Nir Zuk, Palo Alto Networks | An Architecture for Securing the Supercloud
(bright upbeat music) >> Welcome back, everybody, to the Supercloud 2. My name is Dave Vellante. And I'm pleased to welcome Nir Zuk. He's the founder and CTO of Palo Alto Networks. Nir, good to see you again. Welcome. >> Same here. Good to see you. >> So let's start with the right security architecture in the context of today's fragmented market. You've got a lot of different tools, you've got different locations, on-prem, you've got hardware and software. Tell us about the right security architecture from your standpoint. What's that look like? >> You know, the funny thing is using the word security in architecture rarely works together. (Dave chuckles) If you ask a typical information security person to step up to a whiteboard and draw their security architecture, they will look at you as if you fell from the moon. I mean, haven't you been here in the last 25 years? There's no security architecture. The architecture today is just buying a bunch of products and dropping them into the infrastructure at some relatively random way without really any guiding architecture. And that's a huge challenge in cybersecurity. It's always been, we've always tried to find ways to put an architecture into writing blueprints, whatever you want to call it, and it's always been difficult. Luckily, two things. First, there's something called zero trust, which we can talk a little bit about more, if you want, and zero trust among other things is really a way to create a security architecture, and second, because in the cloud, in the supercloud, we're starting from scratch, we can do things differently. We don't have to follow the way we've always done cybersecurity, again, buying random products, okay, maybe not random, maybe there is some thinking going into it by buying products, one of the other, dropping them in, and doing it over 20 years and ending up with a mess in the cloud, we have an opportunity to do it differently and really have an architecture. 
>> You know, I love talking to founders and particularly technical founders from StartupNation. I think I saw an article, I think it was Uri Levine, one of the founders or co-founders of Waze, and he had a t-shirt on, it said, "Fall in love with the problem, not the solution." Is that how you approached architecture? You talk about zero trust, it's a relatively new term, but was that in your head when you thought about forming the company? >> Yeah, so when I started Palo Alto Networks, exactly, by the way, 17 years ago, we got funded January, 2006, January 18th, 2006. The idea behind Palo Alto Networks was to create a security platform and over time take more and more cybersecurity functions and deliver them on top of that platform, by the way, as a service, SaaS. Everybody thought we were crazy trying to combine many functions into one platform, best of breed and defense in depth and putting all your eggs in the same basket and a bunch of other slogans were flying around, and also everybody thought we were crazy asking customers to send information to the cloud in order to secure themselves. Of course, step forward 17 years, everything is now different. We changed the market. Almost all of cybersecurity today is delivered as SaaS and platforms are ruling more and more the world. And so again, the idea behind the platform was to over time take more and more cybersecurity functions and deliver them together, one brain, one decision being made for each and every packet or system call or file or whatever it is that you're making the decision about and it works really, really well. As a side effect, when you combine that with zero trust and you end up with, let's not call it an architecture yet. 
You end up with something where any user, any location, both geographically as well as any location in terms of branch office, headquarters, home, coffee shop, hotel, whatever, so any user, any geographical location, any location, any connectivity method, whether it is SD-WAN or IPsec or Client VPN or Client SVPN or proxy or browser isolation or whatever and any application deployed anywhere, public cloud, private cloud, traditional data center, SaaS, you secure the same way. That's really zero trust, right? You secure everything, no matter who the user is, no matter where they are, no matter where they go, you secure them exactly the same way. You don't make any assumptions about the user or the application or the location or whatever, just because you trust nothing. And as a side effect, when you do that, you end up with a security architecture, the security architecture I just described. The same thing is true for securing applications. If you try to really think and not just act instinctively the way we usually do in cybersecurity and you say, I'm going to secure my traditional data center applications or private cloud applications and public cloud applications and my SaaS applications the same way, I'm not going to trust something just because it's deployed in the private data center. I'm not going to trust two components of an application or two applications talking to each other just because they're deployed in the same place versus if one component is deployed in one public cloud and the other component is deployed in another public cloud or private cloud or whatever. I'm going to secure all of them the same way without making any trust assumptions. You end up with an architecture for securing your applications, which is applicable for the supercloud. >> It was very interesting. There's a debate I want to pick up on what you said because you said don't call it an architecture yet. 
So Bob Muglia, I dunno if you know Bob, but he sort of started the debate, said, "Supercloud, think of it as a platform, not an architecture." And there are others that are saying, "No, no, if we do that, then we're going to have a bunch of more stove pipes. So there needs to be standard, almost a purist view. There needs to be a supercloud architecture." So how do you think about it? And it's a bit academic, I know, but do you think of this idea of a supercloud, this layer of value on top of the hyperscalers, do you think of that as a platform approach that each of the individual vendors are responsible for the architecture? Or is there some kind of overriding architecture of standards that needs to emerge to enable the supercloud? >> So we can talk academically or we can talk practically. >> Yeah, let's talk practically. That's who you are. (Dave laughs) >> Practically, this world is ruled by financial interests and none of the public cloud providers, especially the bigger they are has any interest of making it easy for anyone to go multi-cloud, okay? Also, on top of that, if we want to be even more practical, each of those large cloud providers, cloud scale providers have engineers and all these engineers think they're the best in the world, which they are and they all like to do things differently. So you can't expect things in AWS and in Azure and GCP and in the other clouds like Oracle and Ali and so on to be the same. They're not going to be the same. And some things can be abstracted. Maybe cloud storage or bucket storage can be abstracted with the layer that makes them look the same no matter where you're running. And some things cannot be abstracted and unfortunately will not be abstracted because the economical interest and the way engineers work won't let it happen. We as a third party provider, cybersecurity provider, and I'm sure other providers in other areas as well are trying or we're doing our best. 
We're not trying, we are doing our best, and it's pretty close to being the way you describe the top of your supercloud. We're building something that abstracts the underlying cloud such that securing each of these clouds, and by the way, I would add private cloud to it as well, looks exactly the same. So we use, almost always, whenever possible, the same terminology, no matter which cloud we're securing and the same policy and the same alerts and the same information and so on. And that's also very important because when you look at the people that actually end up using the product, security engineers and more importantly, SOC, security operations center analysts, they're not going to study the details of each and every cloud. It's just going to be too much. So we need to abstract it for them. >> Yeah, we agree by the way that the supercloud definition is inclusive of on-prem, you know, what you call private cloud. And I want to pick up on something else you said. I think you're right that abstracting and making consistent across clouds something like object storage, get put, you know, whether it's an S3 bucket or an Azure Blob, relatively speaking trivial. When you now bring that supercloud concept to something more complex like security, first of all, is it technically feasible and inferring the answer there is yes, and if so, what do you see as the main technical challenges of doing so? >> So it is feasible to the extent that the different clouds provide the same functionality. Then you step into a territory where different cloud providers have different PaaS services and different cloud providers do things a little bit differently and they have different sets of permissions and different logging that sometimes provides all the information and sometimes it doesn't. So you end up with some differences. And then the question is, do you abstract the lowest common denominator and that's all you support? Or do you find a way to be smarter than that? 
And yeah, whatever can be abstracted is abstracted and whatever cannot be abstracted, you find an easy way to represent that to your users, security engineers, security analysts, and so on, which is what I believe we do. >> And you do that by what? Inventing or developing technology that presents that experience to users? Could you be more specific there? >> Yeah, so different cloud providers call their storage in different names and you use different ways to configure them and the logs come out the same. So we normalize it. I mean, the keyword is probably normalization. Normalize it. And we try to, you know, then you have to pick a winner here and to use someone's terminology or you need to invent new terminology. So we try to use the terminology of the largest cloud provider so that we have a better chance of doing that but we can't always do that because they don't support everything that other cloud providers provide, but the important thing is, with or thanks to that normalization, our customers both on the engineering side and on the user side, operations side end up having to learn one terminology in order to set policies and understand attacks and investigate incidents. >> I wonder if I could pick your brain on what you see as the ideal deployment model to achieve this supercloud experience. For example, do you think instantiating your stack in multiple regions and multiple clouds is the right way to do it? Or is building a single global instance on top of the clouds a more preferable way? Are maybe other models we should consider? What do you see as the trade off of these different deployment models and which one is ideal in your view? >> Yeah, so first, when you deploy cloud security, you have to decide whether you're going to use agents or not. By agents, I mean something working, something running inside the workload. 
Inside a virtual machine on the container host attached to function, serverless function and so on and I, of course, recommend using agents because that enables prevention, it enables functionality you cannot get without agents but you have to choose that. Now, of course, if you choose agent, you need to deploy AWS agents in AWS and GCP agents in GCP and Azure agents in Azure and so on. Of course, you don't do it manually. You do it through the CICD pipeline. And then the second thing that you need to do is you need to connect with the consoles. Of course, that can be done over the internet no matter where your security instances is running. You can run it on premise, you can run it in one of the other different clouds. Of course, we don't run it on premise. We prefer not to run it on premise because if you're secured in cloud, you might as well run in the cloud. And then the question is, for example, do you run a separate instance for AWS for GCP or for Azure, or you want to run one instance for all of them in one of these clouds? And there are advantages and disadvantages. I think that from a security perspective, it's always better to run in one place because then when you collect the information, you get information from all the clouds and you can start looking for cross-cloud issues, incidents, attacks, and so on. The downside of that is that you need to send all the information to one of the clouds and you probably know that sending data out of the cloud costs a lot of money versus keeping it in the cloud. So theoretically, you can build an architecture where you keep the data for AWS in AWS, Azure in Azure, GCP in GCP, and then you try to run distributed queries. When you do that, you find out you'd end up paying more for the compute to do that than you would've paid for sending all the data to a central location. 
So we prefer the approach of running in one place, bringing all the data there, and running all the security, the machine learning or whatever, the rules or whatever it is that you're running in one place versus trying to create a distributed deployment in order to try to save some money on the data, the network data transfers. >> Yeah, thank you for that. That makes a lot of sense. And so basically, should we think about the next layer building security data lake, if you will, and then running machine learning on top of that if I can use that term of a data lake or a lake house? Is that sort of where you're headed? >> Yeah, look, the world is headed in that direction, not just the cybersecurity world. The world is headed from being rule-based to being data-based. So cybersecurity is not different and what we used to do with rules in the past, we're now doing with machine learning. So in the past, you would define rules saying, if you see this, this, and this, it's an attack. Now you just throw the data at the machine, I mean, I'm simplifying it, but you throw data at a machine. You'll tell the machine, find the attack in the data. It's not that simple. You need to build the right machine learning models. It needs to be done by people that are both cybersecurity experts and machine learning experts. We do it mostly with ex-military offensive people that take their offensive knowledge and translate it into machine learning models. But look, the world is moving in that direction and cybersecurity is moving in that direction as well. You need to collect a lot of data. Like I said, I prefer to see all the data in one place so that the machine learning can be much more efficient, pay for transferring the data, save money on the compute. >> I think the drop the mic quote at Ignite that you had was within five years, your security operation is going to be AI-powered. And so you could probably apply that to virtually any job over the next five years. 
>> I don't know if any job. Certainly writing essays for school is automated already as we've seen with ChatGPT and potentially other things. By the way, we need to talk at some point about ChatGPT security. I don't want to think what happens when someone spends a lot of money on creating a lot of fake content and teaches ChatGPT the wrong answer to a question. We start seeing ChatGPT as the oracle of everything. We need to figure out what to do with the security of that. But yeah, things have to be automated in cybersecurity. They have to be automated. There's just too much data to deal with and it's just not even close to being good enough to wait for an incident to happen and then going investigate the incident based on the data that we have. It's better to look at all the data all the time, millions of events per second, and find those incidents before they happen. There's no way to do that without machine learning. >> I'd love to have you back and talk about ChatGPT. I know they're trying to put in some guardrails but there are a lot of unintended consequences, aren't there? >> Look, if they're not going to have a person filtering the data, then with enough money, you can create thousands or tens of thousands of pieces of articles or whatever that look real and teach the machine something that is totally wrong. >> We were talking about the hyperscalers before and I agree with you. It's very unlikely they're going to get together, band together, and create these standards. But it's not a static market. It's a moving train, if you will. So assuming you're building this cross cloud experience which you are, what do you want from the hyperscalers? What do you want them to bring to the table? What does a technology supplier like Palo Alto Networks bring? In other words, where do you see ongoing as your unique value add and that moat that you're building and how will that evolve over time vis-a-vis the hyperscaler evolution? >> Yeah, look, we need APIs. 
The more data we have, the more access we have to more data, the less restricted the access is and the cheaper the access is to the data because someone has to pay today for some reason for accessing that data, the more secure their customers are going to be. So we need help and are helping by the way a lot, all of them in finding easy ways for customers to deploy things in the cloud, access data, and again, a lot of data, very diversified data and do it in a cost-effective way. >> And when we talk about the edge, I presume you look at the edge as just another data center or maybe it's the reverse. Maybe the data center is just another edge location, but you're seeing specific edge security solutions come out. I'm guessing that you would say, that's not what we want. Edge should be part of that architecture that we talked about earlier. Do you agree? >> Correct, it should be part of the architecture. I would also say that the edge provides an opportunity specifically for network security, whereas traditional network security would be deployed on premise. I'm talking about internet security but half network security market, and not just network security but also the other network intelligent functions like routing and QoS. We're seeing a trend of pushing those to the edge of the cloud. So what you deploy on premise is technology for bringing packets to the edge of the cloud and then you run your security at the edge, whatever that edge is, whether it's a private edge or public edge, you run it in the edge. It's called SASE, Secure Access Services Edge, pronounced SASE. >> Nir, I got to thank you so much. You're such a clear thinker. I really appreciate you participating in Supercloud 2. >> Thank you. >> All right, keep it right there for more content covering the future of cloud and data. This is Dave Vellante for John Furrier. I'll be right back. (bright upbeat music)
Takeaways from Ignite22 | Palo Alto Networks Ignite22
>>The Cube presents Ignite 22, brought to you by Palo Alto Networks. >>Welcome back everyone. We're so glad that you're still with us. It's the Cube Live at the MGM Grand. This is our second day of coverage of Palo Alto Networks Ignite. This is takeaways from Ignite 22. Lisa Martin here with two really smart guys, Dave Valante. Dave, we're joined by one of our cube alumni, a friend, a friend of the, we say friend of the Cube. >>Yeah, F otc. A friend of the Cube >>Karala joins us. Guys, it's great to have you here. It's been an exciting show. A lot of cybersecurity is one of my favorite topics to talk about. But I'd love to get some of the big takeaways from both of you. Dave, we'll start with >>You. A breathing room from two weeks ago. Yeah, that was, that was really pleasant. You know, I mean, I know was, yes, you sat in the analyst program, interested in what your takeaways were from there. But, you know, coming into this, we wrote a piece, Palo Alto's Gold Standard, what they need to do to, to keep that, that status. And we hear it a lot about consolidation. That's their big theme now, which is timely, right? Cause people wanna save money, they wanna do more with less. But I'm really interested in hearing zeus's thoughts on how that's playing in the market. How customers, how easy is it to just say, oh, hey, I'm gonna consolidate. I wanna get into that a little bit with you, how well the strategy's working. We're gonna get into some of the m and a activity and really bring your perspectives to the table. Well, >>It's, it's not easy. I mean, people have been calling for the consolidation of security for decades, and it's, it's, they're the first company that's actually made it happen. Right? And, and I think this is what we're seeing here is the culmination of this long-term strategy, this company trying to build more of a platform. And they, you know, they, they came out as a firewall vendor. And I think it's safe to say they're more than firewall today. 
That's only about two thirds of their revenue now. So down from 80% a few years ago. And when I think of what Palo Alto has become, they're really a data company. Now, if you look at, you know, unit 42 in Cortex, the, the, the Cortex Data Lake, they've done an excellent job of taking telemetry from their products and from the acquisitions they have, right? And bringing that together into one big data lake. >>And then they're able to use that to, to do faster threat notification, forensics, things like that. And so I think the old model of security of create signatures for known threats, it's safe to say it never really worked and it wasn't ever gonna work. You had too many days, zero exploits and things. The only way to fight security today is with a AI and ML based analytics. And they have, they're the gold standard. I think the one thing about your post that I would add, they're the gold standard from a data standpoint. And that's given them this competitive advantage to go out and become a platform for security. Which, like I said, the people have tried to do that for years. And the first one that's actually done it, well, >>We've heard this from some of the startups, like Lacework will say, oh, we treat security as a data problem. Of course there's a startup, Palo Alto's got, you know, whatever, 10, 15 years of, of, of history. But one of the things I wanted to explore with you coming into this was the notion of can you be best of breed and develop a suite? And we, we've been hearing a consistent answer to that question, which is, and, and do you need to, and the answer is, well, best of breed in security requires that full spectrum, that full view. So here's my question to you. So, okay, let's take Estee win relatively new for these guys, right? Yeah. Okay. And >>And one of the few products are not top two, top three in, right? >>Exactly. Yeah. So that's why I want to take that. Yeah. Because in bakeoffs, they're gonna lose on a head-to-head best of breed. 
And so the customer's gonna say, Hey, you know, I love your, your consolidation play, your esty win's. Just, okay, how about a little discount on that? And you know, these guys are premium priced. Yes. So, you know, are they in essentially through their pricing strategies, sort of creating that stuff, fighting that, is that friction for them where they've got, you know, the customer says, all right, well forget it, we're gonna go stove pipe with the SD WAN will consolidate some of the stuff. Are you seeing that? >>Yeah, I, I, I still think the sales model is that way. And I think that's something they need to work on changing. If they get into a situation where they have to get down into a feature battle of my SD WAN versus your SD wan, my firewall versus your firewall, frankly they've already lost, you know, because their value prop is the suite and, and is the platform. And I was talking with the CISO here that told me, he realizes now that you don't need best of breed everywhere to have best in class threat protection. In fact, best of breed everywhere leads to suboptimal threat protection. Cuz you have all these data data sets that are in silos, right? And so from a data scientist standpoint, right, there's the good data leads to good insights. Well, partial data leads to fragmented insights and that's, that's what the best, best of breed approach gives you. And so I was talking with Palo about this, can they have this vision of being best of breed and platform? I don't really think you can maintain best of breed everywhere across this portfolio this big, but you don't need to. >>That was my second point of my question. That's the point I'm saying. Yeah. And so, cuz cuz because you know, we've talked about this, that that sweets always win in the long run, >>Sweets win. >>Yeah. But here's the thing, I, I wonder to your your point about, you know, the customer, you know, understanding that that that, that this resonates with them. 
I, my guess is a lot of customers, you know, at that mid-level and the fat middle are like still sort of wed, you know, hugging that, that tool. So there's, there's work to be done here, but I think they, they, they got it right Because if they devolve, to your point, if they devolve down to that speeds and feeds, eh, what's the point of that? Where's their >>Valuable? You do not wanna get into a knife fight. And I, and I, and I think for them the, a big challenge now is convincing customers that the suite, the suite approach does work. And they have to be able to do that in actual customer examples. And so, you know, I I interviewed a bunch of customers here and the ones that have bought into XDR and xor and even are looking at their sim have told me that the, the, so think of soc operations, the old way heavily manually oriented, right? You have multiple panes of glass and you know, and then you've got, so there's a lot of people work before you bring the tools in, right? If done correctly with AI and ml, the machines would do all the heavy lifting and then you'd bring people in at the end to clean up the little bits that were missed, right? >>And so you, you moved to, from something that was very people heavy to something that's machine heavy and machines can work a lot faster than people. And the, and so the ones that I've talked that have, that have done that have said, look, our engineers have moved on to a lot different things. They're doing penetration testing, they're, you know, helping us with, with strategy and they're not fighting that, that daily fight of looking through log files. And the only proof point you need, Dave, is look at every big breach that we've had over the last five years. There's some SIM vendor up there that says, we caught it. Yeah. >>Yeah. We we had the data. >>Yeah. But, but, but the security team missed it. Well they missed it because you're, nobody can look at that much data manually. 
And so the, I I think their approach of relying heavily on machines to fight the fight is actually the right way. >>Is that a differentiator for them versus, we were talking before we went live that you and I first hit our very first segment back in 2017 at Fort Net. Is that, where do the two stand in your >>Yeah, it's funny cuz if you talk to the two vendors, they don't really see each other in a lot of accounts because Fort Net's more small market mid-market. It's the same strategy to some degree where Fort Net relies heavily on in-house development in Palo Alto relies heavily on acquisition. Yeah. And so I think from a consistently feature set, you know, Fort Net has an advantage there because it, it's all run off their, their their silicon. Where, where Palo's able to innovate very quickly. The, it it requires a lot of work right? To, to bring the front end and back ends together. But they're serving different markets. So >>Do you see that as a differentiator? The integration strategy that Palo Alto has as a differentiator? We talk to so many companies who have an a strong m and a strategy and, and execution arm. But the challenge is always integrating the technology so that the customer to, you know, ultimately it's the customer. >>I actually think they're, they're underrated as a, an acquirer. In fact, Dave wrote a post to a prior on Silicon Angle prior to Accelerate and he, he on, you put it on Twitter and you asked people to rank 'em as an acquirer and they were in the middle of the pack, >>Right? It was, it was. So it was Oracle, VMware, emc, ibm, Cisco, ServiceNow, and Palo Alto. Yeah. Or Oracle got very high marks. It was like 8.5 out of, you know, 10. Yeah. VMware I think was 6.5. Naira was high emc, big range. IBM five to seven. Cisco was three to eight. Yeah. Yeah, right. ServiceNow was a seven. And then, yeah, Palo Alto was like a five. And I, which I think it was unfair. Well, >>And I think it depends on how you look at it. 
And I, so I think a lot of the acquisitions Palo Alto's made, they've done a good job of integrating the backend data and they've almost ignored the front end. And so when you buy some of the products, it's a little clunky today. You know, if you work with Prisma Cloud, it could be a little bit cleaner. And even with, you know, the SD wan that took 'em a long time to bring CloudGenix in and stuff. But I think the approach is right. I don't, I don't necessarily believe you should integrate the front end until you've integrated the back end. >>That's >>The hard part, right? Because UL ultimately what you're gonna get, you're gonna get two panes of glass and one pane of glass and it might look pretty and all mush together, but ultimately you're not solving the bigger problem, right. Of, of being able to create that big data lake to, to fight security. And so I think, you know, the approach they've taken is the right one. I think from a user standpoint, maybe it doesn't show up as neatly because you don't see the frontend integration, but the way they're doing it is the right way to do it. And I'm glad they're doing it that way versus caving to the pressures of what, you know, the industry might want or >>Showed up in the performance of the company. I mean, this company was basically gonna double revenues to 7 billion from 2020 to >>2023. Think about that at that. That makes, >>I mean that's unbelievable, right? I mean, and then and they wanna double again. Yeah. You know, so, well >>What did, what did Nikesh was quoted as saying they wanna be the first cyber company that's a hundred billion dollars. He didn't give a timeline market >>Cap. Right. >>Market cap, right. Do what I wanna get both of your opinions on what you saw and heard and felt this week. What do you think the likelihood is? And and do you have any projections on how, you know, how many years it's gonna take for them to get there? >>Well, >>Well I think so if they're gonna get that big, right? 
And we were talking about this pre-show, any company that's becoming a big company does it through ecosystem >> Bingo >> Go, right? And that when you look around the show floor, it's not that impressive. No. And if there's an area they need to focus on, it's building that ecosystem. And it's not with other security vendors, it's with application vendors and it's with the cloud companies and stuff. And they've got some relationships there, but they need to do more. I actually challenge 'em on that. One of the analyst sessions. They said, look, we've got 800 Cortex partners. Well where are they? Right? Why isn't there a Cortex stand here with a bunch of the small companies here? So I do think that that is an area they need to focus on. If they are gonna get to that market caps number, they will do so through ecosystem. Because every company that's achieved that has done it through ecosystem. >> A hundred percent agree. And you know, if you look at CrowdStrike's ecosystem, it's, I mean, pretty similar. Yeah. You know, it doesn't really, you know, make much, much, not much different from this, but I went back and just looked at some, you know, peak valuations during the pandemic and shortly thereafter CrowdStrike was 70 billion. You know, that's what their roughly their peak. Palo Alto was 56, Fortinet was 59 for the actually diverged. Right. And now Palo Alto has taken the top mantle, you know, today its market cap's 52. So it's held 93% of its peak value. Everybody else is tanking. Even Okta was 45 billion. It's been crushed as you well know. But, so Palo Alto wasn't always, you know, the number one in terms of market cap. But I guess my point is, look, if CrowdStrike could get to 70 billion during Yeah. During the frenzy, I think it's gonna take, to answer your question, I think it's gonna be five years. Okay. Before they get back there. I think this market's gonna be tough for a while from a valuation standpoint.
I think generally tech is gonna kind of go up and down and sideways for a good year and a half, maybe even two years, could be even longer. And then I think there's gonna be some next wave of productivity innovation that hits. And then you're gonna, you're almost always gonna exceed the previous highs. It's gonna take a while. Yeah. >> Yeah, yeah. But I think their ability to disrupt the SIEM market actually is something that I believe they're gonna do. I've been calling for the death of the SIEM for a long time and I know some people of Palo Alto are very cautious about saying that 'cause the Splunks and the, you know, they're their partners. But I think the, you know, it's what I said before, the tools are catching them, but they're, it's not in a way that's useful for the IT pro and, but I don't think the SIEM vendors have that ecosystem of insight across network, cloud, endpoint. Right. Which is what you need in order to make a SIEM useful. >> CISO at an ETR round table said, if it weren't for my regulators, I would chuck my SIEM. >> Yes. >> But that's the only reason that this person was keeping it. No. >> Yeah. And I think the fact that most of those companies have moved to a perpetual MO or a recurring revenue model actually helps unseat them. Typically when you pour a bunch of money into something, you remember the old computer associate says nobody ever took it out 'cause the sunk dollars you spent to do it. But now that you're paying an annual recurring fee, it actually makes it easier to take out. So >> Yeah, it's just an ebb and flow, right? Yeah. Because the maintenance costs were, you know, relatively low. Maybe it was 20% of the total. And then, you know, once every five years you had to do a refresh and you were still locked into the sort of maintenance and, and so yeah, I think you're right. The switching costs with SaaS, you know, in theory anyway, should be less >> Yeah. As long as you can migrate the data over.
And I think they've got a pretty good handle on that. So, >> Yeah. So guys, I wanna get your perspective as a whole bunch of announcements here. We've only been here for a couple days, not a big conference as you can see from behind us. What, Zeus, in your opinion was Palo Alto's main message and what do you think about it, main message at this event? And then same question for you. >> Yeah, I think their message largely wrapped around disruption, right? And they, and The's keynote already talked about that, right? And where they disrupted the firewall market by creating a NextGen firewall. In fact, if you look at all the new services they added to their firewall, you could almost say it's a NextGen NextGen firewall. But I do think the work they've done in the area of cloud and Cortex actually I think is pretty impressive. And I think that's the, the SOC is ripe for disruption because for the most part, most SOCs still, you know, run off legacy playbooks. They run off legacy, you know, forensic models and things and they don't work. It's why we have so many breaches today. The dirty little secret that nobody ever wants to talk about is the bad guys are using machine learning, right? And so if you're using a signature-based model, all they gotta do is tweak their model a little bit and it becomes, it bypasses them. So I think the only way to fight the bad guys today is with you're gonna fight fire with fire. And I think that's the path they've headed >> Down. Yeah. The bad guys are hiding in plain sight, you know? Yeah, >> Yeah. Well it's not hard to do now with a lot of those legacy tools.
So >> I think, I think for me, you know, the stat that we threw out earlier, I think yesterday at our keynote analysis was, you know, the ETR data shows that are, that are that last survey around 35% of the respondents said we are actively consolidating, sorry, 44%, sorry, 35 says who are actively consolidating vendors, redundant vendors, today that number's up to 44%. Yeah. It's by far the number one cost optimization technique. That's what these guys are pitching. And I think it's gonna resonate with people and I think to your point, they're integrating at the backend, their peeps are technical, right? I mean, they can deal with that complexity. Yeah. And so they don't need eye candy. Eventually they want to have that 'cause it'll allow 'em to have deeper market penetration and make people more productive. But you know, that consolidation message came through loud and clear. >> Yeah. The big change in this industry too is all the new startups are all cloud native, right? They're all built on Amazon or Google or whatever. Yeah. And when you're cloud native and you buy a cloud native, integration is fast. It's not like having to integrate this big monolithic software stack anymore. Right. So I think their pace of integration will only accelerate from here because everything's now cloud native. >> If a customer comes to you or when a customer comes to you and says, Zeus, help us with this cyber transformation we have, our board isn't necessarily aligned with our executives in terms of execution of a security strategy. How do you advise them where Palo Alto is concerned? >> Yeah. You know, a lot of this is just fighting legacy mindset. And I was talking with some CISOs here from state and local governments and things and they're, you know, they can't get more budget. They're fighting the tide. But what they did find is through the use of automation technology, they're able to bring their people costs way down. Right.
And then be able to use that budget to invest in a lot of new projects. And so with that, you have to start with your biggest pain points, apply automation where you can, and then be able to use that budget to reinvest back in your security strategy. And it's good for the IT pros too, the security pros, my advice to the IT pros is, if you're doing things today that aren't resume building, stop doing them. Right. Find a way to automate the money your job. And so if you're patching systems and you're looking through log files, there's no reason machines can't do that. And you go do something a lot more interesting. >> So true. It's like storage guys 10 years ago, provisioning LUNs. Yes. It's like, stop doing that. Yeah. You're gonna be outta a job. So who, last question I have is, who do you see as the big competitors, the horses on the track question, right? So obviously Cisco kind of service has led for a while and you know, big portfolio company, CrowdStrike coming at it from endpoint. You know, who do you see as the real players going for that? You know, right now the market's three to 4%. The leader has three, three 4% of the market. You know who they're all going for? 10, 15, maybe 20% of the market. Who are the likely candidates? Yeah, >> I don't know if CrowdStrike really has the breadth of portfolio to compete long term though. I think they've had a nice run, but I, we might start to see the follow 'em. I think Microsoft is gonna be for middle. They've laid down the gauntlet, right? They are a security vendor, right? We were at re:Invent and AWS is the platform for security vendors. Yes. Middle, somewhere in the middle. But Microsoft make no mistake, they're in security. They've got some good products. I think a lot of 'em are kind of good enough and they tie it to the licensing and I'm not sure that works in security, but they've certainly got the ear of a lot of IT pros. >> It might work in SMB. >> Yeah, yeah.
It might. And I do like Zscaler. I know these guys poo poo the proxy model, but they've done about as much with proxies as you can. And I think it's a battle of, I love the Nir, you know, proxies are dead and Jay's model, you know, Jay over at Zscaler, throw 'em back at 'em. So it's good to see that kind of fight going on between the >> Two. Oh, it's great. Well, and again, Zscaler's coming at it from their cloud security angle. CrowdStrike's coming at it from endpoint. I do think CrowdStrike has an opportunity to build out the portfolio through M&A and maybe ecosystem. And then obviously, you know, Palo Alto's getting it done. How about Cisco? >> Yeah, Cisco's interesting. And I think if Cisco can make the network matter in security and it should, right? We're talking about how a lot of you need a lot of forensics to fight security today. Well, they're gonna see things long before anybody else because they have all that network data. If they can tie network security, I mean they could really have that business take off. But we've been saying that about Cisco for 20 years. >> But big install base though. Yeah. It's hard for a company, any company to say, okay, hey Cisco customer, sweep the floor and come with us. That's >> A tough thing. They have a lot of good piece parts, right? And like Duo's a good product and Umbrella's a good product. They've not done a good job. >> They're the opposite of these guys. >> They've not done a good job of the backend integration and that's where Cisco needs to focus. And I do think Jeetu Patel there fixed the WebEx group and I think he's now, in fact when you talk to him, he's doing very little on WebEx, that group's running itself and he's more focused in security. So I think we could see a resurgence there.
But you know, they have a, from a revenue perspective, it's a little misleading 'cause they have this big legacy base that's in decline while they're moving to cloud and stuff. So, but they, there's a lot of Rick there trying to tie to network. >> Lots of fuel for conversation. We're gonna have to carry this on, on siliconangle.com guys. Yes. And Wikibon. Let's do. Zeus, thank you so much for joining Dave and me, giving us your insights as to this event. Where are you gonna be next? Are you gonna be on >> Vacation? There's nothing more fun than being on theCUBE. So what's outside of that though? Yeah, you know, Christmas coming up, I gotta go see family and be the obligatory, although for me that's a lot of travel, so I guess >> More planes. Yeah. >> Hopefully not in Vegas. >> Not in Vegas. >> Awesome. Nothing against Vegas. Yeah, no, >> We love it. We love >> It. Although I will say my year started off with CES. Yeah. And it's finishing up with Palo Alto here. The bookends. Yeah, exactly. In Vegas bookends. >> Well thanks so much for joining us. Thank you Dave. Always a pleasure to host a show with you and hear your insights. Reading your breaking analysis always kicks off my prep for show. And it's always great to see, but predictions come true. So thank you for being my co-host bet. All right. For Dave Vellante and Zeus Kerravala, I'm Lisa Martin. You've been watching theCUBE, the leader in live, emerging and enterprise tech coverage. Thanks for watching.
Zeynep Ozdemir, Palo Alto Networks | Palo Alto Networks Ignite22
>> Announcer: TheCUBE presents Ignite22, brought to you by Palo Alto Networks. >> Hey, welcome back to Vegas. Great to have you. We're pleased that you're watching theCUBE. Lisa Martin and Dave Vellante. Day two of theCUBE's coverage of Palo Alto Ignite22 from the MGM Grand. Dave, we're going to be talking about data. >> You know I love data. >> I do know you love data. >> Survey data- >> There is a great new survey that Palo Alto Networks just published yesterday, "What's next in cyber?" We're going to be digging through it with their CMO. Who better to talk about data with than a CMO that has a PhD in machine learning? We're very pleased to welcome to the program, Zeynep Ozdemir, CMO of Palo Alto Networks. Great to have you. Thank you for joining us. >> It's a pleasure to be here. >> First, I got to ask you about your PhD. Your background as a CMO is so interesting and unique. Give me a little bit of a history on that. >> Oh, absolutely, yes. Yes, I admit that I'm a little bit of an untraditional marketing leader. I spent probably the first half of my career as a software engineer and a research scientist in the area of machine learning and speech signal processing, which is very uncommon, I admit that. Honestly, it has actually helped me immensely in my current role. I mean, you know, you've spoken to Lee Klarich, I think a little while ago. We have a very tight and close partnership with product and engineering teams at Palo Alto Networks. And, you know, cybersecurity is a very complex topic. And we're at a critical juncture right now where all of these new technologies, AI, machine learning, cloud computing, are going to really transform the industry. And I think that I'm very lucky, as somebody who's very technically competent in all of those areas, to partner with the best people and the leading company right now. So, I'm very happy that my technical background is actually helping in this journey. 
>> Dave: Oh, wait, aren't you like a molecular biologist, or something? >> A reformed molecular...yes. >> Yes. >> Okay. Whoa, okay. (group laughs) >> But >> Math guy over here. >> Yeah. You guys just, the story that I tease is... the amount of data in there is unbelievable. This has just started in August, so a few months ago. >> Zeynep: Yeah. >> Fresh data. You surveyed 1300 CXOs globally. >> Zeynep: That's right. >> Across industries and organizations are saying, you know, hybrid work and remote work became status quo like that. >> Yes. >> Couple years ago everyone shifted to multicloud and of course the cyber criminals are sophisticated, and they're motivated, and they're well funded. >> Zeynep: That's right. >> What are some of the things that you think that the survey really demonstrated that validate the direction that Palo Alto Networks is going in? >> That's right. That's right. So we do these surveys because first and foremost, we have to make sure we're aligned with our customers in terms of our product strategy and the direction. And we have to confirm and validate our very strong opinions about the future of the cybersecurity industry. So, but this time when we did this survey, we just saw some great insights, and we decided we want to share it with the broader industry because we obviously want to drive thought leadership and make sure everybody is in the same level field. Some interesting and significant results with this one. So, as you said, this was 1300 C level cybersecurity decision makers and executives across the world. So we had participants from Europe, from Japan, from Asia Pacific, Latin America, in addition to North America. So one of the most significant stats or data points that we've seen was the fact that out of everybody interviewed, 96% of participants had experienced one or more cybersecurity breaches in the past 12 months. That was more than what we expected, to be honest with you. 
And then 57% of them actually experienced three or more. So those stats are really worth sharing in terms of where the state of cybersecurity is. What also was personally interesting to me was 33% of them actually experienced an operational disruption as a result of a breach, which is a big number. It's one third of participants. So all of these were very interesting. We asked them more detailed questions around you know, how many...like obviously all of them are trying to respond to this situation. They're trying different technologies, different tools and it seems like they're in a point where they're almost have too many tools and technologies because, you know, when you have too many tools and technologies, there's the operational overhead of integrating them. It creates blind spots between them because those tools aren't really communicating with each other. So what we heard from the responders was that on average they were on like 32 tools, 22% was on 50 or more tools, which is crazy. But what the question we asked them was, you know, are you, are you looking to consolidate? Are you looking to go more tools or less tools? Like what are your thoughts on that? And a significant majority of them, like about 77% said they are actively trying to reduce the number of technologies that they're trying to use because they want to actually achieve better security outcomes. >> I wonder if you could comment on this. So early on in the pandemic, we have a partner, survey partner ETR, Enterprise Technology Research. And we saw a real shift of course, 'cause of hybrid work toward endpoint security, cloud security, they were rearchitecting their networks, a new focus on, you know, different thinking about network security and identity. >> Yeah. >> You play in all of those in partner for identity. >> Zeynep: Yeah. >> I almost, my question is, is was there kind of a knee jerk reaction to get point tools to plug some of those holes? >> Zeynep: Yes. 
>> And now they're...'cause we said at the time, this is a permanent shift in thinking. What we didn't think through it's coming to focus here at this conference is, okay, we did that, but now we created another problem. >> Zeynep: Yeah. Yeah. >> Now we're- >> Yes, yes. You're very right. I think, and it's very natural to do this, right? >> Sure. >> Every time a problem pops up, you want to fix it as quickly as possible. And you look... you survey who can help you with that. And then you kind of get going because cybersecurity is one of those areas where you can't really wait and do, you know, take time to fix those problems. So that happened a lot and it is happening. But what happened as a result of that. For example, I'll give you a data point from the actual survey that answers this very question. When we asked these executives what keeps them like up at night, like what's their biggest concern? A significant majority of them said, oh we're having difficulty with data management. And what that means is that all these tools that they've deployed, they're generating a lot of insights and data, but they're disconnected, right? So there is no one place where you can say, look at it holistically and come to conclusions very fast about how threat actors are moving in an organization. So that's a direct result of this proliferation of tools, if you will. And you're right. And it will...it's a natural thing to deploy products very quickly. But then you have to take a step back and say, how do I make this more effective? How do I bring things together, bring all my data together to be able to get to threats detect threats much faster? >> An unintended consequence of that quick fix. >> And become cyber resilient. We've been hearing a lot about cyber resiliency. >> Yes, yes. >> Recently and something that I was noting in the survey is only 25% of execs said, yeah, our cyber resilience and readiness is high. 
And you found that there was a lack of alignment between the boards and the executive levels. And we actually spoke with I think BJ yesterday on how are you guys and even some of your partners >> Yeah. >> How are you helping facilitate that alignment? We know security's always a board level- >> Zeynep: Yes. >> Conversation, but the lack of alignment was kind of surprising to me. >> Yeah. Well I think the good news is that I think we... cybersecurity is taking its place in board discussions more and more. Whether there's alignment or not, at least it's a topic, right? >> Yeah. That was also out of the survey that we saw. I think yes, we have a lot of, a big role to play in helping security executives communicate better with boards and c-level executives in their organizations. Because as we said, it's a very complex topic, and it has to be taken from two angles. When there's...it's a board level discussion. One, how are you reducing risk and making sure that you're resilient. Two, how do you think about return on investment and you know, what's the right level of investment and is that investment going to get us the return that we need? >> What do you think of this? So there's another interesting stat here. What keeps executives up at night? >> Mmhm. >> You mentioned difficulty of data management. Normally, the CISO response to what's your number one problem is lack of talent. >> Zeynep: Number three there, yes. Yeah. >> And it is maybe somewhat related to difficulty of data management, but maybe people have realized, you know what? I'm never going to solve this problem by throwing bodies at it. >> Yeah. >> I got to think of a better way to consolidate my data. Maybe partner with a company that can help me do that. And then the second one was scared of being left behind changes in the tech stack. So we're moving so fast to digitize. >> Zeynep: Yes. >> And security's still an afterthought. 
And so it's almost as though they're kind of rethinking the problems 'cause they know that they can't just solve the issue by throwing, you know, more hires at it 'cause they can't find the people. >> That is...you're absolutely spot on. The thing about cybersecurity skills gap, it's a reality. It's very real. It's a hard place to be. It's hard to ramp up sometimes. Also, there's a lot of turnover. But you're right in the sense that a lot of the manual work that is needed for cybersecurity, it's actually more sort of much easier to tackle with machines- >> Yeah. >> Than humans. It's a funny double click on the stat you just gave. In North America, the responders when we asked them like how they're coping with the skills shortage, they said we're automating more. So we're using more AI, we're using more process automation to make sure we do the heavy lifting with machines and then only present to the people what they're very good at, is making judgements, right? Very sort of like last minute judgment calls. In the other parts of the world, the top answer to that question is how you're tackling cybersecurity skill shortage was, we're actually trying to provide higher wages and better benefits to the existing p... so there's a little bit of a gap between the two. But I think, I think the world is moving towards the former, which is let's do as much as we can with AI and machines and automation in general and then let's make sure we're more in an automation assisted world versus a human first world. >> We also saw on the survey that ransomware was, you know, the big concern in the United States. Not as much, not that it's not a concern >> Lisa: Yeah. >> In other parts of the world. >> Zeynep: Yeah. >> But it wasn't number one. Why do you think that is? Is it 'cause maybe the US has more to lose? Is it, you know, more high profile or- >> Yeah. Look, I mean, yes you're right? So most responders said number one is ransomware. That's my biggest concern going into 2023. 
And it was for JAPAC and I think EMEA, Europe, it was supply chain attacks. >> Dave: Right. >> So I think US has been hit hard by ransomware in the past year. I think it's like fresh memory and that's why it rose to the top in various verticals. So I'm not surprised with that outcome. I think supply chain is more of a... we've, you know, we've been hit hard globally by that, and it's very new. >> Lisa: Yeah. >> So I think a lot of the European and JAPAC responders are responding to it from a perspective of, this is a problem I still don't know how to solve. You know, like, and it's like I need the right infrastructure to...and I need the right visibility into my software supply chain. It's very top of mind. So those were some of the differences, but you're right. That was a very interesting regional distinction as well. >> How do you take this data and then bring it back to your customers to kind of close the loop? Do you do that? Do you say, okay, hey, we're going to share this data with you, get realtime feedback- >> Zeynep: Yes. >> Dave: We often like to do that with data- >> Zeynep: Absolutely. >> Say okay...'cause you know, when you do a survey like this, you're like, oh, I wish we asked A, B and C. But it gives you, informs you as to where to double click. Is there a system to do that? Or process to do that? >> Yes. Our hope and goal is to do this every year and see how things are changing and then do some historical analysis as to how things are changing as well. But as I said in the very beginning, I think we take this and we say, okay, there's a lot of alignment in these areas, especially for us for our products to see if where our products are deployed to see if some of those numbers vary, you know, per product. Because we address as a company, we address a lot of these concerns. 
So then it's very encouraging to say, okay, with certain customers, we're going to go, we're going to have develop certain metrics and we're going to measure how much of a difference we're making with these stats. >> Well, I mean, if you can show that you're consolidating- >> Yeah. >> You know, the number of tools and show the business impact- >> Right. >> Exactly. >> Home run. >> Exactly. Yes- >> Speaking of business outcomes, you know, we have so many conversations around everything needs to be outcome-based. Can security become an enabler of business outcomes for organizations? >> Absolutely. Security has to be an enabler. So it's, you know, back to the security lagging behind the evolution of the digital transformation, I don't think it's possible to move fast without having security move fast with digital transformation. I don't think anybody would raise their hands and say, I'm just going to have the most creative, most interesting digital transformation journey. But, you know, security is say, so I think we're past that point where I think generally people do agree that security has to run as fast as digital transformation and really enable those business outcomes that everybody's proud of. So Yes. Yes it is. >> So...sorry. So chicken and egg, digital transformation, cyber transformation. >> Zeynep: Yes. >> Lisa: How are they related? Is one digital leading? >> They are two halves of the perfect solution. They have to coexist because otherwise if you're taking a lot of risk with your digital transformation, is it really worth going through a digital transformation? >> Yeah. >> Yeah. >> So there's a board over here. I'm looking at it and it started out blank. >> Yes. >> And it's what's next in cyber and basically- >> That's this. Yes. >> People can come through and they can write down, and there's some great stuff in there: 5G, cloud native, some technical stuff, automated meantime to repair or to remediation. >> Yeah. >> Somebody wrote AWS. 
The AWS guys left their mark, which is kind of cool. >> Zeynep: That's great. >> And so I'm wondering, so we always talk about... we just talked about earlier that cyber is a board...has become a board level you know, issue. I think even go back mid last decade, it was really starting to gain strength. What I'm looking for, and I dunno if there's anything in here that suggests this is going beyond the board. So it becomes this top down thing, not just the the SOC, not just the, you know, IT, not just the board. Now it's top down maybe it's bottom up, middle out. The awareness across the organization. >> Zeynep: Absolutely. >> And that's something that I think is that is a next big thing in cyber. I believe it's coming. >> Cybersecurity awareness is a topic. And you know, there are companies who do that, who actually educate just all of us who work for corporations on the best way to tackle, especially when the human is the source and the reason knowingly or unknowing, mostly unknowingly of cyber attacks. Their education and awareness is critical in preventing a lot of this...before our, you know tools even get in. So I agree with you that there is a cybersecurity awareness as a topic is going to be very, very popular in the future. >> Lena Smart is the CISO of MongoDB does... I forget what she calls it, but she basically takes the top security people in the company like the super geeks and puts 'em with those that know nothing about security, and they start having conversations. >> Zeynep: Yeah. >> And then so they can sort of be empathic to each other's point of view. >> Zeynep: Absolutely. >> And that's how she gets the organization to become cyber aware. >> Yes. >> It's brilliant. >> It is. >> So simple. >> Exactly. Well that's the beauty in it is the simplicity. >> Yeah. And there are programs just to put a plug. There are programs where you can simulate, for example, phishing attacks with your, you know employee base and your workforce. 
