[Music] from the cube studios in palo alto in boston bringing you data-driven insights from the cube and etr this is breaking analysis with dave vellante top security pros indicate that the solar winds hack on top of the pandemic have further heightened a change in how they think about security not only musciso secure an increasingly distributed workforce and network infrastructure but they now must be wary of software code coming from reputable vendors including the very patches designed to protect them against cyber attacks hello everyone and welcome to this week's wikibon cube insights powered by etr in this breaking analysis we'll summarize cso sentiments from a recent etr venn session and provide our quarterly update of the cyber security sector now in an upcoming episode we'll be inviting eric bradley of etr to provide deeper analysis and insights on these trends but we wanted to give you a preliminary preview of what's happening in the sector as we start off 2021. now the solar winds attack was like nothing we've ever seen before it's been covered quite widely in the press but in case you don't know the details solarwinds is a company that provides software to monitor many aspects of largely on-prem infrastructure including things like network performance log files configuration data storage servers and the like now as with all software companies solarwinds sends out regular updates and patches hackers were able to infiltrate the update and trojanize the software meaning when customers installed the updates the malware just went along for the ride now the reason this is so insidious is that often hackers they're going to target installations that haven't installed patches or updates and identified vulnerabilities in the infrastructure that haven't been addressed doors that are open that haven't been closed if you will now here the very code designed to protect against the breach actually facilitated that breach now according to experts this was quite a sophisticated attack that most believe was perpetrated by the russian hacker group cozy bear an advanced persistent threat or apt as classified by the u.s government now it's suspected that somehow they fished their way into a github repo and stole username and password access to allow them to penetrate the supply chain of software that's delivered over the internet but public information on this attack it's still spotty people are still learning now what is known is that the attackers have been lurking since march of last year and they exfiltrated lots of information from the u.s government and many other high-profile companies now here's what the csos and the etr van had to say about it let me just read some of the quotes the impact of this breach is profound it really turned a lot of heads and conventions about cyber security i don't think this threat has been exaggerated in the media we're now in a situation where we have to monitor the monitors this attack didn't have any signatures of a previous attack so you got down to the code level 80 to 90 of that code is being downloaded from the internet it's bringing devops security processes and making us rethink how to reinvent security and i'll add my business friend val berkovici said to me on twitter last year that he thinks the government hack is going to have permanent implications on how organizations approach cyber security it seems these cisos agree now the one question is what can be done about this and when you talk to security pros they'll definitely tell you they're rethinking security practices but look there's only so much you can do here's a tag cloud summarizing some of what we hear in the cube community and in the venn from etr practitioners you hear a lot about xero trust many csos are really leaning into identity access management and pam and mandates around two-factor authentication we've talked a lot about firms like octa sale point cyber arc software and microsoft is coming up more and more in this conversation especially as octa is seen as setting a price umbrella there's definitely some frustration amongst csos about octa's pricing strategies and auth 0 which does authentication as a service that's hitting our radar as well now of course endpoint security is something we've talked a lot about as the work from home trend hit during the pandemic it's become much much more important and you can see in the growth of crowdstrike and as you see in a moment we're getting some traction with vmware and carbon black in the survey data and of course titanium is another company that we've talked about csos look they're not just going to rip out what they have so companies like cisco especially with umbrella and duo they come up in the conversation as does palo alto networks we've said many times palo alto is seen as a thought leader csos like them they also like fortinet especially those that may be more cost cost conscious we see that a lot in mid-market and so on with analytics micro-segmentation cloud security with z-scaler and even rpa to automate certain tasks uipath has come up in the conversation more and more in a security context so you look at this tag cloud and there's no one answer as is often the case case with cyber security lots of tools lots of disciplines and a very capable adversary who has learned to as they say live off the land using your own infrastructure and tooling against you now the common narrative is that security is a top priority with cios and csos and budgets are going to be up so let's take a look at that well kind of here's a chart that shows the net scores or spending momentum for various sectors of the etr tech taxonomy and we've highlighted the information security segment yes it's up relative to the october survey but it really doesn't stand out i mean everything's up as we've reported coming off a down year in tech spending minus four percent last year and we're forecasting a plus six to seven percent increase this year really depending on on the pace of their recovery but the point is cyber is one of many budget organizations and organizations they're simply not going to open up a blank check to the cso now part of the reason is they're heavily invested in cyber this graphic shows several sectors in context and we've highlighted security in the red box the vertical axis that shows spending velocity and the horizontal axis is market share or presence in the data set and you can see the security it's got a big presence it's pervasive of course but it lags some of the top sectors in terms of spending velocity because look organizations they've got lots of priorities and as you'll see in a moment this space like most mature markets has some companies with off the charts spending patterns and others that lag so let's dig into that a little bit here you see that same xy graphic and we've plotted a number of security players so there's a couple of points here that we want to make first microsoft as usual is off the charts to the right and amazingly has a net score of 48 percent so highly elevated octa continues to lead this pack in net score as it has the last several surveys it's got a net score of 61.5 percent up from last quarter survey octa crowdstrike cyberark fortinet proof point and splunk are all up nicely from last quarter's survey we also really want to highlight carbon black the company's net score last quarter was 23.9 percent with 134 mentions in this quarter its net score shot up to nearly 38 so a very meaningful and noticeable move for vmware's 2.1 billion dollar acquisition that it made in the summer of 2019. so a number of companies that have momentum which stems from a rebound in tech spending but also a shift in security spend that we've highlighted and you can see a couple of legacy security firms that are also there in the chart losing momentum we've highlighted fireeye and rsa okay so now let's dig deeper into the data and the vendor performance here's a view of the data that we first showed you in 2019 it shows the net score and the shared n which identifies the number of mentions within the sector and it's an indicator of presence in the marketplace the leftmost chart is sorted by netscore and the right-hand chart is sorted by shared n so to make this chart you had to have at least an n of 50 in the survey again you can see octa sale and sale point lead in net score and microsoft has the biggest presence in the right hand side along with cisco and palo alto and something we started two years ago was if a vendor shows up in the top 10 for both net score and shared n we anointed them with four stars so these are the four star companies microsoft palo alto octa and crowdstrike which crouch by the way it fell off but it's back on and i think that was probably a survey anomaly because based on the company's financials there has been no loss of momentum for crowdstrike and we give two stars to those companies that make the top 20 in both categories so cisco because of umbrella and duo splunk proofpoint fortinet z z-scaler cyborg and carbon black vmware carbon black is new to the two-star list due to its rapid rise in net score that we just talked about now just a quick aside on carbon black at vmworld 2019 pat gelsinger told john furrier and me that he felt like he got a great deal picking up carbon black for 2.1 billion dollars now his logic was in part based on the valuation of crowdstrike at the time which is of course carbon black competitor crowdstrike as you can see on this chart had a valuation that was at nine times higher than that of carbon black and you can see from the trailing 12-month revenue that crowdstrike was a significantly larger company by more than 100 million dollars in revenue so the real story though was the company's growth crowdstrike at the time was growing much much faster than carbon black at more than a hundred percent compared to carbon blacks 22 roughly now in vmware's recent earnings call they said that carbon black had good bookings performance so who knows exactly what that means but if it were more than 22 my guess is that vmware vmware would have been more effusive in its commentary so let's assume that since the acquisition carbon black growth has been flattish you know maybe down maybe up but probably flat so vmware they're figuring out how to integrate the company and we think that as it does that it's going to use its channel of distribution and global presence to really drive carbon black sales now nonetheless we would still peg carbon black's valuation of having increased pretty substantially since the time of the acquisition perhaps in the three to five billion range we don't know for sure so but a nice pickup in our view for vmware and it'll likely grow from here based on the etr data then that's very encouraging for carbon black now let's look at how the valuations in this sector have changed since before covid here's an updated view of our valuation matrix since just before the pandemic hit in the u.s as you can see the s p is up 16 from that time frame the nas composite up 43 percent wow now look at the others only splunk really hasn't seen a huge uptick in valuation but the others have either risen noticeably like proof point cyber arc sail point they bounced up like palo alto or fortinet or exploded like crowd chat octa and z scalar you combine all these and you're talking about 114 billion dollar increase in market cap for these so one would think carbon black as a vmware asset has done pretty well along with these names and we would expect that the tech spending rebound this year combined with the heightened concerns over the solar winds hack and the tectonic shifts from the accelerated work from home and digital business transformations will continue to bode well for many of these names for quite some time all right let's wrap it up with some of the things we're watching in this space as we exit the pandemic and experience a new digital reality cyber threats have never been greater look each january if you look back on the prior year you'd be able to say the same thing for the last couple of decades and the reality is the budgets and spending on cyber they're asymmetric to the economic risks we just don't spend enough and probably can't spend enough to solve this problem csos they have to balance their legacy legacy install base security infrastructure with the shift to zero trust accelerated endpoint new access management challenges the ever expanding cloud and dot dot dot lack of talent remains the single biggest challenge for organizations which are stretch thin making investments in automation a trend that is not going to abate anytime soon in cyber all the cliches apply there is no silver bullet there is no rest for the weary the adversary they are well funded and extremely capable and they only have to succeed once to create a business disaster for an organization that has to succeed every day 24 hours a day so expect more of the same with no end in sight in terms of complexity fragmentation and whack-a-mole approaches to fighting cyber crime i hate to say this but it just means the fundamentals for the sector just keep getting better and better sorry okay that's it for this week remember all these episodes are available as podcasts wherever you listen so please subscribe i publish weekly on wikibon.com and siliconangle.com and don't forget to check out etr.plus for all the survey data and the analytics i appreciate the comments on my linkedin post you can dm me at [Music] you

>>Live from Orlando, Florida. It's the cube covering Microsoft ignite brought to you by Cohesity. >>Hello cube nation and welcome to back to the cubes live coverage of Microsoft ignite here in Orlando, Florida. I'm your host, Rebecca Knight. Along with my cohost Stu Miniman. We are closing down the second day of the three days of coverage. This is day two >>wall to wall to wall coverage. Joining us is Thomas LA rock, best job title ever, head geek at solar winds or speaker data expert and SQL rockstar and Microsoft MVP and Microsoft MVP and yes importantly and you saved me. You didn't have me on yesterday. You waited to the second day, the end of the second day. Thomas, we wanted to make sure that by the time you came on that you had got some time to really absorb some of those announcements and be ready to give us a different perspective on some of the items. All right. Precisely. So this is your 10th Microsoft ignite. It is my first go back to tech ed 2010 so yeah, my 10th consecutive between tech ed and McKnight. Thoughts, impressions of 2019, how is it different? How is the show evolving? What does the show all about? So your perspective, you know, I do a lot of events and shows and what my impression right now just over these two days is that this is one of the only shows this year I've been to where I feel the from year over year, the expo hall is say bigger. >>I mean I know it's the same size the last year. I think there's actually more vendors here this year. There are, and there's more people here. This year in the expo hall. Our traffic at the booth yesterday was amazing and continued through today. Uh, other events I've been to, I feel it's kind of shrinking a little bit. So to me the partners and the ecosystem for Microsoft in general is grow or I should just say Azure because that's what I think this show really is. Now I think the old tech ed you had mentioned was more like a windows type a show. But now this is th these shows between AWS and this, you're talking about the two biggest providers of infrastructure. This is an Azure show. Yeah. Well and Thomas, if you come follow us along, I'll be at CubeCon in two weeks and I'll be at AWS re invent. >>Yup. Right after Thanksgiving. Both of those shows are growing. The ecosystem are growing there too. So the cloud is definitely one of those. The raising tide is moving all boats. I want to poke you say Azure. Azure is definitely one of the main pieces, but you know, the applications that data are so important to your last year. AI front and center. Um, it was, it was more, you know, they didn't use the term AI as much here. You know, Satya, I was talking about, you know, tech intensity and all of the things we can do with data. So this, while a cloud is a major piece, I wouldn't call this just a cloud show because I think that would limit what we're actually talking about here. Cause there's so many of the apps and so many of the things. When I talked to some of the ecosystem providers, you know, they're looking for that solution that fits it and therefore they're go into the ecosystem and talking about all of those pieces. >>So for an infrastructure guy like me, cloud's a big piece of it, but it's way more than that. And that's one of the challenges is there's, you know, everything from, you know, the latest Azure arc all the way through big edge and mobile devices and, uh, you know, heck, there's even, you know, in the store they've got people playing Xbox. Uh, so it's, there's a lot in your Microsoft community here. So. Absolutely. So I, I didn't say cloud though. I said it's an Azure show. And then as your show is to me is almost synonymous with Microsoft and all that stuff. You see, uh, over there, that entire hall, you're right. They have all those other things. They have the, all the power apps, they have those applications, they have everything for developers that you need. But still to me, uh, so what was that stat you just gave me? >>We were debating, it's roughly eight upwards of 80% of workloads are still earth on premises, right? It's still there. So with Azure Ark now they have the ability to take an Azure surface and put it in your data center wherever you want it. So when I say it's an Azure show, it's not even that. It's just cloud. The cloud is coming to you and we see it with VMware, we see it with AWS and outposts that they have decided that 80% is a huge market and they're coming for it. Right? So, so Thomas, if you'd asked me two years ago, uh, which of the hyperscale providers as best as hybrid, my answer would have been Microsoft because they're in both places. The hybrid discussion at this show is way different. There was a lot of retooling. We talked about what was going on. Azure stacks has been there, but arc kind of is a new big push and everybody is trying to look at that and say, wait, is this a management tool? >>Is this just the latest Kubernetes flavor? In your viewpoint, how does arc fit in the Microsoft story? And you know, what should we be comparing it to from the other Amazon, VMware, you know, red hat type of pliers out there? Well Brian, >> I think it's the same thing is that, I was just saying is that arc to me, we can talk about the plumbing. So yeah, they put a fancy name on whether it's Kubernetes, Coobernetti's and all that stuff, but no arc to me is a way for Microsoft to get their hands on as many data estates as possible. Right? I know data state, right? I have a data state and it's next to my data Lake and I work at the data factory and everything's stored in the data warehouse and I shop at the data Mark. We can go on forever with this stuff, but that is the reality of the world. >>And the thing is all those things exist and they're, as your arc is, it's the ability to extend into there because what is Azure and AWS, they're nothing more than an electric company. Their utility and the utility, you're going to offer similar services and that's what they have. And of course VM Ware's in the mix as well. And it's just the ability for all those companies to have their hands on your data, wherever it is, whether it's in your data center or with them, they don't care. They just want the ability to have a piece of that data as it's in transit or at rest. >>And so what's the end there? I mean, you're making that sound like there's some sort of nefarious, uh, end game here. >>It's, I wouldn't say so. Farias I would just say it's market share. What's the end is to survive, to have the market share, to continue to build new cool things. Right. Um, I, I think the end is some consolidation. I don't think the end is, I don't know. Let's say there's five major players. I don't think those five will always exist. I think the are gonna see it shrink over time, but it really, that depends on how well they partner with each other too. Um, I think there's room for everybody, but it's just depends on where they want to say, um, if they want the co-exist or not. Right. So for some of them like VMware, that's really just kind of software, right? They're partnering with clouds. But the clouds are the infrastructure hose. And so how long does VMware really have? Now they've done the nice pivot and I think they're going to last a little bit longer. >>But had they not taken that pivot in the last year or two? I think their timeline with a much shorter, yeah, it's interesting cause we've been looking at, you talk about that cloud adoption, some of the traditional vendors out there, um, many of which are, you know, ecosystem providers that have show here it has to react and deal with the cloud. You know, everybody's jumped on the Kubernetes fly and bandwagon. Everybody's partnering especially with Azure but also AWS and the like. Um, you know, Thomas, you and your company deal with a lot of end users out there. What are they looking for when it comes to being a trusted provider? You know, who, what, what, what's there and how does Microsoft stack up? When we talk about that Satya talked about trust a lot and you know, just curious to how you see them being perceived out there and you know, when customer want to lead partner, what do they want? >>Well, uh, for us, we have, uh, I believe over 300,000 customers at this point and, uh, I think roughly 53% of them are Azure base and that's a higher percentage than what we have for AWS, for our customer base. So we have taken steps to be that trusted partner. So when these companies are going to take that 80% workload that isn't there yet, uh, just in the booth discussions this week where they come to us and they say, Hey, we're going to owe three 65, how can you help us? We're going here at small steps at the time, so that workload that will chip away at it, but we're a company that can help with that transition as people move their workloads and their systems into a place like Azure. Uh, I think what you're gonna also see is our ability to, um, help people understand wherever they want their for structure. >>So for example, last week we announced how we have 15 of our products are now, um, deployed to the Azure marketplace. So you're talking two clicks and everything's deployed for you and you're up and running. And then if you want, if you want to, you know, manage the nodes that are still in your data center, you can just point everything to go up to Azure and Azure, handle a lot of those infrastructure needs for you. So that to me is the trust where you partner with a company like Microsoft and you say, what will it take for us to get in the marketplace? What will it take for us to help help us help, help us help you get that data into your data, into your cloud, right? I think our customers really want to know that when it comes to, Hey, I got to go to Azure. Are you somebody who could help us get there and stay there and manage and monitor the stuff for us? >>I want to talk productivity because I think you have a pretty different take from Satya Nadella. So he had a, he on the, on the main stage yesterday, he said the human act, human attention to inattention is at the root of all productivity. He's, he laid out a stat when you multitask it takes 25 minutes. I'm sorry I got distracted. So it was a 25 minutes. Yes, 25 minutes and you lose 40% of your productivity with that 25 minute lapse. So I w I felt that compelling and that rang true to me. But absolutely >>it's true. So right after he got done with that, Microsoft told us the answer was they were going to take Yammer and shove it inside teams on a shoving inside outlook. I don't think we need more productivity tools. I don't think we need more ways of distracting us. They say they say, Hey, it's great. We'll put tasks from outlook right inside teams. I'm like maybe I'm in teams cause I shut down outlook because I'm distracted by email and other things right now maybe I don't need that. Is it a nice to have and it's a possible thing I guess, but at the end of the day, I don't need you shoving all these extra things into all the things. You're just making the problem worse. We need fewer productivity tools. At what point do we hit peak productivity? I guess? I think we're there. I think I have all the tools that enable me to do my job already. I don't need them all tightly integrated. I need to shut more things off. Right. In order to get stuff done. >>That's a, that's an excellent point because when I want to get work done, I go to a place where I can't get online. Right. Because that's, that's the biggest, >>that's why, uh, I work remote from home one that one of my advantages is I don't have people just walking by my desk and, and distracting me with all sorts of things. That's a huge advantage. I try to take advantage of what, cause I work remote, but for people in an office, bells, whistles, lists that and the other, you know, uh, I just, I get a cup of coffee. You know, it's, it's difficult and I'm not sure that these companies, not just Microsoft, I just don't think companies are really thinking through if they're making things better or not. Every one of them Slack, all of them, they all think that they're the one that's all you need. It's not true and it's not making things better. Yeah, it's a true, we've had good feedback about teams overall here. Especially you've talked to a number of people that are remote workers and they feel that that does help them get connected with teams and, uh, you know, in the remote areas and by itself, but, you know, create point, uh, on the productivity stuff too. >>Do you use teams to use teams? Uh, kind of reluctant at first, like, do I need the another tool? But now that, uh, we've all kind of started switching to it and my company went O three 65 as well. Some teams comes with it and, uh, I do find that very useful, um, uh, much more so than I have any of the other tools in the past. I think teams took a lot of good things from a lot of different tools and they rolled out of them to the one they, and it works for me. It doesn't work for everybody though. Right? >>Exactly. Exactly. So what, so what else are you taking away from the, from your 10th ever ignite, you go back to the office, but is your home on Monday? What kinds of conversations are you going to have most stayed with you, have most resonated you? Okay. >>For me, uh, I, I focus a lot on the data platform and uh, I think the thing that's going to resonate the most with me, it really is Azure arc and what that, what the, what that really means and getting a little more involved with, uh, understanding where they're headed with it. Like just the idea they're going to give me that one management console that can control everything. Earth and cloud. Uh, that's an interesting thing. I see. Come at me. I work for a tools vendor, so as a tools vendor, I'm sitting there going, so Microsoft's building something that gives visibility into both. Now, what does that mean for me and where we might, we want to think about pivoting to make sure that we stay ahead and keep offering value where Microsoft might have a gap. Um, so I think those are the things I'll probably be thinking about. >>My role as head geek is to, you know, help our users and the people who write the code and, you know, connect, share and learn and figure out where things are going. And also involves partnering and having conversations with folks at Microsoft, uh, to help our company, you know, continue to have that edge. So I think that's all I'll be thinking about on Monday, probably now on the plane ride home on Friday, but who knows, right. Uh, Thomas, any other final words about the community here? Uh, you know, you're a Microsoft MVP is we set up in front, uh, you know, Microsoft should get great kudos for, they put the unity in community and they talk about diversity and inclusion, something they highlight something that, at least from the viewpoint we've had, uh, they seem to be doing a good job in moving the needle here. >>But, uh, you know, as an insider to the Microsoft community, uh, anything particular that you'd call out? Well, certainly the changes and the emphasis I've seen on diversity inclusion over the years. You're absolutely right. I think, I know this, you were having some interviews earlier to have those specific discussions and, uh, it's an important conversation to have, uh, uh, as somebody who organizes events, it becomes, you know, what's the diversity, how diverse should the event be? At what point are we diverse enough? Right? And what does that really mean? And so I look at it and I say, if I'm going to run an event that caters to say an it community, well, what's the makeup of the it community? Then the speakers should represent the community that they're trying to speak to. So what I've seen over these 11 years is a lot more focus for events, especially like ones I help organize where it's like, no, what I'm going to go out and recruit the speakers that I need to represent the people that I want them to be presenting to. >>Uh, I don't think I will recall that I'm old. I don't recall a lot of things, but you know, 11 years ago when I was, when I joined to became an MVP, I, I don't think that the diversity was there and I don't think the efforts were being done. I think those efforts have come just in the past few years, four or five years maybe society as a whole, but specifically inside Microsoft and, and their programs. And I think it's fabulous. Uh, I, I think you could never be diverse enough. I guess. I don't know how to say that. I think he could always do more to, uh, include, I always say inclusion is better than the exclusion any day. You can never do enough for that. And I think Microsoft's made great efforts. I'm, I'm really proud to call myself a Microsoft MVP. Uh, I, I think it's a great program. I'm glad that I questioned, you know, their selection method maybe because they keep inviting me back, but they do and, but I love it. I, it's been a great ride, >>a great note to end on. Thomas law crock head geek. Great. Great to have you on the show. Great. Great. Thanks for having me back. I really appreciate it. I'm Rebecca Knight for Stu minimums. Come back tomorrow for more of the cubes live coverage of Microsoft ignite.

