Bryan Inman, Armis | Managing Risk With The Armis Platform REV2
(upbeat music) >> Hello everyone, welcome back to Managing Risk Across the Extended Attack Surface with Armis. I'm John Furrier, your host of theCUBE. Got the demo. Got here, Bryan Inman, sales engineer at Armis. Bryan, thanks for coming on. We're looking forward to the demo. How you doing? >> I'm doing well, John, thanks for having me. >> We heard from Nadir describing Armis' platform, lot of intelligence. It's like a search engine meets data at scale, intelligent platform around laying out the asset map, if you will, the new vulnerability module among other things that really solves CISOs' problems. A lot of great customer testimonials and we got the demo here that you're going to give us. What's the demo about? What are we going to see? >> Well, John, thanks. Great question. And truthfully, I think as Nadir has pointed out what Armis as a baseline is giving you is great visibility into every asset that's communicating within your environment. And from there, what we've done is we've layered on known vulnerabilities associated with not just the device, but also what else is on the device. Is there certain applications running on that device, the versions of those applications, and what are the vulnerabilities known with that? So that really gives you great visibility in terms of the devices that folks don't necessarily have visibility into now, unmanaged devices, IoT devices, OT, and critical infrastructure, medical devices, things that you're not necessarily able to actively scan or put an agent on. So not only is Armis telling you about these devices but we're also layering on those vulnerabilities all passively and in real time. >> A lot of great feedback we've heard and I've talked to some of your customers. The agentless is a huge deal. The discoveries are awesome. You can see everything and just getting real time information. It's really, really cool. So I'm looking forward to the demo for our guests. Take us on that tour.
Let's go with the demo for the guests today. >> All right. Sounds good. So what we're looking at here is within the Armis console is just a clean representation of the passive reporting of what Armis has discovered. So we see a lot of different types of devices from your virtual machines and personal computers, things that are relatively easy to manage. But working our way down, you're able to see a lot of different types of devices that are not necessarily easy to get visibility into, things like your UPS systems, IT cameras, dash cams, et cetera, lighting systems. In today's day and age where everything is moving to that smart feature, it's great to have that visibility into what's communicating on my network and getting that, being able to layer on the risk factors associated with it as well as the vulnerabilities. So let's pivot over to our vulnerabilities tab and talk about the AVM portion, the asset vulnerability management. So what we're looking at is the dashboard where we're reporting another clean representation with customizable dashlets that gives you visuals and reporting and things like new vulnerabilities as they come in. What are the most critical vulnerabilities, the newest as they roll in the vulnerabilities by type? We have hardware. We have application. We have operating systems. As we scroll down, we can see things to break it down by vulnerabilities, by the operating system, Windows, Linux, et cetera. We can create dashlets that show you views of the number of devices that are impacted by these CVEs. And scrolling down, we can see how long have these vulnerabilities been sitting within my environment? So what are the oldest vulnerabilities we have here? And then also of course, vulnerabilities by applications. So things like Google Chrome, Microsoft Office. So we're able to give a good representation of the amount of vulnerabilities as they're associated to the hardware and applications as well.
So we're going to dig in and take a deeper look at one of these vulnerabilities here. So I'm excited to talk today about where Armis AVM is, but also where it's going as well. So we're not just reporting on things like the CVSS score from NIST NVD. We're also able to report on things like the exploitability of that. How actively is this CVE being exploited in the wild? We're reporting EPSS scores. For example, we're able to take open source information as well as a lot of our partnerships that we have with other vendors that are giving us a lot of great value of known vulnerabilities associated with the applications and with hardware, et cetera. But where we're going with this is in very near future releases, we're going to be able to take an algorithm approach of, what are the most critical CVSS that we see? How exploitable are those? What are common threat actors doing with these CVEs? Have they weaponized these CVEs? Are they actively using those weaponized tools to exploit these within other folks' environments? And who's reporting on these? So we're going to take all of these and then really add that Armis flavor of we already know what that device is and we can explain and so can the users of it, the business criticality of that device. So we're able to pivot over to the matches as we see the CVEs. We're able to very cleanly view, what exactly are the devices that the CVE resides on. And as you can see, we're giving you more than just an IP address or a lot more context and we're able to click in and dive into what exactly are these devices. And more importantly, how critical are these devices to my environment? If one of these devices were to go down if it were to be a server, whatever it may be, I would want to focus on those particular devices and ensuring that that CVE, especially if it's an exploitable CVE were to be addressed earlier than say the others and really be able to manage and prioritize these.
Another great feature about it is, for example, we're looking at a particular CVE in terms of its patch and build number from Windows 10. So the auto-resolve feature that we have, for example, we've passively detected that this particular personal computer is running Windows 10 and the build and revision numbers on it. And then once Armis passively discovers an update to that firmware and patch level, we can automatically resolve that, giving you a confidence that that has been addressed from that particular device. We're also able to customize and look through and potentially select a few of these, say, these particular devices reside on your guest network or an employee wifi network where we don't necessarily, I don't want to say care, but we don't necessarily value that as much as something internally that holds significantly more business criticality. So we can select some of these and potentially ignore or resolve for determining reasons as you see here. Be able to really truly manage and prioritize these CVEs. As I scroll up, I can pivot over to the remediation tab and open up each one of these. So what this is doing is essentially Armis has, through our knowledge base, been able to work with the vendors and pull down the patches associated with these. And within the remediation portion, we're able to view, for example, if we were to pull down the patch from this particular vendor and apply it to these 60 devices that you see here, right now we're able to view which patches are going to give me the most impact as I prioritize these and take care of these affected devices. And lastly, as I pivot back over.
Again, where we're at now is we're able to allow the users to customize the organizational priority of this particular CVE to where in terms of, this has given us a high CVSS score but maybe for whatever reasons it may be, maybe this CVE in terms of this particular logical segment of my network, I'm going to give it a low priority for whatever the use case may be. We have compensating controls set in place that render this CVE not impactful to this particular segment of my environment. So we're able to add that organizational priority to that CVE and where we're going as you can see that popped up here but where we're going is we're going to start to be able to apply the organizational priority in terms of the actual device level. So what we'll see is we'll see a column added to here to where we'll see the business impact of that device based on the importance of that particular segment of your environment or the device type, be it critical networking device or maybe a critical infrastructure device, PLCs, controllers, et cetera, but really giving you that passive reporting on the CVEs in terms of what the device is within your network. And then finally, we do integrate with your vulnerability management and scanners as well. So if you have a scanner actively scanning these, but potentially they're missing segments of your network, or they're not able to actively scan certain devices on your network, that's the power of Armis being able to come back in and give you that visibility of not only what those devices are for visibility into them, but also what vulnerabilities are associated with those passive devices that aren't being scanned by your network today. So with that, that concludes my demo. So I'll kick it back over to you, John. >> Awesome. Great walk through there. Take me through what you think the most important part of that. Is it the discovery piece? Is it the interaction? What's your favorite?
>> Honestly, I think my favorite part about that is in terms of being able to have the visibility into the devices that a lot of folks don't see currently. So those IoT devices, those OT devices, things that you're not able to run a scan on or put an agent on. Armis is not only giving you visibility into them, but also layering in, as I said before, those vulnerabilities on top of that, that's just visibility that a lot of folks today don't have. So Armis does a great job of giving you visibility and vulnerabilities and risks associated with those devices. >> So I have to ask you, when you give this demo to customers and prospects, what's the reaction? Falling out of their chair moment? Are they more skeptical? It's almost too good to be true and end to end vulnerability management is a tough nut to crack in terms of solution. >> Honestly, a lot of clients that we've had, especially within the OT and the medical side, they're blown away because at the end of the day when we can give them that visibility, as I've said, Hey, I didn't even know that those devices resided in that portion, but not only we showing them what they are and where they are and enrichment on risk factors, et cetera, but then we show them, Hey, we've worked with that vendor, whatever it may be and Rockwell, et cetera, and we know that there's vulnerabilities associated with those devices. So they just seem to be blown away by the fact that we can show them so much about those devices from behind one single console. >> It reminds me of the old days. I'm going to date myself here. Remember the old Google Maps mashup days. Customers talk about this as the Google Maps for their assets. And when you have the Google Maps and you have the Ubers out there, you can look at the trails, you can look at what's happening inside the enterprise. So there's got to be a lot of interest in once you get the assets, what's going on those networks or those roads, if you will, 'cause you got in packet movement. 
You got things happening. You got upgrades. You got changing devices. It's always on kind of living thing. >> Absolutely. Yeah, it's what's on my network. And more importantly at times, what's on those devices? What are the risks associated with the applications running on those? How are those devices communicating? And then as we've seen here, what are the vulnerabilities associated with those and how can I take action with them? >> Real quick, put a plug in for where I can find the demo. Is it online? Is it on YouTube? On the website? Where does someone see this demo? >> Yeah, the Armis website has a lot of demo content loaded. Get you in touch with folks like engineers like myself to provide demos whenever needed. >> All right, Bryan, thanks for coming on this show. Appreciate, Sales Engineer at Armis, Bryan Inman. Given the demo God award out to him. Good job. Thanks for the demo. >> Thanks, thanks for having me. >> Okay. In a moment, we're going to have my closing thoughts on this event and really the impact to the business operations side, in a moment. I'm John Furrier of theCUBE. Thanks for watching. (upbeat music)
Tim Everson, Kalahari Resorts and Conventions | Manage Risk with the Armis Platform
>> Okay, welcome back to the portion of the program for customer lightning talks, where we chat with Armis' customers for a rapid fire five minute session on their CISO perspectives and insights into cybersecurity. First up is Tim Everson, CISO of Kalahari Resorts and Conventions. Let's get it going. Hi, Tim. Welcome to theCUBE and Armis program, managing risk across your extended surface area. >> Thanks for having me, appreciate it. >> So let's get going. So unified visibility across the extended asset serves as key. You can't secure what you can't see. Tell me about what you're able to centralize, your views on network assets and what is Armis doing from an impact standpoint that's had on your business? >> Sure. So traditionally basically you have all your various management platforms, your Cisco platforms, your SIEMs, your wireless platforms, all the different pieces and you've got a list of spare data out there and you've got to chase all of this data through all these different tools. Armis is fantastic and was really point blank dropping in place for us as far as getting access to all of that data all in one place and giving us visibility to everything. Basically opened the doors letting us see our customer wireless traffic, our internal traffic, our PCI traffic because we deal with credit cards, HIPAA, compliance, all this traffic, all these different places, all into one. >> All right, next up, vulnerability management is a big topic, across all assets, not just IT devices. The gaps are there in the current vulnerability management programs. How has Armis vulnerability management made things better for your business and what can you see now that you couldn't see before? >> So Armis gives me better visibility of the network side of these vulnerabilities. You have your Nessus vulnerability scanners, the things that look at machines, look at configurations and hard facts. Nessus gives you all those.
But when you turn to Armis, Armis looks at the network perspective, takes all that traffic that it's seeing on the network and gives you the network side of these vulnerabilities. So you can see if something's trying to talk out to a specific port or to a specific host on the internet and Armis consolidates all that and gives you trusted sources of information to validate where those are coming from. >> When you take into account all the criticality of the different kinds of assets involved in a business operation and they're becoming more wider, especially with edge in other areas, how has the security workload changed? >> The security workload has increased dramatically, especially in hospitality. In our case, not only do we have hotel rooms and visitors and our guests, we also have a convention center that we deal with. We have water parks and fun things for people to do. Families and businesses alike. And so when you add all those things up and you add the wireless and you add the network and the audio video and all these different pieces that come into play with all of those things in hospitality and you add our convention centers on top of it, the footprint's just expanded enormously in the past few years. >> When you have a digital transformation in a use case like yours, it's very diverse. You need a robust network, you need a robust environment to implement SaaS solutions. No agents to deploy, no updates needed. You got to be in line with that to execute and scale. How easy was Armis to implement ease of use of simplicity, the plug and play? In other words, how quickly do you achieve this time to value? >> Oh goodness. We did a proof of concept about three months ago in one of our resort locations, we dropped in an Armis appliance and literally within the first couple hours of the appliance being on the network, we had data on 30 to 40,000 devices that were touching our network.
Very quick and easy, very drop and plug and play and moving from the POC to production, same deal. We dropped in these appliances in site. Now we're seeing over 180,000 devices touching our networks within a given week. >> Armis has this global asset knowledge base, it's crowdsourced, an asset intelligence engine, it's a game changer. It tracks managed, unmanaged IoT devices. Were you shocked when you discovered how many assets they were able to discover and what impact did that have for you? >> Oh, absolutely. Not only do we have the devices that we have, but we have guests that bring things on site all the time, Roku TVs and players and Amazon Fire Sticks and all these different things that are touching our network and seeing those in real time and seeing how much traffic they're using we can see utilization, we can see exactly what's being brought on, we can see vehicles in our parking lot that have access points turned on. I mean, it's just amazing how much data this opened our eyes to that you know it's there but you don't ever see it. >> It's bring your own equipment to the resort just so you can watch all your Netflix, HDMI cable, everyone's doing it now. I mean, this is the new user behavior. Great insight. Anything more you'd want to say about Armis for the folks watching? >> I would say the key is they're very easy to work with. The team at Armis has worked very closely with me to get the integrations that we've put in place with our networking equipment, with our wireless, with different pieces of things and they're working directly with me to help integrate some other things that we've asked them to do that aren't there already. Their team is very open. They listen, they take everything that we have to say as a customer to heart and they really put a lot of effort into making it happen. >> All right, Tim. Well, thanks for your time. I'm John Furrier with theCUBE, the leader in enterprise tech coverage.
Up next in this lightning talk session is Brian Galligan, Manager, Security and Operations at Brookfield Properties. Thanks for watching.
Brian Galligan, Brookfield Properties | Manage Risk with the Armis Platform
>> Okay, up next in the Lightning Talk Session is Brian Galligan, Manager, Security and Operations at Brookfield Properties. Brian, great to see you. Thanks for coming on. >> Thanks for having me, John. >> So unified visibility across extended asset surface area is key these days. You can't secure what you can't see. So tell me more about how you were able to centralize your view of network assets with Armis and what impact that had on your business. >> Yeah, that's been a really key component of ours where we've actually owned multiple companies with them and are always acquiring companies from time to time. So it's always a question. What is actually out there and what do we need to be worried about. So from an inventory perspective it's definitely something that we've been looking into. Armis was a great partner in being able to get us the visibility into a lot of the IoT that we have out in the environment. And then also trying to find what we have and what's actually installed on those devices. What's running, who's talking to who. So that's definitely been a key component with our partnership with Armis. >> You know, we interview a lot of practitioners and companies and one thing we found is vulnerability management programs. There's a lot of gaps. You know, vulnerability management comes across more sometimes just IT devices, but not all assets. How has Armis Vulnerability Management made things better for your business? And what can you see now that you couldn't see before? >> Yeah, again, because we own multiple companies and they actually use different tools for vulnerability management. It's been a challenge to be able to compare apples to apples on when we have vulnerability. When we have risk out there, how do you put a single number to it? How do you prioritize different initiatives across those sectors?
And being able to use Armis and have that one score, have that one visibility and also that one platform that you can query across all of those different companies, has been huge because we just haven't had the ability to say are we vulnerable to X, Y and Z across the board in these different companies? >> You know, it's interesting when you have a lot of different assets and companies, as you mentioned. It kind of increases the complexity and yeah we love the enterprise. You solve complexity by more complexity but that's not the playbook anymore. We want simplicity. We want to have a better solution. So when you take into account, the criticality of these businesses as you're integrating in, in real time and the assets within those business operations you got to keep focused on the right solutions. What has Armis done for you that's been correct and right for you guys? >> Yeah, so being able to see the different like be able to actually drill down into the nitty gritty on what devices are connecting to what. Being able to enforce policies that way, I think has been a huge win that we've been able to see from Armis. It's one of those things where we were able to see north-south traffic. No problem with our typical SIEM tools, firewall tools and different logging sources but we haven't been able to see anything east-west and that's where we're going to be most vulnerable. That's where we've been actually found. We found some gaps in our coverage from a pen test perspective where we've found that where we don't have that visibility. Armis has allowed us to get into that communication to better fine tune the rules that we have across devices across sectors, across the data center to properties. Properties of the data center and then also to the cloud. >> Yeah, visibility into the assets is huge. But as you're in operations you got to operationalize these tools.
I mean, some people sound like they've got a great sales pitch and all sounds like, "Wait a minute, I got to re-configure my entire operations." At the end of the day, you want to have an easy to use, but effective capability. So you're not taxed either personnel or operations. How easy has it been with Armis to implement from an ease of use, simplicity, plug and play? In other words, how quickly did you get to the time to value? Can you share your thoughts? >> This honestly is the biggest value that we've seen in Armis. I think a big kudos goes to the professional services group for getting us stood up being able to explain the tool, be able to dig into it and then get us to that time to value. Honestly, we've only scratched the surface on what Armis can give us which is great because they've given us so much already. So definitely taking that model of let's crawl, walk, run with what we're able to do. But the professional services team has given us so much assistance in getting from one collector to now many collectors. And we're in that deployment phase where we're able to gather more data and find those anomalies that are out there. I again, big props to the professional services team. >> Yeah, you know one of we'd add an old expression when you know when the whole democratization happened on the web here comes all the people, you know social media and whatnot now with IoT here comes all the devices. Here comes all the things- >> Yeah. >> Things >> More things are being attached to the network. So Armis has this global asset knowledge base that crowd-sources the asset intelligence. How has that been a game changer for you? And were you shocked when you discovered how many assets they were able to discover and what impact did that have for you? >> We have a large wifi footprint for guests, vendors, contractors that are working on site along with our corporate side, which has a lot of devices on it as well.
And being able to see what devices are using what services on there and then be able to fingerprint them easily has been huge. I would say one of the best stories that I can tell is actually with a pen test that we ran recently. We were able to determine what the pen test device was and how it was acting anomalous and then fingerprint that device within five minutes opposed to getting on the phone with probably four or five different groups to figure out what is this device? It's not one of our normal devices. It's not one of our normal builds or anything. We were able to find that device within probably three to five minutes with Armis and the fingerprinting capability. >> Yeah, nothing's going to get by you with these port scans or any kind of activity, so to speak, jumping on the wifi. Great stuff. Anything else you'd like to share about Armis while I got you here? >> Yeah, I would say that something recently, we actually have an open position on our team currently. And one of the most exciting things is being able to share our journey that we've had with Armis over the last year, year and a half, and their eyes light up when they hear the capabilities of what Armis can do, what Armis can offer. And you see a little bit of jealousy of, you know, "Hey I really wish my current organization had that." And it's one of those selling tools that you're able to give to security engineers, security analysts saying, "Here's what you're going to have on the team to be able to do your job, right." So that you don't have to worry about necessarily the normal mundane things. You get to actually go do the cool hunting stuff, which Armis allows you to do. >> Well, Brian, thanks for the time here on this Lightning Talk, appreciate your insight. I'm John Furrier with theCUBE the leader in enterprise tech coverage. Up next in the Lightning Talk Session is Alex Schuchman. He's the CISO of Colgate-Palmolive. Thanks for watching.
Nadir Izrael, Armis | Manage Risk with the Armis Platform
(upbeat music) >> Today's organizations are overwhelmed by the number of different assets connected to their networks, which now include not only IT devices and assets, but also a lot of unmanaged assets, like cloud, IoT, building management systems, industrial control systems, medical devices, and more. That's not just it, there's more. We're seeing massive volume of threats, and a surge of severe vulnerabilities that put these assets at risk. This is happening every day. And many, including me, think it's only going to get worse. The scale of the problem will accelerate. Security and IT teams are struggling to manage all these vulnerabilities at scale. With the time it takes to exploit a new vulnerability, combined with the lack of visibility into the asset attack surface area, companies are having a hard time addressing the vulnerabilities as quickly as they need. This is today's special CUBE program, where we're going to talk about these problems and how they're solved. Hello, everyone. I'm John Furrier, host of theCUBE. This is a special program called Managing Risk Across Your Extended Attack Surface Area with Armis, new asset intelligence platform. To start things off, let's bring in the co-founder and CTO of Armis, Nadir Izrael. Nadir, great to have you on the program. >> Yeah, thanks for having me. >> Great success with Armis. I want to just roll back and just zoom out and look at, what's the big picture? What are you guys focused on? What's the holy grail? What's the secret sauce? >> So Armis' mission, if you will, is to solve to your point literally one of the holy grails of security teams for the past decade or so, which is, what if you could actually have a complete, unified, authoritative asset inventory of everything, and stressing that word, everything. IT, OT, IoT, everything on kind of the physical space of things, data centers, virtualization, applications, cloud. 
What if you could have everything mapped out for you so that you can actually operate your organization on top of essentially a map? I like to equate this in a way to organizations and security teams everywhere seem to be running, basically running the battlefield, if you will, of their organization, without an actual map of what's going on, with charts and graphs. So we are here to provide that map in every aspect of the environment, and be able to build on top of that business processes, products, and features that would assist security teams in managing that battlefield. >> So this category, basically, is a cyber asset attack surface management kind of focus, but it really is defined by this extended asset attack surface area. What is that? Can you explain that? >> Yeah, it's a mouthful. I think the CAASM, for short, and Gartner do love their acronyms there, but CAASM, in short, is a way to describe a bit of what I mentioned before, or a slice out of it. It's the whole part around a unified view of the attack surface, where I think where we see things, and kind of where Armis extends to that is really with the extended attack surface. That basically means that idea of, what if you could have it all? What if you could have both a unified view of your environment, but also of every single thing that you have, with a strong emphasis on the completeness of that picture? If I take the map analogy slightly more to the extreme, a map of some of your environment isn't nearly as useful as a map of everything. If you had to, in your own kind of map application, you know, chart a path from New York to whichever your favorite surrounding city, but it only takes you so far, and then you sort of need to do the rest of it on your own, not nearly as effective, and in security terms, I think it really boils down into you can't secure what you can't see. And so from an Armis perspective, it's about seeing everything in order to protect everything. 
And not only do we discover every connected asset that you have, we provide a risk rating to every single one of them, we provide a criticality rating, and the ability to take action on top of these things. >> Having a map is huge. Everyone wants to know what's in their inventory, right, from a risk management standpoint, also from a vulnerability perspective. So I totally see that, and I can see that being the holy grail, but on the vulnerability side, you got to see everything, and you guys have new stuff around vulnerability management. What's this all about? What kind of gaps are you seeing that you're filling in the vulnerability side, because, okay, I can see everything. Now I got to watch out for threat vectors. >> Yeah, and I'd say a different way of asking this is, okay, vulnerability management has been around for a while. What the hell are you bringing into the mix that's so new and novel and great? So I would say that vulnerability scanners of different sorts have existed for over a decade. And I think that ultimately what Armis brings into the mix today is how do we fill in the gaps in a world where critical infrastructure is in danger of being attacked by nation states these days, where ransomware is an everyday occurrence, and where I think credible, up-to-the-minute, and contextualized vulnerability and risk information is essential. Scanners, or how we've been doing things for the last decade, just aren't enough. I think the three things that Armis excels at and completes the security staff today on the vulnerability management side are scale, reach, and context. Scale, meaning ultimately, and I think this is of no news to any enterprise, environments are huge. They are beyond huge. When most of the solutions that enterprises use today were built, they were built for thousands, or tens of thousands of assets. 
These days, we measure enterprises in the billions, billions of different assets, especially if you include how applications are structured, containers, cloud, all that, billions and billions of different assets, and I think that, ultimately, when the latest and greatest in catastrophic new vulnerabilities come out, and sadly, that's a monthly occurrence these days. You can't just now wait around for things to kind of scan through the environment, and figure out what's going on there. Real time images of vulnerabilities, real time understanding of what the risk is across that entire massive footprint is essential to be able to do things, and if you don't, then lots and lots of teams of people are tasked with doing this day in, day out, in order to accomplish the task. The second thing, I think, is the reach. Scanners can't go everywhere. They don't really deal well with environments that are a mixed IT/OT, for instance, like some of our clients deal with. They can't really deal with areas that aren't classic IT. And in general, these days over 70% of assets are in fact of the unmanaged variety, if you will. So combining different approaches from an Armis standpoint of both passive and active, we reach a tremendous scale, I think, within the environment, and ability to provide or reach that is complete. What if you could have vulnerability management, cover a hundred percent of your environment, and in a very effective manner, and in a very scalable manner? And the last thing really is context. And that's a big deal here. I think that most vulnerability management programs hinge on asset context, on the ability to understand, what are the assets I'm dealing with? And more importantly, what is the criticality of these assets, so I can better prioritize and manage the entire process along the way? So with these things in mind, that's what Armis has basically pulled out is a vulnerability management process. 
What if we could collect all the vulnerability information from your entire environment, and give you a map of that, on top of that map of assets? Connect every single vulnerability and finding to the relevant assets, and give you a real way to manage that automatically, and in a way that prevents teams of people from having to do a lot of grunt work in the process. >> Yeah, it's like building a search engine, almost. You got the behavioral, contextual. You got to understand what's going on in the environment, and then you got to have the context to what it means relative to the environment. And this is the criticality piece you mentioned, this is a huge differentiator in my mind. I want to unpack that. Understanding what's going on, and then what to pay attention to, it's a data problem. You got that kind of search and cataloging of the assets, and then you got the contextualization of it, but then what alarms do I pay attention to? What is the vulnerability? This is the context. This is a huge deal, because your businesses, your operation's going to have some important pieces, but also it changes on agility. So how do you guys do that? That's, I think, a key piece. >> Yeah, that's a really good question. So asset criticality is a key piece in being able to prioritize the operation. The reason is really simple, and I'll take an example we're all very, very familiar with, and it's been beaten to death, but it's still a good example, which is Log4j, or Log4Shell. When that came out, hundreds of people in large organizations started mapping the entire environment on which applications have what aspect of Log4j. 
Now, one of the key things there is that when you're doing that exercise for the first time, there are literally millions of systems in a typical enterprise that have Log4j in them, but asset criticality and the application and business context are key here, because some of these different assets that have Log4j are part of your critical business function and your critical business applications, and they deserve immediate attention. Some of them, or some Git server of some developer somewhere, don't warrant quite the same attention or criticality as others. Armis helps by providing the underlying asset map as a built-in aspect of the process. It maps the relationships and dependencies for you. It pulls together and clusters together. What applications does each asset serve? So I might be looking at a server and saying, okay, this server, it supports my ERP system. It supports my production applications to be able to serve my customers. It serves maybe my .com website. Understanding what applications each asset serves and every dependency along the way, meaning that endpoint, that server, but also the load balancers are supported, and the firewalls, and every aspect along the way, that's the bread and butter of the relationship mapping that Armis puts into place to be able to do that, and we also allow users to tweak, add information, connect us with their CMDB or anywhere else where they put this in, but once the information is in, that can serve vulnerability management. It can serve other security functions as well. But in the context of vulnerability management, it creates a much more streamlined process for being able to do the basics. Some critical applications, I want to know exactly what all the critical vulnerabilities that apply to them are. 
Some business applications, I just want to be able to put SLAs on, that this must be solved within a week, this must be solved within a month, and be able to actually automatically track all of these in a world that is very, very complex inside of an operation or an enterprise. >> We're going to hear from some of your customers later, but I want to just get your thoughts on, anecdotally, what do you hear from? You're the CTO, co-founder, you're actually going into the big accounts. When you roll this out, what are they saying to you? What are some of the comments? Oh my God, this is amazing. Thank you so much. >> Well, of course. Of course. >> Share some of the comments. >> Well, first of all, of course, that's what they're saying. They're saying we're great. Of course, always, but more specifically, I think this solves a huge gap for them. They are used to tools coming in and discovering vulnerabilities for them, but really close to nothing being able to streamline the truly complex and scalable process of being able to manage vulnerabilities within the environment. Not only that, the integration-led, designer-led deployment and the fact that we are a completely agent-less SaaS platform are extremely important for them. These are times where if something isn't easily deployable for an enterprise, its value is next to nothing. I think that enterprises have come to realize that if something isn't a one click deployment across the environment, it's almost not worth the effort these days, because environments are so complex that you can't fully realize the value any other way. So from an Armis standpoint, the fact that we can deploy with a few clicks, the fact that we immediately provide that value, the fact that we're agent-less, in the sense that we don't need to go around installing a footprint within the environment, and for clients who already have Armis, the fact that it's a flip of a switch, just turn it on, are extreme. 
I think that the fact, in particular, that Armis can be deployed, the vulnerability management can be deployed on top of the existing vulnerability scanner with a simple one-click integration is huge for them. And I think all of these together are what contribute to them saying how great this is. But yeah, that's it. >> The agent listing is huge. What's the alternative? What does it look like if they're going to go the other route, slow to deploy, have meetings, launch it in the environment? What's it look like? >> I think anything these days that touches an endpoint with an agent goes through a huge round of approvals before anything goes into an environment. Same goes, by the way, for additional scanners. No one wants to hear about additional scanners. They've already gone through the effort with some of the biggest tools out there to punch holes through firewalls, to install scanners in different ways. They don't want yet another scanner, or yet another agent. Armis rides on top of the existing infrastructure, the existing agents, the existing scanners. You don't need to do a thing. It just deploys on top of it, and that's really what makes this so easy and seamless. >> Talk about Armis research. Can you talk about, what's that about? What's going on there? What are you guys doing? How do you guys stay relevant for your customers? >> For sure. So one of the, I've made a lot of bold claims throughout, I think, the entire Q and A here, but one of the biggest magic components, if you will, to Armis that kind of help explain what all these magic components are, are really something that we call our collective asset knowledge base. And it's really the source of our power. Think of it as a giant collective intelligence that keeps learning from all of the different environments combined that Armis is deployed at. Essentially, if we see something in one environment, we can translate it immediately into all environments. 
So anyone who joins this or uses the product joins this collective intelligence in essence. What does that mean? It means that Armis learns about vulnerabilities from other environments. A new Log4j comes out, for instance. It's enough that, in some environments, Armis is able to see it from scanners, or from agents, or from SBOMs, or anything that basically provides information about Log4j, and Armis immediately infers or creates enrichment rules that act across the entire tenant base, or the entire client base of Armis. So very quick response to industry events, whenever something comes out, again, the results are immediate, very up to the minute, very up to the hour, but also I'd say that Armis does its own proactive asset research. We have a huge data set at our disposal, a lot of willing and able clients, and also a lot of partners within the industry that Armis leverages, but our own research is into interesting aspects within the environment. We do our own proactive research into things like TLStorm, which is kind of a bit of a bridging research and vulnerabilities between cyber physical aspect. So on the one hand, the cyber space and kind of virtual environments, but on the other hand, the actual physical space, vulnerabilities, and things like UPSs, or industrial equipment, or things like that. But I will say that also, Armis targets its research along different paths that we feel are underserved. We started a few years back research into firmwares, different types of real time operating systems. We came out with things like URGENT/11, which was research into, on the one hand, operating systems that run on two billion different devices worldwide, on the other hand, in the 40 years it existed, only 13 vulnerabilities were ever exposed or revealed about that operating system. Either it's the most secure operating system in the world, or it's just not gone through enough rigor and enough research in doing this. 
The type of active research we do is to complement a lot of the research going on in the industry, serve our clients better, but also provide kind of inroads, I think, for the industry to be better at what they do. >> Awesome, Nadir, thanks for sharing the insights. Great to see the research. You got to be at the cutting edge. You got to investigate, be ready for a moment's notice on all aspects of the operating environment, down to the hardware, down to the packet level, down to the any vulnerability, be ready for it. Great job. Thanks for sharing. Appreciate it. >> Absolutely. >> In a moment, Tim Everson's going to join us. He's the CSO of Kalahari Resorts and Conventions. He'll be joining me next. You're watching theCUBE, the leader in high tech coverage. I'm John Furrier. Thanks for watching. (upbeat music)
Alex Schuchman, Armis | Managing Risk with the Armis Platform
>>Hello, everyone. Welcome back to the manage risk across your extended attack surface area with Armis asset intelligence platform. I'm John Furrier, host. We're here at the CSO perspective, Alex Schuchman, who is the CSO of Colgate-Palmolive Company. Alex, thanks for coming on. >>Thanks for having me. >>You know, unified visibility across the enterprise surface area is about knowing what you gotta protect. You can't protect what you can't see. Tell me more about how you guys are able to centralize your view with network assets with Armis. >>Yeah, I think the, the most important part of any security program is really visibility. And, and that's one of, kind of the building blocks. When you're building a security program, you need to understand what's in your environment. What's what you control, what is being introduced new into the environment. And that's really what any solution that gives you full visibility to your infrastructure, to your environment, to all the assets that are there, that that's really one of your bread and butter pieces to your security program. >>What's been the impact on your business? >>You know, I, I think from, from an IT point of view, running the security program, you know, our key thing is really enabling the business to do their job better. So if we can give them visibility into all the assets that are available in their individual environments, and we're doing that in an automated fashion with no manual collection, you know, that's yet another thing that they don't have to worry about. And then we're delivering because really it is an enabler for the business. And then they can focus really on what their job is, which is to, to deliver product. >>Yeah. And a lot of changes in their network. You got infrastructure, you got OT devices, OT devices. So vulnerability management becomes more important. It's been around for a while, but it's not just IT devices anymore. There are gaps in vulnerability across the OT network. 
What can you tell us about Colgate's use of Armis as vulnerability management? What can you see now that you couldn't see before? Can you share your thoughts on this? >>Yeah, I, I think what's really interesting about the, the kind of manufacturing environments today is if you look back a number of years, most of the manufacturing equipment was really disconnected from the internet. It was really running in silos. So it was very easy to protect equipment that, that isn't internet connected. You could put a firewall, you could segment it off. And it was, it was really on an island on its own. Nowadays you have a lot of IoT devices. You have a lot of internet connected devices, sensors providing information to multiple different suppliers or vendor solutions. And you have to really then open up your ecosystem more, which of course means you have to change your security posture and you really have to embrace. If there's a vulnerability with one of those suppliers, then how do you mitigate the risk associated to vulnerability? Armis really helps us get a lot of information so that we can then make a decision with our business teams. >>That whole operational aspect of criticality is huge. How on the assets knowing what's what's key? How has that changed your, the, the security workload for you guys? >>Yeah, for us, I mean, it, it's all about being efficient. If we can have the, the visibility across our manufacturing environments, then, then my team can easily consume that information. You know, if we spend a lot of time trying to digest the information, trying to process it, trying to prioritize it, that, that, that really hurts our efficiency as, as a team where as a function, what we really like is being able to use technology to help us do that work. We're, we're not an IT shop. 
We're a manufacturing shop, but we're a very technical shop so that we like to drive everything through automation and not be a bottleneck for any of the, the actions that take place. >>You know, the old expression is the juice worth the squeeze. It comes up a lot when people are buying tools around vulnerability management and point, all this stuff. So SaaS solution is key with no agents to deploy. They have that. Talk about how you operationalize Armis in your environment, how quickly did it achieve time to value, take us through that, that consumption of the product. And, and, and what was the experience like? >>Yeah, I'll definitely say a in, in the security ecosystem that that's one of the, the biggest promises you hear across the industry. And when, when we started with Armis, we started with a very small deployment and we wanted to make sure if, if it was really worth the lift to your point, we implemented the, the first set of plants very quickly, actually, even quicker than we had put in our project plan, which is, is not typical for implementing complex security solutions. And then we were so successful with that. We expanded to cover more of our manufacturing plants, and we were able to get really true visibility across our entire manufacturing organization in the first year with the ability to also say that we extended that, that information, that visibility to our manufacturing organization, and they could also consume it just as easily as we could. >>That's awesome. How many assets did you guys discover? Just curious on the numbers? >>Oh, that, that's the really interesting part, you know, before we started this project, we would've had to do a, a manual audit of, of our plants, which is typical in, in our industry. You know, when, when we started this project and, and we put in estimates, we really, really didn't have a great handle on what we were gonna find. 
And what's really nice about the Armis solution is it it's truly giving you full visibility. So you're actually seeing, besides the servers and the PLCs and all the equipment that you're familiar with, you're also connecting it to your wireless access points. You're connecting it to see any of those IoT devices as well. And then you're really getting full visibility through all the integrations that they offer. You're amazed how many devices you're actually seeing across your entire ecosystem. >>It's like Google Maps for your infrastructure. You get little street view. You wanna look at it, you get the, you know, fake tree in there, whatever, but it gives you the picture that's key, >>Correct. And with a nice visualization and an easy search engine, similar to your, your Google analogy, you know, everything is, is, is really at your fingertips. If you wanna find something, you just go to the search bar, click a couple entries and, and boom, you get your, your list of the associated devices or the, the associated locations devices. >>Well, I appreciate your time. I know you're super busy at CSIG a lot of your plate. Thanks for coming on sharing. Appreciate it. >>No problem, John. Thanks for having me. >>Okay. In a moment, Bryan Inman, a sales engineer at Armis will be joining me. You're watching theCUBE, the leader in high tech coverage. Thanks for watching.
Vincent Danen and Luke Hinds, Red Hat | Managing Risk In The Digital Supply Chain
(upbeat music) >> Welcome to theCUBE. I'm Dave Nicholson, and this is part of the continuing conversation about Managing Risk in the Digital Supply Chain. I have with me today Vincent Danen, vice president of product security from Red Hat and Luke Hinds, security engineering lead from the office of the CTO at Red Hat. Gentlemen, welcome to theCUBE. >> Thank you. >> Great to be here. >> So let's just start out and dive right into this, Vincent, what is the software or digital supply chain? What are we talking about? >> Yeah, that's a good question. Software supply chain is basically the software that an end user would get from a vendor or in our case, we're talking about open source, so upstream. It is the software that comes in that is part of your package, operating system, applications. It could be something that you get from one vendor, multiple vendors. So we look at in the example of Red Hat, we are one part of the customer's software supply chain. >> So it's interesting that it's coming in from different areas. Do we have a sense for the ratio of kind of commercial software versus open source software that makes up an enterprise today? >> I think that's a really hard thing to answer and I think every enterprise or every company would have a little bit different. Depends if you have an open source vendor that you choose, you may get a significant amount of software from them. Certainly you're not going to get it all. As an example, Red Hat provides thousands of open source packages. We certainly can't provide all of them. There are millions that are out there. So when you're looking at a specific application that you're building, chances are, you could be running that on a managed platform or an enterprise supply platform, but there are going to be packages that you're going to be obtaining from other sources in other communities as well in order to power your applications. 
>> So, Luke, that sounds like a kind of a vague situation we're looking at in terms of where all of our software is coming from. So what do we need to know about our software supply chain in that context? What do we need to understand? Before we even get anywhere near the idea of securing it, what are some of the issues that arise from that? >> Yeah, so Vincent's touchpoint is a very wide range in ecosystem, multiple sources when we're talking about open source. So essentially awareness is key really. I think a lot of people are really not aware of the sources that they're drawing from to create their own supply chain. So there's multiple supply chains. You can be somebody like Red Hat that provides software, and then people will leverage Red Hat for their own supply chain. And then you have the cloud provider and they have their own source of software. So I think that the key thing is the awareness of how much you rely upon that ecosystem before we look at the security of the supply chain. It's really understanding your supply chain. >> And just to follow up on that. So can you... I'm sort of checking my own level of understanding on this subject. When you talk about open source code, you're talking about a code base that is often maintained essentially by volunteers, isn't that correct? >> A mix of volunteers and paid professionals where a company has an interest in the open source project, but predominantly I would say it's... Well, I'm not entirely sure, but volunteers make up a substantial part of the ecosystem that is for sure. So it's a mix really. Some people do it because they enjoy writing software. They want to share software. Other people also enjoy working software, but they're in the position that a company pays for them to work on that software. So it's a mix of both. >> Vincent, give us a reminder of why this is important from a little bit of a higher level. 
Step back from the data center view of things, from the IT view of things, just from a societal perspective, Vincent, what happens when we don't secure our digital supply chain? What are the things that are put at risk? >> Okay, well, there's a significant number of things that are placed at risk, the security of the enterprise itself. So your own customer data, your own internal corporate data is placed at risk if there were a supply chain breach. But further to that for a software provider, and I think that in a lot of cases, most companies today are software providers or software developers. You actually put your own customers at risk as well, not just their data, but their actual... The things that they're working on, any workloads that they may have, an order that they might place as an example. So there's a number of areas where you want to have the security of that supply chain and the software components that you have figured out. You want to be on top of that because there is that risk that trickles down when it comes to an event. I mean, we've seen that with breaches earlier this year, one company is breached multiple companies end up being breached as a result of that. So it's really important. I think we all have a part to play in that I always view it as it's not just about the company itself. So I mean, speaking from a Red Hat perspective, I don't look at it as we're just securing Red Hat, we're securing our customers, and then we're also doing that for their customers as well, because they're writing software that's running on the software that we're providing to them. So there is this trickle down effect that comes, and so I think that every link in that chain, I mean, it's wonderful that it's called a supply chain. It's only as strong as its weakest link. So our view is how do we strengthen every link in that chain? 
