Mike Kail, Cybric | CUBE Conversation with John Furrier
(uplifting music)
>> Welcome everyone to CUBEConversation here in Palo Alto, California, theCUBE Studios, I'm John Furrier, the co-host of theCUBE and co-founder of SiliconANGLE Media. Our next guest is Mike Kail, the CTO of Cybric, a security company industry veteran, welcome, good to see you. Glad we got you, get some time, your time today.
>> No, absolutely John, thanks for having me.
>> Yeah, so you've been through -- seen a lot of growth in the waves. The big web scale, and now as we go full cloud and hybrid cloud, private cloud and public cloud, whole new paradigm shift on security. Many have Dave Vellante ask Pat Gelsinger many times, do we need a security do over? The general consensus from everyone is, yes. (laughing) We need a do over. What's the state of the market with security right now as people scratch their head, they've been throwing the kitchen sink at everything, but yet, the attacks are still up. That's not good, so what's the solution? What's going on?
>> I mean I think a level set like we've talked about the definition of insanity is doing the same thing over and over, and in security for sure, we've been doing the same thing. We have firewalls, nextgen firewalls, endpoint, you know, product X, product Y, this has got a better algorithm. Has anything really helped? I think in this post Equifax world, and now post SEC world, things are not getting better. We need to step back, and I think we need to really think about how do we bring security assurance into the assembly and delivery of applications, and move it back into the code as well, which is our thesis on shifting left and embedding security into the SDLC. I think there needs to be some design thinking around security as well. Today it's like this fear, uncertainty, and doubt -- it's sold on fear, and that bad things are happening. Let's bring the conversation into visibility.
>> I mean, there's so many different lifecycles you've mentioned is really key, and I think I want to just drill down on that because the observation, I'll get your reaction on this, is security shouldn't be a cost center, security should be tied to core objectives of a company, should be reporting to the board, C-level type access should be invested in. At the same time, the architecture of security, not just organizationally funded, cloud and datacenter need to be looked at holistically. There's no one product. So that means okay, one, that's the customer viewpoint, but then you got to actually put the software out there. So, what's your reaction to that trend of security being not actually part of the IT department whether it is or not is irrelevant, it's more of, how it's viewed. Are you staffing properly? How are you staffing? Is it a cost center, or is it tied to an objective? Does it have free rein to set up policies, standards, et cetera? What are your thoughts on this?
>> I think, and I've talked about this recently, the technology is there. The culture is lagging behind. Security's always been --
>> Culture is lagging or not?
>> Is lagging. Security has traditionally been kind of this -- Like IT was in the past, pre-DevOps culture, security is the Department of No. Coming in and not thinking about driving business revenue and outcome, but pointing fingers and accusing people and yelling at people. It creates this contentious environment, and there needs to be collaboration around, like, how do we drive the business forward with security assurance not insurance? The latter is not helping.
>> So, that's a good point, I want to drill down on DevOps, you mentioned DevOps, that's -- you and I have talked about this before at events. DevOps movement has happened. It's happening, and continuing to happen at scale. DevOps is pretty much on the agenda, make it happen.
But, it's hard to get DevOps going when there's so much push on application development, so, you have old school transitional application development now with DevOps, and then you got pressure for security. It seems to be a lot on the plate of executives and staffs to balance all of that. So how do you roll up the best security into a DevOps culture, in your opinion?
>> I think you have to start embedding security into the DevOps culture and the software development lifecycle, and create this collaborative culture of DevSecOps.
>> What is DevSecOps?
>> It's making -- you think about the core tenets of DevOps being collaboration, automation, measurement, and sharing. Security needs to take that same approach. So instead of adding or bolting on security at the end of your development and delivery cycle, let's bring it in and find defects early on from what we talk about, from code commit, to build, to delivery, and correlate across all of those instead of these disparate tasks and manual tasks that are done today.