And then teach them at that moment when they fall for it, you know, what they should have done. >> I think I can make a family game night. >> Yeah. Yeah. (group laughs) >> I'm serious. That's a good little exercise For everybody. >> Yes. Yeah, exactly. >> It really is. Especially as the sophistication and smishing gets more and more common these days. Where can folks go to get their hands on this juicy survey that we just unpacked? >> We have it online, so if you go to the Palo Alto Networks website, there's a big link to the survey from there. So for sure there's a summary version that you can come in and you can have access to all the stats. >> Excellent. Zeynep, it's been such a pleasure having you on the program dissecting what's keeping CXOs up at night, what Palo Alto Networks is doing to really help organizations digitally transform cyber transformation and achieve that nirvana of cyber resilience. We appreciate so much your insights. >> Thanks very much. It's been the pleasure. >> Dave: Good to have you. >> Thank you >> Zeynep Ozdemir and Dave Vellante. I'm Lisa Martin. You're watching theCUBE, the leader in live and emerging tech coverage. (upbeat music)
Unpacking Palo Alto Networks Ignite22 | Palo Alto Networks Ignite22
>> Announcer: TheCUBE presents Ignite '22, brought to you by Palo Alto Networks. >> Welcome back to Las Vegas. It's theCUBE covering Palo Alto Networks '22, from the MGM Grand, Lisa Martin with Dave Vellante. Dave, we are going to unpack in the next few minutes what we heard and saw at day one of Palo Alto Networks, Ignite. A lot of great conversations, some great guests on the program today. >> Yeah last event, CUBE event of the year. Probably last major tech event of the year. It's kind of an interesting choice of timing, two weeks after re:Invent. But you know, this crowd is it's a lot of like network engineers, SecOps pros. There's not a lot of suits here. I think they were here yesterday, all the partners. >> Yeah. >> We talked to Carl Sunderland about, Hey, these, these guys want to know how do I grow my business? You know, so it was a lot of C level executives talking about their business, and how they partner with Palo Alto to grow. The crowd today is really, you know hardcore security professionals. >> Yeah. >> So we're hearing a story of consolidation. >> Yes. >> No surprise. We've talked about that and reported on it, you know, quite extensively. The one big takeaway, and I want, I came in, as you know, wanting to understand, okay, can you through M&A maintain, you know, build a suite of great, big portfolio and at the same time maintain best of breed? And the answer was consistent. We heard it from Nikesh, we heard it from Nir Zuk. The answer was you can't be best of breed without having that large portfolio, single data lake, you know? Single version of the truth, if there is such a thing. That was interesting, that in security, you have to have that visibility. I would imagine, that's true for a lot of things. Data, see what Snowflake and Databricks are both trying to do, now AWS. So to join, we heard that last week, so that was one of the big takeaways. What were your, some of your thoughts?
>> Just impressed with the level of threat intelligence that Unit 42 has done. I mean, we had Wendy Whitmore on, and she was one of the alumni, great guest. The landscape has changed so dramatically. Every business, in any industry, nobody's safe. They have such great intelligence on what's going on with malware, with ransomware, with smishing, that they're able to get, help organizations on their way to becoming cyber resilient. You know, we've been talking a lot about cyber resiliency lately. I always want to understand, well what does it mean? How do different organizations and customers define it? Can they actually really get there? And Wendy talked about yes, it is a journey, but organizations can achieve cyber resiliency. But they need to partner with Palo Alto Networks to be able to understand the landscape and ensure that they've got security established across their organization, as it's now growingly Multicloud. >> Yeah, she's a blonde-haired Wonder Woman, superhero. I always ask security pros that question. But you know, when you talk to people like Wendy Whitmore, Kevin Mandia is somebody else. And the people at AWS, or the big cloud companies, who are on the inside, looking at the threat intelligence. They have so much data, and they have so much knowledge. They can, they analyze, they could identify the fingerprints of nation states, different, you know, criminal organizations. And the the one thing, I think it was Wendy who said, maybe it was somebody else, I think it was Wendy, that they're they're tearing down and reforming, right? >> Yes. >> After they're discovered. Okay, they pack up and leave. They're like, you know, Oceans 11. >> Yep. >> Okay. And then they recruit them and bring them back in. So that was really fascinating. Nir Zuk, we'd never had him on theCUBE before. He was tremendous founder and and CTO of Palo Alto Networks, very opinionated. You know, very clear thinker, basically saying, look your SOC is going to be run by AI >> Yeah.
>> within the next five years. And machines are going to do things that humans can't do at scale, is really what he was saying. And then they're going to get better at that, and they're going to do other things that you have done well that they haven't done well, and then they're going to do well. And so, this is an interesting discussion about you know, I remember, you know we had an event with MIT. Eric Brynjolfsson and Andy McAfee, they wrote the book "Second Machine Age." And they made the point, machines have always replaced humans. This is the first time ever that machines are replacing humans in cognitive functions. So what does that mean? That means that humans have to rely on, you know, creativity. There's got to be new training, new thinking. So it's not like you're going to be out of a job, you're just going to be doing a different job. >> Right. I thought Nir Zuk did a great job of explaining that. We often hear people that are concerned with machines taking jobs. He did a great job of, and you did a great recap, of articulating the value that both bring, and the opportunities to the humans that the machines actually deliver as well. >> Yeah so, you know, we didn't, we didn't get deep into the products today. Tomorrow we're going to have a little bit more deep dive on products. We did, we had some partners on, AWS came on, talked about their ecosystem. BJ Jenkins so, you know, BJ Jenkins again I mean super senior executive. And if I were Nikesh, he's doing exactly what I would do. Putting him on a plane and saying, go meet with customers, go make rain, right? And that's what he's doing is, he's an individual who really knows how to interact with the C-suite, has driven value, you know, over the years. So they've got that angle goin', they're driving go to market. They've got the technology piece and they've, they got to build out the ecosystem. That I think is the big opportunity for them. 
You know, if they're going to double as a company, this ecosystem has to quadruple. >> Yeah, yeah. >> In my opinion. And I, we saw the same thing at CrowdStrike. We said the same thing about ServiceNow in 2013. And so, what's happened is the GSIs, the global system integrators start to get involved. They start to partner with them and then they get to get that flywheel effect. And then there's a supercloud, I think that, you know I think Nir Zuk said, Hey, we are basically building out that, he didn't use the term supercloud. But, we're building out that cross cloud capability. You don't need another stove pipe for the edge. You know, so they got on-prem, they got AWS, Azure, you said you have to, absolutely have to run on Microsoft. 'Cause I don't believe today, right? Today they run on, I heard somebody say they run on AWS and Google. >> Yeah. >> I haven't heard much about Microsoft. >> Right. >> Both AWS and Google are here. Microsoft, the bigger competitor in security, but Nir Zuk was unequivocal. Yes, of course you have to run, you got to run it on an Alibaba cloud. He didn't say that, but if you want to secure the China cloud, you got to run on Alibaba. >> Absolutely. >> And Oracle he said. Didn't mention IBM, but no reason they can't run on IBM's cloud. But unless IBM doesn't want 'em to. >> Well they're very customer focused and customer first. So it'll be interesting to see if customers take them in that direction. >> Well it's a good point, right? If customers say, Hey we want you running in this cloud, they will. And, but he did call out Oracle, which I thought was interesting. And so, Oracle's all about mission critical data, mission critical apps. So, you know, that's a good sign. You know, I mean there's so much opportunity in cyber, but so much confusion. You know, Snyk had a raise today. It was a down round, no surprise there. But you know, these companies are going to start getting tight on cash, and you've seen layoffs, right?
And so, I dunno who said it, I think it was Carl at the end said in a downturn, the strongest companies come out stronger. And that's generally, generally been the case. That kind of rich get richer. We see that in the last downturn? Yes and no, to a certain extent. It's still all about execution. I mean I think about EMC coming out of the last downturn. They did come out stronger and then they started to rocket, but then look what happened. They couldn't remain independent. They were just using M&A as a technique to hide the warts. You know so, what Nir Zuk said that was most interesting to me is when we acquire, we acquire with the intent of integrating. ServiceNow has a similar philosophy. I think that's why they've been somewhat successful. And Oracle, for sure, has had a similar philosophy. So, and that idea of shifting labor into vendor R&D has always been a winning formula. >> I think we heard that today. Excited for day two tomorrow. We've got some great conversations. We're going to be able to talk with some customers, the chief product officer is on. So we have more great content coming from our last live show over the year. Dave, it's been great co-hosting day one with you. Look forward to doing it tomorrow. >> Yeah, thanks for doing this. >> All right. >> All right. For Dave Vellante, I'm Lisa Martin. You've been watching theCUBE, the leader in live enterprise and emerging tech coverage. See you tomorrow. (gentle music fades)
Stephanie Hagopian, CDW | Palo Alto Networks Ignite22
(upbeat music playing) >> Narrator: theCUBE presents Ignite 22, brought to you by Palo Alto Networks. >> Hey guys, girls, welcome back. It's theCUBE Live in Las Vegas at the MGM Grand for Palo Alto Networks Ignite 22. Lisa Martin here with Dave Vellante. Dave, We've had some great conversations. This is day one of two days of cube coverage. We're talking with Palo Alto executives, their partner network, their customers, going to be learning a lot about what they've been doing to really be that golden nugget. >> Yeah. We've talked, Lisa, about how Palo Alto Networks is effecting a TAM expansion strategy through acquisitions and integration and company CDW, that I remember, you know, been around a long time. I remember back in the Comdex days talk about transformation of a company. Really excited to have them on. >> We're going to talk about that. Stephanie Hagopian is here, the VP of Security at CDW. >> Stephanie, >> Hey it's great to have you on the program. >> It's so nice to be here. Thank you. >> So lots going on. CDW has made several acquisitions in the past couple of quarters alone as it relates to security. Talk to us about what's going on. >> Yes. So we are way more than the computer warehouse that you used to know. The computer catalog days, we've moved beyond that. We've made a lot of strategic acquisitions in the past several quarters. The reason for that is we're trying to change our image and our brand and how, more importantly, we engage with our customers in security. We used to traditionally be, you know, kind of at the end of the procurement cycle with our customers, and we want to be an advisor. We want to really sell solutions and help influence the outcomes that our clients are trying to achieve when it comes to, not just security, but also risk, governance, threat and vulnerability management, how are they dealing with major issues around zero trust and building a zero trust framework for a company.
>> Lisa: And I imagine these acquisitions, that really from a catalyst perspective was really driven >> Yeah. by the customers and what they were >> absolutely wanting to see and feel and hear and be able to do. >> Absolutely. So the acquisitions have given us over 400 delivery resources, consultants, advisors people who can actually engage with our clients who have real life experience, have worked with global organizations, some of the biggest companies in the world in order to solve their problems. And using that experience to be able to to really create higher value, you know as we interact and engage. >> Dave: You were telling us, Stephanie, that you actually came into CDW through an acquisition. >> I did. >> And I think if you go back 10 years ago when the cloud was just sort of hitting its steep steep ramp, and it looked, it was pretty obvious. And at the same time you had what we affectionately called you know, box sellers. And it was very clear that if they didn't transform their businesses and you know, the, they a lot of 'em were small, regional companies. They had the owners had big houses and big boats but the companies were going to go away if they didn't transform. So it's interesting to me that you've chosen security and governance in some of the really most difficult areas to as part of that transformation. Where did that come from, from your perspective and you know, why security and why such challenging areas? >> Well, I've been part of security in the security industry for over 20 years, and I've loved the fact it is challenging. It's what, it's what makes us so important and critical to our clients. Security's not an easy problem to solve. And it, it's because the landscape keeps changing. The advent of cloud and now hybrid infrastructure creates endless challenges for our customers. Threat actors change. We have insider threats, we have external threats. 
There's all sorts of risk when you talk about third parties and how third parties interact with organizations. We have supply chain management. And now that we've moved into this hybrid work environment of virtual, not virtual. You know, we have people kind of engaging within organizations in different ways. There's just a lot of risk associated with that. It's not easy and you have to engage with stakeholders across the entire organization. You have to understand how legal thinks of this and compliance and HR. It's not just an IT issue, it's a business issue. And we understand that and it's just, it's so interesting for us to engage with our customers on critical initiatives and security is at the top of the list. It's not just a, a CISO or even a CIO problem anymore. Boards care about this, >> Lisa: Right? >> We make or break companies with cybersecurity and risk strategies. That's why it's so critical. So we consider ourselves to be a high priority for every single organization, big or small. >> Lisa: From a security perspective, what's the common denominator among industries that you're seeing? >> Oh, I mean, we see, in terms of common denominator, I think every single organization's contending with ransomware. >> Ah >> That's probably number one. Breaches. You know, how do you prevent bad actors from doing something, you know, that's threatening to information sensitive data, especially consumer data. Third party risk is a big topic, and how to secure hybrid cloud infrastructures which is a key part of, you know, Palo's strategy as well. And we realize that. >> Why do they buy from CDW? Pitch me. I'm a customer, what can you do for me? >> Yeah. Because we want to partner. So we, we provide true advisory and consulting services to our customers. We aren't there just to make a sale and walk away. We want long-term commitments and long-term partnerships with our customer base. We're there to, to give them outcomes, right? 
And to align to their priorities and their challenges. It's, it's not a one and done for us. This is about a long-term partnership and that's what makes us so different. And we're now through the acquisition strategies. We're the largest security integrator in North America in terms of our revenue and our size just our sheer size and capability and the amount of full-time employees we have dedicated to this part of our business. So they know they can trust us and that we can scale. >> Dave: Do you? Is is it a, a teach me how to fish strategy? Or is it also if >> Yeah, >> if you want to have, if I, if I as a customer want to have you continue to manage or at least provide some kind of managed services, where's the the line? >> Stephanie: Yeah. So we are incredibly unique in the way we've built out our security practice in that we, we do both. And we want our clients to understand that there are going to be elements of what they do that they want to keep in house from a security perspective. That is why, and it also came from an acquisition, we have a workforce development team for security. We actually are a Palo authorized training partner. And we're incredibly proud of that fact because we don't just want to configure technology. We want to enable our customers to enhance and maintain their investments with Palo and with all technologies, with all of security. At the same time, we know they can't do everything in-house, and it just might make more sense to do manage through us. So we have end-to-end managed capabilities as well and we continue to enhance that part of our business. >> So a lot, a lot of opportunities for customers there. Talk a little bit about the Palo Alto Network's extension of the value prop that you just talked about. >> Oh yes. We love, you know, Palo is taking a platform approach and really focusing on helping customers rationalize their IT infrastructure around security. We're doing the same exact thing and focusing on zero trust is huge. 
We're, we're having those conversations with our customers as well. We want them to take their Palo investment and try to create a platform approach because there's simplicity and cost savings in that. The security conversations becoming a CFO conversation, right? We love rationalizing those technology investments in a way that makes sense. And we're right in line with Palo in that we want to provide those capabilities end to end and we want to ensure they integrate and use that all of the capabilities within your platform to the extent of that investment, right? We want them to use everything and not just parts of the technology or just do a partial deployment. We want them to use everything that it functionally is available to them through that investment. >> Nikesh, in his keynote this morning, said the answer is not just more people. I know there's this, this, this gap between the number of required number of cyber professionals that we need and >> Stephanie: Oh yeah. >> And how many employees we have, et cetera, et cetera. However, you just can't get there overnight. So that's where service providers, you know, come in. >> Stephanie: It's huge. >> I saw a stat recently, I think it said 50% of organizations in North America don't have a SOC. >> That's true. >> Okay. So they, they need managed services. So, >> Stephanie: They do. >> What are you seeing with some of the small and mid-size companies >> Stephanie: Managed >> and, and and how does, how is that, how is that going? We're entering a new era with, >> Stephanie: Yeah with, you know, cloud can can be a, a great help and and reduce the IT load internally. >> Yeah. >> Dave: What, what's the dynamic like in the customer base? >> Smaller customers especially they just can't attract the cyber talent. It's a high demand field because there just aren't many people who have that capability, right? For us, providing managed a managed SOC is huge.
One of our key acquisitions, Sirius, was our largest acquisition recently, brought us a 24/7 managed SOC capability. And that's exactly what our mid-size customers want and demand and what they need, and it's more cost effective. And now they don't have to worry about being a security business. That's not what they are. They need to run their businesses and that's what we provide through managed capabilities especially for that customer base in particular. >> Lisa: And and >> Dave: How about the really small customers, right? Who, who, you know, they're in some ways the most vulnerable. >> Yeah >> Right? >> In many ways >> They don't have the budgets they're kind of working hand to mouth. How, how do you help them? >> Stephanie: Yeah. Yeah. So we, we provide cost effective managed capabilities. So there's managed for enterprise, there's managed for mid-market, but then for small medium businesses they want something that is at the right price point. And that's what we're doing actually in co-development with Palo. That's why we're expanding, not just our professional services capabilities with the Palo platform, but also providing managed support for every aspect of the platform so that customers don't need to invest in full-time employees to do that. They can, they have a predictable cost model that's affordable, that they can leverage over time. So we're very intent on making sure we're fulfilling that not just for our big customers but also for SMB and our, and small businesses as well. >> So you really have that whole suite taken care of >> The whole suite, yeah. I want to talk about some of the the large enterprises for a second. I saw a survey recently that, you know, you talked about security is a board level conversation. It is. >> Stephanie: Very much so. >> We talk about that all the time, CFO conversation but the survey that I saw recently was that there's not there's lack of alignment on boards with the executive suite where security is concerned.
Are you seeing that and how can CDW and the Palo Alto partnership help gain that important alignment? >> Stephanie: Yeah. So we, we face this all the time. What's on the CISO whiteboard might not be on the CFO's whiteboard or the, the board's whiteboard, right? We love, and this is the whole part of our strategy and our strategy partnering with Palo, is that we want to engage further up on the, on the cycle. The, you know, we don't want to talk to them at the end of the purchasing cycle because we're not providing value. >> Lisa: Yeah. >> We want to help advise them and build the business case. And by them, I mean our CISOs are, you know the heads of network security. You know, there are various stakeholders that we want to engage with to help them build the business case and the justification so that they are speaking the same language as the board member, the CFO. And we do that in many ways. I think the biggest is that we've built a global security strategy office that encompasses practitioners. So these are former CISOs, CIOs, CTOs who have sat in their shoes and done what they've done. And we bring that experience to bear, coincidentally but not so coincidentally, Palo has the same capability. So Palo also has a team of field CISOs and former practitioners. So we're partnering together to make sure that we're enabling our customers in, in providing the right value statements and the right ROI within the board meetings so that they get that investment right. And they're able to do what they need to do to secure the infrastructure. >> Dave: I mean, historically the business case has been we're going to help you not get breached, and you're going to reduce your, your, your loss >> Stephanie: (indistinct) still relevant. >> And, and I'm, and it's still very relevant. Is there any sort of on the other side of the algebra algebraic equation where actually having this kind of security practice can actually drive productivity >> Absolutely. 
>> Or or even drive revenue and can you talk about that part of the equation? >> Stephanie: Yeah, security as an industry, we're we've gotten a lot smarter. We understand it's not just about the compliance aspect or the data privacy aspect. It's very important to your point, you know breach prevention is certainly, you know, a a great justification. It's also about automation. So you think of SOAR, right? Providing automation and visibility and dashboard views into who's doing what actually really reduces administrative overhead. We, you know, we want to re-allow our clients to repurpose individuals because there are a finite amount of people in the security industry to focus on higher value tasks. So we're enabling just a lot of cost savings through that. Self-service is a big piece of this. You know, when you think about security we bring along a lot of automation, self-service automation of business logic, and business process. There's a huge value in cost savings attached to that. So that's huge. That's a huge part of the security conversation. >> I was reading, you talked about the cybersecurity skills gap and I was reading some interesting numbers that there's 26 million developers in the world less than 3 million cybersecurity professionals. >> Stephanie: Yeah. >> Talk to us about one of your favorite customer stories where you think CDW and Palo really nailed it in terms of helping organization drive that value the top line value, the bottom line value while enabling them with your expertise. >> Oh my gosh, I don't even want to focus on one because since we became a Palo authorized training partner we have worked with over a hundred clients. We just started this this year and we've helped over a hundred clients and thousands of people get enabled on on Palo firewall configuration and training and development. 
So we've co, we've partnered together as and we've impacted over a hundred organizations this year in making sure their people are enabled and they're, they're going from that I'm a developer generic to I'm a security professional. So we're helping to close that cybersecurity workforce gap. And we're just so excited at the scale we've been able to do that in such a short amount of time that, I mean, if you think about next year and the year following I mean it's going to be thousands of different clients. But you think about each client, we're impact we're, we're holding classes with 30 plus people. So we've already impacted thousands of people which is amazing. >> Right? So the idea to scale the program in in calendar year 2023 >> Absolutely. We're going to, we, we tried it. This was a trial run and it was amazingly successful trial run. So we're incredibly excited to scale this even more and continue to provide, you know, that element, that workforce development element, that training element for the entire Palo's stack, not just elements of it. >> Lisa: Excellent. Stephanie, thank you so much for joining us on the program. >> Stephanie: Thank you. >> Sharing what CDW and Palo Alto Networks are doing together. The what's in it for me from a customer perspective, big impact there. We appreciate your insights. >> Thank you so much. >> Dave: Great to have you >> Lisa: Our pleasure. >> It's great to have, great to be here. >> Yeah. For our guest and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE, the leader in live and emerging tech coverage.
ENTITIES
Entity | Category | Confidence |
---|---|---|
Stephanie | PERSON | 0.99+ |
Stephanie Hagopian | PERSON | 0.99+ |
Dave Vellante | PERSON | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
Dakesh | PERSON | 0.99+ |
Lisa | PERSON | 0.99+ |
CDW | ORGANIZATION | 0.99+ |
50% | QUANTITY | 0.99+ |
Palo Alto Networks | ORGANIZATION | 0.99+ |
thousands | QUANTITY | 0.99+ |
Palo | ORGANIZATION | 0.99+ |
North America | LOCATION | 0.99+ |
Las Vegas | LOCATION | 0.99+ |
Palo Alto | ORGANIZATION | 0.99+ |
Palo Alto Network | ORGANIZATION | 0.99+ |
next year | DATE | 0.99+ |
North America | LOCATION | 0.99+ |
both | QUANTITY | 0.99+ |
26 million developers | QUANTITY | 0.99+ |
Palos | ORGANIZATION | 0.99+ |
One | QUANTITY | 0.99+ |
two days | QUANTITY | 0.99+ |
24 | QUANTITY | 0.99+ |
over a hundred clients | QUANTITY | 0.98+ |
over 20 years | QUANTITY | 0.98+ |
each client | QUANTITY | 0.98+ |
this year | DATE | 0.98+ |
30 plus people | QUANTITY | 0.98+ |
one | QUANTITY | 0.98+ |
MGM Grand | LOCATION | 0.97+ |
over a hundred organizations | QUANTITY | 0.97+ |
10 years ago | DATE | 0.97+ |
zero trust | QUANTITY | 0.97+ |
Palo Alto Networks | ORGANIZATION | 0.95+ |
thousands of people | QUANTITY | 0.94+ |
less than 3 million cybersecurity professionals | QUANTITY | 0.94+ |
Sirius | ORGANIZATION | 0.93+ |
TAM | ORGANIZATION | 0.93+ |
this morning | DATE | 0.92+ |
theCUBE | ORGANIZATION | 0.89+ |
Palo | TITLE | 0.84+ |
Michael Wasielewski & Anne Saunders, Capgemini | AWS re:Invent 2022
(light music) (airy white noise rumbling) >> Hey everyone, welcome back to Las Vegas. It's theCUBE. We're here, day four of our coverage of AWS re:Invent 22. There's been about, we've heard, north of 55,000 folks here in person. We're seeing only a fraction of that but it's packed in the expo center. We're at the Venetian Expo, Lisa Martin, Dave Vellante. Dave, we've had such great conversations as we always do on theCUBE. With the AWS ecosystem, we're going to be talking with another partner on that ecosystem and what they're doing to innovate together next. >> Well, we know security is the number one topic on IT practitioners' minds, CIOs, CISOs. We also know that they don't have the bench strength, that's why they look to managed service providers, managed service security providers. It's a growing topic, we've talked about it. We talked about it at re:Inforce earlier this year. I think it was July, actually, and August, believe it or not, not everybody was at the Cape. It was pretty well attended conference and that's their security focus conference, exclusive on security. But there's a lot of security here too. >> Lot of security, we're going to be talking about that next. We have two guests from Capgemini joining us. Mike Wasielewski, the head of cloud security, and NextGen secure architectures, welcome Mike. Anne Saunders also joins us, the Director of Cybersecurity Technology Partnerships at Capgemini, welcome Anne. >> Thank you. >> Dave: Hey guys. >> So, day four of the show, how you feeling? >> Anne: Pretty good. >> Mike: It's a long show. >> It is a long, and it's still jamming in here. Normally on the last day, it dwindles down. Not here. >> No, the foot traffic around the booth and around the totality of this expo floor has been amazing, I think. >> It really has. Anne, I want to start with you. Capgemini making some moves in the waves in the cloud and cloud security spaces. Talk to us about what Cap's got going on there. 
>> Well, we actually have a variety of things going on. Very much partner driven. The SOC Essentials offering that Mike's going to talk about shortly is the kind of the starter offer where we're going to build from and build out from. SOC Essentials is definitely critical for establishing that foundation. A lot of good stuff coming along with partners. Since I manage the partners, I'm kind of keen on who we get involved with and how we work with them to build out value and focus on our overall cloud security strategy. Mike, you want to talk about SOC Essentials? >> Yeah, well, no, I mean, I think at Capgemini, we really say cybersecurity is part of our DNA and so as we look at what we do in the cloud, you'll find that security has always been an underpinning to a lot of what we deliver, whether it's on the DevSecOps services, migration services, stuff like that. But what we're really trying to do is be intentional about how we approach the security piece of the cloud in different ways, right? Traditional infrastructure, you mentioned the totality of security vendors here and at re:Inforce. We're really seeing that you have to approach it differently. So we're bringing together the right partners. We're using what's part of our DNA to really be able to drive the next generation of security inside those clouds for our clients and customers. So as Anne was talking about, we have a new service called the Capgemini Cloud SOC Essentials, and we've really brought our partners to bear, in this case Trend Micro, really bringing a lot of their intelligence and building off of what they do so that we can help customers. Services can be pretty expensive, right, when you go for the high end, or if you have to try to run one yourself, there's a lot of time, I think you mentioned earlier, right, the people's benches. It's really hard to have a really good cybersecurity people in those smaller businesses. 
So what we're trying to do is we're really trying to help companies, whether you're the really big buyers of the world or some of the smaller ones, right? We want to be able to give you the visibility and ability to deliver to your customers securely. So that's how we're approaching security now and we're cloud SOC Essentials, the new thing that we're announcing while we were here is really driving out of. >> When I came out of re:Invent, when you do these events, you get this Kool-Aid injection and after a while you're like hm, what did I learn? And one of the things that struck me in talking to people is you've got the shared responsibility model that the cloud has sort of created and I know there's complexities across cloud but let's just keep it at cloud generically for a moment. And then you've got the CISO, the AppDev, AppSecDev group is being asked to do a lot. They're kind of being dragged into security that's really not their wheelhouse and then you've got audit which is like the last line of defense. And so one of the things that struck me at re:Inforce is like, okay, Amazon, great job for their portion of the shared responsibility model but I didn't hear a lot in terms of making the CISO's life easier and I'm guessing that's where you guys come in. I wonder if you could talk about that trend, that conceptual layers that I just laid out and where you guys fit. >> Mike: Sure, so I think first and foremost, I always go back to a quote from, I think it's attributed to Peter Drucker, whether that's right or wrong, who knows? But culture eats strategy for breakfast, right? And I think what we've seen in our conversations with whether you're talking to the CISO, the application team, the AppDev team, wherever throughout the organization, we really see that culture is what's going to drive success or failure of security in the org, and so what we do is we really do bring that totality of perspective. We're not just cloud, not just security, not just AppDev. 
We can really bring across the totality of the Capgemini estate. So that when we go, and you're right, a CISO says, I'm having a hard time getting the app people to deliver what I need. If you just come from a security perspective, you're right, that's what's going to happen. So what we try to do is so, we've got a great DevSecOps service, for example in the cloud where we do that. We bring all the perspectives together, how do we align KPIs? That's a big problem, I think, for what you're seeing, making CISO's lives easier, is about making sure that the app team KPIs are aligned with the CISO's but also the CISO's KPIs are aligned with the app teams. And by doing that, we have had really great success in a number of organizations by giving them the tools then and the people on our side to be able to make those alignments at the business level, to drive the right business outcome, to drive the right security outcome, the right application outcome. That's where I think we've really come to play. >> Absolutely, and I will say from a partnering perspective, what's key in supporting that strategy is we will learn from our partners, we lean on our partners to understand what the trends they're seeing and where they're having an impact with regards to supporting the CISO and supporting the overall security strategy within a company. I mean, they're on the cutting edge. We do a lot to track their technology roadmaps. We do a lot to track how they build their buyer personas and what issues they're dealing with and what issues they're prepared to deal with regards to where they're investing and who's investing in them. A lot of strategy around which partner to bring in and support, how we're going to address the challenges, the CISO and the IT teams are having to kind of support that overall. Security is a part of everything, DNA kind of strategy. 
>> Yeah, do you have a favorite example, Anne, of a partner that came in with Capgemini, helped a customer really be able to do what Capgemini is doing and that is, have cybersecurity be actually part of their DNA when there's so many challenges, the skills gap. Any favorite example that really you think articulates how you're able to enable organizations to achieve just that? >> Anne: Well, actually the SOC Essentials offering that we're rolling out is a prime example of that. I mean, we work very, very closely with Trend on all fronts with regards to developing it. It's one of those completely collaborative from day one to going to the customer and that it's almost that seamless connectivity and just partnering at such a strategic level is a great example of how it's done right, and when it's done right, how successful it can be. >> Dave: Why Trend Micro? Because I mean, I'm sure you've seen, I think that's Optiv, has the eye test with all the tools and you talk to CISOs, they're like really trying to consolidate those tools. So I presume there's a portfolio play there, but tell us, tell the audience a little bit more about why Trend Micro and I mean your branding with them, why those guys? >> Well, it goes towards the technology, of course, and all the development they've done and their position within AWS and how they address assuring security for our clients who are moving onto and running their estates on AWS. There's such a long heritage with regards to their technology platform and what they've developed, that deep experience, that kind of the strength of the technology because of the longevity they've had and where they sit within their domain. I try to call partners out by their domain and their area of expertise is part of the reason, I mean. 
>> Yeah, I think another big part of it is Gartner is expecting, I think they published this out in the next three years, we expect to see another consolidation both inside of the enterprises as well as, I look back a couple years, when Palo Alto went on a very nice spending spree, right? And put together a lot of really great companies that built their Prisma platform. So what I think one of the reasons we picked Trend in this particular case is as we look forward for our customers and our clients, not just having point solutions, right? This isn't just about endpoint protection, this isn't just about security posture management. This is really who can take the totality of the customer's problems and deliver on the right outcomes from a single platform, and so when we look at companies like Trend, like Palo, some of the bigger partners for us, that's where we try to focus. They're definitely best in breed and we bring those to our customers too for certain things. But as we look to the future, I think really finding those partners that are going to be able to solve a swath of problems at the right price point for their customers, that is where I think we see the industry moving. >> Dave: And maybe be around as an independent company. Was that a factor as well? I mean, you see Thoma Bravo buying up all his hiring companies and right, so, and maybe they're trying to create something that could be competitive, but you're saying Trend Micros there, so. >> Well I think as Anne mentioned, the 30 year heritage, I think, of Trend Micro really driving this and I've done work with them in various past things. 
There's also a big part of just the people you like, the people that are good to work with, that are really trying to be customer obsessed, going back right, at an AWS event, the ones that get the cloud tend to be able to follow those Amazon LPs as well, right, just kind of naturally, and so I think when you look at the Trend Micros of the world, that's where that kind of cloud native piece comes out and I like working with that. >> In this environment, the macro environment, let's talk a bit, earning season, it's really mixed. I mean you're seeing some really good earnings, some mixed earnings, some good earnings with cautious guidance. So nobody really (indistinct), and it was for a period time there was a thinking that security was non-discretionary and it's clearly non-discretionary, but the CISO, she or he, doesn't have unlimited budgets, right? So what are you seeing in terms of how are customers dealing with this challenging macro environment? Is it through tools consolidation? Is that a play that's going on? What are you seeing in the customer base? >> Anne: I see ways, and we're working through this right now where we're actually weaving cybersecurity in at the very beginning of how we're designing offers across our entire offer portfolio, not just the cybersecurity business. So taking that approach in the long run will help contain costs and our hope, and we're already seeing it, is it's actually helping change the perception that security's that cost center and that final obstacle you have to get over and it's going to throw your margins off and all that sort of stuff. >> Dave: I like that, it's at least is like a security cover charge. You're not getting in unless we do the security thing. >> Exactly, a security cover charge, that's what you should call it. >> Yeah. >> Like it. >> Another piece though, you mentioned earlier about making CISO's life easier, right? 
And I think, as Anne did a really absolutely true about building it in, not to the security stack but application developers, they want visibility they want observability, they want to do it right. They want CI/CD pipeline that can give them confidence in their security. So should the CISO have a budget issue, right? And they can't necessarily afford, but the application team as they're looking at what products they want to purchase, can I get a SAST or a DAST, right? The static or dynamic application security testing in my product up front and if the app team buys into that methodology, the CISO convinces them, yes, this is important. Now I've got two budgets to pull from, and in the end I end up with a cheaper, a lower cost of a service. So I think that's another way that we see with like DevSecOps and a few other services, that building in on day one that you mentioned. >> Lisa: Yeah. >> Getting both teams involved. >> Dave: That's interesting, Mike, because that's the alignment that you were talking about earlier in the KPIs and you're not a tech vendor saying, buy my product, you guys have deep consultancy backgrounds. >> Anne: And the customer appreciates that. >> Yeah. >> Anne: They see us as looking out for their best interest when we're trying to support them and help them and bringing it to the table at the very beginning as something that is there and we're conscientious of, just helps them in the long run and I think, they're seeing that, they appreciate that. >> Dave: Yeah, you can bring best practice around measurements, alignment, business process, stuff like that. Maybe even some industry expertise which you're not typically going to get from a product company. >> Well, one thing you just mentioned that I love talking about with Capgemini is the industry expertise, right? So when you look at systems integrators, there are a lot of really, really good ones. To say otherwise would be foolish. 
But Capgemini with our acquisition of Altran, a couple years ago, I think it was, right? How many other GSIs or SIs are actually building silicon for IoT chips? So IoT's huge right now, the intelligent industry moving forward is going to drive a lot of those business outcomes that people are looking for. Who else can say we've built an autonomous vehicle, Capgemini can. Who can say that we've built the IoT devices from the ground up? We know not just how to integrate them into AWS, into the IoT services in the cloud, but to build and have that secure development for the firmware and all and that's where I think our customers really look to us as being those industry experts and being able to bring that totality of our business to bear for what they need to do to achieve their objectives to deliver to their customer. >> Dave: That's interesting. I mean, using silicon as a differentiator to drive a lot of business outcomes and security. >> Mike: Absolutely. >> I mean you see what Amazon's doing in silicon, Look at Apple. Look at what Tesla's doing with silicon. >> Dave: That's where you're seeing a lot of people start focusing 'cause not everybody can do it. >> Yeah. >> It's hard. >> Right. >> It's hard. >> And you'll see some interesting announcements from us and some interesting information and trends that we'll be driving because of where we're placed and what we have going around security and intelligent industry overall. We have a lot of investment going on there right now and again, from the partner perspective, it's an ecosystem of key partners that collectively work together to kind of create a seamless security posture for an intelligent industry initiative with these companies that we're working with. >> So last question, probably toughest question, and that's to give us a 30 second like elevator pitch or a billboard and I'm going to ask you, Anne, specifically about the SOC Essentials program powered by Trend Micro. 
Why should organizations look to that? >> Organizations should move to it or work with us on it because we have the expertise, we have the width and breadth to help them fill the gaps, be those eyes, be that team, the police behind it all, so to speak, and be the team behind them to make sure we're giving them the right information they need to actually act effectively on maintaining their security posture. >> Nice and then last question for you, Mike is that billboard, why should organizations in any industry work with Capgemini to help become an intelligent industrial player. >> Mike: Sure, so if you look at our board up top, right, we've got our tagline that says, "get the future you want." And that's what you're going to get with Capgemini. It's not just about selling a service, it's not just about what partners' right in reselling. We don't want that to be why you come to us. You, as a company have a vision and we will help you achieve that vision in a way that nobody else can because of our depth, because of the breadth that we have that's very hard to replicate. >> Awesome guys, that was great answers. Mike, Anne, thank you for spending some time with Dave and me on the program today talking about what's new with Capgemini. We'll be following this space. >> All right, thank you very much. >> For our guests and for Dave Vellante, I'm Lisa Martin, you're watching theCUBE, the leader in live enterprise and emerging tech coverage. (gentle light music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
Mike Wasielewski | PERSON | 0.99+ |
Lisa Martin | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
Dave Vellante | PERSON | 0.99+ |
Mike | PERSON | 0.99+ |
Anne Saunders | PERSON | 0.99+ |
Anne | PERSON | 0.99+ |
Michael Wasielewski | PERSON | 0.99+ |
August | DATE | 0.99+ |
Amazon | ORGANIZATION | 0.99+ |
Lisa | PERSON | 0.99+ |
Capgemini | ORGANIZATION | 0.99+ |
Las Vegas | LOCATION | 0.99+ |
Trend Micro | ORGANIZATION | 0.99+ |
July | DATE | 0.99+ |
AWS | ORGANIZATION | 0.99+ |
Peter Drucker | PERSON | 0.99+ |
two guests | QUANTITY | 0.99+ |
30 second | QUANTITY | 0.99+ |
AppDev | ORGANIZATION | 0.99+ |
Altran | ORGANIZATION | 0.99+ |
one | QUANTITY | 0.99+ |
Palo | ORGANIZATION | 0.99+ |
Tesla | ORGANIZATION | 0.99+ |
Kool-Aid | ORGANIZATION | 0.99+ |
both teams | QUANTITY | 0.99+ |
NextGen | ORGANIZATION | 0.99+ |
Gartner | ORGANIZATION | 0.99+ |
30 year | QUANTITY | 0.99+ |
Apple | ORGANIZATION | 0.98+ |
AppSecDev | ORGANIZATION | 0.98+ |
Trend | ORGANIZATION | 0.98+ |
first | QUANTITY | 0.98+ |
both | QUANTITY | 0.97+ |
SOC Essentials | ORGANIZATION | 0.97+ |
two budgets | QUANTITY | 0.97+ |
today | DATE | 0.96+ |
CISO | ORGANIZATION | 0.94+ |
single platform | QUANTITY | 0.94+ |
Trend Micros | ORGANIZATION | 0.94+ |
Venetian Expo | EVENT | 0.93+ |
earlier this year | DATE | 0.93+ |
couple years ago | DATE | 0.92+ |
Jon Bakke, MariaDB | AWS re:Invent 2022
(bright upbeat music) >> Welcome back everyone to theCUBE's live coverage here in Las Vegas for wall-to-wall coverage. It is re:Invent 2022, our 10th year with theCUBE. Dave and I started this journey 10 years ago here at re:Invent. There are two sets, here, a set upstairs. Great content, I'm here with Paul Gillin, my cohost. Paul's out reporting on the floor, doing some interviews. Paul, what do you think so far? It's pretty crazy activity going on here. >> Well, the activity hasn't declined at all. I mean here we are in day three of the show and it's just as busy out there as it was in day one. And there's just an energy here that you can feel, it's palpable. There is a lot of activity around developers, a lot around data. Which actually brings us a good segue into our next guest because one of the leaders in data management in the cloud is MariaDB. And Jon Bakke is the CRO at MariaDB, and here to talk to us about your cloud version and how open source is going for you. >> Yeah, thanks for having me. >> Paul: Thanks for joining us. >> To get the update on the product, what do you guys do on the relation to AWS? How's that going? Give us a quick update. >> In the relational database? >> No, no. The relationship with AWS >> Oh, with AWS? >> And SkySQL, what's the update? >> There's no relationship that we have that's more important than the AWS relationship. We're building our cloud, our premier cloud service called SkySQL on AWS. And they offer the best in class infrastructure for a SaaS company to build what they're building. And for us, it's a database service, right? And then beyond that, they help you from the business side, right? They try to get you lined up in the marketplace and make it possible for you to work best with customers. And then from a customer perspective, they're super helpful in not only finding prospective customers, but making that customer successful. 'Cause everybody's got a vested interest in the outcome. Right? 
>> Yeah, a little tongue twister there. Relational data-based relationship. We've got relational databases, we've got unstructured, data is at the center of the value proposition. Swami's keynote today and the Adam CEO's keynote, data and security dominated the keynotes >> John: Yes. >> and the conversations. So, this is real. The customers are really wanting to accelerate the developer experience, >> John: Yep. >> Developer pipelining, more code faster, more horsepower under the hood. But this data conversation, it just never goes away. The world's keeping on coming around. >> John: It never goes away. I've been in this business for almost 30 years and we're still talking about the same key factors, right? Reliability, availability, performance, security. These things are pervasive in the data management because it's such a critical aspect to success. >> Yeah, in this case of SkySQL, you have both a transactional and an analytical engine in one. >> John: That's correct. >> Right? >> John: Yep. >> And that was a, what has the customer adoption been like of that hybrid, or I guess not a hybrid, but a dual function? >> Yeah. So the thing that makes that important is that instead of having siloed services, you have integrated data services. And a lot of times when you ask a question that's analytical it might depend on a transaction. And so, that makes the entire experience best for the developer, right? So, to take that further, we also, in SkySQL, offer a geospatial offering that integrates with all of that. And then we even take it further than that with distributed database with Xpand or MariaDB Xpand. >> A lot of discussion. Geospatial announcement today on stage, just the diversity of data, and your experience in the industry. There's not the one database that rules them all anymore. There's a lot of databases out there. How are customers dealing with, I won't say database for all, 'Cause you need databases. 
And then you've got real time transactional, you got batch going on, you got streaming data, all kinds of data use cases now, all kind of having to be rolled together. What's your reaction? What's your take on the state of data and databases? >> Yeah, yeah, yeah. So when I started in this business, there were four databases, and now there's 400 databases. And the best databases really facilitate great application development. So having as many of those services in real time or in analytics as possible means that you are a database for everyone or for all users, right? And customers don't want to use multiple databases. Sometimes they feel like they're forced to do that, but if you're like MariaDB, then you offer all of those capabilities in an integrated way that makes the developer move faster. >> Amazon made a number of announcements this morning in the data management area, including geospatial support on RDS, I believe. How do you, I guess, coordinate yourself, your sales message with their sales message, given that you are partners, but they are competing with you in some ways? >> Yeah, there's always some coopetition, I guess, that happens with AWS in the various product silos that they're offering their customers. For us, we're one of thousands of obviously partners that they have. And we're out there trying to do what our customers want, which is to have those services integrated, not glued together with a variety of different integration software. We want it integrated in the service so that it's one data provision, data capability for the application developer. It makes for a better experience for the developer in the end. >> On the customer side, what's the big activity? I mean, you got the on-premises database, you've got the cloud. When should a customer decide, or what's the signals to them that they should either move to the cloud, or change, be distributed? What are some of the forcing functions? What does the mark look like? 
>> Yeah, I've come a long way on this, but my opinion is that every customer should be in the cloud. And the reason simply is the economies that are involved, the pace of execution, the resilience and dependability of the cloud, Amazon being the leader in that space. So if you were to ask me, right now is the time to be in SkySQL because it's the premier data service in the cloud. So I would take my customer out of their on-prem and put them all in AWS, on SkySQL, if I could. Not everybody's ready for that, but my opinion is that the security is there, the reliability, the privacy, all of the things that maybe are legacy concerns, it's all been proven to be adequate and probably even better because of all of the economies of scale that you get out of being in the cloud just generally. >> Now, MariaDB, you started on-premise though. You still have a significant customer base on-premise. What, if anything are you doing to encourage them to migrate to the cloud? >> Well, so we have hundreds and hundreds of customers as MariaDB, and we weren't the first database company to put their database in the cloud, but watching it unfold helped us realize that we're going to put MariaDB in its best form factor in SkySQL. It's the only place you could get the enterprise version of MariaDB in a cloud service, right? So when we look at our customers on-prem, we're constantly telling them, obviously, that we have a cloud service. When they subscribe, we show them the efficiencies and the economies, and we do get customers that are moving. We had a customer go to Telefonica over in the UK that moved from an on-premise to manage their wifi services across Europe. And they're very happy. They were one of our very first SkySQL customers. And that has routinely proven itself to be a path towards not only a better operation for the customer, they're up more, they have fewer outages because they're not inflicting their own self wounds that they have in their own data center. 
They're running on world class infrastructure on world class databases. >> What are some of those self wounds? Is it personnel, kind of manual mistakes, just outages, reliability? What's the real cause, and then what's the benefit alternative in the cloud that is outside? >> Yeah. I mean, I think, when you repeat the same database implementation over and over on the infrastructure, it gets tested thousands and thousands of times. Whereas if I'm a database team and I install it once, I've tested it one time, and I can't account for all of the things that might happen in the future. So the benefit of the cloud is that you just get that repeatability that happens and all of the sort of the kinks and bugs and issues are worked out of the system. And that's why it's just fundamentally better. We get 99.9999% uptime because all of those mistakes have been made, solved, and fixed. >> Fully managed, obviously. >> Yes. Right. >> Huge benefit. >> John: Right. >> And people are moving, it's just a great benefit. >> John: Yeah. >> So I'm a fan obviously. I think it's a great way to go. I got to ask about the security though, because big conversation here is security. What's the security posture? What's the security story to customers with SkySQL and MariaDB? >> Right, right, right. So we've taken the server, which was the initial product that MariaDB was founded upon, right? And we've come a long way over the several years that we've been in business. In SkySQL, we have SOC 2 compliance, for example. So we've gone through commercial certifications to make sure that customers can depend that we are following processes, we have technology in place in order to secure and protect their data. And in that environment, it is repeatable. So every time a customer uses our DBaaS infrastructure, database as a service infrastructure called SkySQL, they're benefiting from all of the testing that's been done. 
