Sizzle Reel | Splunk .conf19
So it definitely fits into basically being able to automate the redundant, mundane types of tasks that anyone can do, right? So if you think about it, if you have a security operations center with five or ten analysts, it might take one analyst, to do a task, two or three hours, and where you can leverage a tool like Sansom, any type of SOAR platform, to actually create a playbook to do that task within 30 seconds. So not only are you minimizing the amount of, you know, headcount to do that, you're also, you know, using your consistent tool to make that folks should make the function of, you know, more, I want to say, enhanced. So you can build playbooks around it, you can basically use that on a daily basis, whether it's for security monitoring or network operations, reporting, all that becomes and the impact of mine.

Thank you.

So what we do is, we are a data analytics and intelligence nonprofit dedicated to countering all forms of human trafficking, whether it's labor trafficking, sex trafficking, or any of the subtypes; men, women and children all over the world. So when you think about that, what that really means is that we interact with thousands of stakeholders across law enforcement, government, nonprofits, academia, and then the private sector as well, and all of those essentially act as data silos for human trafficking data. And when you think about that as trafficking as a data problem, or you tackle it as a data problem, what that really means is that you have to have a technology- and data-led solution in order to solve the problem. So that's really our mission here, is to bring together all of those stakeholders, give them easy access to tools that can help improve their counterpose

Yeah, so like a day to day, or like kind of what our team does, is we focus on, like, what's going on previously, what are we seeing in the wild, like what campaigns are happening. And then my role within my team is focused on what's coming: so what are red teams working on, what are pen testers looking into, take that information, begin testing it, begin building proof of concepts, put that back into our product so that whether it's two weeks, six months, two years, we have coverage for it no matter what. So a lot of our time is generating proof of concepts on what may be coming. So there's a lot of, you know, very unique things that may be in the wild today, and then there's some things that we may never see that are just very novel and kind of once one Center once a time kind of thing.

I joined nine months ago, and when I was interviewing for the role I remember Doug Merritt saying to me, "Hey, you know, we might be the only two billion dollar enterprise software company that nobody's ever heard of." He said, "I want to go solve for that," right? Like, the folks, you know, Splunk and our customers, they love us, our product is awesome and our culture is awesome, but the world doesn't know about us yet, and we haven't invested there. So I want to go take the brand to the next level, and I want the world to understand what data use cases are out there that are so broad and so vast, believe that every problem ultimately can be solved through data, or almost every problem, and we wanted to set the stage for that with this new brand campaign.

About the product: were you guys ad using Splunk, and you putting data sensors out there, you leveraging an existing data bulb? Take us through some of that, you know, the nuts and bolts of what's going on the price.

So part of it is building out some data sets. So there are some data sets that don't exist, but the government and the counties and the private sector have built out a huge ball of corpus of data around where the buildings are, where the people are, where the cell phones are, where the traffic is, so we're able to leverage that information as we have it today. The technology we're using, the Amazon stack, it's easy for us to spin up databases, it's easy for us to build out and expand as we grow, and the response we're able to have a place for all this real-time data to land and for us to be able to build APIs to pull it out, very, very simple.

When we say data to everything, we really mean it. It's really, you know, it's a personal story for me. I am on the government affairs team here at Splunk, so I manage our relationships with governors and mayors, and these are the issues that they care about, right? When the city is burning down, the mayor cares about that. The governor, this is, you know, one of the governor and California's major initiatives, is trying to find solutions on wildfires. You know, I met Charlie; my hometown, Orinda, California, our fire chief in that town was one of sort of the outside advisors working with Charlie on this idea, and we ran, I met him at a house party where the fire chief was telling me that trim my trees back and shrubs back, and then I was at a conference three days later, that same fire chief, Dave Winokur, was on a panel with, like, folks from a supercomputer lab and NASA and MIT. I was like, you know, my fire chief's still the smartest guy in that panel, I got to meet this guy. A few weeks later we were literally in the field doing these proof of concepts with sensors and data, super savvy folks, some of the other folks from Cal Fire there, you know, dropping Cox was with us today here, it's what my, and you know, we've just been collaborating the whole time and seeing, you know, that Splunk can really put some firepower, the power, behind these guys. And we just see, like, look, they've got the trust of these customers and we need to make sure this idea happens. It's a great idea and it's going to save lives.

Yeah, the little small nuance, data to everything, data time, and the reason behind that was we believe you can bring, and we can enable our customers to bring, data to every question, every decision and every action to create meaningful outcomes. And the use cases are vast and enormous. We talked about some of them before the show started, but helping, look, global law enforcement get ahead of human trafficking fierce Punk and spelunking what's going on across all sorts of data sources, right? Helping Zonehaven, which is our first investment from Splunk Ventures, which startup that's actually helping firefighters figure out burn patterns with pilot wildfires, but also when temperatures and humidity change, where sensors are, they can alert firefighters 30 to 45 minutes earlier than they would usually do that, and then they can also help influence evacuation patterns. I mean, it's remarkable what folks are doing with data today, and it's really at the core of solving some of the world's biggest issues.

So I'm glad you mentioned data, right? We're a data company, and we're very proud that we actually pull star diversity inclusion number. So we moved the needle 1.8% on gender last year, year-on-year; proud but not satisfied. We understand that there's much more to diversity inclusion than just gender, but our strategy is threefold for diversity inclusion, so it's workforce, workplace, marketplace. The farces arranged is where I talk about is improving our representation so that these women are no longer the only czar in the minority, they were much more represented. And we're lucky, we have three women on our board, we have four women in our C-suite, so we're making good, good progress, but there's a lot more to do. And as I say, it's not just about gender; we want to do, we know that innovation is fueled by diversity, so we want to attract, you know, folks of different race, different ethnicity, folks who are military veterans, people with disability, one its plans to be successful.

The important thing is, you know, the things you mentioned, the vulnerability scanning, the intrusion detection, these are all still important in the cloud. I think the key thing that the cloud offers is the fact that you have the ability to now automate and integrate your security teams more tightly with the things that you're doing, and you can actually, we always talk about the move fast and stay secure. Customers choose AWS for the self-service, the elasticity of the price, and you can't take advantage of those unless your security can actually keep up with you. So the fact that everything isn't based on an API, you can define infrastructure as code, you can actually enforce standards now, whether they be before you write a line of code in your DevOps pipeline, we're actually being able to detect and >> those things all through code and in a consistent way, really allows you to be able to look in your security in a different way and take the kind of philosophy and mindset you've always had around security but actually do something with it, and be able to maybe do the things you've always wanted to do that have never had a chance to do it. So I think security can actually keep up with you and actually help you different you're different to your business.

The acquisition is really extremely, you know, exciting for us. You know, after meeting Marcus, I've known of Marcus, he's a very positive influence in the community, but having worked with him, the vision for Threatcare and the vision for ReliaQuest really closely aligned. So where we want to take the future of security testing, testing controls, making sure upstream controls are working, where Threatcare wanted to go for that was very much with what we aligned war, so it made sense to partner up. So very excited about that, and I think we will roll that in our GreyMatter platform as another capability.