And we're one part of it, but we're kind of looking a little broader, what can we do upstream and how can we help our customers to ensure the security of their part in that supply chain? >> Yeah, I want to talk about that in a broad sense, but let's see if we can get a little bit more specific in terms of what some of the chains look like because it's not just really one chain when you think about it, there's the idea of inherent flaws that can be caught and then there are the things that bad actors might be doing to leverage those flaws. So you've got all of these different things that are converging. So first and Vincent, if you want to toss this to Luke back and forth, it's up to you guys. What about this issue of inherent flaws in code? We referenced this idea of the maintainer community. What are best practices for locking that down to make sure that there aren't inherent flaws or security risks? >> I'll take a stab at it, and then I'll let Luke follow up with maybe some of the technologies that Red Hat provides. And again, speaking to Red Hat as part of that chain. When we're talking about inherent risk, there's a vulnerability that's present upstream. We pull that software to Red Hat. We package it as a component of one of the pieces of software that we provide to our customers. It's our responsibility to pay attention to those upstream potential vulnerabilities, potential risks, and correct them in our code. So that might be taking a patch from upstream, applying it to our software, might be grabbing the latest version from upstream, whatever the case might be, but it's our responsibility to provide that protection for that software to actually remediate that risk, and then our customers can then install the update and apply the mitigation themselves. If we take a look at it from, when we're looking at multiple suppliers where you'd asked earlier about, what part of it is Red Hat and what part of it is self-service open source? 
When you look at that, the work that Red Hat's doing there as a commercial provider of open source and end user for that little bit that they're going to grab themselves, that Red Hat doesn't provide, it's going to have to do all of those things as well. They're going to have to pay attention to that risk from upstream. They're going to have to pay attention to any potential vulnerabilities and pull that in to figure out, do I need to patch? Where do I need to patch it? And that's something we didn't really touch on was an inventory of the software that you have in place. I mean, you don't know that you need to fix something. You don't even know that it's running. So, I mean, there's a lot of considerations there where you have to pay attention to a lot of sources. Certainly there's metadata, automation, all of these things that make it easier, but it doesn't absolve us of the responsibility across the board to pay attention to these things, whether you're grabbing it from upstream directly or from the vendor. And it's the vendor's responsibility to then be paying attention to things upstream. >> Yeah, so Luke, I want you to kind of riff on that from the perspective that let's just assume that Vincent was just primarily talking about the idea that, okay, we've established that this code is solid and we've got gold copy of it and we know it's okay. There aren't inherent problems in the code as far as we can tell. Well, that's fine. I'm a developer. I go out to pull code and to use. How do I know if it's not been tampered with? How do I know if it's in fact the code that was validated during this process before? What do you do about that? >> So there's several methods there, but I just like to loop back to that point, because I think this is really interesting around, so if you look at a software supply chain, this is a mix of humans and machines, and both have flaws, probably humans a bit more. And a supply chain, you have developers. 
You have code reviewers, you have your systems administrators that set up the systems, and then you have your machine actors. So you've got your build systems, the various machines that are part of that supply chain. Now the humans, there's an attack vector there 'cause typically they will have some sort of identity, which they leverage for access to the supply chain. So quite often a developer's identity can be compromised. So a lot of the time people will have a corporate account that gives them some sort of single sign on access to multiple systems. So the developers are coming and this could be somebody in the community as well. Their account is compromised, then they're able to easily backdoor systems. So that's one aspect. And then there is machines as well. There's the whole premise of machines software not being up to date. So when the latest nasty vulnerability is released, machines are updated, then the machines have their flaws. They can be exploited. So I would say it's not just a technical problem. There is a humanistic element to this as well around protecting your supply chain. And I would say a really good perspective to carry when you're looking to, how do I secure my supply chain is treat it like you would a production system. So what do I mean by that? When we put something into production and we've got this very long legacy of treating it with a very strict security context around who can access that people, okay. How much it's upgraded and it's patched? And we seem to not have this same perception around our supply chain and our build systems, the integrity of those, the access of those, the policy around the access and so forth. So that's one giveaway that I would say is a real key focus that you should have is treat it like a production system. 
Be very mindful about what you're bringing in, who can access it because it is the keys to the kingdom, because if somebody compromises your supply chain, your build systems and so forth, they can compromise the whole chain because the chain is only as strong as the weakest link. So that's what I draw upon it. And around the verifications, there is multiple technologies that you can leverage. So Red Hat, we've got a very robust signing system that we use so that you can be sure that the packages that we get you have non-repudiation that they've been produced by Red Hat. When you update your system, that's automatically looked after. And there are other systems as well, there's other new technologies that are starting to get a foothold around the provenance of aspects of your build system. So when you're pulling in from these multiple sources of open source communities, you can have some provenance around what you're putting in as well. And yeah, I don't want to bite share too much on the technologies, but there's some exciting stuff starting to happen there as well. >> So let's look at an example of something, because I think it's important to understand all of these different aspects. Recently, I think actually still in the news, we found that some logging software distributed by Apache that's widely used in people's websites to gather information about... To help from a security perspective and to help developers improve things that are going on in websites. A vulnerability was discovered. I guess, first Alibaba, some folks reported it directly to some folks at Apache and the Apache Organization. And then of all people, some folks from Minecraft mentioned it in a blog. That seems like a crazy way to find out about something that's a critical flaw. Now we're looking at this right now with hindsight. So with hindsight, what could we have done to not be in the circumstances that we're in right now? 
Vincent, I'll toss that to you first, but again, if Luke is more appropriate, let us know. >> No, it's a great question, and it's a hard question. >> How did you let this happen, Vincent? How did you let this happen? >> It wasn't me, I promise. (Dave laughs) >> What I mean, it's a challenging question I mean, and there's a number of areas where we focused on a lot of what we perceived as critical software. So it comes to web server applications, DNS, a number of the kind of the critical infrastructure that powers the internet. Right or wrong. Do we look at logging software as a critical piece of that? Well, maybe, maybe we should, right? Logging is definitely important as part of an incident response or just an awareness of what's going on. So, I mean, yeah, it probably should have been considered critical software, but I mean, it's open source, right? So there's a number of different logging applications. I imagine now we're scrutinizing those a little bit more, but looking beforehand, how do you determine what's critical until an event like this happens, and it's unfortunate that it happens. And I like to think of these as learning opportunities, and certainly not just for Red Hat, but for this (talking over each other) >> Certainly this is not... Yeah, this is not an indictment of our entire industry. We are all in this together and learning every day. It just highlights how complex the situation is that we're dealing with, right? >> It really is. And I mean, a lot of what we're looking at now is how do we get tools into the hands of developers who can catch some of these things earlier. And there's a lot of commercial offerings, there's a lot of open source tools that are available and being produced that are going to help with these sorts of situations moving forward. But I mean, all the tools on the planet aren't going to help if they're not being used. 
So, I mean, there has to be an education and an incentive for these developers, particularly, maybe in some upstream communities where they are labors of love and they're passionate projects they're not sponsored or backed by a corporation who's paying for these tools, to be able to use some of them and move that forward. I think that looking at things now, there is work to be done. Obviously there's always going to be work to be done. Not all of these tools, and we have to recognize this, they're not all perfect. They're not going to catch everything. These tools could have been... I mean, I don't know if they were running these tools or not, they could have been, and the tool simply could not have picked them up. So part of it is the proactive part. We talk a lot about shift left and moving these things earlier into the development process and that's great, and we should do it. It certainly should never be seen as a silver bullet or a replacement for a good response. And I think the really important thing to highlight with respect to this, and I mean, this touches on the supply chain issue as well, companies, especially those who never maybe saw themselves as a software development company really have to figure out and understand how to do appropriate response. Part of that is awareness, what do you have installed? Part of it is sources of information. Like how do I find out about a new vulnerability or a potential vulnerability? And then it's just the speed to respond. We know that a number of companies they have, maybe it's a Patch Tuesday, maybe it's a patch 26th of the month, maybe it's patch day of the quarter, we have to learn how to respond to these things quickly so that we can apply these mitigations and these fixes as quickly as possible to then protect ourselves and protect the end users or customers that we have, or to keep the kids from using some backdoors in Minecraft is the word. >> (laughs) Yeah. Look, this is an immensely important subject. 
To wrap us up on this, Luke, I'd like you to pretend that you just got into an elevator in a moderately tall building, and you have 60 seconds to share with me someone who already trusts you, you don't have to convince me of your credentials or anything. I trust you. What tools specifically do you need me to be running, tools and processes. You've got 60 seconds to say, Dave, if you're not doing these things right now, you're unnecessarily vulnerable. So ready, and go, Luke. >> So automatically update all packages. Always stay up-to-date so that when an issue does hit, you're not having to go back 10 versions and work your way forward. That's the key thing. Ensure that everything you pull in, you're not going to have 100%, but have a very strict requirement that there is non-repudiation, is signed content, so you can verify that it's not being tampered with. For your developers that are producing code, run static, dynamic analysis, API fuzzes, all of these sorts of tools. They will find some vulnerabilities for you. Be part of communities. Be part of communities, help chop the wood and carry the water because the Log4j, the thing is that was found because it was in the open. If it wasn't in the open, it wouldn't have been found. And I've been in this business for a long time. Software developers will always write bugs. I do. Some of them will be security bugs. That's never going to change. So it's not about stopping something that's inevitable. It's about being prepared to react accordingly in a right and correct manner when it does happen so that you can mitigate against those risks. >> Well, we're here on the 35th floor. That was amazing. Thank you, Luke. Vincent, you were in the elevator also listening in on this conversation. Did we miss anything? >> No, I mean, the only thing I'll say is that it's really helpful to partner with an enterprise open source provider, be it Red Hat or anybody else. I don't want to toot our own horn. 
They do a lot of that work on your behalf that you don't have to do. A lot of the things that Luke was talking about, those providers do, so you don't have to. And that's where you.. I liked that you talked about, hey, you don't have to convince me that I'm trusted, or that I trust you. Trust those vendors. They're literally here to do a lot of that heavy lifting for you and trust the process. Yeah, it's a very, very good point. And I know that sometimes it's hard to get to that point where you are the trusted advisor. Both of you certainly are. And with that, I would like to thank you very much for an interesting conversation. Gentlemen, let's keep in touch. You're always welcome on theCUBE. Luke, second time, getting a chance to talk to you on theCUBE personally. Fantastic. With that, I would like to thank everyone for joining this very special series on theCUBE. Managing risk in the digital supply chain is a critical topic to keep on top of. Thanks for tuning into theCUBE. We'll be back soon. I'm Dave Nicholson saying, thanks again. (upbeat music)
Andrea Hall & Andrew Block, Red Hat | Managing Risk In The Digital Supply Chain
(upbeat music) >> Okay, we're here talking about how you can better understand and manage the risks associated with the digital supply chain. How in this day and age where software comes from so many different places and sources throughout the ecosystem, how can organizations manage the risks associated with our dependence on software? And with me now are two great guests, Andrea Hall, who is a specialist solution architect and project manager for security and compliance at Red Hat. She's going to focus on public sector. And Andrew Block who's a distinguished architect at Red Hat Consulting, folks welcome. >> Welcome >> Thank you. Thanks for having us. >> You're very welcome. Andrea, let's start with you. Let's talk about regulations. What exists today that we should be aware of that organizations should be paying attention to? >> Oh sure, so the thing that comes to mind first being in the US is the presidential executive order on cybersecurity that came out a few months ago. Organizations are really paying attention to that. And in the US, it's having a ripple effect with policy, but we're also seeing policy considerations pop up in other countries, Australia and England. The supply chain is a big focus right now, of course, but we see these changes coming down the road as more and more government organizations are trying to secure their critical infrastructure. >> Is there kind of a leadership, or probably in other words, is somebody saying seeing what the UK does and say, okay, we're going to follow that template? Or is it just a variety and a mish mash with no sort of consolidation? How is that sort of playing out? >> I see a lot of organizations kind of basing their requirements on (indistinct) However, each organization has its own nuances. Each agency has its own nuances to how it wants them implemented. >> Andrew, maybe you could chime in here. What are you seeing when you talk to customers that are tuned into this issue? 
>> You know, as Andrea had just mentioned having that north star in terms of regulations is so fundamentally great for them because many of them especially in regulated industries, look to these regulations on how they apply their own policies. So at least it has some guidance on how to move forward because as we all know the secure software supply chain is getting news every day and how they react to it is something that I know all their leaders are asking themselves, especially those IT leaders. >> Andrea, when I talk to practitioners, sometimes they're frustrated. They understand they have to comply. They know new regulations are coming out, but sometimes it's hard for them to keep up. It would be helpful if you're sitting across the table from somebody who's frustrated and they ask you, what are your expectations? What are the trends in regulations? How do you see the current regulations evolving to specifically accommodate the digital supply chain and the security exposures and corollary requirements there? >> We see a lot of organizations struggling in the sense of trying to understand what the policy actually wants. Definitions are still a little bit vague, but implementation is also difficult because sometimes organizations will add more tools to their toolkit, adding a layer of complexity there. Really automation has to be pulled in. That's key to implementing this instead of adding more workload and more burden to your folks. It's really important for these organizations to pull stakeholders in the organization together. So the IT leaders bring together the developers, the security operations sit at the same table, talk about whether or not what needs to be implemented or what's proposed to be implemented, will affect the mission or in any way or disrupt operations. It's important for everybody to be on the same page so it doesn't slow anything down as you're trying to roll it out. 
>> And one of the things here is that we're seeing a lot of change with these new regulations and with a lot of organizations, any type of change is scary. And that is one area that they're looking for guidance not only in the tooling, but also how they apply it in the organization. >> I'll add on. >> Please. >> I'll add onto that and say, organizations really need to take into account the people side of things too. People need to understand what the impact is to the organization, so that they don't try to find the loopholes, they're buying into what needs to be done. They understand the why behind it. You for example, if you walk into your house, you normally close the door behind you. Security needs to be seen as that, as well, that's the culture and it's the habit. And it's ingrained in the fabric of the organization to live this way, not just implement the tools to do it. >> Right, and the number of doors you have in your infrastructure are a lot more than just a couple. Andrew mentioned sort of guidance and governments are obviously taking a more active role. I mean, sometimes I'm a cynic. I mean, the president Biden signs an executive order, but swipe of a pen doesn't really give us enough to go on. Do you think Andrea, that we're going to see new guidance from governments in the very near future? What are you expecting? >> I expect to see more conversations happening. I know that agencies who developed the policies are pulling together stakeholders and getting input. But I do see in the not too distant future, that mandates will be rolling out, yes. >> Well, so Andrew of course, Andrea, if you have a thought on this as well, but how do you see organizations dealing with adopting these new policies. >> Slowly, don't boil the ocean is one thing I tell a lot to every one of them, because a lot of these tooling, a lot of these concepts are foreign to them, brand new. 
How they adopt those and how they implement them, needs to be done in a very agile fashion, very slow and prescriptive. Go ahead and try to find one area of improvement and go ahead and work upon it and build upon it. Because not only does that normally make your organization more successful and secure, but also helps your organization just from a morale standpoint. One thing that you need to emphasize is that don't blame anyone. 'Cause a lot of times when you're going through this, you're reassessing your own supply chain. You might find where you could see improvements that need to be done. Don't blame things that may have occurred in the past. See how you can benefit from these lessons learned in the future. >> It's interesting you say that the blame game, I mean it used to be that failure meant you get fired and that's obviously has changed. As many have said, you know you're going to have incidents. It's how you respond to those incidents. What you learn from them. Do you have Andrew, any insights from specifically working with customers on securing their software supply chain? What can you tell us about what leading practitioners are doing today? >> They're going in and not only assessing what their software components consist of. Using tools like an SBOM, a software bill of materials, understand where all the components of their ecosystem and their lineage comes from. We're hearing almost every single day, new vulnerabilities that are being introduced in various software packages. By having that understanding of what is in your ecosystem, you can then better understand how to mitigate those concerns moving forward. >> Andrea, Andrew was just saying, one of the things is you don't just dive in. You've got to be careful. There's going to be ripple effects is what I'm inferring, but at the same time, there's a mandate to move quickly. 
Are there things that could accelerate the adoption of regulation or even the creation of regulations and that guidance in your view? What could accelerate this? >> As far as accelerating it goes, I think it's having those conversations proactively with the stakeholders in your organization and understanding the environment like Andrew said. Go ahead and get that baseline. And just know that whatever changes you make are maybe going to be audited down the road, because as we were moving towards this kind of third-party verification, that you're actually implementing things in order to do business with another organization. The importance of that, if organizations see that gravity to this, I think they will try to speed things up. I think that if organizations and the people in those organizations understand that why, that I talked about earlier and they understand how things like SolarWinds or things like the oil disruption that happened earlier this year. The personal effect to cyber events will help your organization move forward. Again, everybody's bought into the concept, everybody's working towards the same goals and they understand that why behind it. >> In addition to that, having tooling available, that makes it easy for them. You have a lot of individuals who this is all foreign, providing that base level tooling that aligns to a lot of the regulations that might be applicable within their real realm and their domain, makes it easier for them to start to complying and taking less burden off of them to be able to be successful. >> So it's a hard problem because Andrew, how do you deal with sort of the comment more tools, okay. But I look at that the Optiv map, if you've seen that. It makes your eyes cross. You've got so many tools, so much fragmentation, you're introducing new tools. Can automation help that? Is there hope for consolidation of that tools portfolio? >> Right now, this space is very emerging. 
It's very emerging, it's very fluid to be honest, 'cause there is actually mandates only a year or two old. But as they come over the course of time, however, I do see these types of tooling starting to consolidate where right now it seems like every vendor has a tool that tries to address this. It's being able to have the people work together, have more regulations that will come out that will allow us to start to redefine and solidify on certain tools like ISO standards. There are certain ones that I mentioned on SBOMs previously, there's now an ISO standard on SBOM there wasn't previously. So as more and more of these regulations come out, it makes it easier to provide that recommended set of tooling that organizations can start leveraging instead of vendor A, vendor B. >> Andrea, I said this before I was a cynic, but will give you the last word, give us some hope. I mean, obviously public policy is very important. A partnership between governments and industry, both the practitioners, the organizations that are buying these tools, as well as the technology industry got to work together in an ecosystem. Give us some hope. >> The hope I think will come from realizing that as you're doing this, as you are implementing these changes, you're in a sense trying to prevent those future incidents from happening. There's some assurance that you're doing everything that you can do here. It's a situation, it can be daunting, I'll put it that way. It can be really daunting for organizations, but just know that organizations like Red Hat are doing what we can to help you down the road. >> And really it's just continuing this whole shifting left mentality. The top of supply chain is just one component, but the introducing DevSecOps security at the beginning, that really will make the organizations become successful because this is not just a technology problem, it's a people issue as well. 
And being able to kind of package them all up together will help organizations as a whole. >> Yeah, so that's a really important point. You hear that term shift left. For years, people say, hey, you can't just bolt security on, as an afterthought, that's problematic. And that's the answer to that problem, right? Is shifting left meaning designing it in at the point of code, infrastructure as code, DevSecOps. That's where it starts, right? >> Exactly, being able to have security at the forefront and then have everything afterwards. Propagate from your security mindset. >> Excellent, okay, Andrea, Andrew, thanks so much for coming to the program today. >> Thank you for having us. >> Very welcome, thanks for watching. This is Dave Vellante for The Cube. Your global leader in enterprise tech coverage. (soft music)
Kirsten Newcomer, Red Hat | Managing Risk In The Digital Supply Chain
(upbeat music) >> Hello everyone, my name is Dave Vellante, and we're digging into the many facets of the software supply chain and how to better manage digital risk. I'd like to introduce Kirsten Newcomer, who is the Director of Cloud and DevSecOps Strategy at Red Hat. Hello Kirsten, welcome. >> Hello Dave, great to be here with you today. >> Let's dive right in. What technologies and practices should we be thinking about that can help improve the security posture within the software supply chain? >> So I think the most important thing for folks to think about really is adopting DevSecOps. And while organizations talk about DevSecOps, and many folks have adopted DevOps, they tend to forget the security part of DevSecOps. And so for me, DevSecOps is both DevSec, how do I shift security left into my supply chain, and SecOps which is a better understood and more common piece of the puzzle, but then closing that loop between what issues are discovered in production and feeding that back to the development team to ensure that we're really addressing that supply chain. >> Yeah I heard a stat. I don't know what the source is, I don't know if it's true, but it probably is that around 50% of the organizations in North America, don't even have a SecOps team. Now of course that probably includes a lot of smaller organizations, but the SecOps team, they're not doing DevSecOps, but so what are organizations doing for supply chain security today? >> Yeah, I think the most common practice, that people have adopted is vulnerability scanning. And so they will do that as part of their development process. They might do it at one particular point, they might do it at more than one point. But one of the challenges that, we see first of all, is that, that's the only security gate that they've integrated into their supply chain, into their pipeline. So they may be scanning code that they get externally, they may be scanning their own code. 
But the second challenge is that the results take so much work to triage. This is static vulnerability scanning. You get information that is not in full context, because you don't know whether a vulnerability is truly exploitable, unless you know how exposed that particular part of the code is to the internet, for example, or to other aspects. And so it's just a real challenge for organizations, who are only looking at static vulnerability data, to figure out what the right steps to take are to manage those. And there's no way we're going to wind up with zero vulnerabilities, in the code that we're all working with today. Things just move too quickly. >> Is that idea of vulnerability scanning, is it almost like sampling where you may or may not find the weakest link? >> I would say that it's more comprehensive than that. The vulnerability scanners that are available, are generally pretty strong, but they are, again, if it's a static environment, a lot of them rely on NVD database, which typically it's going to give you the worst case scenario, and by nature can't account for things like, was the software that you're scanning built with controls, mitigations built in. It's just going to tell you, this is the package, and this is the known vulnerabilities associated with that package. It's not going to tell you whether there were compiler time flags, that may be mitigated that vulnerability. And so it's almost overwhelming for organizations, to prioritize that information, and really understand it in context. And so when I think about the closed loop feedback, you really want not just that static scan, but also analysis that takes into account, the configuration of the application, and the runtime environment and any mitigations that might be present there. >> I see, thank you for that. So, given that this digital risk and software supply chains are now front and center, we read about them all the time now, how do you think organizations are responding? 
What's the future of software supply chain going to look like? >> That's a great one. So I think organizations are scrambling. We've certainly at Red Hat, we've seen an increase in questions, about Red Hat's own supply chain security, and we've got lots of information that we can share and make available. But I think also we're starting to see, this strong increased interest, in security bill of materials. So I actually started working with, automation and standards around security bill of materials, a number of years ago. I participated in The Linux Foundation SPDX project. There are other projects like CycloneDX. But I think all organizations are going to need to, those of us who deliver software, we're going to need to provide SBOMs and consumers of our software should be looking for SBOMs, to help them understand, to build transparency across the projects. And to facilitate that automation, you can leverage the data, in a software package list, to get a quick view of vulnerabilities. Again, you don't have that runtime context yet, but it saves you that step, perhaps of having to do the initial scanning. And then there are additional things that folks are looking at. Attested pipelines is going to be key, for building your custom software. As you pull the code in and your developers build their solutions, their applications, being able to vet the steps in your pipeline, and attest that nothing has happened in that pipeline, is really going to be key. >> So the software bill of materials is going to give you, a granular picture of your software, and then what the chain of, provenance if you will or? >> Well, an SBOM depending on the format, an SBOM absolutely can provide a chain of provenance. But another thing when we think about it, from the security angles, so there's the provenance, where did this come from? Who provided it to me? 
But also with that bill of materials, that list of packages, you can leverage tooling, that will give you information about vulnerability information about those packages. At Red Hat we don't think that vulnerability info should be included in the SBOM, because vulnerability data changes everyday. But, it saves you a step potentially. Then you don't necessarily have to be so concerned about doing the scan, you can pull data about known vulnerabilities for those packages without a scan. Similarly the attestation in the pipeline, that's about things like ensuring that, the code that you pull into your pipeline is signed. Signatures are in many ways a more important piece for defining provenance and getting trust. >> Got it. So I was talking to a CISO the other day, and was asking her okay, what are your main challenges, kind of the standard analyst questions, if you will. She said look, I got great people, but I just don't have enough depth of talent, to handle, the challenges I'm always sort of playing catch up. That leads one to the conclusion, okay, automation is potentially an answer to address that problem, but the same time, people have said to me, sometimes we put too much faith in automation. Some say okay, hey Kirsten help me square the circle. I want to automate because I lack the talent, but it's not, it's not sufficient. What are your thoughts on automation? >> So I think in the world we're in today, especially with cloud native applications, you can't manage without automation, because things are moving too quickly. So I think the way that you assess whether automation is meeting your goals becomes critical. And so looking for external guidance, such as the NIST's Secure Software Development Framework, that can help. But again, when we come back, I think, look for an opinionated position from the vendors, from the folks you're working with, from your advisors, on what are the appropriate set of gates. 
And we've talked about vulnerability scanning, but analyzing the config data for your apps it's just as important. And so I think we have to work together as an industry, to figure out what are the key security gates, how do we audit the automation, so that I can validate that automation and be comfortable, that it is actually meeting the needs. But I don't see how we move forward without automation. >> Excellent. Thank you. We were forced into digital, without a lot of thought. Some folks, it's a spectrum, some organizations are better shape than others, but many had to just dive right in without a lot of strategy. And now people have sat back and said, okay, let's be more planful, more thoughtful. So as you, and then of course, you've got, the supply chain hacks, et cetera. How do you think the whole narrative and the strategy is going to change? How should it change the way in which we create, maintain, consume softwares as both organizations and individuals? >> Yeah. So again, I think there's going to be, and there's already, need request for more transparency, from software vendors. This is a place where SBOMs play a role, but there's also a lot of conversation out there about zero trust. So what does that mean in, you have to have a relationship with your vendor, that provides transparency, so that you can assess the level of trust. You also have to, in your organization, determine to your point earlier about people with skills and automation. How do you trust, but verify? This is not just with your vendor, but also with your internal supply chain. So trust and verify remains key. That's been a concept that's been around for a while. Cloud native doesn't change that, but it may change the tools that we use. And we may also decide what are our trust boundaries. Are they where are we comfortable trusting? Where do we think that zero trust is more applicable place, a more applicable frame to apply? 
But I do think back to the automation piece, and again, it is hard for everybody to keep up. I think we have to break down silos, we have to ensure that teams are talking across those silos, so that we can leverage each other's skills. And we need to think about managing everything as code. What I like about the everything as code including security, is it does create auditability in new ways. If you're managing your infrastructure, and GitOps-like approach your security policies, with a GitOps-like approach, it provides visibility and auditability, and it enables your dev team to participate in new ways. >> So when you're talking about zero trust I think, okay, I can't trust users, I got to trust the verified users, machines, employees, my software, my partners. >> Yep >> Every possible connection point. >> Absolutely. And this is where both attestation and identity become key. So being able to, I mean, the SolarWinds team has done a really interesting set of things with their supply chain, after they were, in response to the hack they were dealing with. They're now using Tekton CD chains, to ensure that they have, attested every step in their supply chain process, and that they can replicate that with automation. So they're doing a combination of, yep. We've got humans who need to interact with the chain, and then we can validate every step in that chain. And then workload identity, is a key thing for us to think about too. So how do we assert identity for the workloads that are being deployed to the cloud and verify whether that's with SPIFFE SPIRE, or related projects verify, that the workload is the one that we meant to deploy and also runtime behavioral analysis. I know we've been talking about supply chain, but again, I think we have to do this closed loop. You can't just think about shifting security left. 
And I know you mentioned earlier, a lot of teams don't have SecOps, but there are solutions available, that help assess the behavior and runtime, and that information can be fed back to the app dev team, to help them adjust and verify and validate. Where do I need to tighten my security? >> I'm glad you brought up the SolarWinds to Kirsten what they're doing. And as I remember after 9/11, everyone was afraid to fly, but it was probably the safest time in history to fly. And so same analogy here. SolarWinds probably has learned more about this and its reputation took a huge hit. But if you had to compare, what SolarWinds has learned and applied, at the speed at which they've done it with maybe, some other software suppliers, you might find that they've actually done a better job. It's just, unfortunately, that something hit that we never saw before. To me it was Stuxnet, like we'd never seen anything like this before, and then boom, we've entered a whole new era. I'll give you the last word Kirsten. >> No just to agree with you. And I think, again, as an industry, it's pushed us all to think harder and more carefully about where do we need to improve? What tools do we need to build to help ourselves? Again, SBOMs have been around, for a good 10 years or so, but they are enjoying a resurgence of importance signing, image signing, manifest signing. That's been around for ages, but we haven't made it easy to integrate that into the supply chain, and that's work that's happening today. Similarly that attestation of a supply chain, of a pipeline that's happening. So I think as an industry, we've all recognized, that we need to step up, and there's a lot of creative energy going into improving in this space. >> Excellent Kirsten Newcomer, thanks so much for your perspectives. Excellent conversation. >> My pleasure, thanks so much. >> You're welcome. And you're watching theCUBE, the leader in tech coverage. (soft music)
Richard A. Clarke, National Security & Cyber Risk Expert | Qualys Security Conference 2019
>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). 
>> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? "What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discrete cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? "How do they integrate? "What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected. 
Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. 
So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational businesses, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?" 
And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. 
There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? "What could happen? "What could a bad guy do to you "that matters to your company?" 
'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the space develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network. 
So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)
Bart Murphy, York Risk Services | ServiceNow Knowledge16
>> Live from Las Vegas, it's theCUBE, covering Knowledge16, brought to you by ServiceNow. Now here are your hosts, Dave Vellante and Jeff Frick. >> Welcome back to Knowledge16, everybody. This is theCUBE, SiliconANGLE's flagship product. We go out to the events. We extract the signal from the noise. Bart Murphy is here. He's the CTO of York Risk Services Group. Bart, good to see you again. Good to see you. But thank you for having me. So what's been going on this week? Busy week. What you been doing this week has >> been busy. I've been doing a couple different things. One on the CIO Decisions track, you know, collaborated on with those folks and getting some sessions in from ServiceNow and then on the partner side. You know, talking to customers, checking out and enjoying the keynotes and seeing what's new on the platform. Very exciting. >> Did you see Secretary Gates last night? We were, unfortunately, >> got pulled out for a call, so I >> think that's the >> one thing I did miss. You >> want to call me on that? One of the things he said, which I want to ask you about a former CEO. See XO now? Hey, said that consensus management don't bother now speaking to watch the CEO's as the CEO, yeah, it's a >> challenge. I think, you know, there's one component that you have to devise a strategy that, you know, is sound, and you have to have some resolve to help sell it. So I see that component of it. But the other is to sell that vision and get other people bought in. So, you know, I think there is a consensus component from that, certainly from the executive team. And then you have to go sell it to your organization as well. And I think that truly doesn't come from just talking about the vision or the business case. It's from actually delivering the software and delivering the services and doing it on an incremental basis that allows them to see and gain value from that, that that's what you build your credibility up on. And I think then that's what helps sell it. 
>> So you've gone through a few changes personally, your company. So take us through the CareWorks acquisition. Sure, so >> CareWorks Family of Companies was acquired by York Risk Services Group, so we're now part of a larger organization and national organization. Although CareWorks itself had a few of the companies that had national footprint, a majority of them were primarily based in Ohio. So strategically great fit, a great company. I moved into the corporate CTO role about, oh, a year, year and a half after the acquisition, and I've been really trying to build out the entire enterprise strategy from an IT perspective because they just, they had procured a lot of, acquired a lot of companies over a two to three year time span. And so we need to really invest a lot of time on what the future state of IT is going to look like. >> So it's interesting, gone from CEO to CTO. People talk, coming to theCUBE to talk about the role of the CIO. He'll talk about all the time, and there'd been someone put forth the notion that the CEO eventually is going to have to choose a path, technical path or business path. You know, maybe both at different times. Do you subscribe to that, or do you see the CEO role is continuing on as we've known it? Yeah, >> we don't have a separate CIO and CTO. I oversee the including operations. To me from a title perspective, I just want to have the organization view that that role is part of innovation. We have a chief innovation officer as well, but from a technology perspective, I think it's very difficult to run operations if you don't have a good grasp for the technology in the platform. So regardless of the role or title that they gave me, I think it's more about what are you managing on? And I don't want to ever be broken up between sort of a CTO role that may be more focused on newer technology projects and then a CIO only based on building our run methods. 
I want to make sure that those organizations are always combined because you're going to build much better software if you also have to support it. We also want to make sure that the automation is in place so that we have our support organization in mind when we actually deploy new platforms, new applications, new systems. >> So you see yourself as a software company. >> You know we do. We're in the risk services business, so we are a services provider to carriers, to large self-insureds, to large claims organizations. So we see ourselves, a lot of what we do is differentiated by our technology. Whether that's, you know, better business process outsourcing functions or ability to do bill review faster, more accurately. So our CEO definitely sees us as a technology company, and that's why there's a lot of investment in time being put into sort of build out what that future state of IT is going to look like. >> What do you do with ServiceNow these days? How did the acquisition affect that and where you had it? >> Well, so we just went live with York Risk Services Group on ServiceNow's platform on Geneva, and that's actually a separate production instance that we have with CareWorks. So we deployed the CareWorks instance in early 2011, late 2010 in that time frame, and there were, you know, there's a ton of customization, a lot, you know, very solid platform for that family of companies. With the York, there's a much larger scope that we wanted to address, so very lucky again to be in that situation because I had an opportunity to start a redo, and any time that you worked on a platform and you do it for a few years and then you get a chance to actually build again. So we really took more of an enterprise ITIL out-of-the-box type of approach so that it could be flexible enough to manage across the entire enterprise, including all the acquired companies that we plan to pull onto the platform. 
And then that gives us time to figure out what was really the best out of our other platform that we want to, you know, retrofit back in. But the main reason I did that is to make sure that we could get some benefit out of the platform now and work and migrate into the business shared services functions within York that I think we're going to benefit very, very much from the new platform. >> So you've got a mulligan of sorts a little bit. >> Yeah, I got lucky on that, on a little bit of the mulligan. And, you know, again, it's all about trying to make sure that we can come in and we just went live. You know, we're gonna have our challenges, like with any organizational change management solution, even just on the same side. But the cadence in which we're putting out releases to actually improve and bring on other shared services functions, I think, is where we will gain the majority of buy-in. >> So this notion here talked about a lot at this conference. The single CMDB, yeah, is that something that you're able to achieve or working toward? Are you there? And absolutely, it's the goal. >> I mean, I don't know if you ever achieve it. I think it does take a lot of time. So the goal is to have everything in one platform for all of our companies across the board and to help facilitate automation, whether it's with GRC, with the new security product that's coming out, which is, you know, something we're looking to get deployed in Q3, Q4, hopefully sooner rather than later. I just see there's a bunch of play on the automation orchestration side as it relates to tying in and tying an audit. Tien and Security on then also looking at business shared services and you know that's a whole different world of figuring out how can we help them? And we have ah operations service and are actually part of our next release. So I'll be very interested to see. You know, they do a lot of things manually like everybody does. 
He'll be very keen to see how they see the platform and what they're going to come up with as a strategy long term for them. >> So you mentioned a couple times that York's made a number of acquisitions, your company included, and don't give any forward-looking statements. Obviously, they're going to keep rolling up more things. But if you could speak to using ServiceNow as a vehicle to better integrate acquisitions, yeah, because for a lot of companies, that's a strategy. >> Yes, so and I actually have a strategy around that. Leveraging the platform is one of the main reasons that want to get it in now so that it could eventually build that. My whole goal there is to leverage Performance Analytics, and the way that I envisioned using that is, in many of the companies that we acquire, they will operate still stand alone from an IT perspective for some period of time. You know, whether that's six months, three months, two years until we can fully integrate them, whether it's network, you know, systems consolidation, you name it. It takes a long time. It's not something that we have solved. So part of it is to be able to do modeling using Performance Analytics by pulling in the data so I can get them now onto this cloud platform because they don't need to be on network. I can have them operating their work within that platform for a period of a baseline period of time. And I could start to model that using Performance Analytics to say, how would that impact our enterprise SLAs? Does it help our enterprise SLAs? Does it degrade our enterprise SLAs? Are they staffed appropriately to actually meet our enterprise SLAs, and what are our enterprise SLAs, once we start collecting all this data based on how we're staffed and how we're going to, you know, fund that transaction. So, >> Bart, if I understood it correctly, you have the dual role CEO slash CTO. Okay, is that there's the CSO report into you are he does. 
I saw Also he >> does. And so that's a new role that we established about a little less than a year ago. There was a VP of corporate security. But we didn't have a chief information security officer. So we've now got a very seasoned CISO and working not only as an internal, what we do internally. Also within our tech company as well. We started a cybersecurity practice. So everything we do, we try to make sure that we can actually support our technology investments from an enterprise perspective and be able to self serve ourselves as an enterprise. So very excited about that. That's why we're getting to the security components and some other products that we think will integrate extremely well into ServiceNow. >> Let's talk about that a little bit. I want to put forth the premise. You tell me, feel free to tell me the premise doesn't hold water. But it seems to us that there's been a shift in thinking about security from we'll focus on, you know, defense, defense, defense to one of, you know, we're going to get infiltrated. It's all about how we respond and I as the sea xo Whatever. See so CEO Seo, I can help lead that response. It's mechanism, but it's a team sport. Is that a valid premise? >> I think it's valid. I think, you know, I think it's a little, it is driving some change via fear. But, you know, I think that, you know, is certainly from an external perspective can protect yourself pretty well. You know, a lot of the breaches were actually curve, and some of the cases were internal or through third party partners. So I think there's been a lot of additional due diligence being put on organization, especially as a service organization. We work with a lot of large insurance carriers as an example. So we are getting hit with a lot more requests and a lot more sort of assessments on what our controls are in that space. 
So we need to be mature, and that's based no matter what, since again, we're providing services to clients in this space, and we're collecting a good amount of claim data and bill data and medical data. So I'm not as going out saying okay, just when it's gonna happen and how we handle breach. If that's the case, I'm trying to figure out what are the ways that we can proactively manage our environment and be able to respond in a much faster fashion to isolate an issue as quickly as possible, which is why I'm really excited about the automation and security component within ServiceNow because properly integrated with similar tools that we have, there's a lot that the system can do that a human can't get to fast enough that will actually shut down to manage that risk extremely well. >> Do you believe that the board level, there's sort of open and transparent communication that it's not about if we get infiltrated, it's we have been infiltrated and we will continue to be infiltrated. That discussion occur. >> I think, yeah, the board level. They're certainly more aware, and not just from their participation in our board for the companies that they run themselves, because many of these folks come from companies that they run themselves. So I think there's certainly an awareness. I think they're demanding and wanting to have more concrete plans on what your corporate security strategy is going to be. So we've produced a three year plan on what that is and presented that our committee and are starting to communicate that all the way up, you know, through our CEO. So I think there's more awareness. I think that for whatever reason, people think that IT hasn't been working on this for some time, but they have. So, you know, there's a lot of good things that we've already done and already put in place that people just need to be made aware of it and get up to speed if you will. And then there's. 
Here's what we're doing to invest in trying to stop future things or to be more proactive or to have better controls, better audit practices, this type of >> What's the right regime for cyber security? In other words, who should be responsible? Should it be a single tech group? Should it be a wider group? What responsibility? >> And no, it's by committee. So our committee included, you know, our general counsel, our CEO, our chief human resource officer, our CEO. So it's a joint effort. Certainly there's a large component of it because many of it is about your defenses and your ability to manage and maintain and keep your data secure. But security is a company wide initiative. You know, everything from training all the way down to the associate level to not, you know, click on bad email links, right? No matter what you do and what type of antivirus you have, you're still going to get some of those phishing emails and some of those ransomware emails and those type of components. So there's a whole education component that goes all the way down to the associate level. If that's not understood by the management over those groups, then, you know, how is it going to actually be distilled down and supported? So it's a complete company effort when it comes to corporate security. >> And how about the business lines? Because our research shows that a lot of organizations don't you don't even have the specifically answer for your organization. Just in your experience is the CEO and the CEO. If it seems as though a lot of businesses don't understand the value of their data or the value of their IP, and as a result, don't really know how to protect it, is that something that is challenging for organizations?
>> I think it is, at least when I've talked to other clients, potentially. I think less today than it was even five years ago. We certainly know the value of our data. I mean, there's been too many breaches in the large breaches in the past three years to not be aware. I have had that question asked of you on, even for a business perspective, understand the exposure. So you know they, what is that? Hundred fifty, hundred twenty five dollars per claim? Potentially on the data side. So people even put metrics around it, so you can quickly go through and establish what you think your overall exposure is from a dollar perspective, and that starts to, you know, open eyes when you have millions of claims, or even more millions of bills. >> And that's your business. So you would think you have a better understanding everything most. But so for those who don't, how should they go about achieving that knowledge? That awareness? >> They should find someone that, you know, maybe some type of trusted advisor. You know, whether they need to hire a consulting company, whether they need to go and just converse with another group like a CEO group and ask, hey, have you guys done this before? There's a ton of collaboration at that level where people are asking, hey, how did you guys come up with your security roadmap and what did that look like? >> Because the value then drives your investment decisions, right? Because that's the other thing, it's kind of like insurance. When is enough enough? You could always spend more, but at some point you're gonna have diminishing returns relative to the value. But you've gotta have a basis to set a budget. So I would imagine the value of the data, the value of the risk, whether it's >> Value, brand, right? So outside of the hard costs of potentially, you know, getting credit rating or those type of components, you know, there's the brand discussion, and I think that's somewhat invaluable. So, you know, budgets are just over. Go spend what you want, but there's certainly a lot of awareness that money needs to be spent in that area. 