>> Where are we on this? First, by the way, I agree with you, I love that idea, because you're bringing agility concepts to security. How far -- what's the progress on this relative to the industry adoption? Is it kind of pioneering right now stage, is it a small group of people, remember, go back to 2008, you remember, the cloud was a clouderati, was a handful of people. I would go to San Francisco, there'd be six of us. Then NGR would come on, then there's Heroku, then there's like Rackspace, and then Amazon was still kind of rising up. It feels like DevOps, DevSecOps, is beyond that, I mean, where is the progress?
>> I think out in the real world, especially outside of Silicon Valley, it's still really early days. People are trying to understand, but as we were chatting about before the show, I feel like in the past few months there's definitely momentum gaining rapidly.
I think with conferences like DevSecCon, Security Boulevard coming out from Alan Shimel and his team, like there's building more and more awareness, and we've been trying to drive it as well. So I think it's like the early days of cloud. You'll see that, "Okay, there's a bunch of -- okay I don't think this is a real thing", and now people are like, "Okay, now I need to do it, I don't want to be the next Equifax, or large breach. So how do I bring security in without being heavy handed."
>> Interesting you mentioned Equifax, I mean our reporting soon to be showing, will demonstrate that a lot what's been reported is actually not what really happened at this. They've been sucked dry 10 times over, and that the state actors involved as a franchise in all of this, it's beyond -- Amazing how complicated this -- these hacks are, so how does a company prepare against the coordination at that level - I mean, it's massive, I mean, someone dropped the ball on the VPN side, but I mean, clearly, they were out-maneuvered, outfoxed if you will.
>> Well, I mean I think it has to come from the top, like security has to stop being quote unquote important, and become a priority. Not the number one priority, but you have to think about it with respect to business risk. And Equifax aside, a lot of companies just have poor hygiene. They don't practice good security hygiene across all of the attack vectors. If you look at now, the rise of the developer, Docker containers, moving to cloud, mobile, there's all of these ways in, and the hackers only have to be right once. We on the defensive side, have to be right all the time.
>> Hygiene is a great term, but if it's also maybe even more than that. It's like they just need an IQ as well, so you got to have, you've got this growth in Kubernetes, you got containers, you got a lot going on at layer four and above in the stack, that are opportunities as you said, the tech's out there.
So, again, back to the organizational mindset, because this is where DevOps really kind of kicked ass, you had an organizational mindset, then you had showcases, people built their own stuff. You go back to the early pioneers, you were involved with a few of them, Facebook built their own stuff, because they had to.
>> Mike: Yeah, there was nothing else.
>> There was nothing else, so they had to build it. Now a lot of the successes in the web scale days were examples of that. So is that a similar paradigm, are people building their own, are you guys working with one, is that right? How should people think about how to look for use cases, how should they look for successes, who's doing anything? Can you point to any examples of that's kickass DevSecOps?
>> I mean, obviously I'm biased, but I think --
>> (laughing)
>> the Cybric platform is really trying to take all of the different disparate tools and hyperconverge them onto an automation orchestration platform. Now you can be at all parts of the SDLC, and give the CIO and CSO visibility. I think the visibility aspect with the move to cloud and containers, and Kubernetes, and you name your favorite technology, there's a lack of visibility. You can't secure what you don't know about.
>> Take a minute to talk about Cybric for a minute, 'cause you brought up the product, I want to just double down on that. What do you guys do, what's the product, just give a quick one minute, two minutes, update on for the folks on what you guys do.
>> Sure, so we're a cloud security as a service platform, so it's delivered SaaS, that has a policy driven framework to automate code and application security testing and scanning from code commit, to build assembly, to application delivery, and correlate that testing and the results and provide you, your business resiliency. So we talk about internal rate of detection, internal rate of remediation, and if you can narrow that window, you become much more resilient.
>> Alright, so, let me give you an example. Just throw this out since we're here. A little test here -- Test your security mojo here. I go to China. I happen to bring my phone and my Mac, I connect to the -- oh, free WiFi! Boom, I get a certificate, my phone updates from Apple, I think I'm on a free WiFi network, it's a certificate from China, I get the certificate here, they read all my mail while I'm over there, but I'm not done, I come home. And I go back to the enterprise. How do you guys help me, the company, identify that I'm now infected at maybe the firmware level or you know, I mean, that's -- what people are talking about all the time right now. You're smiling, he's like, yeah that happens.
