(upbeat music) >> Welcome to this special Cube conversation here in Palo Alto, California. I'm John Furrier, host of theCUBE, we have two special guests, Karim Toubba, CEO of Kenna Security, and Caroline Japic, CMO, Kenna Security. Great to see you guys, thanks for coming on, appreciate you taking the time, appreciate it. >> Thanks for having us. >> So RSA is coming up, big show, security's at the top of the list of all companies. You guys have a very interesting company. Risk based vulnerability management is like the core secret sauce, but there's a lot going on. Take a minute to talk about your company. What do you guys do? Why do you exist? >> Yeah, sure. Thanks for having us. Some, the security landscape as you very well know, pretty crowded space, a lot of different vendors, a lot of technologies that enterprises and organisations have to deal with. What we do has a lot of complexity behind it, but in an app practicality for enterprises is actually quite simple. They have many, many data sources that are finding problems for them, mapping to their attack surface, what are misconfigurations? Where are there vulnerabilities in your network or your host, where there vulnerabilities in your applications, we taking all of that data, specifically from 48 different data sources, we map it to what attackers are doing in the wild, run it through a lens of risk, and then enable the collaboration between I.T. and security, on what to focus on at the tip of the spear with a high degree of fidelity and efficacy so that they know that they can't fix everything, but prioritize the things that matter and are going to move the meter the most. >> So you guys have emerged as one of those kind of new models, the new guard of security, it's interesting, it's been around for 10 years, but yet a lot's changed in 10 years but a lot of evolving. Risk based vulnerability management is the buzzword, R-B- >> V-M >> Okay, really comes from the founder of the company. Why is this becoming an important theme? Because you got endpoints, you got all kinds of predictive stuff with data, you got surface area is growing, but what specifically about this approach makes it unique and popular? >> Yeah, I think what's happening is if you, to really answer that question, you have to look at two different ends of the spectrum in terms of the business, the security side and the IT DevOps and application development side. And at the core of that is what was largely traditional tension. If you think about security teams, operations teams, incident response teams, and if you sit down with them and understand what they do on a day to day basis, beyond the incident response and reaction side, they have a myriad of tools and technologies that discover problems, typically millions of issues. Then you go to the IT side, and the application and DevOps side, and they care about building the next application, making sure the systems are up and running. And what happens is they, we've gotten to the point where they can't possibly fix everything security is asking them to fix, and that's created a lot of tension, people have woken up, started to realize that that tension has to give way to collaboration. And the only way you can do that is enable security to detect all the problems, but then very quickly focus and prioritize on the things that matter, and then go to IT and then tell them specifically what to fix so that they have a high degree of precision and understanding, that the needle will be moved relative to what they're asking them to do. >> So is it the timing of the marketplace and the evolution of the business where it used to be IT that handled it, and now security has gotten broader in its scope, that there's now too many cooks in the kitchen, so to speak? >> Yeah, it's gotten broader in its scope, and there's also been a realization that if you think about the security problem statement, they find all the problems, but if you if you peel back the layers, you quickly realize, they own very little the remediation path. Who fixes-- >> John: They being IT? >> They being security. >> John: Okay. >> Yeah, so it's actually quite fascinating. If you think about who fixes a vulnerability on an operating system like Windows or Linux, it's the IT team. If you think about who fixes or upgrades a Java library or rewrites an application it's DevOps or the application developers, but security's finding all the problems. So they're realizing, as they deploy more tools, find more issues, and increase the amount of data, they've got to get very precise and really enable an entirely new way of collaborating with IT so that they can get them to focus on the things that matter the most. >> Karim, I want to dig into some of the complexity, but first want to get the Caroline on the brand, and the marketing challenge because it's almost an easy job in the sense, because there's a lot of security problems out there to solve, but it's also hard on the other side, is that, where's the differentiation? There's so many vendors out, there's a lot of noise. How are you looking at the marketplace? Because you guys are emerging in with nice, lift on the value proposition, you won some recent awards. How do you view the marketplace? RSA is going to be packed with vendors, it's going to be wall to wall, we get put in the corner, we are going to have small space for theCUBE, but there's a lot there and customers are being bombarded. How are you marketing the value proposition? >> You are right. There's so much noise out there, but we are very clear and precise on the value we bring to our customers, we also let our customers tell the story. So whether it's HSBC, or SunTrust, or Levi, we work with them very closely with those CSOs, with their head of IT to understand their challenges, and then to bring those stories to life so we can help other companies because our biggest challenge is that people just don't know that there's a better solution to this problem. This problem's been around a long time, it's getting worse