Samme Allen, theCUBE Host Test [INTERNAL ONLY]
(upbeat music) >> The next normal is upon us. And the way we run corporate communications, brand accelerators and events has changed inextricably from 12 months ago. Will this last? Welcome to theCUBE. My name is Samme Allen. It's great to have you with us. Joining me today to discuss what looks like success for us all in terms of communications and events, we have long time industry analyst, TV host, entrepreneur and of course, many other accolades, please welcome co-founder and CEO of theCUBE, Dave Vellante. Dave, welcome to theCUBE. >> Hey Samme, thank you very much. I've been in theCUBE a lot, but really not often in this format, so thanks for having me. >> It is a pleasure to be interviewing you today. How does it feel being in the hot seat about to be grilled about the future of events? >> A little weird, little uncomfortable. But bring it on. >> So we talk about this next normal. Some people called it the new normal. We're coming out of the world of pandemic. Thank God. We are seeing returning to live events. We are seeing returning to travel. But what do you think this looks like for the big brands in terms of how they start building out their communications strategy, including events for, say, the next 12 months, the immediate strategy for the future? >> Well, that's a great question. And it's interesting when you look back in the last 12, 13, 14 months, and you compare, let's say, last April to this April in terms of the quality of the events that not only the production value, but also the content and the formats and the intensive attempt to engage with people, you're seeing people, big organizations especially, really raised the bar quite dramatically. And now just as they've sort of become comfortable with virtual events, they're trying to figure out, okay, what's next? So we've seen with theCUBE, we're getting demand now for hybrid events. We're going to be at Mobile World Congress. We're seeing other events that people are asking us to attend. 
We've got some events in the fall. Smatterings, you know. It's not huge. But when you talk to people, pretty much everybody now is planning on some type of physical activity in 2021. So there's huge pent-up demand. We would expect, Samme, to have these, let's call 'em VIP events, where you might have an audience of, local audience, maybe it's 20, maybe it's 25 people, selected audience of CEOs or CTOs or business executives, and then broadcast that to a much wider audience. I personally think this notion of virtual events, which nobody really wanted, you know, a couple of years ago, everybody wanted belly-to-belly, I think it's here to stay, because the long tail of consumption post-event is actually paying dividends, even though it's taking much, much longer to see those results. >> And we're seeing here in the UK. As you know, I'm based in our London studio. We are, you know, we're hearing from Sir David Attenborough who pretty much everyone around the globe knows as the global voice of sustainability saying that actually what we do in the next 5 to 10 years could potentially have a much bigger impact on the world than Corona virus has done so far. Do you think brands are taking this seriously in terms of the evolution of how they communicate, how they attend events, where things like theCUBE will be placed in the future? Are you seeing that from your clients, Dave? >> You know, that's a really tough question. Because on the one hand, and I often joke that, you know, it used to be the case that, you know, the only goal of a public company was to make profit. And now, you're seeing companies from IBM and Cisco and Salesforce, name a company, a large company, they're standing up and saying ESG, diversity, inclusion, these are not only the right thing to do, but they're good business. And so tie that into your question, which is, you know, can we affect the environment, for example, maybe by, you know, being more productive with travel? 
And the reason I think it's such a tough question is because I think the sales people who are under such pressure to perform, and the companies are under pressure to perform, clearly can be more productive face-to-face, and they can accelerate time to close, for example. At the same time, nobody's really excited to get back on a plane on a Sunday night every week and fly back on a Friday and see their family, maybe, you know, for a day or two. So I think we've got to figure that out. And I think to answer your question specifically, I think there's no question that we can do much more virtually. And I think we will, over the next 10 years, learn how to do that in a much more productive way. >> You hit quite a true point from the brands that we've been speaking with in terms of the desire to see people, to hug people, to be in a room. I think the one thing we hear all the time is that you can't network. Well, we know you can network, because we have algorithms, we have AI and big data. But actually, that socialization. Do you think once we've all got to that first conference and then actually, we have maybe, exactly as you said, that fatigue of not being with our families when the world has changed so much, so after this initial rush, do you think that then that blend of the world of hybrid will remain stable? >> Another really tough question. I think, you know, having, for myself, I'm not fully baked. I've had my second vaccine. And so when I see people, I'm really confident. I'm kind of a, you know, chest pumper, a handshaker, a hugger, whatever. So I'm much more comfortable doing that. But we don't know what we don't know. You know, do we need a booster shot in six months? You know, what is the data telling us? The science, I mean. Everybody says follow the science. But the Alzheimer, the science doesn't know what's happening. I would say this. 
I think unquestionably, from a business standpoint, that this notion of being able to expose your brand to many, many more, a much, much larger audience, is going to continue. That has legs. And I think people are very comfortable that, if you do that, you're not going to limit the number of people who actually, you know, show up live. It's like when TED decided to actually broadcast, the brand went through the roof. I think the same thing will happen here that you're going to see a slow return of the face-to-face. And I think the virtual will stay. And I think they'll be related, but different teams. I mean, we've talked about this, you and I. There's different skillsets for virtual. So I can see organizations, at least I think smart ones, will invest in both. And I think we're going to see a new era of events that are going to combine virtual and physical. >> Talking about theCUBE, you know. We talked about theCUBE being, you know, they're front and center at an event to offer those expert insights. Can you see in that, well, give us your crystal ball, where's theCUBE going to be in five years time? Do you hope? And do you, where do you think it's going to be strategically wise? >> You know, the awesome thing for theCUBE is that we started in virtual events and hybrid events back in 2015. And so, but it was interesting is we sort of try to push that on our clients, and nobody wanted it. It's like I was saying before, everybody wanted physical. So when COVID hit, we were in a really good position to extend our portfolio into virtual. And that's exactly what we did with our two studios and our software stack. What was a little tricky for us was we had to retrain people. And it was like training by fire. So that took some time. And so you start to see, okay, who's, who really enjoys the virtual, who enjoys the physical. So where I see theCUBE in five years time is that hybrid combination. Very clearly, people want theCUBE at their events, because it's light. 
It's lights, camera, action. You know, the sports-center-like vibe with the live production, you know. But at the same time, we've got this great capability and team that can reach a much, much wider audience. And then what we've learned, the big learning or one of the big learnings from COVID in virtual was the post-event consumption, that long tail is actually quite amazing, especially if you keep nurturing it. And by the way, a lot of our clients still miss this, a lot of brands move on to the next one, move on to the next one, whereas you can see the consumption continuing. And so I think people are going to continue to fine tune that and really take advantage. So I see theCUBE in both places. And it's just, we're really excited, because it's just a great expansion of our business. >> And I think that strategy, as you said, that, you know, building out a 365 strategy when it comes down to communications and bringing people on a journey with you, which is what you're doing at theCUBE, I think that's the future. And it's an exciting future. My last question for you. You've been locked down like we all have here in the UK, you're in the US. What are you most looking forward to now you've had your second shot, the world is opening up? What's the first thing that you're going to be doing sort of post-lockdown? >> You know, I'll say this. I, again, I don't miss flying every week and dragging my big, heavy backpack through airports. What I have missed is that interaction post-event. So theCUBE is intense. You go to an event. You're doing 10 to 12 interviews a day. Sometimes three or four days. You're exhausted at the end of the day. But then you get to sit back. And that's when you go to the evening events. And you see people, for instance, that were on theCUBE. And people were pointing to you, "hey, you're theCUBE guys." And you build a really intimate relationship with them that is long lasting. And I really do miss that. 
We, John Furrier, my business partner and co-CEO, we've made some great business friendships that will last a lifetime. And you only form those with these face-to-face interactions. You just, as you know, Samme, you can't do it. You can't get that level of intimacy in a video call. You just can't. So I'm really looking forward to that. And maybe a little better life balance. That's what I'm most looking forward to. >> I think that's a wonderful way to close this out. So I'm looking forward to also seeing you in person, raising that glass, building those relationships. Thank you, Dave, so much for being with us today. Thank you all for watching. Stay tuned to theCUBE for breaking insights, expert insights front and center when you need them. Keep safe. And see you next time. (upbeat music)
ENTITIES
Entity | Category | Confidence |
---|---|---|
IBM | ORGANIZATION | 0.99+ |
Cisco | ORGANIZATION | 0.99+ |
Dave Vellante | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
Samme | PERSON | 0.99+ |
UK | LOCATION | 0.99+ |
2015 | DATE | 0.99+ |
Samme Allen | PERSON | 0.99+ |
John Furrier | PERSON | 0.99+ |
US | LOCATION | 0.99+ |
20 | QUANTITY | 0.99+ |
10 | QUANTITY | 0.99+ |
2021 | DATE | 0.99+ |
25 people | QUANTITY | 0.99+ |
three | QUANTITY | 0.99+ |
second vaccine | QUANTITY | 0.99+ |
London | LOCATION | 0.99+ |
Salesforce | ORGANIZATION | 0.99+ |
two studios | QUANTITY | 0.99+ |
two | QUANTITY | 0.99+ |
second shot | QUANTITY | 0.99+ |
David Attenborough | PERSON | 0.99+ |
a day | QUANTITY | 0.99+ |
TED | ORGANIZATION | 0.99+ |
today | DATE | 0.99+ |
five years | QUANTITY | 0.99+ |
theCUBE | ORGANIZATION | 0.99+ |
four days | QUANTITY | 0.99+ |
both | QUANTITY | 0.98+ |
both places | QUANTITY | 0.98+ |
last April | DATE | 0.98+ |
six months | QUANTITY | 0.98+ |
12 months ago | DATE | 0.98+ |
pandemic | EVENT | 0.97+ |
Sunday night | DATE | 0.97+ |
first conference | QUANTITY | 0.96+ |
13 | QUANTITY | 0.95+ |
Corona virus | OTHER | 0.95+ |
Friday | DATE | 0.94+ |
14 months | QUANTITY | 0.91+ |
Mobile World Congress | EVENT | 0.91+ |
12 interviews a day | QUANTITY | 0.9+ |
365 | QUANTITY | 0.89+ |
first thing | QUANTITY | 0.89+ |
couple of years ago | DATE | 0.87+ |
one thing | QUANTITY | 0.83+ |
next 12 months | DATE | 0.82+ |
Sir | PERSON | 0.82+ |
this April | DATE | 0.82+ |
COVID | ORGANIZATION | 0.79+ |
10 years | QUANTITY | 0.73+ |
Alzheimer | OTHER | 0.63+ |
next 10 years | DATE | 0.63+ |
ESG | ORGANIZATION | 0.55+ |
every | QUANTITY | 0.53+ |
12 | QUANTITY | 0.5+ |
last | DATE | 0.45+ |
5 | DATE | 0.45+ |
Jassy test
to have Rodger Goodell fly to a tech conference to sit with you and then bring his team talk about the deal. >> Well, ya know, we've been partners with the NFL for a while with the Next Gen Stats that they use on all their telecasts and one of the things I really like about Roger is that he's very curious and very interested in technology and the first couple times I spoke with him he asked me so many questions about ways the NFL might be able to use the Cloud and digital transformation to transform their various experiences and he's always said if you have a creative idea or something you think that could change the world for us, just call me he said or text me or email me and I'll call you back within 24 hours. And so, we've spent the better part of the last year talking about a lot of really interesting, strategic ways that they can evolve their experience both for fans, as well as their players and the Player Health and Safety Initiative, it's so important in sports and particularly important with the NFL given the nature of the sport and they've always had a focus on it, but what you can do with computer vision and machine learning algorithms and then building a digital athlete which is really like a digital twin of each athlete so you understand, what does it look like when they're healthy and compare that when it looks like they may not be healthy and be able to simulate all kinds of different combinations of player hits and angles and different plays so that you could try to predict injuries and predict the right equipment you need before there's a problem can be really transformational so we're super excited about it. >> Did you guys come up with the idea or was it a collaboration between them? >> It was really a collaboration. 
I mean they, look, they are very focused on players safety and health and it's a big deal for their- you know, they have two main constituents the players and fans and they care deeply about the players and it's a-it's a hard problem in a sport like Football, I mean, you watch it. >> Yeah, and I got to say it does point out the use cases of what you guys are promoting heavily at the show here of the SageMaker Studio, which was a big part of your Keynote, where they have all this data. >> Andy: Right. >> And they're data hoarders, they hoard data but the manual process of going through the data was a killer problem. This is consistent with a lot of the enterprises that are out there, they have more data than they even know. So this seems to be a big part of the strategy. How do you get the customers to actually wake up to the fact that they got all this data and how do you tie that together? >> I think in almost every company they know they have a lot of data. And there are always pockets of people who want to do something with it. But, when you're going to make these really big leaps forward; these transformations, the things like Volkswagen is doing where they're reinventing their factories and their manufacturing process or the NFL where they're going to radically transform how they do players uh, health and safety. It starts top down and if the senior leader isn't convicted about wanting to take that leap forward and trying something different and organizing the data differently and organizing the team differently and using machine learning and getting help from us and building algorithms and building some muscle inside the company it just doesn't happen because it's not in the normal machinery of what most companies do. And so it always, almost always, starts top down. Sometimes it can be the Commissioner or CEO sometimes it can be the CIO but it has to be senior level conviction or it doesn't get off the ground. >> And the business model impact has to be real. 
For NFL, they know concussions, hurting their youth pipe-lining, this is a huge issue for them. the low level building blocks and stitch them together creatively however they see fit to create whatever's in their-in their heads. And then we have the second segment of customers that say look, I'm willing to give up some of that flexibility in exchange for getting 80% of the way there much faster.
**Summary and Sentiment Analysis are not shown because of improper transcript**
ENTITIES
Entity | Category | Confidence |
---|---|---|
Rodger Goodell | PERSON | 0.99+ |
Volkswagen | ORGANIZATION | 0.99+ |
Roger | PERSON | 0.99+ |
Andy | PERSON | 0.99+ |
80% | QUANTITY | 0.99+ |
second segment | QUANTITY | 0.99+ |
last year | DATE | 0.99+ |
24 hours | QUANTITY | 0.97+ |
NFL | ORGANIZATION | 0.96+ |
one | QUANTITY | 0.94+ |
first couple times | QUANTITY | 0.94+ |
both | QUANTITY | 0.93+ |
two main constituents | QUANTITY | 0.93+ |
twin | QUANTITY | 0.9+ |
each athlete | QUANTITY | 0.89+ |
Jassy | PERSON | 0.83+ |
Next Gen | ORGANIZATION | 0.72+ |
SageMaker Studio | ORGANIZATION | 0.66+ |
Keynote | TITLE | 0.55+ |
Player Health and Safety Initiative | TITLE | 0.5+ |
Another test of transitions
(upbeat music) >> Hi, my name is Andy Clemenko. I'm a Senior Solutions Engineer at StackRox. Thanks for joining us today for my talk on labels, labels, labels. Obviously, you can reach me at all the socials. Before we get started, I like to point you to my GitHub repo, you can go to andyc.info/dc20, and it'll take you to my GitHub page where I've got all of this documentation, I've got the Keynote file there. YAMLs, I've got Dockerfiles, Compose files, all that good stuff. If you want to follow along, great, if not go back and review later, kind of fun. So let me tell you a little bit about myself. I am a former DOD contractor. This is my seventh DockerCon. I've spoken, I had the pleasure to speak at a few of them, one even in Europe. I was even a Docker employee for quite a number of years, providing solutions to the federal government and customers around containers and all things Docker. So I've been doing this a little while. One of the things that I always found interesting was the lack of understanding around labels. So why labels, right? Well, as a former DOD contractor, I had built out a large registry. And the question I constantly got was, where did this image come from? How did you get it? What's in it? Where did it come from? How did it get here? And one of the things we did to kind of alleviate some of those questions was we established a baseline set of labels. Labels really are designed to provide as much metadata around the image as possible. 
I ask everyone in attendance, when was the last time you pulled an image and had 100% confidence, you knew what was inside it, where it was built, how it was built, when it was built, you probably didn't, right? The last thing we obviously want is a container fire, like our image on the screen. And one kind of interesting way we can kind of prevent that is through the use of labels. We can use labels to address security, address some of the simplicity on how to run these images. So think of it, kind of like self documenting. Think of it also as an audit trail, image provenance, things like that. These are some interesting concepts that we can definitely mandate as we move forward. What is a label, right? Specifically what is the Schema? It's just a key-value. All right? It's any key and pretty much any value. What if we could dump in all kinds of information? What if we could encode things and store it in there? And I've got a fun little demo to show you about that. Let's start off with some of the simple keys, right? Author, date, description, version. Some of the basic information around the image. That would be pretty useful, right? What about specific labels for CI? What about a, where's the version control? Where's the source, right? Whether it's Git, whether it's GitLab, whether it's GitHub, whether it's Gitosis, right? Even SVN, who cares? Where are the source files that built, where's the Docker file that built this image? What's the commit number? That might be interesting in terms of tracking the resulting image to a person or to a commit, hopefully then to a person. How is it built? What if you wanted to play with it and do a git clone of the repo and then build the Docker file on your own? Having a label specifically dedicated on how to build this image might be interesting for development work. Where it was built, and obviously what build number, right? 
These kind of all, not only talk about continuous integration, CI but also start to talk about security. Specifically what server built it. The version control number, the version number, the commit number, again, how it was built. What's the specific build number? What was that job number in, say, Jenkins or GitLab? What if we could take it a step further? What if we could actually apply policy enforcement in the build pipeline, looking specifically for some of these specific labels? I've got a good example of, in my demo of a policy enforcement. So let's look at some sample labels. Now originally, this idea came out of label-schema.org. And then it was modified to opencontainers, org.opencontainers.image. There is a link in my GitHub page that links to the full reference. But these are some of the labels that I like to use, just as kind of like a standardization. So obviously, Author's, an email address, so now the image is attributable to a person, that's always kind of good for security and reliability. Where's the source? Where's the version control that has the source, the Docker file and all the assets? How it was built, build number, build server the commit, we talked about, when it was created, a simple description. A fun one I like adding in is the healthz endpoint. Now obviously, the health check directive should be in the Docker file. But if you've got other systems that want to ping your applications, why not declare it and make it queryable? Image version, obviously, that's simple declarative. And then a title. And then I've got the two fun ones. Remember, I talked about what if we could encode some fun things? Hypothetically, what if we could encode the Compose file of how to build the stack in the first image itself? And conversely the Kubernetes? Well, actually, you can and I have a demo to show you how to kind of take advantage of that. So how do we create labels? And really creating labels is a function of build time, okay? 
You can't really add labels to an image after the fact. The way you do add labels is either through the Docker file, which I'm a big fan of, because it's declarative. It's in version control. It's kind of irrefutable, especially if you're tracking that commit number in a label. You can extend it from being a static kind of declaration to more a dynamic with build arguments. And I can show you, I'll show you in a little while how you can use a build argument at build time to pass in that variable. And then obviously, if you did it by hand, you could do a docker build --label key equals value. I'm not a big fan of the third one, I love the first one and obviously the second one. Being dynamic we can take advantage of some of the variables coming out of version control. Or I should say, some of the variables coming out of our CI system. And that way, it self documents effectively at build time, which is kind of cool. How do we view labels? Well, there's two major ways to view labels. The first one is obviously a docker pull and docker inspect. You can pull the image locally, you can inspect it, you can obviously, it's going to output as JSON. So you're going to use something like jq to crack it open and look at the individual labels. Another one which I found recently was Skopeo from Red Hat. This allows you to actually query the registry server. So you don't even have to pull the image initially. This can be really useful if you're on a really small development workstation, and you're trying to talk to a Kubernetes cluster and wanting to deploy apps kind of in a very simple manner. Okay? And this was that use case, right? Using Kubernetes, the Kubernetes demo. One of the interesting things about this is that you can base64 encode almost anything, push it in as text into a label and then base64 decode it, and then use it. 
So in this case, in my demo, I'll show you how we can actually use a kubectl apply piped from the base64 decode from the label itself from skopeo talking to the registry. And what's interesting about this kind of technique is you don't need to store Helm charts. You don't need to learn another language for your declarative automation, right? You don't need all these extra levels of abstraction inherently, if you use it as a label with a kubectl apply. It's just built in. It's kind of like the KISS approach to a certain extent. It does require some encoding when you actually build the image, but to me, it doesn't seem that hard. Okay, let's take a look at a demo. And what I'm going to do for my demo, before we actually get started is here's my repo. Here's a, let me actually go to the actual full repo. So here's the repo, right? And I've got my Jenkins pipeline 'cause I'm using Jenkins for this demo. And in my demo flask, I've got the Docker file. I've got my compose and my Kubernetes YAML. So let's take a look at the Docker file, right? So it's a simple Alpine image. The ARG statements are the build time arguments that are passed in. Label, so again, I'm using the org.opencontainers.image.blank, for most of them. There's a typo there. Let's see if you can find it, I'll show you it later. My source, build date, build number, commit. Build number and Git commit are derived from the Jenkins itself, which is nice. I can just take advantage of existing URLs. I don't have to create anything crazy. And again, I've got my actual Docker build command. Now this is just a label on how to build it. And then here's my simple Python, APK upgrade, remove the package manager, kind of some security stuff, health check getting Python through, okay? Let's take a look at the Jenkins pipeline real quick. So here is my Jenkins pipeline and I have four major stages, four stages, I have built. And here in build, what I do is I actually do the Git clone. And then I do my docker build. 
From there, I actually tell the Jenkins StackRox plugin. So that's what I'm using for my security scanning. So go ahead and scan, basically, I'm staging it to scan the image. I'm pushing it to Hub, okay? Where I can see the, basically I'm pushing the image up to Hub so such that my StackRox security scanner can go ahead and scan the image. I'm kicking off the scan itself. And then if everything's successful, I'm pushing it to prod. Now what I'm doing is I'm just using the same image with two tags, pre-prod and prod. This is not exactly ideal, in your environment, you probably want to use separate registries and non-prod and a production registry, but for demonstration purposes, I think this is okay. So let's go over to my Jenkins and I've got a deliberate failure. And I'll show you why there's a reason for that. And let's go down. Let's look at my, so I have a StackRox report. Let's look at my report. And it says image required, required image label alert, right? Request that the maintainer, add the required label to the image, so we're missing a label, okay? One of the things we can do is let's flip over, and let's look at Skopeo. Right? I'm going to do this just the easy way. So instead of looking at org.zdocker, opencontainers.image.authors. Okay, see here it says build signature? That was the typo, we didn't actually pass in. So if we go back to our repo, we didn't pass in the build time argument, we just passed in the word. So let's fix that real quick. That's the Docker file. Let's go ahead and put our dollar sign in there. First day with the fingers you going to love it. And let's go ahead and commit that. Okay? So now that that's committed, we can go back to Jenkins, and we can actually do another build. And there's number 12. And as you can see, I've been playing with this for a little bit today. And while that's running, come on, we can go ahead and look at the Console output. Okay, so there's our image. 
And again, look at all the build arguments that we're passing into the build statement. So we're passing in the date and the date gets derived on the command line. With the build arguments, there's the base64 encoded of the Compose file. Here's the base64 encoding of the Kubernetes YAML. We do the build. And then let's go down to the bottom layer exists and successful. So here's where we can see no system policy violations found, marking StackRox image security plugin build step as successful, okay? So we're actually able to do policy enforcement that that image exists, that that label sorry, exists in the image. And again, we can look at the security report and there's no policy violations and no vulnerabilities. So that's pretty good for security, right? We can now enforce and mandate use of certain labels within our images. And let's flip back over to Skopeo, and let's go ahead and look at it. So we're looking at the prod version again. And there's it is in my email address. And that validated that that was valid for that policy. So that's kind of cool. Now, let's take it a step further. What if, let's go ahead and take a look at all of the image, all the labels for a second, let me remove the dash org, make it pretty. Okay? So we have all of our image labels. Again, author's build, commit number, look at the commit number. It was built today build number 12. We saw that right? Delete, build 12. So that's kind of cool dynamic labels. Name, healthz, right? But what we're looking for is we're going to look at the org.zdockerketers label. So let's go look at the label real quick. Okay, well that doesn't really help us because it's encoded but let's base64 dash D, let's decode it. And I need to put the dash r in there 'cause it doesn't like, there we go. So there's my Kubernetes YAML. So why can't we simply kubectl apply dash f? Let's just apply it from standard in. So now we've actually used that label. 
From the image that we've queried with skopeo, from a remote registry to deploy locally to our Kubernetes cluster. So let's go ahead and look everything's up and running, perfect. So what does that look like, right? So luckily, I'm using traefik for Ingress 'cause I love it. And I've got an object in my Kubernetes YAML called flask.docker.life. That's my Ingress object for traefik. I can go to flask.docker.life. And I can hit refresh. Obviously, I'm not a very good web designer 'cause the background image in the text. We can go ahead and refresh it a couple times we've got Redis storing a hit counter. We can see that our server name is roundrobing. Okay? That's kind of cool. So let's kind of recap a little bit about my demo environment. So my demo environment, I'm using DigitalOcean, Ubuntu 19.10 VMs. I'm using K3s instead of full Kubernetes either full Rancher, full OpenShift or Docker Enterprise. I think K3s has some really interesting advantages on the development side and it's kind of intended for IoT but it works really well and it deploys super easy. I'm using traefik for Ingress. I love traefik. I may or may not be a traefik ambassador. I'm using Jenkins for CI. And I'm using StackRox for image scanning and policy enforcement. One of the things to think about though, especially in terms of labels is none of this demo stack is required. You can be in any cloud, you can be in CentOS, you can be in any Kubernetes. You can even be in swarm, if you wanted to, or Docker compose. Any Ingress, any CI system, Jenkins, circle, GitLab, it doesn't matter. And pretty much any scanning. One of the things that I think is kind of nice about at least StackRox is that we do a lot more than just image scanning, right? With the policy enforcement things like that. I guess that's kind of a shameless plug. But again, any of this stack is completely replaceable, with any comparative product in that category. 
So I'd like to, again, point you guys to the andyc.infodc20, that's take you right to the GitHub repo. You can reach out to me at any of the socials @clemenko or andy@stackrox.com. And thank you for attending. I hope you learned something fun about labels. And hopefully you guys can standardize labels in your organization and really kind of take your images and the image provenance to a new level. Thanks for watching. (upbeat music) >> Narrator: Live from Las Vegas It's theCUBE. Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel along with it's ecosystem partners. >> Okay, welcome back everyone theCUBE's live coverage of AWS re:Invent 2019. This is theCUBE's 7th year covering Amazon re:Invent. It's their 8th year of the conference. I want to just shout out to Intel for their sponsorship for these two amazing sets. Without their support we wouldn't be able to bring our mission of great content to you. I'm John Furrier. Stu Miniman. We're here with the chief of AWS, the chief executive officer Andy Jassy. Tech athlete in and of himself three hour Keynotes. Welcome to theCUBE again, great to see you. >> Great to be here, thanks for having me guys. >> Congratulations on a great show a lot of great buzz. >> Andy: Thank you. >> A lot of good stuff. Your Keynote was phenomenal. You get right into it, you giddy up right into it as you say, three hours, thirty announcements. You guys do a lot, but what I liked, the new addition, the last year and this year is the band; house band. They're pretty good. >> Andy: They're good right? >> They hit the queen notes, so that keeps it balanced. So we're going to work on getting a band for theCUBE. >> Awesome. >> So if I have to ask you, what's your walk up song, what would it be? >> There's so many choices, it depends on what kind of mood I'm in. But, uh, maybe Times Like These by the Foo Fighters. >> John: Alright. >> These are unusual times right now. >> Foo Fighters playing at the Amazon Intersect Show. 
>> Yes they are. >> Good plug Andy. >> Headlining. >> Very clever >> Always getting a good plug in there. >> My very favorite band. Well congratulations on the Intersect you got a lot going on. Intersect is a music festival, I'll get to that in a second But, I think the big news for me is two things, obviously we had a one-on-one exclusive interview and you laid out, essentially what looks like was going to be your Keynote, and it was. Transformation- >> Andy: Thank you for the practice. (Laughter) >> John: I'm glad to practice, use me anytime. >> Yeah. >> And I like to appreciate the comments on Jedi on the record, that was great. But I think the transformation story's a very real one, but the NFL news you guys just announced, to me, was so much fun and relevant. You had the Commissioner of NFL on stage with you talking about a strategic partnership. That is as top down, aggressive goal as you could get to have Rodger Goodell fly to a tech conference to sit with you and then bring his team talk about the deal. >> Well, ya know, we've been partners with the NFL for a while with the Next Gen Stats that they use on all their telecasts and one of the things I really like about Roger is that he's very curious and very interested in technology and the first couple times I spoke with him he asked me so many questions about ways the NFL might be able to use the Cloud and digital transformation to transform their various experiences and he's always said if you have a creative idea or something you think that could change the world for us, just call me he said or text me or email me and I'll call you back within 24 hours. 
And so, we've spent the better part of the last year talking about a lot of really interesting, strategic ways that they can evolve their experience both for fans, as well as their players and the Player Health and Safety Initiative, it's so important in sports and particularly important with the NFL given the nature of the sport and they've always had a focus on it, but what you can do with computer vision and machine learning algorithms and then building a digital athlete which is really like a digital twin of each athlete so you understand, what does it look like when they're healthy and compare that when it looks like they may not be healthy and be able to simulate all kinds of different combinations of player hits and angles and different plays so that you could try to predict injuries and predict the right equipment you need before there's a problem can be really transformational so we're super excited about it. >> Did you guys come up with the idea or was it a collaboration between them? >> It was really a collaboration. I mean they, look, they are very focused on players safety and health and it's a big deal for their- you know, they have two main constituents the players and fans and they care deeply about the players and it's a-it's a hard problem in a sport like Football, I mean, you watch it. >> Yeah, and I got to say it does point out the use cases of what you guys are promoting heavily at the show here of the SageMaker Studio, which was a big part of your Keynote, where they have all this data. >> Andy: Right. >> And they're data hoarders, they hoard data but the manual process of going through the data was a killer problem. This is consistent with a lot of the enterprises that are out there, they have more data than they even know. So this seems to be a big part of the strategy. How do you get the customers to actually wake up to the fact that they got all this data and how do you tie that together? 
>> I think in almost every company they know they have a lot of data. And there are always pockets of people who want to do something with it. But, when you're going to make these really big leaps forward; these transformations, the things like Volkswagen is doing where they're reinventing their factories and their manufacturing process or the NFL where they're going to radically transform how they do players uh, health and safety. It starts top down and if the senior leader isn't convicted about wanting to take that leap forward and trying something different and organizing the data differently and organizing the team differently and using machine learning and getting help from us and building algorithms and building some muscle inside the company it just doesn't happen because it's not in the normal machinery of what most companies do. And so it always, almost always, starts top down. Sometimes it can be the Commissioner or CEO sometimes it can be the CIO but it has to be senior level conviction or it doesn't get off the ground. >> And the business model impact has to be real. For NFL, they know concussions, hurting their youth pipe-lining, this is a huge issue for them. This is their business model. >> They lose even more players to lower extremity injuries. And so just the notion of trying to be able to predict injuries and, you know, the impact it can have on rules and the impact it can have on the equipment they use, it's a huge game changer when they look at the next 10 to 20 years. >> Alright, love geeking out on the NFL but Andy, you know- >> No more NFL talk? >> Off camera how about we talk? >> Nobody talks about the Giants being 2 and 10. >> Stu: We're both Patriots fans here. >> People bring up the undefeated season. >> So Andy- >> Everybody's a Patriot's fan now. 
(Laughter) >> It's fascinating to watch uh, you and your three hour uh, Keynote, uh Werner in his you know, architectural discussion, really showed how AWS is really extending its reach, you know, it's not just a place. For a few years people have been talking about you know, Cloud is an operational model its not a destination or a location but, I felt it really was laid out is you talked about Breadth and Depth and Werner really talked about you know, Architectural differentiation. People talk about Cloud, but there are very-there are a lot of differences between the vision for where things are going. Help us understand why, I mean, Amazon's vision is still a bit different from what other people talk about where this whole Cloud expansion, journey, put ever what tag or label you want on it but you know, the control plane and the technology that you're building and where you see that going. >> Well I think that, we've talked about this a couple times we have two macro types of customers. We have those that really want to get at the low level building blocks and stitch them together creatively however they see fit to create whatever's in their-in their heads. And then we have the second segment of customers that say look, I'm willing to give up some of that flexibility in exchange for getting 80% of the way there much faster. In an abstraction that's different from those low level building blocks. And both segments of builders we want to serve and serve well and so we've built very significant offerings in both areas. 
I think when you look at microservices um, you know, some of it has to do with the fact that we have this very strongly held belief born out of several years of Amazon where you know, the first 7 or 8 years of Amazon's consumer business we basically jumbled together all of the parts of our technology in moving really quickly and when we wanted to move quickly where you had to impact multiple internal development teams it was so long because it was this big ball, this big monolithic piece. And we got religion about that in trying to move faster in the consumer business and having to tease those pieces apart. And it really was a lot of impetus behind conceiving AWS where it was these low level, very flexible building blocks that don't try and make all the decisions for customers, they get to make them themselves. And some of the microservices that you saw Werner talking about just, you know, for instance, what we-what we did with Nitro or even what we did with Firecracker, those are very much about us relentlessly working to continue to uh, tease apart the different components. And even things that look like low level building blocks over time, you build more and more features and all of a sudden you realize they have a lot of things that are combined together that you wished weren't that slow you down and so, Nitro was a completely reimagining of our Hypervisor and Virtualization layer to allow us, both to let customers have better performance but also to let us move faster and have a better security story for our customers. >> I got to ask you the question around transformation because I think that all points, all the data points, you got all the references, Goldman Sachs on stage at the Keynote, Cerner, I mean healthcare just is an amazing example because I mean, that's demonstrating real value there there's no excuse. 
I talked to someone who wouldn't be named last night, in and around the area said, the CIA has a cost bar like this a cost-a budget like this but the demand for mission based apps is going up exponentially, so there's need for the Cloud. And so, you see more and more of that. What is your top down, aggressive goals to fill that solution base because you're also a very transformational thinker; what is your-what is your aggressive top down goals for your organization because you're serving a market with trillions of dollars of spend that's shifting, that's on the table. >> Yeah. >> A lot of competition now sees it too, they're going to go after it. But at the end of the day you have customers that have a demand for things, apps. >> Andy: Yeah. >> And not a lot of budget increase at the same time. This is a huge dynamic. >> Yeah. >> John: What's your goals? >> You know I think that at a high level our top down aggressive goals are that we want every single customer who uses our platform to have an outstanding customer experience. And we want that outstanding customer experience in part is that their operational performance and their security are outstanding, but also that it allows them to build, uh, build projects and initiatives that change their customer experience and allow them to be a sustainable successful business over a long period of time. And then, we also really want to be the technology infrastructure platform under all the applications that people build. And we're realistic, we know that you know, the market segments we address with infrastructure, software, hardware, and data center services globally are trillions of dollars in the long term and it won't only be us, but we have that goal of wanting to serve every application and that requires not just the security operational premise but also a lot of functionality and a lot of capability. 
We have by far the most amount of capability out there and yet I would tell you, we have 3 to 5 years of items on our roadmap that customers want us to add. And that's just what we know today. >> And Andy, underneath the covers you've been going through some transformation. When we talked a couple of years ago, about how serverless is impacting things I've heard that that's actually, in many ways, glue behind the two pizza teams to work between organizations. Talk about how the internal transformations are happening. How that impacts your discussions with customers that are going through that transformation. >> Well, I mean, there's a lot of- a lot of the technology we build comes from things that we're doing ourselves you know? And that we're learning ourselves. It's kind of how we started thinking about microservices, serverless too, we saw the need, you know, we would have we would build all these functions that when some kind of object came into an object store we would spin up, compute, all those tasks would take like, 3 or 4 hundred milliseconds then we'd spin it back down and yet, we'd have to keep a cluster up in multiple availability zones because we needed that fault tolerance and it was- we just said this is wasteful and, that's part of how we came up with Lambda and you know, when we were thinking about Lambda people understandably said, well if we build Lambda and we build this serverless adventure in computing a lot of people were keeping clusters of instances aren't going to use them anymore it's going to lead to less absolute revenue for us. But we, we have learned this lesson over the last 20 years at Amazon which is, if it's something that's good for customers you're much better off cannibalizing yourself and doing the right thing for customers and being part of shaping something. 
And I think if you look at the history of technology you always build things and people say well, that's going to cannibalize this and people are going to spend less money, what really ends up happening is they spend less money per unit of compute but it allows them to do so much more that they ultimately, long term, end up being more significant customers. >> I mean, you are like beating the drum all the time. Customers, what they say, we encompass the roadmap, I got that you guys have that playbook down, that's been really successful for you. >> Andy: Yeah. >> Two years ago you told me machine learning was really important to you because your customers told you. What's the next tranche of importance for customers? What's on top of mind now, as you, look at- >> Andy: Yeah. >> This re:Invent kind of coming to a close, Replay's tonight, you had conversations, you're a tech athlete, you're running around, doing speeches, talking to customers. What's that next hill from if it's machine learning today- >> There's so much I mean, (weird background noise) >> It's not a soup question (Laughter) And I think we're still in the very early days of machine learning, it's not like most companies have mastered it yet even though they're using it much more than they did in the past. But, you know, I think machine learning for sure, I think the Edge for sure, I think that um, we're optimistic about Quantum Computing even though I think it'll be a few years before it's really broadly useful. We're very um, enthusiastic about robotics. I think the amount of functions that are going to be done by these- >> Yeah. >> robotic applications are much more expansive than people realize. It doesn't mean humans won't have jobs, they're just going to work on things that are more value added. We're believers in augmented virtual reality, we're big believers in what's going to happen with Voice. 
And I'm also uh, I think sometimes people get bored you know, I think you're even bored with machine learning already >> Not yet. >> People get bored with the things you've heard about but, I think just what we've done with the Chips you know, in terms of giving people 40% better price performance in the latest generation of X86 processors. It's pretty unbelievable in the difference in what people are going to be able to do. Or just look at big data I mean, big data, we haven't gotten through big data where people have totally solved it. The amount of data that companies want to store, process, analyze, is exponentially larger than it was a few years ago and it will, I think, exponentially increase again in the next few years. You need different tools and services. >> Well I think we're not bored with machine learning we're excited to get started because we have all this data from the video and you guys got SageMaker. >> Andy: Yeah. >> We call it the stairway to machine learning heaven. >> Andy: Yeah. >> You start with the data, move up, knock- >> You guys are very sophisticated with what you do with technology and machine learning and there's so much I mean, we're just kind of, again, in such early innings. And I think that, it was so- before SageMaker, it was so hard for everyday developers and data scientists to build models but the combination of SageMaker and what's happened with thousands of companies standardizing on it the last two years, plus now SageMaker studio, giant leap forward. >> Well, we hope to use the data to transform our experience with our audience. And we're on Amazon Cloud so we really appreciate that. >> Andy: Yeah. >> And appreciate your support- >> Andy: Yeah, of course. >> John: With Amazon and get that machine learning going a little faster for us, that would be better. >> If you have requests I'm interested, yeah. >> So Andy, you talked about that you've got the customers that are builders and the customers that need simplification. 
Traditionally when you get into the, you know, the heart of the majority of adoption of something you really need to simplify that environment. But when I think about the successful enterprise of the future, they need to be builders. how'l I normally would've said enterprise want to pay for solutions because they don't have the skill set but, if they're going to succeed in this new economy they need to go through that transformation >> Andy: Yeah. >> That you talk to, so, I mean, are we in just a total new era when we look back will this be different than some of these previous waves? >> It's a really good question Stu, and I don't think there's a simple answer to it. I think that a lot of enterprises in some ways, I think wish that they could just skip the low level building blocks and only operate at that higher level abstraction. That's why people were so excited by things like, SageMaker, or CodeGuru, or Kendra, or Contact Lens, these are all services that allow them to just send us data and then run it on our models and get back the answers. But I think one of the big trends that we see with enterprises is that they are taking more and more of their development in house and they are wanting to operate more and more like startups. I think that they admire what companies like Airbnb and Pinterest and Slack and Robinhood and a whole bunch of those companies, Stripe, have done and so when, you know, I think you go through these phases and eras where there are waves of success at different companies and then others want to follow that success and replicate it. And so, we see more and more enterprises saying we need to take back a lot of that development in house. And as they do that, and as they add more developers those developers in most cases like to deal with the building blocks. And they have a lot of ideas on how they can creatively stitch them together. 
>> Yeah, on that point, I want to just quickly ask you on Amazon versus other Clouds because you made a comment to me in our interview about how hard it is to provide a service to other people. And it's hard to have a service that you're using yourself and turn that around and the most quoted line of my story was, the compression algorithm- there's no compression algorithm for experience. Which to me, is the diseconomies of scale for taking shortcuts. >> Andy: Yeah. And so I think this is a really interesting point, just add some color commentary because I think this is a fundamental difference between AWS and others because you guys have a trajectory over the years of serving, at scale, customers wherever they are, whatever they want to do, now you got microservices. >> Yeah. >> John: It's even more complex. That's hard. >> Yeah. >> John: Talk about that. >> I think there are a few elements to that notion of there's no compression algorithm for experience and I think the first thing to know about AWS which is different is, we just come from a different heritage and a different background. We ran a business for a long time that was our sole business that was a consumer retail business that was very low margin. And so, we had to operate at very large scale given how many people were using us but also, we had to run infrastructure services deep in the stack, compute storage and database, and reliable scalable data centers at very low cost and margins. And so, when you look at our business it actually, today, I mean its, its a higher margin business in our retail business, its a lower margin business in software companies but at real scale, it's a high volume, relatively low margin business. And the way that you have to operate to be successful with those businesses and the things you have to think about and that DNA come from the type of operators we have to be in our consumer retail business. And there's nobody else in our space that does that. 
So, you know, the way that we think about costs, the way we think about innovation in the data center, um, and I also think the way that we operate services and how long we've been operating services as a company its a very different mindset than operating package software. Then you look at when uh, you think about some of the uh, issues in very large scale Cloud, you can't learn some of those lessons until you get to different elbows of the curve and scale. And so what I was telling you is, its really different to run your own platform for your own users where you get to tell them exactly how its going to be done. But that's not the way the real world works. I mean, we have millions of external customers who use us from every imaginable country and location whenever they want, without any warning, for lots of different use cases, and they have lots of design patterns and we don't get to tell them what to do. And so operating a Cloud like that, at a scale that's several times larger than the next few providers combined is a very different endeavor and a very different operating rigor. >> Well you got to keep raising the bar you guys do a great job, really impressed again. Another tsunami of announcements. In fact, you had to spill the beans earlier with Quantum the day before the event. Tight schedule. I got to ask you about the musical festival because, I think this is a very cool innovation. It's the inaugural Intersect conference. >> Yes. >> John: Which is not part of Replay, >> Yes. >> John: Which is the concert tonight. Its a whole new thing, big music act, you're a big music buff, your daughter's an artist. Why did you do this? What's the purpose? What's your goal? >> Yeah, it's an experiment. I think that what's happened is that re:Invent has gotten so big, we have 65 thousand people here, that to do the party, which we do every year, its like a 35-40 thousand person concert now. 
Which means you have to have a location that has multiple stages and, you know, we thought about it last year and when we were watching it and we said, we're kind of throwing, like, a 4 hour music festival right now. There's multiple stages, and its quite expensive to set up that set for a party and we said well, maybe we don't have to spend all that money for 4 hours and then rip it apart because actually the rent to keep those locations for another two days is much smaller than the cost of actually building multiple stages and so we thought we would try it this year. We're very passionate about music as a business and I think we-I think our customers feel like we've thrown a pretty good music party the last few years and we thought we would try it at a larger scale as an experiment. And if you look at the economics- >> At the headliners real quick. >> The Foo Fighters are headlining on Saturday night, Anderson Paak and the Free Nationals, Brandi Carlile, Shawn Mullins, um, Willy Porter, its a good set. Friday night its Beck and Kacey Musgraves so it's a really great set of um, about thirty artists and we're hopeful that if we can build a great experience that people will want to attend that we can do it at scale and it might be something that both pays for itself and maybe, helps pay for re:Invent too overtime and you know, I think that we're also thinking about it as not just a music concert and festival the reason we named it Intersect is that we want an intersection of music genres and people and ethnicities and age groups and art and technology all there together and this will be the first year we try it, its an experiment and we're really excited about it. >> Well I'm gone, congratulations on all your success and I want to thank you we've been 7 years here at re:Invent we've been documenting the history. You got two sets now, one set upstairs. So appreciate you. 
>> theCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well. >> And we just launched CUBE365 on Amazon Marketplace built on AWS so thanks for letting us- >> Very cool >> John: Build on the platform. Appreciate it. >> Thanks for having me guys, I appreciate it. >> Andy Jassy the CEO of AWS here inside theCUBE, it's our 7th year covering and documenting the thunderous innovation that Amazon's doing, they're really doing amazing work building out the new technologies here in the Cloud computing world. I'm John Furrier, Stu Miniman, be right back with more after this short break. (Outro music)
4-video test
>>don't talk mhm, >>Okay, thing is my presentation on coherent nonlinear dynamics and combinatorial optimization. This is going to be a talk to introduce an approach we're taking to the analysis of the performance of coherent using machines. So let me start with a brief introduction to easing optimization. The easing model represents a set of interacting magnetic moments or spins the total energy given by the expression shown at the bottom left of this slide. Here, the signal variables are meditate binary values. The Matrix element J. I. J. Represents the interaction, strength and signed between any pair of spins. I. J and A Chive represents a possible local magnetic field acting on each thing. The easing ground state problem is to find an assignment of binary spin values that achieves the lowest possible value of total energy. And an instance of the easing problem is specified by giving numerical values for the Matrix J in Vector H. Although the easy model originates in physics, we understand the ground state problem to correspond to what would be called quadratic binary optimization in the field of operations research and in fact, in terms of computational complexity theory, it could be established that the easing ground state problem is np complete. Qualitatively speaking, this makes the easing problem a representative sort of hard optimization problem, for which it is expected that the runtime required by any computational algorithm to find exact solutions should, as anatomically scale exponentially with the number of spends and for worst case instances at each end. Of course, there's no reason to believe that the problem instances that actually arrives in practical optimization scenarios are going to be worst case instances. And it's also not generally the case in practical optimization scenarios that we demand absolute optimum solutions. 
Usually we're more interested in just getting the best solution we can within an affordable cost, where costs may be measured in terms of time, service fees and or energy required for a computation. This focuses great interest on so called heuristic algorithms for the easing problem in other NP complete problems which generally get very good but not guaranteed optimum solutions and run much faster than algorithms that are designed to find absolute Optima. To get some feeling for present day numbers, we can consider the famous traveling salesman problem for which extensive compilations of benchmarking data may be found online. A recent study found that the best known TSP solver required median run times across the Library of Problem instances That scaled is a very steep route exponential for end up to approximately 4500. This gives some indication of the change in runtime scaling for generic as opposed the worst case problem instances. Some of the instances considered in this study were taken from a public library of T SPS derived from real world Veil aside design data. This feels I TSP Library includes instances within ranging from 131 to 744,710 instances from this library with end between 6880 13,584 were first solved just a few years ago in 2017 requiring days of run time and a 48 core to King hurts cluster, while instances with and greater than or equal to 14,233 remain unsolved exactly by any means. Approximate solutions, however, have been found by heuristic methods for all instances in the VLS i TSP library with, for example, a solution within 0.14% of a no lower bound, having been discovered, for instance, with an equal 19,289 requiring approximately two days of run time on a single core of 2.4 gigahertz. 
Now, if we simple-mindedly extrapolate the root exponential scaling from the study up to N equal to 4,500, we might expect that an exact solver would require something more like a year of run time on the 48-core cluster used for the N equals 13,584 instance, which shows how much a very small concession on the quality of the solution makes it possible to tackle much larger instances with much lower cost. At the extreme end, the largest TSP ever solved exactly has N equal to 85,900. This is an instance derived from 1980s VLSI design, and it required 136 CPU-years of computation normalized to a single core, 2.4 gigahertz. But the 24 larger so-called world TSP benchmark instance with N equals 1,904,711 has been solved approximately with an optimality gap bounded below 0.474%. Coming back to the general practical concerns of applied optimization, we may note that a recent meta-study analyzed the performance of no fewer than 37 heuristic algorithms for Max-Cut and quadratic binary optimization problems and found the performance sort and found that different heuristics work best for different problem instances selected from a large-scale heterogeneous test bed, with some evidence but cryptic structure in terms of what types of problem instances were best solved by any given heuristic. Indeed, there are reasons to believe that these results from Max-Cut and quadratic binary optimization reflect a general principle of performance complementarity among heuristic optimization algorithms. In the practice of solving hard optimization problems, there thus arises a critical pre-processing issue of trying to guess which of a number of available good heuristic algorithms should be chosen to tackle a given problem instance. Assuming that any one of them would incur high costs to run on a large problem instance, making an astute choice of heuristic is a crucial part of maximizing overall performance.
Unfortunately, we still have very little conceptual insight about what makes a specific problem instance good or bad for any given heuristic optimization algorithm. This has certainly been pinpointed by researchers in the field as a circumstance that must be addressed. So adding this all up, we see that a critical frontier for cutting-edge academic research involves both the development of novel heuristic algorithms that deliver better performance with lower cost on classes of problem instances that are underserved by existing approaches, as well as fundamental research to provide deep conceptual insight into what makes a given problem instance easy or hard for such algorithms. In fact, these days, as we talk about the end of Moore's law and speculate about a so-called second quantum revolution, it's natural to talk not only about novel algorithms for conventional CPUs but also about highly customized special-purpose hardware architectures on which we may run entirely unconventional algorithms for combinatorial optimization, such as the Ising problem. So against that backdrop, I'd like to use my remaining time to introduce our work on analysis of coherent Ising machine architectures and associated optimization algorithms. These machines, in general, are a novel class of information processing architectures for solving combinatorial optimization problems by embedding them in the dynamics of analog, physical or cyber-physical systems, in contrast to both more traditional engineering approaches that build Ising machines using conventional electronics and more radical proposals that would require large-scale quantum entanglement. The emerging paradigm of coherent Ising machines leverages coherent nonlinear dynamics in photonic or optoelectronic platforms to enable near-term construction of large-scale prototypes that leverage post-CMOS information dynamics. The general structure of current CIM systems is shown in the figure on the right.
The role of the Ising spins is played by a train of optical pulses circulating around a fiber optical storage ring. A beam splitter inserted in the ring is used to periodically sample the amplitude of every optical pulse, and the measurement results are continually read into an FPGA, which uses them to compute perturbations to be applied to each pulse by synchronized optical injections. These perturbations are engineered to implement the spin-spin coupling and local magnetic field terms of the Ising Hamiltonian, corresponding to a linear part of the CIM dynamics. A synchronously pumped parametric amplifier, denoted here as PPLN waveguide, adds a crucial nonlinear component to the CIM dynamics as well. In the basic CIM algorithm, the pump power starts very low and is gradually increased. At low pump powers, the amplitudes of the Ising spin pulses behave as continuous, complex variables, whose real parts, which can be positive or negative, play the role of soft or perhaps mean-field spins. Once the pump power crosses the threshold for parametric self-oscillation in the optical fiber ring, however, the amplitudes of the Ising spin pulses become effectively quantized into binary values. While the pump power is being ramped up, the FPGA subsystem continuously applies its measurement-based feedback implementation of the Ising Hamiltonian terms. The interplay of the linearized Ising dynamics implemented by the FPGA and the threshold conversation dynamics provided by the sync-pumped parametric amplifier result in the final state of the optical pulse amplitudes at the end of the pump ramp that could be read as a binary string, giving a proposed solution of the Ising ground state problem.
This method of solving the Ising problem seems quite different from a conventional algorithm that runs entirely on a digital computer, as a crucial aspect of the computation is performed physically by the analog, continuous, coherent, nonlinear dynamics of the optical degrees of freedom. In our efforts to analyze CIM performance, we have therefore turned to the tools of dynamical systems theory, namely, a study of bifurcations, the evolution of critical points and topologies of heteroclinic orbits and basins of attraction. We conjecture that such analysis can provide fundamental insight into what makes certain optimization instances hard or easy for coherent Ising machines, and hope that our approach can lead to both improvements of the core CIM algorithm and a pre-processing rubric for rapidly assessing the CIM suitability of new instances. Okay, to provide a bit of intuition about how this all works, it may help to consider the threshold dynamics of just one or two optical parametric oscillators in the CIM architecture just described. We can think of each of the pulse time slots circulating around the fiber ring as representing an independent OPO. We can think of a single OPO degree of freedom as a single, resonant optical node that experiences linear dissipation due to out-coupling loss and gain in a pumped nonlinear crystal, as shown in the diagram on the upper left of this slide. As the pump power is increased from zero, as in the CIM algorithm, the nonlinear gain is initially too low to overcome linear dissipation, and the OPO field remains in a near-vacuum state. At a critical threshold value, gain equals dissipation and the OPO undergoes a sort of lasing transition, and the steady states of the OPO above this threshold are essentially coherent states.
There are actually two possible values of the OPO coherent amplitude at any given above-threshold pump power, which are equal in magnitude but opposite in phase. When the OPO crosses this threshold, it basically chooses one of the two possible phases randomly, resulting in the generation of a single bit of information. If we consider two uncoupled OPOs, as shown in the upper right diagram, pumped at exactly the same power at all times, then, as the pump power is increased through threshold, each OPO will independently choose a phase and thus two random bits are generated. For any number of uncoupled OPOs, the threshold power per OPO is unchanged from the single OPO case. Now, however, consider a scenario in which the two OPOs are coupled to each other by a mutual injection of their out-coupled fields, as shown in the diagram on the lower right. One can imagine that depending on the sign of the coupling parameter alpha, when one OPO is lasing, it will inject a perturbation into the other that may interfere either constructively or destructively with the field that it is trying to generate by its own lasing process. As a result, one can easily show that for alpha positive, there's an effective ferromagnetic coupling between the two OPO fields and their collective oscillation threshold is lowered from that of the independent OPO case, but only for the two collective oscillation modes in which the two OPO phases are the same. For alpha negative, the collective oscillation threshold is lowered only for the configurations in which the OPO phases are opposite. So then, looking at how alpha is related to the J_ij matrix of the Ising spin coupling Hamiltonian, it follows that we could use this simplistic two-OPO CIM to solve the ground state problem of a ferromagnetic or antiferromagnetic N equals two Ising model simply by increasing the pump power from zero and observing what phase relation occurs as the two OPOs first start to lase.
Clearly, we can imagine generalizing this story to larger N; however, the story doesn't stay as clean and simple for all larger problem instances. And to find a more complicated example, we only need to go to N equals four. For some choices of J_ij for N equals four, the story remains simple, like the N equals two case. The figure on the upper left of this slide shows the energy of various critical points for a non-frustrated N equals four instance, in which the first bifurcated critical point, that is, the one that bifurcates at the lowest pump value a, uh, this first bifurcated critical point flows asymptotically into the lowest energy Ising solution. In the figure on the upper right, however, the first bifurcated critical point flows to a very good but sub-optimal minimum at large pump power. The global minimum is actually given by a distinct critical point that first appears at a higher pump power and is not adiabatically connected to the origin. The basic CIM algorithm is thus not able to find this global minimum. Such non-ideal behaviors seem to become more common at larger N. For the N equals 20 instance shown in the lower plots, where the lower right plot is just a zoom into a region of the lower left plot, it can be seen that the global minimum corresponds to a critical point that first appears at a pump parameter a around 0.16, at some distance from the adiabatic trajectory of the origin. It's curious to note that in both of these small-N examples, however, the critical point corresponding to the global minimum appears relatively close to the adiabatic trajectory of the origin as compared to most of the other local minima that appear. We're currently working to characterize the phase portrait topology between the global minimum and the adiabatic trajectory of the origin, taking clues as to how the basic CIM algorithm could be generalized to search for non-adiabatic trajectories that jump to the global minimum during the pump ramp.
Of course, N equals 20 is still too small to be of interest for practical optimization applications. But the advantage of beginning with the study of small instances is that we're able reliably to determine their global minima and to see how they relate to the adiabatic trajectory of the origin in the basic CIM algorithm. In the small-N limit, we can also analyze fully quantum mechanical models of CIM dynamics. But that's a topic for future talks. Um, existing large-scale prototypes are pushing into the range of N equals 10 to the 4, 10 to the 5, 10 to the 6. So our ultimate objective in theoretical analysis really has to be to try to say something about CIM dynamics in a regime of much larger N. Our initial approach to characterizing CIM behavior in the large-N regime relies on the use of random matrix theory, and this connects to prior research on spin glasses, SK models and the TAP equations, et cetera. At present, we're focusing on statistical characterization of the CIM gradient descent landscape, including the evolution of critical points and their eigenvalue spectra as the pump power is gradually increased. We're investigating, for example, whether there could be some way to exploit differences in the relative stability of the global minimum versus other local minima. We're also working to understand the deleterious or potentially beneficial effects of non-idealities, such as asymmetry in the implemented Ising couplings. Looking one step ahead, we plan to move next in the direction of considering more realistic classes of problem instances, such as quadratic binary optimization with constraints. So, in closing, I should acknowledge people who did the hard work on these things that I've shown.
My group, including graduate students Edwin Ng, Daniel Wennberg, Tatsuya Nagamoto and Atsushi Yamamura, have been working in close collaboration with Surya Ganguli, Marty Fejer and Amir Safavi-Naeini, all of us within the Department of Applied Physics at Stanford University, and also in collaboration with Yoshihisa Yamamoto over at NTT PHI research labs. And I should acknowledge funding support from the NSF by the Coherent Ising Machines Expedition in Computing, also from NTT PHI research labs, Army Research Office and Exxon Mobil. Uh, that's it. Thanks very much. >>Mhm e >>t research and the Oshie for putting together this program and also the opportunity to speak here. My name is Alireza Marandi and I'm from Caltech, and today I'm going to tell you about the work that we have been doing on networks of optical parametric oscillators and how we have been using them for Ising machines and how we're pushing them toward quantum photonics. To acknowledge my team at Caltech, which is now eight graduate students and five researchers and postdocs, as well as collaborators from all over the world, including NTT Research, and also the funding from different places, including NTT. So this talk is primarily about networks of resonators, and these networks are everywhere, from nature, for instance, the brain, which is a network of oscillators, all the way to optics and photonics, and some of the biggest examples are metamaterials, which is an array of small resonators. And more recently the field of topological photonics, which is trying to implement a lot of the topological behaviors of models in condensed matter physics in photonics, and if you want to extend it even further, some of the implementations of quantum computing are technically networks of quantum oscillators.
So we started thinking about these things in the context of Ising machines, which is based on the Ising problem, which is based on the Ising model, which is the simple summation over the spins, and spins can be either up or down, and the couplings are given by the J_ij. And the Ising problem is, if you know J_ij, what is the spin configuration that gives you the ground state? And this problem is shown to be an NP-hard problem. So it's computationally important because it's a representative of the NP problems, and NP problems are important because, first, they're hard on standard computers if you use a brute force algorithm, and they're everywhere on the application side. That's why there is this demand for making a machine that can target these problems, and hopefully it can provide some meaningful computational benefit compared to the standard digital computers. So I've been building these Ising machines based on this building block, which is a degenerate optical parametric oscillator, and what it is is a resonator with nonlinearity in it, and we pump these resonators and we generate the signal at half the frequency of the pump. One photon of pump splits into two identical photons of signal, and they have some very interesting phase and frequency locking behaviors. And if you look at the phase locking behavior, you realize that you can actually have two possible phase states as the oscillation result of these OPOs, which are off by pi, and that's one of the important characteristics of them. So I want to emphasize a little more on that, and I have this mechanical analogy, which are basically two simple pendulums. But they are parametric oscillators because I'm going to modulate the parameter of them in this video, which is the length of the string, and by that modulation, which is that will make a pump. I'm gonna make a muscular. That'll make a signal which is half the frequency of the pump.
And I have two of them to show you that they can acquire these phase states, so they're still phase and frequency locked to the pump. But it can also land in either the zero or pi phase states, and the idea is to use this binary phase to represent the binary Ising spin. So each OPO is going to represent a spin, which can be either zero or pi, or up or down. And to implement the network of these resonators, we use the time-multiplexing scheme, and the idea is that we put N pulses in the cavity. These pulses are separated by the repetition period that you put in, or T_R. And you can think about these pulses in one resonator as N temporally separated synthetic resonators. If you want to couple these resonators to each other, now you can introduce these delays, each of which is a multiple of T_R. If you look at the shortest delay, it couples resonator 1 to 2, 2 to 3 and so on. If you look at the second delay, which is two times the repetition period, that couples 1 to 3 and so on. And if you have N minus one delay lines, then you can have any potential couplings among these synthetic resonators. And if I can introduce these modulators in those delay lines so that I can, I can control the strength and the phase of these couplings at the right time, then I can have a programmable all-to-all connected network in this time-multiplexed scheme, and the whole physical size of the system scales linearly with the number of pulses. So the idea of the OPO-based Ising machine is then having these OPOs, each of them can be either zero or pi, and I can arbitrarily connect them to each other. And then I start with programming this machine to a given Ising problem by just setting the couplings and setting the controllers in each of those delay lines. So now I have a network which represents an Ising problem. Then the Ising problem maps to finding the phase state that satisfies the maximum number of coupling constraints.
And the way it happens is that the Ising Hamiltonian maps to the linear loss of the network. And if I start adding gain by just putting pump into the network, then the OPOs are expected to oscillate in the lowest-loss state. And, uh, and we have been doing these in the past, uh, six or seven years, and I'm just going to quickly show you the transition, especially what happened in the first implementation, which was using a free space optical system, and then the guided wave implementation in 2016, and the measurement feedback idea, which led to increasing the size and doing actual computation with these machines. So I just want to make this distinction here that, um, the first implementation was an all-optical interaction. We also had an N equals 16 implementation. And then we transitioned to this measurement feedback idea, which I'll tell you quickly what it is, and there's still a lot of ongoing work, especially on the NTT side, to make larger machines using the measurement feedback. But I'm gonna mostly focus on the all-optical networks and how we're using all-optical networks to go beyond simulation of the Ising Hamiltonian, both on the linear and nonlinear side, and also how we're working on miniaturization of these OPO networks. So the first experiment, which was the four-OPO machine, it was a free space implementation, and this is the actual picture of the machine, and we implemented a small N equals four Max-Cut problem on the machine. So one problem for one experiment, and we ran the machine 1000 times, we looked at the state and we always saw it oscillate in one of these, um, ground states of the Ising Hamiltonian. So then the measurement feedback idea was to replace those couplings and the controller with the simulator. So we basically simulated all those coherent interactions on an FPGA. And we replicated the coherent pulse with respect to all those measurements. And then we injected it back into the cavity, and the nonlinearity still remains.
So it still is a nonlinear dynamical system, but the linear side is all simulated. So there are lots of questions about if this system is preserving important information or not, or if it's gonna behave better computation-wise. And that's still a lot of ongoing studies. But nevertheless, the reason that this implementation was very interesting is that you don't need the N minus one delay lines, so you can just use one. Then you can implement a large machine, and then you can run several thousands of problems in the machine, and then you can compare the performance from the computational perspective. So I'm gonna split this idea of the OPO-based Ising machine into two parts. One is the linear part, which is if you take the nonlinearity out of the resonator and just think about the connections. You can think about this as a simple matrix multiplication scheme. And that's basically what gives you the Ising Hamiltonian modeling. So the optical loss of this network corresponds to the Ising Hamiltonian. And if I just want to show you the example of the N equals four experiment and all those phase states and the histogram that we saw, you can actually calculate the loss of each of those states, because all those interferences in the beam splitters and the delay lines are going to give you different losses. And then you will see that the ground states correspond to the lowest loss of the actual optical network. If you add the nonlinearity, the simple way of thinking about what the nonlinearity does is that it provides the gain, and then you start bringing up the gain so that it hits the loss. Then you go through the gain saturation or the threshold, which is going to give you this phase bifurcation. So you go either to the zero or the pi phase state. And the expectation is that the network oscillates in the lowest possible state, the lowest possible loss state.
There are some challenges associated with this intensity-driven phase transition, which I'm going to briefly talk about. I'm also going to tell you about other types of nonlinear dynamics that we're looking at on the nonlinear side of these networks. So if you just think about the linear network, we're actually interested in looking at some topological behaviors in these networks. And the difference between looking at the topological behaviors and the Ising, uh, machine is that now, first of all, we're looking at the type of Hamiltonians that are a little different than the Ising Hamiltonian. And one of the biggest differences is that most of these topological Hamiltonians require breaking the time reversal symmetry, meaning that you go from one spin on the one side to another side and you get one phase, and if you go back you get a different phase. And the other thing is that we're not just interested in finding the ground state, we're actually now interested in looking at all sorts of states and looking at the dynamics and the behaviors of all these states in the network. So we started with the simplest implementation, of course, which is a 1D chain of these resonators, which corresponds to a so-called SSH model. In the topological work, we get the similar energy-to-loss mapping, and now we can actually look at the band structure, and this is an actual measurement that we get with this SSH model, and you see how reasonably, how well it actually follows the prediction and the theory. One of the interesting things about the time-multiplexing implementation is that now you have the flexibility of changing the network as you are running the machine. And that's something unique about this time-multiplexed implementation, so that we can actually look at the dynamics. And one example that we have looked at is we can actually go through the transition of going from topological to the, to the standard nontrivial.
I'm sorry, to the trivial behavior of the network. You can then look at the edge states, and you can also see the trivial end states and the topological edge states actually showing up in this network. We have just recently implemented a 2D, uh, network with the Harper-Hofstadter model and when you don't have the results here. But we're one of the other important characteristics of time multiplexing is that you can go to higher and higher dimensions and keep that flexibility and dynamics, and we can also think about adding nonlinearity both in the classical and quantum regimes, which is going to give us a lot of exotic nonclassical and quantum nonlinear behaviors in these networks. Yeah, so I told you about the linear side mostly. Let me just switch gears and talk about the nonlinear side of the network. And the biggest thing that I talked about so far in the Ising machine is this phase transition at threshold. So below threshold we have squeezed states in these OPOs; if you increase the pump, we go through this intensity-driven phase transition, and then we get the phase states above threshold. And this is basically the mechanism of the computation in these OPOs, which is through this phase transition, below to above threshold. So one of the characteristics of this phase transition is that below threshold, you expect to see quantum states; above threshold, you expect to see more classical states or coherent states, and that's basically corresponding to the intensity of the driving pump. So it's really hard to imagine that it can go above threshold, or you can have this phase transition happen all in the quantum regime. And there are also some challenges associated with the intensity homogeneity of the network, which, for example, is if one OPO starts oscillating and then its intensity goes really high, then it's going to ruin this collective decision making of the network because of the intensity-driven phase transition nature.
So, so the question is, can we look at other phase transitions? Can we utilize them for computing? And also, can we bring them to the quantum regime? And I'm going to specifically talk about the phase transition in the spectral domain, which is the transition from the so-called degenerate regime, which is what I mostly talked about, to the non-degenerate regime, which happens by just tuning the phase of the cavity. And what is interesting is that this phase transition corresponds to a distinct phase noise behavior. So in the degenerate regime, which we call the ordered state, you're gonna have the phase being locked to the phase of the pump, as I talked about. In the non-degenerate regime, however, the phase is, the phase is mostly dominated by the quantum diffusion of the, of the phase, which is limited by the so-called Schawlow-Townes limit, and you can see that transition from the degenerate to non-degenerate, which also has distinct symmetry differences. And this transition corresponds to a symmetry breaking. In the non-degenerate case, the signal can acquire any of those phases on the circle, so it has a U(1) symmetry. Okay, and if you go to the degenerate case, then that symmetry is broken and you only have zero or pi phase states I will look at. So now the question is, can we utilize this phase transition, which is a phase-driven phase transition, and can we use it for a similar computational scheme? So that's one of the questions that we're also thinking about. And it's not just, this phase transition is not just important for computing. It's also interesting from the sensing potentials, and this phase transition, you can easily bring it below threshold and just operate it in the quantum regime, either Gaussian or non-Gaussian. If you make a network of OPOs, now we can see all sorts of more complicated and more interesting phase transitions in the spectral domain.
One of them is the first-order phase transition, which you get by just coupling two OPOs, and that's a very abrupt phase transition compared to the, to the single OPO phase transition. And if you do the couplings right, you can actually get a lot of non-Hermitian dynamics and exceptional points, which are actually very interesting to explore both in the classical and quantum regime. And I should also mention that you can think about the couplings to be also nonlinear couplings. And that's another behavior that you can see, especially in the nonlinear, in the non-degenerate regime. So with that, I basically told you about these OPO networks, how we can think about the linear scheme and the linear behaviors, and how we can think about the rich nonlinear dynamics and nonlinear behaviors both in the classical and quantum regime. I want to switch gears and tell you a little bit about the miniaturization of these OPO networks. And of course, the motivation is, if you look at the electronics and what we had 60 or 70 years ago with the vacuum tube, and how we transitioned from relatively small-scale computers in the order of thousands of nonlinear elements to billions of nonlinear elements, where we are now with the optics is probably very similar to 70 years ago, which is a tabletop implementation. And the question is, how can we utilize nanophotonics? I'm gonna just briefly show you the two directions on that which we're working on. One is based on lithium niobate, and the other is based on even smaller resonators, could you? So the work on nanophotonic lithium niobate was started in collaboration with Harvard, Marko Loncar, and also Marty Fejer at Stanford. And, uh, we could show that you can do the periodic poling in the thin-film niobate and get all sorts of very highly nonlinear processes happening in this nanophotonic periodically poled lithium niobate. And now we're working on building OPOs based on that kind of photonic thin-film niobate.