We really see the product evolving the same way that you see a lot of the portfolio overall. So Doug has talked a lot about investigate, monitoring and analyzing, and right, and so those same concepts apply to how you think about a process as well. So right now we're really helping the investigation and monitoring, but will also continue to extend across that spectrum lifetime.

A lot of cloud services and microservices, observability a big part of all this?

Yeah, definitely, and how we've built the product, but also I think you can sit alongside some of the other things that you're also seeing in that.

So I think the thing to understand is, correct, we're not just a security company, but we are number one in the security Magic Quadrant, we're number one in both IDC and Gartner, and so that's important. But what happens is all of the data that you collect for security can also be used for all these other use cases. So generally speaking, whatever you're collecting for security is also valuable for IT operations, and it's also valuable for many other use cases. So I'll give you an example: Domino's, which is a great customer of ours, there they've gone 65% of their orders now come in digitally, okay? And so they monitor the entire end-to-end customer experience. What they monitor, not only from an IT operations perspective, that same data that they use for IT operations also tells them, you know, what's being ordered, what special orders are being made, and they use that data for promotions. Based upon volume in traffic and timing, they actually create promotions. So now you're talking about the same data that you collected for security and IT operations you can actually use for promotions, which is marketing.

It's a great intro on, data is awesome, but we all have data to get to decisions first and actions second. What that in action there's no point in gathering data, and so many companies been working their tails off to digitize their landscapes. Why? Well, you want a more flexible landscape, but why the flexibility? Because there's so much data being generated there, you can get effective decisions and then actions, that landscape can adapt very, very rapidly, which goes back to machine learning and eventual AI opportunity set. So that is absolutely squarely where we've been focused, is translating that data into value and into actual outcomes, which is why our orchestration automation piece is so, so important. One big 18 factors that we felt as existed is, for the Splunk index, it's only for the Splunk index, the pricing mechanism has been data volume, and that's a little bit contrary to the promise, which is you don't know where the values could be within data, and whether it's a gigabyte or whether it's a petabyte, why shouldn't be able to put whatever data you want in to experiment you
Karim Toubba & Caroline Japic, Kenna Security | CUBEConversations, February 2020
(upbeat music) >> Welcome to this special Cube conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE, we have two special guests, Karim Toubba, CEO of Kenna Security, and Caroline Japic, CMO, Kenna Security. Great to see you guys, thanks for coming on, appreciate you taking the time, appreciate it. >> Thanks for having us. >> So RSA is coming up, big show, security's at the top of the list of all companies. You guys have a very interesting company. Risk based vulnerability management is like the core secret sauce, but there's a lot going on. Take a minute to talk about your company. What do you guys do? Why do you exist? >> Yeah, sure. Thanks for having us. Some, the security landscape as you very well know, pretty crowded space, a lot of different vendors, a lot of technologies that enterprises and organisations have to deal with. What we do has a lot of complexity behind it, but in an app practicality for enterprises is actually quite simple. They have many, many data sources that are finding problems for them, mapping to their attack surface, what are misconfigurations? Where are there vulnerabilities in your network or your host, where there vulnerabilities in your applications, we taking all of that data, specifically from 48 different data sources, we map it to what attackers are doing in the wild, run it through a lens of risk, and then enable the collaboration between I.T. and security, on what to focus on at the tip of the spear with a high degree of fidelity and efficacy so that they know that they can't fix everything, but prioritize the things that matter and are going to move the meter the most. >> So you guys have emerged as one of those kind of new models, the new guard of security, it's interesting, it's been around for 10 years, but yet a lot's changed in 10 years but a lot of evolving. Risk based vulnerability management is the buzzword, R-B- >> V-M >> Okay, really comes from the founder of the company. 
Why is this becoming an important theme? Because you got endpoints, you got all kinds of predictive stuff with data, you got surface area is growing, but what specifically about this approach makes it unique and popular? >> Yeah, I think what's happening is if you, to really answer that question, you have to look at two different ends of the spectrum in terms of the business, the security side and the IT DevOps and application development side. And at the core of that is what was largely traditional tension. If you think about security teams, operations teams, incident response teams, and if you sit down with them and understand what they do on a day to day basis, beyond the incident response and reaction side, they have a myriad of tools and technologies that discover problems, typically millions of issues. Then you go to the IT side, and the application and DevOps side, and they care about building the next application, making sure the systems are up and running. And what happens is they, we've gotten to the point where they can't possibly fix everything security is asking them to fix, and that's created a lot of tension, people have woken up, started to realize that that tension has to give way to collaboration. And the only way you can do that is enable security to detect all the problems, but then very quickly focus and prioritize on the things that matter, and then go to IT and then tell them specifically what to fix so that they have a high degree of precision and understanding, that the needle will be moved relative to what they're asking them to do. >> So is it the timing of the marketplace and the evolution of the business where it used to be IT that handled it, and now security has gotten broader in its scope, that there's now too many cooks in the kitchen, so to speak? 
>> Yeah, it's gotten broader in its scope, and there's also been a realization that if you think about the security problem statement, they find all the problems, but if you if you peel back the layers, you quickly realize, they own very little the remediation path. Who fixes-- >> John: They being IT? >> They being security. >> John: Okay. >> Yeah, so it's actually quite fascinating. If you think about who fixes a vulnerability on an operating system like Windows or Linux, it's the IT team. If you think about who fixes or upgrades a Java library or rewrites an application it's DevOps or the application developers, but security's finding all the problems. So they're realizing, as they deploy more tools, find more issues, and increase the amount of data, they've got to get very precise and really enable an entirely new way of collaborating with IT so that they can get them to focus on the things that matter the most. >> Karim, I want to dig into some of the complexity, but first want to get the Caroline on the brand, and the marketing challenge because it's almost an easy job in the sense, because there's a lot of security problems out there to solve, but it's also hard on the other side, is that, where's the differentiation? There's so many vendors out, there's a lot of noise. How are you looking at the marketplace? Because you guys are emerging in with nice, lift on the value proposition, you won some recent awards. How do you view the marketplace? RSA is going to be packed with vendors, it's going to be wall to wall, we get put in the corner, we are going to have small space for theCUBE, but there's a lot there and customers are being bombarded. How are you marketing the value proposition? >> You are right. There's so much noise out there, but we are very clear and precise on the value we bring to our customers, we also let our customers tell the story. 