(music) >> Live from Orlado, Florida, it's theCUBE. Covering Microsoft Ignite. Brought to you by Cohesity. and theCube's ecosystem partners. >> Welcome back, everyone, to theCube's live coverage of Microsoft Ignite. Happy hour has started. The crowd is roaring. I'm your host Rebecca Knight, along with my cohost, Stu Miniman. We are joined by Thomas LaRock. >> He is the Head Geek at SolarWinds. Thanks so much for coming on the show. >> Thanks for having me. >> Great title: Head Geek >> Yes. >> So, tell our viewers a little bit about what - tell us about SolarWinds and also about what you do. >> SolarWinds is a company that offers about forty different products to help with your enterprise infrastructure monitoring. Really unify management of your systems. Been in the business for about twenty years and I've been with them for about eight now. Head Geek is really, uh, you can equate it to being a technical evangelist. >> Okay. So you're out there trying to win the hearts and minds, trying to tell everyone what you do. >> Yes, I need you all to love me. (laughing) and love my products. >> So, Thomas, and for those who don't already follow you on Twitter, you're a SQL rockstar. >> Yes, yes [Stu] - I need to say, "thank you," because you helped connect me with a lot of the community here, especially on the data side of the house. You and I have known each other for a bunch of years. You're a Microsoft MVP. So maybe give us a little bit of community aspect: what it means to be a Microsoft MVP for those who don't know. You're an evangelist in this space and you've been on this show many times. >> I usually don't talk about myself a lot, but sure. (Rebecca laughing) Let's go for it. I've been a Microsoft data platform MVP for about 10 year now. And it was intresting when you reached out, looking to get connected. I was kind of stunned by how many people I actually knew or knew how to get in touch with for you. I help you line up, I guess, a handful of people to be on the show because you were telling me you hadn't been here at Microsoft Ignite and I just thought, "well I know people," and they should know Stu, and we should get them connected so that you guys can have some good conversations. But, yeah, it's been a wild ride for me those ten years where Microsoft awards people MVP designation. It's kind of being an evangelist for Microsoft and some of the great stuff that they've been doing over the past ten years. >> It's a phenomenal program. Most people in the technology industry know the Microsoft MVP program. I was a Vmware expert for a number of years. Many of the things were patterned off of that. John Troyer is a friend of mine. He said that was one the things he looked at. Sytrics has programs like this. Many of the vendors here have evangelists or paragons showing that technology out here. Alight. So talk a little bit about community. Talk about database space. Data and databases have been going through such, you know, explosion of what's going on out there, right? SQL's still around. It's not all cosmos and, you know, microservices-based, cloud, native architecture. >> So the SQL Server box product is still around, but what I think is more amazing to me has been the evalution of...Let's take for example, one of the announcements today, the big data cluster. So, it's essentially a container that's going to run SQL servers, Spark and Hadoop, all in one. Basically, a pod that will get deployed by kubernetes. When you wrap all that together, what you start to realize is that the pattern that Microsoft has been doing for the past few years, which is, essentially, going to where the people are. What I mean is: you have in the open-source world, you have people and developers that have embraced things like DevOps much faster than what the Windows developers have been doing. So instead of taking your time trying to drag all these people where you want them to be, they've just start building all the cool stuff where all the cool kids already are, and everybody's just going to gravitate. Data has gravity, right? So, you're building these things, and people are going to follow it. Now, it's not that they're expecting to sell a billion dollars woth of licenses. No. They just need to be a part of the conversation. So if you're a company that's using those technologies, now all of a sudden, it's like, this is an option. Are you interested in it? Microsoft is the company that's best poised to bring enterprises to the cloud. Amazon has a huge share. We all know that, but Microsoft's already that platform of choice for these enterprises. Microsoft is going to be the one to help them get to the cloud. [Stu]- Thomas, Explain what you mean by that because the strength I look at Microsoft is look, they've got your application. Business productivity: that's where they are. Apologize for cutting you off there. Is that what you mean? The applications are changing and you trusted Microsoft and the application and therefore, that's a vendor of choice. >> Absolutely. If it's already your vendor of choice then, I don't want to say, "Lock in," but if it's already your preference and if they can help get to the cloud, or in the hybrid situation or just lift and shift and just get there, then that's the one you going to want to do it. Everything they're building and all the services they're providing... At the end of the day, they and Amazon, they're the new electric company. They want data. That's the electricity. They don't care how you get it, but between... even Vmware. Between Amazon, Vmware and Microsoft, they're going to be the ones to help... They're going to be your infrastructure companies. Microsoft-managed desktop now. We'll manage your laptop for you. >> Everything that they're doing essentially like, don't even need my own IT department. Microsoft's going to be the largest MSP in history, right? That's where they're headed. They're going to manage everything for you. The data part of it, of course for me, I just love talking about data. But the data part of it...Data is essential to everything we do. It's all about the data. They're doing their best to manage it and secure it. Security is a huge thing. There were some security announcements today as well, which were awesome. The advanced threat detection, the protection that they have. I'm always amazed when I walk through the offering they have for SQL injection protection. I try and ask people, "Who's right now monitoring for SQL injection?" And they're like, "We're not doing that." For fifteen dollars a month, you could do this for your servers. They're like, "that's amazing what they're offerening." Why wouldn't you want that as a service? Why wouldn't you sign-up tomorrow for this stuff? So, I get excited about it. I think all this stuff they're building is great. The announcements today were great. I think they have more coming out over the next couple days. Or at least in the sessions, we'll start seeing a lot of hands-on stuff. I'm excited for it. >> So when you were talking about Microsoft being the automatic vendor of choice. Why wouldn't you? You treated it as a no brainer. What does Microsoft need to do to make sure customers feel that way too? >> I think Microsoft is going to do that... How I would do that. A couple ways. One, at the end of the day, Microsoft wants what we all want, what I want, is they want happy customers. So they're going to do whatever it takes so their customers are happy. So one way you do that is you get a lot of valuable feedback from customers. So, one thing Microsoft has done in the past is they've increased the amount telemetry they're collecting from their products. So they know the usage. They know what the customers want. They know what the customers need. But they also collect simple voice to the customer. You're simply asking the customer, "What do you want?" And you're doing everything you can to keep them happy. And you're finding out where the struggles are. You're helping them solve those problems. How do you not earn trust as a result of all that, right? I think that's the avenue they've been doing for, at least, ten years. Well, let's say, eight years. That's the avenue and the approach they've been doing. I'd say it's been somewhat successful. >> Thomas, as our team was preparing for this show, we understand that Microsoft has a lot of strengths, but if I look at the AI space, Microsoft is not the clear leader today. Um, we think that some of the connections that Microsoft has, everything that you said, down to the desktop. Heck, even in the consumer space, they're down to the Xbox. There's a lot of reasons why Microsoft... You can say, "Here's a path of how Microsoft could become. You know number one, number two in the AI space over time. But, we're listening to things, like the Open Data Initiative that they announced today, which, obviously, Microsoft's working with a lot of partners out there, but it's a big ecosystem. Data plays everywhere. I mean, Google obviously has strong play in data. We've talked plenty about Amazon. What does Microsoft need to do to take the strength that they have in data move forward in AI and become even stronger player in the marketplace? >> So, AI, itself, is kind of that broad term. I mean, AI is a simple if-then statement. It doesn't really have to do anything, right? So let's talk about machine learning, predictive analytics, or even deep learning. That's really the are that we're talking about. What does Microsoft have to do? Well, they have to offer the services. But they don't have offer, say, new things. They just have to offer things that already exist. For example, the idea of, um, incorperating Jupiter notebooks into the Azure Data Studio. So if that could be achieved, you know, now you're bringing the workspaces people are using into the Microsoft platform a little bit, making it a little bit easier. So instead of these people in these enterprises... They already trust Microsoft. They already have the tools. But I got to go use these other things. Well, eventually, those other things come into the Microsoft tools, and now you don't have to use that other stuff either. I would talk about the ability to publish these models as a service. I've done the Academy program. I've earned a few certifications on some of this stuff. I was amazed at how easy it was with a few clicks, you know, published as a service as an API. It's sitting there. I sent in my data and I get back a result, a prediction. I was like, that was really easy. So I know they're not the leaders, but they're making it easy, especially for somebody like me who can start at zero and get to where I need to be. They made it incredibly easy and in some cases, it was intuative. I'm like, oh, I know what to do next with this widgit I'm building. I think it will take time for them to kind of get all that stuff in place. I don't know how long. But does Microsoft have to be the leader in AI? They have the Cognitive Toolkit. They have all that stuff with Cortana. They have the data. I think the customers are coming along. I think they get there just by attrition. I'm not sure there's something they're going to build where everybody just says, "There it is." Except there's the Quantum stuff. And last year's announcement of Quantum, I thought was one of the most stunning things. It just hit me. I had no idea working on it. So, who knows? A year from now there could be something similar to that type of announcement, where we're like, now I get it, now I got to go have this thing. I don't think we all need, you know, a hotdog not hotdog app, which seems to be the bulk of the examples out there. Some of the image classification stuff that you have out there is fabulous. There are a lot of use cases for it. Um, I'm not sure how they get there. But, I do think eventually over time, the platform that they offer, they do get just through attrition. >> One of the things you brought up earlier in this conversation was the Open Source Initiative and Stu, we had expressed a bit of skepticism that it's still going to take three to five years, for, really, customers to see the value of this. But once...The announcement was made today, so now we're going to go forward with this Initiative. What do you see as the future? >> Yeah, I was trying to, even, figure it out. So it sounds like the three companies are sharing data with each other. They pledged to be open. So if you buy one of their products, that data can seamlessly go into that other product is what it sounded like. And they were open, if I heard it right, they were open to partnering with other companies as well. >> Correct. >> Yes. Yes. >> Other vendors or customers, even that could tie in into these APIs, doing everything that they're doing. Open data models. >> Speaking as a data guy, that means if I trust one, I have to trust them all. (Stu Laughing) >> Right? So I don't know. I have trus&t issues. (Rebecca laughing) >> Clearly. >> I'm a DBA, by heart, so I have trust issues. I need to know a little more about it, but on the surface, just the words, "open data," sound great. I just don't know the practical, uh, practicality of it. It sounds like it's a way for people, or these companies, to partner with each other to get more of your data into their platform and their infrastructure. >> Yeah. I think next time we have Thomas on, we're going to spend some time talking about the dark side of data. >> Yes, indeed. >> We can talk dark data. Oh, sure. (Rebecca laughing) >> Well, Thomas, it was so much fun having you on this show and I should just plug your book. You are the author of "DBA Survivor." >> I am. Yes. It was a little book. So being a DBA, uh, I had some challenges in my role and I decided, as my friend Kevin Kline put it to me, he goes, "You should write the book you wish had written for you and handed to you on day zero of being a DBA." And I said, "Oh." It took m&e, I think, like, three weeks. It was just so easyto write all of that. >> It just flowed (laughing.) >> It was just stuff I had to say. But, yeah, thank you. >> Excellent. I'm Rebecca Knight for Stu Miniman. We will have more from theCUBE's live coverage of Microsoft Ignite coming up in just a little bit. (music playing)

>> Announcer: Live from Las Vegas, it's The Cube covering AWS re:Invent 2017. Presented by AWS, Intel, and our ecosystem of partners. >> Hey, welcome back to The Cube. Continuing live coverage on day three of AWS re:Invent 2017. We have had three days of great coverage, 44,000 or plus people at this event, lots of great announcements from AWS, from their partners, and we're very excited to be joined by our next guest, Christoph Pfister, the Executive Vice President of products from SolarWinds. Thanks for stopping by and chatting with Justin and me today. >> Thank you for having me. >> So tell us, what's going on at SolarWinds? What are some of the cool things that you're here to announce? >> Right, so first of all, great show, isn't it? >> Justin: Amazing. >> Lisa: Very (mumbles). Yes. (Christoph laughs) >> And it's a great show for us because we've announced a few new products and initiatives, and amongst them, the first product that provides both powerful and affordable full-stack monitoring for DevOps people. And so we'll talk hopefully a little bit more about that in a few minutes, but that's really the heritage of SolarWinds. We provide software that's simple, yet powerful and affordable, and we've been doing that since about 1999, when the company was founded in Austin, Texas. And the big thing about this is that we build software that IT professionals love, and they love it because it's simple, approachable, affordable, yet powerful, and that has propelled us to a leadership position in Network Management, Network Monitoring. So, SolarWinds is the number one by market share in that space, and we're now aiming to bring that to the... That simplicity, that power to cloud monitoring as well. >> So, you have a great community of people-- >> Yes, huge community. >> Who love SolarWinds. Massive community, the ThWACK community, and everything that people talk about online-- >> You know the company well. That's good. >> I know the company well. I've been to Austin many times, I've been to the campus. It's a great company. So, people know those tools really well. As you say, you're very, very strong in network monitoring, so tell us a bit more about this full-stack monitoring that you're doing. What do you mean by "full-stack"? >> Yes, so if you think about some of the key trends we see in the market... Let's go top to bottom. AWS announcing all these services here at the event, machine learning services, (mumbles) services, new database stuff... Amazing. And so, all of these services gonna to make their way, eventually, into applications, into apps, right? So, there's going to be more and more apps, and these apps gonna deliver value to business, to consumers, and therefore need to run pretty much flawlessly, right? Yet, behind this usually simple user experience of these apps, these apps have become massively complex, right? So, back in the day, and I'm going to date myself a little bit now, when I started in monitoring, it was pretty simple. There was a (mumbles) server, three tiers, and the app was pretty static, right? So nowadays, it's all about microservices-- >> All those microservices. >> All these dependencies that exist, which means that if there's a failure, it may be cascading failure, and so it's much, much more difficult to figure out if your app is doing well or not. And so, monitoring becomes so much more important in that context. And by the way, here at the show, people talk about monitoring a lot, and maybe (mumbles) that I would have is that in the marketplace, one of the top eight categories that Dave (mumbles) mentioned on stage at the (mumbles) event was monitoring is the one thing in the marketplace that people just need and want, so monitoring is important, and so what we're announcing here at... What we've announced here at the show is a brand new product called AppOptics, and AppOptics converges traditional infrastructure and application performance management, and provides coverage for what we call "The Three Layers of Observability," which are metrics, logs, and transaction traces, because we think that without transaction traces in these microservices-type architectures, very, very difficult to get to the root cause of issues, and so, we aim to cover the three layers of, or the three pillars, of observability: metrics, logs and traces, with AppOptics, and do it in a way that is simple and approachable. >> What do you mean by... I think it was a press article that you were quoted in about "democratizing monitoring." What do you mean by-- >> Do you like that term? >> It's very cool. (Christoph laughs) But what does it mean? >> What does it mean? Alright, so if you think about companies with application portfolios, right, so large companies may have between 500 and 800 apps, but there's studies out there that say only about 10% to 15% are being monitored. And so, why is that? It's for two reasons in our view. One is that application performance monitoring has been very affordable, so it's a question of "If I need to buy... If you need to pay $100 a host to get application performance monitoring, then many companies are not going to do it. And second reason is approachability and simplicity, meaning if you have to instrument you app manually... And I know you guys had a guest the other day, who talked about the importance of instrumenting apps. That's totally true, but you have to make it approachable, meaning the instrumentation has to be automatic. And that's exactly what we provide. We provide automatic, one single line instrumentation for all these microservices' languages. So, we cover seven languages, we cover PHP, Python, Java, the .Net... And I'm forgetting a few, of course, and so making your application performance and infrastructure monitoring number one, cheaper... So, we start with AppOptics at $7.50 a host a month. If you compare that to the hundreds of bucks a host a month that are kind of common game in the industry right now, that's pretty disruptive. And we make it much, much quicker to instrument these apps. So, that's what we mean by democratizing application performanceand infrastructure management because we think many more companies will be able to afford it, and many more companies will be able to actually deploy this stuff in a timely manner. >> So once you've instrumented it, who's it targeted for? Because, developers love to live in code land and do everything through APIs, but operators do actually like to be able to see things in charts, and for me, I like living on the command line absolutely, but I enjoy a good picture as well, and sometimes it's much, much easier to see what's happening if I just draw a graph, rather than sitting there looking at streams of code flying by. >> Christopher: Absolutely. >> So, do you have both of those options available in a DevOps model or... >> Christoph: We totally (mumbles). Who are the people you target for? So, we target the DevOps engineers, sometimes called System Reliability Engineer, and so, we provide dashboards, like the metrics, of course, that you would traditionally want to see and see how things are going over time. We provide the traces, and also, that's very graphical, so you see how much time a transaction spends in each of the layers of the app in each of the microservices. >> Justin: Okay. >> And that's very visual as well. And then, of course, we provide RESTful APIs as well to a lot of developers to do stuff with it. >> Yeah. >> So, couple things that I heard you say in terms of the value preposition SolarWinds brings is being able to facilitate from 15% to hopefully 100% of applications being monitored. That price has really been-- >> 80% would be great. >> If we get to 80%, we'll be great. (Lisa laughs) >> Well, you said that price has been a really big inhibitor, so you guys do it for a lot less and faster. Can you give an example of a customer that you've really helped transform, so that they get much more visibility into upwards of 80% of their applications? >> Yeah, so I mean, AppOptics is just coming out, so we've announced it; it's a new product. And so, we've had tons (mumbles) in beta. The first thing that I would say is that all of them were up and running, and actually getting metrics into the dashboard in between three and five minutes, so very, very fast. (Mumbles) this one line... Auto-instrumentation really clicks. And so there's universities, there is smaller IT shops, there's big companies who are interested in that kind of stuff. In general, one of the things that people don't necessarily know about SolarWind's portfolio is we've started to invest in Cloud, in roughly 2014. We've acquired some premiere product and franchises, one of them being Pingdom, for digital experience monitoring. Another one being Papertrail, which is an amazing hosted log-management solution. And between these solutions, we have about... Slightly short of a million users already. >> Lisa: Wow. >> So, significant, significant footprint in the marketplace, and so, customers that are "cloud native," born in the cloud companies like GitHub, Spotify, AirBnb, and so... Uber, as an example... And you have the traditional companies: New York Times, BBC, packaging companies, smaller compa-- I mean, it really running the gammit of the space out there. >> What is digital experience monitoring, and how are you doing that? >> That's a great question. (Lisa laughs) >> So, we look at digital experience monitoring from two facets, really. The first facet is... So, I talked a lot about observability and sort of the white-box monitoring, where you gotta drill down into the code and the transaction, and so on, but typically one goal of monitoring is to be ahead of your consumers in terms of noticing problems. And so for that, the best way, is really, is to have synthetic transactions that simulate user behavior hitting your app. And so, that's one... Synthetic monitoring's one dimension of digital experience. But beyond that, and that's where we're investing very heavily with Pingdom is this notion of... Yeah, we talk a lot about apps, but there's lots of companies out there that are putting their stuff out on websites, right? So nowadays, if I go to the doctor and later on, I want to see my test results, it's on a website. If I go to take my car to the garage, they make appointments on a website. And many times, these people have no idea how their site is doing, what the response time is, all that kind of stuff. And that's what Pingdom provides, but what we're doing, taking it beyond the simple (mumbles) time and performance is we're marrying business metrics, like bounce rates... What's a bounce rate of the site? What's the revenue that's the site driving right now if it's a revenue-generating site, and correlating that with the performance aspects of the site. How are the transactions doing? How long does it take from the first click to the shopping cart? And so, that's what we think of as digital experience, and there's much, much more to do because, really, what you want to do at the end is to see how users flow through your webpage, and where they probably disengage, where they move somewhere else. You want to detect these spots and see if it has to do anything with the performance or the way you laid out the site. And so, digital experience monitoring, we think, is going to be huge. >> Lisa: Absolutely. Well, thank you so much for stopping by, Christoph, and speaking with Justin and me. We could keep going, but unfortunately-- >> Christoph: Yeah! >> We are out of time. >> It's so short. >> Exactly, but we look forward to having you back on the show next time. >> I'd be delighted. >> And we want to thank you for watching. I'm Lisa Martin for my co-host, Justin Warren. You're watching The Cube live from day three at AWS re:Invent 2017. Stick around, we'll be right back.