And these are some, some examples of the devices that we have been building in the past few months, which I'm not gonna tell you more about. But the OPOs and the OPO networks are in the works. And that's not the only way of making large networks. Um, but also I want to point out that the reason that these nanophotonic goblins are actually exciting is not just because you can make large networks and can make them compact in a, in a small footprint. They also provide some opportunities in terms of the operation regime. And one of them is about making cat states in OPOs, which is, can we have the quantum superposition of the zero and pi states that I talked about, and the nanophotonic lithium niobate provides some opportunities to actually get closer to that regime because of the spatial-temporal confinement that you can get in these waveguides. So we're doing some theory on that. We're confident that the type of nonlinearity-to-loss ratios that it can get with these platforms are actually much higher than what you can get with other platforms, other existing platforms, and to go even smaller, we have been asking the question of what is the smallest possible OPO that you can make? Then you can think about really wavelength-scale type resonators and adding the chi-2 nonlinearity and see how and when you can get the OPO to operate. And recently, in collaboration with USC, we have been, actually USC and CREOL, we have demonstrated that you can use nanolasers and get some spin Hamiltonian implementations on those networks. So if you can build the OPOs, we know that there is a path for implementing OPO networks on, on such a nanoscale. So we have looked at these calculations and we tried to estimate the threshold of OPOs, let's say for a Mie resonator, and it turns out that it can actually be even lower than the type of bulk PPLN OPOs that we have been building in the past 50 years or so.
So we're working on the experiments and we're hoping that we can actually make even larger and larger scale OPO networks. So let me summarize the talk. I told you about the OPO networks and our work that has been going on on Ising machines and the measurement feedback. And I told you about the ongoing work on the all-optical implementations both on the linear side and also on the nonlinear behaviors. And I also told you a little bit about the efforts on miniaturization and going to the nanoscale. So with that, I would like to >> three from the University of Tokyo. Before I start, I would like to thank Yoshi and all the staff of NTT for the invitation and the organization of this online meeting, and also would like to say that it has been very exciting to see the growth of this new PHI Lab. And I'm happy to share with you today some of the recent works that have been done either by me or by character of Hong Kong. Honest Group indicates the title of my talk is a neuromorphic in silico simulator for the coherent Ising machine. And here is the outline. I would like to make the case that the simulation in digital electronics of the CIM can be useful for the better understanding or improving its function principles by new job introducing some ideas from neural networks. This is what I will discuss in the first part, and then I will show some proof of concept of the gain in performance that can be obtained using this simulation in the second part, and the projection of the performance that can be achieved using a very large-scale simulator in the third part, and finally talk about future plans. So first, let me start by comparing recently proposed Ising machines using this table there is elected from a recent Nature Electronics paper from the Hewlett Packard people, and this comparison shows that there's always a trade-off between energy efficiency, speed and scalability that depends on the physical implementation.
So in red, here are the limitations of each of the hardware, and, interestingly, the FPGA-based systems such as the Fujitsu Digital Annealer, uh, the Toshiba bifurcation machine, or a recently proposed restricted Boltzmann machine FPGA by a group in Berkeley, they offer a good compromise between speed and scalability. And this is why, despite the unique advantage that some of these other hardware have, such as the coherent superposition in flux qubits or the energy efficiency of memristors, uh, FPGAs are still an attractive platform for building large Ising machines in the near future. The reason for the good performance of FPGAs is not so much that they operate at a high frequency, nor that they are particularly energy efficient, but rather that the physical wiring of their elements can be reconfigured in a way that limits the von Neumann bottleneck, large fan-in and fan-outs, and the long propagation delay of information within the system. In this respect, the FPGAs, they are interesting from the perspective of the physics of complex systems, rather than the physics of the electrons or the photons. So to put the performance of these various hardware in perspective, we can look at the computation performed by the brain: the brain computes using billions of neurons, using only 20 watts of power, and operates at a relatively slow frequency. And so these impressive characteristics, they motivate us to try to investigate what kind of neuro-inspired principles would be useful for designing better Ising machines. The idea of this research project in the future collaboration is to temporarily alleviate the limitations that are intrinsic to the realization of an optical coherent Ising machine, shown in the top panel here.
By designing a large-scale simulator in silico, in the bottom here, that can be used for digesting the better organization principles of the CIM. And in this talk, I will talk about three neuro-inspired principles, that are the asymmetry of connections, neural dynamics are often chaotic because of asymmetry in connectivity; the microstructure, neural networks are not composed of the repetition of always the same types of nonlinear elements, the neurons, but there is a local structure that is repeated. So here's the schematic of the microcolumn in the cortex. And lastly, the hierarchical organization of connectivity: connectivity is organized in a tree structure in the brain. So here you see a representation of the hierarchical organization of the monkey cerebral cortex. So how can these principles be used to improve the performance of the Ising machines and its in silico simulation? So, first about the first two principles of the asymmetry and microstructure. We know that the classical approximation of the coherent Ising machine, which is analogous to the rate-based neural networks. So in the case of the Ising machines, uh, the classical approximation can be obtained using the trump active in your position, for example, so the dynamics of both of the systems, they can be described by the following ordinary differential equations, in which, in the case of the CIM, the x_i represent the in-phase component of one DOPO, the f represents the nonlinear optical part, the degenerate optical parametric amplification, and the sum of the omega_ij x_j represents the coupling, which is done in the case of the measurement-feedback coupling CIM using homodyne detection and FPGA and then injection of the coupling term. And so these dynamics in both cases of CIM and neural networks, they can be written as the gradient descent of a potential function V, and this is written here, and this potential function includes the Ising Hamiltonian.
So this is why it's natural to use this type of, uh, dynamics to solve the Ising problem in which the omega_ij are the Ising couplings and the H is the extension of the Ising Hamiltonian in India and expect so. Note that this potential function can only be defined if the omega_ij are symmetric. So the well-known problem of this approach is that this potential function V that we obtain is very non-convex at low temperature, and also one strategy is to gradually deform this landscape, using some annealing process. But there is no theorem, unfortunately, that guarantees convergence to the global minimum of the Ising Hamiltonian using this approach. And so this is why we propose, uh, to introduce a microstructure of the system where one analog spin or one DOPO is replaced by a pair of one analog spin and one error-correcting variable. And the addition of this microstructure introduces asymmetry in the system, which in turn induces chaotic dynamics, a chaotic search rather than a learning process for searching for the ground state of the Ising Hamiltonian. Within this microstructure the role of the error variable is to control the amplitude of the analog spins, to force the amplitude of the x_i to become equal to a certain target amplitude a, uh, and, uh, and this is done by modulating the strength of the Ising couplings; you see the error variable e_i multiplies the Ising coupling here in the dynamics of the DOPO. And then the dynamics, the whole dynamics, is described by these coupled equations. Because the e_i do not necessarily take the same value for the different i, this introduces asymmetry in the system, which in turn creates chaotic dynamics, which I'm showing here for solving a certain size of, um, SK problem, uh, in which the x_i are shown here and the e_i are shown here and the value of the Ising energy is shown in the bottom plots.
You see this chaotic search that visits various local minima of the Ising Hamiltonian and eventually finds the global minimum. Um, it can be shown that this modulation of the target amplitude can be used to destabilize all the local minima of the Ising Hamiltonian so that we do not get stuck in any of them. And moreover, the other types of attractors that can eventually appear, such as limit cycle attractors or chaotic attractors, they can also be destabilized using the modulation of the target amplitude. And so we have proposed in the past two different modulations of the target amplitude. The first one is a modulation that ensures the, uh, entropy production rate of the system to become positive, and this forbids the creation of any nontrivial attractors. But in this work, I will talk about another modulation, a heuristic modulation, which is given here, that works, uh, as well as this first, uh, modulation, but is easier to be implemented on FPGA. So these coupled equations that represent the simulation of the coherent Ising machine with some error correction, they can be implemented especially efficiently on an FPGA. And here I show the time that it takes to simulate this system, and also in red you see the time that it takes to simulate the x_i term, the e_i term, the dot product and the Ising Hamiltonian for a system with 500 spins and Iraq Spain's equivalent to 500 DOPOs. So >> in >> FPGA, the nonlinear dynamics, which corresponds to the degenerate optical parametric amplification, the OPA of the CIM, can be computed in only 13 clock cycles at 300 yards. So which corresponds to about 0.1 microseconds. And this is to be, uh, compared to what can be achieved in the measurement-feedback CIM, in which, if we want to get 500 time-multiplexed DOPOs with the one gigahertz repetition rate through the optical nonlinearity, uh, then we would require 0.5 microseconds to do this, so the simulation in FPGA can be at least as fast as a one gigahertz repetition.
Uh, rate pulsed laser CIM. Um, then the dot product that appears in this differential equation can be computed in 43 clock cycles. That's to say, one microsecond at 15 years. So for problem sizes that are larger than 500 spins, the dot product becomes clearly the bottleneck, and this can be seen by looking at the scaling of the time, the numbers of clock cycles it takes to compute either the nonlinear optical part or the dot products, with respect to the problem size. And if we had an infinite amount of resources on the FPGA to simulate the dynamics, then the nonlinear optical part could be done in O(1), and the matrix-vector product could be done in the logarithm of N, scales as the logarithm of N. And why the log of N? Because computing the dot product involves summing all the terms in the product, which is done on an FPGA by an adder tree, whose height scales logarithmically with the size of the system. But this is in the case if we had an infinite amount of resources on the FPGA. But for dealing with larger problems of more than 100 spins, usually we need to decompose the matrix into, ah, smaller blocks with the block size that I denote U here. And then the scaling becomes, for the nonlinear part, linear in N over U, and for the dot products, in N over U, squared. So typically for a low-end FPGA, U, the block size of this matrix, is typically about 100. So clearly we want to make U as large as possible in order to maintain this scaling in log of N for the numbers of clock cycles needed to compute the product, rather than this N squared that occurs if we decompose the matrix into smaller blocks. But the difficulty in, uh, having this larger block size is that having a very large adder tree introduces a large fan-in and fan-out and long-distance data paths within the FPGA.
So the solution to get higher performance for a simulator of the coherent Ising machine is to get rid of this bottleneck for the dot product by increasing the size of this adder tree. And this can be done by organizing hierarchically the electrical components within the FPGA, which is shown here in this, uh, right panel here, in order to minimize the fan-in and fan-out of the system and to minimize the long-distance data paths in the FPGA. So I'm not going into the details of how this is implemented on FPGA, but just to give you an idea of why the hierarchical organization of the system becomes extremely important to get good performance for simulating Ising machines. So instead of getting into the details of the FPGA implementation, I would like to give a few benchmark results of this simulator, uh, that was used as a proof of concept for this idea, which can be found in this arXiv paper here. And here I show results for solving SK problems, fully connected, random plus or minus one spin-glass problems, and we use as a metric the numbers of the matrix-vector products, since it's the bottleneck of the computation, uh, to get the optimal solution of this SK problem with the Nina success probability against the problem size here. And in red here is this proposed FPGA implementation, and in, ah, blue is the numbers of matrix-vector products that are necessary for the CIM without error correction to solve these SK problems, and in green here for noisy mean-field annealing, which has, uh, behavior similar to the coherent Ising machine. Uh, and so clearly you see that the scaling of the numbers of matrix-vector products necessary to solve this problem scales with a better exponent than these other approaches.
So that's an interesting feature of the system, and next we can see what is the real time to solution to solve these SK instances. So in the last six years, the time to solution in seconds to find a ground state of SK instances remain answers probability for different state-of-the-art hardware. So in red is the FPGA implementation proposed in this paper, and then the other curves represent, ah, breakout local search in orange and simulated annealing in purple, for example. And so you see that the scaling of this proposed simulator is rather good, and that for larger problem sizes we can get orders of magnitude faster than the state-of-the-art approaches. Moreover, the relatively good scaling of the time to search with respect to problem size, uh, they indicate that the FPGA implementation would be faster than other recently proposed Ising machines, such as the Hopfield neural network implemented on memristors, that is very fast for small problem sizes, in blue here, but whose scaling is not good, and the same thing for the restricted Boltzmann machine implemented on FPGA proposed by some group in Berkeley recently, again, which is very fast for small problem sizes but whose scaling is bad so that it is worse than the proposed approach, so that we can expect that for problem sizes larger than 1000 spins, the proposed approach would be the faster one. Let me jump to this other slide, and another confirmation that the scheme scales well is that we can find the maximum cut values of benchmark sets, the G-set, better cut values than have been previously found by any other algorithms, so they are the best known cut values to the best of our knowledge.
And, um or so, which is shown in this paper table here, in particular the instances, uh, 14 and 15 of this G-set, we can find better cut values than previously known, and we can find these cut values 100 times faster than the state-of-the-art algorithm and CP to do this which is a very common Kasich. Note that getting these good results on the G-set, they do not require, ah, particularly hard tuning of the parameters. So the tuning issuing here is very simple. It just depends on the degree of connectivity within each graph. And so these good results on the G-set indicate that the proposed approach would be good not only at solving SK problems in this problems, but all the types of graph Ising problems or max-cut problems in communities. So given that the performance of the design depends on the height of this adder tree, we can try to maximize the height of this adder tree on a large FPGA and carefully routing the components within the FPGA, and we can draw some projections of what type of performance we can achieve in the near future based on the, uh, implementation that we are currently working on. So here you see the projection for the time to solution way, then next property for solving these SK problems with respect to the problem size. And here, compared to different with such publicizing machines, particularly the Digital Annealer of Fujitsu is shown in the green here, the green line without that's, and, uh, and we show two different, uh, hypotheses for these projections: either that the time to solution scales as exponential of N or that the time to solution scales as exponential of square root of N.
So it seems, according to the data, that the time to solution scales more as an exponential of square root of N, also we can be sure on this, and this projection shows that we probably can solve SK problems of size 2000 spins, uh, to find the real ground state of this problem with 99 success probability in about 10 seconds, which is much faster than all the other proposed approaches. So what are the future plans for this coherent Ising machine simulator? So the first thing is that we would like to make this simulation closer to the real, uh, DOPO optical system, in particular for a first step to get closer to the system of a measurement-feedback CIM. And to do this, what is, uh, simulable on the FPGA is this quantum, uh, quantum Gaussian model that is described in this paper and proposed by people in the NTT group. And so the idea of this model is that instead of having the very simple ODEs I have shown previously, it includes paired ODEs that take into account not only the mean of the awesome leverage of the, uh, in-phase component, but also their variance, so that we can take into account more quantum effects of the DOPO, such as the squeezing. And then we plan to make the simulator open access for the members to run their instances on the system. There will be a first version in September that will be just based on the simple command line access for the simulator and in which will have just a classical approximation of the system. We don't know Sturm, binary weights and museum in term, but then will propose a second version that would extend the current Ising machine to a rack of FPGAs, in which we will add the more refined models, truncated Wigner and the quantum Gaussian model I just talked about, and the support of real-valued weights for the Ising problems and support the Zeeman term.
So we will announce later when this is available and and far right is working >> hard comes from University of Notre Dame, in the physics department, and I'd like to thank the organizers for their kind invitation to participate in this very interesting and promising workshop. Also like to say that I look forward to collaborations with the PHI Lab and Yoshi and collaborators on the topics of this world. So today I'll briefly talk about our attempt to understand the fundamental limits of analog continuous-time computing, at least from the point of view of Boolean satisfiability problem solving using ordinary differential equations. But I think the issues that we raise, um, during this occasion actually apply to other approaches, analog approaches as well, and to other problems as well. I think everyone here knows what Boolean satisfiability problems are. Um, you have Boolean variables, you have M clauses, each a disjunction of k literals; a literal is a variable or its, uh, negation. And the goal is to find an assignment to the variables such that all the clauses are true. This is a decision type problem from the NP class, which means you can check in polynomial time for satisfiability of any assignment. And 3-SAT is NP-complete, with k 3 or larger, which means an efficient 3-SAT solver, uh, implies an efficient solver for all the problems in the NP class, because all the problems in the NP class can be reduced in polynomial time to 3-SAT. As a matter of fact, you can reduce the NP-complete problems into each other. You can go from 3-SAT to set packing or to maximum independent set, which is a set packing in graph theoretic notions or terms, to the Ising graphs problem, decision version. This is useful when you're comparing different approaches, working on different kinds of problems. When not all the clauses can be satisfied, you're looking at the optimization version of SAT, uh, called MAX-SAT.
And the goal here is to find an assignment that satisfies the maximum number of clauses. And this is from the NP-hard class. In terms of applications, if we had an efficient SAT solver or NP-complete problem solver, it would literally positively influence thousands of problems and applications in industry and science. I'm not going to read this, but this, of course, gives a strong motivation to work on this kind of problems. Now our approach to SAT solving involves embedding the problem in a continuous space, and we use ODEs to do that. So instead of working with zeros and ones, we work with minus ones and plus ones, and we allow the corresponding variables to change continuously between the two bounds. We formulate the problem with the help of a clause matrix. If a clause, uh, does not contain a variable or its negation, the corresponding matrix element is zero. If it contains the variable in positive form, it's one; if it contains the variable in negated form, it's negative one. And then we use this to formulate these products called clause violation functions, one for every clause, uh, which vary continuously between zero and one. And they're zero if and only if the clause itself is true. Uh, then, in order to define a dynamics, a search dynamics, in this N-dimensional hypercube where the search happens, and if they exist, solutions, they're sitting in some of the corners of this hypercube. So we define this, uh, energy potential or landscape function shown here in a way that this is zero if and only if all the K_m's are zero, all the clauses are satisfied, keeping these auxiliary variables a_m's always positive. And therefore, what you do here is a dynamics that is essentially a gradient descent on this potential energy landscape. If you were to keep all the a_m's constant, then it would get stuck in some local minimum.
However, what we do here is we couple it with a dynamics, we couple it to the clause violation functions as shown here. And if you didn't have this a_m here, just the K_m's, for example, you have essentially what case you have positive feedback. You have an increasing variable. Uh, but in that case, you still get stuck, would still find solutions better than the constant version but still would get stuck. Only when you put here this a_m, which makes the dynamics in this variable exponential-like, uh, only then it keeps searching until it finds a solution, and there is a reason for that that I'm not going to talk about here, but it essentially boils down to performing a gradient descent on a globally time-varying landscape. And this is what works. Now I'm gonna talk about the good or bad and maybe the ugly. Uh, what's good is that it's a hyperbolic dynamical system, which means that if you take any domain in the search space that doesn't have a solution in it, or any solution, then the number of trajectories in it decays exponentially quickly. And the decay rate is a characteristic, invariant characteristic of the dynamics itself. In dynamical systems it is called the escape rate. The inverse of that is the time scale in which you find solutions by this dynamical system, and you can see here some trajectories that are chaotic, because it's nonlinear, but it's transient chaotic, if there are solutions, of course, because eventually it converges to the solution. Now, in terms of performance, here what you show for a bunch of, um, constraint densities, defined by M over N, the ratio between clauses to variables, for random SAT problems, random k-SAT problems, as a function of N. And we look at, monitor the wall clock time, and it behaves quite well, behaves polynomially until you actually reach the SAT/UNSAT transition where the hardest problems are found.
But what's more interesting is if you monitor the continuous time t, the performance in terms of the analog continuous time t, because that seems to be a polynomial. And the way we show that is, we consider, uh, random k-SAT, random 3-SAT, for a fixed constraint density, and here what we show is right at the threshold where it's really hard, and, uh, we monitor the fraction of problems that we have not been able to solve. We select thousands of problems at that constraint ratio and solve them with our algorithm, and we monitor the fraction of problems that have not yet been solved by continuous time t. And this, as you see, decays exponentially, with different decay rates for different system sizes, and this plot shows that this decay rate behaves polynomially, or actually as a power law. So if you combine these two, you find that the time needed to solve all problems, except maybe appear traction of them, scales polynomially with the problem size. So you have polynomial continuous-time complexity. And this is also true for other types of very hard constraint satisfaction problems such as exact cover, because you can always transform them into 3-SAT as we discussed before, Ramsey coloring, and on these problems, even algorithms like survey propagation will fail. But this doesn't mean that P equals NP, because what you have, first of all, if you were to implement these equations in a device whose behavior is described by these, uh, ODEs, then, of course, t, the continuous-time variable, becomes a physical wall-clock time, and that will be polynomially scaling, but you have other variables, auxiliary variables, which fluctuate in an exponential manner. So if they represent currents or voltages in your realization, it would be an exponential cost Al Qaeda. But this is some kind of trade between time and energy, while I know how to generate energy or I don't know how to generate time.
But I know how to generate energy, so it could use for it. But there's other issues as well, especially if you're trying to do this on a digital machine, but other problems appear in physical devices as well, as we discuss later. So if you implement this in GPU, then you can get in order of two magnitude speed-up. And you can also modify this to solve MAX-SAT problems, uh, quite efficiently. You are competitive with the best heuristic solvers. This is a weather problems in the 2016 MAX-SAT competition. So this definitely seems like a good approach, but there's of course interesting limitations, I would say interesting, because it kind of makes you think about what it means and how you can exploit these observations in understanding better analog continuous-time complexity. If you monitor the discrete number, the number of discrete steps done by the Runge-Kutta integrator, when you solve this on a digital machine, you're using some kind of integrator. Um, and you're using the same approach, but now you measure the number of problems you haven't solved by a given number of discrete, uh, steps taken by the integrator. You find out you have exponential discrete-time complexity, and, of course, this is a problem. And if you look closely, what happens, even though the analog mathematical trajectory, that's the record here, if you monitor what happens in discrete time, uh, the integrator frustrates very little. So this is like, you know, third or fourth digit precision, but fluctuates like crazy. So it really is like the integration freezes out. And this is because of the phenomenon of stiffness that I'll talk a little bit more about a little bit later. So >> You know, it might look >> like an integration issue on digital machines that you could improve, and could definitely improve. But actually the issue is bigger than that.
It's deeper than that, because on a digital machine there is no time-energy conversion. So the auxiliary variables are efficiently represented in a digital machine. So there's no exponential fluctuating current or voltage in your computer when you do this. So if P is not equal to NP, then the exponential time complexity or exponential cost complexity has to hit you somewhere. And this is how. Um, but, you know, one would be tempted to think maybe this wouldn't be an issue in an analog device, and to some extent it is true: analog devices can be orders of magnitude faster, but they also suffer from their own problems, because P not equal NP affects that class of solvers as well. So, indeed, if you look at other systems like the coherent Ising machine with measurement feedback, probably talk on the grass or selected networks, they all hinge on some kind of our ability to control your variables in arbitrarily high precision, and a certain networks you want to read out across frequencies. In the case of CIMs, you required identical and program because which is hard to keep, and they kind of fluctuate away from one another, shift away from one another. And if you control that, of course, then you can control the performance. So actually one can ask whether or not this is a universal bottleneck, and it seems so, as I will argue next. Um, we can recall a fundamental result by showing harder in reaction Target from 1978, who says that, it's a purely computer science proof, that if you are able to compute the addition, multiplication, division of real variables with infinite precision, then you could solve NP-complete problems in polynomial time. It doesn't actually propose a solver, he just shows mathematically that this would be the case. Now, of course, in the real world, you have loss of precision. So the next question is, how does that affect the computation of our problems? This is what you're after. Loss of precision means information loss, or entropy production.
So what you're really looking at is the relationship between hardness and cost of computing of a problem. Uh, and according to Schönhage, there's this left branch which in principle could be polynomial time. But the question is whether or not this is achievable. That is not achievable, but something more achievable, that's on the right-hand side. There's always going to be some information loss, some entropy generation that could keep you away, possibly, from polynomial time. So this is what we like to understand, and this information loss, the source of this is not just noise, as I will argue, uh, in any physical system, but it's also of algorithmic nature, so that is a questionable area or approach. But Schönhage's result is purely theoretical; no actual solver is proposed. So we can ask, you know, just theoretically, out of curiosity, would in principle there be such solvers, because he is not proposing a solver with such properties. In principle, if you want to look mathematically precisely at what the solver does, would it have the right properties? And I argue yes. I don't have a mathematical proof, but I have some arguments that that would be the case. And this is the case for actually our city there solver, that if you could calculate its trajectory in a lossless way, then it would, uh, solve NP-complete problems in polynomial continuous time. Now, as a matter of fact, this is a bit more difficult question, because time in ODEs can be rescaled however you want. So what Bournez says is that you actually have to measure the length of the trajectory, which is an invariant of the dynamical system, or a property of the dynamical system, not of its parameterization. And we did that. So Suba Corral, my student, did that first, improving on the stiffness of the problem of the integrations, using implicit solvers and some smart tricks such that you actually are closer to the actual trajectory, and using the same approach. You look at what fraction of problems you can solve.
We did not give the length of the trajectory. You find that it is polynomially scaling the problem size we have polynomial scaling complexity. That means that our solver is both poly-length and, as it is defined, it's also a poly-time analog solver. But if you look at it as a discrete algorithm, if you measure the discrete steps on a digital machine, it is an exponential solver. And the reason is because of all this stiffness, every integrator has to truncate, digitizing, truncate the equations, and what it has to do is to keep the integration between the so called stability region for that scheme, and you have to keep this product of the eigenvalues of the Jacobian and the step size within this region. If you use explicit methods, you want to stay within this region. Uh, but what happens is that some of the eigenvalues grow fast for stiff problems, and then you're forced to reduce delta t so the product stays in this bounded domain, which means that now you're forced to take smaller and smaller times. So you're freezing out the integration and what I will show you. That's the case. Now you can move to implicit solvers, which is which is a tree. In this case, you have to make domain is actually on the outside. But what happens in this case is some of the eigenvalues of the Jacobian, also, for stiff systems, start to move to zero. As they're moving to zero, they're going to enter this instability region, so your solver is going to try to keep it out, so it's going to increase the delta t. But if you increase that, you increase the truncation errors, so you get randomized, uh, in the large search space, so it's really not, uh, not going to work out. Now, one can sort of introduce a theory or language to discuss computational and are computational complexity, using the language from dynamical systems theory. But basically I don't have time to go into this, but you have for hard problems. Security object the chaotic satellite Ouch!
In the middle of the search space somewhere, and that dictates how the dynamics happens and invariant properties of the dynamics, of course, of that saddle is what the targets performance and many things, so a new, important measure that we find that it's also helpful in describing thesis. Another complexity is the so-called Kolmogorov, or metric, entropy and basically what this does in an intuitive A eyes, uh, to describe the rate at which the uncertainty containing the insignificant digits of a trajectory in the back, the flow towards the significant ones as you lose information because of errors being, uh, grown or developed into larger errors at an exponential rate because you have positive Lyapunov exponents. But this is an invariant property. It's the property of the set of all. This is not how you compute them, and it's really the interesting create of accuracy philosopher dynamical system. As I said, you have in such a high dimensional dynamical system positive and negative Lyapunov exponents. Aziz Many The total is the dimension of space and user dimension, the number of unstable manifold dimensions and as Saddam was stable, manifold direction. And there's an interesting and, I think, important equality, called the Pesin equality, that connects the information theoretic aspect, the rate of information loss, with the geometric rate at which trajectories separate minus kappa, which is the escape rate that I already talked about. Now one can actually prove simple theorems, like back of the envelope calculation. The idea here is that you know the largest rate at which closely started trajectories separate from one another. So now you can say that, uh, that is fine, as long as my trajectory finds the solution before the trajectories separate too quickly.
In that case, I can have the hope that if I start from some region of the phase space, several closely started trajectories, they kind of go into the same solution orphaned and that's this upper bound of this limit, and it is really showing that it has to be. It's an exponentially small number. What? It depends on the N dependence of the exponents right here, which combines information loss rate and the social time performance. So these, if this exponents here or that has a large N dependence or even linear N dependence, then you really have to start, uh, trajectories exponentially closer to one another in order to end up in the same order. So this is sort of like the direction that you're going into, and this formulation is applicable to all dynamical systems, uh, deterministic dynamical systems. And I think we can expand this further because, uh, there is a way of getting the expression for the escape rate in terms of N, the number of variables, from cycle expansions that I don't have time to talk about. What? It's kind of like a program that you can try to pursue, and this is it. So the conclusions I think are self explanatory. I think there is a lot of future in, uh, in analog continuous-time computing. Um, they can be efficient by orders of magnitude than digital ones in solving NP-hard problems because, first of all, many of the systems lack the von Neumann bottleneck. There's parallelism involved, and you can also have a larger spectrum of continuous time dynamical algorithms than discrete ones. And you know. But we also have to be mindful of what are the possibility of what are the limits? And one open question, a very important open question is, you know, what are these limits? Is there some kind of no go theory? And that tells you that you can never perform better than this limit or that limit? And I think that's the exciting part, to derive these this levian 10.
VMware Security Insights - TEST
so welcome to cyber security insights we're excited to talk to you today about some of the key developments in the cyber security area let me start off by saying you know security's always been a board room topic boards care about it but right now it's actually getting even more important given what's happening COVID-19 given the risk the world faces the fact that 70 percent of the workforce is now really working from home at VMware we have all of our employees working for we made that a mandate not just required but we're taking a cautious approach as to how they come back that's the reality of many of our customers but the bad guys are not staying still 148 increase in ransomware during this time they're just looking for every way to take advantage of innocent people working at home and then we've seen 52 percent increase of all attacks in the March time frame targeting the financial sector so it's very important that you we have a different approach to security because our belief is the security industry has been broken uh you'll see on this chart 5000 odd vendors 15 or 20 different categories and it's often i described like going to a doctor to stay healthy and she tells you you've got to take 5000 tablets and you fall off your chest and that's just not possible you know so how do you prevent staying having 5000 tablets taking 5000 tablets to stay healthy you eat your vegetables your fruit your proteins drink your water you make it part of your hygiene and that's what needs to happen in security we've got to move away from
this bolted on approach siloed approach where you've got you know various differences feels like even 5000 tablets 5000 security tools are all kind of like healthcare deem themselves very important and also from security that's just focused on threats and the new approach needs to be one that's more built-in intrinsically part of the platform like making a part of your diet more unified as opposed to just siloed across all of the key pillars of security and a lot more context-centric rather than just threat centric to do this we've been looking at kind of the value proposition of VMware we're you know about a 10.8 billion dollar company and have played across these three or four layers of being a digital foundation for the world any cloud any app any device with intrinsic security you've seen this from us several uh over the last several years what we've sought to do is layer into that diagram five or six important control points in security that we think are going to be super important to make security intrinsic let's start off on the bottom right corner of this with network security we think a new approach for network security means that if you look at data center networking or firewalls or load balancing or SD-WAN what is a 30 billion dollar opportunity a new approach you know could be one way you could have in one platform all of those capabilities in something that's more software-defined that's what we've been doing uh in with NSX a platform some customers call us sort of the Tesla of networking because we're taking a somewhat you know traditional hardware-defined approach to networking and building a more software-defined networking stack for security much the same way a Tesla is building a software-defined car if you go to the left-hand side you see kind of the endpoints but it's two different forms of endpoint an endpoint that's on the client side near the device a laptop tablet a phone or a endpoint that's closer to the server a workload or a container
and in both areas we believe we have an opposition proposition to really be the best uh security solution for endpoint and workload security identity we think there's a tremendous opportunity to be the best solution that not just some ourselves but also partners with the best of breed players for example um Okta or Azure Active Directory in cloud security we're going to do a lot ourselves for example cloud security posture management but we're also going to partner with the likes of well web gateways and and proxies like Zscaler or Netskope and then analytics is the big kahuna because the more data that you have the more equipped you are to prevent breaches and what we believe here is this notion of what the analysts are now calling XDR collecting telemetry from all of these control points which we have exposure to network endpoint workload identity cloud and having one big data lake where you reason over this with a variety of behavioral and AI algorithms and then provide the best way by which you can protect customers from possible future security events this is something we well best because we actually collecting the most telemetry of anybody from disparate different sources and you're gonna only see this increase so VMware's proposition uh as you look at this we today have a billion dollar security business i know you're gonna listen to that and say wow where did that come from some customers call us one of the best kept uh security secrets in the industry uh a significant about that comes from network security a growing part of it now comes from endpoint security we think the opportunity is to take that billion dollar business it's about 20 000 odd customers and double or triple that by really focusing in these five or six control points you're going to see us build the best products in each of these categories but one that's intrinsic and also works between them in ways that are incredible let me give you a couple examples with Carbon Black we're going to
make it agentless on the server side with vSphere nobody else can do that we're going to do that and you're going to see that very soon with Carbon Black we're going to make it unified with Workspace ONE on the console so you have a unified approach there on both the console and the agent something that you also start seeing from us very soon these are things that nobody else in users can do network security you're going to see from one platform data center networking load balancing firewalls and SD-WAN beautiful security-centric networking story so this is the approach for folks and now i think as we listen to several of the thought leaders and analysts you're going to hear them get into this story in more detail thank you very much let's continue in this show cyber security insights and now we'd like to explore the unified approach of security and IT how do you unify them as a foundation for success our special guest today is Chris Sherman who's senior analyst at Forrester and a pretty renowned security uh researcher and thought leader himself Chris welcome to the show great to be here with you Sanjay you know i'm sitting here in my living room in Cleveland Ohio as we uh ride down the curve right fighting off a cabin fever and staying healthy hope you're doing the same Chris i'm doing well but listen i look at your beautiful looking um you know i can't confess that my background is my natural i've got a virtual background is that actually your living room or is that a virtual background it is this is my living room we built the house last year and it's also my little private IoT lab because you know i'm a huge nerd and i love my devices we've been you know kind of a big fan of a lot of the Forrester research zero trust security you mentioned your research and IoT uh IT security and i'd like to explore this a little further with you Chris i'm a big fan of your research read a lot of your stuff uh but let's kind of focus in you know clearly in this time having
security strategy and IT strategy be together in this current climate many organizations have had to pivot uh due to COVID-19. you know one example is employees having to work at home which raises a whole host of cyber security issues and you know having reviewed the research results it makes them i think even more relevant the need for security and IT to join forces i believe right now to defeating the cyber criminals during the pandemic um so that we don't have this risk and quite frankly you know we've been finding the risk is even higher because the bad guys aren't sleeping uh even if there's a crisis going on so maybe you can tell us a little bit more about this research and your findings absolutely yeah so you know i think the genesis of this research really started with a conversation i had with some of your team members back in November uh we talked about you know the high level of friction between these two teams right between IT and security and frankly the lack of support that a lot of the existing tools in the market really have for you know integrating the two and when you look across the industry there really aren't a whole lot of resources for buyers or you know technology strategists that you know want to understand these dynamics and you know this is really what led to VMware commissioning Forrester to uh you know this past February to survey over 1400 security and IT ops decision makers across the globe we really wanted to probe those dynamics right you know what's holding companies back from eliminating this friction right this really was actually the largest sample size of any commissioned study that i've been a part of here at Forrester and it really led to some excellent results and and data as you know from the uh published research i'm looking forward to to reading them and knowing more about it and you know i think if you think about the research and uh you know there's a shift in security driving alignment and collaboration security and
it's you know kind of the top initiative we see in the next 12 months uh maybe even tell us about why the relationship between these security and IT teams um you know are important whys have been strained across both you know all three of people process and technology yeah i mean so IT and security really are two sides of the same coin right but unfortunately their teams have struggled to work well together for many years according to our survey data it's gotten to the point where 83 of both team staff report a negative relationship between the two it's very unfortunate but there are many reasons for this you know many reasons for this friction especially with the vp director and manager roles between the security and the IT teams you know at a high level most of this is driven by the fact that security and IT have differing priorities right our data backs us up you know you have IT on one side that's focused on technology efficiency and uptime and from our conversations with IT staff it's clear you know they view security as philosophically opposite you know to this right often as roadblocks to accomplishing their goals and then on the other side security's top priority is as you'd expect responding to security events and incidents and preventing compromises and this difference in priorities is the source of a lot of friction also both security and IT staff are really unhappy with the technology that the tools specifically that they're using or the security tools the CIOs and CSOs you know that we talked to all had the same complaint they have too many disjointed tools in fact the average across our study was 27 security products on average in each organization and even the most established security solutions like take firewalls for example you know it caused some serious angst right we found that only 52 percent of respondents felt that their firewalls were satisfactory in terms of the performance and the security uh efficacy i think you know listen a
couple of points i'll point out from what you talked about that resonate deeply with us one is when you talked about uh i don't know it was 25 or 27 odd tools i'd be surprised the number of CSOs i talked to who say it's in the dozens one i think i always sort of keep a record for the number of tools i've heard one tell me it was like 100 different security tools i asked you know him was there a hundred different consoles so it's just the number of tools and consoles uh the other one that you resonated with me was even in one of the more mature areas like firewalls you would have thought oh people are really happy there we find the same level of dissatisfaction with people saying listen traditional hardware-based approaches appliance-based approaches lots of policy way way too complicated um now let's talk a little bit about staffing i think it's it's you know listen at the end of the day security is a team sport it does depend on products and processes and technology but there's also people and you know we security teams are understaffed they're increasingly dealing with a complex portfolio of these non-integrated products how uh is this impacting teams and what can companies you do as you advise them to reduce complexity from the plethora of different products that are often point products today well you're right right finding and training the right IT and security staff is really critical to the success of the respective teams unfortunately this continues to be a major pain point right across the whole industry in fact 64 of the security teams that we surveyed and 53 of the IT teams reported they're understaffed but yeah i mean amid this global pandemic when most organizations are focused on surviving and you know maybe keeping the lights on or i guess in this case maybe the VPNs running right and getting by with limited resources and protecting an increasingly remote workforce it's much more difficult to collaborate and work together across teams but our
data showed that one of the major results of this you know the formation of communication silos you know teams aren't communicating enough right they're they're communicating within their or organization designed for their particular use case right with very little integration and collaboration across those silos and you know this is where tools could help right most of the time though they the tools actually just reflect or amplify those silos by reinforcing the division right between the two teams ultimately organizations may be looking for technologies that can support the needs of both it and security right this will help alleviate any tension that might arise over things like competition over limited resources right ideally once the teams come together and agree on goals as well as objectives and and measures of success for that matter right they can address their technology stack inherent complexity wisely said listen the security attacks are becoming more sophisticated uh organizations are considering now i think the approach as you've described is a unified strategy to address these critical issues uh can you tell us more about how you've seen these unified approaches to security strategy being effective well so i mean it seems like we've been talking about unifying the tools and strategies by you know i.t ops and security for years right but it's only been recently that we've seen the two sides really demonstrate any appetite to actually do so unfortunately most of the tools again right on the market are focused on one or the other and integrations are only starting to really accelerate to the point where our true unified vision is even possible this not only aligns teams under common goals right having a common tool set but it also aligns workflows between those two teams and helps foster collaboration uh listen uh you mentioned a couple of these these examples are really good for people to kind of grop you know in this have you uh outside of these exams 
or any other sort of tangible results uh that you think companies can expect uh as they bring together their security and IT strategies and make them more unified what are the results from your research you think customers can expect to gain yeah there are several other you know clear benefits right that we identified in this research right the benefits to unifying the tech stacks between IT ops and security our research showed that companies with a unified strategy reported fewer security incidents fewer data breaches which makes sense right given how critical endpoint configuration and overall IT hygiene is to the security posture of an organization also you know building security capabilities directly into the IT infrastructure helps to motivate non-security staff to take some ownership right over basic security fundamentals and this all helps speed right this this increases the speed to you know both detect new threats and uh respond once they're you know identified you know time to containment right this was also validated by our survey data a common strategy really can empower both to you know mitigate risk ensure continuous compliance and improve you know their threat response uh workflows you know between the two teams really companies need to find tools that meet the needs of both teams and at the end of the day as you pointed out security is a team sport right we all benefit from working together to protect the business and its employees right from malicious actors especially in these difficult times that's great Chris thank you for uh your research um um so i just encourage all of you are listening um if you want to um you know get Chris's research um you know go to this url on the screen here and you'll be able to download it uh we're excited about it i mean listen you know personally when i watch IT teams and security teams sometimes sort of spar each other um you know i i i think that increasingly whether the security team reports under the CIO
sometimes that's the case sometimes security teams report into the chief legal officer or they report maybe into the CFO wherever reporting structures are only you have to build a team sport because there's aspect of this that's policy aspects of this that are technology there are aspects of this that are people uh thank you for this research Chris as always i'm a fan of uh the stuff as are all of we and what you're right so it's always good to be able to see more this is also much of the other extended uh Forrester work like zero trust that have become kind of the things that i've seen now becoming more pervasive in the industry so thank you all for listening to this uh and we hope we'll continue to serve you in the course of this program cyber security insights with more insights like this it's my pleasure right now to also continue this uh cyber security insights series now with a wonderful interview um with the head of security and infrastructure at Circle K Suzanne Hall um i've had a chance to briefly meet her prior to this and she's got an incredible vision of how infrastructure security comes together uh in the context of retail so i'm looking forward to the discussion Suzanne thank you for joining us today thanks Sanjay glad to be here great hey listen maybe i'll start with um you know Circle K some folks may know you in the locality in the areas where they shop or whatever have you but many folks around the country may not and we're assuming there'll be a very large audience watching this tell us a little bit about the company what you guys do uh what's your vision and how are you serving uh customers and consumers oh terrific oh well yeah so Circle K uh many people do not realize it's actually a Canadian-owned company we are a global uh convenience and fuel service organization uh with with offices all across North America uh large part of northern Europe um and with franchises in a large part of Asia as well we're the second largest convenience store
company in the world and the 11th largest retailer we yeah we acquired Circle K the brand um back in the early 2000's and uh our goals right now over the next five years are to try and double in size um which is a pretty aggressive goal goal considering uh our organization which really is taking a you know 60 billion dollar organization and trying to double that in the next five years so wish us luck let's focus now a little bit more on the infrastructure and security part of it um it's interesting that you own both as you think about those areas um you know how are they linked together and what have you been doing to tie uh infrastructure topics and security topics which are often you know you have a CISO and then a CTO owns infrastructure in your case you own both and i think it's a classic way in which you know we're trying to kind of get traditional IT teams the security work world to go you're living it then you're breathing and you're implementing your team uh how is it working out and how are you making it work yeah oh sorry it was actually a key part of me being attracted to the to this world i've been here about 18 months um i really feel for certain organizations culturally if you can make it work where security operations can function together um it really empowers your security team to move things quickly and it also gives me the opportunity to take ultimately super scarce resources from the security side and build uh more security acumen within my network teams and my hosting teams and my infra um so that i get actually really smart technologists that also get security collaborating with really great security folks that also get technology there's a lot of synergies that i that i get from that from combining these two organizations and where Circle K was before i got here you know we we um did need to rapidly mature a lot of our security program um because it had just um grown uh i think the organization grew beyond the competencies of the security
team before i got here and so by having both sides of that house i was really able to move things quickly um kind of i don't have to i don't have to uh negotiate between the network team and the hosting team the security team because they all report up to me and i get i get to pick who wins all the time so it works really well i'd love to talk to you but just cover it it's on on everybody's mind it's changed transformed how we all work you and i are doing this interview work from home uh if we were doing it in different concerts i have to come to you or come to us we have done this in the studio together or in an event um and certainly it's you know kind of changing the ways in which we work and family life and so on and so forth but how is it changing your business how is it changing your IT organization uh and how have you had to adapt to um you know this time that we're sheltering place work at home yeah well it's really it's changed everything for us as i'm sure for for most of your of your clients as well um you know obviously Circle K being convenience we are uh on the front lines we are open across the globe we may have some small stores that may get closed for periodic periods of time or maybe some shortened hours but we've got convenience workers and gas station workers working around the globe through COVID so we've had to change how the stores look and feel um we've had to rapidly deploy things like curbside delivery to really adjust to uh customers um wants and expectations and then we've had to take the entire back office and put people working at home which was not our culture um before this all happened and we had to do that almost like in watching a wave go across the globe as it started uh offices started closing in northern Europe first uh and then and then all the way through to Ireland and then and then obviously the east coast and Canada and all the way through to the west coast so um we actually had a very short period of time to create a
remote working uh operation um luckily enough um we had some really talented folks we put a couple different solutions in place and uh within two weeks or so we were able to get everybody working remotely that could work remotely and then that really empowered us to support all those operations folks that needed to get things like plexiglass into the stores hand sanitizers into the stores masks uh um into the stores uh to serve our customers and to serve our staff i'd like to move on um then to the um the kind of the context of this infrastructure and i.t workers and security work i.t teams and security teams working better together one of the things we find often and we did some research with forester that where companies performed well and had great you know security prevention practices breaches places where i t and security work well together and traditionally often csos uh may be separate from the infrastructure team sometimes csos don't even report into ci support elsewhere and that can be uh not intensely so sometimes intentionally but often just a silo or a warring mentality you're good evidence now where you're bringing these together let's talk a little away from technology for a second and the people process collaboration how have you been able to bring these cultures together so that they work together for the common good of either cost saving protection whatever have you yeah you know um and so i've had the benefit of being a cso and a cio and a couple different organizations and also i was in i was in consulting for many years i worked for a big four uh from a letter of cyber practice with one of the big four firms and i'll tell you cyber programs uh move fast forward best when there's a couple of key elements in place and the first one is you have to have shared goals anytime that the cyber team is trying to implement something um in that the network team isn't on board with or the network team picked a tool they don't want to implement the tool that 
the cyber team is as um and has selected i mean that's that's always a recipe for failure so somehow you have to really work on aligned goals and i do that even though i own the infrastructure teams and the security teams um nobody's successful if we're not all successful together and really focusing on what does success look like for for each one of the each one of our areas and look sometimes you know we do have to take some uh educated risks in the environment you know for responding to things quickly but we also don't take we don't um let those risks sort of linger and and never get remediated right so we really work together to make sure that any new risks that we're taking on we have a focus on how we're going to mitigate that and we hold ourselves accountable and um and the network team is equally accountable for responding to security events as a security team is the key element i also say to my security teams is when you're working with production operations teams and and folks you've got to have skin in the game you've got to recognize that they're trying to keep systems up and running 24 7 you know for the operations of the organization right so we can take credit cards and cash in the stores and make the sales and deliver the goods and services when we need to if the security team isn't seen as fully on board with that mission and that um that responsibility then there's there's a non-equity sort of relationship going on between the two different teams so you really need to bring them all together and make sure that everybody um understands supports each other's wins and goals it's awesome that you've been a cio and a ciso and you've seen all of these in various different companies i'm sure maybe in smaller bigger wherever have you so you're able to really relate to that uh i find the csos i talk to uh most of my relationships in the years past have been with cfos and cios uh i set myself a personal goal this year as we started getting more into 
security as i've been shaping that strategy of the company to meet a thousand cesars i was 15 years ago at symantec and most of the csos i know are retired and moved on so uh it's a good new way of my understanding and i find as i talk to them so refreshing the ones who are strategic like yourself uh have had tremendous experience in id or are also owned them and are able to paint a vision that's very collaborative as to as opposed to ones who don't then are also able to strategically bring teams together so it's really good to to see that i'd like to kind of just work a little bit more into security because i mean your strategy plays into the reason we're quite carbon black um and you i have some obviously you know knowledge and investment vmware but i'm listening as i was listening to prior to getting on to this you know program together you're probably doing more with carbon black which is awesome i mean it'll probably strengthen our relationship with vmware too and of course but we can talk a little bit about that what's been your history carbon black why you picked them and where do you see that going on the endpoint security um and then i'll talk a little bit about how we're trying to try that into infrastructure too yeah so um so my relationship with carbon black goes back to uh almost right after i first arrived at circle k um obviously i know uh from having come from consulting a number of different uh tools and products out there um although carbon black always had a really good reputation and strength and um i went to carbon black pretty early on and said you know here's my here's my situation i've got a little bit of carbon black and a little bit of other things in different places i really want to standardize on a single tool i really want to get to a better visibility of my overall network and of my of my risks and ultimately i want to have a single pane of glass but um that you know i've got folks working from an eyes on 24 7. 
um you know carbon black hands a table really quickly and had a great vision uh for how they could get us uh standardized across some different versions that we had um and when i said okay i want to do this in six weeks or fewer um they didn't say we can't make that happen um i think a lot of people on my team wish that they'd said that we can't make that happen but um but now we were able to really rather quickly um deploy and and get up to speed across all of our stores across all of our networks all of our you know we're a very distributed organization i've got offices all across north america and europe um and uh and we were able to in six weeks get get standardized and get things up and running and i had gained great visibility uh in that and i'm a big believer when looking at all sorts of tools whether they're input tools or security tools that you know you can tell whether or not you've picked the right solution if it's fit for purpose relatively quickly if it feels like it's too hard to implement if it just feels like it's you're not getting the value out of out of something in a relatively quick period of time you really do need to look at whether or not the tool you're looking at is fit for purpose in your environment and i would say the carbon black team and the carbon black tool that made it really easy for us and um you know it's giving us great visibility we have been able to uh detect and respond to a number of different instances you know retail is a very uh high threat high target industry these days um so it's been it's been super helpful in us defending um circle k in our environment and with 130 000 employees i suspect your number of endpoints are in the tens of thousands on the client side and probably just as many in terms of server-side endpoints right so your your kind of surface area of potential endpoints is pretty large oh indeed and you know but you know you have over 15 000 stores every store has multiple point of sale systems and at 
multiple uh computers laptops tablets devices um and that's and that's even before i go out into the uh what we call the forecourt which is where the gas dispensers and pumps are so yeah it's very complex well listen we look forward to that journey together part of what she has talked about here is a key part to our vision uh folks listening to this is to basically bring together security to make it key parts of the infrastructure both in the endpoint the network and the cloud thank you for your partnership i look forward to getting to know you and your team better um thank you also for all you're doing to serve the community during these tough times especially those workers at circle key that are the front line in the stores we appreciate you tremendously and we look forward to continuing this dialogue thank you very much thank you thank you everybody for watching this cyber security insight segments titled security as a team sport we talked about the shift in security and how security is moving to a shared responsibility model in this team sport in this segment we also discussed the benefits of a consolidated security and an i.t strategy that allows for fewer breaches and a faster response to security incidents as key benefits that have implemented a common strategy for those who have done this i encourage all of you to watch this part two of cyber security insights the securities of dual mission and we will have two security leaders discussing how security helps not only protect but help drives the business forward thank you all for watching this segment [Music] you
ENTITIES
Entity | Category | Confidence |
---|---|---|
53 | QUANTITY | 0.99+ |
5000 tablets | QUANTITY | 0.99+ |
5 000 tablets | QUANTITY | 0.99+ |
83 | QUANTITY | 0.99+ |
70 percent | QUANTITY | 0.99+ |
chris sherman | PERSON | 0.99+ |
five | QUANTITY | 0.99+ |
52 percent | QUANTITY | 0.99+ |
two | QUANTITY | 0.99+ |
sanjay | PERSON | 0.99+ |
30 billion dollar | QUANTITY | 0.99+ |
last year | DATE | 0.99+ |
two sides | QUANTITY | 0.99+ |
15 | QUANTITY | 0.99+ |
chris | PERSON | 0.99+ |
27 | QUANTITY | 0.99+ |
two teams | QUANTITY | 0.99+ |
both sides | QUANTITY | 0.99+ |
130 000 employees | QUANTITY | 0.99+ |
ireland | LOCATION | 0.99+ |
60 billion dollar | QUANTITY | 0.99+ |
symantec | ORGANIZATION | 0.99+ |
north america | LOCATION | 0.99+ |
today | DATE | 0.99+ |
pandemic | EVENT | 0.99+ |
billion dollar | QUANTITY | 0.99+ |
over 15 000 stores | QUANTITY | 0.99+ |
two teams | QUANTITY | 0.99+ |
tens of thousands | QUANTITY | 0.99+ |
first one | QUANTITY | 0.99+ |
november | DATE | 0.99+ |
canada | LOCATION | 0.98+ |
asia | LOCATION | 0.98+ |
one side | QUANTITY | 0.98+ |
both teams | QUANTITY | 0.98+ |
forester | ORGANIZATION | 0.98+ |
both | QUANTITY | 0.98+ |
148 | QUANTITY | 0.98+ |
two weeks | QUANTITY | 0.98+ |
two different teams | QUANTITY | 0.98+ |
100 different security tools | QUANTITY | 0.98+ |
europe | LOCATION | 0.98+ |
three | QUANTITY | 0.98+ |
suzanne | PERSON | 0.98+ |
20 different categories | QUANTITY | 0.98+ |
northern europe | LOCATION | 0.98+ |
11th largest retailer | QUANTITY | 0.98+ |
25 | QUANTITY | 0.97+ |
triple | QUANTITY | 0.97+ |
both areas | QUANTITY | 0.97+ |
about 20 000 odd customers | QUANTITY | 0.97+ |
one platform | QUANTITY | 0.97+ |
each | QUANTITY | 0.97+ |
circle k | ORGANIZATION | 0.97+ |
two organizations | QUANTITY | 0.96+ |
six weeks | QUANTITY | 0.96+ |
each organization | QUANTITY | 0.96+ |
one | QUANTITY | 0.96+ |
past february | DATE | 0.96+ |
15 years ago | DATE | 0.95+ |
early 2000's | DATE | 0.95+ |
one example | QUANTITY | 0.94+ |
19 | QUANTITY | 0.94+ |
six important control points | QUANTITY | 0.93+ |
about 18 months | QUANTITY | 0.93+ |
this year | DATE | 0.93+ |
single tool | QUANTITY | 0.93+ |
forrester | ORGANIZATION | 0.93+ |
double | QUANTITY | 0.93+ |
six weeks | QUANTITY | 0.93+ |
test 4/17/2020
I'm going alive I'm live right now let's send you this link and see if you can get on here so this is private see if I can break this out this is [Music] [Music] [Music] [Music] hello they're coming you live from Chuck alley studio here in Mountain View California and I'm on YouTube live I hope I'm not securing anything outta been out there for two minutes now let's be able to do a live private stream and be able to have that account that link to people - yeah okay yes you see me voice what's up what's up what's up so this is a private link I don't know if you can hear me that's a private link and if you give the link to whoever you want to see it oh you can't hear me hmm one two one two one two three four stop that
ENTITIES
Entity | Category | Confidence |
---|---|---|
two minutes | QUANTITY | 0.99+ |
4/17/2020 | DATE | 0.96+ |
Mountain View California | LOCATION | 0.96+ |
YouTube | ORGANIZATION | 0.85+ |
Chuck alley | ORGANIZATION | 0.74+ |
DONOTPUBLISH LTA test with Justin Warren
[Music]
>> Hi and welcome to this CUBE Conversation in theCUBE studios in Palo Alto, California. I'm your host Sonia Tagare, and today we're joined by Justin Warren, the chief analyst and managing director for PivotNine. Justin, welcome to theCUBE.
>> Thanks for having me.
>> Absolutely. So tell us more about PivotNine and more about your role.
>> Yes, so I founded PivotNine back in 2011, and we help customers with their positioning in marketing and their messaging. That's most of what we do these days. We have a background in infrastructure, enterprise consulting, so we, most of our clients tend to be focused on the enterprise, and we also perform a bunch of analyst services, basic research and understanding what the market is doing, which helps us to, to advise our clients on what makes a good position and message to take into the market.
>> That's great. And you also founded this company, so tell us about how you started this company and how you navigated funding.
>> Well, we're entirely self-funded and have been profitable for, for a while now. It was kind of an accident in, in the early days. My background was in all traditional kind of consulting, working with his clients on actually building infrastructure, so I've done time in the trenches in, in most of the different fields. So I was once a DBA, rapidly de-skilling, and I got bored and decided that founding a company seemed like a good idea, which was of course insane, as anyone who has founded the company will gladly tell you, but it has worked out okay for me in the end.
>> That's great. And you're also, you also do a couple other things. You're a co-host on theCUBE, or you're a host on theCUBE, and you're also contributor of Forbes. So tell us about how you got into hosting theCUBE and how that experience has been like for you.
>> Host, oh, you can, it was, was kind of a happy accident. I had known Stu for many years, and an opportunity came up which I happened to be at a conference that he was, he was at, and said, hey, would you like to come on theCUBE and do a little bit of hosting, and I will, we said yes, and have been doing a bit of it ever since, every, every now and again. So yeah, well, it's when I happened to be at the same place, and I do go to most of the major tech conferences. It's, it's always a pleasure to come on and guest host theCUBE but a little bit.
>> That's awesome, and we love having you on theCUBE. And you're also contributor on Forbes, so tell us more about what articles you write, what, what topics in fields you mostly focus on.
>> Yes, oh, mostly there I focus on enterprise and, and cloud, a little bit of networking and information security. Those are my interests and, and it's my background, so I know the enterprise technology field pretty well. And now it's just interesting, it gives me an opportunity to talk to a lot of different customers and find out, or both customers and vendors, and find out how they think about the market, what, what are they trying to build, why are they trying to do that. And whenever I'm talking to them I'm always trying to find a way that I can educate the audience about what, what this means for them. So it does dovetail nicely with the work we do through PivotNine, but I just found it personally interesting and quite useful to be able to communicate what people are really doing and why it's, why it's a good idea. I think a lot of my readers value that, that honesty and the insight that they get from that writing. I, certainly that's what they've told me. So I like listening to customer feedback, so if they tell me that I start to suck then I'll have to change what I do it, but until when I'll keep doing it the way up and doing it.
>> That's awesome. Justin, thank you so much for being on theCUBE and we really appreciate you have, having you here.
>> No problem, thank you so much.
>> Absolutely. Thank you so much for watching theCUBE. This has been a CUBE Conversation at theCUBE studios in Palo Alto. [Music]
ENTITIES
Entity | Category | Confidence |
---|---|---|
Justin Warren | PERSON | 0.99+ |
2011 | DATE | 0.99+ |
Sonia - Gauri | PERSON | 0.99+ |
Justin | PERSON | 0.99+ |
both | QUANTITY | 0.97+ |
today | DATE | 0.93+ |
Palo Alto California | LOCATION | 0.89+ |
9 | OTHER | 0.87+ |
pivot 9 | OTHER | 0.87+ |
pivot 9 | OTHER | 0.83+ |
Forbes | TITLE | 0.8+ |
Stu | PERSON | 0.78+ |
many years | QUANTITY | 0.68+ |
nine | QUANTITY | 0.66+ |
Studios | ORGANIZATION | 0.53+ |
couple | QUANTITY | 0.43+ |
Kuban | ORGANIZATION | 0.35+ |
DO NOT PUBLISH LTA test with Sonia Tagare, John Troyer and Justin Warren | March 2020
[Music]
>> Hi and welcome to this CUBE Conversation in theCUBE studios in Palo Alto, California. I'm your host Sonia Tagare, and today we're joined by two guests: Justin Warren, who is the chief analyst and managing director of PivotNine, and John Troyer, the chief reckoner of TechReckoning. John and Justin, welcome to theCUBE.
>> Thanks.
>> Thanks for having us.
>> Great. So Justin, you're in Melbourne, Australia, John, you're local to California. Let's start with Justin. Justin, you work at PivotNine. Tell us a little bit about your role and what you do.
>> So I'm the founder and chief analyst at PivotNine, and so everything is my fault. We, we like to help customers with positioning and messaging. That's what most of them come to us for. So we, we maintain a pretty good research focus on the market, focus on enterprise infrastructure, cloud and information security, and our clients come to us for help with positioning into those markets.
>> That's awesome. And John, you're the chief reckoner at TechReckoning, so tell us more about TechReckoning and what you do.
>> Sure. In, in a way my chief reckoner is just might know, I guess. I am also the bottle washer and analyst as well. We work with companies that help them with their ecosystem of technologists. We work community and influence and advocacy, and DevRel is the term of art that people like right now, but basically we work, we help communities communicate with their, their, their, the ecosystems of which.
>> That's great. And you're both a host of theCUBE, so let's go down the line. John, tell us how did you get into hosting theCUBE and how has that experience been like?
>> I was here at CUBE number one. We, we started to realize that video streaming was available in a reasonable way at events, and I believe we worked, we worked with John and Dave and some of the few boats who were Bill around now to bring them to VMworld over ten years ago. I was also doing it home at myself with him disappear that we bought it electronic door I'm very quickly looking very welcome to have them take over a functionality for a lot of people.
>> And Justin, how about you? How's your experience been?
>> Yeah, it's been great. It's a, again, happy accident as things started off. I happen to nice to, I've known him for a few years, and they, he was in need of submersed hosting spots at a conference that I, I happen to be at anyway, and I foolishly said yes, and now I've done it more than once. Oh, it's, is it gets a lot easier after you've done it two or three times.
>> Are there any tips and tricks you would give? Okay, thank you so much for being on theCUBE and we will see you next time. [Music]
ENTITIES
Entity | Category | Confidence |
---|---|---|
John | PERSON | 0.99+ |
Justin Warren | PERSON | 0.99+ |
Justin | PERSON | 0.99+ |
March 2020 | DATE | 0.99+ |
California | LOCATION | 0.99+ |
Sonia - Gauri | PERSON | 0.99+ |
Sonia Tagare | PERSON | 0.99+ |
two guests | QUANTITY | 0.99+ |
John Troy | PERSON | 0.99+ |
Dave | PERSON | 0.99+ |
John Troyer | PERSON | 0.99+ |
Melbourne Australia | LOCATION | 0.94+ |
both | QUANTITY | 0.94+ |
today | DATE | 0.92+ |
two | QUANTITY | 0.9+ |
Palo Alto California | LOCATION | 0.89+ |
more than once | QUANTITY | 0.84+ |
over ten years ago | DATE | 0.81+ |
three time | QUANTITY | 0.79+ |
Bill | PERSON | 0.78+ |
VMworld | ORGANIZATION | 0.76+ |
pivot 9 | ORGANIZATION | 0.68+ |
lot of people | QUANTITY | 0.6+ |
pivot | ORGANIZATION | 0.58+ |
number one | QUANTITY | 0.57+ |
years | QUANTITY | 0.54+ |
9 | OTHER | 0.47+ |
Deverell | PERSON | 0.38+ |
Taylor Dolezal, CNCF | CloudNativeSecurityCon 23
(energetic music plays) >> Lisa: Hey everyone, we're so glad you're here with us. theCUBE is covering Cloud Native Security Con 23. Lisa Martin here with John Furrier. This is our second day of coverage of the event. We've had some great conversations with a lot of intellectual, exciting folks, as you know cuz you've been watching. John and I are very pleased to welcome back one of our alumni to theCUBE. Taylor Dolezal joins us, the head of ecosystem at CNCF. Taylor, welcome back to theCUBE. Great to see you. >> Taylor: Hey everybody, great to see you again. >> Lisa: So you are on the ground in Seattle. We're jealous. We've got FOMO, as John would say. Talk to us about, this is an inaugural event. We were watching Priyanka's keynote yesterday. Seemed like a lot of folks there, 72 sessions, a lot of content, a lot of discussions. What's the buzz, what's the reception of this inaugural event from your perspective? >> Taylor: So it's been really fantastic. I think the number one thing that has come out of this conference so far is that it's a wonderful chance to come together and for people to see one another. It's, it's been a long time that we've kind of had that opportunity to be able to interact with folks or you know, it's just a couple months since last KubeCon. But this is truly a different vibe and it's nice to have that focus on security. We're seeing a lot of folks within different organizations work through different problems and then finally have a vendor neutral space in which to talk about all of those contexts and really raise everybody up with all this new knowledge and new talking points, topics, and different facets of knowledge.
>> John: Taylor, we were joking on our yesterday's summary of the keynotes, Dave Vellante and I, and the guests, Lisa and I, about the CNCF having an event operating system, you know, very decoupled highly cohesive events, strung together beautifully through the Linux Foundation, you know, kind of tongue in cheek but it was kind of fun to play on words because it's a very technical community. But the business model of, of hackers is booming. The reality of businesses booming and Cloud Native is the preferred developer environment for the future application. So the emphasis, it's very clear that this is a good move to do and targeting the community around security's a solid move. Amazon's done it with re:Inforce and re:Invent. We see that nice segmentation. What's the goal? Because this is really where it connects to KubeCon and CloudNativeCon as well because this shift left there too. But here it's very much about hardcore Cloud Native security. What's your positioning on this? Am I getting it right or is there is that how you guys see it? >> Taylor: Yeah, so, so that's what we've see that's what we were talking about as well as we were thinking on breaking this event out. So originally this event was a co-located event during the KubeCon windows in both Europe and North America. And then it just was so consistently popular clearly a topic that people wanted to talk, which is good that people want to talk of security. And so when we saw this massive continued kind of engagement, we wanted to break this off into its own conference.
When we were going through that process internally, like you had mentioned the events team is just phenomenal to work with and they, I love how easy that they make it for us to be able to do these kinds of events too though we wanted to talk through how we differentiate this event from others and really what's changed for us and kind of how we see this space is that we didn't really see any developer-centric open source kinds of conferences. Ones that were really favoring of the developer and focus on APIs and ways in which to implement these things across all of your workloads within your organization. So that's truly what we're looking to go for here during these, all of these sessions. And that's how it's been playing out so far which has been really great to see. >> John: Taylor, I want to ask you on the ecosystem obviously the built-in ecosystem at CNCF.io with KubeCons, CloudNativeCons there, this is a new ecosystem opportunity to add more people that are security focused. Are there new entrants coming into the fold and what's been the reaction? >> Taylor: So short answer is yes we've seen a huge uptick across our vendor members and those are people that are creating Cloud offerings and selling those and working with others to implement them as well as our end users. So people consuming Cloud Native projects and using them to power core parts of their business. We have gotten a lot of data from groups like IBM and security, IBM Security and Ponemon Institute. They gave us a cost of data breach report that Priyanka mentioned and talked about 43% of those organizations haven't started or in the early stages of updating security practices of their cloud environments and then here on the ground, you know, talking through some best practices and really sharing those out as well.
So it's, I've gotten to hear pieces and parts of different conversations and and I'm certain we'll hear more about those soon but it's just really been great to, to hear everybody with that main focus of, hey, there's more that we can do within the security space and you know, let's let's help one another out on that front just because it is such a vast landscape especially in the security space. >> Lisa: It's a huge landscape. And to your point earlier, Taylor it's everyone has the feeling that it's just so great to be back together again getting folks out of the silos that they've been operating in for such a long time. But I'd love to get some of your, whatever you can share in terms of some of the Cloud Native security projects that you've heard about over the last day or so. Anything exciting that you think is really demonstrating the value already and this inaugural event? >> Taylor: Yes, so I I've been really excited to hear a lot of, personally I've really liked the talks around eBPF. There are a whole bunch of projects utilizing that as far as runtime security goes and actually getting visibility into your workloads and being able to see things that you do expect and things that you don't expect and how to remediate those. And then I keep hearing a lot of talks about Open Policy Agent and projects like Kyverno around you know, how do we actually automate different policies or within regulated industries, how do we actually start to solve those problems? So I've heard even more around CNCF projects and other contexts that have come up but truly most of them have been around the telemetry space eBPF and, and quite a few others. So really great to, to see all those projects choosing something to bind to and making it that much more accessible for folks to implement or build on top of as well.
>> John: I love the reference you guys had just the ChatGPT that was mentioned in the keynote yesterday and also the reference to Dan Kaminsky who was mentioned on the reference to DNS and BIND, lot of root level security going on. It seems like this is like a tiger team event where all the top alpha security gurus come together, Priyanka said, experts bottoms up, developer first practitioners, that's the vibe. Is that kind of how you guys want it to be more practitioners hardcore? >> Taylor: Absolutely, absolutely. I think that when it comes to security, we really want to help. It's definitely a grassroots movement. It's great to have the people that have such a deep understanding of certain security, just bits of knowledge really when it comes to eBPF. You know, we have Isovalent here that we're talking things through. Falco is here with Sysdig and so it it's great to have all of these people here, though I have seen a good spread of folks that are, you know, most people have started their security journey but they're not where they want to be. And so people that are starting at a 201, 301, 401 level of understanding definitely seeing a good spread of knowledge on that front. But it's really, it's been great to have folks from all varying experiences, but then to have the expertise of the folks that are writing these specifications and pushing the boundaries of what's possible with security to to ensure that we're all okay and updated on that front too, I think was most notable yesterday. Like you had said. >> Lisa: Sorry Taylor, when we think of security, again this is an issue that, that organizations in every industry face, nobody is immune to this. We can talk about the value in it for the hackers in terms of ransomware alone for example.
But you mentioned a stat that there's a good amount of organizations that are really either early in their security journeys or haven't started yet which kind of sounds a bit scary given the landscape and how much has changed in the last couple of years. But it sounds like on the good news front it isn't too late for organizations. Talk a little bit about some of the recommendations and best practices for those organizations who are behind the curve knowing that the next attack is going to happen. >> Taylor: Absolutely. So fantastic question. I think that when it comes to understanding the fact that people need to implement security and abide by best practices, it's like I I'm sure that many of us can agree on that front, you know, hopefully all of us. But when it comes to actually implementing that, that's I agree with you completely. That's where it's really difficult to find where where do I start, where do I actually look at? And there are a couple of answers on that front. So within the CNCF ecosystem we have a technical action group security, so TAG Security and they have a whole bunch of working groups that cover different facets of the Cloud Native experience. So if you, for example, are concerned about runtime security or application delivery concerns within there, those are some really good places to find people knowledgeable about, that even when the conference isn't going on to get a sense of what's going on. And then TAG Security has also published recently version two of their security report which is free accessible online. They can actually look through that, see what some of the recent topics are and points of focus and of interest are within our community. There are also other organizations like OpenSSF which is taking a deeper dive into security.