So whether it's HSBC, or SunTrust, or Levi, we work with them very closely with those CSOs, with their head of IT to understand their challenges, and then to bring those stories to life so we can help other companies because our biggest challenge is that people just don't know that there's a better solution to this problem. This problem's been around a long time, it's getting worse every day, we're reading about the vulnerabilities that are happening on a regular basis, and we're here to let people know we can fix it, and we can do it in a pretty quick and painless way. >> You had mentioned before we came on camera that when you you're getting known, as the brand gets out there, but when you're in the deals, you win. Could you guys share some commentary on why that's the case? Why are you winning? >> Yeah, by the way, just to piggyback off that a little bit, there is a really interesting paradigm happening within the security space, if you look at the latest publications, I don't know, there are 1400 of us all buzzing around with the same words? I think what Caroline and the team have done an exceptional job on, particularly in relative to the positioning is, we don't want to scare people into looking at Kenna. We want to be more ethereal than that and make them understand that we're ushering in a new way away from tension to an era of collaboration with IT, DevOps and application teams. That's very different than telling somebody in your messaging, Hey, did you hear the latest attack that happened at XYZ? >> Yeah. >> That sort of fear and marketing through FUD, is creating a lot of challenges for organizations, and candidly, is making CISOs and other people in security close the door. >> I've definitely heard that, do you think that's happening a lot? >> I think that's happening a lot. 
I think we're sort of, I like to think that Caroline and the team are sort of at the forefront of leading that initiative, and you can, and we're doing it in every way possible to really sort of tell a much more positive story about how security can be smarter and spin in a positive light, and in fact, the technology is enabling that, so it's consistent. >> We live in dark times. Unfortunately, a lot of people like, if it bleeds, it leads, and that's a really kind of bad way to look at it. But back to your point about tension and collaborations, I think that's an interesting thread. There's a ton of tension out there, that's real, from the CISO's perspective. Because there's too many teams, I mean, you got, Blue Team, Red Team, IT, governance, compliance, full stack developers, app. So you have now too many teams, too many tools that have been bought and it's like, people have all these platforms, they're drowning in this. How do you guys solve that problem? >> Yeah, it's back to that point of collaboration, and what we've really found that's been interesting in solving that problem, because what we're doing if you step back, is, we're bringing in all these data sources, and where that tension comes in, if you unpack it a little bit, is from different people coming in with different data sources. So IT comes to the table about what to fix, with their own point of view, security comes with their own point of view, application teams come with their own point of view, governance and compliance comes with their point of view. What we do is we come in and even though we're technology, we're really aligning people in process. We're saying, "Look, we're going to to amass all that data, "we're going to very quickly use machine learning "and a bunch of algorithms to sift through "millions of pieces of data "and divine what actually matters." 
It's empirical, it's evidence based, and we align all the organizations around that filter through risks so that there's agreement on how to measure that, what to prioritize, what to action and what the results look like. And when it turns out that when you get a bunch of people across an organization, to get aligned around data that they all agree with as the source of truth, it gets much easier to get them to really focus on the things that ultimately matter. >> It's a single version of the truth, right? It's a single version that they all can work from. Security isn't telling IT, "This should be your priority today," when they say, "You don't know what my priorities are," is actually the data that's telling them what their priorities are by role, and that's really important and really gets past all the, the friction and the fighting in between the teams. >> Yeah, that's great point, back to my other question when I get back to you Caroline, is what is the success formula look like for you guys? Why are you winning? What are the feedback you're hearing from your customers? Because at the end of the day, references are important, but also, success is a tell sign. So what's the reasons behind the success? >> Yeah, I'll let Karim talk about being face to face with customers, because he does that all the time. But what we're saying is that, the customers are resonating with the story that we're telling, they understand they have the problem we're laying out in a very simple way for, to be able to solve their solution, and that's working. We've redone our positioning, our messaging, we've trained our sales team, people understand the value we can bring, and that's what we're communicating, and that's what's working. >> Karim, please add on that, I want to get more into this. >> Yeah, and on the customer side, what we see and I'll give you a pretty classic example for us with a very large bank that's a customer of ours. We actually started on the security side, right? 
We sold to their deputy CISO to deploy, and then eventually, they doubled down and then deployed globally across 64 countries. And that happened sponsored by the CIO. Now we're a security company, so you ask the question, well, why did that get driven in that structure? And why did that deal go down ultimately in that way? And what was the real value? The value to the security person was clear, I want to aggregate 10 to 12 different data sources, I want to prioritize, I want to collaborate with IT. The value to the CIO was the CIO happens to own all the application developers and all the IT people and the security people on a global basis. And so what they wanted to do, is they wanted to understand what the risk was for each of the lines of businesses they had within organization so that they can hold the business users accountable to paying a small tax for security, not just developing the next billion dollar high net worth application, which is extremely important to those businesses, but at the same time, ensuring that they're secure. And so that leverage when you start with security, and then branch out in other organizations, especially in large, multinational organizations, is really where the the real value comes into the platform. >> So if I hear you correctly, you come in for security, okay, we can get rid of the noise, help you out, check, win, and then the rest of the organization doesn't have security teams per se, >> Karim: Correct. >> Needs security to be built in from day one. >> Karim: Correct. >> You're providing a cross connect of value to the other teams? >> That's right. >> It's almost like, security is code, if you will. >> Karim: That's right. And nowhere is that more evident in our utilization statistics. 
So we're a SaaS platform, so of course we, like many other SaaS companies do a bunch of analytics on utilization of our customers, more often than not, in our large scale enterprises, we actually have more IT and non security users logging into Kenna, in a self service model, because they're the ones, back to the point you made earlier, that are actually driving the remediation path. >> Take us through how that works. So say I'm interested, okay, you sold me on it, great, I need the pain relief on the security side, I need the enablement and empowerment on the collaboration side, what do I do? Do I just plug my databases into you? Is it API driven? Are you on Amazon? Are you on Azure? What's cloud? What am I dealing with? Take me through the engagement. >> Yeah, so we're 100% cloud based platform. Multi cloud, so we can deploy in AWS, we can deploy in Google et cetera. And then what we do is we effectively through a bunch of API's called connectors that are transparent to the customers, we enable them to bring in their data. So this is everything from traditional scanning data like Qualys, Rapid7, Tenable, more, newer data like CrowdStrike, Tanium, DaaS SaaS, software composition analysis tools, WhiteHat, Veracode, Black Duck, Sonatype, you name it. The list goes on, specifically, there's about 48 of them. All of that is basically helps us understand what the totality of the attack surface is. That's very useful for security because they're using multiple tools. We then overlay what we call exploit and tell, this is the data that tells us about what attackers are doing in the wild. Specifically, we have 5 billion pieces of data that tell us about what vulnerabilities are being popped, what's the rate of change, what malware are they being embedded in? That use, that information is used through machine learning to help us prioritize and risk score each of the findings we get from the customer tools. 
