>> Live, from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hello everyone, welcome back to theCUBE's live coverage in Boston, Massachusetts, here for two days, AWS Amazon Web Services re:Inforce, their inaugural conference around security. I'm John Furrier, Dave Vellante, our next guest Andy Miller. Senior director, global public cloud at Sophos. Based out of the UK and here in Burlington, Massachusetts. Welcome to theCUBE. >> Thank you. >> Looking good, love that jacket, nice color on you! (all laughing) >> I got the memo. >> You got the memo! >> Blue jacket! >> Thanks for having me, it's great to be here. It's great to be a part of AWS's first security event, security focused event, not by coincidence, happening right here where our US headquarters is. We're very excited to be a part of it. Wanted to share with you guys, I brought you a little gift. Socks are definitely a part of our-- >> Thank you, love the socks. >> Okay, I'm wearing them tomorrow. So we'll do a little close up on that. >> They're mostly clean. >> Thank you very much. Stu Miniman will love this, he loves socks. He'll replace his Star Wars socks with those. >> Thank you, Andy. >> Andy, thanks, so I want to get your impression of the show, obviously, inaugural event. And it's interesting, you look at Amazon, we've been covering Amazon for eight years with theCUBE, prior to that, just as a company, love the company, obviously, the success of cloud is a no-brainer. But re:Invent is their name of their global conference on the commercial side, for all their customers. And everything else they call summits. This is not a summit, this is not an Amazon Web Services summit, this is a branded event with the word re, not invent, but re:Inforce so gives that call out. Good call on their front? Is it needed? Why is this show so important, what's your opinion on that? >> I think it absolutely is, it's very helpful to customers to help them to understand their responsibilities when it comes to security in the cloud. And just like re:Invent was essentially reinventing the network into a digital environment, this is reinforcing their environment and understanding what their responsibilities are, where the cloud provider's very secure infrastructure ends and where their responsibilities with applications and data that resides in the cloud starts. >> What does your data show in terms of the evolving threat landscape? I mean, there's one school of thought that says okay, security in the cloud, actually, well it was a concern early on, people say oh it's better. That maybe raises the bar and lowers the ROI for the bad guys, but what are you seeing? But at the same time it's more global and distributed which opens up holes. What are your guys seeing? >> So, what we're seeing is that, the cloud's interesting in that there's not necessarily anything that is new or unique from an attack perspective. It's more of an attack surface perspective. And what I mean by that is is that, with an on premise environment, sometimes controls are very easy to place around new instances, new workloads being stood up, a change control process that is very controlled, key carded data centers and so forth. Cloud accounts operate very differently and one of the things that makes the cloud great is the speed at which you can go to market and stand up new resources, that also creates challenges for customers when it comes to visibility and securing those assets. >> Yeah, I mean the guy from Liberty Mutual today in the keynote, said his number one challenge is just keeping up with Amazon, the pace of change, you're seeing that in your client base? And how are they dealing with it? >> Absolutely, one of the conversations that I frequently have with customers when it comes to the visibility and keeping up with angle is, I frequently will say to customers, pull out your cloud bill, if you are aware of and know everything that is on that bill and where it came from, frankly I'd be very surprised. A lot of them struggle with that, with being able to keep up with that. And it's again a double edged sword, it's great as far as a business standpoint and being able to extend your business globally within minutes, but it's also a challenge for them from a security standpoint. >> And you talk about the challenges that businesses are up against when it comes to cloud security because on premises has decades of experiences dealing with security, the old days of perimeter based security, some still do that. Now the perimeter's pretty much gone away with cloud, cloud native has a different approach. So there seems to be a lot of questions around what to do, what are those challenges in cloud security specifically, that businesses face? >> So, you hit the first one, right? The first one is this concept of I build a castle and put a big wall around it and a moat around it, no longer exists, right? The perimeter is a memory. Another one is, as I mentioned before, the speed at which resources are added to the cloud, that's difficult for customers 'cause you can't see it, you can't secure it, right? If you don't know it exists. And then the third thing is really being able to understand how you make security happen within the cloud because those tools that you used on premise and in your own perimeter, don't necessarily exactly translate to the cloud. And it's important to have solutions that are designed for that and that not only work and operate well within the cloud but also don't take away the benefits of the cloud. If you have a solution that's going to slow you down or make it where you can't innovate at the speed of the cloud, you might as well keep it on prem, you're taking away all the benefit of the cloud. >> So, are you finding, a lot of times, the early cloud days with a lot of so called crapplications, just