You know, initially kind of having a little bit more of an academic focus on that space and then now getting further into things around software bill of materials or SBOMs, supply chain security and other topics as well. >> John: Well we love you guys doing this. We think it's very big deal. We think it's important. We're starting to see events post COVID take a certain formation, you know joking aside about the event operating systems smaller events are happening, but they're tied together. And so this is key. And of course the critical need is our businesses are under siege with threats, ransomware, security challenges, that's IT moves to Cloud Native, not everyone's moved over yet. So that's in progress. So there's a huge business imperative and the hackers have a business model. So this isn't like pie in the sky, this is urgent. So, that being said, how do you see this developing from who should attend the next one or who are you looking for to be involved to get input from you guys are open arms and very diverse and great great culture there, but who are you looking for? What's the makeup persona that you hope to attract and nurture and grow? >> Taylor: Absolutely. I think that when it comes to trying the folks that we're looking for the correct answer is it varies you know, from, you know, you're asking Priyanka or our executive director or Chris Aniszczyk our CTO, I work mostly with the end users, so for me personally I really want to see folks that are operating within our ecosystem and actually pulling these down, these projects down and using them and sharing those stories. Because there are people creating these projects and contributing to them might not always have an idea of how they're used or how they can be exploited too. A lot of these groups that I work with like Mercedes or Intuit for example, they're out there in the world using these, these projects and getting a sense for, you know, what can come up.
And by sharing that knowledge I think that's what's most important across the board. So really looking for those stories to be told and novel ways in which people are trying to exploit security and attacking the supply chain, or building applications, or just things we haven't thought about. So truly that that developer archetype is really helpful to have the consumers, the end users, the folks that are actually using these. And then, yeah, and I'm truly anywhere knowledgeable about security or that wants to learn more >> John: Super important, we're here to help you scale those stories up whatever you need, send them our way. We're looking forward to getting those. This is a super important movement getting the end users who are on the front lines bringing it back into the open, building, more software, making it secure and verified, all super important. We really appreciate the mission you guys are on and again we're here to help. So send those stories our way. >> Taylor: Cool, cool. We couldn't do it without you. Yeah, just everyone contributing, everyone sharing the news. This is it's people, people is the is the true operating system of our ecosystem. So really great to, really great to share. >> Lisa: That's such a great point Taylor. It is all about people. You talked about this event having a different vibe. I wanted to learn a little bit more about that as we, as we wrap up because there's so much cultural change that's required for organizations to evolve their security practices. And so people of course are at the center of culture. Talk a little bit about why that vibe is different and do you think that yeah, it's finally time. Everyone's getting on the same page here we're understanding, we're learning from each other. >> Taylor: Yes. So, so to kind of answer that, I think it's really a focus on, there's this term shift left and shift right. 
And talking about where do we actually put security in the mix as it comes to people adopting this and figuring out where things go. And if you keep shifting it left, that meaning that the developers should care more deeply about this and a deeper understanding of all of these, you know, even if it's, even if they don't understand how to put it together, maybe understand a little bit about it or how these topics and facets of knowledge work. But you know, like with anything, if you shift everything off to one side or the other that's also not going to be efficient. You know, you want a steady stream of knowledge flowing throughout your whole organization. So I think that that's been something that has been a really interesting topic and, and hearing people kind of navigate and try to get through, especially groups that have had, you know, deployed an app and it's going to be around for 40 years as well. So I think that those are some really interesting and unique areas of focus that have come up on the floor and then in a couple of the sessions here. >> Lisa: There's got to be that, that balance there. Last question as we wrap the last 30 seconds or so what are you excited about given the success and the momentum of day one? What excites you about what's ahead for us on day two? >> Taylor: So on day two, I'm really, it's, there's just so many sessions. I think that it was very difficult for me to, you know pick which one I was actually going to go see. There are a lot of favorites that I had kind of doubled up at each of the time so I'm honestly going to be in a lot of the sessions today. So really excited about that. Supply chain security is definitely one that's close to my heart as well but I'm really curious to see what new topics, concepts or novel ideas people have to kind of exploit things. Like one for example is a package is out there it's called Browser Test but somebody came up with one called Bowser Test. 
Just a very simple misname and then when you go and run that it does a fake kind of like, hey you've been exploited and just even these incorrect name attacks. That's something that is really close and dear to me as well. Kind of hearing about all these wild things people wouldn't think about in terms of exploitation. So really, really excited to hear more stories on that front and better protect myself both at home and within the Cloud Community as I stand these things up. >> Lisa: Absolutely you need to clone yourself so that you can, there's so many different sessions. There needs to be multiple versions of Taylor that you can attend and then you can all get together and talk about and learn. But that's actually a really good problem to have as we mentioned when we started 72 sessions yesterday and today. Lots of great content. Taylor, we thank you for your participation. We thank you for bringing the vibe and the buzz of the event to us and we look forward as well to hearing and seeing what day two brings us today. Thank you so much for your time Taylor. >> Taylor: Thank you for having me. >> John: All right >> Lisa: Right, for our guest and John Furrier, I'm Lisa Martin. You're watching theCube's Day two coverage of Cloud Native Security Con 23. (energetic music plays)
Ramesh Prabagaran, Prosimo | AWS re:Invent 2022
(gentle music) >> Hello, beautiful humans and welcome back to fabulous Las Vegas, where we are combating the dry air of the desert and all giggling about the rasp of our voice at this stage. We're theCUBE and we are live from AWS reinvent. I am Savannah Peterson, joined by the fabulous Paul Gillin. Paul, how are you holding up? How are your feet doing? >> My feet are, I can't feel them anymore. (both laugh) >> We can't feel much after these feet. >> Two miles. Just to get from, just to get to to the keynotes this morning. >> Did you do your cross training to prepare >> For, >> Apparently not well enough. (Savannah laughs) Not well enough. >> Well, it's great to have you here >> likewise. and I'm very excited for our next conversation. We've got Ramesh from Prosimo. >> Thank you. >> Savannah: Welcome to the show. How is the show going for you? How's your voice? >> Oh my God. I woke up this morning and I could not hear my own voice. I'm like, this is not me. I think it's the dry air here, so if I cough, I apologize in advance. But no, the show has been great. It's been nonstop at the booth. It's wonderful to see all the customers in one place so you don't have to schedule lots of meetings spread across three, four weeks. So you get to >> Savannah: Right. I, yeah >> So yesterday was like eight to six, nonstop and it was awesome, right? Because you get to meet all these guys. The other important thing is the focus on the right layer, right? Like, I loved the keynote from Adam. It was about applications, services, data. Nowhere in there was there like infrastructure. Like we are infrastructure, right? I actually love that because that's where the focus should be and that's what customers are caring about right? So it's, it's been great so far. >> Yeah. I'm so happy to hear your booth's packed. I know exactly what you mean. I mean, we're going to be talking about optimization. It's a theme, but we also optimize our time here >> Ramesh: Yeah. 
>> on the show floor by getting to engage with our community. Prosimo's been around for three years just in case folks aren't familiar, give us the pitch. >> Sure. We are in the cloud networking space, solving for two problems. What happens within the cloud as you bring up VPCs, vnet and workloads, how are they able to talk to each other, secure each other, and how to use those access workloads? Those are the two problems that we solve for. It stemmed from really us seeing a complete diversion in what cloud wants versus what network really focuses on. Cloud has been always focused on applications and speed of operations and network has always been about reliability, scalability, and robust architecture. And we didn't really see these things come together. So that's when Prosimo was born. >> So what are some of the surprises newcomers to the cloud may encounter with networking, with cloud networking that was not a factor when they were fully on-prem? >> So the first thing is in the cloud, you can't deal with the workload the same way you dealt with in the data center. In the data center, you usually had pools of service. They were all allocated some level of addressing. And it was not about the workload, it was more about the identity, IP addresses and so forth. In the cloud, those things have completely gotten demolished, right? You have to refer to an S3 service as an S3 service. It's not an IP endpoint. IP endpoint comes and goes, right? >> Savannah: Yeah. >> And so you have to completely shift around that, right? >> Now, this actually challenges almost 10 years, 12, 20 years maybe, of networking that we knew about, right? So that's why cloud networking is almost night and day difference compared to regular networking right? And, we're seeing that and that's what we are really helping customers with. >> What are some of the trends that you're seeing? I, well actually, let me ask you this question. 
Do you, is there an industry or vertical you work with specifically? I would imagine most people across, >> Ramesh: The Yeah, across. >> Yeah. >> Anybody that has workloads in the cloud right? >> Yeah, right. >> Ramesh: That's, >> I mean I can't imagine any companies that would have that. >> Exactly. (Savannah laughs) >> What are some of the trends that you're seeing? I know we talk about time to value. We talk about cost optimization. Is that the top priority for your customers? >> Yeah. Up until end of last year, a lot of the focus was about speed of operations. And so people would look at what are the type of workloads? How do I enable things? How do I empower my development team? So, if I'm the cloud platform team responsible for connecting, securing and making sure my applications can get deployed smooth and fast, that was the primary focus. Fast forward to this year, we started to see this a little bit at the beginning of the year. Now it's in full force. It's about cost control, right? It's about egress charges coming out of the cloud. Suddenly the cloud bill and every single line item on the cloud bill is in focus, right? And so that has a direct impact on what does this mean for networking. Cloud networking for many may not be familiar, it's about 14% of the cloud bill. And so anything that materially moves the needle on the cloud networking costs can actually have a have a big impact, right? And so we have seen the focus on the speed of operations are still there but cloud cost control has become a big part of it. >> So where are the excesses? I mean, it's, it's a big part of the bill. Where can company, where do companies typically waste money in networking costs? >> So, if you bring a person who understands networking and networking architecture really, really well, they'll can build a solid architecture, but they'll not focus on operations and automation. If you bring a 25 year old, they will automate the heck out of it. 
They know Python day in and day out. And so they'll automate the heck out of it but it will not be with a robust architecture, right? And so you, on one hand, you end up wasting because you do things very suboptimally. It's a solid architecture, it's a really good design but it's really bad for operations. In the other hand, with push of a button you can get anything done but underneath the covers, underneath the hood, if you look at it, it's a mess, right? And so you have more competence than necessary. And so, what customers want is really a best of both, right? You need solid architecture that has all the right principles but also you need the automation so that you don't employ four, five people and a whole toolkit in order to make things work, right? And that's where we see most of the efficiencies come from >> You said you were you were super busy at your booth. Do customers understand that this is a problem now? >> So more so now than I would say last year. The last reinvent when we had a session. >> Yeah. >> We had to educate a lot of people on these are the requirements for cloud networking. Thanks to Gartner, thanks to many of the sessions you guys have been doing as well. The focus and the education for what cloud networking requires has started to come about. Now, this is where the savviness of the customer is important, right? Like there are customers in different stages of their journey. Those that have been operating in the cloud for three years plus, know that they've crossed that initial phase, right? Like you have basic hygiene, you have certain things and moving from hundreds of VPCs to maybe about thousand, right? And so at that time, the set of challenges I need to work with are very, very different, right? So now increasingly we are seeing at the booth the challenges are, "Hey, I know how to operate in the cloud". Right? Like, "Don't talk to me about that." Right? "But how do I get from hundred to a thousand?" Because I have a gun to my head. 
My CIO has said, I need to decommission my data centers in the next couple of years and I need to go all in on cloud. Help me with that, right? And so it's the, I wouldn't call it like massive scale it's the scale from kind of the trivial to the next stage that's actually causing a lot of these problems to surface. >> It's that layer of transformation. >> Ramesh: Yeah. It's when you've made the commitment and now we've got to catch everything up >> Ramesh: Exactly. >> across the company locations and probably a variety of different silos doing different things. >> Ramesh: Exactly. Yeah. >> Super complex. So, how do folks get started with you? >> Yeah, so typically we start with like, even if the customer says, "Here's what my blueprint looks like." We say, "Bring two regions." That's it, two regions, a few workloads. We'll help you set up the connectivity, set up the secure access required, set up the foundational things. There's a certain level of automation, right? Let's get to that point because governance is different. The cloud privileges are different so let's work through all of that, right? Usually this takes about a week or so. The actual proof of concept, proof of value can be done in a day, but getting permissions and what not takes about, about a week, right? And once you show two regions then it's actually game on, right? Then you go from 10 VPCs to a hundred to a thousand and it's just like one to one thing after another. So that's usually how we see customers get started. We have a full stack that covers kind of what does this mean for the network to application services to kind of layer seven and so forth. We tell the customer, as much as we want you to focus on the entire stack, let's start with one, right? Start baby steps, start with one. Because for many, cloud itself is, I wouldn't say new but they're in a region that's not comfortable, right? So you wanna, you don't want to throw too much at them. >> Savannah: Right. 
>> So we help them kind of progressively move towards different types of workplace. >> Savannah: Yeah. >> And you have a multicloud story as well. >> Ramesh: That's correct. >> So when companies begin to cross clouds with workloads, move them between clouds, what kinds of issues emerge then? >> Yeah, so there are two parts for this, right? There is the AWS and data center and then there is the AWS plus other clouds. Two different set of problems, actually, >> Paul: Hm-hmm. Hm-hmm. The AWS plus connectivity, back into my data center almost every single enterprise. We deal with kind of the global 2000. Every single one of them has that, right? And so we kind of, we go through a series of steps, come up with an architecture, deploy a solution. After that, it's, Hey, I have BigQuery in Google that needs to talk back to an S3 bucket out here. Like, no networking solution can help you with that. Like, you need like cloud native principles in order to come into the picture. So increasingly we are seeing requests for, hey I have a distributed workload. It's not, it's not that one single application is spread across multiple clouds, but I have these islands of workloads that all need to talk to each other. >> Paul: Right. And what I don't want to do is actually build highways that actually connect all these things together because that's a waste of time. I actually want to make sure that only these applications that care about the talking to each other, are allowed to talk to each other. So that's kind of one foundational thing that we see. A few others are around compliance and governance. So we say, Hey, if I'm a retailer, I need to have some workloads in Azure some in the GCP and so forth. So it depends on kind of the industry compliance, regulatory requirements and so forth. >> So many different needs >> Ramesh: Exactly. for so many different types of companies. But also, you know, creating that efficiency is so great. >> Ramesh: Yup. 
>> And especially that time to value tune, cost reduction >> Ramesh: Yup. doing a lot of great things for your customers. There's a note on my run sheet here that you've seen some success with Topgolf and I suspect we have some golfers in the audience. John even used to be a caddy. We had a caddy segment with someone who was a pro caddy. Drew, when we were at Cape Con. Tell us about that story. >> So it was a really wild idea. We said, okay people are going to be walking around 22,000 steps right? >> Savannah: Yeah. >> And so >> Like Paul, >> And, they're going to be talking to people, listening to sessions. So we said, let's, what do most others do? You set up some time in a restaurant, you come, you have a social time, and what not. We said, let's give people something different. So we reserve the Topgolf here and we opened it up. We initially paid for a certain number of things. It's actually gone three x of that right now. So we had in the Topgolf, can you give us like the entire thing? I think people just want to go do something different, right? >> Savannah: Yeah. >> And of course the topic is important but equally important is like, I just want to have a good time, right? >> Yeah. And if you, hit a few And there you go. >> It doesn't have to relate back to network >> Cloud, network. >> Yeah, exactly. And so >> Well, it's all about building community. >> Exactly. >> And especially right now, we all, you know, we're stronger together. >> Ramesh: Yup. We're entering a unique time, we're coming out of a unique time. >> Ramesh: Exactly. >> And, no, I think that's great. And we actually do a swag segment here on theCUBE, differentiating on the show floor. I mean, it's clear because of how thoughtful you are >> Ramesh: Yeah. there's a reason that your, that your booth is so busy. >> Ramesh: That's right. >> So what's next? What can you, can you give us a little sneak preview? What's coming out for you? 
>> Yeah, so, I'm sensitive and sympathetic to all the macroeconomic conditions that are happening but there's been, we have not skipped a beat. So our business is growing really well. Thanks to all the things that are happening in the cloud. Increasingly, folks are looking at, you know, how do I move en masse into the cloud? And so a few themes have come about as a result. One, certainly around cost control. How do I, how do I make, how do we make sure that we help our customers in that journey, right? So we have a few things around those lines. Modernization, especially after you go through the first few workloads, the next few that come about are invariably modern workloads. And modern workloads is this sensitive thing where I think the ultra savvy developers know what to do but the infrastructure guys don't know what to do in order to serve, right? And so we have actually developed a set of capabilities to help with that kind of modernization, right? Because it's not enough if your apps are modernized, your infrastructure that serves the apps also need to be modernized. And so those are the, those are the things and certainly, getting our customers less than us. We want to get our customers to talk. And so you'll see quite a bit of that as well. >> I want to ask you about a statement that was in the notes that we were reading, running up this interview. Zero Trust network access is the next solution that will be disrupted. What do you mean by that? >> So, when we started the company about three years ago, zero trust network access was there. It was about maybe two, three years old at that time. And so we said, it needs to be done differently in the cloud. Why? Because you are a user. You're trying to access an application in the cloud. Do you care what's in the middle? You really don't, you just want to be able to open up your laptop, go to dub dub something.com and you should be able to access, right? But that's not how the experience is today. 
There's invariably something that comes, a middle mile solution that comes in the middle, right? And then the guy needs to operationalize all of that. And that now passes on to you. You need to launch an agent on your thing, connect into something. It just brings a lot of complexity, right? So we looked at that problem and we said, cloud has done really really a few things really, really well, right? It's literally at your doorstep. Cloud presence is literally at your doorstep. So as you open up your browser, connect from your home, I don't need anything in the middle. I am jumping straight into the cloud. And so when you do that, then you actually have the luxury of bringing a few capabilities to the entry point of the cloud so that security can be done better, posture control can be done better and so on and so forth. So we developed those capabilities almost three years ago. We have quite a few large enterprises that have deployed this. And we fundamentally believe on building on top of the hyperscale network because billions of tens of billions of dollars go into the investment here. And we want to be building a layer of value on top, right? And so we've been working closely with our AWS buddies here and actually built capabilities so that the infrastructure presence, the massive reach and also the underlying capabilities for zero trust are provided. But what the customer regains in terms of value is through our platform, right? And so we'll see a whole lot more innovation along these lines. Probably bad news for the Middle Mile provider who sit in the, in the middle because hey AWS is literally at your doorstep, so you have to rethink your strategy. >> Going to be a lot of agility >> Ramesh: Yes, absolutely. >> In a very different context than we normally use it in Nerdland. And no, I think that's great. So we have, it's an exciting time for you as a company. We have a new challenge here at Reinvent. >> Okay. >> On theCUBE. I know you're a venerable alumni. 
>> Yep. >> You have been on theCUBE multiple times with multiple companies which is very impressive. Which says a lot about you. Although given how fun this interview's been, I'm not surprised. Give us your 30 second, Instagram real highlight, sound bite on the biggest or most important theme or takeaway from this year's show. >> From this show? Yeah, so if you look across the keynotes in all the sessions, the focus is on data, services and the applications. So the biggest takeaway I would offer anybody is focus on that first because that's where the outcome needs to shine. The rest of the stuff is a means to an end. I am an infrastructure guy through and through, I have been for the last 20 years. It hurts me to say infrastructure is a means to end but it is, right. Let the people dealing with the infrastructure deal with the infrastructure. If you are a customer or a client of the service, focus on the outcome, focus on the apps, focus on the services focus on on the data. That would be the biggest takeaway. >> Savannah: I appreciate your >> Paul: Words of wisdom >> Savannah: transparency. Yeah, no, exactly. Words of wisdom and very honest words of wisdom. Really great to talk to you about intelligent infrastructure. >> Absolutely. >> Savannah: Thank you so much for being on the show, Ramesh. >> Thank you. >> Savannah: It's been, it's been awesome. Paul, it's always a pleasure. >> Likewise. Thank you all for tuning in today here live from the show floor at AWS, reinvent in beautiful sin city, in the high desert and the high end dry desert with Paul Gillin. My name is Savannah Peterson and you're watching theCUBE, the leader in high tech coverage. (gentle music)
Thomas Stocker, UiPath & Neeraj Mathur, VMware | UiPath FORWARD5
>> TheCUBE presents UiPath Forward Five brought to you by UiPath. >> Welcome back to UiPath Forward Five. You're watching theCUBE's wall-to-wall coverage. This is day one, Dave Vellante, with my co-host Dave Nicholson. We're taking RPA to intelligence automation. We're going from point tools to platforms. Neeraj Mathur is here. He's the director of Intelligent Automation at VMware. Yes, VMware. We're not going to talk about vSphere or Aria, or maybe we are, (Neeraj chuckles) but he's joined by Thomas Stocker who's a principal product manager at UiPath. And we're going to talk about testing automation, automating the testing process. It's a new sort of big vector in the whole RPA automation space. Gentlemen, welcome to theCUBE. Good to see you. >> Neeraj: Thank you very much. >> Thomas: Thank you. >> So Neeraj, as we were saying, Dave and I, you know, really like VMware was half our lives for a long time but we're going to flip it a little bit. >> Neeraj: Absolutely. >> And talk about sort of some of the inside baseball. Talk about your role and how you're applying automation at VMware. >> Absolutely. So, so as part of us really running the intelligent automation program at VMware, we have a quite matured COE for last, you know four to five years, we've been doing this automation across the enterprise. So what we have really done is, you know over 45 different business functions where we really automated quite a lot different processes and tasks on that. So as part of my role, I'm really responsible for making sure that we are, you know, bringing in the best practices, making sure that we are ready to scale across the enterprise but at the same time, how, you know, quickly we are able to deliver the value of this automation to our businesses as well. >> Thomas, as a product manager, you know the product, and the market inside and out, you know the competition, you know the pricing, you know how customers are using it, you know all the features. 
What's your area of - main area of focus? >> The main area of the UiPath Test Suite... >> For your role, I mean? >> For my role is the RPA testing. So meaning testing RPA workflows themselves. And the reason is RPA has matured over the last few years. We see that, and it has adopted a lot of best practices from the software development area. So what we see is RPA now becomes business critical. It's part of the main core business processes in corporation and testing it just makes sense. You have to continuously monitor and continuously test your automation to make sure it does not break in production. >> Okay. And you have a specific product for this? Is it a feature or it's a module? >> So RPA testing or the UiPath Test Suite, as the name suggests it's a suite of products. It's actually part of the existing platform. So we use Orchestrator, which is the distribution engine. We use Studio, which is our IDE to create automation. And on top of that, we build a new component, which is called the UiPath Test Manager. And this is a kind of analytics and management platform where you have an oversight on what happened, what went wrong, and what is the reason for automation to break. >> Okay. And so Neeraj, you're testing your robot code? >> Neeraj: Correct. >> Right. And you're looking for what? Governance, security, quality, efficiency, what are the things you're looking for? >> It's actually all of those but our main goal to really start this was two-front, right? So we were really looking at how do we, you know, deliver at a speed with the quality which we can really maintain and sustain for a longer period, right? So to improve our quality of delivery at a speed of delivery, which we can do it. So the way we look at testing automation is not just as an independent entity. We look at this as a pipeline of a continuous improvement for us, right? So how it is called industry as a CICD pipeline. So testing automation is one of the key components of that. 
But the way we were able to deliver on the speed is to really have that end-to-end automation done for us to also from developers to production and using that pipeline and our testing is one piece of that. And the way we were able to also improve on the quality of our delivery is to really have automated way of doing the code reviews, automated way of doing the testing using this platform as well. And then, you know, how you go through end to end for that purpose. >> Thomas, when I hear testing robots, (Thomas chuckles) I don't care if it's code or actual robots, it's terrifying. >> It's terrifying, yeah. >> It's terrifying. Okay, great. You, you have some test suite that says, look, yeah, we've looked at... >> The, why is that terrifying? >> What's, it's terrifying because if you have to let it interact with actual live systems in some way. Yeah. The only way to know if it's going to break something is either you let it loose or you have some sort of sandbox where, I mean, what do you do? Are you taking clones of environments and running actual tests against them? I mean, think it's... >> Like testing disaster recovery in the old days. Imagine. >> So we are actually not running any testing in the production live environment, right? The way we build this actually to do a testing in the separate test environment on that as well by using very specific test data from business, which you know, we call that as a golden copy of that test data because we want to use that data for months and years to come. Okay. Right? Yeah. So not touching any production environmental Facebook. >> Yeah. All right. 'Cause you, you can imagine... >> Absolutely. >> It's like, oh yeah, we've created a robot that changes baby diapers, let's go ahead and test it on these babies. [Collective Laughter] Yeah. >> I don't think so. No, no. But, but what's the, does it, does it matter if there's a delta between the test data and the, the, the production data? How, how big is that delta? How do you manage that?
>> It does matter. And that's where actually that whole, you know, angle of how much you can, can in real, in real life can test, right? So there are cases where you would have, even in our cases where, you know, the production data might be slightly different than the test data itself. So the whole effort goes into making sure that the test data, which we are preparing here, is as close to the production data itself, right? It may not be a hundred percent close but that's the sort of, you know, boundary or risk you may have to take. >> Okay. So you're snapshotting that, moving it over, a little vMotion? >> Neeraj: Yeah. >> Okay. So do you do this for citizen developers as well? Or are you guys pretty much center of excellence writing all the bots? >> No, right now we are doing only for the unattended, the COE-driven bots only at this point of time. >> What are you, what are your thoughts on the future? Because I can see, I can see some really sloppy citizen coders. >> Yeah. Yeah. So as part of our governance, which we are trying to build for our citizen developers as well, there is a really similar consideration for that as well. But for us, we have really not gone that far to build that sort of automation right >> Now, narrowly, just if we talk about testing, what's the business impact been on the testing? And I'm interested in overall, but the overall platform but specifically for the testing, when did that, when did you start implementing that and, and what, what has been the business benefit? >> So the benefit is really on the, on the speed of the delivery, which means that we are able to actually deliver more projects and more automation as well. So since we adopted that, we have seen our, you know, improvement, our speed is around 15%, right? So, so, you know, 15% better speed than previously.
What we have also seen is, is that our success rate of our transactions in production environment has gone to 96% success rate, which is, again, there is a direct implication on business, on, on that point of view that, you know, there's no more manual exception or manual interaction is required for those failure scenarios. >> So 15% better speed at what? At, at implementing the bots? At actually writing code? Or... >> End to end, yes. So from building the code to test that code, able to approve that and then deploy that into the production environment after testing it, this is really has improved by 15%. >> Okay. And, and what, what, what business processes outside of sort of testing have you sort of attacked with the platform? Can you talk to that? >> The business processes outside of testing? >> Dave: Yeah. You mean the one which we are not testing ourself? >> Yeah, no. So just the UiPath platform, is it exclusively for, for testing? >> This testing is exclusively for the UiPath bots which we have built, right? So we have some 400 plus automations of UI bots. So it's meant exclusively... >> But are you using UiPath in any other ways? >> No, not at this time. >> Okay, okay. Interesting. So you started with testing? >> No, we started by building the bots. So we already had roughly 400 bots in production. When we came with the testing automation, that's when we started looking at it. >> Dave: Okay. And then now building that whole testing... >> Dave: What are those other bots doing? Let me ask it that way. >> Oh, there's quite a lot. I mean, we have many bots. >> Dave: Paint a picture if you want. Yeah. In, in finance, in auto management, HR, legal, IT, there's a lot of automations which are there. As I'm saying, there's more than 400 automations out there. Yeah. So, so it's across the, you know, enterprise on that. >> Thomas. So, and you know, both of you have a, have a view on this, but Thomas's views probably wider across other, other instances.
What are the most common things that are revealed in tests that indicate something needs to be fixed? Yeah, so think of, think of a test, a test failure, an error. What are the, what are the most common things that happen? >> So when we started with building our product we conducted a, a survey among our customers. And without a surprise the main reason why automation breaks is change. >> David: Sure. >> And the problem here is RPA is a controlled process, a controlled workflow, but it runs in an uncontrollable environment. So typically RPA is developed by a COE. Those are business and automation experts, but they operate in an environment that's driven by new patches, new application changes rolled out by IT. And that's the main challenge here. You cannot control that. And so far, if you, if you do not proactively test, what happens is you catch an issue in production when it already breaks, right? That's reactive, that leads to maintenance, to unplanned maintenance actually. And that was the goal right from the start from the Test Suite, to support our customers here and go over to proactive maintenance, meaning testing before and finding those issues before they hit production. >> Yeah. Yeah, yeah. So I'm, I'm still not clear on, so you just gave a perfect example, changes in the environment. >> Yeah. >> So those changes are happening in the production environment. >> Thomas: Yeah. The robot that was happily doing its automation stuff before? >> Thomas: Yeah. Everyone was happy with it. Change happens. Robot breaks. >> Thomas: Yeah. >> Okay. You're saying you test before changes are implemented? To see if those changes will break the robot? >> Thomas: Yeah. >> Okay. How do you, how do you expose those changes that are in the, in a, that are going to be in a production environment to the robot? You must have a... Is that part of the test environment? Does that mean that you have to have, what, fully running instances of like an ERP system? >> Thomas: Yeah.
You know, a clone of an environment. How do you, how do you test that without having the live robot against the production environment? >> I think there's no big difference to standard software testing. Okay. The interesting thing is, the change actually happens earlier. You are affected on production side with it but the change happens on IT side or on DevOps side. So you typically will test in a test environment that's similar to your production environment or probably in a pre-prod environment. And the test itself is simply running your workflow that you want to test, but mock away any dependencies you don't want to invoke. You don't want to send a, a letter to a customer in a test environment, right? And then you verify that the result is what you actually expect, right? And as soon as this is not the case, you will be notified, you will have a result, the fail result, and you can act before it breaks. So you can fix it, redeploy to production and you should be good now. >> But the, the main emphasis at VMware is testing your bots, correct? >> Neeraj: Testing your bots. Yes. Can I apply this to testing other software code? >> Yeah, yeah. You, you can, you can technically actually, and Thomas can speak better than me on that, to any software for that matter, but we have really not explored that aspect of it. >> David: You guys have pretty good coders, good engineers at VMware, but no, seriously Thomas, what's that market looking like? Is that taking off? Are you, are you, are you applying this capability or customers applying it for just more broadly testing software? >> Absolutely. So our goal was we want to test RPA and the application it relies on, so that includes RPA testing as well as application testing. The main difference is typical functional application testing is a black box testing. So you don't know the inner implementation of, of that application. And it works out pretty well.
The big, the big opportunity that we have is not isolated, not isolated testing, isolated RPA, but we talk about convergence of automation. So what we offer our customers is one automation platform. You create one, you create automation, not redundantly in different departments, but you create once probably for testing and then you reuse it for RPA. So that suddenly helps your, your test engineers to, to move from a pure cost center to a value center. >> How, how unique is this capability in the industry relative to your competition and, and what capabilities do you have that, that or, or, or differentiators from the folks that we all know you're competing with? >> So the big advantage is the power of the entire platform that we have with UiPath. So we didn't start from scratch. We have that great automation layer. We have that great distribution layer. We have all that AI capabilities that so far were used for RPA. We can reuse them, repurpose them for testing. And that really differentiates us from the competition. >> Thomas, I, I, I detect a hint of an accent. Is it, is it, is it German or... >> It's actually Austrian. >> Austrian. Well... >> You know. Don't compare us with Germans. >> I understand. High German. Is that the proper, is that what's spoken in Austria? >> Yes, it is. >> So, so... >> Point being? >> Point being, exactly, as I drift off, point being generally German is considered to be a very, very precise language with very specific words. It's very easy to be confused about, between the difference, the difference between two things: automation testing and automating testing. >> Thomas: Yes. >> Because in this case, what you are testing are automations. >> Thomas: Yes. >> That's what you're talking about. >> Thomas: Yes. >> You're not talking about the automation of testing. Correct? >> Well, we talk about... >> And that's got to be confusing when you go to translate that into... >> Dave: But isn't it both? >> 50 other languages? >> Dave: It's both. >> Is it both?
>> Thomas: It actually is both. >> Okay. >> And there's something we are exploring right now which is even, even the next step, the next layer, which is autonomous testing. So, so far you had an expert, an automation expert, creating the automation once and it would be rerun over and over again. What we are now exploring is together with university to autonomously test, meaning a bot explores your application under test and finds issues completely autonomously. >> Dave: So autonomous testing of automation? >> It's getting more and more complicated. >> It's more clear, it's getting clearer by the minute. >> Sorry for that. >> All right Neeraj, last question is: Where do you want to take this? What's your vision for, for VMware in the context of automation? >> Sure. So, so I think the first and the foremost thing for us is to really make it more mainstream for, for our automation developers as well, right? What I mean by that is, is to really, so, so there is a shift now how we engage with our business users and SMEs. And I said previously they used to actually test it manually. Now the conversation changes that, hey, can you tell us what test cases you want, what you want us to test in an automated manner? Can you give us the test data for that so that we can keep on testing in a continuous manner for the months and years to come down? Right? The other part of the test it changes is that, hey, it used to take eight weeks for us to build but now it's going to take nine weeks because we're going to spend an extra week just to automate that as well. But it's going to help you in the long run and that's the conversation. So to really make it as much more mainstream and then say that out of all these kinds of automation and bots which we are building... So we are not looking to have a test automation for every single bot which we are building. So we need to have a way to choose where their value is. Is it the quarter end processing one?
Is it the most business critical one, or is it the one where we are expecting frequent changes, right? That's where the value of the testing is. So really bring that as a part of our whole process and then, you know... >> We're still fine too. That great. Guys, thanks so much. This has been really interesting conversation. I've been waiting to talk to a real life customer about testing and automation testing. Appreciate your time. >> Thank you very much. >> Thanks for everything. >> All right. Thank you for watching, keep it right there. Dave Nicholson and I will be back right after this short break. This is day one of theCUBE coverage of UiPath Forward Five. Be right back after this short break.
Horizon3.ai Signal | Horizon3.ai Partner Program Expands Internationally
>> Hello, I'm John Furrier with theCUBE, and welcome to this special presentation of theCUBE and Horizon3.ai. They're announcing a global partner-first approach, expanding their successful pen testing product NodeZero. You're going to hear from leading experts in their staff, their CEO, positioning themselves for a successful channel distribution expansion internationally in Europe, Middle East, Africa and Asia Pacific. In this CUBE special presentation, you'll hear about the expansion, the expanse partner program giving partners a unique opportunity to offer NodeZero to their customers. Innovation and pen testing is going international with Horizon3.ai. Enjoy the program. [Music] >> Welcome back everyone to theCUBE and Horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We're here with Jennifer Lee, head of channel sales at Horizon3.ai. Jennifer, welcome to theCUBE. Thanks for coming on. >> Great, well, thank you for having me. >> So big news around Horizon3.ai driving channel-first commitment. You guys are expanding the channel partner program to include all kinds of new rewards, incentives, training programs, help educate, you know, partners, really drive more recurring revenue. Certainly cloud and cloud scale has done that. You got a great product that fits into that kind of channel model, great services you can wrap around it. Good stuff. So let's get into it. What are you guys doing? What are, what are you guys doing with this news? Why is this so important? >> Yeah, for sure. So, um, yeah, we, like you said, we recently expanded our channel partner program. Um, the driving force behind it was really just, um, to align our, like you said, our channel-first commitment, um, and creating awareness around the importance of our partner ecosystems. Um, so that's, it's really how we go to market, is, is through the channel. >> And a great international focus. I've talked with the CEO, so, you know, about the solution, and he broke down all the action on why it's important on the product side. But why now on the go-to-market
change? What's the, what's the why behind this big, this news on the channel? >> Yeah, for sure. So, um, we are doing this now really to align our business strategy, which is built on the concept of enabling our partners to create a high-value, high-margin business on top of our platform. And so, um, we offer a solution called NodeZero. It provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture. Um, so we, our company vision, we have this tagline that states that our pen testing enables organizations to see themselves through the eyes of an attacker, and, um, we use the, like, the attacker's perspective to identify exploitable weaknesses and vulnerabilities. So we created this partner program from a perspective of the partner, so the partner's perspective, and we've built it through the eyes of our partner, right? So we're prioritizing really what the partner is looking for and, uh, will ensure, like, mutual success for us. >> Yeah, the partners always want to get in front of the customers and bring new stuff to them. Pen tests have traditionally been really expensive, uh, and so bringing it down in one to a service level that's, one, affordable and has flexibility to it allows a lot of capability. So I imagine people getting excited by it. So I have to ask you about the program. What specifically are you guys doing? Can you share any details around what it means for the partners, what they get, what's in it for them? Can you just break down some of the mechanics and mechanisms or, or details? >> Yeah, yep. Um, you know, we're really looking to create business alignment, um, and like I said, establish mutual success with our partners. So we've got two, um, two key elements that we were really focused on, um, that we bring to the partners. So the opportunity, the profit margin expansion, is one of them, and, um, a way for our partners to really differentiate themselves and stay relevant in the market. So, um, we've restructured our discount model, really, um, you know, highlighting
profitability and maximizing profitability, and, uh, this includes our deal registration. We've, we've created deal registration program, we've increased discount for partners who take part in our partner certification, uh, trainings, and we've, we have some other partner incentives, uh, that we, we've created that, that's going to help out there. We've, we put this all, so we've recently gone live with our partner portal. Um, it's a consolidated experience for our partners where they can access our, our sales tools, and we really view our partners as an extension of our sales and technical teams. And so we've extended all of our, our training material that we use internally, we've made it available to our partners through our partner portal. Um, we've, um, I'm trying, I'm thinking now back what else is in that partner portal here. We've got our partner certification information, so all the content that's delivered during that training can be found in the portal. We've got deal registration, uh, um, co-branded marketing materials, pipeline management, and so, um, this, this portal gives our partners a one-stop place to, to go to find all that information. Um, and then just really quickly on the second part of that that I mentioned is our technology really is, um, really disruptive to the market. So, you know, like you said, autonomous pen testing, it's, um, it's still, it's, well, it's still, still relatively new topic, uh, for security practitioners, and, um, it's proven to be really disruptive. So, um, that on top of, um, just, well, recently we found an article that, um, that mentioned by MarketsandMarkets that reports that the global pen testing market's really expanding, and so it's expected to grow to like 2.7 billion, um, by 2027.
So the market's there, right? The market's expanding, it's growing, and so for our partners it's just really allows them to grow their revenue, um, across their customer base, expand their customer base, and offering this high profit margin while, you know, getting in early to market on this just disruptive technology. >> Big market, a lot of opportunities to make some money. People love to put more margin on, on those deals, especially when you can bring a great solution that everyone knows is hard to do. So I think that's going to provide a lot of value. Is there, is there a type of partner that you guys see emerging or you aligning with? You mentioned the alignment with the partners. I can see how that, the training and the incentives are all there. Sounds like it's all going well. Is there a type of partner that's resonating the most, or is there categories of partners that can take advantage of this? >> Yeah, absolutely. So we work with all different kinds of partners. We work with our traditional resale partners, um, we've worked, we're working with systems integrators, we have a really strong MSP, MSSP program, um, we've got consulting partners, and the consulting partners, especially with the ones that offer pen test services, so we, they use us as a, as, we act as a force multiplier, just really offering them profit margin expansion, um, opportunity there. We've got some technology partner, partners that we really work with for co-sell opportunities, and then we've got our cloud partners. Um, you'd mentioned that earlier, and so we are in AWS Marketplace, so our CPPO partners, we're part of the ISV Accelerate program, um, so we, we're doing a lot there with our cloud partners. And, um, of course we, uh, we go to market with, uh, distribution partners as well. >> Gotta love the opportunity for more margin expansion. Every kind of partner wants to put more gross profit on their deals. Is there a certification involved? I have to ask, is there, like, do you get, do people get certified or is it just you get trained? Is it self-paced
training? Is it in person? How are you guys doing the whole training certification thing? Because is that, is that a requirement? >> Yeah, absolutely. So we do offer a certification program and, um, it's been very popular. This includes a, a seller's portion and an operator portion, and, and so, um, this is at no cost to our partners, and, um, we operate both virtually, it's, it's law, it's virtually but live, it's not self-paced, and we also have in person, um, you know, sessions as well. And we also can customize these to any partners that have a large group of people, and we can just, we can do one in person or virtual just specifically for that partner. >> Well, any kind of incentive opportunities and marketing opportunities? Everyone loves to get the, uh, get the deals just kind of rolling in, leads. From what we can see, if our early reporting, this looks like a hot product, price-wise, service-level-wise. What incentive do you guys thinking about and, and joint marketing? You mentioned co-sell earlier and pipeline, so I was kind of, kind of honing in on that piece. >> Sure, and yes. And then to follow along with our partner certification program, we do incentivize our partners there. If they have a certain number certified, their discount increases, so that's part of it. We have our deal registration program that increases discount as well. Um, and then we do have some, um, some partner incentives that are wrapped around meeting setting and, um, moving, moving opportunities along to, uh, proof of value. >> Gotta love the education driving value. I have to ask you, so you've been around the industry, you've seen the channel relationships out there, you're seeing companies old school, new school. You know, uh, Horizon3.ai is kind of like that new school, very cloud specific, a lot of leverage with, we mentioned AWS and all the clouds. Um, why is the company so hot right now? Why did you join them, and what's, why are people attracted to this company? What's the, what's the attraction? What's the vibe? What do you, what do you see and what, what do you use,
what did you see in, in this company? >> Well, this is just, you know, like I said, it's very disruptive. Um, it's really in high demand right now, and, um, and, and just because, because it's new to market and, uh, a newer technology. So we are, we can collaborate with a manual pen tester, um, we can, you know, we can allow our customers to run their pen test, um, with, with no specialty teams, and, um, and, and then so we, and like, you know, like I said, we can allow our partners can actually build businesses, profitable businesses, so we can, they can use our product to increase their services revenue and, um, and build their business model, you know, around, around our services. >> What's interesting about the pen test thing is that it's very expensive and time consuming. The people who do them are very talented people that could be working on really bigger things in the, in... >> Absolutely. >> ...customers. So bringing this into the channel allows them, if you look at the price delta between a pen test and then what you guys are offering, I mean, that's a huge margin gap between street price of, say, today's pen test and what you guys offer. When you show people that, they follow, do they say too good to be true? I mean, what are some of the things that people say when you kind of show them that? Are they like, scratch their head, like, come on, what's the, what's the catch here? >> Right, so the cost savings is a huge, is huge for us. Um, and then also, you know, like I said, working as a force multiplier with a pen testing company that offers the services, and so they can, they can do their, their annual manual pen tests that may be required around compliance regulations, and then we can, we can act as the continuous verification of their security, um, um, you know, that, that they can run, um, weekly. And so it's just, um, you know, it's just an addition to, to what they're offering already and an expansion. >> So Jennifer, thanks for coming on theCUBE. Really appreciate you, uh, coming on, sharing the insights on the channel. Uh, what's next? What can we expect from the
channel group? What are you thinking? What's going on? >> Right, so we're really looking to expand our, our channel, um, footprint, and, um, very strategically, uh, we've got, um, we've got some big plans, um, for, for Horizon3.ai. >> Awesome. Well, thanks for coming on, really appreciate it. You're watching theCUBE, the leader in high tech enterprise coverage. [Music] [Music] >> Hello and welcome to theCUBE's special presentation with Horizon3.ai, with Raina Richter, vice president of EMEA, Europe, Middle East and Africa, and Asia Pacific, APAC, for Horizon 3 today. Welcome to this special CUBE presentation. Thanks for joining us. >> Thank you for the invitation. >> So Horizon3.ai driving global expansion, big international news with a partner-first approach. You guys are expanding internationally. Let's get into it. You guys are driving this new expanse partner program to new heights. Tell us about it. What are you seeing in the momentum? Why the expansion? What's all the news about? >> Well, I would say, uh, yeah, in, in international we have, I would say, a similar, similar situation like in the US. Um, there is a global shortage of well-educated penetration testers on the one hand side. On the other side, um, we have a rising demand of, uh, network and infrastructure security, and with our approach of an, uh, autonomous penetration testing, I, I believe we are totally on top of the game, um, especially as we have also now, uh, starting with an international instance. That means, for example, if a customer in Europe is using, uh, our service NodeZero, he will be connected to a NodeZero instance which is located inside the European Union, and therefore he has, doesn't have to worry about the conflict between the European, the GDPR regulations versus the US CLOUD Act. And I would say there we have a total good package for our partners that they can provide differentiators to their customers. >> You know, we've had great conversations here on theCUBE with the CEO and the founder of the company around the leverage of the cloud and how successful that's
been for the company, and honestly I can just connect the dots here, but I'd like you to weigh in more on how that translates into the go-to-market here, because you got great cloud scale with, with the security product. You guys are having success with great leverage there, I've seen a lot of success there. What's the momentum on the channel partner program internationally? Why is it so important to you? Is it just the regional segmentation? Is it the economics? Why the momentum? >> Well, there are, it's, there are multiple issues. First of all, there is a rising demand in penetration testing, um, and don't forget that, uh, in international we have a much higher level in number, a number or percentage in SMB and mid-market customers. So these customers, typically most of them even didn't have a pen test done once a year, so for them pen testing was just too expensive. Now with our offering, together with our partners, we can provide different, uh, ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with, with a traditional manual pen test. So, and that is because we have our, uh, Consulting Plus package, which is for typically pen testers. They can go out and can do a much faster, much quicker, and their pen test at many customers once in after each other, so they can do more pen tests on a lower, more attractive price. On the other side, there are others, what even the same ones, who are providing, um, NodeZero as an MSSP service. So they can go after SMB customers saying, okay, well, you only have a couple of hundred, uh, IP addresses, no worries, we have the perfect package for you. And then you have, let's say, the mid-market, let's say the thousands and more employees, then they might even have an annual subscription, very traditional. But for all of them it's all the same: the customer or the service provider doesn't need a piece of hardware, they only need to install a small piece of a Docker container and that's it. And that makes it so, so smooth to
go in and say, "Okay, Mr. Customer, we just put in this virtual attacker into your network," and that's it, and all the rest is done. And within three clicks they can act like a pen tester with 20 years of experience. >> And that's going to be very channel friendly and partner friendly, I can almost imagine. So I have to ask you, and thank you for calling out that breakdown and segmentation, that was good, that was very helpful for me to understand, but I want to follow up, if you don't mind. What type of partners are you seeing the most traction with, and why? >> Well, I would say at the beginning typically you have the innovators, the early adopters, typically boutique size of partners. They start because they are always looking for innovation, and those are the ones who start in the beginning. So we have a wide range of partners having mostly even managed by the owner of the company, so they immediately understand, okay, there is the value, and they can change their offering. They're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones. Or we have those ones who offer pen test services but they did not have their own pen testers, so they had to go out on the open market and source pen testing experts to get the pen test at a particular customer done. And now with NodeZero they're totally independent. They can go out and say, "Okay, Mr. Customer, here's the service, that's it, we turn it on, and within an hour you're up and running." >> Totally, yeah. And those pen tests are usually expensive and hard to do. Now it's right in line with the sales delivery. Pretty interesting for a partner. >> Absolutely. But on the other hand, we are not killing the pen testers' business. We do something, we're providing with NodeZero, I would call something like the foundation work, the foundational work of having an ongoing penetration testing of the infrastructure, the operating
system. And the pen testers by themselves, they can concentrate in the future on things like application pen testing, for example, so those services which we're not touching. So we're not killing the pen tester market, we're just taking away the ongoing, let's say, foundation work, call it that way. >> Yeah, yeah. That was one of my questions I was going to ask: there's a lot of interest in this autonomous pen testing, one, because it's expensive to do, because those skills that are required are in need and they're expensive. So you kind of cover the entry level and the blockers that are in there. I've seen people say to me, this pen test becomes a blocker for getting things done. So there's been a lot of interest in the autonomous pen testing and for organizations to have that posture. And it's an overseas issue too, because now you have that ongoing thing. So can you explain that particular benefit for an organization to have that continuously verifying an organization's posture? >> Yep, certainly. So I would say typically you have to do your patches, you have to bring in new versions of operating systems, of different services, of operating systems of some components, and they are always bringing new vulnerabilities. The difference here is that with NodeZero we are telling the customer or the partner package, we're telling them which are the executable vulnerabilities. Because previously they might have had a vulnerability scanner, so this vulnerability scanner brought up hundreds or even thousands of CVEs but didn't say anything about which of them are vulnerable, really executable. And then you need an expert digging in one CVE after the other, finding out, is it really executable, yes or no? And that is where you need highly paid experts, which we have a shortage. So with NodeZero now we can say, okay, we tell you exactly which ones are the ones you should work on, because those are the ones which are executable. We rank them accordingly to the risk level, how
easily they can be used and by a sudden. And then the good thing is, convert it or in difference to the traditional penetration test, they don't have to wait for a year for the next pen test to find out if the fixing was effective. They run just the next scan and say, "Yes, closed, vulnerability is gone." >> The time is really valuable, and if you're doing any DevOps, cloud native, you're always pushing new things, so ongoing pen testing is actually a benefit just in general as a kind of hygiene. So really, really interesting solution. Really bring that global scale is going to be a new coverage area for us, for sure. I have to ask you, if you don't mind answering, what particular region are you focused on or plan to target for this next phase of growth? >> Well, at this moment we are concentrating on the countries inside the European Union plus the United Kingdom. But we are, and of course logically, I'm based in the Frankfurt area, that means we cover more or less the countries just around, so it's like the total DACH region, Germany, Switzerland, Austria, plus the Netherlands. But we also already have partners in the Nordics, like in Finland or in Sweden. So it's rapidly, we have partners already in the UK, and it's rapidly growing. So for example, we are now starting with some activities in Singapore and also in the Middle East area. Very important, depending on, let's say, the way how to do business, currently we try to concentrate on those countries where we can have, let's say, at least English as an accepted business language. >> Great. Is there any particular region you're having the most success with right now? It sounds like European Union's kind of first wave. What's them? >> Yes, that's the first, definitely that's the first wave. And now we're also getting the European instance up and running. It's clearly our commitment also to the market, saying, okay, we know there are certain dedicated requirements and we take care of this,
and we're just launching it. We're building up this one, the instance, in the AWS service center here in Frankfurt, also with some dedicated hardware internet in a data center in Frankfurt, where we have with the DE-CIX, by the way, the highest internet interconnection bandwidth on the planet, so we have very short latency to wherever you are on the globe. >> That's a great call-out benefit too. I was going to ask that. What are some of the benefits your partners are seeing in EMEA and Asia Pacific? >> Well, I would say the benefits for them, it's clearly they can talk with customers and can offer customers penetration testing which they before even didn't think about, because penetration testing in a traditional way was simply too expensive for them, too complex, the preparation time was too long, they didn't even have the capacity to support an external pen tester. Now with this service you can go in and say, "Even if, Mr. Customer, we can do a test with you in a couple of minutes. We have installed the Docker container, within 10 minutes we have the pen test started, that's it, and then we just wait." And I would say we are seeing so many aha moments now, because on the partner side, when they see NodeZero the first time working, it's like, "Wow, that is great." And then they work out to customers and show it to their, typically at the beginning, mostly the friendly customers, like, "Wow, that's great, I need that." And I would say the feedback from the partners is, "That is a service where I do not have to evangelize the customer. Everybody understands penetration testing, I don't have to describe what it is." The customer understanding immediately, "Yes, penetration testing, good about that, I know I should do it, but too complex, too expensive." Now, with the name is, for example, as an MSSP service provided from one of our partners, but it's
getting easy. >> Yeah, it's great, and it's great benefit there. I mean, I gotta say I'm a huge fan of what you guys are doing. I like this continuous automation. That's a major benefit to anyone doing DevOps or any kind of modern application development. This is just a godsend for them, this is really good. And like you said, the pen testers that are doing it, they were kind of coming down from their expertise to kind of do things that should have been automated. They get to focus on the bigger ticket items. That's a really big point. >> So we free them, we free the pen testers for the higher level elements of the penetration testing segment, and that is typically the application testing, which is currently far away from being automated. >> Yeah, and that's where the most critical workloads are, and I think this is the nice balance. Congratulations on the international expansion of the program, and thanks for coming on this special presentation. I really appreciate it, thank you. >> You're welcome. >> Okay, this is theCUBE special presentation. You know, check out pen test automation, international expansion, Horizon3.ai, really innovative solution. In our next segment, Chris Hill, sector head for strategic accounts, will discuss the power of Horizon3.ai and Splunk in action. You're watching theCUBE, the leader in high tech enterprise coverage. [Music] >> Welcome back, everyone, to theCUBE and Horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We're with Chris Hill, sector head for strategic accounts and federal at Horizon3.ai, a great innovative company. Chris, great to see you, thanks for coming on theCUBE. >> Yeah, like I said, you know, great to meet you, John. Long time listener, first time caller, so excited to be here with you guys. >> Yeah, we were talking before camera, you had Splunk back in 2013, and I think 2012 was our first Splunk .conf, and boy, man, you know, talk about being in the right place at the right time. Now we're at another inflection point, and Splunk continues to be
relevant, and continuing to have that data driving security in that interplay, and your CEO, former CTO of Splunk as well, at Horizon, who's been on before. Really innovative product you guys have. But you know, yeah, "Don't wait for a breach to find out if you're logging the right data," this is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. Tell us, what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand NodeZero out internationally? >> Yeah, well, so across, so you know, my role within Splunk, it was working with our most strategic accounts. And so I looked back to 2013 and I think about the sales process, like working with our small customers, you know, it was still very siloed back then. Like, I was selling to an IT team that was either using this for IT operations, we generally would always even say, "Yeah, although we do security, we weren't really designed for it, we're a log management tool." And I'm sure you remember back then, John, we were like sort of stepping into the security space, and the public sector domain that I was in, you know, security was 70% of what we did. When I look back to sort of the transformation that I was witnessing in that digital transformation, you know, when I look at like 2019 to today, you look at how the IT team and the security teams have been forced to break down those barriers that they used to sort of be siloed away, would not communicate, you know, the security guys would be like, "Oh, this is my box, IT, you're not allowed in." Today you can't get away with that. And I think that the value that we bring to, you know, and of course Splunk has been a huge leader in that space and continues to do innovation across the board, but I think what we're seeing in the space, and I was talking with Patrick Coughlin, the SVP of security markets, about this, is that, you know, what we've
been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data. So Splunk itself is, you know, it's an ingest engine, right? The great reason people bought it was you could build these really fast dashboards and grab intelligence out of it, but without data it doesn't do anything, right? So how do you drive and how do you bring more data in, and most importantly from a customer perspective, how do you bring the right data in? And so if you think about what NodeZero and what we're doing at Horizon3 is that, sure, we do pen testing, but because we're an autonomous pen testing tool, we do it continuously. So this whole thought, I'd be like, "Oh crud," like my customers, "Oh yeah, we got a pen test coming up, it's gonna be six weeks," the week, "Oh yeah," you know, and everyone's gonna sit on their hands, "Call me back in two months, Chris, we'll talk to you then," right? Not a real efficient way to test your environment. And shoot, we saw that with Uber this week, right? You know, and that's a case where we could have helped. >> Oh, just, right, we could explain the Uber thing, because it was a contractor. Just give a quick highlight of what happened so you can connect the dots. >> Yeah, no problem. So it was, I think it was, yeah, one of those, you know, games where they would try and test an environment, and what the pen tester did was he kept on calling them, MFA guys, being like, "I need to reset my password, we need to set my right password," and eventually the customer service guy said, "Okay, I'm resetting it." Once he had reset and bypassed the multi-factor authentication, he then was able to get in and get access to the building area that he was in, or I think not the domain, but he was able to gain access to a partial part of that network. He then paralleled over to what I would assume is like a VMware or some virtual machine that had notes that had all of the credentials for logging into various domains, and so within minutes they had access. And that's the
sort of stuff that we do. You know, a lot of these tools, like, you know, you think about the cacophony of tools that are out there in a ZTA architecture, right? I'm gonna get like a Zscaler, or I'm going to have Okta, and I have a Splunk, I've been into the solar system, I mean, I don't mean to name names, we have CrowdStrike or SentinelOne in there. It's just a cacophony of things that don't work together, they weren't designed to work together. And so we have seen so many times in our business, through our customer support and just working with customers when we do their pen tests, that there will be 5,000 servers out there, three are misconfigured. Those three misconfigurations will create the open door, because remember, the hacker only needs to be right once, the defender needs to be right all the time, and that's the challenge. And so that's what I'm really passionate about what we're doing here at Horizon3. I see this, my digital transformation, migration and security going on, which we're at the tip of the spear. It's why I joined Snehal, coming on this journey, and just super excited about where the path's going and super excited about the relationship with Splunk. I get into more details on some of the specifics of that, but, you know... >> Well, you're nailing it. I mean, we've been doing a lot of things on supercloud and this next-gen environment, we're calling it next-gen. You're really seeing DevOps, obviously DevSecOps has already won, the IT role has moved to the developer, shift left is an indicator of that, it's one of the many examples, higher velocity code, software supply chain, you hear these things. That means that IT is now in the developer hands, it is replaced by the new ops, data ops teams and security, where there's a lot of horizontal thinking. To your point about access, there's no more perimeter. Huge. 100%, right, is really right on things one time, you know, to get in there. Once you're in, then you can hang out, move around, move laterally. Big problem. Okay, so we
get that. Now the challenges for these teams as they are transitioning organizationally, how do they figure out what to do? Okay, this is the next step. They already have Splunk, so now they're kind of in transition while protecting for a hundred percent ratio of success. So how would you look at that and describe the challenge? What do they do? What are the teams facing with their data, and what's next? What action do they take? >> So let's use some vernacular that folks will know. So if I think about DevSecOps, right, we both know what that means, that I'm going to build security into the app. It normally talks about SecDevOps, right, how am I building security around the perimeter of what's going inside my ecosystem and what are they doing. And so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from soup to nuts, right? So I'm going to test the endpoints through to its, I'm going to look for misconfigurations, I'm going to look for exposed credentials, you know, I'm going to look for anything I can in the environment. Again, I'm going to do it at light speed. And what we're doing for that SecDevOps space is to, you know, did you detect that we were in your environment? So did we alert Splunk or the SIEM that there's someone in the environment laterally moving around? More importantly, did they log us into their environment, and when do they detect that log, to trigger that log, did they alert on us? And then finally, most importantly for every CSO out there, is going to be, did they stop us? And so that's how we do this. And I think when speaking with Snehal before, you know, we've come up with this, boils, but we call it find, fix, verify. So what we do is we go in, is we act as the attacker, right? We act in a production environment, so we're not going to be, we're a passive attacker, but we will go in on credentialed, on agents, but we have to assume
to have an assumed breach model, which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment. So we're going to go out and do an asset survey. Now that's something that's not something that Splunk does super well, you know. So can Splunk see all the assets? Do the same assets marry up? We're going to log all that data and then load that into the Splunk SIEM or the Splunk logging tools just to have it in enterprise, right? That's an immediate feature add that they've got. And then we've got the fix. So once we've completed our pen test, we are then going to generate a report, and we can talk about these a little bit later, but the reports will show an executive summary, the assets that we found, which would be your asset discovery aspect of that, a fix report, and the fix report I think is probably the most important one. It will go down and identify what we did, how we did it, and then how to fix that. And then from that, the pen tester or the organization should fix those, then they go back and run another test, and then they validate, like a change detection environment, to see, hey, did those fixes take place? And you know, Snehal, when he was the CTO of JSOC, he shared with me a number of times about, it's like, "Man, there would be 15 more items on next week's punch sheet that we didn't know about." And it has to do with how they were prioritizing the CVEs and whatnot, because they would take all CVEs, it was critical or non-critical. And it's like, we are able to create context in that environment that feeds better information into Splunk and whatnot. >> That brings up the efficiency for Splunk specifically, the teams out there. By the way, the burnout thing is real. I mean, this whole "I just finished my list and I got 15 more," or whatever, the list just keeps growing. How did NodeZero specifically help Splunk teams be more efficient? Like, that's the question I want to get at,
because this seems like a very scale way for Splunk customers and teams, service teams, to be more, so the question is, how does NodeZero help make Splunk, specifically their service teams, be more efficient? >> So today in our early interactions, we're building customers, we've seen are five things. And I'll start with sort of identifying the blind spots, right? So kind of what I just talked about with you: did we detect, did we log, did we alert, did they stop NodeZero, right? And so I would put that, you know, a more layman's third grade term, and if I was going to beat a fifth grader at this game, would be, we can be the sparring partner for a Splunk Enterprise customer, a Splunk Essentials customer, someone using Splunk SOAR, or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know, where am I exposed? So by creating and generating these reports, and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in. And then where that then comes in is number two, is how do we prioritize those logs, right? So how do we create visibility to logs that have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact, regard, and also not all are low, right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission critical AP, CPE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it, that would be very bad. And then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at, and they'll literate themselves, they don't do asset discovery. So dude, what assets do we see and what are they logging from that? And then for every event that they are able to identify, one of the cool things that we can do is actually create this low code, no code environment, so they could let, you know, Splunk customers
can use Splunk SOAR to actually triage events and prioritize that event, so where they're being routed within it, to optimize the SOC team time to market or time to triage any given event, obviously reducing MTR. And then finally, I think one of the neatest things that we'll be seeing us develop is our ability to build glass tables. So behind me you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to the community. We're going to have the ability in the not too distant future to allow people to search, observe on those IOCs, and if people aren't familiar with it, IOC, it's an instant of a compromise, so that's a vector that we want to drill into. And of course, who's better at drilling in the data than Splunk? >> Yeah, this is a critter, this is an awesome synergy there. I mean, I can see a Splunk customer going, "Man, this just gives me so much more capability, actionability, and also real understanding." And I think this is what I want to dig into, if you don't mind, understanding that critical impact, okay, is kind of where I see this coming. Got the data, data ingest, now data's data, but the question is what not to log, you know, where are things misconfigured. These are critical questions. So can you talk about what it means to understand critical impact? >> Yeah, so I think, you know, going back to the things that I just spoke about, a lot of those CVEs where you'll see low, low, low, and then you daisy chain together and they're suddenly like, "Oh, this is high now." But then your other impact of, like, if you're a Splunk customer, you know, and I had several of them, I had one customer that, you know, terabytes of McAfee data being brought in, and it was like, all right, there's a lot of other data that you probably also want to bring, but they could only afford, wanted to do certain data sets, because that's, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say,
"Hey, these are the critical ones to bring in, but there's also the ones that you don't necessarily need to bring in, because low CVE in this case really does mean low CVE." Like an iLO server would be one, that's the print server, where your admin credentials are on, like, a printer, and so there will be credentials on that. That's something that a hacker might go in to look at. So although the CVE on it is low, if you daisy chain with somebody that's able to get into that, you might say, "Ah, that's high," and we would then potentially rank it, giving our AI logic, to say that's a moderate. So put it on the scale, and we prioritize those, versus all of these scanners just going to give you a bunch of CVEs and good luck. >> And translating that, if I can, and tell me if I'm wrong, that kind of speaks to that whole lateral movement, that's it, challenge, right? Print server, a great example, looks stupid, low end, who's going to want to deal with the print server? Oh, but it's connected into a critical system, there's a path. Is that kind of what you're getting at? >> Yeah, I use daisy chain, I think that's from the community they came from, but it's just a lateral movement, it's exactly what they're doing in those low level, low critical lateral movements, is where the hackers are getting in, right? So that's the beauty thing about the Uber example, is that who would have thought, you know, I've got my multi-factor authentication going, in a human made a mistake. We can't not expect humans to make mistakes, we're fallible, right? The reality is, once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials, that would have stopped the breach, and they had not done that in their environment. And I'm not poking... >> Yeah, but it's an interesting trend though. I mean, it's obvious, sometimes those low end items are also not protected well, so it's easy to get at from a hacker standpoint,
but also the people in charge of them can be phished easily or spear-phished, because they're not paying attention, because they don't have to. No one ever told them, "Hey, be careful." >> Yeah, for the community that I came from, John, that's exactly how they would meet you at an international event, introduce themselves as a graduate student, these are national actor states, "Would you mind reviewing my thesis on such and such?" And I was at Adobe at the time that I was working on this. Instead of having to get the PDF, they opened the PDF, and whoever that customer was launches, and I don't know if you remember back in like 2008 time frame, there was a lot of issues around IP being, by a nation state, being stolen from the United States, and that's exactly how they did it. And John, that's... >> Or LinkedIn, "Hey, I want to get a joke, we want to hire you, double the salary." "Oh, I'm gonna click on that for sure," you know. >> Yeah, right, exactly. Yeah, the one thing I would say to you is, like, when we look at like sort of, you know, because I think we did 10,000 pen tests last year, it's probably over that now, you know, we have these sort of top 10 ways that we think and find people coming into the environment. The funniest thing is that only one of them is a CVE related vulnerability, like, you know, you guys know what they are, right? So it's like two percent of the attacks are occurring through the CVEs, but yeah, there's all that attention spent to that and very little attention spent to this pen testing side, which is sort of this continuous threat, you know, monitoring space and this vulnerability space, where I think we play such an important role, and I'm so excited to be a part of the tip of the spear on this one. >> Yeah, I'm old enough to know the movie Sneakers, which I loved as a, you know, watching that movie, you know, professional hackers are testing, testing, always testing the environment. I love this. I got to ask you, as we kind of wrap up here, Chris, if you don't mind, the
benefits to professional services from this alliance. Big news, Splunk and you guys work well together, we see that clearly. What other benefits do professional services teams see from the Splunk and Horizon3.ai alliance? >> So I think from both of our partners, as we bring these guys together, and many of them already are the same partner, right, is that first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the number of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in, and we'll license as to MSPs and what that business model on MSPs looks like. But the unique thing that we do here is this C plus license. And so the Consulting Plus license allows, like, somebody, a small to mid-sized to some very large, you know, Fortune 100 consulting firms use this, by buying into a license called Consulting Plus, where they can have unlimited access to as many IPs as they want, but you can only run one test at a time. And as you can imagine, when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. But for the right customer, it's a perfect tool. And so I'm so excited about our ability to go to market with our partners, so that we understand ourselves, understand how not to just sell to, or not tell just to sell through, but we know how to sell with them as a good vendor partner. I think that that's one thing that we've done a really good job building, bring it into the market. >> Yeah, I think also the Splunk has had great success how they've enabled partners and professional services, absolutely. You know, the services that layer on top of Splunk are multi-fold, tons of great benefits. So you guys vector right into that, ride that way with friction. >> And the cool thing is that in, you know, in one of our reports, which could be
totally customized with someone else's logo, we're going to generate, you know, so I used to work in another organization, it wasn't Splunk, but we did, you know, pen testing for customers, and my pen testers would come on site, they'd do the engagement, and they would leave. And then another release, someone would be, "Oh shoot, we got another sector that was breached," and they'd call you back, you know, four weeks later. And so by August our entire pen testing teams would be sold out, and it would be like, "Well, even in March maybe," and they're like, "No, no, I got a breach now." And then when they do go in, they go through, do the pen test, and they hand over a PDF and they pat on the back and say, "There's where your problems are, you need to fix it." And the reality is that what we're going to generate completely autonomously, with no human interaction, is we're going to go and find all the permutations of anything we found and the fix for those permutations. And then once you've fixed everything, you just go back and run another pen test. It's, you know, for what people pay for one pen test, they can have a tool that does that every patch on Tuesday, and that's on Wednesday, you know, triage throughout the week. >> Green, yellow, red. I wanted to see the colors, show me green, green is good, right, not red. And one CIO doesn't want, who doesn't want that dashboard, right? >> It's exactly it. And we can help bring, I think that, you know, I'm really excited about helping drive this with the Splunk team, because they get that, they understand that it's the green, yellow, red dashboard, and how do we help them find more green, so that the other guys are in red. >> Yeah, and get in the data and do the right thing and be efficient with how you use the data, know what to look at, so many things to pay attention to, you know, the combination of both, and then go-to-market strategy, real brilliant. Congratulations, Chris, thanks for coming on and sharing this news with the detail around the Splunk in
action around the alliance. Thanks for sharing. >> John, my pleasure, thanks, look forward to seeing you soon. >> All right, great, we'll follow up and do another segment on DevOps and IT and security teams as the new new ops, but, and supercloud, a bunch of other stuff. So thanks for coming on. And our next segment, the CEO of Horizon3.ai will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage. [Music] >> Yeah, the partner program for us has been fantastic. You know, I think prior to that, you know, as most organizations, most farmers, most MSSPs might not necessarily have a bench at all for penetration testing. Maybe they subcontract this work out or maybe they do it themselves, but trying to staff that kind of position can be incredibly difficult. For us, this was a differentiator, a new partnership that allowed us to not only perform services for our customers but be able to provide a product by which that they can do it themselves. So we work with our customers in a variety of ways. Some of them want more routine testing and perform this themselves, but we're also a certified service provider of Horizon3, being able to perform penetration tests, help review the data, provide color, provide analysis for our customers in a broader sense, right, not necessarily the black and white elements of, you know, what's critical, what's high, what's medium, what's low, what you need to fix, but are there systemic issues. This has allowed us to onboard new customers, this has allowed us to migrate some penetration testing services to us from competitors in the marketplace. But ultimately this is occurring because the product and the outcome are special, they're unique and they're effective. Our customers like what they're seeing, they like the routineness of it. Many of them, you know, again, like doing this themselves, you know, being able to kind of pen test themselves, parts of their
networks, and the new use cases, right? I'm a large organization, I have eight to ten acquisitions per year. Wouldn't it be great to have a tool to be able to perform a penetration test, both internal and external, of that acquisition before we integrate the two companies and maybe bringing on some risk? It's a very effective partnership, one that really has kind of taken our engineers, our account executives by storm. You know, this is a partnership that's been very valuable to us. [Music]