And then where it pivots over to IT, is we then allow them to take all of that data and that metadata and asset criticality into what we call risk meters. So they're basically aligned with where, how IT operates. So for example, if you own all the Linux infrastructure in the cloud, you log in, you'll only see the risk across the infrastructure you own. Whereas if Caroline owns all the endpoint real estate across Windows, she logs in and understands what her risk is across Windows. And then we of course, integrate in the ticketing systems to drive the remediation and report up to executives and then over to security, about what the workflow you-- >> So you guys really focusing not so much on the security knock or the sock, it's more on indexing, if you will, for lack of a better description, the surface area, >> Karim: Correct. >> And getting that prepared from a visibility standpoint to acquire the data. >> Karim: That's right. >> And then leveraging that across-- >> Across the organizations, yeah. >> Did I get that, right? >> It's exactly right. And if you ask, if you again, double click deeper on that, what's fascinating to watch, so we have a an annual, or bi annual report that we do called prioritization or prediction, or P2P. And this is all of our customer data completely anonymized in a warehouse, and then we run a bunch of reports, and lot of the analytics we ran initially were around security. Now we're starting to pivot in IT. If you look at our latest report, one of the most interesting things I found in my time here is that the average large scale enterprise has actually no more than 10% remediation capacity, right? So what does that tell you? That tells you that 90% of the problems are going to go unsolved, which pinpoints why it's even more important to have specific prioritization on the things that matter. >> They solve the right 10%. >> At the right time too, >> At the right time. 
>> 10% capacity, operating capacity, assuming some automation that might take care of some of the low hanging fruit >> Exactly. >> Through DevOps or automation. You can focus on those 10% at the right time, which by the way, if you use that capacity for the wrong problems at the wrong time, it's wasted capacity. >> Karim: That's right. >> That's what you guys are trying to get at, right? >> Karim: That's exactly right, work smarter, not harder. >> So Kenna security, what's the vision? What's the next step? Why should someone care about working with you guys? Why is it important to engage you guys? What's the big deal? Is it the risk based vulnerability, kind of origination invention, which is the core or the DNA, or is it something bigger? What's the vision? What's the why? Yeah, well look for us, we started, our company was actually founded by a gentleman by the name Ed Bellis, who's the ex chief security officer at Orbitz, and he founded the company out of a need. We started very early in the traditional pure vulnerability space. This was like calling Classic Qualys, Rapid7, Tenable. We then expanded into the application world. So this is starting to take in, moving up stack if you will full stack, as the environment moves to cloud, as the environment moves to containers, as the environment moves to configuration management as the environment moves to a much more ephemeral state, that will drive an entirely new set of data sources that will drive an entirely different new set of priorities all aligned with the same model of risk. So our view of the future is that we are the platform that enables the organization to understand the totality of the attack surface, that enables collaboration across all the groups that deal with technology within enterprises, and allows them to really prioritize and understand risk in a way that not only fosters the collaboration, but gives you that return on investment that candidly ultimately CIOs are looking for. 
>> Caroline, the story from a marketing perspective, what's the story you're trying to tell? >> We started this space, our founder Ed Bellis is the father of risk-based vulnerability management and he loves it when I say that, but it's 100% true. We are continuing down this path, I mean, there are so many companies that have this problem that don't know that there's a better way to solve it. And so for now, our mission is to make sure that we're educating those people, they understand what's possible to do today, and then continuing from there, so. >> Well, I really appreciate you guys coming in and introducing and sharing more about Kenna Security, we've been seeing successes. I'm going to ask you about what you guys think about RSA, I'd love to get both you guys to weigh in. But before we get to the RSA kind of what's coming, take a quick minute to plug the company. What are you guys looking to do? You hiring? You just got some funding? Give the quick pitches. >> Yeah, sure, we did. We just closed a $48 million Series D round. We had all of our investors and a new investor, Sorenson Ventures come in. We also had two strategic investors, Citi and HSBC, because we do quite well, that very good validation. And we're also quite prominent in the financial services vertical, it helps that. And so for us, it's really about scaling, right? Scaling people, scaling the technology, scaling capabilities-- >> John: Across the board. >> Across the board. >> Engineering, obviously. >> Engineering, sales, geographies, it's really about getting the word out there and then being able to follow that up with the feet on the street that matter. >> We're definitely hiring, but we're also growing through OEMs. So we have a relationship with VMware, they're embedding us into their AppDefense products, and so if you buy AppDefense from VMware, you are buying Kenna whether you know it or not. >> So you're going to be an ingredient in other products. >> That's right.
>> And/or direct or indirect, probably some channel ecosystem opportunities? >> That's right. >> So we're growing on the technology partner OEM front, definitely interested in talking to companies that are interested on that front. >> We should do a whole segment on my fascination with what I call tier two or tier 1B clouds, specialty clouds, security clouds. So maybe do that another time. Okay, final question for you guys. RSA is coming this year 2020, and then a series of other events. Cloud security has been a hot topic since re:Inforce last year was launched, we were there, kicking off theCUBE in security. What do you guys expect this year at RSA? What do you think the big themes are going to be? The hype? The meat on the bone? What's the real deal? What's the hype? What do you guys think is going to happen? >> Karim: I'll let you start. >> Yeah, I can tell you our theme is the right fight club. Because we are focused on the right fight that you need to have every day inside your enterprise. It's not focused on all the vulnerabilities that are hitting you because there are hundreds of thousands of them, millions of them, and there's going to be more every single day, it's about fighting the right fight. So if you come by our booth, you'll see that, it's going to be very exciting-- >> And of course, don't talk about the Fight Club vulnerabilities. (Karim laughs) >> You know the rules of the fight club. >> The first rule is to talk to Kenna about the right fight club. That is the first rule. >> That's cool. >> Yeah, I mean, it's interesting. Every, as you very well know, every year when people walk away from RSA, there's a few blogs that are written about what was the theme this year, I suspect this year's in security specifically, is going to be about AI driven security. We've been starting to see that for a while, it started to bleed into last year's event.
I think for us in particular, we have a very particular point of view, and our book point of view is that doesn't matter if it's ML, if it's AI, or what type of algorithms you're running, the question is, what's the value? What is the value when you have 1400 people all screaming to get in the door of an organization? Everybody really has to begin to answer that question fundamentally. And I think the people that have that position in the market are the people that are going to be able to stand out. >> It's interesting, as always the hype with AI, but it's interesting, I was just trying to figure out when the term "there is no perimeter" was kind of first coined in theCUBE, I'm thinking probably about five years ago, it really became a narrative and then more recently, with the cloud, the perimeter is dead. Edge is out there. >> Karim: Right. >> So this is, what's the gestation period of real scalable security post perimeter is dead. It's interesting, is it years, is it seems to be hitting this year. It seems to be the point where, okay, I tried everything, now I've got to be data driven or figure out a way to map the surface area. >> That's right. >> End to end. Well, thanks to Kenna Security coming in, a solution for figuring out the vulnerabilities with a real invention. We're going to be covering security at RSA with Kenna Security and others. Thanks for watching, this is theCUBE. (upbeat music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