(upbeat music) >> Hey, everyone. Welcome back to theCUBE's day one coverage of Cloud Native SecurityCon 2023. This has been a great conversation that we've been able to be a part of today. Lisa Martin with John Furrier and Dave Vellante. Dave and John, I want to get your take on the conversations that we had today, starting with the keynote that we were able to see. What are your thoughts? We talked a lot about technology. We also talked a lot about people and culture. John, starting with you, what's the story here with this inaugural event? >> Well, first of all, there's two major threads. One is the breakout of a new event from CloudNativeCon/KubeCon, which is a very successful community and events that they do international and in North America. And that's not stopping. So that's going to be continuing to go great. This event is a breakout with an extreme focus on security and all things security around that ecosystem. And with extensions into the Linux Foundation. We heard Brian Behlendorf was on there from the Linux Foundation. So he was involved in Hyperledger. So not just Cloud Native, all things containers, Kubernetes, all things Linux Foundation as an open source. So, little bit more of a focus. So I like that piece of it. The other big thread on this story is what Dave and Yves were talking about on our panel we had earlier, which was the business model of security is real and that is absolutely happening. It's impacting business today. So you got this, let's build as fast as possible, let's retool, let's replatform, refactor and then the reality of the business imperative. To me, those are the two big high-order bits that are going on and that's the reality of this current situation. >> Dave, what are your top takeaways from today's day one inaugural coverage? >> Yeah, I would add a third leg of the stool to what John said and that's what we were talking about several times today about the security is a do-over. The Pat Gelsinger quote, from what was that, John, 2011, 2012? And that's right around the time that the cloud was hitting this steep part of the S-curve and do-over really has meant in looking back, leveraging cloud native tooling, and cloud native technologies, which are different than traditional security approaches because it has to take into account the unique characteristics of the cloud whether that's dynamic resource allocation, unlimited resources, microservices, containers. And while that has helped solve some problems it also brings new challenges. All these cloud native tools, securing this decentralized infrastructure that people are dealing with and really trying to relearn the security culture. And that's kind of where we are today. >> I think the other thing too that I had Dave is that was we get other guests on with a diverse opinion around foundational models with AI and machine learning. You're going to see a lot more things come in to accelerate the scale and automation piece of it. It is one thing that CloudNativeCon and KubeCon has shown us what the growth of cloud computing is is that containers Kubernetes and these new services are powering scale. And scale you're going to need to have automation and machine learning and AI will be a big part of that. So you start to see the new formation of stacks emerging. So foundational stacks is the machine learning and data apps are coming out. It's going to start to see more apps coming. So I think there's going to be so many new applications and services are going to emerge, and if you don't get your act together on the infrastructure side those apps will not be fully baked. >> And obviously that's a huge risk. Sorry, Dave, go ahead. >> No, that's okay. So there has to be hardware somewhere. You can't get away with no hardware. But increasingly the security architecture like everything else is, is software-defined and makes it a lot more flexible. And to the extent that practitioners and organizations can consolidate this myriad of tools that they have, that means they're going to have less trouble learning new skills, they're going to be able to spend more time focused and become more proficient on the tooling that is being applied. And you're seeing the same thing on the vendor side. You're seeing some of these large vendors, Palo Alto, certainly CrowdStrike and fundamental to their strategy is to pick off more and more and more of these areas in security and begin to consolidate them. And right now, that's a big theme amongst organizations. We know from the survey data that consolidating redundant vendors is the number one cost saving priority today. Along with, at a distant second, optimizing cloud costs, but consolidating redundant vendors there's nowhere where that's more prominent than in security. >> Dave, talk a little bit about that, you mentioned the practitioners and obviously this event bottoms up focused on the practitioners. It seems like they're really in the driver's seat now. With this being the inaugural Cloud Native SecurityCon, first time it's been pulled out of an elevated out of KubeCon as a focus, do you think this is about time that the practitioners are in the driver's seat? >> Well, they're certainly, I mean, we hear about all the tech layoffs. You're not laying off your top security pros and if you are, they're getting picked up very quickly. So I think from that standpoint, anybody who has deep security expertise is in the driver's seat. The problem is that driver's seat is pretty hairy and you got to have the stomach for it. I mean, these are technical heroes, if you will, on the front lines, literally saving the world from criminals and nation-states. And so yes, I think Lisa they have been in the driver's seat for a while, but it it takes a unique person to drive at those speeds. >> I mean, the thing too is that the cloud native world that we are living in comes from cloud computing. And if you look at this, what is a practitioner? There's multiple stakeholders that are being impacted and are vulnerable in the security front at many levels. You have application developers, you got IT market, you got security, infrastructure, and network and whatever. So all that old to new is happening. So if you look at IT, that market is massive. That's still not transformed yet to cloud. So you have companies out there literally fully exposed to ransomware. IT teams that are having practices that are antiquated and outdated. So security patching, I mean the blocking and tackling of the old securities, it's hard to even support that old environment. So in this transition from IT to cloud is changing everything. And so practitioners are impacted from the devs and the ones that get there faster and adopt the ways to make their business better, whether you call it modern technology and architectures, will be alive and hopefully thriving. So that's the challenge. And I think this security focus hits at the heart of the reality of business because like I said, they're under threats. >> I wanted to pick up too on, I thought Brian Behlendorf, he did a forward looking what could become the next problem that we really haven't addressed. He talked about generative AI, automating spearphishing and he flat out said the (indistinct) is not fixed. And so identity access management, again, a lot of different toolings. There's Microsoft, there's Okta, there's dozens of companies with different identity platforms that practitioners have to deal with. And then what he called free riders. So these are folks that go into the repos. They're open source repos, and they find vulnerabilities that developers aren't hopping on quickly. It's like, you remember Patch Tuesday. We still have Patch Tuesday. That meant Hacker Wednesday. It's kind of the same theme there going into these repos and finding areas where the practitioners, the developers aren't responding quickly enough. They just don't necessarily have the resources. And then regulations, public policy being out of alignment with what's really needed, saying, "Oh, you can't ship that fix outside of Germany." Or I'm just making this up, but outside of this region because of a law. And you could be as a developer personally liable for it. So again, while these practitioners are in the driver's seat, it's a hairy place to be. >> Dave, we didn't get the word supercloud in much on this event, did we? >> Well, I'm glad you brought that up because I think security is the big single, biggest challenge for supercloud, securing the supercloud with all the diversity of tooling across clouds and I think you brought something up in the first supercloud, John. You said, "Look, ultimately the cloud, the hyperscalers have to lean in. They are going to be the enablers of supercloud. They already are from an infrastructure standpoint, but they can solve this problem by working together. And I think there needs to be more industry collaboration. >> And I think the point there is that with security the trend will be, in my opinion, you'll see security being reborn in the cloud, around zero trust as structure, and move from an on-premise paradigm to fully cloud native. And you're seeing that in the network side, Dave, where people are going to each cloud and building stacks inside the clouds, hyperscaler clouds that are completely compatible end-to-end with on-premises. Not trying to force the cloud to be working with on-prem. They're completely refactoring as cloud native first. And again, that's developer first, that's data first, that's security first. So to me that's the tell sign. To me is if when you see that, that's good. >> And Lisa, I think the cultural conversation that you've brought into these discussions is super important because I've said many times, bad user behavior is going to trump good security every time. So that idea that the entire organization is responsible for security. You hear that all the time. Well, what does that mean? It doesn't mean I have to be a security expert, it just means I have to be smart. How many people actually use a VPN? >> So I think one of the things that I'm seeing with the cultural change is face-to-face problem solving is one, having remote teams is another. The skillset is big. And I think the culture of having these teams, Dave mentioned something about intramural sports, having the best people on the teams, from putting captains on the jersey of security folks is going to happen. I think you're going to see a lot more of that going on because there's so many areas to work on. You're going to start to see security embedded in all processes. >> Well, it needs to be and that level of shared responsibility is not trivial. That's across the organization. But they're also begs the question of the people problem. People are one of the biggest challenges with respect to security. Everyone has to be on board with this. It has to be coming from the top down, but also the bottom up at the same time. It's challenging to coordinate. >> Well, the training thing I think is going to solve itself in good time. And I think in the fullness of time, if I had to predict, you're going to see managed services being a big driver on the front end, and then as companies realize where their IP will be you'll see those managed service either be a core competency of their business and then still leverage. So I'm a big believer in managed services. So you're seeing Kubernetes, for instance, a lot of managed services. You'll start to see more, get the ball going, get that rolling, then build. So Dave mentioned bottoms up, middle out, that's how transformation happens. So I think managed services will win from here, but ultimately the business model stuff is so critical. >> I'm glad you brought up managed services and I want to add to that managed security service providers, because I saw a stat last year, 50% of organizations in the US don't even have a security operations team. So managed security service providers MSSPs are going to fill the gap, especially for small and midsize companies and for those larger companies that just need to augment and compliment their existing staff. And so those practitioners that we've been talking about, those really hardcore pros, they're going to go into these companies, some large, the big four, all have them. Smaller companies like Arctic Wolf are going to, I think, really play a key role in this decade. >> I want to get your opinion Dave on what you're hoping to see from this event as we've talked about the first inaugural standalone big focus here on security as a standalone. Obviously, it's a huge challenge. What are you hoping for this event to get groundswell from the community? What are you hoping to hear and see as we wrap up day one and go into day two? >> I always say events like this they're about educating, aspiring to action. And so the practitioners that are at this event I think, I used to say they're the technical heroes. So we know there's going to be another Log4j or a another SolarWinds. It's coming. And my hope is that when that happens, it's not an if, it's a when, that the industry, these practitioners are able to respond in a way that's safe and fast and agile and they're able to keep us protected, number one and number two, that they can actually figure out what happened in the long tail of still trying to clean it up is compressed. That's my hope or maybe it's a dream. >> I think day two tomorrow you're going to hear more supply chain, security. You're going to start to see them focus on sessions that target areas if within the CNCF KubeCon + CloudNativeCon area that need support around containers, clusters, around Kubernetes cluster. You're going to start to see them laser focus on cleaning up the house, if you will, if you can call it cleaning up or fixing what needs to get fixed or solved what needs to get solved on the cloud native front. That's going to be urgent. And again, supply chain software as Dave mentioned, free riders too, just using open source. So I think you'll see open source continue to grow, but there'll be an emphasis on verification and certification. And Docker has done a great job with that. You've seen what they've done with their business model over hundreds of millions of dollars in revenue from a pivot. Catch a few years earlier because they verify. So I think we're going to be in this verification blue check mark of code era, of code and software. Super important bill of materials. They call SBOMs, software bill of materials. People want to know what's in their software and that's going to be, again, another opportunity for machine learning and other things. So I'm optimistic that this is going to be a good focus. >> Good. I like that. I think that's one of the things thematically that we've heard today is optimism about what this community can generate in terms of today's point. The next Log4j is coming. We know it's not if, it's when, and all organizations need to be ready to Dave's point to act quickly with agility to dial down and not become the next headline. Nobody wants to be that. Guys, it's been fun working with you on this day one event. Looking forward to day two. Lisa Martin for Dave Vellante and John Furrier. You're watching theCUBE's day one coverage of Cloud Native SecurityCon '23. We'll see you tomorrow. (upbeat music)

>>Hello and welcome back to the Cube's coverage of AWS Reinvent 2022. I'm John Furrier, host of the Cube. We got a great conversation with Patrick Kauflin, vice president of Go to Market Strategy and specialization at Splunk. We're talking about the open cybersecurity scheme of framework, also known as the O C sf, a joint strategic collaboration between Splunk and aws. It's got a lot of traction momentum. Patrick, thanks for coming on the cube for reinvent coverage. >>John, great to be here. I'm excited for this. >>You know, I love this open source movement and open source and continues to add value, almost sets the standards. You know, we were talking at the CNCF Linux Foundation this past fall about how standards are coming outta open source. Not so much the the classic standards groups, but you start to see the developers voting with their code groups deciding what to adopt de facto standards and security is a real key part of that where data becomes key for resilience. And this has been the top conversation at reinvent and all around the industry, is how to make data a key part of building into cyber resilience. So I wanna get your thoughts about the problem that you see that's emerging that you guys are solving with this group kind of collaboration around the ocs f >>Yeah, well look, John, I I think, I think you, you've already, you've already hit the high notes there. Data is proliferating across the enterprise. The attack surface area is rapidly expanding. The threat landscape is ever changing. You know, we, we just had a, a lot of scares around open SSL before that we had vulnerabilities and, and Confluence and Atlassian, and you go back to log four J and SolarWinds before that and, and challenges with the supply chain. In this year in particular, we've had a, a huge acceleration in, in concerns and threat vectors around operational technology. In our customer base alone, we saw a huge uptake, you know, and double digit percentage of customers that we're concerned about the traditional vectors like, like ransomware, like business email compromise, phishing, but also from insider threat and others. So you've got this, this highly complex environment where data continues to proliferate and flow through new applications, new infrastructure, new services, driving different types of outcomes in the digitally transformed enterprise of today. >>And, and what happens there is, is our customers, particularly in security, are, are left with having to stitch all of this together. And they're trying to get visibility across multiple different services, infrastructure applications across a number of different point solutions that they've bought to help them protect, defend, detect, and respond better. And it's a massive challenge. And you know, when our, when our customers come to us, they are often looking for ways to drive more consolidation across a variety of different solutions. They're looking to drive better outcomes in terms of speed to detection. How do I detect faster? How do I bind the thing that when bang in the night faster? How do I then fix it quickly? And then how do I layer in some automation so hopefully I don't have to do it again? Now, the challenge there that really OCF Ocsf helps to, to solve is to do that effectively, to detect and to respond at the speed at which attackers are demanding. >>Today we have to have normalization of data across this entire landscape of tools, infrastructure, services. We have to have integration to have visibility, and these tools have to work together. But the biggest barrier to that is often data is stored in different structures and in different formats across different solution providers, across different tools that are, that are, that our customers are using. And that that lack of data, normalization, chokes the integration problem. And so, you know, several years ago, a number of very smart people, and this was, this was a initiative s started by Splunk and AWS came together and said, look, we as an industry have to solve this for our customers. We have to start to shoulder this burden for our customers. We can't, we can't make our customers have to be systems integrators. That's not their job. Our job is to help make this easier for them. And so OCS was born and over the last couple of years we've built out this, this collaboration to not just be AWS and Splunk, but over 50 different organizations, cloud service providers, solution providers in the cybersecurity space have come together and said, let's decide on a single unified schema for how we're gonna represent event data in this industry. And I'm very proud to be here today to say that we've launched it and, and I can't wait to see where we go next. >>Yeah, I mean, this is really compelling. I mean, it's so much packed in that, in that statement, I mean, data normalization, you mentioned chokes, this the, the solution and integration as you call it. But really also it's like data's not just stored in silos. It may not even be available, right? So if you don't have availability of data, that's an important point. Number two, you mentioned supply chain, there's physical supply chain that's coming up big time at reinvent this time as well as in open source, the software supply chain. So you now have the perimeter's been dead for multiple years. We've been talking with that for years, everybody knows that. But now combined with the supply chain problem, both physical and software, there's so much more to go on. And so, you know, the leaders in the industry, they're not sitting on their hands. They know this, but they're just overloaded. So, so how do leaders deal with this right now before we get into the ocs f I wanna just get your thoughts on what's the psychology of the, of the business leader who's facing this landscape? >>Yeah, well, I mean unfortunately too many leaders feel like they have to face these trade offs between, you know, how and where they are really focusing cyber resilience investments in the business. And, and often there is a siloed approach across security, IT developer operations or engineering rather than the ability to kind of drive visibility integration and, and connection of outcomes across those different functions. I mean, the truth is the telemetry that, that you get from an application for application performance monitoring or infrastructure monitoring is often incredibly valuable when there's a security incident and vice versa. Some of the security data that, that you may see in a security operation center can be incredibly valuable in trying to investigate a, a performance degradation in an application and understanding where that may come from. And so what we're seeing is this data layer is collapsing faster than the org charts are or the budget line items are in the enterprise. And so at Splunk here, you know, we believe security resilience is, is fundamentally a data problem. And one of the things that we do often is, is actually help connect the dots for our customers and bring our customers together across the silos they may have internally so that they can start to see a holistic picture of what resilience means for their enterprise and how they can drive faster detection outcomes and more automation coverage. >>You know, we recently had an event called Super Cloud, we're going into the next gen kind of a cloud, how data and security are all kind of part of this NextGen application. It's not just us. And we had a panel that was titled The Innovators Dilemma, kind of talk about you some of the challenges. And one of the panelists said, it's not the innovator's dilemma, it's the integrator's dilemma. And you mentioned that earlier, and I think this a key point right now into integration is so critical, not having the data and putting pieces together now open source is becoming a composability market. And I think having things snap together and work well, it's a platform system conversation, not a tool conversation. So I really wanna get into where the OCS f kind of intersects with this area people are working on. It's not just solution architects or cloud cloud native SREs, especially where DevSecOps is. So this that's right, this intersection is critical. How does Ocsf integrate into that integration of the data making that available to make machine learning and automation smarter and more relevant? >>Right, right. Well look, I mean, I I think that's a fantastic question because, you know, we talk about, we use Bud buzzwords like machine learning and, and AI all the time. And you know, I know they're all over the place here at Reinvent and, and the, there's so much promise and hope out there around these technologies and these innovations. However, machine learning AI is only as effective as the data is clean and normalized. And, and we will not realize the promise of these technologies for outcomes in resilience unless we have better ways to normalize data upstream and better ways to integrate that data to the downstream tools where detection and response is happening. And so Ocsf was really about the industry coming together and saying, this is no longer the job of our customers. We are going to create a unified schema that represents the, an event that we will all bite down on. >>Even some of us are competitors, you know, this is, this is that, that no longer matters because at the point, the point is how do we take this burden off of our customers and how do we make the industry safer together? And so 15 initial members came together along with AWS and Splunk to, to start to create that, that initial schema and standardize it. And if you've ever, you know, if you've ever worked with a bunch of technical grumpy security people, it's kind of hard to drive consensus about around just about anything. But, but I, I'm really happy to see how quickly this, this organization has come together, has open sourced the schema, and, and, and just as you said, like I think this, this unlocks the potential for real innovation that's gonna be required to keep up with the bad guys. But right now is getting stymied and held back by the lack of normalization and the lack of integration. >>I've always said Splunk was a, it eats data for breakfast, lunch, and dinner and turns it into insights. And I think you bring up the silo thing. What's interesting is the cross company sharing, I think this hits point on, so I see this as a valuable opportunity for the industry. What's the traction on that? Because, you know, to succeed it does take a village, it takes a community of security practitioners and, and, and architects and developers to kind of coalesce around this defacto movement has been, has been the uptake been good? How's traction? Can you share your thoughts on how this is translating across companies? >>Yeah, absolutely. I mean, look, I, I think cybersecurity has a, has a long track record of, of, of standards development. There's been some fantastic standards recently. Things like sticks and taxi for threat intelligence. There's been things like the, you know, the Mir attack framework coming outta mi mir and, and, and the adoption, the traction that we've seen with Attack in particular has been amazing to, to