It needs to be spent wisely, but there hasn't been an issue as to either one. We're coming up with wild budgets for security but explaining what we're doing and why, and how cost effectively we're doing it, has been very well >> In thinking about how you communicate to the board, yeah, about cyber security, what would be the top two or three things that you would recommend that a CXO should have on his or her checklist? >> One is, you know, understanding all your endpoints, so understanding everything that's in your network. And it's easy to say, but it's a very hard thing to do, especially when you have external facing applications. And you have a lot of different networks, so understanding your scope of devices and understand, you know, that way you could understand, to start to collect and fill up that CMDB and understand, okay, if I have a patch that wasn't applied, how many devices were impacted? You know, how quickly can I get those remediated? So, you know, I think understanding the technical scope of your organization is important because it's very difficult to understand your risks, you know, rating, if you will, if you don't understand the tools you have in place and where your potential holes may be, and then understanding, you know, your core data. So, you know, what is in your data that would potentially create a potential risk, even a financial risk? Certainly we go through all the insurance process, right? And even insurance now, for cyber liability insurance, you know, the forms from five years ago were much different than the forms that are being filled out today. Much different. A lot more detail, a lot more drill down. So even just going through that process alone drives you to actually go and collect all this information that I'm talking about today, you know, so understanding your internal environment and understanding, you know, those endpoints, understanding the scope of your data management. 
And then I think it's around developing a sound strategy that is not just short term but short term and long term, with investments not just in tools, but also processes, training, those components. >> Did you look at security and responding to security as part of business continuity, as opposed to sort of a bespoke initiative? >> It is. There's business continuity and DR, both have components of security, but it is truly a way to ensure that you stay in business, right? And if people don't view it that way, then there's a lot of organizations that have been either crippled, not necessarily put out of business but impacted extremely large, you know, financial impact with unmanaged breaches that actually went on way too long, right? And they weren't able to detect it, you know? So I think that there's a component there where you have to really think about what's the scope of the work, what's the scope of the risk and how much do we need to invest? >> And you see ServiceNow. And I'm spending so much time in security this week because I'm excited about what I saw on Monday at the financial analyst meeting and who, talking to folks about this very important topic, you see ServiceNow as playing a role in solving this problem. >> I do, because we're a big user of GRC. So we already went down the audit route with ServiceNow years ago. So this is just another extension I see of not just audit controls but being more proactive on the security side. And so, since all of our information is in this platform anyhow, we have a ton of opportunity to automate and manage a lot of the things that again could have potentially gone unnoticed for a period of time simply because of manpower or logs. If you ever had to review logs from some of these devices, I mean, trying to find the needle in the haystack is very difficult. So tools are extremely important in this space. Humans cannot meet this challenge alone at all. >> You just make a tad cloud. 
You wish, right? Awesome. Bart, I'll give you the last word, so your impressions on Knowledge16. >> I'm excited. You know, the way it's grown, again, the way that they're really being purposeful about how they're building out their platform and truly trying to solve the enterprise problems to me is just, it shows a very strategic, well thought out plan by ServiceNow. And as customers, you know, and partners, you know, that's what you want to see from a company. So for me, I'm just very pleased where the platform's going. It's exciting how much they've grown. But the way that they've been able to invest in the right things, I feel, and truly integrate things into the platform, even acquisitions that they had, and truly make it part of the platform versus an add-on, I think, is really differentiating them from a lot of products that have grown in a similar manner but become unwieldy to manage because they're just pieced together. So I'm very, very excited. >> Fantastic. theCUBE securing knowledge for our audience that Bart, you have full of a lot of knowledge and really appreciate you coming on theCUBE and sharing. >> Yeah, appreciate it. Nice seeing you guys. >> All right, keep it right there, everybody. We'll be back with our next guests right after this. We're live, Knowledge16, from the Mandalay Bay Hotel in Las Vegas, right back. >> Every once in a while.
SiliconANGLE Report: Reporters Notebook with Adrian Cockcroft | AWS re:Invent 2022
(soft techno upbeat music) >> Hi there. Welcome back to Las Vegas. This is Dave Vellante with Paul Gillin. re:Invent day one and a half. We started last night, Monday, theCUBE after dark. Now we're going wall to wall. Today. Today was of course the big keynote, Adam Selipsky, kind of the baton now handing, you know, last year when he did his keynote, he was very new. He was sort of still getting his feet wet and finding his guru swing. Settling in a little bit more this year, learning a lot more, getting deeper into the tech, but of course, sharing the love with other leaders like Peter DeSantis. Tomorrow's going to be Swami in the keynote. Adrian Cockcroft is here. Former AWS, former network Netflix CTO, currently an analyst. You got your own firm now. You're out there. Great to see you again. Thanks for coming on theCUBE. >> Yeah, thanks. >> We heard you on at Supercloud, you gave some really good insights there back in August. So now as an outsider, you come in, obviously, you got to be impressed with the size and the ecosystem and the energy. Of course. What were your thoughts on, you know, what you've seen so far, today's keynotes, last night Peter DeSantis, what stood out to you? >> Yeah, I think it's great to be back at re:Invent again. We're kind of pretty much back to where we were before the pandemic sort of shut it down. This is a little, it's almost as big as the largest one that we had before. And everyone's turned up. It just feels like we're back. So that's really good to see. And it's a slightly different style. I think there was more sort of video production things happening. I think in this keynote, more storytelling. I'm not sure it really all stitched together very well. Right. Some of the stories like, how does that follow that? So there were a few things there, and there were spelling mistakes on the slides, you know, that ELT instead of ETL and they spelled ZFS wrong and something. 
So it just seemed like there was, I'm not quite sure, just maybe a few things were sort of rushed at the last minute. >> Not really AWS like, was it? It kind of reminds me of the Patriots, Paul. You know, Bill Belichick's teams are fumbling all over the place. >> That's right. That's right. >> Part of it may be, I mean, the sort of the market. They have a leader in marketing right now but they're going to have a CMO. So that's sort of maybe a lack of a single threaded leader for this thing. Everything's being shared around a bit more. So maybe, I mean, it's all fixable and it's minor. This is minor stuff. I'm just sort of looking at it and going, there's a few things that looked like they were not quite as good as they could have been in the way it was put together. Right? >> But I mean, you're taking a, you know, a year of not doing re:Invent. Yeah. Being isolated. You know, we've certainly seen it with theCUBE. It's like, okay, it's not like riding a bike. You know, things that, you know, you got to kind of relearn the muscle memories. It's more like golf than it is bicycle riding. >> Well, I've done AWS keynotes myself. And they are pretty much scrambled. It looks nice, but there's a lot of scrambling leading up to when it actually goes. Right? And sometimes you can, you sometimes see a little kind of the edges of that, and sometimes it's much more polished. But you know, overall it's pretty good. I think Peter DeSantis' keynote yesterday was a lot of really good meat there. There was some nice presentations, and some great announcements there. And today I was, I thought I was a little disappointed with some of the, I thought they could have been more. I think the way Andy Jassy did it, he crammed more announcements into his keynote, and Adam seems to be taking sort of a bit more of a measured approach. There were a few things he picked up on and then I'm expecting more to be spread throughout the rest of the day. >> This was more poetic. Right? 
He took the universe as the analogy for data, the ocean for security. Right? The Antarctic was sort of. >> Yeah. It looked pretty, >> yeah. >> But I'm not sure that was like, we're not here really to watch nature videos. >> As analysts and journalists, you're like, come on. >> Yeah, >> Give it the meat. >> That was kind of the thing, yeah. >> It has always been, AWS has always been, re:Invent has always been a shock and awe approach. 100, 150 announcements. And they're really, that kind of pressure seems to be off them now. Their position at the top of the market seems to be unshakeable. There's no clear competition that's creeping up behind them. So how does that affect the messaging you think that AWS brings to market when it doesn't really have to prove that it's a leader anymore? It can go after maybe more of the niche markets or fix the stuff that's a little broken, more fine tuning than grandiose statements. >> I think so. AWS for a long time was so far out that they basically said, "We don't think about the competition, we listen to the customers." And that was always the statement that works as long as you're always in the lead, right? Because you are introducing the new idea to the customer. Nobody else got there first. So that was the case. But in a few areas they aren't leading. Right? You could argue in machine learning, not necessarily leading in sustainability. They're not leading and they don't want to talk about some of these areas and-- >> Database. I mean arguably, >> They're pretty strong there, but the areas when you are behind, it's like they kind of know how to play offense. But when you're playing defense, it's a different set of game. You're playing a different game and it's hard to be good at both. I think, and I'm not sure that they're really used to following somebody into a market and making a success of that. So there's something, it's a little harder. Do you see what I mean? >> I get opinion on this. 
So when I say database, David Floyer, two years ago, predicted AWS is going to have to converge somehow. They have no choice. And they sort of touched on that today, right? Eliminating ETL, that's one thing. But Aurora to Redshift. >> Yeah. >> You know, end to end. I'm not sure it's totally, they're fully end to end. >> That's a really good, that is an excellent piece of work, because there's a lot of work that it eliminates. There are clear pain points, but then you've got sort of the competing thing, is like the MongoDB and it's like, it's just a way with one database keeps it simple. >> Snowflake, >> Or you've got on Snowflake maybe, you've got all these 20 different things you're trying to integrate at AWS, but it's kind of like you have a bag of Lego bricks. It's my favorite analogy, right? You want a toy for Christmas, you want a toy Formula One racing car, since that seems to be the theme, right? >> Okay. Do you want the fully built model that you can play with right now? Or do you want the Lego version that you have to spend three days building? Right? And AWS is the Lego technique thing. You have to spend some time building it, but once you've built it, you can evolve it, and you'll still be playing, those are still good bricks years later. Whereas that prebuilt toy is probably broken, gathering dust, right? So there's something about having an evolvable architecture which is harder to get into, but more durable in the long term. And so AWS tends to play the long game in many ways. And that's one of the elements that they do that and that's good, but it makes it hard to consume for enterprise buyers that are used to getting it with a bow on top. And here's the solution. You know? >> And Paul, that was always Andy Jassy's answer to when we would ask him, you know, all these primitives, you're going to make it simpler. You see the primitives give us the advantage to turn on a dime in the marketplace. And that's true. >> Yeah. 
So you're saying, you know, you take all these things together and you wrap it up, and you put a Snowflake on top, and now you've got a simple thing, or a Mongo or Mongo Atlas or whatever. So you've got these layered platforms now which are making it simpler to consume, but now you're kind of, you know, you're all stuck in that ecosystem, you know, so it's like what layer of abstractions do you want to tie yourself to, right? >> Databricks coming at it from more of an open source approach. But it's similar. >> We're seeing Amazon direct more into vertical markets. They spotlighted what Goldman Sachs is doing on their platform. They've got a variety of platforms that are supposedly targeted, custom built for vertical markets. How successful do you see that play being? Is this something that the customers you think are looking for, a fully integrated Amazon solution? >> I think so. There's usually, if you look at, you know, the MongoDB or DataStax, or the other sort of, or Elastic, you know, they've got the specific solution with the people that really are developing the core technology, there's open source equivalent version that AWS is running, and it's usually maybe they've got a price advantage or it's, you know, there's some data integration in there or it's somehow easier to integrate, but it's not stopping those companies from growing. And what it's doing is it's endorsing that platform. So if you look at the collection of databases that have been around over the last few years, now you've got basically Elastic, Mongo and Cassandra, you know, the DataStax, as being endorsed by the cloud vendors. These are winners. They're going to be around for a very long time. You can build yourself on that architecture. But what happened to Couchbase and, you know, a few of the other ones, you know, they don't really fit. Like how you going to bait? If you are now becoming an also ran, because you didn't get cloned by the cloud vendor. 
So the customers are going, is that a safe place to be, right? >> But isn't it, don't they want to encourage those partners though in the name of building the marketplace ecosystem? >> Yeah. >> This is huge. >> But certainly the platform, yeah, the platform encourages people to do more. And there's always room around the edge. But the mainstream customers, like, that really like spending the good money, are looking for something that's got a long term life to it. Right? They're looking for a long commitment to that technology and that it's going to be invested in and grow. And the fact that the cloud providers are adopting, and particularly AWS is adopting, some of these technologies means that is a very long term commitment. You can base, you know, you can bet your future architecture on that for a decade probably. >> So they have to pick winners. >> Yeah. So it's sort of picking winners. And then if you're the open source company that's now got AWS turning up, you have to then leverage it and use that as a way to grow the market. And I think Mongo have done an excellent job of that. I mean, they're top level sponsors of re:Invent, and they're out there messaging that and doing a good job of showing people how to layer on top of AWS and make it a win-win both sides. >> So ever since we've been in the business, you hear the narrative hardware's going to die. It's just, you know, it's commodity and there's some truth to that. But hardware's actually driving good gross margins for the Ciscos of the world. Storage companies have always made good margins. Servers maybe not so much, 'cause Intel sucked all the margin out of it. But let's face it, AWS makes most of its money, we know, on compute; it's got 25 plus percent operating margins depending on the seasonality there. What do you think happens long term to the infrastructure layer discussion? Okay, commodity cloud, you know, we talk about supercloud. 
Do you think that AWS, and the other cloud vendors, that infrastructure, IaaS, gets commoditized and they have to go up market, or you see that continuing? I mean, history would say that still good margins in hardware. What are your thoughts on that? >> It's not commoditizing, it's becoming more specific. We've got all these accelerators and custom chips now, and this is something, this almost goes back. I mean, I was with Sun Microsystems 20, 30 years ago and we developed our own chips and HP developed their own chips and SGI MIPS, right? We were like, the architectures were all squabbling of who had the best processor chips and it took years to get chips that worked. Now if you make a chip and it doesn't work immediately, you screwed up somewhere, right? It's become the technology of building these immensely complicated powerful chips that has become commoditized. So the cost of building a custom chip is now getting to the point where Apple and Amazon, your Apple laptop has got full custom chips, your phone, your iPhone, whatever, and you're getting Google making custom chips and we've got Nvidia now getting into CPUs as well as GPUs. So we're seeing that the ability to build a custom chip is becoming something that everyone is leveraging. And the cost of doing that is coming down so startups are doing it. So we're going to see many, many more, much more innovation I think, and this is like Intel and AMD are, you know, they've got the compatibility legacy, but the most powerful, most interesting new things I think are going to be custom. And we're seeing that with Graviton3 in particular, in the 3E that was announced last night with like 30, 40%, whatever it was, more performance for HPC workloads. And that's, you know, the HPC market is going to have to deal with cloud. I mean they are starting to, and I was at Supercomputing a few weeks ago and they are tiptoeing around the edge of cloud, but those supercomputers are water cooled. They are monsters. 
I mean you go around Supercomputing, there are plumbing vendors on the booth. >> Of course. Yeah. >> Right? And they're highly concentrated systems, and that's really the only difference, is like, is it water cooled or air cooled? The rest of the technology stack is pretty much off the shelf stuff with a few software tweaks. >> Your point about, you know, the chips and what AWS is doing. The Annapurna acquisition. >> Yeah. >> They're on a dramatically different curve now. I think it comes down to, again, David Floyer's premise, really comes down to volume. The Arm wafer volumes are 10x those of x86, volume always wins. And the economics of semis. >> That kind of got us there. But now there's also RISC-V coming along, in terms of licensing is becoming one of the bottlenecks. Like if the cost of building a chip is really low, then it comes down to licensing costs and do you want to pay the Arm license? And RISC-V is an open source chip set which some people are starting to use for things. So your disk controller may have a RISC-V in it, for example, nowadays, those kinds of things. So I think that's kind of the dynamic that's playing out. There's a lot of innovation in hardware to come in the next few years. There's a thing called CXL, Compute Express Link, which is going to be really interesting. I think that's probably two years out, before we start seeing it for real. But it lets you glue together an entire rack in a very flexible way. So just, and that's the entire industry coming together around a single standard, the whole industry except for Amazon, in fact, just about. >> Well, but maybe I think eventually they'll get there. Don't use system on a chip CXL. >> I have no idea whether, I have no knowledge about whether they're going to do anything with CXL. >> Presuming I'm not trying to tap anything confidential. It just makes sense that they would do a system on chip. It makes sense that they would do something like CXL. 
Why not adopt the standard, if it's going to be as the cost. >> Yeah. And so that was one of the things out of zip computing. The other thing is the low latency networking with the Elastic Fabric Adapter, EFA, and the extensions to that that were announced last night. They doubled the throughput. So you get twice the capacity on the Nitro chip. And then the other thing was this, this is a bit technical, but this scalable datagram protocol that they've got which basically says, if I want to send a message, a packet from one machine to another machine, instead of sending it over one wire, I can send it over 16 wires in parallel. And I will just flood the network with all the packets and they can arrive in any order. This is why it isn't done normally. TCP is in order, the packets come in order, they're supposed to, but this is fully flooding them around with its own fast retry and then they get reassembled at the other end. So they're not just using this now for HPC workloads. They've turned it on for TCP for just without any change to your application. If you are trying to move a large piece of data between two machines, and you're just pushing it down a network, a single connection, it takes it from five gigabits per second to 25 gigabits per second. A five x speed up, with a protocol tweak that's run by the Nitro, this is super interesting. >> Probably want to get all that AI/ML, that stuff is going on. >> Well, the AI/ML stuff is leveraging it underneath, but this is for everybody. Like you're just copying data around, right? And you're limited, "Hey, this is going to get there five times faster, pushing a big enough chunk of data around." So this is turning on gradually as the Nitro five comes out, and you have to enable it at the instance level. But it's a super interesting announcement from last night. >> So the bottom line bumper sticker on commoditization is what? >> I don't think so. I mean what's the APIs? 
You're Arm compatible, you're Intel x86 compatible or you're maybe RISC-V one day compatible in the cloud. And those are the APIs, right? That's the commodity level. And the software is now, the software ecosystem is super portable across those as we're seeing with Apple moving from Intel to it's really not an issue, right? The software and the tooling is all there to do that. But underneath that, we're going to see an arms race between the top providers as they all try and develop faster chips for doing more specific things. We've got Trainium for training, that instance has they announced it last year with 800 gigabits going out of a single instance, 800 gigabits or no, but this year they doubled it. Yeah. So 1.6 terabytes out of a single machine, right? That's insane, right? But what you're doing is you're putting together hundreds or thousands of those to solve the big machine learning training problems. These super, these enormous clusters that they're being formed for doing these massive problems. And there is a market now, for these incredibly large supercomputer clusters built for doing AI. That's all bandwidth limited. >> And you think about the timeframe from design to tape out. >> Yeah. >> Is just getting compressed. It's relative. >> It is. >> Six is going the other way >> The tooling is all there. Yeah. >> Fantastic. Adrian, always a pleasure to have you on. Thanks so much. >> Yeah. >> Really appreciate it. >> Yeah, thank you. >> Thank you Paul. >> Cheers. All right. Keep it right there everybody. Don't forget, go to thecube.net, you'll see all these videos. Go to siliconangle.com, we've got features with Adam Selipsky, we got my breaking analysis, we have another feature with MongoDB's Dev Ittycheria, Ali Ghodsi, as well Frank Slootman tomorrow. So check that out. Keep it right there. You're watching theCUBE, the leader in enterprise and emerging tech, right back. (soft techno upbeat music)
Satish Puranam & Rebecca Riss, Ford | KubeCon + CloudNativeCon NA 2022
(bright music) (crowd talking indistinctly in the background) >> Hey guys, welcome back to Detroit, Michigan. theCUBE is live at KubeCon + CloudNativeCon 2022. You might notice something really unique here. Lisa Martin with our newest co-host of theCUBE, Savannah Peterson! Savannah, it's great to see you. >> It's so good to be here with you (laughs). >> I know, I know. We have a great segment coming up. I always love talking couple things, cars, one, two, with companies that have been around for a hundred plus years and how they've actually transformed. >> Oh yeah. >> Ford is here. You have a great story about how you, about Ford. >> Ford brought me to Detroit the first time. I was here at the North American International Auto Show. Some of you may be familiar, and the fine folks from Ford brought me out to commentate just like this, as they were announcing the Ford Bronco. >> Satish: Oh wow. >> Which I am still lusting after. >> You don't have one yet? >> For the record. No, I don't. My next car's got to be an EV. Although, ironically, there's a Ford EV right behind us here on set today. >> I know, I know. >> Which we were both just contemplating before we went live. >> It's really shiny. >> We're going to have to go check it out. >> I have to check it out. Yep, we'll do that. Yeah. Well, please welcome our two guests from Ford, Satish Puranam, is here, The Technical Leader at Cloud and Rebecca Riss, Principal Architect, developer relations. We are so excited to have you guys on the program. >> Clearly. >> Thanks for joining us. (all laugh) >> Thank you for having us. >> I love you're Ford enthusiasts! Yeah, that's awesome. >> I drive a Ford. >> Oh, awesome! Thank you. >> I can only say that's one car company here. >> That's great. >> Yes, yes. >> Great! Thank you a lot. >> Thank you for your business! >> Absolutely. 
(all laugh) >> So, Satish, talk to us a little bit about- I mean I think of Cloud as a car company but it seems like it's a technology company that makes cars. >> Yes. Talk to us about Ford as a Cloud first, technology driven company, and then we're going to talk about what you're doing with Red Hat and Boston University. >> Yeah, I'm like everything that all these cars that you're seeing, beautiful right behind us it's all built on, around, and with technology, right? So there's so much code goes into these cars these days, it's probably, it's mind boggling to think that probably your iPhones might be having less code as opposed to these cars. Everything from control systems, everything is code. We don't do any more clay models. Everything is done digital, 3D, virtual reality and all that stuff. So all that takes code, all of that takes technology. And we have been in that journey for the last- since 2016 when we started our first mobile app and all that stuff. And of late we have been like, heavily invested in Google. Moving a lot of these experiences, data acquisition systems AI/ML modeling for like all the autonomous cars. It's all technology and like from the day it is conceived, to the day it is marketed, to the day when you show up for a servicing, and hopefully soon how you can buy and you know, provide feedback to us, is all technology that drives all of this stuff. So it's amazing for us to see everything that we go and immerse ourselves in the technology. There is a real life thing that we can see what we all do for it, right? So- >> Yes, we're only sorry that our audience can't actually see the car, >> Yep. >> but we'll get some B-roll for you later on. Rebecca, talk a little bit about your role. Here we are at KubeCon, Savannah and I and John were talking when we went live this morning, that this is huge. That the show floor is massive, a lot bigger than last year. 
The collaboration and the spirit of the community is not only alive and well, as we heard in the keynote this morning, it's thriving. >> Yeah. >> Talk about developer relations at Ford and what you are helping to drive in your role. >> Yeah, so my team is all about helping developers work faster with different platforms that my team curates and produces, so that our developers don't have to deal with all of the details of setting up their environments to actually code. And we have really great people, kind of the top software developers in the company, are part of my team to produce those products that other people can use, and accelerate their development. And we have a great relationship with the developers in the company and outside with the different vendor relationships that we have, to make sure that we're always producing the next platform with the next tech stack that our developers will want to continue to use to produce the really great products that we are all about making at Ford. >> Let's dig in there a little bit because I'm curious and I suspect you both had something to do with it. How did you approach your Cloud Native transformation and how do you evaluate new technologies for the team? >> It's sometimes- many a times I would say it's like dogfooding and like experimentation. >> Yeah. Isn't anything in innovation a lot of- >> Yeah, a lot of experimentation. We started our, as I said, the Cloud Native journey back in 2016 with Cloud Foundry and things, technologies around that. Soon realized, that there was like a lot of buzz around that time. Twelve-Factor was a thing, Stateless was a thing. And then all those Stateful needs to drive the Stateless. So where do we do that thing? And the next logical iteration was Kubernetes was bursting upon the scene at that time. So we started doing a lot of experimentation. >> Like the Kool-Aid man, burst on the Kubernetes scene- >> Exactly right. >> Through the wall. 
>> So, the question is like, why can't we do? I think we were like crazy enough to say that Kubernetes people are talking about our serverless or Twelve-Factor on Kubernetes. We are crazy enough to do Stateful on Kubernetes and we've been doing it successfully for five years. So it's a lot about experimentation. I think good chunk of experiments that we do do not yield the results that we get, but many a times, some of them are like Gangbusters. Like, other aspects that we've been doing of late is like partnering with Becky and rest of the organization, right? Because they are the people who are like closest to the developers. We are somewhat behind the scenes doing some things but it is Becky and the rest of the architecture teams who are actually front and center with the customers, right? So it is the collaborative effort that we've been working through past few years that has been really really been useful and coming around and helping us to make some of these products really beautiful. >> Yeah, well you make a lot of beautiful products. I think we've all, I think we've all seen them. Something that I think is really interesting and part of why I was so excited for this interview, and kind of nudged John out, was because you've been- Ford has been investing in technology in a committed way for decades and I don't think most people are aware of that. When I originally came out to Dearborn, I learned that you've had a head of VR who happens to be a female. For what it's worth, Elizabeth, who's been running VR for you for two and a half decades, for 25 years. >> Satish: Yep. >> That is an impressive commitment. What is that like from a culture perspective inside of Ford? What is the attitude around innovation and technology? >> So I've been a long time Ford employee. I just celebrated my 29th year. >> Oh, wow! >> Congratulations! >> Wow, congrats! That's a huge deal. >> Yeah, it's a huge deal. 
I'm so proud of my career and all that Ford has brought to me and it's just a testament. I have many colleagues like me who've been there for their whole career or have done other things and come to Ford and then spent another 20 years with us because we foster the culture that makes you want to stay. We have development programs to allow you to upscale and change your role and learn new things and play with the new technologies that people are interested in doing and really make an impact to our community of developers at Ford or the company itself and the results that we're delivering. So to have that, you know, culture for so many years that people really love to work. They love to work with the people that they're working with. They love to stay engaged and they love the fact that you can have many different careers within the same umbrella, which we call the "blue oval". And that's really why I've been there for so long. I think I probably had 13 very unique and different jobs along the way. It's as if I left, and you know shopped around my skills elsewhere. But I didn't ever have to leave the company. It's been fabulous. >> The cultural change and adoption of- embracing modern technology- Cloud Native automotive software is impressive because a lot of historied companies, you guys have been there a long time, have challenges with that because it's really hard to get an entire moving, you'll call it the blue oval, to change and adapt- >> Savannah: I love that. >> and be willing to experiment. So that that is impressive. Talk about, you go by Becky, so I'll call you Becky, >> Rebecca/Becky: Yeah. >> The developer culture in terms of the developers really being the center of the nucleus of influencing the direction in which the company's going. I imagine that they probably are fairly influential. >> Yeah, so I had a very- one of the unique positions I held was a culture change for our department, Information Technology in 2016. >> Satish: Yeah. 
>> As the teacher was involved with moving us to the cloud, I was responsible- >> You are the transformation team! This is beautiful. I love this. We've got the right people on the show. >> Yeah, we do. >> I was responsible for changing the culture to orient our employees to pay attention to what do we want to create for tomorrow? What are the kind of skills we need to trust each other to move quickly. And that was completely unique. >> Satish: Yeah. >> Like I had men in the trenches delivering software before that, and then plucked out because they wanted someone, you know who had authentic experience with our development team to be that voice. And it was such a great investment that Ford continues to do is invest in our culture transformation. Because with each step forward that we do, we have to refine what our priorities are. And you do that through culture transformation and culture management. And that's been, I think really, the key to our successful pivots that we've made over the last six years that we've been able to continue to refine and hone where we really want to go through that culture movement. >> Absolutely. I think if I could add another- >> Please. >> spotlight to it is like the biggest thing about Ford has been among various startup-like culture, right? So the idea is that we encourage people to think outside the box, right? >> Savannah: Or outside the oval? >> Right! (laughs) >> Lisa: Outside the oval, yes! >> Absolutely! Right. >> So the question is like, you can experiment with various things, new technologies and you will get all the leadership support to go along with it. I think that is very important too and like we can be in the trenches and talk about all of these nice little things but who the heck would've thought that, you know Kubernetes was announced in 2015, in late 2016, we have early dev Kubernetes clusters already running. 2017, we are live with workloads on Kubernetes! >> Savannah: Early adopters over here. >> Yeah. >> Yeah. 
>> I'm like all of this thing doesn't happen without lot of foresight and support from the leadership, but it's also the grassroot efforts that is encouraged all along to be on the front end of all of these things and try different things. Some of them may not work >> Savannah: Right. >> But that's okay. But how do we know we are doing something, if you're not failing? We have to fail in order to do something, right? >> Lisa: I always say- >> So I think that's been a great thing that is encouraged very often and otherwise I would not be doing, I've done a whole bunch of stuff at Ford. Without that kind of ability to support and have an appetite for, some of those things would not have been here at all. >> I always say failure is not a bad F-word. >> Satish: Yep. >> Savannah: I love that. >> But what you're talking about there is kind of like driving this hot wheel of experimentation. You have to have the right culture and the mindset- >> Satish: Absolutely. >> to do that. Try fail, move on, learn, iterate, go. >> Satish: Correct. >> You guys have a great partnership with Red Hat and Boston University. You're speaking about that later today. >> Satish: Yes. >> Unpack that for us. What, from a technical perspective, what are you doing and what's it resulting in? >> Yeah, I think the biggest thing is Becky was talking about as during this transformation journey, is lot has changed in very small amount of time. So we traditionally been like, "Hey, here's a spreadsheet of things I need you to deliver for me" to "Here is a catalog of things, you can get it today and be successful with it". That is frightening to several of our developers. The goal, one of the things that we've been working with Kube By Example, Red Hat and all the thing, is that how can we lower the bar for the developers, right? Kubernetes is great. It's also a wall of YAML. >> It's extremely complex, number one complaint. >> The question is how can I zero on? 
I'm like, if we go back think like when we talk about in cars with human-machine interfaces, which parts do I need to know? Here's the steering wheel, here's the gas pedal, or here's the brake. As long as you know these two, three different things you should be fairly be okay to drive those things, right? So the idea of some of the things with enablementing we are trying to do is like reduce that barrier, right? Reduce- lower the bar so that more people can participate in it. >> One of the ways that you did that was Kube By Example, right, KBE? >> Satish: Yes, Yes. >> Can you tell us a little bit more about that as you finish this answer? >> Yeah, I think the biggest thing with Kube By Example is like Kube By Example gives you the small bite-sized things about Kubernetes, right? >> Savannah: Great place to start. >> But what we wanted to do is that we wanted to reinforce that learning by turning into a real world living example app. We took part info, we said, Hey, what does it look like? How do I make sure that it is highly available? How do I make sure that it is secure? Here is an example YAML of it that you can literally verbatim copy and paste into your editor and click run and then you will get an instant gratification feedback loop >> I was going to say, yeah, they feel like you're learning too! >> Yes. Right. So the idea would be is like, and then instead of giving you just a boring prose text to read, we actually drop links to relevant blog posts saying that, hey you can just go there. And that has been inspirational in terms of like and reinforcing the learning. So that has been where we started working with the Boston University, Red Hat and the community around all of that stuff. >> Talk a little bit about, Becky, about some of the business outcomes. You mentioned things like upskilling the workforce which is really nice to hear that there's such a big focus on it. 
But I imagine too, there's more participation in the community, but also from an end customer perspective. Obviously, everything Ford's doing is to serve the end customers >> Becky: Right. >> How does this help the end customer have that experience that they really, these days, demand with patience being something that, I think, is gone because of the pandemic? >> Right? Right. So one of the things that my team does is we create the platforms that help accelerate developers be successful and it helps educate them more quickly on appropriate use of the platforms and helps them by adopting the platforms to be more secure which inherently lead to the better results for our end customers because their data is secure because the products that they have are well created and they're tested thoroughly. So we catch all those things earlier in the cycle by using these platforms that we help curate and produce. And that's really important because, like you had mentioned, this steep learning curve associated with Kubernetes, right? >> Savannah: Yeah. >> So my team is able to kind of help with that abstraction so that we solve kind of the higher complex problems for them so that developers can move faster and then we focus our education on what's important for them. We use things like Kube By Example, as a source instead of creating that content ourselves, right? We are able to point them to that. So it's great that there's that community and we're definitely involved with that. But that's so important to help our developers be successful in moving as quickly as they want and not having 20,000 people solve the same problems. >> Satish: (chuckles) Yeah. >> Each individually- >> Savannah: you don't need to! >> and sometimes differently. >> Savannah: We're stronger together, you know? >> Exactly. >> The water level rises together and Ford is definitely a company that illustrates that by example. >> Yeah, I'm like, we can't make a better round wheel right? >> Yeah! 
So, we have to build upon what we have already been built ahead of us. And I think a lot of it is also about how can we give back and participate in the community, right? So I think that is paramount for us as like, here we are in Detroit so we're trying to recruit and show people that you know, everything that we do is not just old car and sheet metal >> Savannah: Combustion. >> and everything and right? There's a lot of tech goes and sometimes it is really, really cool to do that. And biggest thing for us is like how can we involve our community of developers sooner, earlier, faster without actually encumbering them and saying that, hey here is a book, go master it. We'll talk two months later. So I think that has been another journey. I think that has been a biggest uphill challenge for us is that how can we actually democratize all of these things for everybody. >> Yeah. Well no one better to try than you I would suspect. >> We can only try and hope everything turns out well, right? >> You know, as long as there's room for the bumpers on the lane for if you fail. >> Exactly. >> It sounds like you're driving the program in the right direction. Closing question for you, what's next? Is electric the future? Is Kubernetes the future? What's Ford all in on right now, looking forward? (crowd murmuring in the background) >> Data is the king, right? >> Savannah: Oh, okay, yes! >> Data is a new currency. We use that for several things to improve the cars improve the quality of autonomous driving Is Level 5 driving here? Maybe will be here soon, we'll see. But we are all working towards it, right? So machine learning, AI feedback. How do you actually post sale experience for example? So all of these are all areas that we are working to. We are, may not be getting like Kubernetes in a car but we are putting Kubernetes in plants. Like you order a Marquis or you order a Bronco, you see that here. Here's where in the assembly line your car is. It's taking pictures. 
It's actually taking pictures on Kubernetes platform. >> That's pretty cool. >> And it is tweeting for you on the Twitter and the social media platform. So there's a lot of that. So it is real and we are doing it. We need more help. A lot of the community efforts that we are seeing and a lot of the innovation that is happening on the floor here, it's phenomenal. The question is how we can incorporate those things into our workflows. >> Yeah, well you have the right audience for that here. You also have the right attitude, >> Exactly. >> the right appetite, and the right foundation. Becky, last question for you. Top three takeaways from your talk today. If you're talking to the developer community you want to inspire: Come work for us! What would you say? >> If you're ready to invest in yourself and upskill and be part of something that is pretty remarkable, come work for us! We have many, many different technical career paths that you can follow. We invest in our employees. When you master something, it's time for you to move on. We have career growth for you. It's been a wonderful gift to me and my family and I encourage everyone to check us out careers.ford.com or stop by our booth if you're happen to be here in person. >> Satish: Absolutely! >> We have our curated job openings that are specific for this community, available. >> Satish: Absolutely. >> Love it. Perfect close. Nailed pitch there. I'm sure you're all going to check out their job page. (all laugh) >> Exactly! And what you talked about, the developer experience, the customer experience are inextricably linked and you guys are really focused on that. Congratulations on all the work that you've done. We got to go get a selfie with that car girl. >> Yes, we do. >> Absolutely. >> We got to show them, we got to show the audience what it looks like on the inside too. We'll do a little IG video. (Lisa laughs) >> Absolutely. >> We will show you that for our guests and my cohost, Savannah Peterson. 
Lisa Martin here live in Detroit with theCUBE at KubeCon and CloudNativeCon 2022. The one and only John Furrier, who you know gets FOMO, is going to be back with me next. So stick around. (all laugh) (bright music)
Deepak Rangaraj, Dell technologies
>>The cybersecurity landscape continues to be one characterized by a series of point tools designed to do a very specific job, often pretty well, but the mosaic of tooling has grown over the years causing complexity and driving up costs and increasing exposures. So the game of Whac-A-Mole continues. Moreover, the way organizations approach security is changing quite dramatically. The cloud, while offering so many advantages, has also created new complexities. The shared responsibility model redefines what the cloud provider secures, for example, the S3 bucket and what the customer is responsible for, e.g., properly configuring the bucket. You know, this is all well and good, but because virtually no organization of any size can go all in on a single cloud, that shared responsibility model now spans multiple clouds and with different protocols. Now that of course includes on-prem and edge deployments, making things even more complex. Moreover, the DevOps team is being asked to be the point of execution to implement many aspects of an organization's security strategy. >>This extends to securing the runtime, the platform, and even now containers which can end up anywhere. There's a real need for consolidation in the security industry, and that's part of the answer. We've seen this both in terms of mergers and acquisitions as well as platform plays that cover more and more ground. But the diversity of alternatives and infrastructure implementations continues to boggle the mind with more and more entry points for the attackers. This includes sophisticated supply chain attacks that make it even more difficult to understand how to secure components of a system and how secure those components actually are. The number one challenge CISOs face in today's complex world is lack of talent to address these challenges. And I'm not saying that SecOps pros are not talented. They are. 
There just aren't enough of them to go around and the adversary is also talented and very creative and there are more and more of them every day.
>> Now, one of the very important roles that a technology vendor can play is to take mundane infrastructure security tasks off the plates of SecOps teams. Specifically, we're talking about shifting much of the heavy lifting around securing servers, storage, networking, and other infrastructure and their components onto the technology vendor via R&D and other best practices like supply chain management. And that's what we're here to talk about. Welcome to the second part in our series, A Blueprint for Trusted Infrastructure, made possible by Dell Technologies and produced by theCUBE. My name is Dave Ante and I'm your host. Now, previously we looked at what trusted infrastructure means and the role that storage and data protection play in the equation. In this part two of the series, we explore the changing nature of technology infrastructure, how the industry generally, and Dell specifically, are adapting to these changes and what is being done to proactively address threats that are increasingly stressing security teams.
>> Now today, we continue the discussion and look more deeply into servers, networking and hyper-converged infrastructure to better understand the critical aspects of how one company, Dell, is securing these elements so that DevSecOps teams can focus on the myriad new attack vectors and challenges that they faced. First up is Deepak Rangaraj, PowerEdge security product manager at Dell Technologies. And after that we're gonna bring on Mahesh Nagar oim, who was consultant in the networking product management area at Dell. And finally, we'll close with Jerome West, who is the product management security lead for HCI, hyperconverged infrastructure and converged infrastructure, at Dell. Thanks for joining us today. We're thrilled to have you here and hope you enjoy the program.
Deepak Rangaraj, PowerEdge security product manager at Dell Technologies. Deepak, great to have you on the program. Thank you.
>> Thank you for having me.
>> So we're going through the infrastructure stack and in part one of this series we looked at the landscape overall and how cyber has changed and specifically how Dell thinks about data protection in, in security in a manner that both secures infrastructure and minimizes organizational friction. We also hit on the storage part of the portfolio. So now we want to dig into servers. So my first question is, what are the critical aspects of securing server infrastructure that our audience should be aware of?
>> Sure. So if you look at compute in general, right, it has rapidly evolved over the past couple of years, especially with trends toward software defined data centers and with also organizations having to deal with hybrid environments where they have private clouds, public cloud locations, remote offices, and also remote workers. So on top of this, there's also an increase in the complexity of the supply chain itself, right? There are companies who are dealing with hundreds of suppliers as part of their supply chain. So all of this complexity provides a lot of opportunity for attackers because it's expanding the threat surface of what can be attacked, and attacks are becoming more frequent, more severe and more sophisticated. And this has also triggered around in the regulatory and mandates around the security needs.
>> And these regulations are not just in the government sector, right? So it extends to critical infrastructure and eventually it also gets into the private sector. In addition to this, organizations are also looking at their own internal compliance mandates. And this could be based on the industry in which they're operating in, or it could be their own security postures. And this is the landscape in which servers are operating today.
And given that servers are the foundational blocks of the data center, it becomes extremely important to protect them. And given how complex the modern server platforms are, it's also extremely difficult and it takes a lot of effort. And this means protecting everything from the supply chain to the manufacturing and then eventually assuring the hardware and software integrity of the platforms and also the operations. And there are very few companies that go to the lengths that Dell does in order to secure the server. We truly believe in the notion and the security mentality that, you know, security should enable our customers to go focus on their business and proactively innovate on their business and it should not be a burden to them. And we heavily invest to make that possible for our customers.
>> So this is really important because the premise that I set up at the beginning of this was really that I, as a security pro, I'm not a security pro, but if I were, I wouldn't want to be doing all this infrastructure stuff because I now have all these new things I gotta deal with. I want a company like Dell who has the resources to build that security in, to deal with the supply chain, to ensure the provenance, et cetera. So I'm glad you, you hit on that, but so given what you just said, what does cybersecurity resilience mean from a server perspective? For example, are there specific principles that Dell adheres to that are non-negotiable? Let's say, how does Dell ensure that its customers can trust your server infrastructure?
>> Yeah, like when, when it comes to security at Dell, right? It's ingrained in our product, so that's the best way to put it. And security is non-negotiable, right? It's never an afterthought where we come up with a design and then later on figure out how to go make it secure, right? Our security development life cycle, the products are being designed to counter these threats right from the beginning.
And in addition to that, we are also testing and evaluating these products continuously to identify vulnerabilities. We also have external third party audits which supplement this process. And in addition to this, Dell makes the commitment that we will rapidly respond to any mitigations and vulnerability, any vulnerabilities and exposures found out in the field and provide mitigations and patches for in attacking manner. So this security principle is also built into our server life cycle, right? Every phase of it.