They go there and do that themselves, they would have to go through months and months of processes in order to reach the same level of protection. >> Now MariaDB is distributed by design. Is that right? >> Yes. So we have a distributed database, it's called Xpand, MariaDB Xpand. And it's an option inside of SkySQL. It's the same cost as MariaDB server, but Xpand is distributed. And the easiest way to understand what distributed database is is to understand what it is not first. What it is not is like every other cloud database. So most of the databases strangely in the cloud are not distributed databases. They have one single database node in a cluster that is where all of the changes and writes happen. And that creates a bottleneck in the database. And that's why there's difficulties in scale. AWS actually talked about this in the keynote which is the difficulty around multi writer in the cloud. And that's what Xpand does. And it spreads out the reads and the writes to make it scalable, more performant, and more resilient. One node goes down, still stays up, but you get the benefit of the consistency and the parallelization that happens in Xpand. >> So when would a customer choose Xpand versus SkySQL Vanilla? >> So we have, I would say a lot of times, but the profile of our customers are typically like financial services, trade stores. We have Samsung Cloud, 500,000 transactions per second in an Xpand cluster where they run sort of their Samsung cloud for their mobile device unit. We have many customers like that where it's a commercial facing website often or a service where the brand depends on uptime. Okay. So if you're in exchange or if you are a mobile device company or an IOT company, you need those databases to be working all the time and scale broadly and have high performance. >> So you have resiliency built in essentially? >> Yes, yeah. And that's the major benefit of it. 
It hasn't been solved by anybody other than us in the cloud to be quite honest with you. >> That's a differentiator for sure. >> It is a huge differentiator, and there are a lot of interested parties. We're going to see that be the next discussion probably next year when we come back is, what's the state of distributed database? Because it's really become really the tip of the spear with the database industry right now. >> And what's the benefits of that? Just quickly describe why that's important? >> Obviously the performance and the resilience are the two we just talked about, but also the efficiency. So if you have a multi-node cluster of a single master database, that gets replicated four times, five times over, five times the cost. And so we're taking cost out, adding performance in. And so, you're really seeing a revolution there because you're getting a lot more for a lot less. And whenever you do that, you win the game. Right? >> Awesome. Yeah, that's true. And it seems like, okay, that might be more costly but you're not replicating. >> That's right. >> That's the key. >> Replicating just enough to be resilient but not excessively to be overly redundant. Right. >> Yeah. I find that the conversation this year is starting to unpack some of these cloud native embedded capabilities inside AWS. So are you guys doing more around, on the customer side, around marketplace? Are you guys, how do people consume products? >> Yeah. It's really both. So sometimes they come to us from AWS. AWS might say, "Hey, you know what," "we don't really have an answer." And that's specifically true on the Xpand side. They don't really have that in their list of databases yet. Right. Hopefully, we'll get out in front of them. But they oftentimes come through our front door where they're a MariaDB customer already, right? There's over a hundred thousand production systems with MariaDB in the world, and hundreds of thousands of users of the database. 
So they know our brand, not quite as well as AWS, but they know our brand... >> You've got a customer base. >> We do. Right. I mean people love MariaDB. They just think it's the database that they use for application development all the time. And when they see us release an offering like Xpand just a few years ago, they're interested, they want to use that. They want to see how that works. And then when they take it into production and it works as advertised, of course, success happens. Right? >> Well great stuff, John. Great to have you on theCUBE. Paul, I guess time we do the Insta challenge here. New format on theCUBE, we usually say at the end, summarize what's most important story for you or show, what's the bumper sticker? We kind of put it around more of an Instagram reel. What's your sizzle reel? What's your thought leadership statement? 30 seconds >> John: Thought leadership. >> John? >> So the thought leadership is really in scaling the cloud to the next generation. We believe MariaDB's Xpand product will be the technology that fronts the next wave of database solutions in the cloud. And AWS has become instrumental in helping us do that with their infrastructure and all the help that they give us, I think at the end of the day, when the story on Xpand is written, it's going to be a very fun ride over the next few years. >> John, thank you. CRO, chief revenue officer of MariaDB, great to have you on. >> Thank you. >> 34-year veteran or so in databases. (laughs) >> You're putting a lot of age on me. I'm 29. I'm 29 again. (all laugh) >> I just graduated high school and I've been doing this for 10 years. Great to have you on theCUBE. Thanks for coming on. >> Thanks guys. Yeah. >> Thanks for sharing. >> Appreciate it. >> I'm John Furrier with Paul Gillin here live on the floor, wall-to-wall coverage. We're already into like 70 videos already. Got a whole another day, finish out day three. Keep watching theCUBE, thanks for watching. We'll be right back. 
(calm music)
Todd Foley, Lydonia Technologies & Devika Saharya, MongoDB | UiPath Forward 5
(intro upbeat music) >> TheCUBE presents UiPath Forward5, Brought to you by UiPath. >> Welcome to day two of Forward5 UiPath Customer Conference. You're watching theCUBE. My name is Dave Vellante. My co-host is David Nicholson. Yesterday, Dave, we heard about the extension into an enterprise platform. We heard about, from the two CEOs, a new go-to-market strategy. We heard from a lot of customers how they're implementing UiPath generally and automation, specifically, scaling, hyper-automation, and all the buzzwords you hear. Todd Foley is the CDO and CSO of Lydonia Technologies and Devika Saharya is the director of ERP and RPA at MongoDB. Folks, welcome to theCUBE. Thanks for taking time out of your busy day and coming on. >> Thank you Dave. >> Thank you so much. >> So let's start with the roles. So Devika, ERP and RPA. >> Yes. >> It's like peanut butter and jelly, or how do those things relate? What's your, what's your role? >> Absolutely. So I started at Mongo as an ERP manager, and you know, as we were growing, the one thing that came out of, you know, the every year goals for the company, one big goal that came out was how we have to scale. There are so many barriers to scale. How can we become a billion dollar company? What do we need to do? And when we started drilling down into, you know, different areas, we figured it out that people do a lot of stuff manually. It's like comparing sheets, you know, copying data from one place to the other, and so on and so forth. So one thing that we realized was we definitely need some kind of automation. At that time, we didn't know about automation, but we did our own market research and here we are. >> Let's automate. Yeah, right. (Devika laughs) Sounds easy. All right, thank you. Todd, CDO, Chief Data or Chief Dig, and CSO, I'm assuming Chief Data? >> Chief Data. >> And the Chief Information Security Officer. Tell us about Lydonia and also your role. >> Sure, Lydonia, we started just over three years ago. 
We looked at the RPA market. We saw great opportunity, but we also saw a challenge. We saw that a lot of people had deployed RPA but weren't getting the promised, you know, immediate ROI, rapid deployment that was out there. And when we looked at it, we saw that it really wasn't a technical challenge. Sometimes it was how technology was applied, but there were a lot of things that people were doing in their process and how they were treating RPA, often as if it were traditional technology that slowed them down. So we built our practice, our company, around the idea of being able to help people scale very quickly and drive that faster. And we're finding now with the RPA being pretty ubiquitous, that it's the one thing that's in the greatest demand among our clients. >> Okay, so you're the implementation partner for Mongo, is that right? >> We are. >> Okay, so relatively new. Very new actually, but a specialist. Why'd you choose Lydonia? >> So, that's an interesting question. When we came last year to UiPath Forward, we were looking for, you know, the right kind of people who can, you know, put us on track. We had the technology, we had everything in place, we did the POC, everybody liked it, but we didn't know how to, you know, basically go in that direction. We were missing that direction. And then we, you know, we were doing our homework here, we found, we accidentally stumbled with Lydonia, and I had follow up conversations with Todd, and they were just so tapered. I knew exactly what Todd was explaining me, and we knew we are, we are in safe hands. >> So, where did you start? >> So we, the first thing that we did was a POC for the finance side of business. And right after that POC, we realized that, you know, how much time people were actually investing manually, like things that were done in three to four days was turning into a 30 minute process. 
And that gave us, you know, the idea that we should start drilling down into different departments and try to find where there are, you know, areas where we can improve. And we did all of that. And then we met with Todd, and Todd explained that how his Reignite process works. So we took Reignite as our first step and, you know, took it from there. We chose one department, we worked with them. We had about 10 processes highlighted, thanks to Todd, he worked with them, and he literally drilled and nailed it down that what we need to do. And as of today, all those 10 are automated. >> Wow. Okay. >> Todd, does this interaction between Lydonia and MongoDB, as a customer, apply equally in the field when you're going out and talking to clients that might be running MongoDB, they might be customers of MongoDB, they may have financial applications that are backended with MongoDB, is there a synergy there that you've been able to gain? >> I think there is. I think there's one thing that's kind of unique about RPA, and that the traditional questions around integration and applicability aren't as important when you have a platform that can work with anything that people can use. I think also, you know, when we look at what we typically do with people, some of the things we see at Mongo are very common use cases you know, across all of our clients. So I, there's definitely the ability for us to take things we've done and have clients get leverage out of them. At the same time, the platform itself is, makes it different than a traditional model where, you know if somebody has worked in a particular area or built an automation for a particular application, there's some kind of utility to do it faster for another client. What we find is that that's not really the case. And that oftentimes we'll compete with people who use different tool sets than UiPath who have that kind of value story around having done it before, we come in and we do it twice as fast as they could. 
>> So you've, you're a veteran of complex integrations. >> Oh yeah. (Todd laughs) >> I know that from our paths have crossed in the past. So you're saying that in this world of RPA, that this tool set like UiPath as a platform, we've been talking a lot about the difference between being a tool set and being a platform. >> Right. >> That this platform can sort of hover above things without that same layer of complexity, or level of complexity, that you've experienced in the past. Because that speaks to the idea that UiPath, as a platform, is going to work moving forward in a big way. >> Exactly, right. I think we've seen for years and years that regardless of the type of development environment you're using, a developer's value sometimes is based on what reusable libraries they've created, what they have to cut and paste from their old code to be able to do things faster. The challenge with that is it has to be maintained, when things change, they've got to update those libraries. It's a value prop that's very high touch. With UiPath, they've created the ultimate in reusability. The platform, especially since they acquired cloud elements and built all of those API integrations into their platform. The platform maintains the reusability and the libraries in such a way where they're drag and drop from a development standpoint and you don't have to maintain them. It's the ultimate expression of reusability as a platform. >> Yeah, cloud elements, API automation, obviously a key pick by UiPath. Devika, what's the scale of your operation today? Like how many bots and where do you see it going? >> Yes. So we, we started with one bot. Last year we experimented a lot that, you know, we were just trying to make our footprint in the company, trying to understand that, you know, people understand what RPA is, what UiPath is. Initially we got a lot of pushback. 
We got a pushback from our security team as well, because they could not understand, you know, that what UiPath is and how secure it is. And we had to explain them that how we would host it over AWS, how we will work, how we will not save passwords, et cetera. When we did all of that and they got comfort, we started picking, you know, very small processes around to show, you know, people the capability of RPA and UiPath per se. When we did that, people started just coming with bigger processes, and one specific team that I can think of came that we do, you know, fuzzy logic in Excel, and we do it twice a week, but it takes a lot of time. We automated it, they run it daily, every single day, two times now. And the exponential growth that we saw just with that one automation was mind boggling. I couldn't believe that, you know. We were tracking our insights and we were like, oh my God, what happened? It just blew out of proportion. >> Okay. So then did you need more bots? Are you still running one bot, or? >> Nope. Now at the moment we have nine. >> Okay. >> And we are still looking to grow. >> Okay. So the initial friction, you said there was some, you know, concern, it was primarily security or were there others, people afraid they're going to lose their jobs? Was there any of that? >> There was no risk of losing the job. The major, you know, pushback was, one was from security, the other one was from different system owners because a lot of people were not sure why we want UI access, or why we want API access, and why are we accessing their systems? What type of information we are trying to gather out of their systems. Are we writing into their system? Because a lot of people have issues when we start saying that we will write or override data. So most of the processes that we are working around are either writing, comparing, and reading and comparing, and if it is writing, we take special permission that this is what we are going to do. 
>> So what did you have to do to get through the security mottle, a AWS SOC 2 report, did you have to show them the UiPath pen test? >> Absolutely. >> Did you have to change any of your processes? What was that sort of punch list like? >> Everything. >> Yeah. >> So we had to start from pen test. We had to start, we had to explain that UiPath is in the process of, you know, acquiring SOC. We also explained that how things are hosted on AWS. We had to, you know, bring our consultants in who explained that how on, on AWS, this will be a very secured way of doing things. And when we did our first process, which was actually for the auditors, which is, you know, interesting. >> Yeah. >> What we did was we did segregation of duties, which I think is very important in every field and every sphere we work in. So for example, the writeup that we were building for auditors, we made sure that it is approved by a physical or a human, you know, and not everything is done by the bot. The biggest piece of the puzzle was writing, you know, because it was taking a lot of time. People were going into different systems, gathering information, putting it on Excel, and then you know, comparing and submitting it to PWC. >> When you say write, you mean any update to a system of record? >> Correct. >> Required some scrutiny? >> Some scrutiny, yes, yes. >> Okay, initially by a human until there was comfort level and then it's like these bots know what they're doing. >> Correct, correct. >> Okay. And now you're a NetSuite customer, correct? >> Yes. >> That's your ERP? >> That's right. >> Now we were talking about Oracle is going to acquire OCR capabilities. Will that, and we've been talking, Dave and I, a week about, okay well ServiceNow has, you know, RPA, and Salesforce, and SAP, et cetera. How will that affect your thinking about adopting UiPath? 
>> I don't think it should matter because I think all these systems kind of coexist in a bigger ecosystem, you know, and I also feel that all these systems have their own plus points and minus points. Not one system in, per se, can do everything within a company. So it could be that, for example, NetSuite might be very strong for financials in the space we are in, but not extremely good around sales and marketing. So for that company chose Salesforce. So you know, you have those smaller smaller multiple systems that build into a bigger ecosystem, right. And I think the other piece of the puzzle is that UiPath helps bridge that gap between these systems. You know, it could happen that certain things can get integrated, certain things cannot because of the nature of business, the nature of work that the teams are trying to do. And I think UiPath is leveraging that gap, you know, and putting, you know, those strings together. >> As you scale - >> Mm hmm. >> How will, and Todd I presume you're going to assist in this process, but how will you decide what processes to prioritize, and is that a process driven decision? Is it data led? Both? If so, what kind of data? Can you describe how you guys are going to approach that? >> Yep. Todd, would you like to take that first before I start? >> Sure, yeah. >> Maybe some best practices and then we can maybe get specific to Mongo. >> Absolutely. Our guidance is always that it should be a business decision, right? And it should be data driven, based on a business defined metric around the business case for that particular automation. Our guidance to customers is don't automate it unless you know why you're automating it, and what the value is. We see sometimes there are challenges with people being able to articulate the business case for an automation, and it can almost always be resolved by having that business case be the first step, and qualifying and identifying an automation candidate. >> And how does that apply to Mongo? 
Do you, where are you thinking about scaling, in your opinion? >> It's interesting because, you know, initially we thought that we will, you know, explore one area in MongoDB. And the other thing that we did was we did road shows. So because we had to create some awareness in the company that we have UiPath there's something called bots. There's something called, you know, automation that we can do, so we created a presentation with small demos inside it and, you know, circulated it within the company. Different departments tried to explain what we can achieve. And based off of that, you know, we came up with a laundry list of all the automations that different departments needed. And out of that, you know, we started doing the business case, the value, you know, trying to come up with complexity, effort. We did a full estimation matrix and based off of that we came, okay, these are the top 20 that we should build first. And as soon as we built those top 20, we saw a skyrocket, you know, growth and - >> And you're looking for hard dollars, right? >> Yes, yes. Absolutely. >> Okay, just to be clear. >> Devika, I think Mongo also is great at taking a data driven approach to looking at their program. Do you want to share how you do that? >> Yes, absolutely. So one thing that we were very sure was we have to talk in terms of numbers because that's the only solid way to see growth. And what we did was, you know, we got insights, we started doing full metrics in terms of dollar saved, hour saved, and we are trying to track how every process is impacting, you know, in the grand scheme of things. Like say for example, for finance, are we shortening the close cycle in any shape or form by doing these two or three automations that we are doing? And I'm happy to report that we have really shortened our close cycle from where we started. >> Your quarter end or month end close. >> Correct, yes. >> Daily? You at the daily close yet, (all laugh) or the "John Chambers"? 
>> Drive everyone nuts. First I have to say, I could feel the audience sort of smiling as they see, as they hear from MongoDB, disruptor of legacy databases being cautious in their internal approach to change. As everyone else is. >> Exactly, yeah. >> But Todd, just sort of, double clicking on this idea of kind of stove pipes of capabilities in the RPA space. I mean OCR, being added to NetSuite, I'm not sure if that's the greatest example, but the point is Lydonia will work with all of those technologies to synthesize something. Is that correct? Or are you a UiPath only? >> Both. So we exclusively use UiPath with our customers. We don't use other RPA platforms. >> Okay. >> And we don't because, not because we can't, but because we don't believe that anything else is going to be as quick or as effective. Also, it's the only platform that is as broad and comprehensive as it needs to be to deliver outcomes to our customers. We have partnerships with other companies that have gaps where UiPath isn't currently playing, but the number of companies and the number of gaps has shrunk down to almost nothing these days. And we're well placed as UiPath continues to grow their platform to take advantage of that and leverage that to deliver outcomes to customers. >> It was a great story of starting small, being careful. >> Yes. >> And prudent, from a security standpoint, especially as a public company. And then it sounds like there's virtually unlimited opportunity. >> Yes, absolutely, absolutely. >> For you guys. Great story, thank you very much for sharing it. Appreciate it. >> Thank you. >> All right, good luck. All right, thank you for watching. Keep it right there. Dave Nicholson and Dave Vellante will be back from UiPath Forward5 from the Venetian in Las Vegas. Be right back. (upbeat music playing)
Rob Picard, Vanta | CrowdStrike Fal.Con 2022
>> Hi, we're back, day two of Fal.Con 2022. We're live from the ARIA in Las Vegas, SiliconANGLE's theCUBE. My name is Dave Vellante and Rob Picard is here. He's the security lead for Vanta, a company that CrowdStrike just made an investment in. Rob, thanks for coming to theCUBE. >> Thank you very much. Happy to be here. So >> That's big news. You know, you got a, a big name, like CrowdStrike, strategic investment. Tell us about that. >> Yeah, it's very exciting because CrowdStrike obviously is, you know, a major name in the security space and Vanta is really leading the way in a lot of the compliance automation, but being able to sort of dip into that, that security space more and more, having CrowdStrike behind us is huge. >> What is compliance, compliance automation? Tell us more about what Vanta does. Yeah. >> So Vanta ultimately is a tool that gives you an automatic way to prepare for your SOC 2 audit or your ISO 27001 audit or, you know, insert long list of dozens of standards we're working on here. But in the olden days you would provide a thousand screenshots to an auditor that proves that for the past year, past six months, you've been doing what you say you're doing. Vanta just plugs directly into your systems and proves that evidence to them without the need for all of >> That. Okay. So software as a service and you, yeah. Software charge monthly or okay. >> Yeah, something like that. >> Educate me, if I'm cloud first or cloud only, can't I just pull a SOC report off of AWS and send that to the auditors and say, here you go? >> That'll help. Right? Like if you, if you do that, if you're in AWS and you pull their, you know, I think their Security Hub, you can pull some of these controls in. Right. But the question is, what do you do then about your endpoints, right? What do you do about, hey, did we offboard everybody from all of the systems we have enabled, right? All of the SaaS systems we use.
And so what Vanta does is we integrate with AWS, but we also integrate with every other system you're using, including your HR system and your identity provider, to make sure that, hey, you know, all of these things are, are working in sync to ensure your compliance. So >> You're a relatively new parent, but you ever, you know, the book, If You Give a Mouse a Cookie, you will, you will, the whole thing is you give a mouse a cookie, and then 8 million things happen, all these other dependencies. And it goes around and around and around. Yes. He's gonna want some milk. Okay. I feel like it's the same thing in your world, right? I mean, there is, is, is there an end, when do you know you're done? >> Yeah. I mean, ultimately, you know, you're done when the auditor hands you your SOC 2 report, you know, you have your at stage, you say, hey, I'm SOC 2 compliant. Or, you know, your ISO cert, but even then it's gonna keep going. Right. I think the tricky part is there are some key systems that you, you want to have, you know, your eyes on and you wanna be monitoring and making sure that, hey, in a year from now, when that audit happens, I'm not gonna be surprised at what they find. Right. And those are gonna be your cloud provider. Right. Those are gonna be your HR system telling you when people joined, when people left, and those are gonna be your identity provider and your endpoints, right. >> Are you guys obviously compliance experts? Is, is it really a matter of sort of codifying that expertise? Or is there a machine intelligence component involved, you know, discovery? How does it work? >> That's a great question, actually. And I think part of it is, you know, encoding that expertise in the product and making sure that, you know, there's not necessarily, you know, if you ask any given SOC 2 auditor for like, hey, what controls should I be using that you're gonna audit me against? And it's your job to come up with the control.
So they'll provide you some, you know, their set, but it's gonna be different between them, right? The standard itself is not a list of controls, but what we can do is we can provide you that list of controls and say like, hey, we've actually worked with a ton of auditors and they've worked with us and we can say, this is what you need to do to get started here. And then if you have custom controls to add later, you want you, you can do that. >> But so there's part of that's encoding the expertise, but then part of it is just understanding the world of, of the auditors enough that we can help guide you through it. Because, you know, like you said, you can go to AWS, you can get download a report, right. That says, look, I have, you know, these SOC 2 controls passed right now, but the question is, you know, you still have to then go hand that to an auditor, have conversations with them, get through all of their questions back to you. And that can get really, really in the weeds. So we have like teams of experts who sit on calls with auditors and customers and help them through this stuff when needed. Right. And hopefully it's not needed as much when you're, you know, automating most of it. So >> That's a, a component of your offering is, is a services capability. Is that part of the offering? Is that a for pay service? >> Yeah. So, you know, you have to talk to the sales team to understand how they bundle it all, but, you know, essentially we have these professional services teams and these partners that jump in, I think a lot of times it really is just, hey, like the auditor asks this question. We don't know how to answer it. We'll send somebody to jump on, >> Let's jump on a call. Exactly. But if you need more intense, you >> Know, work services, then maybe that's available. Yeah. >> Okay. And, and is there a privacy aspect of your software? >> Yeah. So Vanta software does actually also support GDPR and CCPA to kind of help you.
You know, it's hard to get your head around that stuff. You wanna talk about like encoding expertise, you know, having people inside Vanta who can talk through the product and say like, hey, this is what we need to test for in a customer's environment. And this is what we need to point to that maybe, you know, you can't automatically test for, but we can give them some template policies or, or procedures for them to have in their company. And we can provide all of that to try to, to help you feel good about, hey, we're, we're compliant with GDPR or we're compliant with CCPA and we're not gonna have problems here. And, >> And data, data sovereignty I presume is, is part of that. Like, >> You know, data sovereignty, man. I'm not the expert on data sovereignty. I'll tell you that. But I know that is definitely a part of that. I don't know, you know, how deep it goes when it comes to, you know, the requirements of any given company. >> Well, it's tricky because a lot of it hasn't been tested in the, in courts of law. That's just sort of guidelines there. Yeah. And then a lot of times you don't, how do you really know where the data is? Right. I mean, you kind of can infer it, but, >> And you can get real clever. You can start encrypting data that sits somewhere here, but you have the keys over here and say, no, no, no, the keys are in the right country. You know, that counts, >> Right. It gets real tricky. It's not really been tested that the logic of that, what are the hard parts of what you guys do and, and, and what makes you different from everybody else out there? >> Yeah. I mean, I think I'd say a couple things are, are really hard about what we do, right. One is maintaining good reputations with auditors because the goal is ultimately that an auditor sees Vanta and they say, okay, Vanta says that checkbox is checked. I don't have to worry about it. And that's where we are with so many auditors today. Right.
But that wasn't like that in the beginning, in the beginning, it was, you know, hey, we're showing you the code that actually looks and checks that box. Right. But the other hard part is just integrating with the long tail of systems that every customer needs, right? Like if you use a certain HR system and we don't support it, then that's gonna really dampen your value that you get outta the product. So the engineering challenge is maintaining a reliable set of both high quality tests and high quality integrations with these surfaces, >> What are the synergies with, with CrowdStrike kind of, you know, it's, maybe it seems obvious, but explain where you pick up and where they leave off. >> Yeah. I think that's a, that's a great point. So, you know, we have a very, like a very, a very simple agent that will run. If you need something on your laptop that says, hey, look, this laptop, the disk is encrypted, right? The screen lock is set appropriately for my controls, right? So we have some, some basic capabilities, it's based on osquery for, for those interested, but it's not a full-fledged endpoint protection platform. Right. And that's where something like CrowdStrike can come in where we can integrate with them and say, okay, hey, if you're ready to move on to something that's, that's a little bit more full-fledged and a little bit more of a, you know, gonna protect you against malware and that sort of thing. Then you can move onto CrowdStrike and we can integrate directly with them and we can pull all the information we need and we can check all those boxes for you that say, hey, you have appropriate malware protection, you have disks encrypted, you have whatever it may be. Right. We can pull that information from them. And we can also help you make sure that the people who have access to CrowdStrike itself in your company are the right set of people. >> Who do you sell to, do you sell to the audit function within a company? Or do you sell directly to big auditors? Both.
>> So it's, we're mainly selling to the whoever's responsible for getting that SOC 2, getting that ISO, getting GDPR, you know, all these sorts of things at a company, right? So for a small business, right, a startup that's like two people could >> Be the developer >> Team. Exactly. We're selling either to the founders or developers or something like that. And we're saying, hey, you don't wanna think about this at all. We can get you like 80% of the way there without having to send a single screenshot. And then there's like 20% of like, all right, we'll help you, you know, partner you with the right auditor. That's good for your company and, and get you over the line. But then as we go and we sell to a mid-market company, or, you know, even potentially an enterprise, we're talking to people who have very specific expertise in either security or compliance, who also don't wanna have to do all this manual work. >> And it's a pure SaaS model. It runs in the cloud. How does it work? I just point it at whatever software I want to, to, to, to get, you know, certified >> That's exactly right. It's, it's pure SaaS. You go to, you know, app.vanta.com. You log in and then you go to the integrations page, right. You're, you're starting fresh. And you say, okay, well, AWS, here's how you integrate AWS. Right? We use their assume role functionality and stuff like that to pull in, you know, read only data from AWS. And then you can also go to your Okta and you can say, okay, well, I can connect here through Okta, through, you know, an Okta app or I can connect to my Google through an OAuth that has the right permissions. So we try to just limit the amount of permissions we have or the scope of our, our, you know, roles. But really it's just, you know, it's all API based integrations that we then just pull the data. We need to prove that you're doing what you say you're doing all >> Well, Rob, congratulations on the funding and the activity here at, at CrowdStrike. Good show.
So, you know, good luck to you in the future. >> Thank you very much. All right. >> You're very welcome. All right. Keep it right there. Dave Vellante for theCUBE. We'll be right back, but right after this short break from Fal.Con 22, live from the ARIA in Las Vegas,
Anthony Cunha, Mercury Financial & Alex Arango, Mercury Financial | CrowdStrike Fal.Con 2022
(upbeat music) >> Welcome back to Fal.Con 22. We're here at the ARIA hotel in Las Vegas. We're here in Las Vegas, a lot. Dave Nicholson, Dave Vellante. Fal.Con 22, wall to wall coverage, you're watching theCUBE. Anthony Cunha is here. He's the chief information security officer at Mercury Financial. And he's joined by his deputy CISO, Alex Arango. Welcome, gentlemen. >> Good to see you. >> Thank you very much. Good to be here. Thank you for the opportunity to speak. >> Yeah, so this is a great event. This is our first time being at a CrowdStrike customer event. We do a lot of security shows, but this is really intimate. We got a high flying company. Tell us first about, of Mercury Financial. What are you guys all about? >> Oh, that's a fantastic question. Let's leeway into that. So Mercury Financial is a credit card company that serves people who are near prime. So be it some kind of hardship in their life. They had something impacted, be a financial impact, maybe a medical impact, an emergency, something, a death family where somehow their credit was impacted. We give 'em the opportunity through our motto, better credit, better life, to build up that credit score to add livelihood to their ability to be financially stable. >> I mean, I think this is huge because you know, so many people it's like, okay, one strike and you're out. >> Right. >> You know, that's just not right. You got- >> No, not at all. >> You got to give people another chance. And so there's so much talent out there. I think about some of the mistakes I made, Dave, when I was a younger man, but- >> No comment. >> Right. So I heard a stat today that I thought was great. Did you guys see the keynote? >> Yes. >> Of course. >> So in the keynote, the, they did the thing at Black Hat but they said what's XDR and I thought- >> Oh goodness. >> My favorite, and I'm not going to ask you what XDR is. >> Okay, good, thank God. >> But my favorite answer was a holistic approach to endpoint security.
And, you know, I think as a CISO you have to take a holistic approach to a security- >> Of course. >> Okay. >> Maybe talk about, a little bit about how you do that. >> Wow, a holistic approach I would say and I could, I'll give you an opportunity to speak as well, but a holistic approach, it's people, processes, and technology. So a holistic approach would be, it isn't one box that you check. It's not a technology that is a silver bullet that fixes anything. Those technologies, those services are implemented by people. So good training, our human firewall, the forefront of implementing those technologies to build those processes and incorporate people and a level of sincerity and integrity that we build. So I feel like a holistic approach is both cyber culture to build the cyber resilience program that we so dearly need. >> And I could spend all day talking about security organizations, SecOps, DevSecOps, data SecOps, et cetera, but, but Alex, how, what is your role as the deputy CISO? How do you complement what Anthony does? >> I got to bring it all together, right? So technically, what are we putting in place? What are the requirements that these stakeholders have? Their needs, their wants. We all have something that we need and want in our environment as an employee, as a customer, as a stakeholder. How do we get that to market? How can we get it there quickly? You know, and it's really about finding the partners that can get us there, right? That can leverage us, that can force multiply us. >> Yes. >> You know, give my people more time to get the work done, the good work. >> Right, the hard work, of course. >> So paint a picture. You know, we hear a lot about all the different, the bevy of tools, the, how complicated CISOs tell us all the time, that we just don't have enough talent. We're looking for partners to help us compromise, but paint a picture of your environment and how you guys use CrowdStrike. >> Oh, that's a good one. Do you want to take this one?
>> Great one, right? I mean, we leverage CrowdStrike at every way we can. We're a Falcon Complete customer. So they're an extension of our team. They're an extension of our SOC, right? >> Yeah. >> We leverage them for many things. We leverage them to understand the risk in our environment. Where we're at in zero trust. How we can really bring a lot of the new processes that the business wants to market, right? How can we get there as fast as possible? Can we make it secure, right? I'm a Mercury card customer also. So I'm, I have a vested interest in that. And I like to drive that, that's, so it comes down to can you align your holistic approach, or your organizational goals and bring that to a really good security product that is world class? >> And I can add a little bit to that as well. So I look at it as a triangle. So we leverage Falcon Complete as that first level, tier one triage, people who do and understand the product extremely well, we leverage them quite a bit. We also have a VSOC service that we have this like, consider tier two or the middle of the triangle, by Verse, right? >> Yeah. >> Fantastic boutique security company that just has been working with us year over year, innovation, strategic initiatives, always there to play. And then Alex Arango, and the threat management team, is our top tier, that's tier three, that's the top of the pyramid. By the time it bubbles up to Alex, that's when the real work happens, everyone's triaging, collecting data, putting together pieces. And then Alex and his teammates, and people that he's trained, fantastic, comes and puts it all together and paints a picture so we can then take that information and describe it in layman's terms, simple terms, to the business, to make them understand the level of risk, what we have to do to get to, and through that attack, or that indication of compromise, et cetera, so that we can remediate it, rectify it. >> Right, it's building that security culture foundation, right?
It's getting everyone to buy into that. >> Yeah. >> It's a holistic approach and it's really the best way to do it, right? You get bought in from the stakeholders, understand what they need to do, and what the goals of the business are. And it really works really well. >> We journey together. >> We build a program together. >> Dave, I think that that cultural aspect is critical. 'Cause I've said many times, bad user behavior trumps good security every time. >> Yeah, absolutely. >> Oh goodness. >> Every time. >> Nicely put, I like that. >> So, I know we're early in the week still, but we did have the keynote. Is there anything that you are hearing, in terms of vision, that piques your interest specifically, and then also sort of the follow up question is, are you guys kind of like lifeguards who can't ever relax at the beach? >> That's why I have a deputy CISO. Well, nobody can take time off, we have to share this. Of course we do. Most definitely. What would you say would be the next, most innovative thing that we're looking for? >> Yeah, what's the next big thing, as far as you're concerned? >> The next biggest thing is definitely building the relationships we have. As we bring in new technologies, we go even more Cloud native. How do we leverage that expertise, that of the partners that we're bringing on board like Zscaler, CrowdStrike, Verse, right? How do we make them a part of the team, and make them perform, bring that world class quality talent across the spectrum, you know, from DevOps to that security analyst, picking up the phone and saying, I'm not really sure what's going on, but there's a culture that's built there where everybody comes to the table to feed, right? We all eat together. >> The ecosystem. >> Yes. >> That is the tooling that we leverage day in and day out. That's how we sleep at night. We have to pick our partners. >> You know, we talked about the ecosystem up front, and you look around, you can see the ecosystem and it's growing. >> Yes.
>> And I predict it's going to grow a lot more. >> Yes. >> That's, and it has to, right? I mean, exactly what you're saying is that no one company can do it alone. And we heard, you know, we heard, it is confusing. You hear CrowdStrike's doing Identity, but then they partner with Okta. Right, and they're here out on the floor. So that's what you guys need. Talk a little bit more about the importance of ecosystem and partnerships from your perspective. >> Oh I got a good one for this. So I use the metaphor of having a restaurant. So we run a restaurant really well. We know what we want in the menu. We have a chef, we know how we want to put together, but we need excellent ingredients. You make muffins well. Bring your muffin into the restaurant. That brings and builds that rapport. That I want the menu to be rich and empower people to come in and say, you know, I've never had scallops or octopus before, I hear you guys make it better than anyone else, well, our ingredients are fantastic. Therefore, no matter what we do when we present it, it's perfect, it's palatable. >> Yeah. That's great. You're not making ice cream, but you're serving it. >> I can't, if you ever want to show us. >> We're just converging our bakery, you know? >> Yeah, yeah, yeah, salt, salt is the key. >> We're just working the bakery part out, yeah. >> Okay, I want to ask you about Cloud because you know, in 2010, 2011, when you talk to a financial services firm, Cloud, no, that's an evil word, now everybody's Cloud first. George Kurtz talks about how, I mean essentially CrowdStrike is dogmatic. We are Cloud native. We have a Cloud native architecture. I know Gartner has this term CNAP or Cloud native application platform. So what does the Cloud mean to you guys? How does it fit in? What does Cloud native architecture do for you? >> It lets us converge everything we've been talking about. How do we, you know, that's a really big struggle that all security teams are having at, having today.
How do I converge threat intelligence? How do I converge the environment that I'm in? How do I converge the threat intel that's coming in, right? All this, you're getting, security teams are constantly on a swivel, right? They're looking left, they're looking right. They're trying to identify what to do first. And you bring in the right partners. >> Yes. >> And you get in, you build the right program. You cement that culture internally. And it really provides dividends. >> You know what I think as well, Dave, is in the past, everyone was more data center based. >> Right. >> The Cloud was like a thing we'd forklift, we'd move over, we were born in the Cloud. So Cloud native Application protection is something that we need and will drive innovation. Will align with our strategic initiatives. We need people to think like the Cloud is what's happening. Super Cloud, some of the things that we spoke about. >> Yeah, so I was at, when we were at re:Inforce, I had this new mental model emerge, and it sort of hit me in the face. And you tell me, I'd love to talk to practitioners to say, yeah, that makes sense or, no, that's crap. So it seems like the Cloud has become the first line of defense for CISOs. Now you're Cloud first or Cloud native, so, okay. But then now you've got the shared responsibility model. And I don't know if you use multiple Clouds. Do you use multiple Clouds? >> We cannot say. >> Cannot say, okay, let's assume for a second, your, some of your colleagues, CISO colleagues, use multiple Clouds. >> They should, okay, sure. >> Now they've got multiple shared responsibility models. Now you've got also the application development team. They're being asked to be the pivot point to actually execute, they got to secure the platform. They got to secure the containers, their run time. >> Workloads, yes. >> And then you got audit behind you is kind of the last line of defense. So things are shifting.
Describe sort of the organizational dynamic that you see, not necessarily specific to Mercury Financial, or that would be cool, but generally in the industry. >> Oh, I would say, I could say this, that having Cloud, multitenancy Cloud or the super Cloud model where we could abstract our services, our protection, the different levels of security tooling, being able to abstract and speak a common language where you could run in Azure, GCP or AWS, and still have a common language that you can interpret and leverage between all the tooling would be something I would love to see. >> That's Super Cloud. >> A magical, that is that. >> That is a Cloud interpreter essentially. >> I think we use different words, but yes. >> A PaaS layer, super PaaS layer, sorry to take it too far. >> Yeah, like, I want to be able to abstract it and speak a language that would work in any of the- >> What does that do for you as a technology practitioner? >> Well, imagine if you had to speak three different languages with three different people, get lost in translation. If we could speak a common language across all the different platforms and all the different footprints, it would be easier to define our security posture. Where are we? Are we secure? You might say security groups in AWS, it might be, mean something else, but it's still a level of protection that surrounds the end point, right? Something that would abstract that level would be very fun. Very good for me. >> It's, you know, it's pretty easy to understand your use case for this. When you're talking about here we are, Mercury Financial, you have the most sensitive financial information about people, right? >> Right, absolutely. >> A data breach where all of the information about your customers getting out there on the dark web. Right? Heart attack time. >> Instantly. >> What are some things that people might not think about though, that are going on in your world?
What would surprise someone who maybe isn't a security specialist in terms of the things that you're dealing with as far as threats are concerned? >> I'm going to leave that on you. >> Can you think of some examples of things that you could, you know, obviously generic examples. >> Right. >> Yes. >> I'm going to point to the number one and two most common ways that applications and businesses are getting owned right now. And that's misconfigurations on your web app or a vulnerable application or phishing. And those are both very important things, right? A lot of development teams, they want to get things to market as soon as possible. And maybe security's on the back foot. It's about building that culture and to, you know, being Cloud native helps you have a, you can provide different tool sets to your organization that helps you understand that posture and makes you help those business decisions. Are we in a good posture to go forward right now? That's a big question that I think most security organizations need to ask themselves and the need to hold other stakeholders accountable. >> So phishing and the concept of social engineering, still alive and well? >> Oh, goodness. >> Always. >> Everything starts with people. The human firewall has to be front of mind. Security can't be an afterthought or a bolt on, that's something that you think about, well, I guess if I have to meet our compliance, it doesn't work with us. >> Comes back to the culture that you're actually talking about before. >> 100%, yeah, cyber resiliency starts with cyber culture. >> Kevin Mandia has said it today. I, never underestimate the adversary. The adversary- >> Of course. >> Is highly capable, motivated, big ROI and it just keeps getting bigger. The more technology gets embedded into our lives. The more lucrative hacking becomes. >> And more attack vectors. We have more areas that we could be potentially penetrated. >> They have a lot of time. Those threat actors have a lot of time.
>> They do have a lot of time, yeah. >> Right. >> Right and to your point, you're constantly on the swivel. Right, you don't have time. >> Right. >> No, we don't. >> So do your responsibilities touch on things like fraud detection as well? >> Yeah, oh, that- >> Is that a silly question? I'm thinking- >> Yeah, no, it really is, so- >> No, not at all. >> Or there isn't segregation between what we would think of as IT and the credit card transaction that fires up a red flag. >> Those are integrated. >> It's definitely important. And in any business, right? Is to, like I mentioned, I use this word a lot converge, right? It's converging that intel, that fraud intelligence and making it into a process where we're reducing the risk and the losses that the business is incurring. >> Yes. >> It's so important, right? That we build that culture within the fraud teams, the operational teams, the, you know, really anybody who has a really large stake in whatever the business product is. And, you know, being Cloud native, bringing in the right partners, building that security culture. I mean, that's the biggest one. >> Yeah, we've flown. >> It's last and definitely not least, it is, the culture's where you need to be. >> Absolutely. >> You know, you guys, I'm sure, you know, work with a lot of different vendors, a lot of tools, or sometimes the tools are point tools, they're best of breed. CrowdStrike says it wants to be a generational company. >> Oh, yeah. >> It says this notion of an unstoppable breach is a myth. You guys can't live that way. You have to assume you're going to breach but can CrowdStrike be a generational company? >> I think they've proven themselves. They've been around over a decade now. It's 11 years. They just had their birthday yesterday, right? >> Yeah. >> Or anniversary, the company started? >> Yeah. 11 years, yeah. >> I absolutely, and I also agree to add it a little bit part, from the fraud part. 
I think CrowdStrike would be an integral piece of the overall solution that we have. It hits so many different aspects and looks at so many different potential attack vectors. I keep using that word, but I think integrating fraud in other parts and other functions of the business will start to see that they can leverage CrowdStrike. That there's tooling within CrowdStrike innovatively, like ahead of the game. And I always like that about CrowdStrike, being way ahead of the game and thinking in front of our adversaries. I think other departments will be like, what tools do you have, how can we use them? This is fantastic, this makes us feel better. We don't have to worry about that. We can focus in on what we're good at and build that best of breed solution. So fraud can focus on fraud and you can leverage the tooling and the infrastructure that we provide them together holistically to build a security program that's beyond reproach. >> Guys, we got to go, great perspectives. Always love having the practitioners on. >> Yeah, thank you. >> I really appreciate your time, thank you. >> Yeah, absolutely, always a pleasure. Thank you so much for your time. >> Anthony, Alex, Dave and Dave will be right back, right after this short break. You're watching theCUBE from Fal.Con 2022 from the ARIA in Las Vegas. >> Cheers my friend. >> Yeah, of course. (cheerful music)
Ed Casmer, Cloud Storage Security & James Johnson, iPipeline | AWS Startup Showcase S2 E4
(upbeat music) >> Hello, everyone. Welcome back to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting startups from the AWS ecosystem. And talking about cybersecurity. I'm your host, John Furrier. Excited to have two great guests. Ed Casmer, founder and CEO of Cloud Storage Security, back CUBE alumni, and also James Johnson, AVP of Research and Development at iPipeline. Here to talk about cloud storage security antivirus on S3. James, thanks for joining us today. >> Thank you, John. >> Thank you. >> So the topic here is cloud security, storage security. Ed, we had a great CUBE conversation previously, earlier in the month. Companies are modernizing their apps and migrating to the cloud. That's fact. Everyone kind of knows that. >> Yeah. >> Been there, done that. Clouds have the infrastructure, they got the OS, they got protection, but the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more permanent now that you have hybrid cloud, cloud operations, cloud native applications. This is the core focus right now in the next five years. This is what everyone's talking about. Architecture, how to build apps, workflows, team formation. Everything's being refactored around this. Can you talk about how organizations are adjusting and how they view their data security in light of how applications are being built and specifically around the goodness of say S3? >> Yep, absolutely. Thank you for that. So we've seen S3 grow 20,000% over the last 10 years. And that's primarily because companies like James with iPipeline are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is, we have folks that are worried about the access of the data. How are they dealing with it? 
And so they're looking at configuration aspects. But the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And so we find these customers who do come to the realization that it needs to happen, finding out, asking themselves, how do I solve for this? And so they need lightweight, cloud native built solutions to deliver that. >> So what's the blind spot? You mentioned there's a blind spot. They're kind of blind to that. What specifically are you seeing? >> Well so, when we get into these conversations, the first thing that we see with customers is I need to predict how I access it. This is everyone's conversation. Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no east-west traffic there, once I've blocked the north-south? But what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users. Whether that's an employee, a customer, a partner. And so it's really, the blind spot is the fact that we find most customers not looking at whether that data is safe to use. >> It's interesting. When you talk about that, I think about all the recent breaches and incidents. "Incidents," they call them. >> Yeah. >> They've really been around user configurations. S3 buckets not configured properly. >> Absolutely. >> And this brings up what you're saying, is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar, am I correlating that properly? >> Absolutely. That's perfect. And we've seen it. We've had our own customers, luckily iPipeline's not one of them, that have actually infected their end users because they weren't looking at the data. >> And that's a huge issue. 
So James, let's get in, you're a customer partner. Talk about your relationship with these guys and what's it all about? >> Yeah, well, iPipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to under-insured and uninsured Americans, to make sure that they have the coverage that they need, should something happen. And our solutions have been around for many years. In a traditional data center type of an implementation. And we're in process now of migrating that to the cloud, moving it to AWS, in order to give our customers a better experience, a better resiliency, better reliability. And with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties or that are uploaded directly by end users that come to us from a source that we don't control. So it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs, as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud and being able to automatically scale based on load, based on need, to ensure that we get the performance that our customers are looking for. >> So tell me about your journey to the cloud, migrating to the cloud and how you're using S3 specifically. What led you to determine the need for the cloud-based AV solution? >> So when we looked to begin moving our applications to the cloud, one of the realizations that we had is that our approach to storing certain types of data was a bit archaic. We were storing binary files in a database, which is not the most efficient way to do things. And we were scanning them with the traditional antivirus engines that would've been scaled in traditional ways. So as our need grew, we would need to spin up additional instances of those engines to keep up with load. 