watch how that has kind of roared onto the scene in the last couple of years and has become table stakes for how you do security operations and incident response. And, you know, I think with ocs f we're gonna see something similar here, but, you know, we are in literally the first innings of, of this. So right now, you know, we're architecting this into our, into every part of our sort of backend systems here at Polan. I know our our collaborators at AWS and elsewhere are doing it too. >>And so I think it starts with bringing this standard now that the standard exists on a, you know, in schema format and there, there's, you know, confluence and Jira tickets around it, how do we then sort of build this into the code of, of the, the collaborators that have been leading the way on this? And you know, it's not gonna happen overnight, but I think in the coming quarters you'll start to see this schema be the standard across the leaders in this space. Companies like Splunk and AWS and others who are leading the way. And often that's what helps drive adoption of a standard is if you can get the, the big dogs, so to speak, to, to, to embrace it. And, and, you know, there's no bigger one than aws and I think there's no, no more important one than Splunk in the cybersecurity space. And so as we adopt this, we hope others will follow. And, and like I said, we've got over 50 organizations contributing to it today. And so I think we're off to a running >>Start. You know, it's interesting, choking innovation or having things kind of get, get slowed down has really been a problem. We've seen successes recently over the past few years. Like Kubernetes has really unlocked and accelerated the cloud native worlds of runtime with containers to, to kind of have the consensus of the community to say, Hey, if we just do this, it gets better. I think this is really compelling with the o the ocs F because if people can come together around this and get unified as well as all the other official standards, things can go highly accelerated. So I think, I think it looks really good and I think it's great initiative and I really appreciate your insight on that, on, on your relationship with Amazon. Okay. It's not just a partnership, it's a strategic collaboration. Could you share that relationship dynamic, how to start, how's it going, what's strategic about it? Share to the audience kind of the relationship between Splunk and a on this important OCS ocsf initiative. >>Look, I, I mean I think this, this year marks the, the 10th year anniversary that, that Splunk and AWS have been collaborating in a variety of different ways. I, I think our, our companies have a fantastic and, and long standing relationship and we've, we've partnered on a number of really important projects together that bring value obviously to our individual companies, but also to our shared customers. When I think about some of the most important customers at Splunk that I spend a significant amount of time with, I I I know how many of those are, are AWS customers as well, and I know how important AWS is to them. So I think it's, it's a, it's a collaboration that is rooted in, in a respect for each other's technologies and innovation, but also in a recognition that, that our shared customers want to see us work better together over time. And it's not, it's not two companies that have kind of decided in a back room that they should work together. It's actually our customers that are, that are pushing us. And I think we're, we're both very customer centric organizations and I think that has helped us actually be better collaborators and better partners together because we're, we're working back backwards from our customers >>As security becomes a physical and software approach. We've seen the trend where even Steven Schmidt at Amazon Web Services is, is the cso, he is not the CSO anymore. So, and I asked him why, he says, well, security's also physical stuff too. So, so he's that's right. Whole lens is now expanded. You mentioned supply chain, physical, digital, this is an important inflection point. Can you summarize in your mind why open cybersecurity schema for is important? I know the unification, but beyond that, what, why is this so important? Why should people pay attention to this? >>You know, I, if, if you'll let me be just a little abstract in meta for a second. I think what's, what's really meaningful at the highest level about the O C S F initiative, and that goes beyond, I think, the tactical value it will provide to, to organizations and to customers in terms of making them safer over the coming years and, and decades. I think what's more important than that is it's really the, one of the first times that you've seen the industry come together and say, we got a problem. We need to solve. That, you know, doesn't really have anything to do with, with our own economics. Our customers are, are hurt. And yeah, some of us may be competitors, you know, we got different cloud service providers that are participating in this along with aws. We got different cybersecurity solution providers participating in this along with Splunk. >>But, but folks who've come together and say, we can actually solve this problem if, if we're able to kind of put aside our competitive differences in the markets and approach this from the perspective of what's best for information security as a whole. And, and I think that's what I'm most proud of and, and what I hope we can do more of in other places in this industry, because I think that kind of collaboration from real market leaders can actually change markets. It can change the, the, the trend lines in terms of how we are keeping up with the bad guys. And, and I'd like to see a lot more of >>That. And we're seeing a lot more new kind of things emerging in the cloud next kind of this next generation architecture and outcomes are happening. I think it's interesting, you know, we always talk about sustainability, supply chain sustainability about making the earth a better place. But you're hitting on this, this meta point about businesses are under threat of going under. I mean, we want to keep businesses to businesses to be sustainable, not just, you know, the, the environment. So if a business goes outta business business, which they, their threats here are, can be catastrophic for companies. I mean, there is, there is a community responsibility to protect businesses so they can sustain and and stay Yeah. Stay producing. This is a real key point. >>Yeah. Yeah. I mean, look, I think, I think one of the things that, you know, we, we, we complain a lot of in, in cyber security about the lack of, of talent, the talent shortage in cyber security. And every year we kinda, we kind of whack ourselves over the head about how hard it is to bring people into this industry. And it's true. But one of the things that I think we forget, John, is, is how important mission is to so many people in what they do for a living and how they work. And I think one of the things that cybersecurity is strongest in information Security General and has been for decades is this sense of mission and people work in this industry be not because it's, it's, it's always the, the, the most lucrative, but because it, it really drives a sense of safety and security in the enterprises and the fabric of the economy that we use every day to go through our lives. And when I think about the spun customers and AWS customers, I think about the, the different products and tools that power my life and, and we need to secure them. And, and sometimes that means coming to work every day at that company and, and doing your job. And sometimes that means working with others better, faster, and stronger to help drive that level of, of, of maturity and security that this industry >>Needs. It's a human, is a human opportunity, human problem and, and challenge. That's a whole nother segment. The role of the talent and the human machines and with scale. Patrick, thanks so much for sharing the information and the insight on the Open cybersecurity schema frame and what it means and why it's important. Thanks for sharing on the Cube, really appreciate it. >>Thanks for having me, John. >>Okay, this is AWS Reinvent 2022 coverage here on the Cube. I'm John Furry, you're the host. Thanks for watching.

>>Good afternoon, brilliant humans, and welcome back to the Cube. We're live in Detroit, Michigan at Cub Con, and I'm joined by John Furrier. John three exciting days buzzing. How you doing? >>That's great. I mean, we're coming down to the third day. We're keeping the energy going, but this segment's gonna be awesome. The CD foundation's doing amazing work. Developers are gonna be running businesses and workflows are changing. Productivity's the top conversation, and you're gonna start to see a coalescing of the communities who are continuous delivery, and it's gonna be awesome. >>And, and our next guess is an outstanding person to talk about this. We are joined by Stephen Chin, the chair of the CD Foundation. Steven, thanks so much for being here. >>No, no, my pleasure. I mean, this has been an amazing week quote that CubeCon with all of the announcements, all of the people who came out here to Detroit and, you know, fantastic. Like just walking around, you bump into all the right people here. Plus we held a CD summit zero day events, and had a lot of really exciting announcements this week. >>Gotta love the shirt. I gotta say, it's one of my favorites. Love the logos. Love the love the branding. That project got traction. What's the news in the CD foundation? I tried to sneak in the back. I got a little laid into your co-located event. It was packed. Everyone's engaged. It was really looked, look really cool. Give us the update. >>What's the news? Yeah, I know. So we, we had a really, really powerful event. All the key practitioners, the open source leads and folks were there. And one of, one of the things which I think we've done a really good job in the past six months with the CD foundation is getting back to the roots and focusing on technical innovation, right? This is what drives foundations, having strong projects, having people who are building innovation, and also bringing in a new innovation. So one of the projects which we added to the CD foundation this week is called Persia. So it's a, it's a decentralized package repository for getting open source libraries. And it solves a lot of the problems which you get when you have centralized infrastructure. You don't have the right security certificates, you don't have the right verification libraries. And these, these are all things which large companies provision and build out inside of their infrastructure. But the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of, a lot of the systems we depend upon. It's >>A good point, yeah. >>Yeah. I mean, if you think about the systems that developers depend upon, we depend upon, you know, npm, ruby Gems, Mayn Central, and these systems been around for a while. Like they serve the community well, right? They're, they're well supported by the companies and it's, it's, it's really a great contribution that they give us. But every time there's an outage or there's a security issue, guess, guess how many security issues that our, our research team found at npm? Just ballpark. >>74. >>So there're >>It's gotta be thousands. I mean, it's gotta be a lot of tons >>Of Yeah, >>They, they're currently up to 60,000 >>Whoa. >>Vulnerable, malicious packages in NPM and >>Oh my gosh. So that's a super, that's a jar number even. I know it was gonna be huge, but Holy mo. >>Yeah. So that's a software supply chain in actually right there. So that's, that's open source. Everything's out there. What's, how do, how does, how do you guys fix that? >>Yeah, so per peria kind of shifts the whole model. So when, when you think about a system that can be sustained, it has to be something which, which is not just one company. It has to be a, a, a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation. So that can be that governance body, which, which makes sure it's not a single company, it is to use modern technologies. So you, you, you just need something which is immutable, so it can't be changed. So you can rely on it. It has to have a strong transaction ledger so you can see all of the history of it. You can build up your software, build materials off of it, and it, it has to have a strong peer-to-peer architecture, so it can be sustained long term. >>Steven, you mentioned something I want to just get back to. You mentioned outages and disruption. I, you didn't, you didn't say just the outages, but this whole disruption angle is interesting if something happens. Talk about the impact of the developer. They stalled, inefficiencies create basically disruption. >>No, I mean, if, if, so, so if you think about most DevOps teams in big companies, they support hundreds or thousands of teams and an hour of outage. All those developers, they, they can't program, they can't work. And that's, that's a huge loss of productivity for the company. Now, if you, if you take that up a level when MPM goes down for an hour, how many millions of man hours are wasted by not being able to get your builds working by not being able to get your codes to compile. Like it's, it's >>Like, yeah, I mean, it's almost hard to fathom. I mean, everyone's, It's stopped. Exactly. It's literally like having the plug pulled >>Exactly on whenever you're working on, That's, that's the fundamental problem we're trying to solve. Is it, it needs to be on a, like a well supported, well architected peer to peer network with some strong backing from big companies. So the company is working on Persia, include J Frog, which who I work for, Docker, Oracle. We have Deploy hub, Huawei, a whole bunch of other folks who are also helping out. And when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really it's, it's a system system. You, you're not relying upon one company or one logo. You're relying upon a well-architected open source implementation that everyone can rely >>On. That's shared software, but it's kind of a fault tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of it, decentralized, you're not gonna go down. You can remediate. All right, so where's this go next? I mean, cuz we've been talking about the role of developer. This needs to be a modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision? How do you see that? Cuz you're the center of the CD foundation coming together. People are gonna be coalescing multiple groups. Yeah. >>What's the, No, I think this is a good point. So there, there's a, a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continued delivery events into one big conference >>Next. You just made an announcement about this earlier this week. Tell us about CD events. What's going on, what's in, what's in the cooker? >>Yeah, and I think one of the big announcements we had was the 0.1 release of CD events. And CD events allows you to take all these systems and connect them in an event scalable, event oriented architecture. The first integration is between Tecton and Capin. So now you can get CD events flowing cleanly between your, your continuous delivery and your observability. And this extends through your entire DevOps pipeline. We all, we all need a standards based framework Yep. For how we get all the disparate continuous integration, continuous delivery, observability systems to, to work together. That's also high performance. It scales with our needs and it, it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD summit Yeah. They were very excited about not only using this with the projects we announced, but using this internally as an architecture to build their own DevOps pipelines on. >>I bet that feels good to hear. >>Yeah, absolutely. Yeah. >>Yeah. You mentioned Teton, they just graduated. I saw how many projects have graduated? >>So we have two graduated projects right now. We have Jenkins, which is the first graduated project. Now Tecton is also graduated. And I think this shows that for Tecton it was, it was time, the very mature project, great support, getting a lot of users and having them join the set of graduated projects. And the continuous delivery foundation is a really strong portfolio. And we have a bunch of other projects which also are on their way towards graduation. >>Feels like a moment of social proof I bet. >>For you all. Yeah, yeah. Yeah. No, it's really good. Yeah. >>How long has the CD Foundation been around? >>The CD foundation has been around for, i, I won't wanna say the exact number of years, a few years now. >>Okay. >>But I, I think that it, it was formed because what we wanted is we wanted a foundation which was purpose built. So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach where a lot of different efforts are joining it, a lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a DevOps, professional DevOps audience. I think this, this gives a good platform for best practices. We're working on a new CDF best practices Yeah. Guide. We're working when use cases with all the member companies. And it, it gives that thought leadership platform for continuous delivery, which you need to be an expert in that area >>And the best practices too. And to identify the issues. Because at the end of the day, with the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big thing. More people doing more. Yeah. Well yeah, I mean you take this open source continuous thunder away, you have more developers coming in, they be more productive and then people are gonna even either on the DevOps side or on the straight AP upside. And this is gonna be a huge issue. And the other thing that comes out that I wanna get your thoughts on is the supply chain issue you talked about is hot verifications and certifications of code is such big issue. Can you share your thoughts on that? Because Yeah, this is become, I won't say a business model for some companies, but it's also becoming critical for security that codes verified. >>Yeah. Okay. So I, I think one of, one of the things which we're specifically doing with the Peria project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on, you know, a runner somewhere like Travis CI or GitHub actions, all the libraries being distributed on Persia are built by the authorized nodes in the network. And then they're, they're verified across all of the authorized nodes. So you nice, you have a, a gar, the basic guarantee we're giving you is when you download something from the Peria network, you'll get exactly the same binary as if you built it yourself from source. >>So there's a lot of trust >>And, and transparency. Yeah, exactly. And if you remember back to like kind of the seminal project, which kicked off this whole supply chain security like, like whirlwind it was SolarWinds. Yeah. Yeah. And the exact problem they hit was the build ran, it produced a result, they modified the code of the bill of the resulting binary and then they signed it. So if you built with the same source and then you went through that same process a second time, you would've gotten a different result, which was a malicious pre right. Yeah. And it's very hard to risk take, to take a binary file Yep. And determine if there's malicious code in it. Cuz it's not like source code. You can't inspect it, you can't do a code audit. It's totally different. So I think we're solving a key part of this with Persia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end reduces, tampered with. And also upstream from this, you do want to have verification of prs, people doing code reviews, making sure that they're looking at the source code. And I think there's a lot of good efforts going on in the open source security foundation. So I'm also on the governing board of Open ssf >>To Do you sleep? You have three jobs you've said on camera? No, I can't even imagine. Yeah. Didn't >>You just spin that out from this open source security? Is that the new one they >>Spun out? Yeah, So the Open Source Security foundation is one of the new Linux Foundation projects. They, they have been around for a couple years, but they did a big reboot last year around this time. And I think what they really did a good job of now is bringing all the industry players to the table, having dialogue with government agencies, figuring out like, what do we need to do to support open source projects? Is it more investment in memory, safe languages? Do we need to have more investment in, in code audits or like security reviews of opensource projects. Lot of things. And all of those things require money investments. And that's what all the companies, including Jay Frogger doing to advance open source supply chain security. I >>Mean, it's, it's really kind of interesting to watch some different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person company, you have, you talk zero trust your software, your top trust, so your trusted code, and you got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. It means zero trust. Makes sense. But then also I got code, I I want trust. Trust and verified. So security is in everything now. So code. So how do you see that traversing over? Is it just semantics or what's your view on that? >>The, the right way of looking at security is from the standpoint of the hacker, because they're always looking for >>Well said, very well said, New >>Loop, hope, new loopholes, new exploits. And they're, they're very, very smart people. And I think when you, when you look some >>Of the smartest >>Yeah, yeah, yeah. I, I, I work with, well former hackers now, security researchers, >>They converted, they're >>Recruited. But when you look at them, there's like two main classes of like, like types of exploits. So some, some attacker groups. What they're looking for is they're looking for pulse zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems. But there's an increasing number of attackers who are now on the opposite end of the spectrum. And what they're doing is they're creating their own exploits. So, oh, they're for example, putting malicious code into open source projects. Little >>Trojan horse status. Yeah. >>They're they're getting their little Trojan horses in. Yeah. Or they're finding supply chain attacks by maybe uploading a malicious library to NPM or to pii. And by creating these attacks, especially ones that start at the top of the supply chain, you have such a large reach. >>I was just gonna say, it could be a whole, almost gives me chills as we're talking about it, the systemic, So this is this >>Gnarly nation state attackers, like people who wanted serious >>Damages. Engineered hack just said they're high, highly funded. Highly skilled. Exactly. Highly agile, highly focused. >>Yes. >>Teams, team. Not in the teams. >>Yeah. And so, so one, one example of this, which actually netted quite a lot of money for the, for the hacker who exposed it was, you guys probably heard about this, but it was a, an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library and clever, >>Creepy. >>It's called a dependency injection attack. And what happens is if you, if you don't have the right sort of security package management guidelines inside your company, and it's just looking for the latest version of merging multiple repositories as like a, like a single view. A lot of companies were accidentally picking up the latest version, which was out in npm uploaded by Alex Spearson was the one who did the, the attack. And he simultaneously reported bug bounties on like a dozen different companies and netted 130 k. Wow. So like these sort of attacks that they're real Yep. They're exploitable. And the, the hackers >>Complex >>Are finding these sort of attacks now in our supply chain are the ones who really are the most dangerous. That's the biggest threat to us. >>Yeah. And we have stacker ones out there. You got a bunch of other services, the white hat hackers get the bounties. That's really important. All right. What's next? What's your vision of this show as we end Coan? What's the most important story coming outta Coan in your opinion? And what are you guys doing next? >>Well, I, I actually think this is, this is probably not what most hooks would say is the most exciting story to con, but I find this personally the best is >>I can't wait for this now. >>So, on, on Sunday, the CNCF ran the first kids' day. >>Oh. >>And so they had a, a free kids workshop for, you know, underprivileged kids for >>About, That's >>Detroit area. It was, it was taught by some of the folks from the CNCF community. So Arro, Eric hen my, my older daughter, Cassandra's also an instructor. So she also was teaching a raspberry pie workshop. >>Amazing. And she's >>Here and Yeah, Yeah. She's also here at the show. And when you think about it, you know, there's always, there's, there's, you know, hundreds of announcements this week, A lot of exciting technologies, some of which we've talked about. Yeah. But it's, it's really what matters is the community. >>It this is a community first event >>And the people, and like, if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's a worthwhile for all of us to be here. >>What a beautiful way to close it. That is such, I'm so glad you brought that up and brought that to our attention. I wasn't aware of that. Did you know that was >>Happening, John? No, I know about that. Yeah. No, that was, And that's next generation too. And what we need, we need to get down into the elementary schools. We gotta get to the kids. They're all doing robotics club anyway in high school. Computer science is now, now a >>Sport, in my opinion. Well, I think that if you're in a privileged community, though, I don't think that every school's doing robotics. And >>That's why Well, Cal Poly, Cal Poly and the universities are stepping up and I think CNCF leadership is amazing here. And we need more of it. I mean, I'm, I'm bullish on this. I love it. And I think that's a really great story. No, >>I, I am. Absolutely. And, and it just goes to show how committed CNF is to community, Putting community first and Detroit. There has been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show. Best Wishes with the CD Foundation. John, thanks for the banter as always. And thank you for tuning in to us here live on the cube in Detroit, Michigan. I'm Savannah Peterson and we are having the best day. I hope you are too.