>> So we want our products to provide cutting edge capabilities when it comes to security. So as part of that, we are constantly evaluating what our security model is done. We are building on it and continuously improving it. So till a few years ago, our model was primarily based on the NIST framework of protect, detect and recover. And it still aligns really well to that framework, but over the past couple of years we have seen how compute has evolved, how the threats have evolved, and we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a zero trust approach. And so now when we are building our infrastructure and tools and offerings for customers, first and foremost, they're cyber resilient, right? What we mean by that is they're capable of anticipating threats, withstanding attacks and rapidly recovering from attacks and also adapting to the adverse conditions in which they're deployed. The process of designing these capabilities and identifying these capabilities, however, is done through the zero trust framework. And that's very important because now we are also anticipating how our customers will end up using these capabilities at their end to enable their own zero trust IT environments and IT zero trust deployments. We have completely adapted our security approach to make it easier for customers to work with us no matter where they are in their journey towards zero trust adoption.
>> So thank you for that. You mentioned the, this framework, you talked about zero trust. When I think about NIST, I think as well about layered approaches. And when I think about zero trust, I think about if you, if you don't have access to it, you're not getting access, you've gotta earn that, that access, and you've got layers and then you still assume that bad guys are gonna get in. So you've gotta detect that and you've gotta respond. So server infrastructure security is so fundamental. So my question is, what is Dell providing specifically to, for example, detect anomalies and breaches from unauthorized activity? How do you enable fast and easy or facile recovery from malicious incidents?
>> Right? What is that is exactly right, right? Breaches are bound to happen. And given how complex our current environment is, it's extremely distributed and extremely connected, right? Data and users are no longer contained within offices where we can set up a perimeter firewall and say, yeah, everything within that is good. We can trust everything within it. That's no longer true. The best approach to protect data and infrastructure in the current world is to use a zero trust approach, which uses the principles: nothing is ever trusted, right? Nothing is trusted implicitly. You're constantly verifying every single user, every single device, and every single access in your system at every single level of your IT environment. And this is the principles that we use on PowerEdge, right? But with an increased focus on providing granular controls and checks based on the principles of least privileged access.
>> So the idea is that servers first and foremost need to make sure that the threats never enter and they're rejected at the point of entry. But we recognize breaches are going to occur and if they do, they need to be minimized such that the sphere of damage caused by attacker is minimized.
So they're not able to move from one part of the network to something else laterally or escalate their privileges and cause more damage, right? So the impact radius, for instance, has to be reduced. And this is done through features like automated detection capabilities and automation, automated remediation capabilities. So some examples are, as part of our end to end boot resilience process, we have what they call a system lockdown, right? We can lock down the configuration of the system and lock on the firmware versions and all changes to the system. And we have capabilities which automatically detect any drift from that lockdown configuration and we can figure out if the drift was caused by authorized changes or unauthorized changes.
>> And if it is an unauthorized change, we can log it, generate security alerts, and we even have capabilities to automatically roll the firmware and OS versions back to a known good version and also the configurations, right? And this becomes extremely important because as part of zero trust, we need to respond to these things at machine speed and we cannot do it at a human speed. And having these automated capabilities is a big deal when achieving that zero trust strategy. And in addition to this, we also have chassis intrusion detection where if the chassis, the box, the server box is opened up, it logs alerts, and you can figure out even later if there's an AC power cycle, you can go look at the logs to see that the box is opened up and figure out if there was a, like a known authorized access or some malicious actor opening and changing something in your system.
>> Great, thank you for that. Lot of detail and appreciate that. I want to go somewhere else now cuz Dell has a renowned supply chain reputation. So what about securing the, the supply chain and the server bill of materials?
What does Dell specifically do to track the provenance of components it uses in its systems so that when the systems arrive, a customer can be a hundred percent certain that that system hasn't been compromised?
>> Right. And we've talked about how complex the modern supply chain is, right? And that's no different for servers. We have hundreds of components on the server and a lot of these need firmware in order to be configured and run, and these firmware components could be coming from third-party suppliers. So now the complexity that we are dealing with like was the end to end approach. And that's where Dell pays a lot of attention into assuring the security approach approaching. And it starts all the way from sourcing components, right? And then through the design and then even the manufacturing process where we are vetting the personnel at the factories and vetting the factories itself. And the factories also have physical controls, physical security controls built into them, and even shipping, right? We have GPS tagging of packages. So all of this is built to ensure supply chain security.
>> But a critical aspect of this is also making sure that the systems which are built in the factories are delivered to the customers without any changes or any tamper. And we have a feature called the secure component verification, which is capable of doing this. What the feature does is, when the system gets built in a factory, it generates an inventory of all the components in the system and it creates a cryptographic certificate based on the signatures presented to this by the components. And this certificate is stored separately and sent to the customers separately from the system itself. So once the customers receive the system at their end, they can run a tool; it generates an inventory of the components on the system at their end and then compares it to the golden certificate to make sure nothing was changed.
And if any changes are detected, we can figure out if there's an authorized change or unauthorized change.
>> Again, authorized changes could be like, you know, upgrades to the drives or memory, and unauthorized changes could be any sort of tamper. So that's the supply chain aspect of it. And bill of materials is also an important aspect to galing security, right? And we provide a software bill of materials, which is basically a list of ingredients of all the software pieces in the platform. So what it allows our customers to do is quickly take a look at all the different pieces and compare it to the vulnerability database and see if any of the vulnerabilities which have been discovered out in the wild affect the platform. So that's a quick way of figuring out if the platform has any known vulnerabilities and it has not been patched.
>> Excellent. That's really good. My last question is, I wonder if you, you know, give us the sort of summary from your perspective, what are the key strengths of Dell server portfolio from a security standpoint? I'm really interested in, you know, the uniqueness and the strong suit that Dell brings to the table.
>> Right. Yeah. We have talked enough about the complexity of the environment and how zero trust is necessary for the modern IT environment, right? And this is integral to Dell PowerEdge servers. And as part of that, like you know, security starts with the supply chain. We already talked about the secure component verification, which is a beneath feature that Dell platforms have. And on top of it we also have a silicon-based platform root of trust. So this is a key which is programmed into the silicon on the black service during manufacturing and can never be changed after. And this immutable key is what forms the anchor for creating the chain of trust that is used to verify everything in the platform from the hardware and software integrity to the boot, all pieces of it, right? In addition to that, we also have a host of data protection features.
>> Whether it is protecting data at rest, in use or in flight, we have self-encrypting drives, which provide scalable and flexible encryption options. And this, coupled with external key management, provides really good protection for your data at rest. External key management is important because, you know, somebody could physically steal the server, walk away, but then the keys are not stored on the server, it's stored separately. So that provides your action layer of security. And we also have dual layer encryption where you can complement the hardware encryption on the secure encrypted drives with software level encryption. In addition to this we have identity and access management features like multifactor authentication, single sign on, roles, scope and time based access controls, all of which are critical to enable that granular control and checks for zero trust approach. So I would say like, you know, if you look at the Dell feature set, it's pretty comprehensive and we also have the flexibility built in to meet the needs of all customers no matter where they fall in the spectrum of, you know, risk tolerance and security sensitivity. And we also have the capabilities to meet all the regulatory requirements and compliance requirements. So in a nutshell, I would say that, you know, Dell PowerEdge server cyber resilient infrastructure helps accelerate zero trust adoption for customers.
>> Got it. So you've really thought this through, all the various things that you would do to sort of make sure that your server infrastructure is secure, not compromised, that your supply chain is secure so that your customers can focus on some of the other things that they have to worry about, which are numerous. Thanks Deepak, appreciate you coming on theCUBE and participating in the program.
>> Thank you for having
>> You're welcome. In a moment I'll be back to dig into the networking portion of the infrastructure.
Stay with us for more coverage of A Blueprint for Trusted Infrastructure, in collaboration with Dell Technologies, on theCUBE, your leader in enterprise and emerging tech coverage.
Blueprint for Trusted Infrastructure Episode 2 Full Episode 10-4 V2
>> The cybersecurity landscape continues to be one characterized by a series of point tools designed to do a very specific job, often pretty well, but the mosaic of tooling has grown over the years, causing complexity and driving up costs and increasing exposures. So the game of whack-a-mole continues. Moreover, the way organizations approach security is changing quite dramatically. The cloud, while offering so many advantages, has also created new complexities. The shared responsibility model redefines what the cloud provider secures, for example, the S3 bucket, and what the customer is responsible for, e.g., properly configuring the bucket. You know, this is all well and good, but because virtually no organization of any size can go all in on a single cloud, that shared responsibility model now spans multiple clouds and with different protocols. Now that of course includes on-prem and edge deployments, making things even more complex. Moreover, the DevOps team is being asked to be the point of execution to implement many aspects of an organization's security strategy.
>> This extends to securing the runtime, the platform, and even now containers, which can end up anywhere. There's a real need for consolidation in the security industry, and that's part of the answer. We've seen this both in terms of mergers and acquisitions as well as platform plays that cover more and more ground. But the diversity of alternatives and infrastructure implementations continues to boggle the mind, with more and more entry points for the attackers. This includes sophisticated supply chain attacks that make it even more difficult to understand how to secure components of a system and how secure those components actually are. The number one challenge CISOs face in today's complex world is lack of talent to address these challenges. And I'm not saying that SecOps pros are not talented. They are.
There just aren't enough of them to go around and the adversary is also talented and very creative, and there are more and more of them every day.
>> Now, one of the very important roles that a technology vendor can play is to take mundane infrastructure security tasks off the plates of SecOps teams. Specifically, we're talking about shifting much of the heavy lifting around securing servers, storage, networking, and other infrastructure and their components onto the technology vendor via R&D and other best practices like supply chain management. And that's what we're here to talk about. Welcome to the second part in our series, A Blueprint for Trusted Infrastructure, made possible by Dell Technologies and produced by theCUBE. My name is Dave Ante and I'm your host. Now, previously we looked at what trusted infrastructure means and the role that storage and data protection play in the equation. In this part two of the series, we explore the changing nature of technology infrastructure, how the industry generally, and Dell specifically, are adapting to these changes and what is being done to proactively address threats that are increasingly stressing security teams.
>> Now today, we continue the discussion and look more deeply into servers, networking and hyper-converged infrastructure to better understand the critical aspects of how one company, Dell, is securing these elements so that DevSecOps teams can focus on the myriad new attack vectors and challenges that they faced. First up is Deepak Rangaraj, PowerEdge security product manager at Dell Technologies. And after that we're gonna bring on Mahesh Nagar oim, who was consultant in the networking product management area at Dell. And finally, we'll close with Jerome West, who is the product management security lead for HCI, hyperconverged infrastructure and converged infrastructure, at Dell. Thanks for joining us today. We're thrilled to have you here and hope you enjoy the program.
Deepak Rangaraj, PowerEdge security product manager at Dell Technologies. Deepak, great to have you on the program. Thank you.
>> Thank you for having me.
>> So we're going through the infrastructure stack and in part one of this series we looked at the landscape overall and how cyber has changed and specifically how Dell thinks about data protection in, in security in a manner that both secures infrastructure and minimizes organizational friction. We also hit on the storage part of the portfolio. So now we want to dig into servers. So my first question is, what are the critical aspects of securing server infrastructure that our audience should be aware of?
>> Sure. So if you look at compute in general, right, it has rapidly evolved over the past couple of years, especially with trends toward software defined data centers and with also organizations having to deal with hybrid environments where they have private clouds, public cloud locations, remote offices, and also remote workers. So on top of this, there's also an increase in the complexity of the supply chain itself, right? There are companies who are dealing with hundreds of suppliers as part of their supply chain. So all of this complexity provides a lot of opportunity for attackers because it's expanding the threat surface of what can be attacked, and attacks are becoming more frequent, more severe and more sophisticated. And this has also triggered around in the regulatory and mandates around the security needs.
>> And these regulations are not just in the government sector, right? So it extends to critical infrastructure and eventually it also gets into the private sector. In addition to this, organizations are also looking at their own internal compliance mandates. And this could be based on the industry in which they're operating in, or it could be their own security postures. And this is the landscape in which servers are operating today.
And given that servers are the foundational blocks of the data center, it becomes extremely important to protect them. And given how complex the modern server platforms are, it's also extremely difficult and it takes a lot of effort. And this means protecting everything from the supply chain to the manufacturing and then eventually assuring the hardware and software integrity of the platforms and also the operations. And there are very few companies that go to the lengths that Dell does in order to secure the server. We truly believe in the notion and the security mentality that, you know, security should enable our customers to go focus on their business and proactively innovate on their business and it should not be a burden to them. And we heavily invest to make that possible for our customers.
>> So this is really important because the premise that I set up at the beginning of this was really that I, as a security pro, I'm not a security pro, but if I were, I wouldn't want to be doing all this infrastructure stuff because I now have all these new things I gotta deal with. I want a company like Dell who has the resources to build that security in, to deal with the supply chain, to ensure the provenance, et cetera. So I'm glad you, you hit on that, but so given what you just said, what does cybersecurity resilience mean from a server perspective? For example, are there specific principles that Dell adheres to that are non-negotiable? Let's say, how does Dell ensure that its customers can trust your server infrastructure?
>> Yeah, like when, when it comes to security at Dell, right? It's ingrained in our product, so that's the best way to put it. And security is non-negotiable, right? It's never an afterthought where we come up with a design and then later on figure out how to go make it secure, right? Our security development life cycle, the products are being designed to counter these threats right from the beginning.
And in addition to that, we are also testing and evaluating these products continuously to identify vulnerabilities. We also have external third party audits which supplement this process. And in addition to this, Dell makes the commitment that we will rapidly respond to any mitigations and vulnerability, any vulnerabilities and exposures found out in the field and provide mitigations and patches for in attacking manner. So this security principle is also built into our server life cycle, right? Every phase of it.
>> So we want our products to provide cutting edge capabilities when it comes to security. So as part of that, we are constantly evaluating what our security model is done. We are building on it and continuously improving it. So till a few years ago, our model was primarily based on the NIST framework of protect, detect and recover. And it still aligns really well to that framework, but over the past couple of years, we have seen how compute has evolved, how the threats have evolved, and we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a zero trust approach. And so now when we are building our infrastructure and tools and offerings for customers, first and foremost, they're cyber resilient, right? What we mean by that is they're capable of anticipating threats, withstanding attacks and rapidly recovering from attacks and also adapting to the adverse conditions in which they're deployed. The process of designing these capabilities and identifying these capabilities, however, is done through the zero trust framework. And that's very important because now we are also anticipating how our customers will end up using these capabilities at their end to enable their own zero trust IT environments and IT zero trust deployments. We have completely adapted our security approach to make it easier for customers to work with us no matter where they are in their journey towards zero trust adoption.
>> So thank you for that. You mentioned the, this framework, you talked about zero trust. When I think about NIST, I think as well about layered approaches. And when I think about zero trust, I think about if you, if you don't have access to it, you're not getting access, you've gotta earn that, that access, and you've got layers and then you still assume that bad guys are gonna get in. So you've gotta detect that and you've gotta respond. So server infrastructure security is so fundamental. So my question is, what is Dell providing specifically to, for example, detect anomalies and breaches from unauthorized activity? How do you enable fast and easy or facile recovery from malicious incidents?
>> Right? What is that is exactly right, right? Breaches are bound to happen and given how complex our current environment is, it's extremely distributed and extremely connected, right? Data and users are no longer contained within offices where we can set up a perimeter firewall and say, yeah, everything within that is good. We can trust everything within it. That's no longer true. The best approach to protect data and infrastructure in the current world is to use a zero trust approach, which uses the principles: nothing is ever trusted, right? Nothing is trusted implicitly. You're constantly verifying every single user, every single device, and every single access in your system at every single level of your IT environment. And this is the principles that we use on PowerEdge, right? But with an increased focus on providing granular controls and checks based on the principles of least privileged access.
>>So the idea is that servers first and foremost need to make sure that the threats never enter and they're rejected at the point of entry, but we recognize breaches are going to occur and if they do, they need to be minimized such that the sphere of damage caused by the attacker is minimized so they're not able to move from one part of the network to something else laterally or escalate their privileges and cause more damage, right? So the impact radius for instance, has to be reduced. And this is done through features like automated detection capabilities and automation, automated remediation capabilities. So some examples are as part of our end to end boot resilience process, we have what they call a system lockdown, right? We can lock down the configuration of the system and lock down the firmware versions and all changes to the system. And we have capabilities which automatically detect any drift from that lockdown configuration and we can figure out if the drift was caused by authorized changes or unauthorized changes. >>And if it is an unauthorized change, we can log it, generate security alerts, and we even have capabilities to automatically roll the firmware and OS versions back to a known good version and also the configurations, right? And this becomes extremely important because as part of zero trust, we need to respond to these things at machine speed and we cannot do it at a human speed. And having these automated capabilities is a big deal when achieving that zero trust strategy. And in addition to this, we also have chassis intrusion detection where if the chassis, the box, the server box is opened up, it logs alerts, and you can figure out even later if there's an AC power cycle, you can go look at the logs to see that the box is opened up and figure out if there was a, like a known authorized access or some malicious actor opening and changing something in your system. >>Great, thank you for that. Lot of detail and appreciate that. 
I want to go somewhere else now cuz Dell has a renowned supply chain reputation. So what about securing the, the supply chain and the server bill of materials? What does Dell specifically do to track the provenance of components it uses in its systems so that when the systems arrive, a customer can be a hundred percent certain that that system hasn't been compromised? >>Right? And we've talked about how complex the modern supply chain is, right? And that's no different for servers. We have hundreds of components on the server and a lot of these need firmware in order to be configured and run and this firmware component could be coming from third party suppliers. So now the complexity that we are dealing with like was the end to end approach and that's where Dell pays a lot of attention into assuring the security approach approaching and it starts all the way from sourcing components, right? And then through the design and then even the manufacturing process where we are vetting the personnel at the factories and vetting the factories themselves. And the factories also have physical controls, physical security controls built into them and even shipping, right? We have GPS tagging of packages. So all of this is built to ensure supply chain security. >>But a critical aspect of this is also making sure that the systems which are built in the factories are delivered to the customers without any changes or any tampering. And we have a feature called the secure component verification, which is capable of doing this. What the feature does is, when the system gets built in a factory, it generates an inventory of all the components in the system and it creates a cryptographic certificate based on the signatures presented to this by the components. And this certificate is stored separately and sent to the customers separately from the system itself. 
So once the customers receive the system at their end, they can run a tool, it generates an inventory of the components on the system at their end and then compare it to the golden certificate to make sure nothing was changed. And if any changes are detected, we can figure out if there's an authorized change or unauthorized change. >>Again, authorized changes could be like, you know, upgrades to the drives or memory and unauthorized changes could be any sort of tampering. So that's the supply chain aspect of it and bill of materials is also an important aspect to galing security, right? And we provide a software bill of materials, which is basically a list of ingredients of all the software pieces in the platform. So what it allows our customers to do is quickly take a look at all the different pieces and compare it to the vulnerability database and see if any of the vulnerabilities which have been discovered out in the wild affect the platform. So that's a quick way of figuring out if the platform has any known vulnerabilities and it has not been patched. >>Excellent. That's really good. My last question is, I wonder if you, you know, give us the sort of summary from your perspective, what are the key strengths of Dell server portfolio from a security standpoint? I'm really interested in, you know, the uniqueness and the strong suit that Dell brings to the table. >>Right? Yeah. We have talked enough about the complexity of the environment and how zero trust is necessary for the modern IT environment, right? And this is integral to Dell PowerEdge servers. And as part of that like you know, security starts with the supply chain. We already talked about the secure component verification, which is a beneath feature that Dell platforms have. And on top of it we also have a silicon-based platform root of trust. So this is a key which is programmed into the silicon on the black service during manufacturing and can never be changed after. 
And this immutable key is what forms the anchor for creating the chain of trust that is used to verify everything in the platform from the hardware and software integrity to the boot, all pieces of it, right? In addition to that, we also have a host of data protection features. >>Whether it is protecting data at rest, in use or in flight, we have self encrypting drives which provide scalable and flexible encryption options. And this coupled with external key management provides really good protection for your data at rest. External key management is important because you know, somebody could physically steal the server and walk away, but then the keys are not stored on the server, they're stored separately. So that provides you an extra layer of security. And we also have dual layer encryption where you can complement the hardware encryption on the secure encrypted drives with software level encryption. In addition to this we have identity and access management features like multifactor authentication, single sign on roles, scope and time based access controls, all of which are critical to enable that granular control and checks for zero trust approach. So I would say like, you know, if you look at the Dell feature set, it's pretty comprehensive and we also have the flexibility built in to meet the needs of all customers no matter where they fall in the spectrum of, you know, risk tolerance and security sensitivity. And we also have the capabilities to meet all the regulatory requirements and compliance requirements. So in a nutshell, I would say that you know, Dell PowerEdge servers' cyber resilient infrastructure helps accelerate zero trust adoption for customers. >>Got it. So you've really thought this through all the various things that you would do to sort of make sure that your server infrastructure is secure, not compromised, that your supply chain is secure so that your customers can focus on some of the other things that they have to worry about, which are numerous. 
Thanks Deepak, appreciate you coming on theCUBE and participating in the program. >>Thank you for having >>You're welcome. In a moment I'll be back to dig into the networking portion of the infrastructure. Stay with us for more coverage of a blueprint for trusted infrastructure in collaboration with Dell Technologies on theCUBE, your leader in enterprise and emerging tech coverage. We're back with a blueprint for trusted infrastructure in partnership with Dell Technologies and theCUBE. And we're here with Mahesh Nager, who is a consultant in the area of networking product management at Dell Technologies. Mahesh, welcome, good to see you. >>Hey, good morning Dave, nice to meet you as well. >>Hey, so we've been digging into all the parts of the infrastructure stack and now we're gonna look at the all important networking components. Mahesh, when we think about networking in today's environment, we think about the core data center and we're connecting out to various locations including the cloud and both the near and the far edge. So the question is from Dell's perspective, what's unique and challenging about securing network infrastructure that we should know about? >>Yeah, so few years ago IT security in an enterprise was primarily putting a wrapper around data center out because it was constrained to an infrastructure owned and operated by the enterprise for the most part. So putting a wrapper around it like a perimeter or a firewall was a sufficient response because you could basically control the environment and data small enough control today with the distributed data, intelligent software-defined systems, multi-cloud environment and as-a-service delivery, you know, the infrastructure for the modern era changes the way to secure the network infrastructure. In today's, you know, data driven world, it operates everywhere and data is created and accessed everywhere so far from, you know, the centralized monolithic data centers of the past. 
The biggest challenge is how do we build the network infrastructure of the modern era that are intelligent with automation enabling maximum flexibility and business agility without any compromise on the security. We believe that in this data era, the security transformation must accompany digital transformation. >>Yeah, that's very good. You talked about a couple of things there. Data by its very nature is distributed. There is no perimeter anymore, so you can't just, as you say, put a wrapper around it. I like the way you phrase that. So when you think about cyber security resilience from a networking perspective, how do you define that? In other words, what are the basic principles that you adhere to when thinking about securing network infrastructure for your customers? >>So our belief is that cybersecurity and cybersecurity resilience, they need to be holistic, they need to be integrated, scalable, one that span the entire enterprise and with a common objective and policy implementation. So cybersecurity needs to span across all the devices and running across any application, whether the application resides on the cloud or anywhere else in the infrastructure. From a networking standpoint, what does it mean? It's again, the same principles, right? You know, in order to prevent the threat actors from accessing, changing, destroying or stealing sensitive data, this definition holds good for networking as well. So if you look at it from a networking perspective, it's the ability to protect from and withstand attacks on the networking systems as we continue to evolve. This will also include the ability to adapt and recover from these attacks, which is what cyber resilience aspect is all about. So cybersecurity best practices, as you know, is continuously changing the landscape primarily because the cyber threats also continue to evolve. >>Yeah, got it. So I like that. 
So it's gotta be integrated, it's gotta be scalable, it's gotta be comprehensive and adaptable. You're saying it can't be static. >>Right? Right. So I think, you know, you had a second part of a question, you know, that says what do we, you know, what are the basic principles? You know, when you think about securing network infrastructure, when you're looking at securing the network infrastructure, it revolves around core security capability of the devices that form the network. And what are these security capabilities? These are access control, software integrity and vulnerability response. When you look at access control, it's to ensure that only the authenticated users are able to access the platform and they're able to access only the kind of the assets that they're authorized to based on their user level. Now accessing a network platform like a switch or a router for example, is typically used for say, configuration and management of the networking switch. So user access is based on say roles for that matter in a role based access control, whether you are a security admin or a network admin or a storage admin. >>And it's imperative that logging is enabled because any of the change to the configuration is actually logged and monitored as that. Talking about software's integrity, it's the ability to ensure that the software that's running on the system has not been compromised. And, and you know, this is important because it could actually, you know, get hold of the system and you know, you could get undesired results in terms of say validation of the images. It's, it needs to be done through say digital signature. So, so it's important that when you're talking about say, software integrity, a, you are ensuring that the platform is not compromised, you know, is not compromised and b, that any upgrades, you know, that happens to the platform is happening through say validated signature. >>Okay. 
And now, now you've now, so there's access control, software integrity, and I think you, you've got a third element which is, I think, response, but please continue. >>Yeah, so you know, the third one is about vulnerability. So we follow the same process that's been followed by the rest of the products within the Dell product family. That's to report or identify, you know, any kind of a vulnerability that's being addressed by the Dell product security incident response team. So the networking portfolio is no different, you know, it follows the same process for identification, for triage and for resolution of these vulnerabilities. And these are addressed either through patches or through new releases via networking software. >>Yeah, got it. Okay. So I mean, you didn't say zero trust, but when you were talking about access control, you're really talking about access to only those assets that people are authorized to access. I know zero trust sometimes is a buzzword, but, but you I think gave it, you know, some clarity there. Software integrity, it's about assurance validation, your digital signature you mentioned and, and that there's been no compromise. And then how you respond to incidents in a standard way that can fit into a security framework. So outstanding description, thank you for that. But then the next question is, how does Dell networking fit into the construct of what we've been talking about Dell trusted infrastructure? >>Okay, so networking is the key element in the Dell trusted infrastructure. It provides the interconnect between the server and the storage world. And you know, it's part of any data center configuration for a trusted infrastructure. The network needs to have access control in place where only the authorized personnel are able to make change to the network configuration and logging of any of those changes is also done through the logging capabilities. 
Additionally, we should also ensure that the configuration should provide network isolation between say the management network and the data traffic network because they need to be separate and distinct from each other. And furthermore, even if you look at the data traffic network and now you have things like segmentation, isolated segments via VRF or, or some micro segmentation via partners, this allows various level of security for each of those segments. So it's important you know, that, that the network infrastructure has the ability, you know, to provide all this, this services from a Dell networking security perspective, right? >>You know, there are multiple layer of defense, you know, both at the edge and in the network in this hardware and in the software and essentially, you know, a set of rules and a configuration that's designed to sort of protect the integrity, confidentiality, and accessibility of the network assets. So each network security layer, it implements policies and controls as I said, you know, including, say, network segmentation. We do have capabilities such as centralized management automation and capability and scalability for that matter. Now you add all of these things, you know, with the open networking standards or software-defined principles and you essentially, you know, reach to the point where you know, you're looking at zero trust network access, which is essentially sort of a building block for increased cloud adoption. 
If you look at say that you know the different pillars of a zero trust architecture, you know, if you look at the device aspect, you know, we do have support for security for example, we do have say, trusted platform modules, TPMs, on certain of our products and you know, the physical security know plain, simple old one love port enable from a user trust perspective, we know it's all done via access control days via role based access control and say capability in order to provide say remote authentication or things like say sticky MAC or MAC learning limit and so on. >>If you look at say a transport and session trust layer, these are essentially, you know, how do you access, you know, this switch, you know, is it by plain old Telnet or is it like secure SSH, right? And you know, when a host communicates, you know, to the switch, we do have things like self-signed or certificate authority based certification. And one of the important aspect is, you know, in terms of, you know, the routing protocol, the routing protocol, say for example BGP for example, we do have the capability to support MD5 authentication between the BGP peers so that there is no, you know, malicious attack, you know, to the network where the routing table is compromised. And the other aspect is about, say, control plane ACLs, you know, you know, it's, it's typical that if you don't have a control plane ACL, you know, it could be flooded and you know, you know, the switch could be compromised by, say, denial of service attacks. >>From an application trust perspective, as I mentioned, you know, we do have, you know, the application specific security rules where you could actually define, you know, the specific security rules based on the specific applications, you know, that are running within the system. 
And I did talk about, say the digital signature and the cryptographic check that we do for authentication and for, I mean rather for the authenticity and the validation of, you know, of the image and the BS and so on and so forth. Finally, you know, the data trust, we are looking at, you know, the network separation, you know, the network separation could happen over VRF, plain old VLANs, you know, which can bring about, say, multi-tenant aspects. We talk about some microsegmentation as it applies to NSX for example. The other aspect is, you know, we do have, with our own smart fabric services that's enabled in a fabric, we have a concept of c cluster security. So all of this, you know, the different pillars, they sort of make up for the zero trust infrastructure for the networking assets of an infrastructure. >>Yeah. So thank you for that. There's a, there's a lot to unpack there. You know, one of the premise, the premise really of this, this, this, this segment that we're setting up in this series is really that everything you just mentioned, or a lot of things you just mentioned used to be the responsibility of the security team. And, and the premise that we're putting forth is that because security teams are so stretched thin, you, you gotta shift the vendor community. Dell specifically is shifting a lot of those tasks to their own R&D and taking care of a lot of that. So, cuz SecOps teams got a lot of other stuff to, to worry about. So my question relates to things like automation, which can help and scalability, what about those topics as it relates to networking infrastructure? >>Okay, our portfolio, it enables state of the art automation software, you know, that enables simplifying of the design. 
So for example, we do have, you know, you know the fabric design center, you know, a tool that automates the design of the fabric and you know, from a deployment and you know, the management of the network infrastructure that are simplicities, you know, using like Ansible s for SONiC for example are, you know, for a better sit and tell story. You know, we do have smart fabric services that can automate the entire fabric, you know, for a storage solution or for, you know, for one of the workloads for example. Now we do help reduce the complexity by closely integrating the management of the physical and the virtual networking infrastructure. And again, you know, we have those capabilities using SONiC or smart fabric services. If you look at SONiC for example, right? >>It delivers automated intent based secure containerized network and it has the ability to provide some network visibility and Avan has and, and all of these things are actually valid, you know, for a modern networking infrastructure. So now if you look at SONiC, you know, it's, you know, the usage of those tools, you know, that are available, you know, within the SONiC NOS is not restricted, you know, just to the data center infrastructure is, it's a unified NOS, you know, that's well applicable beyond the data center, you know, right up to the edge. Now if you look at our NOS from a smart fabric OS10 perspective, you know, as I mentioned, we do have smart fabric services which essentially, you know, simplifies the deployment day zero, I mean rather day one, day two deployment expansion plans and the lifecycle management of our converged infrastructure and hyper and hyper-converged infrastructure solutions. And finally, in order to enable say, zero touch deployment, we do have, you know, a VP solution with our SD-WAN capability. 
So these are, you know, ways by which we bring down the complexity by, you know, enhancing the automation capability using, you know, a singular NOS that can expand from a data center now right to the edge. >>Great, thank you for that. Last question real quick, just pitch me, what can you summarize from your point of view, what's the strength of the Dell networking portfolio? >>Okay, so from a Dell networking portfolio, we support capabilities at multiple layers. As I mentioned, we're talking about the physical security for examples, say disabling of the unused interface. Sticky MAC and trusted platform modules are the things that to go after. And when you're talking about say secure boot for example, it delivers the authenticity and the integrity of the OS10 images at the startup. And Secure Boot also protects the startup configuration so that, you know, the startup configuration file is not compromised. And Secure Boot also enables the workload of prediction, for example, that is at another aspect of software image integrity validation, you know, wherein the image is validated for the digital signature, you know, prior to any upgrade process. And if you are looking at secure access control, we do have things like role based access control, SSH to the switches, control plane access control that prevents DoS attacks and say access control from multifactor authentication. 
>>We do have various tech ads for entry control to the network and things like CSE and PRV support, you know, from a federal perspective we do have say logging wherein, you know, any event, any auditing capabilities can be possible by say looking at the syslog servers, you know, which are pretty much in our transmitter from the devices overts for example, and last we talked about say network segment, you know, say network separation and you know, these, you know, separation, you know, ensures that are, that is, you know, a contained say segment, you know, for a specific purpose or for the specific zone and, you know, just can be implemented by a, a micro segmentation, you know, just a plain old VLAN or using virtual routing and forwarding, VRF, for example. >>A lot there. I mean I think frankly, you know, my takeaway is you guys do the heavy lifting in a very complicated topic. So thank you so much for, for coming on theCUBE and explaining that in in quite some depth. Really appreciate it. >>Thank you indeed. >>Oh, you're very welcome. Okay, in a moment I'll be back to dig into the hyper-converged infrastructure part of the portfolio and look at how when you enter the world of software defined where you're controlling servers and storage and networks via software led system, you could be sure that your infrastructure is trusted and secure. You're watching a blueprint for trusted infrastructure made possible by Dell Technologies in collaboration with theCUBE, your leader in enterprise and emerging tech coverage. Jerome West, product management security lead for HCI at Dell Technologies hyper-converged infrastructure. Jerome, welcome. >>Thank you Dave. >>Hey Jerome, in this series of blueprint for trusted infrastructure, we've been digging into the different parts of the infrastructure stack, including storage servers and networking, and now we want to cover hyperconverged infrastructure. 
So my first question is, what's unique about HCI that presents specific security challenges? What do we need to know? >>So what's unique about hyper-converged infrastructure is the breadth of the security challenge. We can't simply focus on a single type of IT system. So like a server or storage system or a virtualization piece of software. I mean HCI is all of those things. So luckily we have excellent partners like VMware, Microsoft, and internal partners like the Dell PowerEdge team, the Dell storage team, the Dell networking team, and on and on. These partnerships and these collaborations are what make us successful from a security standpoint. So let me give you an example to illustrate. In the recent past we're seeing growing scope and sophistication in supply chain attacks. This means an attacker is going to attack your software supply chain upstream so that hopefully a piece of code, malicious code that wasn't identified early in the software supply chain is distributed by a large player, like a VMware or Microsoft or a Dell. So to confront this kind of sophisticated hard to defeat problem, we need short term solutions and we need long term solutions as well. >>So for the short term solution, the obvious thing to do is to patch the vulnerability. The complexity is for our HCI portfolio. We build our software on VMware, so we would have to consume a patch that VMware would produce and provide it to our customers in a timely manner. Luckily VxRail's engineering team has co engineered a release process with VMware that significantly shortens our development life cycle so that VMware would produce a patch and within 14 days we will integrate our own code with the VMware release, we will have tested and validated the update and we will give an update to our customers within 14 days of that VMware release. That as a result of this kind of rapid development process, VxRail had over 40 releases of software updates last year. For a longer term solution, 
we're partnering with VMware and others to develop a software bill of materials. We work with VMware to consume their software manifest, including their upstream vendors and their open source providers to have a comprehensive list of software components. Then we aren't caught off guard by an unforeseen vulnerability and we're more able to easily detect where the software problem lies so that we can quickly address it. So these are the kind of relationships and solutions that we can co engineer with effective collaborations with our, with our partners. >>Great, thank you for that. That description. So if I had to define what cybersecurity resilience means to HCI or converged infrastructure, and to me my takeaway was you gotta have a short term instant patch solution and then you gotta do an integration in a very short time, you know, two weeks to then have that integration done. And then longer term you have to have a software bill of materials so that you can ensure the provenance of all the components help us. Is that a right way to think about cybersecurity resilience? Do you have, you know, any additives to that definition? >>I do. I really think that's site cybersecurity and resilience for HCI because like I said, it has sort of unprecedented breadth across our portfolio. It's not a single thing, it's a bit of everything. So really the strength or the secret sauce is to combine all the solutions that our partner develops while integrating them with our own layer. So let me, let me give you an example. So HCI, it's a, basically taking a software abstraction of hardware functionality and implementing it into something called the virtualized layer. It's basically the virtual virtualizing hardware functionality, like say a storage controller, you could implement it in hardware, but for HCI, for example, in our VxRail portfolio, we, our VxRail product, we integrated it into a product called vSAN, which is provided by our partner VMware. 
So that portfolio of strength is still, you know, through our, through our partnerships. >>So what we do, we integrate these, these security functionality and features in into our product. So our partnership grows to our ecosystem through products like VMware, products like NSX, Horizon, Carbon Black and vSphere. All of them integrate seamlessly with VMware and we also leverage VMware's software, part software partnerships on top of that. So for example, VxRail supports multifactor authentication through vSphere integration with something called Active Directory Federation Services, or ADFS. So there's a lot of providers that support ADFS including Microsoft Azure. So now we can support a wide array of identity providers such as Auth0 or I mentioned Azure or Active Directory through that partnership. So we can leverage all of our partners partnerships as well. So there's sort of a second layer. So being able to secure all of that, that provides a lot of options and flexibility for our customers. So basically to summarize my my answer, we consume all of the security advantages of our partners, but we also expand on them to make a product that is comprehensively secured at multiple layers from the hardware layer that's provided by Dell through PowerEdge to the hyper-converged software that we build ourselves to the virtualization layer that we get through our partnerships with Microsoft and VMware. >>Great, I mean that's super helpful. You've mentioned NSX, Horizon, Carbon Black, all the, you know, the VMware component Auth0, which the developers are gonna love. You got Azure identity, so it's really an ecosystem. So you may have actually answered my next question, but I'm gonna ask it anyway cuz you've got this software defined environment and you're managing servers and networking and storage with this software led approach, how do you ensure that the entire system is secure end to end? >>That's a really great question. 
So the, the answer is we do testing and validation as part of the engineering process. It's not just bolted on at the end. So when we do, for example, VxRail is the market's only co engineered solution with VMware, other vendors sell VMware as a hyper converged solution, but we actually include security as part of the co-engineering process with VMware. So it's considered when VMware builds their code and their process dovetails with ours because we have a secure development life cycle, which other products might talk about in their discussions with you that we integrate into our engineering life cycle. So because we follow the same framework, all of the, all of the codes should interoperate from a security standpoint. And so when we do our final validation testing when we do a software release, we're already halfway there in ensuring that all these features will give the customers what we promised. >>That's great. All right, let's, let's close pitch me, what would you say is the strong suit summarize the, the strengths of the Dell hyper-converged infrastructure and converged infrastructure portfolio specifically from a security perspective? Jerome? >>So I talked about how hyper hyper-converged infrastructure simplifies security management because basically you're gonna take all of these features that are abstracted in in hardware, they're now abstracted in the virtualization layer. Now you can manage them from a single point of view, whether it would be, say, you know, in for VX rail would be b be center, for example. So by abstracting all this, you make it very easy to manage security and highly flexible because now you don't have limitations around a single vendor. You have a multiple array of choices and partnerships to select. So I would say that is the, the key to making it to hci. 
Now, what makes Dell the market leader in HCI is not only do we have that functionality, but we also make it exceptionally useful to you because it's co-engineered, it's not bolted on. So I gave the example of spo, I gave the example of how we, we modify our software release process with VMware to make it very responsive. >>A couple of other features that we have specific just to HCI are digitally signed LCM updates. This is an example of a feature that we have that's only exclusive to Dell that's not done through a partnership. So we digitally signed our software updates so the user can be sure that the, the update that they're installing into their system is an authentic and unmodified product. So we give it a Dell signature that's validated prior to installation. So not only do we consume the features that others develop in a seamless and fully validated way, but we also bolt on our own a specific HCI security features that work with all the other partnerships and give the user an exceptional security experience. So for, for example, the benefit to the customer is you don't have to create a complicated security framework that's hard for your users to use and it's hard for your system administrators to manage. It all comes in a package. So it, it can be all managed through vCenter, for example, or, and then the specific hyper, hyper-converged functions can be managed through VxRail Manager or through SDDC Manager. So there's very few panes of glass that the, the administrator or user ever has to worry about. It's all self contained and manageable. >>That makes a lot of sense. So you've got your own infrastructure, you're applying your best practices to that, like the digital signatures, you've got your ecosystem, you're doing co-engineering with the ecosystems, delivering security in a package, minimizing the complexity at the infrastructure level. 
The reason Jerome, this is so important is because SecOps teams, you know, they gotta deal with cloud security, they gotta deal with multiple clouds. Now they have their shared responsibility model going across multiple cl. They got all this other stuff that they have to worry, they gotta secure the containers and the run time and and, and, and, and the platform and so forth. So they're being asked to do other things. If they have to worry about all the things that you just mentioned, they'll never get, you know, the, the securities is gonna get worse. So what my takeaway is, you're removing that infrastructure piece and saying, Okay guys, you now can focus on those other things that is not necessarily Dell's, you know, domain, but you, you know, you can work with other partners to and your own teams to really nail that. Is that a fair summary? >>I think that is a fair summary because absolutely the worst thing you can do from a security perspective is provide a feature that's so unusable that the administrator disables it or other key security features. So when I work with my partners to define, to define and develop a new security feature, the thing I keep foremost in mind is, will this be something our users want to use and our administrators want to administer? Because if it's not, if it's something that's too difficult or onerous or complex, then I try to find ways to make it more user friendly and practical. And this is a challenge sometimes because we are, our products operate in highly regulated environments and sometimes they have to have certain rules and certain configurations that aren't the most user friendly or management friendly. So I, I put a lot of effort into thinking about how can we make this feature useful while still complying with all the regulations that we have to comply with. And by the way, we're very successful in a highly regulated space. 