>> A key part of the value and business model at Horizon 3 is enabling partners to leverage NodeZero to make more revenue for themselves. Our goal is that for sixty percent of our revenue this year will be originated by partners, and that 95 percent of our revenue next year will be originated by partners. And so a key to that strategy is making us an integral part of your business models as a partner. A key quote from one of our partners is that we enable every one of their business units to generate revenue. So let's talk about that in a little bit more detail.

First is that if you have a pen test consulting business, take Deloitte as an example, what was six weeks of human labor at Deloitte per pen test has been cut down to four days of labor, using NodeZero to conduct reconnaissance, find all the juicy, interesting areas of the enterprise that are exploitable, and being able to go assess the entire organization. And then all of those details get served up to the human to be able to look at, understand, and determine where to probe deeper. So what you see in that pen test consulting business is that NodeZero becomes a force multiplier, where those consulting teams were able to cover way more accounts, and way more IPs within those accounts, with the same or fewer consultants. And so that directly leads to profit margin expansion for the pen testing business itself, because NodeZero is a force multiplier.

The second business model here is if you're an MSSP. As an MSSP, you're already making
money providing defensive cyber security operations for a large volume of customers. And so what they do is they'll license NodeZero and use us as an upsell to their MSSP business, to start to deliver either continuous red teaming, continuous verification, or purple teaming as a service. And so in that particular business model, they've got an additional line of revenue where they can increase the spend of their existing customers by bolting on NodeZero as a purple team as a service offering.

The third business model or customer type is if you're an IT services provider. So as an IT services provider, you make money installing and configuring security products like Splunk or CrowdStrike or Humio. You also make money reselling those products, and you also make money generating follow-on services to continue to harden your customer environments. And so what those IT service providers will do is use us to verify that they've installed Splunk correctly, and prove to their customer that Splunk was installed correctly, or CrowdStrike was installed correctly, using our results, and then use our results to drive follow-on services and revenue.

And then finally, we've got the value-added reseller, which is just a straight up reseller. Because of how fast our sales cycles are, these VARs are able to typically go from cold email to deal close in six to eight weeks. At Horizon 3, at least, a single sales engineer is able to run 30 to 50 POCs concurrently, because our POCs are very lightweight and don't require any on-prem customization or heavy pre-sales, post-sales activity. So as a result, we're able to have a few amount of sellers driving a lot of revenue and volume for us. Well, the same thing applies to VARs. There isn't a lot of effort to sell the product or prove its value, so VARs are able to sell a lot more Horizon 3 NodeZero product without having to build up a huge specialist sales organization.

So what I'm going to do is talk through scenario three here, as an IT service provider,
and just how powerful NodeZero can be in driving additional revenue. So in here, think of, for every one dollar of NodeZero license purchased by the IT service provider to do their business, it'll generate ten dollars of additional revenue for that partner. So in this example, kidney group uses NodeZero to verify that they have installed and deployed Splunk correctly. So Kitty group is a Splunk partner. They sell IT services to install, configure, deploy and maintain Splunk, and as they deploy Splunk, they're going to use NodeZero to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment. So it's a way of doing QA, or verifying that Splunk has been configured correctly, and that's going to be internally used by kidney group to prove the quality of their services that they've just delivered.

Then what they're going to do is they're going to show and leave behind that NodeZero report with their client, and that creates a resell opportunity for kidney group to resell NodeZero to their client, because their client is seeing the reports and the results and saying, "Wow, this is pretty amazing." And those reports can be co-branded, where it's a pen testing report branded with kidney group but it says "powered by Horizon 3" under it.

From there, kidney group is able to take the fix actions report that's automatically generated with every pen test through NodeZero, and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that NodeZero identified: fixing l11r misconfigurations, fixing or patching VMware, or updating credentials policies, and so on. So what happens is NodeZero has found a bunch of problems the client often lacks the capacity to fix, and so kidney group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services.

And finally, based on the findings from NodeZero, kidney group can look at that report
and say to the customer, "You know, customer, if you bought CrowdStrike, you'd be able to prevent NodeZero from attacking and succeeding in the way that it did, or if you bought Humio, or if you bought Palo Alto Networks, or if you bought some privileged access management solution, because of what NodeZero was able to do with credential harvesting and attacks." And so as a result, kidney group is able to resell other security products within their portfolio, CrowdStrike Falcon, Humio, Palo Alto Networks, Demisto, Phantom and so on, based on the gaps that were identified by NodeZero and that pen test. And what that creates is another feedback loop, where kidney group will then go use NodeZero to verify that CrowdStrike product has actually been installed and configured correctly. And then this becomes the cycle of using NodeZero to verify a deployment, using that verification to drive a bunch of follow-on services and resell opportunities, which then further drives more usage of the product.

Now, the way that we license is that it's a usage-based licensing model, so that the partner will grow their NodeZero Consulting Plus license as they grow their business. So for example, if you're a kidney group, then week one you're going to use NodeZero to verify your Splunk install. In week two, if you have a pen testing business, you're going to go off and use NodeZero to be a force multiplier for your pen testing client opportunity. And then if you have an MSSP business, then in week three you're going to use NodeZero to go execute a purple team MSSP offering for your clients. So not necessarily a kidney group, but if you're a Deloitte or ATT, these larger companies, and you've got multiple lines of business, if you're Optiv for instance, all you have to do is buy one Consulting Plus license and you're going to be able to run as many pen tests as you want sequentially. So now you can buy a single license and use that one license to meet your week one client commitments, and then
meet your week two, and then meet your week three. And as you grow your business, you start to run multiple pen tests concurrently. So in week one, you've got to do a Splunk verify, verify Splunk install, and you've got to run a pen test, and you've got to do a purple team opportunity. You just simply expand the number of Consulting Plus licenses from one license to three licenses. And so now, as you systematically grow your business, you're able to grow your NodeZero capacity with you, giving you predictable COGS, predictable margins, and once again, 10x additional revenue opportunity for that investment in the NodeZero Consulting Plus license.

>> My name is Saint. I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your enterprise through the eyes of an attacker. The challenge I had when I was a CIO in banking, the CTO at Splunk, and serving within the Department of Defense is that I had no idea I was secure until the bad guys had showed up. Am I logging the right data? Am I fixing the right vulnerabilities? Are my security tools that I've paid millions of dollars for actually working together to defend me? And the answer is, I don't know. Does my team actually know how to respond to a breach in the middle of an incident? I don't know. I've got to wait for the bad guys to show up. And so the challenge I had was, how do we proactively verify our security posture?

I tried a variety of techniques. The first was the use of vulnerability scanners, and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable. I might have a hundred thousand findings from my scanner, of which maybe five or ten can actually be exploited in my environment. The other big problem with scanners is that they can't chain weaknesses together from machine to machine. So if you've got a thousand machines in your environment or more, what a vulnerability scanner will do is tell you you have a problem on machine one and separately a
problem on machine two, but what they can tell you is that an attacker could use a low from machine one plus a low from machine two to equal to critical in your environment. And what attackers do in their tactics is they chain together misconfigurations, dangerous product defaults, harvested credentials and exploitable vulnerabilities into attack paths across different machines.

So to address the attack paths across different machines, I tried layering in consulting-based pen testing, and the issue is, when you've got thousands of hosts or hundreds of thousands of hosts in your environment, human-based pen testing simply doesn't scale to test an infrastructure of that size. Moreover, when they actually do execute a pen test and you get the report, oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem. And so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale.

And then to mitigate that problem, I tried using breach and attack simulation tools, and the struggle with these tools is, one, I had to install credentialed agents everywhere; two, I had to write my own custom attack scripts that I didn't have much talent for, but also I had to maintain as my environment changed; and then three, these types of tools were not safe to run against production systems, which was the majority of my attack surface. So that's why we went off to start Horizon 3.
So Tony and I met when we were in Special Operations together, and the challenge we wanted to solve was, how do we do infrastructure security testing at scale by giving the power of a 20-year pen testing veteran into the hands of an IT admin, a network engineer, in just three clicks? And the whole idea is we enable these fixers, the blue team, to be able to run NodeZero, our pen testing product, to quickly find problems in their environment. That blue team will then go off and fix the issues that were found, and then they can quickly rerun the attack to verify that they fixed the problem. And the whole idea is delivering this without requiring custom scripts be developed, without requiring credential agents be installed, and without requiring the use of external third-party consulting services or professional services. Self-service pen testing to quickly drive find, fix, verify.

There are three primary use cases that our customers use us for. The first is the SOC manager that uses us to verify that their security tools are actually effective: to verify that they're logging the right data in Splunk or in their SIEM; to verify that their managed security services provider is able to quickly detect and respond to an attack, and hold them accountable for their SLAs; or that the SOC understands how to quickly detect and respond, and measuring and verifying that; or that the variety of tools that you have in your stack, most organizations have 130 plus cyber security tools, none of which are designed to work together, are actually working together.