(upbeat music) >> Hi, everyone, welcome to this program sponsored by HPE. I'm your host, Lisa Martin. We're here talking about being confident and trusting your server security with HPE. I have two guests here with me to talk about this important topic. Cole Humphreys joins us, global server security product manager at HPE, and Ann Potten, trusted supply chain program lead at HPE. Guys, it's great to have you on the program, welcome. >> Hi, thanks. >> Thank you. It's nice to be here. >> Ann let's talk about really what's going on there. Some of the trends, some of the threats, there's so much change going on. What is HPE seeing? >> Yes, good question, thank you. Yeah, you know, cybersecurity threats are increasing everywhere and it's causing disruption to businesses and governments alike worldwide. You know, the global pandemic has caused limited employee availability originally, this has led to material shortages, and these things opens the door perhaps even wider for more counterfeit parts and products to enter the market, and these are challenges for consumers everywhere. In addition to this, we're seeing the geopolitical environment has changed. We're seeing rogue nation states using cybersecurity warfare tactics to immobilize an entity's ability to operate, and perhaps even use their tactics for revenue generation. The Russian invasion of Ukraine is one example. But businesses are also under attack, you know, for example, we saw SolarWinds' software supply chain was attacked two years ago, which unfortunately went unnoticed for several months. And then, this was followed by the Colonial Pipeline attack and numerous others. You know, it just seems like it's almost a daily occurrence that we hear of a cyberattack on the evening news. And, in fact, it's estimated that the cyber crime cost will reach over $10.5 trillion by 2025, and will be even more profitable than the global transfer of all major illegal drugs combined. This is crazy. You know, the macro environment in which companies operate in has changed over the years. And, you know, all of these things together and coming from multiple directions presents a cybersecurity challenge for an organization and, in particular, its supply chain. And this is why HPE is taking proactive steps to mitigate supply chain risk, so that we can provide our customers with the most secure products and services. >> So, Cole, let's bring you into the conversation. Ann did a great job of summarizing the major threats that are going on, the tumultuous landscape. Talk to us, Cole, about the security gap. What is it, what is HPE seeing, and why are organizations in this situation? >> Hi, thanks, Lisa. You know, what we're seeing is as this threat landscape increases to, you know, disrupt or attempt to disrupt our customers, and our partners, and ourselves, it's a kind of a double edge, if you will, because you're seeing the increase in attacks, but what you're not seeing is an equal to growth of the skills and the experiences required to address the scale. So it really puts the pressure on companies, because you have a skill gap, a talent gap, if you will, you know, for example, there are projected to be 3 1/2 million cyber roles open in the next few years, right? So all this scale is growing, and people are just trying to keep up, but the gap is growing, just literally the people to stop the bad actors from attacking the data. And to complicate matters, you're also seeing a dynamic change of the who and the how the attacks are happening, right? The classic attacks that you've seen, you know, in the espionage in all the, you know, the history books, those are not the standard plays anymore. You'll have, you know, nation states going after commercial entities and, you know, criminal syndicates, as Ann alluded to, that there's more money in it than the international drug trade, so you can imagine the amount of criminal interest in getting this money. So you put all that together and the increasing of attacks it just is really pressing down as literally, I mean, the reports we're reading over half of everyone. Obviously, the most critical infrastructure cares, but even just mainstream computing requirements need to have their data protected, "Help me protect my workloads," and they don't have the people in-house, right? So that's where partnership is needed, right? And that's where we believe, you know, our approach with our partner ecosystem this is not HPE delivering everything ourself, but all of us in this together is really what we believe the only way we're going to be able to get this done. >> So, Cole, let's double-click on that, HPE and its partner ecosystem can provide expertise that companies in every industry are lacking. You're delivering HPE as a 360-degree approach to security. Talk about what that 360-degree approach encompasses. >> Thank you, it is an approach, right? Because I feel that security it is a thread that will go through the entire construct of a technical solution, right? There isn't a, "Oh, if you just buy this one server with this one feature, you don't have to worry about anything else." It's really it's everywhere, at least the way we believe it, it's everywhere. And in a 360-degree approach, the way we like to frame it, is it's this beginning with our supply chain, right? We take a lot of pride in the designs, you know, the really smart engineering teams, the designer, technology, our awesome, world-class global operations team working in concert to deliver some of these technologies into the market, that is, you know, a great capability, but also a huge risk to customers. 'Cause that is the most vulnerable place that if you inject some sort of malware or tampering at that point, you know, the rest of the story really becomes mute, because you've already defeated, right? And then, you move in to you physically deployed that through our global operations, now you're in an operating environment. That's where automation becomes key, right? We have software innovations in, you know, our iLO product of management inside those single servers, and we have really cool new GreenLake for compute operations management services out there that give customers more control back and more information to deal with this scaling problem. And then, lastly, as you begin to wrap up, you know, the natural life cycle, and you need to move to new platforms and new technologies, we think about the exit of that life cycle, and how do we make sure we dispose of the data and move those products into a secondary life cycle, so that we can move back into this kind of circular 360-degree approach. We don't want to leave our customers hanging anywhere in this entire journey. >> That 360-degree approach is so critical, especially given, as we've talked about already in this segment, the changes, the dynamics in the environment. Ann, as Cole said, this 360-degree approach that HPE is delivering is beginning in the manufacturing supply chain, seems like the first line of defense against cyberattackers. Talk to us about why that's important and where did the impetus come from? Was that COVID, was that customer demand? >> Yep, yep. Yeah, the supply chain is critical, thank you. So in 2018, we could see all of these cybersecurity issues starting to emerge and predicted that this would be a significant challenge for our industry. So we formed a strategic initiative called the Trusted Supply Chain Program designed to mitigate cybersecurity risk in the supply chain, and really starting with the product life cycle, starting at the product design phase and moving through sourcing and manufacturing, how we deliver products to our customers and, ultimately, a product's end of life that Cole mentioned. So in doing this, we're able to provide our customers with the most secure products and services, whether they're buying their servers for their data center or using our own GreenLake services. So just to give you some examples, something that is foundational to our Trusted Supply Chain Program we've built a very robust cybersecurity supply chain risk management program that includes assessing our risk at all factories and our suppliers, okay? We're also looking at strengthening our software supply chain by developing mechanisms to identify software vulnerabilities and hardening our own software build environments. To protect against counterfeit parts, that I mentioned in the beginning, from entering our supply chain, we've recently started a blockchain program so that we can identify component provenance and trace parts back to their original manufacturers. So our security efforts, you know, continue even after product manufacturing. We offer three different levels of secured delivery services for our customers, including, you know, a dedicated truck and driver, or perhaps even an exclusive use vehicle. We can tailor our delivery services to whatever the customer needs. And then, when a product is at its end of life, products are either recycled or disposed using our approved vendors. So our servers are also equipped with the One-Button Secure Erase that erases every byte of data, including firmware data. And talking about products, we've taken additional steps to provide additional security features for our products. Number one, we can provide platform certificates that allow the user to cryptographically verify that their server hasn't been tampered with from the time it left the manufacturing facility to the time that it arrives at the customer's facility. In addition to that, we've launched a dedicated line of trusted supply chain servers with additional security features, including Secure Configuration Lock, Chassis Intrusion Detection, and these are assembled at our U.S. factory by U.S. vetted employees. So lots of exciting things happening within the supply chain not just to shore up our own supply chain risk, but also to provide our customers with the most secure product. And so with that, Cole, do you want to make our big announcement? >> All right, thank you. You know, what a great setup though, because I think you got to really appreciate the whole effort that we're putting into, you know, bringing these online. But one of the, just transparently, the gaps we had as we proved this out was, as you heard, this initial proof was delivered with assembly in the U.S. factory employees. You know, fantastic program, really successful in all our target industries and even expanding to places we didn't really expect it to. But it's kind of going to the point of security isn't just for one industry or one set of customers, right? We're seeing it in our partners, we're seeing it in different industries than we have in the past. But the challenge was we couldn't get this global right out the gate, right? This has been a really heavy, transparently, a U.S. federal activated focus, right? If you've been tracking what's going on since May of last year, there's been a call to action to improve the nation's cybersecurity. So we've been all in on that, and we have an opinion and we're working hard on that, but we're a global company, right? How can we get this out to the rest of the world? Well, guess what? This month we figured it out and, well, it's take a lot more than this month, we did a lot of work, but we figured it out. And we have launched a comparable service globally called Server Security Optimization Service, right? HPE Server Security Optimization Service for ProLiant. I like to call it, you know, SSOS Sauce, right? Do you want to be clever? HPE Sauce that we can now deploy globally. We get that product hardened in the supply chain, right? Because if you take the best of your supply chain and you take your technical innovations that you've innovated into the server, you can deliver a better experience for your customers, right? So the supply chain equals server technology and our awesome, you know, services teams deliver supply chain security at that last mile, and we can deliver it in the European markets and now in the Asia Pacific markets, right? We could ship it from the U.S. to other markets, so we could always fulfill this promise, but I think it's just having that local access into your partner ecosystem and stuff just makes more sense. But it is a big deal for us because now we have activated a meaningful supply chain security benefit for our entire global network of partners and customers and we're excited about it, and we hope our customers are too. >> That's huge, Cole and Ann, in terms of the significance of the impact that HPE is delivering through its partner ecosystem globally as the supply chain continues to be one of the terms on everyone's lips here. I'm curious, Cole, we just couple months ago, we're at Discover, can you talk about what HPE is doing here from a security perspective, this global approach that it's taking as it relates to what HPE was talking about at Discover in terms of we want to secure the enterprise to deliver these experiences from edge to cloud. >> You know, I feel like for me, and I think you look at the shared-responsibility models and, you know, other frameworks out there, the way I believe it to be is it's a solution, right? There's not one thing, you know, if you use HPE supply chain, the end, or if you buy an HPE ProLiant, the end, right? It is an integrated connectedness with our as-a-service platform, our service and support commitments, you know, our extensive partner ecosystem, our alliances, all of that comes together to ultimately offer that assurance to a customer, and I think these are specific meaningful proof points in that chain of custody, right? That chain of trust, if you will. Because as the world becomes more zero trust, we are going to have to prove ourselves more, right? And these are those kind of technical credentials, and identities and, you know, capabilities that a modern approach to security need. >> Excellent, great work there. Ann, let's go ahead and take us home. Take the audience through what you think, ultimately, what HPE is doing really infusing security at that 360-degree approach level that we talked about. What are some of the key takeaways that you want the audience that's watching here today to walk away with? >> Right, right, thank you. Yeah, you know, with the increase in cybersecurity threats everywhere affecting all businesses globally, it's going to require everyone in our industry to continue to evolve in our supply chain security and our product security in order to protect our customers and our business continuity. Protecting our supply chain is something that HPE is very committed to and takes very seriously. So, you know, I think regardless of whether our customers are looking for an on-prem solution or a GreenLake service, you know, HPE is proactively looking for and mitigating any security risk in the supply chain so that we can provide our customers with the most secure products and services. >> Awesome, Anne and Cole, thank you so much for joining me today talking about what HPE is doing here and why it's important, as our program is called, to be confident and trust your server security with HPE, and how HPE is doing that. Appreciate your insights and your time. >> Thank you so much for having us. >> Thank you, Lisa. >> For Cole Humphreys and Anne Potten, I'm Lisa Martin, we want to thank you for watching this segment in our series, Be Confident and Trust Your Server Security with HPE. We'll see you soon. (gentle upbeat music)

(electronic music) >> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB rocket ship company We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE. >> Thank you for having me. >> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal. >> Yeah. >> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people. >> Yeah. >> You know, it used to be a bolt on. >> Yep. >> That's changed dramatically and that change has really accelerated through the pandemic. >> Yep. >> Just describe that change from your perspective. >> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was their first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third time returnee, I guess? So he's worked for, MongoDB be twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So us combined is like indestructible, we we're a great team. >> Is your scope of responsibility, obviously you're protecting Mongo, >> Yeah. >> How much of your role extends into the product? >> So we have a product security team that report into Sahir Azam, our chief product officer. I think you even spoke to him. >> Yeah, he's amazing. >> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer facing. I'm also to a certain extent customer facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow. >> I remember last year, Re:invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who responsible for data center security. And one of the things he said was, you know, look it's not at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture- >> Right. That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. >> Yes. >> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect. >> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually people grade themselves, when they join us, we give them a little tick box. Like five is, I walk in security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game changing for us. We now have over a hundred people who volunteer their time, with their supervisors permission, they help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program. >> Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate. >> Absolutely. >> To that you know that 101 level. >> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden. >> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board level item. >> Yeah. >> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. >> Yes. >> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed. >> Right. >> I mean, it's now a board level item. But how do you communicate to the C-Suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it? >> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Where, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has has helped me mature my role 10 times. And then also we have the chance to ask them, well what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killelea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box ticking exercise that I used to feel security was, you know, if you heated your SOC2 type two in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore. >> Right. It's every single day. >> Yeah. Of course. Dev is Dev at the Chario. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps- >> Road roadmaps, the whole nine yards. Yep. >> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority. >> Yes. >> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget. >> Sure >> Right. It's not like, oh, here is an open checkbook. >> Right. >> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money and go to market. What's the climate like now, is it, you know continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment? >> We would never tap the breaks. I mean, this is something that's- So my other half works in the finance industry still. So we have, you know, interesting discussions when it comes to geopolitics and financial politics and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seeing to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying are you giving me the really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform. If you look to moving to us and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us what the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. You know budgets are talked at Dev's level. So, you know, it's really important that we get the spend right. >> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary. >> Hopefully, yes. >> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. >> Yes. >> You know, AWS likes to educate people and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary. >> Right, right. >> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO but because of the shared responsibility model, CISO is now the second line of defense >> Yes. Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS? >> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or you know, our account manager, its not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance, right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is. >> When you obviously the SolarWinds hack was a a major mile- I think in security, there's always something in the headlines- >> Yes. But when you think of things like, you know, Stuxnet, you know, Log4J, obviously Solarwinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and you know, much more automated. It's always been automated attacks, but you know island hopping and infiltrating and self-forming malware and really sophisticated techniques. >> Yep. >> How are you thinking about that supply chain, bill of materials from inside Mongo and ultimately externally to your customers? >> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the H bomb. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOs front and center, cloud first front and center. It's like, this is perfect. And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had a sneak CISA, So Dr. Allen Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snake for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snake and we now have a proof of concept for SBOs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. we don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were then before Log4j, I think having SBOs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things. >> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally. >> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. there's meerkats, you see like this, it's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning. >> Last question, part B. As a hot technology company, that's, you know, rising star, you know not withstanding the tech lash and the stock market- >> Yeah. >> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you? >> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they'd already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer. >> I was so looking forward to interviewing you, Lena, thanks so much for coming. >> Thank you, this was a pleasure. >> It was really great to have you. >> Thank you so much. Thank you. >> You're really welcome. All right, keep it right there. This is Dave Villante for theCUBE. We'll be right back at AWS Re:inforce22 right after this short break.