We sell a lot of VxRail, for example, into the Department of Defense and banks and, and other highly regulated environments and we're very successful there. >>Excellent. Okay, Jerome, thanks. We're gonna leave it there for now. I'd love to have you back to talk about the progress that you're making down the road. Things always, you know, advance in the tech industry and so would appreciate that. >>I would look forward to it. Thank you very much, Dave. >>You're really welcome. In a moment I'll be back to summarize the program and offer some resources that can help you on your journey to secure your enterprise infrastructure. I wanna thank our guests for their contributions in helping us understand how investments by a company like Dell can both reduce the need for DevSecOps teams to worry about some of the more fundamental security issues around infrastructure and have greater confidence in the quality providence and data protection designed in to core infrastructure like servers, storage, networking, and hyper-converged systems. You know, at the end of the day, whether your workloads are in the cloud, on prem or at the edge, you are responsible for your own security. But vendor R&D and vendor process must play an important role in easing the burden faced by security devs and operation teams. And on behalf of theCUBE production, content and social teams as well as Dell Technologies, we want to thank you for watching a blueprint for trusted infrastructure. Remember part one of this series as well as all the videos associated with this program and of course today's program are available on demand at thecube.net with additional coverage at siliconangle.com. And you can go to dell.com/security solutions dell.com/security solutions to learn more about Dell's approach to securing infrastructure. And there's tons of additional resources that can help you on your journey. This is Dave Vellante for theCUBE, your leader in enterprise and emerging tech coverage. 
We'll see you next time.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Jerome | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
Microsoft | ORGANIZATION | 0.99+ |
Dave Valante | PERSON | 0.99+ |
Deepak | PERSON | 0.99+ |
Dell Technologies | ORGANIZATION | 0.99+ |
Mahesh Nager | PERSON | 0.99+ |
Dell | ORGANIZATION | 0.99+ |
Jerome West | PERSON | 0.99+ |
Mahesh | PERSON | 0.99+ |
Dell Technologies | ORGANIZATION | 0.99+ |
demand@thecube.net | OTHER | 0.99+ |
Department of Defense | ORGANIZATION | 0.99+ |
Dave Ante | PERSON | 0.99+ |
second part | QUANTITY | 0.99+ |
first question | QUANTITY | 0.99+ |
VX rail | ORGANIZATION | 0.99+ |
First | QUANTITY | 0.99+ |
two weeks | QUANTITY | 0.99+ |
last year | DATE | 0.99+ |
Deepak Arage | PERSON | 0.99+ |
14 days | QUANTITY | 0.99+ |
second component | QUANTITY | 0.99+ |
second layer | QUANTITY | 0.99+ |
one | QUANTITY | 0.99+ |
today | DATE | 0.99+ |
A Blueprint for Trusted Infrastructure Made Possible | TITLE | 0.99+ |
hundreds | QUANTITY | 0.99+ |
one part | QUANTITY | 0.99+ |
both | QUANTITY | 0.98+ |
VMware | ORGANIZATION | 0.98+ |
VHA | ORGANIZATION | 0.98+ |
coverage@siliconangle.com | OTHER | 0.98+ |
hundred percent | QUANTITY | 0.98+ |
each | QUANTITY | 0.98+ |
vSphere | TITLE | 0.98+ |
dell.com/security | OTHER | 0.98+ |
Armis Closing Thoughts
(lively electronic music) >> Hello, everyone, welcome to the Closing Statement. This program, produced by theCUBE, is called Managing Your Risk Across the Extended Attack Surface with Armis Asset Intelligence Platform. You heard a lot about Armis vulnerability management from the CTO and the co-founder. They have big time customers, testimonials, offering them all up and a big demo to show you how easy their agentless program works and how easy it is to get time to value. It looks like they got a lot of traction with big time customers which is great for the industry to keep pushing ahead with these new security capabilities. This is a big problem that they solve. Having visibility into the entire asset base kind of on this discovery basis brings a Google Maps vibe to lay out all the assets and then understand the context of those. This has kind of given new kind of visibilities to take better action to understand what to protect and when to protect it. Critical assets versus non-critical. Which alerts to look at, what not to. All the data is there on a dashboard so this should help security professionals and operations teams be faster, smarter, more efficient, and enable their developers to develop the best solutions. This is a win for security owners, and managers, and operators, and developers, and you got a great company like ARMIS bringing on a great solution with this new platform. Let's see how it does. They have a bold customer base, and a strong management team, and great technology. This is a CUBE special program, John Furrier, host. Thanks for watching. If you want a deeper dive into the subject, go check out their website armis.com/avm, you can just get a solution brief on all their material, and there's plenty of people to talk to. Thanks for watching. (lively electronic music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
Armis | ORGANIZATION | 0.99+ |
John Furrier | PERSON | 0.99+ |
ARMIS | ORGANIZATION | 0.99+ |
armis.com/avm | OTHER | 0.96+ |
theCUBE | ORGANIZATION | 0.96+ |
Google Maps | TITLE | 0.94+ |
CTO | ORGANIZATION | 0.92+ |
Risk | TITLE | 0.5+ |
Armis | TITLE | 0.5+ |
Debby Briggs & Tyler Cohen Wood | CUBE Conversation
(upbeat music) >> Welcome to this Cube Conversation about women in tech and women in cybersecurity, two things I'm very passionate about. Lisa Martin here, with two guests, Debbie Briggs joins us, the Area Vice President, and Chief Security Officer at NETSCOUT, and Tyler Cohen Wood is here as well, the Founder and CEO of MyConnectedHealth. Ladies, it's an honor to have you on the program. I'm excited to talk to you. >> Thank you so much for having us. >> Completely agree. Tyler and I talked a couple of minutes last week and she has a lot to offer to this. >> I know, I was looking at both of your backgrounds. Very impressive. Tyler, starting with you. I see that you are a nationally recognized Cybersecurity Intelligence, National Security Expert, and former Director of Cyber Risk Management for AT&T. And I also saw that you just won a Top 50 Women in Tech Influencers to Follow for 2021 Award. Congratulations, that's amazing. I would love to know way back in the day, how did you even first become interested in tech? >> Well, it was kind of inevitable that I would go into something like tech because as a kid, I was kind of nerdy. I was obsessed with "Star Trek". I would catalog my "Star Trek" tapes by Stardate. I was just really into it. But when I was in college, I mean, it was the late 90's. Cybersecurity just really wasn't a thing. So I went into music and I worked for a radio station. I loved it, but the format of the radio station changed and I wanted to do something different. And I thought, well, computers. I'll move to San Francisco, and I'm sure I can get a job, 'cause they were hiring anyone with a brain, 'cause it was really the dot com boom. And that's really how I got into it. It was just kind of one of those things. (laughs) >> Did you have, was it like network connection, going from music to tech is quite a jump? >> It's a huge jump. It was, but you know, I was young. I was still fresh out of school. 
I was really interested in learning and I really wanted to get involved in cyber in some capacity, because I became really fascinated with it. So it was just kind of one of those things, that just sort of happened. >> What an interesting talk about a zig-zaggy path. That's a very, very interesting one. And I have to talk about music with you later. That would be interesting. And Debbie, you also have, as Tyler does, 20 years plus experience in cybersecurity. You've been with NETSCOUT since '04. Were you always interested in tech? Did you study engineering or computer science in school, Debbie? >> Yeah, so I think my interest in tech, just like Tyler started at a very young age. I was always interested in how things worked and how people worked. And some day over a drink, I will tell you some funny stories about things I took apart in my parents house, to figure out how it worked. (Lisa and Tyler laughing) They still don't know it. So I guess I- >> I love that. >> I just love that putting it back together, but I took a more traditional route than Tyler did. I do have a degree in Computer Science, went to school a little bit earlier than Tyler. What I would say is, when I was in college, the Computer Science Center was in the basement of the library and we had these really tiny windows and they sort of hit you in the dark. And I think it was my senior year and I went, "I don't want to sit in a room by myself and write code all day and talk to no one." So, you know, I'm a senior and I'm like, "Okay, I got to, this is not, I did not want to write code all day." And so I happened to fall into a great company and moved onto PCs. And from there went to messaging, to networking and into that, I fell into cybersecurity. So I took that more traditional route and I think I've done every job in IT, except for programming, which is what I really got my degree in. >> But you realized early on, you know, "I don't quite think this is for me." 
And that's an important thing for anybody in any career, to really listen to your gut. It's telling you something. I love how you both got into cybersecurity, which is now, especially in the last 18 months, with what we've seen with the threat landscape, such an incredible opportunity for anyone. But I'd like to know there's not a lot of women in tech, as we know we've been talking about this for a long time now. We've got maybe a quarter of women at the technology roles are filled by women. Tyler, talk to me about some of the challenges that you faced along your journey to get where you are today. >> Well, I mean, you know, like I said, when I started, it was like 1999, 2000. And there were even less women in cybersecurity and in these tech roles than there are now. And you know, it was difficult because, you know, I remember at my first job, I was so interested in learning about Unix and I would learn everything, I read everything about it. And I ended up getting promoted over all of my male colleagues. And you know, it was really awkward because there was the assumption, they would just say things like, "Oh, well you got that because you're a woman." And that was not the case, but it's that type of stereotyping, you know, that we've had to deal with in this industry. Now I do believe that is changing. And I've seen a lot of evidence of that. We're getting there, but we're not there yet. >> And I agree. I agree completely with what Tyler said. You know, when I started, you were the only woman in the room, you got promoted over your male counterparts. You know, I would say even 10 years ago, you know, someone was like, "Well, you could go for any CISO role and you'd get the job because you're a woman." And I've had to go and say, "No, I might get an interview because I'm a woman, but you don't get the job just because, you know, you check a box." You know, some of that is still out there, but Tyler you're right, things are changing. 
I think, you know, three things that we all need to focus in on to continue to move us forward and get more women into tech is the first thing is we have to start younger. I think by high school, a lot of girls and young women have been turned off by technology. So maybe, we need to start in the middle school and ensuring that we've got young girls interested. The second thing is, is we have to have mentors. And I always say, if you're in the security industry, you have to turn around and help the next person out. And if that person is a woman, that's great, but we have to mentor others. And it can be young girls, it could be young gentlemen, but we need to mentor that next group up. And you know, if you're in the position to offer internships during the summer, we don't have to stay to the traditional role and go, "Oh, let me hire just intern from the you know IT, they're getting degrees in IT." You can get creative. And my best worker right now was an intern that worked for me, was an intern for me six years ago. And she has a degree in Finance, so nontraditional route into cyber security. And the third thing I think we need to do is, is there things the industry could do to change things and make things, I don't want to say even 'cause they're not uneven, but for example, I forget what survey it was, but if a woman reads a job description and I can do half of it, I'm not going to apply because I don't feel I'll qualify, where men, on the other hand, if they can do three out of ten they'll apply. So do we need to look at the way we write job descriptions, and use different words, you know, rather than must have these skills. You know, sort of leave it a little bit open, like here are the skills we'd like you to have, or have, you know, a handful of the following. So soften some of those job descriptions. And the second thing is once we get women in, we have to be a little bit more, I'll say inclusive. 
So, if you're a high tech company, look at, you know, your sales organization. When you go to big shows, do you pay more attention to men on the floor than women on the floor? If you have a sales event where you get different customers together, is it a golf outing or is it something that's maybe a little bit more inclusive than just male? So those are the three things I think as an industry we have to focus in on, start younger, get them, you know, work on mentorships specifically in cyber, and the third thing is, look at some of the things that we're doing, as companies both in our HR and sales practices. >> That's a great, that last piece of advice, Debbie is fantastic. That's one that I hadn't thought about, but you're right. If a job description is written, for must have all of these things and a woman that goes, "I only got three out of the ten. I'm not going to even get past, you know, the recruiter here." How can we write things differently? I also loved your idea of bringing in people with diverse backgrounds. I've been in marketing for 16 years and I've met very few people that actually have marketing degrees, a lot of people. So you get that diversity of thought. Tyler, what are some of your thoughts about how we can help expand the role of women in technology? Do you agree with some of the things that Debbie said? >> I love what Debbie said. I agree 100%. And I started laughing because I was thinking about all the golf outings that I've been on and I don't play golf. (all laughing) I think that there is an untapped resource because there's a lot of women who are now interested in changing their careers and that's a big pool of people. And I think that making it more accessible and making it so that people understand what the different cyber security or cyber jobs are, because a lot of people just assume that it's coding, or it's, you know, working on AI, but that's not necessarily true. I mean, there's so many different avenues. 
There's marketing, there's forensics, there's incident response. I mean, I could go on and on and on. And oftentimes if people don't know that these types of jobs exist, they're not even going to look for them. So making that more well-known, what the different types of opportunities are to people, I think that that would help kind of open more doors. >> And that goes along beautifully with what Debbie was talking about with respect to mentorship. And I would even add sponsorship in there, but becoming a sponsor of a younger female, who's maybe considering tech or is already in tech to help her navigate the career. Look for the other opportunities. Tyler, as you mentioned, there's a lot to cybersecurity, that is beyond coding and AI for example. So maybe getting the awareness out there more. Did either of you have sponsors when you were early in your career? Are you a sponsor now? Debbie, let's start with you. >> So, I'll answer your first question. I guess I was really fortunate that my first job out of college, I had an internship and I happened to have a female boss. And so, although we may not have called it sponsorship or mentor, she taught me and showed me that, you know, women can be leaders. And she always believed in us and always pushed us to do things beyond what we may have thought we were capable of. Throughout the years, someone once told me that we should all have our own personal board of directors. You know, a group of people that when we're making a decision, that may be life-changing or we're unsure, rather than just having one mentor, having a group of people that you, that you know, they don't have to be in cybersecurity. Yeah, I want someone that's on my board of directors that maybe, is a specialist in cybersecurity, but having other executives in other companies, that can also give you that perspective. You know, so I've always had a personal board of directors. I think I've had three or four different mentors. 
Some of them, I went out and found. Some of them I have joined organizations that have been fortunate enough to become not only a mentor, but a mentee. And I've kept those relationships up over three or four years. And all those people are now on my personal board of directors, that, you know, if I have a life-changing question, I've got a group of people that I can go back on. >> That is brilliant advice. I love that having a... Isn't that great Tyler? Having a personal- >> Yes Yes! >> Board of directors, especially as we look at cybersecurity and the cybersecurity skills gap Tyler has been, I think it's in its 5th year now, which is there's so much opportunity. What we saw in the threat landscape in the last 18, 19 months during the pandemic was this explosion and the attack surface, ransomware becoming a word that even my mom knows these days. What do you advise Tyler for, you talked about really making people much more aware of all of the opportunities within cyber, but when you think about how you would get women interested in cybersecurity specifically, what are some of the key pieces of advice you would offer? >> Well, again, I think I love the board of directors. I love that. That is brilliant, but I really think that it is about finding mentors, and it is about doing the research, and really asking questions. Because if you reach out to someone on LinkedIn, you know, they may just not respond, but chances are some someone will and, you know, most people in this community are very willing to help. And, you know, I found that to be great. I mean, I've got my board of directors too. I realize that now. (Debbie laughs) But I also like to help other people as well, that are just kind of entering into the field or if they're changing their careers. And it's not necessarily just women, it's people that are interested in getting into an aspect of this industry. And this is an industry where, you know, you can jump from this, to this, to this, to this. 
I mean, I think that I've had six different major career shifts still within the cybersecurity realm. So, just because you start off doing one thing doesn't mean that that's what you're going to do forever. There're so many different areas. And it's really interesting. I think about my 11 year old niece and she may very well have a job someday, that doesn't even exist right now. That's how quickly cyber and everything connected is moving. And if you think about it, we are connected, there is a cyber component to every single thing that we do, and that's going to continue to expand and continue to grow. And we need more people to be interested, and to want to get into these careers. And I think also it's important for younger girls to let them know these careers are really fun and they're extremely rewarding. And I mean, I hate to use this as an incentive, but there's also a lot of money that can be made too, and that's an incentive to get, you know, women and girls into these careers as well. >> And Tyler, I think you're right. In addition to that, you're always going to have a job. And I think cyber is a great career for someone that are lifelong learners, because like you said, your 11 year old niece, the job, when she graduates from college, she may have, probably doesn't even exist today. And so I think you have to be a lifelong learner. I think one of the things that people may not be aware of is, you know, for women who may have gone the non-traditional route and got degrees later in life, or took time off to raise children and want to come back to work, cyber security is something that, you know, doesn't have to be a nine to five job. I have, it happens to be a gentleman on my team, who has to get kids on the bus and off the bus. And so we figured out how, you know, he gets up and he works for a couple hours, puts kids on the bus, is in the office. And then he gets the kids off. And once they've had dinner and gone to bed, he puts in a couple more hours. 
And I think, you know, people need to be aware of, there is some flexibility, there is flexibility in cyber jobs. I mean, it's not a nine to five job, it's not like banking. Well, if you were a teller, and your hours are when the bank is open, cyber is 7/24 and jobs can be flexible. And I think people need to be aware of that. >> I agree on the flexibility front, and people also need to be flexible themselves. I do want to ask you both, we're getting low on time, but I've got to ask you, how do you get the confidence, to be, like you said, back in the day, in the room, maybe the only female and I've been in that as well, even in marketing, product marketing years ago. How do you get the confidence to continue moving forward? Even as someone says, "You're only here because you're a female." Tyler, what's your advice to help young women and young men as well fight any sort of challenges that are coming their way? >> I had a mentor when I first moved to the Defense Intelligence Agency, I had an Office Chief and she said to me, "Tyler, you're a Senior Intelligence Officer, you always take a seat at the table. Do not let anyone tell you that you cannot have a seat at the table." And you know, that was good advice. And I think confidence is great. But courage is something that's much more important, because courage is what leads up to confidence. And you really have to believe in yourself and do things that you know are right for you, not because you think it's going to make other people happy. And I think, you know, as women, it's really finding that courage to be brave and to be strong and to be willing to stand out, you know, alone on something, because it's what you care about and what you believe in. And that's really what helps kind of motivate me. >> I love that courage. Debbie, what are your thoughts? 
>> (laughs) So I was going to say, this is going to be really hard to believe, but when I was 16 years old, I was so shy that if I went to a restaurant and someone served me stone cold food, I wouldn't say a word. I would just eat it. If I bought something in a store and I didn't like it, I'd refuse, I just couldn't bring myself to go to that customer service desk and return it. And my first job in high school, was at a fast food place. And I worked for a gentleman who was a little bit of a tyrant, but you know, I learned how to get a backbone very quickly. And I would have to say now looking back, he was probably my first mentor without even trying to do that. He mentored me on how to believe in myself and how to stand up for what's right. So, Tyler, I completely agree with you. And you know, that's something that people think when they get a mentorship, sometimes it's someone going to mentor them on, you know, something tactical, something they want to know how to do, but sometimes what you need to be mentored in, could be, "How do I believe in myself?" Or "How do I find the courage to be that the only female in the room?" And I think that is where some of that mentorship comes from and, you know, I think, you know, if we go back to mentoring at the middle school, there's lots of opportunities, career fairs, the first robotically, get the middle school level, gives all of us an opportunity to sort of mentor girls at that level. And for all the guys out there who have daughters, this is, you know, how to... It's not like you can get a parenting checklist, "Teach my kid courage." And Tyler, I love that word, but I think that's something that we all need to aspire to bring out in others. >> I love that. I love that. >> Okay with that, I think I love both of your stories, are zig-zaggy in certain ways, one in a more direct cybersecurity path, Debbie with yours. Tyler, yours, very different coming from the music industry. But you both have such great advice. 
It's really, I would say, I'm going to add that, open your mind to be open to, you can do anything. As Tyler said, there's a very great possibility that right now the job that your niece who's 11 is going to get in the next 10 years, doesn't exist yet. How exciting is that? To have the opportunity to be open-minded enough and flexible enough to say, "I'm going to try that." And I'm going to learn from my mentors, whether it's a fast food cook, which I wouldn't think would be a direct mentor, and recognizing years later, "Wow, what an impact that person had on me, having the courage to do what I have." And so I would ask you like each one more question in terms of just your inspiration for what you're currently doing. Debbie, as the leader of security for NETSCOUT, what inspires you to continue in your current role and seek more? >> So, I'm a lifelong learner. So, I love to learn cybersecurity. You know, every day is a different day. So, it's definitely the ability to continue to learn and to do new things. But the second thing is, is I think I've always been, I don't want to call it a fixer-upper because cybersecurity isn't a fixer-upper, I'm just always wanted to improve upon things. If I've seen something that I think can do better, or a product that could have something new or better in it, you know, that's what excites me is to give people that feedback and to improve on what we've had out there. You know, you had mentioned, we've got this block of jobs that we can't fill. We have to give feedback and how we get the tools and what we have today smarter, so that if there are less of us, we're working smarter and not harder. And so if there is some low-level tasks that we could put back into tools, and talk to vendors and have them do this for us, that's how I think we start to get our way sort of out of the hole. Tyler, any thoughts on that? >> I again, I love that answer. I mean, I think for me, you know, I do like, it's that problem solving thing too. 
But for me it's also about, it's about compassion. And when I see, you know, a story of some child that's been involved in some kind of cyber bullying attack, or a company that has been broken into, I want to do whatever I can to help people, and to teach people to really protect themselves, so that they feel empowered and they're not afraid of cyber security. So for me, it's also really that drive to really make a difference and really help people. >> And you've both done, I'm sure, so much of that made such a big difference in many communities in which you're involved. I thank you so much for sharing your journeys with me on the program today, and giving such great pointed advice to young men and women, and even some of the older men and women out there that might be kind of struggling about, where do I go next? Your advice is brilliant, ladies. Thank you so much. It's been a pleasure talking with you. >> Thank you. >> Thank you. >> For Debbie Briggs and Tyler Cohen Wood, I'm Lisa Martin. You've been watching this Cube Conversation. (upbeat music)
SUMMARY :
have you on the program. and she has a lot to offer to this. And I also saw that you just won And I thought, well, computers. It was, but you know, I was young. And I have to talk about I will tell you some funny stories And I think it was my I love how you both got into And you know, it was difficult because, I think, you know, you know, the recruiter here." And I think that making it more accessible And I would even add sponsorship in there, that can also give you that perspective. I love that having a... but when you think about how and that's an incentive to get, you know, And I think, you know, I do want to ask you both, And I think, you know, as women, I love that courage. And you know, that's something that I love that. And so I would ask you that feedback and to improve I mean, I think for me, you know, I thank you so much for For Debbie Briggs and Tyler Cohen Wood,
SENTIMENT ANALYSIS :
ENTITIES
Entity | Category | Confidence |
---|---|---|
Debbie | PERSON | 0.99+ |
Tyler | PERSON | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
Debbie Briggs | PERSON | 0.99+ |
Tyler Cohen Wood | PERSON | 0.99+ |
San Francisco | LOCATION | 0.99+ |
Star Trek | TITLE | 0.99+ |
three | QUANTITY | 0.99+ |
1999 | DATE | 0.99+ |
Star Trek | TITLE | 0.99+ |
NETSCOUT | ORGANIZATION | 0.99+ |
2000 | DATE | 0.99+ |
Debby Briggs | PERSON | 0.99+ |
16 years | QUANTITY | 0.99+ |
two guests | QUANTITY | 0.99+ |
100% | QUANTITY | 0.99+ |
20 years | QUANTITY | 0.99+ |
11 | QUANTITY | 0.99+ |
MyConnectedHealth | ORGANIZATION | 0.99+ |
5th year | QUANTITY | 0.99+ |
Lisa | PERSON | 0.99+ |
first question | QUANTITY | 0.99+ |
Defense Intelligence Agency | ORGANIZATION | 0.99+ |
both | QUANTITY | 0.99+ |
AT&T. | ORGANIZATION | 0.99+ |
ten | QUANTITY | 0.99+ |
nine | QUANTITY | 0.99+ |
late 90's | DATE | 0.99+ |
CISCO | ORGANIZATION | 0.99+ |
first job | QUANTITY | 0.99+ |
ORGANIZATION | 0.99+ | |
six years ago | DATE | 0.99+ |
today | DATE | 0.99+ |
second thing | QUANTITY | 0.99+ |
first mentor | QUANTITY | 0.98+ |
last week | DATE | 0.98+ |
Stardate | ORGANIZATION | 0.98+ |
11 year old | QUANTITY | 0.98+ |
three things | QUANTITY | 0.97+ |
one | QUANTITY | 0.97+ |
10 years ago | DATE | 0.97+ |
two things | QUANTITY | 0.97+ |
first | QUANTITY | 0.97+ |
third thing | QUANTITY | 0.95+ |
one mentor | QUANTITY | 0.95+ |
Debby Briggs & Tyler Cohen Wood | CUBE Conversation, October 2021
(upbeat music) >> Welcome to this Cube Conversation about women in tech and women in cybersecurity, two things I'm very passionate about. Lisa Martin here, with two guests, Debbie Briggs joins us, the Area Vice President, and Chief Security Officer at NETSCOUT, and Tyler Cohen Wood is here as well, the Founder and CEO of MyConnectedHealth. Ladies, it's an honor to have you on the program. I'm excited to talk to you. >> Thank you so much for having us. >> Completely agree. Tyler and I talked a couple of minutes last week and she has a lot to offer to this. >> I know, I was looking at both of your backgrounds. Very impressive. Tyler, starting with you. I see that you are a nationally recognized Cybersecurity Intelligence, National Security Expert, and former Director of Cyber Risk Management for AT&T. And I also saw that you just won a Top 50 Women in Tech Influencers to Follow for 2021 Award. Congratulations, that's amazing. I would love to know way back in the day, how did you even first become interested in tech? >> Well, it was kind of inevitable that I would go into something like tech because as a kid, I was kind of nerdy. I was obsessed with "Star Trek". I would catalog my "Star Trek" tapes by Stardate. I was just really into it. But when I was in college, I mean, it was the late 90's. Cybersecurity just really wasn't a thing. So I went into music and I worked for a radio station. I loved it, but the format of the radio station changed and I wanted to do something different. And I thought, well, computers. I'll move to San Francisco, and I'm sure I can get a job, 'cause they were hiring anyone with a brain, 'cause it was really the dot com boom. And that's really how I got into it. It was just kind of one of those things. (laughs) >> Did you have, was it like network connection, going from music to tech is quite a jump? >> It's a huge jump. It was, but you know, I was young. I was still fresh out of school. 
I was really interested in learning and I really wanted to get involved in cyber in some capacity, because I became really fascinated with it. So it was just kind of one of those things, that just sort of happened. >> What an interesting talk about a zig-zaggy path. That's a very, very interesting one. And I have to talk about music with you later. That would be interesting. And Debbie, you also have, as Tyler does, 20 years plus experience in cybersecurity. You've been with NETSCOUT since '04. Were you always interested in tech? Did you study engineering or computer science in school, Debbie? >> Yeah, so I think my interest in tech, just like Tyler started at a very young age. I was always interested in how things worked and how people worked. And some day over a drink, I will tell you some funny stories about things I took apart in my parents house, to figure out how it worked. (Lisa and Tyler laughing) They still don't know it. So I guess I- >> I love that. >> I just love that putting it back together, but I took a more traditional route than Tyler did. I do have a degree in Computer Science, went to school a little bit earlier than Tyler. What I would say is, when I was in college, the Computer Science Center was in the basement of the library and we had these really tiny windows and they sort of hit you in the dark. And I think it was my senior year and I went, "I don't want to sit in a room by myself and write code all day and talk to no one." So, you know, I'm a senior and I'm like, "Okay, I got to, this is not, I did not want to write code all day." And so I happened to fall into a great company and moved onto PCs. And from there went to messaging, to networking and into that, I fell into cybersecurity. So I took that more traditional route and I think I've done every job in IT, except for programming, which is what I really got my degree in. >> But you realized early on, you know, "I don't quite think this is for me." 
And that's an important thing for anybody in any career, to really listen to your gut. It's telling you something. I love how you both got into cybersecurity, which is now, especially in the last 18 months, with what we've seen with the threat landscape, such an incredible opportunity for anyone. But I'd like to know there's not a lot of women in tech, as we know we've been talking about this for a long time now. We've got maybe a quarter of women at the technology roles are filled by women. Tyler, talk to me about some of the challenges that you faced along your journey to get where you are today. >> Well, I mean, you know, like I said, when I started, it was like 1999, 2000. And there were even less women in cybersecurity and in these tech roles than there are now. And you know, it was difficult because, you know, I remember at my first job, I was so interested in learning about Unix and I would learn everything, I read everything about it. And I ended up getting promoted over all of my male colleagues. And you know, it was really awkward because there was the assumption, they would just say things like, "Oh, well you got that because you're a woman." And that was not the case, but it's that type of stereotyping, you know, that we've had to deal with in this industry. Now I do believe that is changing. And I've seen a lot of evidence of that. We're getting there, but we're not there yet. >> And I agree. I agree completely with what Tyler said. You know, when I started, you were the only woman in the room, you got promoted over your male counterparts. You know, I would say even 10 years ago, you know, someone was like, "Well, you could go for any CISO role and you'd get the job because you're a woman." And I've had to go and say, "No, I might get an interview because I'm a woman, but you don't get the job just because, you know, you check a box." You know, some of that is still out there, but Tyler you're right, things are changing. 
I think, you know, three things that we all need to focus in on to continue to move us forward and get more women into tech is the first thing is we have to start younger. I think by high school, a lot of girls and young women have been turned off by technology. So maybe, we need to start in the middle school and ensuring that we've got young girls interested. The second thing is, is we have to have mentors. And I always say, if you're in the security industry, you have to turn around and help the next person out. And if that person is a woman, that's great, but we have to mentor others. And it can be young girls, it could be young gentlemen, but we need to mentor that next group up. And you know, if you're in the position to offer internships during the summer, we don't have to stay to the traditional role and go, "Oh, let me hire just intern from the you know IT, they're getting degrees in IT." You can get creative. And my best worker right now was an intern that worked for me, was an intern for me six years ago. And she has a degree in Finance, so nontraditional route into cyber security. And the third thing I think we need to do is, is there things the industry could do to change things and make things, I don't want to say even 'cause they're not uneven, but for example, I forget what survey it was, but if a woman reads a job description and I can do half of it, I'm not going to apply because I don't feel I'll qualify, where men, on the other hand, if they can do three out of ten they'll apply. So do we need to look at the way we write job descriptions, and use different words, you know, rather than must have these skills. You know, sort of leave it a little bit open, like here are the skills we'd like you to have, or have, you know, a handful of the following. So soften some of those job descriptions. And the second thing is once we get women in, we have to be a little bit more, I'll say inclusive. 
So, if you're a high tech company, look at, you know, your sales organization. When you go to big shows, do you pay more attention to men on the floor than women on the floor? If you have a sales event where you get different customers together, is it a golf outing or is it something that's maybe a little bit more inclusive than just male? So those are the three things I think as an industry we have to focus in on, start younger, get them, you know, work on mentorships specifically in cyber, and the third thing is, look at some of the things that we're doing, as companies both in our HR and sales practices. >> That's a great, that last piece of advice, Debbie is fantastic. That's one that I hadn't thought about, but you're right. If a job description is written, for must have all of these things and a woman that goes, "I only got three out of the ten. I'm not going to even get past, you know, the recruiter here." How can we write things differently? I also loved your idea of bringing in people with diverse backgrounds. I've been in marketing for 16 years and I've met very few people that actually have marketing degrees, a lot of people. So you get that diversity of thought. Tyler, what are some of your thoughts about how we can help expand the role of women in technology? Do you agree with some of the things that Debbie said? >> I love what Debbie said. I agree 100%. And I started laughing because I was thinking about all the golf outings that I've been on and I don't play golf. (all laughing) I think that there is an untapped resource because there's a lot of women who are now interested in changing their careers and that's a big pool of people. And I think that making it more accessible and making it so that people understand what the different cyber security or cyber jobs are, because a lot of people just assume that it's coding, or it's, you know, working on AI, but that's not necessarily true. I mean, there's so many different avenues. 
There's marketing, there's forensics, there's incident response. I mean, I could go on and on and on. And oftentimes if people don't know that these types of jobs exist, they're not even going to look for them. So making that more well-known, what the different types of opportunities are to people, I think that that would help kind of open more doors. >> And that goes along beautifully with what Debbie was talking about with respect to mentorship. And I would even add sponsorship in there, but becoming a sponsor of a younger female, who's maybe considering tech or is already in tech to help her navigate the career. Look for the other opportunities. Tyler, as you mentioned, there's a lot to cybersecurity, that is beyond coding and AI for example. So maybe getting the awareness out there more. Did either of you have sponsors when you were early in your career? Are you a sponsor now? Debbie, let's start with you. >> So, I'll answer your first question. I guess I was really fortunate that my first job out of college, I had an internship and I happened to have a female boss. And so, although we may not have called it sponsorship or mentor, she taught me and showed me that, you know, women can be leaders. And she always believed in us and always pushed us to do things beyond what we may have thought we were capable of. Throughout the years, someone once told me that we should all have our own personal board of directors. You know, a group of people that when we're making a decision, that may be life-changing or we're unsure, rather than just having one mentor, having a group of people that you, that you know, they don't have to be in cybersecurity. Yeah, I want someone that's on my board of directors that maybe, is a specialist in cybersecurity, but having other executives in other companies, that can also give you that perspective. You know, so I've always had a personal board of directors. I think I've had three or four different mentors. 
Some of them, I went out and found. Some of them I have joined organizations that have been fortunate enough to become not only a mentor, but a mentee. And I've kept those relationships up over three or four years. And all those people are now on my personal board of directors, that, you know, if I have a life-changing question, I've got a group of people that I can go back on. >> That is brilliant advice. I love that having a... Isn't that great Tyler? Having a personal- >> Yes Yes! >> Board of directors, especially as we look at cybersecurity and the cybersecurity skills gap Tyler has been, I think it's in its 5th year now, which is there's so much opportunity. What we saw in the threat landscape in the last 18, 19 months during the pandemic was this explosion and the attack surface, ransomware becoming a word that even my mom knows these days. What do you advise Tyler for, you talked about really making people much more aware of all of the opportunities within cyber, but when you think about how you would get women interested in cybersecurity specifically, what are some of the key pieces of advice you would offer? >> Well, again, I think I love the board of directors. I love that. That is brilliant, but I really think that it is about finding mentors, and it is about doing the research, and really asking questions. Because if you reach out to someone on LinkedIn, you know, they may just not respond, but chances are someone will and, you know, most people in this community are very willing to help. And, you know, I found that to be great. I mean, I've got my board of directors too. I realize that now. (Debbie laughs) But I also like to help other people as well, that are just kind of entering into the field or if they're changing their careers. And it's not necessarily just women, it's people that are interested in getting into an aspect of this industry. And this is an industry where, you know, you can jump from this, to this, to this, to this. 
I mean, I think that I've had six different major career shifts still within the cybersecurity realm. So, just because you start off doing one thing doesn't mean that that's what you're going to do forever. There're so many different areas. And it's really interesting. I think about my 11 year old niece and she may very well have a job someday, that doesn't even exist right now. That's how quickly cyber and everything connected is moving. And if you think about it, we are connected, there is a cyber component to every single thing that we do, and that's going to continue to expand and continue to grow. And we need more people to be interested, and to want to get into these careers. And I think also it's important for younger girls to let them know these careers are really fun and they're extremely rewarding. And I mean, I hate to use this as an incentive, but there's also a lot of money that can be made too, and that's an incentive to get, you know, women and girls into these careers as well. >> And Tyler, I think you're right. In addition to that, you're always going to have a job. And I think cyber is a great career for someone that are lifelong learners, because like you said, your 11 year old niece, the job, when she graduates from college, she may have, probably doesn't even exist today. And so I think you have to be a lifelong learner. I think one of the things that people may not be aware of is, you know, for women who may have gone the non-traditional route and got degrees later in life, or took time off to raise children and want to come back to work, cyber security is something that, you know, doesn't have to be a nine to five job. I have, it happens to be a gentlemen on my team, who has to get kids on the bus and off the bus. And so we figured out how, you know, he gets up and he works for a couple hours, puts kids on the bus, is in the office. And then he gets the kids off. And once they've had dinner and gone to bed, he puts in a couple more hours. 
And I think, you know, people need to be aware of, there is some flexibility, there is flexibility in cyber jobs. I mean, it's not a nine to five job, it's not like banking. Well, if you were teller, and your hours are when the bank is open, cyber is 7/24 and jobs can be flexible. And I think people need to be aware of that. >> I agree on the flexibility front, and people also need to be flexible themselves. I do want to ask you both, we're getting low on time, but I've got to ask you, how do you get the confidence, to be, like you said, back in the day, in the room, maybe the only female and I've been in that as well, even in marketing, product marketing years ago. How do you get the confidence to continue moving forward? Even as someone says, "You're only here because you're a female." Tyler, what's your advice to help young women and young men as well fight any sort of challenges that are coming their way? >> I had a mentor when I first moved to the Defense Intelligence Agency, I had an Office Chief and she said to me, "Tyler, you're a Senior Intelligence Officer, you always take a seat at the table. Do not let anyone tell you that you cannot have a seat at the table." And you know, that was good advice. And I think confidence is great. But courage is something that's much more important, because courage is what leads up to confidence. And you really have to believe in yourself and do things that you know are right for you, not because you think it's going to make other people happy. And I think, you know, as women, it's really finding that courage to be brave and to be strong and to be willing to stand out, you know, alone on something, because it's what you care about and what you believe in. And that's really what helps kind of motivate me. >> I love that courage. Debbie, what are your thoughts? 
>> (laughs) So I was going to say, this is going to be really hard to believe, but when I was 16 years old, I was so shy that if I went to a restaurant and someone served me stone cold food, I wouldn't say a word. I would just eat it. If I bought something in a store and I didn't like it, I'd refuse, I just couldn't bring myself to go to that customer service desk and return it. And my first job in high school was at a fast food place. And I worked for a gentleman who was a little bit of a tyrant, but you know, I learned how to get a backbone very quickly. And I would have to say now looking back, he was probably my first mentor without even trying to do that. He mentored me on how to believe in myself and how to stand up for what's right. So, Tyler, I completely agree with you. And you know, that's something that people think when they get a mentorship, sometimes it's someone going to mentor them on, you know, something tactical, something they want to know how to do, but sometimes what you need to be mentored in, could be, "How do I believe in myself?" Or "How do I find the courage to be the only female in the room?" And I think that is where some of that mentorship comes from and, you know, I think, you know, if we go back to mentoring at the middle school, there's lots of opportunities, career fairs, the first robotically, get the middle school level, gives all of us an opportunity to sort of mentor girls at that level. And for all the guys out there who have daughters, this is, you know, how to... It's not like you can get a parenting checklist, "Teach my kid courage." And Tyler, I love that word, but I think that's something that we all need to aspire to bring out in others. >> I love that. I love that. >> Okay with that, I think I love both of your stories, are zig-zaggy in certain ways, one in a more direct cybersecurity path, Debbie with yours. Tyler, yours, very different coming from the music industry. But you both have such great advice. 
It's really, I would say, I'm going to add that, open your mind to be open to, you can do anything. As Tyler said, there's a very great possibility that right now the job that your niece who's 11 is going to get in the next 10 years, doesn't exist yet. How exciting is that? To have the opportunity to be open-minded enough and flexible enough to say, "I'm going to try that." And I'm going to learn from my mentors, whether it's a fast food cook, which I wouldn't think would be a direct mentor, and recognizing years later, "Wow, what an impact that person had on me, having the courage to do what I have." And so I would ask you like each one more question in terms of just your inspiration for what you're currently doing. Debbie, as the leader of security for NETSCOUT, what inspires you to continue in your current role and seek more? >> So, I'm a lifelong learner. So, I love to learn cybersecurity. You know, every day is a different day. So, it's definitely the ability to continue to learn and to do new things. But the second thing is, is I think I've always been, I don't want to call it a fixer-upper because cybersecurity isn't a fixer-upper, I'm just always wanted to improve upon things. If I've seen something that I think can do better, or a product that could have something new or better in it, you know, that's what excites me is to give people that feedback and to improve on what we've had out there. You know, you had mentioned, we've got this block of jobs that we can't fill. We have to give feedback and how we get the tools and what we have today smarter, so that if there are less of us, we're working smarter and not harder. And so if there is some low-level tasks that we could put back into tools, and talk to vendors and have them do this for us, that's how I think we start to get our way sort of out of the hole. Tyler, any thoughts on that? >> I again, I love that answer. I mean, I think for me, you know, I do like, it's that problem solving thing too. 