>> First of all, I would never let you leave to go to a country like that without a burner phone and a burner laptop, but not take -- and don't log into anything, don't connect to anything.
>> Is that --
>> It's about building awareness, so I --
>> Hold on in all seriousness that's essentially best practice in your opinion? Not to have your laptop in China, is that the thing?
>> Yeah, I don't think, you're not going to be safe. Like, there's so many ways to subvert you, whether you accidentally connect to public WiFi, you join the wrong network, somebody steals your laptop, I mean, there's just all the -- there's a lot of bad things that can happen, and not much upside for you.
>> Okay, so now back to the enterprise, so I get back in, what kind of security -- how do you guys look at that, so if you're doing agile or DevSecOps, is there software that does that, is it the methodology, is there mechanisms, how do companies think through some basic things like that, that entry point? Because then that becomes an insider threat from a backdoor.
>> Right, so I think you have to have this continuous scanning approach.
The days of doing a pen test on your application once a quarter, meanwhile hackers are doing it continuously behind the scenes, you have to close that chasm. But I think we need to start early on and build awareness to developers. One reporter used the analogy, it's like spell check from Microsoft Word. Now as I'm committing code, I can run a scan and say okay you have this vulnerability, here's how to go remediate it, and you do that, and we don't impact velocity.
>> So you have to be on top of a lot of things. But that also is into the team's approach. What is the product that you guys have? Is it software, is it -- a box, how do you guys -- what's the business model for Cybric?
>> We're software that overlays into the SDLC, and we plug in at these key points of the SDLC. So committing into your code repo, such as GitHub or Bitbucket, at the artifact build stage, so Jenkins, Travis, Circle --
>> So you're at the binary level?
>> Yeah.
>> Okay.
>> So there we look for open source and third party library and do source code composition of the artifact. Now you make sure that you're not vulnerable to Apache Struts, you have updated and patched to the latest version. Then pre-delivery, we replicate your application environment, and aggressively scan for the OWASP Top 10. So SQL injection, cross-site scripting --
>> Yeah.
>> And alert you, and allow you to play offense. So we now remediate the vulnerability before it's ever exposed to production.
>> Where are you guys winning, give some examples of when someone needs to get you guys in, is it a full on transformational thing, can I come in and engage with Cybric immediately in little kind of POCs, what's the normal use case that you guys are engaging with companies on?
>> It really depends where you are in your company with this whole DevOps, DevSecOps migration, but we're agnostic to the methodology in your environments, so we can start at the far right, and just do AppSec scanning, we can start at the middle of the build, at the left, code, or all of that. There's this notion of I have to be ready for security, you don't have to be ready. We help you -- The hardest part is getting started, and we help you get started. You'll see a blog post or an article from us say, "Stop the fudge, just get started." That's how you have to approach this. This paralysis that exists has to end.
>> That's not what the paralysis thing -- Pretend I'm a customer for a second, Mike, I'm burnt out, I got a gun to my head every day, I come in, I got every single security vendor lining up begging for my attention, why should I pay attention to you? What's in it for me? How do you answer that?
>> So first of all, you know, what do you want to achieve? What is your current state? Where are your code repos, where are your application deployments, what are you doing today? How do we make that a continuous process? It's understanding the environment, having some situational awareness and a bit of EQ. Instead of going in and pounding on them with a product.
>> Do you guys then go in and train my staff, I'm trying to think what's the commitment from me, what do I need to do?
>> It's -- our policies are very simple, you define a target which is your source repo, your build system, or your application, you define the tool or integration you want to run, so I want to run Metasploit against my application, I want to do it every hour, and I want to be notified via a Slack channel notification.
>> That sounds really easy to implement. It sounds --
>> It's four steps. Literally a POC takes 15 minutes to onboard.
>> So what's the outcome, what's some of the successes you've had after a POC?
It sounds complicated but really the methodology is more of a mindset for the organization, so I love the DevOps angle on that, but okay, I can get in, I kick the tires, I do the four steps, I go, "Oh this is awesome." What happens next, what normally goes on?