>> From theCUBE studios in Palo Alto in Boston bringing you data driven insights from theCUBE and ETR. This is breaking analysis with Dave Vellante. >> Despite fears of inflation, supply chain issues skyrocketing energy and home prices and global instability caused by the Ukraine crisis CIOs and IT buyers continue to expect overall spending to increase more than 6% in 2022. Now, while this is lower than our 8% prediction that we made earlier this year in January, it remains in line with last year's roughly six to 7% growth and is holding firm with the expectations reported by tech executives on the ETR surveys last quarter. Hello and welcome to this week's wiki bond cube insights powered by ETR in this breaking analysis, we'll update you on our latest look at tech spending with a preliminary take from ETR's latest macro drill down survey. We'll share some insights to which vendors have shown the biggest change in spending trajectory. And we'll tap our technical analysts to get a read on what they think it means for technology stocks going forward. The IT spending sentiment among IT buyers remains pretty solid. >> In the past two months, we've had conversations with dozens of CIOs, chief digital officers data executives, IT managers, and application developers, and across the board, they've indicated that for now at least their spending levels remain largely unchanged. The latest ETR drill down data which will share shortly, confirms these anecdotal checks. However, the interpretation of this data it's somewhat nuanced. Part of the reason for the spending levels being you know reasonably strong and holding up is inflation. Stuff costs more so spending levels are higher forcing IT managers to prioritize. Now security remains the number one priority and is less susceptible to cuts, cloud migration, productivity initiatives and other data projects remain top priorities. >> So where are CIO's robbing from Peter to pay Paul to focus on these priorities? Well, we've seen a slight uptick in certain speculative. IT projects being put on hold or frozen for a period of time. And according to ETR survey data we've seen some hiring freezes reported and this is especially notable in the healthcare sector. ETR also surveyed its buyer base to find out where they were adjusting their budgets and the strategies and tactics they were using to do so. Consolidating IT vendors was by far the most cited tactic. Now this makes sense as companies in an effort to negotiate better deals will often forego investments in newer so-called best of breed products and services, and negotiate bundles from larger suppliers. You know, even though they might not be as functional, the buyers >> can get a better deal if they bundle together from one of their larger suppliers. Think Microsoft or a Dell or other, you know, large companies. ETR survey respondents also cited cutting the cloud bill where discretionary spending was in play was another strategy or tactic that they were using. We certainly saw this with some of the largest snowflake customers this past quarter. Where even though they were still growing consumption rapidly certain snowflake customers dialed down their consumption and pushed spending off to future quarters. Now remember in the case of snowflake, anyway, customers negotiate consumption rates and their pricing based on a total commitment over a period of time. So while they may consume less in one quarter, over the lifetime of the contract, snowflake, as do many other cloud companies, have good visibility on the lifetime value of a deal. Now this next chart shows the latest ETR spending expectations among more than 900 respondents. The bars represent spending growth expectations from the periods of December, 2021 that's the gray bars, March of 2022 survey in the blue, and the most recent June data, That's the yellow bar. So you can see spending expectations for the quarter is down slightly in the mid 5% range. But overall for the year expectations remain in the mid 6% range. Now it's down from 8%, 8.3% in December where it looked like 2022 was going to really be a breakout year and have more momentum than even last year. Now, remember this was before Russia invaded Ukraine which occurred in mid-February of this year. So expectations were a little higher. So look, generally speaking CIOs have told us that their CFOs and CEOs have lowered their earnings outlooks and communicated that to Wall Street. They've told us that unless and until these revised forecasts appear at risk, they continue to expect their budget levels to remain pretty constant. Now there's still plenty of momentum and spending velocity on specific vendor platforms. Let's take a look at that. >> This chart shows the companies with the greatest spending momentum as measured by ETRs proprietary net score methodology. Net score essentially measures the net percent of customers spending more on a particular platform. That measurement is shown on the Y axis. The red line there that's inserted that red dotted line at 40%, we consider to be a highly elevated mark. And the green dots are companies in the ETR survey that are near or above that line. The X axis measures the presence in the data set, how much, you know sort of pervasiveness, if you will, is in the data. It's kind of a proxy for market presence. Now, of course we all know Kubernetes is not a company, but it remains an area where organizations are spending lots of resources and time particularly to modernize and mobilize applications. Snowflake remains the company which leads all firms in spending velocity, but as you'll see momentarily, despite its highest position relative to everybody else in the survey, it's still down from its previous levels in the high seventies and low 80% range. AWS is incredibly impressive because it has an elevated level but also a big presence in the data set in the survey. Same with Microsoft, same with ServiceNow which also stands out. And you can see the other smaller vendors like HashiCorp which is increasingly being seen as a strategic cross cloud enabler. They're showing, spending momentum. The RPA vendors you see in there automation anywhere and UI path are in the mix with numerous security companies, CrowdStrike, CyberArk, Netskope, Cloudflare, Tenable Okta, Zscaler Palo Alto networks, Sale Point Fortunate. A big number of cybersecurity firms hovering at or above that 40% mark you can see pure storage remains elevated as do PagerDuty and Coupa. So plenty of good news here, despite the recent tech crash. So that was the good, here's the not so good. So >> there is no 40% line on this chart because all these companies are well below that line. Now this doesn't mean these companies are bad companies. They just don't have the spending velocity of the ones we showed earlier. A good example here is Oracle. Look how they stand out on the X axis with a huge market presence. And Oracle remains an incredibly successful company selling to high end customers and really owning that mission critical data and application space. And remember ETR measures spending activity, but not actual spending dollars. So Oracle is skewed as a result because Oracle customers spend big bucks. But the fact is that Oracle has a large legacy install base that pulls down their growth rates. And that does show up in the ETR survey data. Broadcom is another example. They're one of the most successful companies in the industry, and they're not going after growth at all costs at all. They're going after EBITDA and of course ETR doesn't measure EBIT. So just keep that in mind, as you look at this data. Now another way to look at the data and the survey, is exploring the net score movement over the last period amongst companies. So how are they moving? What's happening to the net score over time. And this chart shows the year over year >> net score change for vendors that participate in at least three sectors within the ETR taxonomy. Remember ETR taxonomy has 12, 15 different segments. So the names above or below the gray dotted line are those companies where the net score has increased or decreased meaningfully. So to the earlier chart, it's all relative, right? Look at Oracle. While having lower net scores has also shown a more meaningful improvement in net score than some of the others, as have SAP and Teradata. Now what's impressive to me here is how AWS, Microsoft, and Google are actually holding that dotted line that gray line pretty well despite their size and the other ironically interesting two data points here are Broadcom and Nutanix. Now Broadcom, of course, as we've reported and dug into, is buying VMware and, and of, of course most customers are concerned about getting hit with higher prices. Once Broadcom takes over. Well Nutanix despite its change in net scores, in a good position potentially to capture some of that VMware business. Just yesterday, I talked to a customer who told me he migrated his entire portfolio off VMware using Nutanix AHV, the Acropolis hypervisor. And that was in an effort to avoid the VTEX specifically. Now this was a smaller customer granted and it's not representative of what I feel is Broadcom's ICP the ideal customer profile, but look, Nutanix should benefit from the Broadcom acquisition. If it can position itself to pick up the business that Broadcom really doesn't want. That kind of bottom of the pyramid. One person's trash is another's treasure as they say, okay. And here's that same chart for companies >> that participate in less than three segments. So, two or one of the segments in the ETR taxonomy. Only three names are seeing positive movement year over year in net score. SUSE under the leadership of amazing CEO, Melissa Di Donato. She's making moves. The company went public last year and acquired rancher labs in 2020. Look, we know that red hat is the big dog in Kubernetes but since the IBM acquisition people have looked to SUSE as a possible alternative and it's showing up in the numbers. It's a nice business. It's going to do more than 600 million this year in revenue, SUSE that is. It's got solid double digit growth in kind of the low teens. It's profitability is under pressure but they're definitely a player that is found a niche and is worth watching. The SolarWinds, What can I say there? I mean, maybe it's a dead cat bounce coming off the major breach that we saw a couple years ago. Some of its customers maybe just can't move off the platform. Constant contact we really don't follow and don't really, you know, focus on them. So, not much to say there. Now look at all the high priced earning stocks or infinite PE stocks that have no E and divide by zero or a negative number and boom, you have infinite PE and look at how their net scores have dropped. We've reported extensively on snowflake. They're still number one as we showed you earlier, net score, but big moves off their highs. Okta, Datadog, Zscaler, SentinelOne Dynatrace, big downward moves, and you can see the rest. So this chart really speaks to the change in expectations from the COVID bubble. Despite the fact that many of these companies CFOs would tell you that the pandemic wasn't necessarily a tailwind for them, but it certainly seemed to be the case when you look back in some of the ETR data. But a big question in the community is what's going to happen to these tech stocks, these tech companies in the market? We reached out to both Eric Bradley of ETR who used to be a technical analyst on Wall Street, and the long time trader and breaking analysis contributor, Chip Symington to get a read on what they thought. First, you know the market >> first point of the market has been off 11 out of the past 12 weeks. And bare market rallies like what we're seeing today and yesterday, they happen from time to time and it was kind of expected. Chair Powell's testimony was broadly viewed as a positive by the street because higher interest rates appear to be pushing commodity prices down. And a weaker consumer sentiment may point to a less onerous inflation outlook. That's good for the market. Chip Symington pointed out to breaking analysis a while ago that the NASDAQ has been on a trend line for the past six months where its highs are lower and the lows are lower and that's a bad sign. And we're bumping up against that trend line here. Meaning if it breaks through that trend it could be a buying signal. As he feels that tech stocks are oversold. He pointed to a recent bounce in semiconductors and cited the Qualcomm example. Here's a company trading at 12 times forward earnings with a sustained 14% growth rate over the next couple of years. And their cash flow is able to support their 2.4, 2% annual dividend. So overall Symington feels this rally was absolutely expected. He's cautious because we're still in a bear market but he's beginning to, to turn bullish. And Eric Bradley added that He feels the market is building a base here and he doesn't expect a 1970s or early 1980s year long sideways move because of all the money that's still in the system. You know, but it could bounce around for several months And remember with higher interest rates there are going to be more options other than equities which for many years has not been the case. Obviously inflation and recession. They are like two looming towers that we're all watching closely and will ultimately determine if, when, and how this market turns around. Okay, that's it for today. Thanks to my colleagues, Stephanie Chan, who helps research breaking analysis topics sometimes, and Alex Myerson who is on production in the podcast. Kristin Martin and Cheryl Knight they help get the word out and do all of our newsletters. And Rob Hof is our Editor in Chief over at siliconangle.com and does some wonderful editing for breaking analysis. Thank you. Remember, all these episodes are available as podcasts wherever you listen. All you got to do is search breaking analysis podcasts. I publish each week on wikibon.com and Siliconangle.com. And of course you can reach me by email at david.vellante@siliconangle.com or DM me at DVellante comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for the CUBE insights powered by ETR. Stay safe, be well. And we'll see you next time. (soft music)

(upbeat music) >> Hello, welcome to this CUBE Conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE. We're here with Tim Everson, CISO at Kalahari Resorts & Conventions. Tim, great to see you. Thanks for coming on theCUBE. >> Thank you for having me. Looking forward to it. >> So, you know, RSA is going on this week. We're talking a lot about security. You've got a lot of conferences. Security is a big scale now across all enterprises, all businesses. You're in the hospitality, you got conventions. You're in the middle of it. You have an interesting environment. You've got a lot of diverse use cases. And you've got a lot of needs. They're always changing. I mean, you talk about change. You've got a network that has to be responsive, robust and support a lot of tough customers who want to have fun or do business. >> Exactly, yeah. We have customers that come in, that we were talking about this before the segment. And we have customers that come in that bring their own Roku Sticks their own Amazon devices. All these different things they bring in. You know, our resort customers need dedicated bandwidth. So they need dedicated network segments stood up at a moment's notice to do the things they're doing and run the shows they're showing. So it's never, never ending. It's constantly changing in our business. And there's just data galore to keep an eye on. So it's really interesting. >> Can you scope the scale of the current cybersecurity challenges these days in the industry? Because they're wide and far, they're deep. You got zero trust on one end, which is essentially don't trust anything. And then you got now on the software supply chain, things like more trust. So you got the conflict between a direction that's more trusted and then zero trust, and everything in between. From, endpoint protection. It's a lot going on. What's the scale of this situation right now in cyber? >> You know, right now everything's very, very up in the air. You talk about zero trust. And zero trust can be defined a lot of ways depending on what security person you talk to today. So, I won't go into my long discussion about zero trust but suffice to say, like I said zero trust can be perceived so many different ways. From a user perspective, from a network perspective, from an end point. I look more broadly at the regulatory side of things and how that affects things too. Because, regulations are changing daily. You've got your GDPRs, your CCPAs, your HIPAA regulations, PCI. All these different things that affect businesses, and affect businesses different ways. I mean, at Kalahari we're vulnerable or we're not vulnerable, but we're subject to a lot of these different regulations, more so than other people. You wouldn't expect a lot of hotels to have HIPAA regulations for instance. We have health people at our resorts. So we actually are subject to HIPAA in a lot of cases. So there's a lot of these broad scenarios that apply and they come into play with all different industries. And again, things you don't expect. So, when you see these threats coming, when you see all the hacks coming. Even today I got an email that the Marriott breach data from a few years ago, or the MGM breach from a few years ago. We've got all these breaches out there in the world, are coming back to the surface and being looked at again. And our users and our guests and our corporate partners, and all these different people see those things and they rely on us to protect them. So it makes that scope just exponentially bigger. >> Yeah, there's so many threads to pull on here. One is, you know we've observed certainly with the pandemic and then now going forward is that if you weren't modern in your infrastructure, in your environment, you are exposed. Even, I'm not talking old and antiquated like in the dark ages IT. We're talking like really state of the art, current. If you're lagging just by a few years, the hackers have an advantage. So, the constant bar raising, leveling up on technology is part of this arms race against the bad guys. >> Absolutely. And you said it, you talked earlier about the supply chain. Supply chain, these attacks that have come through the SolarWinds attacks and some of these other supply chain attacks that are coming out right now. Everybody's doing their best to stay on top of the latest, greatest. And the problem with that is, when you rely on other vendors and other companies to be able to help you do that. And you're relying on all these different tool sets, the supply chain attack is hugely critical. It makes it really, really important that you're watching where you're getting your software from, what they're doing with it, how they secure it. And that when you're dealing with your vendors and your different suppliers, you're making sure that they're securing things as well as you are. And it just, it adds to the complexity, it adds to the footprint and it adds to the headache that a lot of these security teams have. Especially small teams where they don't have the people to manage those kind of contacts. >> It's so interesting, I think zero trust is a knee jerk reaction to the perimeter being gone. It's like, you got to People love the zero trust. Oh it's like, "We're going to protect this that nobody, and then vet them in." But once you're trusted, trust also is coming in to play here. And in your environment, you're a hotel, you're a convention. You have a lot of rotation of guests coming in. Very much high velocity. And spear phishing and phishing, I could be watching and socially engineering someone that could be on your property at any given time. You got to be prepared for that. Or, you got ransomware coming around the corners or heavily. So, you got the ransomware threat and you got potentially spear phishing that could be possible at your place. These are things that are going on, right? That you got to protect for. What's your reaction to that? >> Absolutely. We see all those kind of attacks on a daily basis. I see spear phishing attacks. I see, web links and I chase them down and see what's going on. I see that there's ransomware trying to come in. We see these things every single day. And the problem you have with it is not only, especially in a space where you have a high volume of customers and a high turnover of customers like you're talking about that are in and out of our resorts, in and out of our facilities. Those attacks aren't just coming from our executives and their email. We can have a guest sitting on a guest network, on a wireless network. Or on one of our business center machines, or using our resort network for any one of a number of the conference things that they're doing and the different ports that we have to open and the different bandwidth scenarios that you've got dealing with. All of these things come into play because if any attack comes from any of those channels you have to make sure that segmentation is right, that your tooling is proper and that your team is aware and watching for it. And so it does. It makes it a very challenging environment to be in. >> You know, I don't want to bring up the budget issue but I'll bring up the budget issue. You can have unlimited budget because there's so many tools out there and platforms now. I mean, if you've look at the ecosystem map of the cybersecurity landscape that you have to navigate through as a customer. You've got a lot of people knocking on your door to sell you stuff. So I have to ask you, what is the scale? I mean, you can't have unlimited budget. But the reality is you have to kind of, do the right thing. What's the most helpful kind of tools and platforms for you that you've seen that you've had experience with? Where's this going in terms of the most effective mechanisms and software and platforms that are available out there? >> From the security perspective specifically, the three things that are most important to me are visibility. Whether it's asset visibility or log visibility. You know, being able to see the data, being able to see what's going on. End user. Making sure that the end user has been trained, is aware and that you're watching them. Because the end user, the human is always the weakest link. The human doesn't have digital controls that can be hard set and absolutely followed. The human changes every day. And then our endpoint security solutions. Those are the three biggest things for me. You know, you have your network perimeter, your firewalls. But attackers aren't always looking for those. They're coming from the inside, they're finding a way around those. The biggest three things for me are endpoint, visibility and the end user. >> Yeah, it's awesome. And a lot of companies are really looking at their posture right now. So I would ask you as a CISO, who's in the front end of all this great stuff and protecting your networks and all your environments and the endpoints and assets. What advice would you have for other CISOs who are kind of trying to level up to where you're at, in terms of rethinking their security posture? What advice would you give them? >> The advice I would give you is surround yourself with people that are like-minded on the security side. Make sure that these people are aware but that they're willing to grow. Because security's always changing. If you get a security person that's dead set that they're going to be a network security person and that's all they're going to do. You know, you may have that need and you may fill it. But at the end of the day, you need somebody who's open rounded and ready to change. And then you need to make sure that you can have somebody, and the team that you work with is able to talk to your executives. It never fails, the executives. They understand security from the standpoint of the business, but they don't necessarily understand security from the technical side. So you have to make sure that you can cross those two boundaries. And when you grow your team you have to make sure that that's the biggest focus. >> I have to ask the pandemic question, but I know cybersecurity hasn't changed. In fact, it's gotten more aggressive in the pandemic. How has the post pandemic or kind of like towards the tail end of where we're at now, affect the cybersecurity landscape? Has it increased velocity? Has it changed any kind of threat vectors? Has it changed in any way? Can you share your thoughts on what happened during the pandemic and now has we come out of it into the next, well post pandemic? >> Absolutely. It affected hospitality in a kind of unique way. Because, a lot of the different governments, state, federal. I'm in Ohio. I work out of our Ohio resort. A lot of the governments literally shut us down or limited severely how many guests we could have in. So on the one hand you've got less traffic internal over the network. So you've got a little bit of a slow down there. But on the flip side it also meant a lot of our workers were working from home. So now you've got a lot of remote access coming in. You've got people that are trying to get in from home and work machines. You have to transition call centers and call volume and all of the things that come along with that. And you have to make sure that that human element is accounted for. Because, again, you've got people working from home, you no longer know if the person that's calling you today, if it's not somebody you're familiar with you don't know if that person is Joe Blow from the front desk or if that person's a vendor or who they are. And so when you deal with a company with 5,000 ish employees or 10,000 that some of these bigger companies are. 15,000, whatever the case may be. You know, the pandemic really put a shift in there because now you're protecting not only against the technologies, but you're dealing with all of the scams, all of the phishing attempts that are coming through that are COVID related. All of these various things. And it really did. It threw a crazy mix into cybersecurity. >> I can imagine that the brain trust over there is prior thinking, "Hey, we were a hybrid experience." Now, if people who have come and experienced our resorts and conventions can come in remotely, even in a hybrid experience with folks that are there. You've seen a lot of hybrid events for instance go on, where there's shared experience. I can almost imagine your service area is now extending to the homes of those guests. That you got to start thinking differently. Has that been something that you guys are looking at? >> We're looking at it from the standpoint of trying to broaden some of the events. In the case of a lot of our conventions, things of that nature. The conventions that aren't actually Kalahari's run conventions, we host them, we manage them. But it does... When you talk about workers coming from home to attend these conventions. Or these telecommuters that are attending these conventions. It does affect us in the stance that, like I said we have to provision network for these various events. And we have to make sure that the network and the security around the network are tight. So it does. It makes a big deal as far as how Kalahari does its business. Being able to still operate these different meetings and different conventions, and being able to host remotely as well. You know, making sure that telecommunications are available to them. Making sure that network access and room access are available to them. You know for places where we can't gather heavily in meetings. You know, these people still being able to be near each other, still being able to talk, but making sure that that technology is there between them. >> Well, Tim is great to have you on for this CUBE Conversation. CISO from the middle of all the action. You're seeing a lot. There's a lot of surface area you got to watch. There's a lot of data you got to observe. You got to get that visibility. You can only protect what you can see, and the more you see the better it is. The better the machine learning. You brought up the the common area about like-minded individuals. I want to just ask you on the