every day, we're reading about the vulnerabilities that are happening on a regular basis, and we're here to let people know we can fix it, and we can do it in a pretty quick and painless way. >> You had mentioned before we came on camera that when you you're getting known, as the brand gets out there, but when you're in the deals, you win. Could you guys share some commentary on why that's the case? Why are you winning? >> Yeah, by the way, just to piggyback off that a little bit, there is a really interesting paradigm happening within the security space, if you look at the latest publications, I don't know, there are 1400 of us all buzzing around with the same words? I think what Caroline and the team have done an exceptional job on, particularly in relative to the positioning is, we don't want to scare people into looking at Kenna. We want to be more ethereal than that and make them understand that we're ushering in a new way away from tension to an era of collaboration with IT, DevOps and application teams. That's very different than telling somebody in your messaging, Hey, did you hear the latest attack that happened at XYZ? >> Yeah. >> That sort of fear and marketing through FUD, is creating a lot of challenges for organizations, and candidly, is making CISOs and other people in security close the door. >> I've definitely heard that, do you think that's happening a lot? >> I think that's happening a lot. I think we're sort of, I like to think that Caroline and the team are sort of at the forefront of leading that initiative, and you can, and we're doing it in every way possible to really sort of tell a much more positive story about how security can be smarter and spin in a positive light, and in fact, the technology is enabling that, so it's consistent. >> We live in dark times. Unfortunately, a lot of people like, if it bleeds, it leads, and that's a really kind of bad way to look at it. But back to your point about tension and collaborations, I think that's an interesting thread. There's a ton of tension out there, that's real, from the CISO's perspective. Because there's too many teams, I mean, you got, Blue Team, Red Team, IT, governance, compliance, full stack developers, app. So you have now too many teams, too many tools that have been bought and it's like, people have all these platforms, they're drowning in this. How do you guys solve that problem? >> Yeah, it's back to that point of collaboration, and what we've really found that's been interesting in solving that problem, because what we're doing if you step back, is, we're bringing in all these data sources, and where that tension comes in, if you unpack it a little bit, is from different people coming in with different data sources. So IT comes to the table about what to fix, with their own point of view, security comes with their own point of view, application teams come with their own point of view, governance and compliance comes with their point of view. What we do is we come in and even though we're technology, we're really aligning people in process. We're saying, "Look, we're going to to amass all that data, "we're going to very quickly use machine learning "and a bunch of algorithms to sift through "millions of pieces of data "and divine what actually matters." It's empirical, it's evidence based, and we align all the organizations around that filter through risks so that there's agreement on how to measure that, what to prioritize, what to action and what the results look like. And when it turns out that when you get a bunch of people across an organization, to get aligned around data that they all agree with as the source of truth, it gets much easier to get them to really focus on the things that ultimately matter. >> It's a single version of the truth, right? It's a single version that they all can work from. Security isn't telling IT, "This should be your priority today," when they say, "You don't know what my priorities are," is actually the data that's telling them what their priorities are by role, and that's really important and really gets past all the, the friction and the fighting in between the teams. >> Yeah, that's great point, back to my other question when I get back to you Caroline, is what is the success formula look like for you guys? Why are you winning? What are the feedback you're hearing from your customers? Because at the end of the day, references are important, but also, success is a tell sign. So what's the reasons behind the success? >> Yeah, I'll let Karim talk about being face to face with customers, because he does that all the time. But what we're saying is that, the customers are resonating with the story that we're telling, they understand they have the problem we're laying out in a very simple way for, to be able to solve their solution, and that's working. We've redone our positioning, our messaging, we've trained our sales team, people understand the value we can bring, and that's what we're communicating, and that's what's working. >> Karim, please add on that, I want to get more into this. >> Yeah, and on the customer side, what we see and I'll give you a pretty classic example for us with a very large bank that's a customer of ours. We actually started on the security side, right? We sold to their deputy CISO to deploy, and then eventually, they doubled down and then deployed globally across 64 countries. And that happened sponsored by the CIO. Now we're a security company, so you ask the question, well, why did that get driven in that structure? And why did that deal go down ultimately in that way? And what was the real value? The value to the security person was clear, I want to aggregate 10 to 12 different data sources, I want to prioritize, I want to collaborate with IT. The value to the CIO was the CIO happens to own all the application developers and all the IT people and the security people on a global basis. And so what they wanted to do, is they wanted to understand what the risk was for each of the lines of businesses