And we wanted a solution that was cloud native and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time and being able to scan dynamically. And also being able to move that out of the application layer, being able to scan those files behind the scenes. So scanning in, when the file's been saved in S3, it allows us to scan and release the file once it's been deemed safe rather than blocking the user while they wait for that scan to take place. >> Awesome. Well, thanks for sharing that. I got to ask Ed, and James, same question next. It's, how does all this factor in to audits and self compliance? Because when you start getting into this level of sophistication, I'm sure it probably impacts reporting workflows. Can you guys share the impact on that piece of it? The reporting? >> Yeah. I'll start with a comment and James will have more applicable things to say. But we're seeing two things. One is, you don't want to be the vendor whose name is in the news for infecting your customer base. So that's number one. So you have to put something like this in place and figure that out. The second part is, we do hear that under SOC 2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data, but it's certainly applicable. And if you want to achieve SOC 2 or you want to achieve some of these other pieces, you have to be scanning your data as well. >> Furrier: James, what's your take? As practitioner, you're living it. >> Yeah, that's exactly right. 
There are a number of audits that we go through where this is a question that comes up both from a SOC perspective, as well as our individual customers who reach out and they want to know where we stand from a security perspective and a compliance perspective. And very often this is a question of how are you ensuring that data that is uploaded into the application is safe and doesn't contain any vulnerabilities. >> James, if you don't mind me asking, I have to kind of inquire because I can imagine that you have users on your system but also you have third parties, relationships. How does that impact this? What's the connection? >> That's a good question. We receive data from a number of different locations from our customers directly, from their users and from partners that we have as well as partners that our customers have. And as we ingest that data, from an implementation perspective, the way we've approached this, there's a minimal impact there in each one of those integrations. Because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But this allows us to ensure that no matter where that data is coming from, that we are able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party whether that's our customer or somebody else. >> Yeah, I don't mean to get in the weeds there, but it's one of those things where, this is what people are experiencing right now. Ed, we talked about this before. It's not just siloed data anymore. It's interactive data. It's third party data from multiple sources. This is a scanning requirement. >> Agreed. I find it interesting too. I think James brings it up. We've had it in previous conversations that not all data's created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan. And other data you may generate internally. 
You don't have to be as compelled to scan that although it's a good idea, but you can, as long as you can sift through and determine which data is which and process it appropriately, then you're in good shape. >> Well, James, you're living the cloud security, storage security situation here. I got to ask you, if you zoom out and not get in the weeds and look at the board room or the management conversation. Tell me about how you guys view the data security problem. I mean, obviously it's important. So can you give us a level of how important it is for iPipeline and with your customers and where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view, what's the conversation like? >> Yeah. Well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the news because some data was exposed. That's something that nobody has the appetite for. And so data security is first and foremost in everything that we do. And that's really where this solution came into play, in making sure that we had not only a solution but we had a solution that was the right fit for the technology that we're using. There are a number of options. Some of them have been around for a while. But this was focused on S3, which we were using to store these documents that are coming from many different sources. And we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. >> What's the primary use case that you see the value here with these guys? What's the aha moment that you had? >> With the cloud storage security specifically, it goes beyond the security aspects of being able to scan for vulnerable files, which is, there are a number of options and they're one of those. 
But for us, the key was being able to scale dynamically without committing to a particular load whether that's under committing or overcommitting. As we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time and being able to scale up very dynamically, literally moving a slider within the admin console, was key to us to be able to meet our customer's needs without overspending, by building up something that was dramatically larger than we needed in our initial rollout. >> Not a bad testimonial there, Ed. >> I mean, I agree. >> This really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware other issues. And scale matters. Can you share your thoughts and reaction to what James just said? >> Yeah. I think it's critical. As the popularity of S3 has increased, so has the fact that it's an attack vector now. And people are going after it whether that's to plant bad malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale and you look at the cloud native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And in this case, we take a simple example like James. They did a weekend migration, so they've got new data coming in all the time, but we did a massive migration 5,000 files a minute being ingested. And like he said, with a couple of clicks, scale up, process that over sustained period of time and then scale back down. So I've said it before, I said it on the previous one. We don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion that they can continue with their proper processing and their normal customer responses. >> Frictionless has to be key. 
I know you're in the marketplace with your antivirus for S3 on the AWS. People can just download it. So people are interested, go check it out. James, I got to ask you and maybe Ed can chime in over the top, but it seems so obvious. Data. Secure the data. Why is it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, you got ransomware, you got injection of different malicious payloads. There's a ton of things going on around the data. Why is this so obvious? Why isn't it solved? >> Well, I think there have been solutions available for a long time. But the challenge, the difficulty that I see, is that it is a moving target. As bad actors learn new vulnerabilities, new approaches and as new technology becomes available, that opens additional attack vectors. >> Yeah. >> That's the challenge, is keeping up on the changing world including keeping up on the new ways that people are finding to exploit vulnerabilities. >> And you got sensitive data at iPipeline. You do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. This brings me up, reminds me of the Sony hack, Ed, years ago. Companies are responsible for their own militia. I mean, cybersecurity is no government help for sure. I mean, companies are on the hook. As we mentioned earlier at the top of this interview, this really is highlighted that IT departments have to evolve to large scale cloud, cloud native applications, automation, AI machine learning all built in, to keep up at the scale. But also from a defense standpoint. I mean, James you're out there, you're in the front lines, you got to defend yourself basically, and you got to engineer it. >> A hundred percent. And just to go on top of what James was saying is, I think there, one of the big factors and we've seen this. There's skill shortages out there. There's also just a pure lack of understanding. 
When we look at Amazon S3 or object storage in general, it's not an executable file system. So people sort of assume that, oh, I'm safe. It's not executable. So I'm not worried about it traversing my storage network. And they also probably have the assumption that the cloud providers, Amazon is taking care of this for them. And so it's this aha moment. Like you mentioned earlier, that you start to think, oh it's not about where the data is sitting per se. It's about scanning it as close to the storage spot. So when it gets to the end user, it's safe and secure. And you can't rely on the end user's environment and system to be in place and up to date to handle it. So it's that really, that lack of understanding that drives some of these folks into this. But for a while, we'll walk into customers and they'll say the same thing you said, John. Why haven't I been doing this for so long? And it's because they didn't understand that it was such a risk. That's where that blind spot comes in. >> James, it's just a final note on your environment. What's your goals for the next year? How's things going over there on your side? How you look at the security posture? What's on your agenda for the next year? How are you guys looking at the next level? >> Yeah. Well, our goal as it relates to this is to continue to move our existing applications over to AWS to run natively there. Which includes moving more data into S3 and leveraging the cloud storage security solution to scan that and ensure that there are no vulnerabilities that are getting in. >> And the ingestion, is there like a bottlenecks log jams? How do you guys see that scaling up? I mean, what's the strategy there? Just add more S3? >> Well, S3 itself scales automatically for us and the cloud storage solution gives us leverage to pull to do that. As Ed mentioned, we ingested a large amount of data during our initial migration which created a bottleneck for us. 
As we were preparing to move our users over, we were able to make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So I don't see any immediate concerns there, being able to handle the load. >> The term cloud native and hyperscale native, cloud native, one cloud's hybrid. All these things are native. We have antivirus native coming soon. And I mean, this is what we're basically doing is making it native into the workflows. Security native. And soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed? What's working and what's needed? Ed, we'll start with you. What's your vision? >> So I think the notion of being able to look at and view the management plane and control that has been where we're at right now. That's what everyone seems to be doing and going after. I think there are niche plays coming up. Storage is one of them, but we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that. But in AWS, it's going to be less about S3. Less about WorkDocs, less about EBS. It's going to be just storage and you're going to need a solution that can span all of that to go along with where we're already at the management plane. We're going to keep growing the data plane. >> James, what's your vision for what's needed in the industry? What's the gaps, what's working, and where do you see things going? >> Yeah, well, I think on the security front specifically, Ed's probably a little bit better equipped to speak to them than I am since that's his primary focus. But I see the need for just expanded solutions that are cloud native that fit and fit nicely with the Amazon technologies. Whether that comes from Amazon or other partners like Cloud Storage Security to fill those gaps. 
We are focused on the financial services and insurance industries. That's our niche. And we look to other partners like Ed to help be the experts in these areas. And so that's really what I'm looking for, is the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. >> Well, James, I really appreciate you coming on, sharing your story and I'll give you the final word. Put a quick, spend a minute to talk about the company. I know Cloud Storage Security is an AWS partner with the security software competency and is one of I think 16 partners listed in the competency and the data category. So take a minute to explain what's going on with the company, where people can find more information, how they buy and consume the products. >> Okay. >> Put the plug in. >> Yeah, thank you for that. So we are a fast growing startup. We've been in business for two and a half years now. We have achieved our security competency as John indicated. We're one of 16 data protection security competent ISV vendors globally. And our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with and answer basic questions. What do I have and where is it? Is it safe to use? And am I in proper control of it? Am I being alerted appropriately? So we're building this storage security platform, very laser focused on the storage aspect of it. And if people want to find out more information, you're more than welcome to go and try the software out on Amazon marketplace. That's basically where we do most of our transacting. So find it there. Start a free trial. Reach out to us directly from our website. We are happy to help you in any way that you need it. Whether that's storage assessments, figuring out what data is important to you and how to protect it. >> All right, Ed. Thank you so much. Ed Casmer, founder and CEO of Cloud Storage Security. 
And of course James Johnson, AVP of Research and Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition, certainly needed. This is season two, episode four. Thanks for joining us. Appreciate it. >> Casmer: Thanks John. >> Okay. I'm John Furrier. That is a wrap for this segment of the cybersecurity season two, episode four. The ongoing series covering the exciting startups from Amazon's ecosystem. Thanks for watching. (upbeat music)
Snehal Antani, Horizon3.ai | AWS Startup Showcase S2 E4 | Cybersecurity
(upbeat music) >> Hello and welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting hot startups from the AWS ecosystem. Here we're talking about cybersecurity in this episode. I'm your host, John Furrier here we're excited to have CUBE alumni who's back Snehal Antani who's the CEO and co-founder of Horizon3.ai talking about exploitable weaknesses and vulnerabilities with autonomous pen testing. Snehal, it's great to see you. Thanks for coming back. >> Likewise, John. I think it's been about five years since you and I were on the stage together. And I've missed it, but I'm glad to see you again. >> Well, before we get into the showcase about your new startup, that's extremely successful, amazing margins, great product. You have a unique journey. We talked about this prior to you doing the journey, but you have a great story. You left the startup world to go into the startup, like world of self defense, public defense, NSA. What group did you go to in the public sector became a private partner. >> My background, I'm a software engineer by education and trade. I started my career at IBM. I was a CIO at GE Capital, and I think we met once when I was there and I became the CTO of Splunk. And we spent a lot of time together when I was at Splunk. And at the end of 2017, I decided to take a break from industry and really kind of solve problems that I cared deeply about and solve problems that mattered. So I left industry and joined the US Special Operations Community and spent about four years in US Special Operations, where I grew more personally and professionally than in anything I'd ever done in my career. And exited that time, met my co-founder in special ops. And then as he retired from the air force, we started Horizon3. >> So there's really, I want to bring that up one, 'cause it's fascinating that not a lot of people in Silicon Valley and tech would do that. 
So thanks for the service. And I know everyone who's out there in the public sector knows that this is a really important time for the tactical edge in our military, a lot of things going on around the world. So thanks for the service and a great journey. But there's a storyline with the company you're running now that you started. I know you get the jacket on there. I noticed get a little military vibe to it. Cybersecurity, I mean, every company's on their own now. They have to build their own militia. There is no government supporting companies anymore. There's no militia. No one's on the shores of our country defending the citizens and the companies, they got to fend for themselves. So every company has to have their own military. >> In many ways, you don't see anti-aircraft rocket launchers on top of the JP Morgan building in New York City because they rely on the government for air defense. But in cyber it's very different. Every company is on their own to defend for themselves. And what's interesting is this blend. If you look at the Ukraine, Russia war, as an example, a thousand companies have decided to withdraw from the Russian economy and those thousand companies we should expect to be in the ire of the Russian government and their proxies at some point. And so it's not just those companies, but their suppliers, their distributors. And it's no longer about cyber attack for extortion through ransomware, but rather cyber attack for punishment and retaliation for leaving. Those companies are on their own to defend themselves. There's no government that is dedicated to supporting them. So yeah, the reality is that cybersecurity, it's the burden of the organization. 
And also your attack surface has expanded to not just be your footprint, but if an adversary wants to punish you for leaving their economy, they can get, if you're in agriculture, they could disrupt your ability to farm or they could get all your fruit to spoil at the border 'cause they disrupted your distributors and so on. So I think the entire world is going to change over the next 18 to 24 months. And I think this idea of cybersecurity is going to become truly a national problem and a problem that breaks down any corporate barriers that we see in previously. >> What are some of the things that inspired you to start this company? And I loved your approach of thinking about the customer, your customer, as defending themselves in context to threats, really leaning into it, being ready and able to defend. Horizon3 has a lot of that kind of military thinking for the good of the company. What's the motivation? Why this company? Why now? What's the value proposition? >> So there's two parts to why the company and why now. The first part was what my observation, when I left industry realm or my military background is watching "Jack Ryan" and "Tropic Thunder" and I didn't come from the military world. And so when I entered the special operations community, step one was to keep my mouth shut, learn, listen, and really observe and understand what made that community so impressive. And obviously the people and it's not about them being fast runners or great shooters or awesome swimmers, but rather there are learn-it-alls that can solve any problem as a team under pressure, which is the exact culture you want to have in any startup, early stage companies are learn-it-alls that can solve any problem under pressure as a team. So I had this immediate advantage when we started Horizon3, where a third of Horizon3 employees came from that special operations community. So one is this awesome talent. 
But the second part that, I remember this quote from a special operations commander that said we use live rounds in training because if we used fake rounds or rubber bullets, everyone would act like Medal of Honor winners. And the whole idea there is you train like you fight, you build that muscle memory for crisis and response and so on upfront. So when you're in the thick of it, you already know how to react. And this aligns to a pain I had in industry. I had no idea I was secure until the bad guy showed up. I had no idea if I was fixing the right vulnerabilities, logging the right data in Splunk, or if my CrowdStrike EDR platform was configured correctly, I had to wait for the bad guys to show up. I didn't know if my people knew how to respond to an incident. So what I wanted to do was proactively verify my security posture, proactively harden my systems. I needed to do that by continuously pen testing myself or continuously testing my security posture. And there just wasn't any way to do that where an IT admin or a network engineer could in three clicks have the power of a 20 year pen testing expert. And that was really what we set out to do, not build an autonomous pen testing platform for security people, build it so that anybody can quickly test their security posture and then use the output to fix problems that truly matter. >> So the value proposition, if I get this right is, there's a lot of companies out there doing pen tests. And I know I hate pen tests. They're like, 'cause you do DevOps, it changes, you got to do another pen test. So it makes sense to do autonomous pen testing. So congratulations on seeing that that's obvious to that, but a lot of others have consulting tied to it. Which seems like you need to train someone and you guys taking a different approach. >> Yeah, we actually, as a company have zero consulting, zero professional services. 
And the whole idea is that build a true software as a service offering where an intern, in fact, we've got a video of a nine year old that in three clicks can run pen tests against themselves. And because of that, you can wire pen tests into your DevOps tool chain. You can run multiple pen tests today. In fact, I've got customers running 40, 50 pen tests a month against their organization. And that what that does is completely lowers the barrier of entry for being able to verify your posture. If you have consulting on average, when I was a CIO, it was at least a three month lead time to schedule consultants to show up and then they'd show up, they'd embarrass the security team, they'd make everyone look bad, 'cause they're going to get in, leave behind a report. And that report was almost identical to what they found last year because the older that report, the one the date itself gets stale, the context changes and so on. And then eventually you just don't even bother fixing it. Or if you fix a problem, you don't have the skills to verify that has been fixed. So I think that consulting led model was acceptable when you viewed security as a compliance checkbox, where once a year was sufficient to meet your like PCI requirements. But if you're really operating with a wartime mindset and you actually need to harden and secure your environment, you've got to be running pen test regularly against your organization from different perspectives, inside, outside, from the cloud, from work, from home environments and everything in between. >> So for the CISOs out there, for the CSOs and the CXOs, what's the pitch to them because I see your jacket that says Horizon3 AI, trust but verify. But this trust is, but is canceled out, just as verify. What's the product that you guys are offering the service. Describe what it is and why they should look at it. >> Yeah, sure. So one, when I back when I was the CIO, don't tell me we're secure in PowerPoint. 
Show me we're secure right now. Show me we're secure again tomorrow. And then show me we're secure again next week because my environment is constantly changing and the adversary always has a vote and they're always evolving. And this whole idea of show me we're secure. Don't trust that your security tools are working, verify that they can detect and respond and stifle an attack and then verify tomorrow, verify next week. That's the big mind shift. Now what we do is-- >> John: How do they respond to that by the way? Like they don't believe you at first or what's the story. >> I think, there's actually a very bifurcated response. There are still a decent chunk of CIOs and CSOs that have a security is a compliance checkbox mindset. So my attitude with them is I'm not going to convince you. You believe it's a checkbox. I'll just wait for you to get breached and sell to your replacement, 'cause you'll get fired. And in the meantime, I spend all my energy with those that actually care about proactively securing and hardening their environments. >> That's true. People do get fired. Can you give an example of what you're saying about this environment being ready, proving that you're secure today, tomorrow and a few weeks out. Give me an example. >> Of, yeah, I'll give you actually a customer example. There was a healthcare organization and they had about 5,000 hosts in their environment and they did everything right. They had Fortinet as their EDR platform. They had user behavior analytics in place that they had purchased and tuned. And when they ran a pen test self-service, our product node zero immediately started to discover every host on the network. It then fingerprinted all those hosts and found it was able to get code execution on three machines. So it got code execution, dumped credentials, laterally maneuvered, and became a domain administrator, which in IT, if an attacker becomes a domain admin, they've got keys to the kingdom. 
So at first the question was, how did the node zero pen test become domain admin? How'd they get code execution, Fortinet should have detected and stopped it. Well, it turned out Fortinet was misconfigured on three boxes out of 5,000. And these guys had no idea and it's just automation that went wrong and so on. And now they would've only known they had misconfigured their EDR platform on three hosts if the attacker had showed up. The second question though was, why didn't they catch the lateral movement? Which all their marketing brochures say they're supposed to catch. And it turned out that that customer purchased the wrong Fortinet modules. One again, they had no idea. They thought they were doing the right thing. So don't trust just installing your tools is good enough. You've got to exercise and verify them. We've got tons of stories from patches that didn't actually apply to being able to find the AWS admin credentials on a local file system. And then using that to log in and take over the cloud. In fact, I gave this talk at Black Hat on war stories from running 10,000 pen tests. And that's just the reality is, you don't know that these tools and processes are working for you until the bad guys have shown. >> The velocities there. You can accelerate through logs, you know from the days you've been there. This is now the threat. Being, I won't say lazy, but just not careful or just not thinking. >> Well, I'll do an example. We have a lot of customers that are Horizon3 customers and Splunk customers. And what you'll see their behavior is, is they'll have Horizon3 up on one screen. And every single attacker command executed with its timestamp is up on that screen. And then look at Splunk and say, hey, we were able to dump vCenter credentials from VMware products at this time on this host, what did Splunk see or what didn't they see? Why were no logs generated? And it turns out that they had some logging blind spots. 
So what they'll actually do is run us to almost like stimulate the defensive tools and then see what did the tools catch? What did they miss? What are those blind spots and how do they fix it. >> So your product's called node zero. You mentioned that. Is that specifically a suite, a tool, a platform? How do people consume and engage with you guys? >> So the way that we work, the whole product is designed to be self-service. So once again, while we have a sales team, the whole intent is you don't need to have to talk to a sales rep to start using the product, you can log in right now, go to Horizon3.ai, you can run a trial log in with your Google ID, your LinkedIn ID, start running pen test against your home or against your network against this organization right now, without talking to anybody. The whole idea is self-service, run a pen test in three clicks and give you the power of that 20 year pen testing expert. And then what'll happen is node zero will execute and then it'll provide to you a full report of here are all of the different paths or attack paths or sequences where we are able to become an admin in your environment. And then for every attack path, here is the path or the kill chain, the proof of exploitation for every step along the way. Here's exactly what you've got to do to fix it. And then once you've fixed it, here's how you verify that you've truly fixed the problem. And this whole aha moment is run us to find problems. You fix them, rerun us to verify that the problem has been fixed. >> Talk about the company, how many people do you have and get some stats? >> Yeah, so we started writing code in January of 2020, right before the pandemic hit. And then about 10 months later at the end of 2020, we launched the first version of the product. We've been in the market for now about two and a half years total from start of the company till present. We've got 130 employees. We've got more customers than we do employees, which is really cool. 
And instead our customers shift from running one pen test a year to 40, 50 pen test. >> John: And it's full SaaS. >> The whole product is full SaaS. So no consulting, no pro serve. You run as often as you-- >> Who's downloading, who's buying the product. >> What's amazing is, we have customers in almost every section or sector now. So we're not overly rotated towards like healthcare or financial services. We've got state and local education or K through 12 education, state and local government, a number of healthcare companies, financial services, manufacturing. We've got organizations that large enterprises. >> John: Security's diverse. >> It's very diverse. >> I mean, ransomware must be a big driver. I mean, is that something that you're seeing a lot. >> It is. And the thing about ransomware is, if you peel back the outcome of ransomware, which is extortion, at the end of the day, what ransomware organizations or criminals or APTs will do is they'll find out who all your employees are online. They will then figure out if you've got 7,000 employees, all it takes is one of them to have a bad password. And then attackers are going to credential spray to find that one person with a bad password or whose Netflix password that's on the dark web is also their same password to log in here, 'cause most people reuse. And then from there they're going to most likely in your organization, the domain user, when you log in, like you probably have local admin on your laptop. If you're a windows machine and I've got local admin on your laptop, I'm going to be able to dump credentials, get the admin credentials and then start to laterally maneuver. Attackers don't have to hack in using zero days like you see in the movies, often they're logging in with valid user IDs and passwords that they've found and collected from somewhere else. And then they make that, they maneuver by making a low plus a low equal a high. 
And the other thing in financial services, we spend all of our time fixing critical vulnerabilities, attackers know that. So they've adapted to finding ways to chain together, low priority vulnerabilities and misconfigurations and dangerous defaults to become admin. So while we've over rotated towards just fixing the highs and the criticals attackers have adapted. And once again they have a vote, they're always evolving their tactics. >> And how do you prevent that from happening? >> So we actually apply those same tactics. Rarely do we actually need a CVE to compromise your environment. We will harvest credentials, just like an attacker. We will find misconfigurations and dangerous defaults, just like an attacker. We will combine those together. We'll make use of exploitable vulnerabilities as appropriate and use that to compromise your environment. So the tactics that, in many ways we've built a digital weapon and the tactics we apply are the exact same tactics that are applied by the adversary. >> So you guys basically simulate hacking. >> We actually do the hacking. Simulate means there's a fakeness to it. >> So you guys do hack. >> We actually compromise. >> Like Sneakers the movie, that Sneakers movie for the old folks like me. >> And in fact that was my inspiration. I've had this idea for over a decade now, which is I want to be able to look at anything, that laptop, this Wi-Fi network, gear in hospital or a truck driving by and know, I can figure out how to gain initial access, rip that environment apart and be able to pwn it. >> Okay, Chuck, he's not allowed in the studio anymore. (laughs) No, seriously. Some people are exposed. I mean, some companies don't have anything. But there's always passwords or so most people have that argument. Well, there's nothing to protect here. Not a lot of sensitive data. How do you respond to that? Do you see that being kind of putting the head in the sand or? 
>> Yeah, it's actually, it's less, there's not sensitive data, but more we've installed or applied multifactor authentication, attackers can't get in now. Well MFA only applies or does not apply to lower level protocols. So I can find a user ID password, log in through SMB, which isn't protected by multifactor authentication and still pwn your environment. So unfortunately I think as a security industry, we've become very good at giving a false sense of security to organizations. >> John: Compliance drives that behavior. >> Compliance drives that. And what we need. Back to don't tell me we're secure, show me, we've got to, I think, change that to a trust but verify, but get rid of the trust piece of it, just to verify. >> Okay, we got a lot of CISOs and CSOs watching this showcase, looking at the hot startups, what's the message to the executives there. Do they want to become more leaning in more hawkish if you will, to use the military term on security? I mean, I heard one CISO say, security first then compliance 'cause compliance can make you complacent and then you're unsecure at that point. >> I actually say that. I agree. One definitely security is different and more important than being compliant. I think there's another emerging concept, which is I'd rather be defensible than secure. What I mean by that is security is a point in time state. I am secure right now. I may not be secure tomorrow 'cause something's changed. But if I'm defensible, then what I have is that muscle memory to detect, respond and stifle an attack. And that's what's more important. Can I detect you? How long did it take me to detect you? Can I stifle you from achieving your objective? How long did it take me to stifle you? What did you use to get in to gain access? How long did that sit in my environment? How long did it take me to fix it? So on and so forth. But I think it's being defensible and being able to rapidly adapt to changing tactics by the adversary is more important. 
>> This is the evolution of how the red line never moved. You got the adversaries in our networks and our banks. Now they hang out and they wait. So everyone thinks they're secure. But when they start getting hacked, they're not really in a position to defend, the alarms go off. Where's the playbook. Team springs into action. I mean, you kind of get the visual there, but this is really the issue being defensible means having your own essentially military for your company. >> Being defensible, I think has two pieces. One is you've got to have this culture and process in place of training like you fight because you want to build that incident response muscle memory ahead of time. You don't want to have to learn how to respond to an incident in the middle of the incident. So that is that proactively verifying your posture and continuous pen testing is critical there. The second part is the actual fundamentals in place so you can detect and stifle as appropriate. And also being able to do that. When you are continuously verifying your posture, you need to verify your entire posture, not just your test systems, which is what most people do. But you have to be able to safely pen test your production systems, your cloud environments, your perimeter. You've got to assume that the bad guys are going to get in, once they're in, what can they do? So don't just say that my perimeter's secure and I'm good to go. It's the soft squishy center that attackers are going to get into. And from there, can you detect them and can you stop them? >> Snehal, take me through the use. You got to be sold on this, I love this topic. Alright, pen test. Is it, what am I buying? Just pen test as a service. You mentioned dark web. Are you actually buying credentials online on behalf of the customer? What is the product? What am I buying if I'm the CISO from Horizon3? What's the service? What's the product, be specific. >> So very specifically and one just principles. 
The first principle is when I was a buyer, I hated being nickel-and-dimed by vendors, which was, I had to buy 15 different modules in order to achieve an objective. Just give me one line item, make it super easy to buy and don't nickel and dime me. Because I've spent time as a buyer that very much has permeated throughout the company. So there is a single SKU from Horizon3. It is an annual subscription based on how big your environment is. And it is inclusive of on-prem internal pen tests, external pen tests, cloud attacks, work from home attacks, our ability to harvest credentials from the dark web and from open source sources. Being able to crack those credentials, compromise. All of that is included as a single SKU. All you get as a CISO is a single SKU, annual subscription, and you can run as many pen tests as you want. Some customers still stick to, maybe one pen test a quarter, but most customers shift when they realize there's no limit, we don't nickel and dime. They can run 10, 20, 30, 40 a month. >> Well, it's not nickel and dime in the sense that, it's more like dollars and hundreds because they know what to expect if it's classic cloud consumption. They kind of know what their environment, can people try it. Let's just say I have a huge environment, I have a cloud, I have an on-premise private cloud. Can I dabble and set parameters around pricing? >> Yes you can. So one is you can dabble and set parameters around scope, which is like manufacturing does this, do not touch the production line that's on at the moment. We've got a hospital that says every time they run a pen test, any machine that's actually connected to a patient must be excluded. So you can actually set the parameters for what's in scope and what's out of scope up front, most again we're designed to be safe to run against production so you can set the parameters for scope. You can set the parameters for cost if you want. 
But our recommendation is I'd rather figure out what you can afford and let you test everything in your environment than try to squeeze every penny from you by only making you buy what can afford as a smaller-- >> So the variable ratio, if you will is, how much they spend is the size of their environment and usage. >> Just size of the environment. >> So it could be a big ticket item for a CISO then. >> It could, if you're really large, but for the most part-- >> What's large? >> I mean, if you were Walmart, well, let me back up. What I heard is global 10 companies spend anywhere from 50 to a hundred million dollars a year on security testing. So they're already spending a ton of money, but they're spending it on consultants that show up maybe a couple of times a year. They don't have, humans can't scale to test a million hosts in your environment. And so you're already spending that money, spend a fraction of that and use us and run as much as you want. And that's really what it comes down to. >> John: All right. So what's the response from customers? >> What's really interesting is there are three use cases. The first is that SOC manager that is using us to verify that their security tools are actually working. So their Splunk environment is logging the right data. It's integrating properly with CrowdStrike, it's integrating properly with their active directory services and their password policies. So the SOC manager is using us to verify the effectiveness of their security controls. The second use case is the IT director that is using us to proactively harden their systems. Did they install VMware correctly? Did they install their Cisco gear correctly? Are they patching right? And then the third are for the companies that are lucky to have their own internal pen test and red teams where they use us like a force multiplier. 
So if you've got 10 people on your red team and you still have a million IPs or hosts in your environment, you still don't have enough people for that coverage. So they'll use us to do recon at scale and attack at scale and let the humans focus on the really juicy hard stuff that humans are successful at. >> Love the product. Again, I'm trying to think about how I engage on the test. Is there pilots? Is there a demo version? >> There's a free trials. So we do 30 day free trials. The output can actually be used to meet your SOC 2 requirements. So in many ways you can just use us to get a free SOC 2 pen test report right now, if you want. Go to the website, log in for a free trial, you can log into your Google ID or your LinkedIn ID, run a pen test against your organization and use that to answer your PCI segmentation test requirements, your SOC 2 requirements, but you will be hooked. You will want to run us more often. And you'll get a Horizon3 tattoo. >> The first hits free as they say in the drug business. >> Yeah. >> I mean, so you're seeing that kind of response then, trial converts. >> It's exactly. In fact, we have a very well defined aha moment, which is you run us to find, you fix, you run us to verify, we have 100% technical win rate when our customers hit a find, fix, verify cycle, then it's about budget and urgency. But 100% technical win rate because of that aha moment, 'cause people realize, holy crap, I don't have to wait six months to verify that my problems have actually been fixed. I can just come in, click, verify, rerun the entire pen test or rerun a very specific part of it on what I just patched my environment. >> Congratulations, great stuff. You're here part of the AWS Startup Showcase. So I have to ask, what's the relationship with AWS, you're on their cloud. What kind of actions going on there? Is there secret sauce on there? What's going on? >> So one is we are AWS customers ourselves, our brains command and control infrastructure. 
All of our analytics are all running on AWS. It's amazing, when we run a pen test, we are able to use AWS and we'll spin up a virtual private cloud just for that pen test. It's completely ephemeral, it's all Lambda functions and graph analytics and other techniques. When the pen test ends, you can delete, there's a single use Docker container that gets deleted from your environment so you have nothing on-prem to deal with and the entire virtual private cloud tears itself down. So at any given moment, if we're running 50 pen tests or a hundred pen tests, self-service, there's a hundred virtual private clouds being managed in AWS that are spinning up, running and tearing down. It's an absolutely amazing underlying platform for us to make use of. Two is that many customers that have hybrid environments. So they've got a cloud infrastructure, an Office 365 infrastructure and an on-prem infrastructure. We are a single attack platform that can test all of that together. No one else can do it. And so the AWS customers that are especially AWS hybrid customers are the ones that we do really well targeting. >> Got it. And that's awesome. And that's the benefit of cloud? >> Absolutely. And the AWS marketplace. What's absolutely amazing is the competitive advantage being part of the marketplace has for us, because the simple thing is my customers, if they already have dedicated cloud spend, they can use their approved cloud spend to pay for Horizon3 through the marketplace. So you don't have to, if you already have that budget dedicated, you can use that through the marketplace. The other is you've already got the vendor processes in place, you can purchase through your existing AWS account. So what I love about the AWS company is one, the infrastructure we use for our own pen test, two, the marketplace, and then three, the customers that span that hybrid cloud environment. That's right in our strike zone. >> Awesome. Well, congratulations. 
And thanks for being part of the showcase and I'm sure your product is going to do very, very well. It's very built for what people want. Self-service get in, get the value quickly. >> No agents to install, no consultants to hire. Safe to run against production. It's what I wanted. >> Great to see you and congratulations and what a great story. And we're going to keep following you. Thanks for coming on. >> Snehal: Phenomenal. Thank you, John. >> This is the AWS Startup Showcase. I'm John Furrier, your host. This is season two, episode four on cybersecurity. Thanks for watching. (upbeat music)
Ryan Farris, Anitian | AWS Startup Showcase S2 E4 | Cybersecurity
>>Hey everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four, where we continue to talk with the AWS ecosystem partners, this topic: cybersecurity, protect and detect against threats. I'm your host, Lisa Martin. I've got a new guest with me. Ryan Farris joins me, the VP of products and engineering at Anitian. Ryan, welcome to the program. Great to have you. >>Thank you so much for having me. >>So let's dig right in. Why are software vendors turning to Anitian to help them address and access the nearly for over 200 billion market public sector, federal market for cloud services? What is that key event? >>Yeah, it's it. If you know anything about FedRAMP and if you've looked into it, it takes a long time to achieve FedRAMP. So when customers kind of go into this cold and they're from Mars and they're like, what is FedRAMP? They usually find that it's an 18 month journey, maybe a 24 month journey. And so Anitian helps shorten that journey with lower costs and faster time to market. So if you're waiting for a revenue stream from, say, a government entity, we can get you there faster and get you to a, a state of FedRAMP certified in a shorter time period. And that's the value prop. >>Faster time to value is critical for organizations. So let's look at this journey as you talked about it. What does the path to compliance look like, specifically for AWS customers, with Anitian and without? Help us understand the value add. >>Yeah. So if you're doing it without Anitian, or if you're just kind of doing it yourself, which some customers choose to do, then they have to go on that journey and kind of learn about three primary things. One thing is how do I just write the entire package? Like, there's a thing called an SSP or a, a system security plan. And that thing is maybe seven or 800 pages long. And you have to author that all by yourself. So you can get help with that or not.
That's sort of the academic and, and, and tech writing piece of it. There's another piece of it around what does my environment look like? So as I am rolling out this FedRAMP solution, what are each piece in my environment that needs to be compliant with FedRAMP? And it's a voluminous amount of things, can be either a dozen or maybe up to a hundred things that you have to tweak and change. So there's a technical deployment story here as well. And then the third thing is keeping you compliant in your AWS environment after you've achieved kind of that readiness state. So the journey does not stop once you achieve FedRAMP ATO, it goes on and on and on, and Anitian helps customers kind of maintain and keep them there in that fully compliant state after achieving ATO. >>What's the timeframe for AWS customers in terms of going, alright, we realize we're going on this journey. It's challenging. We need Anitian's help. What's the timeframe to get them actually certified? >>Yeah. We look at the timeframe between the moment you deploy and the moment you start writing about that tech, that FedRAMP package, and when you're audit ready, and in the best case scenario, that could be a few months, right? But you're always, your mileage may vary based on kind of your application readiness and how ready you are to pursue that journey. So the fastest happy path is a few months to audit, an audit-ready state, but then you have, you kinda have to go through a process whereby you're in the queue for FedRAMP. And that can kind of take maybe an extra few months, but it really is that, that three month accelerated timeframe in the best case scenario. >>Got it. Three months accelerated timeframe. Are there other compliance standards besides FedRAMP that you help organizations get compliance with? >>Right. So it's a great question. So FedRAMP in and of itself is just really hard to get to.
It's just so many things that you have to do, but if you get to that state, it's based off of a standard called NIST 800-53, specifically rev four. That's kind of a mouthful, but once you achieve that state, there's basically 325 controls that come along with Fed moderate. And that buys you a lot of leverage and leeway in mapping and sort of crosswalking to other compliance levels. So if you achieve that state, you buy a lot of, kind of goodness with things that map to either PCI or even HIPAA or SOC 2. And, and so you, you kind of get a big benefit and sort of a big bang for your buck by having achieved that, that state for FedRAMP. >>So from an AWS customer, talk to me about, obviously we talked about the time to value, the speed with which you enable organizations to achieve compliance and, and readiness. What's in it for me in terms of working with Anitian as an AWS customer? >>Yeah. For, so for AWS specifically our stack, well, we have kind of two versions of our stack. One is meant for Azure and it's kind of cookie cutter and meant for folks that have an entrenched Azure footprint. The other is, it's the majority of our market, it's folks that want an accelerated footprint in AWS. So what's in it for you is that Anitian kind of presents something that looks pretty similar to a landing zone, but it's a little bit more peppered with complexity and with tuned configurations. So if you're an AWS customer and let's say you've had an environment for the last 5, 6, 7 years, we help you kind of take that environment and enhance it and become FedRAMP ready in a much faster state. And we are leveraging and utilizing a lot of native AWS core services like ECR, for example, is one. We're just starting to lean into AWS Inspector for vuln scans, those types of things.
And then kind of when you get up to that audit-ready state and through ATO, we aggregate a lot of that vulnerability information and vulnerability scanning information into a parsable, readable, actionable format. And most of those things, those gatherings of data, are AWS specific functions that we kind of piggyback on. So we're heavily into CloudTrail and, and quite heavy into kind of using the things that are already at our fingertips just by deploying into AWS. >>Yeah. Leveraging what they already are familiar with, kind of meeting the customers where they are. I think these days is such an important factor to help organizations make the changes as quickly and dynamically as they need to. >>That's right. Yeah. That's perfect. Yeah. A lot of customers, you know, when, when they start on the journey, they kind of, they, they sort of uncover the, uncover the details around, well, I have an application and this application has existed for six or seven years. How do I get this thing FedRAMP ready? And what does onboarding mean to your stack? We try to make that specific step as easy as possible. So when I'm on the phone with prospects and I'm talking to 'em about embarking on a journey, I kind of get them to a mental model where they treat their application VPC or their application environment as sort of a, and we deploy a separate VPC into their, into their cloud account. And then we peer that information. It's kind of getting into the mechanics a little bit, but we try to make it as easy as possible to start doing the things that we're obliged to do for FedRAMP, for their application, like vuln scans and, and operationalization of logging and things like that. And then we pull that information into our Anitian-managed VPC. And I think once customers really start to understand and sort of synthesize that mental model, then they kind of have this aha moment. They're like, oh, okay.
Now I, now I really understand how your platform can accelerate this journey into a period that is no more than say two or three months of onboarding. >>No more than two or three months. That's, that's a nice kind of guarantee for organizations. Who are you typically engaging with? Is it the CISO level or are there other folks involved in this conversation? >>Yeah, I, the CISO is probably the best persona to engage with, but it so varies from customer to customer and you never really know who's really gonna, oftentimes it's the CEO or, or sometimes it's a champion that might be the CFO or someone that's incentivized to really start getting market share for federal customers that they don't have access to. That might even be a VP of engineering that we're, that we're conversing with. But most often I think the CISO is central because the CISO of course wants to get into details of what does the stack consist of and exactly how are you helping me with this big burden of continuous monitoring that FedRAMP makes me do. And, and where, where do you fit in that story? So it's usually the CSO. >>Usually the CSO, but some of the other personas that you mentioned, sounds like it's definitely a C level or at least a, an executive level conversation. >>It is. Yeah. I'll try to divide that a little bit from my persona. Like I, I run engineering and product. I'm usually dealing with, or rather talking to and engaging with the CSO, but the folks that cut the check are either, either the CEO or the CFO that really want to widen that kind of revenue stream that they don't have access to. And they're the real decision making personas in this deal. Now, after the decision is made, then, you know, they're vetting through VPs of engineering or engineering leaders or the CSO. So like the, the folks that pull the purse strings are usually, you know, the ones that are cutting the check to make this investment, that is usually the CSO or rather CEO and the CFO. >>Got it. Okay.
So if I'm an AWS customer and I'm on this journey for FedRAMP certification, I've, I've been on it for a while. How do I know it's time to raise my hand or pick up the phone and call Anitian? >>Yeah. You know, some customers that we speak with have already tried to do it and maybe they've failed. Maybe they've been like 12 or 14 months into the journey. And they've said things like, we just don't know how to put the package together, or maybe they've engaged with the third party auditor. And the third party auditor has said, sorry, you guys need to go back to the drawing board, or maybe they've missed a good percentage of the technical requirements and they need some consultation and advice or a cookie cutter approach. So it kind of, every journey is different when we are engaging. Sometimes folks are just coming in completely cold or maybe they failed. But the more interesting ones, and I think when we can look a little bit more like heroes, are the ones that have tried it, and then a year later they come back, they come back to Anitian, and they want that accelerated goodness. >>Do you have a favorite customer story that you think really articulates the value, either from a customer who came in cold or a customer who came in after trying it on their own or with another partner for a year, that you think really demonstrates the value that Anitian delivers? >>Yeah. There is a customer story that's sort of top of mind and it's, I think the guy primarily stuck in what tooling. I'll anonymize the customer, but this customer kind of chose the wrong level of tooling as they embarked on their journey. And by tooling, I mean, let me get a little bit more specific here. You can't just choose any vulnerability scanner, for instance. If it's a SaaS product, or if it's sending data or requests outside of your FedRAMP boundary, then you're gonna run into trouble. And this reference customer, or this prospect at the time, kind of had a lot of friction there.
So as they were bumping up against that 3PAO deadline, they realized they had a lot of work to do. And we simplified that, that part of the journey substantially for them by essentially selecting and spoon feeding them and, and sort of accelerating that part of the deployment and technical journey for them. And they were very delighted by that part of it. >>When you're talking with customers who are in, in a state of, of change and flux, who isn't these days, we've seen the acceleration of digital transformation considerably over the last couple of years. How do you talk with them about Anitian as an enabler of their digital transformation overall? >>Yeah. Digital transformation. It's a, it's a broad word, isn't it? Like for, for customers that are moving from an on-prem world into the cloud world, you have this great opportunity to kind of start from scratch. And so for Anitian, we are deploying and maybe not start from scratch, but when you're moving from an on-prem environment into the cloud, your footprint, you have this really nice opportunity to embrace more of AWS core services and to kind of rebuild things, kind of make your architecture drastically improved, or like look different to be more supportable and like less operational overhead. And so when Anitian presents itself as sort of this platform in a walled garden environment, some customers have this aha moment that like, if you're gonna move either a portion of your environment or a specific application to the cloud, Anitian really helps you establish that security within that boundary and that footprint in a, in a much more accelerated fashion than if you were selecting each part of your security infrastructure and then trying to implement it by hand, and that's kind of where we shine. >>Got it. We talked about the personas that you're typically engaging with depending on the organization, but how do you help enterprise companies who say, Anitian, we wanna improve DevOps efficiency.
We wanna get our applications secure that are running on AWS and those that we may wanna move to AWS in the future. >>Yeah. This gets into futures a little bit, but part of our roadmap, a little bit of a, a kind of a look around the corner for our roadmap, is that since we know so much about the FedRAMP environment and FedRAMP moderate and the standard called NIST 800-53, it's a really powerful security view. And it's also a really powerful compliance view. So, you know, as I was saying before, that if you achieve a lot of depth and excellence in NIST 800-53, it buys you a lot of kind of crosswalk and applicability for SOC 2 and HIPAA and PCI. So for DevOps organizations and for just engineering organizations that want more pre-prod insight, there's no reason why you can't just deploy our platform and our stack in a pre-prod environment to get that security signaling such that you can catch things early and prevent maybe spillage or leakage or security issues to go into production. So one of the things that we're doing on a roadmap is a, a feature that we call compliance insights, whereby we present a frame of NIST 800-53 rev 4 that you can deploy into any environment. And that particularly helps the DevOps role by saying, well, if I just, for example, exposed an S3 bucket to world, then I can catch that configuration, that compliance product and catch it, trap it and fix before it leaks out to. >>So you talked a little bit about kind of some of the things that are coming up on a, on the product side. What's next for Anitian, as we look at, we're rounding out calendar year 22 coming into 2023, there's still so much change in the market. We've got to embrace that. What's next for the company? What can we expect from the VP of products and engineering? >>Yeah, I think in two, two big areas here. We're gonna double down on our FedRAMP offering, and just continuously improve it and improve it. We're pretty tempted to lean in more heavily to CMMC.
We hear a lot about CMMC kind of on the periphery, but we just haven't quite felt the market pressure to really go after that. But there's definitely something there. And I would anticipate some offering that maps to that specific compliance, that, that compliance framework. And then in the enterprise, we just month after month, we discuss more about how we can create more flexibility in our platform, such that commercial customers can get more of that goodness, and sort of more of that consolidation and time to market, particularly for small and mid-sized customers. So we'll be releasing more of those pieces of functionality in 2023 as well. >>So the commercial folks be on the lookout for that. >>Yes, absolutely. That's a huge untapped market for us. We're super excited about it and we'll be a little cagey on our plans until we kind of get through this early availability period and then probably make a bigger splash in the first half of 2023. >>That sounds appropriate. Where can the audience go to learn more about what you guys are doing and maybe get ahead on some of those teasers that you just mentioned? >>Yeah. I think our marketing folks will push out more data sheets and marketing material on what's to come. And if you ever wanted to be part of this early availability program that I just discussed, or that I mentioned, you can always go to anitian.com and ping us, and we'd be happy to have a conversation with you and we'll lift up the hood and allow you to look under there for, and just carry on the conversation around what's to come. >>All right, getting a peek of what's under the hood. That's always exciting. Ryan, thank you for joining me on this program, AWS Startup Showcase. We appreciate your time, your insights and a peek into what's going on at Anitian. >>Awesome. It was a pleasure. Thank you so much. >>Likewise. We wanna thank you for watching the AWS Startup Showcase. For Ryan Farris,
I'm Lisa Martin. Stick right here on theCUBE for great content coming your way. Take care.