But for me it's also about, it's about compassion. And when I see, you know, a story of some child that's been involved in some kind of cyber bullying attack, or a company that has been broken into, I want to do whatever I can to help people, and to teach people to really protect themselves, so that they feel empowered and they're not afraid of cyber security. So for me, it's also really that drive to really make a difference and really help people. >> And you've both done, I'm sure, so much of that made such a big difference in many communities in which you're involved. I thank you so much for sharing your journeys with me on the program today, and giving such great pointed advice to young men and women, and even some of the older men and women out there that might be kind of struggling about, where do I go next? Your advice is brilliant, ladies. Thank you so much. It's been a pleasure talking with you. >> Thank you. >> Thank you. >> For Debbie Briggs and Tyler Cohen Wood, I'm Lisa Martin. You've been watching this Cube Conversation. (upbeat music)
Sam Werner, IBM and Brent Compton, Red Hat | KubeCon + CloudNativeCon NA 2020
>> From around the globe, it's the Cube with coverage of KubeCon and CloudNativeCon North America 2020 Virtual, brought to you by Red Hat, the Cloud Native Computing Foundation and ecosystem partners. Hey, welcome back, everybody. Jeffrey here with the Cube coming to you from our Palo Alto studios with our ongoing coverage of KubeCon CloudNativeCon 2020 North America. Of course, it's virtual like everything else is in 2020, but we're excited to be back. It's a terrific show, and we're excited our next guest. So let's introduce him. And we've got Sam Werner, the VP of offering manager and business line executive for storage for IBM. Sam, great to see you. >> Great to be here. >> And also joining us is Brent Compton. He's a senior director of data services for Red Hat. Great to see you, Brent. >> Thank you. >> So let's jump into it. Cloud native. Everything's about cloud native. Everything's about containers. Everything is about kind of containerization and flexibility. But then there's this thing in the back end called storage. We actually have to keep this stuff and record this stuff and have data protection for this stuff and business resiliency. Love to jump into it, so let's, you know, where does storage fit within a container world? And how has the growth of containers and the adoption of containers really had you rethink the way that you think about storage and how clients think about storage? Sam, let's start with you. >> I mean, it's a great question. And first off, I'm really excited about another KubeCon. Uh, we did Europe, now, uh, doing North America, so very excited to be, you know, seeing all the, you know, all the news and all the people talking about the advancements around Kubernetes. And we're very excited about it. Now, you asked a very good question. Important question. 
We're seeing an acceleration of digital transformation, and the people that are going through this digital transformation are using containers to now modernize the rest of their infrastructure. The interesting thing about it, though, is those initiatives are being driven out of the application teams, the business lines in an organization, and a lot of them don't understand that there's a lot of complexity to this storage piece here. So the storage teams I talk to are all of a sudden getting these initiatives thrown on them or a kind of halfway their strategy. And they're scratching their heads, trying to figure out now how they can support these applications with persistent storage. Because that's not where containers started. They started with microservices, and now, now they're in a quandary. They have to deliver a certain SLA to their customers, and they're trying to figure out how they do it in this new environment, which in a lot of cases has been designed outside of their scope. So they're seeing issues with data protection. Some of the kind of core things that they've been dealing with for years, they're now having to solve all over again. So that's what we're working on helping them with, reinventing how storage is deployed to help them deliver the same level of security, availability and everything they have in the past, uh, in these new environments. >>Right. So, yeah, e say you've been involved in this for a long time. You know, you've worked in hyperconverged. You've worked in big data. You know, the evolution of big data continues to change, as ultimately we want to get people the information to make good decisions, but we've gone through a lot of integrations over the years. So how is it different? You know? Now how is it different with containers? What can we finally do you as a as an architect that we couldn't do before? >>Infrastructure as code. 
That's, I think, one of the fundamental differences of the storage admin of yesteryear versus storage admin of today. Today, as Sam mentioned, as people are developing and deploying applications, those applications need to dynamically provision the infrastructure, dynamically provision what they need from compute, dynamically provision what they need from storage, dynamically provision network paths, and so that element of infrastructure as code, a dynamically provisioned infrastructure, is very different from, well, from yesterday, when applications or teams needed to, well, when they needed storage, they would, you know, they would file a ticket and typically wait. Now they make an API call and storage is dynamically provisioned and provided to their application. >>But what I think is hard to understand for the layman, and maybe it's just me, right? It's very easy to understand dynamic infrastructure around, um, compute, right, I'm Pepsi. I'm running it out for the Super Bowl. I need, I know how much people are gonna hit by hit my site and it's kind of easy to understand. Dynamic provisioning around networking, again, for the same example. What's less easy to understand is dynamic provisioning for storage. It's one thing to say, you know, there's a pool of storage resources that I'm going to dynamically provision for this particular app at this particular moment. But one of the whole things about the dynamic is not only is it available when you need it, but I could make it big, and conversely, I could make it smaller or go away. I get that for servers, and I kind of get that for networking, supporting an application and that example I just talked about. But it doesn't go away a lot of the time for storage, right? That's important data that's maybe feeding another process. 
There's all kinds of rules and regulations. So when you talk about dynamic infrastructure for storage, it makes a lot of sense for grabbing some to provision for some new application. But it's hard to understand in terms of true dynamics, in terms of either scaling down or scaling up or turning off when I don't particularly need that much capacity or even that application right now. How does it work within storage versus No, just servers or I'm grabbing them and then I'm putting it back in the pool. >>Let me start on this one, and then I'm gonna hand it off to Brent. Um, you know, let's not forget, by the way, that enterprises have very significant investments in infrastructure and they're able to deliver six nines of availability on their storage. And they have DR worked out and all of their security, encryption, everything. It's already in place, and they're sure that they can deliver on their SLAs. So they want to start with that. You have to leverage that investment. So first of all, you have to figure out how to automate that into the environment, that existing SAN, and that's where things like, uh, APIs, the Container Storage Interface, CSI drivers come in. IBM provides that across your entire portfolio, allowing you to integrate your storage into a Kubernetes environment, into an OpenShift environment, so that it can be automated, but you have to go beyond that and be able to extend that environment, then, into other infrastructure, for example, into a public cloud. So with the IBM FlashSystem family, with our Spectrum Virtualize software, we're actually able to deploy that storage layer not only on-prem on our award-winning arrays, but we can also do it in the cloud. So we allow you to take your existing infrastructure investments and integrate that into your Kubernetes environment and, using things like Ansible, fully automated environment. I'll get into data protection before we're done talking. 
But I do want Brent to talk a bit about how container native storage comes into that next as well, on how you can start building out new environments for, uh, for your applications. >>Yeah, what the two of you are alluding to is effectively Kubernetes services layer, which is not storage. It consumes storage from the infrastructure. As Sam said, just because people deploy Kubernetes cluster doesn't mean that they go out and get an entirely new infrastructure for that. If they're deploying their Kubernetes cluster on premises, they have servers. If they're deploying their Kubernetes cluster on AWS or on Azure or on GCP, they have infrastructure there. Uh, what the two of you are alluding to is that services layer, which is independent of storage, that can dynamically provision, provide data protection services. As I mentioned, we have good stuff to talk about there relative to data protection services for Kubernetes clusters. But it's the abstraction layer or data services layer that sits on top of storage, which is different. So the basics of storage underneath in the infrastructure, you know, remain the same, Jeff. But the how that storage is provisioned and this abstraction layer of services which sits on top of the storage, storage might be IBM FlashSystem array storage, maybe EMC SAN storage, maybe AWS EBS. That's the storage infrastructure. But this abstraction layer that sits on top, this data services layer, is what allows for the dynamic interaction of applications with the underlying storage infrastructure. >>And then again, just for people that aren't completely tuned in, then what's the benefit to the application developer, provider, distributor with that type of an infrastructure behind? And what can they do that they just couldn't do before? >>Well, I mean, look, we're, uh, I mean, we're trying to solve the same problem over and over again, right? 
It's always about helping application developers build applications more quickly, helps them be more agile. IT is always trying to keep up with the application developer and always struggles to. In fact, that's where the emergence of cloud really came from. Just trying to keep up with the developer. So by giving them that automation, it gives them the ability to provision storage in real time, of course, without having to open a ticket like Brent said. But really, the Holy Grail here is getting to a develop-once, deploy-anywhere model. That's what they're trying to get to. So having an automated storage layer allows them to do that and ensure that they have access to storage and data, no matter where their application gets it. >>Right, right, that pesky little detail. When I have to develop that app, it does have to sit somewhere, and I don't think storage really has gotten enough of the bright light, really, in kind of this app centric, developer centric world. We talk all the time about having compute available and software defined networking. But you know, having this software defined storage that lives comfortably in this container world is pretty interesting and a great development. I want to shift gears a little bit. >>Just one thing. >>Go ahead. >>Plus one to Sam's comments there. All the application developer wants, they want an API and they want the same API to provision the storage regardless of where their app is running. The rest of the details they usually don't care about. Sure, they want it to perform, whatnot. Give them an API and make it the same regardless of where they're running the app. >>Because not only do they want it to perform, they probably just presume performance, right? I mean, that's the other thing, is that the best in class quickly becomes presumed baseline in a very short period of time. So you've got to just, you just got to just deliver the goods, right? They're gonna get frustrated and not be productive. 
But I wanted to shift gears a little bit and talk about some of the macro trends. Right? We're here towards the end of 2020. Obviously, COVID had a huge impact on business in a lot of different ways. And it's really evolved from March, this light switch moment, everybody work from home, to now this kind of extended time that's probably gonna go on for a while. I'm just curious, some of the things that you've seen with your customers, not so much at the beginning, because that was a special and short period of time, but more as we've extended and are looking to, um, probably extend this for a while, you know, what is the impact of this increased work from home, increased attack surface? You know, some of these macro things that we're seeing that COVID has caused, and any other kind of macro trends beyond just this containerization that you guys are seeing impacting your world. Start with you, Sam. >>You know, I don't think it's actually changed what people were going to do or the strategy. What I've seen it do is accelerate things and maybe change the way they're getting there. And so they're actually, a lot of enterprises are running into challenges more quickly than they thought they would. And so they're coming to us and asking us to help them solve them, for example, backing up their data in these container environments. As you move mission critical applications that maybe were gonna move more slowly, they're realizing that as they've moved them, they can't get the level of data protection they need. And that's why actually we just announced, at the end of October, updates to our modern data protection portfolio. It now is containerized. It could be deployed very easily in an automated fashion, but on top of that, it integrates down into the API layer, down into CSI drivers, and allows you to do container-aware snapshots of your applications so you could do operational recovery. 
If there's some sort of an event you can recover from that, you can do DR, and you can even use it for data migration. So we're helping them accelerate. So the biggest, I think, requests I'm getting from our customers are, how can you help us accelerate? And how can you help us fix these problems that we went running into as we tried to accelerate our digital transformation? >>Brent, anyone that you wanna highlight? >>Mm. Okay. Ironically, one of my team was just speaking with one of the cruise lines, um, two days ago. We all know what's happened to them. So if we just use them as an example, clearly our customers need to do things differently now. So plus one to Sam's statement about acceleration, and I would add another word to that, which is agility. You know, frankly, they're having to do things in ways they never envisioned 10 months ago. So their need to cut cycle times to deploy effectively new ways of how they transact business has resulted in accelerated pull for these types of infrastructure as code technologies. >>That's great. The one that jumped in my mind, Sam, as you were talking. We've had a lot of conversations. Obviously security always comes up and baking security in is a theme. But ransomware as a specific type of security threat, and the fact that these guys not only wanna lock up your data, but they want to go in and find the backup copies and, you know, and really mess you up, so it sounds like that's even more important to have the safe. And we're hearing, you know, all these conversations about air gaps and dynamic air gaps and, you know, can we get air gaps and some of these infrastructure set up so that we can, you know, put those backups, um, and recovery data sets in a safe place so that if we have a ransomware issue, getting back online is a really, really important thing, and it seems to just be increasing every day. 
We're seeing things, you know, you can actually break the law sometimes if you pay the ransom, because of where these people operate. There's all kind of weird stuff that's coming out of it. Ransomware is a very specific, you know, kind of type of security threat that even elevates, you know, kind of business continuity and resiliency on a whole nother level for this one particular risk factor. Wonder if you're seeing some of that as well. >>It's a great point. In fact, it's clearly an industry that was resilient to a pandemic, because we've seen it increase. This is organized crime at this point, right? This isn't the old days of hackers, you know, playing around. This is organized crime and it is accelerating. And that's one thing I'm really glad you brought up. It's an area we've been really focused on across our whole portfolio. Of course, IBM tape offers the best, most of the actual real air gapping, physical air gapping. We could take a cartridge offline. But beyond that we offer you the ability to do, you know, different types of logical air gaps, whether it's to a cloud we support. In fact, we just announced now, Spectrum Protect, we have support for Google Cloud. We already supported AWS, Azure, IBM Cloud. So we give you the ability to do logical air gapping off to those different cloud environments. We give you the ability to use WORM capability so you can put your backups in a vault that can't be changed. So we give you lots of different ways to do it. In our high end enterprise storage, we offer something called Safeguarded Copy, where we'll actually take data offline that could be recovered almost instantly. Something very unique to our storage that gives you, for the most mission critical applications, the fastest path to recovery. One of the things we've seen is some of our customers have done a great job creating a copy. 
But when the event actually happens, they find it's gonna take too long to recover the data and they end up having to pay the ransom anyway. So you really have to think through an end-to-end strategy, and we're able to help customers do a kind of health check of their environment and figure out the right strategy. We have some offerings to help come in and do that for our customers. >>Shift gears a little bit. Uh, we were at AnsibleFest earlier this year and a lot of talk about automation. Obviously, Ansible's part of the Red Hat family, which is part of the IBM family. But, you know, we're seeing more and more conversations about automation, about, you know, moving the mundane and the error prone and all the things that we shouldn't be doing as people and letting people do more high value stuff. Wonder if you could talk a little bit about the role of automation, the kind of development of automation and how you're seeing that, you know, impact your deployments. >>Right. You want to take that one first? >>Yeah, sure. Um, so the first is, um, when you think about individual Kubernetes clusters, there's a level of automation that's required there. I mean, that's the fundamental. I mean, back to the infrastructure as code, that's inherently, that's automation. To effectively declare the state of what you want your application, your cluster to be, and that's the essence of Kubernetes. You declare what the state is, and then you pass that declaration to Kubernetes, and it makes it so. So there's the Kubernetes level automation. But then there's, you know, what happens for larger enterprises when you have, you know, tens or hundreds of Kubernetes clusters. So that's an area, Jeff, you mentioned Ansible. Now that's an area of, you know, the work that Red Hat's doing in the community for multi cluster management, actually in the community and together with IBM, for automating the management of multiple clusters. 
And last thing I'll touch on here is that's particularly important as you go to the edge. I mean, this is all well and good when you're talking about, you know, safe raised floor data center environments. But what happens when your tens or hundreds or even thousands of Kubernetes clusters are running in an oil field somewhere? Automation becomes not only nice to have, but it's fundamental to the operation. >>Yeah, but let me just add onto that real quick. You know, it's funny, because actually, in this COVID era, you're starting to see that same requirement in the data center, in the core data center. In fact, I would say that because there's less bodies now in the data center, more people working remotely, the automation, the need for automation is actually accelerating as well. So I think what you said is actually true for the core data center now as well. >>Right. So I wanna give you guys the last word before we close the segment. Um, I'm gonna start with you, Brent. Really, from a perspective of big data, and you've been involved again in big data for a long time. As you look back at kind of the data warehouse era, and then we had kind of this whole rage with the Hadoop era, and, you know, we just continue to get more and more sophisticated with big data processes and applications. But at the end of the day, it's still about getting the right data to the right person at the right time to do something about it. I wonder if you can, you know, kind of reflect over that journey and where we are now in terms of this mission of getting, you know, the right data to the right person at the right time so they could make the right decision. >>I think I'll close with accessibility. Um, these days, we, you know, the data scientists and data engineers that we work with, the key problem that they have is accessibility and sharing of data. I mean, this has been wonderfully manifest. In fact, we did some work with the province of Ontario. 
You could look that up, hashtag HowsMyFlattening. So the work with them to get a pool of data scientists in the community in the province of Ontario, Canada, to work together to understand how to track COVID cases and such, so that government could make intelligent responses and policy based on the facts. So that need highlights the accessibility that's required from today's, you know, yesteryear, it was maybe, uh, smaller groups of individual data scientists working in silos. Now it's people across industry, as manifest by that. They need accessibility as well as agility. They need to be able to spin up an environment that will allow them to, in this case, um, to develop and deploy inference models using shared data sets without going through years of design. So accessibility, and back to the acceleration and agility that Sam talked about. So I'll close with those words. >>That's great. And consistent with that, democratization too is another word that we hear, you know, over and over again in terms of, you know, getting it out of the hands of the data scientists and getting it into the hands of the people who are making frontline business decisions every day. And Sam, for you, for your close, I'd love for you to reflect on kind of the changing environment in terms of your requirements for the types of workloads that you now are, you know, looking to support. So it's not just taking care of the data center and relatively straightforward stuff. But you've got hybrid. You've got multi cloud, not to mention all the media, the developments in the media between tape and obviously flash, um, spinning drives. But you know, really, we've seen this huge thing with flash. But now, with cloud and the increased kind of autumn autonomy ization of units to be able to apply big batches and small batches to particular workloads across all these different requirements. 
Wonder if you could just share a little bit about how you guys are thinking about, you know, modernizing storage and moving storage forward. What are some of your, what are some of your priorities? What are you looking forward to, uh, to be able to deliver, you know, basically the stuff underneath all these other applications. I mean, applications basically is data whether you I and some in some computer on top. You guys something underneath the whole package? >>Yeah. Yeah. You know, first of all, you know, back to what Brent was saying, uh, data could be the most valuable asset of an enterprise. It could give an enterprise an incredible, uh, competitive advantage as an incumbent if you could take advantage of that data using modern analytics and AI. So it could be your greatest asset. And it can also be the biggest inhibitor to digital transformation if you don't figure out how to build a new type of modern infrastructure to support access to that data and support these new deployment models of your application. So you have to think that through. And that's not just for your big data, which, the big data, of course, is extremely important and growing at incredible pace, all this unstructured data. You also have to think about your mission critical applications. We see a lot of people going through their transformation and modernization of SAP with the move to S/4HANA. They have to think about how that fits into a multi cloud environment. They need to think about the life cycle of their data as they go into these new modern environments. And, yes, tape is still a very vibrant part of that deployment. So what we're working on, and IBM has always been a leader in software defined storage. We have an incredible portfolio of capabilities. We're working on modernizing that software to help you automate your infrastructure and ensure you can deliver enterprise-class SLAs. 
Nobody's going to alleviate the requirements of having, you know, near perfect availability. You don't, because you're moving into a Kubernetes environment, get a break on your downtime. So we're able to give that real enterprise class support for doing that. One of the things we just announced at the end of October was we've containerized our Spectrum Scale client, allowing you now to automate the deployment of your cluster file system through Kubernetes. So you'll see more and more of that. We're offering you leading modern native protection for Kubernetes, will be the first to integrate with OCP and OpenShift Container Storage for data protection. And our FlashSystem family will continue to be on the leading edge of the curve around Ansible automation and CSI integration with who are already, so we'll continue to focus on that and ensure that you could take advantage of our world class storage products in your new modern environment. And, of course, giving you that portability between on-prem and any cloud that you choose to run in. >>Exciting times. No shortage of job security for you, gentlemen, that's for sure. All right, well, Brent, Sam, thanks for taking a few minutes and, uh, it's great to catch up. And again, congratulations on the success. >>Thank you. >>Thank you. >>Thank you. Alrighty, he's Sam, he's Brent, I'm Jeff. You're watching theCUBE's continuing coverage of KubeCon CloudNativeCon North America 2020. Thanks for watching. We'll see you next time.
John F Thompson V1 FOR REVIEW
>> Narrator: From around the globe. It's theCUBE covering space in cybersecurity symposium 2020 hosted by Cal Poly. >> Hello, everyone. Welcome to the space and cybersecurity symposium, 2020 hosted by Cal Poly where the intersection of space and security are coming together. I'm John Furrier, your host with theCUBE here in California. I want to welcome our featured guest, Lieutenant General, John F. Thompson with the United States Space Force approach to cybersecurity. That's the topic of this session. And of course he's the commander of the space and missile system center in Los Angeles Air Force Base. Also heading up Space Force. General, thank you for coming on. I really appreciate you kicking this off. Welcome to the symposium. >> Hey, so thank you very much, John, for that very kind introduction. Also very much thank you to Cal Poly for this opportunity to speak to this audience today. Also a special shout out to one of the organizers, Dustin Debrun, for all of his work, helping get us to this point. Ladies and gentlemen, as John mentioned, I'm JT Thompson. I lead the 6,000 men and women of the United States Space Force's Space and Missile System Center, which is headquartered here at Los Angeles Air Force Base in El Segundo. If you're not quite sure where that's at, it's about a mile and a half from LAX. This is our main operating location, but we do have a number of other operating locations around the country. We're about 500 people at Kirtland Air Force Base in Albuquerque, New Mexico, and about another 500 people on the front range of the Rockies between Colorado Springs and Denver plus a smattering of other much smaller operating locations nationwide. We're responsible for acquiring, developing and sustaining the United States Space Force's critical space assets. That includes the satellites in the space layer and also on the ground layer our ground segments to operate those satellites. 
And we also are in charge of procuring launch services for the US Space Force and a number of our critical mission partners across the Department of Defense and the intelligence community. Just as a couple of examples of some of the things we do, if you're unfamiliar with our work, we developed and currently sustain the 31 satellite GPS constellation. That satellite constellation, while originally intended to help with global navigation, those GPS signals have provided trillions of dollars in unanticipated value to the global economy over the past three decades. GPS is everywhere. I think everybody realizes that. Agriculture, banking, the stock market, the airline industry, separate and distinct navigation systems. It's really pervasive across both capabilities for our Department of Defense and capabilities for our economy and individuals, billions of individuals across our country and the planet. Some of the other work we do, for instance, in the communications sector, secure communications satellites that we designed and build that link America's sons and daughters serving in the military around the world and really enable real time support and comms for our deployed forces and those of our allies. We also acquire infrared missile warning satellites that monitor the planet for missile launches that provide advanced warning to the US Homeland and to our allies in case some of those missile launches are nefarious. On a note that's probably a lot closer to home, maybe a lot closer to home than many of us want to think about here in the state of California. In 2018, SMC jumped through a bunch of red tape and bureaucracy to partner with the US Forest Service during two of the largest wildfires in the state's history, the Camp and Woolsey fires in Northern California. As those fires spread out of control, we created processes on the fly to share data from our missile warning satellites. 
Those are satellites that are systems that are purpose built to see heat sources from thousands of miles above the planet. And we collaborated with the US Forest Service so that firefighters on the ground could track those fires more in real time and better forecast fires and where they were spreading, thereby saving lives and property by identifying hotspots and flareups for firefighters. That data that we were able to working with our contractors pass to the US Forest Service and authorities here in California, was passed in less than an hour as it was collected to get it into the hands of the emergency responders, the first responders as quickly as possible and doing that in an hour greatly surpassed what was available from some of the other assets in the airborne and ground-based fire spotters. It was really instrumental in fighting those fires and stopping their spread. We've continued that involvement in recent years, using multiple systems to support firefighters across the Western US this fall, as they battled numerous wildfires that unfortunately continue. Working together with the US Forest Service and with other partners we'd like to think that we've made a difference here, but there's still a lot more work to go. And I think that we should always be asking ourselves what else can space data be used for and how can we more rapidly get that space data to stakeholders so that they can use it for purposes of good, if you will. How else can we protect our nation? How else can we protect our friends and allies? I think a major component of the discussion that we will have throughout this conference is that the space landscape has changed rapidly and continues to change rapidly. Just over the past few years, John and I were talking before we went live here and 80 nations now have space programs. Nearly 80 space faring nations on the planet. 
If you just look at one mission area that the Department of Defense is interested in, and that's small launch, there are currently over 100 different small launch companies within the US industrial base vying for commercial, DoD and civil payload capabilities, mostly to lower earth orbit. It's truly a remarkable time. If you factor in those things like artificial intelligence and machine learning, where we're revolutionizing really, the ways that we generate, process and use data. It's really remarkable. In 2016, so if you think about this four years ago, NASA estimated that there were 28 terabytes of information transiting their space network each day. And that was four years ago. Obviously we've got a lot of desire to work with a lot of the people in the audience in this conference, we need to work with big thinkers, like many of you to answer questions on how best we apply data analytics to extract value and meaning from that data. We need new generations of thinkers to help apply cutting edge theories of data mining, cyber behaviorism, and Internet of Things 2.0, it's just truly a remarkable time to be in the space business and the cyber aspects of the space business are truly, truly daunting and important to all of us. Integrating cyber security into our space systems, both commercial and government is a mandate. It's no longer just a nice to have. As the US Space Force and Department of the Air Force leadership has said many times over the past couple of years, space is becoming congested and contested. And that contested aspect means that we've got to focus on cyber security in the same way that the banking industry and cyber commerce focus on cybersecurity day in and day out. The value of the data and services provided is really directly tied to the integrity and availability of that data and services from the space layer, from the ground control segments associated with it. 
And this value is not just military, it's also economic and it's not just American, it's also a value for the entire world, particularly our allies, as we all depend upon space and space systems. Your neighbors and friends here in California that are employed at the space and missile system center work with network defenders. We work with our commercial contractors and our systems developers, our international allies and partners to try and build as secure and resilient systems as we can from the ground up that keep the global commons of space free and open for exploration and for commerce. As John and I were talking earlier, before we came online, there's an aspect of cybersecurity for space systems, especially for some of our legacy systems, that's more, how do we bolt this on? Cause we fielded those space systems a number of years ago, and the challenges of cybersecurity in the space domain have grown. So we have a part that we have to worry about, bolting it on, but then we have to worry about building it in as we field new systems and build in a flexibility that realizes that the cyber threat or the cybersecurity landscape will evolve over time. It's not just going to be stagnant. There will always be new vulnerabilities and new threat vectors that we all have to look at. Look, as Secretary Barrett, who is our Secretary of the Air Force, likes to say, most Americans use space before they have their first cup of coffee in the morning. The American way of life really depends on space. And as part of the United States Space Force, we work with defense leaders, our Congress, joint and international military teammates and industry to ensure American leadership in space. I really thank you for this opportunity to address the audience today, John, and thanks so much to Cal Poly for letting me be one of the speakers at this event. I've really looked forward to this for several months. And so with that, I look forward to your questions as we kind of move along here. 
>> General, thank you very much for that awesome introductory statement. For the folks watching on the stream, Brigadier General Carthan's going to be in the chat, answering any questions, feel free to chat away. He's the vice commander of Space and Missile System Center, he'll be available. A couple of comments from your keynote before I get to my questions. Cause it just jumped into my head. You mentioned the benefits of say space with the fires in California. We're living that here. That's really realtime. That's a benefit. You also mentioned the ability for more people launching payloads into space. I can only imagine Moore's law smaller, faster, cheaper applies to rockets too. So I'm imagining you have the benefits of space and you have now more potential objects flying out sanctioned and maybe unsanctioned. So is it going to be more rules around that? This is an interesting question cause it's exciting Space Force, but for all the good there is potentially bad out there. >> Yeah. So John, I think the basics of your question is as space becomes more congested and contested, is there a need for more international norms of how satellites fly in space? What kind of basic features satellites have to perhaps deorbit themselves? What kind of basic protections should all satellites be afforded as part of a peaceful global commons of space? I think those are all fantastic questions. And I know that US and many allied policy makers are looking very, very hard at those kinds of questions in terms of what are the norms of behavior and how we field, and field as the military term. But how we populate using civil or commercial terms that space layer at different altitudes, lower earth orbit, mid earth orbit, geosynchronous earth orbit, different kinds of orbits, what the kind of mission areas we accomplished from space. 
That's all things that need to be definitely taken into account as the place gets a little bit, not a little bit as the place gets increasingly more popular day in and day out. >> I'm super excited for Space Force. I know that a new generation of young folks are really interested in it's an emerging, changing great space. The focus here at this conference is space and cybersecurity, the intersection. I'd like to get your thoughts on the approach that Space Force is taking to cybersecurity and how it impacts our national goals here in the United States. >> Yeah. So that's a great question John, let me talk about it in two basic ways. Number one, and I know some people in the audience, this might make them a little bit uncomfortable, but I have to talk about the threat. And then relative to that threat, I really have to talk about the importance of cyber and specifically cyber security, as it relates to that threat. The threats that we face really represented a new era of warfare and that new era of warfare involves both space and cyber. We've seen a lot of action in recent months from certain countries, notably China and Russia that have threatened what I referred to earlier as the peaceful global commons of space. For example, through many unclassified sources and media sources, everybody should understand that the Russians have been testing on orbit anti-satellite capabilities. It's been very clear if you were following just the week before last, the Department of Defense released its 2020 Military and Security Developments Involving the People's Republic of China. And it was very clear that China is developing ASATs, electronic jammers, directed energy weapons, and most relevant to today's discussion, offensive cyber capabilities. 
There are kinetic threats that are very, very easy to see, but a cyber attack against a critical command and control site or against a particular spacecraft could be just as devastating to the system and our war fighters in the case of GPS and important to note that that GPS system also impacts many civilians who are dependent on those systems from a first response perspective and emergency services. A cyber attack against a ground control site could cause operators to lose control of a spacecraft or an attacker could feed spoofed data to a system to mislead operators so that they sent emergency services personnel to the wrong address. Attacks on spacecraft on orbit, whether directly via a network intrusion or enabled through malware introduced during the system's production while we're building the satellite can cripple or corrupt the data. Denial-of-service type attacks on our global networks obviously would disrupt our data flow and interfere with ongoing operations and satellite control. If GPS went down, I hesitate to say it this way, cause we might elicit some screams from the audience. But if GPS went down, Starbucks wouldn't be able to handle your mobile order, Uber drivers wouldn't be able to find you. And Domino's certainly wouldn't be able to get there in 30 minutes or less. So with a little bit of tongue in cheek there from a military operations perspective, it's dead serious. We have become accustomed in the commercial world to threats like ransomware and malware. And those things have unfortunately become commonplace in commercial terrestrial networks and computer systems. However, what we're seeing is that our adversaries with the increased competition in space these same techniques are being retooled, if you will, to use against our national security space systems day in and day out. As I said, during my opening remarks on the importance of cyber, the value of these systems is directly tied to their integrity. 
If commanders in the field, firefighters in California or baristas in Starbucks, can't trust the data they're receiving, then that really harms their decision making capabilities. One of the big trends we've recently seen is the move towards proliferated LEO constellations, obviously SpaceX's Starlink on the commercial side and on the military side, the work that DARPA and my organization SMC are doing on Blackjack and Casino, as well as some space transport layer constellation work that the Space Development Agency is designing are all really, really important types of mesh network systems that will revolutionize how we plan and field war fighting systems and commercial communications and internet providing systems. But they're also heavily reliant on cybersecurity. We've got to make sure that they are secured to avoid an accident or intentional damage. Loss of control of these constellations really could be catastrophic from both a mission perspective or from a satellites tumbling out of low earth orbit perspective. Another trend is introductions in artificial intelligence and machine learning, onboard spacecraft or at the edge. Our satellites are really not so much hardware systems with a little software anymore in the commercial sector and in the defense sector, they're basically flying boxes full of software. And we need to ensure that data that we're getting out of those flying boxes full of software are helping us base our decisions on accurate data and algorithms, governing the right actions and that those systems are impervious to the extent possible to nefarious modifications. So in summation, cybersecurity is a vital element of everything in our national security space goals. 
And I would argue for our national goals, writ large, including economic and information dimensions, the Space Force leadership at all levels from some of the brand new second lieutenants that General Raymond swore in to the Space Force this morning, ceremonially from the Air Force Association's Air, Space and Cyberspace Conference to the very highest levels, General Raymond, General DT Thompson, myself, and a number of other senior leaders in this enterprise. We've got to make sure that we're all working together to keep cyber security at the forefront of our space systems cause they absolutely depend on it. >> You mentioned hardware, software threats, opportunities, challenges. I want to ask you because you got me thinking of the minute they're around infrastructure. We've heard critical infrastructure, grids here on earth. You're talking about critical infrastructure, a redefinition of what critical infrastructure is, an extension of what we have. So I'd love to get your thoughts about Space Force's view of that critical infrastructure vis-a-vis the threat vectors, because the term threat vectors has been kicked around in the cyberspace. Oh you have threat vectors. They're always increasing the surface area. If the surface area is from space, it's an unlimited surface area. So you got different vectors. So you've got new critical infrastructure developing real time, really fast. And you got an expanded threat vector landscape. Putting that in perspective for the folks that aren't really inside the ropes on these critical issues. How would you explain this and how would you talk about those two things? >> So I tell you, just like, I'm sure people in the security side or the cybersecurity side of the business in the banking industry feel, they feel like all possible threat vectors represent a dramatic and potentially existential threat to all of the dollars that they have in the banking system, to the financial sector. 
On the Department of Defense side, we've got to have sort of the same mindset. That threat vector from, to, and through space against critical space systems, ground segments, the launch enterprise, or transportation to orbit and the various different domains within space itself. Like I mentioned before, LEO, MEO and GEO based satellites with different orbits, all of the different mission areas that are accomplished from space that I mentioned earlier, some that I did mention like a weather tactical or wide band communications, various new features of space control. All of those are things that we have to worry about from a cyber security threat perspective. And it's a daunting challenge right now. >> Yeah, that's awesome. And one of the things we've been following on the hardware side on the ground is the supply chain. We've seen malware being really put in really obscure hardware. Who manufactures it? Is it being outsourced? Obviously government has restrictions, but with the private sector, you mentioned China and the US kind of working together across these peaceful areas. But you got to look at the supply chain. How does the supply chain in the security aspect impact the mission of the US Space Force? >> Yeah. Yeah. So how about another, just in terms of an example, another kind of California based historical example. The very first US Satellite, Explorer 1, was built by the Jet Propulsion Laboratory folks, not far from here in El Segundo, up in Pasadena. That satellite, when it was first built in the late 50s, weighed a little bit over 30 pounds. And I'm sure that each and every part was custom made and definitely made by US companies. Fast forward to today. The global supply chain is so tightly coupled, and frankly many industries are so specialized, almost specialized regionally around the planet. 
We focus every day to guarantee the integrity of every component that we put in our space systems is absolutely critical to the operations of those satellites and we're dependent upon them, but it becomes more difficult and more difficult to understand the heritage, if you will, of some of the parts that are used, the thousands of parts that are used in some of our satellites that are literally school bus sized. The space industry, especially national security space sector is relatively small compared to other commercial industries. And we're moving towards using more and more parts from non US companies. Cybersecurity and cyber awareness have to be baked in from the beginning if we're going to be using parts that maybe we don't necessarily understand 100% like an Explorer 1, the lineage of that particular part. The environmental difficulties in space are well known. The radiation environment, the temperature extremes, the vacuum, those require specialized components. And the US military is not the only customer in that space. In fact, we're definitely not the dominant customer in space anymore. All those factors require us along with our other government partners and many different commercial space organizations to keep a very close eye on our supply chains, from a quality perspective, a security perspective and availability. There's open source reporting on supply chain intrusions from many different breaches of commercial retailers to the infectious spread of compromised patches, if you will. And our adversaries are aware of these techniques. As I mentioned earlier, with other forms of attack, considering our supply chains and development networks really becomes fair game for our adversaries. So we have to take that threat seriously. Between the government and industry sectors here in the US, we're also working with our industry partners to enact stronger defenses and assess our own vulnerabilities. 
Last fall, we completed an extensive review of all of our major contracts here at Space and Missile System Center to determine the levels of cyber security requirements we've implemented across our portfolio. And it sounds really kind of businessy geeky, if you will. Hey, we looked at our contracts to make sure that we had the right clauses in our contracts to address cybersecurity as dynamically as we possibly could. And so we found ourselves having to add new language to our contracts, to require system developers, to implement some more advanced protective measures in this evolving cyber security environment. So that data handling and supply chain protections from contract inception to launch and operations were taken into account. Cyber security really is a key performance parameter for us now. Performance of the system, it's as important as cost, it's as important as schedule, because if we deliver the perfect system on time and on cost, it can perform that missile warning or that communications mission perfectly, but it's not cyber secure. If it doesn't have cyber protections built into it, or the ability to implement mitigations against cyber threats, then we've essentially fielded a shoe box in space that doesn't do the war fighter or the nation any good. Supply chain risk management is a major challenge for us. We're doing a lot to coordinate with our industry partners. We're all facing it head on to try and build secure and trusted components that keep our confidence as leaders, firefighters, and baristas as the case may be. But it is a challenge. And we're trying to rise to that challenge. >> This is so exciting this new area, because it really touches everything. Talk about geeking out on the tech, the hardware, the systems but also you put your kind of MBA hat on you go, what's the ROI of extra development and how things get built. 
Because always the exciting thing for space geeks is like, if you're building cool stuff, it's exciting, but you still have to build. And cybersecurity has proven that security has to be baked in from the beginning and be thought as a system architecture. So you're still building things, which means you got to acquire things, you got to acquire parts, you got to acquire, build software and sustain it. How is security impacting the acquisition and the sustainment of these systems for space? >> Yeah. From initial development, through planning for the acquisition, design, development, our production fielding and sustainment, it impacts all aspects of the life cycle, John. We simply, especially from the concept of baking in cybersecurity, we can't wait until something is built and then try and figure out how to make it cyber secure. So we've moved way further towards working side by side with our system developers to strengthen cybersecurity from the very beginning of a system's development. Cyber security and the resilience associated with it really have to be treated as a key system attribute. As I mentioned earlier, equivalent with data rates or other metrics of performance. We like to talk in the space world about mission assurance and mission assurance has always sort of taken us as we technically geek out. Mission assurance has always taken us to the will this system work in space. Can it work in a vacuum? Can it work in as it transfers through the Van Allen radiation belt or through the Southern hemisphere's electromagnetic anomaly? Will it work out in space? And now from a resiliency perspective, yeah, it has to work in space. It's got to be functional in space, but it's also got to be resistant to these cybersecurity threats. It's not just, I think General D.T. Thompson quoted this term. It's not just widget assurance anymore. It's mission assurance. How does that satellite operator, that ground control segment, operate while under attack? 
So let me break your question a little bit, just for purposes of discussion into really two parts, cybersecurity, for systems that are new and cybersecurity for systems that are in sustainment are kind of old and legacy. Obviously there's cyber vulnerabilities that threaten both, and we really have to employ different strategies for defense of each one. For new systems, we're desperately trying to implement across the Department of Defense and particularly in the space world, a kind of a DevSecOps methodology and practice to delivering software faster and with greater security for our space systems. Here at SMC, we have a program called Enterprise Ground Services, which is a toolkit, basically a collection of tools for common command and control of different satellite systems. EGS as we call it has an integrated suite for defensive cyber capabilities. Network operators can use these tools to gain unprecedented insight to data flows and to monitor space network traffic for anomalies or other potential indicators of a bad behavior, malicious behavior, if you will. It's rudimentary at this point, but because we're using DevSecOps and that incremental development approach, as we scale it, it just becomes more and more capable. Every product increment that we field. Here at LA Air Force Base, we have the United Space Force's West Coast Software Factory, which we've dubbed the Kobayashi Maru. They're using those agile DevOps software development practices to deliver a space awareness software to the Combined Space Operations Center. Affectionately called the CSpOC. That CSpOC is just on the road from Cal Poly there in San Luis Obispo at Vandenberg Air Force Base. They've also securely linked the CSpOC with other space operation centers around the planet, our allies, Australia, Canada, and the UK. We're partnering with all of them to enable secure and enhanced combined space operations. 
So lots of new stuff going on as we bake in new development capabilities for our space systems. But as I mentioned earlier, we've got large constellations of satellites on orbit right now. Some of them are well in excess of a decade or more old on orbit. And so the design aspects of those satellites are several decades old. But we still have to worry about them cause they're critical to our space capabilities. We've been working with an Air Force Materiel Command organization called CROWS, which stands for the Cyber Resiliency Office for Weapon Systems to assess all of those legacy platforms from a cyber security perspective and develop defensive strategies and potential hardware and software upgrades to those systems to better enable them to live through this increasingly cybersecurity concerned era that we currently live in. Our industry partners have been critical to both of those different avenues. Both new systems and legacy systems. We're working closely with them to defend and upgrade national assets and develop the capabilities to do similar with new national assets coming online. The vulnerabilities of our space systems really kind of threaten the way we've done business in the past, both militarily and in the case of GPS economically. The impacts of that cybersecurity risk are clear in our acquisition and sustainment processes, but I've got to tell you, as the threat vectors change, as the vulnerabilities change, we've got to be nimble enough, agile enough, to be able to bounce back and forth. We can't just say, many people in the audience are probably familiar with the RMF or the Risk Management Framework approach to reviewing the cyber security of a system. We can't have program managers and engineers just accomplish an RMF on a system. And then, hey, high five, we're all good. It's a journey, not a destination, that's cybersecurity. And it's a constant battle rhythm through our weapon systems lifecycle, not just a single event. 
>> I want to get to this commercial business needs and your needs on the next question. But before I go there, you mentioned agile. And I see that clearly because when you have accelerated innovation cycles, you've got to be faster. And we saw this in the computer industry, mainframes, mini computers, and then we started getting beyond maybe when the internet hit and PCs came out, you saw the big enterprises, the banks and government start to work with startups. And it used to be a joke in the entrepreneurial circles is that, there's no way if you are a startup you're ever going to get a contract with a big business enterprise. Now that used to be for public sector and certainly for you guys. So as you see startups out there and there's acquisition involved, I'm sure would love to have a contract with Space Force. There's an ROI calculation where if it's in space and you have a sustainment view and it's software, you might have a new kind of business model that could be attractive to startups. Could you share your thoughts on the folks who want to be a supplier to you, whether they're a startup or an existing business that wants to be agile, but they might not be that big company. >> John, that's a fantastic question. We're desperately trying to reach out to those new space advocates, to those startups, to those what we sometimes refer to, within the Department of Defense, those non traditional defense contractors. A couple of things just for thinking purposes on some of the things that we're trying to highlight. Three years ago, we created here at Space and Missile System Center, the Space Enterprise Consortium to provide a platform, a contractual vehicle, really to enable us to rapidly prototype, development of space systems and to collaborate between the US Space Force, traditional defense contractors, non traditional vendors like startups, and even some academic institutions. 