going to the cloud, okay. So maybe not as much credit card information, so maybe it's not as valuable, but are you seeing, people hitting the cloud more today than, say, certain on prem environments? Is it escalating, what does your data show? >> So, there was a study done not too long ago that showed past and projected cloud growth from 2017 to 2022. And what was interesting was the cloud services revenue growth was expected to grow by double, the cloud security spending was expected to grow by more than three times. And we think that was in large part of customers understanding their responsibilities in the shared security model, but also a product of exactly what you say, crapplications, right? One of our first customers that I think of was a convenience store chain, the very first things they moved, store locator and nutritional information applications. If something went wrong with those, yes, it's not great for your business if they can't find your store, but it's not credit card data, it's not personal information so on and so forth. As businesses start moving really key to the business applications, ERP systems, things like that, with real data that's at risk, that's where their focus on security is real strong. >> So there's a lot of confusion out there. And as I walk around the show floor here, I see, we secure the cloud, we the secure the cloud, no we secure the cloud! And I hear from Amazon we have a shared responsibility model, we secure the infrastructure, a lot of customers think, hey, Amazon has great security, so does Google, so does Microsoft, I'll put it in the cloud, I'll be good to go. Help us clear up some of that confusion, what's your point of view on that? >> Yeah, I think that when you look at it, customers were at one point extremely afraid of the cloud. And the cloud providers themselves did a great job of talking about why you could trust their infrastructure. In the process, I think customers have a difficult time understanding where their responsibility begins. And what we always like to say is, the cloud provider's responsible for the security of the cloud, you, Mr. Customer, are responsible for the security in the cloud. And the reason that's important is, the fact is the cloud providers could potentially provide the security in the cloud, but the measure of control that they would have over the applications that you build, the applications that you deploy, who you give access to and what you allow them to do would be so great, I don't think it would be a really positive experience for customers. >> Too many permutations. Just 'cause, criticism early on in cloud security wasn't that the security was bad, it was that, I couldn't enforce the edicts of my organization, there weren't enough features and now today, it's like you're drinking from this fire hose of features. So is that really the issue? It's up to you to figure out what works for your organization and then apply it. We heard today, you've got to opt in for things like encryption. Make sure you opt in to each availability zone. So that's a individual customer choice. Amazon provides the tools, okay, but then where do you pick up? Where does Sophos pick up? >> So, that's a great segue, so, as an example, our new Sophos Cloud Optics product does a great job with that, for instance uses the AWS CIS benchmarks. And that is a heavy heavy document that may be difficult for a customer to ingest, but we can run it against all of your workloads, your S3 buckets and see that you're in compliance with that CIS benchmark policy. That's a great place to start. Maybe you have some compliance regulations that you have to follow that have a security component to it such as BCI for example. And they would lead you towards things like identity and access management, they would lead you towards, am I following a good password policy? A good updating policy, am I sure that my S3 buckets are encrypted and not accessible to the internet without some sort of protection in place? All those things. >> The evolving cloud security landscape's changing on the threats side. You've got now detection, alerts, all these things are going on. You guys have some data on the cyber criminal activity. Up, down, is it more complex, harder to crack? Is there people cracking it? Certainly we know people are always trying, you can attack anything, we've seen foreign states enabling these groups out there, you've seen all kinds of cyber criminals, what's the data showing? >> So, the data shows, I think the most compelling thing. We did a study that we commissioned earlier this year where we placed workloads in 10 of AWS's most popular data centers around the world. And what we saw was, the first attempt to compromise one of those assets took all of 52 seconds. 52 seconds after we launched it there was an attempt to compromise it. More compelling was the fact that, on average it took a sum total of 40 minutes was the average time before an attempt to compromise took place. And, on top of that, once the asset was discovered, on average every 13 times every single minute of every single hour of every single day over a 30 day period, someone was attempting to compromise this. We ended up totalling over five million attempted compromises in a 30 day period on 10 assets. So, I think the biggest thing is not so much the techniques, but the level of automation that the bad guys have going on, they know that there are assets out there, that are not in a state that they necessarily should be and they are doing their level best to find them as absolutely quick as possible. >> What makes the cloud so attractive to the cyber criminals? >> I think the biggest thing is that as customers go from the crapplication into some real applications, they know that there is a lot of data