HSBC | ORGANIZATION | 0.99+ |
Ed Bellis | PERSON | 0.99+ |
Karim Toubba | PERSON | 0.99+ |
Caroline | PERSON | 0.99+ |
Karim | PERSON | 0.99+ |
Caroline Japic | PERSON | 0.99+ |
90% | QUANTITY | 0.99+ |
VMware | ORGANIZATION | 0.99+ |
Kenna | PERSON | 0.99+ |
John Furrier | PERSON | 0.99+ |
10 | QUANTITY | 0.99+ |
Citi | ORGANIZATION | 0.99+ |
Sorenson Ventures | ORGANIZATION | 0.99+ |
Amazon | ORGANIZATION | 0.99+ |
John | PERSON | 0.99+ |
100% | QUANTITY | 0.99+ |
1400 | QUANTITY | 0.99+ |
10% | QUANTITY | 0.99+ |
February 2020 | DATE | 0.99+ |
SunTrust | ORGANIZATION | 0.99+ |
$48 million | QUANTITY | 0.99+ |
first rule | QUANTITY | 0.99+ |
Palo Alto, California | LOCATION | 0.99+ |
Kenna Security | ORGANIZATION | 0.99+ |
Orbitz | ORGANIZATION | 0.99+ |
Linux | TITLE | 0.99+ |
10 years | QUANTITY | 0.99+ |
1400 people | QUANTITY | 0.99+ |
Windows | TITLE | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
64 countries | QUANTITY | 0.99+ |
48 different data sources | QUANTITY | 0.99+ |
ORGANIZATION | 0.99+ | |
last year | DATE | 0.99+ |
Levi | ORGANIZATION | 0.99+ |
Java | TITLE | 0.99+ |
both | QUANTITY | 0.98+ |
two strategic investors | QUANTITY | 0.98+ |
5 billion pieces | QUANTITY | 0.98+ |
RSA | ORGANIZATION | 0.98+ |
this year | DATE | 0.98+ |
12 different data sources | QUANTITY | 0.98+ |
today | DATE | 0.98+ |
Red Team | ORGANIZATION | 0.97+ |
one | QUANTITY | 0.97+ |
two special guests | QUANTITY | 0.97+ |
single version | QUANTITY | 0.97+ |
each | QUANTITY | 0.97+ |
first | QUANTITY | 0.96+ |
millions of pieces | QUANTITY | 0.95+ |
Tenable | ORGANIZATION | 0.92+ |
Kenna | ORGANIZATION | 0.92+ |
bi annual | QUANTITY | 0.92+ |
billion dollar | QUANTITY | 0.89+ |
tier 1B | OTHER | 0.88+ |
Bret Arsenault, Microsoft | CUBEConversation, March 2019
>> From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. >> Welcome to this special CUBE Conversation here in Palo Alto, California. I'm John Furrier, co-host of theCUBE. Bret Arsenault is the CISO for Microsoft, also Corporate Vice President, Chief Information Security. Thanks for joining me today. >> Thank you. >> Appreciate it. Thanks. So you have a really big job. You're a warrior in the industry, security is the hardest job on the planet. >> And hang in sight >> of every skirt. Officer is so hard. Tell us about the role of Microsoft. You have overlooked the entire thing. You report to the board, give us an overview of what >> happens. Yeah. I >> mean, it's you know, obviously we're pretty busy. Ah, in this world we have today with a lot of adversaries going on, and operational issues happening. And so I have responsibility, accountability for obviously protecting Microsoft assets, our customer assets. And then ah, And for me, with the trend also responsibility for business continuity, disaster recovery company >> on the CISO job has been evolving. We were talking before the camera came on that it's coming to CEO CF role years ago evolved to a business leader. Where is the CISO role now in your industry? Is it a formal title? Is it established? Are there clear lines of reporting? How's it evolved? What's the current state of the market in terms of the CISO's role? >> Yeah, the role has evolved a lot. Like you said, I think like the CIO twenty years ago, you know, start from the back room to the front room and I think the, you know, one of the things I look at in the role is it's really made up of four things. There's technical architecture, there's business enablement, there's operational excellence, and then there's risk management. And the older ah, what does find the right word? But the early CISO model was really about the technical architecture. Today it's really a blend of those four things.
How do you enable your business to move forward? How do you take calculated risks or manage risks? And then how do you do it really effectively and efficiently, which is really a new suit and you look at them. You'll see people evolving to those four functions. >> And who's your boss? Who do you report to? >> I report to a gentleman by the name of Kurt DelBene, and he is the chief digital officer, which would be a combination of Seo did officer and transformation as well as all of Microsoft corporate strategy >> and this broad board visibility, actually in security. >> Yeah, you >> guys, how has Microsoft evolved? You've been with the company for a long time >> in the >> old days had perimeters, and we talk about it on theCUBE all the time. We're in a perimeterless environment. Now there's no perimeter. Yeah, the world's changed. How has Microsoft evolved its view on security? Has it evolved from central groups to decentralized? How is it managed? What's the current state of the art for security organization? >> Well, I think that, you know, you raise a good point, though things have changed. And so in this idea, where there is this, you know, perimeter and you demanded everything through the network that was great. But in a client-to-cloud world we have today with mobile devices and proliferation of cloud services, and IoT, the model just doesn't work anymore. So we sort of simplified it down into, well, we should go with this, you know, people call it zero trust; I refer to it as just "don't talk to strangers". But the idea being is this really so simplified, which is you've got to have a good identity, strong identity to participate. You have to have a managed and healthy device to participate, to talk to, ah, a Microsoft asset. And then you have to have data and telemetry that surrounds that all the time. And so you basically have a trust, trust and then verify model between those three things. And that's really the fundamental.
It's really that simple. >> David Lava as Pascal senior with twenty twelve when he was M. C before he was the C E O. V M. Where he said, You know his security do over and he was like, Yes, it's going to be a do over its opportunity. What's your thoughts on that perspective? Has there been a do over? Is it to do over our people looking at security and a whole new way? What's your thoughts? >> Yeah, I mean, I've been around security for a long time, and it's there's obviously changes in Massa nations that happened obviously, at Microsoft. At one point we had a security division. I was the CTO in that division, and we really thought the better way to do it was make security baked in all the products that we do. Everything has security baked in. And so we step back and really change the way we thought about it. To make it easier for developers for end users for admin, that is just a holistic part of the experience. So again, the technology really should disappear. If you really want to be affected, I think >> don't make it a happy thought. Make it baked in from Day one on new product development and new opportunity. >> Yeah, basically, shift the whole thing left. Put it right in from the beginning. And so then, therefore, it's a better experience for everyone using it. >> So one of things we've observed over the past ten years of doing the Cube when do first rolled up with scene, you know, big data role of date has been critical, and I think one of the things that's interesting is, as you get data into the system, you can use day that contextually and look at the contextual behavioral data. It's really is create some visibility into things you, Meyer may not have seen before. Your thoughts and reaction to the concept of leveraging data because you guys get a lot of data. How do you leverage the data? What's the view of data? New data will make things different. Different perspectives creates more visibility. Is that the right view? 
What's your thoughts on the role of Data World Data plays? >> Well, they're gonna say, You know, we had this idea. There's identity, there's device. And then there's the data telemetry. That platform becomes everything we do, what there's just security and are anomalous behavior like you were talking about. It is how do we improve the user experience all the way through? And so we use it to the service health indicator as well. I think the one thing we've learned, though, is I was building where the biggest data repositories your head for some time. Like we look at about a six point five trillion different security events a day in any given day, and so sort of. How do you filter through that? Manage? That's pretty amazing, says six point five trillion >> per day >> events per day as >> coming into Microsoft's >> that we run through the >> ecosystem your systems. Your computers? >> Yeah. About thirty five hundred people. Reason over that. So you can Certainly the math. You need us. Um, pretty good. Pretty good technology to make it work effectively for you and efficiently >> at RC A Heard a quote on the floor and on the q kind of echoing the same sentiment is you can't hire your way to success in this market is just not enough people qualified and jobs available to handle the volume and the velocity of the data coming in. Automation plays a critical role. Your reaction to that comment thoughts on? >> Well, I think I think the cure there, John, those when you talk about the volume of the data because there's what we used to call speeds and feeds, right? How big is it? And I used to get great network data so I can share a little because we've talked, like from the nineties or whatever period that were there. Like the network was everything, but it turns out much like a diverse workforce creates the best products. It turns out diverse data is more important than speeds and feeds. 