The second primary use case is proactively hardening and verifying your systems. This is when the IT admin, that network engineer, they're able to run self-service pen tests to verify that their Cisco environment is installed and hardened and configured correctly, or that their credential policies are set up right, or that their vCenter or WebSphere or Kubernetes environments are actually designed to be secure. And what this allows the IT
admins and network engineers to do is shift from running one or two pen tests a year to 30, 40 or more pen tests a month, and you can actually wire those pen tests into your DevOps process, or into your detection engineering and the change management processes, to automatically trigger pen tests every time there's a change in your environment.

The third primary use case is for those organizations lucky enough to have their own internal red team. They'll use NodeZero to do reconnaissance and exploitation at scale, and then use the output as a starting point for the humans to step in and focus on the really hard, juicy stuff that gets them on stage at DEF CON.

And so these are the three primary use cases, and what we'll do is zoom into the find, fix, verify loop, because what I've found in my experience is find, fix, verify is the future operating model for cyber security organizations. And what I mean here is, in the find, using continuous pen testing, what you want to enable is on-demand, self-service pen tests. You want those pen tests to find attack paths at scale, spanning your on-prem infrastructure, your cloud infrastructure and your perimeter, because attackers don't only stay in one place. They will find ways to chain together a perimeter breach, a credential from your on-prem to gain access to your cloud, or some other permutation. And then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore. They know we've built vulnerability management programs to reduce those vulnerabilities, so attackers have adapted, and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults, with exploitable vulnerabilities, and through the collection of credentials, through a mix of techniques at scale.

Once you've found those problems, the next question is, what do you do about it? Well, you want to be able to prioritize fixing problems that are actually exploitable in your environment, that
truly matter, meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data. The second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to. Where is your crown jewels data? Is it in the cloud? Is it on-prem? Has it been copied to a share drive that you weren't aware of? If a domain user was compromised, could they access that crown jewels data? You want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure. And then finally, as you fix these problems, you want to quickly remediate and retest that you've actually fixed the issue. And this find, fix, verify cycle becomes that accelerator that drives purple team culture.

The third part here is verify, and what you want to be able to do in the verify step is verify that your security tools and processes and people can effectively detect and respond to a breach. You want to be able to integrate that into your detection engineering processes, so that you know you're catching the right security rules or that you've deployed the right configurations. You also want to make sure that your environment is adhering to the best practices around systems hardening and cyber resilience. And finally, you want to be able to prove your security posture over time to your board, to your leadership, and to your regulators.

So what I'll do now is zoom into each of these three steps. So when we zoom in to find, here's the first example using NodeZero and autonomous pen testing. And what an attacker will do is find a way to break through the perimeter. In this example, it's very easy to misconfigure Kubernetes to allow an attacker to gain remote code execution into your on-prem Kubernetes environment and break through the perimeter. And from there, what the attacker is going to do is conduct network reconnaissance and then find ways to gain code execution on other machines in the environment. And as they get code execution, they start to
dump credentials, collect a bunch of NTLM hashes, crack those hashes using open source and dark web available data as part of those attacks, and then reuse those credentials to log in and laterally maneuver throughout the environment. And then as they laterally maneuver, they can reuse those credentials and use credential spraying techniques and so on to compromise your business email, to log in as admin into your cloud. And this is a very common attack, and rarely is a CVE actually needed to execute this attack. Often it's just a misconfiguration in Kubernetes with a bad credential policy or password policy, combined with bad practices of credential reuse across the organization.

Here's another example of an internal pen test, and this is from an actual customer. They had 5,000 hosts within their environment. They had EDR and UBA tools installed, and they initiated an internal pen test on a single machine. From that single initial access point, NodeZero enumerated the network, conducted reconnaissance, and found five thousand hosts were accessible. What NodeZero will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the cyber terrain map, and that cyber terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment. So what NodeZero will do is they'll try to find ways to get code execution, reuse credentials, and so on. In this customer example, they had Fortinet installed as their EDR, but NodeZero was still able to get code execution on a Windows machine. From there, it was able to successfully dump credentials, including sensitive credentials from the LSASS process on the Windows box, and then reuse those credentials to log in as domain admin in the network. And once an attacker becomes domain admin, they have the keys to the kingdom. They can do anything they want.

So what happened here? Well, it turns out Fortinet was misconfigured on three out of 5,000 machines. Bad automation. The customer had
no idea this had happened. They would have had to wait for an attacker to show up to realize that it was misconfigured. The second thing is, well, why didn't Fortinet stop the credential pivot in the lateral movement? And it turned out the customer didn't buy the right modules or turn on the right services within that particular product. And we see this not only with Fortinet, but we see this with Trend Micro and all the other defensive tools, where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping.

The next story I'll tell you is, attackers don't have to hack in, they log in. So another infrastructure pen test. A typical technique attackers will take is man-in-the-middle attacks that will collect hashes. So in this case, what an attacker will do is leverage a tool or technique called Responder to collect NTLM hashes that are being passed around the network. And there's a variety of reasons why these hashes are passed around, and it's a pretty common misconfiguration. But as an attacker collects those hashes, then they start to apply techniques to crack those hashes. So they'll pass the hash, and from there they will use open source intelligence, common password structures and patterns, and other types of techniques to try to crack those hashes into clear text passwords.

So here NodeZero automatically collected hashes, it automatically passed the hashes to crack those credentials, and then from there it starts to take the domain user user ID passwords that it's collected and tries to access different services and systems in your enterprise. In this case, NodeZero is able to successfully gain access to the Office 365 email environment, because three employees didn't have MFA configured. So now what happens is NodeZero has a placement and access in the business email system, which sets up the conditions for fraud, lateral phishing, and other techniques. But what's especially insightful here is that 80 percent of the hashes that were collected in this
pen test were cracked in 15 minutes or less. 80 percent. 26 of the user accounts had a password that followed a pretty obvious pattern: first initial, last initial, and four random digits. The other thing that was interesting is 10 percent of service accounts had their user ID the same as their password. So VMware admin, VMware admin; WebSphere admin, WebSphere admin; so on and so forth. And so attackers don't have to hack in, they just log in with credentials that they've collected.

The next story here is becoming AWS admin. So in this example, once again, internal pen test. NodeZero gets initial access. It discovers 2,000 hosts are network reachable from that environment. It fingerprints and organizes all of that data into a cyber terrain map. From there, it fingerprints that HP iLO, the Integrated Lights-Out service, was running on a subset of hosts. HP iLO is a service that is often not instrumented or observed by security teams, nor is it easy to patch. As a result, attackers know this and immediately go after those types of services. So in this case, that iLO service was exploitable, and we're able to get code execution on it. iLO stores all the user IDs and passwords in clear text in a particular set of processes, so once we gain code execution, we were able to dump all of the credentials and then from there laterally maneuver to log in to the Windows box next door as admin. And then on that admin box, we're able to gain access to the share drives, and we found a credentials file saved on a share drive. From there, it turned out that credentials file was the AWS admin credentials file, giving us full admin authority to their AWS accounts. Not a single security alert was triggered in this attack, because the customer wasn't observing the iLO service, and every step thereafter was a valid login in the environment.

And so what do you do? Step one, patch the server. Step two, delete the credentials file from the share drive. And then step three is get better instrumentation on privileged access users and
login.

The final story I'll tell is a typical pattern that we see across the board, that combines the various techniques I've described together, where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company. From there, they're going to look up those employees on dark web breach databases and other forms of information, and then use that as a starting point to password spray to compromise a domain user. All it takes is one employee to reuse a breached password for their corporate email, or all it takes is a single employee to have a weak password that's easily guessable. All it takes is one. And once the attacker is able to gain domain user access, in most shops domain user is also the local admin on their laptop, and once you're local admin, you can dump SAM and get local admin NTLM hashes. You can use that to reuse credentials again, local admin on neighboring machines, and attackers will start to rinse and repeat. Then eventually they're able to get to a point where they can dump LSASS, or by unhooking the anti-virus, defeating the EDR, or finding a misconfigured EDR, as we've talked about earlier, to compromise the domain.

And what's consistent is that the fundamentals are broken at these shops. They have poor password policies. They don't have least access privilege implemented. Active Directory groups are too permissive, where domain admin or domain user is also the local admin. AV or EDR solutions are misconfigured or easily unhooked, and so on. And what we found in 10,000 pen tests is that user behavior analytics tools never caught us in that lateral movement, in part because those tools require pristine logging data in order to work, and also it becomes very difficult to find that baseline of normal usage versus abnormal usage of credential login.

Another interesting insight is there were several marquee brand name MSSPs that were defending our customers' environment, and for them it took seven hours to detect and
respond to the pen test. Seven hours. The pen test was over in less than two hours. And so what you had was an egregious violation of the service level agreements that that MSSP had in place, and the customer was able to use us to get service credit and drive accountability of their SOC and of their provider.

The third interesting thing is, in one case it took us seven minutes to become domain admin in a bank. That bank had every Gucci security tool you could buy, yet in 7 minutes and 19 seconds NodeZero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin. If it's seven minutes today, we should assume it'll be less than a minute a year or two from now, making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack.

So that's in the find. It's not just about finding problems, though. The bulk of the effort should be what to do about it, the fix and the verify. So as you find those problems, back to Kubernetes as an example, we will show you the path. Here is the kill chain we took to compromise that environment. We'll show you the impact. Here is the impact, or here's the proof of exploitation that we were able to use to be able to compromise it, and there's the actual command that we executed, so you could copy and paste that command and compromise that kubelet yourself if you want. And then the impact is we got code execution, and we'll actually show you, here is the impact, this is a critical, here's why: it enabled perimeter breach. Affected applications will tell you the specific IPs where you've got the problem, how it maps to the MITRE ATT&CK framework, and then we'll tell you exactly how to fix it. We'll also show you what this problem enabled, so you can accurately prioritize why this is important or why it's not important.

The next part is accurate prioritization. The hardest part of my job as a CIO was deciding what not
to fix. So if you take SMB signing not required as an example, by default that CVSS score is a one out of 10. But this misconfiguration is not a CVE, it's a misconfig. It enabled an attacker to gain access to 19 credentials, including one domain admin, two local admins, and access to a ton of data. Because of that context, this is really a 10 out of 10. You better fix this as soon as possible. However, of the seven occurrences that we found, it's only a critical in three out of the seven, and these are the three specific machines, and we'll tell you the exact way to fix it, and you better fix these as soon as possible. For these four machines over here, these didn't allow us to do anything of consequence. So because the hardest part is deciding what not to fix, you can justifiably choose not to fix these four issues right now and just add them to your backlog, and surge your team to fix these three as quickly as possible. And then once you fix these three, you don't have to re-run the entire pen test. You can select these three and then one-click verify, and run a very narrowly scoped pen test that is only testing this specific issue. And what that creates is a much faster cycle of finding and fixing problems.

The other part of fixing is verifying that you don't have sensitive data at risk. So once we become a domain user, we're able to use those domain user credentials and try to gain access to databases, file shares, S3 buckets, Git repos and so on, and help you understand what sensitive data you have at risk. So in this example, a green checkbox means we logged in as a valid domain user, we're able to get read-write access on the database, this is how many records we could have accessed. And we don't actually look at the values in the database, but we'll show you the schema, so you can quickly characterize that PII data was at risk here. And we'll do that for your file shares and other sources of data, so now you can accurately articulate the data you have at risk and prioritize cleaning that data up,
especially data that will lead to a fine or a big news issue.

So that's the find, that's the fix. Now we're going to talk about the verify. The key part in verify is embracing and integrating with detection engineering practices. So when you think about your layers of security tools, you've got lots of tools in place, on average 130 tools at any given customer, but these tools were not designed to work together. So when you run a pen test, what you want to do is say, did you detect us? Did you log us? Did you alert on us? Did you stop us? And from there, what you want to see is, okay, what are the techniques that are commonly used to defeat an environment, to actually compromise? If you look at the top 10 techniques we use, and there's far more than just these 10, but these are the most often executed, nine out of ten have nothing to do with CVEs. It has to do with misconfigurations, dangerous product defaults, bad credential policies, and it's how we chain those together to become a domain admin or compromise a host.

So what customers will do is, every single attacker command we executed is provided to you as an attackivity log, so you can actually see every single attacker command we ran, the time stamp it was executed, the hosts it executed on, and how it maps to the MITRE ATT&CK tactics. So our customers will have these attacker logs on one screen, and then they'll go look into Splunk or Exabeam or SentinelOne or CrowdStrike and say, did you detect us? Did you log us? Did you alert on us or not? And to make that even easier, if you take this example: hey Splunk, what logs did you see at this time on the VMware host? Because that's when NodeZero is able to dump credentials. And that allows you to identify and fix your logging blind spots.

To make that easier, we've got app integration. So this is an actual Splunk app in the Splunk App Store, and what you can come is, inside the Splunk console itself, you can fire up the Horizon 3 NodeZero app. All of the pen test results are here, so that you can see all of
the results in one place and you don't have to jump out of the tool. And what you'll show you, as I skip forward, is, hey, there's a pen test, here are the critical issues that we've identified. For that weaker default issue, here are the exact commands we executed, and then we will automatically query into Splunk all terms on between these times on that endpoint that relate to this attack. So you can now quickly, within the Splunk environment itself, figure out that you're missing logs or that you're appropriately catching this issue. And that becomes incredibly important in that detection engineering cycle that I mentioned earlier.

So how do our customers end up using us? They shift from running one pen test a year to 30, 40 pen tests a month, oftentimes wiring us into their deployment automation to automatically run pen tests. The other part that they'll do is, as they run more pen tests, they find more issues, but eventually they hit this inflection point where they're able to rapidly clean up their environment. And that inflection point is because the red and the blue teams start working together in a purple team culture, and now they're working together to proactively harden their environment.

The other thing our customers will do is run us from different perspectives. They'll first start running an RFC 1918 scope to see, once the attacker gained initial access in a part of the network that had wide access, what could they do? And then from there, they'll run us within a specific network segment. Okay, from within that segment, could the attacker break out and gain access to another segment? Then they'll run us from their work from home environment. Could they traverse the VPN and do something damaging? And once they're in, could they traverse the VPN and get into my cloud? Then they'll break in from the outside. All of these perspectives are available to you in Horizon 3 and NodeZero as a single SKU, and you can run as many pen tests as you want. If you run a phishing campaign and find that
an intern in the finance department had the worst phishing behavior, you can then inject their credentials and actually show the end-to-end story of how an attacker phished, gained credentials of an intern and used that to gain access to sensitive financial data. So what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time. I'll leave you two things. One is, what is the AI in Horizon3.ai? Those knowledge graphs are the heart and soul of everything that we do, and we use machine learning reinforcement techniques, reinforcement learning techniques, Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs. We also use context-based scoring to prioritize weaknesses, and we're also able to drive collective intelligence across all of the operations, so the more pen tests we run, the smarter we get. And all of that is based on our knowledge graph analytics infrastructure that we have. Finally, I'll leave you with: this was my decision criteria when I was a buyer for my security testing strategy. What I cared about was coverage. I wanted to be able to assess my on-prem, cloud, perimeter and work from home, and be safe to run in production. I want to be able to do that as often as I wanted. I want to be able to run pen tests in hours or days, not weeks or months, so I could accelerate that find-fix-verify loop. I wanted my IT admins and network engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agents and not have to write custom scripts. And finally, I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks. I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted, so I could look at my trends and directions over time. So I hope you found this talk valuable. We're easy to find
and I look forward to seeing you use the product and letting our results do the talking.