there. They also know that customers are, well this is a newer platform for them, and they may be struggling with understanding exactly what they need to do differently than they did on prem in order to secure it. >> So follow up on that, how do you approach cloud security and how is different than on prem? >> So, the biggest difference is can it work within the fabric of the cloud? Is there tight integration with the things that the cloud providers offer? And do you not in any way hamper the great things about the cloud, scalability, the option to be available in a matter of seconds? If you are hampering that, then that's not security that's really going to work well, it's the whole benefit of the cloud in the first place, right? >> So sum up your cloud solution, what's the big problem that you guys solve? >> So, we have several different solutions that are available from a next generation firewall to our host protection. Our newest offering Sophos Cloud Optics, is really about helping them to gain that visibility, to understand exactly what they have running in the cloud, present a topology map that shows them how it connects, how it communicates, both internally and to the outside world. And then to constantly and continuously evaluate where they are in a security posture. >> So that's visibility into threats? >> Yep and for posture as well. >> Help look for quality alerts. >> Yep. >> Okay, so what's the customer orientation right now? Red, yellow, green? (he laughs) It seems to me it's always red. We asked someone earlier, what's a good day in security? And it's like, when we're still in business. There's a lot of pressure, again, hacking just shows you, it's easy to attack, certainly seconds to minutes, things are being compromised. It's going to happen on premise as well. What's the state of the union in your view? >> I think for customers there is a feeling sometimes and I think we as security vendors need to be careful about this, of not presenting the world as impossible to secure because I believe that it is absolutely possible to secure the world. I think there are some things that customers need to do, I think it's difficult for them sometimes to cut through some of the misinformation, the marketing spin and so on and so forth that's out there, but it's really incumbent upon them to look and read through the materials that are provided by the cloud providers to understand where their responsibilities begin and end. And then find the solutions that they've always used on prem and been successful with, that are ported to the cloud. And if they're not ported to the cloud to look for a different vendor. >> So why Sophos? >> So, Sophos has been around for 30 years. We have along history, we've been a security company, always a security company. And we have frankly what is a rather long track record in the cloud, we first ported our firewall to the cloud six years ago, we've continued to innovate in the cloud. We are able to do things that other vendors are not to support things that customers want to do, autoscaling, outbound gateway, things like that. And we continue to innovate that platform as well as add key pieces to our platform such as our Cloud Optics, which interestingly enough, came to us as we were shopping for it as a customer to support our own central infrastructure that runs in AWS. Our security guys thought, hey we need a product that will help us with visibility and posture management. And then they turned to the organization and said, hey this is great product, we ought to look at buying this company and that's how that acquisition came about. >> And so what's new with the company? What's going on, what are you guys doing? Got a lot here at Amazon, what other things you working on that's important to tell? >> Yeah, we're basically at this point, with that acquisition of Optics happened, it was a company called Avid Secure. That just went down in January this year, we released in the first week of April. Our own skinned Sophos version of the product. And we're really looking to continue that innovation. Our theme this year for our company was evolve. We feel that as the world evolves, security evolves and we have to evolve as well. And so there's a real focus on constantly evolving our products, innovating and trying to stay one step ahead of the bad guys, unfortunately. >> Andy, you've been around, we've been around, we've seen all waves come and go. Client server mainframe all the way back into those days to now. What do you think the most important story in the security industry is these days? What needs to be told that either is being told or needs to be amplified or isn't being told, what do you think's the high order bid in terms of the most important story? >> I think there's two fronts to that. One is as I mentioned, evolve was a big point of discussion in our internal meetings as well as our partner conferences. And helping customers to understand that their world has to evolve as well. The idea of a perimeter for instance, there are lot of companies that still try to stick to that idea of I can build a wall around my business. And the reality is is between mobile devices, between every employee practically has a laptop now, the idea of keeping that castle wall around your business is just unrealistic and so, customers have to understand that. They also have to understand that a migration to the cloud is inevitable and the sooner that they embrace that, the sooner they'll get the benefits of it and the sooner that they can begin the journey to the cloud. We feel it's inevitable. >> Andy, great insight, the evolving security threat landscape here on theCUBE. Live coverage covering AWS re:Inforce. Be right back with more after a short break, I'm John Furrier with Dave Vellante, we'll be right back.