Ed Casmer & James Johnson Event Sesh (NEEDS SLIDES EDL)
(upbeat intro music) >> Hello, everyone. Welcome back to theCube's presentation of the AWS Startup Showcase. This is season two, episode four, of the ongoing series covering the exciting startups from the AWS ecosystem. Talk about cybersecurity. I'm your host, John Furrier. Here, excited to have two great guests. Ed Casmer, Founder & CEO of Cloud Storage Security. Back, Cube alumni. And also James Johnson, AVP of Research & Development, iPipeline here. Here to talk about Cloud Storage Security, antivirus on S3. Gents, thanks for joining us today. >> Thank you, John. >> Thank you. >> So, the topic here is cloud security, storage security. Ed, we had a great Cube conversation previously, earlier in the month. You know, companies are modernizing their apps and migrating to the cloud. That's fact. Everyone kind of knows that. Been there, done that. You know, clouds have the infrastructure, they got the OS, they got protection. But, the end of the day, the companies are responsible and they're on the hook for their own security of their data. And this is becoming more preeminent now that you have hybrid cloud, cloud operations, cloud-native applications. This is the core focus right now. In the next five years. This is what everyone's talking about. Architecture, how to build apps, workflows, team formation. Everything's being refactored around this. Can you talk about how organizations are adjusting, and how they view their data security in light of how applications are being built and specifically, around the goodness of say, S3? >> Yep, absolutely. Thank you for that. So, we've seen S3 grow 20,000% over the last 10 years. And that's primarily because companies like James with iPipeline, are delivering solutions that are leveraging this object storage more and above the others. When we look at protection, we typically fall into a couple of categories. The first one is, we have folks that are worried about the access of the data. How are they dealing with it?
So, they're looking at configuration aspects. But, the big thing that we're seeing is that customers are blind to the fact that the data itself must also be protected and looked at. And, so, we find these customers who do come to the realization that it needs to happen. Finding out like how asking themselves, "How do I solve for this?" And, so, they need lightweight, cloud-native built solutions to deliver that. >> So, what's the blind spot? You mentioned there's a blind spot. They're kind of blind to that. What specifically are you seeing? >> Well, so when we get into these conversations, the first thing that we see with customers is, "I need to predict how I access it." This is everyone's conversation. "Who are my users? How do they get into my data? How am I controlling that policy? Am I making sure there's no east-west traffic there, once I've blocked the north-south?" But, what we really find is that the data is the key packet of this whole process. It's what gets consumed by the downstream users. Whether that's an employee, a customer, a partner. And, so, it's really the blind spot is the fact that we find most customers not looking at whether that data is safe to use. >> It's interesting. You know, when you talk about that, I think about like all the recent breaches and incidents. "Incidents" they call them. >> Yeah. >> They've really been around user configurations. S3 buckets not configured properly. And this brings up what you're saying, is that the users and the customers have to be responsible for the configurations, the encryption, the malware aspect of it. Don't just hope that AWS has the magic to do it. Is that kind of what you're getting at here? Is that the similar? Am I correlating that properly? >> Absolutely. That's perfect. And, and we've seen it. We've had our own customers, luckily, iPipeline's not one of them, that have actually infected their end users, because they weren't looking at the data. >> Yeah. And that's a huge issue.
So, James, let's get in, you're a customer-partner. Talk about your relationship with these guys and what's it all about? >> Yeah. Well, iPipeline is building a digital ecosystem for life insurance and wealth management industries to enable the sale of life insurance to underinsured and uninsured Americans, to make sure that they have the coverage that they need should something happen. And, our solutions have been around for many years in a traditional data center type of an implementation. And, we're in process now of migrating that to the cloud, moving it to AWS. In order to give our customers a better experience, better resiliency, better reliability. And, with that, we have to change the way that we approach file storage and how we approach scanning for vulnerabilities in those files that might come to us via feeds from third parties, or that are uploaded directly by end users that come to us from a source that we don't control. So, it was really necessary for us to identify a solution that both solved for these vulnerability scanning needs, as well as enabling us to leverage the capabilities that we get with other aspects of our move to the cloud. Being able to automatically scale based on load, based on need. To ensure that we get the performance that our customers are looking for. >> So, tell me about your journey to the cloud, migrating to the cloud, and how you're using S3. Specifically, what led you to determine the need for the cloud-based AV solution? >> Yeah. So, when we looked to begin moving our applications to the cloud, one of the realizations that we had is that our approach to storing certain types of data, was a bit archaic. We were storing binary files in a database, which is not the most efficient way to do things. And, we were scanning them with the traditional antivirus engines, that would've been scaled in traditional ways. So, as our need grew, we would need to spin up additional instances of those engines to keep up with load. 
And we wanted a solution that was cloud-native, and would allow us to scan more dynamically without having to manage the underlying details of how many engines do I need to have running for a particular load at a particular time, and being able to scan dynamically and also being able to move that out of the application layer, being able to scan those files behind the scenes. So, scanning in, when the file's been saved in S3. It allows us to scan and release the file once it's been deemed safe, rather than blocking the user while they wait for that scan to take place. >> Awesome. Well, thanks for sharing that. I got to ask Ed and James, same question. And next is, how does all this factor into audits and self-compliance? Because, when you start getting into this level of sophistication, I'm sure it probably impacts reporting, workflows. Can you guys share the impact on that piece of it? The reporting. >> Yeah, I'll start with a comment, and James will have more applicable things to say. But, we're seeing two things. One, is you don't want to be the vendor whose name is in the news for infecting your customer base. So, that's number one. So you have to put something like this in place and figure that out. The second part is, we do hear that under SOC 2, under PCI, different aspects of it, there are scanning requirements on your data. Traditionally, we've looked at that as endpoint data and the data that you see in your on-prem world. It doesn't translate as directly to cloud data, but, it's certainly applicable. And if you want to achieve SOC 2 or you want to achieve some of these other pieces, you have to be scanning your data as well. >> James, what's your take? As practitioner, you're living it. >> Yeah. That's exactly right.
There are a number of audits that we go through, where this is a question that comes up both from a SOC perspective, as well as our individual customers, who reach out, and they want to know where we stand from a security perspective and a compliance perspective. And, very often, this is a question of "How are you ensuring that the data that is uploaded into the application is safe and doesn't contain any vulnerabilities?" >> James, if you don't mind me asking. I have to kind of inquire, because I can imagine that you have users on your system, but also you have third parties, relationships. How does that impact this? What's the connection? >> That's a good question. We receive data from a number of different locations. From our customers directly, from their users, and from partners that we have, as well as partners that our customers have. And, as we ingest that data, from an implementation perspective, the way we've approached this, there's minimal impact there in each one of those integrations, because everything comes into the S3 bucket and is scanned before it is available for consumption or distribution. But, this allows us to ensure that no matter where that data is coming from, that we are able to verify that it is safe before we allow it into our systems or allow it to continue on to another third party, whether that's our customer or somebody else. >> Yeah. I don't mean to get in the weeds there, but it's one of those things where, you know, this is what people are experiencing right now. You know, Ed, we talked about this before. It's not just siloed data anymore. It's interactive data. It's third party data from multiple sources. This is a scanning requirement. >> Agreed. I find it interesting, too. I think James brings it up. We've had it in previous conversations, that not all data's created equal. Data that comes from third parties that you're not in control of, you feel like you have to scan and other data you may generate internally. 
You don't have to be as compelled to scan that, although it's a good idea. But it's, you can kind of, as long as you can sift through and determine which data is which, and process it appropriately, then you're in good shape. >> Well, James. You're living the cloud security storage security situation, here. I got to ask you if you zoom out, not get in the weeds, and look at kind of the boardroom or the management conversation. Tell me about how you guys view the data security problem. I mean, obviously it's important, right? So, can you give us a level of, you know, how important it is for iPipeline and with your customers and where does this S3 piece fit in? I mean, when you guys look at this holistically, for data security, what's the view? What's the conversation like? >> Yeah. Well, data security is critical. As Ed mentioned a few minutes ago, you don't want to be the company that's in the news because some data was exposed. That's something that nobody has the appetite for. And, so, data security is, first and foremost, in everything that we do. And that's really where this solution came into play and making sure that we had not only a solution, but, we had a solution that was the right fit for the technology that we're using. There are a number of options. Some of them have been around for a while. But this is focused on S3, which we were using to store these documents that are coming from many different sources. And, you know, we have to take all the precautions we can to ensure that something that is malicious doesn't make its way into our ecosystem or into our customers' ecosystems through us. >> What's the primary use case that you see the value here with these guys? What's the "aha" moment that you had? >> With the Cloud Storage Security, specifically, it was really, it goes beyond the security aspects of being able to scan for vulnerable files, which is there are a number of options and they're one of those. 
But for us, the key was being able to scale dynamically without committing to a particular load, whether that's under committing or over committing. As we move our applications from a traditional data center type of installation to AWS, we anticipated a lot of growth over time. And being able to scale up very dynamically, you know, literally moving a slider within the admin console was key to us, to be able to meet our customer's needs without overspending. By building up something that was dramatically larger than we needed in our initial rollout. >> Not a bad testimonial there, Ed. I mean. >> I agree. >> This really highlights the applications using S3 more in the file workflow for the application in real time. This is where you start to see the rise of ransomware, other issues and scale matters. Can you share your thoughts and reaction to what James just said? >> Yeah, I think it's critical. I mean, as the popularity of S3 has increased, so has the fact that it's an attack vector now, and people are going after it. Whether that's to plant bad, malicious files, whether it's to replace code segments that are downloaded and used in other applications, it is a very critical piece. And when you look at scale, and you look at the cloud-native capability, there are lots of ways to solve it. You can dig a hole with a spoon, but a shovel works a lot better. And, in this case, you know, we take a simple example like James. They did a weekend migration, so, they've got new data coming in all the time. But, we did a massive migration. 5,000 files a minute being ingested. And, like he said, with a couple of clicks, scale up, process that over a sustained period of time, and then scale back down. So, you know, I've said it before. I said it on the previous one. We don't want to get in the way of someone's workflow. We want to help them secure their data and do it in a timely fashion, that they can continue with their proper processing and their normal customer responses. 
>> Yeah. Friction always has to be key. I know you're in the marketplace with your antivirus, for S3 on AWS. People can just download it. So, people are interested, go check it out. James, I got to ask you, and maybe Ed can chime in over the top, but, it seems so obvious. Data. Secure the data. Why is it so hard? Why isn't this so obvious? What's the problem? Why is it so difficult? Why are there so many different solutions? It just seems so obvious. You know, you got ransomware, you got injection of different malicious payloads. There's a ton of things going around the data. Why is this? This is so obvious. Why isn't it solved? >> Well, I think there have been solutions available for a long time. The challenge, the difficulty that I see, is that it is a moving target. As bad actors learn new vulnerabilities, new approaches. And as new technology becomes available, that opens additional attack vectors. That's the challenge. Is keeping up on the changing world. Including keeping up on the new ways that people are finding to exploit vulnerabilities. >> Yeah. And you got sensitive data at iPipeline. You do a lot of insurance, wealth management, all kinds of sensitive data, super valuable. You know, just brings me up, reminds me of the Sony hack, Ed, years ago. You know, companies are responsible for their own militia. I mean, cybersecurity, there's no government help for sure. I mean, companies are on the hook, as we mentioned earlier at the top of this interview. This really has highlighted that IT departments have to evolve to large scale cloud, you know, cloud-native applications, automation, AI, machine learning all built in, to keep up at the scale. But, also, from a defense standpoint, I mean, James, you're out there, you're in the front lines. You got to defend yourself, basically, and you got to engineer it. >> A hundred percent. And just to go on top of what James was saying is, I think they're one of the big factors, and we've seen this. 
There's skill shortages out there. There's also just a pure lack of understanding. When we look at Amazon S3 or object storage in general, it's not an executable file system. So, people sort of assume that, "Oh, I'm safe. It's not executable. So, I'm not worried about it traversing my storage network." And they also probably have the assumption that the cloud providers, Amazon, is taking care of this for 'em. And, so, it's this "aha" moment, like you mentioned earlier. That you start to think, "Oh, it's not about where the data is sitting, per se, it's about scanning it as close to the storage spot. So, when it gets to the end user, it's safe and secure." And you can't rely on the end users' environment and system to be in place and up to date to handle it. So, it's that really, that lack of understanding that drives some of these folks into this, but for a while, we'll walk into customers and they'll say the same thing you said, John. "Why haven't I been doing this for so long?" And, it's because they didn't understand that it was such a risk. That's where that blind spot comes in. >> James, it's just a final note on your environment. What's your goals for the next year? How's things going over there in your side? How do you look at the security posture? What's on your agenda for the next year? How are you guys looking at the next level? >> Yeah, well, our goal as it relates to this is, to continue to move our existing applications over to AWS, to run natively there, which includes moving more data into S3 and leveraging the Cloud Storage Security solution to scan that and ensure that it's, that there are no vulnerabilities that are getting in. >> And the ingestion? Is there like bottlenecks, log jams? How do you guys see that scaling up? I mean, what's the strategy there? More, just add more S3? >> Well, S3 itself scales automatically for us and the Cloud Storage Solution gives us levers to pull to do that. 
As Ed mentioned, we ingested a large amount of data during our initial migration, which created a bottleneck for us, as we were preparing to move our users over. We were able to, you know, make an adjustment in the admin console and spin up additional processes entirely behind the scenes and broke the log jam. So, I don't see any immediate concerns there. Being able to handle the load. >> You know, the term cloud-native and, you know, hyperscale-native, cloud-native, OneCloud, it's hybrid. All these things are native. We have anti-virus native coming soon. And I mean, this is what we're. You're basically doing is making it native into the workflows. Security native, and soon there's going to be security clouds out there. We're starting to see the rise of these new solutions. Can you guys share any thoughts or vision around how you see the industry evolving and what's needed, what's working and what's needed? Ed, we'll start with you. What's your vision? >> So, I think the notion of being able to look at and view the management plane and control that, has been where we're at right now. That's what everyone seems to be doing and going after. I think there are niche plays coming up, storage is one of them. But, we're going to get to a point where storage is just a blanket term for where you put your stuff. I mean, it kind of already is that, but, in AWS, it's going to be less about S3, less about WorkDocs, less about EVS. It's going to be just storage and you're going to need a solution that can span all of that, to go along with where we're already at the management plane. We're going to keep growing the data plane. >> James, what's your vision for what's needed in the industry? What's the gaps? What's working? And where do you see things going? >> Yeah, well, I think on the security front, specifically, Ed's probably a little bit better equipped to speak to them than I am. Since that's his primary focus. 
But I see the need for just expanded solutions that are cloud-native, that fit and fit nicely with the Amazon technologies, whether that comes from Amazon or other partners like Cloud Storage Security, to fill those gaps. We're focused on, you know, the financial services and insurance industries. That's our niche. And we look to other partners, like Ed, to help be the experts in these areas. And so that's really what I'm looking for is, you know, the experts that we can partner with that are going to help fill those gaps as they come up and as they change in the future. >> Well, James, I really appreciate you coming on sharing your story. Ed, I'll give you the final word. Put a quick, spend a minute to talk about the company. I know Cloud Storage Security is an AWS partner, with the Security Software Competency. And is one of, I think, 16 partners listed in the competency and data category. So, take a minute to explain, you know, what's going on with the company, where people can find more information, how they buy and consume the products. >> Okay. >> Put the plug in. >> Yeah, thank you for that. So, we are a fast growing startup. We've been in business for two and a half years, now. We have achieved our Security Competency. As John indicated, we're one of 16 data protection, Security Competent ISV vendors, globally. And, our goal is to expand and grow a platform that spans all storage types that you're going to be dealing with. And answer basic questions. "What do I have and where is it? Is it safe to use?" And, "Am I in proper control of it? Am I being alerted appropriately?" You know, so we're building this storage security platform, very laser-focused on the storage aspect of it. And, if people want to find out more information, you're more than welcome to go and try the software out on Amazon Marketplace. That's basically where we do most of our transacting. So, find it there, start a free trial, reach out to us directly from our website. 
We are happy to help you in any way that you need it, whether that's storage assessments, figuring out what data is important to you, and how to protect it. >> All right, Ed, thank you so much. Ed Casmer. Founder & CEO of Cloud Storage Security and of course James Johnson, AVP Research & Development, iPipeline customer. Gentlemen, thank you for sharing your story and featuring the company and the value proposition. It's certainly needed. This is season two, episode four. Thanks for joining us. Appreciate it. >> Thanks, John. >> Okay. I'm John Furrier. That is a wrap for this segment of the cybersecurity, season two, episode four. The ongoing series covering the exciting startups from Amazon's ecosystem. Thanks for watching. (gentle outro music)
Uri May, Hunters | CUBE Conversation, August 2022
(upbeat music) >> Hey everyone. And welcome to this CUBE Conversation which is part of the AWS startup showcase. Season two, episode four of our ongoing series. The theme of this episode is cybersecurity, detect and protect against threats. I'm your host, Lisa Martin, and I'm pleased to be joined by the founder and CEO of Hunters.AI, Uri May. Uri, welcome to theCUBE. It's great to have you here. >> Thank you, Lisa. It's great to be here. >> Tell me a little bit about your background and the founders story. This company was only founded in 2018, so you're quite young. But gimme that backstory about what you saw in the market that really determined, this is needed. >> Yeah, absolutely. So, I mean, I think the biggest thing for us was the understanding that significant things have happened in the cybersecurity landscape for customers and technology stayed the same. I mean, we tried on solving the same... We tried on solving a big problem with the same old tools when we actually noticed that the problem has changed significantly. And we saw that change happening in two different dimensions. The first is the types of attacks that we're defending against. A decade ago, we were mostly focused on these highly sophisticated nation state efforts that included unknown techniques and tactics and highly sophisticated kind of methods. Nowadays, we're talking a lot about cyber crime gangs, groups of people that are financially motivated or using off the shelf tools, off the shelf malware, coordinating in the dark web, attacking for money and ransom basically, versus sophisticated intelligence kind of objectives. And in the same time of that happening, we also saw what we like to refer to as explosion of the security stack. So some of our customers are using more than 60 or 70 different security tools that are generating sometimes tens of terabytes a day of flows. 
That explosion of data, together with a very persistent and consistent threat that is continuously affecting customers, create a very different environment, where you need to analyze a big variety of data and you need to constantly defend yourself against stuff that are happening all the time. And that was kind of like our wake moment when we understand that the tools that are out there now might have been the right tools a decade ago, they are probably not the right tools to solve the problem now. So yeah, I think that that was kind of what led us to Hunters. And in the same time, and I think that that's my personal kind of story behind it. We used to talk a lot about the fact that we want to solve a fundamental problem. And we, as part of the ideation around Hunters and us zooming in on exactly the areas that we want to focus on in security, we talked with a lot of CSOs, we talked with a lot of industry experts, everyone directed us to the security operation center. I mean the notion that there's a lot of tools and there's always going to be a lot of tools, but eventually decisions are being made by people that are running security operation center, that are actually acting as the first line of defense. And that's where you feel that the processes are broke. That's where you feel that that technology doesn't really meet the rubber, and the rubber doesn't really meet the road. And for us, it was a very clear sign that this is where we need to focus on. And that set us on a journey to explore threat hunting and then understand that we can solve something bigger than that. And then eventually get to where we are today, which is go to market around a holistic platform that can help SOC analysts doing the day to day job defending the organizations. >> So you saw back in 2018, probably even before that that the SIEM market was prime and right for disruption. 
And only in a four year time period, there's been some pretty significant milestones and accomplishments that the team at Hunters has made in that short timeframe. Talk to me about some of those big milestones that the company has reached in just four years. >> Yeah, I think that the biggest thing and I know that it's going to sound like a cliche, but we're actually believing that I think it's the team. I mean, we're able to go to an organization of around 150 employees. All over the world, the course, I think I mean the last time that I checked, like 15 countries. That's the most amazing feeling that you can have. That ability to attract people to a single mission from all over the world and to get them collaborate and do amazing things and achieve unbelievable accomplishment. I think that's the biggest thing. The other thing for us was customers. I mean, think about it like, SIEM it's such a central and critical system. So for us as a young startup from Tel Aviv to go out to Enterprise America and convince the biggest enterprise around the world to rip and replace the existing solutions that are being built by the biggest software brands out there and install Hunters instead, that's a huge leap of trust, that we are very grateful for, and we're trying to handle with a lot of care and a lot of responsibility. And obviously, I think that other than that, is all of the investors that we were able to attract that basically enabled all of that customer acquisition and team building and product development. And we're very fortunate to work with the biggest names out there, both from a strategic perspective and also from tier one VCs from mainly from the U.S., but from all over the world, actually that are backing us. >> Great customers, solid foundation. Hunters is built for the clouds, is powered by Snowflake. This is AWS built. Talk to me about what's in it for me from an AWS customer perspective. What's that value in it for them? 
>> Yeah, so I think that the most important thing, in my opinion, at least, is the security value that you're getting from it. Other than the fact that Hunters is a multi-tenant SaaS application running in AWS, it's also a system that is highly tuned and specifically built to be very effective against detecting threats inside AWS environments. So we invested a lot of time in research, in analyzing the way attackers are operating inside cloud environments, specifically in AWS. And then we model these techniques and tactics and procedures into the system. We're leveraging data sets like AWS CloudTrail and CloudWatch and VPC Flow Logs, obviously AWS GuardDuty which is an amazing detection system that AWS offers to its customers, and we're able to leverage it, correlate it with other signals. And at the same time, there's also the commercial aspect and the business aspect. I mean, we're allowing AWS customers to leverage the AWS credits to the marketplace to fund SIEM projects like Hunters that comes with a lot of efficiencies also. And with a lot of additional capabilities like I mentioned earlier. >> So let's crack open Hunters.AI. What makes this approach different? You talked about the challenges that you guys saw in the market that were gaps there, and why technology needed to come in from a disruption standpoint. But describe the differentiators. When you're talking to prospective customers, what are those key differentiators that Hunters brings to the table? >> Yeah, absolutely. So we like to divide it into three main pillars. The first pillar is everything that we do with data, that is very different from our competitors. We believe that data should be completely liberated from the analytical layer. And that's why we're storing data in a dedicated data warehouse. Snowflake, as you mentioned earlier, is one of our go to data warehouses. And that gives customers the ability to own their own data. 
So you as a customer can opt in into using Hunters on top of your Snowflake. It's not the only way. You can also get Snowflake bundled as part of that, your Hunters subscription, but for some customers that ability to reduce vendor lock risk on data on your own and also leverage security data for other kind of workflows is something that is really huge. So that's the first thing that is very different. The second thing is what we like to call security engineering as a service. So when you buy Hunters, you don't just buy a data platform. You actually buy a system, a SOC platform that is already populated with use cases. So what we are saying is that in today's world the threats that we're handling as a SOC, as security operations center professionals are actually shared by 80% of the customers out there. So 80% of the customers share around 80% of the threat. And what we're basically saying is let us as a vendor, solve the detection response around that 80%. So you as a customer could focus on the 20% that is unique to your environment. Then in a lot of cases generate 80% of the impact. So that means that you are getting a lot of prebuilt tools and detections, data modeling to your integrations, automatic investigations, scoring correlations. All of these things are being continuously deployed and delivered by us because we're multi tenant SaaS. And also allowing you again to get this effortless turnkey kind of solution that is very different from your experience with your current SIEM tools that usually involves a lot of tuning, professional services, configuration, et cetera. And the last aspect of it, is everything that we're doing around automation. 
We're leveraging very unique graph technology and what we call automatic investigation enrichments that allows us to take all of these signals that we're extracting from all over the attack surface, AWS included, but also the endpoint and the email and the network and IOT environments and whatever automatically investigate them, load them into a graph and then automatically correlate them to what we call stories, which are basically representation of incidents that are happening across your attack surface. And that's a very unique capability that we bring into the table that demonstrates our focus on the analytical lens. So it's not just log aggregation, and querying and dashboarding kind of system. It's actually a security analytic system that is able to drive real insights on top of the data that you're plugging into it. >> So talk to me, Uri, when you're in customer conversations these days the market is there's so many dynamics and flux that customers are dealing with. Obviously, the threat landscape continues to expand and really become quite amorphous as that perimeter blends. What are some of the specific challenges that security operation center or SOC teams come to you saying, help us eliminate this. We have so many tools, we've probably got limited resources. What are those challenges and how does Hunters really wipe those off the plate? >> Yeah, so I think the first and foremost has to do with the second pillar that I mentioned earlier and that's security engineering. So for most security operations centers and most organizations around the world, the feeling is that they're kind of like stuck on this third wheel. They keep on buying tools and then implementing these tools and then writing rules and then generating noise and then fine tuning the rules. And then testing the rules and understanding that the fine tuning actually generated misdetections. And they're kind of like stuck on this vicious cycle. 
And no one can really help because a lot of the stuff that they're building, they're building it in their environment. And what we're saying is that, let us do it for you. Well, that 80% that we've mentioned earlier and allows you to really focus on the stuff that you're doing and even offset your talent. So, we're not talking about really a talent reduction. Because everyone needs more talent in cybersecurity nowadays but we're talking a lot about offset. I mean, if we had a team of five people investing efforts in building rules, building automation, and now three or four of these people can go and do advanced investigations, instant response, threat hunting interval, that's meaningful. For a lot of SOCs, in a lot of cases that means either identifying and analyzing a threat in time or missing it. So, I mean, I think that that's the biggest thing. And the other thing has to do with the first thing that I mentioned earlier, and these are the data challenges. Data challenges in terms of cost, performance, the ability to absorb data sets that today's tools can't really support. I mean, for example, one of the biggest data sets that we're loading that is tremendously helpful is raw data for EDR products. Raw data for EDR products in large enterprises can get to 10, 15, 20 terabytes a day. In today's SIEMs and SOC platforms that the customers are using, this thing is just as prohibited from SOC. They can't really analyze it because it's so costly. So what we're saying is a lot of what we're seeing is a lot of customers, either not analyzing it at all, or saving it for a very little amount of time, account of days. Because they can't support the retention around it. So the ability to store huge data sets for a longer period of time makes it something that a lot of big enterprises need. And to be honest, I think that in the next couple of years they would also be forced to have these kind of capabilities, even from a compliance perspective. 
>> So in terms of outcomes, I'm hearing reduction in costs really helping security teams utilize their resources, the ability to analyze growing volumes of data. That's only going to continue to increase as we know. Is there a customer story, Uri that you have that really, where the value proposition of Hunters really shines through? >> Yeah, I think that one thing comes to mind from the hospitality vertical and actually it's a reference customer. I mean, we can share the name. Its name is booking.com. It's also publicly shown on our website. And I think the coolest thing that we were able to do with booking is give them that capability to stay up to date with the threats that they're facing. So it's not just that we saved a lot of efforts from them because we came with a lot of out of the box capabilities that they can use. We also kept them up to date with everything that they were facing. And there was a couple of cases, where we were able to detect threats that were very recently from threat perspective. Based on our ability to invest research time and efforts in everything that is going on in the ecosystem and the feedback that we got from the customer, and it's not a single of feedback. Like we're getting it a lot, is that, without you guys we wouldn't be able to do the effective research and then the implementation of this and the threat modeling and the implementation of these things in time. And working with you kind of like made the difference between analyzing it and reacting in time and potentially blocking like a very serious breach versus maybe finding out when it's too late. >> Huge impact there. And I'm kind of thinking, Hunters aim, might be one of the reasons that booking.com's tagline it's booking.com, booking.yeah. Yeah, we're secure. We know if we can demonstrate that to everyone that uses our service. I noticed kind of wrapping things up here, Uri. 
I noticed that back in I think it was January of 2022, Hunters raised about 60 million in series C. You talked about kind of being in the GTM phase, where are some of those strategic investments? What have you been doing, focusing on this year and what's to come as we round out 22? >> Yeah, absolutely. So, I mean, there's a lot of building going on. Yeah. Still, right. I mean, we're getting into that scale mode and scale phase but we're very much also building our capabilities, building our infrastructure, building our teams, building our business processes. So there's a lot of efforts going into that, but in the same time, I mean, we've been able to deepen our relationship with DataBlitz which is a very important partner of us. And we got some big news coming up on that. And they were a strategic investor that participated in our series C. And in the same time we're working in the air market which is a very interesting market for us. And we get a lot of support from one other strategic investor that joined the series C, Deutsche Telekom. And they are a huge provider in IT and security in email, other than doing a lot of other things and including T-systems and T-Mobile and everything that has to do with that. So we're getting a lot of support from them. And regardless, I think, and that ties back to what we've mentioned earlier, the ability for us to come to really big customers with the quality of investors that we have is a very important external validation. It's basically saying like this company is here to stay. We're aiming at disrupting the market. We're building something big. You can count on us by replacing this critical system that we're talking about. And sometimes it makes a difference, like sometimes for some of the customers, it means that this is something that I can rely on. Like it's not a startup that is going to be sold two months after I'm deploying it. And it's not a founder that is going to disappear on me. 
And for a lot of customers, these things happen, especially in an ecosystem like cybersecurity, that is so big with such a huge variety of different systems. So, yeah, I think that we're getting ready for that scale mode and hopefully it'll happen sooner than what we think. >> A lot of growth already as we mentioned in the beginning of the program. Since just 2018 it sounds like from a foundation perspective, you guys are strong, you're rocking away and ready to really take things into 2023 with such force. Uri, thank you so much for joining me on the program, talking about what Hunters.AI is up to and how you're different and why you're disrupting the SIEM market. We appreciate your insights and your time. >> Absolutely. Lisa, the pleasure was all mine. Thank you for having me. >> Likewise. For Uri May, I'm Lisa Martin. Thank you for watching our CUBE Conversation as part of the AWS startup showcase. Keep it right here for more actions on theCUBE, your leader in tech coverage. (upbeat music)
Sam Kassoumeh, SecurityScorecard | CUBE Conversation
(upbeat music) >> Hey everyone, welcome to this CUBE conversation. I'm John Furrier, your host of theCUBE here in Palo Alto, California. We've got Sam Kassoumeh, co-founder and chief operating officer at SecurityScorecard here remotely coming in. Thanks for coming on Sam. Security, Sam. Thanks for coming on. >> Thank you, John. Thanks for having me. >> Love the security conversations. I love what you guys are doing. I think this idea of managed services, SaaS. Developers love it. Operation teams love getting into tools easily and having values what you guys got with SecurityScorecard. So let's get into what we were talking before we came on. You guys have a unique solution around ratings, but also it's not your grandfather's pen test want to be security app. Take us through what you guys are doing at SecurityScorecard. >> Yeah. So just like you said, it's not a point in time assessment and it's similar to a traditional credit rating, but also a little bit different. You can really think about it in three steps. In step one, what we're doing is we're doing threat intelligence data collection. We invest really heavily into R&D function. We never stop investing in R&D. We collect all of our own data across the entire IPv4 space. All of the different layers. Some of the data we collect is pretty straightforward. We might crawl a website like the example I was giving. We might crawl a website and see that the website says copyright 2005, but we know it's 2022. Now, while that signal isn't enough to go hack and break into the company, it's definitely a signal that someone might not be keeping things up to date. And if a hacker saw that it might encourage them to dig deeper. To more complex signals where we're running one of the largest DNS sinkhole infrastructures in the world. We're monitoring command and control malware and its behaviors. 
We're essentially collecting signals and vulnerabilities from the entire IPv4 space, the entire network layer, the entire web app layer, leaked credentials. Everything that we think about when we talk about the security onion, we collect data at each one of those layers of the onion. That's step one. And we can do all sorts of interesting insights and information and reports just out of that threat intel. Now, step two is really interesting. What we do is we go identify the attack surface area or what we call the digital footprint of any company in the world. So as a customer, you can simply type in the name of a company and we identify all of the domains, sub domains, subsidiaries, organizations that are identified on the internet that belong to that organization. So every digital asset of every company we go out and we identify that and we update that every 24 hours. And step three is the rating. The rating is probabilistic and it's deterministic. The rating is a benchmark. We're looking at companies compared to their peers of similar size within the same industry and we're looking at how they're performing. And it's probabilistic in the sense that companies that have an F are about seven to eight times more likely to experience a breach. We're an A through F scale, universally understood. Ds and Fs, more likely to experience a breach. A's, we see less breaches. Now, like I was mentioning before, it doesn't mean that an F is always going to get hacked or an A can never get hacked. If a nation state targets an A, they're going to eventually get in with enough persistence and budget. If the pizza shop on the corner has an F, they may never get hacked because no one cares, but natural correlation, more doors open to the house equals higher likelihood someone unauthorized is going to walk in. So it's really those three steps. The collection, we map it to the surface area of the company and then we produce a rating. 
Today we're rating about 12 million companies every single day. >> And how many people do you have as customers? >> We have 50,000 organizations using us, both free and paid. We have a freemium tier where just like Yelp or a LinkedIn business profile. Any company in the world has a right to go claim the score. We never extort companies to fix the score. We never charge a company to see the score or fix it. Any company in a world without paying us a cent can go in. They can understand what we're seeing about them, what a hacker could see about their environment. And then we empower them with the tools to fix it and they can fix it and the score will go up. Now companies pay us because they want enterprise capabilities. They want additional modules, insights, which we can talk about. But in total, there's about 50,000 companies that at any given point in time, they're monitoring about a million and a half organizations of the 12 million that we're rating. It sounds like Google. >> If you want to look at it. >> Sounds like Google Search you got going on there. You got a lot of search and then you create relevance, a score, like a ranking. >> That's precisely it. And that's exactly why Google ventures invested in us in our Series B round. And they're on our board. They looked and they said, wow, you guys are building like a Google Search engine over some really impressive threat intelligence. And then you're distilling it into a score which anybody in the world can easily understand. >> Yeah. You obviously have page rank, which changed the organic search business in the late 90s, early 2000s and the rest is history. AdWords. >> Yeah. >> So you got a lot of customer growth there potentially with the opt-in customer view, but you're looking at this from the outside in. You're looking at companies and saying, what's your security posture? Getting a feel for what they got going on and giving them scores. It sounds like it's not like a hacker proof. 
It's just more of a indicator for management and the team. >> It's an indicator. It's an indicator. Because today, when we go look at our vendors, business partners, third parties were flying blind. We have no idea how they're doing, how they're performing. So the status quo for the last 20 years has been perform a risk assessments, send a questionnaire, ask for a pen test and an audit evidence. We're trying to break that cycle. Nobody enjoys it. They're long tail. It's a trust without verification. We don't really like that. So we think we can evolve beyond this point in time assessment and give a continuous view. Now, today, historically, we've been outside in. Not intrusive, and we'll show you what a hacker can see about an environment, but we have some cool things percolating under the hood that give more of a 360 view outside, inside, and also a regulatory compliance view as well. >> Why is the compliance of the whole third party thing that you're engaging with important? Because I mean, obviously having some sort of way to say, who am I dealing with is important. I mean, we hear all kinds of things in the security landscape, oh, zero trust, and then we hear trust, supply chain, software risk, for example. There's a huge trust factor there. I need to trust this tool or this container. And then you got the zero trust, don't trust anything. And then you've got trust and verify. So you have all these different models and postures, and it just seems hard to keep up with. >> Sam: It's so hard. >> Take us through what that means 'cause pen tests, SOC reports. I mean the clouds help with the SOC report, but if you're doing agile, anything DevOps, you basically would need to do a pen test like every minute. >> It's impossible. The market shifted to the cloud. We watched and it still is. And that created a lot of complexity, not to date myself. 
But when I was starting off as a security practitioner, the data center used to be in the basement and I would have lunch with the database administrator and we talk about how we were protecting the data. Those days are long gone. We outsource a lot of our key business practices. We might use, for example, ADP for a payroll provider or Dropbox to store our data. But we've shifted and we no longer know who that person is that's protecting our data. They're sitting in another company in another area unknown. And I think about 10, 15 years ago, CISOs had the realization, Hey, wait a second. I'm relying on that third party to function and operate and protect my data, but I don't have any insight, visibility or control of their program. And we were recommended to use questionnaires and audit forms, and those are great. It's good hygiene. It's good practice. Get to know the people that are protecting your data, ask them the questions, get the evidence. The challenge is it's point in time, it's limited. Sometimes the information is inaccurate. Not intentionally, I don't think people intentionally want to go lie, but Hey, if there's a $50 million deal we're trying to close and it's dependent on checking this one box, someone might bend a rule a little bit. >> And I said on theCUBE publicly that I think pen test reports are probably being fudged and dates being replicated because it's just too fast. And again, today's world is about velocity on developers, trust on the code. So you got all kinds of trust issues. So I think verification, the blue check mark on Twitter kind of thing going on, you're going to see a lot more of that and I think this is just the beginning. I think what you guys are doing is scratching the surface. I think this outside in is a good first step, but that's not going to solve the internal problem that still coming and have big surface areas. So you got more surface area expanding. I mean, IOT's coming in, the Edge is coming fast. 
Never mind hybrid on-premise cloud. What's your organizations do to evaluate the risk and the third party? Hands shaking, verification, scorecards. Is it like a free look here or is it more depth to it? Do you double click on it? Take us through how this evolves. >> John, it's become so disparate and so complex, because in addition to the market moving to the cloud, we're now completely decentralized. People are working from home or working hybrid, which adds more endpoints. Then what we've learned over time is that it's not just a third party problem, because guess what? My third parties behind the scenes are also using third parties. So while I might be relying on them to process my customer's payment information, they're relying on 20 vendors behind the scene that I don't even know about. I might have an A, they might have an A. It's really important that we expand beyond that. So coming out of our innovation hub, we've developed a number of key capabilities that allow us to expand the value for the customer. One, you mentioned, outside in is great, but it's limited. We can see what a hacker sees and that's helpful. It gives us pointers where to maybe go ask double click, get comfort, but there's a whole nother world going on behind the firewall inside of an organization. And there might be a lot of good things going on that CISO security teams need to be rewarded for. So we built an inside module and component that allows teams to start plugging in the tools, the capabilities, keys to their cloud environments. And that can show anybody who's looking at the scorecard. It's less like a credit score and more like a social platform where we can go and look at someone's profile and say, Hey, how are things going on the inside? Do they have two-factor auth? Are their cloud instances configured correctly? And it's not a point in time. This is a live connection that's being made. This is any point in time, we can validate that. 
The other component that we created is called an evidence locker. And an evidence locker, it's like a secure vault in my scorecard and it allows me to upload things that you don't really stand for or check for. Collateral, compliance paperwork, SOC 2 reports. Those things that I always begrudgingly email. I don't want to share with people my trade secrets, my security policies, and have it sit on their exchange server. So instead of having to email the same documents out, 300 times a month, I just upload them to my evidence locker. And what's great is now anybody following my scorecard can proactively see all the great things I'm doing. They see the outside view. They see the inside view. They see the compliance view. And now they have the holy grail view of my environment and can have a more intelligent conversation. >> Access to data and access methods are an interesting innovation area around data lineage. Tracing is becoming a big thing. We're seeing that. I was just talking with the Snowflake co-founder the other day here in theCUBE about data access and they're building a proprietary mesh on top of the clouds to figure out, Hey, I don't want to give just some tool access to data because I don't know what's on the other side of those tools. Now they had a robust ecosystem. So I can see this whole vendor risk supply chain challenge around integration as a huge problem space that you guys are attacking. What's your reaction to that? >> Yeah. Integration is tricky because we want to be really particular about who we allow access into our environment or where we're punching holes in the firewall and piping data out out of the environment. And that can quickly become unwieldy just with the control that we have. Now, if we give access to a third party, we then don't have any control over who they're sharing our information with. When I talk to CISOs today about this challenge, a lot of folks are scratching their head, a lot of folks treat this as a pet project. 
Like how do I control the larger span beyond just the third parties? How do I know that their software partners, their contractors that they're working with building their tools are doing a good job? And even if I know, meaning, John, you might send me a list of all of your vendors. I don't want to be the bad guy. I don't really have the right to go reach out to my vendors' vendors knocking on their door saying, hi, I'm Sam. I'm working with John and he's your customer. And I need to make sure that you're protecting my data. It's an awkward chain of conversation. So we're building some tools that help the security teams hold the entire ecosystem accountable. We actually have a capability called automatic vendor discovery. We can go detect who are the vendors of a company based on the connections that we see, the inbound and outbound connections. And what often ends up happening John is we're bringing to the attention to our customers, awareness about inbound and outbound connections. They had no idea existed. There were the shadow IT and the ghost vendors that were signed without going through an assessment. We detect those connections and then they can go triage and reduce the risk accordingly. >> I think that risk assessment of vendors is key. I was just reading a story about this, about how a percentage, I forget the number. It was pretty large of applications that aren't even being used that are still on in companies. And that becomes a safe haven for bad actors to hang out and penetrate 'cause they get overlooked 'cause no one's using them, but they're still online. And so there's a whole, I called cleaning up the old dead applications that are still connected. >> That happens all the time. Those applications also have applications that are dead and applications that are alive may also have users that are dead as well. So you have that problem at the application level, at the user level. 
We also see a permutation of what you describe, which is leftover artifacts due to configuration mistakes. So a company just put up a new data center, a satellite office in Singapore and they hired a team to go install all the hardware. Somebody accidentally left an administrative portal exposed to the public internet and nobody knew the internet works, the lights are on, the office is up and running, but there was something that was supposed to be turned off that was left turned on. So sometimes we bring to company's attention and they say, that's not mine. That doesn't belong to me. And we're like, oh, well, we see some reason why. >> It's his fault. >> Yeah and they're like, oh, that was the contractor set up the thing. They forgot to turn off the administrative portal with the default login credentials. So we shut off those doors. >> Yeah. Sam, this is really something that's not talked about a lot in the industry that we've become so reliant on managed services and other people, CISOs, CIOs, and even all departments that have applications, even marketing departments, they become reliant on agencies and other parties to do stuff for them which inherently just increases the risk here of what they have. So there inherently could be as secure as they could be, but yet exposed completely on the other side. >> That's right. We have so many virtual touch points with our partners, our vendors, our managed service providers, suppliers, other third parties, and all the humans that are involved in that mix. It creates just a massive ripple effect. So everybody in a chain can be doing things right. And if there's one bad link, the whole chain breaks. I know it's like the cliche analogy, but it rings true. >> Supply chain trust again. Trust who you trust. Let's see how those all reconcile. So Sam, I have to ask you, okay, you're a former CISO. You've seen many movies in the industry. Co-founded this company. You're in the front lines. You've got some cool things happening. 
I can almost imagine the vision is a lot more than just providing a rating and score. I'm sure there's more vision around intelligence, automation. You mentioned vault, wallet capabilities, exchanging keys. We heard at re:Inforce automated reasoning, metadata reasoning. You got all kinds of crypto and quantum. I mean, there's a lot going on that you can tap into. What's your vision where you see SecurityScorecard going? >> When we started the company, the rating was the thing that we sold and it was a language that helped technical and non-technical folks alike level the playing field and talk about risk and use it to drive their strategy. Today, the rating just opens the door to that discussion and there's so much additional value. I think in the next one to two years, we're going to see the rating becomes standardized. It's going to be more frequently asked or even required or leveraged by key decision makers. When we're doing business, it's going to be like, Hey, show me your scorecard. So I'm seeing the rating get baked more and more the lexicon of risk. But beyond the rating, the goal is really to make a world a safer place. Help transform and rise the tide. So all ships can lift. In order to do that, we have to help companies, not only identify the risk, but also rectify the risk. So there's tools we build to really understand the full risk. Like we talked about the inside, the outside, the fourth parties, fifth parties, the real ecosystem. Once we identified where are all the Fs and bad things, will then what? So couple things that we're doing. We've launched a pro serve arm to help companies. Now companies don't have to pay to fix the score. Anybody, like I said, can fix the score completely free of charge, but some companies need help. They ask us and they say, Hey, I'm looking for a trusted advisor. A Sherpa, a guide to get me to a better place or they'll say, Hey, I need some pen testing services. 
So we've augmented a service arm to help accelerate the remediation efforts. We're also partnered with different industries that use the rating as part of a larger picture. The cyber rating isn't the end all be all. When companies are assessing risk, they may be looking at a financial ratings, ESG ratings, KYC AML, cyber security, and they're trying to form a complete risk profile. So we go and we integrate into those decision points. Insurance companies, all the top insurers, re-insurers, brokers are leveraging SecurityScorecard as an ingredient to help underwrite for cyber liability insurance. It's not the only ingredient, but it helps them underwrite and identify the help and price the risk so they can push out a policy faster. First policy is usually the one that's signed. So time to quote is an important metric. We help to accelerate that. We partner with credit rating agencies like Fitch, who are talking to board members, who are asking, Hey, I need a third party, independent verification of what my CISO is saying. So the CISO is presenting the rating, but so are the proxy advisors and the ratings companies to the board. So we're helping to inform the boards and evolve how they're thinking about cyber risk. We're helping with the insurance space. I think that, like you said, we're only scratching the surface. I can see, today we have about 50,000 companies that are engaging a rating and there's no reason why it's not going to be in the millions in just the next couple years here. >> And you got the capability to bring in more telemetry and see the new things, bring that into the index, bring that into the scorecard and then map that to potential any vulnerabilities. >> Bingo. >> But like you said, the old days, when you were dating yourself, you were in a glass room with a door lock and key and you can see who's two folks in there having lunch, talking database. No one's going to get hurt. Now that's gone, right? 
So now you don't know who's out there and machines. So you got humans that you don't know and you got machines that are turning on and off services, putting containers out there. Who knows what's in those payloads. So a ton of surface area and complexity to weave through. I mean only is going to get done with automation. >> It's the only way. Part of our vision includes not attempting to make a faster questionnaire, but rid ourselves of the process all altogether and get more into the continuous assessment mindset. Now look, as a former CISO myself, I don't want another tool to log into. We already have 50 tools we log into every day. Folks don't need a 51st and that's not the intent. So what we've done is we've created today, an automation suite, I call it, set it and forget it. Like I'm probably dating myself, but like those old infomercials. And look, and you've got what? 50,000 vendors business partners. Then behind there, there's another a hundred thousand that they're using. How are you going to keep track of all those folks? You're not going to log in every day. You're going to set rules and parameters about the things that you care about and you care depending on the nature of the engagement. If we're exchanging sensitive data on the network layer, you might care about exposed database. If we're doing it on the app layer, you're going to look at application security vulnerabilities. So what our customers do is they go create rules that say, Hey, if any of these companies in my tier one critical vendor watch list, if they have any of these parameters, if the score drops, if they drop below a B, if they have these issues, pick these actions and the actions could be, send them a questionnaire. We can send the questionnaire for you. You don't have to send pen and paper, forget about it. You're going to open your email and drag the Excel spreadsheet. Those days are over. We're done with that. We automate that. 