So, for example, authentication data mapped to, you know, email data mapped to endpoint data mapped to service data. Soon you're hosting, you know, the number of customers we are, like financial sector data vs healthcare data. And so it's the ability to actually do correlation across that diverse set of data that really differentiates it. So as an example, we update one point two billion devices every single month. We do six hundred thirty billion authentications every single month. And so the ability to start correlating those things and movement give us a set of insights to protect people like we never had before. >> That's interesting telemetry you're getting in the marketplace. Plus, you have the systems to bring it in >> a pressure pressure coming just realized. And this all with this consent we don't do without consent, we would never do without consent. >> Of course, you guys have the terms of service. You guys do a good job on that, But I think the point that I'm seeing there is that you guys are Microsoft. Microsoft got a lot of access. Get a lot of stuff out there. How does an enterprise move to that diverse model because they will have email, obviously. But they have devices. So you guys are kind of operating, I would say, tier one of the level of that environment 'cause you're Microsoft. I'm sure the big scale players do that. I'm just an enterprise, and I'm a bank or I'm an insurance company or I'm in oil and gas, whatever the vertical may be. What do I do if I'm the CISO there? So what does that mean, diversity? How should they? >> Well, I think they have a diverse set of data as well. Also, if they participate, you know, even in our platform today, we you know, we have this thing called the security graph, which is an API people can tap into and tap into the same graph that I use and so they can use that same graph particular for them. They can use our security experts to help them with that if they don't have all the resource and staff to go do that.
So we provide both both models for that to happen, and I think that's why a unique perspective I should think should remind myself of which is we should have these three things. We have a really good security operations group we have. I think that makes us pretty unique that people can leverage. We build this stuff into the product, which I think is good. But then the partnership, the other partners who play in the graph, it's not just us. So there's lots of people who play on that as well. >> So like to ask you two lines of questions. Wanting on the internal complex is that organizations will have on the external complexity and realities of threats and coming in. How do they? How do you balance that out? What's your vision on that? Because, you know, actually, there's technology, his culture and people, you know in those gaps and capabilities on on all three. Yeah, internally just getting the culture right and then dealing with the external. How does a C so about his company's balance? Those realities? >> Well, I think you raised a really good point, which is how do you move the culture for? That's a big conversation We always have. And that was sort of, you know, it's interesting because the the one side we have thirty five hundred people who have security title in their job, But there's over one hundred thousand people who every day part of their job is doing security, making sure they'LL understand that and know that is a key part we should reinforce everyday on DSO. But I think balancing it is, is for me. It's actually simplifying just a set of priorities because there's no shortage of, you know, vendors who play in the space. There's no shortage of things you can read about. And so for us it was just simplifying it down and getting it. That simplifies simplified view of these are the three things we're going to go do we build onerous platform to prioritize relative to threat, and then and then we ensure we're building quality products. 
Those five things make it happen. >> I'd like to get your thoughts on common You have again Before I came on camera around how you guys view simplification terminal. You know, you guys have a lot of countries, the board level, and then also you made a comment around trust of security and you an analogy around putting that drops in a bucket. So first talk about the simplification, how you guys are simplifying it and why? Why is that important? >> I think we simplified two things. One was just simplifying the message so people understood the identity, the device, and making sure everything is emitting the right telemetry. The second part that was like for us but a Z to be illustrative security passwords like we started with this technology thing and we're going to do 2FA. We had cards and we had readers and oh, my God, we go talk to a user. We say we're going to put 2FA everywhere and you could just see recoil and please, >> no. And then >> just a simple change of being vision letters. And how about this? We're just going to get rid of passwords. Then people loved it, like they're super excited about it. And so, you know, we moved to this idea of, you know, we always said this know something, know something new, how something have something like a card And they said, What about just be something and be done with it? And so, you know, we built a lot of the capability natively into the product into Windows, obviously, but I support a heterogeneous environment. So I, you know, I support a lot of Mac, Linux and iOS and Android as well. So you've read it. Both models you could use by or you could use your device. >> That's that. That's that seems to be a trend. Actually, See that with phones as well as this. Who you are is the password and why is the support? Because Is it because of these abuses? Just easy to program? What's the thought process? >> I think there's two things that make it super helpful for us. One is when you do the biometric model.
Well, first of all, to your point, the user experience is so much better. Like we walk up to a device and it just comes on. So there's no typing this in, no mistyping my password. And, you know, we talked earlier, and that was the most popular password in Seattle was Seahawks2017. You can guess why, but it would meet the complexity requirements. And so the idea is, just eliminate all that altogether. You walk up, the machine recognizes you, and you're off and running. So the user experience is great, but plus it's actually the entropy is harder in the biometric, which makes it harder for people to break it, but also more importantly, it's bound locally to the device. You can't run it from somewhere else. And that's the big thing that I think people misunderstand in that scenario, which is you have to be local to that. >> To me, that's a great example of rethinking the security paradigm. Exactly. Let's talk about trust and security. You have an opinion on this. I want to get your thoughts, the difference between trust and security so they go hand in hand at the same time. They could be confused. Your thoughts on this >> well being. You can have great trust. You can, so you can have great security. But you generally and you would hope that would equate like a direct correlation to trust. But it's not. You need to you build trust. I think our CEO said it best a long time ago. You put one bucket of water, one bucket. Sorry, one drop of water in the bucket every time. And that's how you build trust. Over time, my teenager will tell you that, and then you kick it over and you put it on the floor. So you have to. It's always this ratcheting up bar that builds trust. >> They doing great you got a bucket of water, you got a lot of trust, that one breach. It's over right, >> and you've got to go rebuild it and you've got to start all over again. And so key, obviously, is not to have that happen.