they had within organization so that they can hold the business users accountable to paying a small tax for security, not just developing the next billion dollar high net worth application, which is extremely important to those businesses, but at the same time, ensuring that they're secure. And so that leverage when you start with security, and then branch out in other organizations, especially in large, multinational organizations, is really where the the real value comes into the platform. >> So if I hear you correctly, you come in for security, okay, we can get rid of the noise, help you out, check, win, and then the rest of the organization doesn't have security teams per se, >> Karim: Correct. >> Needs security to be built in from day one. >> Karim: Correct. >> You're providing a cross connect of value to the other teams? >> That's right. >> It's almost like, security is code, if you will. >> Karim: That's right. And nowhere is that more evident in our utilization statistics. So we're a SaaS platform, so of course we, like many other SaaS companies do a bunch of analytics on utilization of our customers, more often than not, in our large scale enterprises, we actually have more IT and non security users logging into Kenna, in a self service model, because they're the ones, back to the point you made earlier, that are actually driving the remediation path. >> Take us through how that works. So say I'm interested, okay, you sold me on it, great, I need the pain relief on the security side, I need the enablement and empowerment on the collaboration side, what do I do? Do I just plug my databases into you? Is it API driven? Are you on Amazon? Are you on Azure? What's cloud? What am I dealing with? Take me through the engagement. >> Yeah, so we're 100% cloud based platform. Multi cloud, so we can deploy in AWS, we can deploy in Google et cetera. And then what we do is we effectively through a bunch of API's called connectors that are transparent to the customers, we enable them to bring in their data. So this is everything from traditional scanning data like Qualys, Rapid7, Tenable, more, newer data like CrowdStrike, Tanium, DaaS SaaS, software composition analysis tools, WhiteHat, Veracode, Black Duck, Sonatype, you name it. The list goes on, specifically, there's about 48 of them. All of that is basically helps us understand what the totality of the attack surface is. That's very useful for security because they're using multiple tools. We then overlay what we call exploit and tell, this is the data that tells us about what attackers are doing in the wild. Specifically, we have 5 billion pieces of data that tell us about what vulnerabilities are being popped, what's the rate of change, what malware are they being embedded in? That use, that information is used through machine learning to help us prioritize and risk score each of the findings we get from the customer tools. And then where it pivots over to IT, is we then allow them to take all of that data and that metadata and asset criticality into what we call risk meters. So they're basically aligned with where, how IT operates. So for example, if you own all the Linux infrastructure in the cloud, you log in, you'll only see the risk across the infrastructure you own. Whereas if Caroline owns all the endpoint real estate across Windows, she logs in and understands what her risk is across Windows. And then we of course, integrate in the ticketing systems to drive the remediation and report up to executives and then over to security, about what the workflow you-- >> So you guys really focusing not so much on the security knock or the sock, it's more on indexing, if you will, for lack of a better description, the surface area, >> Karim: Correct. >> And getting that prepared from a visibility standpoint to acquire the data. >> Karim: That's right. >> And then leveraging that across-- >> Across the organizations, yeah. >> Did I get that, right? >> It's exactly right. And if you ask, if you again, double click deeper on that, what's fascinating to watch, so we have a an annual, or bi annual report that we do called prioritization or prediction, or P2P. And this is all of our customer data completely anonymized in a warehouse, and then we run a bunch of reports, and lot of the analytics we ran initially were around security. Now we're starting to pivot in IT. If you look at our latest report, one of the most interesting things I found in my time here is that the average large scale enterprise has actually no more than 10% remediation capacity, right? So what does that tell you? That tells you that 90% of the problems are going to go unsolved, which pinpoints why it's even more important to have specific prioritization on the things that matter. >> They solve the right 10%. >> At the right time too, >> At the right time. >> 10% capacity, operating capacity, assuming some automation that might take care of some of the low hanging fruit >> Exactly. >> Through DevOps or automation. You can focus on those 10% at the right time, which by the way, if you use that capacity for the wrong problems at the wrong time, it's wasted capacity. >> Karim: That's right. >> That's what you guys are trying to get at, right? >> Karim: That's exactly right, work smarter, not harder. >> So Kenna security, what's the vision? What's the next step? Why should someone care about working with you guys? Why is it important to engage you guys? What's the big deal? Is it the risk based vulnerability, kind of origination invention, which is the core or the DNA, or is it something bigger? What's the vision? What's the why? Yeah, well look for us, we started, our company was actually founded by a gentleman by the name Ed Bellis, who's the ex chief security officer at Orbitz, and he founded the company out of a need. We started very early in the traditional pure vulnerability space. This was like calling Classic Qualys, Rapid7, Tenable. We then expanded into the application world. So this is starting to take in, moving up stack if you