When you look at, you know, kind of the way our pen testing algorithms work is, we dynamically select how to compromise an environment based on what we've discovered, and the goal is to become a domain admin, compromise a host, compromise domain users, find ways to encrypt data, steal sensitive data and so on. But when you look at the top 10 techniques that we ended up using to compromise environments, the first nine have nothing to do with CVEs, and that's the reality. CVEs are, yes, a vector, but less than two percent of CVEs are actually used in a compromise. Oftentimes it's some sort of credential collection, credential cracking, credential pivoting, and using that to become an admin and then compromising environments from that point on. So I'll leave this up for you to kind of read through, and you'll have the slides available for you, but I found it very insightful that organizations, and ourselves when I was at GE included, invested heavily in just standard vulnerability management programs. When I was at DOD, that's all DISA cared about asking us about, was kind of our CVE posture. But the attackers have adapted to not rely on CVEs to get in, because they know that organizations are actively looking at and patching those CVEs, and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment. A concrete example is, by default, vCenter backups are not encrypted, and so if an attacker finds vCenter, what they'll do is find the backup location, and there are specific vCenter MTD files where the admin credentials are parsippled in the binaries, so you can actually, as an attacker, find the right MTD file, parse out the binary, and now you've got the admin credentials for the vCenter environment and now start to log in as admin. There's a bad habit by signal officers and signal
practitioners in the Army and elsewhere where the VM notes section of a virtual image has the password for the VM. Well, those VM notes are not stored encrypted, and attackers know this, and they're able to go off and find the VMs that are unencrypted, find the note section and pull out the passwords for those images and then reuse those credentials across the board. So I'll pause here and, you know, Patrick, love to get some commentary on these techniques and other things that you've seen, and what we'll do in the last, say, 10 to 15 minutes is roll through a little bit more on what do you do about it. >> Yeah, yeah, no, I love it. I think this is pretty exhaustive. What I like about what you've done here is, you know, we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last three years, and it's often, we kind of in the zeitgeist, we pegged that on ransomware, which of course is like incredibly important and very top of mind. But what I like about what you have here is, you know, we're reminding the audience that the attack surface area, the vectors that matter, you know, has to be more comprehensive than just thinking about ransomware scenarios. >> Yeah, right on. So let's build on this. When you think about your defense in depth, you've got multiple security controls that you've purchased and integrated, and you've got that redundancy if a control fails. But the reality is that these security tools aren't designed to work together, so when you run a pen test, what you want to ask yourself is: did you detect NodeZero? Did you log NodeZero? Did you alert on NodeZero? And did you stop NodeZero? And when you think about how to do that, every single attacker command executed by NodeZero is available in an attacker log, so you can now see, you know, at the bottom here, vCenter exploit at that time on that IP, how it aligns to MITRE ATT&CK. What you want to be
able to do is go figure out: did your security tools catch this or not? And that becomes very important in using the attacker's perspective to improve your defensive security controls. And so the way we've tried to make this easier, back to, like, you know, I bleed green in many ways still from my Splunk background, is you want to be able to, and what our customers do is, hey, we'll look at the attacker logs on one screen and they'll look at what did Splunk see or miss in another screen, and then they'll use that to figure out what their logging blind spots are. And where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunkbase, and you'll get all of the pen test results right there in the Splunk console. And from that Splunk console you're gonna be able to see: these are all the pen tests that were run, these are the issues that were found. So you can look at that particular pen test, here are all of the weaknesses that were identified for that particular pen test and how they categorize out. For each of those weaknesses, you can click on any one of them that are critical in this case, and then we'll tell you for that weakness, and this is where the punch line comes in, so I'll pause the video here, for that weakness, these are the commands that were executed on these endpoints at this time, and then we'll actually query Splunk for that IP address or containing that IP, and these are the source types that surface any sort of activity. So what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective. So as this video kind of plays through, you can see it. Patrick, I'd love to get your thoughts, just seeing so many Splunk deployments and the effectiveness of those deployments, and how this is going to help really elevate the effectiveness of all of your
Splunk customers. >> Yeah, I'm super excited about this. I mean, I think these kinds of purpose-built integrations really move the needle for our customers. I mean, at the end of the day, when I think about the power of Splunk, I think about a product I was first introduced to 12 years ago that was an on-prem piece of software, you know, and at the time it sold on sort of perpetual and term licenses, but what made it special was that it could eat data at a speed that nothing else that I'd have ever seen. You can ingest massively scalable amounts of data, did cool things like schema on read which facilitated that, there was this language called SPL that you could nerd out about, and you went to a conference once a year and you talked about all the cool things you were splunking, right? But now as we think about the next phase of our growth, we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding, and as you look at the role of the CISO, it's mind-blowing to me the amount of sources, services, apps that are coming into the CISO span of, let's just call it a span of influence, in the last three years. You know, we're seeing things like infrastructure service level visibility, application performance monitoring, stuff that just never made sense for the security team to have visibility into, at least not at the size and scale which we're demanding today. And that's different, and this is why it's so important that we have these joint purpose-built integrations that really provide more prescription to our customers about how do they walk on that journey towards maturity. What does zero to one look like? What does one to two look like? Whereas, you know, 10 years ago customers were happy with platforms, today they want integration, they want solutions and they want to drive outcomes. And I think this is a great example of how together we are stepping to the
evolving nature of the market and also the ever-evolving nature of the threat landscape and, what I would say is, the maturing needs of the customer in that environment. >> Yeah, for sure. I think especially if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere, while the security budgets are not going to ever, I don't think they're going to get cut, they're not going to grow as fast, and there's a lot more pressure on organizations to extract more value from their existing investments as well as extracting more value and more impact from their existing teams. And so security effectiveness, fierce prioritization and automation, I think, become the three key themes of security over the next 18 months. So what I'll do very quickly is run through a few other use cases. Every host that we identified in the pen test, we're able to score and say: this host allowed us to do something significant, therefore it's really critical, you should be increasing your logging here. Hey, these hosts down here, we couldn't really do anything as an attacker, so if you do have to make trade-offs, you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end. So you've got that level of justification for where to increase or adjust your logging resolution. Another example is, every host we've discovered as an attacker, we expose and you can export, and what we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint. A big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were rogue Raspberry Pis on the network, or if a new box was installed and whether Splunk was installed on it or not. So now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from. Finally, or second to last use case here on the Splunk integration side, is for every single problem we've found, we give
multiple options for how to fix it. This becomes a great way to prioritize what fix actions to automate in your SOAR platform, and what we want to get to eventually is being able to automatically trigger SOAR actions to fix well-known problems, like automatically invalidating passwords for poor passwords in our credentials, amongst a whole bunch of other things we could go off and do. And then finally, if there is a well-known kill chain or attack path, one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise. And now you've got a great starting point for glass tables and IOCs for actual kill chains that we know are exploitable in your environment, and that becomes some super cool integrations that we've got on the roadmap between us and the Splunk security side of the house. So what I'll leave with, actually Patrick, before I do that, you know, love to get your comments, and then I'll kind of leave with one last slide on this wartime security mindset, pending, you know, assuming there's no other questions. >> No, I love it. I mean, I think this kind of glass tables approach to how do you sort of visualize these workflows and then use things like SOAR and orchestration and automation to operationalize them is exactly where we see all of our customers going, and getting away from, I think, an over-engineered approach to SOAR where it has to be super technical heavy with, you know, Python programmers, and getting more to this visual view of workflow creation that really demystifies the power of automation and also democratizes it, so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation, policy enforcement and ultimately driving automation
coverage across more and more of the workflows that your team is seeing. >> Yeah, I think that between us being able to visualize the actual kill chain or attack path with, you know, think of the SOAR market, I think, going towards this no-code, low-code, you know, configurable SOAR versus coded SOAR, that's going to really be a game changer in improve or giving security teams a force multiplier. So what I'll leave you with is, this peacetime mindset of security no longer is sustainable. We really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are working or not. And the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past nine months due to the Ukrainian war there. You should expect every one of them to be punished by the Russians for leaving, and punished from a cyber standpoint. And this is no longer about financial extortion, that is, ransomware. This is about punishing and destroying companies, and you can punish any one of these companies by going after them directly or by going after their suppliers and their distributors. So suddenly your attack surface is no longer just your own enterprise, it's how you bring your goods to market and it's how you get your goods created, because while I may not be able to disrupt your ability to harvest fruit, if I can get those trucks stuck at the border, I can increase spoilage and have the same effect. And what we should expect to see is this idea of cyber-enabled economic warfare, where if we issue a sanction like banning the Russians from traveling, there is a cyber-enabled counterpunch, which is corrupt and destroy the American Airlines database. That is below the threshold of war, that's not going to trigger the 82nd Airborne to be mobilized, but it's going to achieve the right effect. Ban the sale of luxury goods: disrupt the supply chain and create shortages. Ban Russian oil
and gas: attack refineries to cause a 10x spike in gas prices three days before the election. This is the future, and therefore I think what we have to do is shift towards a wartime mindset, which is: don't trust your security posture, verify it. See yourself through the eyes of the attacker, build that incident response muscle memory and drive better collaboration between the red and the blue teams, your suppliers and distributors and your information sharing organization they have in place. And what's really valuable for me as a Splunk customer was, when a router crashes, at that moment you don't know if it's due to an IT administration problem or an attacker, and what you want to have are different people asking different questions of the same data, and you want to have that integrated triage process of an IT lens to that problem, a security lens to that problem, and then from there figuring out is this an IT workflow to execute or a security incident to execute. And you want to have all of that as an integrated team, integrated process, integrated technology stack. And this is something that I cared very deeply about as both a Splunk customer and a Splunk CTO, that I see time and time again across the board. So Patrick, I'll leave you with the last word, the final three minutes here, and I don't see any open questions, so please take us home. >> Oh man, see how you think we spent hours and hours prepping for this together. That last 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now, and I think NIST has done some really interesting work here around building cyber resilient organizations that has really, I think, helped the industry see that incidents can come from adverse conditions, you know, stresses, performance taxations in the infrastructure, service or app layer, and they can come from malicious compromises, insider threats, external threat actors. And the more that we look
at this from the perspective of a broader cyber resilience mission in a wartime mindset, I think we're going to be much better off. And what you talk about with operationally minded ISACs, information sharing, intelligence sharing becomes so important in these wartime situations, and, you know, we know not all ISACs are created equal, but we're also seeing a lot of more ad hoc information sharing groups popping up. So look, I think you framed it really, really well. I love the concept of wartime mindset, and I like the idea of applying a cyber resilience lens, like if you have one more layer on top of that bottom right cake, you know, I think the IT lens and the security lens, they roll up to this concept of cyber resilience, and I think NIST has done some great work there for us. >> Yeah, you're spot on, and that is apt, and that's gonna, I think, be the next terrain that you're gonna see vendors try to get after, but that I think Splunk is best positioned to win. >> Okay, that's a wrap for this special Cube presentation. You heard all about the global expansion of Horizon3.ai's partner program for their partners have a unique opportunity to take advantage of their NodeZero product, international go-to-market expansion, North America channel partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in. And hope you enjoyed this program. All the videos are available on thecube.net, as well as check out Horizon3.ai for their pen test automation and ultimately their defense system that they use for testing always the environment that you're in. Great innovative product, and I hope you enjoyed the program. Again, I'm John Furrier, host of the Cube. Thanks for watching.
Chris Hill, Horizon3.ai | Horizon3.ai Partner Program Expands Internationally
>>Welcome back everyone to the Cube and Horizon3.ai special presentation. I'm John Furrier, host of the Cube. We're with Chris Hill, sector head for strategic accounts and federal at Horizon3.ai. Great innovative company. Chris, great to see you. Thanks for coming on the Cube. >>Yeah, like I said, you know, great to meet you John. Long time listener. First time caller. So excited to be here with you guys. >>Yeah, we were talking before camera. You had Splunk back in 2013 and I think 2012 was our first Splunk .conf. Yep. And boy man, you know, talk about being in the right place at the right time. Now we're at another inflection point and Splunk continues to be relevant and continuing to have that data driving security and that interplay. And your CEO, former CTO of Splunk as well, at Horizon3, Snehal, who's been on before. Really innovative product you guys have, but you know, Yeah, don't wait for a breach to find out if you're logging the right data. This is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. Tell us what are some of the challenges that you see where this is relevant for the Splunk and the Horizon3.ai as you guys expand NodeZero out internationally? >>Yeah, well so across, so you know, my role within Splunk was working with our most strategic accounts. And so I look back to 2013 and I think about the sales process like working with, with our small customers. You know, it was, it was still very siloed back then. Like I was selling to an IT team that was either using us for IT operations. We generally would always even say, yeah, although we do security, we weren't really designed for it. We're a log management tool. And you know, we, and I'm sure you remember back then John, we were like sort of stepping into the security space and in the public sector domain that I was in, you know, security was 70% of what we did.
When I look back to sort of the transformation that I was witnessing in that digital transformation, you know when I, you look at like 2019 to today, you look at how the IT team and the security teams are, have been forced to break down those barriers that they used to sort of be silo away, would not communicate one, you know, the security guys would be like, Oh this is my BA box it, you're not allowed in. >>Today, you can't get away with that. And I think that the value that we bring to, you know, and of course Splunk has been a huge leader in that space and continues to do innovation across the board. But I think what we're seeing in the space that I was talking with Patrick Coughlin, the SVP of security markets about this, is that, you know, what we've been able to do with Splunk is build a purpose built solution that allows Splunk to eat more data. So Splunk itself, as you well know, it's an ingest engine, right? So the great reason people bought it was you could build these really fast dashboards and grab intelligence out of it, but without data it doesn't do anything, right? So how do you drive and how do you bring more data in? And most importantly from a customer perspective, how do you bring the right data in? >>And so if you think about what NodeZero and what we're doing at Horizon3 is that, sure we do pen testing, but because we're an autonomous pen testing tool, we do it continuously. So this whole thought of being like, Oh, crud like my customers, Oh yeah, we got a pen test coming up, it's gonna be six weeks. The wait. Oh yeah. You know, and everyone's gonna sit on their hands, Call me back in two months, Chris, we'll talk to you then. Right? Not a real efficient way to test your environment and shoot, we saw that with Uber this week. Right? You know, and that's a case where we could have helped. >>Well just real quick, explain the Uber thing cause it was a contractor.
Just give a quick highlight of what happened so you can connect the dots. >>Yeah, no problem. So there it was, I think it was one of those, you know, games where they would try and test an environment. And what the pen tester did was he kept on calling them MFA guys being like, I need to reset my password, reset my password. And eventually the customer service guy said, Okay, I'm resetting it. Once he had reset and bypassed the multifactor authentication, he then was able to get in and get access to the domain area that he was in or the, not the domain, but he was able to gain access to a partial part of the network. He then paralleled over to what would I assume is like a VA VMware or some virtual machine that had notes that had all of the credentials for logging into various domains. And so within minutes they had access. And that's the sort of stuff that we do under, you know, a lot of these tools. >>Like not, and I'm not, you know, you think about the cacophony of tools that are out there in a CTA orchestra architecture, right? I'm gonna get like a Zscaler, I'm gonna have Okta, I'm gonna have a Splunk, I'm gonna do this SOAR system. I mean, I don't mean to name names, we're gonna have CrowdStrike or SentinelOne in there. It's just, it's a cacophony of things that don't work together. They weren't designed to work together. And so we have seen so many times in our business through our customer support and just working with customers when we do their pen test, that there will be 5,000 servers out there. Three are misconfigured. Those three misconfigurations will create the open door. Cause remember the hacker only needs to be right once, the defender needs to be right all the time. And that's the challenge. And so that's why I'm really passionate about what we're doing here at Horizon3.
I see this my digital transformation, migration and security going on, which we're at the tip of the sp, it's why I joined Snehal coming on this journey and just super excited about where the path's going and super excited about the relationship with Splunk. I get into more details on some of the specifics of that. But you know, >>I mean, well you're nailing, I mean we've been doing a lot of things around super cloud and this next gen environment, we're calling it NextGen. You're really seeing DevOps, obviously DevSecOps has already won, the IT role has moved to the developer, shift left as an indicator of that. It's one of the many examples, higher velocity code, software supply chain. You hear these things. That means that it is now in the developer hands, it is replaced by the new ops, data ops teams and security where there's a lot of horizontal thinking. To your point about access, there's no more perimeter. So >>That there is no perimeter. >>Huge. A hundred percent right, is really right on. I don't think it's one time, you know, to get in there. Once you're in, then you can hang out, move around, move laterally. Big problem. Okay, so we get that. Now, the challenges for these teams as they are transitioning organizationally, how do they figure out what to do? Okay, this is the next step. They already have Splunk, so now they're kind of in transition while protecting for a hundred percent ratio of success. So how would you look at that and describe the challenges? What do they do? What are the teams facing with their data and what's next? What action do they take? >>So let's do some vernacular that folks will know. So if I think about DevSecOps, right? We both know what that means, that I'm gonna build security into the app, but no one really talks about SecDevOps, right? How am I building security around the perimeter of what's going inside my ecosystem and what are they doing?
And so if you think about what we're able to do with somebody like Splunk is we could pen test the entire environment from soup to nuts, right? So I'm gonna test the end points through to it. So I'm gonna look for misconfigurations, and I'm gonna look for credential exposed credentials. You know, I'm gonna look for anything I can in the environment. Again, I'm gonna do it at light speed. And what we're doing for that SecDev space is to, you know, did you detect that we were in your environment? >>So did we alert Splunk or the SIEM that there's someone in the environment laterally moving around? Did they, more importantly, did they log us into their environment? And when did they detect that log to trigger that log? Did they alert on us? And then finally, most importantly, for every CSO out there is gonna be did they stop us? And so that's how we do this in, I think you, when speaking with Snehal, before, you know, we've come up with this boils U Loop, but we call it find, fix, verify. So what we do is we go in is we act as the attacker, right? We act in a production environment. So we're not gonna be, we're a passive attacker, but we will go in uncredentialed, no agents. But we have to assume, have an assumed breach model, which means we're gonna put a Docker container in your environment and then we're going to fingerprint the environment. >>So we're gonna go out and do an asset survey. Now that's something that's not something that Splunk does super well, you know, so can Splunk see all the assets, do the same assets marry up? We're gonna log all that data and think then put load that into the Splunk SIEM or the Splunk logging tools just to have it in enterprise, right? That's an immediate feature add that they've got. And then we've got the fix. So once we've completed our pen test, we are then gonna generate a report and we could talk about these in a little bit later.
But the reports will show an executive summary, the assets that we found, which would be your asset discovery aspect of that, a fix report. And the fix report I think is probably the most important one. It will go down and identify what we did, how we did it, and then how to fix that. >>And then from that, the pen tester or the organization should fix those. Then they go back and run another test. And then they validate through like a change detection environment to see, hey, did those fixes take place? And you know, Snehal, when he was the CTO of JSOC, he shared with me a number of times about, he's like, Man, there would be 15 more items on next week's punch sheet that we didn't know about. And it has to do with how we, you know, how they were prioritizing the CVEs and whatnot because they would take all CVEs as critical or non-critical. And it's like we are able to create context in that environment that feeds better information into Splunk and whatnot. That >>Was a lot. That brings up the efficiency for Splunk specifically. The teams out there. By the way, the burnout thing is real. I mean, this whole, I just finished my list and I got 15 more or whatever, the list just keeps growing. How did NodeZero specifically help Splunk teams be more efficient? Now that's the question I want to get at, because this seems like a very scalable way for Splunk customers and teams, service teams to be more efficient. So the question is, how does NodeZero help make Splunk specifically their service teams be more efficient? >>So today in our early interactions with building Splunk customers, what we've seen are five things, and I'll start with sort of identifying the blind spots, right? So kind of what I just talked about with you. Did we detect, did we log, did we alert? Did they stop NodeZero, right? And so I would, I put that at, you know, a more layman's third grade term.
And if I was gonna beat a fifth grader at this game would be, we can be the sparring partner for a Splunk enterprise customer, a Splunk essentials customer, someone using Splunk SOAR, or even just an enterprise Splunk customer that may be a small shop with three people and, and just wants to know where am I exposed. So by creating and generating these reports and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in. >>And then where that then comes in is number two is how do we prioritize those logs, right? So how do we create visibility to logs that are, have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact regard and also not all are low, right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission critical AP CVE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it, that would be very bad. And then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at, and they, they themselves, they don't do asset discovery. So do what assets do we see and what are they logging from that? And then for, from, for every event that they are able to identify the, one of the cool things that we can do is actually create this low-code, no-code environment. >>So they could let, you know, float customers can use Splunk SOAR to actually triage events and prioritize that events or where they're being routed within it to optimize the SOC team's time to market or time to triage any given event. Obviously reducing MTTR. And then finally, I think one of the neatest things that we'll be seeing us develop is our ability to build glass tables. So behind me you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to this Splunk community. 
We're going to have the ability, not too distant future to allow people to search, observe on those IOCs. And if people aren't familiar with an IOC, it's an incident of compromise. So that's a vector that we want to drill into. And of course who's better at drilling into data than Splunk. >>Yeah, this is a critical, this is awesome synergy there. I mean I can see a Splunk customer going, Man, this just gives me so much more capability. Action actionability. And also real understanding, and I think this is what I wanna dig into, if you don't mind understanding that critical impact, okay. Is kind of where I see this coming. I got the data, data ingest now data's data. But the question is what not to log, You know, where are things misconfigured? These are critical questions. So can you talk about what it means to understand critical impact? >>Yeah, so I think, you know, going back to those things that I just spoke about, a lot of those CVEs where you'll see low, low, low and then you daisy chain together and you're suddenly like, oh, this is high now. But then to your other impact of like if you're a, if you're a Splunk customer, you know, and I had, I had several of them, I had one customer that, you know, terabytes of McAfee data being brought in and it was like, all right, there's a lot of other data that you probably also wanna bring, but they could only afford, wanted to do certain data sets because that's, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say, Hey, these are the critical ones to bring in. But there's also the ones that you don't necessarily need to bring in because low CVE in this case really does mean low CVE. >>Like an ILO server would be one that, that's the print server where the, your admin credentials are on, on like a, a printer. And so there will be credentials on that. That's something that a hacker might go in to look at. 
So although the CVE on it is low, if you daisy chain with something that's able to get into that, you might say, ah, that's high. And we would then potentially rank it giving our AI logic to say that's a moderate. So put it on the scale and we prioritize though, versus a, a vulnerability scanner's just gonna give you a bunch of CVEs and good luck. >>And translating that if I, if I can and tell me if I'm wrong, that kind of speaks to that whole lateral movement. That's it. Challenge, right? Print server, great example, look stupid low end, who's gonna wanna deal with the print server? Oh, but it's connected into a critical system. There's a path. Is that kind of what you're getting at? >>Yeah, I used daisy chain. I think that's from the community they came from. But it's, it's just a lateral movement. It's exactly what they're doing. And those low level, low critical lateral movements is where the hackers are getting in. Right? So that's what the beauty thing about the, the Uber example is that who would've thought, you know, I've got my multifactor authentication going in a human made a mistake. We can't, we can't not expect humans to make mistakes. We're fall, we're fallible, right? Yeah. The reality is is once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials that would've stopped the breach. Yeah. And they did not, had not done that in their environment. And I'm not poking. Yeah, >>They put it's interesting trend though. I mean it's obvious if sometimes those low end items are also not protected well. So it's easy to get at from a hacker standpoint, but also the people in charge of them can be phished easily or spear phished because they're not paying attention. 'Cause they don't have to. No one ever told them, Hey, be careful of what you collect. >>Yeah. 
For the community that I came from, John, that's exactly how they, they would meet you at a, an international event introduce themselves as a graduate student. These are national actor states. Would you mind reviewing my thesis on such and such? And I was at Adobe at the time though I was working on this and start off, you get the PDF, they opened the PDF and whoever that customer was launches, and I don't know if you remember back in like 2002, 2008 time frame, there was a lot of issues around IP being by a nation state being stolen from the United States and that's exactly how they did it. And John, that's >>Or LinkedIn. Hey I wanna get a joke, we wanna hire you double the salary. Oh I'm gonna click on that for sure. You know? Yeah, >>Right. Exactly. Yeah. The one thing I would say to you is like when we look at like sort of, you know, 'cause I think we did 10,000 pen tests last year is it's probably over that now, you know, we have these sort of top 10 ways that we think then fine people coming into the environment. The funniest thing is that only one of them is a, a CVE related vulnerability. Like, you know, you guys know what they are, right? So it's it, but it's, it's like 2% of the attacks are occurring through the CVEs, but yet there's all that attention spent to that. Yeah. And very little attention spent to this pen testing side. Yeah. Which is sort of this continuous threat, you know, monitoring space and, and, and this vulnerability space where I think we play such an important role and I'm so excited to be a part of the tip of the spear on this one. >>Yeah. I'm old enough to know the movie Sneakers, which I love as a, you know, watching that movie, you know, professional hackers are testing, testing, always testing the environment. I love this. I gotta ask you, as we kind of wrap up here, Chris, if you don't mind the benefits to team professional services from this alliance, big news Splunk and you guys work well together. We see that clearly. 
What are, what other benefits do professional services teams see from the Splunk and Horizon3.ai alliance? >>So if you're a, I think for, from our, our, from both of our partners as we bring these guys together and many of them already are the same partner, right? Is that first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the enter of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in and we'll license as to MSPs and what that business model on our MSPs looks like. But the unique thing that we do here is this c plus license. And so the Consulting Plus license allows like a, somebody a small to midsize to some very large, you know, Fortune 100, you know, consulting firms uses by buying into a license called Consulting Plus where they can have unlimited access to as many IPs as they want. >>But you can only run one test at a time. And as you can imagine when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. So, but for the right customer, it's, it's a perfect tool. And so I I'm so excited about our ability to go to market with our partners so that we underhand to sell, understand how not to just sell to or not tell just to sell through, but we know how to sell with them as a good vendor partner. I think that that's one thing that we've done a really good job building bringing into market. >>Yeah. I think also the Splunk has had great success how they've enabled partners and professional services. Absolutely. They've, you know, the services that layer on top of Splunk are multifold tons of great benefits. So you guys vector right into that ride, that wave with >>Friction. 
And, and the cool thing is that in, you know, in one of our reports, which could be totally customized with someone else's logo, we're going to generate, you know, so I, I used to work at another organization, it wasn't Splunk, but we, we did, you know, pen testing as a, as a for, for customers and my pen testers would come on site, they, they do the engagement and they would leave. And then another really, someone would be, oh shoot, we got another sector that was breached and they'd call you back, you know, four weeks later. And so by August our entire pen testing teams would be sold out and it would be like, wow. And in March maybe, and they'd like, No, no, no, I gotta breach now. And, and, and then when they do go in, they go through, do the pen test and they hand over a PDF and they pat you on the back and say, there's where your problems are, you need to fix it. And the reality is, is that what we're gonna generate completely autonomously with no human interaction is we're gonna go and find all the permutations that anything we found and the fix for those permutations and then once you fixed everything, you just go back and run another pen test. Yeah. It's, you know, for what people pay for one pen test, they could have a tool that does that. Every, every patch on Tuesday pen test on Wednesday, you know, triage throughout the week, >>Green, yellow, red. I wanted to see colors show me green, green is good, right? Not red. >>And once CIO doesn't want, who doesn't want that dashboard, right? It's, it's, it is exactly it. And we can help bring, I think that, you know, I'm really excited about helping drive this with the Splunk team 'cause they get that, they understand that it's the green, yellow, red dashboard and, and how do we help them find more green so that the other guys are >>In Yeah. And get in the data and do the right thing and be efficient with how you use the data, Know what to look at. 
So many things to pay attention to, you know, the combination of both and then, then go to market strategy. Real brilliant. Congratulations Chris. Thanks for coming on and sharing this news with the detail around this Splunk in action around the alliance. Thanks for sharing, >>John. My pleasure. Thanks. Look forward to seeing you soon. >>All right, great. We'll follow up and do another segment on DevOps and IT and security teams as the new new ops, but, and Super cloud, a bunch of other stuff. So thanks for coming on. And our next segment, the CEO of Horizon3.ai, will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage.
Snehal Antani, Horizon3.ai | AWS Startup Showcase S2 E4 | Cybersecurity
(upbeat music) >> Hello and welcome to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering the exciting hot startups from the AWS ecosystem. Here we're talking about cybersecurity in this episode. I'm your host, John Furrier here we're excited to have CUBE alumni who's back Snehal Antani who's the CEO and co-founder of Horizon3.ai talking about exploitable weaknesses and vulnerabilities with autonomous pen testing. Snehal, it's great to see you. Thanks for coming back. >> Likewise, John. I think it's been about five years since you and I were on the stage together. And I've missed it, but I'm glad to see you again. >> Well, before we get into the showcase about your new startup, that's extremely successful, amazing margins, great product. You have a unique journey. We talked about this prior to you doing the journey, but you have a great story. You left the startup world to go into the startup, like world of self defense, public defense, NSA. What group did you go to in the public sector became a private partner. >> My background, I'm a software engineer by education and trade. I started my career at IBM. I was a CIO at GE Capital, and I think we met once when I was there and I became the CTO of Splunk. And we spent a lot of time together when I was at Splunk. And at the end of 2017, I decided to take a break from industry and really kind of solve problems that I cared deeply about and solve problems that mattered. So I left industry and joined the US Special Operations Community and spent about four years in US Special Operations, where I grew more personally and professionally than in anything I'd ever done in my career. And exited that time, met my co-founder in special ops. And then as he retired from the air force, we started Horizon3. >> So there's really, I want to bring that up one, 'cause it's fascinating that not a lot of people in Silicon Valley and tech would do that. 
So thanks for the service. And I know everyone who's out there in the public sector knows that this is a really important time for the tactical edge in our military, a lot of things going on around the world. So thanks for the service and a great journey. But there's a storyline with the company you're running now that you started. I know you get the jacket on there. I noticed get a little military vibe to it. Cybersecurity, I mean, every company's on their own now. They have to build their own militia. There is no government supporting companies anymore. There's no militia. No one's on the shores of our country defending the citizens and the companies, they got to fend for themselves. So every company has to have their own military. >> In many ways, you don't see anti-aircraft rocket launchers on top of the JP Morgan building in New York City because they rely on the government for air defense. But in cyber it's very different. Every company is on their own to defend for themselves. And what's interesting is this blend. If you look at the Ukraine, Russia war, as an example, a thousand companies have decided to withdraw from the Russian economy and those thousand companies we should expect to be in the ire of the Russian government and their proxies at some point. And so it's not just those companies, but their suppliers, their distributors. And it's no longer about cyber attack for extortion through ransomware, but rather cyber attack for punishment and retaliation for leaving. Those companies are on their own to defend themselves. There's no government that is dedicated to supporting them. So yeah, the reality is that cybersecurity, it's the burden of the organization. 
And also your attack surface has expanded to not just be your footprint, but if an adversary wants to punish you for leaving their economy, they can get, if you're in agriculture, they could disrupt your ability to farm or they could get all your fruit to spoil at the border 'cause they disrupted your distributors and so on. So I think the entire world is going to change over the next 18 to 24 months. And I think this idea of cybersecurity is going to become truly a national problem and a problem that breaks down any corporate barriers that we see in previously. >> What are some of the things that inspired you to start this company? And I loved your approach of thinking about the customer, your customer, as defending themselves in context to threats, really leaning into it, being ready and able to defend. Horizon3 has a lot of that kind of military thinking for the good of the company. What's the motivation? Why this company? Why now? What's the value proposition? >> So there's two parts to why the company and why now. The first part was what my observation, when I left industry realm or my military background is watching "Jack Ryan" and "Tropic Thunder" and I didn't come from the military world. And so when I entered the special operations community, step one was to keep my mouth shut, learn, listen, and really observe and understand what made that community so impressive. And obviously the people and it's not about them being fast runners or great shooters or awesome swimmers, but rather they're learn-it-alls that can solve any problem as a team under pressure, which is the exact culture you want to have in any startup, early stage companies are learn-it-alls that can solve any problem under pressure as a team. So I had this immediate advantage when we started Horizon3, where a third of Horizon3 employees came from that special operations community. So one is this awesome talent. 
But the second part that, I remember this quote from a special operations commander that said we use live rounds in training because if we used fake rounds or rubber bullets, everyone would act like Medal of Honor winners. And the whole idea there is you train like you fight, you build that muscle memory for crisis and response and so on upfront. So when you're in the thick of it, you already know how to react. And this aligns to a pain I had in industry. I had no idea I was secure until the bad guy showed up. I had no idea if I was fixing the right vulnerabilities, logging the right data in Splunk, or if my CrowdStrike EDR platform was configured correctly, I had to wait for the bad guys to show up. I didn't know if my people knew how to respond to an incident. So what I wanted to do was proactively verify my security posture, proactively harden my systems. I needed to do that by continuously pen testing myself or continuously testing my security posture. And there just wasn't any way to do that where an IT admin or a network engineer could in three clicks have the power of a 20 year pen testing expert. And that was really what we set out to do, not build an autonomous pen testing platform for security people, build it so that anybody can quickly test their security posture and then use the output to fix problems that truly matter. >> So the value proposition, if I get this right is, there's a lot of companies out there doing pen tests. And I know I hate pen tests. They're like, 'cause you do DevOps, it changes you got to do another pen test. So it makes sense to do autonomous pen testing. So congratulations on seeing that that's obvious to that, but a lot of other have consulting tied to it. Which seems like you need to train someone and you guys taking a different approach. >> Yeah, we actually, as a company have zero consulting, zero professional services. 
And the whole idea is that build a true software as a service offering where an intern, in fact, we've got a video of a nine year old that in three clicks can run pen tests against themselves. And because of that, you can wire pen tests into your DevOps tool chain. You can run multiple pen tests today. In fact, I've got customers running 40, 50 pen tests a month against their organization. And that what that does is completely lowers the barrier of entry for being able to verify your posture. If you have consulting on average, when I was a CIO, it was at least a three month lead time to schedule consultants to show up and then they'd show up, they'd embarrass the security team, they'd make everyone look bad, 'cause they're going to get in, leave behind a report. And that report was almost identical to what they found last year because the older that report, the one the date itself gets stale, the context changes and so on. And then eventually you just don't even bother fixing it. Or if you fix a problem, you don't have the skills to verify that has been fixed. So I think that consulting led model was acceptable when you viewed security as a compliance checkbox, where once a year was sufficient to meet your like PCI requirements. But if you're really operating with a wartime mindset and you actually need to harden and secure your environment, you've got to be running pen test regularly against your organization from different perspectives, inside, outside, from the cloud, from work, from home environments and everything in between. >> So for the CISOs out there, for the CSOs and the CXOs, what's the pitch to them because I see your jacket that says Horizon3 AI, trust but verify. But this trust is, but is canceled out, just as verify. What's the product that you guys are offering the service. Describe what it is and why they should look at it. >> Yeah, sure. So one, when I back when I was the CIO, don't tell me we're secure in PowerPoint. 
Show me we're secure right now. Show me we're secure again tomorrow. And then show me we're secure again next week because my environment is constantly changing and the adversary always has a vote and they're always evolving. And this whole idea of show me we're secure. Don't trust that your security tools are working, verify that they can detect and respond and stifle an attack and then verify tomorrow, verify next week. That's the big mind shift. Now what we do is-- >> John: How do they respond to that by the way? Like they don't believe you at first or what's the story. >> I think, there's actually a very bifurcated response. There are still a decent chunk of CIOs and CSOs that have a security is a compliance checkbox mindset. So my attitude with them is I'm not going to convince you. You believe it's a checkbox. I'll just wait for you to get breached and sell to your replacement, 'cause you'll get fired. And in the meantime, I spend all my energy with those that actually care about proactively securing and hardening their environments. >> That's true. People do get fired. Can you give an example of what you're saying about this environment being ready, proving that you're secure today, tomorrow and a few weeks out. Give me an example. >> Of, yeah, I'll give you actually a customer example. There was a healthcare organization and they had about 5,000 hosts in their environment and they did everything right. They had Fortinet as their EDR platform. They had user behavior analytics in place that they had purchased and tuned. And when they ran a pen test self-service, our product node zero immediately started to discover every host on the network. It then fingerprinted all those hosts and found it was able to get code execution on three machines. So it got code execution, dumped credentials, laterally maneuvered, and became a domain administrator, which in IT, if an attacker becomes a domain admin, they've got keys to the kingdom. 
So at first the question was, how did the node zero pen test become domain admin? How'd they get code execution, Fortinet should have detected and stopped it. Well, it turned out Fortinet was misconfigured on three boxes out of 5,000. And these guys had no idea and it's just automation that went wrong and so on. And now they would've only known they had misconfigured their EDR platform on three hosts if the attacker had showed up. The second question though was, why didn't they catch the lateral movement? Which all their marketing brochures say they're supposed to catch. And it turned out that that customer purchased the wrong Fortinet modules. One again, they had no idea. They thought they were doing the right thing. So don't trust just installing your tools is good enough. You've got to exercise and verify them. We've got tons of stories from patches that didn't actually apply to being able to find the AWS admin credentials on a local file system. And then using that to log in and take over the cloud. In fact, I gave this talk at Black Hat on war stories from running 10,000 pen tests. And that's just the reality is, you don't know that these tools and processes are working for you until the bad guys have shown. >> The velocities there. You can accelerate through logs, you know from the days you've been there. This is now the threat. Being, I won't say lazy, but just not careful or just not thinking. >> Well, I'll do an example. We have a lot of customers that are Horizon3 customers and Splunk customers. And what you'll see their behavior is, is they'll have Horizon3 up on one screen. And every single attacker command executed with its timestamp is up on that screen. And then look at Splunk and say, hey, we were able to dump vCenter credentials from VMware products at this time on this host, what did Splunk see or what didn't they see? Why were no logs generated? And it turns out that they had some logging blind spots. 
So what they'll actually do is run us to almost like stimulate the defensive tools and then see what did the tools catch? What did they miss? What are those blind spots and how do they fix it. >> So your product's called node zero. You mentioned that. Is that specifically a suite, a tool, a platform. How do people consume and engage with you guys? >> So the way that we work, the whole product is designed to be self-service. So once again, while we have a sales team, the whole intent is you don't need to have to talk to a sales rep to start using the product, you can log in right now, go to Horizon3.ai, you can run a trial log in with your Google ID, your LinkedIn ID, start running pen test against your home or against your network against this organization right now, without talking to anybody. The whole idea is self-service, run a pen test in three clicks and give you the power of that 20 year pen testing expert. And then what'll happen is node zero will execute and then it'll provide to you a full report of here are all of the different paths or attack paths or sequences where we are able to become an admin in your environment. And then for every attack path, here is the path or the kill chain, the proof of exploitation for every step along the way. Here's exactly what you've got to do to fix it. And then once you've fixed it, here's how you verify that you've truly fixed the problem. And this whole aha moment is run us to find problems. You fix them, rerun us to verify that the problem has been fixed. >> Talk about the company, how many people do you have and get some stats? >> Yeah, so we started writing code in January of 2020, right before the pandemic hit. And then about 10 months later at the end of 2020, we launched the first version of the product. We've been in the market for now about two and a half years total from start of the company till present. We've got 130 employees. We've got more customers than we do employees, which is really cool. 
And instead our customers shift from running one pen test a year to 40, 50 pen tests. >> John: And it's full SaaS. >> The whole product is full SaaS. So no consulting, no pro serve. You run as often as you-- >> Who's downloading, who's buying the product. >> What's amazing is, we have customers in almost every section or sector now. So we're not overly rotated towards like healthcare or financial services. We've got state and local education or K through 12 education, state and local government, a number of healthcare companies, financial services, manufacturing. We've got organizations that large enterprises. >> John: Security's diverse. >> It's very diverse. >> I mean, ransomware must be a big driver. I mean, is that something that you're seeing a lot. >> It is. And the thing about ransomware is, if you peel back the outcome of ransomware, which is extortion, at the end of the day, what ransomware organizations or criminals or APTs will do is they'll find out who all your employees are online. They will then figure out if you've got 7,000 employees, all it takes is one of them to have a bad password. And then attackers are going to credential spray to find that one person with a bad password or whose Netflix password that's on the dark web is also their same password to log in here, 'cause most people reuse. And then from there they're going to most likely in your organization, the domain user, when you log in, like you probably have local admin on your laptop. If you're a Windows machine and I've got local admin on your laptop, I'm going to be able to dump credentials, get the admin credentials and then start to laterally maneuver. Attackers don't have to hack in using zero days like you see in the movies, often they're logging in with valid user IDs and passwords that they've found and collected from somewhere else. And then they make that, they maneuver by making a low plus a low equal a high. 
And the other thing in financial services, we spend all of our time fixing critical vulnerabilities, attackers know that. So they've adapted to finding ways to chain together, low priority vulnerabilities and misconfigurations and dangerous defaults to become admin. So while we've over rotated towards just fixing the highs and the criticals attackers have adapted. And once again they have a vote, they're always evolving their tactics. >> And how do you prevent that from happening? >> So we actually apply those same tactics. Rarely do we actually need a CVE to compromise your environment. We will harvest credentials, just like an attacker. We will find misconfigurations and dangerous defaults, just like an attacker. We will combine those together. We'll make use of exploitable vulnerabilities as appropriate and use that to compromise your environment. So the tactics that, in many ways we've built a digital weapon and the tactics we apply are the exact same tactics that are applied by the adversary. >> So you guys basically simulate hacking. >> We actually do the hacking. Simulate means there's a fakeness to it. >> So you guys do hack. >> We actually compromise. >> Like Sneakers the movie, those Sneakers movie for the old folks like me. >> And in fact that was my inspiration. I've had this idea for over a decade now, which is I want to be able to look at anything that laptop, this Wi-Fi network, gear in hospital or a truck driving by and know, I can figure out how to gain initial access, rip that environment apart and be able to pwn it. >> Okay, Chuck, he's not allowed in the studio anymore. (laughs) No, seriously. Some people are exposed. I mean, some companies don't have anything. But there's always passwords or so most people have that argument. Well, there's nothing to protect here. Not a lot of sensitive data. How do you respond to that? Do you see that being kind of putting the head in the sand or? 
>> Yeah, it's actually, it's less, there's not sensitive data, but more we've installed or applied multifactor authentication, attackers can't get in now. Well MFA only applies or does not apply to lower level protocols. So I can find a user ID password, log in through SMB, which isn't protected by multifactor authentication and still pwn your environment. So unfortunately I think as a security industry, we've become very good at giving a false sense of security to organizations. >> John: Compliance drives that behavior. >> Compliance drives that. And what we need. Back to don't tell me we're secure, show me, we've got to, I think, change that to a trust but verify, but get rid of the trust piece of it, just to verify. >> Okay, we got a lot of CISOs and CSOs watching this showcase, looking at the hot startups, what's the message to the executives there. Do they want to become more leaning in more hawkish if you will, to use the military term on security? I mean, I heard one CISO say, security first then compliance 'cause compliance can make you complacent and then you're unsecure at that point. >> I actually say that. I agree. One definitely security is different and more important than being compliant. I think there's another emerging concept, which is I'd rather be defensible than secure. What I mean by that is security is a point in time state. I am secure right now. I may not be secure tomorrow 'cause something's changed. But if I'm defensible, then what I have is that muscle memory to detect, respond and stifle an attack. And that's what's more important. Can I detect you? How long did it take me to detect you? Can I stifle you from achieving your objective? How long did it take me to stifle you? What did you use to get in to gain access? How long did that sit in my environment? How long did it take me to fix it? So on and so forth. But I think it's being defensible and being able to rapidly adapt to changing tactics by the adversary is more important. 
>> This is the evolution of how the red line never moved. You got the adversaries in our networks and our banks. Now they hang out and they wait. So everyone thinks they're secure. But when they start getting hacked, they're not really in a position to defend, the alarms go off. Where's the playbook. Team springs into action. I mean, you kind of get the visual there, but this is really the issue being defensible means having your own essentially military for your company. >> Being defensible, I think has two pieces. One is you've got to have this culture and process in place of training like you fight because you want to build that incident response muscle memory ahead of time. You don't want to have to learn how to respond to an incident in the middle of the incident. So that is that proactively verifying your posture and continuous pen testing is critical there. The second part is the actual fundamentals in place so you can detect and stifle as appropriate. And also being able to do that. When you are continuously verifying your posture, you need to verify your entire posture, not just your test systems, which is what most people do. But you have to be able to safely pen test your production systems, your cloud environments, your perimeter. You've got to assume that the bad guys are going to get in, once they're in, what can they do? So don't just say that my perimeter's secure and I'm good to go. It's the soft squishy center that attackers are going to get into. And from there, can you detect them and can you stop them? >> Snehal, take me through the use. You got to be sold on this, I love this topic. Alright, pen test. Is it, what am I buying? Just pen test as a service. You mentioned dark web. Are you actually buying credentials online on behalf of the customer? What is the product? What am I buying if I'm the CISO from Horizon3? What's the service? What's the product, be specific. >> So very specifically and one just principles. 
The first principle is when I was a buyer, I hated being nickel-and-dimed by vendors, which was, I had to buy 15 different modules in order to achieve an objective. Just give me one line item, make it super easy to buy and don't nickel and dime me. Because I've spent time as a buyer that very much has permeated throughout the company. So there is a single SKU from Horizon3. It is an annual subscription based on how big your environment is. And it is inclusive of on-prem internal pen tests, external pen tests, cloud attacks, work from home attacks, our ability to harvest credentials from the dark web and from open source sources. Being able to crack those credentials, compromise. All of that is included as a single SKU. All you get as a CISO is a single SKU, annual subscription, and you can run as many pen tests as you want. Some customers still stick to, maybe one pen test a quarter, but most customers shift when they realize there's no limit, we don't nickel and dime. They can run 10, 20, 30, 40 a month. >> Well, it's not nickel and dime in the sense that, it's more like dollars and hundreds because they know what to expect if it's classic cloud consumption. They kind of know what their environment, can people try it. Let's just say I have a huge environment, I have a cloud, I have an on-premise private cloud. Can I dabble and set parameters around pricing? >> Yes you can. So one is you can dabble and set parameters around scope, which is like manufacturing does this, do not touch the production line that's on at the moment. We've got a hospital that says every time they run a pen test, any machine that's actually connected to a patient must be excluded. So you can actually set the parameters for what's in scope and what's out of scope up front, most again we're designed to be safe to run against production so you can set the parameters for scope. You can set the parameters for cost if you want. 
But our recommendation is I'd rather figure out what you can afford and let you test everything in your environment than try to squeeze every penny from you by only making you buy what can afford as a smaller-- >> So the variable ratio, if you will is, how much they spend is the size of their environment and usage. >> Just size of the environment. >> So it could be a big ticket item for a CISO then. >> It could, if you're really large, but for the most part-- >> What's large? >> I mean, if you were Walmart, well, let me back up. What I heard is global 10 companies spend anywhere from 50 to a hundred million dollars a year on security testing. So they're already spending a ton of money, but they're spending it on consultants that show up maybe a couple of times a year. They don't have, humans can't scale to test a million hosts in your environment. And so you're already spending that money, spend a fraction of that and use us and run as much as you want. And that's really what it comes down to. >> John: All right. So what's the response from customers? >> What's really interesting is there are three use cases. The first is that SOC manager that is using us to verify that their security tools are actually working. So their Splunk environment is logging the right data. It's integrating properly with CrowdStrike, it's integrating properly with their active directory services and their password policies. So the SOC manager is using us to verify the effectiveness of their security controls. The second use case is the IT director that is using us to proactively harden their systems. Did they install VMware correctly? Did they install their Cisco gear correctly? Are they patching right? And then the third are for the companies that are lucky to have their own internal pen test and red teams where they use us like a force multiplier. 
So if you've got 10 people on your red team and you still have a million IPs or hosts in your environment, you still don't have enough people for that coverage. So they'll use us to do recon at scale and attack at scale and let the humans focus on the really juicy hard stuff that humans are successful at. >> Love the product. Again, I'm trying to think about how I engage on the test. Is there pilots? Is there a demo version? >> There's a free trials. So we do 30 day free trials. The output can actually be used to meet your SOC 2 requirements. So in many ways you can just use us to get a free SOC 2 pen test report right now, if you want. Go to the website, log in for a free trial, you can log into your Google ID or your LinkedIn ID, run a pen test against your organization and use that to answer your PCI segmentation test requirements, your SOC 2 requirements, but you will be hooked. You will want to run us more often. And you'll get a Horizon3 tattoo. >> The first hits free as they say in the drug business. >> Yeah. >> I mean, so you're seeing that kind of response then, trial converts. >> It's exactly. In fact, we have a very well defined aha moment, which is you run us to find, you fix, you run us to verify, we have 100% technical win rate when our customers hit a find, fix, verify cycle, then it's about budget and urgency. But 100% technical win rate because of that aha moment, 'cause people realize, holy crap, I don't have to wait six months to verify that my problems have actually been fixed. I can just come in, click, verify, rerun the entire pen test or rerun a very specific part of it on what I just patched my environment. >> Congratulations, great stuff. You're here part of the AWS Startup Showcase. So I have to ask, what's the relationship with AWS, you're on their cloud. What kind of actions going on there? Is there secret sauce on there? What's going on? >> So one is we are AWS customers ourselves, our brains command and control infrastructure. 
All of our analytics are all running on AWS. It's amazing, when we run a pen test, we are able to use AWS and we'll spin up a virtual private cloud just for that pen test. It's completely ephemeral, it's all Lambda functions and graph analytics and other techniques. When the pen test ends, you can delete, there's a single use Docker container that gets deleted from your environment so you have nothing on-prem to deal with and the entire virtual private cloud tears itself down. So at any given moment, if we're running 50 pen tests or a hundred pen tests, self-service, there's a hundred virtual private clouds being managed in AWS that are spinning up, running and tearing down. It's an absolutely amazing underlying platform for us to make use of. Two is that many customers that have hybrid environments. So they've got a cloud infrastructure, an Office 365 infrastructure and an on-prem infrastructure. We are a single attack platform that can test all of that together. No one else can do it. And so the AWS customers that are especially AWS hybrid customers are the ones that we do really well targeting. >> Got it. And that's awesome. And that's the benefit of cloud? >> Absolutely. And the AWS marketplace. What's absolutely amazing is the competitive advantage being part of the marketplace has for us, because the simple thing is my customers, if they already have dedicated cloud spend, they can use their approved cloud spend to pay for Horizon3 through the marketplace. So you don't have to, if you already have that budget dedicated, you can use that through the marketplace. The other is you've already got the vendor processes in place, you can purchase through your existing AWS account. So what I love about the AWS company is one, the infrastructure we use for our own pen test, two, the marketplace, and then three, the customers that span that hybrid cloud environment. That's right in our strike zone. >> Awesome. Well, congratulations. 
And thanks for being part of the showcase and I'm sure your product is going to do very, very well. It's very built for what people want. Self-service get in, get the value quickly. >> No agents to install, no consultants to hire. Safe to run against production. It's what I wanted. >> Great to see you and congratulations and what a great story. And we're going to keep following you. Thanks for coming on. >> Snehal: Phenomenal. Thank you, John. >> This is the AWS Startup Showcase. I'm John Furrier, your host. This is season two, episode four on cybersecurity. Thanks for watching. (upbeat music)
Snehal Antani, Horizon3.ai | CUBE Conversation
(upbeat music) >> Hey, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase, season two, episode four. I'm your host, Lisa Martin. This topic is cybersecurity detect and protect against threats. Very excited to welcome a CUBE alumni back to the program. Snehal Antani, the co-founder and CEO of Horizon3 joins me. Snehal, it's great to have you back in the studio. >> Likewise, thanks for the invite. >> Tell us a little bit about Horizon3, what is it that you guys do? You were founded in 2019, got a really interesting group of folks with interesting backgrounds, but talk to the audience about what it is that you guys are aiming to do. >> Sure, so maybe back to the problem we were trying to solve. So my background, I was an engineer by trade, I was a CIO at GE Capital, CTO at Splunk and helped grow scale that company. And then took a break from industry to serve within the Department of Defense. And in every one of my jobs where I had cyber security in my responsibility, I suffered from the same problem. I had no idea I was secure or that we were fixing the right vulnerabilities or logging the right data in Splunk or that our tools and processes and people worked together well until the bad guys had showed up. And by then it was too late. And what I wanted to do was proactively verify my security posture, make sure that my security tools were actually effective, that my people knew how to respond to a breach before the bad guys were there. And so this whole idea of continuously verifying my security posture through security testing and pen testing became a passion project of mine for over a decade. And through my time in the DOD found the right group of an early people that had offensive cyber experience, that had defensive cyber experience, that knew how to build and ship and deliver software at scale. And we came together at the end of 2019 to start Horizon3. >> Talk to me about the current threat landscape. 
We've seen so much change in flux in the last couple of years. Globally, we've seen the threat actors are just getting more and more sophisticated as is the different types of attacks. What are you seeing kind of horizontally across the threat landscape? >> Yeah, the biggest thing is attackers don't have to hack in using Zero-days like you see in the movies. Often they're able to just log in with valid credentials that they've collected through some mechanism. As an example, if I wanted to compromise a large organization, say United Airlines, one of the things that an attacker's going to go off and do is go to LinkedIn and find all of the employees that work at United Airlines. Now you've got say, 7,000 pilots. Of those pilots, you're going to figure out quickly that their user IDs and passwords or their user IDs at least are first name, last initial @united.com. Cool, now I have 7,000 potential logins and all it takes is one of them to reuse a compromised password for their corporate email, and now you've got an initial user in the system. And most likely, that initial user has local admin on their laptops. And from there, an attacker can dump credentials and find a path to becoming a domain administrator. And what happens oftentimes is, security tools don't detect this because it looks like valid behavior in the organization. And this is pretty common, this idea of collecting information on an organization or a target using open source intelligence, using a mix of credential spraying and kind of low priority or low severity exploitations or misconfigurations to get in. And then from there, systematically dumping credentials, reusing those credentials, and finding a path towards compromise. And less than 2% of CVEs are actually used in exploits. Most of the time, attackers chain together misconfigurations, bad product defaults. And so really the threat landscape is, attackers don't hack in, they log in. 
And organizations have to focus on getting the basics right and fundamentals right first before they layer on some magic easy button that is some security AI tools hoping that that's going to save their day. And that's what we found systemically across the board. >> So you're finding that across the board, probably pan-industry that a lot of companies need to go back to basics. We talk about that a lot when we're talking about security, why do you think that is? >> I think it's because, one, most organizations are barely treading water. When you look at the early rapid adopters of Horizon3's pen testing product, autonomous pen testing, the early adopters tended to be teams where the IT team and the security team were the same person, and they were barely treading water. And the hardest part of my job as a CIO was deciding what not to fix. Because the bottleneck in the security process is the actual capacity to fix problems. And so, fiercely prioritizing issues becomes really important. But the tools and the processes don't focus on prioritizing what's exploitable, they prioritize by some arbitrary score from some arbitrary vulnerability scanner. And so we have as a fundamental breakdown of the small group of folks with the expertise to fix problems tend to be the most overworked and tend to have the most noise to need to sift through. So they don't even have time to get to the basics. They're just barely treading water doing their day jobs and they're often sacrificing their nights and weekends. All of us at Horizon3 were practitioners at one point in our career, we've all been called in on the weekend. So that's why what we did was fiercely focus on helping customers and users fix problems that truly matter, and allowing them to quickly reattack and verify that the problems were truly fixed. >> So when it comes to today's threat landscape, what is it that organizations across the board should really be focused on? 
>> I think, systemically, what we see are bad password or credential policies, least access privileged management type processes not being well implemented. The domain user tends to be the local admin on the box, no ability to understand what is a valid login versus a malicious login. Those are some of the basics that we see systemically. And if you layer that with it's very easy to say, misconfigure vCenter, or misconfigure a piece of Cisco gear, or you're not going to be installing, monitoring security observability tools on that HPE Integrated Lights Out server and so on. What you'll find is that you've got people overworked that don't have the capacity to fix. You have the fundamentals or the basics not well implemented. And you have a whole bunch of blind spots in your security posture. And defenders have to be right every time, attackers only have to be right once. And so what we have is this asymmetric fight where attackers are very likely to get in, and we see this on the news all the time. >> So, and nobody, of course, wants to be the next headline, right? Talk to me a little bit about autonomous pen testing as a service, what you guys are delivering, and what makes it unique and different than other tools that have been out, as you're saying, that clearly have gaps. >> Yeah. So first and foremost was the approach we took in building our product. What we set upfront was, our primary users should be IT administrators, network engineers, and that IT intern who, in three clicks, should have the power of a 20-year pen testing expert. So the whole idea was empower and enable all of the fixers to find, fix, and verify their security weaknesses continuously. That was the design goal. Most other security products are designed for security people, but we already know they're task saturated, they've got way too many tools under the belt. So first and foremost, we wanted to empower the fixers to fix problems that truly matter. 
The second part was, we wanted to do that without having to install credentialed agents all over the place or writing your own custom attack scripts, or having to do a bunch of configurations and make sure that it's safe to run against production systems so that you could test your entire attack surface. Your on-prem, your cloud, your external perimeter. And this is where AWS comes in to be very important, especially hybrid customers where you've got a portion of your infrastructure on AWS, a portion on-prem, and you use Horizon3 to be able to attack your complete attack surface. So we can start on-prem and we will find say, the AWS credentials file that was mistakenly saved on a shared drive, and then reuse that to become admin in the cloud. AWS didn't do anything wrong, the cloud team didn't do anything wrong, a developer happened to share a password or save a password file locally. That's how attackers get in. So we can start from on-prem and show how we can compromise the cloud, start from the cloud and show how we can compromise on-prem. Start from the outside and break in. And we're able to show that complete attack surface at scale for hybrid customers. >> So showing that complete attack surface sort of from the eyes of the attacker? >> That's exactly right, because while blue teams or the defenders have a very specific view of their environment, you have to look at yourself through the eyes of the attacker to understand what are your blind spots, what do they see that you don't see. And it's actually a discipline that is well entrenched within military culture. And that's also important for us as the company. We're about a third of Horizon3 served in US special operations or the intelligence community with the United States, and then DOD writ large. 
And a lot of that red team mindset, view yourself through the eyes of the attacker, and this idea of training like you fight and building muscle memory so you know how to react to the real incident when it occurs is just ingrained in how we operate, and we disseminate that culture through all of our customers as well. >> And at this point in time, every business needs to assume an attacker's going to get in. >> That's right. There are way too many doors and windows in the organization. Attackers are going to get in, whether it's a single customer that reused their Netflix password for their corporate email, a patch that didn't get applied properly, or a new Zero-day that just gets published. A piece of Cisco software that was misconfigured, not by anything more than it's easy to misconfigure these complex pieces of technology. Attackers are going to get in. And what we want to understand as customers is, once they're in, what could they do? Could they get to my crown jewels data and systems? Could they burrow and prepare for a much more complicated attack down the road? If you assume breach, now you want to understand what can they get to, how quickly can you detect that breach, and what are your ways to stifle their ability to achieve their objectives. And culturally, we would need a shift from talking about how secure I am to how defensible are we. Security is kind of a point in time state of your organization. Defensibility is how quickly you can adapt to the attacker to stifle their ability to achieve their objective. >> As things are changing constantly. >> That's exactly right. >> Yeah. Talk to me about a typical customer engagement. If there's, you mentioned folks treading water, obviously, there's the huge cybersecurity skills gap that we've been talking about for a long time now, that's another factor there. But when you're in customer conversations, who are you talking to? Typically, what are they coming to you for help? >> Yeah. 
One big thing is, you're not going to win and win a customer by taking 'em out to steak dinners. Not anymore. The way we focus on our go to market and our sales motion is cultivating champions. At the end of the proof of concept, our internal measure of successes is, is that person willing to get a Horizon3 tattoo? And you do that, not through steak dinners, not through cool swag, not through marketing, but by letting your results do the talking. Now, part of those results should not require professional services or consulting. The whole experience should be self-service, frictionless, and insightful. And that really is how we've designed the product and designed the entire sales motion. So a prospect will learn or discover about us, whether it's through LinkedIn, through social, through the website, but often because one of their friends or colleagues heard about us, saw our result, and is advocating on our behalf when we're not in the room. From there, they're going to be able to self-service, just log in to our product through their LinkedIn ID, their Google ID. They can engage with a salesperson if they want to. They can run a pen test right there on the spot against their home without any interaction with a sales rep. Let those results do the talking, use that as a starting point to engage in a more complicated proof of value. And the whole idea is we don't charge for these, we let our results do the talking. And at the end, after they've run us to find problems, they've gone off and fixed those issues, and they've rerun us to verify that what they've fixed was properly fixed, then they're hooked. And we have a hundred percent technical win rate with our prospects when they hit that find-fix-verify cycle, which is awesome. And then we get the tattoo for them, at least give them the template. And then we're off to the races. >> Sounds like you're making the process more simple. 
There's so much complexity behind it, but allowing users to be able to actually test it out themselves in a simplified way is huge. Allowing them to really focus on becoming defensible. >> That's exactly right. And the value is, especially now in security, there's so much hype and so much noise. There's a lot more time being spent self-discovering and researching technologies before you engage in a commercial discussion. And so what we try to do is optimize that entire buying experience around enabling people to discover and research and learn. The other part, remember is, offensive cyber and ethical hacking and so on is very mysterious and magical to most defenders. It's such a complicated topic with many nuanced tools that they don't have the time to understand or learn. And so if you surface the complexity of all those attacker tools, you're going to overwhelm a person that is already overwhelmed. So we needed the experience to be incredibly simple and optimize that find-fix-verify aha moment. And once again, be frictionless and be insightful. >> Frictionless and insightful. Excellent. Talk to me about results, you mentioned results. We love talking about outcomes. When a customer goes through the PoC, PoV that you talked about, what are some of the results that they see that hook them? >> Yeah, the biggest thing is, what attackers do today is they will find a low from machine one plus a low from machine two equals compromised domain. What they're doing is they're chaining together issues across multiple parts of your system or your organization to pwn your environment. What attackers don't do is find a critical vulnerability and exploit that single machine. It's always a chain, always multiple steps in the attack. And so the entire product and experience in, actually, our underlying tech is around attack paths. Here is the path, the attack path an attacker could have taken. That node zero our product took. 
Here is the proof of exploitation for every step along the way. So you know this isn't a false positive. In fact, you can copy and paste the attacker command from the product and rerun it yourself and see it for yourself. And then here is exactly what you have to go fix and why it's important to fix. So that path, proof, impact, and fix action is what the entire experience is focused on. And that is the results doing the talking, because remember, these folks are already overwhelmed, they're dealing with a lot of false positives. And if you tell them you've got another critical to fix, their immediate reaction is "Nope, I don't believe you. This is a false positive. I've seen this plenty of times, that's not important." So you have to, in your product experience and sales process and adoption process, immediately cut through that defensive or that reflex. And it's path, proof, impact. Here's exactly what you fix, here are the exact steps to fix it, and then you're off to the races. What I learned at Splunk was, you win hearts and minds of your users through amazing experience, product experience, amazing documentation. >> Yes. >> And a vibrant community of champions. Those are the three ingredients of success, and we've really made that the core of the product. So we win on our documentation, we win on the product experience, and we've cultivated a pretty awesome community. >> Talk to me about some of those champions. Is there a customer story that you think really articulates the value of NodeZero and what it is that you are doing? >> Yeah, I'll tell you a couple. Actually, I just gave this talk at Black Hat on war stories from running 10,000 pen tests. And I'll try to be gentle on the vendors that were involved here, but the reality is, you got to be honest and authentic. So a customer, a healthcare organization ran a pen test and they were using a very well-known managed security services provider as their security operations team. 
And so they initiate the pen test and they wanted to audit their response time of their MSSP. So they run the pen test and we're in and out. The whole pen test runs two hours or less. And in those two hours, the pen test compromises the domain, gets access to a bunch of sensitive data, laterally maneuvers, rips the entire environment apart. It took seven hours for the MSSP to send an email notification to the IT director that said, "Hey, we think something suspicious is going on." >> Wow. >> Seven hours! >> That's a long time. >> We were in and out in two, seven hours for notification. And the issue with that healthcare company was, they thought they had hired the right MSSP, but they had no way to audit their performance. And so we gave them the details and the ammunition to get services credits to hold them accountable and also have a conversation of switching to somebody else. >> Accountability is key, especially when we're talking about the threat landscape and how it's evolving day to day. >> That's exactly right. Accountability of your suppliers or your security vendors, accountability of your people and your processes, and not having to wait for the bad guys to show up to test your posture. That's what's really important. Another story that's interesting. This customer did everything right. It was a banking customer, large environment, and they had Fortinet installed as their EDR type platform. And they initiate us as a pen test and we're able to get code execution on one of their machines. And from there, laterally maneuver to become a domain administrator, which in security is a really big deal. So they came back and said, "This is absolutely not possible. Fortinet should have stopped that from occurring." And it turned out, because we showed the path and the proof and the impact, Fortinet was misconfigured on three machines out of 5,000. And they had no idea. >> Wow. 
>> So it's one of those, you want to don't trust that your tools are working, don't trust your processes, verify them. Show me we're secure today. Show me we're secure tomorrow. And then show me again we're secure next week. Because my environment's constantly changing and the adversary always has a vote. >> Right, the constant change in flux is a huge challenge for organizations, but those results clearly speak for themselves. You talked about speed in terms of time, how quickly can a customer deploy your technology, identify and remedy problems in their environment? >> Yeah, this find-fix-verify aha moment, if you will. So traditionally, a customer would have to maybe run one or two pen tests a year. And then they'd go off and fix things. They have no capacity to test them 'cause they don't have the internal attack expertise. So they'd wait for the next pen test and figure out that they were still exploitable. Usually, this year's pen test results look identical to last year's. That isn't sustainable. So our customers shift from running one or two pen tests a year to 40 pen tests a month. And they're in this constant loop of finding, fixing, and verifying all of the weaknesses in their infrastructure. Remember, there's infrastructure pen testing, which is what we are really good at, and then there's application level pen testing that humans are much better at solving. >> Okay. >> So we focus on the infrastructure side, especially at scale. But can you imagine, 40 pen tests a month, they run from the perimeter, the inside from a specific subnet, from work from home machines, from the cloud. And they're running these pen tests from many different perspectives to understand what does the attacker see from each of these locations in their organization and how do they systemically fix those issues? And what they look at is, how many critical problems were found, how quickly were they fixed, how often do they reoccur. 