But then, that's why we make sure you have operational rigor and >> great example that just totally is looking Facebook. Great. They have massive great security. What really went down this past week, but still the trust factor on just some of the other or societal questions? >> Yeah, >> and that something Do it. >> Security. Yeah, I think that's a large part of making sure you know you're being true. That's what I said before about, you know, we make sure we have consent. We're transparent about how we do the things we do, and that's probably the best ways to build trust. >> Okay, so you guys have been successful in Microsoft, just kind of tight the company for second to your role. It's pretty well documented that the stock prices at an all time high. So if Donatella Cube alumni, by the way, has been on the cue before he he took over and clear he didn't pivot. He just said we'd go in the cloud. And so the great moves, he don't eat a lot of great stuff. Open source from open compute to over the source. And this ship has turned and everything's going great. But that cheering the cloud has been great for the company. So I gotta ask you, as you guys move to the cloud, the impact to your businesses multi fold one products, ecosystem suppliers. All these things are changing. How has security role in the sea? So position been impact that what have you guys done? How does that impact security in general? Thoughts? >> Yeah, I think we obviously were like any other enterprise we had thousands of online are thousands of line of business applications, and we did a transformation, and we took a method logical approach with risk management. And we said, Okay, well, this thirty percent we should just get rid of and decommission these. We should, you know, optimize and just lifting shifting application. That cloud was okay, but it turns out there's massive benefit there, like for elasticity. 
Think of things that quarterly reporting or and you'll surveys or things like that where you could just dynamically grow and shrink your platform, which was awesome linear scale that we never had Cause those events I talk about would require re architectures. Separate function now becomes linear. And so I think there is a lot of things from a security perspective I could do in a much more efficient must wear a fish. In fact, they're then I had to have done it before, but also much more effective. I just have compute capability. Didn't have I have signal I didn't have. And so we had to wrap her head around that right and and figure out how to really leverage that. And to be honest, get the point. We're exploited because you were the MySpace. I have disaster and continent and business. This is processed stuff. And so, you know, everyone build dark fiber, big data centers, storage, active, active. And now when you use a platform is a service like on that kind of azure. You could just click a Bach and say, I want this thing to replicate. It also feeds your >> most diverse data and getting the data into the system that you throw a bunch of computer at that scale. So What diverse data? How does that impact the good guys and the bad guys? That doesn't tip the scales? Because if you have divers date and you have his ability, it's a race for who has the most data because more data diversity increases the aperture and our visibility into events. >> Yeah, I you >> know, I should be careful. I feel like I always This's a job. You always feel like you're treading water and trying to trying to stay ahead. But I think that, um, I think for the first time in my tenure do this. I feel there's an asymmetry that benefits. 
They're good guys in this case because of the fact that your ability to reason over large sets of data like that and is computed data intensive and it will be much harder for them like they could generally use encryption were effectively than some organization because the one the many relationship that happens in that scenario. But in the data center you can't. So at least for now, I feel like there's a tip This. The scales have tipped a bit for the >> guy that you're right on that one. I think it's good observation I think that industry inside look at the activity around, from new fund adventures to overall activity on the analytics side. Clearly, the data edge is going to be an advantage. I think that's a great point. Okay, that's how about the explosion of devices we're seeing now. An explosion of pipe enabled devices, Internet of things to the edge. Operational technologies are out there that in factory floors, everything being I P enables, kind of reminds me of the old days. Were Internet population you'd never uses on the Internet is growing, and >> that costs a lot >> of change in value, creation and opportunities devices. Air coming on both physical and software enabled at a massive rate is causing a lot of change in the industry. Certainly from a security posture standpoint, you have more surface area, but they're still in opportunity to either help on the do over, but also create value your thoughts on this exploding device a landscape, >> I think your Boston background. So Metcalfe's law was the value the net because the number of the nodes on the network squared right, and so it was a tense to still be true, and it continues to grow. I think there's a huge value and the device is there. 
I mean, if you look at the things we could do today, whether it's this watch or you know your smartphone or your smart home or whatever it is, it's just it's pretty unprecedented the capabilities and not just in those, but even in emerging markets where you see the things people are doing with, you know, with phones and Lauren phones that you just didn't have access to from information, you know, democratization of information and analysis. I think it's fantastic. I do think, though, on the devices there's a set of devices that don't have the same capabilities as some of the more markets, so they don't have encryption capability. They don't have some of those things. And, you know, one of Microsoft's responses to that was everything has an MCU in it, right? And so we, you know, with Azure Sphere, we created our own MCU that did give you the ability to update it, to secure, to run it and manage it. And I think that's one of the things we're doing to try to help, which is to start making these IoT or smart devices, but at a very low cost point that still gives you the ability because the farm would not be healed Update, which we learn an O. T. Is that over time new techniques happen And you I can't update the system >> from That's getting down to the product level with security and also having the data great threats. So final final talk Tracking one today with you on this, your warrior in the industry, I said earlier. CISO is a hard job, you're constantly dealing with compliance to, you know, current attacks, new vector, new strains of malware. And it's all over the map. You got it. You got got the inbound coming in and you got to deal with all that the blocking and tackling of the organization. >> What do you What do >> you finding as best practice?
What's the what if some of the things on the cso's checklist that you're constantly worried about and or investing in what some of >> the yeah, >> the day to day take us through the day to day life >> of visited a lot? Yeah, it >> starts with not a Leslie. That's the first thing you have to get used to, but I think the you know again, like I said, there's risk Manager. Just prioritize your center. This is different for every company like for us. You know, hackers don't break and they just log in. And so identity still is one of the top things. People have to go work on him. You know, get rid of passwords is good for the user, but good for the system. We see a lot in supply chain going on right now. Obviously, you mentioned in the Cambridge Analytical Analytics where we had that issue. It's just down the supply chain. And when you look at not just third party but forthe party fifth party supply and just the time it takes to respond is longer. So that's something that we need to continue to work on. And then I think you know that those are some of the other big thing that was again about this. How do you become effective and efficient and how you managed that supply chain like, You know, I've been on a mission for three years to reduce my number of suppliers by about fifty percent, and there's still lots of work to do there, but it's just getting better leverage from the supplier I have, as well as taking on new capability or things that we maybe providing natively. But at the end of the day, if you have one system that could do what four systems going Teo going back to the war for talent, having people, no forces and versus one system, it's just way better for official use of talent. And and obviously, simplicity is the is the friend of security. Where is entropy is not, >> and also you mentioned quality data diversity it is you're into. But also there's also quality date of you have quality and diverse data. 