SPEC, as we call it, Space Enterprise Consortium uses a specialized contracting tool to get contracts awarded quickly. Many in the audience may be familiar with other transaction agreements. And that's what SPEC is based on. And so far in just three years, SPEC has awarded 75 different prototyping contracts worth over $800 million with a 36% reduction in time to award. And because it's a consortium based competition for these kinds of prototyping efforts, the barrier to entry for small and nontraditional, for startups, even for academic institutions to be able to compete for these kinds of prototyping has really lowered. These types of partnerships that we've been working through on SPEC have really helped us work with smaller companies who might not have the background or expertise in dealing with the government or in working with cyber security for their systems, both our developmental systems and the systems that they're designing and trying to build. We want to provide ways for companies large and small to partner together and support kind of mutually beneficial relationships between all. Recently at the Annual Air Force Association conference that I mentioned earlier, I moderated a panel with several space industry leaders, all from big traditional defense contractors, by the way. And they all stressed the importance of building bridges and partnerships between major contractors in the defense industry and new entrants. And that helps us capture the benefits of speed and agility that come with small companies and startups, as well as the expertise and specialized skill sets of some of those larger contractors that we rely on day in and day out. Advanced cyber security protections and utilization of secure facilities are just a couple of things that I think we could be prioritizing more so in those collaborations. As I mentioned earlier, the SPEC has been very successful in awarding a number of different prototyping contracts and large dollar values. 
And it's just going to get better. There's over 400 members of the space enterprise consortium, 80% of them are non traditional kinds of vendors. And we just love working with them. Another thing that many people in the audience may be familiar with in terms of our outreach to innovators, if you will, and innovators that include cyber security experts is our space pitch day events. So we held our first event last November in San Francisco, where we awarded over a two day period about $46 million to 30 different companies that had potentially game changing ideas. These were phase two small business innovative research efforts that we awarded with cash on the spot. We're planning on holding our second space pitch day in the spring of 2021. We're planning on doing it right here in Los Angeles, COVID-19 environment permitting. And we think that these are fantastic venues for identifying and working with high-speed startups, and small businesses who are interested in really, truly partnering with the US Air Force. It's, as I said before, it's a really exciting time to be a part of this business. And working with the innovation economy is something that the Department of Defense really needs to do in that the innovation that we used to think was ours. That 80% of the industrial base innovation that came from the Department of Defense, the script has been flipped there. And so now more than 70%, particularly in space innovation comes from the commercial sector, not from the defense business itself. And so that's a tsunami of investment and a tsunami of a capability. And I need to figure out how to get my surfboard out and ride it, you know what I mean? >> Yeah, It's one of those things where the script has been flipped, but it's exciting because it's impacting everything. When you're talking about systems architecture? You're talking about software, you're talking about a business model. 
You're talking about DevSecOps from a technical perspective, but now you have a business model innovation. All the theaters are exploding in innovation, technical, business, personnel. This brings up the workforce challenge. You've got the cyber needs for the US Space Force, It's probably great ROI model for new kinds of software development that could be priced into contracts. That's an entrepreneurial innovation, you've got the business model theater, you've got the personnel. How does the industry adopt and change? You guys are clearly driving this. How does the industry adjust to you? >> Yeah. So I think a great way to answer that question is to just talk about the kind of people that we're trying to prioritize in the US Space Force from an acquisition perspective, and in this particular case from a cybersecurity perspective. As I mentioned earlier, it's the most exciting time to be in space programs, really since the days of Apollo. Just to put it in terms that maybe have an impact with the audience. From 1957 until today, approximately 9,000 satellites have been launched from the various space-faring countries around the planet. Less than 2000 of those 9,000 are still up on orbit and operational. And yet in the new space regime players like SpaceX have plans to launch 12,000 satellites for some of their constellations alone. It really is a remarkable time in terms of innovation and fielding of space capabilities and all of those space capabilities, whether they're commercial, civil, or defense are going to require appropriate cybersecurity protections. It's just a really exciting time to be working in stuff like this. And so folks like the folks in this audience who have a passion about space and a passion about cybersecurity are just the kind of people that we want to work with. Cause we need to make sure our systems are secure and resilient. 
We need folks that have technical and computing expertise, engineering skills to be able to design cyber secure systems that can detect and mitigate attacks. But we also, as you alluded to, we need people that have that business and business acumen, human networking background, so that we can launch the startups and work with the non traditional businesses. Help to bring them on board help, to secure both their data and our data and make sure our processes and systems are free as much as possible from attack. For preparation, for audience members who are young and maybe thinking about getting into this trade space, you got to be smart on digital networking. You got to understand basic internet protocols, concepts, programming languages, database design. Learn what you can for penetration or vulnerability testing and a risk assessment. I will tell you this, and I don't think he will, I know he will not mind me telling you this, but you got to be a lifelong learner and so two years ago, I'm at home evening and I get a phone call on my cell phone and it's my boss, the commander of Air Force Space command, General, J. Raymond, who is now currently the Chief of Space Operations. And he is on temporary duty, flying overseas. He lands where he's going and first thing he does when he lands is he calls me and he goes JT, while I was traveling, I noticed that there were eBooks available on the commercial airliner I was traveling on and there was an ebook on something called scrumming and agile DevSecOps. And I read it, have you read it? And I said, no, sir. But if you tell me what the title of the book is, I will read it. 
And so I got to go to my staff meeting, the very next week, the next time we had a staff meeting and tell everybody in the staff meeting, hey, if the four star and the three star can read the book about scrumming, then I'm pretty sure all of you around this table and all our lieutenants and our captains our GS13s, All of our government employees can get smart on the scrumming development process. And interestingly as another side, I had a telephone call with him last year during the holidays, where he was trying to take some leave. And I said, sir, what are you up to today? Are you making eggnog for the event tonight or whatever. And the Chief of Space Operations told me no, I'm trying to teach myself Python. I'm at lesson two, and it's not going so well, but I'm going to figure this out. And so that kind of thing, if the chief of staff or the Chief of Space Operations can prioritize scrumming and Python language and innovation in his daily schedule, then we're definitely looking for other people who can do that. And we'll just say, lower levels of rank throughout our entire space force enterprise. Look, we don't need people that can code a satellite from scratch, but we need to know, we need to have people that have a basic grasp of the programming basics and cybersecurity requirements. And that can turn those things into meaningful actions, obviously in the space domain, things like basic physics and orbital mechanics are also important. Space is not an intuitive domain. So understanding how things survive on orbit is really critical to making the right design and operational decisions. And I know there's probably a lot, because of this conference. I know there's probably a whole lot of high speed cybersecurity experts out in the audience. And I need those people in the US Space Force. The country is counting on it, but I wouldn't discount having people that are just cyber aware or cyber savvy. 
I have contracting officers and logisticians and program managers, and they don't have to be high end cybersecurity experts, but they have to be aware enough about it to be able to implement cyber security protections into our space systems. So the skill set is really, really broad. Our adversaries are pouring billions of dollars into designing and fielding offensive and destructive space, cybersecurity weapons. They've repeatedly shown really a blatant disregard of safety and international norms for good behavior on orbit. And the cyber security aspects of our space systems is really a key battleground going forward so that we can maintain that, as I mentioned before, peaceful global commons of space. We really need all hands on deck. If you're interested in helping in uniform, if you're interested in helping, not in uniform, but as a government employee, a commercial or civil employee to help us make cyber security more important or more able to be developed for our space systems. And we'd really love to work with you or have you on the team to build that safe and secure future for our space systems. >> Lieutenant General John Thompson, great insight. Thank you for sharing all that awesome stories too, and motivation for the young next generation. The United States Space Force approach to cybersecurity. Really amazing talk, thank you for your time. Final parting question is, as you look out and you have your magic wand, what's your view for the next few years in terms of things that we could accomplish? It's a super exciting time. What do you hope for? >> So first of all, John, thanks to you and thanks to Cal Poly for the invitation and thanks to everybody for their interest in cybersecurity, especially as it relates to space systems, that's here at the conference. 
There's a quote, and I'll read it here from Bernard Schriever, who was the founder, if you will, a legend in a DoD space, the founder of the Western development division, which was a predecessor organization to Space and Missile System Center, General Schriever, I think captures the essence of how we see the next couple of years. "The world has an ample supply of people who can always come up with a dozen good reasons why new ideas will not work and should not be tried, but the people who produce progress are a breed apart. They have the imagination, the courage and the persistence to find solutions." And so I think if you're hoping that the next few years of space innovation and cybersecurity innovation are going to be a pony ride at the county fair, then perhaps you should look for another line of work, because I think the next few years in space and cybersecurity innovation are going to be more like a rodeo and a very dynamic rodeo as it goes. It is an awesome privilege to be part of this ecosystem. It's really an honor for me to be able to play some small role in the space ecosystem and trying to improve it while I'm trying to improve the chances of the United States of America in a space war fighting environment. And so I thank all of you for participating today and for this little bit of time that you've allowed me to share with you. Thank you. >> Sir, thank you for your leadership and thank you for the time for this awesome event, Space and Cyber Cybersecurity Symposium 2020, I'm John Furrier on behalf of Cal Poly, thanks for watching. (mellow music)
UNLIST TILL 4/2 - Keep Data Private
>> Paige: Hello everybody and thank you for joining us today for the Virtual Vertica BDC 2020. Today's breakout session is entitled Keep Data Private Prepare and Analyze Without Unencrypting With Voltage SecureData for Vertica. I'm Paige Roberts, Open Source Relations Manager at Vertica, and I'll be your host for this session. Joining me is Rich Gaston, Global Solutions Architect, Security, Risk, and Government at Voltage. And before we begin, I encourage you to submit your questions or comments during the virtual session, you don't have to wait till the end. Just type your question as it occurs to you, or comment, in the question box below the slide and then click Submit. There'll be a Q&A session at the end of the presentation where we'll try to answer as many of your questions as we're able to get to during the time. Any questions that we don't address we'll do our best to answer offline. Now, if you want, you can visit the Vertica Forum to post your questions there after the session. Now, that's going to take the place of the Developer Lounge, and our engineering team is planning to join the Forum, to keep the conversation going. So as a reminder, you can also maximize your screen by clicking the double arrow button, in the lower-right corner of the slides. That'll allow you to see the slides better. And before you ask, yes, this virtual session is being recorded and it will be available to view on-demand this week. We'll send you a notification as soon as it's ready. All right, let's get started. Over to you, Rich. >> Rich: Hey, thank you very much, Paige, and appreciate the opportunity to discuss this topic with the audience. 
My name is Rich Gaston and I'm a Global Solutions Architect, within the Micro Focus team, and I work on global Data privacy and protection efforts, for many different organizations, looking to take that journey toward breach defense and regulatory compliance, from platforms ranging from mobile to mainframe, everything in between, cloud, you name it, we're there in terms of our solution sets. Vertica is one of our major partners in this space, and I'm very excited to talk with you today about our solutions on the Vertica platform. First, let's talk a little bit about what you're not going to learn today, and that is, on screen you'll see, just part of the mathematics that goes into the format-preserving encryption algorithm. We are the originators and authors and patent holders on that algorithm. Came out of research from Stanford University, back in the '90s, and we are very proud to take that out into the market through the NIST standard process, and license that to others. So we are the originators and maintainers of both standards and a thought leader in the industry. We try to make this easy and you don't have to learn any of this tough math. Behind this there are also many other layers of technology. They are part of the security, the platform, such as stateless key management. That's a really complex area, and we make it very simple for you. We have very mature and powerful products in that space, that really make your job quite easy, when you want to implement our technology within Vertica. So today, our goal is to make Data protection easy for you, to be able to understand the basics of Voltage Secure Data, you're going to be learning how the Vertica UDx can help you get started quickly, and we're going to see some examples of how Vertica plus Voltage Secure Data are going to be working together, in our customer cases out in the field. First, let's take you through a quick introduction to Voltage Secure Data. The business drivers and what's this all about. 
First of all, we started off with Breach Defense. We see that despite continued investments, in personal perimeter and platform security, Data breaches continue to occur. Voltage Secure Data plus Vertica, provides defense in depth for sensitive Data, and that's a key concept that we're going to be referring to. In the security field, defense in depth is a standard approach to be able to provide more layers of protection around sensitive assets, such as your Data, and that's exactly what Secure Data is designed to do. Now that we've come through many of these breach examples, and big ticket items, getting the news around breaches and their impact, the business regulators have stepped up, and regulatory compliance is now a hot topic in Data privacy. Regulations such as GDPR came online in 2018 for the EU. CCPA came online just this year, a couple months ago for California, and is the de-facto standard for the United States now, as organizations are trying to look at the best practices for providing regulatory compliance around Data privacy and protection. These give massive new rights to consumers, but also obligations to organizations, to protect that personal Data. Secure Data Plus Vertica provides fine grained authorization around sensitive Data, and we're going to show you exactly how that works, within the Vertica platform. At the bottom, you'll see some of the snippets there, of the news articles that just keep racking up, and our goal is to keep you off the news, to keep your company safe, so that you can have the assurance, that even if there is an unintentional, or intentional breach of Data out of the corporation, if it is protected by Voltage Secure Data, it will be of no value to those hackers, and then you have no impact, in terms of risk to the organization. What do we mean by defense in depth? 
Let's take a look first at the encryption types, and the benefits that they provide, and we see our customers implementing all kinds of different protection mechanisms, within the organization. You could be looking at disk level protection, file system protection, protection on the files themselves. You could protect the entire Database, you could protect our transmissions, as they go from the client to the server via TLS, or other protected tunnels. And then we look at Field-level Encryption, and that's what we're talking about today. That's all the above protections, at the perimeter level at the platform level. Plus, we're giving you granular access control, to your sensitive Data. Our main message is, keep the Data protected at the earliest possible point, and only access it when you have a valid business need to do so. That's a really critical aspect as we see Vertica customers, loading terabytes, petabytes of Data, into clusters of Vertica console, Vertica Database being able to give access to that Data, out to a wide variety of end users. We started off with organizations having four people in an office doing Data science, or analytics, or Data warehousing, or whatever it's called within an organization, and that's now ballooned out, to a new customer coming in and telling us, we're going to have 1000 people accessing it, plus service accounts accessing Vertica, we need to be able to provide fine level access control, and be able to understand what are folks doing with that sensitive Data? And how can we Secure it, the best practices possible. In very simple state, Voltage protects Data at rest and in motion. The encryption of Data facilitates compliance, and it reduces your risk of breach. So if you take a look at what we mean by field level, we could take a name, that name might not just be in US ASCII. Here we have a sort of Latin one extended, example of Harold Potter, and we could take a look at the example protected Data. 
Notice that we're taking a character set approach, to protecting it, meaning, I've got an alphanumeric option here for the format, that I'm applying to that name. That gives me a mix of alpha and numeric, and plus, I've got some of that Latin one extended alphabet in there as well, and that's really controllable by the end customer. They can have this be just US ASCII, they can have it be numbers for numbers, you can have a wide variety, of different protection mechanisms, including ignoring some characters in the alphabet, in case you want to maintain formatting. We've got all the bells and whistles, that you would ever want, to put on top of format preserving encryption, and we continue to add more to that platform, as we go forward. Taking a look at tax ID, there's an example of numbers for numbers, pretty basic, but it gives us the sort of idea, that we can very quickly and easily keep the Data protected, while maintaining the format. No schema changes are going to be required, when you want to protect that Data. If you look at credit card number, really popular example, and the same concept can be applied to tax ID, often the last four digits will be used in a tax ID, to verify someone's identity. That could be on an automated telephone system, it could be a customer service representative, just trying to validate the security of the customer, and we can keep that Data in the clear for that purpose, while protecting the entire string from breach. Dates are another critical area of concern, for a lot of medical use cases. But we're seeing Date of Birth, being included in a lot of Data privacy conversations, and we can protect dates with dates, they're going to be a valid date, and we have some really nifty tools, to maintain offsets between dates. 
So again, we've got the real depth of capability, within our encryption, that's not just saying, here's a one size fits all approach, GPS location, customer ID, IP address, all of those kinds of Data strings, can be protected by Voltage Secure Data within Vertica. Let's take a look at the UDx basics. So what are we doing, when we add Voltage to Vertica? Vertica stays as is in the center. In fact, if you get the Vertica distribution, you're getting the Secure Data UDx onboard, you just need to enable it, and have Secure Data virtual appliance, that's the box there on the middle right. That's what we come in and add to the mix, as we start to be able to add those capabilities to Vertica. On the left hand side, you'll see that your users, your service accounts, your analytics, are still typically doing Select, Update, Insert, Delete, type of functionality within Vertica. And they're going to come into Vertica's access control layer, they're going to also access those services via SQL, and we simply extend SQL for Vertica. So when you add the UDx, you get additional syntax that we can provide, and we're going to show you examples of that. You can also integrate that with concepts, like Views within Vertica. So that we can say, let's give a view of Data, that gives the Data in the clear, using the UDx to decrypt that Data, and let's give everybody else access to the raw Data which is protected. Third parties could be brought in, folks like contractors or folks that aren't vetted, as closely as a security team might do, for internal sensitive Data access, could be given access to the Vertica cluster, without risk of them breaching and going into some area they're not supposed to take a look at. Vertica has excellent control for access, down even to the column level, which is phenomenal, and really provides you with world class security, around the Vertica solution itself. 
Secure Data adds another layer of protection, like we're mentioning, so that we can have Data protected in use, Data protected at rest, and then we can have the ability to share that protected Data throughout the organization. And that's really where Secure Data shines, is the ability to protect that Data on mainframe, on mobile, and open systems, in the cloud, everywhere you want to have that Data move to and from Vertica, then you can have Secure Data integrated with those endpoints as well. That's an additional solution on top, the Secure Data Plus Vertica solution, that is bundled together today for a sales purpose. But we can also have that conversation with you, about those wider Secure Data use cases, we'd be happy to talk to you about that. The Secure Data virtual appliance is a lightweight appliance, sits on something like eight cores, 16 gigs of RAM, 100 gig of disk or 200 gig of disk, really a lightweight appliance, you can have one or many. Most customers have four in production, just for redundancy, they don't need them for scale. But we have some customers with 16 or more in production, because they're running such high volumes of transaction load. They're running a lot of web service transactions, and they're running Vertica as well. So we're going to have those virtual appliances, as co-located around the globe, hooked up to all kinds of systems, like Syslog, LDAP, load balancers, we've got a lot of capability within the appliance, to fit into your enterprise IP landscape. So let me get you directly into the meat of what does the UDx do. If you're technical and you know SQL, this is probably going to be pretty straightforward to you, you'll see the copy command, used widely in Vertica to get Data into Vertica. So let's try to protect that Data when we're ingesting it. Let's grab it from maybe a CSV file, and put it straight into Vertica, but protected on the way and that's what the UDx does. 
We have Voltage Secure protect as an added syntax, like I mentioned, to the Vertica SQL. And that allows us to say, we're going to protect the customer first name, using the parameters of hyper alphanumeric. That's our internal lingo of a format, within Secure Data, it's part of our API, the API requires very few inputs. The format is the one that you as a developer will be supplying, and you'll have different ones for maybe SSN, you'll have different formats for street address, but you can reuse a lot of your formats, across a lot of your PII, PHI Data types. Protecting after ingest is also common. So I've got some Data, that's already been put into a staging area, perhaps I've got a landing zone, a sandbox of some sort, now I want to be able to move that, into a different zone in Vertica, different area of the schema, and I want to have that Data protected. We can do that with the update command, and simply again, you'll notice Voltage Secure protect, nothing too wild there, basically the same syntax. We're going to query unprotected Data. How do we search once I've encrypted all my Data? Well, actually, there's a pretty nifty trick to do so. If you want to be able to query unprotected Data, and we have the search string, like a phone number there in this example, simply call Voltage Secure protect on that, now you'll have the cipher text, and you'll be able to search the stored cipher text. Again, we're just format preserving encrypting the Data, and it's just a string, and we can always compare those strings, using standard syntax and SQL. Using views to decrypt Data, again a powerful concept, in terms of how to make this work, within the Vertica Landscape, when you have a lot of different groups of users. Views are very powerful, to be able to point a BI tool, for instance, business intelligence tools, Cognos, Tableau, etc, might be accessing Data from Vertica with simple queries. 
Well, let's point them to a view that does the hard work, and uses the Vertica nodes, and its horsepower of CPU and RAM, to actually run that UDx, and do the decryption of the Data in use, temporarily in memory, and then throw that away, so that it can't be breached. That's a nice way to keep your users active and working and going forward, with their Data access and Data analytics, while also keeping the Data Secure in the process. And then we might want to export some Data, and push it out to someone in a clear text manner. We've got a third party, needs to take the tax ID along with some Data, to do some processing, all we need to do is call Voltage Secure Access, again, very similar to the protect call, and you're writing the parameter again, and boom, we have decrypted the Data and used again, the Vertica resources of RAM and CPU and horsepower, to do the work. All we're doing with Voltage Secure Data Appliance, is a real simple little key fetch, across a protected tunnel, that's a tiny atomic transaction, gets done very quick, and you're good to go. This is it in terms of the UDx, you have a couple of calls, and one parameter to pass, everything else is config driven, and really, you're up and running very quickly. We can even do demos and samples of this Vertica UDx, using hosted appliances, that we put up for pre sales purposes. So folks want to get up and get a demo going. We could take that UDx, configure it to point to our appliance sitting on the internet, and within a couple of minutes, we're up and running with some simple use cases. Of course, for on-prem deployment, or deployment in the cloud, you'll want your own appliance in your own crypto district, you have your own security, but it just shows, that we can easily connect to any appliance, and get this working in a matter of minutes. Let's take a look deeper at the Voltage plus Vertica solution, and we'll describe some of the use cases and path to success. 
First of all your steps to implementing Data-centric security and Vertica. Want to note there on the left hand side, identify sensitive Data. How do we do this? I have one customer, where they look at me and say, Rich, we know exactly what our sensitive Data is, we develop the schema, it's our own App, we have a customer table, we don't need any help in this. We've got other customers that say, Rich, we have a very complex Database environment, with multiple Databases, multiple schemas, thousands of tables, hundreds of thousands of columns, it's really, really complex, help, and we don't know what people have been doing exactly, with some of that Data, We've got various teams that share this resource. There, we do have additional tools, I wanted to give a shout out to another Micro Focus product, which is called Structured Data Manager. It's a great tool that helps you identify sensitive Data, with some really amazing technology under the hood, that can go into a Vertica repository, scan those tables, take a sample of rows or a full table scan, and give you back some really good reports on, we think this is sensitive, let's go confirm it, and move forward with Data protection. So if you need help on that, we've got the tools to do it. Once you identify that sensitive Data, you're going to want to understand your Data flows and your use cases. Take a look at what analytics you're doing today. What analytics do you want to do, on sensitive Data in the future? Let's start designing our analytics, to work with sensitive Data, and there's some tips and tricks that we can provide, to help you mitigate any kind of concerns around performance, or any kind of concerns around rewriting your SQL. As you've noted, you can just simply insert our SQL additions, into your code and you're off and running. You want to install and configure the UDx, and Secure Data software appliance. Well, the UDx is pretty darn simple. 
The documentation on Vertica is publicly available, you could see how that works, and what you need to configure it, one file here, and you're ready to go. So that's pretty straightforward to process, either grant some access to the UDx, and that's really up to the customer, because there are many different ways to handle access control in Vertica, we're going to be flexible to fit within your model, of access control and adding the UDx to your mix. Each customer is a little different there, so you might want to talk with us a little bit about the best practices for your use cases. But in general, that's going to be up and running in just a minute. The Secure Data software appliance, hardened Linux appliance today, sits on-prem or in the cloud. And you can deploy that. I've seen it done in 15 minutes, but that's what the real tech you had, access to being able to generate a search, and do all this so that, your being able to set the firewall and all the DNS entries, the basically blocking and tackling of a software appliance, you get that done, corporations can take care of that, in just a couple of weeks, they get it all done, because they have waiting on other teams, but the software appliances are really fast to get stood up, and they're very simple to administer, with our web based GUI. Then finally, you're going to implement your UDx use cases. Once the software appliance is up and running, we can set authentication methods, we could set up the format that you're going to use in Vertica, and then those two start talking together. And it should be going in dev and test in about half a day, and then you're running toward production, in just a matter of days, in most cases. We've got other customers that say, Hey, this is going to be a bigger migration project for us. We might want to split this up into chunks. 
Let's do the real sensitive and scary data, like tax ID first, as our sort of toe in the water approach, and then we'll come back and protect other data elements. That's one way to slice and dice, and implement your solution in a planned manner. Another way is schema based. Let's take a look at this section of the schema, and implement protection on these data elements. Now let's take a look at the different schema, and we'll repeat the process, so you can iteratively move forward with your deployment. So what's the added value when you add full Vertica plus Voltage? I want to highlight this distinction because Vertica contains world class security controls around their database. I'm an old time DBA from a different product, competing against Vertica in the past, and I'm really aware of the granular access controls that are provided within various platforms. Vertica would rank at the very top of the list, in terms of being able to give me very tight control, and a lot of different AWS methods, being able to protect the data in a lot of different use cases. So Vertica can handle a lot of your data protection needs right out of the box. Voltage SecureData, as we keep mentioning, adds that defense in depth, and it's going to enable those enterprise wide use cases as well. So first off, I mentioned this, the standard of FF1, that is format preserving encryption. We're the authors of it, we continue to maintain that, and we want to emphasize that customers really ought to be very, very careful in terms of choosing a NIST standard when implementing any kind of encryption within the organization. So AES was one of the first, and hallmark, benchmark encryption algorithms, and in 2016, we were added to that mix, as FF1 with CS online. If you search NIST and Voltage Security, you'll see us right there as the author of the standard, and all the processes that went along with that approval.
We have centralized policy for key management, authentication, audit and compliance. We can now see that Vertica selected or fetched the key, to be able to protect some data at this date and time. We can track that and be able to give you audit and compliance reporting against that data. You can move protected data into and out of Vertica. So if we ingest via Kafka, ingest via NiFi and Kafka, ingest on StreamSets. There are a variety of different ingestion methods and streaming methods that can get data into Vertica. We can integrate SecureData with all of those components. We're very well suited to integrate with any Hadoop technology or any big data technology, as we have APIs in a variety of languages, bitness and platforms. So we've got that all out of the box, ready to go for you, if you need it. When you're moving data out of Vertica, you might move it into an open systems platform, you might move it to the cloud, we can also operate and do the decryption there. You're going to get the same plaintext back, and if you protect data over in the cloud, and move it into Vertica, you're going to be able to decrypt it in Vertica. That's our cross platform promise. We've been delivering on that for many, many years, and we now have many, many endpoints that do that, in production for the world's largest organization. We're going to preserve your data format and referential integrity. So if I protect my social security number today, I can protect another batch of data tomorrow, and that same ciphertext will be generated. When I put that into Vertica, I can have absolute referential integrity on that data, to be able to allow for analytics to occur, without even decrypting data in many cases. And we have decrypt access for authorized users only, with the ability to add LDAP authentication authorization for UDx users.
So you can really have a number of different approaches and flavors of how you implement Voltage within Vertica, but what you're getting is the additional ability to have that confidence that we've got the data protected at rest, even if I have a DBA that's not vetted or someone new, or I don't know where this person is from, a third party, and being provided access as a DBA level privilege. They could select star from all day long, and they're going to get ciphertext, they're going to have nothing of any value, and if they want to use the UDF to decrypt it, they're going to be tracked and traced as to their utilization of that. So it allows us to have that control, and additional layer of security on your sensitive data. This may be required by regulatory agencies, and it's seeming that we're seeing compliance audits get more and more strict every year. GDPR was kind of funny, because they said in 2016, hey, this is coming, they said in 2018, it's here, and now they're saying in 2020, hey, we're serious about this, and the fines are mounting. And let's give you some examples to kind of help you understand that these regulations are real, the fines are real, and your reputational damage can be significant, if you were to be in breach of regulatory compliance requirements. We're finding so many different use cases now popping up around regional protection of data. I need to protect this data so that it cannot go offshore. I need to protect this data so that people from another region cannot see it. That's all the kind of capability that we have within SecureData that we can add to Vertica. We have that broad platform support, and I mentioned NiFi and Kafka, those would be on the left hand side, as we start to ingest data from applications into Vertica. We can have landing zone approaches, where we provide some automated scripting at an OS level, to be able to protect ETL batch transactions coming in.
We could protect within the Vertica UDx, as I mentioned, with the copy command, directly using Vertica. Everything inside that dot dash line is the Vertica Plus Voltage SecureData combo, that's sold together as a single package. Additionally, we'd love to talk with you about the stuff that's outside the dash box, because we have dozens and dozens of endpoints that could protect and access data on many different platforms. And this is where you really start to leverage some of the extensive power of SecureData, to go across platform to handle your web based apps, to handle apps in the cloud, and to handle all of this at scale, with hundreds of thousands of transactions per second of format preserving encryption. That may not sound like much, but when you take a look at the algorithm, what we're doing on the mathematics side, when you look at everything that goes into that transaction, to me, that's an amazing accomplishment, that we're trying to reach those kinds of levels of scale, and with Vertica, it scales horizontally. So the more nodes you add, the more power you get, the more throughput you're going to get from Voltage SecureData. I want to highlight the next steps on how we can continue to move forward. Our SecureData team is available to you, to talk about the landscape, your use cases, your data. We really love the concept that we've got so many different organizations out there using SecureData in so many different and unique ways. We have vehicle manufacturers who are protecting not just the VIN, not just their customer data, but in fact they're protecting sensor data from the vehicles, which is sent over the network, down to the home base every 15 minutes, for every vehicle that's on the road, and every vehicle of this customer of ours, since 2017, has included that capability. So now we're talking about an additional millions and millions of units coming online, as those cars are sold and distributed, and used by customers.
That sensor data is critical to the customer, and they cannot let that be exfilled in the clear. So they protect that data with SecureData, and we have a great track record of being able to meet a variety of different unique requirements, whether it's IoT, whether it's web based apps, e-commerce, healthcare, all kinds of different industries. We would love to help move the conversations forward, and we do find that it's really a three party discussion: the customer, SecureData experts in some cases, and the Vertica team. We have great enablement within the Vertica team, to be able to explain and present our SecureData solution to you. But we also have that other ability to add other experts in, to keep that conversation going into a broader perspective of, how can I protect my data across all my platforms, not just in Vertica. I want to give a shout out to our friends at Vertica Academy. They're building out great demo and training facilities, to be able to help you learn more about these UDx's, and how they're implemented. The Academy is a terrific reference and resource for your teams, to be able to learn more about the solution in a self guided way, and then we'd love to have your feedback on that. How can we help you more? What are the topics you'd like to learn more about? How can we look to the future in protecting unstructured data? How can we look to the future of being able to protect data at scale? What are the requirements that we need to be meeting? Help us through the learning processes, and through feedback to the team, get better, and then we'll help you deliver more solutions out to those endpoints and protect that data, so that we're not having data breach, we're not having regulatory compliance concerns. And then lastly, learn more about the UDx. I mentioned that all of our content there is online and available to the public. So vertica.com/secureData, you're going to be able to walk through the basics of the UDx.
You're going to see how simple it is to set up, what the UDx syntax looks like, how to grant access to it, and then you'll start to be able to figure out, hey, how can I start to put this into a POC in my own environment? Like I mentioned before, we have a publicly available hosted appliance for demo purposes, that we can make available to you, if you want to POC this. Reach out to us. Let's get a conversation going, and we'll get you the address and get you some instructions, we can have a quick enablement session. We really want to make this accessible to you, and help demystify the concept of encryption, because when you see it as a developer, and you start to get your hands on it and put it to use, you can very quickly see, huh, I could use this in a variety of different cases, and I could use this to protect my data without impacting my analytics. Those are some of the really big concerns that folks have, and once we start to get through that learning process, and playing around with it in a POC way, that we can start to really put it to practice into production, to say, with confidence, we're going to move forward toward data encryption, and have a very good result at the end of the day. This is one of the things I find with customers that's really interesting. Their biggest stress is not around the timeframe or the resource, it's really around, this is my data, I have been working on collecting this data, and making it available in a very high quality way, for many years. This is my job and I'm responsible for this data, and now you're telling me, you're going to encrypt that data? It makes me nervous, and that's common, everybody feels that. So we want to have that conversation, and that sort of trial and error process to say, hey, let's get your feet wet with it, and see how you like it in a sandbox environment.
Let's now take that into analytics, and take a look at how we can make this go for a quick 1.0 release, and let's then take a look at future expansions to that, where we start adding Kafka on the ingest side. We start sending data off into other machine learning and analytics platforms that we might want to utilize outside of Vertica, for certain purposes, in certain industries. Let's take a look at those use cases together, and through that journey, we can really chart a path toward the future, where we can really help you protect that data, at rest, in use, and keep you safe from both the hackers and the regulators, and that I think at the end of the day, is really what it's all about, in terms of protecting our data within Vertica. We're going to have a little couple minutes for Q&A, and we would encourage you to have any questions here, and we'd love to follow up with you more about any questions you might have about Vertica Plus Voltage SecureData. Thank you very much for your time today.
Grant Johnson, Ancestry | Qualys Security Conference 2019
>> Narrator: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We are at the Qualys Security Conference in Las Vegas. This show's been going on, I think, 19 years. This is our first time here. We're excited to be here, and we've got, there's always these people that go between the vendor and the customer and back and forth. We've had it go one way, now we've got somebody who was at Qualys and now is out implementing the technology. We're excited to welcome Grant Johnson. He is the director of Risk and Compliance for Ancestry. Grant, great to see you. >> Thank you for having me, great to be here. >> Yeah, it is always interesting to me and there's always a lot of people at these shows that go back and forth between, and they're creating the technology and delivering the technology versus implementing the technology and executing at the customer side. So, you saw an opportunity at Ancestry, what opportunity did you see and why did you make that move? >> Well it's a good question, I was really happy where I was at, I worked for here at Qualys for a long time. But, I had a good colleague of mine from way back just say, hey look, he took over as the chief information security officer at Ancestry and said, "they've got an opportunity here, do you want it?" I said, "hey sure." I mean, it was really kind of a green field. It was the ability to get in on the ground floor, designing the processes, the environment, the people and everything to, what I saw is really a really cool opportunity, they were moving to the cloud. Complete cloud infrastructure which was a few years ago, you know, a little uncommon so it was just an opportunity to learn a lot of different things and kind of be thinking through some different processes and the way to fix it. >> Right, right, so you've been there for a little while now.
Over three years, what was the current state and then what was the opportunity to really make some of those changes, as kind of this new initiative with this new CISO? >> No, yeah, we were traditional. You know, a server data center kind of background and everything like that. But with the way the company was starting to go as we were growing it, really just crazy, just at a crazy clip, to where we really couldn't sustain. We wanted to go global, we wanted to move Ancestry out to Europe and to other environments and just see the growth that was going to happen there, and there just wasn't a way that we could do it with the traditional data center model. We're plugging those in all over the place, so the idea is, we're going to go to a cloud and with going to the cloud, we could really rethink the way that we do security and vulnerability management, and as we went from a more traditional model which is, where you scan and tell people to patch and do things like that, to where we can try to start to bake vulnerability management into the process and do a lot of different things. And you know, we've done some pretty cool things that way, I think as a company and, always evolving, always trying to be better and better every day but it was a lot of fun and it's been really kind of a neat ride. >> So, was there a lot of app redesign and a whole bunch of your core infrastructure. Not boxes, but really kind of software infrastructure that had to be redone around a cloud focus so you can scale? >> Yeah. There absolutely was. We really couldn't lift and shift. We really had to take, because we were taking advantage of the cloud environment, if we just lifted and shifted our old infrastructure in there, it wasn't going to take advantage of that cloud expansion like we needed it to. >> Right. >> We needed it to be able to handle the tide, of high tide, low tide, versus those traffic times when we're high and low. So it really took a rewrite.
And it was a lot of really neat people coming together. We basically, at the onset of this right when I started in 2016, our chief technology officer got up and said, "we're going to burn the ships." We have not signed the contract for our data center to renew at 18 months. So we have to go to the cloud. And it was really neat to see hundreds of people really come together and really make that happen. I've been involved in the corporate world for a long time in IT. And a lot of those projects fail. And it was really neat to see a big project like that actually get off the ground. >> Right, right. It's funny, the burning the ship analogy is always an interesting one. (Grant laughs) Which you know, Arnold Schwarzenegger never had a plan B. (Grant laughs) Because if you have plan B, you're going to fall back. So just commit and go forward. >> A lot of truth to that. Right, you're flying without a net, whatever kind of metaphor you want to use on that one. Yeah, but you have to succeed and there is a lot that'll get it done I think, if you just don't have that plan B like you said. >> Right, so talk about kind of where Ancestry now is in terms of being able to roll out apps quicker, in terms of being able to scale much larger, in terms of being able to take advantages of a lot more attack surface area, which probably in the old model was probably not good. Now those are actually new touch points for customers. >> It's a brave new world on a lot of aspects. I mean, to the first part of that, we're just a few days away from Cyber Monday. Which is you know, our normal rate clip of transactions is about 10 to 12 transactions a second. >> So still a bump, is Cyber Monday still a bump? >> It's still huge for us. >> We have internet at home now. We don't have to go to work to get on the internet to shop. >> You know, crazy enough, it still is. You know, over the course of the week, and kind of starting on Thanksgiving, we scale to have about 250 transactions a second.
So that was one of the good parts of the cloud, do you invest in the big iron and in the big piping for your peak times of the year. Or and it sits, your 7-10% utilization during the rest of the year, but you can handle those peaks well. So I mean, we're just getting into the time of year, so that's where our cloud expansion, where a lot of the value for that has come. In terms of attack surface, yeah, absolutely. Five years ago, I didn't even know what a container was. And we're taking advantage of a lot of that technology to be able to move nimbly. You can't spin up a server fast enough to meet the demands of user online clicking things. You really have to go with containers and that also increases what you really need to be able to secure with people and the process and technology and everything like that. >> Right. >> So it's been a challenge. It's been really revitalizing and really, really neat to me to get in there and learn some new things and new stuff like that. >> That's great. So I want to ask you. It may be a little sensitive, not too sensitive but kind of sensitive right. Is with 23andMe and Ancestry, and DNA registries, et cetera, it's opened up this whole new conversation around cold case and privacy and blah blah blah. I don't want to get into that. That's a whole different conversation, but in terms of your world and in terms of risk and compliance, that's a whole different type of a data set I think that probably existed in the early days of Ancestry.com >> Yeah >> Where you're just trying to put your family tree together. So, how does that increased value, increased sensitivity, increased potential opportunity for problems impact the way that you do your job and the way that you structure your compliance systems? >> Boy. Honestly, that is part of the reason why I joined the company. Is that I really kind of saw this opportunity. Kind of be a part of really a new technology that's coming online. I'd have to say.
>> Or is it no different than everyone else's personal information and those types of things? Maybe it's just higher profile in the news today. >> Not at all, no. It's kind of inherent within our company. We realized that our ability to grow and stay affable or just alive as a business, we pivot on security. And security for us and privacy is at the forefront. And I think one of the key changes that's done for maybe in other companies that I get is, people from our development teams, to our operations teams, to our security department, to our executives. We don't have to sell security to 'em. They really get it. It's our customer privacy and their data that we're asking people to share their most personal data with us. We can give you a new credit card. Or, you can get a new credit card number issued. We can't give you a new DNA sequence. >> Right. >> So once that's out there, it's out there and it is the utmost to us. And like I said, we don't have to sell security internally, and with that we've gotten a lot of support internally to be able to implement the kind of things that we needed to implement to keep that data as secure as we can. >> Right, well that's nice to hear and probably really nice for you to be able to execute your job that you don't have to sell security. It is important, important stuff. >> Grant: Yes, that's absolutely true. >> All right, good. So we are jamming through digital transformation. If we talk a year from now, what's on your plate for the next year? >> We just continue to evolve. We're trying to still continue the build in some of those processes that make us better, stronger, faster, as we go through, to respond to threats. And just really kind of handle the global expansion that our company's undergoing right now. Just want to keep the lights on and make sure that nobody even thinks about security when they can do this.
I can't speak for them, but I think we really want to lead the world in terms of privacy and customer trust and things like that. So there are a lot of things that I think we've got coming up that we really want to kind of lead the way on. >> Good, good. I think that is a great objective and I think you guys are in a good position to be the shining light to be, kind of guiding in that direction 'cause it's important stuff, really important stuff. >> Yeah, we hope so, we really do. >> Well Grant, nothing but the best to you. Good luck and keep all that stuff locked down. >> Thank you, thank you so much! Thanks for having me. >> He's Grant, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)
Survey Shows Containers Won't Kill VMware...Yet
>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Dave Vellante. >> Hi everybody. Welcome to this special edition of Cube Insights. This is theCUBE's 10th year at VMworld, and leading up to VMworld, we wanted to provide some data and some analysis to you all, and we're working with our partners at ETR, Enterprise Technology Research. We first introduced you to them when IBM consummated the Red Hat acquisition and they provided some data. ETR is a firm that does really detailed and fast ongoing data. They have, ah, a large panel of end customers that they talk to about spending intentions, covering virtually every company in the enterprise. It's great stuff. We reached out to them and came up with a number of questions that we wanted to address around VMworld and VMware, so let me just start by showing you the questions that we asked them to help us with. And we did essentially what I call a drill down survey. So we took their existing data sets. They just did a survey. They completed one in July on spending intentions for the second half of the year, combined that with all the time series data that they had. So these are the questions that really are top of mind for IT decision makers in our community. First of all, what's the appetite for VMware spending in the second half of 2019? We'll share some data on that. The second point is there's a narrative out there that containers are going to kill VMware. Well, is that true? What does the data say? How about multi cloud? It's the hot topic. Who is best positioned in multi cloud, not only within the VMware ecosystem but overall? Obviously, VMware has designs on multi cloud and is considered an early potential leader. How about NSX? When VMware bought Nicira, it changed the game on networking, changed their relationship with Cisco. How is NSX impacting spending on Cisco? Particularly, obviously, in networking.