And that third metric is important because you might fix something, but if it shows up again next week because you've got bad automation, you're in a rat race. So you want to look at that reoccurrence rate also. >> The reoccurrence rate. What are you most excited about as, obviously, the threat landscape continues to evolve, but what are you most excited about for the company and what it is that you're able to help organizations across industries achieve in such tumultuous times? >> Yeah. One of the coolest things is, because I was a customer for many of these products, I despised threat intelligence products. I despised them. Because they were basically generic blog posts. Maybe delivered as a data feed to my Splunk environment or something. But they're always really generic. Like, "You may have a problem here." And as a result, they weren't very actionable. So one of the really cool things that we do, it's just part of the product is this concept of flares, flares that we shoot up. And the idea is not to cause angst or anxiety or panic, but rather we look at threat intelligence and then because all of the insights we have from your pen test results, we connect those two together and say, "Your VMware Horizon instance at this IP is exploitable. You need to fix it as fast as possible, or it is very likely to be exploited. And here is the threat intelligence and in the news from CISA and elsewhere that shows why it's important." So I think what is really cool is we're able to take together threat intelligence out in the wild combined with very precise understanding of your environment to give you very accurate and actionable starting points for what you need to go fix or test or verify. And when we do that, what we see is almost like, imagine this ball bouncing, that is the first drop of the ball, and then that drives the first major pen test. And then they'll run all these subsequent pen tests to continue to find and fix and verify. 
And so what we see is this tremendous amount of excitement from customers that we're actually giving them accurate, detailed information to take advantage of, and we're not causing panic and we're not causing alert fatigue as a result. >> That's incredibly important in this type of environment. Last question for you. If autonomous pen testing is obviously critical and has a tremendous amount of potential for organizations, but it's only part of the equation. What's the larger vision? >> Yeah, we are not a pen testing company and that's something we decided upfront. Pen testing is a sensor. It collects and understands a tremendous amount of data for your attack surface. So the natural next thing is to analyze the pen test results over time to start to give you a more accurate understanding of your governance, risk, and compliance posture. So now what happens is, we are able to allow customers to go run 40 pen tests a month. And that kind of becomes the initial land or flagship product. But then from there, we're able to upsell or increase value to our customers and start to compete and take out companies like Security Scorecard or RiskIQ and other companies like that, where there tended to be, I was a user of all those tools, a lot of garbage in, garbage out. Where you can't fill out a spreadsheet and get an accurate understanding of your risk posture. You need to look at your detailed pen test results over time and use that to accurately understand what are your hotspots, what's your recurrence rate and so on. And being able to tell that story to your auditors, to your regulators, to the board. And actually, it gives you a much more accurate way to show return on investment of your security spend also. >> Which is huge. So where can customers and those that are interested go to learn more? >> So horizonthree.ai is the website. That's a great starting point. 
We tend to very much rely on social channels, so LinkedIn in particular, to really get our stories out there. So finding us on LinkedIn is probably the next best thing to go do. And we're always at the major trade shows and events also. >> Excellent. Snehal, it's been a pleasure talking to you about Horizon3, what it is that you guys are doing, why, and the greater vision. We appreciate your insights and your time. >> Thank you, likewise. >> All right. For my guest, I'm Lisa Martin. We want to thank you for watching the AWS Startup Showcase. We'll see you next time. (gentle music)
Snehal Antani S2 E4 Final
>> Hey everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase, season two, episode four. I'm your host, Lisa Martin. This topic is cybersecurity: detect and protect against threats. Very excited to welcome a CUBE alumni back to the program. Snehal Antani, the co-founder and CEO of Horizon3, joins me. Snehal, it's great to have you back in the studio. >> Likewise, thanks for the invite. >> Tell us a little bit about Horizon3. What is it that you guys do? You were founded in 2019, got a really interesting group of folks with interesting backgrounds, but talk to the audience about what it is that you guys are aiming to do. >> Sure. So maybe back to the problem we were trying to solve. So my background, I was an engineer by trade. I was a CIO at G Capital, CTO at Splunk, and helped grow and scale that company, and then took a break from industry to serve within the Department of Defense. And in every one of my jobs where I had cybersecurity in my responsibility, I suffered from the same problem. I had no idea I was secure or that we were fixing the right vulnerabilities or logging the right data in Splunk or that our tools and processes and people worked together well until the bad guys had showed up. And by then it was too late. And what I wanted to do was proactively verify my security posture, make sure that my security tools were actually effective, that my people knew how to respond to a breach before the bad guys were there. And so this whole idea of continuously verifying my security posture through security testing and pen testing became a passion project of mine for over a decade. And I, through my time in the DOD, found the right group of early people that had offensive cyber experience, that had defensive cyber experience, that knew how to build and ship and deliver software at scale. And we came together at the end of 2019 to start Horizon3. >> Talk to me about the current threat landscape. 
We've seen so much change in flux in the last couple of years globally. We've seen, you know, the threat actors are just getting more and more sophisticated, as are the different types of attacks. What are you seeing kind of horizontally across the threat landscape? >> Yeah. The biggest thing is attackers don't have to hack in using zero-days like you see in the movies. Often they're able to just log in with valid credentials that they've collected through some mechanism. As an example, if I wanted to compromise a large organization, say United Airlines, one of the things that an attacker's going to go off and do is go to LinkedIn and find all of the employees that work at United Airlines. Now you've got, say, 7,000 pilots. Of those pilots, you're going to figure out quickly that their usernames and passwords, or their usernames at least, are first name, last initial @united.com. Cool. Now I have 7,000 potential logins, and all it takes is one of them to reuse a compromised password for their corporate email. And now you've got an initial user in the system, and most likely that initial user has local admin on their laptops. And from there, an attacker can dump credentials and find a path to becoming a domain administrator. And what happens oftentimes is security tools don't detect this because it looks like valid behavior in the organization. And this is pretty common, this idea of collecting information on an organization or a topic or target using open source intelligence, using a mix of credential spraying and kind of low priority or low severity exploitations or misconfigurations to get in. And then from there, systematically dumping credentials, reusing those credentials, and finding a path towards compromise. And almost less than 2% of CVEs are actually used in exploits. Most of the time attackers chain together misconfigurations, bad product defaults. And so really the threat landscape is, attackers don't hack in. 
They log in. And organizations have to focus on getting the basics right and fundamentals right first, before they layer on some magic easy button that is some security AI tools, hoping that that's going to save their day. And that's what we found systemically across the board. >> So you're finding that across the board, probably pan-industry, that a lot of companies need to go back to basics. We talk about that a lot when we're talking about security. Why do you think that is? >> I think it's because, one, most organizations are barely treading water. When you look at the early rapid adopters of Horizon3's pen testing product, autonomous pen testing, the early adopters tended to be teams where the IT team and the security team were the same person, and they were barely treading water. And the hardest part of my job as a CIO was deciding what not to fix, because the bottleneck in the security process is the actual capacity to fix problems. And so fiercely prioritizing issues becomes really important. But the tools and the processes don't focus on prioritizing what's exploitable; they prioritize, you know, by some arbitrary score from some arbitrary vulnerability scanner. And so we have as a fundamental breakdown: the small group of folks with the expertise to fix problems tend to be the most overworked and tend to have the most noise to need to sift through. So they don't even have time to get to the basics. They're just barely treading water doing their day jobs. And they're often sacrificing their nights and weekends. All of us at Horizon3 were practitioners at one point in our career; we've all been called in on the weekend. So that's why what we did was fiercely focus on helping customers and users fix problems that truly matter, and allowing them to quickly reattack and verify that the problems were truly fixed. >> So when it comes to today's threat landscape, what is it that organizations across the board should really be focused on? 
>> I think systemically what we see are bad password or credential policies, least access, privileged management type processes not being well implemented. The domain user tends to be the local admin on the box. No ability to understand what is a valid login versus a malicious login. Those are some of the basics that we see systemically. And if you layer that with, it's very easy to, say, misconfigure vCenter or misconfigure a piece of Cisco gear, or you're not going to be installing monitoring and security observability tools on that HP Integrated Lights-Out server, and so on. What you'll find is that you've got people overworked that don't have the capacity to fix. You have the fundamentals or the basics not well implemented. And you have a whole bunch of blind spots in your security posture. And defenders have to be right every time; attackers only have to be right once. And so what we have is this asymmetric fight where attackers are very likely to get in. And we see this on the news all the time. >> And nobody, of course, wants to be the next headline, right? Talk to me a little bit about autonomous pen testing as a service, what you guys are delivering and what makes it unique and different than other tools that have been out there, as you're saying, that clearly have gaps. >> Yeah. So first and foremost was the approach we took in building our product. What we set up front was, our primary users should be IT administrators, network engineers, and that IT intern who in three clicks should have the power of a 20-year pen testing expert. So the whole idea was empower and enable all of the fixers to find, fix, and verify their security weaknesses continuously. That was the design goal. Most other security products are designed for security people, but we already know they're task saturated. They've got way too many tools under the belt. So first and foremost, we wanted to empower the fixers to fix problems 
that truly matter. The second part was, we wanted to do that without having to install credentialed agents all over the place or writing your own custom attack scripts, or having to do a bunch of configurations, and make sure that it's safe to run against production systems so that you could test your entire attack surface: your on-prem, your cloud, your external perimeter. And this is where AWS comes in to be very important, especially hybrid customers where you've got a portion of your infrastructure on AWS, a portion on-prem, and you use Horizon3 to be able to attack your complete attack surface. So we can start on-prem and we will find, say, the AWS credentials file that was mistakenly saved on a share drive, and then reuse that to become admin in the cloud. AWS didn't do anything wrong. The cloud team didn't do anything wrong. A developer happened to share a password or save a password file locally. That's how attackers get in. So we can start from on-prem and show how we can compromise the cloud, start from the cloud and show how we can compromise on-prem, start from the outside and break in. And we're able to show that complete attack surface at scale for hybrid customers. >> So showing that complete attack surface sort of from the eyes of the attacker. >> That's exactly right, because while blue teams or the defenders have a very specific view of their environment, you have to look at yourself through the eyes of the attacker to understand what are your blind spots. What do they see that you don't see? And it's actually a discipline that is well entrenched within military culture. And that's also important for us as the company. About a third of Horizon3 served in US special operations or the intelligence community with the United States, and then DOD writ large. And a lot of that red team mindset, view yourself through the eyes of the attacker, and this idea of training like you fight and building muscle memories 
so you know how to react to the real incident when it occurs, is just ingrained in how we operate. And we disseminate that culture through all of our customers as well. >> And at this point in time, every business needs to assume an attacker's going to get in. >> That's right. There are way too many doors and windows in the organization. Attackers are going to get in, whether it's a single customer that reused their Netflix password for their corporate email, a patch that didn't get applied properly, or a new zero-day that just gets published, a piece of Cisco software that was misconfigured, you know, not by anything more than it's easy to misconfigure these complex pieces of technology. Attackers are going to get in. And what we want to understand as customers is, once they're in, what could they do? Could they get to my crown jewels data and systems? Could they burrow and prepare for a much more complicated attack down the road? If you assume breach, now you want to understand what can they get to, how quickly can you detect that breach, and what are your ways to stifle their ability to achieve their objectives. And culturally, we would need a shift from talking about how secure I am to how defensible are we. Security is kind of a state, a point-in-time state of your organization. Defensibility is how quickly you can adapt to the attacker to stifle their ability to achieve their objective. >> As things are changing constantly. >> That's exactly right. >> Yeah. Talk to me about a typical customer engagement. If there's, you mentioned folks treading water, obviously there's the huge cybersecurity skills gap that we've been talking about for a long time now. That's another factor there. But when you're in customer conversations, who are you talking to? What typically are, what are they coming to you for help? >> Yeah. One big thing is, you're not going to win and win a customer by taking 'em out to steak dinners. Not anymore. 
The way we focus on our go-to-market and our sales motion is cultivating champions. At the end of the proof of concept, our internal measure of success is, is that person willing to get a Horizon3 tattoo? And you do that, not through steak dinners, not through cool swag, not through marketing, but by letting your results do the talking. Now, part of those results should not require professional services or consulting. The whole experience should be self-service, frictionless, and insightful. And that really is how we've designed the product and designed the entire sales motion. So a prospect will learn or discover about us, whether it's through LinkedIn, through social, through the website, but often because one of their friends or colleagues heard about us, saw our result, and is advocating on our behalf when we're not in the room. From there, they're going to be able to self-service, just log in to our product through their LinkedIn ID, their Google ID. They can engage with a salesperson if they want to. They can run a pen test right there on the spot against their home without any interaction with a sales rep. Let those results do the talking, use that as a starting point to engage in a more complicated proof of value. And the whole idea is we don't charge for these, we let our results do the talking. And at the end, after they've run us to find problems, they've gone off and fixed those issues, and they've rerun us to verify that what they've fixed was properly fixed, then they're hooked. And we have a hundred percent technical win rate with our prospects when they hit that find-fix-verify cycle, which is awesome. And then we get the tattoo for them, at least give them the template. And then we're off to the races. >> It sounds like you're making the process more simple. There's so much complexity behind it, but allowing users to be able to actually test it out themselves in a simplified way is huge. 
Allowing them to really focus on becoming defensible. >> That's exactly right. And you know, the value is, especially now in security, there's so much hype and so much noise. There's a lot more time being spent self-discovering and researching technologies before you engage in a commercial discussion. And so what we try to do is optimize that entire buying experience around enabling people to discover and research and learn. The other part, remember is, offensive cyber and ethical hacking and so on is very mysterious and magical to most defenders. It's such a complicated topic with many nuanced tools that they don't have the time to understand or learn. And so if you surface the complexity of all those attacker tools, you're going to overwhelm a person that is already overwhelmed. So we needed the experience to be incredibly simple and optimize that find-fix-verify aha moment. And once again, be frictionless and be insightful. >> Frictionless and insightful. Excellent. Talk to me about results. You mentioned results. We love talking about outcomes. When a customer goes through the PoC, PoV that you talked about, what are some of the results that they see that hook them? >> Yeah. The biggest thing is, what attackers do today is they will find a low from machine one plus a low from machine two equals compromised domain. What they're doing is they're chaining together issues across multiple parts of your system or your organization to own your environment. What attackers don't do is find a critical vulnerability and exploit that single machine. It's always a chain, always multiple steps in the attack. And so the entire product and experience in, actually, our underlying tech is around attack paths. Here is the path, the attack path an attacker could have taken, you know, that NodeZero, our product, took. Here is the proof of exploitation for every step along the way. 
So you know this isn't a false positive. In fact, you can copy and paste the attacker command from the product and rerun it yourself and see it for yourself. And then here is exactly what you have to go fix and why it's important to fix. So that path, proof, impact, and fix action is what the entire experience is focused on. And that is the results doing the talking, because remember, these folks are already overwhelmed. They're dealing with a lot of false positives. And if you tell them you've got another critical to fix, their immediate reaction is "Nope, I don't believe you. This is a false positive. I've seen this plenty of times. That's not important." So you have to, in your product experience and sales process and adoption process, immediately cut through that defensive or that reflex. And it's path, proof, impact. Here's exactly what you fix, here are the exact steps to fix it, and then you're off to the races. What I learned at Splunk was, you win hearts and minds of your users through amazing experience, product experience, amazing documentation. >> Yes. >> And a vibrant community of champions. Those are the three ingredients of success, and we've really made that the core of the product. So we win on our documentation, we win on the product experience, and we've cultivated a pretty awesome community. >> Talk to me about some of those champions. Is there a customer story that you think really articulates the value of NodeZero and what it is that you are doing? >> Yeah. I'll tell you a couple. Actually, I just gave this talk at Black Hat on war stories from running 10,000 pen tests. And I'll try to be gentle on the vendors that were involved here, but the reality is, you got to be honest and authentic. So a customer, a healthcare organization ran a pen test and they were using a very well-known managed security services provider as their security operations team. 
And so they initiate the pen test and they wanted to audit their response time of their MSSP. So they run the pen test and we're in and out. The whole pen test runs two hours or less. And in those two hours, the pen test compromises the domain, gets access to a bunch of sensitive data, laterally maneuvers, rips the entire environment apart. It took seven hours for the MSSP to send an email notification to the IT director that said, "Hey, we think something suspicious is going on." >> Wow. >> Seven hours! >> That's a long time. >> We were in and out in two, seven hours for notification. And the issue with that healthcare company was, they thought they had hired the right MSSP, but they had no way to audit their performance. And so we gave them the details and the ammunition to get services credits to hold them accountable and also have a conversation of switching to somebody else. >> That accountability is key, especially when we're talking about the threat landscape and how it's evolving day to day. >> That's exactly right. Accountability of your suppliers or your security vendors, accountability of your people and your processes, and not having to wait for the bad guys to show up to test your posture. That's what's really important. Another story that's interesting. This customer did everything right. It was a banking customer, large environment, and they had Fortinet installed as their EDR type platform. And they initiate us as a pen test and we're able to get code execution on one of their machines. And from there, laterally maneuver to become a domain administrator, which in security is a really big deal. So they came back and said, "This is absolutely not possible. Fortinet should have stopped that from occurring." And it turned out, because we showed the path and the proof and the impact, Fortinet was misconfigured on three machines out of 5,000. And they had no idea. >> Wow. 
So it's one of those you wanna don't trust that your tools are working. Don't trust your processes. Verify them. Show me we're secure today. Show me we're secure tomorrow. And then show me again we're secure next week, because my environment's constantly changing. And the, and the adversary always has a vote. >>Right. The, the constant change in flux is, is a huge challenge for organizations, but those results clearly speak for themselves. You, you talked about the speed in terms of time. How quickly can a customer deploy your technology, identify and remedy problems in their environment? >>Yeah. You know, this find, fix, verify aha moment, if you will. So traditionally a customer would have to maybe run one or two pen tests a year and then they'd go off and fix things. They have no capacity to test them cuz they don't have the internal attack expertise. So they'd wait for the next pen test and figure out that they were still exploitable. Usually this year's pen test results look identical to last year's. That isn't sustainable. So our customers shift from running one or two pen tests a year to 40 pen tests a month. And they're in this constant loop of finding, fixing and verifying all of the weaknesses in their infrastructure. Remember there's infrastructure pen testing, which is what we are really good at. And then there's application level pen testing that humans are much better at solving. Okay. So we focus on the infrastructure side, especially at scale, but can you imagine, so 40 pen tests a month, they run from the perimeter, the inside, from a specific subnet, from work from home machines, from the cloud. And they're running these pen tests from many different perspectives to understand what does the attacker see from each of these locations in their organization and how do they systemically fix those issues? And what they look at is how many critical problems were found, how quickly were they fixed, how often do they reoccur?
And that third metric is important because you might fix something. But if it shows up again next week, because you've got bad automation, you're not gonna, you're in a rat race. So you wanna look at that reoccurrence rate also. >>The recurrence rate. What are you most excited about as obviously the threat landscape continues to evolve, but what are you most excited about for the company and what it is that you're able to help organizations across industries achieve in such tumultuous times? Yeah. You >>Know, one of the coolest things is back because I was a customer for many of these products, I, I despised threat intelligence products. I despised them because they were basically generic blog posts maybe delivered as a, as a, as a data feed to my Splunk environment or something. But they're always really generic. Like you may have a problem here. And as a result, they weren't very actionable. So one of the really cool things that we do, it's just part of the product, is this concept of, of flares, flares that we shoot up. And the idea is not to be, to cause angst or anxiety or panic, but rather we look at threat intelligence and then because all, all the insights we have from your pen test results, we connect those two together and say your VMware Horizon instance at this IP is exploitable. You need to fix it as fast as possible or as very likely to be exploited. >>And here is the threat intelligence and in the news from CSUN elsewhere, that shows why it's important. So I think what is really cool is we're able to take together threat intelligence out in the wild combined with very precise understanding of your environment, to give you very accurate and actionable starting points for what you need to go fix or test or verify. And when we do that, what we see is almost like, imagine this ball bouncing, that is the first drop of the ball. And then that drives the first major pen test.
And then they'll run all these subsequent pen tests to continue to find and fix and verify. And so what we see is this tremendous amount of excitement from customers that we're actually giving them accurate, detailed information to take advantage of, and we're not causing panic and we're not causing alert fatigue as a result. >>That's incredibly important in this type of environment. Last question for you. If, if autonomous pen testing is obviously critical and has tremendous amount of potential for organizations, but it's not, it's only part of the equation. What's the larger vision? >>Yeah. You know, we are not a pen testing company and that's something we decided upfront. Pen testing is a sensor. It collects and understands a tremendous amount of data for your attack surface. So the natural next thing is to analyze the pen test results over time, to start to give you a more accurate understanding of your governance, risk and compliance posture. So now what happens is we are able to allow customers to go run 40 pen tests a month. And that kind of becomes the, the initial land or flagship product. But then from there we're able to upsell or increase value to our customers and start to compete and take out companies like SecurityScorecard or RiskIQ and other companies like that, where there tended to be, I was a user of all those tools, a lot of garbage in, garbage out, okay, where you can't fill out a spreadsheet and get an accurate understanding of your risk posture. You need to look at your detailed pen test results over time and use that to accurately understand what are your hotspots, what's your recurrence rate and so on. And being able to tell that story to your auditors, to your regulators, to the board. And actually it gives you a much more accurate way to show return on investment of your security spend also, which >>Is huge. So where can customers and, and those that are interested go to learn more? >>So horizon3.ai is the website.
That's a great starting point. We tend to very much rely on social channels. So LinkedIn in particular to really get our stories out there. So finding us on LinkedIn is probably the next best thing to go do. And we're always at the major trade shows and events also. >>Excellent, Snehal. It's been a pleasure talking to you about Horizon3, what it is that you guys are doing, why, and the greater vision. We appreciate your insights and your time. >>Thank you, likewise. >>All right. For my guest, I'm Lisa Martin. We wanna thank you for watching the AWS Startup Showcase. We'll see you next time.
Securing the Supercloud | Supercloud22
>>Okay, welcome back everyone to Supercloud 22, this is theCUBE studio's live performance. We're streaming virtually at siliconangle.com and thecube.net. I'm John Furrier, host of theCUBE, with Dave Vellante, with a distinguished panel talking about securing the Supercloud, all CUBE alumni: Gee Rittenhouse, who's the CEO of Skyhigh Security, Piyush Sharma, founder of, of Accurics, sold to Tenable, and Tony Kueh, who's an investor, co-founder, former head of product at VMware. Gents, thanks for coming on and to our inaugural Supercloud pilot event. >>Good to see you guys, big topic. >>Okay. So before we get into securing the cloud, one of the things that we were discussing before we came on camera was how cloud, the relationship between cloud and on premise and multi-cloud and how Supercloud fits into that. At the end of the day, security's driving a lot of the conversations at the op side and dev shift left is happening. We see that out there. So before we get into it, how do you guys see super cloud, Tony? We'll start with you. We'll go down the line. What is Supercloud to you? >>Well, to me, super cloud is really the next evolution, the culmination of the services coming all together, right? As an application developer today, you really don't need to worry about where this thing is sitting or what's the latency cuz, cuz the internet is fast enough. Now I really wanna know what services something provides. What, how do I get access to it now? Security. We'll talk about that later. That, that becomes a, a big issue because of the fragmentation of how security is implemented across all the different vendors. So to me it's an IP address I program to it and you know, off we go, but there's a lot of >>You like that pipe happens >>Iceberg chart, right? Like I'm the developer touching the APIs up there. There's a bunch of other things. BU service. >>Okay. Looking forward again. Gee, what's your take? Obviously we've had many conversations on theCUBE. What's your super cloud update?
>>Yeah, so I, I view it as just an extension of what we see today. Before, like maybe 10 years ago, we were mashing up applications built on other SaaS applications and whatnot. Now we're just extending that down to further primitives. We don't really care where our mashup resides, what cloud platform, where it sits, to Tony's point, as long as you have an IP address. But beyond that, we're just gonna start to get little microservices and deeper into the applications. >>Piyush, what's your take? >>I think, I think super cloud to me is something that don't, don't exist. It exists only on my laptop. That's what super cloud means to me. I know it takes a lot behind the scene to get that working and running. But, but essentially, essentially that the everything having be able to touch physically versus not being able to touch anything is super cloud to me. >>So we, what Victoria was saying. Yeah, we see serverless out there, all these cool things happening. Exactly. And you look at the, some of the successful companies that have come in, I call V two cloud. Some are, some are saying the next gen, they're all building on top of the CapEx. I mean, if, why would you not wanna leverage all that work AWS is doing and now Azure, and obviously Google's out there and you got other, other, other clouds out there. But in terms of AWS as a hyperscaler, they're spending all the money and they're getting better. They're getting lower level. We're talking about some of that yesterday, Databricks, Snowflake, Goldman Sachs, there's industry clouds that could be powerhouse service providers to themselves and their vertical. Then you got specialty clouds. Like there could be a data cloud, there could be an identity cloud. So yeah. How does this sort itself out? How do you guys see that? Because can they coexist?
>>But I think they have to, right, because I, I think, you know, eventually organizations will get big enough where they can be strong and really market leading in multiple segments. But if you think about what it takes to really build a massive scaled out database company, that, that DNA doesn't just overnight translate to identity or translate to video, it takes years to build that up. So in the meantime, all these guys have to understand that they are one part of the service stack to power the next gen solutions. And if they don't play well with each other, then you're gonna have a problem. >>So security, I think, is one of the hardest problems of, of super cloud. And not only do you have too many tools and a lack of talent, but you've now got this new first line of defense, which is the cloud. And the problem is you've got multiple clouds. So you've got multiple first lines of defense with multiple cloud provider tools. And then the CISO, I guess, is the next line of defense with the application development team. You know, there to be the pivot point between strategy and execution. And I guess audit is the third line of the defense. So it's an even more complicated environment. So Gee, how do you see that CSO role changing and, and can there actually be a unified security layer in Supercloud? >>Yeah, so I believe that that they can be, the role is definitely changing because now a CSO actually has to have a basic understanding of how clouds work, the dependency of clouds on the, on the business that they serve. And, and this is to your point, not only do we have these new lines and opening up an attack surface, but they're coupled together. So we have supply chain type connections between this. So there's a coherence across these systems that a CISO has to kind of think about, not only these Bo cloud boundaries, but the trust boundaries between them.
So classic example visibility, wh what, where are these things and what are the dependencies in my business, then of course you mentioned compliance. Am I regulatory? And then of course protecting and responding to this, >>You know? Yeah. The, the, the supply chain piece that you just mentioned. I mean, I feel like there's like these milestones. Stuxnet was a milestone, you know, obvious, obviously Log4j was another one, the supply chain hack with SolarWinds. Yep. You know, it's just, the adversary just keeps getting stronger and stronger and, and, and more agile. So, so is this a data? Do we solve this as a data problem? Is it, you know, you can't just throw more infrastructure at it. What are your thoughts >>For it? I think, you know, great, great point that you brought up. We need to look at things very fundamentally. What is happening is security has the most difficult job in the cloud, especially super cloud. The poor guys are managing some, managing something or securing something that they can't govern, right? Your, your custodian of the cloud is your developers and DevOps, they are the ones who are defining, creating, destroying things in the cloud. And that guy sitting at the end of the tunnel, looking at things that what he gets and he has to immediately respond. That's why it has to be fundamentally solved. Number one, we talked about supply chain. We talked about the, the, the Stuxnet to WannaCry, to SolarWinds, to, you know, the most recent one on the pipeline. One interesting phenomena is that the way industry has moved to super cloud, the attackers are also moving, them super attackers, right? They have stopped. They have not stopped, but they have started slowly moving to the left, which is the governance part. So they have started attacking your source code, you know, impersonating the codes, replacing the binary, finding one is there. So if they can, if the cloud is built so early, why can't I go early and, and, and inject myself.
>>So super hackers is coming to super, thinking Hollywood right now. I mean, that brings up a good point. I mean, this whole trust thing is huge. I mean, I hear zero trust. I think, wait a minute, that's not the conference I was just at. We went to, we managed, we work with DockerCon and they were talking about trust services. Yeah. So supply chain source code has trust brokering going on. And yet you got zero trust, which is, which, are they contextually different? I mean, what, what, >>What, from my perspective, though, the same, in that zero trust is a framework that starts with minimum privileges and then builds up those privileges over time. Normally in today's dialogue, zero trust is around access. I'm not having a broad access. I'm having a narrow access around an application, but you can also extend those principles to usage. What can, how much privilege do I have within an application? I have to build up my trust to enhance and, and get extended privileges within an application. Of course you can then extend this naturally to applications, APIs, applications talking with each other. And so by you, you have to restrict the attack surface that is based on a trust model fundamentally. And then to your point, I mean, there's always this residual that you have to deal with afterwards. >>So, so super cloud implies more surface area. You're talking about private. So here we go. So how, and by the way, the AWS was supposed to be at this conference. They said they couldn't make it. They had a schedule issue, but they wanted to be here, but I would ask them, how do you differentiate AWS going forward? Do you go IaaS all the way? Do you release the PaaS layer up? How does this solve? Because you have native clouds that are doing great, the complexity on super cloud and multi-cloud has to be solved. >>Let me offer maybe a different argument.
So if you think about, we're all old enough to see the history sort of re pendulum shift and it shifting back in a way, if you're arguing that this culmination of all these services in the form of cloud today, essentially moving up stack, then really this is an architectural pattern that's emerging, right? And therefore there needs to be a super cloud, almost operating system. So operating systems, if you build one before, you need a scheduler, you need process handler, you need process isolation, you need memory, storage, compute, all that together. Now that is all sitting in different parts of the internet. And, and there is no operating system. Yes. And that's the gap, right? And so if you don't even have an operating system, how do you implement security? And that's the pain. Yeah, because today it's one off, directly from service to service. Like how many times can you set up SAML orchestration? You can have an entire team doing that, right. If that's, that's what you have to do. So I think that's ultimately the gap and, and we're sort of just revolving around this concept that there's missing an operating system for superpower. >>It's like Maribel Lopez said in the previous panel, that Lord of the Rings, there will be no one ring to rule them all. Right. Probably there is needs one. Oh yeah. But, but, but, so what happens? So again, security's the hardest problem. So Snowflake's gotta implement its security, you know, Databricks with an open source model has to implement its security. So there's these multiple security models. You talk about zero trust, which I, if, if I infer what you said, Gee, it's essentially, if you don't have privilege access, you don't get access. Yeah. Right. If you, okay. Okay. So that's the framework. Fine. And then you gotta earn it over time. Yeah. Now companies like Amazon, they have the, the talent and the skills to implement that zero trust framework. Exactly.
So, so the, the industry, you, you guys with the R and D have to actually ultimately build that, that super cloud framework, don't you? >>Yeah. But I would just look, all of the major cloud providers, the ones you mentioned and more, will have their own framework within their own environment. Right? Yeah. The problem is with super cloud, you're extending it across multiple ones. There's no standards. There's no easy way to integrate that. So now all of that is left to the developer who is like throwing out code as fast as they can >>Is their, their job is to abstract that, I mean, they've gotta secure the, the run time, they gotta secure the container. >>You have to >>Abstract it. Right. Okay. But, but they're not security pros or ops. >>Exactly. They're haves. >>But to, but to Gee's point, right. If everyone's implementing their own little ZTNA, then inherently, there's a blind trust between two vendors. Right. That has to >>Be, >>That has to be >>Established. That's implicit. You're saying, >>Yeah. But, but it's, it's contractual, it's not technology. Right. Because I'm turning something out in my cloud, you're turning out something in your cloud that says we've got something, some token exchange, which gives us trust. But what happens if that breaks down and whatever happens to the third party comes in? I think that's the problem. >>Yeah. In fact, in fact, the, if I put the, you know, combine one of those commons, the zero trust was built keeping identity, authentication, then authorization in mind, right? Yeah. This needs to be extended because the zero trust definition now probably go into integrity. Yeah, exactly. Right. Yeah. I authenticated. I worked well with Tony in the past, but how do I know that something has changed on the Tony's side? Yeah, exactly. Right, right. That, that integrity is going to be very, very foundational. Given developers are building those third party libraries, those source code pumping stuff.
The only way I can validate is, Hey, what has changed? >>And then throw edge into the equation, John, and IoT and machine to machine. Exactly. It's just, >>Well, >>Yeah. I think, I think we have another example to build on Tony's operating system model. Okay. And that is the cloud access service broker model for SaaS. So we, we have these services sitting out there, we've brokered them together. They're normally on user policies. What I can have access to, what I can do, what I can't do, but that can be extended down to services and have the same kind of broker arrangement all through APIs. You have to establish that trust and the, and the policies there, and they can be dynamic and all of this stuff. But you can, from either an operating system or a SaaS interaction and integration model, come to these same kind of points. So who >>Builds the, the, the secure Supercloud? Is it new guys like you? Is it your old company, giants like Palo Alto? Who, who actually builds the and secures the Supercloud? It sounds like it's an ecosystem. >>Yeah. It is an ecosystem. Absolutely. It's an ecosystem. >>Yeah. There's no one security Supercloud >>As well. No, but I, I do think there's one, there's one difference in that historically security has always focused on that shiny object. The, the, the, a particular solution to a particular threat. When you're dealing with a, a cloud or super cloud, like the number of that is incalculable. So you have to come into some sort of platform. And so you will see, if it's not one, you know, a finite number of platform type solutions that are trying to solve this on behalf of the >>Customer. That to your point, then get connected. >>I think it's gonna be like Unix, right? Like how many flavors of Unix were there out there? All of 'em had a scheduler. All of them had these processes. All of them had their little compilers. You can compile to that system, target to that system.
And for a while, it's gonna be very fragmented until multiple parties decide to converge. >>Right? Well, this is, this is the final question, we have one minute left. I wish we had more time. This is a great panel. We'll, we'll bring you guys back for sure. After the event, what one thing needs to happen to unify or get through the other side of this fragmentation and the challenges for Supercloud? Because remember the enterprise equation is solve complexity with more complexity. Well, that's not what the market wants. They want simplicity. They want SA, they want ease of use. They want infrastructure as code. What has to happen? What do you think, each of you? >>So I, I can start and extending to the previous conversation. I think we need a consortium. We need, we need a framework that defines that if you really want to operate in super cloud, these are the 10 things that you must follow. It doesn't matter whether you take AWS slash or GCP, or you have all, and you will have the on-prem also, which means that it has to follow a pattern. And that pattern is what is required for super cloud. In my opinion, otherwise security is going everywhere. They're like, they have to fix everything, find everything and so on, so forth. It's not gonna be possible. So they need a, they need a framework. They need a consortium. And it, this consortium needs to be, I think, needs to be led by the cloud providers, because they're the ones who have these foundational infrastructure elements, and the security vendor should contribute on providing more severe detections or findings. So that's, in my opinion, is, should be the model. >>Well, thank you. Gee? >>Yeah, I would think it's more along the lines of a business model. We've seen in cloud that the scale matters. And once you're big, you get bigger. We haven't seen that coalesce around either a vendor, a business model, whatnot, to bring all of this and connect it all together yet.
So that value proposition in the industry I think is missing, but there's elements of it already available. >>I, I think there needs to be a mindset. If you look again, history repeating itself, the internet sort of came together around a set of IETF RFC standards, everybody embraced and extended it. Right. But still there was at least a baseline. Yeah. And I think at that time, the, the largest and most innovative vendors understood that they couldn't do it by themselves. Right. And so I think what we need is a mindset where these big guys like Google, let's take an example. They're not gonna win it all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring, bring their differentiation and then embrace everybody >>Together. Guys, this has been fantastic. I mean, I would just chime in, back in the day, there was proprietary NOSes, proprietary network protocols. You had kind of an enemy to rally around. I'm not sure I see an enemy out here right now. So the clouds are doing great. Right? So it's a tough one, but I think super OS, super consortiums, super business models are gonna emerge. Thanks so much for spending the time. Great conversation. Thank you for having us to bring, keep going hour superclouds here in Palo Alto, live coverage, streaming virtually. I'm John with Dave. Thanks for watching. Stay with us for more coverage. This break.
Howard Hu, NASA | Amazon re:MARS 2022
>>We're here live in Las Vegas with theCUBE's coverage of Amazon re:MARS. It's re:Invent, re:MARS, re:Inforce, the big three shows called the "re's". This is MARS: machine learning, automation, robotics and space. It's a program about the future it and the future innovation around industrial, cloud scale, climate change, the moon, a lot of great topics, really connecting all the dots together here in Las Vegas with Amazon re:MARS. I'm John Furrier, host of theCUBE. Our first guest is Howard Hu, program manager, NASA's Orion program. Howard is involved with all the action in space and the moon project, which we'll get into. Howard, thanks for coming on theCUBE. >>Well, hey, thanks for having me here this morning. Appreciate you guys inviting me here. >>So this show is not obvious to the normal tech observer, the insiders in, in the industry. It's the confluence of a lot of things coming together. It's gonna be obvious very soon because the stuff they're showing here is pretty impressive. It's motivating, it's positive and it's a force for change and good. All of it coming together: space, machine learning, robotics, industrial. You have one of the coolest areas, space. What's going on with your Orion program? You guys got the big moon project statement to explain. >>Well, let me tell you, I'll start with Orion. Orion is our next human spacecraft that's gonna take humans beyond low Earth orbit, and we're part of the broader Artemis campaign. So Artemis is our plan, our NASA plan, to return the first person of color, first woman, back to the moon. And we're very excited to do that. We have several missions that I could talk to you about, starting with, in a very few months, Artemis one. So Artemis one is going to fly on the Space Launch System, which is gonna be the biggest rocket, we call the mega rocket, has been built since the Saturn V. On top of the SLS is the Orion spacecraft, and that Orion spacecraft houses four crew members for up to 21 days in deep space.
And we'll have an uncrewed test in a few months launch on the SLS. And Orion's gonna go around the moon for up to 40 days. On Artemis two, we will have the first test of the humans on board Orion. So four people will fly on Artemis two. We will also circle the moon for about 10 to 12 days. And then our third mission will be our landing. >>So the moon is back in play. Obviously it's close to the earth, so it's a short flight, relatively speaking. Mars is a little bit further out. Obviously everyone knows what's going on in Mars. A lot of people are interested in Mars. Moon's closer, yes, but there's also new things going on around discovery. Can you share the big story around why the moon? Why is the moon so important and why is everyone so excited about it? >>Yeah. You, you know, you know, coming to this conference and talking about sustainability, you know, I mean, exploration is, I think, ingrained in our DNA, but it's more than just exploration. It's about, you know, projecting human presence beyond our earth. And these are the stepping stones. You know, we talk about, Amazon talked about day one, and I think about, we are on those very early days where we're building the infrastructure. Orion's a transportation infrastructure, and we're gonna build infrastructure on the moon to learn how to live on a surface and how to utilize the assets. And then that's very important because, you know, it's very expensive to carry fuel, to carry water and all the necessities that you need to survive as a human being in outer space, if you can generate that on the surface or on the planet you go to. And this is a perfect way to do it because it's very in your backyard, as I told you earlier. So for future missions, when you want to go to Mars, you're nine months out, you really wanna make sure you have the technologies and you're able to utilize those technologies robustly and in a sustainable way.
>>Yeah, we were talking before you came on camera, camping in your backyard is a good practice round before you go out into the, to the wilderness. This is kind of what's going on here, but there's also the discovery angle. I mean, I just see so much science going on there. So if you can get to the moon, get a base camp there, get set up, then things could come out of that. What are some of the things that you guys are talking about that you see as possible exploration upside? >>Yeah. Well, several things. One is power generation. Recently, we just released some contracts for fission power, so long, sustainable power capability is very, very important. You know, the other technologies that you need to utilize is regenerative, you know, air, water, things that are, you need for that. But then there's a science aspect of it, which is, you know, we're going to the south pole where we think there's a lot of water potentially, or, or available water that we can extract and utilize that to generate fuel. So liquid hydrogen, liquid oxygen is one of the areas that are very interesting. And of course, lunar minerals are very exciting, very interesting to bring and, and, and be able to mine potentially in the future, depending on what is there. >>Well, a lot of cool stuff happening. What's your take on this show here? Obviously NASA's reputation as innovators and deep technologists, you know, big moonshot missions, pun intended here. You got a lot of other explorations. What's this show bring together? Share your perspective, because I think the story here to me is you got walkout retail, like the Amazon technology, you got Boston Dynamics, the dog everyone loves that's walking on. Then you got supply chain, robotics, machine learning, and space. It all points to one thing, innovation around industrial. I think what, what, what's your, what's your, what's your take?
>>You know, I think one of the things is, is, you know, normally we are innovating in a, in our aerospace industry. You know, I think there's so much to learn from innovation across all these areas you described and trying to pull some of that into the spacecraft. You know, when, when you're a human being sitting in a spacecraft, it's more than just flying the spacecraft. You know, you have interaction with displays, you have a lot of technologies that you normally would want to interact with on the ground that you could apply in space to help you and make your tasks easier. And I think those are things that are really important as we look across, you know, the whole entire innovative infrastructure that I see here in this show. How can we extract some of that and apply it in the space program? I think there is a very significant leveraging that you could do off of that. >>What are some of the look at what's going on in donors? What are some of the cool people who aren't following the day to day? Anything? >>Well, well, certainly, you know, the Artemis mission, Artemis campaign is one of the, the, the coolest things I could think of. That's why I came into, you know, I think wrapping around that where we are not only just going to a destination, but we're exploring, and we're trying to establish a very clear, long term presence that will allow us to engage what I think is the next step, which is science, you know, and science and the, and the things that can, can come out of that in terms of scientific discoveries. And I think the cool, coolest thing would be, hey, could we take the things that we are in the labs and the innovation relative to power generation, relative to energy, development of energy technologies, robotics, to utilize, to help explore the surface. And of course the science that comes out of just naturally, when you go somewhere, you don't know what to expect. And I think that's what the exciting thing.
And for NASA, we're putting a program, an infrastructure around that. I think that's really exciting. Of course, the other part of NASA is science. Yeah. And so partnering those two pieces together to accomplish a very important mission for everybody on planet Earth is, is really important. >>And also it's a curiosity. People are being curious about what's going on now in space, cuz the costs are down and you got universities here and you got the, of robotics and industrial. This is gonna provide a, a new ground for education, younger, younger generation coming up. What would you share to teachers and potential students, people who wanna learn what's different about now than the old generation and what's the same, what what's the same and what's new? How does someone get their arms around this, their mind around it? Where can they jump in? This is gonna open up the aperture for, for, for talent. I mean, with all the technology, it's not one dimensional. >>Yeah. I think what is still true is core sciences, math, you know, engineering, the hard science, chemistry, biology. I mean, I think those are really also very important, but what we're, we're getting today is the amount of collaboration we're able to do against organically. And I think the innovation that's driven by a lot of this collaboration where you have these tools and your ability to engage, and then you're able to, to get, I would say, the best out of people in lots of different areas. And that's what I think one of the things we're learning at NASA is, you know, we have a broad spectrum of people that come to work for us and we're pulling that. And now we're coming to these kinds of things where we're kind of getting even more innovation ideas and partnerships so that we are not just off on our own thinking about the problem. We're branching out and allowing a lot of other people to help us solve the problems that we need. >>You know, I've noticed with Space Force too.
I had the same kind of conversations around those, with those guys as well. Collaboration and public private partnerships are huge. You've seen a lot more kind of cross pollination of funding, col technology software. I mean, how do you do break/fix in space at software, right? So you gotta have, I mean, it's gotta work. So you got security challenges. Yeah. This is a new frontier. It is the cybersecurity, the usability, the operationalizing for humans, not just, you know, put atypical, you know, scientists and, and, and astronauts who are, you know, in peak shape. We're talking about humans. Yeah. What's the big problem to solve? Is it security? Is it, what, what would you say the big challenges are? >>Yeah. You know, I think information and access to information and how we interact with information is probably our biggest challenge, because we have very limited space in terms of not only mass, but just volume. Yeah. You know, you want to reserve the space for the people and they, they need to, you know, you want to maximize your space that you're having in the spacecraft. And so I think having access to information, being able to, to utilize information and quickly access systems so you can solve problems, cuz you don't know, when you're in deep space, you're several months out to Mars, what problems you might encounter and what kind of systems and access to information you need to help you solve the problems. You know, both, both, both from a just unplanned kind of contingencies or even planned contingencies where you wanna make sure you have that information to do it. So information is gonna be very vital as we go out into deep space. >>And the infrastructure's changed. How has the infrastructure changed in terms of support services? I mean see, in the United States, just the growth of aerospace you mentioned earlier is, is just phenomenal. You've got smaller, faster, cheaper equipment density, it solved the technology.
Where's there gonna be the, the big game changing move, movement? Where do you see it go? Is it Artemis three? It kind of kicks in. Artemis one's obviously the first one, unmanned one. But where, in your mind, do you see key milestones that are gonna be super important to watch? >>I think, I think, I think, you know, we've already, you know, pushed the boundaries of what we, we are, you know, in terms of applying our aerospace technologies for Artemis one and certainly two. We've got those in, in work already. And so we've got that, those vehicles already in work and built, yeah. One already at the, at the Kennedy Space Center ready for launch. But starting with three, because you have a lot more interaction, you gotta take the crew down with a lander, a human landing system. You gotta build rovers. You've gotta build a, a capability which they could explore. So starting with three and then four, we're building the Gateway. Gateway's an orbiting platform around the moon. So for all future missions after Artemis three, we're gonna take Orion to the Gateway. The crew gets into the orbiting platform. They get on a human landing system and they go down. >>So all that interaction, all that infrastructure and all the support equipment you need, not only in the orbit of the moon, but also down the ground, is gonna drive a lot of innovation. You're gonna have to realize, oh, hey, I needed this. Now I need to figure out how to get something there. You know? And, and how much of the robotics and how much AI you need will be very interesting, because you'll need these assistants to help you do your daily routine or lessen your daily routine, so you can focus on the science and you can focus on doing the advancing those technologies that you're gonna need. >>And you gotta have the infrastructure. It's like a road. Yeah. You know, you wanna go pop down to the moon, you just pop down, it's already built. It's ready for you. Yep. Come back up.
So just ease of use from a deployment standpoint is, >>And, and the infrastructure, the things that you're gonna need, you know, what is a hab gonna look like? What are you gonna need in a habitat? You know, are, are you gonna be able to have the power that you're gonna have? How many station, power stations are you gonna need? Right. So all these things are gonna be really, things are gonna be driven by what you need to do the mission. And that drives, I think, a lot of innovation. You know, it's very much like the end goal. What are you trying to solve? And then you go, okay, here's what I need to solve to build things, to solve that problem. >>There's so many things involved in the mission, I can imagine. Safety's huge. Number one, gotta be up safe. Yep. Space is a dangerous game. Yes. Yeah. It's not pleasant there. Not for the faint of heart. As you say, >>It's not for the faint heart. >>That's correct. What's the big safety concerns, obviously besides blowing up and oxygen and water and the basic needs? >>I think, I think, you know, I think you, you said it very well, you know, it is not for the faint of heart. We try to minimize risk. You know, ascent is one of the big, you're sitting under 8.8 million pounds of thrust on the launch vehicle. So it is going very fast and you're flying and you, and, and it's, it's light cuz we got solid rocket motors too as well. Once they're lit, they're lit. Yeah. So we have an escape system on Orion that allows a crew to be safe. And of course we build in redundancy. That's the other thing I think that will drive innovation. You know, you build redundancy in the system, but you also think about the kind of issues that you would run into potentially from a safety perspective. You know, how you gonna get outta a situation if you get hit by a meteor, right? Right. You, you, you are going through the Van Allen belt, you have radiation.
So, you know, some of these things that are harsh on your vehicle and on, on the human side of this shop too. And so when you have to do these things, you have to think about what are you gonna protect for and how do you go protect for that? And we have to find innovations for that. >>Yeah. And it's also gonna be a really exciting era for engineering work. And you mentioned the data. Data's huge, simulations, running scenarios. This is where the AI comes in. And that seems to me where the dots connect for me, when you start thinking about how to have, how to run those simulations, to identify what's possible. >>I think that's a great point, you know, because we have all this computing capability and because we can run simulations and because we can collect data, we have terabytes of data, but it's very challenging for humans to analyze at that level. So AI is one of the things we're looking at, which is trying to systematically have a process by which data is culled through so that the engineering mind is only looking at the things and focused on things that are problematic. So we repeat tests every flight. You don't have to look at all the terabytes of data of each test. You have a computer AI do that. And you allow yourself to look at just the pieces that don't look right, have anomalies in the data. Then you're going to do that digging, right. That's where the power of those kinds of technologies can really help us, because we have that capability to do a lot of computing. >>And I think that's why this show to me is important, because it, it, it shows for the first time, at least from my coverage of the industry, where technology's not the bottleneck anymore, it's the human mind. And we wanna live in a peaceful world with climate. We wanna have the earth around for a while. So climate change was a huge topic yesterday, and how the force for good, what could come outta the moon shots is to, is to help for earth. >>Yeah. >>Yeah. Better understanding there, all good.
What's your take on the show? If you had to summarize this show, re:MARS, from the NASA perspective. So you, the essence space, what's the, what's going on here? What's the big, big story? >>Yeah. For, for me, I think it's eye-opening in terms of how much innovation is happening across a spectrum of areas. And I look at various things like Boston Dynamics robots, the dog that's walking around. I mean, to think, you know, people are applying it in different ways, and then those applications in a lot of ways are very similar to what we need for exploration going forward. And how do you apply some of these technologies to the space program and how do we leverage that? How do we leverage that innovation and how do we take the innovations already happening organically for other reasons, and how would those help us solve those problems that we're gonna encounter going forward as we try to live on another planet? >>Well, congratulations on a great assignment. You got a great job. I do, super fun. I love being an observer and I love space. Love how at the innovations there. And plus space, space is cool. I mean, how many millions of live views do you see? Everyone's stopping work to watch SpaceX land and NASA do their work. It's just, it's bringing back the tech vibe. You know what I'm saying? It's just, it's just, things are going you a good tailwind. Yeah. >>Congratulations. Thank you very much. >>Appreciate it on the, okay. This is theCUBE coverage. I'm John Furrier, here for theCUBE, here live in Las Vegas, back at re:Invent, re:Inforce, re:MARS, the re's coverage here at re:MARS. We'll be back with more coverage after this short break.
Mike Nabasny, Branch | CUBE Conversation
>>Hey everyone. Welcome to this CUBE Conversation featuring Branch. I'm your host, Lisa Martin. My guest joining me today is Mike Nabasny, the VP of sales at Branch. Michael, welcome to theCUBE. Great to have you here. >>Thanks, Lisa. Really good to be here. >>So talk to us about Branch. Give the audience an overview of the technology, the mission of the company. What is it that you guys do? >>Yeah, certainly. Uh, thank you for the opportunity. Um, so we were founded in 2014 and the mission is to create a more open, connected and relevant digital ecosystem. And of course that's very kind of top level. And so what does that mean in terms, like, how do we do that? Uh, we do that in two ways. We have two, two large products. One is our mobile linking platform, and this is, this is like specifically the, the thing that people click on. So you might think of like a hyperlink. We, uh, think about Branch links. We want every link in the world to be a Branch link. And, and why, like, why would that be helpful? Two reasons. Number one is it's gonna give the user the best experience, the most relevant experience, the fastest experience. And we're very kind of passionate about those delightful user experiences. And we'll talk more about the importance of those, um, as we go on. And then the second reason is we provide, um, great accuracy and great data in measurement. And so the second product is our mobile measurement platform or measurement partnership that enables marketers to help understand what parts of their marketing are working as they vie for consumer attention and vie for consumer dollars. Um, so yeah, that's, uh, that's the mission and kind of when we were founded. >>That consumer experience these days just seems to be more and more critical, because one of the things that has waned thin the last two years is patience on the, on the hand of, I think, all of us at some point, right?
So being able to help brands deliver a seamless, frictionless customer experience is table stakes for businesses in any organization. Talk to me, founded in 2014, lots of change in evolution of the business, of the technology and of course of the world since then. How has life changed for mobile, modern marketers? What are some of the key challenges that they have, that they come to Branch and say, help us fix these? >>Yeah, that's a, that's a, that's the question, right? Is, is if you, if you zoom out, if you zoom out and take just the 10,000 foot view, uh, and go back in time, like, marketing was certainly simpler, right? And each new platform creates new opportunities for marketers to reach their consumers in new ways, but also new complexity to master those and also prioritize which ones are marketers going to invest in, versus which ones are they not going to invest in. And today the, the platform that is, is, you know, the top of the heap here, of course, is the mobile phone. It's where the attention is. The, the insights, the data that are out there, your audience is more than well aware of, of those things. And so these are where the eyeballs are, but within the mobile phone, you have a whole host of walled gardens and new ones pop up all the time. >>The latest kind of biggest has been TikTok, but you can kind of go backwards from there and you can also go forward from where we stand today. That is not gonna be the last one. And each of these are platforms in of themselves for marketers to go reach their consumers. So two challenges for marketers. Number one, how do you reach your consumer in those places and also ensure a, a consistent, amazing brand experience? Cause this all kind of started with you mentioning the importance of that user experience. And when we're talking about mobile phone, tenths of seconds matter, honestly, hundredths of seconds matter.
And, and there's, there's, you know, data and studies that show that you get delays or you get a little bit of friction and your conversion rate will, will plummet. And so Branch is that linking infrastructure to ensure that regardless of the platform you're trying to reach your consumer on, which is getting more and more complex and there are more and more of them, that you can trust you're gonna get the best user experience without having to dedicate a ton of engineering resources. Uh, and then second, that you're gonna have insights. You're gonna have the best available insights to how those campaigns, how those endeavors are performing, to help you then prioritize and make informed decisions for your next set of campaigns. >>And that's so important as we've seen marketing evolve so much in recent years to become really a science. So being able to deliver those insights to organizations, I imagine across any industry, on how campaigns are performing, where they're losing people, how they can facilitate conversions faster with less friction is, is a competitive advantage for any business, right? >>Yeah, hundred percent. >>Talk to me about, gimme a customer example. Like, walk me through a customer, any industry, one that you think really articulates your value and, and kind of walk me through that experience. If I'm engaging with this brand on my mobile phone, maybe my laptop, um, different devices, how, how does all that work together to be able to deliver that seamless experience to the consumer? >>Yeah. I love that you mentioned different devices. Um, that one's, that one's huge. Um, so yeah, let's talk through a customer example. Uh, I'll, I'll, I'll just suffice to say that this is, um, a customer that, uh, does, you know, uh, sends music, uh, to, to, you know, tens of millions, hundreds of millions of phones worldwide.
And, um, they were using actually, uh, a competitive platform in the marketplace and they cared very deeply about having a delightful user experience in every single channel that they could have it in. And they wanted to see if, if Branch was a stronger user experience. And to do this, on the left hand side, you have all the different places you might wanna reach your consumers. And so let's think about some of those. Maybe let's think about it in the music industry. Let's say I've got a great playlist that I know you love, Lisa. >>And I, I share it with you, and let's say I share it via text message and you click on it. What is that user experience like? Let's say I share it on my Instagram feed and you click on it. What is that user experience like? Let's say I send it to you in an email. These are all different platforms that you could click on this link. And this music platform wants you to have the best possible user experience. Now over on the right hand side, let's talk about all the different devices and technology you could interact with that link on. Your iPhone, but maybe you're not an iPhone user. Maybe you are interacting with that on a Samsung. Maybe you're on an older version of Android. All of these things actually matter because, because in the deep technicals of how these links work and how these walled gardens operate, um, they're making changes, and all of those changes can cause breakage. >>Okay, this was all the background. Now the actual story. So head-to-head test. One of my favorite, most unique companies that, that illustrates the importance of user experience out there is a company called Applause. Applause literally, um, puts together a user panel of hundreds, if not thousands of users with all these different phone makeup, because they recognize that it's really hard to do this type of testing in the wild. If you're just a brand, like, are you gonna have hundreds of different phones and lots of different setups in your lab?
So they do this for you with a user panel and they put Branch links head to head with the competitor link in all of these different spaces. And they said, we want our panel to click on link A and then write down specifically, how long did it take? And they actually have like a timer. >>Um, did it, you get the expected outcome? Did it take you to the place that you expected? And just generally other things about that experience and when rated head to head, they put it in green, yellow and red buckets. Branch was getting a green rating over 85% of the time. And the competitor was getting a green rating under 20% of the time. And in that difference for this music company was downstream metrics that really mattered to them such as consumption of the media, user happiness, conversion to free trials and conversion to paid trials. And so by having that, that better foundation, better user experience, there was massive ROI that over the course of this six month test, we, we proved out and then, you know, initiated a multi-year partnership. >>That's a significant difference, 85% to less than 20 when you're in customer conversations. What are some of the key differentiators that you talk about when you're talking about and why its of the competitors out there? >>Certainly we start there, right? So like we, we care most about that user experience, right? So if you, when we, when we get over to the measurement side, which, which I hope we get to, um, measurement is all about telling you did the conversion happen and where should you give credit to? Right. And the conversion could be an event, could be streaming a song, could be a purchase, whatever, whatever a conversion is for you, but conversions don't happen if you don't have a strong user experience, you know? And so you can't measure a conversion that didn't take place. And so in terms of our differentiator, we start with that user experience.
And so we talk about within the mobile ecosystem, we've identified 6,000 edge cases. Um, these are Instagram builds on a certain cell phone, maybe an older operating system. So 6,000 cases that you as a marketer should care about, but you don't necessarily want your engineering team spending time staying up to date on all of those. >>And if one of them changes, if one of 'em breaks, the big ones that are out there that people will be familiar with, of course, is we're May 25th right now; on June 6th, Apple will have their developer conference and they do have a history of announcing some changes there that then cause engineering teams to go running. You want Branch to be that partner to, to, to know that we will run faster than anybody else and ensure that you're ahead of the pack for whatever those changes may be to ensure that that solid customer user experience that you could build upon. And then over on the measurement side, we're gonna give you best in class insights, uh, because one we're giving you better conversions, but two, we have a best in class fraud platform, we have best in class data to increase yours. We have very high accuracy across 700 ad networks. Um, and we're gonna shield you from these systematic disruptions that happen in the digital space. >>So we talked about the mobile linking platform, the MLP. Let's now talk about the, uh, mobile measurement program. The MMP give because measurement is so critical for organizations to be able to understand, see that data and act on it in real time. How does Branch help? >>Yes, certainly. So on the mobile measurement platform side, um, generally when people think about this and they talk about this, they, they, they're largely talking about paid ads and, and we think paid ads are, are very important. And we do, we, we do talk about that quite a bit. And so with that, you are spending money with a lot of the big networks. So Google, Facebook, Apple, et cetera.
And we enable you to, to get an insight into which network was truly the last touch, because when you're dealing with self-attributing networks, they tend to all take credit for them. So, Hey, yeah, Facebook, we saw this user. Google, we also saw this user, and they, they both take credit. And so we give you some insight into where was that touchpoint in kind of a series of touchpoints to enable you to like assign credit as you see fit, uh, for future decisions. >>And then beyond the self-attributing networks, there's hundreds of other networks that you should be testing like you should consider to be testing. Cuz like, to me, this is the, the competitive advantage for marketers is the ability to find valuable users where your competition is not. And in general, if you are, you know, one big retailer and another big retailer, you're both spending on the same keywords on Google or the same things on Facebook. But if you could find some kind of niche networks for your audience and Branch is able enables you to one test that with confidence and two, the smaller networks tend to, you know, have maybe a little bit more susceptible to some fraud and so have confidence that there is gonna be fraud blocking, should it pop up? Um, you know, that is gonna increase yours and increase your, your decision making over time. >>That it, the technology sense. Fascinating. I wish we had more time. I would love to dig in this deeper, but you've done a great job of articulating the value of Branch. What it is that you guys do, uh, the value in it for customers in many industries. I love the music example. Thank you so much, Mike, for joining me today and sharing these insights into Branch and the website is branch.io. >>Yes, that's correct. >>All right, folks can go there for more information. Awesome, Mike. Thanks. Thanks so much for your time. >>Thank you. >>Lisas. I'm Lisa Martin, you watching this.
Arun Krishnamoorthy, Dell Technologies & Mihir Maniar, Dell Technologies | Dell Techn World 2022
>> theCUBE presents Dell Technologies World, brought to you by Dell. >> Hey everyone. Welcome back to theCUBE's live coverage of Dell Technologies World 2022 from the Venetian in Las Vegas. Lisa Martin here with Dave Vellante, Dave this is our second day, lots of conversations. We've been talking a lot about APEX, Multi-cloud, edge, resilience, cyber resilience. >> I guess the number one topic actually. I mean, a lot of Multi-cloud talk obviously too, but I think security is the hot topic at the event. >> It is a hot topic, and we've got two guests joining us from Dell Technologies. We're going to unpack that and talk about some of the great new things they are enabling. Please welcome. One of our alumni, Mihir Maniar our vice president at Dell Technologies and Arun Krishnamoorthy, global strategy resiliency and security at Dell Technologies. Guys, welcome to the program. >> Pleasure meeting you Lisa and Dave. >> So ransomware, it's a household term. I'm pretty sure my mom even knows what ransomware is. >> Exactly. >> Legitimately. But I mean, if you look at the numbers, a ransomware attack is happening once every 11 seconds, the numbers, the stats say, an estimated 75% of organizations are going to face an attack, 75%, by 2025, it's around the corner. So it's no longer a matter of are we going to get hit? If we get hit? It's when? And that resiliency, and that recovery is absolutely critical. Talk about some of the things there, Dell's comprehensive approach to helping organizations really build resiliency. >> That's a great point. So if you go to see organizations are going to get hit, if not already 75% already out there. And then we find that through research, a lot of our customers need a lot of help. They need help because security is really complex. I mean, they have a tough job, because there's so many attacks happening at the same time. One single ransomware incident can cost them on an average $13 million.
They have to integrate 50 plus different security vendors to go and build a secured defense in depth, kind of for mechanism, they're liable to the board, at the same time they have lines of business that are talking about, hey, can you provide me, you know, security, but make sure productivity doesn't get impacted. So it's a tough role for them. And that's where Dell services comes in, where our Dell Managed Security Services. We have a full comprehensive suite of offers for our customers to help them to remain secure. And we have focused on the services based on a NIST framework, so I can talk more about the NIST framework as a hobby about, go about doing that. >> There's a lot of talk in the community about should I pay the ransom? Should they not pay the ransom? And I suppose your advice would be, well pay up front and avoid the ransom if you can. >> Absolutely. Yeah. Dave, what we've seen is the ransomware payment has been very unreliable. We know of many, many examples where either they paid the ransom and they were not able to recover data, or they got the decryption keys and the recover process was too slow. So we are all about helping customers understand the risks that they have today, and giving them some pragmatic technology solutions. >> Talk about that conversation. Where is it happening at the customer level, as security is a board level conversation. Are you still talking with the CIOs lines of business, who else is involved in really understanding where all these vulnerabilities are within an organization? >> Yeah. So that's a great question. So we work with CIOs, we work with CSOs a lot more and the CSOs actually are facing the skills shortage problem. >> Yes. >> That's where they need actually help from vendors like Dell. And talking about ransomware, if you go to see a NIST framework, it goes all the way from identification of threats to prevention, creating measures with defense in depth. How do you detect and respond to threats in time?
Because time is critical actually. And recovering from threats. So in that whole process, it's better for customers to have the full suite of security services installed, so that they don't end up paying the ransomware eventually. To provide the whole defense mechanism. >> So the adversary is, very, they're motivated. They're well funded, incredibly sophisticated these days. So how do you not lose if you're a customer? What's the playbook that you're helping your customers proceed with? >> Yeah, it's a great, so in the NIST framework as I mentioned before, services are evolving around, how do you identify the threats that exist in the customer's network? So we provide advisory services and we provide assessment of the customer's vulnerabilities that exist, so we can detect those vulnerabilities, and then we can build the prevention mechanisms once we detect those vulnerabilities. It's all about what you cannot see, you can't really defend against. So that's where the whole assessment comes in, where you can go and do a zero trust assessment for the customer's entire infrastructure, and then figure out where those issues lie. So we can go and block those loopholes, with the prevention mechanisms. In the prevention mechanisms, actually we have a whole zero trust prevention mechanism. So you can actually go and build out, end to end defense in depth, kind of security. >> Arun, before the pandemic, the term zero trust people would roll their eyes. It was kind of a buzzword, and it's becoming sort of a mandate. What does zero trust mean to your customers? How are you helping them achieve it? >> Yeah. So great question, Dave. A lot of customers think zero trust is a product. It's not, it's a framework, it's a mindset. It helps customer think through, what kind of access do I want to give my users, my third party, my customers? Where does my data sit in my environment? Have I configured the right network policies? Have I segmented my network?
So it is a collection of different strategies that work across cloud, across data, across network, across applications that interact with each other and what we are helping customers with understand what that zero trust actually means and how they can translate into actionable technology implementations. >> What do you help customers do that when we know that, I mean, the average customer has what? Seven different backup protection solutions alone, if we're talking about like data protection. How do you help them understand what's in their environment now? If they're talking about protecting applications, users, data, network, what's that conversation? And what's that process like to simplify their protection so that they really can achieve cyber resilience? >> That's correct. That's a great question, Lisa. One of the big issues we see with customers, is they don't know what they don't know. There's data across multi-cloud, which is great, it enables productivity, but it also is not within the four walls of a data center. So one of the first things we do is identify where customer's data is, where is their application live? And then we look for blind spots. Are you protecting your SaaS workloads? Are you protecting your endpoints? And we give them a holistic strategy on data protection and you bring up a great point. A lot of customers have had accidental growth over the years. They started off with one tool and then different business needs drove them to different tools. Maybe now is a good time to evaluate what is your tool set, can we consolidate it and reduce the risk in the environment. >> Yeah, I dunno if you guys are probably familiar with that. I use it a lot when I write, it's an Optiv chart and it's this eye test and it says here's this security landscape that taxonomy it's got to be the most complicated of any in the business. And so my question is ecosystem, you've got to have partners.
But there's so many choices, how are you helping to solve that problem of consolidating choices and tools? >> That's a great point. So if you look at the zero trust framework which Lisa you talked about, in the zero trust framework, we have few things we look at, that is through Dell's technologies and partner technologies. So we can provide things like secure access, context based. So which users can access which applications. Identity based, the second one is which applications can talk to which applications for micro segmentation. Again, identity based. And then you have encryption everywhere, encryption with data in motion and data at rest. Encryption is super important to prevent hacks. So, and then you have cloud workloads, we have cloud workload protection. So some of those things, we rely on our partners and some of them actually we have technologies in house I was like Arun talked about the cyber resilience and the world that we have in house. So we provide the end-to-end framework for our customer for zero trust, where we can go and identify, we can assess, we can go build it out for them. We can detect and respond with our excellent MDR service that we came out with last, just last year. So that MDR service allows you to detect attacks and respond automatically using our AI and ML platform, that reduces the signal from the noise and allows to prevent these attacks from happening. >> Arun, question for you as we've seen the proliferation of cyber attacks during the pandemic, we've seen the sophistication increasing, the personalization is increasing. Ransomware as a service is making it, there is no barrier to entry these days. How has Dell Technologies overall cyber resilience strategy evolved in the last couple of years? I imagine that there's been some silver linings and some accelerations there. >> Yeah, absolutely Lisa.