You don't want to send a questionnaire, send a report. We have integrations, notify Slack, create a Jira ticket, pipe it to ServiceNow. Whatever system of record, system of intelligence, workflow tools companies are using, we write in and allow them to expedite the whole. We're trying to close the window. We want to close the window of the attack. And in order to do that, we have to bring the attention to the people as quickly as possible. That's not going to happen if someone logs in every day. So we've got the platform and then that automation capability on top of it. >> I love the vision. I love the utility of a scorecard, a verification mark, something that could be presented, credential, an image, social proof. To security and an ongoing way to monitor it, observe it, update it, add value. I think this is only going to be the beginning of what I would see as much more of a new way to think about credentialing companies. >> I think we're going to reach a point, John, where and some of our customers are already doing this. They're publishing their scorecard in the public domain, not with the technical details, but an abstracted view. And thought leaders, what they're doing is they're saying, Hey, before you send me anything, look at my scorecard securityscorecard.com/securityrating, and then the name of their company, and it's there. It's in the public domain. If somebody Googles scorecard for certain companies, it's going to show up in the Google Search results. They can mitigate probably 30, 40% of inbound requests by just pointing to that thing. So we want to give more of those tools, turn security from a reactive to a proactive motion. >> Great stuff, Sam. I love it. I'm going to make sure when you hit our site, our company, we've got camouflage sites so we can make sure you get the right ones. I'm sure we got some copyright dates. >> We can navigate the decoys. We can navigate the decoys sites. >> Sam, thanks for coming on. 
And looking forward to speaking more in depth on showcase that we have upcoming Amazon Startup Showcase where you guys are going to be presenting. But I really appreciate this conversation. Thanks for sharing what you guys are working on. We really appreciate. Thanks for coming on. >> Thank you so much, John. Thank you for having me. >> Okay. This is theCUBE conversation here in Palo Alto, California. Coming in from New York city is the co-founder, chief operating officer of securityscorecard.com. I'm John Furrier. Thanks for watching. (gentle music)
Lital Asher Dotan & Ofer Gayer Final
(upbeat music) >> Hi, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of our ongoing series, where we're talking with exciting partners in the AWS ecosystem. This topic on this episode is cybersecurity. Detect and protect against threats. I have two guests here with me today from Hunters. Please welcome Lital Asher-Dotan, the CMO. And Ofer Gayer, the VP of product management. Thank you both so much for joining us today. >> Thank you for having us, Lisa. >> Our pleasure. Lital, let's go ahead and start with you. Give the audience an overview of Hunters. What does it do, when was it founded, what's the vision? All that good stuff. >> So Hunters was founded in 2018. Two co-founders coming out of Unit 8200 in the Israeli Defense Force. The founders and our people in engineering and R&D are mostly coming from both offensive cybersecurity as well as defensive threat hunting, advanced operations, or being able to see and respond to advanced attacks. And with the knowledge that they came with, they wanted to enable security teams in organizations, not just those that are coming from, you know, military background but those that actually need to defend day in and day out against the growing cyber-attacks that are growing in sophistication, in the numbers of attacks. And we all know that every organization nowadays is being targeted, is it ransomware, more sophisticated attacks. So this thing has become a real challenge. And we all know those challenges that the industry is facing with talent scarcity, with lack of the knowledge and expertise needed to address this. So came in with this mindset of we want to bring our expertise into the field, build it into a platform, into a tool that will actually serve security teams in organizations around the world to defend against cyber attacks. So born and raised in Tel Aviv, became a global company. Recently raised a Series C funding. 
Funded by the world's greatest VCs, from Stripes, Wild Ventures, supported by Snowflake data breaks and Microsoft M12, also as strategic partners. And we now have broad variety of customers from all industries around the world, from tech to retail to e-commerce to banks that we work closely with. So very exciting times. And we're very excited to share today how we work with AWS customers to support the environments. >> Yeah, we're going to unpack that. So really solid foundation the company was built on, only a few years ago. Lital was there, why a new approach? Was there a compelling event? Obviously, we've seen dramatic changes in the threat landscape in recent years. Ransomware becoming a, when it happens to us, not if. But any sort of compelling event that really led the founders to go, "Ah! This new approach, we got to go this direction." >> Absolutely. We've seen a tremendous shift of organizations from cloud adoption to adoption of more security tools. Both create a scenario which the toolsets that are currently being used by security organizations, the security teams are not efficient anymore. They cannot deal with the plethora of a variety of data. They cannot deal with the scale that is needed. And the security teams are really under a tremendous burden of tweaking tools that they have in their environment without too much of automation, with a lot of manual work processes. So we've seen a lot of points where the current technology is not supporting the people and the processes that need to support security operations. And with that, Ofer, and his product team kind of set a vision of what a new platform should come to replace and enhance what teams are using these days. >> Excellent. Ofer, that's a perfect segue to bring you into the conversation. Talk about that vision and some of those really key challenges and problems that Hunters is solving for organizations across any industry. >> Yeah. So as Lital mentioned, it was very rightful. 
The problem with the SIEM space, that the space that we're disrupting is the well-known secret around is it's a broken space. There's a lot of competitors. There's a lot of vendors out there. It's one of the most mature, presumably mature markets in cybersecurity. But it seems like that every single customer and organization we talk to, they don't really like their existing solution. It doesn't really fit what they need. It's a very painful process and it's painful all across their workflow from the time they ingest the data. Everybody knows if you ever had a SIEM solution or a SOC platform, just getting the data into your environment can take the most amount of your time, the lion's share of whatever your engineers are working on will go to getting the data into the system, and then keeping it there. It's this black hole that you have to keep feeding with more and more resources as you go along. It's an endless task with a lot of moving pieces, and it's very very painful before you even get a single moment of value of security use case from your product. That's a big, painful piece. What you then see is, once they set it up, their detection engineering is so far behind the curve because of all the different times of things they need to take care of. It used to be a limited attack surface. We all know the attack surface here today is enormous, especially when you talk about something like AWS, there's new services, new things all the time, more accounts, more things. It keeps moving a lot, and keeping track of that and having someone that can actually look into a new threat when it's released, look into a new attack surface, analyze it, deploying the detections in time, test and tweak, and all those things. Most organizations don't even know how to start approaching this problem, and that's a big pain for them. When they finally get to investigating something, there lacks the context and the knowledge of how to investigate. 
They have very limited information coming to them and they go on this hunting chase of not hunting the attackers but hunting the data, looking for the bits and pieces they're missing to complete the picture. It's like this bad boss that gives you very little instructions or guidelines, and then you need to kind of try to figure out what is it that they asked, right? That's the same thing with trying to do triaging with very minimal context. You look at the IP and then you try to figure out, you look at the hash, you look at all these different artifacts and you try to figure out yourself. You have very limited insights. And the worst is when you're under the gun, when there's a new emerging threat that happens like a Log4Shell, and now you're under the gun and the entire company's looking at you and saying, "Are we impacted? What's going on? What should we be doing?" So from start to finish, it's a very painful process that impacts everybody in the security organization. A lot of cumbersome work with a lot of frustration. >> And it's companies in any industry, Ofer, don't have time. You talked about some of the time involved here in the lag. And there isn't time in the very dynamic threat landscape that customers are living in. Lital, question for you, is your primary target audience existing SIEM customers? 'Cause Ofer mentioned the disruption of the SIEM market. I'm just wanting to understand in terms of who you're targeting, what does that look like? >> Definitely looking for customers that have a SIEM and don't like it, don't find that it helps them improve the security posture. We also have organizations that are young, emerging, have a lot of data, a lot of tech companies that have grown in the last 10, 15 years, or even five years. With Snowflake as a customer, they're booming. They have so much data that going the direction of traditional tools to aggregate the logs, cross-correlate them doesn't make any sense with the scale that they need. 
They need the cloud-based approach, SaaS approach that is capable of taking care of the environment. So we both cater to those organizations that are shifting from on-prem to cloud and need visibility into those two environments and into those cloud natives. Born to the cloud don't want to even think of a traditional SIEM. >> You mentioned Snowflake. We were just at Snowflake Summit a couple of months ago, I think that was. And tremendous company that massive growth, massive growth in data across the board though. So I'm curious, Ofer, if we go back to you, if we can dig into some of these data challenges. Obviously, data volume and variety, it's only going to continue to grow and proliferate and expand. Data in silos is still a problem. What are some of those main data challenges that Hunters helps customers to just eliminate? >> Definitely. So the data challenge starts with getting the right data in. The fact that you have so many different products across so many different environments and you need to try to get them in some location to try to use them for running your queries, your rules, your correlation. It's a big prompt. There's no unified standard for anyone, even if there was, you would have a lot of legacy things on-premises, as well as your AWS environment. You need to combine all these. You can keep things only on-prem. You can own... Mostly a lot of, most organizations are still in hybrid mode. They have, they're shifting most of their things to AWS. You still have a lot of things on-prem that they're going to shift in the next 3, 4, 5 years. So that hybrid approach is definitely a problem for gathering the data. And when they gather the data, a lot of the times their existing solutions are very cost prohibitive and scale prohibitive from pushing all the data in a central location. So they have these data silos. They'll put some of it there, some of it here, some of that in a different location, hot storage, cold storage, long-term storage. 
They don't really, they end up not knowing really where the data is especially when they need it the most becomes a huge problem for them. Now with analytics, it's very hard to know upfront what data I'll need not tomorrow, but maybe in three months to look back and query. Making these decisions is very hard. Changing them later is even harder. Keeping track of all these moving pieces. You know, you have a device, you have some vendor sending you some logs, they changed their APIs. Who's in charge of fixing it? Who's in charge of changing your schema? You move from one EDR vendor to the other. How are you making sure that you keep the same level of protection? All these data challenges are very problematic for most customers. The most important thing is to be able to gather as much data as possible, putting it in a centralized location, and having good monitoring in a continuous flow of, I know what data I'm getting in. I know how much I'm using, and I'm making sure that it's working and flowing. It's going to a central place where I can use it at any time that I want. >> We've seen, if I can add- >> So, Lital- >> Sorry. >> Yes, please. >> You wanted to add on that? We've seen too much compromise on data that because of prohibitive costs, structure of tools, or because of inability to manage the scale, teams are compromising or making choices and are paying a price of the latency of being able to then go search if an incident happened, that if you are impacted by something. It all means money and time at the end of the day when you actually need to answer yourself, am I breached or not? We want to break out from this compromise. We think that data is something that should not be compromised. It's a commodity today. Everything should be retained, kept, and used as appropriately without the team needing to ration what they're going to use versus what they're not going to use. >> Correct (faintly speaking). >> That's a great point. >> Go ahead. >> Yeah. 
And we've seen customers either having entire teams dedicated to just doing this and, or leveraging products and companies that actually build a business around helping you filter the data that you need to put in different data silos, which to me is, shows how much problem, pain, and how much this space is broken with what it provides with customers that you have these makeshift solutions to go around the problem instead of facing it head on and saying, "Okay, let's build something that you're put all your data as much as you want, not have to compromise on security." >> You both bring up such a great point where data and security is concerned. No business can afford to compromise. Usually compromise is a good thing, but in that case, it's really not. Companies can't afford that. We know with the threat landscape, the risk, all of the incentives for bad actors that companies need to ensure that they're doing the right things in a timely manner. Lital, I'm curious, you mentioned the target markets that you're going after. Where were customer conversations? Is this a C-suite conversation from a data security perspective? I would think this is more than the CISO. >> It's a CISO conversation, as well as we talk on a daily basis with those that lead security operations, head of SOCs. Those that actually see how the analysts are being overworked, are tired, have so many false positives that they need to deal with, noise day in, day out, becoming enslaved with the tools that they need to work on and tweak. So we have seen that the ones that are most enlightened by a solution like Hunters are actually the ones that have the SOC reporting to them. They know the daily pain and how much the process is broken. And this is probably one of the... We all talk about, you know, job satisfaction or dissatisfaction, the greatest, the great resignation, people are leaving. This is the real problem in security. 
And the SOC is one of these places that we see this alert fatigue, people are struggling. It's a stressful work. And if there is anything that we can do to offload the work that is less appealing and have them work on what they sign up for, which is dealing with real threat, solving them, instead of dealing with false positives. This is where we can actually help. >> Can you add a little bit on that, Lital? And you mentioned the cybersecurity skills gap, which is massive. We talked about that a lot because it's a huge problem. How is Hunters a facilitator of companies that might be experiencing that? >> Absolutely. So we come with approach of, we call it the 80/20 of detection and response. Basically, there are about 80%, probably more, it's actually something like 95% of the threats are shared across all organizations in the world. Also, 80 to 90% of the environments are similar. People are using similar tools. They're on similar cloud services. We think that everything that goes around detection of threats, around those common attacks, scenarios in common attack landscape should come out of the box from the vendor like Hunters. So we automate, we write the rules, we cross-correlate. We provide those services out of the box once you sign in to use our solution. Your data flows in and we basically do the processing and the analysis of all the data, so that your team can actually focus on the 20%, or the 15, or the 5% that are very unique to your organization. If you are developing a specific app and you have the knowledge about the DevSecOps that needs to take place to defend it. Great, have your team focus on that. If you are a specific actor in a specific space and specific threats that are unique to you, you build your own detections into our tool. 
But the whole idea that we have the knowledge, we see attacks across industries and across industries we have the researchers and the capabilities to be on top of those things, so your team doesn't need to do it on a daily basis because new attacks come almost on a daily basis. Now, we read them in the news, we see them. So we do it, so your team doesn't have to. >> And nobody wants to be that next headline where a breach is concerned. Lital, close this out here with outcomes. I noticed some big stats on your website. I always gravitate towards that. What are some of the key outcomes that Hunters customers are achieving and then specifically AWS customers? >> Absolutely. Well, we already talked a lot about data and being able to ingest it. So we give our customers the predictability, the ability to ingest the data knowing what the cost is going to be in a very simple cost model. So basically you can ingest everything that you have across all IT tools that you have in your environment. And that helped companies reduce up to 75% of the data cost. We've seen with large customer, how much it changed when they moved from traditional SIEMs to using Hunters. Specifically, AWS customers can actually use the AWS Credits to buy Hunters if they're interested. Just go to AWS Marketplace, search for Hunters and come to a website, you can use your credits for that. I think we talked also about the security burden, the time spent on writing rules plus correlating incidents. We have seen sometimes a change in, instead of investigating an incident for two days, it is being cut for 20 minutes because we give them the exact story of the entire attack. What are the involved assets? What are the users that are involved, that they can just go see what's happening and then immediately go and remediate it. So big shift in mean time to detect, mean time to respond. And I'm sure Ofer has a more kind of insights that he's seen with some of our customers around that. >> Yeah. 
So some great examples recently there. So there's two things that I've been chatting to customers about. One thing they really get a benefit of is we talked about the problem with talent. And where that really matters the most is that under the gun mode, we have a service that is, we see it as the natural progression of the service that we provide called Team Axon. What Team Axon does for you is when you're under the gun, when something like Log4Shell happens and everybody's looking at you, and time is ticking, instead of trying to figure out on yourself, Team Axon will come in, figure out the threat, will devise a report for all the customers, run queries on your behalf on your data, and give it to you within 24 hours. You'll have something to show your CEO or your executive team, your board even, this is where we got impacted or not impacted. This is what we did. Here's the mitigation thing, step that we need to take from world-class experts that you might not get access to for every single attack out there. That really helps customers kind of feel like they're safe. There's someone there to help them. There's a big brother there. I call it sometimes the Bat-Signal when we need it the most. The other thing is on the day-to-day, a lot of solutions will kind of talk about out-of-the-box security. Now, the problem with out-of-the-box security is keeping it up to date, that's what a lot of people miss. You have to think that you installed a year ago, but security doesn't stay put, you need to keep updating it. And you need to keep it updated pretty pretty frequently to stay ahead of the curve. If you're behind couple of months on your security updates, you know what happens. Same thing with your SOC platform on your SIEM rule base. The reason that customers don't update is because if they usually do, then it might blow up the amount of alerts they're getting 'cause they need to tweak them. 
With the approach that we take that we tested on our customer's data transparently for them, and make sure to release them without false positives. We're just allowing them to push the updates transparently directly to their account. They don't need to do anything. And one customer, one of our biggest accounts, they have dozens of subsidiaries and multiple SOCs and one of the largest e-commerce companies in the world. And the person running security, he said, "If I had to do what Hunters gives me out of the box myself, I have to hire 20 people and put them to work for 18 months for what you give me out of the box." So for me, it's a very- >> That's huge. >> What we give customers and the kind of challenges that we're able to solve for them. >> Big challenges. Lital and Ofer, thank you so much for joining us on theCUBE today as part of this AWS Startup Showcase, talking about what Hunters does, why the vision and the value in it for customers. We appreciate your time and your insights. >> Thank you so much. >> For having us. >> My pleasure. For my guests, I'm Lisa Martin. Thank you for watching this episode of the AWS Startup Showcase. We'll see you soon. (cheerful music)
Merritt Baer, AWS & Shariq Qureshi, Deloitte | AWS re:Inforce 2022
Okay. We're back at AWS re:Inforce 2022. My name is Dave Vellante, and this is theCUBE, we're here in Boston, home of lobster and CDA. And we're here, the convention center where theCUBE got started in 2010, Shariq Qureshi is here, the senior manager at Deloitte & Touche LLP, and Merritt Baer is back on theCUBE. Good to see >>You guys can't keep me away, >>Right? No. Well, we love having you on theCUBE. Shariq, set up your role at, at Deloitte & Touche, what do you actually, what's your swim lane, if you will. >>Yeah, sure. You know, I spend, I wear a lot of hats. I spend a lot of time in the assurance, the controls advisory audit type of role. So I spend our time, a lot of time working with our clients to understand, you know, regulatory requirements, compliance requirements, and then controls that they need to have in place in order to address risks, technology risks, and ultimately business risks. >>So I like to put forth premise, you know, when I walk around a show like this and come up with some observations and then I like to share 'em and then people like me. Well, you know, maybe so help me course correct. My epiphany at this event is the cloud is becoming the first line of defense. The CISO at your customers is now the second line of defense. I think audit is maybe the third line of defense. Do, do you buy that the sort of organizational layered approach? >>No, because in fact, what we're here to talk about today is Audit Manager, which is integrated, right? Like if you're doing so the whole notion of cloud is that we are taking those bottom layers of the stack, right? So the concrete floors up through layer for the hypervisor, the, the racks and stacks and HVAC and guards and gates up through the hypervisor, right? Our, our proprietary hardware Nitro ecosystem, which has security inheritance is okay upon that. We are then virtualized. Right? 
And so what we're really talking about is the ways that audit looks different today, that you can reason about what you're doing. So you're doing infrastructure as code. You can do security as code, you can do compliance as code, and that's the beauty of it. So like for better, or in your case for worse in your analogy, you know, these are integrated, these are woven together and they are an API call >>Seamless. >>It, it is like easy to describe, right? I mean, like you can command line knowledge about your resources. You can also reason about it. So like, this is something that's embedded, for example, in Inspector you can do network reachability, know whether you have an internet facing endpoint, which is a PCI, you know, requirement, but that'll be dashboarded in your Security Hub. So there's the cloud is all the stuff we take away that you don't have to deal with. And also all the stuff that we manage on top of it that then you can reason about and augment and, and take action on. >>Okay. So at the same time you can't automate the audit entirely. Right? So, but, but talk about the challenges of, of, of, of automating and auditing cloud environment. >>Yeah. I mean, when I look at cloud, you know, organizations move to take advantage of cloud characteristics and cloud capabilities, right? So elasticity, scalability is one of them. And, you know, for market conditions, business, business outcomes, you know, resources expand and contract. And one of the questions that we often get as an auditor is how do you maintain a control environment for resources that weren't there yesterday, but are there today, or that are, that are no longer there and that are there today. So how do you maintain controls and how do you maintain security consistently uniformly throughout an audit environment? It's not there. So that's a challenge auditors, you know, historically when you look at the on-prem environment, you have servers that are there, it's a physical, it's a physical box. 
You can touch it and see it. And if it goes down, then, you know, it's still there. You can hug >>It if you're some people >>It's still there. So, but you know, with, you know, with cloud things get torn down that you don't see. So how do you maintain controls? That's, you know, it, one challenges, it >>Sounds like you're describing a CMDB for audit. >>I mean, that's a, that's an outcome of having, you know, getting good controls of having a CMDB to keep track and have an inventory of your assets. >>But the problem with CMDB is they're out of date, like so, so quickly, is it different in the cloud world? >>Yeah, exactly. I mean, yes. And yes, they are outta date. Cuz like anything static will be manual and imprecise, like it's gonna be, did John go calculate, like go count how many servers we have. That's why I was joking about server huggers versus like virtualizing it. So you put out a call and you know, not just whether it exists, but whether it's been patched, whether it's, you know, like there are ways that we can reason about what we've done, permissioning pruning, you know, like, and these, by the way, correspond to audit and compliance requirements. And so yes, we are not like there, it's not a click of a, whatever, a snap of the fingers, right. It takes work to translate between auditors and us. And it also takes work to have customers understand how they can augment the way that they think about compliance. But a lot of this is just the good stuff that they already need to be doing, right? Knowing internet facing endpoints or whatever, you know, like pruning permissioning. And there's a lot of ways that, you know, access analyzer, for example, these are automated reasoning tools that come from our formal reasoning group, automated reason group that's in identity. Like they, computers can reason about things in ways that are more complex, as long as it can be resolved. It's like EEU utility in mathematics. 
You don't go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it. >>Okay. So hearing that there's a changing landscape yeah. In compliance shift from a lot of manual work to one that's much more highly automated, maybe not completely integrated and seamless. Right. But, but working in that direction, right. Yeah. Is that right? And maybe you could describe that in a little bit more detail, how that, you know, journey has progressed. >>I mean, just the fact alone that you have, you know, a lot of services, a lot of companies that are out there that are trying to remove the manual component and to automate things, to make things more efficient. So then, you know, developers can develop and we can be more agile and to do the things that, you know, really what the core competencies are of the business to remove those manual, you know, components to take out the human element and there's a growing need for it. You know, like we always look at security as, you know, like a second class citizen, we don't take advantage of, you know, the, you know, the opportunities that we need to, to do to maintain controls. So, you know, there's an opportunity here for us to look at and, and automate compliance, to automate controls and, and to make things, you know, seamless >>As a fun side benefit, you will actually hopefully have improved your actual security and also retain your workforce because people don't wanna be doing manual processes. You know, they wanna be doing stuff that humans are designed for, which is creative thinking, innovation, you know, creating ways to make new pathways instead of just like re walking these roads that a computer can analyze, >>You mentioned audit manager, what is that? I mean, let's give a plug for the product or the service. What's that all about what problems does it solve? Let's get >>Into that. Yeah. I mean, audit manager is a first of its kind service. 
You're not gonna find this offered through any other hyperscaler it's specifically geared and tailored towards the second line, which is security and compliance and a third line function, which is internal audit. So what is it looking to do and what is it looking to address some of those challenges working in a cloud space working, and if you have a cloud footprint. So for example, you know, most organizations operate in a multi account strategy, right? You don't just have one account, but how do you maintain consistency of controls across all your accounts? Auto manager is a service that can give, you know, kind of that single pane of view that to see across your entire landscape, just like a cartographer has a map to see, you know, the entire view of what he's designing auto managers does the same thing only from a cloud perspective. So there's also other, you know, features and capabilities that auto managers trying to integrate, you know, that presents challenges for those in compliance those in the audit space. So, you know, most companies, organizations they have, you know, not just one framework like SOC two or GDPR, high trust, HIPAA PCI, you know, you can select an industry accepted framework and evaluate your cloud consumption against, you know, an industry accepted framework to see where you stand in terms of your control posture, your security hygiene, >>And that's exclusive to AWS. Is that what you're saying? You won't find that on any other hyper scale >>And you'll find similarities in other products, but you won't find something that's specifically geared towards the second line and third line. There's also other features and capabilities to collect evidence, which is, I don't see that in the marketplace. >>Well, the only reason I ask that is because, you know, you, everybody has multiple clouds and I would love, I would love a, you know, an audit manager that's, that's span that transcends, you know, one cloud, is that possible? 
Or is that something that is just not feasible because of the, the, the deltas between clouds? >>I mean, anything's possible with the APIs right now, the way that, you know, you have to ingrain in, right. There's, you know, a, a feature that was introduced recently for audit manager was the ability to pull in APIs from third party sources. So now you're not just looking, looking exclusively at one cloud provider, you're looking at your entire digital ecosystem of services, your tools, your SA solutions that you're consuming to get a full, comprehensive picture of your environment. >>So compliance, risk, audit security, they're like cousins that are all sort of hanging out on the same holiday, but, but they're different. Like what help us understand and squint through those different disciplines. >>Yeah. I mean, each of them have, you know, a different role and a hat to wear. So internal audit is more of your independent arm of management working or reporting directly towards, you know, to the audit committee or to the board to give an independent view on company control and posture security and compliance works with management to help design the, that there that are intended to prevent, detect, or even correct, you know, controls, breakdowns, you know, those action, those action verb items that you wanna prevent unauthorized access, or you wanna restrict changes from making its way into production unless it's approved and, and documented and tracked and so on and so forth. So each, you know, these roles they're very similar, but they're also different in terms of what their function is. >>How are customers dealing with regional differences? You mentioned GDPR, different regulations, data sovereignty, what are the global nuances and complexities that, that, that cloud brings. And how are you addressing those? >>Yeah. Merit, I don't know if you had any thoughts on that one. 
>> I mean, I think that a lot of what, and this will build off of your response to the sort of Venn diagrams of security and risk and compliance and audit. I think, you know, what we're seeing is that folks care about the same stuff. They care about privacy. They care about security. They care about incentivizing best practices. The form that that takes when it's a compliance framework is by definition a little bit static over time. Whereas security tends to be more quickly evolving with standards that are like industry standards. And so I think one of the things that, you know, all these compliance frameworks have in, in mind is to go after those best practices, the forms that they take may take different forms. You know what I mean? And so I, I see them as hopeful in the motivation sense that we are helping entities get the wherewithal they need to grow up or mature or get even more security minded. I think there are times that they feel a little clunky, but you know, that's just Frank. Yeah. >> It, it, it can Audit Manager sort of help me solve that problem. Is that the intent? And I see what you're saying, Merritt, that there security is at a different pace than, than, you know, GDPR, a privacy, you know, person, >> Right. I mean, like security says, we want this outcome. We want to have, you know, data be protected. The compliance may say, it must be this particular encryption standard. You know what I mean? Like the form I see things taking over time will evolve and, and feels dynamic. Whereas I think that sometimes when we think about compliance and it's exactly why we need stuff like Audit Manager is to like help manage exactly what articulation of that are we getting in this place at this time for this regulated industry? And like almost every customer I have is regulated. If you're doing business, you're probably in PCI, right. >> And there's never just one silver bullet. 
So security is, is a number of things that you're gonna do, the number of tools that you're gonna have. And it's often the culture in, in what you develop in your people, your process and technology. So Audit Manager is one of the components of robust strategy on how to address security. >> But it's also one of those things where like, there are very few entities, maybe Deloitte is one that are like built to do compliance. They're built to do manufacturing, automotive, hospitality. Yeah. You know, like they're doing some other industry as their industry. Right. And we wanna let them have less lag time as they make sure that they can do that core business. And the point is to enable them to move our, I mean like sure. I think that folks should move to the cloud because of security, but you don't have to, you should move because it enables your business. And this is one of the ways in which it just like minimizes, you know, like whatever our tailwinds lagging or push it anyway, it pushes you. Right. I mean, like it minimizes the lag >> Definitely tailwind. So are you suggesting, Merritt, that you can inject that industry knowledge and specificity into things like Audit Manager and, and actually begin to automate that as, and of course Deloitte has, you know, industry expertise, Shariq, but, but, but how should we think about that? >> I mean, you're gonna, you're gonna look at your controls comprehensively across the board. So if you operate in an industry, you're gonna look to see like, what's, what's important for you. What do you have to, you know, be mindful of? So if you have data residency concerns, you wanna make sure that you've tailored your controls based on the risks that you're addressing. 
So if there's a framework >> And remember that you can go in the console and choose what region you're, you know, like we never remove your data from your region that you have chosen, you know, like this is, there's an intentionality and an ability to do this with a click of a mouse or with an API call that's, you know, or with a CloudFormation template. That's like, there is a deliberateness there. There's not just like best wishes. >> You know, >> ESG is in scope. I presume, you know, helping the CISO become more green, more diverse. Increasingly you're seeing ESG reports come out from major organizations. I presume that's part of the compliance, but maybe not, maybe it hasn't seeped in yet. Are you seeing >> For that? I think it's still a new service, Audit Manager. It's still, you know, being developed, but, you know, continuous feedback to make sure that, you know, we're covering a, a broad range of services and, and, and those considerations are definitely in the scope. Yeah. >> I mean, are you hearing more of that from >> Clients? So, I mean, we have an internal commitment to sustainability, right. That has been very publicly announced and that I'm passionate about. We also have some other native tools that probably, you know, are worth mentioning here, like Security Hub that does, you know, CIS benchmarking and other things like that are traffic lighted in their dashboard. You know, like there are ways a lot of this is going to be the ways that we can take what might have been like an ugly ETL process and instead take the managedness on top of it and, and consume that and allow your CISO to make high velocity decision, high velocity, high quality decisions. >> What's the relationship between your two firms? How do you work >> To I'm like we just met. >> Yeah. I sense that, so is it, is it, how do you integrate, I guess is >> A question. Yeah. 
I mean, I mean, from the audit perspective, our perspective, working with clients and understanding, you know, their requirements and then bringing the service Audit Manager from the technical aspect and how we can work together. So we have a few use cases, one we've working with the tech company who wanted to evaluate, you know, production workload that had content, you know, critical client information, client data. So they needed to create custom controls. We were working with them to create custom controls, which Audit Manager would evaluate their environment, which would, you know, there's a reporting aspect of it, which was used to, you know, to present to senior leadership. So we were working together with AWS and on helping craft what those custom controls were in implement at the customer. >> Yeah. I mean, among other things, Deloitte can help augment workforce. It can help folks interpret their results when they get outputs and act upon them and understand industry standards for responsiveness there. I mean, mean like it's a way to augment your approach by, you know, bringing in someone who's done this before. >> Yeah. Cool, cool. Collaboration on a topic that's generally considered, sorry. Don't, don't hate me for saying this boring, but really important. And the fact that you're automating again makes it a lot more interesting guys. Excellent. Thanks for your sharp first time on theCube. Thank you. Absolutely on, appreciate it. Rapidly. Becoming a VIP. Thanks. Coming on. Hey, I'll take it. All right. Keep it right there. Thank you. This is Dave Vellante for theCube. You're watching our coverage of AWS re:Inforce 2022 from Boston. We'll be right back.
Anshu Sharma | AWS Summit New York 2022
(upbeat music) >> Man: We're good. >> Hey everyone. Welcome back to theCube's live coverage of AWS Summit NYC. We're in New York City, been here all day. Lisa Martin, John Furrier, talking with AWS partners ecosystem folks, customers, AWS folks, you name it. Next up, one of our alumni, rejoins us. Please welcome Anshu Sharma the co-founder and CEO of Skyflow. Anshu great to have you back on theCube. >> Likewise, I'm excited to be back. >> So I love how you guys founded this company. Your inspiration was the zero trust data privacy vault pioneered by two of our favorites, Apple and Netflix. You started with a simple question. What if privacy had an API? So you built a data privacy vault delivered as an API. Talk to us, and it's only in the last three and a half years. Talk to us about a data privacy vault and what's so unique about it. >> Sure. I think if you think about all the key challenges we are seeing in our personal lives when we are dealing with technology companies a lot of anxiety is around what happens to my data, right? If you want to go to a pharmacy they want to know not just your health ID number but they want to know your social security number your credit card number, your phone number and all of that information is actually useful because they need to be able to engage with you. And it's true for hospitals, health systems. It's true for your bank. It's true for pretty much anybody you do business with even an event like this. But then question that keeps coming up is where does this data go? And how is it protected? And the state of the art here has always been to keep kind of, keep it protected when it's in storage but almost all the breaches, all the hacks happen not because you've steal somebody's disc, but because someone enters through an API or a portal. So the question we asked was we've been building different shapes of containers for different types of data. You don't store your logs in a data warehouse. 
You don't store your analytical data in a regular RDBMS. Similarly, you don't store your passwords and usernames you store them in identity systems. So if PII is so special why isn't it a container that's used for storing PII? So that's how the idea of Pii.World came up. >> So you guys just got a recent funding, a series B financing which means for the folks out there that don't know the inside baseball, most people do, means you're doing well. It's hard to get that round of funding means you're up and growing to the right. What's the differentiator? Why are you guys so successful? Why the investment growth, what's the momentum driver? >> So I think in some ways we took one of the most complex problems, data privacy, like half the people can't even describe like, does data privacy mean like I have to be GDPR compliant or does it actually mean I'm protecting the data? So you have multiple stakeholders in any company. If you're a pharma company, you may have a chief privacy officer, a data officer, this officer, that officer, and all of these people were talking and the answer was buy more tools. So if you look around behind our back, there's probably dozens of companies out there. One protecting data in an API call another protecting data in a database, another one data warehouse. But as a CEO, CTO, I want to know what happens to my social security number from a customer end to end. So we said, if you can radically simplify the whole thing and the key insight was you can simplify it by actually isolating and protecting this data. And this architecture evolved on its own at companies like Apple and other places, but it takes dozens of engineers for those companies to build it out. So we like, well, the pattern will makes sense. It logically kind is just common sense. So instead of selling dozens of tools, we can just give you a very simple product, which is like one API call, you know, protect this data... 
>> So like Stripe is for a plugin for a financial transaction you plug it into the app, similar dynamic here, right? >> Exactly. So it's Stripe for payments, Twilio for Telephony. We have API for everything, but if you have social security numbers or pan numbers you still are like relying on DIY. So I think what differentiated us and attracted the investors was, if this works, >> It's huge. every company needs it. >> Well, that's the integration has become the key thing. I got to ask you because you mentioned GDPR and all the complexities around the laws and the different regulations. That could be a real blocker in a wet blanket for innovation. >> Anshu: Yes. >> And with the market we're seeing here at, at your Summit New York, small event. 10,000 people, more people here than were at Snowflake Summit as an example. And they're the hottest company in data. So this small little New York event is proven that that world is growing. So why should this wet blanket, these rules slow it down? How do you balance it? 'Cause that's a concern. If you checking all the boxes you're never actually building anything. >> So, you know, we just ran into a couple of customers who still are struggling with moving from the data center to AWS Cloud. Now the fact that here means they want to but something is holding them back. I also met the AI team of Amazon. They're doing some amazing work and they're like, the biggest hindrance for them is making customers feel safe when they do the machine learning. Because now you're opening up the data sets to more people. And in all of those cases your innovation basically stops because CSO is like, look you can't put PII in the cloud unprotected. And with the vault architecture we call it privacy by architecture. So there's a term called privacy by design. I'm like what the, is privacy by design, right? >> John: It's an architecture. 
(John laughing) >> But if you are an architecture and a developer like me I was like, I know what architecture is. I don't know what privacy by design is. >> So you guys are basically have that architecture by design which means foundational based services. So you're providing that as a service. So other people don't have to build the complex. >> Anshu: Exactly. >> You know that you will be Apple's backend team to build that privacy with you you get all that benefit. >> Exactly. And traditionally, people have had to make compromises. If you encrypt the data and secure it, then you can't use it. Using a proprietary polymorphic encryption technology you can actually have your cake and eat it too. So what that means for customers is, if you want to protect data in Snowflake or Redshift, use Skyflow with it. We have integrations to databases, to data lakes, all the common workflow tools. >> Can you give us a customer example that you think really articulates the value of what Skyflow is delivering? >> Well, I'll give you two examples. One in the FinTech space, one in the health space. So in the FinTech space this is a company called Nomi Health. They're a large payments processor for the health insurance market. And funnily enough, their CTO actually came from Goldman Sachs. He actually built Apple Card. (John laughing) Right? That if we all have in our phones. And he saw our product and he's like, for my new company, I'm going to just use you guys because I don't want to go hire 20 engineers. So for them, we had a HIPAA compliant environment a PCI compliant environment, SOC 2 compliant environment. And he can sleep better at night because he doesn't have to worry what is my engineer in Poland or Ukraine doing right now? I have a vault. I have rules set up. I can audit it. Everything is logged. Similarly for Science 37, they run clinical trials globally. They wanted to solve data residency. 
So for them the problem was, how do I run one common global instance? 
When the rules say you have to break everything up and that's very expensive. >> And so I love this. I'm a customer. For them a customer. I love it. You had me at hello, API integration. I love it. How much does it cost? What's it going to cost me? How do I need to think about my operationalizing? 'Cause I know with an API, I can do that. Am I paying by the usage, by the drink? How do I figure out? >> So we have programs for startups where it's really really inexpensive. We get them credits. And then for enterprises, we basically have a platform fee. And then based on the amount of data PII, we charge them. We don't nickel and dime the customers. We don't like the usage based model because, you don't know how many times you're going to hit an API. So we usually just based on the number of customer records that you have and you can hit them as many times as you want. There's no API limits. >> So unlimited record based. >> Exactly. That's your variable. >> Exactly. We think about you buying Auth0, for example, for authentication you pay them by the number of active users you have. So something similar. >> So you run on AWS, but you just announced a couple of new GTM partners, MuleSoft and plan. Can you talk to us about, start with MuleSoft? What are you doing and why? And the same with VLA? >> Sure. I mean, MuleSoft was very interesting customers who were adopting our products at, you know, we are buying this product for our new applications but what about our legacy code? We can't go in there and add APIs there. So the simplest way to do integration in the legacy world is to use an integration broker. So that's where MuleSoft integration came out and we announced that. It's a logical place for you to swap out real social security numbers with, you know, fake ones. And then we also announced a partnership with Snowflake, same thing. I think every workload as it's moving to the cloud needs some kind of data protection with it. 
So I think going forward we are going to be announcing even more partnerships. So you can imagine all the places you're storing PII today whether it's in a call center solution or analytics solution, there's a PII story there. >> Talk about the integration aspect because I love the momentum. I get everything makes secure the customers all these environments, integrations are super important to plug into. And then how do I essentially operate you on my side? Do I import the records? How do you connect to my environment in my databases? >> So it's really, really easy when you encrypt the data and use Skyflow vault, we create what is called a format preserving token, which is essentially replacing a social security number with something that looks like an SSN but it's not. So that there's no schema changes involved. You just have to do that one time swap over and then in terms of integrations, most of these integrations are prebuilt. So Snowflake integration is prebuilt. MuleSoft integration is prebuilt. We're going to announce some new ones. So the goal is for off the table in platforms like Snowflake and MuleSoft, we prebuilt all the integrations. You can build your own. It takes about like a day. And then in terms of data import basically it's the same standard process that you would use with any other data store. >> Got to ask you about data breaches. Obviously the numbers in 2021 were huge. We're seeing so much change in the cyber security landscape ransomware becoming a household word, a matter of when but not if... How does Skyflow help organizations protect themselves or reduce the number of breaches so that they are not the next headline? >> You know, the funny thing about breaches is again and again, we see people doing the same mistakes, right? So Equifax had a breach four years ago where a customer portal, you know, no customer support rep should have access to a 100 million people's data. Like is that customer agent really accessing 100 million? 
But because we've been using legacy security tools they either give you access or don't give you access. And that's not how it's going to work. Because if I'm going to engage with the pharmacy and airline they need to be able to use my data in multiple different places. So you need to have fine grain controls around it. So I think the reason we keep getting breaches is cybersecurity industry is selling, 10s of billions of dollars worth of tools in the name of security but they cannot be applied at a fine grain level enough. I can't say things like for my call center agent that's living in Phoenix, Arizona they can only verify last four digits, but the same call center worker in Philippines can't even see that. So how do you get all that granular control in place? Is really why we keep seeing data breaches. So the Equifax breach, the Shopify breach the Twitter breaches, they're all the same. Like again and again, it's either an inside person or an external person who's gotten in. And once you're in and this is the whole idea of zero trust as you know. Once you're in, you can access all the data. Zero trust means that you don't assume that you actually isolate PII separately. >> A lot of the cybersecurity issues as you were talking about, are people based. Somebody clicking on something or gaining access. And I always talk to security experts about how do you control for the people aspect besides training, awareness, education. Is Skyflow a facilitator of that in a way that we haven't seen before? >> Yeah. So I think what ends up happening is, people even after they have breaches, they will lock down the system that had the breach, but then they have the same data sitting in a partner database, maybe a customer database maybe a billing system. So by centralizing and isolating PII in one system you can then post roles based access control rules. You can put limitations around it. 
But if you try to do that across hundreds of databases, you're just not going to be able to do it because it's basically just literally impossible, so... >> My final question for you is on, for me is you're here at AWS Summits, 10,000 people like I said. More people here than some big events and we're just in New York City. Okay. You actually work with AWS. What's next for you guys as you got the fresh funding, you guys looking for more talent, what's your next mountain you're going to climb? Tell us what's next for the company. Share your vision, put a plug in for the company. >> Well, it's actually very simple. Today we actually announced that we have a new chief revenue officer who's joining us. Tammy, she's joined us from LaunchDarkly which is it grew from like, you know, single digits to like over nine digits in revenue. And the reason she's joining Skyflow is because she sees the same inflection point hitting us. And for us that means more marketing, more sales, more growth in more geographies and more partnerships. And we think there's never been a better time to solve privacy. Literally everything that we deal with even things like Roe v. Wade issues eventually ties back into an issue around privacy. >> Lisa: Yes. >> AWS gets the model API, you know, come on, right? That's their model. >> Exactly. So I think if you look at the largest best companies that have been built in the last 20 years they took something that should have been simple but was not. There used to be Avayas of the world, selling Telephony intel, Twilio came and said, look an API. And we are trying to do the same to the entire security compliance and privacy industry is to narrow the problem down and solve it once. >> (indistinct) have it. We're going to get theCube API. (Lisa laughing) That's what we're going to do. All right. >> Thank you so much. >> Awesome. Anshu, thank you for joining us, talking to us about what's new at Skyflow. 
It sounds like you got that big funding investment. 
Probably lots of strategic innovation about to happen. So you'll have to come back in a few months and maybe at next reinvent in six months and tell us what's new, what's going on. >> Last theCube interview was very well received. People really like the kind of questions you guys asked. So I love this show and I think... >> It's great when you're a star like you, you got good market, great team, smart. I mean, look at this. I mean, what slow down are we talking about here? >> Yeah. I don't see... >> There is no slow down on the enterprise. >> Privacy's hot and it's incredibly important and we're only going to be seeing more and more of it. >> You can talk to any CIO, CSO, CTO or the board and they will tell you there is no limit to the budget they have for solving the core privacy issues. We love that. >> John: So you want to move on to building? >> Lisa: Obviously that must make you smile. >> John: You solved a big problem. >> Thank you. >> Awesome. Anshu, thank you again. Congrats on the momentum and we'll see you next time and hear more on the evolution of Skyflow. Thank you for your time. >> Thank you. >> For John Furrier, I'm Lisa Martin. You're watching theCube live from New York City at AWS Summit NYC 22. We'll be right back with our next guest. So stick around. (upbeat music)
Thomas Bienkowski, Netscout |Netscout Advanced NPR Panel 7 22
>> EDR, NDR, what are the differences, which one's better? Are they better together? Today's security stack contains a lot of different tools and types of data and unfortunately, as you know, this creates data silos, which leads to visibility gaps. EDR is endpoint detection and response. It's designed to monitor and mitigate endpoint attacks, which are typically focused on computers and servers. NDR, network detection and response, on the other hand, monitors network traffic to gain visibility into potential or active cyber threats, delivering real time visibility across the broader network. One of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily. Network data, on the other hand, much harder to manipulate. Because attackers and malware can avoid detection at the endpoint, NDR, as you're gonna hear, is the only real source for reliable, accurate, and comprehensive data. >> All endpoints use the network to communicate, which makes your network data the ultimate source of truth. My name is Lisa Martin, and today on the special Cube presentation, Tom Bienkowski, senior director of product marketing at Netscout, and I are gonna explore the trends and the vital reasons why relying upon EDR is not quite enough. We're also gonna share with you the growing importance of advanced NDR. Welcome to the series, the growing importance of advanced NDR. In the first segment, Tom's gonna talk with me about the trends that are driving enterprise security teams to implement multiple cyber security solutions that enable greater visibility, greater protection. We're also gonna explore Gartner's concept of the security operations center, SOC visibility triad, and the three main data sources for visibility, SIEM, EDR and NDR. In segment two, Tom. 
and I will talk about the role of NDR and how it overcomes the challenges of EDR. As Tom's gonna discuss, as you'll hear, EDR is absolutely needed, but as he will explain, it can't be solely relied upon for comprehensive cybersecurity. And then finally, we'll come back for a third and final segment to discuss why not all NDR is created equal. Tom's gonna unpack the features and the capabilities that are most important when choosing an NDR solution. Let's do this. Here comes our first segment. >>Hey, everyone. Kicking things off, this is segment one. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome to The Growing Importance of Advanced NDR. Tom, great to have you on the program. >>Glad to be here. >>So we're gonna be talking about the trends that are driving enterprise security teams to implement multiple cyber security solutions that really enable greater visibility and protection. And there are a number of factors that continue to expand the attack surface for enterprise networks. I always like to think of them as kind of spreading amorphously. You had shared some stats with me previously, Tom, some cloud adoption stats for 2022: 94% of all enterprises today use a cloud service and more than 60% of all corporate data is stored in the cloud. So, Tom, what are some of the key trends that Netscout is seeing in the market with respect to this? >>Yeah, so just to continue that, you know, those stats, that migration of workloads to the cloud is a major trend that we're seeing, and that was exacerbated by the pandemic, right, along with working from home. Those two things are probably the most dramatic changes that we see out there today. But along with that is also this growing sophistication of the network. You know, today, your network environment isn't a simple hub and spoke or something like that.
