSO with the cloud is becoming a compliance officer. Like you do this, you do this, you do this, you do this, you third
>>One would take a responsibility
>>Trying. Yeah. Right, right. And so you're flipping that equation saying, Hey, we're gonna actually make this an accelerant to your business.
>>So, so set the policy, determine compliance, but make sure that the teams, the developers are building applications in compliance with your policy. Right. So make sure and, and don't allow them to do something. If they're doing, if they're developing an application with a number of vulnerabilities, you can stop that from happening so you can oversee it, but you don't have to be the one who owns it all the way through from beginning to,
>>Or, or get it before it's deployed. So you don't have to go back after the fact and, and remediate it with, you know, but,
>>But think about deploy, they're deploying apps today. I mean, they're updating by the hour, right? Where, you know, six years ago, five years ago, two years ago was every six to nine months. Right? So the pace of this innovation from developers is so fast that the old way of doing security can't keep up. Like they're built for six month release cycles. This is six hour release cycles. And so we had to, it has to change security. Can't stay the way it is. So what we've been doing for seven years for application security is exactly what we're doing for cloud security, is moving all that earlier. All these products that we've been building over the years is really taking these afterthought security components and bringing 'em all earlier, you know, bringing everything like cloud security is done after the fact. Now we can take those issues and bring 'em right to the developers who created that and can fix the issues. So it's code to cloud back to code in a very automated fashion. So doesn't slow developers down.
>>Okay. So what's the experience. We all know there's, everybody has more than one cloud. What's the experience across clouds. Can you create a consistent, continuous experience, cloud agnostic,
>>Agnostic, cloud agnostic, uh, development environment agnostic, you know, language agnostic.
So that's kind of the beauty of it, where you have maybe other certain tools for certain clouds, uh, or certain languages or certain development environments, but you have to learn different tools, you know, and, and they all roll up to security in a different way. And so what we have done is consolidated all that spend for open source security, container security, infrastructure, now, cloud security, all that spend and all that fragmentation all under one platform. So it's one company that brings all those pieces
>>Together. So it's a single continuous experience. Yeah. The developer experience you're saying is identical. Yes.
>>Actually one product
>>It's entitlement that we're getting. Yes. So you're hiding the underlying complexities of the respective clouds and those primitives, developer doesn't have to worry about them. No, I call that a super cloud, super
>>Cloud.
>>Okay. But no, but essentially that's what you're, you're building, building on the, on this, Ed Walsh would say on the shoulders of giants. Yeah, exactly. You know, you don't have to worry about the hyperscale infrastructure. Yep. Right. That you're building a layer of value on top of that. Yes. Is, is that essentially a PaaS layer or is it, is it, can I think of it that way or is it not? Hmm. Is it platform? I
>>Mean, yeah. I, I, I would say that at the end of the day, the, the way developers want to use a security tool is the same. Right. So we expose our functionality to them in those ways, if you're using, you know, uh, uh, one Git repository or another, if you're using one cloud or we, we are agnostic to data, don't, it's not, it doesn't really affect us in that manner. Um, I want to add another thing about the, the experience and associated with the consolidation that Peter referred to, uh, earlier, when you have a motion that automatically assesses, you know, uh, problems that the developer is putting as part of the change management, as example, you do creating pull request.
Now adding more capabilities into that motion is easy. So from enablement of the team, you can add another functionality, add cloud, add IaC, add code and so on like that, because you already, you already made the decisions on how you are looking at that. And now you're integrated at, into your developer workflows,
>>Right? So it's, it's already, it's already integrated for open source, adding container and IaC is real easy. It's all, you've already done all the integrations. And so for us going to five products and eventually 6, 7, 8, all, all based on the integrations that you already have in the same workflows that developers have become accustomed
>>To. And that's what we, a lot of work from the company perspective. Right.
>>I can ask you about another sort of trend we're seeing where you see Goldman Sachs last re:Invent announced a cloud product, essentially bringing their data, their tools, their software. They're gonna run it on AWS, at the Snowflake Summit, uh, Capital One announced the service running on Snowflake, Oracle by Cerner, right? Yeah. You know, they're gonna be, do something on OCI. Of course, make 'em do that. But it's, it's a spin on Andreessen's every company's a software company. It's like every company's now becoming digital, a software company building their own SaaS, essentially building their own clouds, or maybe, maybe something they'll be super clouds. Are you seeing industry come to Snyk and say, Hey, help us build products that we can monetize
>>There companies. So, first off, I think kind of the first iteration is, you know, all these industries of becoming software driven, like you said, and more software is more software risk. And so that kind of led us down this journey of now financial services, you know, tech, you know, media and entertainment, financial services, healthcare. Now it's this long tail of, of low tech. Yeah. Within those companies, they are offering services to the other parts of the organization.
We have >>So far, mostly >>Internal, mostly internal, other than the global SI. And some of the companies who do that for a living, you know, they build the apps for companies and they are offering a sneak service. So before I give you these, I update these applications. I'm gonna make sure I'm running. I'm, I'm, I'm signifying those applications to make sure that they're secure before you get them. And so that now a company like a capital one coming to us saying, I wanna offer this to others. I think that's a, that's a leap because you know, companies are taking on security of someone else's and I think that's a, that's not there yet. It may be, >>Do you think it'll happen? >>We do have the, uh, uh, threat Intel that we, we have a very, a very strong security group that constantly monitors and analyzing the threat. And we create this vulnerability database. So in open sources, an example, we're the fact of standard, uh, in the field. So many of our partners are utilizing the threat Intel feed of snake as part of their offering. Okay. If you go to dock as an example, you can scan with, with snake intelligence immediately out of the gate over there, right? Yeah. >>And tenable, rapid seven trend micro. They all use the vulnerability database as well. Okay. So a lot of financial institutions use it because they had, they'd have seven, 10 people doing re security research on their own. And now they can say, well, I don't have to have those seven. I've got the industry standard for vulnerability database from Steve. >>And they don't have to throw out their existing tool sets where they have skills. >>Yes, exactly. >>Peter bring us homes, give us the bumper sticker, summarize, you know, reinforce and kind what we can expect going forward. >>Yeah, no, I mean, we're gonna continue the pace. We don't see anything slowing, slowing us down in terms of, um, just the number of customers that are, that are shifting left. 
Everybody's talking about, Hey, I need to embed this earlier and earlier. And I think what they're finding is this, this need to rein reinnovate like get innovation back into their business. And a lot of it had to slow down because, well, you know, you, we can't let developers develop an app without it going through security. And that takes time. It slows you down and allows you not to like slow the pace of innovation. And so for us, it's it help developers go fast, incredibly, you know, quickly, aggressively, creatively, but do it in a secure way. And I think that balance, you know, making sure that they're doing what they're doing, they're increasing developer productivity, increasing the amount of innovation that developers are trying to do, but you gotta do it securely. And that's where we compliment really what every CEO is pushing companies. I need more productivity. I need more aggressive creativity, innovation, but you better be secure at the same time. And that's what we bring together for our customers. >>And you better do that without slowing us down. That's >>Don't trade off, slow >>Us down. Always had to make. Yes, guys. Thanks so much for coming to the cube. Thanks, David. Always great to see you guys see ID. Appreciate it. All right. Keep it right there. This is the Cube's coverage of reinforced 2022 from Boston. We'll be right back right after the short break.

Published Date : Jul 27 2022


Aaron Brown, Deloitte & Ryan Orsi, AWS | AWS re:Inforce 2022

(upbeat music)
>> Welcome back to Boston. The CUBE's coverage of AWS Re-inforce 2022. This is our second live Re-inforce. We did two in the middle that were all digital. Aaron Brown is here as US AWS cyber leader for Deloitte and Ryan Orsi the cloud foundation leader for partners for Amazon Web Services. Jen, welcome to The CUBE.
>> Thanks for having us.
>> Thanks.
>> Nice to see you. Tell us about the story of Deloitte in cyber and then we'll get it to Deloitte cyber on AWS, or maybe even start there.
>> Yeah, sure. I mean, obviously Deloitte, one of the largest cyber consultancies in the world, we've been working with AWS for a very long time. 2013, I was involved with, you know, the first Alliance agreement with them. And then we've been in cloud managed services about five years delivering workloads for clients. We have over 200 clients on that platform and then about a year and a half ago or so, the MSSP program came and it made a ton of sense to us, right? To really level the playing field and gave us a chance to really come out and demonstrate, you know, our capability around MSSP.
>> The MSSP program, I saw a slide yesterday in keynote and in the analyst program was, you know, there's technology partners, there's MSSP partners. Explain the MSSP partner.
>> Sure, sure. So at the AWS Partner Network, we break it down. The program is called the level one MSSP Competency Program. And it is for both those companies that are sort of more of a software company with a managed service and those that are more of a pure service company, it's for both, but it's the general concept, it hosts the community of partners like Deloitte with a concentrated talent pool around 24 by 7 monitoring and response of AWS security events.
>> So what is Deloitte? Deloitte's not a pure software play. It's not a pure services play anymore. It's sort of a mixture.
>> Yeah, you know, asset enabled services, right? It's the way that we look at it. So, yeah, we're definitely not trying to compete with software companies out there, but we do have assets, right? So we do everything as infrastructure as code and that allows us to deploy our solutions into client environments really quickly. So where you might spend months on third party tool integrations, we leverage all native AWS tools in our standard offering and we can deploy into a client and get those services up and running in a couple of weeks.
>> So you sell your software as an integrated service, is that correct? You don't-
>> It's service, it's really is service. We sell a metered service.
>> You don't sell your software separately?
>> No.
>> I should say it differently. You include your software as part of the service, is that right?
>> Yeah, it is. But actually there's another element. There are obviously some clients who don't want to be in a managed service in perpetuity. And so those same assets that I talked about that we use for MSSP, you know, for the right clients, we don't just give away everything to anybody but for the right clients, for the right engagement, we will work with clients to help them build the capability that they need to run it themselves. And our solution is built in a way where they can do that. Right? We have a base component and a variable component to the solution and we will impart those assets to a client, you know, if the situation is right.
>> Okay. So you'll actually transfer the software, but would you charge for that?
>> Yeah, certainly, but there's obviously a big service component that goes into it. Right?
>> And that's really where your expertise is.
>> Yeah, we don't have like a standard, you know, list price but we'll work with clients to basically help them build out that capability because frankly the market moves so fast that you need a constant capability and engine to update that solution. It's not something that, you know, you're going to sell and someone's just going to use that out of the box for the next five years.
>> But a lot of the value that seems that Deloitte brings is you don't run from customization. You welcome that. You, you know, if a client says, hey, I need this special and that special, or whatever it is you'll go attack. You have the staff, the talent to attack that problem. And you use software in areas where you can have repeatability and it helps you scale and be more productive. Is that a fair way to think about it?
>> Yeah, that's right. I mean, I guess one of the phrases that we use is we like big hairy problems, right? That's sort of our sweet spot. The, you know, the very simple, hey, I need a couple of guys to do a couple of things, typically, we're not the right firm for that. So, yes, we use the assets cause we realize like, hey, you know, out of everything that needs to be done, there's a significant portion of this that everybody needs more or less the same way. And then we build that, we build the automation to get it in and then we have that variable component working with clients to say, hey, let's make this work in your environment. We use a combination of AWS native services, but then, you know, some clients have investments in third party tools and we can work with that.
>> So it's a perfect match for AWS cause you guys are all about providing tools for builders and here's some primitives, some APIs and Go, we don't want that highly customized snowflake for every single client.
>> Exactly. I mean, that's what I feel like the partnership with Deloitte is really bringing to the table for everybody and our mutual customers and builders out there that we both work with is again, they don't run from complexity or customization that security can be complex. It can be hard, Deloitte's helping making it much easier. The AWS Partner Network is helping kind of bring the ecosystem together and of software service, architectures that AWS recommend for like a security best practice around what to monitor, how to respond, what kind of enriched data should be added to that security finding and kind of pushing that out through our partnerships with it such as Deloitte.
>> One of the things that, I mean, certainly big takeaway from this event, the security tracks that re:Invent, previous Re-inforce events is AWS imparting, educating its customers on best practice and how tos and things that they should be thinking about, you know, do this, don't do that. In 2019, it was a lot about, hey guys, there's this shared responsibility model and kind of explaining that, we're way, way beyond that now, should we think about Deloitte sort of as an extension of that best practice AWS expertise that can be applied at your clients? I'll go to Deloitte because I don't have the talent to deal with that. I mean, I got talented people, but I just don't have enough of them.
>> Exactly. Yeah. Yeah. And that's really, you know, our offerings tend to be comprehensive across all the domains. And like I said, the full life cycle of security operations all the way from, you know, identify the issue to resolve it and recover from it. And, you know, when we look at the shared responsibility model, you know, we like to say, hey, we will take you really far up that stack, that customer responsibility area, you know, for our service, we cover a significant portion of that landscape on our client's behalf cause, you know, what do they care about? Deploying workloads, getting the application running, right? Security is just another one of those important, necessary things, but it just sort of standing between you and the business value of your workload.
>> And your ideal target customer would be a large medium up to a large enterprise or is all exclusively large or?
>> Definitely not exclusively large. You know, the fact that we have all the automation that we do, we have a significant portion of our security operations folks are offshore allows us to be really competitive. And so we're able to serve clients that maybe, you know, in years past wouldn't have been what you'd think of as traditional. So like clients leveraging the marketplace, you know, we're able to serve that market segment.
>> So billion dollar up kind of revenue? Does that sound about right?
>> Yeah. Even south of that a bit.
>> Okay. So maybe half a billion or 500 million up.
>> Yeah.
>> Okay. So thinking about that ideal sort of profile, if you don't know, you don't know, I'm going to ask you to guess.
>> Yeah.
>> What percent of those target companies, enterprises, have a SOC? Is it 100%, 50%, you know, or are you-
>> 75, 75% most so.
>> Okay. So let's say 3/4.
>> Yeah.
>> So you complement the SOC, right? You're not the SOC, but you may be in some cases?
>> Depending, now we're talking about it's a function of what their IT enterprise landscape looks like. If they're 100% AWS, yeah. If you're born in the cloud startup and, you know, you don't do anything else and we have, you know, we have a few of those. Right. And they want to give us everything. They're like, you know, our security guys just going to kind of understand what you guys are doing and feel good about it. Yeah. We do that. But for the most, there is an existing SOC. Right. And so what we do is we leverage, you know, an ITSM software to e-bond with our clients' service management functions so that when we're generating tickets, they have full visibility to what's going on. We're still resolving things on their behalf, we need to communicate with some clients, right? Cause a lot of security issues that need to get resolved require engagement with the asset owner. So we're not just a black box. So we do have to talk to folks on the ground at the client to resolve issues.
>> And that's actually one thing that really impressed me to getting to know Aaron and his team more and more throughout this journey together in the partnership is they're not throwing alerts over the fence to the customer's SOC team saying, well, here's some recommended remediation steps, they're actually rolling up their sleeves and doing some remediation themselves and informing the customer. This was taken care of for you. I think that's really unique.
>> Yeah. In addition to, you know, our solution obviously has a bunch of auto-remediations, you know, that we do as part of the solution.
>> So what's the engagement like? What's the conversation like when people come to you? Say I have a problem, it's blank, right? What are the typical blank-
>> You know, a lot of it has been organizations where there's either a business unit that has kind of maybe off run and doing their own thing. And, you know, it's only sort of come to light with the compliance and security organization inside the client that like, hey, these guys maybe need some help. And boy, we're really strapped. We don't have the people cause talent's so tight to go help these guys and make them get it right. We're going to go ahead and keep them kind of off to the side. And you know, we'll do this managed service to help get that addressed. And then another typical scenario is when companies are acquired. So, you know, organization buys a company and they've got a preexisting. Again, they look under the covers and they're like, oh, these guys really need some help because of the way that we deploy everything as infrastructure as code really very quickly, it's a great way to just kind of get it sorted. It's a metered service. So it's not some massive investment that they have to make. We could just get it sorted out until maybe they get a chance to process and actually onboard that new entity into their enterprise structure.
>> So as part of the MSSP program within AWS, you got to be really good at understanding how to utilize the AWS portfolio of cyber security services natively. So you do that, does that check the box on everything you need or do clients typically say, no, no, you got to integrate with all this other mess that I have there. Can you sweep that mess aside and say, hey, I can do this all in the cloud or what's that dynamic like?
>> The answer is, yes, both. Right? So, you know, typically clients will have significant investments in existing third party tools and then either politically because of the investment or from a practical standpoint it makes sense to integrate those. Now that does slow down, you know, the deployment and the customization a bit, but, you know, and a lot of times that makes sense for the client.
>> Well, it gets hairy. Like you said, you love these kind of hairy problems, right?
>> Yeah, that's right.
>> You run towards that.
>> That's right. We run towards fire.
>> And, Ryan, your focus on partners is all partners or is it really the MSSPs or?
>> All partners, all kinds of partners in the security space, right?
>> Right, right. Yeah. Of course.
>> Software companies, professional services, managed services. And we're focused on trying to make the security easier for both of our mutual customers here. Right? So that what you mentioned about best practices and, you know, how do you tell what best practices are per AWS service or third party software that's operating in an AWS environment? That's part of what our team does is we create these partner programs. There's a very detailed, very prescriptive technical checklist that our internal security experts are going through with Deloitte folks, for example, as a part of their membership and the level one MSSP program to make sure that, right? Those best practices which could be fresh off the AWS documentation truck are built into their services. And the reason those best practices exist is for a good reason. They're built, tried and tested, you know, in our own environments before they reach the documentation website. But all of that is incorporated into that whole kind of validated checklist that we do together. So it's a great way to make sure that operations from partners like Deloitte, software delivered, customization delivered, aligns with what we're able to see from just our Amazon culture of being so customer obsessed and really listening to all of those very specific challenges they might have that the customer will have at different points in their cloud journey. Those challenges are baked directly into key technical requirement criteria that Deloitte's teamed up with us to go achieve.
>> What are you seeing at the macro, Aaron? When we talked to practitioners where we'll survey, we have a survey partner called ETR and they'll do spending surveys coming into the year of CIOs and IT buyers, we're expecting 8%, eight to 8 1/2% budget growth, post Ukraine, inflation, Fed tightening, you know, the tech lash, all that. It's dialed down a bit, it's still pretty robust it's 6% and security still remains the number one priority. And we've seen a little bit of momentum deceleration even in security spend across the board, but not anything, you know, tragic. Are you seeing the same or are you seeing security budgets kind of where they were expected to be at the beginning of the year?
>> Yeah, you know, I haven't seen it decline. I mean, I think the fact of the matter is for all the things that we talked about before, right? Basically the skill shortages and just the coordination with other cloud programs, there's a tremendous backlog of stuff that needs to be done. And, you know, enterprises have more appreciation now for the need for all, you know, all the various, you know, ransomware things that have happened and others that, hey, they need to get a handle on the security and their environment. And so I think a lot of what's been going on in the last year, the reason it hasn't been faster, hasn't been for a lack of appetite. It's just been a lack of skills and process to do it.
>> Has the business case changed? And the variables maybe the same, but it used to be, hey, if you don't do this, you're exposed. Okay. Here's the fear of getting, you know, infiltrated and then it's going to became if you want to quantify it, it's like, okay, what's the expected loss with, and without, you know, the kind of think of insurance terms. Is the business case shifting with digital toward this is a fundamental component of monetization in order to be able to monetize, you have to ensure this level security. Are we there yet?
>> Yeah, I think so. I don't think anyone's arguing whether it's, you know, needed or not. Right. So now it's a question of, hey, and I think CJ Moses had a good slide in the opening yesterday where he was saying, you know, was it, make the secure path, the path of least resistance. Right? And so that's a big part of, you know, how we deliver our solution. We really want to make it easy for the enterprise to absorb the security services that we have. Right? And that's really critical. I think that's where the focus is, is make it easier to do security because the value comes right along with it.
>> All right. I'll give you each the final word, Ryan, you go first then Aaron kind of put a bumper sticker on Re-inforce 2022.
>> It's not slowing down. It's only picking up in terms of innovation, software tools, operational processes, and some of the unique ways that all these tools are tied together. Third party, native AWS, consulting, the way these services come together, it's only accelerating. It's been pretty exciting to see some of the innovation here this time at this Re-inforce.
>> Right, Aaron, what do you say?
>> Yeah, I would agree. I mean, just the breadth of capabilities, the new announcements by AWS of the capabilities in their solution stack. I mean, for me, you know, I just kind of wonder like when does it narrow or when does it settle down and I know that that's not now.
>> Keep waiting.
>> Yeah.
>> But, yeah, I think, you know, we will continue to see you know, just rapid acceleration and new features and services that...
>> I often say the next decade at cloud ain't going to be like the last. So gentlemen, thanks for coming on The CUBE. It's great to see you.
>> Thanks for having us. Thank you everything.
>> All right, thank you for watching. Keep it right there. This is Dave Vellante for The CUBE. We'll be back right after this short break from Boston AWS Re-inforce 2022. (soft music)

Published Date : Jul 27 2022


Merritt Baer, AWS & Shariq Qureshi, Deloitte | AWS re:Inforce 2022

Okay. We're back at AWS reinforced 2022. My name is Dave Vellante, and this is the cube we're here in Boston, home of lobster and CDA. And we're here, the convention center where the cube got started in 2010, Shariq Qureshi is here the senior manager at Deloitte and two LL P and merit bear is back on the cube. Good to see >>You guys can't keep me away, >>Right? No. Well, we love having you on the cube shark set up your role at, at Deloitte and toosh what do you actually, what's your swim lane, if you will. >>Yeah, sure. You know, I spend, I wear a lot of hats. I spend a lot of time in the assurance, the controls advisory audit type of role. So I spend our time, a lot of time working with our clients to understand, you know, regulatory requirements, compliance requirements, and then controls that they need to have in place in order to address risks, technology risks, and ultimately business risks. >>So I like to put forth premise, you know, when I walk around a show like this and come up with some observations and then I like to share 'em and then people like me. Well, you know, maybe so help me course correct. My epiphany at this event is the cloud is becoming the first line of defense. The CISO at your customers is now the second line of defense. I think audit is maybe the th third line of defense. Do, do you buy that the sort of organizational layered approach? >>No, because in fact, what we're here to talk about today is audit manager, which is integrated, right? Like if you're doing so the whole notion of cloud is that we are taking those bottom layers of the stack, right? So the concrete floors up through layer for the hypervisor, the, the racks and stacks and HVAC and guards and gates up through the hypervisor, right? Our, our proprietary hardware nitro ecosystem, which has security inheritance is okay upon that. We are then virtualized. Right? 
And so what we're really talking about is the ways that audit looks different today, that you can reason about what you're doing. So you're doing infrastructure as code. You can do securities code, you can do compliances code, and that's the beauty of it. So like for better, or in your case for worse in your analogy, you know, these are integrated, these are woven together and they are an API call >>Seamless. >>It, it is like easy to describe, right? I mean, like you can command line knowledge about your resources. You can also reason about it. So like, this is something that's embedded, for example, an inspector you can do network reachability know whether you have an internet facing endpoint, which is a PCI, you know, requirement, but that'll be dashboarded in your security hub. So there's the cloud is all the stuff we take away that you don't have to deal with. And also all the stuff that we manage on top of it that then you can reason about and augment and, and take action on. >>Okay. So at the same time you can't automate the audit entirely. Right? So, but, but talk about the challenges of, of, of, of automating and auditing cloud environment. >>Yeah. I mean, when I look at cloud, you know, organizations move to take advantage of cloud characteristics and cloud capabilities, right? So elasticity, scalability is one of them. And, you know, for market conditions, business, business outcomes, you know, resources expand and contract. And one of the questions that we often get as an auditor is how do you maintain a control environment for resources that weren't there yesterday, but are there today, or that are, that are no longer there and that are there today. So how do you maintain controls and how do you maintain security consistently uniformly throughout an audit environment? It's not there. So that's a challenge auditors, you know, historically when you look at the on-prem environment, you have servers that are there, it's a physical, it's a physical box. 
You can touch it and see it. And if it goes down, then, you know, it's still there. You can hug
>>It if you're some people
>>It's still there. So, but you know, with, you know, with cloud things get torn down that you don't see. So how do you maintain controls? That's, you know, it, one challenge, it
>>Sounds like you're describing a CMDB for audit.
>>I mean, that's a, that's an outcome of having, you know, getting good controls, of having a CMDB to keep track and have an inventory of your assets.
>>But the problem with CMDBs is they're out of date, like so, so quickly. Is it different in the cloud world?
>>Yeah, exactly. I mean, yes. And yes, they are out of date. Cuz like anything static will be manual and imprecise, like it's gonna be, did John go calculate, like go count how many servers we have. That's why I was joking about server huggers versus like virtualizing it. So you put out a call and you know, not just whether it exists, but whether it's been patched, whether it's, you know, like there are ways that we can reason about what we've done, permissioning pruning, you know, like, and these, by the way, correspond to audit and compliance requirements. And so yes, we are not like there, it's not a click of a, whatever, a snap of the fingers, right. It takes work to translate between auditors and us. And it also takes work to have customers understand how they can augment the way that they think about compliance. But a lot of this is just the good stuff that they already need to be doing, right? Knowing internet facing endpoints or whatever, you know, like pruning permissioning. And there's a lot of ways that, you know, Access Analyzer, for example, these are automated reasoning tools that come from our formal reasoning group, automated reasoning group that's in identity. Like they, computers can reason about things in ways that are more complex, as long as it can be resolved. It's like EEU utility in mathematics.
You don't go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it.
>>Okay. So hearing that there's a changing landscape yeah. In compliance, a shift from a lot of manual work to one that's much more highly automated, maybe not completely integrated and seamless. Right. But, but working in that direction, right. Yeah. Is that right? And maybe you could describe that in a little bit more detail, how that, you know, journey has progressed.
>>I mean, just the fact alone that you have, you know, a lot of services, a lot of companies that are out there that are trying to remove the manual component and to automate things, to make things more efficient. So then, you know, developers can develop and we can be more agile and do the things that, you know, really what the core competencies are of the business, to remove those manual, you know, components, to take out the human element, and there's a growing need for it. You know, like we always look at security as, you know, like a second class citizen, we don't take advantage of, you know, the, you know, the opportunities that we need to, to do to maintain controls. So, you know, there's an opportunity here for us to look at and, and automate compliance, to automate controls and, and to make things, you know, seamless
>>As a fun side benefit, you will actually hopefully have improved your actual security and also retain your workforce, because people don't wanna be doing manual processes. You know, they wanna be doing stuff that humans are designed for, which is creative thinking, innovation, you know, creating ways to make new pathways instead of just like re-walking these roads that a computer can analyze,
>>You mentioned Audit Manager, what is that? I mean, let's give a plug for the product or the service. What's that all about? What problems does it solve? Let's get
>>Into that. Yeah. I mean, Audit Manager is a first of its kind service.
You're not gonna find this offered through any other hyperscaler. It's specifically geared and tailored towards the second line, which is security and compliance, and a third line function, which is internal audit. So what is it looking to do and what is it looking to address? Some of those challenges working in a cloud space, working, and if you have a cloud footprint. So for example, you know, most organizations operate in a multi-account strategy, right? You don't just have one account, but how do you maintain consistency of controls across all your accounts? Audit Manager is a service that can give, you know, kind of that single pane of view to see across your entire landscape. Just like a cartographer has a map to see, you know, the entire view of what he's designing, Audit Manager does the same thing, only from a cloud perspective. So there's also other, you know, features and capabilities that Audit Manager is trying to integrate, you know, that presents challenges for those in compliance, those in the audit space. So, you know, most companies, organizations, they have, you know, not just one framework like SOC 2 or GDPR, HITRUST, HIPAA, PCI, you know, you can select an industry accepted framework and evaluate your cloud consumption against, you know, an industry accepted framework to see where you stand in terms of your control posture, your security hygiene,
>>And that's exclusive to AWS. Is that what you're saying? You won't find that on any other hyperscaler
>>And you'll find similarities in other products, but you won't find something that's specifically geared towards the second line and third line. There's also other features and capabilities to collect evidence, which is, I don't see that in the marketplace.
>>Well, the only reason I ask that is because, you know, you, everybody has multiple clouds and I would love, I would love a, you know, an audit manager that's, that spans, that transcends, you know, one cloud. Is that possible?
Or is that something that is just not feasible because of the, the, the deltas between clouds?
>>I mean, anything's possible with the APIs right now, the way that, you know, you have to ingrain in, right. There's, you know, a, a feature that was introduced recently for Audit Manager was the ability to pull in APIs from third party sources. So now you're not just looking, looking exclusively at one cloud provider, you're looking at your entire digital ecosystem of services, your tools, your SaaS solutions that you're consuming, to get a full, comprehensive picture of your environment.
>>So compliance, risk, audit, security, they're like cousins that are all sort of hanging out on the same holiday, but, but they're different. Like what, help us understand and squint through those different disciplines.
>>Yeah. I mean, each of them have, you know, a different role and a hat to wear. So internal audit is more of your independent arm of management, working or reporting directly towards, you know, to the audit committee or to the board, to give an independent view on company control and posture. Security and compliance works with management to help design the controls that are intended to prevent, detect, or even correct, you know, controls breakdowns, you know, those action, those action verb items that you wanna prevent: unauthorized access, or you wanna restrict changes from making their way into production unless it's approved and, and documented and tracked, and so on and so forth. So each, you know, these roles, they're very similar, but they're also different in terms of what their function is.
>>How are customers dealing with regional differences? You mentioned GDPR, different regulations, data sovereignty. What are the global nuances and complexities that, that, that cloud brings? And how are you addressing those?
>>Yeah. Merritt, I don't know if you had any thoughts on that one.
>>I mean, I think that a lot of what, and this will build off of your response to the sort of Venn diagrams of security and risk and compliance and audit. I think, you know, what we're seeing is that folks care about the same stuff. They care about privacy. They care about security. They care about incentivizing best practices. The form that that takes when it's a compliance framework is by definition a little bit static over time. Whereas security tends to be more quickly evolving, with standards that are like industry standards. And so I think one of the things that, you know, all these compliance frameworks have in, in mind is to go after those best practices. The forms that they take may take different forms. You know what I mean? And so I, I see them as hopeful in the motivation sense that we are helping entities get the wherewithal they need to grow up or mature or get even more security minded. I think there are times that they feel a little clunky, but you know, that's just frank. Yeah.
>>It, it, it can Audit Manager sort of help me solve that problem? Is that the intent? And I see what you're saying, Merritt, that there security is at a different pace than, than, you know, GDPR, a privacy, you know, person,
>>Right. I mean, like security says, we want this outcome. We want to have, you know, data be protected. The compliance may say, it must be this particular encryption standard. You know what I mean? Like the form I see things taking over time will evolve and, and feels dynamic. Whereas I think that sometimes when we think about compliance, and it's exactly why we need stuff like Audit Manager, is to like help manage exactly what articulation of that are we getting in this place at this time for this regulated industry? And like almost every customer I have is regulated. If you're doing business, you're probably in PCI, right.
>>And there's never just one silver bullet.
So security is, is a number of things that you're gonna do, the number of tools that you're gonna have. And it's often the culture in, in what you develop in your people, your process and technology. So Audit Manager is one of the components of a robust strategy on how to address security.
>>But it's also one of those things where like, there are very few entities, maybe Deloitte is one, that are like built to do compliance. They're built to do manufacturing, automotive, hospitality. Yeah. You know, like they're doing some other industry as their industry. Right. And we wanna let them have less lag time as they make sure that they can do that core business. And the point is to enable them to move our, I mean like sure. I think that folks should move to the cloud because of security, but you don't have to, you should move because it enables your business. And this is one of the ways in which it just like minimizes, you know, like whatever our tailwinds lagging or push it anyway, it pushes you. Right. I mean, like it minimizes the lag
>>Definitely tailwind. So are you suggesting, Merritt, that you can inject that industry knowledge and specificity into things like Audit Manager and, and actually begin to automate that as, and of course Deloitte has, you know, industry expertise, Shariq, but, but, but how should we think about that?
>>I mean, you're gonna, you're gonna look at your controls comprehensively across the board. So if you operate in an industry, you're gonna look to see like, what's, what's important for you. What do you have to, you know, be mindful of? So if you have data residency concerns, you wanna make sure that you've tailored your controls based on the risks that you're addressing.
So if there's a framework
>>And remember that you can go in the console and choose what region you're, you know, like we never remove your data from your region that you have chosen, you know, like this is, there's an intentionality and an ability to do this with a click of a mouse or with an API call that's, you know, or with a CloudFormation template. That's like, there is a deliberateness there. There's not just like best wishes.
>>You know,
>>ESG is in scope, I presume, you know, helping the CISO become more green, more diverse. Increasingly you're seeing ESG reports come out from major organizations. I presume that's part of the compliance, but maybe not, maybe it hasn't seeped in yet. Are you seeing
>>For that? I think it's still a new service, Audit Manager. It's still, you know, being developed, but, you know, continuous feedback to make sure that, you know, we're covering a, a broad range of services and, and, and those considerations are definitely in the scope. Yeah.
>>I mean, are you hearing more of that from
>>Clients? So, I mean, we have an internal commitment to sustainability, right. That has been very publicly announced and that I'm passionate about. We also have some other native tools that probably, you know, are worth mentioning here, like Security Hub that does, you know, CIS benchmarking and other things like that, that are traffic lighted in their dashboard. You know, like there are ways, a lot of this is going to be the ways that we can take what might have been like an ugly ETL process and instead take the managedness on top of it and, and consume that and allow your CISO to make high velocity decision, high velocity, high quality decisions.
>>What's the relationship between your two firms? How do you work
>>To I'm like we just met.
>>Yeah. I sense that, so is it, is it, how do you integrate, I guess is
>>A question. Yeah.
I mean, I mean, from the audit perspective, our perspective, working with clients and understanding, you know, their requirements and then bringing the service, Audit Manager, from the technical aspect and how we can work together. So we have a few use cases, one we've been working with a tech company who wanted to evaluate, you know, a production workload that had content, you know, critical client information, client data. So they needed to create custom controls. We were working with them to create custom controls, which Audit Manager would evaluate their environment, which would, you know, there's a reporting aspect of it, which was used to, you know, to present to senior leadership. So we were working together with AWS on helping craft what those custom controls were and implement at the customer.
>>Yeah. I mean, among other things, Deloitte can help augment workforce. It can help folks interpret their results when they get outputs and act upon them and understand industry standards for responsiveness there. I mean, mean like it's a way to augment your approach by, you know, bringing in someone who's done this before.
>>Yeah. Cool, cool. Collaboration on a topic that's generally considered, sorry. Don't, don't hate me for saying this, boring, but really important. And the fact that you're automating again makes it a lot more interesting, guys. Excellent. Thanks, Shariq, first time on theCUBE. Thank you. Absolutely on, appreciate it. Rapidly. Becoming a VIP. Thanks. Coming on. Hey, I'll take it. All right. Keep it right there. Thank you. This is Dave Vellante for theCUBE. You're watching our coverage of AWS re:Inforce 2022 from Boston. We'll be right back.

Published Date : Jul 27 2022



Andy Smith, Laminar | AWS re:Inforce 2022


 

>>Welcome back to Boston, everybody. You're watching theCUBE's coverage of AWS re:Inforce 22 from Boston, the land of chowder, lobster, the Sox, a ruin in my summer. Andy Smith is here, he is the CMO of Laminar. Andy, good to see you. Good
>>To see you. Great to be
>>Here. So Laminar came outta stealth last year, 2021, sort of, as we were exiting the isolation economy. Yeah. Why was Laminar started?
>>Really about, there's, there's two mega trends in the industry that, that created a problem that wasn't being addressed. Right? So the two mega trends was cloud transformation. Obviously that's been going on for a while, but what most people doesn't don't realize is it really accelerated with COVID, right? Being all, everybody having to be remote, et cetera, various stats I've read, like increased five times, right? So cloud transformation, are now you are now problem, right? That's going on? And then the other next big mega trend is data democratization. So more data in the cloud than ever before. And this is, this is just going and going and going. And the result of those two things, more data in the cloud, how am I securing that data? You know, the, the, the breach culture we're in, like every day, a new, a new data breach coming up, et cetera, just one Twitter, one yesterday, et cetera. The, those two things have caused a gap with data security teams and, and that's what he
>>Heard at attract. Yeah. So, you know, to your point, and we track this stuff pretty carefully quarterly, and you saw, it was really interesting trend. You actually saw AWS's growth rate accelerate during the pandemic. Absolutely. You know? Absolutely. So you're talking about, you know, a couple of hundred billion dollars for the big four clouds. If you, if you include Alibaba, and it's still growing at 35, you know, 40% a year, which is astounding, so, okay. So more cloud, more data. Explain why that's a, a problem for practitioners.
>>Yeah, exactly. The reality is in, in the security, what, what are we doing?
What all the security, it's about protecting your data in the end, right? Like, like we're here at this at, at re:Inforce, all these security vendors here, really it's about protecting your data, your sensitive data. And, but what, what had been happening is all the focus was on the infrastructure, the network, et cetera, et cetera, and not as much focus, particularly on the data, and, and the move to the cloud gave the developers and the data scientists way more power. They no longer have to ask for permission. And so they can just do what they want. And it's actually wonderful for the business. The business is moving faster, you spin up applications sooner, you get new, new insights. So all those things are really great, but because the developer has so much power, they can just copy data over here, make a backup over here, new et cetera. And, and security has no idea about all these copies of the, of the data that are out there. And they're typically not as well protected as that main production source. And that's the gap that
>>Exists. Okay. So there was this shift from sort of perimeter, hardening the perimeter, hardening the infrastructure and, and now your premise is, it's moving to the data. We saw when, when there was, during the pandemic, there was definitely a shift to endpoint security. There was a shift to cloud security, rethinking the network, but it was still a lot of, you know, kind of cha chasing the whackamole, and people have talked about this is a data problem for years. Yeah. But it was, it's taken a while for, for companies, for the technology industry to, to come at it. You guys are one of the first, if not the first. Yeah. Why do you think it took so long? Is this cuz it's really hard?
>>Yeah. I mean, it, it's hard. You need to focus on it. The, the traditional security has been around the network and the box, right. And those are still necessary.
It's important to, you know, your use identity to cover the edge, to, to make sure people can't get into the box, but you also have to have data. So what, what happens is there's really good solutions for enterprise data security, looking at database, you know, technology, et cetera. There are good solutions for cloud infrastructure security. So the CSPMs of the world and the CWPPs are protecting containers, you know, protecting the infrastructure. But there really wasn't much for cloud, everything you build and run in the cloud. So basically your custom application, your custom applications in the IaaS and PaaS environments, there really wasn't anything solving that. And that's really where Laminar is focused.
>>Okay. So you guys use this term shadow data. We talk about shadow IT. What's shadow data?
>>Yeah. So what we're finding at a hundred percent of our customer environments and our POVs and talking to CISOs out there is that they have these shadow data assets and shadow data elements that they have no clue that existed. So here's the example. Everybody knows the main RDS database that is in production. And this is where, you know, our, our data is taken from. But what people don't realize is there's a copy of that. You know, in a dev environment, somebody went to run a test and they was supposed to be there for two weeks. But then that developer left, forgot, left it there. They left the company, oh, now it's been there for two years. That there was an original SQL database left over from a lift and shift project. They got moved to RDS, but nobody deleted that thing there, you know, it's a database connected to an application, the application left, but that database, that abandoned database, is still sitting. These are all real life customer examples of shadow data that we run into. And there's, and what the problem is, that main production data store is secured pretty well. It's following all your policies, et cetera.
But all these shadow data resources are typically less well protected, unmonitored. And that is what the attackers are after.
>>So you're, you know, the old, the, the Watergate, follow the money, you're following the data,
>>Following the data.
>>How do you follow that data if there's so much of it, it, and it's, you know, sometimes, you know, not really well understood where it is. How do you know where
>>It is? Yeah. It's the beauty of partnering with somebody like AWS, right? So with each of the cloud providers, we actually take a role in your cloud account and use the APIs from the cloud provider to see all the changes in all the instances that are going on. Like it is, the problem is way more complicated in the cloud because, I mean, AWS has over 200 services, dozens of ways to store data, right. It's wonderful for the developer, but it's very hard for the security practitioner. And so, because we have that visibility through the cloud provider's APIs, we can see all those changes that are happening. We can then say, ah, that's a data store. Let me go analyze, make a copy, have a snapshot of that and do the analyzing of that data right inside our customer's account without pulling the data out. And we have complete visibility to everything. And then we can give that data catalog over to the customer.
>>All right. I gotta ask you a couple Columbo questions. So if you know, we talk about encryption, everything's encrypted, everything. If, if the data is encrypted, why then would I need Laminar?
>>Because, I mean, we'll make sure that the data's encrypted, okay. Right. Often. So it's not supposed to be and not, right. Two is, we're gonna tell you what type of data is inside there. Oh, is this, is this health information? Is it personal identify information? Is it credit cards? You know, et cetera. So we'll classify the data for you. We will also, then there's things like retention period.
How long should we, I hold onto that data, all the things about what are, who has access, what's the exposure level for that data. And so when you, when you think about data security posture, what's the posture of that data, you're looking at, at those data policies. It's something that has been very well defined and written down. But in the past, there was just no way to go verify that those, that, that, that policy is actually being followed. And so we're doing that verification automatically.
>>So without the context, you can't answer those other questions. So you make sure it's encrypted. If it's not, or you can at least notify me that it's not, you don't do the encryption. Right. Or do you,
>>We don't do it ourselves, but we can give you, here. Here's the command in, in the Amazon to go encrypt it
>>Right. Then I can automate that. And then the classification is key because now you're telling me the context. So I can say, okay, apply this policy to that data, retain it for this long, get rid of it after X number of years, or if it's work process, get rid of it now. Yeah. And then who should have access to that data. And so you can help at least inform how to enforce those policies.
>>Exactly. And so we, we, we call it guided remediation, because what we're, you know, talking to a CISO, they're like, I need 400 more alerts like a hole in the head. Like that doesn't do me any good. If you can't tell me how to resolve the, the, the, this security gap that I have or this, then it doesn't do any good. And, and the first, first it starts with who do I need to go talk to? Right. So they have hundreds, if not thousands of developers. Oh, great. You found this issue. I, I, I don't know who to go. Like, I can't just delete it myself, but I need to go talk to somebody. Really, should this be deleted? We need, do we really, really need to hold onto this? So we, we help guide who the data owner is. So we give you who to talk to. You, give you all the context.
Here's the data, here's the data asset that it's in. Here's our suggestion. Here's the problem. Here's our suggestion for
>>Solution. And you started the company on AWS
>>Started on AWS. Absolutely.
>>So what's, of course it's best cloud and why not start there? So what's the relationship like? I mean, how'd you get started? You said, okay, hey, we're, we got an idea for a company. We're gonna build it on AWS. We're gonna become a customer. We're gonna, you know,
>>We actually, so Insight Partners is our main investor. Yeah. And they were very helpful in giving us access to literally hundreds of CISOs, who we had conversations with before we actually launched the company. And so we did some shifting and to, to figure out our exact use case. But by the time we came to market, it was in February this year, we actually GAed the product that, where like product market fit nailed, because we'd had so many conversations that we knew the problem in the market that we needed to solve. And we knew where we needed to solve it first. And, and the, the, the relationship with AWS is great. We just got on the marketplace, just became a, a partner. So really good. Good
>>Start. So I gotta ask you, so I always ask this question. So how do you actually know when you have product market fit?
>>You, it's about those conversations. Right. You know, so like, I, I've been to lots of startups and sometimes you're, you're, you, you each have a conversation and then they, they saying, oh, well kind of want this. And we kind of like that. And so it, the more conversations you have, the more, you know, you're solving a real problem. Right. And, and, and, and, and you re react to what that, what that prospect is telling you back and, or that advisor or that whoever we're talking to. And, and every single one of the CISO conversations we had was, I don't have a good inventory of my data in the cloud.
>>The reason I asked that, cause I always ask the startups, like, when do you scale?
Cause I think startups sometimes scale too fast. They try to scale too fast, they'll hire 50 sales people. And then they, you know, churn, you know, they, they got a 50% churn, but they're trying to optimize their go to market when they got 50% of their customers are gonna leave. So it's, it's gotta be the sequential thing. So, so you got product market fit. So are, are you in the scaling phase
>>Now? We are. Yeah. Yeah, yeah. So now it's about how quickly can we deliver? We, we, we're ramping customer base significantly. And, and you know, we've got a whole go to market team in, you know, sales and marketing in the US and, and often off to the races
>>And you just run on AWS, or you run on other clouds?
>>It's multi-cloud, so AWS, Azure, GCP, et cetera.
>>Okay. So then my least my next question is it sort of, you can do this within each of the individual clouds today. Do you see a day, and maybe it's here today, where you can create a single experience across those clouds?
>>Today. It's a single experience across cloud. So our SaaS, we have our SaaS portion runs in AWS, but the actual data analysis runs in each cloud provider. So AWS, Azure, GCP, and Snowflake too, actually.
>>Ah, okay. So I come through your, whatever, portal, like if I can use that term. Yep. And that's running on AWS. Yes. Your SaaS, as you say, and then you go out to these other environments, GCP, Azure, AWS itself, and Snowflake. Yep. And I see Laminar, is that right? Or
>>There's a piece running inside our customer's environment. Okay. So, so we have a customer, they, the, we have, we get a role inside of their cloud account, or read only role inside of their cloud account. And we spin up serverless functions in that cloud account. That's where all the analysis happens. And that's why we don't take any data out of the environment. So it all stays there. And, and therefore we don't, we don't actually see the data outside of the environment. Like, I, I can tell you there's a metadata comes out.
I can tell you, there are credit cards inside that data store, but I can't tell you exactly which credit card it is cuz I don't know. So all the important actions happens are there and just the metadata metadata comes out. So we can give you a cross cloud dashboard of all your sensitive data. >>And of course, so take the example of snowflake. They're going across clouds, they're building what we call super cloud sort of, of a layer that floats on top. You're just sort of going wherever that data goes. >>Yeah, exactly. So, so each of there's a component that lives in the customer's environment in the, in those multi-cloud environments and then a single view of the world dashboard that is our SaaS component that runs an AWS. So >>You guys are, is, am I correct? You're series a funded >>Series, a funded yeah, exactly. >>And, and already scaling to go to market. Yeah. Which is, which is early to scale. Right. I mean you've got startup experience. Right? >>Absolutely. >>How does it compare? >>Well, what was amazing here was access. I mean, really it was through the relationship with insight. It was access to the CISOs that I had never had at any of the other startups I was with. You're trying to get meetings, you're meeting with a lot of practitioners, you know, et cetera. But getting all those conversations with buyers was, was super valuable for us to say, ah, I know I'm solving a real problem that has value that they will pay for. Right. And, and, and so that, that was a year and a half probably still of all that work going on. We just, just waited to GA until we understood the market >>Better. Yeah. Insight. They're amazing. The way to talk about scaling. I mean, they've just the last 10 years that comp that, that PE firm has just gone wild in terms of just their, their philosophy, their approach, their cadence, their consistency. And now of course their portfolio. >>Yeah. And, and they started doing a little bit earlier and earlier stage. 
I mean, I, I always think of them as PE too, but you know, they, they did our seed round. Right. They did our a round and, and they're doing earlier stages, but particularly what they saw in Laar was exactly what we started this conversation with. They saw cloud transformation speeding up, they saw data democratization happening. They're like, we need to invest in this now because this is a now a problem to solve. >>Yeah. It's interesting. Cuz when you go back even pre 2010, you talk to, you know, look at insight, they would wait. They would invest in companies unless there was, you know, on the way to five plus million dollar ARR, they weren't doing seed deals. Totally. Like they saw, wow, these actually can be pretty lucrative and we can play and we have a point of view and yeah. So cool. Well, congratulations. I'll give you the final word. What, what should we be watching for from, from Laar as sort of, you know, milestones that you guys want to hit and, and indicators of success. >>Yeah. Now it's all about growth partnerships, you know, integrations with, with other of the players out here. Right. And so, you know, like scaling our AWS partnership is one of the key aspects for us. And so, you know, just look for, look for the name out there and, and you'll start, you'll start to see it a lot more. And, and if, if you have the need, you know, come look us up. Laar security.com. >>Awesome. Well thanks very much for coming to Cuban. Good luck. Appreciate it. All right. >>Wonderful. Thanks. You're >>Welcome. All right. Keep it right there, everybody. This is Dave ante. We'll be back right after this short break from AWS reinvent 2022 in Boston. You're watching the cue.

Published Date : Jul 27 2022


David Hatfield, Lacework | AWS re:Inforce 2022


 

(upbeat music)
>> We're back in Boston, theCUBE's coverage of Re:Inforce 2022. My name is Dave Vellante. Dave Hatfield is here. He's the co-CEO of Lacework. Dave, great to see you again. Hat.
>> Thanks Dave.
>> Do you still go by Hat?
>> Hat is good for me. (Dave V laughing)
>> All right cool.
>> When you call me David, I'm in trouble for something. (Dave V laughing) So just call me Hat for now.
>> Yeah, like my mom, David Paul.
>> Exactly.
>> All right. So give us the update. I mean, you guys have been on a tear. Obviously the Techlash,
>> Yep.
>> I mean, a company like yours, that has raised so much money. You got to be careful. But still, I'm sure you're not taking the foot off the gas. What's the update?
>> Yeah no. We were super focused on our mission. We want to deliver cloud security for everybody. Make it easier for developers and builders, to do their thing. And we're fortunate to be in a situation, where people are in the early innings of moving into the cloud, you know. So our customers, largely digital natives. And now increasingly cloud migrants, are recognizing that in order to build fast, you know, in the cloud, they need to have a different approach to security. And, you know, it used to be that you're either going to be really secure or really fast. And we wanted to create a platform that allowed you to have both.
>> Yeah. So when you first came to theCUBE, you described it. We are the first company. And at the time, I think you were the only company, thinking about security as a data problem.
>> Yeah.
>> Explain what that means.
>> Well, when you move to the cloud, you know, there's literally a quintillion data sets, that are out there. And it's doubling every several days or whatever. And so it creates a massive problem, in that the attack surface grows. And different than when you're securing a data center or device, where you have a very fixed asset, and you kind of put things around it and you kind of know how to do it. When you move to the shared ephemeral massive scale environment, you can't write rules, and do security the way you used to do it, for data centers and devices. And so the insight for us was, the risk was the data, the upside was the data, you know? And so if you can harness all of this data, ingest it, process it, contextualize it, in the context of creating a baseline of what normal is for a company. And then monitor it constantly in real time. Figure out, you know, identify abnormal activity. You can deliver a security posture for a company, unlike anything else before. Because it used to be, you'd write a rule. You have a known adversary or a bad guy that's out there, and you constantly try and keep up with them for a very specific attack surface. But when you move to the cloud, the attack surface is too broad. And so, the risk of the massive amount of data, is also the solution. Which is how do you harness it and use it with machine learning and AI, to solve these problems.
>> So I feel like for CISOs, the cloud is now becoming the first line of defense.
>> Yep. The CISO is now the second line. Maybe the auditing is the third line. I don't know.
>> Yeah.
>> But, so how do you work with AWS? You mentioned, you know, quadrillion. We heard, I think it was Steven Schmidt, who talked about in his keynote. A quadrillion, you know, data points of a month or whatever it was. That's 15 zeros. Mind boggling.
>> Yeah.
>> How do you interact with AWS? You know, where's your data come from? Are you able to inspect that AWS data? Is it all your own kind of first party data? How does that all work?
>> Yeah, so we love AWS. I mean we ultimately, we started out our company building our own service, you know, on AWS. We're the first cloud native built on the cloud, for the cloud, leveraging data and harnessing it. So AWS enabled us to do that. And partners like Snowflake and others, allowed us to do that. But we are a multi-cloud solution too. So we allow builders and customers, to be able to have choice. But we'd go deep with AWS and say, the shared responsibility model they came up with. With partners and themselves to say, all right, who ultimately owns security? Like where is the responsibility? And AWS does a great job on database storage, compute networking. The customer is responsible for the OS, the platform, the workloads, the applications, et cetera, and the data. And that's really where we come in. And kind of help customers secure their posture, across all of their cloud environments. And so we take CloudTrail data. We look at all of the network data. We look at configuration data. We look at rules based data and policies, that customers might have. Anything we can get our hands on, to be able to ingest into our machine learning models. And everybody knows, the more data you put into a machine learning model, the finer grain it's going to be. The more insightful and the more impactful it's going to be. So the really hard computer science problem that we set out to go do seven years ago, when we founded the company, was figure out a way to ingest, process, and contextualize mass amounts of data, from multiple streams. And then make sense out of it. And in the traditional way of protecting customers' environments, you know, you write a rule, and you have this linear sort of connection to alerts. And so you know, if you really want to tighten it down and be really secure, you have thousands of alerts per day. If you want to move really fast and create more risk and exposure, turn the dial the other way. And you know, we wanted to say, let's turn it all the way over, but maintain the amount of alerts, that really are only the ones that they need to go focus on. And so by using machine learning and artificial intelligence, and pulling all these different disparate data systems into making sense of them, we can take, you know, your alert volume from thousands per day, to one or two high fidelity critical alerts per day. And because we know the trail, because we're mapping it through our data graph, our Polygraph data platform, the time to remediate a problem. So figure out the needle in the haystack. And the time to remediate is 90, 95% faster, than what you have to do on your own. So we want to work with AWS, and make it really easy for builders to use AWS services, and accelerate their consumption of them. So we were one of the first to really embrace Fargate and Graviton. We're embedded in Security Hub. We're, you know, embedded in all of the core platforms. We focus on competencies, you know. So, you know, we got container competency. We've got security and compliance competencies. And we really just want to continue to jointly invest with AWS. To deliver a great customer outcome and a really integrated seamless solution.
>> I got a lot to unpack there.
>> Okay.
>> My first question is, what you just described, that needle in the haystack. You're essentially doing that in near real time?
>> Yep.
>> Or real time even, with using AI inferencing.
>> Yeah.
>> Describe it a little better.
>> You're processing all of this data, you know, how do you do so efficiently? You know. And so we're the fastest. We do it in near real time for everything. And you know, compared to our competitors, that are doing, you know, some lightweight side scanning technology, and maybe they'll do a check or a scan once a day or twice a day. Well, the adversaries aren't sleeping, you know, over the other period of time. So you want to make it as near real time as you can. For certain applications, you know, you get it down into minutes. And ideally over time, you want to get it to actual real time. And so there's a number of different technologies that we're deploying, and that we're putting patents around. To be able to do as much data as you possibly can, as fast as you possibly can. But it varies on the application of the workload.
>> And double click in the technology.
>> Yeah.
>> Like tell me more about it. What is it? Is it a purpose-built data store?
>> Yeah. Is it a special engine?
>> Yeah. There's two primary elements to it. The first part is the Polygraph data platform. And this is this ingestion engine, the processing engine, you know, correlation engine. That has two way APIs, integrates into your workflows, ingests as much data as we possibly can, et cetera. And unifies all the data feeds that you've got. So you can actually correlate and provide context. And security now in the cloud, and certainly in the future, the real value is being able to create context and correlate data across the board. And when you're out buying a bunch of different companies, that have different architectures, that are all rules based engines, and trying to stitch them together, they don't talk to each other. And so the hard part first, that we wanted to go do, was build a cloud native platform, that was going to allow us to build applications, that sit on top of it. And that, you know, handled a number of different security requirements. You know, behavior based threat detection, obviously is one of the first services that we offered, because we're correlating all this data, and we're creating a baseline, and we're figuring out what normal is. Okay, well, if your normal behavior is this. What's abnormal? So you can catch not only a known bad threat, you know, with rules, et cetera, that are embedded into our engines, but zero day threats and unknown unknowns. Which are the really scary stuff, when you're in the cloud. So, you know, we've got, you know, application, you know, for behavioral threat detection. You have vulnerability management, you know. Where you're just constantly figuring out, what vulnerabilities do I have across my development cycle and my run time cycle, that I need to be able to keep up on, and sort of patch and remediate, et cetera. And then compliance. And as you're pulling all these data points in, you want to be able to deliver compliance reports really efficiently. And the Biden Administration, you know, is issuing, you know, all of these, you know, new edicts for regulations.
>> Sure. Obviously countries in, you know, in Europe. They have been way ahead of the US, in some of these regulations. And so they all point to a need for continuous monitoring of your cloud environment, to ensure that you're, you know, in real time, or near real time complying with the environments. And so being able to hit a button based on all of this data and, you know, deliver a compliance report for X regulation or Y regulation, saves a lot of time. But also ensures customers are secure.
>> And you mentioned your multi-cloud, so you started on AWS.
>> Yeah.
>> My observation is that AWS isn't out trying to directly, I mean, they do some monetization of their security,
>> Yep.
>> But it's more like security here it is, you know. Use it.
>> Yeah.
>> It comes with the package. Whereas for instance, take Microsoft for example, I mean, they have a big security business. I mean, they show up in the spending surveys.
>> Yeah.
>> Like wow, off the charts. So sort of different philosophies there. But when you say you're Multicloud, you're saying, okay, you run on AWS. Obviously you run on Azure. You run on GCP as well.
>> Yeah. Yep.
>> We coin this term, Supercloud, Dave. It's like Multicloud 2.0. The idea is it's a layer above the clouds, that hides the underlying complexity.
>> Yep.
>> You mentioned Graviton.
>> Yep.
>> You worry about Graviton. Your customers don't, necessarily.
>> We should be able to abstract that.
>> Right. But that's going to be different than what goes on Microsoft. With Microsoft primitives or Google primitives. Are you essentially building a Supercloud, that adds value. A layer,
>> Yeah.
>> on top of those Hyperscalers.
>> Yeah.
>> Or is it more, we're just going to run within each of those individual environments.
>> Yeah. No we definitely want to build the Security OS, you know, that sort of goes across the Supercloud, as you talk about.
>> Yeah.
>> I would go back on one thing that you said, you know, if you listen to Andy or Adam now, talk about AWS services, and all the future growth that they have. I mean, security is job one.
>> Yeah. Right, so AWS takes security incredibly seriously. They need to. You know, they want to be able to provide confidence to their customers, that they're going to be able to migrate over safely. So I think they do care deeply about it.
>> Oh, big time.
>> And are delivering a number of services, to be able to do it for their customers. Which is great. We want to enhance that, and provide Multicloud flexibility, deeper dives on Kubernetes and containers, and just want to stay ahead, and provide an option for companies. You know, when you're operating in AWS, to have better or deeper, more valuable, more impactful services to go layer on top.
>> I see.
>> And then provide the flexibility, like you said, of, hey look, I want to have a consistent security posture across all of my clouds. If I choose to use other clouds. And you don't, the schema are different on all three. You know, all of the protocols are different, et cetera. And so removing all of that complexity. I was just talking with the CISO at our event last night, we had like 300 people at this kind of cocktail event. Boston's pretty cool in the summertime.
>> Yeah. Boston in July is great.
>> It's pretty great. They're like going, look, we don't want to hire an Azure specialist, and an AWS specialist, and you know, a GCP specialist. We don't want to have somebody that is deep on just doing container security, or Kubernetes security. Like we want you to abstract all of that. Make sense of it. Stay above it. Continue to innovate. So we can actually do what we want to do. Which is, we want to build. We want to build fast. Like the whole point here, is to enable developers to do their job without restriction. And they intuitively want to have, and build secure applications. And, you know, because they recognize the importance of it. But if it slows them down. They're not going to do it.
>> Right.
>> And so we want to make that as seamless as possible, on top of AWS. So their developers feel confident. They can move more and more applications over.
>> So to your point about AWS, I totally agree. I mean, security's job one. I guess the way I would say it is, from a monetization standpoint.
>> Yeah.
>> My sense is AWS, right now anyway, is saying we want the ecosystem,
>> Yeah.
>> to be able to monetize.
>> Yeah.
>> We're going to leave that meat on the bone for those guys. Whereas Microsoft is, they sometimes, they're certainly competitive with the ecosystem, sometimes. End point.
>> Yeah.
>> They compete with CrowdStrike. There's no question about it.
>> Yeah.
>> Are they competitive with you in some cases? Or they're not there yet. Are you different.
>> Go talk to George, about what he thinks about CrowdStrike and I, versus Microsoft. (Dave V laughing)
>> Well, yeah. (Dave H laughing) A good point in terms of the depth of capability.
>> Yeah.
>> But there's definitely opportunities for the ecosystem there as well.
>> Yeah. But I think on certain parts of that, there are more, there's higher competitiveness, than less. I think in the cloud, you know, having flexibility and being open, is kind of core to the cloud's premise. And I think all three of the Hyperscalers, want to provide a choice for customers.
>> Sure.
>> And they want to provide flexibility. They obviously, want to monetize as much as they possibly can too. And I think they have varying strategies of those. And I do think AWS is the most open. And they're also the biggest. And I think that bodes well for what the marketplace really wants. You know, if you are a customer, and you want to go all in for everything, with one cloud. All right, well then maybe you use their security stack exclusively. But that's not the trend on where we're going. And we're talking about a $154 billion market, growing at, you know, 15% for you. It's a $360 billion market. And one of the most fragmented in tech. Customers do want to consolidate on platforms.
>> Absolutely.
>> If they can consolidate on CSPs, or they consolidate on the Supercloud, I'm going to steal that from you, with the super cloud. You know, to be able to, you know, have a consistent clarity posture, for all of your workloads, containers, Kubernetes, applications, across multiple clouds. That's what we think customers want. That's what we think customers need. There's opportunity for us to build a really big, iconic security business as well.
>> I'm going to make you laugh. Because, so AWS doesn't like the term Supercloud. And the reason is, because it implies that they're the infrastructure, kind of commodity layer. And my response is, you'll appreciate this, is Pure Storage has 70% gross margin.
>> Yeah. Yep.
>> Right. Look at Intel. You've got Graviton. You control, you can have Intel, like gross margin. So maybe, your infrastructure. But it's not necessarily commodity,
>> Yeah.
>> But it leaves, to me, it leaves the ecosystem value. Companies like Lacework.
>> Amazon offers 220 something services, for customers to make their lives easier. There's all kinds of ways, where they're actually focusing on delivering value, to their customers that, you know, is far from commodity and always will be.
>> Right.
>> I think when it comes to security, you're going to have, you're going to need security in your database. Your storage. Your network compute. They do all of that, you know, monetize all of that. But customers also want to, you know, be able to have a consistent security posture, across the Supercloud. You know, I mean, they don't have time. I think security practitioners, and security hiring in general, hasn't had unemployment for like seven or 10 years. It's the hardest place to find quality people.
>> Right.
>> And so our goal, is if we can up level and enable security practitioners, and DevSecOps teams, to be able to do their job more efficiently, it's a good thing for them. It's a win for them. And not having to be experts, on all of these different environments, that they're operating in. I think is really important.
>> Here's the other thing about Supercloud. And I think you'll appreciate this. You know, Andreessen says, all companies are software companies. Well, all companies are becoming SaaS and Cloud companies.
>> Yeah.
>> So you look at Capital One. What they're doing with on Snowflake. You know, Goldman what they're doing with AWS. Oracle by Cerner, you know that. So industries, incumbents, are building their own Superclouds. They don't want to deal with all this crap.
>> Yeah.
>> They want to add their own value. Their own tools. Their own software. And their own data.
>> Yeah.
>> And actually serve their specific vertical markets.
>> Yeah. A hundred percent. And they also don't want tools, you know.
>> Right.
>> I think when you're in the security business. It's so fragmented, because you had to write a rule for everything, and they were super nuanced. When you move to a data driven approach, and you actually have a platform, that removes the need to actually have very nuanced, specific expertise across all these different. Because you're combining it into your baseline and understanding it. And so, customers want to move from, you know, one of the biggest banks in North America, has 550 different point solutions for security. Thousands of employees to go manage all of this. They would love to be able to consolidate around a few platforms, that integrate the data flows, so they can correlate value across it. And this platform piece is really what differentiates our approach. Is that we already have that built. And everybody else is sort of working backwards from Legacy approaches, or from acquired companies. We built it natively from the ground up. Which we believe gives us an advantage for our customers. An advantage of time to market speed, efficacy, and a much lower cost. Because you can get rid of a bunch of point solutions in the process.
>> You mentioned Devs. Did you, you know, that continuous experience across clouds.
>> Yep.
>> Do you have like the equivalent of a Super PaaS layer, that is specific to your use case? Or are you kind of using, I mean, I know you use off the shelf tooling,
>> Yep.
>> you allow your developers to do so, but is, is the developer experience consistent across the clouds? That's really what I'm asking?
>> Well, I think it is. I mean, I was talking to another CEO of a company, you know, on the floor here, and it's focusing on the build side. You know we focus on both the build and the run time.
>> Right.
>> And we were talking about, you know, how many different applications, or how fragmented the developer experience is, with all the different tools that they have. And it's phenomenal. I mean, like this, either through acquisition or by business unit. And developers, like to have choice. Like they don't like to be told what to do or be standardized, you know, by anybody. Especially some compliance organization or security organization. And so, it's hard for them to have a consistent experience, that they're using a bunch of different tools. And so, yeah. We want to be able to integrate into whatever workload, a workflow a customer uses, in their Dev cycle, and then provide consistent security on top of it. I mean, for our own company, you know, we got about a thousand people. And a lot of them are developers. We want to make it as consistent as we possibly can, so they can build code, to deliver security efficacy, and new applications and new tools for us. So I think where you can standardize and leverage a platform approach, it's always going to be better. But the reality is, especially in large existing companies. You know, they've got lots of different tools. And so you need to be able to sit above it. Integrate with it and make it consistent. And security is one of those areas, where having a consistent view, a consistent posture, a consistent read, that you can report to the board, and know that your efficacy is there. Whatever environment you're in. Whatever cloud you're on. Is super, super critical.
>> And in your swim lane, you're providing that consistency,
>> Yep.
>> for Devs. But you're right. You've got to worry about containers. You got to worry about the run time. You got to worry about the platform. The DevSecOps team is, you know, becoming the new line of defense, right? I mean, security experts.
>> Absolutely. Well, we have one customer, that we just have been working with for four years ago. And it's, you know, a Fortune, a Global 2000 company. Bunch of different industries grew through acquisition, et cetera. And four years ago, their CTO said, we're moving to the cloud. Because we want to drive efficiency and agility, and better service offerings across the board. And so he has engineering. So he has Dev, you know. He has operations. And he has security teams. And so organizationally, I think that'll be the model, as companies do follow entries in to sort of, you know, quote. Become software companies and move on their digital journeys. Integrating the functions of DevSecOps organizationally, and then providing a platform, and enabling platform, that makes their jobs easier for each of those personas.
>> Right.
>> Is what we do. You want to enable companies to shift left. And if you can solve the problems in the code, on the front end, you know, before it gets out on the run time. You're going to solve, you know, a lot of issues that exist. Correlating the data, between what's happening in your runtime, and what's happening in your build time, and being able to fix it in near realtime. And integrate with those joint workflows. We think is the right answer.
>> Yeah.
>> Over the long haul. So it's a pretty exciting time.
>> Yeah. Shift left, ops team shield right. Hat, great to see you again.
>> Good to see you, Dave.
>> Thanks so much for coming on theCUBE.
>> Thanks a lot.
>> All right. Keep it right there. We'll be back. Re:Inforce 2022. You're watching theCUBE from Boston. (calming music)

Published Date : Jul 27 2022


SENTIMENT ANALYSIS :

ENTITIES

EntityCategoryConfidence
DavePERSON

0.99+

DavidPERSON

0.99+

GeorgePERSON

0.99+

Steven SchmidtPERSON

0.99+

AWSORGANIZATION

0.99+

MicrosoftORGANIZATION

0.99+

Dave VellantePERSON

0.99+

AndyPERSON

0.99+

Dave HatfieldPERSON

0.99+

BostonLOCATION

0.99+

David PaulPERSON

0.99+

$360 billionQUANTITY

0.99+

sevenQUANTITY

0.99+

David HatfieldPERSON

0.99+

AdamPERSON

0.99+

AmazonORGANIZATION

0.99+

70%QUANTITY

0.99+

EuropeLOCATION

0.99+

15%QUANTITY

0.99+

oneQUANTITY

0.99+

HatPERSON

0.99+

AndreesenPERSON

0.99+

second lineQUANTITY

0.99+

10 yearsQUANTITY

0.99+

third lineQUANTITY

0.99+

one customerQUANTITY

0.99+

300 peopleQUANTITY

0.99+

North AmericaLOCATION

0.99+

LaceworkORGANIZATION

0.99+

first questionQUANTITY

0.99+

two primary elementsQUANTITY

0.99+

Biden AdministrationORGANIZATION

0.99+

firstQUANTITY

0.99+

four years agoDATE

0.99+

$154 billionQUANTITY

0.99+

15 zerosQUANTITY

0.99+

IntelORGANIZATION

0.99+

SASORGANIZATION

0.99+

bothQUANTITY

0.99+

first partQUANTITY

0.99+

FortuneORGANIZATION

0.99+

first lineQUANTITY

0.98+

DevSecOpsTITLE

0.98+

seven years agoDATE

0.98+

Capital OneORGANIZATION

0.98+

SupercloudORGANIZATION

0.98+

Multicloud 2.0TITLE

0.98+

last nightDATE

0.98+

OracleORGANIZATION

0.98+

Dave HPERSON

0.98+

once a dayQUANTITY

0.98+

GoogleORGANIZATION

0.98+

two wayQUANTITY

0.98+

90, 95%QUANTITY

0.97+

twice a dayQUANTITY

0.97+

threeQUANTITY

0.97+

Dan Woods & Haiyan Song, F5 | AWS re:Inforce 2022

>>You want us to >>Look at that camera? Okay. We're back in Boston, everybody. This is Dave Vellante for theCUBE, the leader in enterprise tech coverage. This is re:Inforce 2022, AWS's big security conference. We're here in Boston, the convention center where theCUBE started in 2010. Haiyan Song is here. She's head of security and distributed cloud services at F5. And she's joined by Dan Woods, who's the global head of intelligence at F5. Great to see you again. Thanks for coming on theCUBE, Dan, first time I believe. Yeah. Happy to be here. All right. Good to see you guys. How's the, how's the event going for y'all? >>It's been just fascinating to see all those, uh, new players coming in and taking security in a very holistic way. Uh, very encouraged. >>Yeah. Boston in, in July is, is good. A lot of, a lot of action to Seaport. When I was a kid, there was nothing here, couple mob restaurants and that's about it. And, uh, now it's just like a booming, >>I'm just happy to see people in, in person. Finally, is >>This your first event since? Uh, maybe my second or third. Third. Okay, >>Great. Since everything opened up and I tell you, I am done with >>Zoom. Yeah. I mean, it's very clear. People want to get back face to face. It's a whole different dynamic. I think, you know, the digital piece will continue as a complement, but nothing beats belly to belly, as I like absolutely say. All right. Haiyan, let's start with you. So you guys do a, uh, security report every year. I think this is your eighth year, the app security report. Yeah. Um, I think you, you noted in this report, the growing complexity of apps and integrations, what did you, what are, what were your big takeaways this year? >>And so, like you said, this is our eighth year and we interview and talk to about 1500 of like companies and IT decision makers. One of the things that's so prevalent coming out of the survey is complexity that they have to deal with, continue to increase. 
It's still one of the biggest headaches for all the security professionals and IT professionals. And that's explainable in a way, if you look at how much digital transformation has happened in the last two years, right? It's an explosion of apps and APIs. That's powering all our digital way of working, uh, in the last two years. So it's certainly natural to, to see the complexity has doubled and tripled and, and we need to do something about it. >>And the number of tools keeps growing. The number of players keeps growing. I mean, so many really interesting, you know, they're really not startups anymore, but well funded new entrants into the marketplace. Were there any big surprises to you? You know, you're a security practitioner, you know, this space really well, anything jump out like, whoa, that surprised >>Me. Yeah. It's been an interesting discussion when we look at the results, right. You know, some of us would say, gosh, this is such a big surprise. How come people still, you know, willing to turn off security for the benefits of performance. And, and, and as a security professional, I will reflect on that. I said, it's a surprise, or is it just a mandate for all of us in security, we got to do better. And because security shouldn't be the one that prevents or add friction to what the business wants to do, right? So it's a surprise because we, how can, after all the breaches and, and then security incidents, people are still, you know, the three quarters of the, uh, interviewees said, well, you know, if we were given a choice, we'll turn off security for performance. And I think that's a call to action for all of us in security. How do we make security done in a way that's frictionless? And they don't have to worry about it. They don't have to do a trade off. And I think that's one of the things, you know, Dan in working our entire anti automation, uh, solution one is to PR protect. And the other thing is to enable. >>Yeah. 
You think about Dan, the, I always say the, the adversary is extremely capable. The ROI of cyber tech just keeps getting better and better. And your jobs really is to, to, to lower the ROI, right. It decrease the value, increase the cost, but you're, I mean, phishing continues to be prevalent. You're seeing relatively new technique island hopping, self forming malware. I mean, it's just mind boggling, but, but how are you seeing, you know, the attack change? You know, what what's the adversary do differently over the last, you know, several years maybe pre and post pandemic, we've got a different attack surface. What are you seeing? >>Well, we're seeing a lot higher volume attacks, a lot higher volume and velocity. Mm-hmm, <affirmative> it isn't uncommon at all for us to go in line and deploy our client side signals and see, uh, the upper 90%, um, is automated, unwanted automation hitting the application. Uh, so the fact that the security teams continue to underestimate the size of the problem. That is something I see. Every time we go in into an enterprise that they underestimate the size of the problem, largely because they're relying on, on capabilities like CAPTCHAs, or maybe they're relying on 2FA and while 2FA is a very important role in security. It doesn't stop automated attacks and CAPTCHA certainly doesn't stop automated attacks. >>So, okay. So you said 90% now, as high as 90% are, are automated up from where maybe dial back to give us a, a marker as to where it used to be. >>Well, less than 1% is typically what all of our customers across the F5 network enjoy less than 1% of all traffic hitting origin is unwanted, but when we first go online, it is upper 90, we've seen 99% of all traffic being unwanted >>Automation. But Dan, if I dial back to say 2015, was it at that? Was it that high? That, that was automated >>Back then? Or, you know, I, I don't know if it was that high then cuz stuffing was just, you know, starting to kind take off. Right? No. 
Right. Um, but as credential stuffing became better and better known among the criminal elements, that's when it really took off explain the pays you're right. Crime pays >>Now. Yeah. It's unfortunate, but it's true. Yeah. Explain the CAPTCHA thing. Cause sometimes as a user, like it's impossible to do the CAPTCHA, you know, it's like a twister. Yeah. >>I >>Got that one wrong it's and I presume it's because CAPTCHA can be solved by, by bots. >>Well, actually the bots use an API into a human click farming. So they're humans to sit around, solving CAPTCHAs all day long. I actually became a human CAPTCHA solver for a short time just to see what the experience was like. And they put me to the training, teaching me how to solve CAPTCHAs more effectively, which was fascinating, cuz I needed that training frankly. And then they tested to make sure I solved CAPTCHAs quickly enough. And then I had solved maybe 30 or 40 CAPTCHAs and I hadn't earned one penny US yet. So this is how bots are getting around CAPTCHAs. They just have humans solve them. >>Oh, okay. Now we hear a lot at this event, you gotta turn on multifactor authentication and obviously you don't want to use just SMS based MFA, but Dan you're saying not good enough. Why explain >>That? Well, most implementations of 2FA is, you know, you enter in username and password and if you enter in the correct username and password, you get a text message and you enter in the code. Um, if you enter in the incorrect username and password, you're not sent the code. So the, the purpose of a credential stuffing attack is to verify whether the credentials are correct. That's the purpose. And so if it's a 2FA protected log in, I've done that. 
Admittedly, I haven't taken over the account yet, but now that I have a list of known good credentials, I could partner with somebody on the dark web who specializes in defeating 2FA through social engineering or port-outs or SIM swaps, SS7 compromises, insiders at telcos, lots of different ways to get at the, uh, 2FA text message. >>So, wow, <laugh>, this is really interesting, scary discussion. So what's the answer to, to that problem. How, how has F5 approached >>It? Haiyan touched on it. We, we want to improve security without introducing a lot of friction. And the solution is collecting client side signals. You interrogate the user's interactions, the browser, the device, the network, the environment, and you find things that are unique that can't be spoofed like how it does floating point math or how it renders emojis. Uh, this way you're able to increase security without imposing friction on, on the customer. And honestly, if I have to ever have to solve another CAPTCHA again, I, I, I just, my blood is boiling over CAPTCHA. I wish everyone would rip it out >>As a user. I, I second that request I had, um, technology got us into this problem. Can technology help us get out of the problem? >>It has to. Um, I, I think, uh, when you think about the world that is powering all the digital experiences and there's two things that comes to mind that apps and APIs are at the center of them. And in order to solve the problem, we need to really zero in where, you know, the epicenter of the, the, uh, attack can be and, and had the max amount of impact. Right? So that's part of the reason from a F5 perspective, we think of application and API security together with the multitier the defense with, you know, DDoS to bots, to the simple bots, to the most sophisticated ones. And it has to be a continuum. You don't just say, Hey, I'm gonna solve this problem in this silo. You have to really think about app and APIs. 
Think about the infrastructure, think about, you know, we're here at AWS and cloud native solutions and API services is all over. You can't just say, I only worry about one cloud. You cannot say, I only worry about VMs. You really need to think of the entire app stack. And that's part of the reason when we build our portfolio, there is web application firewall, there's API security there's bot solution. And we added, you know, application infrastructure protection coming from our acquisition for Threat Stack. They're actually based in Boston. Uh, so it's, it's really important to think holistically of telemetry visibility, so you can make better decisions for detection response. >>So leads me to a number of questions first. The first I wanna stay within the AWS silo for a minute. Yeah. Yeah. What do you, what's the relationship with AWS? How will you, uh, integrating, uh, partnering with AWS? Let's start there. >>Yeah, so we work with AWS really closely. Uh, a lot of our solutions actually runs on the AWS platform, uh, for part of our Shape services. It's it's, uh, using AWS capabilities and Threat Stack is purely running on AWS. We just, uh, actually had integration, maybe I'm pre announcing something, uh, with, uh, the CloudFront, with our bot solutions. So we can be adding another layer of protection for customers who are using CloudFront as the w on AWS. >>Okay. So, um, you integrate, you worry about a APIs, AWS APIs and primitives, but you have business on prem, you have business, other cloud providers. How do you simplify those disparities for your customers? Do you kind of abstract all that complexity away what's F5's philosophy with regard then and creating that continuous experience across the states irrespective of physical >>Location? Yeah, I think you're spot on in terms of, we have to abstract the complexity away. 
The technology complexity is not gonna go away because there's always gonna be new things coming in the world become more disaggregated and they're gonna be best of breed solutions coming out. And I think it's our job to say, how do we think about policies for web application? And, you know, you're, on-prem, you're in AWS, you're in another cloud, you're in your private data center and we can certainly abstract out the policies, the rules, and to make sure it's easier for a customer to say, I want this particular use case and they push a button. It goes to all the properties, whether it's their own edge or their own data center, and whether it's using AWS, you know, CloudFront as you using or web. So that is part of our adapt. Uh, we call it adaptive application. Vision is to think delivery, think security, think optimizing the entire experience together using data. You know, I come from, uh, a company that was very much around data can power so many things. And we believe in that too. >>We use a, we use a term called super cloud, which, which implies a layer that floats above the hyperscale infrastructure hides the underlying complexity of the primitives adds value on top and creates a continuous experience across clouds, maybe out to the edge even someday on prem. Is that, does that sound like, it sounds like that's your strategy and approach and you know, where are you today? And that is that, is that technically feasible today? Is it, is it a journey? Maybe you could describe >>That. Yeah. So, uh, in my title, right, you talked about a security and distribute cloud services and the distribute cloud services came from a really important acquisition. We did last year and it's about, uh, is called Volterra. What they brought to F5 is the ability not only having lot of the SaaS capabilities and delivery capabilities was a very strong infrastructure. 
They also kept have capability like multi-cloud networking and, you know, people can really just take our solution and say, I don't have to go learn about all the, like I think using super cloud. Yeah, yeah. Is exactly that concept is we'll do all the hard work behind the scenes. You just need to decide what application, what user experience and we'll take care of the rest. So that solutions already in the market. And of course, there's always more things we can do collect more telemetry and integrate with more solutions. So there's more insertion point and customer can have their own choice of whatever other security solution they want to put on top of that. But we already provide, you know, the entire service around web application and API services and bot solution is a big piece of that. >>So I could look at analytics across those clouds and on-prem, and actually you don't have to go to four different stove pipes to find them, is that >>Right? Yeah. And I think you'd be surprised on what you would see. Like you, you know, typically you're gonna see large amounts of unwanted automation hitting your applications. Um, it's, I, I think the reason so many security teams are, are underestimating. The size of the problem is because these attacks are coming from tens of thousands, hundreds of thousands, even millions of IP addresses. So, you know, for years, security teams have been blocking by IP and it's forced the attackers to become highly, highly distributed. So the security teams will typically identify the attack coming from the top hundred or 1500 noisiest IPs, but they missed the long tail of tens of thousands, hundreds of thousands of IPs that are only used one or two times, because, you know, over time we forced the attackers to do this. >>They're scaling. >>Yeah, they are. And, and they're coming from residential IPs now, uh, not just hosting IPs, they're coming from everywhere. >>And, and wow. 
I mean, I, we know that the pandemic changed the way that organization, they had to think more about network security, rethinking network security, obviously end point cloud security. But it sounds like the attackers as well, not only did they exploit that exposure, but yeah, yeah. They were working from home and then <laugh> >>The human click farms. They're now distributed. They're all working from home. >>Now we could take advantage >>Of that when I was solving CAPTCHAs, you could do it on your cell phone just by walking around, solving CAPTCHAs for money. >>Wow. Scary world. But we live in, thank you for helping making it a little bit safer, guys. Really appreciate you coming on theCUBE. >>We'll continue to work on that. And our motto is bring a better digital world to life. That's what we can set out >>To do. I love it. All right. Great. Having you guys. Thank you. And thank you for watching. Keep it right there. This is Dave Vellante from re:Inforce 2022. You're watching theCUBE right back after this short break.
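The 2FA weakness Dan describes in this interview, shown as an added example (this is not F5 code and not from the interview): a login endpoint that only issues the second-factor challenge after a correct username and password tells a credential-stuffing tool exactly which pairs are valid, before any second factor is ever defeated. The user store, the OTP delivery channel (a dict standing in for SMS or push) and the uniform-response mitigation are this example's own assumptions; the hardened handler answers identically either way and only provisions a code when the password matched, so step one no longer works as an oracle.

```python
import hashlib
import hmac
import secrets

# Constructed user store: one test account with a salted PBKDF2 hash (not real data).
_SALT = b"constructed-salt-not-for-production"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Stand-ins for the OTP delivery channel and for server-side challenge state.
OUTBOX = {}   # username -> last code "delivered" (would be SMS / push in reality)
PENDING = {}  # challenge id -> expected code, stored only when the password matched


def _deliver_otp(username: str, code: str) -> None:
    OUTBOX[username] = code


def _password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash(password, _SALT)  # burn the same work so timing does not reveal unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_leaky(username: str, password: str) -> dict:
    """The flow Dan Woods describes: the second factor is requested only when the
    password is right, so the first response alone confirms a valid credential pair."""
    if not _password_ok(username, password):
        return {"status": "invalid_credentials"}
    code = f"{secrets.randbelow(10**6):06d}"
    challenge = secrets.token_urlsafe(16)
    PENDING[challenge] = code
    _deliver_otp(username, code)
    return {"status": "otp_sent", "challenge": challenge}


def login_uniform(username: str, password: str) -> dict:
    """Hardened flow (this example's own mitigation): the outward response is the same
    whether or not the password matched. A code is generated and delivered only on a
    match, so step one reveals nothing and step two fails closed for bad pairs."""
    ok = _password_ok(username, password)
    challenge = secrets.token_urlsafe(16)
    if ok:
        code = f"{secrets.randbelow(10**6):06d}"
        PENDING[challenge] = code
        _deliver_otp(username, code)
    return {"status": "otp_sent", "challenge": challenge}


def verify_otp(challenge: str, code: str) -> bool:
    """Second step. A challenge whose password check failed has no stored code, so any
    code submitted against it is rejected; a used challenge is consumed."""
    expected = PENDING.pop(challenge, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected, code)


def leaks_validity(handler, username: str, good_pw: str, bad_pw: str) -> bool:
    """True if a right and a wrong password yield distinguishable first-step
    responses, i.e. the endpoint can be used as a credential oracle."""
    return handler(username, good_pw)["status"] != handler(username, bad_pw)["status"]
```

The trade-off is that a legitimate user who mistypes the password gets no code and simply retries; the server still knows which path it took, it just does not say. This closes only the verification oracle Dan describes, and does not replace rate limiting or the client-side signals he advocates for telling automation from real users.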

Published Date : Jul 27 2022

Lena Smart, MongoDB | AWS re:Inforce 2022

(electronic music) >> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB, rocket ship company. We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE. >> Thank you for having me. >> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal. >> Yeah. >> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people. >> Yeah. >> You know, it used to be a bolt on. >> Yep. >> That's changed dramatically and that change has really accelerated through the pandemic. >> Yep. >> Just describe that change from your perspective. >> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for MongoDB twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. 
He had a reputation as a strong technical leader. So us combined is like indestructible, we we're a great team. >> Is your scope of responsibility, obviously you're protecting Mongo, >> Yeah. >> How much of your role extends into the product? >> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him. >> Yeah, he's amazing. >> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow. >> I remember last year, re:Invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture- >> Right. That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. >> Yes. >> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect. 
>> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk on water in security. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisor's permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program. >> Makes a lot of sense. 
You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate. >> Absolutely. >> To that you know that 101 level. >> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden. >> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item. >> Yeah. >> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. >> Yes. >> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed. >> Right. >> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it? 
>> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killalea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. 
She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC 2 Type 2 in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev Ittycheria. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Road roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the brakes. I mean, this is something that's- So my other half works in the finance industry still. 
So we have, you know, interesting discussions when it comes to geopolitics and financial politics. And you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seen to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying, are you giving me really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform if you look to moving to us, and then we could have a partnership. And I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us the best value for money. And so that's always been my view: we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps.
You know, budgets are talked about at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know, you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO, but because of the shared responsibility model, the CISO is now the second line of defense. >> Yes. >> Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or, you know, our account manager, it's not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront.
So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you, obviously the SolarWinds hack was a major mile- I think in security, there's always something in the headlines- >> Yes. >> But when you think of things like, you know, Stuxnet, you know, Log4j, obviously SolarWinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and, you know, much more automated. It's always been automated attacks, but, you know, island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials, from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the HBOM, the hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOMs front and center, cloud first front and center. It's like, this is perfect.
And so I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had Snyk and CISA, so Dr. Allan Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well and just the general guidance, and Snyk for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snyk and we now have a proof of concept for SBOMs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOMs shouldn't be something to be afraid of. If you want to do business with the government, you're going to have to create one. We are offering a secure repository to store that data; the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOMs are going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. We don't know everything, the unknown unknowns, but at least if we're prepared to go find stuff quicker than we were before Log4j, I think having SBOMs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know, there's meerkats, you see, like this, it's like, what do we talk about?
But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, a rising star, you know, notwithstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts. One, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they're already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena. Thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Vellante for theCUBE. We'll be right back at AWS re:Inforce 2022 right after this short break.

Published Date : Jul 27 2022


Tim Jefferson & Sinan Eren, Barracuda | AWS re:Inforce 2022

>> And welcome back to theCUBE's coverage of AWS re:Inforce here in Boston, Massachusetts. I'm John Furrier. We're here for a great interview on the next generation topic of the state of industrial security. We have two great guests, Tim Jefferson, senior vice president, data, network and application security at Barracuda, and Sinan Eren, vice president of zero trust engineering at Barracuda. Gentlemen, thanks for coming on theCUBE. Talk about industrial security. >> Yeah, thanks for having us. >> So one of the big things that's going on, obviously you got zero trust. You've got trusted software supply chain challenges. You've got hardware mattering more than ever. You've got software driving everything, and all this is talking about industrial, you know, critical infrastructure. We saw the oil pipeline had a hack and ransomware attack, and that's just a constant barrage of threats in the industrial area. And all the data is pointing to that. This area is gonna be fast growth, machine learning's kicking in, automation is coming in. You see a huge topic, huge growth trend. What is the big story going on here? >> Yeah, I think at a high level, you know, we did a survey and saw that, you know, over 95% of the organizations are experiencing, you know, security challenges in this space. So, you know, the blast radius of the interface that this creates, so many different devices and things and objects that are getting network connected now, creates a huge challenge for security teams to kind of get their arms around that. >> Yeah. And I can add that, you know, the majority of these incidents that these organizations suffer lead to significant downtime, right? And we're talking about operational technology here, you know, lives depend on these technologies, right? Our everyday wellbeing depends on those.
So that is a key driver of initiatives and projects to secure industrial IoT and operational technologies in these businesses. >> Well, it's great to have both of you guys on. You know, Tim, you know, you had a background at AWS, and Sinan, your startup, founder, sold it, coming to Barracuda. Both very experienced, seen the waves before in this industry. And I'd like to, if you don't mind, talk about three areas: remote access, which we've seen in huge demand with the pandemic and, coming out of it, with the hybrid, and certainly industrial, that's a big part of it. And then secondly, the trend of clear commitment from enterprises to have a public cloud component, and then finally the secure access edge, you know, with SaaS business models, securing these things. These are the three hot areas. Let's go into the first one, remote access. Why is this important? It seems that this is the top priority for having immediate attention on. What's the big challenge here? Is it the most unsecure? Is it the most important? Why is this relevant? >> Sinan, I'll let you jump in there. >> Yeah, sure. Happy to. I mean, if you think about it, especially now, we've been through a pandemic shelter-in-place cycle for almost two years. It becomes essentially a business continuity matter, right? You do need remote access. We've also seen a tremendous shift in hiring the best talent, wherever they are, right, onboarding them and bringing the talent into businesses that have maybe a lot more distributed environments than traditionally. So you have to account for remote access in every part of everyday life, including industrial technologies. You need remote support, right? You need vendors that might be overseas providing you, you know, guidance and support for these technologies. So remote support is every part of life.
Whether you work from home, you work on the go, or you are getting support from a vendor that happens to be in Germany, you know, teleporting into your environment in Hawaii. You know, all these things are essentially critical parts of everyday life now. >> Talk about ZTNA, zero trust network access. This is a major component for companies. Obviously, you know, it's a position taking trust and verify. One other approach, zero trust, is saying, hey, I don't trust you. Take us through why that's important. Why is zero trust network access important in this area? >> Yeah. I mean, I could say that traditionally remote access, if you think about the infancy of the internet in the nineties, right, it was all about encryption in transit, right? The internet was vastly clear text, right? We didn't even have SSL/TLS widely distributed and available. So when VPNs first came out, it was more about preventing sniffing clear text information from the network, right? It was more about securing the transport, but now that kind of created a big security control gap, which implicitly trusted users once they are teleported into a remote network, right? That's the essence of having a remote access session: you're brought from wherever you are into an internal network. They implicitly trust you. That simply broke down over time because you are able to compromise endpoints relatively easily using browser exploits, you know, supply chain issues, watering hole attacks, and leverage the existing VPN tunnels to laterally move into the organization from within the network. You literally move in further and further and further down, you know, down the network, right? So the VPN needed a significant innovation. It was meant to be securing packets in transit. It was all about an encryption layer, but it had an implicit trust problem. With zero trust, we turn it into an explicit trust problem, right?
Explicit trust concept, ideally, right? So you are who you say you are, and you are authorized to access only the things that you need to access to get the work done. >> So you're talking about granular levels versus the one-time database lookup, you're in. >> That's right. >> Tim, talk about the OT and IT side of this equation of industrial, because IT, you know, is IP-based networking. OT has been purpose built, you know, maybe some proprietary technology that connects to the internet, but it's mainly been secure. Those have come together over the years, and now with no perimeter security, how is this world evolving? Because there's gonna be more cloud there, more machine learning, more hybrid on premise. That's going on, almost a reset if you will. I mean, is it a reset? What's the situation? >> Yeah. I think, you know, in typical human behavior, you know, there's a lot of over-rotation going on. You know, historically a lot of security controls are all concentrated in a data center. You know, a lot of enterprises had very large, sophisticated, well-established security stacks in a data center. And as those applications kind of broke down and got rearchitected for the cloud, they got more modular, they got more distributed. That centralized security stack became an anti-pattern. So now this kind of over-rotation: hey, let's take this stack and put it up in the cloud. You know, so there's lots of names for this, secure access service edge, you know, secure service edge. But in the end, you know, you're taking your controls and migrating them into the cloud. And, you know, I think ultimately this creates a great opportunity to embrace some security best practices that were difficult to do in some of the legacy architectures, which is being able to push your controls as far out to the edge as possible. >> And the interesting thing about IT and OT now is just how far out the edge is, right?
So instead of being, you know, historically it was the branch or user edge, remote access edge, you know, Sinan mentioned that you have technologies that can VPN or bring those identities into those networks, but now you have all these things, you know, partners, devices. So it's the thing edge, device edge, the user edge. So a lot more fidelity and awareness around who users are. Cause in parallel, a lot of the IdP and IAM platforms have really matured. So marrying those concepts of this lot of maturity around identity management, yeah, with device and behavior management into a common security framework is really exciting. But of course it's very nascent. So people are, it's a difficult time getting your arms around that. >> It's funny. We were joking about the edge. We're just watching the Webb telescope photos come in, the deep space, the deep edge. So the edge is continuing to be pushed out. Totally see that. And in fact, you know, one of the things we're gonna talk about, this survey that you guys had done by an independent firm, has a lot of great data. I want to unpack that, but one of the things that was mentioned in there, and I wanna get both your reactions to this, is that virtually all organizations are committing to the public cloud. Okay. I think it was like 96% or so was the stat. And if you combine in that the fact that the edge is expanding, the cloud model is evolving at the edge. So for instance, a building, there's a lot behind it. You know, how far does it go? So we don't know, and what is the topology, because the topology seems to change too. So there's this growth and change where we need cloud operations, DevOps at the edge, and the security, but it's changing. It's not pure cloud, but it's cloud. It has to be compatible. What's your reaction to that, Tim? I mean, this is a big part of the growth of industrial. >> Yeah.
I think, you know, if you think about, there's kind of two exciting developments that I would think of. You know, obviously there's this increase to the surface area, the attack surface areas. People realize, you know, it's not just laptops and devices and people that you're trying to secure, but now there are, you know, refrigerators and, you know, robots on manufacturing floors that, you know, could be compromised, have their firmware updated or, you know, be ransomwared. So this is a huge kind of increase in surface area. But a lot of those, you know, industrial devices weren't built around the concept of network security. So kind of bolting on, thinking through how can you secure who and what ultimately has access to those devices and things. And where is the control framework? So to your point, the control framework now is typically migrated into public cloud. These are custom applications, highly distributed, highly available, very modular. And then, you know, so how do you, you know, collect the telemetry or control information from these things. And then, you know, it creates secure connections back into these control applications, which again are now migrated to public cloud. So you have this challenge, you know, how do you secure? We were talking about this last time we discussed, right? So how do you secure the infrastructure that I've built in deploying now this control application in public cloud, and then connect in with this physical presence that I have with these, you know, industrial devices, and taking telemetry and control information from those devices and bringing it back into the management.
And this kind of marries again back into the remote access that Sinan was mentioning. Now with this increased awareness around the efficacy of ransomware, we are, you know, we're definitely seeing attackers going after the management frameworks, which become very vulnerable, you know, and they're typically just unprotected web applications. So once you get control of the management framework, regardless of where it's hosted, you can start moving laterally and causing some damage. >> Yeah. That seems to be the common thread. So Sinan, talk about, what's your reaction to that? Because, you know, zero trust, if it's evolving and changing, you gotta have zero trust. You didn't even know it's out there and then it gets connected. How do you solve that problem? Cuz you know, there's a lot of surface area that's evolving, all the OT stuff and the new IT. What's the perspective and posture that your clients and customers are having? >> Well, I think they're having this conversation about further mobilizing identity, right? We did start with, you know, user identity that became kind of the first foundational building block for any kind of zero trust implementation. You work with, you know, some sort of SSO identity provider, you sync with your user directories, you have a single source of truth for all your users. You authenticate them through an identity provider. However, that didn't quite cut it for industrial IoT and OT environments. So you see, like, we have the concept of hardware machines; machine identities now become an important construct, right? The legacy notion of being able to put controls and rules based on network constructs doesn't really scale anymore, right? So you need to have this concept of another abstraction layer of identity that belongs to a service, that belongs to an application, that belongs to a user, that belongs to a piece of hardware, right? And then you can, yeah.
And then you can build a lot more, of course, scalable controls that basically understand the trust relation between these identities and enforce that, rather than trying to say this internal network can talk to this other internal network through a network circuit. No, those things really are not scalable in this new distributed landscape that we live in today. So identity is basically going to operationalize zero trust and a lot more secure access going forward. >> And that's why we're seeing the SASE growth, right? That's a main piece of it. Is that what you're seeing too? I mean, that seems to be the approach. >> I think, like- >> Go ahead. >> Yeah. I think like, you know, SASE to me is really about, you know, migrating and moving your security infrastructure to the cloud edge, you know, as we talked, to the cloud. You know, and then, you know, do you funnel all ingress and egress traffic through this, you know, which is potentially an anti-pattern, right? You don't wanna create, you know, some brittle constraint around who and what has access. So again, a security best practice, instead of doing all your enforcement in one place, you can distribute and push your controls out as far to the edge. So a lot of SASE now is really around centralizing policy management, which is one of the big benefits. Instead of having all these separate management planes, which always end up as very federated policy, right, you can consolidate your policy and then decide, mechanism-wise, how you're gonna instrument those controls at the edge. So I think that's the real promise of the SASE movement, and I think the other big piece, which you kind of touched on earlier, is around analytics, right?
So it creates an opportunity to collect a whole bunch of telemetry from devices and things, behavior, consumption, which is a big, common best practice around, once you have SaaS-based tools that you can instrument, a lot of visibility into how users and devices are behaving and being operated. And to Sinan's point, you can marry that in with their identity. Yeah. Right. And then you can start building models around what normal behavior is and, you know, with very fine-grained control, you can, you know, these types of analytics can discover things that humans just can't discover, you know, anomalous behavior, any kind of indicators of compromise. And those can be, you know, dynamic policy blockers. >> And I think Sinan's point about what he was talking about, talks about the perimeter's no longer secure. So you gotta go to the new way to do that. Totally, totally relevant. I love that point. Let me ask you guys a question on the macro, if you don't mind. How concerned are you guys on the current threat landscape and the geopolitical situation, in terms of the impact on industrial IoT in this area? >> Sinan, I'll let you go first. Yeah. >> I mean, it's definitely significantly concerning, especially now with the new sanctions. There's at least two more countries being, you know, let's say restricted to participate in the global economic, you know, marketplace, right? So if you look at North Korea as a pattern, since they've been isolated, they've been sanctioned for a long time. They actually doubled down on ransomware to even fund state operations, right? So now that you have, you know, Belarus and Russia being heavily sanctioned due to their activities, we can envision more increase in ransomware and, you know, sponsoring state activities through illegal gains, through compromising, you know, pipelines and, you know, industrial, you know, operations and seeking large payouts.
So I think the more they're isolated, they're pushed out from the global marketplace, there will be a lot more aggression towards critical infrastructure. >> Oh yeah. I think it's gonna ignite more action off the books, so to speak, as we've seen. Yeah. We've seen. >> You know, another point there is, you know, Barracuda also runs a backup, you know, product. We do a purpose-built backup appliance and a cloud-to-cloud backup. And, you know, we've been running this service for over a decade. And historically the amount of ransomware escalations that we got were very slow, you know, it's whenever we had a significant one, helping our customers recover from them, you know, once a month. But over the last 18 months, this is routine now for us. This is something we deal with on a daily basis. And it's becoming very common. You know, it's been a well-established, you know, easily monetized route to market for the bad guys. And it's being very common now for people to compromise management planes, you know, they use account takeover. And the first thing they're doing is breaking into management planes, looking at control frameworks. And then the first thing they'll do is delete, you know, of course, the backups, which this sort of highlights the vulnerability that we try to talk to our customers about, you know, and this affects industrial too, is the first thing you have to do is, among other things, protect your management planes. Yeah. And putting really fine-grained mechanisms like zero trust is a great- >> Yeah. How good is backup, Tim, if it gets deleted first? It's like no backup. There it is. So, yeah. Yeah. Air gapping. >> I mean, obviously that's kind of a best practice when the bad guys, like, go in and delete all the backups. So- >> And all the air gaps, get in control of everything. Let me ask you about the survey. It pointed out that there's a lot of security incidents happening.
You guys pointed that out and discussed a little bit of it. We also talked about, in the survey, you know, the threat vectors and the threat landscape, the common ones. Ransomware was one of them. The area that I liked, that was interesting, was the area that talked about how organizations are investing in security, and particularly around this. Can you guys share your thoughts on how you see the market, your customers and the industry investing? What are they investing in? What stage are they in when it comes to IoT and OT, industrial IoT and OT security? Do they do audits? Are they too busy? I mean, what's the state of their investment thesis, progress of how they're investing in industrial IoT? >> Yeah. Our view is, you know, we have a next generation product line. We call, you know, our CloudGen Firewalls. And we have a form factor that supports industrial use cases we call Secure Connectors. So it's interesting that, what we learned from that business is a tremendous amount of bespoke efforts at this point, which is sort of indicative of a nascent market still, which is related to another piece of information I thought was really interesting in the survey: that I think it was 93% of the participants, the enterprises, had a failed OT initiative, you know, that, you know, people tried to do these things and didn't get off the ground. And then once we see build, you know, strong momentum, you know, like we have a large luxury car manufacturer that uses our Secure Connectors on the robots, on the floor. So well-established manufacturing environments, you know, building very sophisticated control frameworks and security controls. But again, a very bespoke effort, you know, they have a very specific set of controls and a specific set of use cases around it.
So it kind of reminds me of the late nineties, early two thousands of people trying to figure out, you know, networking and the blast radi and networking and, and customers, and now, and a lot of SI are, are invested in this building, you know, fast growing practices around helping their customers build more robust controls in, in helping them manage those environments. So, yeah, I, I think that the market is still fairly nascent >>From what we seeing, right. But there are some encouraging, you know, data that shows that at least helpful of the organizations are actively pursuing. There's an initiative in place for OT and a, you know, industrial IOT security projects in place, right. They're dedicating time and resources and budget for this. And, and in, in regards to industries, verticals and, and geographies oil and gas, you know, is, is ahead of the curve more than 50% responded to have the project completed, which I guess colonial pipeline was the, you know, the call to arms that, that, that was the big, big, you know, industrial, I guess, incident that triggered a lot of these projects to be accelerating and, and, you know, coming to the finish line as far as geographies go DACA, which is Germany, Austria, Switzerland, and of course, north America, which happens to be the industrial powerhouses of, of the world. Well, APAC, you know, also included, but they're a bit behind the curve, which is, you know, that part is a bit concerning, but encouragingly, you know, Western Europe and north America is ahead of these, you know, projects. A lot of them are near completion or, or they're in the middle of some sort of an, you know, industrial IOT security project right >>Now. I'm glad you brought the colonial pipeline one and, and oil and gas was the catalyst. Again, a lot of, Hey, scared that better than, than me kinda attitude, better invest. So I gotta ask you that, that supports Tim's point about the management plane. 
And I believe on that hack or ransomware, it wasn't actually control of the pipeline. It was control over the management billing, and then they shut down the pipeline cuz they were afraid it was gonna move over. So it wasn't actually the critical infrastructure itself to your point, Tim. >>Yeah. It's hardly over the critical infrastructure, by the way, you always go through the management plane, right. It's such an easier lying effort to compromise because it runs on an endpoint it's standard endpoint. Right? All this control software will, will be easier to get to rather than the industrial hardware itself. >>Yeah. It's it's, it's interesting. Just don't make a control software at the endpoint, put it zero trust. So down that was a great point. Oh guys. So really appreciate the time and the insight and, and the white paper's called NETEC it's on the Barracuda. Netex industrial security in 2022. It's on the barracuda.com website Barracuda network guys. So let's talk about the read force event hasn't been around for a while cuz of the pandemic we're back in person what's changed in 2019 a ton it's like security years is not dog years anymore. It's probably dog times too. Right. So, so a lot's gone on where are we right now as an industry relative to the security cybersecurity. Could you guys summarize kind of the, the high order bit on where we are today in 2022 versus 2019? >>Yeah, I think, you know, if you look at the awareness around how to secure infrastructure in applications that are built in public cloud in AWS, it's, you know, exponentially better than it was. I think I remember when you and I met in 2018 at one of these conferences, you know, there were still a lot of concerns, whether, you know, IAS was safe, you know, and I think the amount of innovation that's gone on and then the amount of education and awareness around how to consume, you know, public cloud resources is amazing. 
And you know, I think that's facilitated a lot of the fast growth we've seen, you know, the consistent, fast growth that we've seen across all these platforms >>Say that what's your reaction to the, >>I think the shared responsibility model is well understood, you know, and, and, and, and we can see a lot more implementation around, you know, CSBM, you know, continuously auditing the configurations in these cloud environments become a, a standard table stake, you know, investment from every stage of any business, right? Whether from early state startups, all the way to, you know, public companies. So I think it's very well understood and, and the, and the investment has been steady and robust when it comes to cloud security. We've been busy, you know, you know, helping our customers and AWS Azure environments and, and others. So I, I think it's well understood. And, and, and we are on a very optimistic note actually in a good place when it comes to public cloud. >>Yeah. A lot of great momentum, a lot of scale and data act out there. People sharing data, shared responsibility. Tim is in, thank you for sharing your insights here in this cube segment coverage of reinforce here in Boston. Appreciate it. >>All right. Thanks for having >>Us. Thank you. >>Okay, everyone. Thanks for watching the we're here at the reinforced conference. AWS, Amazon web services reinforced. It's a security focused conference. I'm John furier host of the cube. We'd right back with more coverage after the short break.

Published Date : Jul 27 2022


Karl Mattson, Noname Security | AWS re:Inforce 2022


 

>>Hello, everyone. Welcome to AWS re:Inforce here, live in Boston, Massachusetts. I'm John Furrier, host of theCUBE. We're here with Karl Mattson, CISO at Noname Security. That's right, Noname Security. Noname Security is also a featured partner at season two, episode four of our upcoming AWS Startup Showcase, a security-themed event happening at the end of August. Look for that at this URL, AWS startups.com. But we're here at re:Inforce. Karl, thanks for joining me today. Good to see you.
>>Thank you for having us, John.
>>So this show, security, it's not as packed as the AWS Summit was in New York. That just happened two weeks ago, 19,000 people. Here, a more focused crowd. A lot at stake; operations are under pressure. The security teams are under a lot of pressure as apps drive more and more cloud-native goodness. As we say, the genie's out of the bottle; people want more cloud-native apps. Absolutely. That's put a lot of pressure on the ops teams and the security teams. That's the core theme here. How do you see it happening? How do you see this unfolding? Do you agree with that? And how would you describe today's event?
>>Well, I think you're spot on. I think the future of IT is increasingly becoming the story of developers and APIs becoming the hero, the hero of digital transformation, the hero of public cloud adoption. And so this is really becoming much more of a developer-centric discussion about where we're moving our applications and where they're hosted, but also how they're designed. And so there's a lot of energy around that right now, around focusing security capabilities that really appeal to the sensibilities and the needs of modern applications.
>>I want to get to Noname Security in a second and let you explain what you guys do. Then I'll have a few good questions for you to kind of unpack that. But the thing about the structural change that's happened with cloud computing is kind of in the past now: DevOps, cloud scale, large-scale data, the rise of the supercloud companies like Snowflake, Capital One. There's examples of companies that don't even have CapEx investments, building on the cloud. And in a way, the success of DevOps has created another sea of problems and opportunities, that is, more complexity. As the benefits of DevOps and open source continue to rise, agile applications that have value can be quantified. There's no doubt with the pandemic that's value there. Yeah. Now you have the collateral damage of success, a new opportunity to abstract away more complexity to go to the next level. Yep. This is a big industry thing. What are the key opportunities and areas in this new environment, because that's the structural change happening now? Yep. What are the key dynamics right now that are driving this new innovation, and what are some of those problem areas that are gonna be abstracted away that you see?
>>Well, the first thing I'd suggest is to lean into those structural changes and take advantage of them where they become an advantage for governance, security, risk. A perfect example is automation. So what we have in microservices applications and cloud infrastructures and new workloads like Snowflake is we have workloads that want to talk; they want to be interoperated with. And because of that, we can develop new capabilities that take advantage of those capabilities. And so what we want to have on our security teams in particular is the talent and the tools that are leaning into and capitalizing on exactly those strengths of the underlying capabilities that you're securing, rather than to counter that trend. The security professional needs to get ahead of it and be a part of that discussion with the developers and the infrastructure teams.
>>And again, the structural change could kill you too as well. I mean, some benefits, data's the new oil, but at the end of the day it could be a problematic thing. Sure. All right. So let's get to that. Noname, talk about the company. What you guys do; you have an interesting approach, heavily funded, good success, good buzz. What's going on with the company? Give the quick overview.
>>Well, we're a company that's just under three years old. And APIs go back, of course, a decade or more; we've all been using APIs for a long time. But what's really shifted over the last couple of years is the transition of applications, and especially business-critical processes, to now riding on top of public-facing APIs, where the API used to be the behind-the-scenes interconnection between systems. Now those APIs are exposed; they're public-facing. And so what we focus on as a company is looking at that API as a software endpoint, just like any other endpoint in our environments that we're historically used to. That's an endpoint that needs full life-cycle protection. It needs to be designed well, secure coding standards for APIs, and tested well. It also has to be deployed into production, configured well and operated well. And when there's a misuse or an attack in progress, we have to be able to protect and identify the risks to that API in production. So when you add that up, we're looking at a full life-cycle view of the API. And it's really about time, because the API is not new, yet we're just starting now to apply actual discipline and practices that help keep that API secure.
>>Yeah. It's interesting. It's like what I was saying earlier. They're not going anywhere. They're the underpinning, the underlying benefit of cloud, yes, cloud native. So it's just more operational stability, scale, growth. What are some of the challenges that are there, and what do you guys do particularly to solve it? You're protecting it. Are you scaling it? What specifically are you guys addressing?
>>Sure. So I think API security, even as a discipline, is not new. But I think the traditional look at API security looks only at the quality of the source code. Certainly the quality of the source code of the API is sort of step one. But what we see in practice is most of the publicly known API compromises, they weren't because of bad source code. They were because of network misconfiguration or the misapplication of policy during runtime. So a great example of that would be a developer designs an API, designs it in such a way that enforces authentication to be well designed and strong. And then in production, those authentication policies are not applied at a gateway. So what we add to the conversation on API security is helping fill all those little gaps from design and testing through production, so we can see all of the moving parts in the context of the API, to see how it can be exploited and how we can reduce risk, independent of...
>>So this is really about hardening the infrastructure. Yep. Around, because the developer did their job in that example. Yep. So the API is well formed, working, but something didn't happen on the network or gateway box or app, some sort of network configuration or middleware configuration.
>>Absolutely. So in our platform, we essentially have sort of three functional areas. There's API code testing, and then what we call next is posture management. Posture management's a real thing. If we're talking about a laptop, we're talking about, is it up to date with patches? Is it configured well? Is it secure network connectivity? The same is true with APIs. They have to be managed and cared for by somebody who's looking at their posture on the network. And then of course there's threat defense and runtime protection. So that posture management piece, that's really a new entrant into the discussion on API security. And that's really where we started as a company, is focusing on that sort of acute gap of information.
>>Posture, protection.
>>Posture and protection. Absolutely.
>>Define that. What does posture protection mean? How would you define that?
>>Sure. I think it's identifying the inherent risk exposure of an API. A great example of that would be an API that is addressable by internal systems and external systems at the same time. Almost always, that is an error. It's a mistake that's been made. So by identifying that misconfiguration of posture, then we can protect that API by restricting the internet connectivity externally. That's just a great example of posture. We see almost every organization has that, and it's never intended.
>>Great call out. Thanks for sharing. All right, so I'm a customer. Yep. Okay. Look, hey, I already got an app firewall, an API gateway. Why do I need another tool?
>>Well, first of all, web application firewalls are sort of essential parts of a security ecosystem. An API management gateway is usually the brain of an API economy. What we do is we augment those platforms with what they don't do well, and also when they're not used. So for example, in any environment, we aspire to have all of our applications or APIs protected by a web application firewall. First question is, are they even behind the WAF? Are they behind the WAF at all? We're gonna find that the WAF doesn't know if it's not protecting something. And then secondarily, there are attack types, of business logic in particular, like authentication policy, that a WAF is not gonna be able to see. So the WAF and the API management plane, those are the key control points, and we can help make those better.
>>You know what I think is cool, Karl, is you're bringing up a point that we're seeing here, and we've seen before, but now it's kind of coming into visibility. And it was mentioned in the keynote by one of the presenters, Kurt, I think it was, who runs the platform: this idea of reasoning is coming into security. So the idea of knowing the topology, knowing that there's dynamic stuff going on. I mean, topologies aren't static anymore. Yep. And now you have more microservices. Yep. More APIs being turned on and off. This runtime is interesting. So you're starting to see this holistic view of, hey, the secret sauce is you gotta be smarter. Yep. And that's either machine learning or AI. So how does that relate to what you guys do? Does it? Because it sounds like you've got something of that going on with the product. Is that fair, or, yeah?
>>Yeah, absolutely. So we talked about posture; that's really the inherent quality or secure posture of an API. And now let's talk about sending traffic through that API, the request and response. When we're talking about organizations that have more APIs than they have people, employees, or tens of thousands, we're seeing in some customers, the only way to identify anomalous traffic is through machine learning. So we apply a machine learning model to each and every API independently, for itself, because we wanna learn how that API is supposed to behave. Where is it supposed to be talking? What kind of data is it supposed to be trafficking in, in all its facets? So we can model that activity and then identify the anomaly where there's a misuse, there's an attacker event, there's an insider, an employee is doing something with that API that's different. And that's really key with APIs: no two APIs are alike. Yeah. They really do have to be modeled individually, rather than, I can't share my threat signatures for my API with your organization, because your APIs are different. And so we have to have that machine learning approach in order to really identify that anomaly.
>>And watch the credentials, permissions. Absolutely, all those things. All right. Take me through the life cycle of an API. There's pre-production, post-production. What do I need to know about those two areas with respect to what you guys do?
>>Sure. So the pre-production activities are really putting in the hands of a developer or an AppSec team the ability to test that API during its development. And source code testing is one piece, but also in pre-production, are we modeling production variables enough to know what's gonna happen when I move it into production? So it's one thing to have secure source code, of course, but then it's also, do we know how that API's gonna interact with the world once it's sort of set free? So the testing capabilities early in the life cycle is really how we de-risk in the long term. But we all have API ecosystems that are existing. And so in production we're applying all of those same tests of posture and configuration issues in runtime. But really, it may sound cliché to say we wanna shift security left, but in APIs that's a hundred percent true. We want to keep moving our issue detection to the earliest possible point in the development of an API. And that gives us the greatest return in the API, which is what we're all looking for, is to capitalize on it as an agent of transformation.
>>All right, let's take the customer perspective. I'm the customer. Karl, why do I need you? And how are you different from the competition? And if I like it, how do I get started?
>>Sure. So the first thing that differentiates us from our competitors is really looking at the API as an entire life cycle of activities. So whether it's from the documentation and the design and the secure source code testing that we can provide pre-development, or pre-deployment, through production posture, through runtime, the differentiator really for us is being a one-stop shop for an entire API security program. And that's very important. And as that one-stop shop, the great thing about that, when having a conversation with a customer, is not every customer's at the same point in their journey. And so if a customer discussion really focuses on their perhaps lack of confidence in their code testing, maybe somebody else has a lack of confidence in their runtime detection, we can say yes to those conversations, deliver value, and then consider other things that we can do with that customer along a whole continuum of life cycle. And so it allows us to have a customer conversation where we don't need to say, no, we don't do that. If it's an API, the answer is yes, we do do that. And that's really where we have an advantage, I think, in looking at this space and being able to talk with pretty much any customer in any vertical and having a solution that gives them something of value right away.
>>And how do I get started? I like it. You sold me on operationalizing it. I like the one-stop shop. My APIs are super important. I know that could be potential exposure, maybe access, and then lateral movement to a workload; all kinds of stuff could happen. Sure. How do I get started? What do I do to solve this?
>>Well, nonamesecurity.com, of course. Most customers do sandboxing, POVs, as part of a trial period for us. Especially being here at AWS is wonderful, because these are customers with whom we can integrate in a matter of minutes. We're talking about literally updating an IAM role permission. That is the complexity of implementation, because cloud-friendly workloads really allow us to do proofs of concept and value in a matter of minutes, to achieve that value. So whether it's a dedicated sandbox for one customer, whether it's a full-blown POC for a complicated organization, whether it's here at the AWS conference or at nonamesecurity.com, we would love to do a free demo, test drive and assessment.
>>Awesome. And now you guys are part of the elite alumni of our Startup Showcase. Yep. Where we feature the hot startups. Obviously it's the security-focused episode; it's about security. You guys have been recognized by the industry and AWS as making it happen. What specifically is your relationship with AWS? Are you guys doing stuff together? Because they're clearly integrating with their partners. Yeah. I mean, they're going to companies and saying, hey, you know what, the more we're integrated, the better security everyone gets. What are you doing with Amazon? Can you share any tidbits? You don't have to share any confidential information, but can you give us a little taste of the relationship?
>>Well, so I think we have the best-case scenario with our relationship with AWS, which is, as a very, very small company, most of our first customers were AWS customers. And so to develop the initial integrations with AWS, what we were able to do is have our customers, oftentimes large public corporations, go to AWS and say, we need that company to be available through your marketplace. We need you to be a partner. And so that partnership with AWS has really gone from zero to 60 miles per hour in a very short period of time. And now being part of the startup program, we have a variety of ways that a customer can work with us, from a direct purchase through the AWS Marketplace, through channel partners and VARs. We really have that footprint now in AWS because our customers are there, and they brought our customers to AWS with us.
>>It's nice. The customers pull you to AWS. Yes. It pulls you more customers. Yep. You get kind of intermingled there, provide the value. And certainly they hyperscale, so...
>>Well, that creates depth of the relationship. So for example, as AWS itself is evolving and changing, new services become available. We are a part of that inner circle, so to speak, to know that we can make sure that our technology is sort of calibrated in advance of that service offering going out to the rest of the world. And so it's a really great vantage point to be in as a startup.
>>Well, Karl, the CISO for Noname Security, you're here on the ground. You partner with AWS. What do you think of the show this year? What's the theme? What's the top story, one or two stories that you think are the most important stories that people should know about happening here in the security world?
>>Well, I don't think it's any surprise that almost every booth in the exhibit hall has the words "cloud native" associated with it. But I also think that's the best thing about it, which is we're seeing companies, and I think Noname is a part of that trend, who have designed capabilities and technologies to take advantage of and lean into what the cloud has to offer rather than compensating. For example, five years ago, when we were all maybe wondering, will the cloud ever be as secure as my own data center? Those days are over. And we now have companies that have built highly sophisticated capabilities here in the exhibit hall that are remarkably better improvements in securing the cloud applications in our environments. So it's a real win for the cloud. It's something of a victory lap. If you hadn't already been there, you should be there at this point.
>>Yeah. And the structural change is happening now, that's clear. And I'd love to get your reaction, if you agree with it, that the ops and security teams are now being pulled up to the level that the developers are succeeding at, meaning that they have to be in the boat together. Yes.
>>Oh, lines of reporting responsibility are becoming less and less meaningful, and that's a good thing. So we're having just as many conversations with developers or API management center of excellence teams, with cloud infrastructure teams, as we are with security teams. And that's a good thing, because we're finally starting to have some degree of convergence around where our interests lie in securing cloud assets.
>>So developers, ops, security all in the boat together. Sync absolutely together, or win together.
>>We win together, but we don't win on day one. We have to practice. Like, we as organizations have to rethink our tech stack. Yeah. But we also have to rethink our organizational models, our processes, to get there.
>>That, and keep the straining boat in low waters. Karl, thanks for coming on. Noname Security. Why the name? Just curious. No name. I love that name, 'cause there's a restaurant here in Boston that used to be... of all the people that know that. Noname Security, why no name?
>>Well, it was sort of accidental. In the company's first few weeks, there's an advisory board of CISOs who provide feedback on seed-stage companies, on their concept of where they're gonna build platforms. And so in the absence of a name, the founders and the original investor filled out a form putting "no name" as the name of this company that was about to develop an API security solution. Well, amongst this board of CISOs, basically there was unanimous feedback that what they needed to do was keep the name. If nothing else, keep the name. No name, it's a brilliant name. And that was very much accidental, really just a circumstance of not having picked one. But a few weeks passed and all of a sudden they were locked in, because sort of by popular vote, no name was...
>>Was formed. Yeah. And now the legacy, the origination story, is now known here on theCUBE. Karl, thanks for coming on. Really appreciate it. Thank you, John. Okay. We're here live on the show floor of AWS re:Inforce in Boston, Massachusetts. I'm John with Dave Vellante, who's out and about getting the stories in the trenches in the analyst meeting. He'll be right back with me shortly. Stay tuned for more Cube coverage after this short break.
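The three posture gaps Karl describes in the interview above, expressed as checks over an API inventory, as an added example (this is not code from the interview or from Noname's product): an API addressable by internal and external systems at once, authentication required by the API's design but not enforced at the gateway route, and an externally reachable route that is not fronted by the WAF. The inventory schema, field names and endpoint names are assumptions constructed for the example.

```python
"""API posture checks over a constructed API inventory.

Added example, not Noname's data model or code. The inventory fields
(exposures, spec_requires_auth, gateway_auth_policy, behind_waf) are
assumptions about what an API inventory would record.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ApiEndpoint:
    name: str
    path: str
    exposures: frozenset        # subset of {"internal", "external"}: where the route is reachable from
    spec_requires_auth: bool    # the API design (e.g. OpenAPI security schemes) demands authentication
    gateway_auth_policy: bool   # an auth policy is actually attached to the gateway route in production
    behind_waf: bool            # the externally reachable route is routed through the WAF


@dataclass(frozen=True)
class Finding:
    api: str
    check: str
    severity: str
    remediation: str


def check_dual_exposure(api: ApiEndpoint) -> Optional[Finding]:
    """Reachable from both internal and external networks at the same time is almost never intended."""
    if {"internal", "external"} <= api.exposures:
        return Finding(api.name, "dual_exposure", "high",
                       "Restrict external reachability (remove the public listener/route) "
                       "unless the public exposure is explicitly approved.")
    return None


def check_auth_gap(api: ApiEndpoint) -> Optional[Finding]:
    """Authentication designed into the API but not applied at the gateway: secure code, insecure runtime."""
    if api.spec_requires_auth and not api.gateway_auth_policy:
        severity = "high" if "external" in api.exposures else "medium"
        return Finding(api.name, "auth_not_enforced_at_gateway", severity,
                       "Attach the authentication policy (e.g. token validation) to the gateway route.")
    return None


def check_waf_coverage(api: ApiEndpoint) -> Optional[Finding]:
    """The WAF cannot protect, or even know about, a route that is not sent through it."""
    if "external" in api.exposures and not api.behind_waf:
        return Finding(api.name, "not_behind_waf", "medium",
                       "Front the external route with the WAF so it is in scope for inspection.")
    return None


CHECKS = (check_dual_exposure, check_auth_gap, check_waf_coverage)


def assess(inventory: List[ApiEndpoint]) -> List[Finding]:
    """Run every posture check against every API in the inventory and collect the findings."""
    findings: List[Finding] = []
    for api in inventory:
        for check in CHECKS:
            finding = check(api)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample inventory for the example; these are not real endpoints.
SAMPLE_INVENTORY = [
    ApiEndpoint("orders-api", "/v1/orders", frozenset({"external"}), True, True, True),
    ApiEndpoint("billing-admin-api", "/v1/admin/billing", frozenset({"internal", "external"}), True, True, True),
    ApiEndpoint("partner-webhook-api", "/v1/partners/webhook", frozenset({"external"}), True, False, True),
    ApiEndpoint("inventory-sync-api", "/v1/inventory/sync", frozenset({"external"}), False, False, False),
    ApiEndpoint("hr-internal-api", "/v1/hr/employees", frozenset({"internal"}), True, False, False),
]


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:6}] {f.api:20} {f.check:28} -> {f.remediation}")
```

Run against the sample inventory, the clean `orders-api` produces nothing, `billing-admin-api` is flagged for dual exposure, `partner-webhook-api` for authentication that the design requires but the gateway does not enforce, `inventory-sync-api` for an external route outside the WAF, and the internal-only `hr-internal-api` for the same auth gap at lower severity. The check for an unenforced auth policy is the one a code-only review misses, because the source code is correct in that case and the defect is in the deployed gateway configuration.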

Published Date : Jul 26 2022


Ed Walsh, ChaosSearch | AWS re:Inforce 2022


 

(upbeat music) >> Welcome back to Boston, everybody. This is the birthplace of theCUBE. In 2010, May of 2010 at EMC World, right in this very venue, John Furrier called it the chowder and lobster post. I'm Dave Vellante. We're here at RE:INFORCE 2022, Ed Walsh, CEO of ChaosSearch. Doing a drive-by, Ed. Thanks so much for stopping in. You're going to help me wrap up in our final editorial segment. >> Looking forward to it. >> I really appreciate it. >> Thank you for including me. >> How about that? 2010. >> That's amazing. It was really in this-- >> Really in this building. Yeah, we had to sort of bury our way in, tunnel our way into the Blogger Lounge. We did four days. >> Weekends, yeah. >> It was epic. It was really epic. But I'm glad they're back in Boston. AWS was going to do June in Houston. >> Okay. >> Which would've been awful. >> Yeah, yeah. No, this is perfect. >> Yeah. Thank God they came back. You saw Boston in summer is great. I know it's been hot, and of course you and I are from this area. >> Yeah. >> So how you been? What's going on? I mean, it's a little crazy out there. The stock market's going crazy. >> Sure. >> Having the tech lash, what are you seeing? >> So it's an interesting time. So I ran a company in 2008. So we've been through this before. By the way, the world's not ending, we'll get through this. But it is an interesting conversation as an investor, but also even the customers. There's some hesitation but you have to basically have the right value prop, otherwise things are going to get sold. So we are seeing longer sales cycles. But it's nothing that you can't overcome. But it has to be something not nice to have, has to be a need to have. But I think we all get through it. And then there is some, on the VC side, it's now buckle down, let's figure out what to do, which is always a challenge for startup plans. >> In pre-2000 you, maybe you weren't a CEO but you were definitely an executive.
And so now it's different and a lot of younger people haven't seen this. You've got interest rates now rising. Okay, we've seen that before but it looks like you've got inflation, you got interest rates rising. >> Yep. >> The consumer spending patterns are changing. You had $6, $7 gas at one point. So you have these weird crosscurrents, >> Yup. >> And people are thinking, "Okay post-September now, maybe because of the recession, the Fed won't have to keep raising interest rates and tightening." But I don't know what to root for. It's like half full, half empty. (Ed laughing) >> But we haven't been in an environment with high inflation. At least not in my career. >> Right. Right. >> I mean, I got into 92, like that was long gone, right? >> Yeah. >> So it is an interesting regime change that we're going to have to deal with, but there's a lot of analogies between 2008 and now that you still have to work through too, right? So, anyway, I don't think the world's ending. I do think you have to run a tight shop. So I think the grow at all costs is gone. I do think discipline's back in which, for most of us, discipline never left, right? So, to me that's the name of the game. >> What do you tell just generally, I mean you've been the CEO of a lot of private companies. And of course one of the things that you do to retain people and attract people is you give 'em stock and it's great and everybody's excited. >> Yeah. >> I'm sure they're excited 'cause you guys are a rocket ship. But so what's the message now that, okay, the market's down, valuations are down, the trees don't grow to the moon, we all know that. But what are you telling your people? What's their reaction? How do you keep 'em motivated? >> So like anything, you want to over communicate during these times. So I actually over communicate, you get all these, you know, the Sequoia decks, 2008 and the recent... >> (chuckles) Rest in peace good times, that one, right? >> I literally share it. Why?
It's like, Hey, this is what's going on in the real world. It's going to affect us. It has almost nothing to do with us specifically, but it will affect us. Now we can't not pay attention to it. It does change how you're going to raise money, so you got to make sure you have the right runway to be there. So it does change what you do, but I think you over communicate. So that's what I've been doing and I think it's more like a student of the game, so I try to share it, and I say some appreciate it, others, I'm just saying, this is normal, we'll get through this and this is what happened in 2008 and trust me, once the market hits bottom, give it another month afterwards. Then everyone says, oh, the bottom's in and we're back to business. Valuations don't go immediately back up, but right now, no one knows where the bottom is and that's where kind of the world's ending type of things. >> Well, it's interesting because you talked about, I said rest in peace good times >> Yeah >> that was the Sequoia deck, and the message was tighten up. Okay, and I'm not saying you shouldn't tighten up now, but the difference is, there was this period of two years of easy money and even before that, it was pretty easy money. >> Yeah. >> And so companies are well capitalized, they have runway so it's like, okay, I was talking to Frank Slootman about this, now of course there are public companies, like we're not taking the foot off the gas. We're inherently profitable, >> Yeah. >> we're growing like crazy, we're going for it. You know? So that's a little bit of a different dynamic. There's a lot of good runway out there, isn't there? >> But also you look at the different companies that were either born or were able to power through those environments are actually better off. You come out stronger in a more dominant position. So Frank, listen, if you see what Frank's done, it's been unbelievable to watch his career, right?
In fact, he was at Data Domain, I was Avamar so, but look at what he's done since, he's crushed it. Right? >> Yeah. >> So for him to say, Hey, I'm going to literally hit the gas and keep going. I think that's the right thing for Snowflake and a right thing for a lot of people. But for people in different roles, I literally say that you have to take it seriously. What you can't be is, well, Frank's in a different situation. What is it...? How many billion does he have in the bank? So it's... >> He's over a billion, you know, over a billion. Well, you're on your way, Ed. >> No, no, no, it's good. (Dave chuckles) Okay, I want to ask you about this concept that we've sort of, we coined this term called Supercloud. >> Sure. >> You could think of it as the next generation of multi-cloud. The basic premise is that multi-cloud was largely a symptom of multi-vendor. Okay. I've done some M&A, I've got some Shadow IT, spinning up, you know, Shadow clouds, projects. But it really wasn't a strategy to have a continuum across clouds. And now we're starting to see ecosystems really build, you know, you've used the term before, standing on the shoulders of giants, you've used that a lot. >> Yep. >> And so we're seeing that. Jerry Chen wrote a seminal piece on Castles in The Cloud, so we coined this term Supercloud to connote this abstraction layer that hides the underlying complexities and primitives of the individual clouds and then adds value on top of it and can adjudicate and manage, irrespective of physical location, Supercloud. >> Yeah. >> Okay. What do you think about that concept? How does it maybe relate to some of the things that you're seeing in the industry? >> So, standing on shoulders of giants, right? So I always like to do hard tech either at big company, small companies. So we're probably your definition of a Supercloud. We had a big vision, how to literally solve the core challenge of analytics at scale. How are you going to do that?
You're not going to build on your own. So literally we're leveraging the primitives, everything you can get out of the Amazon cloud, everything you can get out of Google cloud. In fact, we're even looking at what it can get out of this Snowflake cloud, and how do we abstract that out, add value to it? That's where all our patents are. But it becomes a simplified approach. The customers don't care. Well, they care where their data is. But they don't care how you got there, they just want to know the end result. So you simplify, but you gain the advantages. One thing's interesting is, in this particular company, ChaosSearch, people try to always say, at some point in the sales cycle they say, no way, hold on, no way that can be fast, no way, or whatever the different issue. And initially we used to try to explain our technology, and I would say 60% was explaining the public cloud capabilities and then how we harvest those, I guess, make them better, add value on top, and what you're able to get is something you couldn't get from the public clouds themselves, and then how we did that across public clouds and then extracted it. So if you think about that, like, it's the shoulders of giants. But what we now do, literally to avoid that conversation because it became a lengthy conversation. So, how do you have a platform for analytics that you can't possibly overwhelm for ingest? All your messy data, no pipelines. Well, you leverage things like S3 and EC2, and you do the different security things. You can go to environments, say, you can't possibly overrun me. I could not say that if I didn't literally build on the shoulders of giants of all these public clouds. But the value. So if you're going to do hard tech as a startup, you're going to build, you're going to be the principles of Supercloud.
Maybe they're not the same size of Supercloud just looking at Snowflake, but basically, you're going to leverage all that, you abstract it out and that's where you're able to have a lot of value at that. >> So let me ask you, so I don't know if there's a strict definition of Supercloud. We sort of put it out to the community and said, help us define it. So you got to span multiple clouds. It's not just running in each cloud. There's a metadata layer that kind of understands where you're pulling data from. Like you said you can pull data from Snowflake, it sounds like we're not running on Snowflake, correct? >> No, complementary to them in their different customers. >> Yeah. Okay. >> They want to build on top of a data platform, data apps. >> Right. And of course they're going cross cloud. >> Right. >> Is there a PaaS layer in there? We've said there's probably a Super PaaS layer. You're probably not doing that, but you're allowing people to bring their own, bring your own PaaS sort of thing maybe. >> So we're a little bit different but basically we publish open APIs. We don't have a user interface. We say, keep the user interface. Again, we're solving the challenge of analytics at scale, we're not trying to retrain your analytics, either analysts or your DevOps or your SOC or your SecOps team. They use the tools they already use. Elasticsearch APIs, SQL APIs. So really they program, they build applications on top of us. Equifax is a good example. Case study coming out later on this week, after 18 months in production, but basically they're building, we provide the abstraction layer, the quote, I'm going to kill it, Jeff Tincher, who owns all of SREs worldwide, said to the effect of, Hey, I'm able to rethink what I do for my data pipelines. But then he also talked about how, that he really doesn't have to worry about the data he puts in it. We deal with that. And he just has to, just query on the other side. That simplicity.
We couldn't have done that without that. So anyway, what I like about the definition is, if you were going to do something harder in the world, why would you try to rebuild what Amazon, Google and Azure or Snowflake did? You're going to add things on top. We can still do intellectual property. We're still doing patents. So five granted patents all in this. But literally the abstraction layer is the simplification. The end users do not want to know that complexity, even though they ask the questions. >> And I think too, the other attribute is it's ecosystem enablement. Whereas I think, >> Absolutely >> in general, in the Multicloud 1.0 era, the ecosystem wasn't thinking about, okay, how do I build on top and abstract that. So maybe it is Multicloud 2.0. We chose to use Supercloud. So I'm wondering, we're at the security conference, RE:INFORCE, is there a security Supercloud? Maybe Snyk has the developer Supercloud or maybe Okta has the identity Supercloud. I think CrowdStrike maybe not. 'Cause CrowdStrike competes with Microsoft. So maybe, because Microsoft, what's interesting, Merritt Baer was just saying, look, we don't show up in the spending data for security because we're not charging for most of our security. We're not trying to make a big business. So that's kind of interesting, but is there a potential for the security Supercloud? >> So, I think so. But also, I'll give you one thing I talked to, just today, at least three different conversations where everyone wants to log data. It's a little bit specific to us, but basically they want to do the security data lake. The idea of, and Snowflake talks about this too. But the idea of putting all the data in one repository and then how do you abstract out and get value from it? Maybe not the perfect, but it becomes simple to do but hard to get value out. So the different players are going to do that. That's what we do.
We're able to, once you land it in your S3 or, it doesn't matter, cloud of choice, simple storage, we allow you to get after that data, but we take the primitives and hide them from you. And all you do is query the data and we're spinning up stateless compute to go after it. So then if I look around the floor, there's going to be a bunch of these players. I don't think, why would someone on this floor try to recreate what Amazon or Google or Azure had? They're going to build on top of it. And now the key thing is, do you leave it in standard? And now we're open APIs. People are building on top of my open APIs, or do you try to put 'em in a walled garden? And they're in, now, your Supercloud. Our belief is, part of it is, it needs to be open access and let you go after it. >> Well. And build your applications on top of it openly. >> They come back to Snowflake. That's what Snowflake's doing. And they're basically saying, Hey, come into our proprietary environment. And the benefit is, and I think both can win. There's a big market. >> I agree. But I think the benefit of Snowflake's is, okay, we're going to have federated governance, we're going to have data sharing, you're going to have access to all the ecosystem players. >> Yep. >> And as everything's going to be controlled and you know what you're getting. The flip side of that is, Databricks is the other end >> Yeah. >> of that spectrum, which is no, no, you got to be open. >> Yeah. >> So what's going to happen, well what's happening clearly, is Snowflake's saying, okay, we've got Snowpark. We're going to allow Python, we're going to have Apache Iceberg. We're going to have open source tooling that you can access. By the way, it's not going to be as good as our walled garden, where the flip side of that is you get Databricks coming at it from a data science and data engineering perspective. And there's a lot of gaps in between, aren't there? >> And I think they both win.
Like for instance, so we didn't do Snowpark integration. But we work with people building data apps on top of Snowflake or Databricks. And what we do is, we can add value to that, or what we've done, again, using all the Supercloud stuff we've done. But we deal with the unstructured data, the four V's coming at you. You can't pipeline that to save. So we actually could be additive. As they're trying to do like a security data cloud inside of Snowflake or do the same thing in Databricks. That's where we can play. Now, we play with them at the application level, that they get some data from them and some data from us. But I believe there's a partnership there that will do it inside their environment. To us they're just another large scaler environment that my customers want to get after data. And they want me to abstract it out and give value. >> So it's another repository to you. >> Yeah. >> Okay. So I think Snowflake recently added support for unstructured data. You chose not to do Snowpark because why? >> Well, so the way they're doing the unstructured data is not bad. It's JSON data. Basically, this is the dilemma. Everyone wants their application developers to be flexible, move fast, securely, but just productivity. So you get, give 'em flexibility. The problem with that is analytics on the end want to be structured to be performant. And this is where Snowflake, they have to somehow get that raw data. And it's changing every day because you just let the developers do what they want now, in some structured base, but do what you need to do your business fast and securely. So it completely destroys. So they have large customers trying to do big integrations for this messy data. And it doesn't quite work, 'cause you literally just can't make the pipelines work. So that's where we're complementary, do it. So now, the particular integration wasn't, we need a little bit deeper integration to do that. So we're integrating, actually, at the data app layer.
But we could, see us and I don't, listen. I think Snowflake's a good actor. They're trying to figure out what's best for the customers. And I think we just participate in that. >> Yeah. And I think they're trying to figure out >> Yeah. >> how to grow their ecosystem. Because they know they can't do it all, in fact, >> And we solve the key thing, they just can't do certain things. And we do that well. Yeah, I have SQL but that's where it ends. >> Yeah. >> I do the messy data and how to play with them. >> And when you talk to one of their founders, anyway, Benoit, he comes on theCUBE and he's like, we start with simple. >> Yeah. >> It reminds me of the guy from Pure Storage, that guy Coz, he's always like, no, if it starts to get too complicated. So that's why they said all right, we're not going to start out trying to figure out how to do complex joins and workload management. And they turn that into a feature. So like you say, I think both can win. It's a big market. >> I think it's a good model. And I love to see Frank, you know, move. >> Yeah. I forgot, so you, Avamar... >> In the day. >> You guys used to hate each other, right? >> No, no, no >> No. I mean, it's all good. >> But the thing is, look what he's done. Like I wouldn't bet against Frank. I think it's a good message. You can see clients trying to do it. Same thing with Databricks, same thing with BigQuery. We get a lot of the same dynamic in BigQuery. It's good for a lot of things, but it's not everything you need to do. And there's ways for the ecosystem to play together. >> Well, what's interesting about BigQuery is, it is truly cloud native, as is Snowflake. You know, whereas Amazon Redshift was sort of ParAccel, it's cobbled together now. It's great engineering, but BigQuery gets a lot of high marks. But again, there's limitations to everything. That's why companies like yours can exist. >> And that's why... so back to the Supercloud.
It allows me as a company to participate in that because I'm leveraging all the underlying pieces. Which we couldn't be doing what we're doing now, without leveraging the Supercloud concepts right, so... >> Ed, I really appreciate you coming by, help me wrap up today in RE:INFORCE. Always a pleasure seeing you, my friend. >> Thank you. >> All right. Okay, this is a wrap on day one. We'll be back tomorrow. I'll be solo. John Furrier had to fly out but we'll be following what he's doing. This is RE:INFORCE 2022. You're watching theCUBE. I'll see you tomorrow.

Published Date : Jul 26 2022


Merritt Baer, AWS | AWS re:Inforce 2022


 

>> Hi everybody, welcome back to Boston. You're watching theCUBE's coverage of re:Inforce 2022. Last time we were here live was 2019, had a couple years of virtual. Merritt Baer is here, she's with the Office of the CISO for AWS. Merritt, welcome back to theCUBE, good to see you, thank you for coming on. >> Thank you so much, it's good to be back. >> Um, yes, CISO, chief information security officer, for folks who are acronym phobic. >> Yeah. >> Okay, so what do you do for the office of the, is it CISO or sizzo? Anyway, ah, whatever, is it sim or theme? >> Um, I work in three areas. So I sit in AWS security and I help us do security. We're a shop that runs on AWS. I empathize with folks who are running shops, it is process driven, it takes hard work, but we believe in certain mechanisms and muscle groups, so, you know, I work on getting those better, everything from how we do threat intelligence to how we guardrail employees and think about vending accounts and those kinds of things. I also work in customer-facing interactions, so when a CISO wants to meet AWS's CISO, that's often me. And then the third is product side, so ensuring that everything we deliver, not just security services, are aligned with security best practices and expectations for our customers. >> So I have to ask you right off the bat, so we do a lot of spending surveys, we have a partner, ETR, I look at the data all the time, and for some reason AWS never shows up in the spending metrics. Why do you think that is? Maybe that talks to your strategy. Let's double click on that. >> Yeah, so first of all, um, turn on GuardDuty, get Shield Advanced for the, you know, accounts you need. The 3K is relatively small in a large enterprise event like this. Doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy. It's something that you get from us, it's something that we do for you a lot of the time. I mean, this is the
definition of the shared responsibility model, right? Everything that you interact with on AWS has been subject to the same rigorous standards, and we, AWS security, have umbrella arms around those, but we also ensure that service teams own the security of their service. So a lot of times when I'm talking to CISOs and I say security teams, or sorry, service teams own the security of their service, they're curious, like, how do they not get frustrated? And the answer is we put in a lot of mechanisms to allow those to go through. So there's automation, there are robots that resolve those trouble tickets, you know, like, and we have emissaries, we call them Guardian champions, that are embedded in service teams. At any rate, the point is, I think it's really beautiful the way that customers who are, you know, enabling services in general benefit from the inheritances that they get, and in some definition this is like the value proposition of cloud. When we take care of those lower layers of the stack, we're doing everything from the concrete floors, guards and gates, HVAC, you know, in the case of something like AWS Braket, which is our quantum computing, like we're talking about, you know, near vacuum, uh, environments. Like these are sometimes really intricate and beautiful ways that we take care of stuff that was otherwise manual and ugly. And then we get up and we get really intricate there too. So I gave a talk this morning about DDoS protection, um, and all the stuff that we're doing where we can see, because of our vantage point, the volume, and that leads us to be a leader in volumetric attack signatures, for example. Managed rule sets like that cost you nothing. Turn on your DNS firewall. Like there are ways that you, just as an AWS customer, you inherit our rigorous standards and you also are able to benefit from the rigor with which we, you know, exact ourselves. >> So really you're not trying to make it a huge business, at least as part of your portfolio. It's just, it's embedded, it's there, take advantage
of it. >> I want everyone to be secure, and I will go to bat to say, like, I want you to do it, and if money is a blocker, let's talk about that, because honestly we just want to do the right thing by customers. And I want customers to use more of our services. I genuinely believe that they are enablers. We have pharma companies, um, that have helped enable, you know, personalized medicine and some of the COVID vaccines. We have, you know, like there are ways that this has mattered to people in really intimate ways, um, and then fun ways like Formula One, uh, you know, like there are things that allow us to do more and our customers to do more, and security should be a way of life. It's a way of breathing. You don't wake up and decide that you're going to bolt it on one day. >> Okay, so we heard CJ Moses' keynote this morning. I presume you were listening in. Uh, we heard a lot about, you know, cool tools, you know, threat detection and DevOps and container security, but he did explicitly talk about how AWS is simplifying the life of the CISO. So what are you doing in that regard? And what's that, let's just leave it there for now. >> I talk to CISOs every day, and I think, um, most of them have two main concerns. One is how to get their organization to grow up, like to understand what security looks like in a cloudy way. Um, and that means that, you know, your login monitoring is going to be the forensics. It's not going to be getting into the host, that's on our side, right? And that's a luxury. Like I think there are elements of the CISO job that have changed, but that even if, you know, CJ didn't explicitly call them out, these are beauties, things like, um, least privilege that you can accomplish using Access Analyzer, and all these ways that Inspector, for example, does network reachability, and then all of these get piped to Security Hub, and there's just ways that make it more accessible than ever to be a CISO and to enable and embolden your people. The second side is how CISOs are thinking about changing their organization,
so what are you reporting to the board, um, how are you thinking about hiring, and, um, on the metrics side, I would say, you know, being, and I get a lot of questions that are like, how do we exhibit a culture of security? And my answer is, you do it. You just start doing it. Like you make it so that your VPs have to answer trouble tickets. You may, and I don't mean literally like every trouble ticket, but I mean they are 100, executives will say that they care about security, but so what? Like, you know, set up your organization to be responsive to security and to, um, have to answer to them, because it matters, and notice that, because a non-decision is a decision. And the other side is workforce, right? And I think, um, I see a lot of promise, some of it unfulfilled, in folks being hired to look different than traditional security folks and act different, and maybe a first grade teacher or an architect or an artist, and who don't consider themselves like particularly technical. Like the gorgeousness of cloud is that you can, one, teach yourself this. I mean, I didn't go to school for computer science. Like this is the kind of thing we all have to teach ourselves. But also you can abstract on top of stuff, so you're not writing code every day necessarily, although if you are, that's awesome and we love DevOps folks. But, you know, there's a lot of ways in which the machine of the security organization is suggesting, I think CJ was, to answer your question pointedly, I think CJ was trying to be really responsive to, like, all the stuff we're giving you, all the goodness, all the sprinkles on your cupcake, not at all the organizational stuff that is kind of like, you know, the good stuff that we know we need to get into. >> So I think, so you're saying it's inherent, it's inherently helping the CISO, uh, her life, his life, become less complex. And I feel like the cloud, you said the customers are trying to become, make their security more cloudy, so I feel like the cloud has become the first line of defense
now the cso your customer see so is the second line of defense maybe the audit is the third line what does that mean for the role of the the cso how is that they become a compliance officer what does that mean no no i think actually increasingly they are married or marriable so um when you're doing so for example if you are embracing [Music] ephemeral and immutable infrastructure then we're talking about using something like cloud formation or terraform to vend environments and you know being able to um use control tower and aws organizations to dictate um truisms through your environment you know like there are ways that you are basically in golden armies and you can come back to a known good state you can embrace that kind of cloudiness that allows you to get good to refine it to kill it and spin up a new infrastructure and that means though that like your i.t and your security will be woven in in a really um lovely way but in a way that contradicts certain like existing structures and i think one of the beauties is that your compliance can then wake up with it right your audit manager and your you know security hub and other folks that do compliance as code so you know inspector for example has a tooling that can without sending a single packet over the network do network reachability so they can tell whether you have an internet facing endpoint well that's a pci standard you know but that's also a security truism you shouldn't have internet facing endpoints you don't approve up you know like so these are i think these can go in hand in hand there are certainly i i don't know that i totally disregard like a defense in-depth notion but i don't think that it's linear in that way i think it's like circular that we hope that these mechanisms work together that we also know that they should speak to each other and and be augmented and aware of one another so an example of this would be that we don't just do perimeter detection we do identity-based fine-grained 
controls and that those are listening to and reasoned about using tooling that we can do using security yeah we heard a lot about reasoning as well in the keynote but i want to ask about zero trust like aws i think resisted using that term you know the industry was a buzzword before the pandemic it's probably more buzzy now although in a way it's a mandate um depending on how you look at it so i mean you anything that's not explicitly allowed is denied in your world and you have tools and i mean that's a definition if it's a die that overrides if it's another it's a deny call that will override and allow yeah that's true although anyway finish your question yeah yeah so so my it's like if there's if there's doubt there's no doubt it seems in your world but but but you have a lot of capabilities seems to me that this is how you you apply aws internal security and bring that to your customers do customers talk to you about zero trust are they trying to implement zero trust what's the best way for them to do that when they don't have that they have a lack of talent they don't have the skill sets uh that it and the knowledge that aws has what are you hearing from customers in that regard yeah that's a really um nuanced phrasing which i appreciate because i think so i think you're right zero trust is a term that like means everything and nothing i mean like this this notebook is zero trust like no internet comes in or out of it like congratulations you also can't do business on it right um i do a lot of business online you know what i mean like you can't uh transact something to other folks and if i lose it i'm screwed yeah exactly i usually have a water bottle or something that's even more inanimate than your notebook um but i guess my point is we i don't think that the term zero trust is a truism i think it's a conceptual framework right and the idea is that we want to make it so that someone's position in the network is agnostic to their permissioning so whereas in 
the olden days like a decade ago um we might have assumed that when you're in the perimeter you just accept everything um that's no longer the right way to think about it and frankly like covid and work from home may have accelerated this but this was ripe to be accelerated anyway um what we are thinking about is both like you said under the network so like the network layer are we talking about machine to machine are we talking about like um you know every api call goes over the open internet with no inherent assurances human to app or it's protected by sig v4 you know like there is an inherent zero trust case that we have always built this goes back to a jeff bezos mandate from 2002 that everything be an api call that is again this kind of like building security into it when we say security is job zero it not only reflects the fact that like when you build a terraform or a cloud formation template you better have permission things appropriately or try to but also that like there is no cloud without security considerations you don't get to just bolt something on after the fact so that being said now that we embrace that and we can reason about it and we can use tools like access analyzer you know we're also talking about zero trust in that like i said augmentation identity centric fine grained controls so an example of this would be a vpc endpoint policy where it is a perm the perimeter is dead long live the perimeter right you'll have your traditional perimeter your vpc or your vpn um augmented by and aware of the fine-grained identity-centric ones which you can also reason about prune down continuously monitor and so on and that'll also help you with your logging and monitoring because you know what your ingress and egress points are how concerned should people be with quantum messing up all the encryption algos oh it's stopping created right okay so but we heard about this in the keynote right so is it just a quantum so far off by the time we get there is it 
like a y2k you're probably not old enough to remember y2k but y2k moment right i mean i can't take you anywhere what should we um how should we be thinking about quantum in the context of security and sure yeah i mean i think we should be thinking about quantum and a lot of dimensions as operationally interesting and how we can leverage i think we should be thinking about it in the security future for right now aes256 is something that is not broken so we shouldn't try to fix it yeah cool encrypt all the things you can do it natively you know like i love talking about quantum but it's more of an aspirational and also like we can be doing high power compute to solve problems you know but like for it to get to a security uh potentially uh vulnerable state or like something that we should worry about is a bit off yeah and show me an application that can yeah and i mean and i think at that point we're talking about homomorphic improvements about another thing i kind of feel the same way is that you know there's a lot of hype around it a lot of ibm talks about a lot you guys talked about in your keynote today and when i really talk to people who understand this stuff it seems like it's a long long way off i don't think it's a long long way off but everything is dog years in tech world but um but for today you know like for today encrypt yourself we will always keep our encryption up to standard and you know that will be for now like the the industry grade standard that folks i mean like i i have i have never heard of a case where someone had their kms keys broken into i um i always ask like awesome security people this question did you like how did you get into this did you have like did you have a favorite superhero as a kid that was going to save the world i um was always the kid who probably would have picked up a book about the cia and i like find this and i don't remember who i was before i was a security person um but i also think that as a woman um from an 
american indian family walking through the world i think about the relationship between dynamics with the government and companies and individuals and how we want to construct those and the need for voices that are observant of the ways that those interplay and i always saw this as a field where we can do a lot of good yeah amazing merritt thanks so much for coming on thecube great guest john said you would be really appreciate your time of course all right keep it ready you're very welcome keep it right there this is dave vellante for the cube we'll be right back at aws reinforced 2022 from boston keep right there [Music]

Published Date : Jul 26 2022

Jay Bretzmann & Philip Bues, IDC | AWS re:Inforce 2022

(upbeat music) >> Okay, welcome back everyone. theCUBE's coverage here in Boston, Massachusetts, AWS re:Inforce 22, security conference. It's AWS' big security conference. Of course, theCUBE's here, all the re:Invent, the re's, re:MARS, re:Inforce. We cover 'em all now and the summits. I'm John Furrier, my host Dave Vellante. We have IDC weighing in here with their analysts. We've got some great guests here, Jay Bretzmann, research VP at IDC, and Philip Bues, research manager for Cloud security. Gentlemen, thanks for coming on. >> Thank you. >> Appreciate it. Great to be here. >> Appreciate you coming. >> Got a full circle, right? (all laughing) Security's more interesting than storage, isn't it? (all laughing) >> Dave and Jay worked together. This is a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE Discover a while back and really the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys are doing great work. We appreciate your time. I want to get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that we didn't hear. What's your reaction to the keynote? Share your assessment. >> So, you know, I manage two different research services at IDC right now. They are both Cloud security and identity and digital security, right? And what was really interesting is the intersection between the two this morning, because every one of those speakers that came on had something to say about identity or least privileged access, or enable MFA, or make sure that you control who gets access to what and deny explicitly. And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And at RSA, that was another big theme at the RSA conference, MFA everywhere. Why don't they use it? Because it introduces friction and all of a sudden people can't get their jobs done. 
And the whole point of a network is letting people on to get that data they want to get to. So that was kind of interesting, but as we have in the industry, this shared responsibility model for Cloud computing, we've got shared responsibility between Philip and I. (Philip laughing) I have done in the past more security of the Cloud and Philip is more security in the Cloud. >> So yeah. >> And now with Cloud operation Super Cloud, as we call it, you have on premises, private Cloud coming back, or hasn't really gone anywhere, all that on premises, Cloud operations, public Cloud, and now edge exploding with new requirements. It's really an ops challenge right now. Not so much dev. So the sec and op side is hot right now. >> Yeah, well, we've made this move from monolithic to microservices based applications. And so during the keynote this morning, the announcement around the GuardDuty Malware Protection component, and that being built into the pricing of current GuardDuty, I thought was really key. And there was also a lot of talk about partnering in security certifications, which is also so very important. So we're seeing this move towards filling in that talent gap, which I think we're all aware of in the security industry. >> So Jay, square the circle for me. So Kurt Kufeld talked about Amazon AWS identity, where does AWS leave off, and companies like Okta or Ping Identity or CyberArk, how are they working together? Does it just create more confusion and more tools for customers? We know the overused word of seamless. >> Yeah, yeah. >> It's never seamless, so how should we think about that? >> So, identity has been around for 35 years or something like that. Started with the mainframes and all that. And if you understand the history of it, you make more sense of the current market. You have to know where people came from and the baggage they're carrying, 'cause they're still carrying a lot of that baggage. 
Now, when it comes to the Cloud Service providers, they're more an accommodation from the identity standpoint. Let's make it easy inside of AWS to let you single sign on to anything in the Cloud that they have, right? Let's also introduce an additional MFA capability to keep people safer whenever we can and provide people with tools, to get into those applications somewhat easily, while leveraging identities that may live somewhere else. So there's a whole lot of the world that is still Active Directory-centric, right? There's another portion of companies that were born in the Cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the Cloud. So, like I said, if you understand where people came from in the beginning, you start to say, "Yeah, this makes sense." >> It's interesting you talk about mainframe. I always think about RACF, you know. And I say, "Okay, who did what, when, where?" And you hear about a lot of those themes. So what's the best practice for MFA, that's non-SMS-based? Is it you got to wear something around your neck, is it to have sort of a third party authenticator? What are people doing that you guys would recommend? >> Yeah, one quick comment about adoption of MFA. If you ask different suppliers, what percent of your base that does SSO also does MFA, one of the biggest suppliers out there, Microsoft, will tell you it's under 25%. That's pretty shocking. All the messaging that's come out about it. So another big player in the market was called Duo, Cisco bought them. >> Yep. >> And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA, it's called Push. And Push can be a red X and a green check mark to your phone, it can be a QR code, somewhere, it can be an email push as well. So that is the next easiest thing to adopt after SMS. 
And as you know, SMS has been denigrated by NIST and others saying, it's susceptible to man-in-the-middle attacks. It's built on a telephony protocol called SS7. Predates anything, there's no certification either side. The other real dynamic in identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things, network sessions, data encryption, well, identity increasingly. And a lot of the consumers and especially the work from anywhere people these days have access through smart devices. And what you can do there, is you can have an agent on that smart device, generate your private key and then push out a public key and so the private key never leaves your device. That's one of the most secure ways to- >> So if our SIM card gets hacked, you're not going to be as vulnerable? >> Yeah, well, the SIM card is another challenge associated with the older ways, but yeah. >> So what do you guys think about the open source connection and they mentioned it up top. Don't bolt on security, implying shift left, which is embedding it in, like Snyk, companies like Snyk do that. Very container oriented, a lot of Kubernetes kind of Cloud native services. So I want to get your reaction to that. And then also this reasoning angle they brought up. Kind of a higher level AI reasoning decisions. So open source, and this notion of AI reasoning, or AI reason. >> And you see more open source discussion happening, so you have your building, maintaining and vetting of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve, as you know, open source continues to proliferate. Around the automated reasoning, I think that makes sense. You want to provide guide rails and you want to provide roadmaps and you want to have sort of that guidance as to, okay, what's a correlation analysis of different tools and products? And so I think that's going to go over really well, yeah. 
>> One of the other key points about open source is, everybody's in a multi-cloud world, right? >> Yeah. >> And so they're worried about vendor lock-in. They want an open source code base, so that they don't experience that. >> Yeah, and they can move the code around, and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So they mentioned encrypt everything which is great and I message by the way, I love that one. But oh, and he mentioned data at rest. I'm like, "What about data in flight? "Didn't hear that one." So one of the things we're seeing with SuperCloud, and now multi-cloud kind of as destinations of that, is that in digital transformation, customers are leaning into owning their data flows. >> Yeah. >> Independent of say the control plane aspects of what could come in. This is huge implications for security, where sharing data is huge, even Schmidt on stage said, we have billions and billions of things happening that we see things that no one else sees. So that implies, they're sharing- >> Quadrillion. >> Trillion, 15 zeros. (Jay laughs) >> 15 zeros. >> So that implies they're sharing that or using that, pushing that into something. So sharing is huge with cyber security. So that implies open data, data flows. How do you guys see this evolving? I know it's kind of emerging, but it's becoming a nuanced point, that's critical to the architecture. >> Well, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives, from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall. >> Depending upon the supplier, it's either an aggregate level of intelligence that has been anonymized or it's specific intelligence for your environment that everybody's got a threat feed, maybe two or three, right? 
(John laughs) But back to the encryption point, I mean, I was working for an encryption startup for a little while after I left IBM, and the thing is that people are scared of it. They're scared of key management and rotation. And so when you provide- >> Because they might lose the key. >> Exactly. >> Yeah. >> It's like shooting yourself in the foot, right? So that's when you have things like, KMS services from Amazon and stuff that really help out a lot. And help people understand, okay, I'm not alone in this. >> Yeah, crypto owners- >> They call that hybrid, the hybrid key, they don't know how they call the data, they call it the hybrid. What was that? >> Key management service? >> The hybrid- >> Oh, hybrid HSM, correct? >> Yeah, what is that? What is that? I didn't get that. I didn't understand what he meant by the hybrid post quantum key agreement. >> Hybrid post quantum key exchange. >> AWS never made a product name that didn't have four words in it. (John laughs) >> But he did reference the new NIST algos. And I think I inferred that they were quantum proof or they claim to be, and AWS was testing those. >> Correct, yeah. >> So that was kind of interesting, but I want to come back to identity for a second. So, this idea of bringing traditional IAM and Privileged Access Management together, is that a pipe dream, is that something that is actually going to happen? What's the timeframe, what's your take on that? >> So, there are aspects of privilege in every sort of identity. Back when it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users, admins and users. These days, everybody has some aspect of- >> It's a real spectrum, really. >> Yeah. >> Granular. >> You got the C-suite, the finance people, the DevOps people, even partners and whatever. They all need some sort of privileged access, and the term you hear so much is least-privileged access, right? 
Shut it down, control it. So, in some of my research, I've been saying that vendors who are in the PAM space, Privileged Access Management space, will probably be growing their suites, playing a bigger role, building out a stack, because they have the expertise and the perspective that says, "We should control this better." How do we do that, right? And we've been seeing that recently. >> Is that a combination of old kind of antiquated systems meets for proprietary hyper scale, or kind of like build your own? 'Cause I mean, Amazon, these guys, Facebook, they all build their own stuff. >> Yes, they do. >> Then enterprises buy services from general purpose identity management systems. >> So as we were talking about knowing the past and whatever, Privileged Access Management used to be about compliance reporting. Just making sure that I knew who accessed what? And could prove it, so I didn't fail at all. >> It wasn't a critical infrastructure item. >> No, and now these days, what it's transitioning into, is much more risk management, okay. I know what our risk is, I'm ahead of it. And the other thing in the PAM space, was really session monitoring. Everybody wanted to watch every keystroke, every screen scrape, all that kind of stuff. A lot of the new Privileged Access Management, doesn't really require that. It's a nice to have feature. You kind of need it on the list, but is anybody really going to implement it? That's the question, right. And then if you do all that session monitoring, does anybody ever go back and look at it? There's only so many hours in the day. >> How about passwordless access? (Jay laughs) I've heard people talk about that. I mean, that's as a user, I can't wait but- >> Well, it's somewhere we want to all go. We all want identity security to just disappear and be recognized when we log in. So the thing with passwordless is, there's always a password somewhere. And it's usually part of a registration action. 
I'm going to register my device with a username password, and then beyond that I can use my biometrics, right? I want to register my device and get a private key, that I can put in my enclave, and I'll use that in the future. Maybe it's got Touch ID, maybe it doesn't, right? So even though there's been a lot of progress made, it's not quote, unquote, truly passwordless. There's a group, industry standards group called FIDO. Which is Fast Identity Online. And what they realized was, these whole registration passwords, that's really a single point of failure. 'Cause if I can't recover my device, I'm in trouble. So they just did a new extension to sort of what they were doing, which provides you with much more of like an iCloud vault that you can register that device in and other devices associated with that same identity. >> Get you to it if you have to. >> Exactly. >> I'm all over the place here, but I want to ask about ransomware. It may not be your wheelhouse. But back in the day, Jay, remember you used to cover tape. All the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do. Air gaps wasn't one of them. I was really surprised 'cause that's all anybody ever talks about is air gaps and a lot of times that air gap could be a guess to the Cloud, I guess, I'm not sure. What are you guys seeing on ransomware apps? >> We've done a lot of great research around ransomware as a service and ransomware, and we just had some data come out recently, that I think in terms of spending and spend, and as a result of the Ukraine-Russia war, that ransomware assessments rate number one. And so it's something that we encourage, when we talk to vendors and in our services, in our publications that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, as well and then security and training ranked very highly as well. 
So, we want to make sure that all of these areas are being funded well to try and stay ahead of the curve. >> Yeah, I was surprised to not see air gaps on the list, that's all everybody talks about. >> Well, the old model for air gapping in the LAN days, the Novell days, you took your tapes home and put them in the sock drawer. (all laughing) >> Well, it's a form of air gap. (all laughing) >> Security and no one's going to go there and clean out. >> And then the internet came around and ruined it. >> Guys, final question we want to ask you, guys, we kind of zoom out, great commentary by the way. Appreciate it. We've seen this in many markets, a collection of tools emerge and then there's its tool sprawl. So cyber we're seeing the trend now where mon goes up on stage of all the ecosystems, probably other vendors doing the same thing where they're organizing a platform on top of AWS to be this super platform, for super Cloud capability by building a more platform thing. So we're saying there's a platform war going on, 'cause customers don't want the complexity. I got a tool but it's actually making it more complex if I buy the other tool. So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean tools won't go away, but they have to be easier. >> Yeah, we do see a consolidation of functionality and services. And we've been seeing that, I think through a 2020 Cloud security survey that we released that was definitely a trend. And that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk and write about all the time so... >> Couple of years ago, I called the Amazon tool set an erector set because it really required assembly. And you see the emphasis on training here too, right? You definitely need to go to AWS University to be competent. >> It wasn't Lego blocks yet. >> No. >> It was an erector set. >> Yeah. >> Very good distinction. 
>> Loose. >> And you lose a few. (chuckles) >> But still too many tools, right? You see, we need more consolidation. It's getting interesting because a lot of these companies have runway and you look at SailPoint, its stock price held up 'cause of the Thoma Bravo acquisition, but all the rest of the cyber stocks have been crushed, especially the high flyers, like a SentinelOne or a CrowdStrike, but there's still M&A opportunity. >> So platform wars. Okay, final thoughts. What do you think is happening next? What's your outlook for the next year or so? >> So, in the identity space, I'll talk about, Philip can cover Cloud for us. It really is more consolidation and more adoption of things that are beyond simple SSO. It was, just getting on the systems and now we really need to control what you're able to get to and who you are. And do it as transparently as we possibly can, because otherwise, people are going to lose productivity. They're not going to be able to get to what they want. And that's what causes the C-suite to say, "Wait a minute," DevOps, they want to update the product every day. Make it better. Can they do that or did security get in the way? People, every once in a while call security, the Department of No, right? >> They ditch it on stage. They want to be the Department of Yes. >> Exactly. >> Yeah. >> And the department that creates additional value. If you look at what's going on with B2C or CIAM, consumer oriented identity, that is all about opening up new direct channels and treating people like they're old friends, not like you don't know them, you have to challenge them. >> We always say, you want to be in the boat together, it sinks or not. >> Yeah. Exactly. >> Philip I'm glad- >> Okay, what's your take? What's your outlook for the year? >> Yeah, I think, something that we've been seeing is consolidation and integration, and so companies looking at from build time to run time, investing in shift left, infrastructure as code. 
And then also in the runtime detection, makes perfect sense to have both the agent and agentless so that you're covering any of the gaps that might exist. >> Awesome, Jay, Philip, thanks for coming on "theCUBE" with IDC and sharing your- >> Oh, our pleasure- >> Perspective, commentary and insights and outlook. Appreciate it. >> You bet. >> Thank you. >> Okay, we've got the great direction here from IDC analysts here on theCUBE. I'm John Furrier, Dave Vellante. Be back more after this short break. (bright upbeat music)

Published Date : Jul 26 2022

Ameesh Divatia, Baffle | AWS re:Inforce 2022


 

(upbeat music) >> Okay, welcome back everyone in live coverage here at theCUBE, Boston, Massachusetts, for AWS re:inforce 22 security conference for Amazon Web Services. Obviously re:Invent at the end of the year is the big celebration, "re:Mars" is the new show that we've covered as well. The res are here with theCUBE. I'm John Furrier, host with a great guest, Ameesh Divatia, co-founder, and CEO of a company called "Baffle." Ameesh, thanks for joining us on theCUBE today, congratulations. >> Thank you. It's good to be here. >> And we got the custom encrypted socks. >> Yup, limited edition >> 64-bit or 128. >> Base 64 encoding. >> Okay.(chuckles) >> Secret message in there. >> Okay.(chuckles) Secret message.(chuckles) We'll have to put a little meme on the internet, figure it out. Well, thanks for comin' on. You guys are goin' hot right now. You guys are a hot startup, but you're in an area that's going to explode, we believe. >> Yeah. >> The SuperCloud is here, we've been covering that on theCUBE that people are building on top of the Amazon Hyperscalers. And without the capex, they're building platforms. The application tsunami has come and is still coming, it's not stopping. Modern applications are faster, they're better, and they're driving a lot of change under the covers. >> Absolutely. Yeah. >> And you're seeing structural change happening in real time, in ops, the network. You guys got something going on in the encryption area. >> Yes >> Data. Talk about what you guys do. >> Yeah. So we believe very strongly that the next frontier in security is data. We've had multiple waves in security. The next one is data, because data is really where the threats will persist. If the data shows up in the wrong place, you get into a lot of trouble with compliance. So we believe in protecting the data all the way down at the field, or record level. That's what we do. >> And you guys doing all kinds of encryption, or other things? >> Yes.
So we do data transformation, which encompasses three different things. It can be tokenization, which is format preserving. We do real encryption with counter mode, or we can do masked views. So tokenization, encryption, and masking, all with the same platform. >> So pretty wide ranging capabilities with respect to having that kind of safety. >> Yes. Because it all depends on how the data is used down the road. Data is created all the time. Data flows through pipelines all the time. You want to make sure that you protect the data, but don't lose the utility of the data. That's where we provide all that flexibility. >> So Kurt was on stage today on one of the keynotes. He's the VP of the platform at AWS. >> Yes. >> He was talking about encrypt everything. He said it needs, we need to rethink encryption. Okay, okay, good job. We like that. But then he said, "We have encryption at rest." >> Yes. >> That's kind of been there, done that. >> Yes. >> And, in-flight? >> Yeah. That's been there. >> But what about in-use? >> So that's exactly what we plug. What happens right now is that data at rest is protected because of disks that are already self-encrypting, or you have transparent data encryption that comes native with the database. You have data in-flight that is protected because of SSL. But when the data is actually being processed, it's in the memory of the database or datastore, it is exposed. So the threat is, if the credentials of the database are compromised, as happened back then with Starwood, or if the cloud infrastructure is compromised with some sort of an insider threat like a Capital One, that data is exposed. That's precisely what we solve by making sure that the data is protected as soon as it's created. We use standard encryption algorithms, AES, and we either do format preserving, or true encryption with counter mode. And that data, it doesn't really matter where it ends up, >> Yeah. >> because it's always protected. >> Well, that's awesome.
And I think this brings up the point that we've been covering on SiliconAngle and theCUBE, is that there's been structural change that's happened, >> Yes. >> called cloud computing, >> Yes. >> and then hybrid. Okay. Scale, role of data, higher level abstraction of services, developers are in charge, value creations, startups, and big companies. That success is causing now, a new structural change happening now. >> Yes. >> This is one of them. What areas do you see that are happening right now that are structurally changing, that's right in front of us? One is, more cloud native. So the success has become now the problem to solve - >> Yes. >> to get to the next level. >> Yeah. >> What are those, some of those? >> What we see is that instead of security being an afterthought, something that you use as a watchdog, you create ways of monitoring where data is being exposed, or data is being exfiltrated, you want to build security into the data pipeline itself. As soon as data is created, you identify what is sensitive data, and you encrypt it, or tokenize it as it flows into the pipeline using things like Kafka plugins, or what we are very clearly differentiating ourselves with is, proxy architectures so that it's completely transparent. You think you're writing to the datastore, but you're actually writing to the proxy, which in turn encrypts the data before it's stored. >> Do you think that's an efficient way to do it, or is it the only way to do it? >> It is a much more efficient way of doing it because of the fact that you don't need any app-dev resources. There are many other ways of doing it. In fact, the cloud vendors provide development kits where you can just go do it yourself. So that is actually something that we completely avoid. And what makes it really, really interesting is that once the data is encrypted in the data store, or database, we can do what is known as "Privacy Enhanced Computation." >> Mm.
>> So we can actually process that data without decrypting it. >> Yeah. And so proxies then, with cloud computing, can be very fast, not a bottleneck that could be. >> In fact, the cloud makes it so. It's very hard to - >> You believe that? >> do these things in static infrastructure. In the cloud, there's an infinite amount of processing available, and there's containerization. >> And you have good network. >> You have very good network, you have load balancers, you have ways of creating redundancy. >> Mm. So the cloud is actually enabling solutions like this. >> And the old way, proxies were seen as an architectural fail, in the old antiquated static web. >> And this is where startups don't have the baggage, right? We didn't have that baggage. (John laughs) We looked at the problem and said, of course we're going to use a proxy because this is the best way to do this in an efficient way. >> Well, you bring up something that's happening right now that I hear a lot of CSOs and CIOs and executives say, CXOs say all the time, "Our", I won't say the word, "Our stuff has gotten complicated." >> Yes. >> So now I have tool sprawl, >> Yeah. >> I have skill gaps, and on the rise, all these new managed services coming at me from the vendors who have never experienced my problem. And their reaction is, they don't get my problem, and they don't have the right solutions, it's more complexity. They solve the complexity by adding more complexity. >> Yes. I think we, again, the proxy approach is very simple. >> That you're solving that with that approach. >> Exactly. It's very simple. And again, we don't get in the way. That's really the biggest differentiator. The forcing function really here is compliance, right? Because compliance is forcing these CSOs to actually adopt these solutions. >> All right, so love the compliance angle, love the proxy as an ease of use, take the heavy lifting away, no operational problems, and deviations. Now let's talk about workloads. >> Yeah.
>> 'Cause this is where the use is. So you got, or workloads being run large scale, lot of data moving around, computin' as well. What's the challenge there? >> I think it's the volume of the data. Traditional solutions that were relying on legacy tokenization, I think, would replicate the entire storage because it would create a token vault, for example. You cannot do that at this scale. You have to do something that's a lot more efficient, which is where you have to do it with a cryptography approach. So the workloads are diverse, lots of large files in the workloads as well as structured workloads. What we have is a solution that actually goes across the board. We can do unstructured data with HTTP proxies, we can do structured data with SQL proxies. And that's how we are able to provide a complete solution for the pipeline. >> So, I mean, how about the on-premise versus the cloud workload dynamic right now. Hybrid is a steady state right now. >> Yeah. >> Multi-cloud is a consequence of having multiple vendors, not true multi-cloud but like, okay, they have Azure there, AWS here, I get that. But hybrid really is the steady state. >> Yes. >> Cloud operations. How are the workloads and the analytics, the data being managed on-prem, and in the cloud, what's their relationship? What's the trend? What are you seeing happening there? >> I think the biggest trend we see is pipelining, right? The new ETL is streaming. You have these Kafka and Kinesis capabilities that are coming into the picture where data is being ingested all the time. It is not a one time migration. It's a stream. >> Yeah. >> So plugging into that stream is very important from an ingestion perspective. >> So it's not just a watchdog. >> No. >> It's the pipelining. >> It's built in. It's built-in, it's real time, that's where the streaming gets another diverse access to data. >> Exactly. >> Data lakes. You got data lakes, you have pipeline, you got streaming, you mentioned that.
So talk about the old school OLTP, the old BI world. I think Power BI's like a $30 billion product. >> Yeah. >> And you got Tableau built on OLTP building cubes. Aren't we just building cubes in a new way, or, >> Well. >> is there any relevance to the old school? >> I think there, there is some relevance and in fact that's again, another place where the proxy architecture really helps, because it doesn't matter when your application was built. You can use Tableau, which nobody has any control over, and still process encrypted data. And so can Power BI; any SQL application can be used. And that's actually exactly what we like to. >> So we were, I was talking to your team, I knew you were coming on, and they gave me a sound bite that I'm going to read to the audience and I want to get your reaction to. >> Sure. >> 'Cause I love this. I fell out of my chair when I first read this. "Data is the new oil." In 2010 that was mentioned here on theCUBE, of course. "Data is the new oil, but we have to ensure that it does not become the next asbestos." Okay. That is really clever. So we all know about asbestos. I add to the Dave Vellante, "Lead paint too." Remember lead paint? (Ameesh laughs) You got to scrape it out and repaint the house. Asbestos obviously causes a lot of cancer. You know, joking aside, the point is, it's problematic. >> It's the asset. >> Explain why that sentence is relevant. >> Sure. It's the assets and liabilities argument, right? You have an asset which is data, but thanks to compliance regulations and Gartner says 75% of the world will be subject to privacy regulations by 2023. It's a liability. So if you don't store your data well, if you don't process your data responsibly, you are going to be liable. So while it might be the oil and you're going to get lots of value out of it, be careful about the, the flip side.
>> And the point is, there could be the "Grim Reaper" waiting for you if you don't do it right, the consequences that are quantified would be being out of business. >> Yes. But here's something that we just discovered actually from our survey that we did. While 93% of respondents said that they have had lots of compliance related effects on their budgets. 75% actually thought that it makes them better. They can use the security postures as a competitive differentiator. That's very heartening to us. We don't like to sell the fear aspect of this. >> Yeah. We like to sell the fact that you look better compared to your neighbor, if you have better data hygiene, back to the. >> There's the fear of missing out, or as they say, "Keeping up with the Joneses", making sure that your yard looks better than the next one. I get the vanity of that, but you're solving real problems. And this is interesting. And I want to get your thoughts on this. I found, I read that you guys protect more than a 100 billion records across highly regulated industries. Financial services, healthcare, industrial IOT, retail, and government. Is that true? >> Absolutely. Because what we are doing is enabling SaaS vendors to actually allow their customers to control their data. So we've had the SaaS vendor who has been working with us for over three years now. They store confidential data from 30 different banks in the country. >> That's a lot of records. >> That's where the record, and. >> How many customers do you have? >> Well, I think. >> The next round of funding's (Ameesh laughs) probably they're linin' up to put money into you guys. >> Well, again, this is a very important problem, and there are, people's businesses are dependent on this. We're just happy to provide the best tool out there that can do this. >> Okay, so what's your business model behind? I love the success, by the way, I wanted to quote that stat to one verify it. What's the business model service, software? 
>> The business model is software. We don't want anybody to send us their confidential data. We embed our software into our customers' environments. In case of SaaS, we are not even visible, we are completely embedded. We are doing other relationships like that right now. >> And they pay you how? >> They pay us based on the volume of the data that they're protecting. >> Got it. >> That in that case, which is large customers, large enterprise customers. >> Pay as you go. >> It is pay as you go, everything is annual licenses. Although, multi-year licenses are very common because once you adopt the solution, it is very sticky. And then for smaller customers, we do base our pricing also just on databases. >> Got it. >> The number of databases. >> And the technology just reviewed low-code, no-code implementation kind of thing, right? >> It is by definition, no code when it comes to proxy. >> Yeah. >> When it comes to API integration, it could be low code. Yeah, it's all cloud-friendly, cloud-native. >> No disruption to operations. >> Exactly. >> That's the culprit. >> Well, yeah. >> Well somethin' like non-disruptive operations.(laughs) >> No, actually I'll give an example of a migration, right? We can do live migrations. So while the databases are still alive, as you write your. >> Live secure migrations. >> Exactly. You're securing - >> That's the one that manifests. >> your data as it migrates. >> Alright, so how much funding have you guys raised so far? >> We raised 36 and a half, series A, and B now. We raised that late last year. >> Congratulations. >> Thank you. >> Who's the venture funders? >> True Ventures is our largest investor, followed by Celesta Capital, National Grid Partners is an investor, and so is Engineering Capital and Clear Vision Ventures. >> And the seed and it was from Engineering? >> Seed was from Engineering. >> Engineering Capital. >> And then True came in very early on. >> Okay.
>> Greenspring is also an investor in us, so is Industrial Ventures. >> Well, privacy is a big concern, big application for you guys. Privacy, secure migrations. >> Very much so. So what we believe very strongly in is that security's personal, security is yours and my data. Privacy is what the data collector is responsible for. (John laughs) So the enterprise better be making sure that they've complied with privacy regulations because they don't tell you how to protect the data. They just fine you. >> Well, you're not, you're technically long, six-year-old startup company. Six, seven years old. >> Yeah. >> Roughly. So yeah, startups can go on long like this, still startup, privately held, you're growing, got big records under management there, congratulations. What's next? >> I think scaling the business. We are seeing lots of applications for this particular solution. It's going beyond just regulated industries. Like I said, it's a differentiating factor now. >> Yeah >> So retail, and a lot of other IOT related industrial customers - >> Yeah. >> are also coming. >> Ameesh, talk about the show here. We're at re:inforce, actually we're live here on the ground, the show floor buzzing. What's your takeaway? What's the vibe this year? What if you had to share what your opinion the top story here at the show, what would be the two top things, or three things? >> I think it's two things. First of all, it feels like we are back. (both laugh) It's amazing to see people on the show floor. >> Yeah. >> People coming in and asking questions and getting to see the product. The second thing that I think is very gratifying is, people come in and say, "Oh, I've heard of you guys." So thanks to digital media, and digital marketing. >> They weren't baffled. They want baffled. >> Exactly. >> They use baffled. >> Looks like, our outreach has helped, >> Yeah. >> and has kept the continuity, which is a big deal. >> Yeah, and now you're a CUBE alumni, welcome to the fold. >> Thank you.
>> Appreciate you coming on. And we're looking forward to profiling you some day in our startup showcase, and certainly, we'll see you in the Palo Alto studios. Love to have you come in for a deeper dive. >> Sounds great. Looking forward to it. >> Congratulations on all your success, and thanks for coming on theCUBE, here at re:inforce. >> Thank you, John. >> Okay, we're here in, on the ground live coverage, Boston, Massachusetts for AWS re:inforce 22. I'm John Furrier, your host of theCUBE with Dave Vellante, who's in an analyst session, right? He'll be right back with us on the next interview, coming up shortly. Thanks for watching. (gentle music)
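The write-side proxy Ameesh describes above (encrypt sensitive fields with AES in counter mode as they are written, hand back either the clear value or a masked view on read, so the datastore and the application never see the key) as an added Go illustration; this is not Baffle's code, and the field names, the constructed test keys and the HMAC-SHA256 tag are assumptions, the tag being added because counter mode alone gives no integrity protection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Proxy sits between the application and the datastore; Sensitive fields never reach storage in clear.
type Proxy struct {
	block     cipher.Block    // AES block cipher; the key would be KMS-managed in practice
	macKey    []byte          // separate key for the integrity tag
	Sensitive map[string]bool // names of the fields to protect
}

// NewProxy takes a 16, 24 or 32-byte AES key and an HMAC key of any length.
func NewProxy(encKey, macKey []byte, sensitive map[string]bool) (*Proxy, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return &Proxy{block: block, macKey: macKey, Sensitive: sensitive}, nil
}

// encryptField: AES counter mode (as in the interview) plus an HMAC-SHA256 tag, because CTR alone
// gives no integrity (a flipped ciphertext bit flips the plaintext bit). Output: base64(nonce||ct||tag).
func (p *Proxy) encryptField(plain string) (string, error) {
	nonce := make([]byte, aes.BlockSize) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(p.block, nonce).XORKeyStream(ct, []byte(plain))
	body := append(nonce, ct...)
	mac := hmac.New(sha256.New, p.macKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(mac.Sum(body)), nil
}

// decryptField verifies the tag before touching the ciphertext.
func (p *Proxy) decryptField(stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < aes.BlockSize+sha256.Size {
		return "", errors.New("stored value too short")
	}
	body, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, p.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("integrity check failed: value altered in storage")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(p.block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return string(pt), nil
}

func Mask(plain string) string { // keep only the last four characters, the usual masked view
	if keep := len(plain) - 4; keep > 0 {
		return strings.Repeat("*", keep) + plain[keep:]
	}
	return strings.Repeat("*", len(plain))
}

func (p *Proxy) mapSensitive(rec map[string]string, fn func(string) (string, error)) (map[string]string, error) {
	out := map[string]string{}
	for k, v := range rec {
		if p.Sensitive[k] { // protected field: transform; anything else passes through
			var err error
			if v, err = fn(v); err != nil {
				return nil, err
			}
		}
		out[k] = v
	}
	return out, nil
}

// Write is the application-facing write path: the datastore receives ciphertext.
func (p *Proxy) Write(rec map[string]string) (map[string]string, error) { return p.mapSensitive(rec, p.encryptField) }

// Read returns the raw value or only a masked view, decided per caller at the proxy.
func (p *Proxy) Read(stored map[string]string, masked bool) (map[string]string, error) {
	return p.mapSensitive(stored, func(v string) (string, error) {
		pt, err := p.decryptField(v)
		if masked && err == nil {
			pt = Mask(pt)
		}
		return pt, err
	})
}
```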

Published Date : Jul 26 2022


Denise Hayman, Sonrai Security | AWS re:Inforce 2022


 

(bright music) >> Welcome back everyone to the live Cube coverage here in Boston, Massachusetts for AWS re:Inforce 22, with a great guest here, Denise Hayman, CRO, Chief Revenue of Sonrai Security. Sonrai's a featured partner of Season Two, Episode Four of the upcoming AWS Startup Showcase, coming in late August, early September. Security themed startup focused event, check it out. awsstartups.com is the site. We're on Season Two. A lot of great startups, go check them out. Sonrai's in there, now for the second time. Denise, it's great to see you. Thanks for coming on. >> Ah, thanks for having me. >> So you've been around the industry for a while. You've seen the waves of innovation. We heard encrypt everything today on the keynote. We heard a lot of cloud native. They didn't say shift left but they said don't bolt on security after the fact, be in the CI/CD pipeline or the DevStream. All that's kind of top of line, Amazon's talking cloud native all the time. This is kind of what you guys are in the middle of. I've covered your company, you've been on theCUBE before. Your, not you, but your teammates have. You guys have a unique value proposition. Take a minute to explain for the folks that don't know, we'll dig into it, but what you guys are doing. Why you're winning. What's the value proposition. >> Yeah, absolutely. So, Sonrai is, I mean what we do is it's, we're a total cloud solution, right. Obviously, right, this is what everybody says. But what we're dealing with is really, our superpower has to do with the data and identity pieces within that framework. And we're tying together all the relationships across the cloud, right. And this is a unique thing because customers are really talking to us about being able to protect their sensitive data, protect their identities. And not just people identities but the non-people identity piece is the hardest thing for them to reign in. >> Yeah. >> So, that's really what we specialize in. 
>> And you guys doing good, and some good reports on good sales, and good meetings happening here. Here at the show, the big theme to me, and again, listening to the keynotes, you hear, you can see what's, wasn't talk about. >> Mm-hmm. >> Ransomware wasn't talked about much. They didn't talk about air-gapped. They mentioned ransomware I think once. You know normal stuff, teamwork, encryption everywhere. But identity was sprinkled in everywhere. >> Mm-hmm. >> And I think one of the, my favorite quotes was, I wrote it down, We've security in the development cycle CSD, they didn't say shift left. Don't bolt on any of that. Now, that's not new information. We know that don't bolt, >> Right. >> has been around for a while. He said, lessons learned, this is Stephen Schmidt, who's the CSO, top dog on security, who has access to what and why over permissive environments creates chaos. >> Absolutely. >> This is what you guys reign in. >> It is. >> Explain, explain that. >> Yeah, I mean, we just did a survey actually with AWS and Forrester around what are all the issues in this area that, that customers are concerned about and, and clouds in particular. One of the things that came out of it is like 95% of clouds are, what's called over privileged. Which means that there's access running amok, right. I mean, it, it is, is a crazy thing. And if you think about the, the whole value proposition of security it's to protect sensitive data, right. So if, if it's permissive out there and then sensitive data isn't being protected, I mean that, that's where we really reign it in. >> You know, it's interesting. I zoom out, I just put my historian hat on going back to the early days of my career in late eighties, early nineties. There's always, when you have these inflection points, there's always these problems that are actually opportunities. And DevOps, infrastructure as code was all about APS, all about the developer. 
And now open source is booming, open source is the software industry. Open source is it in the world. >> Right. >> That's now the software industry. Cloud scale has hit and now you have the Devs completely in charge. Now, what suffers now is the Ops and the Sec, Second Ops. Now Ops, DevOps. Now, DevSecOps is where all the action is. >> Yep. >> So the, the, the next thing to do is build an abstraction layer. That's what everyone's trying to do, build tools and platforms. And so that's where the action is here. This is kind of where the innovation's happening because the networks aren't the, aren't in charge anymore either. So, you now have this new migration up to higher level services and opportunities to take the complexity away. >> Mm-hmm. >> Because what's happened is customers are getting complexity. >> That's right. >> They're getting it shoved in their face, 'cause they want to do good with DevOps, scale up. But by default their success is also their challenge. >> Right. >> 'Cause of complexity. >> That's exactly right. >> This is, you agree with that. >> I do totally agree with that. >> If you, you believe that, then what's next. What happens next? >> You know, what I hear from customers has to do with two specific areas is they're really trying to understand control frameworks, right. And be able to take these scenarios and build them into something that they, where they can understand where the gaps are, right. And then on top of that building in automation. So, the automation is a, is a theme that we're hearing from everybody. Like how, how do they take and do things like, you know it's what we've been hearing for years, right. How do we automatically remediate? How do we automatically prioritize? How do we, how do we build that in so that they're not having to hire people alongside that, but can use software for that. >> The automation has become key. You got to find it first. >> Yes. >> You guys are also part of the DevCycle too. >> Yep. 
>> Explain that piece. So, I'm a developer, I'm an organization. You guys are on the front end. You're not bolt-on, right? >> We can do either. We prefer it when customers are willing to use us, right. At the very front end, right. Because anything that's built in the beginning doesn't have the extra cycles that you have to go through after the fact, right. So, if you can build security right in from the beginning and have the ownership where it needs to be, then you're not having to, to deal with it afterwards. >> Okay, so how do you guys, I'm putting my customer hat on for a second. A little hard, hard question, hard problem. I got Active Directory on Azure. I got IAM over here with AWS. I wanted them to look the same. Now, my on-premises, >> Ah. >> has been booming, now I got cloud operations, >> Right. >> So, DevOps has moved to my premise and edge. So, what do I do? Do I throw everything out, do a redo. How do you, how do you guys talk about, talk to customers that have that chance, 'cause a lot of them are old school. >> Right. >> ID. >> And, and I think there's a, I mean there's an important distinction here which is there's the Active Directory identities right, that customers are used to. But then there's this whole other area of non-people identities, which is compute power and privileges and everything that gets going when you get you know, machines working together. And we're finding that it's about five-to-one in terms of how many identities are non-human identities versus human identity. >> Wow. >> So, so you actually have to look at, >> So, programmable access, basically. >> Yeah. Yes, absolutely. Right. >> Wow. >> And privileges and roles that are, you know accessed via different ways, right. Because that's how it's assigned, right. And people aren't really paying that close attention to it. So, from that scenario, like the AD thing of, of course that's important, right.
To be able to take that and lift it into your cloud, but it's actually even bigger to look at the bigger picture with the non-human identities, right.
>> What about the CISOs out there that you talk to. You're in the front lines,
>> Yep.
>> talking to customers and you see what's coming on the roadmap.
>> Yep.
>> So, you kind of get the best of both worlds. See what's coming out of engineering. What's the biggest problem CISOs are facing now? Is it the sprawl of the problems, the hacker space? Is it not enough talent? What, I mean, I see the fear, what are they facing? How do you see that, and then what's your conversations like?
>> Yeah. I mean the answer to that is unfortunately yes, right. They're dealing with all of those things. And here we are at the intersection of, you know, this huge complex thing around cloud that's happening. There's already a gap in terms of resources, never mind skills that are different skills than they used to have. So, I hear that a lot. The bigger thing I think I hear is they're trying to take the most advantage out of their current team. So, they're again worried about how to operationalize things. So, if we bring this on, is it going to mean more headcount. Is it going to be, you know, things that we have to invest in differently. And I was actually just with a CISO this morning, and the whole team was talking about the fact that bringing us on means they can do it with less resource.
>> Mm-hmm.
>> Like this is a resource help for them in this particular area. So, that was their value proposition for us, which I loved.
>> Let's talk about Adrian Cockcroft who retired from AWS. He was at Netflix before. He was a big DevOps guy. He talks about how agility's been great because from a sales perspective the old model was, he called it the big Indian wedding.
You had to get everyone together, do a POC, you know, long sales cycles for big tech investments, proprietary. Now, open source is like speed dating. You can know what's good quickly and try things quicker. How is that impacting your sales motions. Your customer engagements. Are they fast? Are they test-tried before they buy? What's the engagement model that you see happening that the customers like the best.
>> Yeah, hey, you know, because of the fact that we're kind of dealing with this serious part of the problem, right. With the identities and dealing with data aspects of it, it's not as fast as I would like it to be, right.
>> Yeah, it's pretty important, actually.
>> They still need to get in and understand it. And then it's different if you're an AWS environment versus other environments, right. We have to normalize all of that and bring it together. And it's such a new space,
>> Yeah.
>> that they all want to see it first.
>> Yeah.
>> Right, so.
>> And the consequences are pretty big.
>> They're huge.
>> Yeah.
>> Right, so the, I mean, the scenario here is we're still doing, in some cases we'll do workshops instead of a POV or a POC. 90% of the time though we're still doing a POV.
>> Yeah, you got to.
>> Right. So, they can see what it is.
>> They got to get their hands on it.
>> Yep.
>> This is one of those things they got to see in action. What is the best-of-breed? If you had to say best-of-breed in identity looks like blank. How would you describe that from a customer's perspective? What do they need the most? Is it robustness? What's some of the things that you guys see as differentiators for having a best-of-breed solution like you guys have.
>> A best-of-breed solution. I mean, for us,
>> Or a relevant solution for that matter, for the solution.
>> Yeah. I mean, for us, this, again, this identity issue, for us, it's depth and it's continuous monitoring, right.
Because the issue in the cloud is that there are new privileges that come out every single day, like to the tune of like 35,000 a year. So, even if at this exact moment it's fine, it's not going to be in another moment, right. So, having that continuous monitoring in there, and it solves this issue that we hear from a lot of customers also around lateral movement, right. Because like a piece of compute can be on and off,
>> Yeah, yeah, yeah.
>> within a few seconds, right. So, you can't use any of the old traditional things anymore. So to me, it's the continuous monitoring I think that's important.
>> I think that, and the lateral movement piece,
>> Yep.
>> that you guys have is what I hear the most of the biggest fears.
>> Mm-hmm.
>> Someone gets in here and can move around,
>> That's right.
>> and that's dangerous.
>> Mm-hmm. And no traditional tools will see it.
>> Yeah. Yeah.
>> Right. There's nothing in there unless you're instrumented down to that level,
>> Yeah.
>> which is what we do. You're not going to see it.
>> I mean, when someone has a firewall, a perimeter based system, yeah, I'm in the castle, I'm moving around, but that's not the case here. This is built for full observability,
>> That's right.
>> Yet there's so many vulnerabilities.
>> It's all open. Mm-hmm, yeah. And our view too, is, I mean you bring up vulnerabilities, right. It is, you know, a little bit of the darling, right. People start there.
>> Yep.
>> And our belief and our view is that, okay, that's nice. But, and you do have to do that. You have to be able to see everything, right,
>> Yep.
>> to be able to operationalize it. But if you're not dealing with the sensitive data pieces, right, and the identities and stuff that's at the core of what you're trying to do
>> Yeah.
>> then you're not going to solve the problem.
>> Yeah. Denise, I want to ask you. Because you make what was it, five-to-one was the machine to humans.
I think that actually might be low, on the low end. If you could imagine. If you believe that's true.
>> Yep.
>> I believe that's true by the way. If microservices continues to be the wave.
>> Oh, it'll just get bigger.
>> Which it will. It's going to be much bigger.
>> Yeah.
>> Turning on and off, so, the lateral movement opportunities are going to be greater.
>> Yep.
>> That's going to be a bigger factor. Okay, so how do I protect myself. Now, 'cause developer productivity is also important.
>> Mm-hmm.
>> 'Cause, I've heard horror stories like,
>> Yep.
>> Yeah, my Devs are cranking away. Uh-oh, something's out there. We don't know about it. Everyone has to stop, have a meeting. They get pulled off their task. It's kind of not agile.
>> Right. Right.
>> I mean,
>> Yeah. And, in that vein, right. We have built the product around what we call swim lanes. So, the whole idea is we're prioritizing based on actual impact and context. So, if it's a sandbox, it probably doesn't matter as much as if it's like operational code that's out there where customers are accessing it, right. Or it's accessing sensitive data. So, we look at it from a swim lane perspective. When we try to get whoever needs to solve it back to the person that is responsible for it. So we can set it up that way.
>> Yeah. I think that's key insight into operationalizing this.
>> Yep.
>> And remediation is key.
>> Yes.
>> How much, how important is the timing of that. When you talk to your customer, I mean, timing is obviously going to be longer, but like seeing it's one thing, knowing what to do is another.
>> Yep.
>> Do you guys provide that? Is that some of the insights you guys provide?
>> We do, it's almost like, you know, us. And again, there's context that's involved there, right?
>> Yeah.
>> So, some remediation from a priority perspective doesn't have to be immediate. And some of it is hair on fire, right. So, we provide actually,
>> Yeah.
>> a recommendation per each of those situations. And in some cases we can auto remediate, right.
>> Yeah.
>> It depends on what the customer's comfortable with, right. But, when I talk to customers about what is their favorite part of what we do, it is the auto remediation.
>> You know, one of the things on the keynotes, not to go off tangent, one second here but, Kurt who runs platforms at AWS,
>> Mm-hmm.
>> went on his little baby project that he loves was this automated, automatic reasoning feature.
>> Mm-hmm.
>> Which essentially is advanced machine learning.
>> Right.
>> That can connect the dots.
>> Yep.
>> Not just predict stuff but like actually say this doesn't belong here.
>> Right.
>> That's advanced computer science. That's heavy duty coolness.
>> Mm-hmm.
>> So, operationalizing that way, the way you're saying it, I'm imagining there's some future stuff coming around the corner. Can you share how you guys are working with AWS specifically? Is it with Amazon? You guys have your own secret sauce for the folks watching. 'Cause this remediation should, it only gets harder. You have to be smarter on your end,
>> Yep.
>> with your engineers. What's coming next.
>> Oh gosh, I don't know how much of what's coming next I can share with you, except for tighter and tighter integrations with AWS, right. I've been at three meetings already today where we're talking about different AWS services and how we can be more tightly integrated and what things we want out of their APIs to be able to further enhance what we can offer to our customers. So, there's a lot of those discussions happening right now.
>> What are some of those conversations like? Without revealing.
>> I mean, they have to do with,
>> Maybe confidential privilege.
>> privileged information. I don't mean like privileged information.
>> Yep.
>> I mean like privileges, right,
>> Right.
>> that are out there.
>> Like what you can access, and what you can't.
>> What you can, yes. And who and what can access it and what can't. And passing that information on to us, right. To be able to further remediate it for an AWS customer. That's one. You know, things like other AWS services like CloudTrail and, you know, some of the other scenarios that they're talking about. Like we're getting deeper and deeper and deeper with the AWS services.
>> Yeah, it's almost as if Amazon over the past two years in particular has been really tightly integrating as a strategy to enable their partners like you guys
>> Mm-hmm.
>> to be successful. Not trying to land grab. Is that true? Do you get that vibe?
>> I definitely get that vibe, right. Yesterday, we spent all day in a partnership meeting where they were, you know, talking about rolling out new services. I mean, they are in it to win it with their ecosystem. Not just themselves.
>> All right, Denise, it's great to have you on theCUBE here as part of re:Inforce. I'll give you the last minute or so to give a plug for the company. You guys hiring? What are you guys looking for? Potential customers that are watching? Why should they buy you? Why are you winning? Give the pitch.
>> Yeah, absolutely. So, yes we are hiring. We're always hiring. I think, right, in this startup world. We're growing and we're looking for talent, probably in every area right now. I know I'm looking for talent on the sales side. And again, I think the important thing about us is the fullness of our solution, but the superpower that we have, like I said before, around the identity and the data pieces, and this is becoming more and more the reality for customers, that they're understanding that that is the most important thing to do. And I mean, if they're that, Gartner says it, Forrester says it, like we are one of the best choices for that.
>> Yeah. And you guys have been doing good. We've been following you. Thanks for coming on.
>> Thank you.
>> And congratulations on your success. And we'll see you at the AWS Startup Showcase in late August. Check out Sonrai Systems at the AWS Startup Showcase in late August. Here at theCUBE live in Boston getting all the coverage. From the keynotes, to the experts, to the ecosystem, here on theCUBE, I'm John Furrier, your host. Thanks for watching. (bright music)

Published Date : Jul 26 2022


Shreyans Mehta, Cequence Security | AWS re:Inforce 2022


 

(gentle upbeat music)
>> Okay, welcome back everyone to theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce 22. I'm John Furrier, your host, with Dave Vellante, co-host of theCUBE, and Shreyans Mehta, CTO and founder of Cequence Security. CUBE alumni, great to see you. Thanks for coming on theCUBE.
>> Yeah. Thanks for having me here.
>> So when we chatted you were part of the startup showcase. You guys are doing great. Congratulations on your business success. I mean, you guys got a good product in a hot market.
>> Yeah.
>> You're here, before we get into it, I want to get your perspective on the keynote and the talk tracks here and the show. But for the folks that don't know you guys, explain what you guys, take a minute to explain what you guys do and key product.
>> Yeah, so we are the unified API protection place, but I mean a lot of people don't know what unified API protection is, but before I get into that, just talking about Cequence, we've been around since 2014. But we are protecting close to 6 billion API transactions every day. We are protecting close to 2 billion customer accounts, more than 2 trillion dollars in customer assets and a hundred million plus sort of data points that we look at across customer base. That's who we are.
>> I mean, of course we all know APIs is the basis of cloud computing and you got successful companies like Stripe, for instance, you know, you put API and you got a financial gateway, billions of transactions. What's the learnings. And now we're in a mode now where single point of failure is a problem. You got more automation, you got more reasoning coming, a lot more computer science, next gen ML, AI there too. More connections, no perimeter. Right? More and more use cases, more in the cloud.
>> Yeah. So what we are seeing today is, I mean from six years ago to now, when we started, right? Like the monolith apps are breaking down into microservices, right?
What that effectively means is every such microservice is talking APIs, right? So what used to be a few million web applications have now become billions of APIs that are communicating with each other. I mean, if you look at the, I mean, you spoke about IoT earlier, I call like a Tesla an application on four wheels that is communicating to its cloud over APIs. So everything is API yesterday. 80% of traffic on the internet is APIs.
>> Now that's data in transit right there. (laughing) Couldn't resist.
>> Yeah.
>> Fully encrypted too.
>> Yeah.
>> Yeah, well hopefully.
>> Maybe, maybe, maybe. (laughing) We dunno yet, but seriously everything is talking to an API.
>> Yeah.
>> Every application.
>> Yeah. And there is no single choke point, right? Like you spoke about it. Like everybody is hosting their application in the cloud environments of their choice, AWS being one of them. But it's not the only one. Right? Your APIs are hosted behind a CDN. Your APIs are hosted behind an API gateway, behind a load balancer, in ingress controllers. There is no single.
>> So what's the problem? What's the problem now that you're solving? Because one was probably, I can imagine, connecting people, connecting the APIs. Now you've got more operational data.
>> Yeah.
>> Potential security hacks? More surface area? What are you facing?
>> Well, I can speak about some of the well known sort of exploits that have been well published, right. Everybody gets exploited, but I mean some of the well knowns. Now, if you heard about Experian last year, there was a third party API that was exposing your credit scores without proper authentication. Like Facebook had a vulnerability sometime ago, where people could actually edit somebody else's videos online. Peloton again, a well known one. So like everybody is exposed, right. But that is the end result. All right?
But it all starts with people don't even know where their APIs are, and then you have to secure it all the way. So, I mean, ultimately APIs are prone to business logic attacks, fraud, and that's what you need to go ahead and protect.
>> So is that the first question is, okay, what APIs do I need to protect? I got to take an API portfolio inventory. Is that?
>> Yeah, so I think the starting point is where. Where are my APIs? Right, so we spoke about there's no single choke point. Right, so APIs could be in your cloud environment, APIs could be behind your CloudFront, like we have here at RE:INFORCE today. So APIs could be behind your AKS, ingress controllers, API gateways. And it's not limited to AWS alone, right. So, knowing the unknown is the number one problem.
>> So how do I find them? I asked Fred, Hey, where are our APIs? No, you must have some automated tooling to help me.
>> Yeah, so, Cequence provides an option without any integration, what we call it, the API Spyder. Whereas like we give you visibility into your entire API attack surface without any integration into any of these services. Where are your APIs? What's your API attack surface about? And then sort of more details around that as well. But that is the number one.
>> Is that agentless or is that an agent?
>> There's no agent. So that means you can just sign up on our portal and then fire it away. And within a few minutes to an hour, we'll give you complete visibility into where your API is.
>> So is it a full audit or is it more of a discovery?
>> Or both?
>> So, number one, it's discovery, but we are also uncovering some of the potential vulnerabilities through zero knowledge. Right? So. (laughing) So, we've seen a ton of Log4j exposed servers still. Like recently, there was an article that Log4j is going to be endemic. That is going to be here.
>> Long time.
>> (laughs) For a very long time.
>> Where's your mask on that one?
That's the Covid of security.
>> Yeah. Absolutely, absolutely. So, you need to know where your assets are, what are they exposing? So, that is the first step, effectively discovering your attack surface. Yeah.
>> I'm sure it's an efficiency issue too, with developers. Having the spider allows you to at least see what's connecting out there versus having a meeting and going through code reviews.
>> Yeah. Right? Is that another big part of it?
>> So, it is actually the last step, but you actually go through a journey. So, effectively, once you're discovering your assets, you actually need to catalog it. Right. So, I know where they're hosted, but what are developers actually rolling out? Right. So they are updating the API endpoints on a daily basis, if not hourly basis. They have the CI/CD pipelines.
>> It's DevOps. (laughing)
>> Welcome to DevOps. It's actually why we'll do it.
>> Yeah, and people have actually in the past created manual ways to catalog their APIs. And that doesn't really work in this new world.
>> Humans are terrible at manual catalogization.
>> Exactly. So, cataloging is really the next step for them.
>> So you have tools for that, that automate that using math, presumably.
>> Exactly. And then we can integrate with all these different choke points that we spoke about. There's no single choke point. So in any cloud or any on-prem environment where we actually integrate and give you that catalog of your APIs, that becomes your second step really.
>> Yeah.
>> Okay, so.
>> What's the third step? There's the third step and then compliance.
>> Compliance is the next one. So basically catalog
>> There's four steps.
>> Actually, six. So I'll go.
>> Discovery, catalog, then compliance.
>> Yeah. Compliance is the next one. So compliance is all about, okay, I've cataloged them, but what are they really exposing? Right. So there could be PII information. There could be credit card information, health information.
So, I will treat every API differently based on the information that they're actually exposing.
>> So that gives you a risk assessment essentially.
>> Exactly. So you can then start looking into, okay, I might have a few thousand API endpoints, like, where do I prioritize? So based on the risk exposure associated with it, then I can start my journey of protecting so.
>> That's the remediation, that's fixing it.
>> Okay. Keep going. So that's, what's four.
>> Four. That was that one, fixing.
>> Yeah.
>> Four is the risk assessment?
>> So number four is detecting abuse.
>> Okay.
>> So now that I know my APIs and each API is exposing different business logic. So based on the business you are in, you might have login endpoints, you might have new account creation endpoint. You might have things around shopping, right? So pricing information, all exposed through APIs. So every business has a business logic that they end up exposing. And then the bad guys are abusing them. In terms of scraping pricing information, it could be competitors scraping pricing. They will, we are doing account take. So detecting abuse is the first step, right? The fifth one is about preventing that, because just getting visibility into abuse is not enough. I should be able to detect and prevent, natively on the platform. Because if you send signals to third party platforms like your labs, it's already too late and it's too coarse-grained to be able to act on it. And the last step is around what you actually spoke about, developers, right? Like, can I shift security towards the left, but it's not about shifting left. Just about shifting left. You obviously want to bring in security to your CI/CD pipelines, to your developers, so that you have a full spectrum of API security.
>> Sure enough. Dave and I were talking earlier about like how cloud operations needs to look the same.
>> Yeah.
>> On cloud, premise and edge.
>> Yes. Absolutely.
>> Edge is a wild card.
Cause it's growing really fast. It's changing. How do you do that? Cuz these APIs will be everywhere.
>> Yeah.
>> How are you guys going to rein that in? What's the customer's journey with you as they need to architect, not just deploy, but how do you engage with the customer who says, "I have my environment. I'm not going to be to have somebody on premise and edge. I'll use some other clouds too. But I got to have an operating environment."
>> Yeah. "That's pure cloud."
>> So, we need, like you said, right, we live in a heterogeneous environment, right? Like effectively you have different, you have your edge in your CDN, your API gateways. So you need a unified view because every gateway will have a different protection place and you can't deal with 5 or 15 different tools across your various different environments. So, what we provide is a unified view, number one, and the unified way to protect those applications. So think of it like you have a data plane that is sprinkled around wherever your edges and gateways and ingress controllers are, and you have a central brain to actually manage it, in one place in a unified way.
>> I have a computer science or computer architecture question for you guys. So Stephen Schmidt again said single controls or binary states will fail. Obviously he's talking from a security standpoint, but I remember the days where you wanted a single point of control for recovery, you talked about microservices. So what's the philosophy today from a recovery standpoint, not necessarily security, but recovery, like something goes wrong?
>> Yeah.
>> If I don't have a single point of control, how do I ensure consistency? So do I recover at the microservice level? What's the philosophy today?
>> Yeah. So the philosophy really is, and it's very much driven by your developers and how you want to roll out applications. So number one is applications will be more rapidly developed and rolled out than in the past.
What that means is you have to empower your developers to use any cloud and serverless environments of their choice, and it will be distributed. So there's not going to be a single choke point. What you want is an ability to integrate into that life cycle and centrally manage that. So there's not going to be a single choke point, but there is going to be a single control plane to manage them off, right.
>> Okay.
>> So you want that unified visibility and protection in place to be able to protect these.
>> So there's your single point of control? What about the company? You're in series C, you've raised, I think, over a hundred million dollars, right? So where are you at? Are you scaling now? Are you hiring sales people or you still trying to sort of be careful about that? Can you help us understand where you're at?
>> Yeah. So we are absolutely scaling. So, we've built a product that is deployed already in all these different verticals, ranging from finance, to retail, to social, to telecom. Anybody who has exposure to the outside world, right. So a product that can scale up to those demands, right? I mean, it's not easy to scale up to 6 billion requests a day. So we've built a solid platform. We've rolled out new products to complete the vision. In terms of the API Spyder, I spoke about earlier.
>> The unified,
>> The unified API protection covers three aspects or all aspects of API life cycle. We are scaling our teams from go to market motion. We brought in recently our chief marketing officer, our chief revenue officer as well.
>> So putting all the new pieces in place.
>> Yeah.
>> So you guys are like API observability on steroids. In a way, right?
>> Yeah, absolutely.
>> Cause you're doing the observability.
>> Yes.
>> You're getting the data analysis for risk. You're having opportunities and recommendations around how to manage the stealthy attacks.
>> From a full protection perspective.
>> You're the API store.
>> Yeah.
>> So you guys are what we call best of breed. This is a trend we're seeing, pick something that you're best in breed in.
>> Absolutely.
>> And nail it. So you're not like an observability platform for everything.
>> No.
>> You guys pick the focus.
>> Specifically, APIs. And so basically you can have your existing tools in place. You will have your CDN, you will have your graphs in place. So, but for API protection, you need something specialized and that stuff.
>> Explain why I can't just rely on CDN infrastructure for this.
>> So, CDNs are good for content delivery. They do your basic TLS, and things like that. But APIs are all about your applications and business that you're exposing.
>> Okay, so you,
>> You have no context around that.
>> So, yeah, cause this is a super cloud vision that we're seeing of structural change in the industry, a new thing that's happening in real time. Companies like yours are keeping a focus and nailing it. And now the customers can assemble these services and company.
>> Yeah.
>> Capabilities, that's happening. And it's happening like right now, structural change has happened. That's called the cloud.
>> Yes.
>> Cloud scale. Now this new change, best of breed, what are the gaps? Because I'm a customer. I got you for APIs, done. You take the complexity away at scale. I trust you. Where are the other gaps in my architecture? What's new? Cause I want to run cloud operations across all environments and across clouds when appropriate.
>> Yeah.
>> So I need to have a full op, where are the other gaps? Where are the other best of breed components that need to be developed?
>> So it's about layered, the layers that you built. Right? So, what's the thing is you're bringing in different cloud environments. That is your infrastructure, right? You either rely on the cloud provider for your security around that, for roll outs and operations. Right?
So then is going to be the next layer, which is about, is it serverless? Is it Kubernetes? What about it? So you'll think about like a service mesh type environment. Ultimately it's all about applications, right? That's, then you're going to roll out those applications. And that's where we actually come in. Wherever you're rolling out your applications, we come in baked into that environment, giving you that visibility and control, protection around that.
>> Wow, great. First of all, APIs is what cloud is based on. So can't go wrong there. It's not a headwind for you guys.
>> Absolutely.
>> Great. Give a quick plug for the company. What are you guys looking to do, hire? Get customers, who's, when, what, what's the pitch?
>> So like I started earlier, Cequence is around unified API protection, protecting around the full life cycle of your APIs, ranging from discovery all the way to testing. So, helping you throughout the life cycle of APIs, wherever those APIs are, in any cloud environment. On-prem or in the cloud, in your serverless environments. That's what Cequence is about.
>> And you're doing billions of transactions.
>> We're doing 6 billion requests every day. (laughing)
>> Which is uh, which is,
>> A lot.
>> Unheard of for a lot of companies here on the floor today.
>> Sure is. Thanks for coming on theCUBE, sure appreciate it.
>> Yeah.
>> Good, congratulations to your success.
>> Thank you.
>> Cequence Security here on theCUBE at RE:INFORCE. I'm chatting with Dave Vellante, more coverage after this short break. (upbeat, gentle music)

Published Date : Jul 26 2022



Phillip Bues & Jay Bretzmann, IDC | AWS re:Inforce 2022


 

>>Okay, welcome back everyone. theCUBE's coverage here in Boston, Massachusetts, AWS re:Inforce '22, the security conference. It's AWS's big security conference. Of course, theCUBE's here, all the re:Invents, re:MARS, re:Inforce. We cover 'em all now and the summits. I'm John Furrier, my host, Dave Vellante, have IDC weighing in here with their analysis. We've got some great guests here, Jay Bretzmann, research VP at IDC and Philip Bues, research manager for cloud security. Gentlemen, thanks for coming on. Thank you. Appreciate it. Great

>>To, to be here. I appreciate the got the full

>>Circle, right? Just, security's more interesting

>>Than storage. Isn't it?

>>Dave, Dave and Jay worked together. This is a, a great segment. I'm psyched that you guys are here. We had Crawford and Matt Eastwood on at HPE Discover a while back and really the, the, the data you guys are getting and the insights are fantastic. So congratulations to IDC. You guys doing great work. We appreciate your time. I wanna get your reaction to the event and the keynotes. AWS has got some posture and they're very aggressive on some tones. Some things that they didn't, we didn't hear. What's your reaction to the keynote, share your, your assessment.

>>So, you know, I managed two different research services at IDC right now. They are both cloud security and identity and, and digital security. Right. And what was really interesting is the intersection between the two this morning, because every one of those speakers that came on had something to say about identity or least privileged access, or, you know, enable MFA, or make sure that you, you know, control who gets access to what and deny explicitly. Right? And it's always been a challenge a little bit in the identity world because a lot of people don't use MFA. And in RSA, that was another big theme at the RSA conference, right? MFA everywhere. Why don't they use it because it introduces friction and all of a sudden people can't get their jobs done. Right.
And the whole point of a network is letting people on to get that data they want to get to. So that was kind of interesting, but, you know, as we have in the industry, this shared responsibility model for cloud computing, we've got shared responsibility for between Philip and I, I have done in the past more security of the cloud and Philip is more security in the cloud,

>>So yeah. And it's, and now with cloud operation, super cloud, as we call it, you have on premises, private cloud coming back, or hasn't really gone anywhere, all that on premises, cloud operations, public cloud, and now edge exploding with new requirements. Yeah. It's really an ops challenge right now. Not so much dev. So the SecOps side is hot right now.

>>Yeah. Well, we've made this move from monolithic to microservices based applications. And so during the keynote this morning, the announcement around the GuardDuty Malware Protection component, and that being built into the pricing of current GuardDuty, I thought was, was really key. And there was also a lot of talk about partnering in security certifications. Yeah. Which is also so very important. So we're seeing this move towards filling in that talent gap, which I think we're all aware of in the security industry.

>>So Jay, square the circle for me. So Kirk, Coel talked about Amazon AWS identity, where does AWS leave off and, and companies like Okta or Ping Identity or crock pickup, how are they working together? Does it just create more confusion and more tools for customers? We, we have, we know the over word overused word of seamless. Yeah. Yeah. It's never seamless. So how should we think about that?

>>So, you know, identity has been around for 35 years or something like that started with the mainframes and all that. And if you understand the history of it, you make more sense to the current market. You have to know where people came from and the baggage they're carrying, cuz they're still carrying a lot of that baggage.
Now, when it comes to the cloud service providers, they're more an accommodation from the identity standpoint, let's make it easy inside of AWS to let you single sign on to anything in the cloud that they have. Right. Let's also introduce an additional MFA capability to keep people safer whenever we can and, you know, provide people the tools to, to get into those applications somewhat easily, right. While leveraging identities that may live somewhere else. So, you know, there's a whole lot of the world that is still Active Directory centric, right? There's another portion of companies that were born in the cloud that were able to jump on things like Okta and some of the other providers of these universal identities in the cloud. So, you know, like I said, you, if you understand where people came from in the beginning, you start to, to say, yeah, this makes sense.

>>It's, it's interesting. You talk about mainframe. I, I always think about RACF you know, and I say, okay, who did what, when, where, yeah. And you hear about a lot of those themes. What, so what's the best practice for MFA? That's, that's non SMS based. Is it, you gotta wear something around your neck, is it to have sort of a third party authenticator? What are people doing that is that, that, that you guys would recommend?

>>Yeah. One quick comment about adoption of MFA. You know, if you ask different suppliers, what percent of your base that does SSO also does MFA one of the biggest suppliers out there Microsoft will tell you it's under 25%. That's pretty shocking. Right? All the messaging that's come out about it. So another big player in the market was called Duo. Cisco bought them. Yep. Right. And because they provide networks, a lot of people buy their MFA. They have probably the most prevalent type of MFA it's called push. Right. And push can be, you know, a red X and a green check mark to your phone. It can be a QR code, you know, somewhere, it can be an email push as well.
So that is the next easiest thing to adopt after SMS. And as you know, SMS has been denigrated by NIST and others saying, you know, it's susceptible to man-in-the-middle attacks.

>>It's built on a telephony protocol called SS7. Yep. You know, predates anything. There's no certification, either side. The other real dynamic and identity is the whole adoption of PKI infrastructure. As you know, certificates are used for all kinds of things, network sessions, data encryption, well identity increasingly, and a lot of the, you know, consumers and especially the work from anywhere, people these days have access through smart devices. Right. And what you can do there is you can have an agent on that smart device, generate your private key and then push out a public key. And so the private key never leaves your device. That's one of the most secure ways to, so if your

>>SIM card gets hacked, you're not gonna be as at vulnerable

>>Or as vulnerable. Well, the SIM card is another, you know, challenge associated with the, the older ways. But yeah. Yeah.

>>So what do you guys think about the open source connection and, and they, they mentioned it up top don't bolt on security implying shift left, which is embedding it in like Snyk companies, like Snyk do that, right. Container oriented, a lot of Kubernetes kind of cloud native services. So I wanna get your reaction to that. And then also this reasoning angle, they brought up kind of a higher level AI reasoning decisions. So open source and this notion of AI reasoning

>>Automation. Yeah. And, and you see more open source discussion happening, right. So you, you know, you have your building maintaining and vetting of the upstream open source code, which is critical. And so I think AWS talking about that today, they're certainly hitting on a nerve as, you know, open source continues to proliferate around the automated reasoning. I think that makes sense.
You know, you want to provide guardrails and you want to provide roadmaps and you wanna have sort of that guidance as to okay. What's the, you know, a correlation analysis of different tools and products. And so I think that's gonna go over really well.

>>Yeah. One of the other, you know, key points of what open source is, everybody's in a multi-cloud world, right? Yeah. And so they're worried about vendor lock-in, they want an open source code base so that they don't experience that.

>>Yeah. And they can move the code around and make sure it works well on each system. Dave and I were just talking about some of the dynamics around data control planes. So yeah. They mentioned encrypt everything, which is great. And I message, by the way, I love that one, but oh. And he mentioned data at rest. I'm like, what about data in flight? Didn't hear that one. So one of the things we're seeing with super cloud, and now multi-cloud kind of, as destinations of that, is that in digital transformation, customers are leaning into owning their data flows.

>>Yeah.

>>Independent of say the control plane aspects of what could come in. This is huge implications for security, where sharing data is huge. Even Steve Schmidt said we have billions and billions of things happening that we see things that no one else sees. So that implies, they're

>>Sharing quadrillion,

>>Trillion, 15 zeros trillion. Yeah. 15

>>Zeros, 15 zeros. Yeah.

>>So that implies, they're sharing that or using that, pushing that into something. So sharing's huge with cyber security. So that implies open data, data flows. What do, how do you guys see this evolving? I know it's kind of emerging, but it's becoming a, a nuanced point that's critical to the architecture.
>>Well, I, yeah, I think another way to look at that is the sharing of intelligence and some of the recent directives, you know, from the executive branch, making it easier for private companies to share data and intelligence, which I think strengthens the cyber community overall,

>>Depending upon the supplier. Right? Yeah. It's either an aggregate level of intelligence that has been, you know, anonymized or it's specific intelligence for your environment that, you know, everybody's got a threat feed, maybe two or three, right. Yeah. But back to the encryption point, I mean, I was working for an encryption startup for a little while. Right after I left IBM. And the thing is that people are scared of it. Right. They're scared of key management and rotation. And so when you provide,

>>Because they might lose the key.

>>Exactly. Yeah. It's like shooting yourself in the foot. Right. So that's when you have things like, you know, KMS services from Amazon and stuff, they really help out a lot and help people understand, okay, I'm not alone in this.

>>Yeah. Crypto

>>Owners, they call that hybrid, the hybrid key, they call the, what they call the, today. They call it the hybrid.

>>What was that? The management service. Yeah. The hybrid. So hybrid HSM, correct.

>>Yeah. What is that? What is that? I didn't, I didn't get that. I didn't understand what he meant by the hybrid post hybrid, post quantum key agreement. Right. That still notes

>>Hybrid, post quantum key exchange,

>>You know, AWS never made a product name that didn't have four words in it,

>>But he did, but he did reference the, the new NIST algos. And I think I inferred that they were quantum proof or they claim it to be. Yeah. And AWS was testing those. Correct.

>>Yeah.

>>So that was kind of interesting, but I wanna come back to identity for a second. Okay. So, so this idea of bringing traditional IAM and, and privilege access management together, is that a pipe dream, is that something that is actually gonna happen?
What's the timeframe, what's your take on that?

>>So, you know, there are aspects of privilege in every sort of identity back when, you know, it was only the back office that used computers for calculations, right? Then you were able to control how many people had access. There were two types of users, admins, and users, right? These days, everybody has some aspect of,

>>It's a real spectrum, really

>>Granular. You got the, you know, the C suite, the finance people, the DevOps, people, you know, even partners and whatever, they all need some sort of privileged access. And the, the term you hear so much is least privileged access. Right? Shut it down, control it. So, you know, in some of my research, I've been saying that vendors who are in the PAM space privilege access management space will probably be growing their suites, playing a bigger role, building out a stack because they have, you know, the, the expertise and the, and the perspective that says we should control this better. How do we do that? Right. And we've been seeing that recently,

>>Is that a combination of old kind of antiquated systems meets for proprietary hyperscale or kind of like build your own? Cause I mean, Amazon, these guys, they Facebook, they all build their own stuff.

>>Yes. They

>>Do enterprises buy services from general purpose identity management systems.

>>So as we were talking about, you know, knowing the past and whatever privileged access management used to be about compliance reporting. Yeah. Right. Just making sure that I knew who accessed what and could prove it. So I didn't fail an audit. It wasn't

>>A critical infrastructure item.

>>No. And now these days, what it's transitioning into is much more risk management. Okay. I know what our risk is. I'm ahead of it. And the other thing in the PAM space was really session monitor. Right. Everybody wanted to watch every keystroke, every screen's scrape, all that kind of stuff.
A lot of the new privilege access management doesn't really require that it's nice to have feature. You kind of need it on the list, but is anybody really gonna implement it? That's the question. Right. And then, you know, if, if you do all that session monitor, does anybody ever go back and look at it? There's only so many hours in the day.

>>How about passwordless access? You know? Right. I've heard people talk about that. Yeah. I mean, that's as a user, I can't wait, but

>>It's somewhere we want to all go. Yeah. Right. We all want identity security to just disappear and be recognized when we log in. So the, the thing with passwordless is there's always a password somewhere and it's usually part of a registration, you know, action. I'm gonna register my device with a username password. And then beyond that, I can use my biometrics. Right. I wanna register my device and get a private key that I can put in my enclave. And I'll use that in the future. Maybe it's gotta Touch ID. Maybe it doesn't. Right. So even though there's been a lot of progress made, it's not quote unquote, truly passwordless, there's a group industry standards group called FIDO. Right. Which is fast identity online. And what they realized was these whole registration passwords. That's really a single point of failure. Cuz if I can't recover my device, I'm in trouble. Yeah. So they just did a, a new extension to sort of what they were doing, which provides you with much more of a, like an iCloud vault, right. That you can register that device in and other devices associated with that same iPad that you can

>>Get you to it. If you

>>Have to. Exactly. I had

>>Another have all over the place here, but I, I want to ask about ransomware. It may not be your wheelhouse. Yeah. But back in the day, Jay, remember you used to cover tape. All the, all the backup guys now are talking about ransomware. AWS mentioned it today and they showed a bunch of best practices and things you can do air gaps.
Wasn't one, one of 'em. Right. I was really surprised cuz that's all, every anybody ever talks about is air gaps. And a lot of times that air gaps that air gap could be a guess to the cloud. I guess I'm not sure. What are you guys seeing on ransomware

>>Apps? You know, we've done a lot of great research around ransomware as a service and ransomware and, and you know, we just had some data come out recently that I think in terms of spending and, and spend and in as a result of the Ukraine-Russia war, that ransomware assessments rate number one. And so it's something that we encourage, you know, when we talk to vendors and in our services, in our publications that we write about taking advantage of those free strategic ransomware assessments, vulnerability assessments, right. As well, and then security and training ranked very highly as well. So we wanna make sure that all of these areas are being funded well to try and stay ahead of the curve.

>>Yeah. I was surprised that not the air gaps on the list, that's all everybody

>>Talks about. Well, you know, the, the old model for air gapping in the, the LAN days, the Novell days, you took your tapes home and put 'em in the sock drawer.

>>Well, it's a form of air gap security and no one's gonna go there

>>Clean. And then the internet came around

>>Guys. Final question. I want to ask you guys, we kind zoom out. Great, great commentary by the way. Appreciate it. As the, we've seen this in many markets, a collection of tools emerge and then there's it's tool sprawl. Oh yeah. Right? Yeah. So cyber we're seeing trend now where Mon goes up on stage of all the E probably other vendors doing the same thing where they're organizing a platform on top of AWS to be this super platform. If you super cloud ability by building more platform thing. So we're saying there's a platform war going on, cuz customers don't want the complexity. Yeah. I got a tool, but it's actually making it more complex if I buy the other tool.
So the tool sprawl becomes a problem. How do you guys see this? Do you guys see this platform emerging? I mean, tools won't go away, but they have to be

>>Easier. Yeah. We do see a, a consolidation of functionality and services. And we've been seeing that, I think through a 20, 20 flat security survey that we released, that that was definitely a trend. And you know, that certainly happened for many companies over the last six to 24 months, I would say. And then platformization absolutely is something we talk 'em right. About all the time. So

>>More M&A. A couple of years ago, I called the, the Amazon tool set an Erector Set. Yeah. Because it really required assembly. Yeah. And you see the emphasis on training here too, right? Yeah. You definitely need to go to AWS university to be competent. It

>>Wasn't Lego blocks yet. No, it was an Erector Set. Very good distinction rules, you know, and, and you lose a few. It's

>>True. Still too many tools. Right. You see, we need more consolidation. That's getting interesting because a lot of these companies have runway and you look, you look at SailPoint, its stock prices held up cuz of the Thoma Bravo acquisition, but all the rest of the cyber stocks have been crushed. Yeah. You know, especially the high flyers, like a SentinelOne or a CrowdStrike, but yeah, just still M&A opportunity

>>Itself. So platform wars. Okay. Final thoughts. What do you think's happening next? What's what's your outlook for the, the next year or so?

>>So in the, in the identity space, I'll talk about Phillip can cover cloud force. You know, it really is more consolidation and more adoption of things that are beyond simple SSO, right. It was, you know, just getting on the systems and now we really need to control what you're able to get to and who you are and do it as transparently as we possibly can because otherwise, you know, people are gonna lose productivity, right. They're not gonna be able to get to what they want.
And that's what causes the C-suite to say, wait a minute, you know, DevOps, they want to update the product every day. Right. Make it better. Can they do that? Or did security get in the way people every once in a while I'll call security, the department of no, right? Yeah. Well,

>>Yeah. They did it on stage. Yeah. They wanna be the department of yes,

>>Exactly. And the department that creates additional value. If you look at what's going on with B2C or CIAM, consumer identity, that is all about opening up new direct channels and treating people like, you know, they're old friends, right. Not like you don't know 'em you have to challenge

>>'em we always say you wanna be in the boat together. It sinks or not. Yeah. Right. Exactly.

>>Phillip,

>>Okay. What's your take? What's your outlook for the year?

>>Yeah. I think, you know, something that we've been seeing as consolidation and integration, and so, you know, companies looking at from build time to run time investing in shift left infrastructure as code. And then also in the runtime detection makes perfect sense to have both the agent and agentless so that you're covering any of the gaps that might exist.

>>Awesome. Jay, Phillip, thanks for coming on theCUBE with IDC and sharing

>>Your oh our pleasure perspective.

>>Commentary, have any insights and outlook. Appreciate it. You bet. Thank you. Okay. We've got the great direction here from IDC analyst here on theCUBE. I'm John Furrier, Dave, we're back more after this short break.

Published Date : Jul 26 2022


Will Kapcio, HackerOne & Sean Ryan, HackerOne | AWS re:Inforce 2022


 

(theme music)

>> Okay, welcome back everyone, theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce '22. Big show for ground security, Amazon re:Invent's coming up. That's the big event of all time for AWS. re:MARS was another one, re:Inforce, the re:Shows, they call them, theCUBE's got you covered. I'm John Furrier, host of theCUBE with Dave Vellante, who's in an analyst session right now. He'll be back shortly. We've got 2 great guests from an amazing company, HackerOne, been on theCUBE many times, (mumbles) Marten Mickos, of course, a big time, (mumbles) We got two great guests. Sean Ryan, Sr. Principal Product Marketing Manager Will Kapcio, Senior Sales Engineer. Gents, welcome to theCUBE.

>> Thanks for having us John.

>> So Marten's been on many times, he's such a character. He's such a legend.

>> Yeah.

>> Your company has had great traction, great community, just this phenomenal example of community meets technology and problem solver.

>> Yeah.

>> He's been part of that organization. Here at re:Inforce they're just kind of getting wind of it now, right? You hear an open, teamwork, breaking down the silos, a big theme is this whole idea of open community, but yet be hardcore with the security. It's been a big part of the re:Inforce. What do you guys think of the show so far?

>> Loving it. Partly too, we're both local here in the Boston area. So the commute was pretty nice. (everyone laughs) And the heat wave broke the other day so that's wonderful, but yeah, great show. It's good to be back in person doing this kind of stuff and just, it's really lively. You get a lot of good energy. We've had a bunch of people stopping by trying to learn what we're all about and so, it's really fun. Great show so far.

>> And you guys have a great company. Take a minute to explain for the folks who may not know HackerOne. Tell them what you guys do real quick in one minute.

>> Okay, the quick elevator pitch.
(chuckles) So really we're making the internet safer using a community of ethical hackers. And so our platform enables that so we can skill match the best talent that's out there around the world to help find all the vulnerabilities that your company needs to discover. So you can plug those holes and keep yourself safe.

>> So in an era of a talent gap, Will, you know the technologies out there, but sometimes the skills are not there. So you guys can fill the void kind of a crowdsourced vibe, right?

>> Yeah, exactly. If you're trying to build a security program, and apply defense in depth, we offer a terrific way to engage additional security talent either because you can't hire enough or your team is simply overloaded, too much to do, so.

>> Hackers like to be a little bit, white hat hackers like to be independent, might want some flexibility in their schedule, live around the world.

>> Yes. No question for hackers that do it full time, that do it part-time and then everything in between.

>> Well, you guys are in the middle here with some real products. So talk about what's going on here. How vulnerable are the surface areas in organizations that you're seeing?

>> Yeah, probably more so than you would think. So we ran a survey earlier this year, 800 security and IT professionals across North America and Europe. And one of the findings from that survey was that nearly a third, actually over a third, 37% of the attack surfaces, not secured. Some of it's not even known. They don't know what they don't know. They just have this entire area. And you can imagine, I mean there's a lot of reasons you know, real legitimate reasons that this happens. One of those really being that we don't know what we don't know. We haven't scanned our attack surface.

>> And also it's about a decade of no perimeter anymore.

>> Yes.

>> Welcome to the cloud.

>> For sure. Absolutely. And people are moving quick, right? You know, the Cloud perfect example.
Cloud people are building new applications on top of these new underlying configurations happening on a constant basis. Acquisitions, you know, that's just a fast moving thing. Nobody can keep track of it. There's a lot of different skill sets you need you know. And yeah, skill shortage out there too. As we talked about. >> What's the attacker solution you guys have? You guys have this HackerOne attack resistance component, what's that about? >> That's right. So that is to solve what we call the attack resistance gap. So that area that's not protected, hasn't been secured, on top of just not knowing what those assets are, or how vulnerable they are. The other thing that happens is people are sort of doing status quo testing, or they're not able to keep up with effective testing. So scanners are great. They can catch common vulnerabilities, but they're not going to catch those really hard to find vulnerabilities. The thing that the really sophisticated attackers are going to go after. >> Yeah. >> So we use... This large community that we have of ethical hackers around the world to be able to skill match them and get them doing bug bounties, doing pen tests, really bulletproofing the organization, and helping them risk-rank what they find. >> Yeah. >> Triage these, do the retesting, you know, get it very secure. So that's how we do it on a high level. Will, you might have a-- >> Yeah. I mean there's a tremendous amount of automation out there, right? But you can't quite at least not yet replace critical thinking. >> Yeah. >> From smart security minds. So HackerOne has a number of solutions where we can apply those minds in different ways at different parts of the software life cycle at different cadences, to fit our customers' needs, to fit their security needs, and make sure that there's more complete human coverage throughout their software lifecycle, and not just automation. >> Yeah. 
I think that's a great point, Will and Sean, because you think about open source is like not only grown significantly, it's like's it is the software industry. If you believe that, which I do. Open source is there it's all software free. The integration is creating a DevOps movement that's going the whole level. So Devs are doing great. They're pumping out codes. In fact, I heard a quote here on theCUBE earlier this morning from the CTO Sequence Security that said: "Shift left but shield right." So shifting left is build your security into the code, but still you got to have a shield. You guys have this shielding capability with your attack module management service. So you now you got the Devs thinking: "I got to get better security native" So but they're pumping out so much code. >> Yep. >> There's more use cases, so there's going to be code reviews needed for stuff that she said, "What is this? We got to code review new stuff. A developer created something." >> Yes. >> I mean, that's what happened. That's what's going on everywhere, right? >> Exactly. We often hear that for every 100 developers, you've got one security professional. (John laughs) You know, talk about skill shortage that's just not sustainable. How are you going to keep up with that? >> Yeah. >> So-- >> Your phone is ringing off the hook. There's no phones anymore, but like technically-- >> Yeah, yeah, exactly. So, you know, yeah, you need to go external find some experts who can help you figure that out, and keep up with that cadence, you know keeps going and going. >> So, HackerOne. I love the ethical thing. I mean, you know, I'm a big fan. Everyone who watches theCUBE knows I'm a big fan of Marten and your company, but it's not just bug bounties that you do. That's just people think of, they see that in the news. "Oh, I made a million dollars from saving Microsoft teams from being exploited" or something like that, or weird things big numbers. But you do more than that. 
There's code reviews, there's assessments, like a variety of different things, right? >> Yes, exactly. Exactly. >> What are the hottest areas? >> Yeah, I mean, that's exactly why we coined the term, Attack Resistance Management really is to help describe all those areas that we cover, so you're right, bug bounty is our flagship product. It's what we're best known for. And it's a terrific solution. But on top of that, we're able to layer things like vulnerability disclosure, pen testing and code review. >> Pen test is actually really important-- >> Attack surface management, you know, a whole suite of complimentary offerings to help you engage these hackers in new and interesting ways. >> Yeah. >> The bug bounty is very popular because it's fun. >> Yeah. >> I mean if your going to work on something... It's fun for the hackers but the white hat hackers, the companies they can see where's my bugs it's the fear of missing out and the fear of getting screwed over. That's the biggest driver, right, you Know-- >> Yes, definitely and we now have a product called assets. So this is attack surface management. And what we're able to do with that is bring that in leverage the ethical hackers to risk-rank. What's your assets out there? How vulnerable are these? What's critical? Feed that in, and then you know, as Will was saying we've got all kinds of different testing options. Sometimes bug bounty continuous that works. Sometimes you want pen test, you know, you want it bound. >> Well, the thing about the thing about the pen test, well the soccer report, Amazon's got soccer reports but pen test is a moving train. >> Yeah >> Cause if you're pushing new code, you got to pen test it all the time. It's not a one and done. >> Exactly. >> You got to keep it running. Just one and run, right? >> You can't do the old school penetration test once a year, big monolithic thing. 
You know, this is just a check the box for compliances like, no, you need to be focusing this on the assets that you're releasing, which are constantly changing. And doing ongoing smaller cadences of pen testing. >> I had someone at a conference had a few cocktails in them, confessed to me, that they forged a pen test report. >> Oh man. >> Wow! (everyone laughs) >> Because he's like, "Oh! It was three months ago. Don't Worry about it." Like, but a lot can happen in three months. No, this is reality, they are like, "I can't turn it around fast enough" They had an Apsec review... >> Yeah. >> In their company and... >> And that's it. >> I mean, I'm not saying everyone's doing bad behavior, but like people can look the other way that creates more vulnerabilities. >> It can happen. And even just that time space. Let's say you're only doing a pen test once a year or once every two years. That's a long time. It's a lot of dwell time, you can have an attacker inside mulling around your network. >> All right. So we get a big service here. This one, AWS, we're here at re:Inforce the trend that you see Amazon getting closer to the ecosystem, lot more integration. How are you guys taking HackerOne's attack surface area product management software, closer to Amazon? What's going involved? Because at the end of the day they're enabling a lot of value and their partners are growing and becoming platforms within of themselves. What is the connection with Amazon? Keeping those apps running? How do you guys do that? >> Yeah. So we've got a specific assessment type for AWS. So... On the one hand, we're bringing in the right group of ethical hack hackers who are AWS certified. They have the right skillset, we're matching them. We've got the right assessment type for them to be able to track against and find the right vulnerabilities, report on those. So this is our pen test offering geared particularly towards the AWS platform. And then we also have an AWS security hub integration. 
So if customers are using the AWS security hub, we can plug into that, feed that information. And that gets more to it, the defense and depth for your AWS. >> And you guys verify all the ethical hackers? Everything's verified? >> Oh yes, absolutely. Fully. >> Yep. So they're verified for their pen testing experience, and skills and of course their AWS skills in particular. And their work experience, making sure that it's long enough that it's good, background check, the whole nine, so. >> How far has Amazon come from your perspective, over the past few years with the security partnerships? I mean their services have grown every year. I mean, every Amazon re:Invent, thousands of new announcements, new services. I mean if they update the DNS server, it's a new thing. Right? So like everything's happening. >> Yeah. >> What's different now? >> It's great to see. I mean, you look around at how many different types of security solutions there are here how many different types of partners, and it just shows you that defense in depth again, it's a really critical thing. Been a wonderful partner for us. I mean that, they're a big fan of us. They tell us that all the time. >> Yeah, 'cause the customers use you. >> Cause they're customers too. Right. Exactly. Exactly. But no, it's, it's been great. So we're looking at, we've got some things on the roadmap, some continued integrations that we look forward to doing with AWS, but you know, again it's a great powerful platform. It gives customers a lot of freedom, but with that freedom comes the responsibility that's needed to actually-- >> Will, what's your take? We hear hybrid security keys, management systems, announced today, encrypt everything, don't have over permissive environments. Obviously they're talking about more platform and that type of stuff >> Absolutely. My take would be, I think our own partnership with the AWS security team is great evidence that they're thinking about the right things. 
We worked within conjunction with them to develop our pen test methodology. So that combined for proprietary HackerOne platform data and findings across all of our customers that are common issues found in AWS environments with their own knowledge and their own experiences from the AWS security team directly. So it's a pretty powerful checklist that we're able to run through on some of these customers and make sure that all of the most common miss-configurations and such are covered. >> Yeah. They're highly motivated to do that. 'Cause they get blamed for the S3 buckets being kept open. It's not even their fault. >> Right. (crosstalk) >> We got hack over in Amazon. Amazon's terrible! >> Yeah. You know, one of the things we like to talk about is the fact that, you know, cloud is really about automation, right? >> Yeah. >> Yep. >> But you can't automate that human ingenuity the skills that come with an actual human who has the experience and the know how to fix these things. >> It's a lot going on in Amazon. It's always been kind of like, you just described earlier in theCUBE. An erector set, not Lego blocks yet, but still kind of, you still got to build it. It's getting better in the Lego model, but there are challenges in protecting cloud, Will. I mean this is a big part of protecting cloud platforms like AWS. What are some of those challenges? >> I think some of the challenges are the ephemeral nature of the cloud can really result in developers, and you know really business units across an organization spinning up assets that IT or security don't know about. And so that's where things like HackerOne assets in those attack surface management style solutions come into play, trying to identify those assets proactively and make sure that they're receiving some sort of attention from the security team whether it's automated or manual or ideally both. >> You guys got a good solution. So how about the partnership? We got one minute left. 
Talk about your partnership with AWS. You guys are certified in their security group, with their team and marketplace, right? Talk about some of those things. >> Yeah, we've been in marketplace over a year. We've had that the specific solution that I mentioned the App Pen test for AWS in place and integrated with security hub for some time now. There's some other stats that we could probably share around the ethical hackers that we have working on that. We have a number of certified AWS hackers, who again they have the right skill set for AWS, and they've been a great partner. We are very focused on continuing to work with them, and build out some new offerings going forward. >> Well, you guys have done a great job. Will, tell your team congratulations on the tech side, on the product side, very strong community. You guys had a lot of success. Congratulations! And thanks for sharing on theCUBE, appreciate it. >> Thanks for having us John. >> Thank you for your time-- We're here at re:Inforce where all the access tab is open, it's team oriented, we got cloud scale, data, encryption on everything. Big news coming out of re:Inforce, well, theCUBE's got it covered here. I'm John Furrier, your host. Thanks for watching. We'll be right back with more coverage after this short break. (theme music)

Published Date : Jul 26 2022


Eric Kostlan, Cisco Secure | AWS re:Inforce 2022


 

>> Okay, welcome back. Everyone, theCUBE's live coverage of AWS re:Inforce 22. I'm John Furrier, my host Dave Vellante. We've got a great guest from Cisco, Eric Kostlan, technical marketing engineer, Cisco Systems. Great to have you on. Thanks.
>> All right. Thanks for having me.
>> Of course. We've been doing a lot of Cisco Live, Cisco events, Barcelona, you know a lot of folks over there. A lot of great momentum, supply chain challenges, but you got the cloud with a lot of networking there too. A lot of security conversations, DevSecOps, the trend we're hearing here is operations, security and operations. What are some of the business realities that you guys are looking at right now, focused on from a Cisco perspective and a landscape perspective?
>> Well, the transition to the cloud is accelerating and it's really changed the way we're doing business and what we do now. This combined with the more and more remote work by remote users and also the consumption of cloud-based tools to perform your business functions has dramatically changed the contour of the business environment. The traditional trust boundary has evaporated or at least transformed dramatically, but you still have those requirements for trust, for micro segmentation. So what we've seen is a dramatic change in how we do business and what we do. And this is essential because the value proposition is enormous and companies are able to pursue more and more ambitious objectives. But from a security point of view, it's quite challenging because on one hand, what we call the attack surface has increased and the stakes are much higher. So you have more sophisticated malicious actors taking advantage of a broader security target. In order to conduct your business, in order to maintain business continuity and achieve your objectives, you need to protect this environment. And one, one of the,
>> Sorry, just to, just to clarify, sure. You said the value proposition is enormous. You mean the value proposition of the cloud is enormous. Exactly. So the business is leaning in big time and there are security consequences to
>> That, precisely. And so, and one thing that we've seen happen in the industry is as these components of the business environment have changed, the industry has sort of bolted on more and more security solutions. But the problem with that is that's led to enormous complexity in administering security for the company, which is very expensive to find people with those expertise. And also the complexity itself is a vulnerability.
>> And, and that traditional trust boundary that you talked about, it hasn't been vaporized, has it? It's still there. So are you connecting into that? Is there an interoperability challenge? Does that create more security issues or are people kind of redoing? We talk about security as a do over, how are customers approaching it?
>> It is a challenge because although the concept of a trust boundary still exists, the nature of the hybrid multi-cloud environment makes it very difficult to define. Furthermore, the traditional solutions such as simply having a, a, a firewall and, and an on-premise network is now much more complex because the on-premise network has to connect to the cloud infrastructure and parts of the cloud infrastructure have to be exposed to the public. Other parts have to be protected. So it's not that the, the concept of trusted versus untrusted has gone away. It's just become fundamentally more complex.
>> So Eric, I wanna get your thoughts on this higher level abstraction trend, because you're seeing the complexity being pushed to the customers and they want to buy cloud or cloud operations from partners, platforms that take the heavy lifting from there, and best of breed products that handle the complexity. What's your reaction to that, that statement? Do you think that's happening or that will happen because either the complexity is gonna be solved by the customer, or they're gonna buy a platform or SaaS product.
>> Now the, the it's it's unreasonable to expect the customers to constantly adapt to this changing environment. From the point of view of, of security, they have to be able to focus on their business objectives, which is to actually sell their products and pursue their ambitions. And it's a distraction that they really can't afford if they have to be focused on security. So the solutions have to take that challenge, that distraction away from them, and that has to be integral to the solution.
>> So you're saying that the, the vendors, the provider, supplier has to deal with the underlying complexities on behalf of the customer.
>> Exactly. The vendor can't do this without a robust partnership with the cloud provider, working together, the both at the engineering level to develop the products together and in the implementation, as well as standing side by side with the customer, as they expand their business into the cloud.
>> This is super cloud, it's super cloud. Right? Exactly. So give us the specifics. What are you doing? What's Cisco doing? How are you working with AWS? What solutions are you talking about?
>> Well, Cisco has a wide variety, quite an expansive portfolio because there's a large number of components to the solution. This spans both the, the workload protection, as well as the infrastructure protection. And these are integrated and in partnership with AWS, not only integrated together, but integrated into the cloud components. And this is what allows comprehensive protection across the hybrid cloud environment.
>> So are we talking about solutions that are embedded into switches? We're talking about software layers, maybe give, describe, add a little color, paint a picture of the portfolio.
>> And, and it's really all of those things. So the most of the solutions historically could say evolved from solutions that were utilized in the physical infrastructure, in the firewalls, in the switches, in the routers. And some of these technologies are still basically confined to those, to those form factors. But some of the most important technologies we use such as Snort 3, which is a best of breed intrusion protection system that we have adopted, is, is applicable as well to the virtual environment, so that we, we push into the cloud in a way that's seamless. So that if you're, if you've developed those policies for your on-prem solutions, you can extend them into the cloud effortlessly. Another example of something that adapts quite well to the cloud is security intelligence. Cisco has Talos. Talos is the world's leading security intelligence operation. This is fundamental for addressing threats, day zero attacks, and Talos updates our products approximately once every hour with the new, with information about these emerging attacks, as well as informing the community as a whole of this. And now that that architecture is very easily extensible into the cloud because you can inform a virtual device just as easily as you can inform a physical device of an emergent threat,
>> But technically, how do you do that integration? That's just through AWS primitives. How do you, how does Cisco work with AWS at an engineering level to make that happen?
>> So, part of it is that we, we, we have taken certain of our products and we virtualized them. So you could say the, the, the simplest or more straightforward approach is to take our firewalls and, and our other products and simply make virtual machines out of them. But that's really not sort of the most exciting thing. The most exciting thing is that working with them, with integration, with their components and doing such things as having our management platforms, like our Cisco Defense Orchestrator, be able to discover the virtual environment and utilize that discovery to, to manipulate the security components of that environment. Yeah.
>> Kurt, this is where I think you, you, onto something big here. Management is kind of like, oh yeah, we have software management, software kind of always a thing. When you talk about large scale, multiple data points, billions and billions of things happening a month. Quantum, we mentioned that in the keynote, we heard Kurt who's VP of platform. So about reasoning. This is kind of a whole nother level of technology. Next level reasoning, knowing things, mentioned micro segmentation. So we're seeing a new era of not just policies, reasoning around the networks, around the software stuff that needs to be better than just machine learning, doing predictive and, you know, analysis. Can you share your reaction to that? Because I see this dots connecting at a whole nother level.
>> Yes. Now, as we understand artificial intelligence, machine learning, I think we appreciate that one of the key components there, we think about it as data science, as data management. But when you think about data, you suddenly recognize where's it coming from? Data requires visibility. And when we talk about the transition to the cloud and the dispersion of the workforce, visibility is one of the great challenges, and visibility even prior to these transitions has been one of the primary focuses of Cisco Systems. So as we transition to the cloud and we recognize the need to be able to interpret what we're seeing, we have expanded our capacity to visualize what's happening. And I think there's a, a significant contribution. Yeah. To the
>> Dave and I were talking about this in context to our thesis about super cloud, how that's going evolving, building on top of the hyperscalers' CapEx investment, doing things, customer data control flows are a huge thing going across multiple geographies. It's global, you got regions, you got network, some trusted, some not. And you have now applications that are global. So you got data flows.
>> Yes.
>> I mean, data's gotta move across multiple environments. So that's a challenge
>> And it has to move secure, securely. And furthermore, there's a real challenge here with confidence, with confidence of the company that its data flow is secure in this new environment that is frankly, can be a little bit uncomfortable. And also the customer and the partners of that business have to be confident that their intellectual property, that their security and identity is protected.
>> Yeah. Dave and I were talking also, we're kind of old and seen some, seen the movie before. Remember the old days of multi-vendor and OSI models and, you know, interoperability, we're kind of at a new inflection point where teamwork, not just ecosystem partners, companies working together to make sure things are secure. This is a whole nother data problem, opportunity. Amazon sees things that other people don't see and contribute that back. How does this whole next level multi-vendor partnerships, the open source is a big part of the software piece of it. You got it's custom silicon. You mentioned. How do you view that whole team oriented approach in security?
>> Now this is absolutely essential. The community, the industry has to work together. Fortunately, it's in the DNA of Cisco to interoperate. I've sat next to competitors at customer sites working to solve the customer's problem. It's just how we function. So it's not just our partnerships, but it's our relationship with industry because industry has common purpose in solving these problems. We have to be confident in order to pursue our objectives.
>> You see, you see this industry at a flash point right now, everyone has to partner.
>> Exactly.
>> Okay. How would you summarize that? We, we are out of time, but so give us your leadership about the
>> Part of you, of business leadership. A business needs business continuity, its contributors have to be able to access resources to perform their job. And the customers and partners need confidence to deal with that business. You need the continuity, you demand flexibility to adapt to the changing environment and to take advantage of emerging opportunities. And you expect security. The security has to be resilient. It has to be robust. The security has to be simple to implement. Cisco in partnership with AWS provides the security you need to succeed.
>> Eric, thanks so much for coming on theCUBE. Really appreciate your insights and your experience and, and candid commentary and appreciate your time. Thank you.
>> Thank you very much for the opportunity.
>> Okay. We're here. Live on the floor and expo hall at re:Inforce, AWS re:Inforce 22 in Boston, Massachusetts. I'm John Furrier. We'll be right back with more coverage after this short break.

Published Date : Jul 26 2022


Keynote Analysis | AWS re:Inforce 2022


 

>>Hello, everyone. Welcome to the Cube's live coverage here in Boston, Massachusetts for AWS reinforce 2022. I'm John fur, host of the cube with Dave. Valante my co-host for breaking analysis, famous podcast, Dave, great to see you. Um, Beck in Boston, 2010, we started >>The queue. It all started right here in this building. John, >>12 years ago, we started here, but here, you know, just 12 years, it just seems like a marathon with the queue. Over the years, we've seen many ways. You call yourself a historian, which you are. We are both now, historians security is doing over. And we said in 2013 is security to do where we asked pat GSK. Now the CEO of Intel prior to that, he was the CEO of VMware. This is the security show fors. It's called the reinforce. They have reinvent, which is their big show. Now they have these, what they call reshow, re Mars, machine learning, automation, um, robotics and space. And then they got reinforced, which is security. It's all about security in the cloud. So great show. Lot of talk about the keynotes were, um, pretty, I wouldn't say generic on one hand, but specific in the other clear AWS posture, we were both watching. What's your take? >>Well, John, actually looking back to may of 2010, when we started the cube at EMC world, and that was the beginning of this massive boom run, uh, which, you know, finally, we're starting to see some, some cracks of the armor. Of course, we're threats of recession. We're in a recession, most likely, uh, in inflationary pressures, interest rate hikes. And so, you know, finally the tech market has chilled out a little bit and you have this case before we get into the security piece of is the glass half full or half empty. So budgets coming into this year, it was expected. They would grow at a very robust eight point half percent CIOs have tuned that down, but it's still pretty strong at around 6%. And one of the areas that they really have no choice, but to focus on is security. 
They moved everything into the cloud, or a lot of stuff into the cloud. >>They had to deal with remote work and that created a lot of security vulnerabilities. And they're still trying to figure that out and plug the holes with the lack of talent that they have. So it's interesting, the first re:Inforce that we did, which was also here in 2019, Stephen Schmidt, who at the time was chief information security officer at Amazon Web Services, said the state of cloud security is really strong. All this narrative, like the Pat Gelsinger narrative, security's a do-over, which you just mentioned, security is broken, it doesn't help the industry. The state of cloud security is very strong if you follow the prescription. Well, see, now Stephen Schmidt, as you know, is now chief security officer at Amazon. So we followed >>Jassy to all of Amazon, not just AWS. So >>He followed Jassy over and I asked him, well, why? No, I, and they said, well, he's responsible now for physical security, presumably the warehouses. I'm like, well, wait a minute. What about the data centers? Who's responsible for that? So it's kind of funny. CJ Moses is now the CISO at AWS and, you know, these events are, are good. They're growing. And it's all about best practices, how to apply the practices, a lot of recommendations from, from AWS, a lot of tooling and really an ecosystem because, let's face it, Amazon doesn't have the breadth and depth of tools to do it alone. >>And also the attendance is interesting, cuz we were just in New York City for the, uh, AWS Summit, 19,000 people, massive numbers, certainly in the pandemic. That's probably one of the top-end shows and it was a summit. This is a different audience. It's security. It's really nerdy. You got OT, you got cloud, you've got on-prem. So now you have cloud operations. We're calling it supercloud. Of course we're having our inaugural pilot event on August 9th. Check it out. It's called Supercloud. Go to thecube.net to check it out. 
But this is the supercloud model evolving with security. And what you're hearing today, Dave, I wanna get your reaction to this, is things like we've got billions of observational points. We're certainly, there's no perimeter, right? So the perimeter's dead. The new perimeter, if you will, is every transaction at scale. So you have to have a new model. So security posture needs to be rethought. They actually said that directly on the keynote. So security, although numbers aren't as big as last week or two weeks ago in New York, still relevant. So alright. There's sessions here. There's networking. Very interesting demographic, long hair. Lot of >>T-shirts >>No, lot of, not a lot of nerds doing to build out things over there. So, so I gotta ask you, what's your reaction to this scale as the new advantage? Is that a tailwind or a headwind? What's your read? >>Well, it is amazing. I mean, he actually, Stephen Schmidt talked about quadrillions of events every month, quadrillions, 15 zeros. What surprised me, John. So they, they, Amazon talks about five areas, but by the, by the way, at the event, they got five tracks in 125 sessions: data protection and privacy, GRC, governance, risk and compliance, identity, network security and threat detection. I was really surprised, given the focus on developers, they didn't call out container security. I would've thought that would be sort of a separate area of focus, but to your point about scale, it's true. Amazon has a scale where they'll see events every day or every month that you might not see in a generation if you're just kind of running your own data center. So I do think that's, that's a valid statement. Having said that, Amazon's got a limited capability in terms of security. That's why they have to rely on the ecosystem. Now it's all about APIs connecting in, and APIs are one of the biggest security vulnerabilities. So that's kind of, I, I'm having trouble squaring that circle. 
>>Well, they did, just to come up, bring it back to the whole open source and software. They did say, they did make a measurement, was store, but at the beginning, Schmidt did say that, you know, besides scale being an advantage for Amazon with a quadrillion, 15 zeros, don't bolt on security. So that's a classic old-school, we've heard that before, right. But he said specifically, weave in security in the dev cycles and the CI/CD pipeline. That is, that basically means shift left. So Snyk is here, uh, a company we've covered. Um, and they, their whole thing is shift left. That implies Docker containers, that implies Kubernetes. Um, but this is not a cloud native show per se. It's much more crypto, crypto. You heard about, you know, the, uh, encrypt-everything message on the keynote. You heard, um, about reasoning, quantum, quantum >>Skating to the puck. >>Yeah. So yeah, so, you know, although the middleman is, Log4j heard that little, little mention. I love the quote from Lewis Hamilton that they put up on stage. CJ Moses said, team behind the scenes make it happen. So a big emphasis on teamwork, big emphasis on don't bolt on security, have it in the beginning. We've heard that before, a lot of threat modeling discussions, uh, and then really this, you know, the news around the Cloud Audit Academy. So clearly skills gap, more threats, more use cases happening than ever before. >>Yeah. And you know, to your point about, you know, the teamwork, I think the problem that CISOs have is they just don't have the talent that AWS has. So they have a real difficulty applying that talent. And so they're saying, well, join us at these shows. We'll kind of show you how to do it, how we do it internally. And again, I think when you look out on this ecosystem, there's still like thousands and thousands of tools that practitioners have to apply every time. There's a tool, there's a separate set of skills to really understand that tool, even within AWS's portfolio. 
So this notion of a shared responsibility model. Amazon takes care of, you know, securing, for instance, the physical nature of S3. You're responsible for securing, making sure the, the S3 bucket doesn't have public access. So that shared responsibility model is still very important. And I think practitioners are still struggling with all this complexity in this matrix of tools. >>So they had the layered defense. So, so just to review, opening keynote with Steve Schmidt, the new CSO, he talked about weaving in security in the dev cycles, shift left, which is the, I don't bolt it on, keep it in the beginning. Uh, the lessons learned, he talked a lot about over-permissive creates chaos, um, and that you gotta really look at who has access to what and why. Big learnings there. And he brought up the use cases. More use cases are coming on than ever before. Um, layered defense strategy was his core theme, Dave. And that was interesting. And he also said specifically, no, don't rely on a single security control, use multiple layers, stronger together. Be it from the beginning. Basically that was the whole ethos, the posture. He laid that down. >>And he had a great quote on that. He said, I'm sorry to interrupt, single controls and binary states will fail, guaranteed. >>Yeah, that's a guarantee. That was basically like, that's his, that's not a best practice. That's a mandate. <laugh> Um, and then CJ Moses, who was his deputy in the past, now takes over as CISO, um, ownership across teams, ransomware mitigation, air gapping, all that kind of in-the-weeds kind of security stuff you want to check the boxes on. And I thought he did a good job. Right. And he did the news. He's the new CISO. Okay. Then you had Lena Smart from MongoDB. Come on. Yeah. Um, she was interesting. I liked her talk, obviously. Mongo is one of the ecosystem partners headlining. How do you read into that? >>Well, I, I'm, it's really interesting. Right? You didn't see Snowflake up there. Right? 
You see Databricks up there. You had Mongo up there and I'm curious, is her, and she's coming on theCUBE tomorrow, is her primary role sort of securing Mongo internally? Is it, is it securing the Mongo that's running across clouds? She's obviously here talking about AWS. So what I make of it is, you know, that's, it's a really critical partner that's driving a lot of business for AWS, but at the same time it's data. They talked about data security being one of the key areas that you have to worry about and that's, you know, what Mongo does. So I'm really excited. I talk to her >>Tomorrow. I, I did like her mention of BigID, a CUBE alumni, yeah, company. They were part of our, um, season one of our AWS Startup Showcase. Check out AWS startups.com. If you're watching this, we've been doing, now we're in season two, we're featuring the fastest growing, hottest startups in the ecosystem. Not the big players, that's ISVs, more of the startups. They were mentioned. They have a great product. So I liked the mention of BigID. Um, Security Hub mentioned, Config. They're clearly a big customer and they have a user base, a lot of EC2 and storage going on. People are building on Mongo, so I can see why they're in there. The question I want to ask you is, is Mongo's new stuff in line with all the upgrades in the silicon? So you got Graviton, which has got great stuff, um, great performance. Do you see that, that being a key part of things? >>Well, specifically Graviton. So I, I'll tell you this. I'll tell you what I know. When you look at, like, Snowflake, for instance, is optimizing for Graviton for certain workloads. They actually talked about it on their earnings call, how it's lowered the cost for customers and actually hurt their revenue. You know, they still had great revenue, but it hurt their revenue. My sources indicate to me that, that, that Mongo is not getting as much out of Graviton 2, but they're waiting for Graviton 3. 
Now they don't want to make that widely known because they don't wanna dis AWS. But it's, it's probably because Mongo's more focused on analytics. But so to me, Graviton is the future. It's lower cost. >>Yeah. Nobody turns off the database. >>Nobody turns off the database. >><laugh> It's always cranking EC2 cycles. You >>Know, the other thing I wanted to bring, bring up. I thought we'd hear, hear more about ransomware. We heard a little bit from Kurt Kufeld and he, and he talked about all these things you could do to mitigate ransomware. He didn't talk about air gaps and that's all you hear is how air gap. David Floyer talks about this all the time. You must have air gaps if you wanna, you know, cover yourself against ransomware. And they didn't even mention that. Now, maybe we'll hear that from the ecosystem. That was kind of surprising. Then I, I saw you made a note in our shared doc about encryption, cuz I think all the talk here is encryption at rest. What about data in motion? >>Well, this, this is the last guy that came on the keynote. He brought up encryption, Kurt, uh, Kufeld, which I love, by the way. He's VP of Platform. I like his mojo. He's got the long hair >>And he's >>Geeking out, swagger, but I, he hit on some really cool stuff. This idea of the reasoning, right? He, automated reasoning, is a little pet project that is like killer AI. That's next generation, next level >>Stuff. Explain that. >>So machine learning does all kinds of things, you know, goes to sit pattern, supervised, unsupervised, automate stuff, but true reasoning, like no one connecting the dots with software, that's like true AI, right? That's really hard. Like in word association, knowing how things are connected, looking at a pattern and deducing things. So, predictive analytics, we all know comes from great machine learning. But when you start getting into deduction, when you say, Hey, that EC2 cluster never should be on the same VPC as this, this one. 
Why is this packet trying to go there? You can see patterns beyond normal observation space. So if you have a large observation space like AWS, you can really put some killer computer science technology on this. And that's where this reasoning is. It's next-level stuff. You don't hear about it because nobody does it. Yes. I mean, Google does it with metadata. There's meta, meta reasoning. Um, we've been, I've been watching this for over two decades now. It's, it's a part of AI that no one's tapped and if they get it right, this is gonna be a killer part of the automation. So >>He talked about this, basically it being advanced math that gets you to provable security, like you gave an example. Another example I gave is, is this S3 bucket open to the public? Is that access restricted or unrestricted? Can anyone access my KMS keys? So, and you can prove, yeah, the answer to that question using advanced math and automated reasoning. Yeah, exactly. That's a huge leap because you used to be able to use math, but you didn't have the data, the observation space and the compute power to be able to do it in near real time or real time. >>It's like, it's like when someone, if in the physical world, real life, in real life, you say, Hey, that person doesn't belong here. Or you, you can look at something saying that doesn't fit. <laugh> >>Yeah. Yeah. >>So you go, okay, you observe it and you, you take measures on it or you query that person and say, why are you here? Oh, okay. You're here. It doesn't fit. Right. Think about the way, on the right clothes, the right look, whatever. You kind of have that data. That's deducing that and getting that information. That's what reasoning is. It's, it's really a killer level. And you know, there's encrypt everything, has to be data. Lin has to be data in at movement, at rest is one thing, but you gotta get data in flight. Dave, this is a huge problem. And making that work is a key >>Issue. 
The other thing that Kurt Kufeld talked about was, was quantum, uh, quantum-proof algorithms, because basically he put up a quote. You're a hockey guy. Wayne Gretzky. He said the greatest hockey player ever. Do you agree? I do agree. Okay, great. >>Bobby Orr and Wayne Gretzky. >>Yeah, but okay, so we'll give the nod to Gretzky, but I always skate to where the puck is gonna be, not to where it's been. And basically his point was we're skating to where quantum is going, because quantum, it brings risks to basically blow away all the existing crypto, cryptographic algorithms. I, I, my understanding is NIST just came up with new algorithms. I wasn't clear if those were supposed to be quantum-proof, but I think they are, and AWS is testing them. And AWS is coming out with, you know, some tests to see if quantum can break these new algos. So that's huge. The question is interoperability. Yeah. How is it gonna interact with all the existing algorithms and all the tools that are out there today? So I think we're a long way off from solving that problem. >>Well, that was one of Kurt's big points. You're talking about quantum-resistant cryptography, and they introduced hybrid post-quantum key agreements. That means KMS, Certificate Manager and Secrets Manager all can manage the keys. This was something that gives more flexibility on, on, on that quantum resistance argument. I gotta dig into it. I really don't know how it works, what he meant by that in terms of what does that hybrid actually mean? I think what it means is multi-mode and, uh, key management, but we'll see. >>So I come back to the, the macro for a second. We've got consumer spending under pressure. Walmart just announced not great earnings. Shouldn't be a surprise to anybody. We have Amazon, Meta and Alphabet announcing this weekend. I think Microsoft. Yep. So everybody's on edge, you know, is this gonna ripple through now? The flip side of that is because the economy, yeah. 
Is, is maybe not in, not in such great shape. People are saying maybe the Fed is not gonna raise after September. Yeah. So that's, so that's why we come back to this half full, half empty. How does that relate to cybersecurity? Well, people are prioritizing cybersecurity, but it's not an unlimited budget. So they may have to steal from other places. >>It's a double whammy, Dave. It's a double whammy on the spend side and also the macroeconomic. So, okay. We're gonna have a, a recession that's predicted. The issue >>On, so that's bad on the one hand, but it's good from a standpoint of not raising interest rates. >>It's one of the double whammy. It was one, it's one of the double whammy we're talking about here, but as we sat on theCUBE two weeks ago at the <inaudible> Summit in New York, and we did at re:MARS, this is the first recession where the cloud computing hyperscalers are pumping full cylinder, all cylinders. So there's a new economic engine called cloud computing that's in place. So unlike data center purchases in the past, that was CapEx. When, when spending was hit, the pause was a complete shutdown, then a reboot. Cloud computing, you can pause spending for a little bit, might make the cycle longer in sales, but it's gonna be quickly, fast turned on. So, so turning off spending with cloud is not that hard to do. You can hit pause and, like, check things out and then turn it back on again. So that's just general cloud economics. With security, though, I don't see the spending slowing down. Maybe the sales cycles might go longer, but there's no spending slowdown in my mind that I see. And if there's any pause, it's more of refactoring, whether it's the crypto stuff or new things that Amazon has. >>So, so that's interesting. So a couple things there. I do think you're seeing a slight slowdown in the, the, the ex, the velocity of the spend. 
When you look at the leaders in spending velocity in ETR data, CrowdStrike, Okta, Zscaler, Palo Alto Networks, they're all showing a slight deceleration in spending momentum, but still highly elevated. Yeah. Okay. So, so that's a, I think, now to your other point, really interesting. What you're saying is cloud spending is discretionary. That's one of the advantages. I can dial it down, but check me if I'm wrong. But most of the cloud spending is with reserved instances. So ultimately you're buying those reserved instances and you have to spend over a period of time. So they're ultimately, AWS is gonna see that revenue. They just might not see it for this one quarter as people pull back a little bit, right. >>It might lag a little bit. So it might, you might not see it for a quarter or two, so it's an impact, but it's not as severe. So the dialing up, that's a key indicator. I think I'm gonna watch that because that's gonna be something that we've never seen before. So what's that reserve? Now the wild card in all this and the dark horse: new services. So there's other services besides the classic EC2, but security and others. There's new things coming out. So to me, this is absolutely why we've been saying supercloud is a thing, because what's going on right now in security and cloud native is there's net new functionality that needs to be in place to handle multiple clouds, multiple abstraction layers, and to do all these supercloud-like capabilities. Like MongoDB, like these vendors, they need to up their game. And that we're gonna see new cloud native services that haven't existed. Yeah. I'll use some HashiCorp here. I'll use something over here. I got some VMware, I got this, but there's gaps. Dave, there'll be gaps that are gonna emerge. And I think that's gonna be a huge wild 
So you think about the layers I, as, uh, PAs and, and SAS, and we see super cloud permeating, all those somebody ask you, well, because we have Intuit coming on. Yep. If somebody asks, why Intuit in super cloud, here's why. So we talked about cloud being discretionary. You can dial it down. We saw that with snowflake sort of Mongo, you know, similarly you can, if you want dial it down, although transaction databases are to do, but SAS, the SAS model is you pay for it every month. Okay? So I've, I've contended that the SAS model is not customer friendly. It's not cloudlike and it's broken for customers. And I think it's in this decade, it's gonna get fixed. And people are gonna say, look, we're gonna move SAS into a consumption model. That's more customer friendly. And that's something that we're >>Gonna explore in the super cloud event. Yeah. And one more thing too, on the spend, the other wild card is okay. If we believe super cloud, which we just explained, um, if you don't come to the August 9th event, watch the debate happen. But as the spending gets paused, the only reason why spending will be paused in security is the replatforming of moving from tools to platforms. So one of the indicators that we're seeing with super cloud is a flight to best of breeds on platforms, meaning hyperscale. So on Amazon web services, there's a best of breed set of services from AWS and the ecosystem on Azure. They have a few goodies there and customers are making a choice to use Azure for certain things. If they, if they have teams or whatever or office, and they run all their dev on AWS. So that's kind of what's happened. So that's, multi-cloud by our definition is customers two clouds. That's not multi-cloud, as in things are moving around. Now, if you start getting data planes in there, these customers want platforms. If I'm a cybersecurity CSO, I'm moving to platforms, not just tools. 
So, so maybe CrowdStrike might have it dialed down a little bit, but they're turning into a platform. Splunk trying to be a platform. Okta is a platform. Zscaler is a platform. It's a platform war right now, Dave. Cyber, >>Alright, Ping Identity. They're all plat-, platform, beach products. We've talked about that a lot in theCUBE. >>Yeah. Well, great stuff, Dave. Let's get going. We've got two days of live coverage. Here is theCUBE at, in Boston for re:Inforce '22. I'm John Furrier. We're back with our guests coming on theCUBE after the short break.

Published Date : Jul 26 2022


Breaking Analysis: AWS re:Inforce marks a summer checkpoint on cybersecurity


 

>> From theCUBE Studios in Palo Alto and Boston bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> After a two year hiatus, AWS re:Inforce is back on as an in-person event in Boston next week. Like the All-Star break in baseball, re:Inforce gives us an opportunity to evaluate the cyber security market overall, the state of cloud security and cross cloud security and more specifically what AWS is up to in the sector. Welcome to this week's Wikibon cube insights powered by ETR. In this Breaking Analysis we'll share our view of what's changed since our last cyber update in May. We'll look at the macro environment, how it's impacting cyber security plays in the market, what the ETR data tells us and what to expect at next week's AWS re:Inforce. We start this week with a checkpoint from Breaking Analysis contributor and stock trader Chip Simonton. We asked for his assessment of the market generally in cyber stocks specifically. So we'll summarize right here. We've kind of moved on from a narrative of the sky is falling to one where the glass is half empty you know, and before today's big selloff it was looking more and more like glass half full. The SNAP miss has dragged down many of the big names that comprise the major indices. You know, earning season as always brings heightened interest and this time we're seeing many cross currents. It starts as usual with the banks and the money centers. With the exception of JP Morgan the numbers were pretty good according to Simonton. Investment banks were not so great with Morgan and Goldman missing estimates but in general, pretty positive outlooks. But the market also shrugged off IBM's growth. And of course, social media because of SNAP is getting hammered today. The question is no longer recession or not but rather how deep the recession will be. And today's PMI data was the weakest since the start of the pandemic. 
Bond yields continue to weaken and there's a growing consensus that Fed tightening may be over after September as commodity prices weaken. Now gas prices of course are still high but they've come down. Tesla, Nokia and AT&T all indicated that supply issues were getting better which is also going to help with inflation. So it's no shock that the NASDAQ has done pretty well as beaten down as tech stocks started to look oversold you know, despite today's sell off. But AT&T and Verizon, they blamed their misses in part on people not paying their bills on time. SNAP's huge miss even after guiding lower and then refusing to offer future guidance took that stock down nearly 40% today and other social media stocks are off on sympathy. Meta and Google were off, you know, over 7% at midday. I think at one point hit 14% down and Google, Meta and Twitter have all said they're freezing new hires. So we're starting to see according to Simonton for the first time in a long time, the lower income, younger generation really feeling the pinch of inflation. Along of course with struggling families that have to choose food and shelter over discretionary spend. Now back to the NASDAQ for a moment. As we've been reporting back in mid-June and NASDAQ was off nearly 33% year to date and has since rallied. It's now down about 25% year to date as of midday today. But as I say, it had been, you know much deeper back in early June. But it's broken that downward trend that we talked about where the highs are actually lower and the lows are lower. That's started to change for now anyway. We'll see if it holds. But chip stocks, software stocks, and of course the cyber names have broken those down trends and have been trading above their 50 day moving averages for the first time in around four months. And again, according to Simonton, we'll see if that holds. If it does, that's a positive sign. 
Now remember on June 24th, we recorded a Breaking Analysis and talked about Qualcomm trading at a 12X multiple with an implied 15% growth rate. On that day the stock was 124 and it surpassed 155 earlier this month. That was a really good call by Simonton. So looking at some of the cyber players here, SailPoint is of course the anomaly with the Thoma Bravo 7 billion acquisition of the company holding that stock up. But the BUG ETF, a basket of cyber stocks, has definitely improved. When we last reported on cyber in May, CrowdStrike was off 23% year to date. It's now off 4%. Palo Alto has held steadily. Okta is still underperforming its peers as it works through the fallout from the breach and the ingestion of its Auth0 acquisition. Meanwhile, Zscaler and SentinelOne, those high flyers are still well off year to date, with Ping Identity and CyberArk not getting hit as hard as their valuations hadn't run up as much. But virtually all these tech stocks generally and cyber issues specifically, they've been breaking their down trend. So it will now come down to earnings guidance in the coming months. But the SNAP reaction is quite stunning. I mean, the environment is slowing, we know that. Ad spending gets cut in that type of market, we know that too. So it shouldn't be a huge surprise to anyone but as Chip Simonton says, this shows that sellers are still in control here. So it's going to take a little while to work through that despite the positive signs that we're seeing. Okay. We also turned to our friend Eric Bradley from ETR who follows these markets quite closely. He frequently interviews CISOs on his program, on his round tables. So we asked to get his take and here's what ETR is saying. Again, as we've reported, while CIOs and IT buyers have tempered spending expectations since December and early January when they called for an 8% plus spending growth, they're still expecting a six to seven percent uptick in spend this year. So that's pretty good. 
Security remains the number one priority and also is the highest ranked sector in the ETR data set when you measure in terms of pervasiveness in the study. Within security, endpoint detection and extended detection and response along with identity and privileged account management are the sub-sectors with the most spending velocity. And when you exclude Microsoft, which is just dominant across the board in so many sectors, CrowdStrike has taken over the number one spot in terms of spending momentum in ETR surveys with CyberArk and Tanium showing very strong as well. Okta has seen a big drop-off in net score from 54% last survey to 45% in July as customers maybe put a pause on new Okta adoptions. That clearly shows in the survey. We'll talk about that in a moment. Look, Okta is still elevated in terms of spending momentum, but it doesn't have the dominant leadership position it once held in spend velocity. Year on year, according to ETR, Tenable and Elastic are seeing the biggest jumps in spending momentum, with SailPoint, Tanium, Varonis, CrowdStrike and Zscaler seeing the biggest jump in new adoptions since the last survey. Now on the downside, SonicWall, Symantec, Trellix, which is McAfee, Barracuda and Trend Micro are seeing the highest percentage of defections and replacements. Let's take a deeper look at what the ETR data tells us about the cybersecurity space. This is a popular view that we like to share with net score or spending momentum on the Y axis and overlap or pervasiveness in the data on the X axis. It's a measure of presence in the data set; we used to call it market share. With the data, the dot positions, you see that little inserted table, that's how the dots are plotted. And it's important to note that this data is filtered for firms with at least 100 Ns in the survey. That's why some of the other ones that we mentioned might have dropped off. 
The red dotted line at 40% indicates highly elevated spending momentum, and there are several firms above that mark, including of course Microsoft, which is literally off the charts in both dimensions in the upper right. It's quite incredible actually. But for the rest of the pack, CrowdStrike has now taken back its number one net score position in the ETR survey. And CyberArk and Okta and Zscaler, Cloudflare and Auth0, now Okta through the acquisition, are all above the 40% mark. You can stare at the data at your leisure, but I'll just make three quick points. First, Palo Alto continues to impress and it's steady as she goes. Two, it's a very crowded market still and it's a complicated space. And three, there's lots of spending in different pockets. This market has too many tools and will continue to consolidate. Now I'd like to drill into a couple of firms' net scores and pick out some of the pure plays that are leading the way. This series of charts shows the net score or spending velocity granularity for Okta, CrowdStrike, Zscaler and CyberArk, four of the top pure plays in the ETR survey that also have over a hundred responses. Now the colors represent the following. Bright red is defections: we're leaving the platform. The pink is we're spending less, meaning we're spending 6% or worse. The gray is flat spend, plus or minus 5%. The forest green is spending more, i.e., 6% or more, and the lime green is we're adding the platform new. That red dotted line at the 40% net score mark is the same elevated level that we like to talk about. All four are above that target. Now that blue line you see there is net score. The yellow line is pervasiveness in the data. The data shown in each bar goes back 10 surveys, all the way back to January 2020. First I want to call out that all four again are seeing downtrends in spending momentum with the whole market. That's that blue line. They're seeing that this quarter; again, the market is off overall. 
Everybody is kind of seeing that downtrend for the most part. Very few exceptions. Okta is being hurt by fewer new additions, which is why we highlighted in red that red dotted area, that square that we put there in the upper right of that Okta bar. That lime green, new adds, is off as well. And the gray for Okta, flat spending, is noticeably up. So it feels like people are pausing a bit and taking a breather for Okta. And as we said earlier, perhaps with the breach earlier this year and the ingestion of the Auth0 acquisition, the company is seeing some friction in its business. Now, having said that, you can see Okta's yellow line, or presence in the data set, continues to grow. So it's a good proxy for market presence. So Okta remains a leader in identity. So again, I'll let you stare at the data if you want at your leisure, but despite some concerns on declining momentum, notice there's very little red at these companies when it comes to the ETR survey data. Now one more data slide, which brings us to our four star cyber firms. We started a tradition a few years ago where we sorted the ETR data by net score. That's the left hand side of this graphic. And we sorted by shared N or presence in the data set. That's the right hand side. And again, we filtered by companies with at least 100 N and, oh, by the way, we've excluded Microsoft just to level the playing field. The red dotted line signifies the top 10. If a company cracks the top 10 in both spending momentum and presence, we give them four stars. So Palo Alto, CrowdStrike, Okta, Fortinet and Zscaler all made the cut this time. Now, as we pointed out in May, if you combined Auth0 with Okta, they jump to number two on the right hand chart in terms of presence. And they would lead the pure plays there, although it would bring down Okta's net score somewhat; as you can see, Auth0's net score is lower than Okta's. 
So when you combine them it would drag that down a little bit, but it would give them bigger presence in the data set. Now, the other point we'll make is that Proofpoint and Splunk both dropped off the four star list this time as they both saw marked declines in net score or spending velocity. They both got four stars last quarter. Okay. We're going to close on what to expect at re:Inforce this coming week. Re:Inforce, if you don't know, is AWS's security event. They first held it in Boston back in 2019. It's dedicated to cloud security. The past two years have been virtual, and they announced at re:Invent that it would take place in Houston in June, which everybody said, that's crazy. Who wants to go to Houston in June? And it turns out nobody did, so they postponed the event, thankfully. And so now they're back in Boston, starting on Monday. Not that it's going to be much cooler in Boston. Anyway, Steven Schmidt had been the face of AWS security at all these previous events as the Chief Information Security Officer. Now he's dropped the I from his title and is now the Chief Security Officer at Amazon. So he went with Jassy to the mothership. Presumably he dropped the I because he deals with physical security now too, like at the warehouses. Not that he didn't have to worry about physical security at the AWS data centers. I don't know. Anyway, he and CJ Moses, who is now the new CISO at AWS, will be keynoting along with some others, including MongoDB's Chief Information Security Officer. So that should be interesting. Now, if you've been following AWS you'll know they like to break things down into, you know, a couple of security categories: identity, detection and response, data protection slash privacy slash GRC, which is governance, risk and compliance, and we would expect a lot more talk this year on container security. 
So you're also going to hear product updates, and they like to talk about how they're adding value to services and they try to help customers understand how to apply services. Things like GuardDuty, which is their threat detection that has machine learning in it. They'll talk about Security Hub, which centralizes views and alerts and automates security checks. They have a service called Detective which does root cause analysis, and they have tools to mitigate denial of service attacks. And they'll talk about security in Nitro, which isolates a lot of the hardware resources. This whole idea of, you know, confidential computing, which, as AWS will point out, has kind of become a buzzword. They take it really seriously. I think others do as well, like Arm. We've talked about that on previous Breaking Analysis. And again, you're going to hear something on container security because it's the hottest thing going right now and because AWS really still serves developers, and really that's what they're trying to do. They're trying to enable developers to design security in, but you're also going to hear a lot of best practice advice from AWS, i.e., they'll share the AWS dogfooding playbooks with you for their own security practices. AWS, like all good security practitioners, understands that the keys to a successful security strategy and implementation don't start with the technology; rather they're about the methods and practices that you apply to solve security threats and a top to bottom cultural approach to security awareness, designing security into systems, that's really where the developers come in, and training for continuous improvement. So you're going to get heavy doses of really strong best practices and guidance and, you know, some good preaching. You're also going to hear and see a lot of partners. They'll be very visible at re:Inforce. 
AWS is all about ecosystem enablement, and AWS is going to host close to a hundred security partners at the event. This is key because AWS doesn't do it all. Interestingly, they don't even show up in the ETR security taxonomy, right? They just sort of imply that it's built in there, even though they have a lot of security tooling. So they have to apply the shared responsibility model not only with customers but partners as well. They need an ecosystem to fill gaps and provide deeper problem solving with more mature and deeper security tooling. And you're going to hear a lot of positivity around how great cloud security is and how it can be done well. But the truth is this stuff is still incredibly complicated and challenging for CISOs and practitioners who are understaffed when it comes to top talent. Now, finally, theCUBE will be at re:Inforce in force. John Furrier and I will be hosting two days of broadcast, so please do stop by if you're in Boston and say hello. We'll have a little chat, we'll share some data and we'll share our overall impressions of the event, the market, what we're seeing, what we're learning, what we're worried about in this dynamic space. Okay. That's it for today. Thanks for watching. Thanks to Alex Myerson, who is on production and manages the podcast. Kristin Martin and Cheryl Knight, they helped get the word out on social and in our newsletters, and Rob Hoff is our Editor in Chief over at siliconangle.com. You did some great editing. Thank you all. Remember, all these episodes, they're available as a podcast. Wherever you listen, all you do is search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com. You can get in touch with me by emailing david.vellante@siliconangle.com or DM me @dvellante, or comment on my LinkedIn post, and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. 
Thanks for watching and we'll see you in Boston next week if you're there, or next time on Breaking Analysis.

Published Date : Jul 22 2022


Dave McCann, AWS | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts. It's theCUBE covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Okay, welcome back. This is theCUBE's live coverage in Boston, Massachusetts, for Amazon Web Services re:Inforce, AWS's first inaugural conference around security, cloud security and all the benefits that security vendors are bringing. We're here with a man who runs the marketplace and more. Dave McCann, Cube alumni, vice president of migration, marketplace and control services. That's a new title that you have here since the last time we talked. Lots changed. Give us the update. Welcome to theCUBE. >> Great to be back, man. I believe it's seven months since the last event. >> Feels like seven years. You know, you've got a lot of new things happening. >> We do. >> Explain. You have new responsibility. You got the marketplace, which we talked about, a great product, solutions. What else do you have? >> So we've obviously been expanding our service portfolio, right? So AWS is launching new services all the time. We have a set of services around the migration of software. So I run the migration services team and, interestingly, we're sitting in Boston, and that's actually headquartered 800 yards down the road. So there's a set of services around the tools to help you as a CIO move your applications onto the cloud. Marketplace is obviously where we want you to find the software you need to buy. And then once you get into the topic of governance, we had one product called Service Catalog, and at re:Invent we announced a new product that was a preview called Control Tower. Yesterday we went to GA, full availability, of Control Tower. Control Tower and Service Catalog together are in the governance space, but we're calling them control services because it's around controlling the access of teams to particular resources. So that's control services. 
>> What are people moving into the cloud? Give us a sense of the workload. I know you see everything, but are there any patterns that you can see? >> A lot of patterns are emerging in migration, and they are very industry specific. But there are some common patterns. So, you know, we're doing migrations in companies worldwide, and professional services, run by Todd Weatherby, is engaged in hundreds of those migrations. But we also have now over 70 partners that we've certified as migration partners. Migration partners are doing three times as many migrations as our own professional services team is doing. So in total there's a lot going on there. One of the common patterns: first of all, everybody has moved web development, all the websites are done, they're all running on AWS. Now what they're doing is they're modernizing new applications. So they're building a new app, or bringing an app over and moving onto containers. So it was an app that ran on a server, and as they move into the cloud, they're going to reshape it, throw away some of the code, break the code up into microservices and deploy out, let's say, on ECS, which is containers. There's a lot of application modernization, and then on the migration side, we're seeing applications clearly being migrated. We're migrating a lot of SAP. So the big partners like Deloitte and Accenture are doing SAP migrations, and we've done a lot of SAP migrations. And then there are other business applications being moved with particular software vendors. You know, there's a company here in Boston called Pegasystems. They do a world-leading workflow platform. We've worked with Pega, and we have migrated lots of Pega workflows in dozens of Pega customers up onto the cloud. >> You innovated on the marketplace, which is where people buy so they can contract with software. 
So now you've got moving to the cloud, buying on the cloud, consuming the cloud and then governing it and managing that aspect, all under one cohesive unit. That's you. Is that right? >> Yeah, it's a good way to think about it. It's a set of engineering teams with a common purpose for the customer. So, you know, one of the things we do at AWS is we innovate a lot, and then we organize the engineering teams around a common customer need. So we sit above all of the compute and storage services. We pay attention to the application layer. We describe the application. So if you think of a migration service, I've actually got a service called Discovery. I crawl over your servers and I find what you have. Then what we do is we have a tool that says, are you gonna bring and move the till. So you have to build a business case. We just bought a company in Canada called TSO Logic. They had a super tool for building a business case that said, what would this app look like running on AWS? 
A special with a U IE is intuitive, and you're gonna learn it in 20 minutes. I'm not gonna have you made up >> this date in their best practice things like that that you can draw a library >> of what's going down, and it keeps the data store of all the ones we've done. So we're turning that into two. Were giving Old Toller solution architect. >> Well, you got a good thing going on with the marketplace. Good to see you wrapping around those needs there. I gotta ask for the marketplace. Just give us the latest stats. How many subscriptions air in the marketplace these days? What's the overall number in the marketplace? It's >> pretty exciting. Way decided just at San Francisco to announce that we now have over 1,000,000 active subscriptions in the marketplace, which is a main boggling number on its own 1,000,000 subscriptions. Ice of Scrape. Within those subscriptions, we've got over 240 foes and active accounts, you know, and the audience doors you could be an enterprise with 100 cases and in an enterprise. What we typically see is that there are seven or eight teams that are buying or using software, so we'll have seven or eight accounts that have the right to subscribe. So you could be a one team and you're in another team you're buying B I tools. You're buying security tools. So those accounts on what? We're announcing the show for the first time ever. Its security is we have over 100,000 security subscriptions. That's a while. That's a big number. Some companies only have 100 customers, and the market, please. Our customers are switched on 100,000 security. So >> many product listings is that roughly it's just security security. At 300 >> there's over 100 listings. Thing is a product with a price okay on a vendor could be Let's see Paolo off networks or crowdstrike or trains or semantic or McAfee or a brand new company like Twist located of Israel. These companies might have one offer or 20 offers, so we have over 800 offers from over 300. 
Vendors were having new vendors every week. >> That's the next question. How many security app developers are eyes? Do you have over 300? 300? Okay. About 100. Anyway, I heard >> this morning from Gartner that they believe that are over 1000 security vendors. So I'm only 30% done. I got a little work >> tonight. How >> do you >> govern all this stuff? I was a customer. Sort of Make sure that they're in compliance. >> Great question. Steven Smith yesterday was talking about governance once she moved things on the clothes. It's very elastic. You could be running it today, not running a tomato, running it in I d running in Sydney. So it's easy to fire up running everywhere. So how did the governance team of a company nor watch running where you know, you get into tagging, everything has to be tagged. Everything has to have a cord attached to it. And then you do want to control who gets to use what I may have bought about a cuter appliance. But I don't know that I gave you rates to use it, right, so we could have border on behalf of the company. But I need to grant you access. So we launched a couple of years ago. Service catalog is our first governance to and yesterday we went into full release over new to call the control tower. >> Right. What you announced way reinvents >> preview. And yesterday we went to Jenny. What control does is it Natural Owes me to set up a set of accounts. So if you think of it, your development team, you've got David Kay and tested and the product ain't your brand new to the company. I'm a little worried. What, you're going to get up. You >> don't want to give him the keys to the kingdom, >> so I'm actually going to grant you access to a set of resources, and then I'm gonna apply some rules, or what we call God reels is your brand. You you haven't read my manual, you're in the company. So I'm gonna put a set of God reels on you to make sure that you follow our guide length >> Just training. 
And so is pressing the wrong button, that kind of thing. So I gotta ask you I mean, on the buying side consumption. I heard you say in a talk upstairs on Monday. You have a buyer, buyer, lead, engineering teams and cellar Let engineering, which tells me that you got a lot of innovation going on the marketplace. So the results are obviously they mention the listings. But one of the trends that's here security conference and it was proper is ecosystems importance in monetization. So back in the old days, Channel partners were a big part of the old computer industry. You're essentially going direct with service listings, which is great. How does that help the channel? Is there sinking around channel as a buyer opportunity? How do you How does that work with the market? Is what your thinking around the relationship between the scale of a simplicity and efficiency, the marketplace with the relationships the channel partners may have with their customers? And how do you bridge that together? What's the thinking >> you've overstayed? Been around a long time? >> Uh, so you have 90 Sydney? Well, the channels have been modernizes the nineties. You think about a >> long time. It's really interesting when we conceived Market please candidly. Way didn't put the channel in marketplace, and in retrospect, that was a miss. Our customers are big customers or small customers. Trust some of the resellers. Some resellers operates surely on price. Some resellers bring a lot of knowledge, even the biggest of the global 2000 Fortune 100. They have a prepared advisor. Let's take a company record. You often got 700 security engineers that are blue chip companies in America trusts or they buy the software the adoptive recommends. So mark it, please really didn't accommodate for Let's Pick another One in Europe, it would be computer center. So in the last two years we've dedicated the data separate engineering team were actually opened up. 
A team in a different city on their sole customer is a reseller. And so we launch this thing called Consulting Partner Private offer. And so now you're Palo. Also, for your trained, you can authorize active or serious or s h I to be the re sailor at this corporation, and they can actually negotiate the price, which is what a role resellers do. They negotiate price in terms, so we've actually true reseller >> write software for fulfillment through the marketplace. Four partners which are now customers to you now so that they could wrap service is because that's something we talk to. People in the Channel number one conversation is we love the cloud. But how do I make money and that is Service is right. They all want to wrap Service's around, So okay, you guys are delivering this. Is that my getting that right? You guys are riding a direct link in tow marketplace for partners, and they could wrap service is around there, >> will you? Seeing two things? First of all, yes. We're lowering the resale of to sell the software for absolutely. So you re sailor, you can quote software you build rebuild for you so that I become the billing partner for a serious or a billing partner for active on active can use marketplace to fulfill clothes software for their customers. Dan Burns to see you about pretty happy. You crossed the line into a second scenario, which is condone burns attached. Service is on. Clearly, that's a use case we hear usually would we hear use cases way end up through feeling that a little, little not a use case I have enabled, but we've done >> what you're working on It. We've had what the customer. How does the reseller get into the marketplace? What kind of requirements are there. Is it? Is it different than some of your other partners, or is it sort of a similar framework? >> They have to become an approved resale or so First of all, they have to be in a peon partner. I mean, we work tightly with a p N e p M screens partners for AWS. 
So Josh Hoffman's team Terry Wise, his team, whole part of team screen. The reseller we would only work with resellers are screened and approved by the PM Wants the AP en approved way have no set up a dedicated program team. They work with a reseller with trained them what's involved. Ultimately, however, the relationship is between Splunk in a tree sailor, a five and a three sailor named after a tree sailor or Paulo trend or Croat straight. So it's up to the I S V to tail us that hey, computer centers my reseller. I don't control that relationship. A fulfillment agent you crow strike to save resellers, and I simply have to meet that work so that I get the end customer happy. >> So your enabler in that instance, that's really no, I'm >> really an engine, even team for everybody engineer for the Iast way, engineer for the buyer. And they have to engineer for the re. So >> you have your hands in a lot of the action because you're in the middle of all this marketplace and you must do a lot of planning. I gotta ask you the question and this comes up. That kind of put on my learning all the Amazon lingo covering reinvent for eight years and covering all the different events. So you gotta raise the bar, which is an internal. You keep innovating. Andy Jassy always sucks about removing the undifferentiated heavy lifting. So what is the undifferentiated heavy lifting that you're working toe automate for your customers? >> Great questions. Right now there's probably three. We'll see what the buyer friction is, and then we'll talk about what the sale of friction is. The buyer frustration that is, undifferentiated. Heavy lifting is the interestingly, it's the team process around choosing software. So a couple of customers were on stage yesterday right on those big institutions talked about security software. But in order for an institution to buy that software, there are five groups involved. Security director is choosing the vendor, but procurement has to be involved. Andre. 
No procurement. We can't be left out the bit. So yesterday we did. The integration to Cooper is a procurement system. So that friction is by subscribing marketplace tied round. Match it with appeal because the p O is what goes on the ledgers with the company. A purchase order. So that has to be a match in purchase order for the marketplace subscription. And then engineers don't Tidwell engineers to always remember you didn't tag it. Hi, this finance nowhere being spent. So we're doing work on working service catalog to do more tagging. And so the buyer wants good tagging procurement integrated. So we're working on a walk slow between marketplace service catalog for procurement. >> Tiring. So you've kind of eliminated procurement or are eliminating procurement as a potential blocker, they use another. Actually, we won't be >> apart for leading procurement. VPs want their V piece of engineering to be happy. >> This is legal. Next. Actually, Greek question. We actually tackled >> legal. First, we did something called Enterprise Code tracked and our customer advisory board Two years ago, one of our buyers, one of our customers, said we're gonna be 100 vendors to deploy it. We're not doing 100 tracks. We've only got one lawyer, You know, 6000 engineers and one lawyer. Well, lawyers, good cord is quickly. So we've created a standard contract. It take stain to persuade legal cause at risk. So we've got a whole bunch of corporations adopting enterprise contract, and we're up to over 75 companies adopting enterprise contract. But legal is apartment >> so modernizing the procurement, a key goal >> procurement, legal, security, engineering. And then the next one is I t finance. So if you think of our budgets on their course teams on AWS, everything needs to be can become visible in either of US budgets. And everything has become visible in course exporter. So we have to call the rate tags. 
>> I heard a stat that 6,000,000 After moving to the cloud in the next 6,000,000 3 to 5 years, security as a focus reinforces not a summit. It's branded as a W s reinforce, just like reinvents. Same kind of five year for security. What's your impression of the show so far? No, you've been highly active speaking, doing briefing started a customer's burn, the midnight oil with partners and customers What's that? What's your vibe of the show? What's your takeaway? What's the most important thing happening here? What's your what's your summary? >> So I always think you get the truth in the booth. Cut to the chase. I made a customer last night from a major media company who we all know who's in Los Angeles. His comment was weeks, either. These expectations wasn't she wanted to come because he goes to reinvent. Why am I coming to Boston in June? Because I'm gonna go to reinvent November on this. The rates of security for a major media company last night basically said, I love the love. The subject matter, right? It's so security centric. He actually ended up bringing a bunch of people from his team on, and he loves the topics in the stations. The other thing he loved was everybody. Here is insecurity, reinvent. There's lots of people from what's the functions, But everybody here is a security professional. So that was the director of security for a media company. He was at an event talking to one of the suppliers, the marketplace. I asked this president of a very well known security vendor and I said. So what's your reaction to reinforce? And he said, Frankly, when you guys told me it was coming, we didn't really want the bother. It's the end of the quarter. It's a busy time of year. It's another event, he said. I am sure glad we came on. He was standing talking to these VP of marketing, saying, We want to bring more people, make sure, So he's overjoyed. His His comment was, when I go to Rio event 50,000 people but only 5% of their own security. 
I can't reinforce everybody's insecurity >> in Houston in 2020. Any inside US tow? Why Houston? I have no clue what I actually think >> is really smart about the Vineyard, and this is what a customer said Last night. I met a customer from Connecticut who isn't a load to travel far. They don't get to go to reinvent in Vegas. I think what we did when we came to Boston way tapped into all the states that could drive. So there are people here who don't get to go to reinvent. I think when we go to Houston, we're going to get a whole bunch of takes its customers. Yeah, you don't get a flight to Vegas. So I think it's really good for the customer that people who don't get budget to travel >> makes sense on dry kind of a geographic beograd. The world >> if we're expanding the customers that can learn. So from an education point of view, we're just increase the audience that we're teaching. Great, >> Dave. Great to have you on. Thanks for the insights and congratulations on the new responsibility as you get more coz and around marketplace been very successful. 1,000,000 subscriptions. That's good stuff again. They were >> you reinvented and >> a couple of months, Seven days? What? We're excited. I love covering the growth of the clouds. Certainly cloud security of his own conference. Dave McCann, Vice president Marketplace Migration and Control Service is controlled cattle up. How they how you how you move contract and governed applications in the future. All gonna be happening online. Cloud Mr. Q coverage from Boston. They just reinforced. We right back with more after this short break

Published Date : Jun 27 2019

Dan Meacham, Legendary Entertainment | AWS re:Inforce 2019



>> Live from Boston, Massachusetts, it's The Cube, covering AWS re:Inforce 2019. Brought to you by Amazon web services and its ecosystem partners. >> Hey, welcome back everyone. It's The Cube's live coverage here in Boston, Massachusetts for AWS re:Inforce. This is Amazon web services' inaugural security conference around Cloud security. I'm John Furrier. My host Dave Vellante. We've got special guest, we've got another CSO, Dan Meacham, VP of Security and Operations at Legendary Entertainment. Great to see you. Thanks for coming on The Cube. >> Oh, thank you. It's a real pleasure to be here. >> We had some fun time watching the Red Sox game the other night. It was the best night to watch baseball. They did win. >> Was it ever. >> Always good to go to Fenway Park, but we were talking when we were socializing, watching the Red Sox game at Fenway Park about your experience. You've seen a lot of waves of technology you've been involved in. >> Yes, yes. >> Gettin' dirty with your hands and gettin' coding and then, but now running VP of Security, you've seen a lot of stuff. >> Oh. >> You've seen the good, bad, and the ugly. (laughing) >> Yeah, fun business. >> It is. >> You guys did Hangover, right? >> Yes. >> Dark Knight. >> Yes. >> Some really cool videos. >> Good stuff there, yeah. And it's just amazing cause, you know, how much technology has changed over the years and starting back out in the mid-eighties and early nineties. Sometimes I'm just like, oh, if I could only go back to the IPXSX days and just get rid of botnets and things like that. (laughing) That'd be so much easier. Right? >> The big conversation we're having here, obviously, is Amazon's Security Conference. What's your take on it? Again, security's not new, but they're trying to bring this vibe of shared responsibility. Makes sense because they've got half of the security equation, but you're seeing a lot of people really focusing on security. What's your take of, so far, as an attendee?
>> Well, as we look and, cause I like to go to these different things. One, first to thank everybody for coming because it's a huge investment of time and money to be at these different shows, but I go to every single booth to kind of take a look to see where they are cause sometimes when we look at some of the different technology, they may have this idea of what they want the company to be and they're maybe only a couple years old, but we may see it as a totally different application and like to take those ideas and innovate them and steer them in another direction that kind of best suits our needs. But a lot of times you see a lot of replay of the same things over and over again. A lot of folks just kind of miss some of the general ideas. And, um, this particular floor that we have, there's some interesting components that are out there. There's a lot of folks that are all about configuration management and auto correction of misconfigured environments and things like that. Which is good, but I think when we look at the shared responsibility model and so forth, there's some components that a lot of folks don't really understand they really have to embrace in their environment. They think, oh it's just a configuration management, it's just a particular checklist or some other things that may fix something, but we really got to talk about the roots of some of the other things because if it's not in your data center and it's out somewhere else, doesn't mean you transfer the liability. You still have the ownership, there's still some practice you got to focus on. >> Take us through the Cloud journey with Legendary. You put some exchange service out there. Continue. 
>> Yes, and so as we started bringing these other different SaaS models because we didn't want to have the risk of if something went down we lost everything, but as we did that and started embracing Shadow IT, because if this worked for this particular department, we realized that there wasn't necessarily an applicable way to manage all of those environments simultaneously. What we mean after the standpoint, like we mentioned before, the MFA for each of these different components of the Cloud applications. So that naturally led us into something like single sign-on that we can work with that. But as we started looking at the single sign-on and the device management, it wasn't so much that I can't trust your devices, it's how do I trust your device? And so that's when we created this idea of a user-centric security architecture. So it's not necessarily a zero trust, it's more of a, how can I build a trust around you? So, if your phone trusts you based off of biometrics, let me create a whole world around that, that trust circle and build some pieces there. >> Okay, so, let me just interrupt and make sure we understand this. So, you decided to go Cloud-First. You had some stuff in colo and then said, okay, we need to really rethink how we secure our operations, right? So, you came up with kind of a new approach. >> Correct. >> Cloud approach. >> Absolutely. And it's Cloud and so by doing that then, trying to focus in on how we can build that trust, but also better manage the applications because, say for example, if I have a collaboration tool where all my files are, I may want to have some sort of protection on data loss prevention. Well, that Cloud application may have its own piece that I can orchestrate with, but then so does this one that's over here and this one over here and so now I've got to manage multiple policies in multiple locations, so as we were going down that piece, we had to say, how do we lasso the security around all these applications?
And so, in that particular piece, we went ahead and we looked at where the technology is, so early on, all we had were very advanced SIEMs where if I get reporting on user activity or anomalies, then I had limited actions and activities, which is fine, but then the CASB world ended up changing. Before, they were talking about Shadow IT, now they actually do policy enforcement, so then that allowed us to then create a lasso around our Cloud applications and say, I want to have a data loss prevention policy that says if you download 5,000 files within one minute, take this action. So, before, in our SIEM, we would get an alert and there were some things we could do and some things we couldn't, but now in the CASB I can now take that as a piece. >> So more refined >> Exactly. >> in policy. Now, did you guys write that code? Did you build it out? Did you use Cloud? >> We work with a partner on help developing all this. >> So, when you think about where the CASBs were five years ago or so, it was all about, can we find Shadow IT? Can we find where social security numbers are? Not necessarily can I manage the environment. So, if you were to take a step back to back in the old days when you had disparate in network architecture equipment, right? And you wanted to manage all your switches and firewalls, you had to do console on each and every one. Over time as it progressed, we now had players out there that can give you a single console that can get in and manage the entire network infrastructure, even if it's disparate systems. This is kind of what we're seeing right now within the Cloud, where on the cusp of it, some of them are doing really good and some of them still have a lot of things to catch up to do, but we're totally stoked about how this is working in this particular space. >> So, talk about, like, um, where you are now and the landscape that you see in front of you. Obviously, you have services. I know you.
We met through McAfee, you have other, some vendors. You have a lot of people knocking on your doors, telling you stuff. You want to be efficient with your team. >> Yes. >> You want to leverage the Cloud. >> Yes. >> As you look at the landscape and a future scape as well, what're you thinking about? What's on your mind? What's your priorities? How're you going to navigate that? What're some of the things that's driving you? >> (sighing) It's a cornucopia of stuff that's out there. (laughing) Depending on how you want to look at it. And you can specialize in any particular division, but the biggest things that we really want to focus on is we have to protect our data, we have to protect our devices, and we have to protect our users. And so that's kind of that mindset that we're really focused on on how we integrate. The biggest challenges that we have right now is not so much the capability of the technology, because that is continually evolving and it's going to keep changing. The different challenges that we have when we look in some of these different spaces is the accountability and the incorporation and cooperation because an incident's going to happen. How are you going to engage in that particular incident and how are you going to take action? Just because we put something in the Cloud doesn't mean it was a set and forget kind of thing. Because if it was in my data center, then I know I have to put perimeter around it, I know I got to do back-ups, I know I got to do patch management, but if I put it in the Cloud, I don't have to worry about it. That is not the case. So, what we're finding a lot is, some of these different vendors are trying to couch that as, hey we'll take care of that for you, but in fact, reality is you got to stay on top of it. >> Yeah. And then you got to make sure all the same security practices are in there.
So, the question I have for you is: what's the security view of the Cloud versus on premise (muttering) the data's in the perimeter, okay that's kind of an older concept, but as you're thinking about security in Cloud, Cloud security versus on premise, what's the difference? What's the distinction? What's the nuances? >> Well, if we go old-school versus new-school, old-school would say, I can protect every thing that's on prem. That's not necessarily the case that we see today because you have all this smart technology that's actually coming in and is eliminating your perimeter. I mean, back in the day you could say, hey, look, we're not going to allow any connections, inbound or outbound, to only outside the United States cause we're just a U.S.-based company. Well, that's a great focus, but now when you have mobile devices and smart technology, that's not what's happening. So, in my view, there's a lot of different things that you may actually be more secure in the Cloud than you are with things that are on prem based off of the architectural design and the different components that you can put in there. So, if you think about it, if I were to get a CryptoLocker in house, my recovery time objective, recovery point objective is really what was my last back-up. Where if I look at it in the Cloud perspective, it's where was my last snapshot? (stuttering) I may have some compliance competes on there that records the revision of a file up to 40 times or 120 times, so if I hit that CryptoLocker, I have a really high probability of being able to roll back in the Cloud faster than I could if I lost something that was on prem. So, ideally, there's a lot more advantages in going with the Cloud than on prem, but again, we are a Cloud-First company. >> Is bad user behavior still your biggest challenge? >> Is it ever! I get just some crazy, stupid things that just happen. >> The Cloud doesn't change that, right? >> No!
(laughing) No, you can't change that with technology, but a lot of it has to be with education and awareness. And so we do have a lot of very restrictive policies in our workforce today, but we talk to our users about this, so they understand. And so when we have things that are being blocked for a particular reason, the users know to call us to understand what had happened and in many cases it's, you know, they clicked on a link and it was trying to do a binary that was found inside of a picture file of all things on a web browser. Or they decided that they wanted to have the latest Shareware file to move mass files and then only find out that they downloaded it from an inappropriate site that had binaries in it that were bad and you coach them to say, no this is a trusted source, this is the repository where we want you to get these files. But my favorite though is, again, being Cloud-First, there's no reason to VPN into our offices for anything because everything is out there and how we coordinate, right? But we do have VPN set up for when we travel to different countries with regards to, as a media company, you have to stream a lot of different things and, so, if we're trying to pitch different pieces that we may have on another streaming video-on-demand service, some of those services and some of those programmings may not be accessible in other countries or regions of the world. So, doing that allows us to share that. So, then, a lot of times, what we find is we have offices and users that're in different parts of the world that will download a free VPN. (laughing) Because they want to be able to get to certain types of content. >> Sounds good. >> And then when you're looking at that VPN and that connection, you're realizing that that VPN that they got for free is actually being routed through a country that is not necessarily friendly to the way we do business.
They're like, okay, so you're pushing all of our data through that, but we have to work through that, there's still coaching. But fortunately enough, by being Cloud-First, and being how things are architected, we see all that activity, where if it was all on prem, we wouldn't necessarily know that that's what they were doing, but because of how the user-centric piece is set-up, we have full visibility and we can do some coaching. >> And that's the biggest issue you've got. Bigtime, yes? Visibility. >> What's a good day for a security practitioner? >> (laughing) A good day for a security practitioner. Well, you know, it's still having people grumpy at you because if they're grumpy at you, then you know you're doing your job, right? Because if everybody loves the security guy, then somebody's slipping something somewhere and it's like, hey, wait a minute, are you really supposed to be doing that? No, not necessarily. A good day is when your users come forward and say, hey, this invoice came in and we know that this isn't our invoice, we want to make sure we have it flagged. And then we can collaborate and work with other studios and say, hey, we're seeing this type of vector of attack. So, a good day is really having our users really be a champion of the security and then sharing that security in a community perspective with the other users inside and also communicating back with IT. So, that's the kind of culture we want to have within our organization. Because we're not necessarily trying to be big brother, we want to make it be able to run fast because if it's not easy to do business with us, then you're not going to do business with us. >> And you guys have a lot of suppliers here at the re:Inforce conference. Obviously, Amazon, Cloud. What other companies you working with? That're here. >> That're here today? Well, CrowdStrike is an excellent partner and a lot of things. We'll have to talk on that a little bit.
McAfee, with their MVISION, which was originally Skyhigh, has just been phenomenal in our security architecture as we've gone through some of the other pieces. We do have Alert Logic and also Splunk. They're here as well, so some great folks. >> McAfee, that was the Skyhigh acquisition. >> That is correct and now it's MVISION. >> And that's the Cloud group within McAfee. What do they do that you like? >> They brought forth the Cloud access security broker, the CASB product, and one of the things that has just been fascinating and phenomenal in working with them is when we were in evaluation mode a couple of years ago and were using the product, we're like, hey, this is good, but we'd really like to use it in this capacity. Or we want to have these artifacts of this intelligence come out of the analytics and, I kid you not, two weeks later the developers would put it out there in the next update and release. And it was like that for a couple of months. And we're like, they're letting us use this product for a set period of time, they're listening to what we're asking for, we haven't even bought it, but they're very forward-thinking, very aggressive and addressing the specific needs from the practitioner's view that they integrated into the product. It was a no-brainer to move forward with them. And they continue to still do that with us today. >> So that's a good experience. I always like to ask practitioners, what're some things that vendors are doing that either drive you crazy or they shouldn't be doing? Talk to them and say, hey, don't do this or do this better. >> Well, when you look at your stop-doing and your start-doing list and how do you work through that? What really needs to be happening is you need your vendor and your account manager to come out on-site once a quarter to visit with you, right?
You're paying for support on an annual basis, or however it is, but if I have this Cloud application and that application gets breached in some way, how do I escalate that? I know who my account manager is and I know the support line but there needs to be an understanding and an integration into my incident response plan as when I pick up the phone, what's the number I dial? And then how do we engage quickly? Because now where we are today, if I were to have a breach, a compromised system administrator account, even just for 20 minutes, you can lose a lot of data in 20 minutes. And you think about reputation, you think about privacy, you think about databases, credit cards, financials. It can be catastrophic in 20 minutes today with the high-speed rates we can move data. So, my challenge back to the vendors is once a quarter, come out and visit me, make sure that I have that one sheet about what that incident response integration is. Also, take a look at how you've implemented. Am I still on track with the architecture? Am I using the product I bought from you effectively and efficiently? Or is there something new that I need to be more aware of? Because a lot of times what we see is somebody bought something, but they never leveraged the training, never leveraged the support. And they're only using 10% of the capability of the product and then they just get frustrated and then they spend money and go to the next product down the road, which is good for the honeymoon period, but then you run into the same process again. So, a lot of it really comes back to vendor management more so than it is about the technology and the relationship. >> My final question is: what tech are you excited about these days? Just in general in the industry. Obviously security, you've got the Cloud, you're Cloud-First, so you're on the cutting edge, you've got some good stuff going on. You've got a historical view. What's exciting you these days from a tech perspective?
>> Well, over the last couple of years, there's been two different technologies that have really started to explode that I really am excited about. One was leveraging smart cameras and facial recognition and integrating the physical SOC with the cyber security SOC. So, if you think about from another perspective, cameras, surveillance today is, you know, we rewind to see something happen, maybe I can mark something. So, if somebody jumped over a fence, I can see cause it crossed the line. Now the smart cameras over the last three or four or five years have been like, if I lost a child in a museum, I could click on child, it tells me where it is. Great. Take that great in piece and put it in with your cyber, so now if you show up on my set or you're at one of our studios, I want the camera to be able to look at your face, scrub social media and see if we can get a facial recognition to know who you are and then from that particular piece, say okay, has he been talking trash about our movies? Is he stalking one of our talent? From those different perspectives. And then, moreover, looking at the facial expression itself. Are you starstruck? Are you angry? Are you mad? So, then that way, I know instantly in a certain period of time what the risk is and so I can dispatch appropriately to have security there or just know that this person's just been wandering around because they're a fan and they want to know something. So, maybe one of those things where we can bring them a t-shirt and they'll move on onto their way and they're happy. Versus somebody that's going to show up with a weapon and we have some sort of catastrophic event. Now, the second technology that I'm really pretty excited about is when we can also talk a little about the 5G technology. So, when everybody talks about 5G, you're like, oh, hey, this is great. This is going to be faster, so why are we all stoked about things being super, super fast on cellular? That's the technical part.
You got to look at the application or the faculty of things being faster. To put it into perspective, if you think about a few years ago when the first Apple TV came out, everybody was all excited that I could copy my movies on there and then watch it on my TV. Well, when internet and things got faster, that form factor went down to where it was just constantly streaming from iTunes. Same thing with the Google Chromecast or the Amazon Fire Stick. There's not a lot of meat to that, but it's a lot of streaming on how it works. And so when you think about the capability from that perspective, you're going to see technology change drastically. So, your smartphone that holds a lot of data is actually probably going to be a lot smaller because it doesn't have to have all that weight to have all that stuff local because it's going to be real-time connection, but the fascinating thing about that, though, is with all that great opportunity also comes great risk. So, think about it, if we were to have a sphere and if we had a sphere and you had the diameter of that sphere was basically technology capability. As that diameter grows, the volume of the technology that leverages that grows, so all the new things that come in, he's building. But as that sphere continues to grow, what happens is the surface is your threat. Is your threat vector. As it continues to grow, that's going to continue to grow. (stuttering) There's a little bit of exponential components, but there's also a lot of mathematical things on how those things relate and so with 5G, as we get these great technologies inside of our sphere, that threat scape on the outside is also going to grow. >> Moore's law in reverse, basically. >> Yeah. >> Surface area just balloons to be huge. That just kills the perimeter argument right there. >> It does. >> Wow. And then we heard from Steve Schmidt on the keynote. They said 90% of IOT data, thinking about cameras, is HTTP, plain text. >> Exactly.
And it's like, what're you-- >> Oh, more good news! >> Yeah. (laughing) >> At least you'll always have a job. >> Well, you know, someday-- >> It's a good day in security. Encrypt everywhere, we don't have time to get into the encrypt everywhere, but quick comment on this notion of encrypting everything, what's your thoughts? Real quick. (sighing) >> All right, so. >> Good, bad, ugly? Good idea? Hard? >> Well, if we encrypt everything, then what does it really mean? What're we getting out? So, you remember when everybody was having email and you had, back in the day, you had your door mail, Netscape Navigator and so forth, and thought, oh, we need to have secure email. So then they created all these encryption things in the email, so then what happens? That's built into the applications, so the email's no longer really encrypted. >> Yeah. >> Right? So I think we're going to see some things like that happening as well. Encryption is great, but then it also impedes progress when it comes to forensics, so it's only good until you need it. >> Awesome. >> Dan, thanks so much here on the insights. Great to have you on The Cube, great to get your insights and commentary. >> Well, thank you guys, I really appreciate it. >> You're welcome. >> All right, we're extracting the signal from the noise, talking to practitioner CSOs here at re:Inforce. Great crowd, great attendee list. All investing in the new Cloud security paradigm, Cloud-First security. Cube's coverage. I'm John Furrier, Dave Vellante. Stay tuned for more after this short break. (upbeat music)

Published Date : Jun 27 2019