You could have a nice, nice mechanism to get machine learning going well, but that's kind of complex, because in the modes of security breaches, you got pre-breach, in-breach, post-breach. All have different data characteristics all flowing together, so you can't just throw that answer across as a prism across the problem sets correct. This is super important, kind of fundamentally,
>> yeah, but I think I
>> would I would. The way I would characterize those is it's honestly, well, better lessons. I think I learned was living how to understand. Talk with CFO, and I really think we're just two things. There's technical debt that we're all working on. Everybody has. And then there's future proofing the company. And so we have a set of efforts that go onto like Red Team. Another actually think like bad people break them before they break you, you know, break it yourself and then go work on it. And so we're always balancing how much we're spending on the technical, that cleanup, you know, modernizing systems and things that are more capable. And then also the future proofing. If you're seeing things coming around the corner like cryptography and and other other element
>> by chain blockchain, my supply chain is another good, great mechanism. So you constantly testing and R and D also practical mechanisms.
>> And there in the red team's, which are the teams that attacking pen everything, which is again, break yourself first on this super super helpful for us
>> Well, Bret, you've seen a lot of ways of innovation have been involved in multiple ways computer industry client server all through the through the days, so feel. No, I feel good about this you know, because it reminds me and put me for broken the business together. But this is the interesting point I want to get to is there's a lot of younger CISOs coming in, and a lot of young talent is being attractive. Security has kind of a game revived to it.
You know, most people, my friends, at a security expert, they're all gamers. They love game, and now the thrill of it. It's exciting, but it's also challenging. Young people coming might not have experience. You have lessons you've learned. Share some thoughts over the years that scar either scar tissue or best practices share some advice. Some of the younger folks coming in breaking into the business of, you know, current situation. What you learned over the years it's Apple Apple. But now the industry.
>> Yeah, sadly, I'd probably say it's no different than a lot of the general advice I would have in the space, which is there's you value experience. But it turns out I value enthusiasm and passion more here so you can teach about anybody whose passion enthusiastic and smart anything they want. So we get great data people and make them great security people, and we have people of a passion like you know, this person. It's his mission is to limit all passwords everywhere and like that passion. Take your passion and driver wherever you need to go do. And I
>> think the nice
>> thing about security is it is something that is technically complex. Human sociology complex, right? Like you said, changing culture. And it affects everything we do, whether it's enterprise, small, medium business, large international, it's actually a pretty It's a fasten, if you like hard problem. If you're a puzzle person, it's a great It's a great profession
>> to me. I like how you said Puzzle. That's I think that's exactly it. They also bring up a good point. I want to get your thoughts on quickly. Is the talent gap is is really not about getting just computer science majors? It's bigger than that. In fact, I've heard many experts say, and you don't have to be a computer scientist. You could be a lot of cross disciplines. So is there a formula or industry or profession, a college degree? Or is it doesn't matter. It's just smart person
>> again. It depends if your job's a hundred percent.
Security is one thing, but like what we're trying to do is make not we don't have security for developers you want have developed to understand oppa security and what they build is an example, and so same with administrators and other components. I do think again I would say the passion thing is a key piece for us, but But there's all aspects of the profession, like the risk managers are, you know, on the actuarial side. Then there's math people I had one of my favorite people was working on his PhD and maladaptive behavior, and he was super valuable for helping us understand what actually makes things stick when you're trying to train their educate people. And what doesn't make that stick. Anthropologists are super helpful in this field like anthropologist, Really? Yeah, anthropologists are great in this field. So yeah,
>> and sociology, too, you mentioned. That would think that's a big fact because you've got human aspect interests, human piece of it. You have society impact, so that's really not really one thing. It's really cross section, depending upon where you want to sit in the spectrum of opportunity,
>> knowing it gives us a chance to really hire like we hire a big thing for us has been hard earlier in career and building time because it's just not all available. But then also you, well, you know, hire from military from law enforcement from people returning back. It's been actually, it's been a really fascinating thing from a management perspective that I didn't expect when I did. The role on has been fantastic.
>> The mission. Personal question. Final question. What's getting you excited these days? I mean, honestly, you had a very challenging job and you have got attend all the big board meetings, but the risk management compliance. There's a lot of stuff going on, but it's a lot
>> of
>> technology fund in here to a lot of hard problems to solve. What's getting you excited? What what trends or things in the industry gets you excited?
>> Well, I'm hopeful we're making progress on the bad guys, which I think is exciting. But honestly, this idea the you know, a long history of studying safety when I did this and I would love to see security become the air bags of the technology industry, right? It's just always there on new president. But you don't even know it's there until you need it. And I think that getting to that vision would be awesome.
>> And then really kind of helping move the trust equation to a whole other level reputation. New data sets so data, bits of data business.
>> It's total data business
>> Bret, thanks for coming on the Cube. Appreciate your insights, but also no see. So the chief information security officer at Microsoft, also corporate vice president here inside the Cube in Palo Alto. This is Cube Conversations. I'm John Furrier. Thanks for watching.
>> Thank you.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Microsoft | ORGANIZATION | 0.99+ |
Bret Arsenault | PERSON | 0.99+ |
John Career | PERSON | 0.99+ |
John | PERSON | 0.99+ |
thirty percent | QUANTITY | 0.99+ |
Seattle | LOCATION | 0.99+ |
three years | QUANTITY | 0.99+ |
ORGANIZATION | 0.99+ | |
David Lava | PERSON | 0.99+ |
Silicon Valley | LOCATION | 0.99+ |
March 2019 | DATE | 0.99+ |
thousands | QUANTITY | 0.99+ |
CIA | ORGANIZATION | 0.99+ |
two lines | QUANTITY | 0.99+ |
Palo Alto, California | LOCATION | 0.99+ |
five things | QUANTITY | 0.99+ |
FBI | ORGANIZATION | 0.99+ |
two things | QUANTITY | 0.99+ |
Apple | ORGANIZATION | 0.99+ |
second part | QUANTITY | 0.99+ |
six hundred thirty billion | QUANTITY | 0.99+ |
Android | TITLE | 0.99+ |
both | QUANTITY | 0.99+ |
Seahawks | ORGANIZATION | 0.99+ |
Meyer | PERSON | 0.99+ |
thirty five hundred people | QUANTITY | 0.99+ |
Both models | QUANTITY | 0.99+ |
five trillion | QUANTITY | 0.99+ |
today | DATE | 0.99+ |
one system | QUANTITY | 0.99+ |
Today | DATE | 0.99+ |
first | QUANTITY | 0.99+ |
four systems | QUANTITY | 0.99+ |
both models | QUANTITY | 0.99+ |
One | QUANTITY | 0.98+ |
one bucket | QUANTITY | 0.98+ |
twenty twelve | QUANTITY | 0.98+ |
two billion devices | QUANTITY | 0.98+ |
Teo | ORGANIZATION | 0.98+ |
one | QUANTITY | 0.98+ |
over one hundred thousand people | QUANTITY | 0.98+ |
Boston | LOCATION | 0.98+ |
Red Team | ORGANIZATION | 0.98+ |
three things | QUANTITY | 0.98+ |
two | QUANTITY | 0.98+ |
About thirty five hundred people | QUANTITY | 0.98+ |
IOS | TITLE | 0.98+ |
about fifty percent | QUANTITY | 0.98+ |
first time | QUANTITY | 0.97+ |
past week | DATE | 0.97+ |
three | QUANTITY | 0.97+ |
twenty years ago | DATE | 0.97+ |
second | QUANTITY | 0.97+ |
Cambridge Analytical Analytics | ORGANIZATION | 0.96+ |
Mac | COMMERCIAL_ITEM | 0.96+ |
one point | QUANTITY | 0.95+ |
windows | TITLE | 0.95+ |
Donatella Cube | PERSON | 0.95+ |
Cube | COMMERCIAL_ITEM | 0.94+ |
Cuban Palo Alto | LOCATION | 0.93+ |
Leslie | PERSON | 0.93+ |
Day one | QUANTITY | 0.93+ |
one bucket of water | QUANTITY | 0.92+ |
TEO | ORGANIZATION | 0.91+ |
one thing | QUANTITY | 0.91+ |
Data World Data | ORGANIZATION | 0.91+ |