will full stack, as the environment moves to cloud, as the environment moves to containers, as the environment moves to configuration management as the environment moves to a much more ephemeral state, that will drive an entirely new set of data sources that will drive an entirely different new set of priorities all aligned with the same model of risk. So our view of the future is that we are the platform that enables the organization to understand the totality of the attack surface, that enables collaboration across all the groups that deal with technology within enterprises, and allows them to really prioritize and understand risk in a way that not only fosters the collaboration, but gives you that return on investment that candidly ultimately CIOs are looking for. >> Caroline the story from a marketing perspective, what's the story you're trying to tell? >> We started this space, our founder Ed Bellis is the father of risk based vulnerability management and he loves it when I say that, but it's 100% true. We are continuing down this path, I mean, there are so many companies that have this problem that don't know that there's a better way to solve it. And so for now, our mission is to make sure that we're educating those people, they understand what's possible to do today, and then continuing from there, so. >> Well, I really appreciate you guys coming in and introducing and sharing more about Kenna Security, we've been seeing successes. I'm going to ask you about what you guys think about RSA, I'd love to get both you guys to weigh in. But before we get to the RSA kind of what's coming, take a quick minute to plug the company. What do you guys looking to do? You hiring? You just got some funding? Give the quick pitches. >> Yeah, sure, we did. We just closed $48 million series D round. We had all of our investors and a new investor, Sorenson Ventures come in. We also had two strategic investors, Citi and HSBC, because we do quite well, that very good validation. And we're also quite prominent in the financial services vertical, it helps that. And so for us, it's really about scaling, right? Scaling people, scaling the technology, scaling capabilities-- >> John: Across the board. >> Across the board. >> Engineering, obviously. >> Engineering, sales, geographies, it's really about getting the word out there and then being able to follow that up with the feed on the street that matter. >> We're definitely hiring, but we're also growing through OEMs. So we have a relationship with VMware, they're embedding us into their app defense products, and so if you buy app defense from VMware, you are buying Kenna whether you know it or not. >> So you're going to be an ingredient in other products. >> That's right. >> And or direct or indirect, probably some channel ecosystem opportunities? >> That's right. >> So we're growing on the technology partner OEM front, definitely interested in talking to companies that are interested on that front. >> We should do a whole segment on my fascination with what I call tier two or tier 1B clouds, specialty clouds, security clouds. So maybe do that another time. Okay, final question for you guys. RSA is coming this year 2020, and then a series of other events. Cloud Security has been a hot topic since re:Inforce last year was launched, we were there, kicking off theCUBE in security. What do you guys expect this year at RSA? What do you think the big themes are going to be? The hype? The meat on the bone? What's the real deal? What's the hype? What do you guys think is going to happen? >> Karim: I'll let you start. >> Yeah, I can tell you our theme is the right fight club. Because we are focused on the right fight that you need to have every day inside your enterprise. It's not focused on all the vulnerabilities that are hitting you because they're hundreds of thousands of them, millions of them, and there's going to be more every single day, it's about fighting the right fight. So if you come by our booth, you'll see that, it's going to be very exciting-- >> And of course, don't talk about the Fight Club vulnerabilities. (Karim laughs) >> You know the rules of the fight club. >> The first rule is to talk to Kenna about the right fight club. That is the first rule. >> That's cool. >> Yeah, I mean, it's interesting. Every, as you very well know, every year when people walk away from RSA, there's a few blogs that are written about what was the theme this year, I suspect this year's in security specifically, is going to be about AI driven security. We've been starting to see that for a while, it started to bleed into last year's event. I think for us in particular, we have a very particular point of view, and our book point of view is that doesn't matter if it's ML, if it's AI, or what type of algorithms you're running, the question is, what's the value? What is the value when you have 1400 people all screaming to get in the door of an organization? Everybody really has to begin to answer that question fundamentally. And I think the people that have that position in the market are the people that are going to be able to stand out. It's interesting, as always the hype with AI, but it's interesting, I was just trying to figure out when the term there is no perimeter was kind of first coined in theCUBE, I'm thinking probably about five years ago, it really became a narrative and then more recently, with the cloud, the perimeter is dead. Edge is out there. >> Karim: Right. >> So this is, what's the gestation period of real scalable security post perimeter is dead. It's interesting, is it years, is it seems to be hitting this year. It seems to be the point where, okay, I tried everything, now I've got to be data driven or figure out a way to map the surface area. >> That's right. >> End to end. Well, thanks to Kenna Security coming in, a solution for figuring out the vulnerabilities with a real invention. We're going to be covering security at RSA with Kenna Security and others. Thanks for watching, this is theCUBE. (upbeat music)