final point here, on hiring and talent coming into the marketplace. I mean, this younger generation coming out of university and college is, or not even going to school. There's no cyber degree. I mean, there are now. But I mean, the world's changing. It's easy to level up. So, skill sets you can't get a degree in certain things. I mean, you got to have a broad set. What do you look for in talent? Is there a trend you see in terms of what makes a good cybersecurity professional, developer, analyst? Is there roles that you see emerging that you think people should pay attention to? What's your take on this as someone who's looking at the future? And- >> You know, it's very interesting that you bring this up. I actually have two of my team members, one directly working for me and another team member at Kalahari that are currently going through college degree programs for cybersecurity. And I wrote recommendations for them. I've worked with them, I'm helping them study. But as you bring people up, you know the other thing I do is I mentor at a couple of the local technical schools as well. I go in, I talk to people, I help them design their programs. And the biggest thing I try to get across to them is, number one, if you're in the learning side of it. Not even talking about the hiring side of it. If you're in the learning side of it, you need to come into it with a kind of an understanding to begin with to where you want to fit into security. You know, do you want to be an attacker, a defender, a manager? Where do you want to be? And then you also need to look at the market and talk to the businesses in the area. You know, I talk to these kids regularly about what their need is. Because if you're in school and you're taking Cisco classes, and focusing on firewalls and what an organization needs as somebody who can read log and do things like that. Or somebody who can do pen testing. You know, that's a huge thing. So I would say if you're on the hiring side of that equation, you know. Like you said, there's no super degrees that I can speak to. There's a lot of certifications. There's a lot of different things like that. The goal for me is finding somebody who can put hands to the ground and feet to the ground, and show me that they know what they know. You know, I'll pull somebody in, I'll ask them to show me a certain specific or I'll ask them for specific information and try to feel that out. Because at the end of the day, there's no degree that's going to protect my network. There's no degree that's a hundred percent going to understand Kalahari, for instance. So I want to make sure that the people I talk to, I get a broad interview scope, I get a number of people to talk to. And really get a feel for what it is they know, and what tools they want to work with and make sure it's going to align with us. >> Well, Tim, that's great that you do that. I think the industry needs that. And I think that's really paying it forward, by getting in and using your time to help shape the young curriculums and the young guns out there. It's interesting you know, like David Vellante and I talk on theCUBE all the time. Cyber is like sports. If you're playing football, you got to know the game. If you're playing football and you come in as a baseball player, the skills might not translate, right? So it's really more of, categorically cyber has a certain pattern to it. Math, open mindedness, connecting dots, seeing things around corners. Maybe it's more holistic views, if you're at the visibility level or getting the weeds with data. A lot of different skill sets needed. The aperture of the job requirements are changing a lot. >> They are. And you know, you touched on that really well. You know, they talk about hacking and the hacker mindset. You know, all the security stuff revolves around hacker. And people mislabel hacker. Hacking in general is making something do something that it wasn't originally designed to do. And when I hire people in security, I want people that have that mindset. I want people that not only are going to work with the tool set we have, and use that mathematical ability and that logic and that reasoning. But I want them to use a reasoning of, "Hey, we have this tool here today. How can this tool do what I want it do but what else can it do for me?" Because like any other industry we have to stretch our dollar. So if I have a tool set that can meet five different needs for me today, rather than investing in 16 different tool sets and spreading that data out and spreading all the control around. Let's focus on those tool sets and let's focus on using that knowledge and that adaptive ability that the human people have on the security side, and put that to use. Make them use the tools that work for them but make 'em develop things, new tools, new methods, new techniques that help us get things across. >> Grow the capabilities, protect, trust all things coming in. And Tim, you're a tech athlete, as we say and you've got a great thing going on over there. And again, congratulations on the work you're doing on the higher ed and the education side and the Kalahari Resorts & Conventions. Thanks for coming on theCUBE. I really appreciate the insight you're sharing. Thank you. >> Thanks for having me. >> Okay. I'm John Furrier here in Palo Alto for theCUBE. Thanks for watching. (somber music)

(bright upbeat music) >> Welcome back to theCUBE's coverage of VeeamON 2022. We're here at the Aria in Las Vegas. This is day two, Dave Vallante with David Nicholson. You know with theCUBE, we talked about the cloud a lot and the company that started the cloud, AWS. Jeanna James is here. She's the Global Alliance Manager at AWS and a data protection expert. Great to see you. Thanks for coming on theCUBE again. >> Thanks so much for having me, Dave. It's great to be here in person with everyone. >> Yes, you know, we've done a few events live more than a handful. Thanks a lot to AWS. We've done a number. We did the DC Summits. Of course, re:Invent was huge out here last year. That was right in between the sort of variant Omicron hitting. And it was a great, great show. We thought, okay, now we're back. And of course we're kind of back, but we're here and it's good to have you. So Veeam, AWS, I mean, they certainly embrace the cloud. What's your relationship there? >> Yeah, so Veeam is definitely a strong partner with AWS. And as you know, AWS is really a, you know, we have so many different services, and our customers and our partners are looking at how can I leverage those services and how do I back this up, right? Whether they're running things on premises and they want to put a copy of the data into Amazon S3, Amazon S3 Infrequent Access or Amazon S3 Glacier Deep Archive, all of these different technologies, you know Veeam supports them to get a copy from on-prem into AWS. But then the great thing is, you know, it's nice to have a copy of your data in the cloud but you might want to be able to do something with it once it gets there, right? So Veeam supports things like Amazon EC2 and Amazon EKS and EKS Anywhere. So those customers can actually recover their data directly into Amazon EC2 and EKS Anywhere. >> So we, of course, talked a lot about ransomware and that's important in that context of what you just mentioned. What are you seeing with the customers when you talk to them about ransomware? What are they asking AWS to do? Maybe we could start unpacking that a bit. >> Yeah, ransomware is definitely a huge topic today. We're constantly having that conversation. And, you know, five years ago there was a big malware attack that was called the NotPetya virus. And at that time it was based on Petya which was a ransomware virus, and it was designed to go in and, you know, lock in the data but it also went after the backup data, right? So it hold all of that data hostage so that people couldn't recover. Well, NotPetya was based on that but it was worse because it was the seek and destroy virus. So with the ransomware, you can pay a fee and get your data back. But with this NotPetya, it just went in, it propagated itself. It started installing on servers and laptops, anything it could touch and just deleting everything. And at that time, I actually happened to be in the hospital. So hospitals, all types of companies got hit by this attack. And my father had been rushed to the emergency room. I happened to be there. So I saw live what really was happening. And honestly, these network guys were running around shutting down laptops, taking them away from doctors and nurses, shutting off desktops. Putting like taping on pictures that said, do not turn on, right? And then, the nurses and staff were having to kind of take notes. And it was just, it was a mess, it was bad. >> Putting masks on the laptops essentially. >> Yeah, so just-- >> Disinfecting them or trying to. Wow, unplugging things from the network. >> Yes, because, you know, and that attack really demonstrated why you really need a copy of the data in the cloud or somewhere besides tape, right? So what happened at that time is if you lose 10 servers or something, you might be able to recover from tape, but if you lose a hundred or a thousand servers and all of your laptops, all in hours, literally a matter of hours, that is a big event, it's going to take time to recover. And so, you know, if you put a copy of the backup data in Amazon S3 and you can turn on that S3 Object Lock for immutability, you're able to recover in the cloud. >> So, can we go back to this hospital story? 'Cause that takes us inside the disaster potential. So they shut everything down, basically shut down the network so they could figure out what's going on and then fence it off, I presume. So you got, wow, so what happened? First of all, did they have to go manual, I mean? >> They had to do everything manually. It was really a different experience. >> Going back to the 1970s, I mean. >> It was, and they didn't know really how to do it, right? So they basically had kind of yellow notepads and they would take notes. Well, then let's say the doctor took notes, well, then the nurse couldn't read the notes. And even over the PA, you know, there was an announcement and it was pretty funny. Don't send down lab work request with just the last name. We need to know the first name, the last name, and the date of birth. There are multiple Joneses in this hospital so yeah (giggles). >> This is going to sound weird. But so when I was a kid, when you worked retail, if there was a charge for, you know, let's say $5.74 and, you know, they gave you, you know, amount of money, you would give them, you know, the penny back, count up in your head that's 75, give them a quarter and then give them the change. Today, of course, it works differently. The computer tells you, how much change to give. It's like they didn't know what to do. They didn't know how to do it manually 'cause they never had the manual process. >> That's exactly right. Some of the nurses and doctors had never done it manually. >> Wow, okay, so then technically they have to figure out what happened so that takes some time. However they do that. That's kind of not your job, right? I dunno if you can help with that or not. Maybe Amazon has some tooling to do that, probably does. And then you've got to recover from somewhere, not tape ideally. That's like the last resort. You put it on a Chevy Truck, Chevy Truck Access Method called CTAM, ship it in. That takes days, right? If you're lucky. So what's the ideal recovery. I presume it's a local copy somewhere. >> So the ideal-- >> It's fenced. >> In that particular situation, right? They had to really air gap so they couldn't even recover on those servers and things like that-- >> Because everything was infected on on-prem. >> Because everything was just continuing to propagate. So ideally you would have a copy of your data in AWS and you would turn on Object Lock which is the immutability, very simple check mark in Veeam to enable that. And that then you would be able to kick off your restores in Amazon EC2, and start running your business so. >> Yeah, this ties into the discussion of the ransomware survey where, you know, NotPetya was not seeking to extort money, it was seeking to just simply arrive and destroy. In the ransomware survey, some percentage of clients who paid ransom, never got their data back anyway. >> Oh my. >> So you almost have to go into this treating-- >> Huge percentage. >> Yeah, yeah, yeah. >> Like a third. >> Yeah, when you combine the ones where there was no request for ransom, you know, for any extorted funds, and then the ones where people paid but got nothing back. I know Maersk Line, the shipping company is a well studied example of what happened with NotPetya. And it's kind of chilling because what you describe, people running around shutting down laptops because they're seeing all of their peers' screens go black. >> Yes, that's exactly what's happening. >> And then you're done. So that end point is done at that point. >> So we've seen this, I always say there are these milestones in attacks. I mean, Stuxnet proved what a nation state could do and others learned from that, NotPetya, now SolarWinds. And people are freaking out about that because it's like maybe we haven't seen the last of that 'cause that was highly stealth, not a lot of, you know, Russian language in the malware. They would delete a lot of the malware. So very highly sophisticated island hopping, self forming malware. So who knows what's next? We don't know. And so you're saying the ideal is to have an air gap that's physically separate. maybe you can have one locally as well, we've heard about that too, and then you recover from that. What are you seeing in terms of your customers recovering from that? Is it taking minutes, hours, days? >> So that really de depends on the customers SLAs, right? And so with AWS, we offer multiple tiers of storage classes that provide different SLA recovery times, right? So if you're okay with data taking longer to recovery, you can use something like Amazon S3 Glacier Deep Archive. But if it's mission critical data, you probably want to put it in Amazon S3 and turn on that Object Lock for immutability sake. So nothing can be overwritten or deleted. And that way you can kick off your recoveries directly in AWS. >> One of the demos today that we saw, the recovery was exceedingly fast with a very small data loss so that's obviously a higher level SLA. You got to get what you pay for. A lot of businesses need that. I think it was like, I didn't think it was, they said four minutes data loss which is good. I'm glad they didn't say zero data loss 'cause there's really no such thing. So you've got experience, Jeanna, in the data protection business. How have you seen data protection evolve in the last decade and where do you see it going? Because let's face it, I mean when AWS started, okay, it had S3, 15 years ago, 16 years ago, whatever it was. Now, it's got all these tools as you mentioned. So you've learned, you've innovated along with your customers. You listened to your customers. That's your whole thing, customer obsession. >> That's right. >> What are they telling you? What do you see as the future? >> Definitely, we see more and more containerization. So you'll see with the Kasten by Veeam product, right? The ability to protect Amazon EKS, and Amazon EKS Anywhere, we see customers really want to take advantage of the ability to containerize and not have to do as much management, right? So much of what we call undifferentiated heavy lifting, right? So I think you'll see continued innovation in the area of containerization, you know, serverless computing. Obviously with AWS, we have a lot going on with artificial intelligence and machine learning. And, you know, the backup partners, they really have a unique capability in that they do touch a lot of data, right? So I think in the future, you know, things around artificial intelligence and machine learning and data analytics, all of those things could certainly be very applicable for folks like Veeam. >> Yeah, you know, we give a lot of, we acknowledge that backup is different from recovery but we often fall prey to making the mistake of saying, oh, well your data is available in X number of minutes. Well, that's great. What's it available to? So let's say I have backed up to S3 and it's immutable. By the way my wife keeps calling me and saying she wants mutability for me. (Jeanna laughs) I'm not sure if that's a good thing or not. But now I've got my backup in S3, begs the question, okay, well, now what do I do with it? Well, guess what you mentioned EC2. >> That's right. >> The ability exists to create a restore environment so that not only is the data available but the services are actually online and available-- >> That's right-- >> Which is what you want with EKS and Kasten. >> So if the customer is running, you know, Kubernetes, they're able to recover as well. So yes, definitely, I see more and more services like that where customers are able to recover their environment. It might be more than just a server, right? So things are changing. It's not just one, two, three, it's the whole environment. >> So speaking of the future, one of the last physical theCUBE interviews that Andy Jassy did with us. John Furrier and myself, we were asking about the edge and he had a great quote. He said, "Oh yeah, we look at the data center as just another edge node." I thought that was good classic Andy Jassy depositioning. And so it was brilliant. But nonetheless, we've talked a little bit about the edge. I was interviewing Verizon last week, and they told me they're putting outposts everywhere, like leaning in big time. And I was saying, okay, but outpost, you know, what can you do with outpost today? Oh, you can run RDS. And, you know, there's a few ecosystem partners that support it, and he's like, oh no, we're going to push Amazon. So what are you seeing at the edge in terms of data protection? Are customers giving you any feedback at this point? >> Definitely, so edge is a big deal, right? Because some workloads require that low latency, and things like outpost allow the customers to take advantage of the same API sets that they love in, you know, AWS today, like S3, right? For example. So they're able to deploy an outpost and meet some of those specific guidelines that they might have around compliance or, you know, various regulations, and then have that same consistent operational stance whether they're on-prem or in AWS. So we see that as well as the Snowball devices, you know, they're being really hardened so they can run in areas that don't have connected, you know, interfaces to the internet, right? So you've got them running in like ships or, you know, airplanes, or a field somewhere out in nowhere of this field, right? So lots of interesting things going on there. And then of course with IoT and the internet of things and so many different devices out there, we just see a lot of change in the industry and how data is being collected, how data's being created so a lot of excitement. >> Well, so the partners are key for outposts obviously 'cause you can't do it all yourself. It's almost, okay, Amazon now in a data center or an edge node. It's like me skating. It's like, hmm, I'm kind of out of my element there but I think you're learning, right? So, but partners are key to be able to support that model. >> Yes, definitely our partners are key, Veeam, of course, supports the outpost. They support the Snowball Edge devices. They do a lot. Again, they pay attention to their customers, right? Their customers are moving more and more workloads into AWS. So what do they do? They start to support those workloads, right? Because the customers also want that consistent, like we say, the consistent APIs with AWS. Well, they also want the consistent data protection strategy with Veeam. >> Well, the cloud is expanding. It's no longer just a bunch of remote services somewhere out there in the cloud. It's going to data centers. It's going out to the edge. It's going to local zones. You guys just announced a bunch of new local zones. I'm sure there are a lot of outposts in there, expanding your regions. Super cloud is forming right before our eyes. Jeanna, thanks so much for coming to theCUBE. >> Thank you. It's been great to be here. >> All right, and thank you for watching theCUBE's coverage. This is day two. We're going all day here, myself, Dave Nicholson, cohost. Check out siliconangle.com. For all the news, thecube.net, wikibon.com. We'll be right back right after this short break. (bright upbeat music)

>> From theCUBE Studios in Palo Alto in Boston, bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> Cybersecurity stocks have been sending mixed signals as of late, mostly negative like much of tech, but some such as Palo Alto Networks, despite a tough go of it recently have held up better than most tech names. Others like CrowdStrike, had been out performing Broader Tech in March, but then flipped in May. Okta's performance was pretty much tracking along with CrowdStrike for most of the past several months, a little bit below, but then the Okta hack changed the trajectory of that name. Zscaler has crossed the critical billion dollar ARR revenue milestone, and now sees a path to five billion dollars in revenue, but the company stock fell sharply after its last earnings report and has been on a down trend since last November. Meanwhile, CyberArk's recent beat and raise, was encouraging and the stock acted well after its last report. Security remains the number one initiative priority amongst IT organizations and the spending momentum for many high flying cyber names remain strong. So what gives in cyber security? Hello, and welcome to this week's Wikibon CUBE insights powered by ETR. In this breaking analysis, we focus on security and will update you on the latest data from ETR to try to make sense out of the market and read into what this all means in both the near and long term, for some of our favorite names in cyber. First, the news. There's always something happening in security news cycles. The big recent news is new President Rodrigo Chavez declared a national emergency in Costa Rica due to the preponderance of Russian cyber attacks on the country's critical infrastructure. Such measures are normally reserved for natural disasters like earthquakes, but this move speaks to the nature of today's cyber threats. Of no surprise is modern superpower warfare even for a depleted power like Russia almost certainly involves cyber warfare as we continue to see in Ukraine. Privately held Arctic Wolf Networks hired Dustin Williams as its new CFO. Williams has taken three companies to IPO, including Nutanix in 2016, a very successful IPO for that company. Whether AWN chooses to pull the trigger this year or will wait until markets are less choppy or obviously remains to be seen. But it's a pretty clear sign the company is headed to IPO at some point. Now, big point of discussion this week at Red Hat Summit in Boston and the prior week at Dell technologies world was security. In the case of Red Hat, securing the digital supply chain was the main theme. And from Dell building, many security features into its storage arrays and cyber resilience services into its as a service offering called Apex. And we're seeing a trend where buyers want to reduce the number of bespoke tools they use if they, in fact can. Here's IDC's Jim Mercer, sharing data from a recent survey they conducted on the topic. Play the clip. >> Interestingly, we did a survey, I think around last August or something. And one of the questions was around where do you want your security, right? Where do you want to get your DevSecOps security from? Do you want to get it from individual vendors, right? Or do you want to get it from like your platforms that you're using and deploying changes in Kubernetes? >> Great question. What did they say? >> The majority of them, they're hoping they can get it built into the platform. That's really what they want-- >> Now, whether that's actually achievable is debatable because you have so much innovation and investment going on from the likes of startups and for instance, lace work or sneak and security companies that you see even trying to build platforms, you've got CrowdStrike, Okta, Zscaler and many others, trying to build security platforms and put it all under their umbrella. Now the last point will hit here is there was a lot of buzz in the news about Okta. The reaction to what was a relatively benign hack was pretty severe and probably overblown, but Okta's stock is paying the price of what is generally considered a blown communications plan versus a technical failure. Remember, identity is not an easy thing to rip and replace and Okta remains a best-of-breed player and leader in the space. So we're going to look at some ETR data later in this segment to try and make sense of the recent action in the market and certain names. Speaking of which let's take a look at how some of the names in cybersecurity have fared relative to some of the indices and relative indicators that we like to look at. Here's a Google finance comparison for a number of stocks and names in the bottom there you can see we plot the hack ETF which tracks security stocks. This is a year to date view. And so we don't show it here but the tech heavy NASDAQ is off around 26% year to date whereas the cyber ETF that we're showing is down 18%, okay. So cyber holding up a little bit better than broader tech as we've reported earlier, was actually much better and still seems to be a gap there, but the data are mixed. You can see Okta is way off relative to its peers. That's a combination of the breach that we talked about but also the run up in the stock since COVID. CrowdStrike was actually faring better but broke this month, we'll see how it's upcoming earnings announcements are received when it announces on June 2nd after the close. Palo Alto in the light blue has done better than most and until recently was holding up quite well. And of course, Sailpoint is another identity specialist, it is kind of off the charts here because it's going private with the acquisition by Thoma Bravo at nearly seven billion dollars. So you see some mixed signals in cyber these past several months and weeks. And so we're trying to understand what that all means. So let's take a look at the survey data and see how spending momentum is holding up. As we've reported IT spending forecast, at the macro level, they've come off their 8% highs from the end of the year, the ETRS December survey, but robust tech spending is still there. It's expected at nearly seven percent and this is amongst 1200 ETR respondents. Here's a picture from the ETR survey of the cybersecurity landscape. That y-axis that's net score or a measure of spending momentum and that horizontal access is overlap. We used to talk about it as a market share which is a measure of pervasiveness in the data set. That dotted red line at 40% indicates an elevated spending momentum level on the vertical axis and we filter the names and limited to only those with a hundred or more responses in the ETR survey. Then the pictures still pretty crowded as you can see. You got lots of companies above the red dotted line, including Microsoft which is up into the right, they're so far off the chart, it's just amazing. But also Palo Alto and Okta, Auth0, which of course is now owned by Okta, Zscaler, CyberArk is making moves. Sailpoint and Cloudflare, they're all above that magic 40% line. Now, you look at Cisco, it shows a very large presence in the horizontal axis in the data set. And it's got pretty respectable momentum and you see Splunk doing okay, no before and tenable just below that 40% line and a lot of names in the very respectable 20% zone. And we've included some legacy names just for context that fall below the zero percent line with a negative net score. And that means a larger proportion, that negative net score means a larger proportion of their customers in the survey are spending less than those that are spending more. Now, typically for these legacy names you're going to have a huge proportion of customers who have flat