It is a very sophisticated combination of, you know, high-speed backbones, potentially up to a hundred gigabits, in combination with partner networks. You have, like we said, workloads up in private clouds, public clouds. So you have this hybrid cloud environment. And then you have applications that are multi-tiered. There are pieces and parts in all of that, some on your premise, some up in a private cloud, some on a public cloud, some actually pulling data off, you know, a customer network or potentially even a partner network. So really, really sophisticated environment today. And that's requiring this need for very comprehensive network visibility, not only for cybersecurity purposes, but also just to make sure that those applications and networks are performing as you have designed them. >>So when it comes to gaining visibility into cyber threats, you talked about the sophistication and, it sounds like, even the complexity of these networks. Gartner introduced the concept of the security operations visibility triad, or the SOC visibility triad. Break that down for us. It consists of three main data sources, but break those three main data sources down for us. >>Sure. So Gartner came out a few years ago where they were trying to, you know, summarize where do security operations teams get visibility into threats, and they put together a triad. And the three sides of the triad consist of one, the SIEM, security information event manager; two, the endpoint, or data that you get from EDR systems, endpoint detection and response systems. And the third side is the network, or the data you get from network detection and response systems. And, you know, they didn't necessarily say one is better than the other. They basically said that you need all three in order to have comprehensive visibility for cybersecurity purposes. >>So all three perspectives are needed.
Talk about what each provides. What are the different perspectives on threat detection and remediation? >>Yeah. So let's start with the SIEM. You know, that is a device that is gathering alerts or logs from all kinds of different devices all over your network, be it routers, servers, you know, firewalls, IDS, or even from endpoint detection and network detection devices too. So it is the aggregator or consumer of all those alerts. The SIEM is trying to correlate those alerts across all those different data sources and trying the best it can to bubble up potentially the highest priority alerts, or drawing correlations and giving you some guidance on, hey, here's something that we think is really of importance or high priority. Here's some information that we have across these disparate data sources. Now go investigate. The disadvantage of the SIEM is that's all it gives you, is just these logs or information. It doesn't give you any further context. >>Like what happened? What is really happening at the endpoint? Can I get visibility into the files that were potentially manipulated, or the registry setting? Or what happened on the network? Can I get visibility into the packet data or things like that? So that's where it ends. And that's where the other two sides of the equation come in. The endpoint will give you that deeper visibility, endpoint detection and response. It will look for known and/or unknown threats, you know, at that endpoint. It'll give you all kinds of additional information that is occurring on the endpoint, whether it be a registry setting, in memory, on the file, et cetera. But, you know, some of its disadvantages: it's really difficult to deploy pervasively because it requires an agent and, you know, not all devices can accept an agent. But what is lacking is the context on the network.
>>So if I was an analyst and I started pursuing from my SIEM, I went down to the endpoint and said, I wanna investigate this further, and I hit a dead end of some sort, or I realize that the device that potentially I should be alerted to, or should be concerned about, is an IoT device that doesn't even have an agent on it, my next source of visibility is on the network, and that's where NDR comes in. It sees what's traversing the entire network, provides you visibility into that from both a metadata and even ultimately a packet perspective. And maybe, you know, could be deployed a little bit more strategically, but, you know, it doesn't have the perspective of the endpoint. So you can see how each of these sort of complements each other. And that's why, you know, Gartner said that you need 'em all. They all play a role. They all have their pros and cons, or advantages and disadvantages, but, you know, bringing them and using 'em together is the key. >>I wanna kinda dig into some of the EDR gaps and challenges, as you talked about. As things evolve and change, the network environment's becoming far more sophisticated, as well as threat actors are, and malware is. So can you crack that open more on some of the challenges that EDR is presenting? What are some of those gaps and how can organizations use other data sources to solve them? >>Yeah, sure. So, you know, again, just be clear that EDR is absolutely required, right?
We need that. But as sort of these network environments get more complex, you are getting all kinds of new devices being put on the network, devices being brought into the network that maybe you didn't know of. BYOD devices, you have IoT devices, you know, popping up potentially by the thousands in some cases when new applications or world that maybe can't accept an endpoint detection or an EDR agent. You may have environments like ICS and SCADA environments that just, you can't put an endpoint agent there. However, those devices can be compromised, right? You have different environments up in the cloud or SaaS environments, again, where you may not be able to deploy an endpoint agent, and all that together leaves visibility gaps, or gaps in the security operation triad, right? And that is basically an open door for exploitation. >>Open door. Go ahead. Sorry. >>Yeah. And then you just have the malware and the attackers getting more sophisticated. They have malware that can detect an EDR agent running, or some anti-malware agent running on a device. And they'll simply avoid that and move on to the next one, or they know how to hide their tracks, you know, whether it be deleting files, registry settings, things like that. You know, so that's another challenge that just an agent faces. Another one is there are certain applications like MySQL that, you know, have administrative rights into certain parts of the Windows operating system that EDR doesn't have visibility into. Another area that maybe EDR may not have visibility into is, you know, malware that tries to compromise, you know, hardware, especially like BIOS or something like that. So there's a number of challenges as sort of the whole network environment and sophistication of bad actors and malware increases.
>>Ultimately, I think one of the things that we've learned, and we've heard from you in this segment, is that doing business in today's digital economy demands agility. Table stakes, right? Absolutely essential. Corporate digital infrastructures have changed a lot in response to the dynamic environment, but businesses are racing to the clouds. Dave Vellante likes to call it the forced march to the cloud, expanding activities across this globally distributed digital ecosystem. They also, it sounds like, need to reinvent cybersecurity to defend this continuously expanding threat surface. And for that, comprehensive network visibility is, as I think you were saying, really, really fundamental, and more advanced network detection and response is required. Is that right? >>That's correct. You know, we at Netscout, this is where we come from. Our perspective is the network. It has been for over 30 years. And we, as well as others, believe that network visibility, comprehensive network visibility, is fundamental for cyber security as well as network performance and application analysis. So it's sort of a core competency or need for modern businesses today. >>Excellent. And hold that thought, Tom, 'cause in a moment, you and I are gonna be back to talk about the role of NDR and how it overcomes the challenges of EDR. You're watching theCUBE, the leader in enterprise tech coverage. Hey everyone, welcome back. This is segment two. Kicking things off, I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Tom, great to have you back on the program. >>Good to be here. >>We're gonna be talking about the growing importance of advanced NDR in this series. In this segment specifically, Tom's gonna be talking about the role of NDR and how it overcomes the challenges of EDR.
So Tom, one of the things that we talked about previously is one of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily, whereas network data, much harder to manipulate. So my question, Tom, for you is, is NDR the only real source for reliable, accurate, comprehensive data? >>I'm sure that's arguable, right? Depending on who you are as a vendor. But, you know, our answer is yes. NDR solutions also bring an analyst down to the packet level. And there's a saying, you know, the packet is the ultimate source of truth. A bad actor cannot manipulate a packet once it's on the wire. They could certainly manipulate it from their endpoint and then blast it out. But once it hits the wire, that's it. They've lost control of it. And once it's captured by a network detection or network monitoring device, they can't manipulate it. They can't go into that packet store and manipulate those packets. So the ultimate source of truth lies within that packet somewhere. >>Got you. Okay. So as you said in segment one, EDR absolutely necessary, right? But you did point out organizations can't solely rely on it for comprehensive cybersecurity. So Tom, talk about the benefits of this complementing, this combination of EDR and NDR, and how can that deliver more comprehensive cybersecurity for organizations? >>Yeah, so one of the things we talked about in the prior segment was where EDR maybe can't be deployed, and it's either on different types of devices like IoT devices, or even different environments. They have a tough time maybe in some of these public cloud environments, but that's where NDR can step in, especially in these public cloud environments. So I think there's a misconception out there that it's difficult to get packet level or network visibility in public clouds like AWS or Azure or Google and so on. And that's absolutely not true.
They have all kinds of virtual tapping capabilities that an NDR solution or network-based monitoring solution could take advantage of. And one of the things that, you know, we spoke about before, some of that growing trend of migrating workloads to the cloud, that's what's driving that. Those virtual networks or virtual taps are providing visibility into the performance and security of those workloads. >>As they're migrated to public clouds, NDR can also be deployed more strategically. You know, prior segment, talking about how, in order to gain pervasive visibility with EDR, you have to deploy an agent everywhere. Agents can't be deployed everywhere. So what you can do with NDR is, there's a lot fewer places in a network where you can strategically deploy a network-based monitoring device to give you visibility into not only that north-south traffic, so what's coming in and out of your network, but also the east-west traffic too, what's traversing, you know, within your network environment between different points of your multi-tiered application, things like that. So that's where, you know, NDR has a little bit more advantage. So fewer points in the network, if you will, than everywhere on every single endpoint. And then, you know, NDR is out there continuously gathering network data. It's both before, during, and even after a threat or an attack is detected. And it provides you with this network context of, you know, what's happening on the wire. And it does that through providing you access to, you know, layer two through layer seven metadata, or even ultimately packets. You know, the bottom line is simply that, you know, NDR is providing, as we said before, that network context that is potentially missing or is missing in EDR.
>>Can you talk a little bit about XDR? That kind of sounds like a superhero name to me, but this is extended detection and response, and this is an evolution of EDR. Talk to us about XDR, and maybe EDR, NDR, XDR is really delivering that comprehensive cybersecurity strategy for organizations. >>Yeah. So, you know, it's interesting. I think there's a lot of confusion out there in the industry. What is XDR? What is XDR versus an advanced SIEM, et cetera? So in some cases, there are some folks that don't think it's just an evolution of EDR. You know, to me, XDR is taking a look at all these disparate data sources. So going back to our first segment, we talked about the security operations center triad, and it has data from different perspectives, as we were saying, right? And XDR, to me, is trying to bring them all together. All these disparate data sets or sources, bring them together, conduct some level of analysis on that data for the analyst and potentially, you know, float to the top the most, you know, important events, or events that, you know, the system deems high priority or most risky and so on. But as I'm describing this, I know there are many advanced SIEMs out there trying to do this today too. Or they do do this today. So there's this little area of confusion around, you know, what exactly is XDR, but really it is just trying to pull together these different sources of information and trying to help that analyst figure out, you know, where's the high priority event that they should be looking at. >>Right. Getting those high priority events elevated to the top as soon as possible. One of the things that I wanted to ask you about was something that occurred in March of this year, just a couple of months ago, when the White House released a statement from President Biden regarding the nation's cyber security. It included recommendations for private companies.
I think a lot of you are familiar with this, but the first set of recommendations were best practices that all organizations should already be following, right? Multifactor authentication, patching against known vulnerabilities, educating employees on the phishing attempts, on how to be effective against them. And the next statement in the president's release focused on data safety practices, also stuff that probably a lot of corporations are doing: encryption, maintaining offline backups. But where the statement focused on proactive measures companies should take to modernize and improve their cybersecurity posture, it was vague. It was: deploy modern security tools on your computers and devices to continuously look for and mitigate threats. So my question to you is, how do you advise organizations do that? Deploy modern security tools, look for and mitigate threats. And where do the data sources, the SOC triad that we talked about, NDR, XDR, EDR, where do they help fit into helping organizations take something that's a bit nebulous and really figure out how to become much more secure? >>Yeah, it was definitely a little vague there with that sentence. And also, I think if you look at the sentence, deploy modern security tools on your computers and devices, right, it's missing the network, as we've been talking about. There's a key point of reference that's missing from that sentence, right? But I think what they mean by deploying modern security tools is really taking advantage of all these ways to gain visibility into, you know, the threats like we've been talking about. You're deploying advanced SIEMs that are pulling logs from all kinds of different security devices and/or servers, et cetera. You're deploying advanced endpoint detection systems, advanced NDR systems.
And so on. You're trying to utilize XDR, new technology, to pull data from all those different sources and analyze it further. And then, you know, the other one we haven't even mentioned yet, it was the SOAR, the security operation and automation, right, response. It's now, now what do we do? We've detected something, but now help me automate the response to that. And so I think that's what they mean by leveraging modern, you know, security tools and so on. >>When you're in customer conversations, I imagine they're coming to Netscout looking for advice like what we just talked through, the vagueness in that statement and the different tools that organizations can use. So when you're talking to customers and they're talking about, we need to gain visibility across our entire network, across all of our devices, from your perspective, from Netscout's perspective, what does that visibility actually look like and deliver across an organization that does it well? >>Yeah, I mean, I think the simple way to put it is you need visibility that is both broad and deep. And what I mean by broad is that you need visibility across your network, no matter where that network may reside, no matter what protocols it's running, what, you know, technologies. Is it virtualized or legacy? Running at a hundred gigabits? Is it in a private cloud, a public cloud, a combination of both? So that broadness, meaning wherever that network is or whatever it's running, that's what you need visibility into. It has to be able to support that environment. Absolutely. And when we talk about being deep, it has to get down to a packet level. It can't be, you know, as high as, say, just looking at NetFlow records or something like that. They are valuable, they have their role.
However, you know, when we talk about getting deep, it has to ultimately get down to the packet level. And we've said this in this time, that it's ultimately that source of truth. So I think that's what we need. >>Got it. That depth is incredibly important. Thanks so much, Tom, for talking about this. In a moment, you and I are gonna be back. We're gonna be talking about why not all NDR is created equally, and Tom's gonna actually share with you some of the features and capabilities that you should be looking for when you're choosing an NDR solution. You're watching theCUBE, the leader in enterprise tech coverage. >>And we're clear. >>All right. >>10 45. Perfect. You guys are >>Okay. Good >>Cruising. Well, >>Welcome back everyone. This is segment three. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome back to The Growing Importance of Advanced NDR. In this segment, Tom and I are gonna be talking about the fact that not all NDR is created equally. He's gonna unpack the features, the capabilities that are most important when organizations are choosing an NDR solution. Tom, it's great to have you back on the program. >>Great, great to be here. >>So we've covered a lot of content in the first two segments, but as we see enterprises expanding their IT infrastructure, enabling the remote workforce, which is here to stay, leveraging the cloud, driving innovation, the need for cybersecurity approaches and strategies that are far more robust and deep is really essential. But in response to those challenges, more and more enterprises are relying on NDR solutions that fill some of the gaps that we talked about with some of the existing tool sets. In the last segment, we talked about some of the gaps in EDR solutions, how NDR resolves those. But we also know that not all NDR tools are created equally.
So what, in your perspective, Tom, are some of the absolutely fundamental components of NDR tools that organizations need to have for those tools to really be robust? >>Yeah. So we touched upon this a little bit in the previous segment when we talked about, first and foremost, your NDR solution is providing you comprehensive network visibility that must support whatever your network environment is. And it should be in a single tool. It shouldn't have one vendor providing you, you know, network visibility in the cloud and another vendor providing network visibility in a local network. It should be a single NDR solution that provides you visibility across your entire network. So we also talked about, not only does it need to be broad like that, but it also has to be deep too, eventually down to a packet level. So those are sort of fundamental table stakes, but the NDR solution also must give you the ability to access a robust source of layer two or layer three metadata, and then ultimately give you access to packets. And then last but not least, that solution must integrate into your existing cybersecurity stack. So in the prior segments, we talked a lot about, you know, the SIEM, so that NDR solution must have the ability to integrate into that SIEM or into your XDR system or even into your SOAR system. >>Let's kind of double click on, now, the evolution of NDR. Can you explain some of the differences between the previous generations and advanced NDR? >>Yeah. So let's start with what we consider the most fundamental difference. And that is, the solution must be packet based. There are other ways to get network visibility. One is using NetFlow, and there are some NDR solutions that rely upon NetFlow for their source of visibility. But that's too shallow. Ultimately, you need to get deeper.
You need to get down to a packet level, and that's again where, you know, you want to make sure that your NDR or advanced NDR solution is packet based. Number two, you wanna make sure that when you're pulling packets off the wire, you can do it at scale, at full line rate and in any environment, as we spoke about previously, whether it be your local environment or a public cloud environment. Number three, you wanna be able to do this when your traffic is encrypted. As we know, a lot of network traffic is encrypted today. So you have to have the ability to decrypt that traffic and then analyze it with your NDR system. >>Another one, number four, is, okay, I'm not just pulling packets off the wire, throwing full packets into a data storage someplace. That's gonna, you know, fill up a disk in a matter of seconds, right? You want the ability to extract a meaningful set of metadata from layer two to layer seven of the OSI model, look at key metrics and conduct an initial set of analysis, have the ability to index and compress that data, that metadata as well as packets, on these local storage devices. You know, so having the ability to do this packet capture at scale is really important, storing those packets and metadata locally versus up in a cloud to, you know, help with some compliance and confidentiality issues. And then, you know, last but not least, when we talk about integration into that security stack, it's multiple levels of integration. Sure, we wanna send alerts up into that SIEM, but we also want the ability to, you know, work with that XDR system or that SOAR system to drill back down into that metadata, packets for further analysis.
And then last but not least, that piece of integration should be that there's a robust set of information that these NDR systems are pulling off the wire. Many times in more advanced, mature organizations, you know, security teams, data scientists, et cetera, they just want access to that raw data. Let them do their own analysis outside, say, the user interface, the boundaries of a vendor's user interface, right? So having the ability to export that data too is really important in advanced NDR systems. >>Got it. So essentially the breadth, the visibility across the entire infrastructure, the depth you mentioned, going down to a packet level, the scale, the metadata, encryption, is that what Netscout means when you talk about visibility without borders? >>Yeah, exactly. You know, we have been doing this for over 30 years, pulling packets off of the wire, converting them using patented technology to a robust set of metadata, you know, at full line rates up to a hundred in any network environment, any protocols, et cetera. So that's what we mean by that breadth and depth of visibility. >>Can you talk a little bit about smart detection? If we say, okay, advanced NDR needs to deliver this threat intelligence, but it also needs to enable smart detection, what does Netscout mean by that? >>So what you wanna make sure is you have multiple methods of detection, not just a method. So, you know, not just doing behavioral analysis or not just detecting threats based on known indicators of compromise. You wanna have multiple ways of detecting threats. It could be using statistical behavioral analysis. It could be using curated threat intelligence. It could be using, you know, an open source signature engine, like from Suricata, or other threat analytics. But you also wanna make sure that you're doing this both in real time and have the ability to do it historically.
So after a threat has been detected, for example, with another product, say an EDR device, you now want the ability to drill into the data from the network that had occurred, you know, prior to this. So historically, you want the ability to comb through a historical set of metadata or packets with new threat intelligence that you've gathered today. I wanna be able to go back in time and look through with a whole new perspective, looking for something that I didn't know about, but, you know, 30 days ago. So that's what we mean by smart detection. >>So really what organizations need is these tools that deliver a far more comprehensive approach. I wanna get into a little bit more on integration. You talked about that in previous segments, but can you give us an example of what you guys mean by smart integration? What does that deliver for organizations specifically? >>Yeah, really it's three things. One, we'll say the integration to the SIEM, to the security operations center and so on. So when an NDR device detects something, have it send an alert to the SIEM using, you know, open standards, or like syslog standards, et cetera. The other direction is from the SIEM or from the SOAR. So, you know, that SIEM, that SOAR is receiving information from many different devices that are detecting threats. The analyst now wants the ability to, one, determine if that's a true threat or not, a false positive. If it is a true threat, you know, help me with the remediation effort. So, you know, an example could be, an alert comes into a SIEM/SOAR, and part of the playbook is to go out and grab the metadata, packets associated with this alert sometime before and sometime after when that alert came in. >>So that could be part of the automation coming from the SIEM/SOAR.
So, and then last but not least, as we alluded to before, is having the ability to export that robust set of layer two through layer seven metadata and/or packets to a third-party data lake, if you will, where analysts, more sophisticated analysts, data scientists, and so on, can do their own correlation, enrich it with their own data, combine it with other data sets and so on, do their own analysis. So it's those three layers of integration, if you will, that really is what should be in an advanced NDR system. >>All right, Tom, take this home for me. How does Netscout deliver advanced NDR for organizations? >>We do that via a solution we call Omnis Security. This is Netscout's portfolio of multiple different cyber security products. It all starts with the packets. You know, our core competency for the last 30 years has been to pull packets off the wire at scale, using patented technologies, for example, Adaptive Service Intelligence technologies, to convert those raw packets into a robust set of layer two through seven metadata. We refer to that data as smart data. With that data in hand, you now have the ability to conduct multiple types of threat detection using statistical, behavioral, you know, curated threat intelligence, or even open source rules engines. You have the ability to detect threats both in real time as well as historically. But then the solution goes beyond just detecting threats or investigating threats. It has the ability to influence the blocking of threats too. So we have integrations with different firewall vendors like Palo Alto, for example, where they could take the results of our investigation and then, you know, create policies, blocking policies, in the firewall.
We have integration that where you can, you can also influence policies being blocked in the a E and in last but not least, our, our solution integrates this sort of three methods of integration. As we mentioned before, with an existing security system, sending alerts to it, allowing for automation and investigation from it, and having the ability to export our data for, you know, custom analysis, you know, all of this makes that security stack that we've been talking about better, all those different tools that we have. That's that operations triads that we talked about or visibility triad, we talked about, you know, our data makes that entire triad just better and makes the overall security staff better and makes overall security just, just better too. So that, that that's our solution on the security. >>Got it. On the security. And what you've talked about did a great job. The last three segments talking about the differences between the different technologies, data sources, why the complimentary and collaborative nature of them working together is so important for that comprehensive cybersecurity. So Tom, thank you so much for sharing such great and thoughtful information and insight for the audience. >>Oh, you're welcome. Thank you. >>My pleasure. We wanna thank you for watching the program today. Remember that all these videos are available@thecube.net, and you can check out today's news on Silicon angle.com and of course, net scout.com. We also wanna thank net scout for making this program possible and sponsoring the cube. I'm Lisa Martin for Tomski. Thanks for watching and bye for now.
Omer Singer, Snowflake & Julie Chickillo, Guild Education | Snowflake Summit 2022
>> Hey everyone. Welcome back to theCUBE. Lisa Martin with Dave Vellante, and we're live in Vegas. This is Snowflake Summit '22, their fourth annual event. A lot of people here, a lot of news, a lot to unpack so far, and this is only day one. We've got two guests here with us to talk about, uh, cyber security, a very important topic. Please welcome Omer Singer, the head of cyber security strategy at Snowflake, and Julie Chickillo, VP of security at Guild Education. Welcome. Thank >> You. Thank you >> For having all of >> Our favorite topics. Yeah. Oh >> One. It's not boring. >> You know this much and you have so much more to learn now. So here >> We go. Cybersecurity is, is not to say it's boring. Not boring is an understatement. Yeah. Omer, I wanna start with you. So much news coming out today. Talk to us about what's new with the cybersecurity workload. Snowflake's flywheel of innovation just seems to be getting bigger and faster. >> Yeah. Yeah. Well, well, I'll tell you it's been a long road to get to where we are today. Um, my initial role at Snowflake was to lead security engineering. So I've actually been using Snowflake as the home for security data, basically from day one. And we saw that it worked, it worked really well. And we started hearing from customers that they were dealing with some of the same challenges that we faced as an internal security team. And we decided as Snowflake that we wanna bring the benefits of the data cloud to cyber security teams at all of our customers. And that's what the workload is all about. >> Talk to us about the, the voice of the customer. Obviously we saw a lot of customer stories, heard your customer. We're gonna be talking about Guild Education in a minute, but in the voice of the customer, in terms of being influential, obviously you were an internal customer drinking that champagne like this tastes really good.
This is better of the Flaco (laughs), but how is the voice of the customer influential in terms of the, the cybersecurity workload, as we've seen the threat landscape change so much in the last two years alone? >> Sure, sure. And you know, security, it's a really hard problem. We like to think of it as a data problem. And when you start thinking about it that way, Snowflake is very relevant for it. But many security teams don't yet think about their challenge as a data challenge. And so they're struggling with a very fragmented data landscape. The facts are all over the place and they're not able to ask the kind of questions that they need to understand. Where are my risks? How are the bad guys gonna try to get into my network? And they can't reflect that to leadership, to everybody that really cares about cyber security. This is a board level concern today. Without the unified data and without the analytics, um, they really can't do any of that. And, and yeah, representing the customer is, is a big part of what I do. And we have great customers like, like Julie, who's been kind of with us on this journey. She's, she's a part of the movement. I mean, Julie, what, what has it been like, uh, for, for you? >> Oh, it's been, uh, it's been game changer for, for Guild for sure. When we first, uh, started, I didn't, one, I didn't know this was a concept (laughs). So when I first started talking to Omer and, um, Snowflake, uh, I had just heard through the grapevine that, that you could do, like, this was a thing, you could use the data, you could get everything you needed in one place. And, um, it's been game changing for my team. Uh, we, we were in many different security tools. They were all isolated, siloed, and we're now able to move everything into one, uh, one area, uh, and get, we're getting close to the one pane of glass, which I, um, I just heard was a mythical concept for >> Security for >> A long time. Yeah. For a long time.
Um, so it's, uh, it's just been amazing and it's, uh, brought us closer to our data ops team. So I'm here this week, uh, with somebody from data ops, actually, that's awesome to help us out. >> So can you describe that further? I'm, I'm amazed and skeptical. I'm imagining, you know, the Optiv chart that says eight, 8 million security tools on there. Are you actually able, uh, describe how you're able to consolidate your tooling? >> So one of the biggest problems we were facing initially was our SIEM, um, the security incident and event management tool, could not take anything from our DevSecOps tools. And so any security that we had in a developer pipeline was really isolated to that tool, and we could never get it into a SIEM. SIEMs just aren't meant, they're not built to handle that. They're built to handle, um, not, not really old school networks and, and data center traffic, and everything I have is in the cloud. And so we were really, I, everything was isolated. So with Snowflake, what we do is we, um, worked with our data ops team. We can move things from, um, like our, our scanning tools for, for the developer pipelines into Snowflake. We can then correlate different things such as, from like eight year ADP. Like if a, do you have somebody pushing code to production who's out on vacation, you can actually do that correlation with Snowflake that was never available before. These are things we could never do before. And we're able to, um, just do correlations you could not get in, that you cannot get in a SIEM. >> Why couldn't I just throw those into any old, you know, run of the mill cloud data warehouse? >> Well, you know, it's not just the scale, it's the complexity of the data. I think Snowflake, how we have the, the schema on read and then all of the kind of things that make Snowflake really good for other departments, turns out, works really well for security. And it's the ecosystem too.
Nobody else has this ecosystem approach. You know, you heard on the keynote today that Snowflake is the, this disrupting, um, the, the software application development, right? All, all that kind of focus. The tool consolidation doesn't need to mean that you only have one tool. You can actually have best of breed, choose the tool you want. As long as the data's consolidated, you're not building more silos. And that's what our partners are doing. They're separating the application from the data. They're bringing the work to the data, and that's what you hear here. So Julie's team can still choose to use a variety of tools that get the job done, but all those tools are working off of the single source of truth. And that, that is unique to what Snowflake >> Can enable. So we, we are remiss. Uh, we should have asked you about Guild Education. Explain your, your, your organization. >> Oh, what does Guild do? Uh, so we're a late stage startup. Uh, we manage education as a benefit for, for large companies. So we, we house data from very large organizations with like their workforce and, and help students, help, help their workforce go back to school. >> Okay. So unpacking some of the things you said, schema on read, but not necessarily no schema on write. It's a little different, right. Because you're ingesting. Yeah. And then you're determining the schema on read. That's right. Right. Okay. So that makes it simple and fast for zoom, but you get data in and then you figure it out, bringing work to data. Can we just double click on that a little bit? Cuz I think when I think about that, we've heard terms like over the years bring compute to the data. That's what Hadoop was supposed to do. And it didn't, you know, it was like, everything was (mm-hmm) shoved. So what do you mean by that? How, how, what, what actually does that >> Mean? Yeah.
So if you think about the traditional SaaS solution, the vendor needed to invest in a data center and to have a data platform that would be scalable and robust because their service depended on it and they couldn't trust that the customer would have that kind of data platform on the customer's side. What Snowflake's data cloud has done has democratized the data platform. So now you have startups to Fortune 500s, the vendors, the customers, they're all on even footing when it comes to the data platform. So now the vendors can say, bring your own Snowflake. Why not? You know, and they can focus on building the best application to solve the real challenges that security teams have. But by the way, not only cybersecurity, we see this and for example, the, um, customer data space as well. So we're seeing more and more kind of SaaS industries seeing this approach and the applications are gonna come, yeah, to the data platform of choice, uh, for the practitioner. >> Julie, can we talk about some of the outcomes that Guild Education has achieved so far by working with this solution in terms of, we look at the threat landscape and how it's changed so much the last couple of years and how it's a matter of if, or sorry, when, not if, I get hit with an attack, how, what are some of the key outcomes that a Snowflake partnership and technology has enabled you to achieve? >> So the, the biggest one, again, it's around the DevSecOps program, um, where you see so many attacks these days happening in the code base. So you really have to be careful with your, your pipeline where the code's getting moved through, who has access, who can move code into production.
Um, and these are so the, like if you're using GitHub or, um, like using a scanning tool called Snyk, they're, they're separate, like they're completely separate. The only way that we can see who's moving code into production, or if there was a vulnerability or somebody turned off the security tool, is to move these logs, this data into Snowflake, uh, and our engineering teams were already using Snowflake. Uh, so that made it, that was an easy transition for us. I didn't have to go out and convince another team to support us somewhere else, but a great example where we were, we're seeing great, um, savings, not only in people time, but, but for security, um, we were having problems or the security or the (laughs), the engineers were turning off our secure code scanner. >> And we didn't find out until a little bit later. Uh, oh yeah. Yeah. So found out we, my team, we had a team, we spent about 160 hours going through a thousand pull requests manually. And I said, no, no more, go find the, go figure out where this data exists. We put it in Snowflake and we can create an automatic, uh, ping to the security team saying, Hey, they turned off the, the scanner, go check and see what, why did the scanner get turned off? So it's an immediate response from my team instead of finding out two months later. And this is just, isn't something you can do right now. That's you can't set it up. So, um, makes it so easy. Ping goes to Slack. We can go to the, immediately to the engineering team and say, why did you >> Using, using automation? >> Yeah. Did you, did you turn this off? Why did you turn it off? Get an exception in. So one, it like helps with compliance, so we're not messing up our SOC 2 audit. Uh, and then two, from a security perspective, we are able to, to trust, but verify, um, which is a big part of the DevSecOps landscape, where they need code to move into production. They need a scan to run in under five minutes.
My team can't be there to scan, you know, 10, like 10 times a day or a hundred times a day. So we have to automate all of that and then just get information as it comes in. >> Is it accurate to say that, um, you're not like shutting off your tools, you're just taking advantage of them and compressing the time to get value out of them, or are you actually reducing the tool sets? >> No, we don't. Well, no, we, our goal wasn't to reduce the tool set. I mean, we did actually get rid of the SIEM we were using. Uh, so we were partnering with one of, um, uh, Snowflake's partners, um, >> Because yeah, but you still have a SIEM, >> We still have it. It's just minimized what goes to the SIEM, because most of what I care about isn't actually going to a SIEM. Yeah. It's all the other pieces that are in a cloud because we use all like, we're, we're a hundred percent in the cloud. I don't have servers, I don't have firewalls. We don't have routers or switches. So all the things I care about live in a cloud somewhere. And, and I want that information. And so a lot of times, um, especially when it comes to the engineering tools, they were already sending the information to Snowflake or they're also interested. And so we're partnering like it's, we're doubling up on the use of the >> Data. Okay. And you couldn't get that outta your SIEM. Maybe you're asking your SIEM to do too much, or it just didn't deliver. >> No systems are built on search engines. You know, they don't, >> They, they can't do it. >> You kind of knew what you were looking for and you say, Hey, where did I see this? Where did I see that? Very different from data analytics and the kinds of question that security teams really want to ask. These are emergent properties. You need context, you need SQL, you need Python. That's how you ask the questions that security teams really want to ask. The legacy SIEMs, they don't let you ask that kind of question. They weren't built with that in mind.
And they're so expensive that by moving off of them, to this approach, you kind of pay for all these other solutions that, that then you can bring on. >> That seems to make the, what you just said there was brilliant. It seems to make the customer conversation quite easy if they're saying, well, why should I replace my SIEM? It's doing just fine. You just nailed it with, with what you said there. >> So, yeah. And we're, and we're seeing that happen extensively. And I'm excited that we have customers here at summit talking about their experience, moving off of a legacy SIEM where the security team was off to the side, away from the rest of the company, to a unified approach, the SIEM and the other security solutions working on top of the Snowflake and a collaboration between security and the data >> Team. So what does your security ecosystem look like? You've got SIEM partners. Do you have identity access partners, endpoint partner. Absolutely. >> Describe that compliance automation ass. Yeah. We hear about companies really struggling to meet all the compliance requirements. Well, if all the data's already centralized, then I can kind of prove to my auditors and not just once a quarter, but once a day, I can make sure that all the environment is in compliance with whatever standard I have. So we see a lot of that. Cloud security is another big one because there's just 10 times more things happening in the cloud environment than in the data center. Everything is so heavily instrumented. And so we see cloud security solutions as significant as well. And the identity space, the list goes on and on. We do see the future being the entire security program uses connected applications with a single source of truth in the company's Snowflake. And >> Would you say centralized, you, you, it's logically centralized, right? I mean, it's virtually centralized, right? It's not, >> Well, that's >> Not shoved into one container, right? >> I mean, it's right.
Well, that's the beauty of the data cloud, right? We, everybody that's on the data cloud is able to collaborate. And so whether it's in the same account or table or database, you know, that's really besides the point because all of the platform investments that Snowflake is making on cross region, cross cloud collaboration means that once it's in Snowflake, then it is unified and can be used together. But >> I think people misunderstand that sometimes. And BEWA made this point, uh, as the Christian about the global nature of, of Snowflake and it's globally distributed, but it's logically a data cloud. >> Yeah. I like to call it one big database in the sky. You know, that's how I explain to security teams that are kind of new to the concept, but >> It's not, it's could be a lot of little databases, but it, but having the same framework, the same governance structure, the same security >> You're right. I think that's how it's achieved is what you're describing. You know, I think from the outcome, what the security team needs to know is that when there's some breach hitting the headline and they need to go to their leadership and say, I can assure you, we were not affected. They can be confident in that answer because they have access to the data, wherever it is in the world, they have access to ask you the questions they need to ask. >> And that confidence is critical. These days as that threat landscape just continues to change. Thank you both so much for joining us. Thank you. Talking about from a cyber security perspective, some of the things that are new, new at Snowflake, what you guys are doing at Guild Education and how you're really transforming the organization with the data cloud, we appreciate your insights. Thank you for having us. Thank you. Thanks you guys. For our guests and Dave Vellante, I'm Lisa Martin. You're watching theCUBE live from Las Vegas on the show floor of Snowflake Summit '22. We'll be right back with our next guest.
Jon Bakke, MariaDB Corporation | AWS re:Invent 2021
(gentle music) >> Welcome back to theCUBE's continuous coverage of AWS re:Invent 2021. I'm your host, Lisa Martin. We are running one of the industry's most important and largest hybrid tech events of the year with AWS and its ecosystem partners. We have two live sets, two remote sites, and over a hundred guests on the program talking about the next decade in cloud innovation. I'm pleased to welcome Jon Bakke, Chief Revenue Officer from MariaDB as my next guest. Jon, welcome to the program. >> Thanks for having me, Lisa. >> Talk to me a little bit about MariaDB. What makes it unique? What differentiates it? What gaps in the market does it address? >> Yeah, so we have a lot of passion here at MariaDB because we are, at the end of the day, we're the backbone of services used by people everyday, all over the world. In fact, you might not realize that, but you've probably hit a MariaDB database in the past 60 minutes. It's true. For example, if you're using a Samsung mobile phone, we provide data services for the Samsung cloud. In fact, we've provided services for 5G networks all over the globe. And so at the end of the day, we actually process trillions of transactions per day. And I think that's really cool. >> Awesome. Talk to me a little bit about the key problems. You mentioned Samsung. Big fan, lots of Samsung devices in the house. Talk to me about some of the key problems that MariaDB SkySQL specifically solves for customers. What are they coming to you, looking for them, looking for help for? >> Yeah, so we launched SkySQL and AWS earlier this year. It's become wildly popular. And so SkySQL overcomes some of the limitations of the cloud 1.0, 2.0 era. In fact, we went from having zero customers to a slew of customers in just a short period of time. There's a ton of pent-up demand from MariaDB and distributed SQL in particular, and that's our Xpand product.
And where Samsung uses Xpand is, they use it to store data for the phones, just like you might if you're an iPhone user on the iCloud, they have the Samsung cloud. So what we do is we provide expanding database services for them, for a large user base across the globe. And they do that because they just can't get the scale out of some of the community databases that are offered by the major CSPs. >> And obviously that scale is critical. We've seen so much change in the last year and a half, two years with growth, with acceleration to cloud, acceleration of digital. Talk to me about what you've seen as the CRO of the company from a customer lens perspective. How has the last 20 months really affected acceleration, adoption, of Maria's technologies? >> Yeah, so, I'm a geek at heart. I grew up in the database business. In fact, I've been in the database business for 30 years and during the last 20 months during the pandemic, and even before that, companies like MariaDB strive to create a beautiful database and what it really is a beautiful database. It's a database that is flush with features that make applications work. Lightweight, portable, and fast for the cloud, but still reliable and familiar so that application developers can use it for multiple workloads. So when it comes to the database industry, we're still going after those characteristics and we provide world-class support. My team just rocks it for our customers. And it's really important to them to get that. And at the end of the day, our costs while at the end of the day, we're the least expensive. So it really is a beautiful database and we're very proud of it. >> Beautiful database that's the least expensive. That sounds like music to probably a lot of companies' ears. Talk to me about where it went. Obviously AWS, you mentioned SkySQL was launched earlier this year on AWS? >> That's correct. Yep.
>> Talk to me a little bit more about the capabilities there, the partnership that Maria and AWS have, what you bring to your customers. >> Yeah, so we have a great partnership with AWS. They provide tremendous levels of support to help startups like MariaDB get going satisfactory and everything about their go-to market strategy to make enabled partners like us. But we have a customer that is, well, they're a major trading application on the internet and they were an AWS customer, right? So they were an existing AWS customer, but they were struggling with some of the community databases in AWS to find that scale and that elasticity that they were looking for on their platform. So enter MariaDB Xpand, where we can scale a relational database out far and wide to make it possible for a customer like that, who's really pushing the limits of what a database needs to do, to remain an AWS customer. So in this particular case, we worked with AWS to land them on SkySQL and use Xpand, a distributed database technology. So we went together and that's a really great story for everybody. >> Talk to me about some of the technical requirements, as we've seen so much change in the last 20 months, as I said, but so much growth and scale and needs are changing so dynamically. What are some of the key technical requirements of the database to keep up with that? And how does MariaDB exhibit those? >> Yeah, that's a great question. So in distributed SQL, in particular, which I see as sort of the next wave of database, particularly in the cloud, right? The database needs to leverage familiar application paradigms like relational and document databases do and connection protocols so that existing applications connect to those. But at the end, they have to be highly scalable for the cloud by design and highly available in the cloud by design. Xpand just screams. It's really fast. It's really reliable. And transactional integrity is inherent to the architecture. So our customers love it.
And so really, what's not to love about a database that does all of those things? >> What's not to love about a beautiful database? That speed. I mean, the speed is critical. I think one of the many things that we've learned in the last interesting couple of years of our lives is that real time is no longer a nice to have, right? Nobody wants less data, slower. That ability to deliver real-time data, real-time analytics is critical for businesses in any company as we're seeing. And you're probably seeing this as a CRO, every company becoming a software company, or leaning to. >> Absolutely, yeah. Some of our biggest customers are major SaaS providers. So if you work for a business that is using ServiceNow, one of the largest SaaS companies in the world, you're using MariaDB every day, billions and billions of transactions by ServiceNow on an hourly basis and it's all in the cloud. So when we look at how we've evolved to this point, we're offering services to companies big and small, we're being tested by companies like ServiceNow and their infrastructure on a regular basis. >> What are some of the trends that you're seeing as we... And 22 months or so in this pandemic, what are some of the market trends that you're seeing from a scalability perspective? And what is it that a distributed SQL database can deliver to help customers meet those trends? >> Well, certainly, I think when you look at what is a good database for the cloud in the future, it really does need to have the features that make applications work. So you had mentioned analytical databases and transactional databases. One thing that is inherent to our strategy, is the ability to use a hybrid approach to transactional and analytical because a lot of applications are both at the end of the day. And why use two different databases in order to get there? Right? Our database is lightweight and fast. It's portable. It's reliable and familiar to the customer and versatile in the workload. 
So those are the things that are trending at the conclusion of sort of this year going into next year, as we roll out more technology in subsequent versions, we'll just enhance those capabilities, make it possible for even more and more workloads to find their way into SkySQL. >> And talk about the adoption of cloud, the acceleration. We've been talking about that a lot in the last year and a half about the acceleration of digital transformation, the acceleration to cloud. It was so critical for so many businesses, especially if you think of the SaaS adoption, the collaboration tools, but what are some of the things that you're seeing? How are you helping customers on that migration journey? >> Yeah. So migration is a key element there. There are customers leaving older proprietary database technology. There are customers trying to enhance their cloud experience and go from the early cloud databases up to more modern architectures. And so migration is a constant activity that we work with our customers on. And so over the years, just as a matter of course, we've become better and better at getting database workloads from proprietary, older databases, even other open source databases onto MariaDB, so that we can consume those workloads and get those in the cloud and make them work for customers better than they ever have before. >> And I'm curious as the Chief Revenue Officer, how your customer conversations have evolved in the last year or so, where is cloud database security? Where are those things with respect to the level of conversations that you're having with customers? And is that conversation going up the stack? >> Yeah, so the security has always been a key cornerstone of the database industry, really, when you think about it, database is information assurance and confidentiality is a key tenet to information security and information assurance in general. So it's always an ever present in the discussion. 
MariaDB is enhancing its list of compliance that we've gone through, like SOC 2, we're on the precipice of that. We've got ISO certifications and we have US Department of Defense install guys that are secure for a MariaDB. All sorts of activity around that, to make it possible for customers to standardize on MariaDB. We have customers that have taken out every ounce of their legacy, relational database, the older incumbents, and replace that with lighter weight MariaDB, because we have the security qualifications, but we also meet their functional needs and their information assurance needs. And so that's what's made us really successful. >> In addition to compliance, you talked about this database being beautiful. You described what you meant by that, but also you said least expensive. So I'm wondering from a business outcome perspective, are customers all across the board, reducing TCO, leveraging MariaDB? >> Absolutely. And in cases where we displace a proprietary database, the TCO can reduce by as much as 90%. And so it's very attractive to customers that are looking for the next wave. Not only do we take them to a lower cost, but we bring them to a more modern multi-cloud architecture. So AWS is our primary focus for certain in this conversation but also just generally because there's such a huge install base. But they do like the option of being able to say, "Hey, I can use this database on any cloud. It works everywhere. And the vendor that makes it is supporting it in all environments." So for us, that's a huge strong point in terms of what makes our business run. >> And we're seeing so much, we're talking so much about Hybrid, Hybrid IT, Hybrid Cloud, Hybrid work from anywhere environments. So I imagine MariaDB runs on, obviously AWS, but Azure, Google Cloud Platform, so that customers that are in that multi-cloud world and those that will be can take advantage of the services. >> That's correct. 
So Azure is in our near term pipeline or roadmap for the cloud, but we're already present in GCP and we're available in other clouds as well. >> Excellent. So talk to me a little bit about what customers can do. Can they test out MariaDB? Can they test out SkySQL, Xpand? If so, where do they go? How do they get their hands on it? >> Right, so existing AWS customers, they can get to SkySQL on the AWS marketplace, right? It's incredibly easy. AWS customers go to the marketplace. They can find us by doing a search. But not to be outdone, there are customers that aren't on AWS and they can come to MariaDB.com. You can start SkySQL there and select AWS as the deployment cloud and try it for free. It's super cool. It's really easy. >> I'm just curious. What's the typical deployment time from the free trial POC to deployment? What do you normally see from a time distinct band perspective? >> Oh yeah, customers are up and running with a live database in just a few minutes. >> Minutes? >> Yep. >> Minutes up to 90% TCO. Big business outcomes there that affect every business in every industry. Jon, we appreciate you coming on, talking to us about MariaDB, the solutions that you offer, and how you're partnering with AWS and where folks can go to get started. >> Thank you. >> He's Jon Bakke. I'm Lisa Martin. You're watching theCUBE's continuous coverage of AWS re:Invent 2021. Stick around, more coverage coming up next. (peaceful music)
Garth Fort, Splunk | Splunk .conf21
(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of Splunk .conf 2021 virtual. We're here live in the Splunk studios. We're all here gettin all the action, all the stories. Garth Fort, senior vice president, Chief Product Officer at Splunk is here with me. CUBE alumni. Great to see you. Last time I saw you, we were at AWS now here at Splunk. Congratulations on the new role. >> Thank you. Great to see you again. >> Great keynote and great team. Congratulations. >> Thank you. Thank you. It's a lot of fun. >> So let's get into the keynote a little bit on the product. You're the Chief Product Officer. We interviewed Shawn Bice, who's also working with you as well. He's your boss. Talk about the, the next level, cause you're seeing some new enhancements. Let's get to the news first. Talk about the new enhancements. >> Yeah, this was actually a really fun keynote for me. So I think there was a lot of great stuff that came out of the rest of it. But I had the honor to actually showcase a lot of the product innovation, you know, since we did .conf last year, we've actually closed four different acquisitions. We shipped 43 major releases and we've done hundreds of small enhancements, like we're shipping code in the cloud every six weeks and we're shipping new versions twice a year for our Splunk Enterprise customers. And so this was kind of like if you've seen that movie Sophie's Choice, you know, where you have to pick one of your children, like this was a really hard, hard thing to pick. Cause we only had about 25 minutes, but we did like four demos that I think landed really well. The first was what we call ingest actions and you know, there's customers that are using, they start small with gigabytes and they go to terabytes and up to petabytes of data per day. And so they wanted tools that allow them to kind of modify filter and then route data to different sort of parts of their infrastructure. So that was the first demo. 
We did another demo on our, our visual playbook editor for SOAR, which has improved quite a bit. You know, a lot of the analysts that are in the, in the, in the SOC trying to figure out how to automate responses and reduce sort of time to resolution, like they're not Python experts. And so having a visual playbook editor that lets them drag and drop and sort of with a few simple gestures create complex playbooks was pretty cool. We showed some new capabilities in our APM tool. Last year, we announced we acquired a company called Plumbr, which has expertise in basically like code level analysis and, and we're calling it "Always On" profiling. So we, we did that demo and gosh, we did one more, four, but four total demos. I think, you know, people were really happy to see, you know, the thing that we really tried to do was ground all of our sort of like tech talk and stuff that was like real and today, like this is not some futuristic vision. I mean, Shawn did lay out some, some great visions, visionary kind of pillars. But, what we showed in the keynote was, it's all shipping code. >> I mean, there's plenty of head room in this market when it comes to data as value and data in motion, all these things. But we were talking before you came on camera earlier in the morning about actually how good Splunk product and broad and deep the product portfolio as well. >> Garth: Yeah. >> I mean, it's, I mean, it's not a utility and a tooling, it's a platform with tools and utilities. >> Garth: Yeah >> It's a fully blown out platform. >> Yeah. Yeah. It is a platform and, and, you know, it's, it's one that's quite interesting. I've had the pleasure to meet a couple of big customers and it's kind of amazing, like what they do with Splunk. 