>> What often happens in the past is you run a test and you're inundated with results, it's -- you know, there's critical warnings, some informational, and some like blood red ones. But you don't know where to start on prioritizing them. We've normalized the output of all these tools so now you know where exactly to start. What are the important vulnerabilities to start with, and go down, versus throwing this over the fence to dev, and upsetting them, and having a contentious conversation. So we implicitly foster the collaborative nature of DevSecOps.
>> Cool. So competition. Who do you guys compete with, how do you guys -- Who do you run into the field against, what are customers looking at that would compare to you guys that people could think about?
>> I think our biggest competition to be honest is the companies that want to -- that tried to do that themselves. The DIYs are not invented here. I mean, we've talked to a couple companies, they've tried to do this for two years, and they failed, and, you know, outside of us trying to sell something, like, is that really in your company's best interest to have a team dedicated to building this platform. I think there's a couple other big companies out there that do part of it, but like we architected this from the ground up to be unique and somewhat differentiated in a very crowded security market.
>> What's your general advice, you know, a friend comes to you, CIO friend, hey Mike, you know dude, bottom line, what's going on with security?
How do you -- what's your view of the landscape right now because it certainly is noisy, again like I said, the number of software tools, and billions of hundreds of billions of dollars being spent according to Gartner, yet the exploits are still up, so it's not like having any effect. (laughing) Someone's winning. So if there's more tools, either something's -- tools are ineffective or there's just more volume on attacks, probably both, but -- You go, Oh my God, there's nothing really going on here. There's no innovation. What's the landscape look like, how do you describe that in kind of simple terms and less security landscape? Crazy out of control chaotic, I mean, what's --
>> I mean, if you go to RSA and walk the floor, it's like all of the same buzzwords got exploded, and there's no real solutions that address the near -- like we talked about, I said earlier, the definition of insanity is doing the same thing over and over, we keep deploying the same products and having the same results, and not being more secure. I think there needs to be a rationalization process. You can't just go buy tools and expect them to solve all of your problems. You have to have a strategic framework instead of a tactical approach.
>> Alright, so I'll say to you, as another example, I got IoT on my agenda, I got a lot of industrial equipment, that's now going to connect to the IP network, used to go to some of its own proprietary backhaul, but now I'm on the IP network. Mike, how does this play into that? Obviously it's going to open up some more surface area for attacks, how do you guys work with that?
>> I think it goes back to that having this continuous security scanning, if you have all of these IoT devices, you have to know how they're operating. You can't just send a bunch of log data to your SIEM and try to extract that signal from the noise and overwhelm your security operation center.
How do you run that through the kind of a, let's call it map reduce for lack of a better term, to extract that signal from the noise and find out is this device talking to this one, is that correct, or is this anomalous? But it has to be continuous, that cannot be periodic.
>> Obviously data is important, my final question to end the segment is, the role of data and the role of DevOps is impactive to the security practice. What's the reality, where are we? First inning, second inning? Data obviously important, comment on that, and then DevOps impact to security. Obviously you see momentum. What's your thoughts?
>> I don't think we've got out of the dugout yet, to start the first inning --
>> (laughing)
>> Which is exciting in some ways if you're a start-up. Or depressing if you're an enterprise. But we have to take a different approach going back to how we started this conversation. The current approaches aren't working. We have to think differently about this.
>> Okay, so we're in the early innings, I'm a pioneer, an early adopter, because I'm desperate or I really want to be progressive, why am I calling Cybric?
>> I think because you want -- you understand that security needs to be more of a priority, you want to shift that left, and find defects and vulnerabilities early on in your product -- Lifecycle. If you're a head of product, wouldn't you want to have some security assurance before I delay your delivery date because the security team comes in and finds a bunch of vulnerabilities the day before your launch.
>> So security as a service as you said. Mike Kail with Cybric, CTO, bringing his expert opinion here into theCUBEConversation here at Palo Alto, I'm John Furrier, thanks for watching.
(upbeat music)