spending that kind of fat middle and that's why they sort of don't have that highly elevated score, but they're still viable as they get the recurring revenue each year. But the bottom line is that spending remains robust for some of the top names that we've talked about earlier despite their rocky stock performance. Now, let's filter this data a bit more to make it a little bit easier to read. So to do that, we take out Microsoft because they're just so dominant and we cherry pick some names to make the data more consumable and scannable. The other data point we've added is Okta's net score breakdown, the multicolored rows there, that row in the bottom right. Net score, it measures the percent of customers that are adding the platform new, that's the lime green, at 18% for Okta. The forest green is at 42%. That's the percent of customers in the survey that are spending six percent or more. The gray is flat spending. That's 32% for Okta, this past survey. The pink is customers that are spending less, that's three percent. They're spending six percent or worse in the survey, so only three percent for Okta. And the bright red at three percent is decommissioning the platform. You subtract the reds from the greens and you get a net score, well, into the 50s for Okta and you can see. We highlight Okta here because it's a name that we've been following for quite some time and customers have given us really solid feedback on the technology and up until the hack, they're affinity to Okta, but that seems to be continuing. We'll talk more about that. This recent breach to Okta has caused us to take a closer look. And you may recall, we reported with our ETR colleague, Eric Bradley. The breach was announced right in the middle of ETR collecting data in the last survey. And while we did see a noticeable downtick right after the announcement, the exposure of the hack and Okta's net score just after the breach was disclosed, you can see the combination of Okta and Auth0 remains very strong. I asked Eric Bradley this morning what he thought about Okta, and he pointed out that you can't evaluate this company on its price to earnings ratio. But it's forward sales multiple is now below 7X. And while attractive, these high flyers at some point, Eric says, they got to start making a profit. So you going to hold that thought, we'll come back to that. Now, another cut of the ETR data to look at our four star security names here. A while back we developed a methodology to try and cut through the noise of the crowded security sector using the ETR data to evaluate two key metrics; net score and shared N. Net score again is, spending momentum, the latter is an indicator of presence in the data set which is a proxy for market presence. Okay, we assigned those companies that cracked the top 10 in both net score and shared N, we give them four stars, okay, if they make the top 10. This chart here shows the April survey data for those companies with an N that's greater than, equal to a hundred responses. So again, we're filtering on those with a hundred or more responses. The table on the left that you see there, that's sorted by net score, okay. So we're sorting by spending momentum. And then the one on the right is sorted by shared N, so their presence in the data set. Seven companies hit the top 10 for both categories; Palo Alto Network, Splunk, CrowdStrike Okta, Proofpoint, Fortinet and Zscaler. Now, remember, take a look, Okta excludes Auth0, in this little methodology that we came up with. Auth0 didn't make the cuts but it hits the top 10 for net score. So if you add in Auth0's 112 N there that you see on the right. You add that into Okta, we put Okta in the number two spot in the survey on the right most table with the shared N of 354. Only Cisco has a higher presence in the data set. And you can see Cisco in the left lands just below that red dotted line. That's the top 10 in security. So if we were to combine Okta and Auth0 as one, Cisco would make the cut and earn four stars. Now, some other notables are CyberArk, which is just below the red line on the right most chart with an impressive 177 shared N. Again, if you combine Auth0 and Okta, CyberArk makes the four star grade because it's in the top 10 for net score on the left. And Sailpoint is another notable with a net score above 50% and it's got a shared N of 122, which is respectable. So despite the market's choppy waters, we're seeing some positive signs in the survey data for some of the more prominent names that we've been following for the last couple of years. So what does this mean for the markets going forward? As always, when we see these confusing signs we like to reach out to the network and one of the sharpest traders out there is Chip Simonton. We've quoted him before and we like to share some of his insights. And so we're going to highlight some of that here. So technically, almost every good tech stock is oversold. And as such, he suggested we might see a bounce here. We certainly are seeing that on this Friday, the 13th. But the right call tactically has been to sell into the rally these past several months, so we'll see what happens on Monday. The key issue with the name like Okta and some other momentum names like CrowdStrike and Zscaler is that when money comes back into tech, it's likely going to go to the FAANG stocks, the Facebook, Apple, Amazon, Netflix, Google, and of course, you put Microsoft in there as well. And we'll see about Amazon, by the way, it's kind of out of favor right now, as everyone's focused on the retail side of the business meanwhile it's cloud business is booming and that's where all the profit is. We think that should be the real focus for Amazon. But the point is, for these momentum names in cybersecurity that don't make money, they face real headwinds, as growth is slowing overall and interest rates rise, that makes the net present value of these investments much less attractive. We've talked about that before. But longer term, we agree with Chip Simonton that these are excellent companies and they will weather the storm and we think they're going to lead their respective markets. And in cyber, we would expect continued M&A activity, which could act as a booster shot in the arms of these names. Now in 2019, we saw the ETR data, it pointed to CrowdStrike, Zscaler, Okta and others in the security space. Some of those names that really looked to us like they were moving forward and the pandemic just created a surge in these names and admittedly they got out over their skis. But the data suggests that these leading companies have continued momentum and the potential for stay in power. Unlike the SolarWinds hack, it seems at this point anyway that Okta will recover in the market. For the reasons that we cited, investors, they might stay away for some time but longer term, there's a shift in CSO security strategies that appear to be permanent. They're really valuing cloud-based modern platforms, these platforms will likely continue to gain share and carry their momentum forward. Okay, that's it for now, thanks to Stephanie Chan, who helps with the background research and with social, Kristen Martin and Cheryl Knight help get the word out and do some great work as well. Alex Morrison is on production and handles all of our podcast. Alex, thank you. And Rob Hof is our Editor in Chief at SiliconANGLE. Remember, all these episodes, they're available as podcast, you can pop in the headphones and listen, just search "Breaking Analysis Podcast." I publish each week on wikibon.com and SiliconANGLE.com. Don't forget to check out etr.ai, best in the business for real customer data. It's an awesome platform. You can reach me at dave.vellante@siliconangle.com or @dvellante. You can comment on our LinkedIn posts. This is Dave Vellante for the CUBEinsights powered by ETR. Thanks for watching. And we'll see you next time. (bright upbeat music)

(upbeat music) >> Welcome back. We're winding down theCUBE's coverage of Red Hat Summit 2022. We're here at the Seaport in Boston. It's been two days of a little different Red Hat Summit. We're used to eight, 9,000 people. It's much smaller event this year, fewer developers or actually in terms of the mix, a lot more suits this year, which is kind of interesting to see that evolution and a big virtual audience. And I love the way, the keynotes we've noticed are a lot tighter. They're pithy, on time, they're not keeping us in the hall for three hours. So we appreciate that kind of catering to the virtual audience. Dave Vellante here with my co-host, Paul Gillin. As to say things are winding down, there was an analyst event here today, that's ended, but luckily we have Jim Mercer here as a research director at IDC. He's going to share maybe some of the learnings from that event today and this event overall, we're going to talk about DevSecOps. And Kirsten Newcomer is director of security, product management and hybrid platforms at Red Hat. Folks, welcome. >> Thank you. >> Thank you. >> Great to see you. >> Great to be here. >> Security's everywhere, right? You and I have spoken about the supply chain hacks, we've done some sort of interesting work around that and reporting around that. I feel like SolarWinds created a new awareness. You see these moments, it's Stuxnet, or WannaCry and now is SolarWinds very insidious, but security, Red Hat, it's everywhere in your portfolio. Maybe talk about the strategy. >> Sure, absolutely. We feel strongly that it's really important that security be something that is managed in a holistic way present throughout the application stack, starting with the operating system and also throughout the life cycle, which is partly where DevSecOps comes in. So Red Hat has kind of had a long history here, right? Think SELinux and Red Hat Enterprise Linux for mandatory access control. That's been a key component of securing containers in a Kubernetes environment. SELinux has demonstrated the ability to prevent or mitigate container escapes to the file system. And we just have continued to work up the stack as we go, our acquisition of stack rocks a little over a year ago, now known as Red Hat Advanced Cluster Security, gives us the opportunity to really deliver on that DevSecOps component. So Kubernetes native security solution with the ability to both help shift security left for the developers by integrating in the supply chain, but also providing a SecOps perspective for the operations and the security team and feeding information between the two to really try and do that closed infinity loop and then an additional investment more recently in sigstore and some technologies. >> Interesting. >> Yeah, is interesting. >> Go ahead. >> But Shift Left, explain to people what you mean by Shift Left for people might not be familiar with that term. >> Fair enough. For many, many years, right, IT security has been something that's largely been part of an operations environment and not something that developers tended to need to be engaged in with the exception of say source code static analysis tools. We started to see vulnerability management tools get added, but even then they tend to come after the application has been built. And I even ran a few years ago, I ran into a customer who said my security team won't let me get this information early. So Shift Left is all about making sure that there are security gates in the app dev process and information provided to the developer as early as possible. In fact, even in the IDE, Red Hat code ready dependency analytics does that, so that the developers are part of the solution and don't have to wait and get their apps stalled just before it's ready to go into deployment. >> Thank you. You've also been advocating for supply chain security, software supply chain. First of all, explain what a software supply chain is and then, what is unique about the security needs of that environment? >> Sure. And the SolarWinds example, as Dave said, really kind of has raised awareness around this. So just like we use the term supply chain, most people given kind of what's been happening with the pandemic, they've started hearing that term a lot more than they used to, right? So there's a supply chain to get your groceries, to the grocery store, food to the grocery store. There's a supply chain for manufacturing, where do the parts come for the laptops that we're all using, right? And where do they get assembled? Software has a supply chain also, right? So for years and even more so now, developers have been including open source components into the applications they build. So some of the supplies for the applications, the components of those applications, they can come from anywhere in the world. They can come from a wide range of open source projects. Developers are adding their custom code to that. All of this needs to be built together, delivered together and so when we think about a supply chain and the SolarWinds hack, right, there are a couple of elements of supply chain security that are particularly key. The executive order from May of last year, I think was partly in direct response to the SolarWinds hack. And it calls out that we need a software bill of materials. Now again, in manufacturing that's something folks are used to, I actually had the opportunity to contribute to the software package data exchange format, SPDX when it was first started, I've lost track of when that was. But an S-bomb is all about saying, what are all of those components that I'm delivering in my solution? It might be an application layer. It might be the host operating system layer, but at every layer. And if I know what's in what I'm delivering, I have the opportunity to learn more information about those components to track where does Log4Shell, right? When the Log4j or Spring4Shell, which followed shortly thereafter. When those hit, how do I find out which solutions that I'm running have the vulnerable components in them and where are they? The software bill of materials helps with that but you also have to know where, right. And that's the Ops side. I feel like I missed a piece of your question. >> No, it's not a silver bullet though, to your point and Log4j very widely used, but let's bring Jim into the conversation. So Jim, we've been talking about some of these trends, what's your focus area of research? What are you seeing as some of the mega trends in this space? >> I mean, I focus in DevOps and DevSecOps and it's interesting just talking about trends. Kirsten was mentioning the open source and if you look back five, six, seven years ago and you went to any major financial institution, you asked them if they use an open source. Oh, no. >> True. >> We don't use that, right. We wrote it all here. It's all from our developers-- >> Witchcraft. >> Yeah, right, exactly. But the reality is, they probably use a little open source back then but they didn't realize it. >> It's exactly true. >> However, today, not only are they not on versed to open source, they're seeking it out, right. So we have survey data that kind of indicates... A survey that was run kind of in late 2021 that shows that 70% of those who responded said that within the next two years 90% of their applications will be made up of open source. In other words, the content of an application, 10% will be written by themselves and 90% will come from other sources. So we're seeing these more kind of composite applications. Not, everybody's kind of, if you will, at that 90%, but applications are much more composite than they were before. So I'm pulling in pieces, but I'm taking the innovation of the community. So I not only have the innovation of my developers, but I can expand that. I can take the innovation to the community and bring that in and do things much quicker. I can also not have my developers worry about things that, maybe just kind of common stuff that's out there that might have already been written. In other words, just focus on the business logic, don't focus on, how to get orders or how to move widgets and those types of things that everybody does 'cause that's out there in open source. I'll just take that, right. I'll take it, somebody's perfected it, better than I'll ever do. I'll take that in and then I'll just focus and build my business logic on top of that. So open source has been a boom for growth. And I think we've heard a little bit of that (Kirsten laughs) in the last two days-- >> In the Keynotes. >> From Red Hat, right. But talking about the software bill of materials, and then you think about now I taking all that stuff in, I have my first level open source that I took in, it's called it component A. But behind component A is all these transitive dependencies. In other words, open source also uses open source, right? So there's this kind of this, if you will, web or nest, if you want to call it that, of transitive dependencies that need to be understood. And if I have five, six layers deep, I have a vulnerability in another component and I'm over here. Well, guess what? I picked up that vulnerability, right. Even though I didn't explicitly go for that component. So that's where understanding that software bill of materials is really important. I like to explain it as, during the pandemic, we've all experienced, there was all this contact tracing. It was a term where all came to mind. The software bill of materials is like the contact tracing for your open source, right. >> Good analogy. >> Anything that I've come in contact with, just because I came in contact with it, even though I didn't explicitly go looking for COVID, if you will, I got it, right. So in the same regard, that's how I do the contact tracing for my software. >> That 90% figure is really striking. 90% open source use is really striking, considering that it wasn't that long ago that one of the wraps on open source was it's insecure because anybody can see the code, therefore anybody can see the vulnerabilities. What changed? >> I'll say that, what changed is kind of first, the understanding that I can leapfrog and innovate with open source, right? There's more open source content out there. So as organizations had to digitally transform themselves and we've all heard the terminology around, well, hey, with the pandemic, we've leapfrog up five years of digital transformation or something along those lines, right? Open source is part of what helps those teams to do that type of leapfrog and do that type of innovation. You had to develop all of that natively, it just takes too long, or you might not have the talent to do it, right. And to find that talent to do it. So it kind of gives you that benefit. The interesting thing about what you mentioned there was, now we're hearing about all these vulnerabilities, right, in open source, that we need to contend with because the bad guys realize that I'm taking a lot of open source and they're saying, geez, that's a great way to get myself into applications. If I get myself into this one open source component, I'll get into thousands or more applications. So it's a fast path into the supply chain. And that's why it's so important that you understand where your vulnerabilities are in the software-- >> I think the visibility cuts two ways though. So when people say, it's insecure because it's visible. In fact, actually the visibility helps with security. The reality that I can go see the code, that there is a community working on finding and fixing vulnerabilities in that code. Whereas in code that is not open source it's a little bit more security by obscurity, which isn't really security. And there could well be vulnerabilities that a good hacker is going to find, but are not disclosed. So one of the other things we feel strongly about at Red Hat, frankly, is if there is a CVE that affects our code, we disclose that publicly, we have a public CVE database. And it's actually really important to us that we share that, we think we share way more information about issues in our code than most other users or consumers of open source and we work that through the broad community as well. And then also for our enterprise customers, if an issue needs to be fixed, we don't just fix it in the most recent version of the open source. We will backport that fix. And one of the challenges, if you're only addressing the most recent version, that may not be well tested, it might have other bugs, it might have other issues. When we backport a security vulnerability fix, we're able to do that to a stable version, give the customers the benefit of all the testing and use that's gone on while also fixing. >> Kirsten, can you talk about the announcements 'cause everybody's wondering, okay, now what do I do about this? What technology is there to help me? Obviously this framework, you got to follow the right processes, skill sets, all that, not to dismiss that, that's the most important part, but the announcements that you made at Red Hat Summit and how does the StackRox acquisition fit into those? >> Sure. So in particular, if we stick with DevSecOps a minute, but again, I'll do. Again for me, DevSecOps is the full life cycle and many people think of it as just that Shift Left piece. But for me, it's the whole thing. So StackRox ACS has had the ability to integrate into the CI/CD pipeline before we bought them. That continues. They don't just assess for vulnerabilities, but also for application misconfigurations, excess proof requests and helm charts, deployment YAML. So kind of the big, there are two sort of major things in the DevSecOps angle of the announcement or the supply chain angle of the announcement, which is the investment that we've been making in sigstore, signing, getting integrity of the components, the elements you're deploying is important. I have been asked for years about the ability to sign container images. The reality is that the signing technology and Red Hat signs everything we ship and always have, but the signing technology wasn't designed to be used in a CI/CD pipeline and sigstore is explicitly designed for that use case to make it easy for developers, as well as you can back it with full CO, you can back it with an OIDC based signing, keyless signing, throw away the key. Or if you want that enterprise CA, you can have that backing there too. >> And you can establish that as a protocol where you must. >> You can, right. So our pattern-- >> So that would've helped with SolarWinds. >> Absolutely. >> Because they were putting in malware and then taking it out, seeing what happened. My question was, could sigstore help? I always evaluate now everything and I'm not a security expert, but would this have helped with SolarWinds? A lot of times the answer is no. >> It's a combination. So a combination of sigstore integrated with Tekton Chains. So we ship Tekton, which is a Kubernetes supply chain pipeline. As OpenShift pipelines, we added chains to that. Chains allows you to attest every step in your pipeline. And you're doing that attestation by signing those steps so that you can validate that those steps have not changed. And in fact, the folks at SolarWinds are using Tekton Chains. They did a great talk in October at KubeCon North America on the changes they've made to their supply chain. So they're using both Tekton Chains and sigstore as part of their updated pipeline. Our pattern will allow our customers to deploy OpenShift, advanced cluster manager, advanced cluster security and Quay with security gates in place. And that include a pipeline built on Tekton with Tekton Chains there to sign those steps in the pipeline to enable signing of the code that's moving through that pipeline to store that signature in Quay and to validate the image signature upon deployment with advanced cluster security. >> So Jim, your perspective on this, Red Hat's, I mean, you care about security, security's everywhere, but you're not a security company. You follow security companies. There's like far too many of them. CISOs all say my number one challenge is lack of talent, but I have all these tools to deal with. You see new emerging companies that are doing pretty well. And then you see a company that's highly respected, like an Okta screw up the communications on a pretty benign hack. Actually, when you peel the onion on that, it's just this mess (chuckles) and it doesn't seem like it's going to get any simpler. Maybe the answer is companies like Red Hat kind of absorbing that and taking care of it. What do you see there? I mean, maybe it's great for business 'cause you've got so many companies. >> There's a lot of companies and there's certainly a lot of innovation out there and unique ways to make security easier, right. I mean, one of the keys here is to be able to make security easier for developers, right. One of the challenges with adopting DevSecOps is if DevSecOps creates a lot of friction in the process, it's hard to really... I can do it once, but I can't keep doing that and get the same kind of velocity. So I need to take the friction out of the process. And one of the challenges a lot of organizations have, and I've heard this from the development side, but I've also heard it from the InfoSec side, right. Because I take inquiry for people on InfoSec, and they're like, how do I get these developers to do what I want? And part of the challenge they have is like, I got these teams using these tools. I got those teams using those tools. And it's a similar challenge that we saw on DevOps where there's just too many, if you will, too many dang tools, right. So that is a challenge for organizations is, they're trying to kind of normalize the tools. Interestingly, we did a survey, I think around last August or something. And one of the questions was around, where do you want your security? Where do you want to get your DevSecOps security from, do you want to get it from individual vendors? Or do you want to get it from like, your platforms that you're using and deploying changes in Kubernetes. >> Great question. What did they say? >> The majority of them, they're hoping they can get it built into the platform. That's really what they want. And you see a lot of the security vendors are trying to build security platforms. Like we're not just assess tool, we're desk, we're this, whatever. And they're building platforms to kind of be that end-to-end security platform, trying to solve that problem, right, to make it easier to kind of consume the product overall, without a bunch of individual tools along the way. But certainly tool sprawl is definitely a challenge out there. Just one other point around the sigstore stuff which I love. Because that goes back to the supply chain and talking about digital providence, right. Understanding where things... How do I validate that what I gave you is what you thought it was, right. And what I like about it with Tekton Chains is because there's a couple things. Well, first of all, I don't want to just sign things after I built the binary. Well, I mean, I do want to sign it, but I want to just sign things once, right. Because all through the process, I think of it as a manufacturing plant, right. I'm making automobiles. If I check the quality of the automobile at one stage and I don't check it to the other, things have changed, right. How do I know that I did something wasn't compromised, right. So with sigstore kind of tied in with Tekton Chains, kind of gives me that view. And the other aspect I like it about is, this kind of transparency in the log, right-- >> The report component. >> Exactly. So I can see what was going on. So there is some this kind of like public scrutiny, like if something bad happened, you could go back and see what happened there and it wasn't as you were expected. >> As with most discussions on this topic, we could go for an hour because it's really important. And thank you guys for coming on and sharing your perspectives, the data. >> Our pleasure. >> And keep up the good work. Kirsten, it's on you. >> Thanks so much. >> The IDC survey said it, they want it in platforms. You're up. >> (laughs) That's right. >> All right. Good luck to both you. >> Thank you both so much. >> All right. And thank you for watching. We're back to wrap right after this short break. This is Dave Vellante for Paul Gill. You're watching theCUBE. (upbeat music)