The fifth question that we wanted to address is how is public cloud affecting VMware spend? We know public cloud is growing faster than on prem. What's the impact on VMware? And then finally it was announced in the press that VMware was going to acquire Pivotal. Why would that be? All right, so let's get into it. The first thing that I want to address is the first question on spending intentions. So this slide really shows the results of the second half survey. It's 693 respondents representing almost $300 billion in spending power. And so they were asked what your spending intentions are for the second half of 2019. You could see 41% of the respondents said they're going to spend more, and only 7% said they're gonna spend less. About 45% said they're gonna hold firm. Small number, 5%, said we're gonna add new, and only a tiny, infinitesimal 2% said they were gonna replace VMware, so that's pretty good for an incumbent. And essentially it's holding serve and maybe doing a little bit even better than holding serve. So we saw that as very positive. The next question that we want to address is the narrative of containers will kill VMware. We asked Pat Gelsinger about that on theCUBE years ago, he said, Hey, we're gonna use this as a tail wind. We're gonna embrace containers. So the bottom line is there's very little evidence that containers are hurting VMware, let alone killing VMware. This is a portion of the survey, about 461 respondents, and you can see that, you know, the big, big blip early on back in July 2017. Big uptick in spending, and since then it's been relatively stable. But the important point here is the number of shared accounts, that we went to essentially container customers and asked them about their VMware spend. I say we, ETR did. This is what they do on an ongoing basis, and you could see the number of shared accounts back in 17 was only eight.
But as you go to the right hand side, the more recent surveys, you're talking about 361 shared accounts, the data sample got much bigger. No evidence that VMware is being negatively impacted by containers, kind of affirming the assertion of Pat Gelsinger. Let's talk about multi cloud. I have said that multi cloud to date has largely been a symptom of multi vendor. It's cos acquiring cloud technologies for specific workloads. It's shadow IT. It's pockets of cloud activity versus a coherent strategy to manage across multiple clouds. True hybrid cloud, we're in the early stages, so the data here, in our view, shows that multi cloud really is jump ball. Um, interestingly, however, Microsoft and Google are showing momentum. So what this slide shows is the cloud spending intentions. And we picked, you know, the top five players there that are sort of angling around multi cloud: Google with Anthos, clearly Microsoft coming from its large software estate, VMware, of course, which many believe are an early favorite, Red Hat with the IBM acquisition, and Cisco. So what's interesting here is Google and Microsoft clearly have a lot of momentum, kind of mind share in the marketplace, and not a lot of hard core spending going on in multi cloud. Everybody has multi clouds, but in terms of spending on specific products, those like Anthos, for instance, from Google, designed to support multi cloud, we're in the early stages there, but you can see the sentiment that buyers have around multi cloud, Google and Microsoft showing momentum. Interestingly, VMware, Red Hat and Cisco kind of, you know, bunched up as the big enterprise players. So that's why we call it a jump ball, we see it as wide open. You know, Cisco might surprise some people, but it really doesn't surprise us. Cisco's coming at multi cloud from a position of networking strength. Each of these players, you know, has their strength.
Google with Anthos, Microsoft from its software estate, VMware clearly as the data center operating system, Red Hat with OpenShift, now with IBM's services capability, and of course Cisco coming at it from networking and security. So, hard to conclude, you know, who wins out of this data, but wanted to share that with you just in terms of what customers are thinking around multi-cloud. Okay, big conversation in the community around networking generally, specifically NSX. When VMware beat Cisco to the punch and acquired Nicira, it stated that we want to do to networking and storage what we did for servers. Well, what did VMware do to servers? They really co-opted the marketplace, changed the game, and really became, you know, the central point of server management, and that's what they want to do with networking. VMware is trying to de-position Cisco as a hardware vendor. Cisco is responding with its own software-defined capabilities, and there's an interesting battle going on. What does the data show? This shows the networking spend intentions for Cisco, the red line, and VMware, the blue line. You can see VMware NSX is sort of bouncing around but has very high mindshare, whereas Cisco is showing a holding firm, but a very gradual decline. I've said many times, Cisco, very impressive company, 60-plus percent market share. They've held that for a long, long time, despite some of the successes that you've seen by the likes of Arista, Juniper and F5, et cetera. Cisco has held its dominant share, but nonetheless, it's clear that NSX is impacting Cisco's dominance, certainly from a marketing standpoint, and you're seeing also from a spending standpoint that NSX is really challenging Cisco. It'll be very interesting to see how that plays out over time. Okay, next question was, okay, what about cloud? How is that affecting VMware? We see the cloud numbers, we see the growth. What does that mean for VMware? 
And you can see here, this is cloud customers' VMware spend, about 718 respondents, and you can see the number of shared accounts in the sample is substantial: 394, 379, 469. It obviously changes by the frequency that ETR does these surveys, and they do them, you know, several times a year, as you can see, but, you know, large sample of shared accounts. And there's no question that cloud customers continue to shift more of their spending to the public cloud, and potentially at the expense of VMware. You can see the gradual decline here and somewhat precipitous decline. VMware's still very strong. Stock price is doing great, but there's a little question in our mind that long term, VMware, despite cleaning up its cloud strategy with first the AWS partnership and also now partnerships with Google and Microsoft, and of course IBM as well, they were first, but having public cloud partners, nonetheless we see that over time there's a real tension there, that on-prem is not going to grab the market share, that growth that the cloud has. And that is a challenge for VMware that we continue to watch. Finally, Pivotal. Why would VMware acquire Pivotal? Well, first of all, this is why: Pivotal is not working. It doesn't have the momentum that it wants in the marketplace. You can see it's a pretty steep decline over the last couple of years, and a precipitous drop in stock price. Essentially, Dell and the governance structure of Dell Technologies, which of course owns VMware and a large portion of Pivotal, are saying, look, let's roll this back in. Let's give the stock price a boost. The stock went up 70-plus percent on the day that the Dow went down 800 points. And so this is why VMware would buy Pivotal. You know, it's a forcing function, we believe, from Dell. It also makes sense: Dell and its family, Dell Technologies, has these software assets. VMware is the mother ship of the Dell software operation. 
So why not fold it in? Personally, I think they should do it with some other software assets as well. Secureworks, Dell Boomi, RSA, all candidates to roll in, potentially over time, to VMware, at least portions of it, anyway. Okay, so let's summarize. What are the key takeaways? What's the appetite for VMware in the second half of 2019? Pretty solid, we'd say. Will containers kill VMware? There's no evidence, certainly in the theater. But there are threats. Think about SaaS. How many SaaS providers are actually running VMware? So as SaaS continues to grow in prominence, that is a potential blind spot for VMware that we're watching. Who's best positioned in multi-cloud? It's wide open. Microsoft looks strong. Google clearly has some momentum. Cisco maybe surprises many, but I think it's not gonna be a winner-take-all. We feel as though there's a lot of opportunities, but number one is going to make the most money. And so it's a very important space that we're watching. How's NSX impacting Cisco spend? It's a battle, but NSX is clearly negatively pressuring Cisco. How about public cloud? How is that affecting VMware spend? We think it's slowly eating away at on-prem, including VMware. I want to share with you a quote from one of the customers that ETR talked to. It's a head of a retail consumer organisation in North America, a longtime IT practitioner, who says: VMware's everywhere that I've ever been. I've been a customer, longtime VMware customer. He or she means it's the standard. But it's an interesting situation to see what's their next step. How do they keep themselves relevant? I think there's always going to be a need for VMware, especially because the ability to have the privacy of an extended network is key. However, with the cloud-based environment and encrypted data, it's gonna be interesting to see how that all plays out, how VMware deals with that approach. 
I think their next strategic steps are going to be crucial. I think that VMware has to be thinking long term. Okay, what do we do about cloud? Remember, VMware early on tried to get into cloud with its own public cloud option, vCloud Air. It failed. They got rid of it, cleaned up their cloud strategy. But why did VMware originally want to get into that business? Because they know that's a world of growth. So yes, hybrid and multi-cloud gives VMware a lot of runway. The partnership with Amazon has a lot of momentum. I didn't share that data, but it's very clear that VMware on AWS has strong momentum. And so that's certainly what the ETR data shows. Nonetheless, long term, you gotta ask what strategic moves will Michael Dell make to secure their position in the public cloud. Okay, lastly, why would VMware acquire Pivotal? That's a duh. Okay, we kind of stated why. So that's the deal. Thanks to our friends at ETR. Really appreciate them sharing the data. Enterprise Technology Research, if you wanted this, there's so many cuts on the data, it's unbelievable. You can cut it by large companies, small company, industry, applications, and every company on the planet. You can compare companies together. It's really a powerful set of data, but also access tools that they have developed, very, very nice, really modern version of survey panels. And so follow up with us. Follow up with them if you want more information, and watch us at VMworld. We'll be covering these and many other issues. That's our tenth year at VMworld. All the key execs are gonna be on, practitioners, customers, partners, and of course analysts and the broader ecosystem, technologists, and John Furrier, Stu Miniman, myself and the entire Cube team will be there to celebrate. So check it out, cube dot net, and we'll see you next week. Thanks for watching.
Bob Parr & Sreekar Krishna, KPMG US | MIT CDOIQ 2019
>> From Cambridge, Massachusetts, it's theCUBE, covering MIT Chief Data Officer and Information Quality Symposium 2019. Brought to you by SiliconANGLE Media. >> Welcome back to Cambridge, Massachusetts, everybody. You're watching theCUBE, the leader in live tech coverage. We're here covering the MIT CDO conference, MIT CDOIQ, day two, wrapping up. Bob Parr is here. He's a partner and principal at KPMG, and he's joined by Sreekar Krishna, who is the managing director of data science, AI and innovation at KPMG. Gents, welcome to theCUBE. >> Thank you. >> Let's start with your roles. So, Bob, where do you focus? >> My focus, within KPMG, we've got three main business lines: audit, tax, and advisory. And so I'm the advisory chief data officer. So I'm more focused on how we use data competitively in the market, more the offense side of our focus. So, you know, how do we make sure that our teams have the data they need to deliver value, as much as possible working in concert with the enterprise CDO, who's more focused on our infrastructure, our standards, security, privacy and those. >> You're focused on making KPMG better. >> I suppose, exactly. Clients. >> OK. >> I also have a second hat, and I also serve financial services CDOs as well. So... >> Okay, so kind of a dual role. I got sales guys in... >> Sreekar, what was your role? >> Yeah, you know, I focus a lot on data science, artificial intelligence and overall innovation, so my reaction. I actually represent a centre of excellence within KPMG that focuses on AI, machine learning, natural language processing. And I work with Bob's division to actually advance the data side of the story, because all AI needs data. And without data, there's no algorithms. So we're focusing a lot on how do we use AI to make data better. Think about data quality. Think about data lineage. Think about all of the problems that data has. How can we make it better using algorithms? 
And I focused a lot on that, working with Bob. But no, it's customers and internal. I mean, you know, we're a horizontal within the firm. So we help customers, we help internal, we focus a lot on the market. >> So, Bob, you mentioned using data offensively. So 10, 12 years ago, data was a liability. You had to get rid of it, keep it no longer than you had to, because you're gonna get sued. So email archives came in, and obviously things flipped after the big data. But so what are you seeing in terms of that shift from the defense data to the offensive? >> Yeah, and it's really, you know, when you think about it, and let me define sort of offense versus defense. On the defense side, historically, that's where most of CDOs have played. That's risk, regulatory reporting, privacy, even litigation support, those types of activities. Today, and really until about a year and a half ago, we really saw most CDOs still really anchored in that. I run a forum with a number of CDOs in financial services, and every year we get them together and ask them the same set of questions. This was the first year where they said that, you know what, my primary focus now is growth. It's bringing efficiencies, it's trying to generate value on the offensive side. It's not like the regulatory work's going away, certainly in the face of some of the pending privacy regulation. But, you know, it's a sign that the volume of use cases, as the investments in their digital transformations are starting to kick out, as well as the volumes of data that are available, the raw material that's available to them in terms of third-party data, in terms of just the general volumes that exist that are streaming into the organization, and the overall literacy in the business units, are creating this massive demand. And so they're having to respond. >> Because of getting a handle on the data, they're actually finding 
where it is, they're categorizing it there... >> Yeah, organizing that. That is still a challenge. I think it's better when you have a very narrow scope of critical data elements, going back to the structured data that we're talking about with the regulatory reporting. When you start to get into the offense, the generating value, getting the customer experience, you know, really exploring that side of it, there's a ton of new muscle that has to be built: new muscle in terms of data quality, new muscle in terms of really a more scalable operating model. I think that's a big issue right now with CDOs. You know, we're used to that limited swath of CDEs, and they've got a stewardship network that's very labor intensive, a lot of manual processes still, and they have some good basic technology, but a lot of it's rules based. And when you think about how that constraint's going to scale when you have all of this demand, you know, when you look at the customer experience analytics that they want to do, when you look at, you know, just AI applied to things like operations, the demand on the focus there is gonna start to create a fundamental shift. >> Sreekar, one of the things that I have seen, and maybe it's just my small observation space, but I wonder if you could comment, is that it seems like many CDOs are not directly involved in the AI initiatives. Clearly, the chief digital officer is involved, but the CDOs are kind of, you know, in the background still. You see that? >> That's a fantastic question, and I think this is where we're seeing some of the cutting-edge change that is happening in the industry. And when Bob presented the idea that we can offensively look at data, this is what it is: CDOs for a long time have become more reactive in their roles. And that is starting to come to the forefront now. 
So a lot of institutions we're working with are asking, what's the next-generation role of a CDO, and why are they in the background and why are they not in the foreground? And this is when you become more offensive and proactive with data. And the digital officers are obviously focused on, you know, the transformation that has to happen, but the CDOs are their backbone in order to make the transformation real. And if the CDOs start to think about their data as an asset, data as a product, data as a service, the digital officers are right there, because those are the real, you know, like the data they're living. So the CDO can really go from a back office to really become a business line. >> Who've you seen taking the reins in machine learning projects in companies you work with? Who was driving that? >> Yeah, great question. So we are seeing, like, you know, different... I would put them in buckets, right? There is no one model fits all. We're seeing different generations within the companies. Some of the ones were just testing out the market. There's two keeping it in their technology space, in their back office. Take idea and, you know, in forward I d, let me call them, where they are starting to experiment with this. But you see the mature organizations on the other end of the spectrum. They are integrating machine learning and AI right into the business line, because they want to see ex souls having the technology right by their side so they can leverage AI and machine learning right for the business, right there. And that is where we're seeing some of the new models come on. >> I think the big shift from a CDO perspective is using AI to prep data for AI. That's fundamentally where, you know, where the data science was distributed. 
Some of that data science has to come back and free the integration, for quality, for data prepping, because you've got all this data, third party and other, from customers, streaming into the organization. And, you know, the work that you're doing around anomaly detection, it transcends developing the rules, doing the profiling, doing the rules. You know, the very manual, the very labor-intensive process, you've got to get away from that. >> Is used in order for this to be scaled, algos and AI to figure out which algos to apply to >> clean, to prepare the data, to see what algorithms we can use. So it's basically what we're calling AI for data, rather than just data leading into AI. So, I mean, you know, you developed a technology for one of our clients, a pretty large financial service. They were getting close to, like, 1,000,000,000 data points every day. And there was no way manually you could go through the same quality controls and all of those processes. So we automated it through algorithms, and these algorithms are learning the behavior of data as they flow into the organization, and they're able to proactively tell where problems are starting very much. And this is the new phase that we see in the industry. You cannot scale the traditional data governance using manual processes. We have to go to the next generation, where AI, natural language processing, and think about unstructured data, right? I mean, that is, like, 90% of the organization is unstructured data, and we have not talked about data quality. We have not talked about data governance for a lot of these sources of information. Now is the time. AI can do it. >> And I think that raises a great question. If you look at unstructured, and a lot of the data sources, as you start to take more of an offensive stance, will be unstructured. And the data quality, what it means to apply data quality, isn't the profiling and the rules generation the way you would with standard data. 
So the teams, the skills that CDOs have in their organizations, have to change. You have to start to, and, you know, it's a great example where, you know, you guys were ingesting documents and there was handwriting all over the documents, you know, and... >> Yeah, you know, you're a great example, Bob. Like, you know, we would ask the client, like, you know, is this document gonna be scanned into the system so my algorithm can run? And they're like, yeah, everything is good. I mean, the deal is there. But when you then start scanning it, you realize there's handwriting, and the information is in the handwriting. So all the algorithms break down now. >> Tribal knowledge striving. >> Exactly. >> Exactly. So that's what we're seeing. You know, if we talk about the digital transformation in data in the CDO organization, it is this idea that nothing is left unseen. Some algorithm or some technology has seen everything that is coming into the organization, has a para 500. So it can tell you where the problems are. And this is what algorithms do. They scale beautifully. >> So the data quality approaches are evolving, sort of changing. So rather than heavy, heavy emphasis on masking or duplication and things like that, you would traditionally think of participating the difficult, not that that goes away, but it's got to evolve to use machine intelligence. >> Exactly. >> What kind of skill sets do people need to achieve that? Is it the same people, or do we need to retrain them or bring in new skills? >> Yeah, great question. And I can talk from the perspective of where AI is disrupting every industry now, that we know, right? But when you look at what skills are required, all of AI, including natural language processing, machine learning, still requires a human in the loop. And that is the training that goes in there. And who are the people who have that knowledge? It is the business analysts. 
It's the data analysts who are the knowledge betters. The C-suite and the CDOs, they are able to make decisions, but the day-to-day is still with the data analysts. >> Those SMEs. >> Those SMEs. So we have to upskill them to really start interacting with these new technologies, where they are the leaders, rather than just waiting for answers to come through. And when that happens, now, being a data scientist, my job is easy, because the SMEs are there. I deploy the technology. The SMEs train algorithms on a regular basis. Then it is a fully fungible model which is evolving with the business. And no longer am I spending time re-architecting my rules and, like, you know, what are the masking capabilities I need to have. It is evolving. >> Does that change the number one problem that you hear from data scientists, which is the 80% of the time spent on wrangling, cleaning data, 10, 15, 20%? Run into SMEs being concerned that they're gonna be replaced by the machine they're training? >> I actually see them being really enabled now. Where they're spending 80% of the time doing the boring job of looking at data, now they're spending 90% of their time looking at the elements future creative in, which requires human intelligence to say, hey, this is different because of X, Y and Z. >> So let's go out. It sounds like a lot of what machine learning is being used for now in your domain is cleaning things up. It's plumbing. It's basic foundation work. So go out three years, after all that work has been done and the data is clean. Where are your clients talking about going next with machine learning? Bob, did you want? >> I mean, it varies by industry, obviously, but it covers the gamut from, you know, and it's generally tied to what's driving their strategies. 
So if you look at a financial services organization as an example, today you're gonna have, you know, really AI driving a lot of the behind-the-scenes on the customer experience. It's, you know, today with your credit card company, it's behind the scenes doing fraud detection. You know, that's going to continue. So it's take the critical functions that were, more data, it makes better models, that, you know, that's just going to explode. And I think really you can look across all the functions, from finance to marketing to operations. I mean, it's gonna be pervasive across, you know, all of that. >> So if I may add on top of what Bob was saying, I think what our clients are asking is, how can I accelerate the decision making? Because at the end of the day, on Lee, all our leaders are focused on making decisions, and all of this data science is leading up to their decision. And today you see, like, you know, what you brought up, like, 80% of the time is wasted in cleaning the data. So only 20% of the time was spent in real experimentation and analytics. So your decision-making time was reduced to 20% of the effort that I put in the pipeline. What if now I can make it 80% of the time that I put in the pipeline? Better decisions are gonna come on the train. So when I go into a meeting and I'm saying, like, hey, can you show me what happened in this particular region or in this particular part of the country? Previously, it would have been like, oh, can you come back in two weeks? I will have the data ready, and I will tell you the answer. But in two weeks, the business has run away, and the CDO, you know, or the C-suite doesn't require the same answer. But where we're headed, as the data quality improves, you can get to real-time questions and decisions. >> So decision support, business intelligence. Well, we're getting better. Isn't interesting to me. Six months to build a cube, we'd still not be good enough. 
Moving too fast. As the saying goes, data is plentiful, insights aren't. You know, in your view, will machine intelligence finally close that gap, get us closer to real-time decision making? >> It will eventually. But there's so much that we need to, our industry needs to understand first, and get really ingrained. And, you know, today there is still a fundamental trust issue with AI. You know, we've done a lot of work... >> Black box a part of it? >> Part of it. I think, you know, the research we've done, and some of this is nine countries, 2,400 senior executives, and we asked a lot of questions around their data and trusted analytics, and 92% of them came back with, they have some fundamental trust issues with their data and their analytics, and they feel like there's reputational risk, material reputational risk. This isn't getting one little number wrong on one of the reports. >> It's more of an issue. >> You know, we also do a CEO study, and we've done this many years in a row. Going back to 2017, we started asking them, okay, a lot of companies, they're data driven, right? When it comes to... >> What they say they're doing. Well, they say they're data driven. >> That's the point. At the end of the day, they're making strategic decisions. Where you have an insight that's not intuitive, do you trust your gut or go with the analytics? Back then, you know, 67% said they go with their gut. So okay, this is 2017. This industry's moving quickly. There's tons and tons of investment. Look at it in 2018, go down? No, went up, 78%. So it's not aware this issue, there is something fundamentally wrong, and you hit on it. Part of it's the black box, and part of it's the data quality, and part of it's bias. And there's all of these things flowing around it. 
And so when we dug into that, we said, well, okay, if that exists, how are we going to help organizations get their arms around this issue and start digging into that trust issue? And really, the front part is exactly what we're talking about in terms of data quality, both structured, more traditional approaches, and unstructured, using the handwriting example, in those types of techniques. But then you get into the models themselves, and, you know, the critical thing you have to worry about is, you know, lineage. So from an integrity perspective, where's the data coming from? Whether the sources for the change controls on some of that. They need to look at explainability, again at the black box part, where can you tell me the inferences, decisions, are those documented? And this is important for the SME, the human in the loop, to get confidence in the algorithm, as well as, you know, that executive group, so they understand there's a structured set of processes around it. >> The Moneyball problem is actually pretty confined. It's pretty straightforward. Dono 32 teams are throwing minor leagues, but the data model's pretty consistent. The problem with organizations is I don't know the data model is consistent with the organization. You mentioned risk, Bob. >> The other problem is organizational inertia. If they don't trust it, what is a P&L manager to do when he or she wants to preserve, yeah, you know, their exit position? They attack the data. You know, I don't believe that. >> Well, which is a fundamental point, which is culture. Yes. I mean, you can have all the data science and all the governance that you want, but if you don't work culture in parallel with all this, it's not gonna stick. And that's, I think, a lot of the leading organisations, they're starting to really dig into this. We hear a lot about literacy. We hear a lot about, you know, top-down support. What does that really mean? 
It means, you know, senior executives are placing bets around and linking, demonstrably linking, the data and the role of data as an asset into their strategies, and then messaging it out and being specific around the types of investments that are going to reinforce that business strategy. So that's absolutely critical. And then literacy, absolutely fundamental as well, because it's not just the executives and the data scientists that have to get this. It's the guy in ops that you're trying to get to. They need to understand, you know, not only tools, but it's less about the tools, it's the techniques, so that the approaches being used are more transparent, and that, you know, they're starting to also understand, you know, the issues of privacy and data usage rights. That's also something that we can't leave at the curb with all this innovation. >> It's also believing that there's an imperative. I mean, for all the talk about digital transformation, you hear it everywhere. Everybody's trying to get digital right. But there's still a lot of complacency in the organization, in the lines of business, in operations, to say, we're actually doing really well. You know, we're in financial services. Health care really hasn't been disrupted. It's, oh, it's coming, it's coming. But there's still a lot of, I'll be retired by then, or hanging. >> Actually, it's also the fact that, you know, like in the previous generation, like, you know, if I had to go shopping, I would go into a shop, and if I wanted to buy an insurance product, I would call my insurance agent. But today, the new world, it's just a tap on my screen. I have to go from Amazon to some other app, and this is really what is happening to all of our kind. Previously that they start their customers, bucketed them in different experience buckets. It's not anymore that's real in front of them. 
So if you don't get into their digital transformation, a customer is not going to discount you by saying, oh, you're not Amazon, so I'm not going to expect that. You're still on my phone and you're only two types of here, so you have to become really digital. >> A little surprised that you said you see the next stage as being decision support rather than customer experience, because we hear that for CEOs, customer experience is top of mind right now. >> No natural profile. There are two differences, right? One is external facing, which is absolutely the customer. Internal facing, it's absolutely the decision making, because that's how they're separating the internal versus the external. And, you know, in most of the meetings that we go to, customer insight is the first place where analytics is starting, where data is being cleaned up. The questions are being asked about, can I master my customer records? Can I do a good master of my vendor list? That is where they start. But all of that leads to good decision making to support the customers. So it's like that external towards internal view. >> Well, back to the offense versus defense and the shift. I mean, it absolutely is on the offense side. So it is with the customer, and that's more directly tied to the business strategy. So that's the area that's getting the money, the support, and people feel like they're making an impact with it there. When it's down here in some admin area, it's below the water line, and, you know, even though it's important and it flows up here, it doesn't get the visibility. >> That's a great conversation. Thanks for coming on. We've got to leave it there. Thank you for watching. We'll be right back with our next guest. Dave Vellante, Paul Gillin, from MIT CDOIQ. Right back. You're watching theCUBE.
Lars Toomre, Brass Rat Capital | MIT CDOIQ 2019
>> From Cambridge, Massachusetts, it's theCUBE, covering MIT Chief Data Officer and Information Quality Symposium 2019. Brought to you by Silicon Angle Media. >> Welcome back to MIT, everybody. This is theCUBE, the leader in live coverage. My name is Dave Vellante. I'm here with my co-host, Paul Gillin, in this day two coverage of the MIT CDOIQ conference. A lot of acronyms. Stands for MIT, of course, the great institution, but Chief Data Officer Information Quality event. This is the 13th annual event. Lars Toomre is here. He's the managing partner of Brass Rat Capital. Cool name. Lars, welcome to theCUBE. Great. Very much. Glad I start with a name brass around Capitol was That's >> rat is reference to the MIT school. Okay, Beaver? Well, he is, but the students call it a brass rat, and I'm third generation MIT. So it just seemed absolutely appropriate. That is a brass rat, and capital is not a reference to money, but is actually a reference to the intellectual capital. If you have five or six brass rats in the same company, you know, we sometimes, engineers arrive and they could do some things. >> And boy, if you put in some data, data capital in there, you really explosions. We cause a few problems. So we're gonna talk about some new regulations that are coming down. New legislation that's coming down that you exposed me to yesterday, which is gonna have downstream implications. You get ahead of this stuff and understand it. You can really, first of all, prepare, make sure you're in compliance, but then potentially take advantage for your business. So explain to us this notion of open government act. >> Um, in the last five years, six years or so, there's been an effort going on to increase the transparency across all levels of government. Okay, state, local and federal government. The first of the federal government laws was called the Open Data Act of 2014, and that was an act that was enacted unanimously by Congress and signed by Obama.
That was taking the departments of the various agencies of the United States government and trying to roll up all the expenses into one kind of expense. This is where we spent our money and who got the money, and doing that. That's what they were trying to do. >> Big picture type of thing. >> Yeah, big picture type thing. But unfortunately, it didn't work, okay? Because they forgot to include this odd word called mentalities. So the same departments meant the same thing. Data problem. They have a really big data problem. They still have it. So there are two GAO reports out criticizing how it was done, and the government's gonna try and correct it. Then earlier this year, there was another open government data act which said in it was signed by Trump. Now, this time you had, like, maybe 25 negative votes, but essentially otherwise passed Congress completely. It was called the OPEN, as in all capital O-P-E-N, Government Data Act. Okay, and that's not been implemented yet. But there's live talking around this conference today, and various chief data officers are talking about this requirement that every single non-intelligence, defense, you know, vital protection of the people type stuff, all the, like, um, interior, treasury, transportation, those type of systems: if you produce a report these days which is, I mean, human readable, you must now, in two years or three years, I forget the exact implementation date, have it also be machine readable. Now, some people think machine readable means like PDF formats, but no, >> In fact, what the government did is it >> said it must be machine readable. So you must be able to get into the reports, and you have to be able to extract out the information and attach it to the tree of knowledge. Okay, so we're all of a sudden having context. Like, there are currently machine readable, quote unquote, easy reports. But you can get into those SEC reports.
You pull out the net net income information and it says it's net income, but you don't know what it attaches to on the tree of knowledge. So, um, we are helping the government in some sense enable machine readable type reporting that we can do machine to machine without people being involved. >> When you say the tree of knowledge, you're talking about the constant >> man tick semantic tree of knowledge so that, you know, we all come from one concept. Like, the human is an example of a living thing; a living beast is an example of a living thing. So it also goes back, and they're serving as you get farther and farther out the tree, there's more distance, or semantic distance, but you can attach it back to a concept so you can attach context to the various data. Is this essentially metadata? That's what people call it. But if I would go over to CSAIL here at MIT, they would turn around and call it the Tree of Knowledge or semantic data. Okay, it's referred to as semantic data. So you are passing not only the data itself, but the context that >> goes along with the data. Okay, how does this relate to the financial transparency? >> Well, the Financial Transparency Act was introduced by Representative Issa, who's a Republican out of California. He's run the Government Affairs Committee in the House. He retired from Congress this past November, but in 2017 he introduced what's got referred to as H.R. 1530. Um, and the 1530 is going to dramatically change the way, um, financial regulators work in the United States. Um, it was about to be introduced two weeks ago when the Libra digital currency stuff came up. So it's been delayed a little bit because they're trying to add some of the digital currency legislation to that law. >> A front run that Well, >> I don't know exactly what the remember soul coming out of Maxine Waters Committee. So the staff is working on a bunch of different things at once.
But, um, we, OMG, was asked to consult with them on looking at the 1530 act and saying, how would we improve it, quote unquote, given our technical, you know, not doing policy. We just don't have the technical aspects of the act. How would we want to see it improved? So one of the things we have advised is that for the first time in the United States Code's history, they're gonna include an interesting term called ontology. You know what an ontology is? Well, everyone gets scared by the word. And when I run into people, they say, "Are you a doctor?" I said, no, no, no. I'm just a data guy. Um, but an ontology is like a taxonomy, but it had order has important, and what an ontology allows you to do is, ah, kinda, you know, giving some context of linking something to something else. And so you're able to give more information with an ontology than you're able to with a taxonomy. >> Okay, so it's a taxonomy on steroids? >> Yes, exactly what? More flexible, >> Yes, but it's critically important for artificial intelligence and machine learning, because if I can give them an ontology of sort of how it goes up and down the semantics, I can turn around and do AI and machine learning problems on the >> order of 100 >> 1000 even 10,000 times faster. And it has context. It has context, and just having a little bit of context speeds up these problems so dramatically. So, and is that what enables the machine to machine? New notion? No, the machine to machine is coming in with something called SBRM, just Standard Business Report Model. It's an OMG specification of a way of allowing the computers, or machines, as we call them these days, to get into a standard business report. Okay, so let's say you're, ah, a drug company. You have to certify your >> drugs you manufactured in India get to the United States safely. Okay, you have various >> reporting requirements on the way. You've got to give extra easy the FDA et cetera that will always be a standard format. The SEC has a different format.
FERC has a different format. Okay, so what SBRM does is it allows it to describe in an ontology what's in the report. And then it also allows one to attach an ontology to the cells in the report. So if you look at an SEC 10-Q, 10-K report, you can attach a US GAAP taxonomy or ontology to it and say, OK, net income annual, that's part of the income statement. You should never see that in a balance sheet type item, you know, as an example. Okay. Or you can, for the first time, by having that context, you can say are solid problem, which suggested that you can file these machine readable reports that are wrong. So, believe it or not, there were about 50 cases in the last 10 years where SEC reports have been filed where the assets don't equal total liabilities plus shareholder equity. You know, just they didn't add >> up. So this to, >> you know, two-entry accounting doesn't work. >> Okay, so so you could have the machines go and check scale. Hey, we got a problem We've >> got a problem here, and you don't have to get humans involved. So we're gonna, um, uh, Holland and Australia are two leaders ahead of the United States. In this area, they've seen dramatic pickups. I mean, Holland's reporting something on the order of 90% pickup. Australia's reporting 60% pickup. >> When you say pickup, you're talking about pickup of errors? No, efficiency, productivity, productivity. Okay, >> you're taking people out of the whole cycle. It's dramatic. >> Okay, now what's the OMG is rolling on the hoof. Explain the OMG >> Object Management Group. I'm not speaking on behalf of them. It's a membership run organization. You remember? I am a >> member of cold. >> I'm a khalid of it. But I don't represent OMG. It's the membership has to collectively vote that this is what we think. Okay, so I can't speak on them, right? I have a pretty significant role with them. I run on behalf of OMG something called the Federated Enterprise Risk Management Group.
That's the group which is focusing on risk management for large entities like the federal government's Veterans Affairs or Department of Defense. Upstairs, I think talking right now is the Chief Data Officer for Transportation. OK, that's a large organization, which, they're instructed by OMB at the, um, chief financial officer level. The number one thing to do for the government is to get an effective enterprise risk management model going in the government agencies. And so they come to OMG, just like NIST or just like DARPA does from the defense or intelligence side, saying we need to have standards in this area. So not only can we talk to you effectively, but we can talk with our industry partners effectively on space programs, on retail, on medical programs, on finance programs. And so at OMG there are two significant financial programs, or standards, that exist. One's called FIGI, Financial Instrument Global Identifier, which is a way of identifying a swap. It's a way of identifying a security. It does not have to be used for a CUSIP, but worldwide. You can identify that, you know, IBM stock did trade in Tokyo, so it's a different identifier, has different, you know, the liberals against the one trading New York. Okay, so those are called FIGI identifiers. Then there are attributes associated with that security or that beast being identified, which generally comes out of FIBO, which is the Financial Industry Business Ontology. So you know, it says for a corporate bond, it has coupon, maturity, semi-annual payment, bullets. You know, as an example. So that gives you all the information that you would need to go through to the calculation, assuming you could have a calculation routine to do it. Then you need to then turn around and set up your, we'll call, your environment. You know, where forward yield curves are. With mortgage backed securities or any portable call.
Will bond sort of probabilistically run their numbers many times and come up with effective duration? Um, and then you do your Vader's analytics. No, aggregating the portfolio and looking at shortfalls versus your funding. Or however you're doing risk management, and then finally do reporting, which is where the standardized business reporting model comes in. So that's kind of the five parts of doing a full enterprise risk model and Alex So what >> does >> this mean for first? Well, who does this impact on? What does it mean for organizations? >> Well, it's gonna change the world for basically everyone, because it's like doing a clue ends of a software upgrade. Conversion one's version two point. Oh, and you know how software upgrades, everyone hates, and it hurts, because everyone's gonna have to now start using the same standard ontology. And, of course, that Sarah Ontology no one completely agrees with. The regulators have agreed to it. And the ultimate controlling authority in this thing is going to be FSOC, which is the Dodd-Frank mandated response to not ever having another TARP. So the Secretary of Treasury heads it. It's, ah, I forget, it's the, uh, federal systemic oversight committee or something like that. All eight regulators report into it. And OFR stands as being the adviser to FSOC for all the analytics. What these laws were doing, you're getting over farm or more power to turn around and look at how we're going to find data across the three so we can come up with consistent analytics and we can therefore hopefully take one day, like, Goldman Sachs's prepayment model on mortgages, apply it to Citibank's portfolio, so we can look at consistency of analytics as well. It is only apply to regulated businesses. It's gonna apply to regulated financial businesses. Okay, so it's gonna capture all your mutual funds, it's gonna capture all your investment advisers, it's gonna capture
Most of your insurance companies through the medical air side, it's gonna capture all your commercial banks, it's gonna capture most of your community banks. Okay, not all of them, because some of them are so small, they're not regulated on a federal basis. The one regulator which is being skipped at this point is the National Association of Insurance Commissioners. But they're apparently coming along as well. Independent federal legislation. Remember, they're regulated on the state level, not regulated on the federal level. But they've kind of realized where the ball's going and, >> will this make life better or simply more complex? >> It's going to make life horrible at first, but we're gonna take out incredible efficiency gains, probably after the first time you get it done. Okay, it's gonna be the problem of getting it done, to everyone agreeing we use the same definitions >> of the same data. Who gets the efficiency gains? The regulators, the companies, or both? >> All, everyone. Can you imagine that, you know, ah, Goldman Sachs earnings report comes out. You're an analyst. Looking at, how do I know what Goldman, good or bad? You have your own equity model. You just give the model to the semantic worksheet and all turn around. Say, oh, those numbers are all good. This is what expected. Did it? Did it? Didn't you? Haven't. You could do that. There are examples of companies here in the United States where they used to have, um, competitive analysis. Okay. They would be taking somewhere on the order of 600 to 700 man hours to do the competitive analysis. By having it available electronically, they cut those 600 hours down to five to do a competitive analysis. Okay, that's an example of the type of productivity you're gonna see, both on the investment side when you're doing analysis, but also on the regulatory side. Can you now imagine you get a regulatory report, say, oh, there's, they're way out of whack.
I can tell you there's fraud going on here because their numbers are too much in X, Y, Z. You know, you had to fudge numbers today, >> and so the securities analyst can spend more of his or her time looking forward, doing forecasts, exactly, analysis, than having to look back and reconcile all this. >> Right? And you know, you hear it through this conference, for instance, something like 80 to 85% of the time of analysts is spent getting the data ready. >> You hear the same thing with data scientists, >> right? And so to the extent that we can help define the data, we're going to speed things up dramatically. But then what's really interesting to me, being an MIT engineer, is that we have great possibilities in AI. I mean, really great possibilities. Right now, most of the AI models are pattern matching, like, you know, this idea using face shield technology, that's just really doing patterns. You can do wonderful predictive analytics with AI, but we just need to give a lot of the AI models the context so they can run more quickly. OK, so we're going to see a world, which is gonna sound funny, but we're going to see a world where we talk about semantic analytics. Okay. Semantic analytics means I'm getting all the inputs for the analysis with context to each one of the variables. And what comes out of it will be a variable result, but you also have semantics with it. So one in the future, not too distant future. Where are we? We're in some of the national labs. Where are you doing it? You're doing pipelines of one model goes to the next model, goes to the next model, and on it goes to the next model. So you're gonna software pipelines. Believe it or not, you get them running out of an Excel spreadsheet. You know, our modern Enhanced Excel spreadsheet, and that's where the future is gonna be. So you really, if you're gonna be really good in this business, you're gonna have to be able to use your brain.
You have to understand what data means. You're going to figure out what your modeling really means. What happens if we were, you know, normally for a lot of the stuff we do bell curves. Okay, well, that doesn't have to be the only distribution. You could do fat tail. So if you did fat tail descriptions that a bell curve gets you much different results. Now, which one's better? I don't know, but, you know, and just using example >> to another cut in the data. So our view now talk about more about the tech behind this. He's mentioned AI. What about math? Machine learning? Deep learning? Yeah, add some color to that. >> Well, the tech behind it is, believe it or not, some relatively old tech. There is a technology called RDF, which is kind of turned around for a long time. It's a science kind of, ah, machine learning, not machine learning, I'm sorry, machine code type. Fairly simplistic definitions. Lots of angle brackets and all this stuff. There is a higher level. That was your distracted, I think put into standard in, like, 2004, 2005. Called OWL 2.0, and it does a lot at a higher level, the same stuff that RDF does. Okay, you could also create, um, believe it or not, your own special ways of communicating an ontology just using XML. Okay, so, uh, XBRL is an enhanced version of XML, okay? And so some of these older technologies, quote unquote old, 20 years old, are essentially gonna be driving a lot of this stuff. So you know CORBA, right? CORBA is what made OMG, you know, on the communication and press thing. Do you realize that basically every single device in the world has a CORBA standard at? Okay? Yeah, OMG standard is in all your smartphones and all your computers. And that's how they communicate. It turns out that a lot of this old stuff, quote unquote, is so rigidly well defined, well done, that you can build modern stuff that takes us to Mars based on these old standards. >> All right, we got to go.
But I gotta give you the award for the most acronyms >> H.R. 1530, FIGI, OMG, SBR >> M, FSOC, TARP, OFR, already halfway. We knew that. OWL, XML, XBRL, CORBA, which of course >> I do. But that's well done. Like thanks so much for coming. Everyone tried to have you. All right, keep it right there, everybody. We'll be back with our next guest from MIT CDOIQ right after this short, brief short message. Thank you