Like I was meeting with a large telco on the east coast and you know, they actually, for their set top boxes, they actually have to figure out in real time, which ads to display and the only tool they could find to process 15 million events in real time, to decide what ad to display, was Splunk. So that was, that was like really cool to hear. Like we never set out to be like an ad tech kind of platform and yet we're the only tool that operates at that level of scale and that kind of data. >> You know, it's funny, Doug Merritt mentioned this in my interview with him earlier today about, you know, and he wasn't shy about it, which was great. He was like, we're an enabling platform. We don't have to be experts in all these vertical industries >> Garth: Yep >> because AI takes care of that. That's where the machine learning >> Garth: Yeah >> and the applications get built. So others are trying to build fully vertically integrated stacks into these verticals when in reality they don't have to, if they don't want it. >> Yeah, and Splunk's kind of, it's quite interesting when you look across our top 100 customers, you know, Doug talks about like the, you know, 92 of the fortune 100 are kind of using Splunk today, but the diversity across industries and, you know, we have government agencies, we have, you know, you name the retail or the vertical, you know, we've got really big customers, they're using Splunk. And the other thing that I kind of, I was excited about, we announced the last demo I forgot was TruSTAR integration with Enterprise Security. That's pretty cool. We're calling that Splunk Threat Intelligence. And so That was really fun and we only acquired, we closed the acquisition to TruSTAR in May, but the good news is they've been a partner with us like for 18 months before we actually bought em. And so they'd already done a lot of the work to integrate. 
And so they had a running start in that regard, But other, one other one that was kind of a, it was a small thing. I didn't get to demo it, but we talked about the, the content pack for application performance monitoring. And so, you know, in some ways we compete in the APM level, but in many ways there's a ton of great APM vendors out there that customers are using. But what they wanted us to do was like, hey, if I'm using APM for that one app, I still want to get data out of that and into Splunk because Splunk ends up being like the core repository for observability, security, IT ops, Dev Sec Ops, et cetera. It's kind of like where the truth, the operational truth of how your systems works, lives in Splunk. >> It's so funny. The Splunk business model has actually been replicated. They call it data lake, whatever you want to call it. People are bringing up all these different metaphors. But at the end of the day, if you guys can create a value proposition where you can have data just be, you know, stored and dumped and dumped into whatever they call it stored in a way >> Garth: We call it ingest >> Ingested, ingested. >> Garth: Not dumped. >> Data dump. >> Garth: It's ingested. >> Well, I mean, well you given me a plan, but you don't have to do a lot of work to store just, okay, we can only get to it later, >> Garth: Yep. >> But let the machines take over >> Garth: Yep. >> With the machine learning. I totally get that. Now, as a pro, as a product leader, I have to ask you your, your mindset around optimization. What do you optimize for? Because a lot of times these use cases are emerging. They just pop out of nowhere. It's a net new use case that you want to operationalize. So balancing the headroom >> Yep. >> Or not to foreclose those new opportunities for customers. How are customers deciding what's important to them? How do you, because you're trying to read the tea leaves for the future >> Garth: A little bit, yeah. 
>> and then go, okay, what do our customers need, but you don't want to foreclose anything. How do you think about product strategy around that? >> There's a ton of opportunity to interact with customers. We have this thing called the Customer Advisory Board. We run, I think, four of them and we run a monthly. And so we got an opportunity to kind of get that anecdotal data and the direct contact. We also have a portal called ideas.splunk.com where customers can come tell us what they want us to build next. And we look at that every month, you know, and there's no way that we could ever build everything that they're asking us to, but we look at that monthly and we use it in sort of our sprint planning to decide where we're going to prioritize engineering resources. And it's just, it's kind of like customers say the darndest things, right? Sometimes they ask us for stuff and we never imagined building it in a million years, >> John: Yeah. >> Like that use case around ads on the set top box, but it's, it's kind of a fun place to be like, we, we just, before this event, we kind of laid out internally what, you know, Shawn and I kind of put together this doc, actually Shawn wrote the bulk of it, but it was about sort of what do we think? Where, where can we take Splunk to the next three to five years? And we talked about these, we referred to them as waves of innovation. Cause you know, like when you think about waves, there's multiple waves that are heading towards the beach >> John: Yeah. >> in parallel, right? It's not like a series of phases that are going to be serialized. It's about making a set of investments. that'll kind of land over time. And, and the first wave is really about, you know, what I would say is sort of, you know, really delivering on the promise of Splunk and some of that's around integration, single sign-on things about like making all of the Splunk Splunk products work together more easily. 
We've talked a lot in the Q and a about like edge and hybrid. And that's really where our customers are. If you watch the Koby Avital's sort of customer keynote, you know, Walmart by necessity, given their geographic breadth and the customers they serve has to have their own infrastructure. They use Google, they use Azure and they have this abstraction layer that Koby's team has built on top. And they use Splunk to manage kind of, operate basically all of their infrastructure across those three clouds. So that's the hybrid edge scenario. We were thinking a lot about, you mentioned data lakes. You know, if you go back to 2002, when Splunk was founded, you know, the thing we were trying to do is help people make sense of log files. But now if you talk to customers that are moving to cloud, everybody's building a data lake and there's like billions of objects flowing into millions of these S3 buckets all over the place. And we're kind of trying to think about, hey, is there an opportunity for us to point our indexing and analytics capability against structured and unstructured data and those data lakes. So that that'll be something we're going to >> Yeah. >> at least start prototyping pretty soon. And then lastly, machine learning, you know, I'd say, you know, to use a baseball metaphor, like in terms of like how we apply machine learning, we're like in the bottom of the second inning, >> Yeah. >> you know, we've been doing it for a number of years, but there's so much more. >> There's so, I mean, machine learning is only as good as the data you put into the machine learning. >> Exactly, exactly. >> And so if you have, if you have gap in the data, the machine learning is going to have gaps in it. >> Yeah. And we have, we announced a feature today called auto detect. 
And I won't go into the gory details, but effectively what it does is it runs a real-time analytics job over whatever metrics you want to look at and you can do what I would consider more statistics versus machine learning. You can say, hey, if in a 10 minute period, like, you know, we see more errors than we see on average over the last week, throw an alert so I can go investigate and take a look. Imagine if you didn't have to figure out what the right thresholds were, if we could just watch those metrics for you and automatically understand the seasonality, the timing, is it a weekly thing? Is it a monthly thing? And then like tell you like use machine learning to do the anomaly detection, but do it in a way that's more intelligent than just the static threshold. >> Yeah. >> And so I think you'll see things like auto detect, which we announced this week will evolve to take advantage of machine learning kind of under the covers, if you will. >> Yeah. It was interesting with cloud scale and the data velocity, automations become super important. >> Oh yeah. >> You don't have a lot of new disciplines emerge, like explainable AI is hot right now. So you got, the puck is coming. You can see where the puck is going. >> Yeah >> And that is automation at the app edge or the application layer where the data has got to be free-flowing or addressable. >> Garth: Yeah. >> This is something that is being talked about. And we talked about data divide with, with Chris earlier about the policy side of things. And now data is part of everything. It's part of the apps. >> Garth: Yeah. >> It's not just stored stuff. So it's always in flight. It should be addressable. This is what people want. What do you think about all of that? >> No, I think it's great. I actually just can I, I'll quote from Steve Schmidt in, in sort of the keynote, he said, look like security at the end of the day is a human problem, but it kind of manifests itself through data. 
And so being able to understand what's happening in the data will tell you, like, is there a bad actor, like wreaking havoc inside of my systems? And like, you can use that, the data trail if you will, of the bad actor to chase them down and sort of isolate em. >> The digital footprints, if you will, looking at a trail. >> Yeah. >> All right, what's the coolest thing that you like right now, when you look at the treasure trove of, of a value, as you look at it, and this is a range of value, Splunk, Splunk has had customers come in with, with the early product, but they keep the customers and they always do new things and they operationalize it >> Garth: Yep. >> and another new thing comes, they operationalize it. What's the next new thing that's coming, that's the next big thing. >> Dude that is like asking me which one of my daughters do I love the most, like that is so unfair. (laughing) I'm not going to answer that one. Next question please. >> Okay. All right. Okay. What's your goals for the next year or two? >> Yeah, so I just kind of finished roughly my first 100 days and it's been great to, you know, I had a whole plan, 30, 60, 90, and I had a bunch of stuff I wanted to do. Like I'm really hoping, sort of, we get past this current kind of COVID scare and we get to back to normal. Cause I'm really looking forward to getting back on the road and sort of meeting with customers, you know, you can meet over Zoom and that's great, but what I've learned over time, you know, I used to go, I'd fly to Wichita, Kansas and actually go sit down with the operators like at their desk and watch how they use my tools. And that actually teaches you. Like you, you come up with things when you see, you know, your product in the hands of your customer, that you don't get from like a CAB meeting or from a Zoom call, you know? >> John: Yeah, yeah. 
>> And so being able to visit customers where they live, where they work and kind of like understand what we can do to make their lives better. Like that's going to, I'm actually really excited to gettin back to travel. >> If you could give advice to CTO, CISO, or CIO or a practitioner out there who are, who is who's sitting at their virtual desk or their physical desk thinking, okay, the pandemic, we're coming through the pandemic. I want to come out with a growth strategy, with a plan that's going to be expansive, not restrictive. The pandemic has shown what's what works, what doesn't work. >> Garth: Sure. >> So it's going to be some projects that might not get renewed, but there's doubling down on, certainly with cloud scale. What advice would you give that person when they start thinking about, okay, I got to get my architecture right. >> Yeah. >> I got to get my playbooks in place. I got to get my people aligned. >> Yeah >> What's what do you see as a best practice for kind of the mindset to actual implementation of data, managing the data? >> Yeah, and again, I'm, I'm, this is not an original Garth thought. It actually came from one of our customers. You know, the, I think we all, like you think back to March and April of 2020 as this thing was really getting real. Everybody moved as fast as they could to either scale up or scale down operations. If you were in travel and hospitality, you know, that was, you know, you had to figure how to scale down quickly and like what you could shut down safely. If you were like in the food delivery business, you had to figure out how you could scale up, like Chipotle hit two, what is it? $2 billion run rate on delivery last year. And so people scrambled as fast as they could to sort of adapt to this new world. And I think we're all coming to the realization that as we sort of exit and get back to some sense of new normal, there's a lot of what we're doing today that's going to persist. 
Like, I think we're going to have like flexible rules. I don't think everybody's going to want to come back into the office. And so I think, I think the thing to do is you think about returning to whatever this new normal looks like is like, what did we learn that was good. And like the pandemic had a silver lining for folks in many ways. And it sucked for a lot. I'm not saying it was a good thing, but you know, there were things that we did to adapt that I think actually made like the workplace, like stronger and better. And, and sort of. >> It showed that data's important, internet is important. Didn't break, the internet didn't break. >> Garth: Correct. >> Zoom was amazing. And the teleconferencing with other tools. >> But that's kind of, just to sort of like, what did you learn over the last 18 months that you're going to take for it into the next 18 years? You know what I mean? Cause there was a lot of good and I think people were creative and they figured out like how to adapt super quickly and take the best of the pandemic and turn it into like a better place to work. >> Hybrid, hybrid events, hybrid workforce, hybrid workflows. What's what's your vision on Splunk as a tier one enterprise? Because a lot of the news that I'm seeing that's, that's the tell sign to me in terms of this next growth wave is big SI deals, Accenture and others are yours working with and you still got the other Partnerverse going. You have the ecosystems emerging. >> Garth: Yep. >> That's a good, that means your product's enabling people to make money. >> Garth: Yeah. Yeah, yeah, yeah. >> And that's a good thing. 
>> Yeah, BlueVoyant was a great example in the keynote yesterday and they, you know, they've really, they've kind of figured out how, you know, most of their customers, they serve customers in heavily regulated industries kind of, and you know, those customers actually want their data in a Splunk tenant that they own and control and they want to have that secure boundary around that. But BlueVoyant's figured out how they can come in and say, hey, I'm going to take care of the heavy lifting of the day-to-day operations, the monitoring of that environment with the security. So, so BlueVoyant has done a great job sort of pivoting and figuring out how they can add value to customers and do, you know, because they they're managing not just one Splunk instance, but they're managing 100s of Splunk cloud instances. And so they've got best practices and automation that they can play across their entire client base. And I think you're going to see a lot more of that. And, and Teresa's just, Teresa is just, she loves Partners, absolutely loves Partners. And that was just obvious. You could, you could hear it in her voice. You could see it in her body language, you know, when she talked about Partnerverse. So I think you'll see us start to really get a lot more serious. Cause as big as Splunk is like our pro serve and support teams are not going to scale for the next 10,000, 100,000 Splunk customers. And we really need to like really think about how we use Partners. >> There's a real growth wave. And I, and I love the multiples wave in parallel because I think that's what everyone's consensus on. So I have to ask you as a final question, what's your takeaway? Obviously, there's been a virtual studio here where all the Splunk executives and, and, and customers and partners are here. TheCUBE's here doing all the presentations, live by the way. It was awesome. What would you say the takeaway is for this .conf, for the people watching and consuming all the content online? 
A lot of asynchronous consumption would be happening. >> Sure. >> What's your takeaway from this year's Splunk .conf? >> You know, I, it's hard cause you know, you get so close to it and we've rehearsed this thing so many times, you know, the feedback that I got and if you look at Twitter and you look at my Slack and everything else, like this felt like a conf that was like kind of like a really genuine, almost like a Splunk two dot O. But it's sort of true to the roots of what Splunk was true to the product reality. I mean, you know, I was really careful with my team and to avoid any whiff of vaporware, like what were, what we wanted to show was like, look, this is Splunk, we're acquiring companies, you know, 43 major releases, you know, 100s of small ones. Like we're continuing to innovate on your behalf as fast as we can. And hopefully this is the last virtual conf. But even when we go back, like there was so much good about the way we did this this week, that, you know, when we, when we broke yesterday on the keynote and we were sitting around with the crew and it kind of looking at that stage and everything, we were like, wow, there is a lot of this that we want to bring to an in-person event as well. Cause so for those that want to travel and come sit in the room with us, we're super excited to do that as soon as we can. But, but then, you know, there may be 25, 50, 100,000 that don't want to travel, but can access us via this virtual event. >> It's like a time. It's a moment in time that becomes a timeless moment. That could be, >> Wow, did you make that up right now? >> that could be an NFT. >> Yeah >> We can make a global cryptocurrency. Garth, great to see you. Of course I made it up right then. So, great to see you. >> Air bump, air bump? Okay, good. >> Okay. Garth Fort, senior vice president, Chief Product Officer. In theCUBE here, we're live on site at Splunk Studio for the .conf virtual event. I'm John Furrier. Thanks for watching. >> All right. 
Thank you guys. (upbeat music)
Knox Anderson, Sysdig | AWS Startup Showcase
(upbeat music) >> Welcome to the Q3 AWS Startup Showcase. I'm Lisa Martin. I'm pleased to welcome Knox Anderson, the VP of Product Management, from Sysdig, to the program. Knox, welcome. >> Thanks for having me, Lisa. >> Excited to uncover Sysdig. Talk to me about what you guys do. >> So Sysdig, we are a secure DevOps platform, and we're going to really allow customers to secure the entire lifecycle of an application from source to production. So give you the ability to scan IaC for security best practices, misconfiguration, help you facilitate things like image scanning as part of the build process, and then monitor runtime behavior for compliance or threats, and then finish up with incident response, so that you can respond to and recover from incidents quickly. >> What are some of the main challenges that you're solving and have those changed in the last 18 months? >> I'd say the main challenge people face today is a skills gap with Kubernetes. Everyone wants to use Kubernetes, but the amount of people that can operate those platforms is really difficult. And then getting visibility into the apps that are running in those environments is also a huge challenge. So with Sysdig, we provide just an easy way to get your Kubernetes clusters instrumented, and then provide strong coverage for threat detection, compliance, and then observability for those environments. >> One of the things that we've seen in the last 18 months is a big change in the threat landscape. So, I'm very curious to understand how you're helping customers navigate some of the major dynamics that are going on. >> Yeah, I'd say, the adoption of cloud and the adoption of Kubernetes have, have changed drastically. I'd say every single week, there's a different environment that has a cryptomining container that's spun up in there. Obviously, if the price of a Bitcoin and things like that go up, there's more and more people that want to steal your resources for mining. 
So, we're seeing attacks of people pulling public images for Docker Hub onto their clusters, and there's a couple of different ways that we'll help customers see that. We have default Falco rules, better vetted by the open source community to detect cryptomining. And then we also see a leading indicator of this as some of the metrics we, we collect for resource abuse and those types of things where you'll see the CPU spike, and then can easily identify some workload that could have been compromised and is now using your resources to mine Bitcoin or some other alt-coin. >> Give me a picture of a Sysdig customer. Help me understand the challenges they had, why they chose you and some of the results that they're achieving. >> Yeah, I used to say that we were very focused on financial services, but now everyone is doing Kubernetes. Really where we get introduced to an organization is they have their two or three clusters that are now in production and I'm going through a compliance audit, or it's now a big enough part of my estate that I need to get security for this Kubernetes and cloud environment. And, so we come in to really provide kind of the end-to-end tools that you would need for that compliance audit or to meet your internal security guidelines. So they'll usually have us integrated within their Dev pipelines so that developers are getting actionable data about what they need to do to make sure their workloads are as secure as possible before they get deployed to production. So that's part of that shift-left mindset. And then the second main point is around runtime detection. And that's where we started off by building our open source tool Falco, which is now a CNCF project. And that gives people visibility into the common things like, who's accessing my environment? Are there any suspicious connections? Are my workloads doing what they expected? And, those types of things. 
>> Since the threat landscape has changed so much in the last year and a half, as I mentioned, are the conversations you're having with customers changing? Is this something at the C-suite or the board level from a security and a visibility standpoint? >> I think containers and Kubernetes and cloud adoption under the big umbrella of digital transformation is definitely a board level objective. And then, that starts to trickle down to, okay, we're taking this app from my on-prem data center, it's now in the cloud and it has to meet the twenty security mandates have been meeting for the last fifteen years. What am I going to do? And so definitely there's practitioners that are coming in and picking tools for different environments. But, I would definitely say that cloud adoption and Kubernetes adoption are something that everyone is trying to accelerate as quickly as possible. >> We've seen a lot of acceleration of cloud adoption in the last eighteen months here, right? Now, something that I want to get into with you is the recent executive order, the White House getting involved. How is this changing the cybersecurity discussion across industries? >> I really like how they kind of brought better awareness to some of the cybersecurity best practices. It's aligned with a lot of the NIST guidance that's come out before, but now cloud providers are picking, private sector, public sector are all looking at this as kind of a new set of standards that we need to pay attention to. So, the fact that they call out things like unauthorized access, you can look at that with Kubernetes audit logs, CloudTrail, a bunch of different things. And then, the other term that I think you're going to hear a lot of, at least within the federal community and the tech community, over the next year, is this thing called an 'SBOM', which is for, which is a software bill of materials. 
And, it's basically saying, "as I'm delivering software to some end user, how can I keep track of everything that's in it?" A lot of this probably came out of SolarWinds where now you need to have a better view of what are all the different components, how are those being tracked over time? What's the life cycle of that? And, so the fact that things like SBOMs are being explicitly called out is definitely going to raise a lot of the best practices as organizations move. And then the last point, money always talks. So, when you see AWS, Azure, Google all saying, we're putting 10, 10 billion plus dollars behind this for training and tooling and building more secure software, that's going to raise the cybersecurity industry as a whole. And so it's definitely driving a lot of investment and growth in the market. >> It's validation. Absolutely. Talk to me about some of the, maybe some of the leading edges that you're seeing in private sector versus public sector of folks and organizations who are going alright, we've got to change. We've got to adopt some of these mandates because the landscape is changing dramatically. >> I think Kubernetes adoption goes hand in hand with that, where it's a declarative system. So, the way you define your infrastructure and source code repos is the same way that runs in production. So, things like auditing are much easier, being able to control what's in your environment. And then containers, it's much easier to package it once and then deploy it wherever you want. So container adoption really makes it easier to be more secure. It's a little tricky where normally like you move to something that's bleeding edge, and a lot of things become much harder. And there's operational parts that are hard about Kubernetes. But, from a pure security perspective, the apps are meant to do one thing. It should be easy to profile them. 
And so definitely I think the adoption of more modern technology and things like cloud services and Kubernetes is a way to be more secure as you move into these environments. >> Right? Imagine a way to be more secure and faster as well. I want to dig in now to the Sysdig AWS partnership. Talk to me about that. What do you guys do together? >> AWS is a great partner. We, as a company, wouldn't be able to deliver our software without AWS. So we run our SaaS services on Amazon. We're in multiple regions around the globe. So we can deliver that to people in Europe and meet all the GDPR requirements and those kinds of things. So from a, a vendor partnership perspective, it's great there. And then on a co-development side, we've had a lot of success and a fun time working with the Fargate team, Fargate is a service on Amazon, that makes it easier for you to run your containers without worrying about the underlying compute. And so they faced the challenge about a year and a half ago where customers didn't want to deploy on Fargate because they couldn't do deeper detection and incident response. So we worked together to figure out different hooks that Amazon could provide to open source tools like Falco or commercial products like Sysdig. So then customers could meet those incident response needs, and those detection needs for Fargate. And really, we're seeing more and more Fargate adoption as kind of more and more companies are moving to the cloud. And, you don't want to worry about managing infrastructure, a service like Fargate is a great place to get started there. >> Talk to me a little bit about your joint. Go to mark. Is there a joint go-to-market? I should say. >> Yeah, we sell through the AWS marketplace. So customers can procure Sysdig software directly through AWS. It'll end up on your AWS bill. You can kind of take some of your committed spend and draw it down there. So that's a great way. 
And then we also work closely with different solutions architects teams, or people who are more boots on the ground with different AWS customers trying to solve those problems like PCI-compliance and Fargate, or just building a detection and response strategy for EKS and those types of things. >> Let's kind of shift gears now and talk about the role of open source, in security. What is Sysdig's perspective? >> Yeah, so the platform, open source is a platform, is something that's driving more and more adoption these days. So, if you look at like the fundamental platform like Kubernetes, it has a lot of security capabilities baked in: there's admission controllers, there's network policies. And so you used to buy a firewall or something like that. But with Kubernetes, you can enforce services, service communication, you put a service mesh on top of that, and you can almost pretend it's a WAF sometimes. So open source is building a lot of fundamental platform level security, and by default. And then the second thing is, we're also seeing a rise of just open source tools that traditionally had always come from commercial products. So, there's things like OPA, which handle authorization, which is becoming a standard. And then there's also projects like Falco, that provide an easy way for people to do IDS use cases and auditing use cases in these environments. >> Last question for you. Talk to me about some of the things that you're most excited about. That's coming down here. We are at, this is the, our Q3 AWS Startup Showcase, but what are some of the things that you're most excited about in terms of being able to help customers resolve some of those challenges even faster? >> I think there's more and more Kubernetes standardization that's going on. So a couple of weeks ago, Amazon released EKS Anywhere, which allows companies who still have an on-prem footprint to run Kubernetes locally the same way that they would run it in the cloud. 
That's only going to increase cloud adoption, because once you get used to just doing something that matches the cloud, the next question you're going to answer is, okay, how fast can I move that to the cloud? So that's something I'm definitely really excited about. And then, also, the different, or AWS is putting a lot of investment behind tools like Security Hub. And we're doing a lot of native integrations where we can publish different findings and events into Security Hub, so that different practitioners who are used to working in the AWS console can remediate those quickly without ever kind of leaving that native AWS ecosystem. And that's a trend I expect to see more and more of over time, as well. >> So a lot of co-innovation coming up with AWS. Where can folks go to learn more information? Is there a specific call to action that you'd like to point them to? >> The Sysdig blog is one of the best sources that I can recommend. We have a great mixture of technical practitioner content, some just 101 level, it's, I'm starting with container security. What do I need to know? So I'd say we do a good job of touching the different areas and then really the best way to learn about anything is to get hands-on. We have a SaaS trial. Most of the security vendors have something behind a paywall. You can come in, get started with us for free and start uncovering what's actually running in your infrastructure. >> Knox, let's talk about the secure DevOps movement. As we see that DevOps is becoming more and more common, how is it changing the role of security? >> Yeah, so a lot of traditional security requirements are now getting baked into what a DevOps team does day-to-day. So the DevOps team is doing things like implementing IaC. So your infrastructure is code, and no changes are manually made to environments anymore. It's all done by a Terraform file, a CloudFormation, some code that's representing what your infrastructure looks at. 
And so now security teams, or sorry, these DevOps teams have to bake security into that process. So they're scanning their IaC, making sure there's not elevated privileges. It's not doing something it shouldn't. DevOps teams, also, traditionally, now are managing your CI/CD Pipeline. And so that's where they're integrating scanning tools in as well, to go in and give actionable feedback to the developers around things like if there's a critical vulnerability with a fix, I'm not going to push that to my registry so it can be deployed to production. That's something a developer needs to go in and change. So really a lot of these kind of actions and the day-to-day work is driven by corporate security requirements, but then DevOps has the freedom to go in and implement it however they want. And this is where Sysdig adds a lot of value because we provide both monitoring and security capabilities through a single platform. So that DevOps teams can go into one product, see what they need for capacity planning, chargebacks, health monitoring, and then in the same interface, go in and see, okay, is that Kubernetes cluster meeting my SOC 2 controls? How many images have my developers submitted to be scanned over the past day? And all those kinds of things without needing to learn how to use four or five different tools. >> It sounds to me like a cultural shift almost in terms of the DevOps, the developers working with security. How does Sysdig help with that? If that's a cultural shift? >> Yeah, it's definitely a cultural shift. I see some people in the community getting angry when they see oh we're hiring for a Head of DevOps. They're like DevOps is a movement, not a person. So would totally agree with that there, I think the way we help is if you're troubleshooting an issue, if you're trying to uncover what's in your environment and you are comparing results across five different products, it always turns into kind of a point the finger, a blame game. 
There's a bunch of confusion. And so what we think, how we help that cultural shift, is by bringing different teams and different use cases together and doing that through a common lens of data, user workflows, integrations, and those types of things. >> Excellent. Knox, thank you for joining me on the program today, sharing with us, Sysdig, what you do, your partnership with AWS and how customers can get started. We appreciate your information. >> Thank you. >> For Knox Anderson, I'm Lisa Martin. You're watching theCUBE.
Thomas Hazel, ChaosSearch & Jeremy Foran, BAI Communications | AWS Startup Showcase
(upbeat music) >> Hey everyone, I'm John Furrier with The Cube, we're here in Palo Alto, California for a remote interview and session for The Cube presents AWS startup showcase, the next big thing in AI security in life sciences. I'm John Furrier. We're here with a great segment on cloud. Next big thing in Cloud with ChaosSearch, Thomas Hazel, Chief Technology and Science Officer of ChaosSearch joined by Jeremy Foran, the head of data analytics, the bad boy of data analyst as they say, but BAI Communications. Jeremy, Thomas, great to have you on. >> Great to be here. >> Pleasure to be here. >> So we're going to be talking about applying large scale log analytics to building the future of the transit industry. Obviously Telco's a big part of that, smart cities, you name the use case self-driving trucks, cars, you name it, everything's now edge. That the edge is super valuable, it's a new kind of last mile if you will, it's moving fast, it's mobile. This is a huge deal. Let's get into it, Thomas. What's this big story around this, this session? >> Well, we provide unique ability to take all that edge data and drive it into a data lake offering that we provide data analytics, both in logs, BI and coming out with ML there this year into next. So our unique play is transforming customers' cloud object storage into an analytical platform. And really, I think with BAI is a log analytics specifically where, you know there's a lot of data streams from all those devices going into a lake that we transform their lake into analytics for driving, I guess, operational analysis. >> You know, Jeremy, I remember back in the day, I'm old enough to remember when the edge was the remote switch or campus hub or something. And then even on the Telco side, there was no wifi back in 2000 and you know, someone was driving in a car and you got any signal, you're lucky. Now you got, you know, no perimeter you have unlimited connectivity everywhere. 
This has opened up more of an Omni channel data problem. How do you see that world? Because you still got more devices pushing out at this edge and it's getting super local, right? Even on the body, even on people in the car. So certainly a lot of change on the infrastructure side. What does that pose for data challenge? >> Yeah, I, I would say that, you know users always want more, more bandwidth, more performance and that requires us to create more systems that require more complexity to deliver that user experience that we're, we're very proud of. And with that complexity means, you know exponentially more data. And so one of the wifi networks we offer in the Toronto subway system, T-connect, you know we see a 100-200,000 unique users a day and you can imagine just the amount of infrastructure to support that so that everyone has a seamless experience and can get their news and emails and even stream media while they're waiting for the subway. >> So you guys provide state of the art infrastructure for cell, wifi, broadcast, radio, IP networks, basically I mean, I call it the smart city kind of go-to. But that's basically anything involving kind of that edge piece. This is a huge thing. So as smart cities are on the table, which and you seeing 5G being called more of an enterprise app where there's feeding large dense areas of people this is now a new modern version of what I would call the, the smart city blueprint. What's changed in your mind on this whole modernization of this smart city infrastructure concept? What's new? What's cutting edge? >> Yeah. I would say that, you know there was an explosion of data and a lot of our insights aren't coming from one system anymore. It's coming from collecting data from all of the different pieces, the different infrastructure whether that's your fiber infrastructure or your wireless infrastructure, and then to solve problems you need to correlate data across those systems. 
So we're seeing more and more technologies that allow you to do that correlation. And that's really where we're finding tons of value, right? >> Thomas, take us through what you guys do as a, as a, as a product, a value proposition, the secret sauce, and and why I'm here with Jeremy? Why is this conversation important for the folks watching? What's the connection between ChaosSearch and BAI Communications? >> Well, it's data, right? And lots of it. So our unique platform allows people like Jeremy to stream all this data, right? In you know, today's world terabytes go to petabytes really easily, billions go to trillion really easily, and so providing the analysis of that data for their operations is challenging particularly based on technology and architectures that have been around for a long time. So what we do here at ChaosSearch is the ability for BAI to stream all these devices, all these services into one centralized data lake on their cloud object storage, where we connect to that cloud object storage and transform it into an analytical database to do, in this case log analytics and do it seamlessly, easily where a new workload a new stream just streams into that lake. And we, as a service take over, we discover we index it and publish well-known open API and visualization so that they can focus on their business, not all the operational data pipeline, database and data engineering type work that again, at these types of scales is is frankly a nightmare. >> You know, one of the things that we've always observed on The Cube when you see new things come out that are really cool groundbreaking products like you guys are doing it's always a challenge to manage the cost and complexity of bringing in the new. So Jeremy, take us through this tech stack here because you know, it's, sometimes it might be unwieldy just in from a tech stack perspective, never mind the business logic or the business processes that got to be either unwound or changed. 
Can you take us through the IT stack that's critical to support your, your area? >> Yeah, absolutely. So with all the various different equipment you know, to provide our public wifi and and our desks, carrier agnostic, LTE and 5G networks, you know, we need to be able to adhere to PCI compliance and ISO 27000, so that, you know, requires us to keep a tremendous amount of our data. And the challenge we were facing is how do we do that cost effectively, and not have to make any sort of compromises on how we do that? A lot of times you'll find you don't know the value of your data today until tomorrow. An example would be COVID. You know, we, when we were storing data two years ago we weren't planning for a pandemic, but now that we were able to retain that data and look back we can see a tremendous amount of value with trying to forecast how our systems will recover when things get back to normal. And so when I met Thomas and we were sort of talking about how we were going to solve some of these data retention problems, he started explaining to me their compression in some of the performance metrics of their profession. And, you know, I said, oh, middle out compression. And it was a bit, it's been a bit of a running joke between me and him and I'm sure others, but it's incredibly impressive the amount of data we're able to store at the kind of cost, right? >> What, what problem does, did he solve for you? Because I mean, these guys, honestly, you know the startups have a lot and the Cloud's enabling more value now, we're seeing this, but when you look at this what was your, what was your core problem that you had? >> Yeah, so we, when you we want to be able to, I mean, primarily this is for our syslog server. And syslog servers today aren't what they were 10, 15 years ago where you just sort of had a machine and if something broke you went and looked, right? Now, they're very complex, that data is feeding to various systems and third-party software. 
So, you know, we're actively looking for changes in patterns and we have our, you know security teams auditing these from, for penetration testing and such. And then the getting that data to S3 so that we could have it in case, you know, for two, three years of storage. Well, the problem we were facing is all of that all of these different systems we needed to feed and retain data, we couldn't do that on site. We wanted to do use S3 but when we were doing some projections, it's like, we, we don't really have the budget for all of these places. Meeting Thomas and, and working with ChaosSearch, you know, using their compression brought those costs down drastically. And then as we've been working with them the really exciting thing is they're bringing more and more features to that service offering. So, you know, first it was just storing that data away. And now we're starting to build solutions off of that sitting in storage. So that's where it gets really exciting because you know, there, it's nothing to start getting anomaly detection off those logs, which, you know originally it was just, we need to store them in case somebody needs them two, three years from now. >> So Thomas, if I get this right then what I'm hearing is obviously I've put aside the complexity and the governing side the regulations for a minute just generally. Data retention as, as a key value proposition and having data available when you need it and then to do that and doing it in a very cost-effective simple way. It sounds like what you guys are offering. Is that right? >> Yeah, I mean, one key aspect of our solution is retention, right? Those are a lot of the challenges, but at the same time we provide real time notification like a classic log analytic type platform, alerting, monitoring. The key thing is to bringing both those worlds together and solving that problem. 
And so this, you know, middle in middle out, well, to be frank, we created a new technology called what we call Chaos Index that is a database index that is wonderfully small as we're indicating, but also provides all the features that makes Cloud object storage, high performance. And so the idea is that use this lake offering to store all your data in a cost effective way but our service allows you to analyze it both in a long retention perspective as well as real-time perspective and bringing those two worlds together is so key because typically you have Silo Solutions and whether it's real-time at scale or retention scale the cost complexity and time to build out those solutions I know Jeremy knows also, well, a lot of folks come to us to solve those problems because you know when you're dealing with, you know terabytes and up, you know these things get complicated and to be frank, fall over quite often. >> Yeah. Let me, let me just ask you the question that's probably on everyone's mind who's watching and you guys probably have both heard this many times, because a lot of people just throw the data lake solution around like it's, you know why they whitewash their kind of old legacy solutions with data lake, store it on data lake. It's been called a data swamp. So people are fearful that, okay. I love this idea of a data lake, who doesn't like throwing data into a repository, having it available at will with notifications, all this secret magic beans that just magically create value. But I doubt that, I don't want to turn into a data swamp. So Thomas and Jeremy, talk about that, that concern. How do you mitigate that? How do you talk to that? Because if done properly, there's huge value in having a control plane or some sort of data system that is going to be tied in with signals and just storage retention. So I see the value. How do you manage the concern that people might say, Hey, I don't want a data swamp? >> Yeah, I'll jump into that. 
So, you know, let's just be frank, Hadoop was a great tool for a very narrow scenario. I think that data swamp came out because people were using the tooling in an incorrect way. I've always had the belief that data lakes are the future. You just have to have the right service, the right philosophy to leverage it. So what we do here at Chaos Search is we allow you to organize it, discover it, automatically index that data so that swamp doesn't get swampy. You know, when you stream data into your lake how do you organize it, such that it has a nice stream? How do you transform that data into a value? So with our service we actually start where the storage begins, not an end point, not an archive. So we have tooling and services that keep your lake from being swampy to be, to be clear. And, but the key value is the benefits of the lake, the cost effectiveness, the reliability, security, the scale, those are all the benefits. The problem was that no one really made cloud object storage a first-class citizen and we've done that. We've addressed the swamp nature but provided all the value of analysis. And that cost metrics, that scale. No one can touch cloud object storage, it just, you can't. But what we've done is cracked the code of how you make it analytical. >> Jeremy, I want to get your thoughts on this too, on your side I mean, as a practitioner and customer of, of these solutions, you know, the concern is am I missing anything? And I've been a big proponent of data retention for many, many years. You know, Dave Vellante in our Cube knows all know that I bang on the table all the time, store your data, be a data hoarder, because it's going to come back and be valuable. Costs are going down so I'm a big fan of data retention. But the fear might be on, what am I missing? Because machine learning starts to come in down the road you got AI, the more data you have that's accessible in real time, the more machine learning is effective. 
Do you, do you worry about missing anything or do you just store everything? >> We, we store everything. Sometimes it's, it's interesting where the value and insights come from your data. Something that see, might seem trivial today down the road offers tremendous, tremendous value. So one of the things we do is provide because we have wifi in the subway infrastructure, you know, taking that wifi data, we can start to understand the flow of people in and out of the subway network. And we can take that and provide insights to the rail operators, which get them from A to B quicker. You know, when we built the wifi it wasn't with the intention of getting Torontonians across the city faster. But that was one of the values that we were able to get from the data in terms of, you know, Thomas's solution, I think one of the reasons we engaged him in the first place is because I didn't believe his compression. It sounded a little too good to be true. And so when it was time to try them out, you know all we had to do was ship data to an S3 bucket. You know, there's tons of, of solutions to do that. And, and data shippers right out of the box. It took a few, you know, a few minutes and then to start exploring the data was in Kibana, which is or their dashboard, which is, you know, an interface that's easy to use. So we were, you know, within two days getting the value out of that data that we were looking for which is, you know, phenomenal. We've been very happy. >> Thomas, sounds like you've got a great, great testimonial here and it's not like an easy problem that he's living in there. I mean, I think, you know, I was mentioning this earlier and we're going to get into it now. There's regulations and there's certain compliance issues. First of all, everyone has this problem now, it's not just within that space. 
But just the technical complexities of packets moving around I got on my wifi and the stop here, I'm jumping over here, and there's a ton of data it's all over the place, it's totally unstructured. So it's a tough, tough test for you guys, Chaos Search. So yeah, it's almost like the Mount Everest of customer testimonials. You've got to, it's a big, it's a big use case here. How does this translate to other clients? And talk about this governance and security controls because I know this highly regulated and you got there's penalties involved on his side of the world and Telco, the providers that have these edge devices there's actually penalties and, and whatnot so, not just commercial, it's maybe a, you know, risk management, but here there's actually penalties. >> Absolutely. So, you know, centralizing your data has a real benefit of not getting in trouble, right? So you have one place, you store one place that's a good thing, but what we've done and this was a key aspect to our offering is we as Chaos, Chaos Search folks, we don't own the customer's data. We don't own BAI's data. They own the data. They give us access rights, very standard way with cloud object storage role and policies from Amazon, read only access rights to their data. And so not owning a customer's data is a big selling point not only for them, but for us for compliance regulatory perspective. So, you know, unlike a lot of solutions where you move the data into them and now they are responsible, actually BAI owns everything. We, they provide access so that we could provide an analysis that they could turn off at any point in time. We're also SOC 2 type 1 and type 2 compliant. You got to do it, you know, in this, this world, you know when we were young we ran at this because of all of these compliance scenarios that we will be in, but, you know, the long and short of it is, we're a transient service. 
The storage, cloud storage is the source of truth where all data resides and, you know, think about it, it's architecturally smart, it's cost effective, it's secure, it's reliable, it's durable. But from a security perspective, having the customer own their own data is a big differentiation in the market, a big differentiation. >> Jeremy, talk about on your end the security controls surrounding the log management environments that span across countries with different regulations. Now you've got all kinds of policy dimensions and technical dimensions and topology dimensions. >> Yeah, absolutely. So how we approach it is we look at where we have offerings across the globe and we figure out what the sort of highest watermark level of adherence we need to hit. And then we standardize across that. And by shipping to S3, it allows us to enforce that governance really easily and right to Tom's point you know, we manage the data, which is very important to us and we don't have to be worried about a third party or if we want to change providers years down the road. Although I don't think anyone's coming out with 81% compression anytime soon (laughs). But yeah, so that's, for us, it's about meeting those high standards and having the technologies that enable us to do it. And Chaos Search is a very big part of that right now. >> All right let me ask you a question, for the folks watching that are like really interested in this topic, what would you say to them when evaluating Chaos Search obviously, your use case is complex, but so are others as enterprises start to have an edge, obviously the security posture shifts, everything shifts. There's no more perimeter and the data problem becomes acute to them. So the enterprises are going to start seeing what you've been living for in your world. What's your advice to people watching? >> My advice would be to give them a try. You know, it has been really quite impressive. 
The customer service has been hands-on and we've been getting, you know, they've been under-promising and over-delivering, which when you have the kind of requirements to manage solutions in these very complex environment, cloud local, you know, various data centers and such, you know that kind of customer service is very important, right? It enables us to continue to deliver those high quality solutions. >> So Thomas give us the, the overview of the secret sauce. You've got a great testimonial here. You got people watching, what's different now in the world that you're going after, what wave are you on? Talk to the people who are watching this and saying, okay why Chaos Search? Why are you relevant? Obviously there's some cool things you're doing. I love that. What's cool, and what's relevant and why what's in it for them if they work with you? >> Yeah. So you know, that whole Silicon Valley reference actually got that from my patent attorney when we were talking. But yeah, no, we, we, you know, focus on if we can crack this code of making data, one a face small, store small, moves small, process small. But then make it multimodal access make it virtual transformation. If we could do that, and we could transform cloud object storage into a high-performance analytical database all these heavy, heavy problems, all that complexity that scaffolding that you build to do these type of scales would be solved. Now what we had to focus on and this has been my, I guess you say life passion is working on a new data representation. And that's our secret sauce that enables a new architecture a new service that where the customer focuses on their tooling, their APIs, their visualizations that they know and love, what we focus is on taking that data lake, and again, to transform it into an analytical database, both for log analytics think of like Elasticsearch replacement, as well as a BI replacement for your SQL warehousing database. 
And coming out later this year into 2022, ML support on one representation. You don't have to silo your information, you don't have to re-index your data, both. So Elasticsearch, SQL and actually ML TensorFlow actions on the exact same representation. So think about the data retention, doing some post analysis on all those logs of data, months, years, and then maybe set up some triggers if you see some anomaly that's happening within your service. So you think about it, the hunt with BI reporting, with predictive analysis on one platform. Again, it sounds a little unicorn, I agree with Jeremy, maybe it didn't sound true but it's been a life's work. So it didn't happen overnight. And you know, it's eight years, at least in the making, but I guess the life journey in the end. >> Well, you know, the timing is great. You know, all the database geeks out there who have been following the data industry know that, you know there's a good point for structured data but when you start getting into mechanisms and they become a bottleneck or a blocker to innovation, you know you're starting to see this idea of a data lake being let the data kind of form, let it be. You know, I hate the word control plane but more of a, a connective tissue between systems has become an interesting thing. So now you can store everything so you know, no worries there, no blind spots and then let the magic of machine learning in the future, come around. So Jeremy, with that, I got to ask you since you're the bad boy of data analytics at BAI Communications, head of data analytics, what does that, what do you look for in the future as you start to set this up because I can almost imagine and connecting the dots here in the interview, you got the data lake you're storing everything, which is good. Now you have to create more insights and get ahead of the curve and provide some prescriptive and automated ways to do things better. What's your vision? 
>> First I would just like to say that, you know when astrophysicists talk about, you know, dark energy, dark matter, I'm convinced that's where Thomas is hiding the ones and zeros to get that compression, right? I don't know that to be fact but I know it to be true. And then in terms of machine learning and these sort of future technologies, which are becoming available you know, starting from scratch and trying to build out you know, models that have value, you know that takes a fair amount of work. And that landscape keeps changing, right? Being able to push our data into an S3 bucket and then you know, retain that data and then get anomaly detection on top of it. That's, I mean, that's something special and that unlocks a lot of ability for you know, our teams to very easily deliver anomaly detection, machine learning to our customers, without having to take on a lot of work to understand the latest and greatest in machine learning. So, I mean, it's really empowering to our team, right? And, and a tool that we're going to. >> Yeah, I love and I love the name, Chaos Search, Thomas. I got to say, you know it brings up the inside baseball around Chaos Monkey which everyone knows was a DevOps tool to create kind of day two simulate day two operations and disruptions in DevOps. But what you're really getting at is your whole new architecture that's beyond DevOps movement, it's like next gen architecture. Talk about that to the people watching who have a lot of legacy and want to transform over to a more enabling platform that's going to give them some headroom for their data. What, what do you say to them? How do they get started? What, how should they, how what's their mindset? What they, what are some first principles you can share? >> Well, you know, I always start with first principles but you know, I like to say we're the next next gen. The key thing with the Chaos Search offering is you can start today with B, without even Chaos Search. 
Stream your data to S3. We're going to make hip and cool data lakes again. And actually it's a, Google it now, data lakes are hip and cool. So start streaming now, start managing your data in a well-formed centralized viewpoint with security governance and cost effectiveness. Then call Chaos Search shop, and we'll make access to it easily, simply to ultimately solve your problems. The bug whether your security issue, the bug, whether it's more performance issues at scale, right? And so when workloads can be added instantaneously in your data lake it's, it's game changing it's mind changing. So from the DevOps folks where, you know, you're up all night trying to say, how am I going to scale from terabyte, you know one today to 50 terabytes, don't. Stream it to S3. We'll take over, we'll worry about that scale pain. You worry about your job of security, performance, operations, integrity. >> That really highlights the cloud scale the value proposition as, as apps start to be using data as an input, not just as a part of a repo, so great stuff. Thomas, thanks for sharing your life's work and your technology magic. Jeremy, thanks for coming on and sharing your use cases with us and how you are making it all work. Appreciate it. >> Thank you. >> My pleasure. >> Okay. This is The Cube's coverage and presenting AWS this time showcase the next big thing here with Chaos Search. I'm John Furrier, your host. Thanks for watching. (upbeat music)