One of the things we recognized very early on when big cyber attacks going on five years ago, we knew that as much as customers had great technologies to prevent a cyber attack, it was a matter of when, not if. So we created the first purpose built solution to help customers respond and recover from a cyber attack. We created innovative technologies to isolate the data in a cyber vault. We have immutable technologies that lock the data, so they can't be tampered with. And we also build some great intelligence based on AI/ML. In fact, this is the first and only product in the world that looks at backup data, does full content indexing, and it's able to look for behaviors or patterns in your environment that you could normally not find with signature based detection systems. So it's very revolutionary and we want to help customers not only on the prevention side, which is proactive. We want them to be equally, have a sound strategy on how they would respond and recover from a cyber attack. >> So there's two pieces there, proactive, and then if, and when you get hit, how do you react? And I think about moments in cyber, I mean Stuxnet was obviously a huge turning point. And then of course the SolarWinds. And you see that the supply chain hacks, you see the island hopping and the living off the land and the stealth moves. So, it's almost like wow, some of these techniques have even being proactive, you're not going to catch 'em. So you've got to have this, you talked about the NIST framework multi-level, but I mean customers are aware, obviously everybody customer you talk to the SolarWinds, blah, blah. But it seems like they're still sleeping with one eye open. Like they're really nervous. And like we haven't figured it out as an industry yet. And so that's where solutions like this are so critical because you're almost resigning yourself to the fact that, well, you may not find it being proactive. >> Yeah, right.
>> But you've got to have, the last, it's like putting tapes in a truck and driving them somewhere. What do you? Do you sense that it was a major milestone in the industry, milestone, negative milestone and that was a turning point and it was kind of a wake up call for the industry, a new wake up call. What's your sense of how the industry is responding? >> Yeah, I think that's a great point. So if you go to see the verbiages that it's not, if you're going to get attacked, it's when you're going to get attacked. So the attacks are going to happen no matter what. So that's the reason why the defense in depth and the zero trust framework comes into play, where customers have to have an end-to-end holistic framework, so that they can have not just defensive mechanisms, but also detect and respond when the attacks happen. And then as you mentioned, some of them, you just can't catch all of them. So we have excellent incident response and recovery mechanisms. So if the attack happened, it will cause damage. We can do forensics analysis. And on top of that, we can go and recover like the cyber recovery vault. We can recover that data and them production again, ready. >> I guess, I'm sorry. What I was trying to ask is, do you think we've understand SolarWinds, have the industry figured it out? >> Yeah, great question. I think this is where customers have to take a pragmatic approach on how they do security. And we talk about concepts like intrinsic security. So in other words, you can do a certain activity in your environment and punt the ball to some other team to figure out security. Part of what Dell does, you asked the question, there's a lot of tools, where do customers start? One of the big values we bring to customers is the initial awareness and just educating customers. Hey, what happened in these watershed moment, in with these different attacks. WannaCry, Stuxnet, and how did those customers respond and where did they fail?
So let's do some lessons learned with past attacks and let's move forward with some pragmatic solutions. And, we usually don't overwhelm our customers with a lot of tools. Let's have a roadmap, let's do an incremental build of your security posture. And over time, let's get your entire organization to play with it. >> You talk about awareness, obviously that's critical, but one of the other things that's critical with the cyber threats and the what's going on today is the biggest threat vector still is people. >> Exactly. >> So talk to us about some of the things that you help organizations do. When you're talking about the from an awareness perspective, it's training the people not to open certain links if they look suspicious, that sort of thing. How involved is Dell Technologies with your customers from a strategic perspective about really drilling this into the end users that they've got a lot of responsibility here? >> Yeah, if you go to see phishing is one of the most common attack vectors to go and infiltrate these attacks. So Dell has a whole employee education program that they rolled out. So we all are aware of the fact, that clicking on links and phishing is a risk factor. And we are trying to take that same message to our customers through an employee awareness training service. So we can actually provide education for the employees from getting these phishing attacks happening. >> Yeah, that's really critical because as I mentioned, we talked about the sophistication, but the personalization, the social engineering is off the charts these days. And it's so easy for someone to, especially with all this distractions that we have going on, if you're working from home and you've got kids at home or dogs barking and whatnot, it's easy to be fooled into something that looks incredibly legitimate. >> You bring another great point. You can keep tell people in your environment don't do things, don't do it. You create a friction.
We want people to be productive. We want them to use different access to different applications, both in-house and in the cloud. So this is where technology comes into play. There are some modern malware defenses that will help customers identify some of these email phishing, spear phishing. So they are in a better prepared position. And we don't want to curb productivity, but we want to also make, a very secure environment where people can. >> That's a great point is it has to be frictionless. I do have a question for you guys with respect to SaaS applications. I talk to a lot of customers using certain SaaS applications who have this sort of, there's a, a dual responsibility model there, where the SaaS vendors responsible for the application protection. But Mr. and Miss customer, you're responsible for the data, we are. Are you finding that a lot of organizations are going help. We've got, Google Workspace, Microsoft 365, Salesforce, that, and it's really incredibly business critical to data. Dell Technologies help us protect this, because this is on vulnerability that we were not aware of. >> Absolutely, and that's why we have the backup service with APEX, where we can actually have SaaS data which is backed up using IEX solution for backup recovery. So, yes, that's very critical. We have the end to end portfolio for backing it up, having the vault, which is a air gap solution, recovering from it when you have an attack. And I think the value prop that Dell brings to the table is we have the client side and we have the data center side, With the Multi-cloud. So we provide a completely hardened infrastructure, where we all the way from supply chain to secure OS, secure boot and secure image. Everything is kind of hardened with STIG hardening on top of that. And then we have the services layer to go and make sure we can assess the risks, we can detect and respond, we can recover. So that we can keep our customers completely secure.
That's the value prop that we bring to the table with unmatched scale of Dell services. In terms of the scale that we bring to the table to our customers and help them out. >> It's an interesting opportunity. And it's certainly from a threats perspective, one that's going to persist. Obviously we know that, great that there's been such a focus from Dell on cyber resiliency for its customers, whether we're talking about multi-cloud, on-prem, public cloud, SaaS applications, it's critical. It's a techno, it's a solution that every industry has to take advantage of guys. Thank you so much for joining us. I wish we had more time. I could talk about this all day. >> Thank you. >> Great work going on there. Congratulations on what was going on with APEX and the announcement, and I'm sure we'll be hearing more from you in the future. >> Excellent. Thank you, Lisa. We are super excited about Dell services and what we can bring for managed security services for our customers. >> Excellent. >> Appreciate it. >> Thanks guys. >> Thank you. >> For our guests and for Dave Vellante. I'm Lisa Martin, you're watching theCUBE live from day two of our coverage of Dell Technologies World, live from Las Vegas. Dave and I will be right back with our last guest of the day. (gentle music)
Does Hardware Matter?
[Music] does hardware still matter the attractiveness of software-defined models and services that are running in the cloud really make you wonder don't they but the reality is that software has to run on something and that something is hardware and history in the it business shows that the hardware that you purchase today is going to be up against the price performance of new systems in short order and these new systems will be far superior from a price performance standpoint within a couple of years so when it's time to purchase a new system look at whether it's a laptop a mainframe or a server configuring a leading edge product is going to give you the longest useful life of that new system now when i say a system what makes up a system well there's a lot of underlying technology components of course you have the processor you got memories you got storage devices there's networking like network interface cards there's interconnects and the bus architecture like pcie gen4 or whatever these components are constantly in a leapfrog mode like clock speeds and more cores and faster memories and ssds versus spinning disks and faster network cards the whole gamut so you see a constant advancement of the system components it's like it's a perpetual and sometimes chaotic improvement of the piece parts now i say chaotic because balancing these different components such that you're not wasting resources and that you're ensuring consistent application performance is a critical aspect of architecting systems so it becomes a game of like whack-a-mole meaning you're going to find the bottlenecks and you got to stamp them out it's a constant chase for locating the constraints designing systems that address these constraints without breaking the bank and optimizing all these components in a harmonious way hello everyone this is dave vellante of the cube and while these issues may not capture all the headlines except for maybe tom's hardware blog they're part of an important topic 
that we want to explore more deeply. And to do so, we're going to go inside some new benchmarking tests with our good friend Kim Lenar, who's Principal Performance Architect at Broadcom. Kim, always great to see you. Thanks so much for coming back on theCUBE. >> Hi there, Dave. Good to see you too. Thanks for having me on. >> You bet. Hey, so last time we met, we talked about the importance of designing these balanced systems. I talked about that in my open, and how solid state threw everything out of whack because the system was designed around spinning disk. And we talked about NVMe, and we're here today with some new data. An independent performance lab, Prowess Consulting, conducted some initial tests. I've seen their, their white papers on this stuff. It compared the current generation of Dell servers with previous models to quantify the performance impact of these new technologies. And so before we get into that, Kim, tell us a little about your background and your performance chops. >> Sure, sure. So I started my career about 22 years ago, back when the Ultra 160 SCSI was out and just could only do about 20 megabytes a second. Um, but I felt my experience really studying that relationship between the file systems and the application, the OS and storage layers, as well as the hardware interaction. I was absolutely just amazed with how, you know, touching one really affects the other, and you have to understand that in order to be a good performance architect. So I've authored dozens of performance white papers, and I've worked with thousands of customers over the years designing and optimizing and debugging storage, and trying to build mathematical models, like project that next generation product, where we really need to land. But honestly, I've just been blessed to work with really brilliant, um, and some of the most talented minds in the industry. >> Yeah, well, that's why I love having you on. You, you can go, go really deep. And so like I said, we've got these, these new white papers, uh, new test results on these Dell
servers. What's the role, people might be wondering, what's the role Broadcom plays inside these systems? >> Well, we've been working alongside Dell for, for decades, trying to design some of the industry's best, uh, storage, and it's been a team effort. In fact, I've been working with some of these people for, for, you know, multiple decades. I know their, their birthdays and their travel plans and where they vacation. So it's been a really great relationship between Broadcom and Dell over the years. We've been with them through the SATA to the SAS to the SSD kind of revolution. Now we're working from all the way back at that series five to their latest series 11 products that support NVMe. So it's been, it's been really great. But it's not just about, you know, gluing together the latest host or the latest disk interface. You know, we work with them to try and understand and characterize their customers' and our customers' applications, the way that they're deployed, security features, management, optimizing the I/O path, and making sure that when a failure happens, we can get those RAID volumes back optimal. So it's been a really, really great, um, you know, role between, between Broadcom and Dell. >> Got it. Okay, let's get into the tested framework. Let's keep it at high level, and then we're going to get into some of the data. But, but what did Prowess test? What was the workload? What can you tell us about, you know, what they were trying to measure? >> Well, the first thing is you have to kind of have an objective. So what we had done was, um, we had them benchmark on one of the previous Dell PowerEdge R740xd servers, and then we had them compare that to the R750. And not just one R750, there was two different configurations of the R750. So we get to see kind of, you know, what Gen 3 to Gen 4 looks like, um, and upgrading the processor. So we kind of got from like a gold system to maybe a platinum system. We've added more controllers, we add more drives, um, and then we said, you know, let's go ahead and let's do some SQL
transactional benchmarking on it. And I'd like to go into why we chose that. But, you know, Microsoft SQL Server is one of the most popular database management platforms in the world. And, you know, there are two kinds: one's OLTP, which processes records and business transactions, and then there's kind of an OLAP, which does analytical, analytical processing and does a lot of complex queries. And, you know, together these two things, they drive the business operations and help kind of improve productivity. It's a real critical part for the decision makers in a, uh, you know, for, for all of our companies. >> So before we get in, share the actual test results, what specifically did Prowess measure? What were some of the metrics that we're going to see here? >> We focused on the transactional workloads. So we did something called a TPC-C-like, and let me be really clear, we did not execute a TPC-C benchmark, but it was a TPC-C-like benchmark. And TPC-C is one of the most mature standardized industry database benchmarks in the world. And what it does is it simulates a sales model of a wholesale supplier. So we can all kind of agree that, you know, handling payments and orders and status and deliveries and things like that, those are, those are really critical parts to running a business. And ultimately what this results in is something called a new order. So somebody might go on, they'll log on, they'll say, hey, is this available? Let me pay you. Um, and then once that transaction is done, it's called a new order. So they come up with something called a tpmC, which is the new order transactions per minute. Now, the neat thing is it's not just a one-size-fits-all kind of benchmark. So you get to scale that, in the way you scale the database. You scale the size and the capacity of the database by adding more warehouses. In our case, we actually decided to choose 1400 warehouses, which is a pretty standardized size. And then you can also test the concurrency. So you could start from one thread, which kind of simulates a user, all
the way up to however many threads you want. We decided to settle on 100 threads. Now, this is very different from the generic benchmarking. We're actually doing real work. We're not just doing random reads and random writes, which, those are great, they're critical, they tell us how well we're performing, but this is more like a paced workload. It really executes SQL I/O transactions, uh, and, you know, those in-order operations, um, are very different. You do a read and then a write and then another read, and those have to be executed in order. It's very different from just setting up a queue depth and a workers. And it also provides very realistic and objective measurements that exercises not just the storage but the entire server. >> All right, let's get into some of the results. So the first graphic we're going to show you is that, what you were just talking about, new orders per minute. How should we interpret, uh, this graphic, Kim? >> Well, I mean, it looks like we won the whack-a-mole game, didn't we? So we started out with, with the baseline here, the R740xd, and we measured the new order transactions per minute on that. We then set up the R750, in the very first R750, and we have the very, all the details are laid out in the paper that you just referenced there. Um, but we started out with a single RAID controller with eight drives, and we measured that. We got a 7x increase. And then in the second test, we actually added another RAID controller and another eight drives, and then we, we kind of upgraded the, the processor a little bit. We were able to even double that over the initial one. So, and, you know, how do we get there? That's really the more important thing. And, you know, the, the critical part of this, understanding and characterizing the workload. So we have to know what kind of components to balance, you know, where are your bottlenecks at? So typically an OLTP, online transaction processing, is a mix of transactions that are generally two reads to every one and they're very random. And the way this benchmark works is it
randomly accesses different warehouses. It executes these queries. When it executes a read query, it pulls that data into memory. Well, once the data is into memory, any kind of transactions are acted on it in memory. So the actual database engine does in-memory transactions. Then you have something called a transaction log that has to record all those modifications down to non-volatile media. And that's based on something, um, you know, just to make sure that you have, um, all the data in case somebody pulls the plug or something, you know, catastrophic happens. You want to make sure that those are recorded. Um, and then every once in a while, um, all those in-memory changes are written down to the disk in something called a checkpoint, and then we can go ahead and clear that transaction log. So there's a bunch of sequence of, of different kinds of I/O, um, that happen during the course of an OLTP kind of transaction. So your bottlenecks are found in the processor and the memory and the amount of memory, you know, the latency of your disks. I mean, it really, the whole gamut, everything could be a bottleneck within there. So the trick is to figure out where your bottlenecks are and trying to release those so you can get the, the best performance that you possibly can. >> Yeah, the sequence of events that has to take place to do a write, we often, we take it for granted. Okay, the, the next, uh, set of data we're going to look at is, like you said, you're doing reads, you're doing writes. We're going to, we're going to bring up now the, the data around log writes and, and log reads. So explain what we're looking at here. >> So as I mentioned earlier, the, even though the transactions happen in memory, um, those recorded transactions get committed down to, down to the disk. But eventually they get committed onto disk. What we do first is we do something called a log write. It's a transaction log write, and that way it allows the, it allows the transaction to go ahead and process. So the trick here is to have the lowest latency, fast
disks for that log. And it's very critical for your consistency and also for rollbacks and something called ACID transactions and operations. The log reads are really important also for the recovery efforts. So we try to manage our log performance. Um, we want low latency, we want very high IOPS for both reads and for writes. But it's not just the logs, there's also the database disks. And what we see is initially during these benchmarks, there's a bunch of reads that are going into the database data, um, and then ultimately after some period of time, we see something called a checkpoint, and we'll see this big flurry of writes come down. So you have to be able to handle all those flurry of writes as they come down and they're committed down to the disk. So some of our important design considerations here are, is can our processor handle this workload? Do we have enough memory? And then finally, we have three storage considerations. We have a database disk, we have log disk, and then of course there's a tempdb as well. So because we have the industry-leading RAID 5 performance, we were able to use a RAID 5 for the database. And that's something that, you know, just years ago was like, whoa, oh, don't ever use RAID 5 on your database. That is no longer true. Our RAID 5 is, is fast enough and has low enough latency to handle database, and it also helps save money. Um, and then for the RAID 10, we use that for a log. That's pretty standardized. So the faster your processor, the more cores, you know, when you double the disk, um, and we get more performance. So yeah, you know, we just figured out where the bottlenecks were, we cleared them out, we were able to double that. >> That's interesting. Go back in history a little bit. When RAID 5 was all the rage, uh, EMC at the time, now of course Dell, when they announced Symmetrix, they announced it with, with RAID 1, which was mirroring. And they did that because it was heavily into mainframe and transaction processing. And while there was, you know, additional overhead of, you do, you
need two disk drives to do that, the performance really outweighed that. And so now we're seeing with the advent of new technologies that you, you're solving that problem. Um, I, I guess the other thing of course is, is rebuild times, and we've kind of rethought that. So the next set of data that we're going to look at is, is, is how long it takes to rebuild, uh, around the RAID time. So we'll bring that up now, and you can kind of give us the, the insights here. >> Well, yeah, so you can see that we've been able to reduce the rebuild times. And, you know, how do we do that? Well, I can tell you, me and my fellow architects, we have been spending the last, uh, probably the last two years focusing on trying to improve the rebuild. So we, you know, it's not just rebuilding faster, it's also how to eloquently handle all the host operations. You can't just tell those, sorry, I'm busy doing rebuilds. You've got to be able to handle that, because business continuity is a very critical component of that. So, um, so we do that through mirroring and preparity data layouts. And so the rebuild times, if you can, if you can do a really good balance of making sure that you are supplying a sufficient host I/O, that we actually very quickly in the background, as soon as, as we have a moment, we start implementing those rebuilds, um, you know, during those lull periods. And so making sure that we do aggressive rebuilds by, while allowing those business operations to continue, have always been a real critical part. But we've been working on that a lot over the last couple of generations. That said, we always tell our customers, always have a backup. That's, that's a critical part to, uh, to business continuity plans. >> Great. I wonder if we can come back to the components inside the system. How does what Broadcom is supplying to Dell in these servers contribute to these performance results specifically, Kim? >> Okay, so specifically, um, we, we provide the PERC storage controller. And so the Dell R740xd actually has their series 10 H740P controller, whereas the
H, the R750 has the generation 11 PERC 11 H755N. Um, so we own those, um, you know, in terms of, of trying to make sure that they are integrated properly into the system, provided the highest possible performance. Um, but not just the storage controller, I want to make sure that everybody knows that we also have our Broadcom NetXtreme E-Series. These are Gen 4 PCIe 25 gig dual-ported Ethernet controllers. So in, you know, in a critical true deployment, it is a really important part of the e-commerce, uh, business solution. So we do own the storage, um, for these as well as the networking. >> Excellent. Okay, so we kind of, we went deep inside into the system, but let's up level. Why does this matter to an organization? What's the business impact of all this tech coming to fruition? >> We, you know, as everybody always references, there's a massive growth of data, and data is required for success. It doesn't matter if you're a Fortune 500 company or you're just a small to medium business, you know, it, that critical data needs protected, and needs protected without the complexity or the overhead or the cost of such hyper-converged infrastructures or SAN deployments. So we're able to do this on bare metal, um, and it really helps with the TCO. So, you know, and the other thing is NVMe right now is the fastest growing storage. NVMe is so fast, um, as well from a performance perspective as well. So that, that Dell R750 with the two PERC 11 controllers in it, it had over 51 terabytes of storage in a single server. You know, and that's pretty impressive. But there's, um, so many different performance advantages that the R750 provides for SQL servers as well. So they've got, you know, the Gen 3 Intel Xeon Scalable processors, we've got DDR4 3200 memory. You know, the faster memory is very critical for those in-memory transactions as well. We have Gen 4 PCIe. It really does justify an upgrade. And I can tell you, Dave, that a little over a year ago, I had, you know, I had one of these Dell R750 servers sitting in my own house, and I was
testing it, and I was just amazed at the performance. I was doing different TPC-C and TPC-H and TPC-E tests on it, and I was telling Dell, wow, this is really, this is amazing. This server is doing so, so well. So I was so excited, could not wait to see it in print. So thank you to the Prowess team, um, for actually showing the world what these servers can do combined with the Broadcom storage. >> Now, speaking of the Prowess team, when you read the white papers, um, it really is focused on this small and medium-sized business market. So people might be wondering, well, wait a minute, why wouldn't folks just spin up this compute in the cloud? Why am I buying servers? >> Well, that's a really good question. You know, that still, you know, the studies have shown that the majority of workloads are still on-prem. Um, and also, you know, there's a challenge here with the skill sets. There's a lack of developers for cloud and, you know, cloud architects. So keeping these in prem where you actually own it, it really does help keep costs down. Um, and just the management of these R750s are fantastic, and the support that Dell provides as well. >> Great. Kim, I love having you on, and we'd like to have you back. We're going to leave it there for now, but thanks so much. I really appreciate your time. >> Thanks, Dave. >> So look, this is really helpful in understanding that at the end of the day, you still need microprocessors and memories and storage devices, controllers and interconnects. That, we, you know, we just saw Pat Gelsinger at the State of the Union address nudging the federal government to support semiconductor manufacturing. And, you know, Intel is going to potentially match TSM's 100 billion dollar capex commitment, and that's going to be a tailwind for the surrounding components, you know, including semiconductor, you know, component core infrastructure designers like Broadcom. Now, this is a topic that we care about, and, and like I said, Kim, we're going to have you back, and we plan to continue our coverage under the hood in the future. So thank
you for watching this CUBE conversation. This is Dave Vellante, and we'll see you next time. [Music]
Linda Jojo, United Airlines | AWS re:Invent 2021
(upbeat music) >> Okay, welcome back everyone to theCUBE's coverage of AWS re:Invent 2021. This is theCUBE. I'm John Furrier, my host Lisa Martin here, with some keynote guests who are on the big stage here at re:Invent, Linda Jojo, Chief Digital Officer at United Airlines. Thanks for coming on. >> Hey, great to be here. Thanks for having me. >> So up on the big stage, big transformation story in front of 27,000 people, on the virginity, >> Linda: That many? >> that's the number, >> It's a big room >> pretty small for Amazon web services, nearly 60,000, but you know, pandemic and all but great presentation. What was the, what was the transformation story for United? >> Well, I think there's two parts of the story. One is just how fast everything happened, you know. February of 2020, we're having a kickoff meeting with AWS about how we're going to really transform the airline and a month later the world shut down. And so it changed, we went from thinking about the future to really just trying to make it through the next few weeks. But as soon as that happened, we knew that we had to take advantage of the crisis and think about everything from what can we do with our onboard products, we've changed out a lot of things about our airplanes, we've doubled down on sustainability. We're really focused on the diversity of our workforce, but also we really said, what can we do about transforming our technology? And that's where AWS came in because one of the silver linings for our tech team was that we didn't always have a plane in the air. And so when that happens, we had no time to make a change and back it out, if it doesn't work or heaven forbid have an outage. We a little bit longer. So we got aggressive and we made a lot of changes and made a lot of move to AWS Cloud. >> Talk to me a little bit about the cultural shift involved. I mean, you talked about, you know, everybody was just scrambling. >> Yeah. So quickly, there was this instant, what do we do? 
How do we pivot? How do we survive mode? But from a cultural perspective, it sounds like you took, you leveraged the situation to be able to make a lot of improvements across the United, but culturally that's, that's challenging to get all those folks on board at the same time. How did you facilitate that? >> Well, you know what, the story I'm going to tell isn't all just about me. It's about the incredible team that we have, but you know, folks got focused and Amazon talks about having a two pizza team about how if your team should be no bigger than what can be fed by two pizzas, and that really keeps the decision-making streamlined and fast. For us since we were now all working from home, we called it a one screen team. And so the idea was no more than a number of people that could fit on that video call was the idea. So that was the number of people that we had on our teams. We branded them even call them scrappy teams, which was really kind of fun. And those are the groups that just kind of got their job done. And you know, the first part of their job was every week or every day it seemed like we were getting new rules from the U.S. government about what countries you couldn't fly to. And it was chaotic. It was confusing for customers and frankly, our, that one screen team, they were up like every night making modifications to who could check in online and who couldn't. And we said when it's time to open back up, we can't, we got to do this better. And so that group came up with something we now call the Travel-Ready Center. Which is really pretty incredible. What you can do now is first of all, when you book your flight, we'll tell you what you need to fly. You need this type of a COVID test, this many days in advance. This is what fully vaccinated means in the country you're going to. And so this was the kind of vaccine card we need to see. You upload it all.
We use Amazon SageMaker and we have machine learning models that actually now will within seven seconds validate that you're ready to fly. And what that means is just like always, you can get your boarding pass before you get to the airport. Now, if you guys travel a lot, I hope you still do, >> Yeah. >> what that means is that you can actually bypass the lobby of the airport and all the document checking that's going on because you're travel ready. So customers love it. Gate agents love it too, because gate agents, the rules are changing so fast. They don't, you know, and they work the flight to Tel Aviv one day and the flight to Paris the next and the rules are different. And maybe in between, they changed. So having the software actually figure that out is what helps. >> So very dynamic and new innovations popped out of this pandemic. What else did Amazon help you with? Was there other Amazon innovations that you guys gravitated to SageMaker was one, what were some of the other? >> Yeah. You know, honestly, the team uses a lot of the tools and a lot of different ways. I would say the other big one was DynamoDB, and some of the things that we did to actually migrate some of our core systems to Amazon and actually, you know, instead of making phoning home to data centers all the time, we're now going right to the Cloud and getting some, some really great performance out of that. >> And, and, and the travel thing that you guys did that was came out of the innovation from the teams. >> Yeah. >> is there any other, other examples that popped out from you guys? >> Yeah. Well, I think another one is something that we call Agent on Demand. Agent on Demand is where you used it when you had to talk to an agent in the airport, you'd go get in line somewhere. And sometimes it was a long line, right? Because there's only two people there. And so the first thing we did was we made sure the technologies they used worked on a phone or an iPad.
So now we weren't limited by the number of, of stations at the gate. The next thing we is that we made it QR code enabled. And now what customers can do is they can scan the QR code and they get a live agent, like a FaceTime call on their, on their phone. They can do it from anywhere from their seat at the gate or in line for a coffee, and they can solve their problem right there. And those agents, by the way, now maybe there's a snowstorm going on in Chicago, but the agents are in Houston where it's sunny. And so we can actually leverage the fact that those agents are there to help our customers. >> So you've got the user experience, you did some innovation. How about the operational things, I noticed when I traveled the United, the packaging's different, the greetings are different. I get why all these operational impacts happened to the whole supply chain. (laughing) >> Yeah. Well, you know, the technology's great, but what makes you remember United are the people that you're going to interact with. And so we really focused on service for our, for our employees. And how do we give them information in the palm of their hand to, to treat you in a very personal way. We know that you flew last week and where you went. We know that you just made a million miles. And so we can give that information to our flight attendant and they can provide a really great experience. >> That experience is key these days. One of the things that's been in short supply, during the pandemic is patience. And obviously you guys have to be very cognizant of that with some of the things that have happened across all the airlines and passengers not having the patience that they normally would have. >> Oh yeah. That is a real kudos to our flight attendants. And what we did with them, you know, wearing a mask is required on the aircraft and, you know, some folks don't like to be told what to do anywhere, right? And so people don't like that.
Our flight attendants learned how to deescalate the situation and deal with it on the ground. So it's very simple. If you're not wearing a mask, flight attendant asked you nicely, you still don't put your mask on. They just give you a little card that says, by the way, if you don't put your mask on, this is going to be your last United flight. And the vast majority of customers put their masks on. So we have not seen some of that level of stress that's happened on some of other, other airlines. >> That's key. Cause it's been pretty rampant. But the fact that you're, you're making things much more accessible. And in real time, I think another thing we learned during the pandemic is that real time is no longer a nice to have. It's essential. We have this expectation as consumers, whether we're flying or we're buying something from an online retailer that we're going to be able to get whatever we want in the palm of our hand. >> Yeah. Well, you know what we like to say, we're very proud of our mobile app. We're very proud of it. But we like to say that are not comparing our mobile app to another airline mobile app. You're, you're comparing it to the last app you probably used. And that might've been the Amazon app. So we have to be as good as the Amazon app, but we have a lot of legacy technology behind it. And so we have really focused on that. >> Good, I want to ask you cause you're a Chief Digital Officer, because this comes up in a lot of our CUBE conversations and around the digital side is that obviously with the virtual now hybrid things, new innovations have happened. So I have to ask you what's changed for the better that's going to be around and what might not be around that you've learned from the pandemic, because these new things are emerging. New standards, new protocols, new digital experiences. What have you learned that's going to stay around and what kind of went away? >> Yeah. 
>> Well, I think nothing tells you about how important your customers are if you're standing in the middle of O'Hare and not seeing any. And that's what happened in April of 2020, when we actually, there was a day that year, that month that we had more pilots than passengers. It was just, you know, so you realize it's really all about the customer. And what we have to do is make sure that customers choose us. There might be less reasons to fly to certain places all the time, but when you do fly, we want you to pick United. And so it's got to be more than just where we fly. It's got to be the experiences you have with the people. And we have to use the technology to make it easier. I mean, Touchless wasn't really a thing. QR codes are back. I mean, they were gone, right. And we have QR codes on everything now. Cause you want to get through that airport without having to touch anything, and you do that with your mobile app. >> Yeah. Great innovations. >> It is a great innovation. That contactless is key. You talk about QR codes coming back. And just some of the things that we've, that we've, some of the silver linings and frankly there have been some the last 22 months or so, but being able to have that experience, that's tailored to me as a consumer. >> Right. I don't need to know what's under the hood enabling it. I just know I want to be able to make transactions or find whatever I need to in the palm of my hand, 24/7. >> Yeah. And you know, for airlines, it usually comes back to something went wrong and frankly, there's always something that going quite right. There's a, there's a weather delay somewhere or maybe your bag didn't get on the same flight you did. And so we want to give you transparency in that and control over what you can do. And so how make it, make it easier to rebook, make you understand what the situation is, be very transparent about it. And we even have something called Connection Saver.
And what we do with that is we actually use real time data analytics. And what we do is we say, there's a person that's arriving late. And then we say with real-time weather, real-time connection data. We say, can we hold that flight for Lisa? And we, and we, yeah.(laughing) The worst thing is when that door closed, you run all the way through the airport and they closed the door. Right? We don't want to do, gate agents don't like doing that either. And so we use calculations that say, you know, the wind is blowing in the right direction. The pilots can make up the time. There isn't anybody on the other side, that's going to miss a connection. And so about 2000 times a day, we hold a connection for our customer. >> That's key. If you missed, sometimes just stay overnight. If you miss that connection. >> Especially on the last flight of the day we'll be, we'll be very generous because that doesn't do anybody any good. >> Well, great, great story. I love the keynote, Cloud has changed. I have to ask you this year at re:Invent, what's your observation on the Cloud as the cloud continues to expand, as Adam is talking about, how do you guys see the Cloud evolving for United? >> Well, you know, I, I think what's really impressive here is everybody is coming from every industry. It's not one or two industries that are here, are early adopters in the industry. It really is what you have to do to survive. But I probably would be remiss not to say that, which was really great was that there were two women on the, on the keynote stage and two men. So we were at 50 50 now there are 51% women in the world, but we'll take it. And I, in all seriousness, I do think that there is, there's a lot more diversity here and I think that's good. Not just for AWS. That's good for everybody. >> I couldn't agree more. That was one of the first things I noticed this morning when you took the keynote stage was a strong female leader before you even started telling the story. 
And that's something from an optics perspective. I know that Amazon is really keen on, but it's nice to hear from your perspective as well that there's, there's that diversity. There's also that thought diversity when you have different perspectives come into play because there's so many dynamics going on these days. But I have to ask you one question. We know we talked to, we, we, we talk about every company, these days being a data company, being a digital company needing to be, to be competitive. >> Right. Do you think of United, should, should we be thinking about United as a digital first company? >> Well, we, we, we connect people, right? And so we are physically moving people from one destination to another and they really want to get there. So we're not going to always be digital, but I would tell you that I often speak with our Chief Customer Officer and our Chief Operating Officer. And it's really hard for us to talk about anything without talking about technology or how it impacts the operation or how it impacts our customer. It's really, really meshing together for sure. >> Great stuff, Linda, thanks for coming on theCUBE. Really appreciate it. United Airlines, Chief Digital Officer on the main stage here at re:Invent and now on theCUBE. I'm John Furrier, Lisa Martin. You're watching theCUBE, the tech leader in event coverage. Thanks for watching. (upbeat music)
Matt Holitza, UiPath & Gerd Weishaar, UiPath | UiPath FORWARD IV
>> From the Bellagio hotel in Las Vegas, it's theCUBE, covering UiPath FORWARD IV, brought to you by UiPath. >> Welcome back to theCUBE's coverage of UiPath's FORWARD IV, big customer event. You know, this company has always bucked the trend and they're doing it again. They're having a live event, physical event. There are customers here, partners, technologists. I'm here with Lisa Martin, my co-host for the show. And we're going to talk about testing. It's a new market for UiPath. If anybody knows anything about testing, it's kind of this mundane, repetitive process ripe for automation. Gerd Weishaar is here. He's the senior vice president of testing products at UiPath, and Matt Holitza, who's the product marketing lead at UiPath. Gents, welcome to theCUBE. Thanks for coming on. Thanks for having us feminists. Explain to us how you guys think about testing both from an internal perspective and how you're going to market. >> Yeah, well, testing has been around for a long time, right? 25 years or so. When, when I came to UiPath, the first thing I looked at was like, how do our customers test RPA? And it's quite interesting. We did a survey actually with 1500 people and, uh, 27% said that they wouldn't test at all. And I thought that's really interesting. RPA is a business critical software that runs in your production environment and you probably have to test. So we came up with this idea that we create the test suite. We're using, you know, proven technology from UiPath. And, and we built this offering and brought this into the market for RPA testing and for application testing. So we do both. And of course we use it internally as well. I mean, that will be, you know, eat your own dog food or drink your own champagne, I guess. Yeah. >> Well, think about it. If you, if you automate, if you, if there's an ROI to automate a process, there's gotta be an ROI to verify that it's going to work before it goes into production too.
And so it's amazing that a lot of companies are not doing this and they're doing it manually, um, today. >> So, so, but so, but parts of testing have been automated, haven't they, with regression testing? So can, can you guys take us through kind of the before and after and how you're approaching it versus the traditional way? >> Yeah, absolutely. I mean, like I said, testing is not new, right? Um, but still when you look at the customers, they're not automating more than, I would say, 30, 40% of the manual tests. So still a lot is done manually, which I think, and we talked about this, right, manual testing is the, the original RPA. It's a tedious, repetitive task that you should not do manually, right? And so what we are trying to bring in is now we're talking about this new role, it's called a digital tester. The digital tester is an empowered, we could call, manual tester who's able to build automation, and we believe that this will truly increase the automation, even in the existing testing market. And it's going to be, I don't want to use the word game-changer, but it's gonna change, uh, the way testing is done. Yeah. >> And we're, we're applying, um, all the capabilities of UiPath and delivering those to testers, just like we would for HR team or a, or a, a finance and accounting team. But testing even has they understand this more, they've been doing this for 20 years. They understand automation and we're going to get them things like process mining so they can figure out what tests they need to run from production data. We're going to give them task mining so they can make more human-like tests test. Exactly. Like I used to be a tester, uh, and I ran a test team. And what I used to do is I have to go out to a warehouse and I'd have to go watch people as they entered orders, to make sure I was testing it the right way. So they would like click.
We usually thought they were clicking things, but they were using hotkeys. That's just an example of what they were doing. But now we can do task, task mining to get that remotely, pull that data in and do tests and make more realistic tests. >> How much of the there's so much potential there? I think you were saying that only 27% are actually doing testing. So there's so much opportunity. I'm curious, where are your conversations within the customer organization? We know that automation is a board level investor topic. Where are you? Where are those discussions with the testing folks, the RPA folks, helping them come together? >> Well, that's interesting. The question, we typically, on the RPA side, we talk to the CoEs, the people that are professionally developing those RPAs, but very easily, we get introduced to the test side of the house. And then usually there's a joint meeting where the test people are there, the RPA people are there. And that's why we are talking about this is going to converge somehow, right? They are in different departments today. But if you think about it, if five years down the road, maybe 10 years, they might be an automation discipline for the entire enterprise. So if that answered your question about, >> Yeah, >> Yeah. And we have a customer coming presenting this afternoon, Chipotle, and they're gonna be talking about how they, both of the teams are using a test teams and the RPA teams. And they built a reusable component library that, so when they built RPA team built their automations, they put them in a reusable library and the test team is able to recreate their tests much faster, reusing about 70% of the components.
And so when the, when you think of automation, they're thinking about automating the application, not automating a process or a test so that people can use those like Lego blocks and build it if they're doing so, they could even, even IT automation, if they wanted to start doing IT automation, they could pull those components out and use those. >> This is game changing is quality because so often, because in this day and age of agile, it's like move fast and break things. A lot of things break. And when we heard this morning in the keynotes, how you guys are pushing code like a couple of times a week, I mean, it's just a constant. And then you do two big releases. Okay. I get, I get it for the on-prem. But when you're pushing code that fast, you don't have time to test everything. There's a lot of stuff that's unknown. And so to the extent that you can compress all those checkboxes, now I can focus on the really important things that sometimes are architectural. How do you expect applying RPA to testing is going to affect the quality? Or maybe you got some examples. Chipotle. You just mentioned what, >> First of all, I mean, when you say we're pushing code like bi-weekly or so, right. We're talking about continuous development. That's what it's called. Right? It's agile. You have sprint cycles, you continue to bring new code, new code, new code, and you test all the increments with it. So it's not that you're building up a huge backlog for the testing on the RPA side. What I see is that there will be a transformation about the process, how they develop RPA at the moment. It's still done very much, I would say, in a waterfall way, which is agree, >> A big bang waterfall. >> Yeah. It will transition. We already have partners that apply agile methodologies to their actually RPA development. And that's going to change that. >> Okay.
So it's not so it's quality for those that are in testing obviously, but, but it's, but for the waterfall guys, it's, it's compressing the time to value. Oh yeah. That's going to be the big key. Yeah. That's really where it's coming. >> But he said Chipotle is, was able to reuse 70% of the automation components. Right. That's huge. I mean, you have to think about it. 70% can be reused from testing to RPA and vice versa. That's a huge acceleration. Also on the RPA side, you can automate more processes faster. If you have components that you can trust. >> So you were a tester. Yeah. So you were a cost center. Yes, exactly. >> Unnecessary. What's the budget. >> So could you think RPA and automation can flip that mindset? Yes, >> Totally. And that's one of the things we want to do is we want to turn testing from a cost center to a value center, give testers a new career path, even because really testers before all you could do is you could be more technical. Maybe you become a developer or you could be a manager, but you couldn't really become like an automation architect or a senior automation person. And now we're giving them a whole different career path to go down. So it's really exciting >> Because I know when I came out of college, I had a job offer and I wanted to be a developer, a programmer. We call them back then. And the only job I could get was as a tester. And I was like, oh, this is miserable. I'm not doing this, but there's a, there was a growth path there. They were like, Hey, do this for two or three years, maybe five years. I was like, forget it. I'm going into sales and marketing. But so what's the, what's the growth path today for the tester. And how do you see this >> Changing? So you want to go, you want to, I can take that one. No, you take it. I mean, I did it, so really it's, I mean, we're going to be giving these guys, the testing market has been kind of not innovating for years and years and years.
And so we're going to be giving these guys some new tools to make them more powerful, make even the cause. Testing is a kind of a practice that is, you know, like, like you said, you didn't like testing. I didn't like testing either. Actually I hate testing. So I automated it. Right. So, um, and so that was the first thing I did. And so I think we're going to give these guys some new tools, some ways to grow their career and some ways to be even better testers, but like, like, like we talked about process mining, test mining, like maybe they're maybe they're testing the wrong things. Maybe they're not testing, you know, maybe, you know, there, 'cause there's kind of this test-everything mentality where we need to test everything and the whole release instead of like focusing in on what changed. And so I think we'll be able to help them really focus on the testing and the quality to make it more efficient as well. However, >> So, to defend the testers, right, testers are very skilled people. Yes. They know their business, they know what to test and how to test in a way that nobody else knows that it's something we sometimes underestimate. They are not developers, so they don't write code or they don't build automations typically. But if we can equip them with tools that they can build automation, you have the brain and the muscle together, you know what I mean? You don't have to delegate the automation to some, whatever team that is maybe outsourced even, you can do it in-house. And I think to some extent, that was also the story of Chipotle, right? Yeah. Yeah. They were insourcing again because they're building their own >> And it saved them time because they have deal is handoffs, you know, to an external third party to do the testing for them. And so they pulled it all in, made things much more streamlined and efficient. How >> Is that?
It seems like a big cultural shift within any type of organization in any industry we're using as an example here, how does UiPath help facilitate that cultural shift? 'Cause that's big and we're talking about really reducing, um, or speeding time to value. >> Right. Right. And it is a lot of the agile methodology is like, we're starting. So it's kind of like, we're going back in time, you know, and we're teaching these people, you know, the RPA community, all of the things that we learned from software development. Right. And so we're going to bring applying that to this. And so all those agile mindset, the, the agile values, you know, those are the things that are going to help them kind of come together. And that's one of the things that Julie talked about is one of the things is they had a kind of agile mindset, a can-do attitude that pulled them together. >> I think one thing that will really help with changing the culture is empowering the people. If you give them the tools that they can do, they will do, and that will change the culture. I don't think it can come from top down. It needs to come from within and from the people. And that's what we see also with RPA, by the way, is adopted on department level and they build automations. And then at some point it becomes maybe an enterprise-wide initiative, right. But somebody in HR had this idea and started >> The other thing too, is Matt, you mentioned this, you could go to a third party. So what years ago? In the early 2000s, we had a software company. We would use a company called agile on. They were us. I don't know if you ever heard of them. They're basically, we're a job shop. And we would throw our code over the very waterfall, throw the code over the fence. It was a black box and it was very asynchronous. And it would come back, you know, weeks later. And they say, I fix this, fix this, but we didn't have the analytics we didn't have. There was no transparency. Had we had that.
We would have maybe come up with new ideas or a way to improve it because we knew the product way better. And so if you can bring that in-house, now you've got much better visibility. So what, what analytics are analytics a piece of this? >> Is that something that is so, I mean, I'll give you an example, SAP systems, right? When you have SAP systems, customers apply transports like five or 10 a day. Every transport can change the system in a way that you might break the automation. We have the possibility to actually not only understand what's going on in this system with process mining, but we also have the possibility to do change impact mining, and change impact mining tells me with every process, every transport I apply, what has changed, and we can pinpoint the test cases that you need to run. So instead of running a thousand test cases, every time we pinpoint 50 of them and you know exactly what has changed. Yeah. >> That's right. 'Cause a lot of times you don't know what you don't know. And you're saying the machine is basically saying focus on these areas that are going to give you the biggest, that's kind of Amdahl's law, isn't it, focus on the areas that are going to get the most return. Yeah. So this is a new business for UiPath. You guys are targeting this as a market segment. Can you tell us more about that? >> We joined about two years ago. It takes some time to build something, right. There was a lot of proven technology there. And then we launched, uh, I think it was in July last year, which was more like a, uh, private launch. We, we didn't make much noise around it and it's gaining a lot of traction. So it's several hundred customers have already jumped on their test bandwagon, if you can call it this way. And yeah, this, this year we were pushing full speed into the testing market as well, because we see the benefits that customers get when they use both like the story from Chipotle.
It has other customers like Cisco and, and more, when you hear the stories, what they were able to achieve. I mean, that's a no-brainer I think for any customer who wants to improve the automation. Yeah. >> Well, and also we're taking production grade automation and giving it to the testers and we're giving them this advanced AI so they can automate things. They weren't able to automate before, like Citrix virtual virtualized machines, point of sale systems, like 12 layer, any other business would have, they can automate all those things now that they couldn't do before, as well as everything else. And then they can also the testing tools, they talked about fragmentation this morning. That's another problem is there's a tool for mobile. There's a tool for this. There's a tool for APIs. You have all these tools, you have to learn all these languages. We're going to give them one. They can learn and use and apply to all their technologies. And it's easy to use and it's easy to use. Yeah. >> That's kind of been the mantra of UiPath for very long time, easy to use making, making RPA simple. We've got 8,000 plus customers. You mentioned a few of them. We're going to have some of them on the program this week. How do you expect good question for you that stat that you mentioned from that survey in the very beginning of our conversation, how do you expect that needle to move in the next year? Because we're seeing so much acceleration because of the pandemic. >> That's a really good question because the questions that we had in the, after we had the first hundred, right? The values didn't change that much. So we have now 1500 and you would assume that is pretty stable from the data. It didn't change that much. So we're still at 27% that are not testing. And that's what we see as our mission. We want to change that no customer that has more than, I dunno, five processes in production should not like not test that's crazy and we can help. And that's our mission.
So, but the data is not changing. That's the interesting part. >> I know, I know we're out of time, but, but we're how do you price this? Is it a, is it a set? Is it a subscription? Is it a usage based model? How, how do you, >> It's fully included in the UiPath tool suite. So it means it's on the cloud and on-prem the pricing is the same. We are using this. There >> It is. Yeah. >> It's the same components. Like, like we're using studio for automation, we're using orchestrator, but we're using robots. We have cloud test manager on prem test manager. It's just a part of the >> Value, add that you're putting into the platform. Yeah, yeah, >> Exactly. Yeah. There are components that are priced. Yes. But I mean, it's part of the platform, how it is delivered. >> Yeah. So I paid for that module and you turn it on and use it. So it's a subscription. It could be an annual term if I want multi-year term. I can do that. Exactly. Good. Great guys. Thanks so much for coming on theCUBE and good luck with this. Thank you. Great, great innovations. Okay. Keep it right there. Dave Vellante for Lisa Martin, we'll be back with our coverage of UiPath FORWARD IV, from the Bellagio in Las Vegas. Keep it right there.
Matt Holitza, UiPath & Gerd Weishaar, UiPath | UiPath FORWARD IV
>> From the Bellagio hotel in Las Vegas, it's theCUBE, covering UiPath FORWARD IV, brought to you by UiPath. >> Welcome back to theCUBE's coverage of UiPath's FORWARD IV, big customer event. You know, this company has always bucked the trend and they're doing it again. They're having a live event, physical event. There are customers here, partners, technologists. I'm here with Lisa Martin, my co-host for the show. And we're going to talk about testing. It's a new market for UiPath. If anybody knows anything about testing, it's kind of this mundane, repetitive process ripe for automation. Gerd Weishaar is here. He's the senior vice president of testing products at UiPath, and Matt Holitza, who's the product marketing lead at UiPath. Gents, welcome to theCUBE. Thanks for coming on. Thanks for having a feminist Likert. Explain to us how you guys think about testing both from an internal perspective and how you're going to market. >> Yeah, well, testing has been around for a long time, right? 20 twenty-five years or so. When, when I came to UiPath, the first thing I looked at was like, how do our customers test RPA? And it's quite interesting. We did a survey actually with 1500 people and, uh, 27% said that they wouldn't test at all. And I thought that's really interesting. RPA is a business critical software that runs in your production environment and you probably have to test. So we came up with this idea that we create the test suite. We're using, you know, proven technology from UiPath. And, and we built this offering and brought us into market for RPA testing in for application testing. So we do both. And of course we use it internally as well. I mean, that will be, you know, eat your own dog food or drink your own champagne, I guess. So >> I want to think about it. If you, if you automate, if you, if there's an ROI to automate a process, there's gotta be an ROI to verify that it's going to work before it goes into production too.
And so it's amazing that a lot of companies are not doing this and they're doing it manually, um, today. >> So, so, but so, but parts of testing have been automated, haven't they, with regression testing? So can, can you guys take us through kind of the before and after and how you're approaching it versus the traditional? >> Yeah, absolutely. I mean, like I said, testing is not new, right? Um, but still when you look at the customers, they're not automating more than, I would say, 30, 40% of the manual tests. So still a lot is done manually, which I think, and we talked about this, right, manual testing is the, the original RPA. It's a tedious, repetitive task that you should not do manually, right? And so what we are trying to bring in is now we're talking about this new role, it's called the digital tester. The digital tester is an empowered, we could call, manual tester who's able to build automation, and we believe that this will truly increase the automation, even in the existing testing market. And it's going to be, I don't want to use the word game changer, but it's going to change, uh, the way testing is done. Yeah. >> And we're, we're applying, um, all the capabilities of UiPath and delivering those to testers, just like we would for HR team or a, or a, a finance and accounting team. But testing even has they understand this more, they've been doing this for 20 years. They understand automation and we're going to give them things like process mining so they can figure out what tests they need to run from production data. We're going to give them task mining so they can make more human-like tests test. Exactly. Like I used to be a tester and I ran a test team. And what I used to do is I have to go out to a warehouse and I'd have to go watch people as they entered orders, to make sure I was testing it the right way. So they would like click. We usually thought they were clicking things, but they were using hotkeys.
That's just an example of what they were doing. But now we can do task mining to get that remotely, pull that data in and do tests and make more realistic tests. >> So much of the there's so much potential there. I think you were saying that only 27% are actually doing testing. So there's so much opportunity. I'm curious, where are your conversations within the customer organization? We know that automation is a board level investor topic. Where are you? Where are those discussions with the testing folks, the RPA folks, helping them come together? >> Well, that's an interesting question. Uh, we typically, on the RPA side, we talk to the CoEs, right? The people that are professionally developing those RPAs, but very easily, we get introduced to the test side of the house. And then usually there's a joint meeting where the test people are there, the RPA people are there. And that's why we are talking about this is going to converge somehow, right? They are in different departments today. But if you think about it, five years down the road, maybe 10 years, they might be at an automation discipline for the entire enterprise. So if that answered your question about, >> Yeah. >> Going to require a cultural shift. Yeah. And we have a customer coming presenting this afternoon, and they're gonna be talking about how they, both of the teams are using a test teams and the RPA teams. And they built a reusable component library that, so when they built, RPA team built their automations, they put them in a reusable library and the test team is able to recreate their test much faster, reusing about 70% of the components. And so when the, when you think of automation, they're thinking about automating the application, not automating a process or a test, so that people can use those like Lego blocks and build it if they're doing so, they could even, even IT automation, if they wanted to start with an IT automation, they could pull those components out and use those. 
>> I think this is game changing is quality because so often, because in this day and age of agile, it's like move fast and break things. A lot of things break. And when we heard this morning in the keynotes, how you guys are pushing code like a couple of times a week, I mean, it's just a constant. And then you do two big releases. Okay. I get, I get it for the on-prem. But when you're pushing code that fast, you don't have time to test everything. There's a lot of stuff that's unknown. And so to the extent that you can compress all those check boxes, now I can focus on the really important things that sometimes are architectural. How do you expect applying RPA to testing is going to affect the quality? Or maybe you've got some examples. Chipotle, you just mentioned, >> First of all, I mean, when you say we're pushing code like bi-weekly or so, right. We're talking about continuous development. That's what it's called. Right? It's agile. You have sprint cycles, you continue to bring new code, new code, new code, and you test all the increments with it. So it's not that you're building up a huge backlog for the testing on the RPA side. What I see is that there will be a transformation about the process, how they develop RPA. At the moment, it's still done very much, I would say, in a waterfall way, which is agree. A big bang waterfall. Yeah. It will transition. We already have partners that apply agile methodologies to their actual RPA development. And that's going to change that. >> Okay. So it's not so it's quality for those that are in testing obviously, but, but it's, but for the waterfall guys, it's, it's compressing the time to value. Oh yeah. That's going to be the big key. That's really worth. >> I mean, what he said is Chipotle was able to reuse 70% of the automation components. Right. That's huge. I mean, you have to think about it. 70% can be reused from testing to RPA and vice versa. That's a huge acceleration. 
Also on the RPA side, you can automate more processes faster, if you have components that you can trust. >> So you were a tester. Yeah. So you were a cost center. Yes, exactly. >> Unnecessary. What's the budget. >> So could you think RPA and automation can flip that mindset? >> Yeah, totally. And that's one of the things we want to do is we want to turn testing from a cost center to a value center, give testers new career paths, even, because really testers before, all you could do is you could be more technical. Maybe you become a developer or you can be a manager, but you couldn't really become like an automation architect or a senior automation person. And now we're giving them a whole different career path to go down. So it's really exciting. >> 'Cause I know when I came out of college, I had a job offer and I wanted to be a developer, a programmer, we called them back then. And the only job I could get was as a tester. And I was like, oh, this is miserable. I'm not doing this, but there's a, there was, there's a growth path there. They were like, Hey, do this for two or three years, maybe five years. I was like, forget it. I'm going into sales and marketing. But so what's the, what's the growth path today for the tester? And how do you see this changing? >> So you want to go, you want to, I can take that one. No, you take it. So that's a really, yeah. I mean, I did it, so really it's, I mean, we're going to be giving these guys, the testing market has been kind of not innovating for years and years and years. And so we're going to be giving these guys some new tools to make them more powerful, make even the cause. Testing is a kind of a practice that is, you know, like, like you said, you, you didn't like testing. I didn't like testing either. Actually I hate testing. So I automated it. So, um, and so that was the first thing I did. 
And so I think we're going to give these guys some new tools, some ways to grow their career and some ways to be even better testers, but like, like, like we've talked about process mining, test mining, like maybe they're, maybe they're testing the wrong things. Maybe they're not testing, you know, maybe, you know, there, 'cause there's kind of this test everything mentality, we need to test everything and the whole release instead of like focusing in on what changed. And so I think we'll be able to help them really focus on the testing and the quality to make it more efficient as well. >> Go ahead. So, just to defend the testers, right? Testers are very skilled people. Yes. They know their business, they know what to test and how to test in a way that nobody else knows. That's something we sometimes underestimate. They are not developers, so they don't write code and they don't build automations typically. But if we can equip them with tools that they can build automation, you have the brain and the muscle together, you know what I mean? You don't have to delegate the automation to some, whatever team that is maybe outsourced even. You can do it in-house, and I think to some extent, that was also the story of Chipotle, insourcing again, because they're building their own automation. Yeah. >> And it saved them time because they have deal is handoffs, you know, to an external third party to do the testing for them. And so they pulled it all in, made things much more streamlined and efficient. How >> Is that? It seems like a big cultural shift within any type of organization in any industry. We're using Chipotle as an example here, how does UiPath help facilitate that cultural shift? Because that's big and we're talking about really reducing, um, or speeding time to value. >> Right. Right. And it is a lot of the agile methodologies like we're starting. 
So it's kind of like, we're going back in time, you know, and we're teaching these people, you know, the RPA community, all of the things that we learned from software development. Right. And so we're going to be applying that to this. And so all those agile mindset, the agile values, you know, those are the things that are going to help them kind of come together. And that's one of the things that Julie talked about is one of the things is they had a, kind of an agile mindset, a can-do attitude that pulled them down. >> And I think one thing that will really help with changing the culture is empowering the people. If you give them the tools that they can do, they will do, and that will change the culture. I don't think it can come from top down. It needs to come from within and from the people. And that's what we see also with RPA, by the way, it's adopted on department level and they build automations. And then at some point it becomes maybe an enterprise wide initiative, right. But somebody in HR had this idea and started >> The other thing too, is Matt, you mentioned this, you'd go to a third party. So years ago in the early two thousands, we had a software company. We would use a company called agile on. They were, so I don't know if you ever heard of them. They're basically, were a job shop. And we would throw our code over the very waterfall, throw the code over the fence. It was a black box and it was very asynchronous. And it would come back, you know, weeks later. And they say, oh, I fixed this, fixed this, but we didn't have the analytics, we didn't have, there was no transparency. Had we had that, we would have maybe come up with new ideas or have way to improve it because we knew the product way better. And so if you can bring that in-house, now you've got much better visibility. So what, what analytics, are analytics a piece of this? And is that something? Yeah. >> Yeah. So, I mean, I'll give you an example, SAP systems, right? 
When you have SAP systems, customers apply transports like five or 10 a day. Every transport can change the system in a way that you might break the automation. We have the possibility to actually not only understand what's going on in this system with process mining, but we also have the possibility to do change impact mining, and change impact mining tells me with every process, every transport I apply, what has changed, and we can pinpoint the test cases that you need to run. So instead of running a thousand test cases every time, we pinpoint 50 of them and you know exactly what has changed. Yeah. >> That's right. Because a lot of times you don't know what you don't know. And you're saying the machine is basically saying focus on these areas that are going to give you the biggest, that's kind of Amdahl's law, isn't it? Focus on the areas that are going to get the most return. Yeah. So this is a new business for UiPath. You guys are targeting this as a market segment. Can you tell us more about that? >> We joined about two years ago. It takes some time to build something, right. There was a lot of proven technology there. And then we launched, uh, I think it was in July last year, which was more like a private launch. We, we didn't make much noise around it and it's gaining a lot of traction. So it's several hundred customers have already jumped on that test bandwagon, if you can call it this way. And yeah, this, this year we are pushing full speed into the testing market as well, because we see the benefits that customers get when they use both, like the story from Chipotle. It has other customers like Cisco and, and more, when you hear the stories, what they were able to achieve. I mean, that's a no-brainer I think for any customer who wants to improve the automation. Yeah. >> Well, and also we're taking production grade automation and giving it to the testers and we're giving them this advanced AI so they can automate things. 
They weren't able to automate before, like Citrix, virtualized machines, point of sale systems, like 12 layer, any other business would have, they can automate all those things now that they couldn't do before, as well as everything else. And then they can also, the testing tools, they talked about fragmentation this morning. That's another problem, is there's a tool for mobile. There's a tool for this. There's a tool for APIs and you have all these tools. You have to learn all these languages. We're going to give them one that they can learn and use and apply to all their technologies. And it's easy to use and it's easy to use. Yeah. >> That's kind of been the mantra of UiPath for a very long time, easy to use, making, making RPA simple. We've got 8,000 plus customers. You mentioned a few of them. We're going to have some of them on the program this week. How do you expect good question for you, that stat that you mentioned from that survey in the very beginning of our conversation, how do you expect that needle to move in the next year? Because we're seeing so much acceleration because of the pandemic. >> A really good question, because the questions that we had in the beginning after we had the first hundred, right? The values didn't change that much. So we have now 1500 and you would assume that is pretty stable from the data. It didn't change that much. So we're still at 27% that are not testing. And that's what we see as our mission. We want to change that. No customer that has more than, I dunno, five processes in production should not like not test, that's crazy, and we can help. And that's our mission. So, but the data is not changing. That's the interesting part. >> And I know, I know we're out of time, but, but we're, how do you price this? Is it a, is it a set? Is it a subscription? Is it a usage based model? How >> It's fully included in the UiPath tool suite. So it means it's on the cloud and on-prem, the pricing is the same. We are using this. 
There it is. Yeah. It's the same components. Like, like we're using studio for automation, we're using orchestrator, but we're using robots. We have cloud test manager, on-prem test manager. It's just a part of the, >> So it's a value add that you're putting into the platform. Yeah, yeah, exactly. >> Yeah. There are components that are priced. Yes. But I mean, it's part of the platform, how, >> But it's a module. So I paid for that module and you turn it on and then they can use it. So it's a subscription. It could be an annual term, if I want multi-year term, I can do that. Exactly. Good. Great guys. Thanks so much for coming on theCUBE and good luck with this. Thank you. Great, great innovations. Okay. Keep it right there. Dave Vellante for Lisa Martin, we'll be back with our coverage of UiPath FORWARD IV, from the Bellagio in Las Vegas. Keep it right there.
Anahad Dhillon, Dell EMC | CUBE Conversation, October 2021
(upbeat music) >> Welcome everybody to this CUBE Conversation. My name is Dave Vellante, and we're here to talk about Object storage and the momentum in the space. And what Dell Technologies is doing to compete in this market, I'm joined today by Anahad Dhillon, who's the Product Manager for Dell EMC's ECS, and new ObjectScale products. Anahad, welcome to theCUBE, good to see you. >> Thank you so much Dave. We appreciate you having me and Dell (indistinct), thanks. >> It's always a pleasure to have you guys on, we dig into the products, talk about the trends, talk about what customers are doing. Anahad, before the Cloud, Object was this kind of niche we seen. And you had simple get, put, it was a low cost bit bucket essentially, but that's changing. Tell us some of the trends in the Object storage market that you're observing, and how Dell Technologies sees this space evolving in the future please. >> Absolutely, and you hit it right on, right? Historically, Object storage was considered this cheap and deep place, right? Customers would use this for their backup data, archive data, so cheap and deep, no longer the case, right? As you pointed out, the Object space is now maturing. It's a mature market and we're seeing out there customers using Object for their primary data, so for their business critical data. So we're seeing big data analytics use cases. So it's no longer just cheap and deep, now your primary workloads and business critical workloads being put on an object storage now. >> Yeah, I mean. >> And. >> Go ahead please. >> Yeah, I was going to say, there's not only the extent of the workload being put in, we'll also see changes in how Object storage is being deployed. So now we're seeing a tighter integration with new depth models where Object storage or any storage in general is being deployed. Our applications are being (indistinct), right? 
So customers now want Object storage or storage in general being orchestrated like they would orchestrate their customer applications. Those are the few key trends that we're seeing out there today. >> So I want to dig into this a little bit with you 'cause you're right. It used to be, it was cheap and deep, it was slow and it required sometimes application changes to accommodate. So you mentioned a few of the trends, Devs, everybody's trying to inject AI into their applications, the world has gone software defined. What are you doing to respond to all these changes in these trends? >> Absolutely, yeah. So we've been making tweaks to our object offering, the ECS, Elastic Cloud Storage, for a while. We started off tweaking the software itself, optimizing it for performance use cases. In 2020, early 2020, we actually introduced SSDs to our nodes. So customers were able to go in, leverage these SSDs for metadata caching, improving their performance quite a bit. We use these SSDs for metadata caching. So the impact on the performance improvement was focused on smaller reads and writes. What we did now is a game changer. We actually went ahead later in 2020, introduced an all flash appliance. So now, EXF900, an ECS all flash appliance, it's all NVMe based. So it's NVMe SSDs and we leveraged NVMe over fabric for the back end. So we did it the right way. We didn't just go in and qualify an SSD based server and run object storage on it, we invested time and effort into supporting NVMe fabric. So we could give you that performance at scale, right? Object is known for scale. We're not talking 10, 12 nodes here, we're talking hundreds of nodes. And to provide you that kind of performance, we went ahead. Now you've got an NVMe based offering, EXF900, that you can deploy with confidence, run your primary workloads that require high throughput and low latency. We also, come November 5th, are releasing our next gen SDS offering, right? 
This takes the proven ECS code that our customers are familiar with, that provides the resiliency and the security that you guys expect from Dell. We're re-platforming it to run on Kubernetes and be orchestrated by Kubernetes. This is what we announced at VMworld 2021. If you guys haven't seen that, is going to go on-demand for VMworld 2021, search for ObjectScale and you get a quick demo on that. With ObjectScale now, customers can quickly deploy enterprise grade Object storage on their existing environment, their existing infrastructure, things like VMware, infrastructure like VMware and infrastructure like OpenShift. I'll give you an example. So if you were in a VMware shop, that you've got vSphere clusters in your data center, with ObjectScale, you'll be able to quickly deploy your enterprise-grade Object offering from within vSphere. Or if you are an OpenShift customer, right? If you've got OpenShift deployed in your data center and you're a Red Hat shop, you could easily go in, use that same infrastructure that your applications are running on, deploy ObjectScale on top of your OpenShift infrastructure and make available Object storage to your customers. So you've got the enterprise grade ECS appliance for your high throughput, low latency use cases at scale, and you've got this software defined ObjectScale, which can deploy on your existing infrastructure, whether that's VMware or Red Hat OpenShift. >> Okay, I got a lot of follow up questions, but let me just go back to one of the earlier things you said. So Object was kind of cheap, deep and slow, but scaled. And so, your step one was metadata caching. Now of course, my understanding is with Object, the metadata and the data within the object. So, maybe you separated that and made it high performance, but now you've taken the next step to bring in NVMe infrastructure to really blow away all the old sort of SCSI latency and all that stuff. 
Maybe you can just educate us a little bit on that if you don't mind. >> Yeah, absolutely. Yeah, that was exactly the stepped approach that we took. Even though metadata is tightly integrated in Object world, in order to read the actual data, you still got to get to the metadata first, right? So we would cache the metadata into SSDs, reducing that lookup that happens for that metadata, right? And that's why it gave you the performance benefit. But because it was just tied to metadata look-ups, the performance for larger objects stayed the same because the actual data read was still happening from the hard drives, right? With the new EXF900, which is all NVMe based, we've optimized our ECS Object code leveraging NVMe, data sitting on NVMe drives, the internet connectivity, the communication is NVMe over fabric, so it's through and through NVMe. Now we're talking milliseconds and latency and thousands and thousands of transactions per second. >> Got it, okay. So this is really an inflection point for Objects. So these are pretty interesting times at Dell, you got the cloud expanding on prem, your company is building cloud-like capabilities to connect on-prem to the cloud, across cloud, you're going out to the edge. As it pertains to Object storage though, it sounds like you're taking a sort of a two product approach to your strategy. Why is that, and can you talk about the go-to market strategy in that regard? >> Absolutely, and yeah, good observation there. So yes and no, so we continued to invest in ECS. ECS continues to stay a product of choice when customer wants that traditional appliance deployment model. But this is a single hand to shake model where everything from your hardware to your software, the object solution software, is all provided by Dell. ECS continues to be the product where customers are looking for that high performance, fine tune appliance use case. ObjectScale comes into play when the needs are software defined. 
When you need to deploy the storage solution on top of the same infrastructure that your applications are run, right? So yes, in the short-term, in the interim, it's a two product approach of both products taking a very distinct use case. However, in the long-term, we're merging the two code streams. So in the long-term, if you're an ECS customer and you're running ECS, you will have an in-place data upgrade to ObjectScale. So we're not talking about no forklift upgrades, we're not talking about you're adding additional servers and do a data migration, it's a code upgrade. And then I'll give you an example, today on ECS, we're at code version 3.6, right? So if you're a customer running ECS, ECS 3.X in the future, and so we've got a roadmap where 3.7 is coming out later on this year. So from 3.X, customers will upgrade the code data in place. Let's call it 4.0, right? And that brings them up to ObjectScale. So there's no nodes left behind, there's an in-place code upgrade from ECS to the ObjectScale, merging the two code streams in the long-term, single code, short-term, two products for both solving the very distinct users. >> Okay, let me follow up, put on my customer hat. And I'm hearing that you can tell us with confidence that irrespective of whether a customer invested in ECS or ObjectScale, you're not going to put me into a dead-end. Every customer is going to have a path forward as long as their ECS code is up-to-date, is that correct? >> Absolutely, exactly, and very well put, yes. No nodes left behind, investment protection, whether you've got ECS today, or you want to invest into ECS or ObjectScale in the future, correct. >> Talk a little bit more about ObjectScale. I'm interested in kind of what's new there, what's special about this product, is there unique functionality that you're adding to the product? What differentiates it from other Object stores? >> Absolutely, my pleasure. 
Yeah, so I'll start by reiterating that ObjectScale, it's built on that proven ECS code, right? It's the enterprise-grade reliability and security that our customers expect from Dell EMC, right? Now we're re-platforming ECS to allow ObjectScale to be Kubernetes native, right? So we're leveraging that microservices-based architecture, leveraging that native orchestration capabilities of Kubernetes, things like resource isolation or seamless (indistinct), I'm sorry, load balancing and things like that, right? So the in-built native capabilities of Kubernetes. ObjectScale is also built with scale in mind, right? So it delivers limitless scale. So you could start with terabytes and then go up to petabytes and beyond. So unlike other file system-based Object offerings, ObjectScale software would have a limit on your number of object stores, number of buckets, number of objects you store, it's limitless. As long as you can provide the hardware resources under the covers, the software itself is limitless. It allows our customers to start small, so you could start as small as three nodes and grow their environment as your business grows, right? Hundreds of nodes. With ObjectScale, you can deploy workloads at public cloud-like scale, but with the reliability and control of a private cloud data, right? So, it's in your own data center. And ObjectScale is S3 compliant, right? So while delivering the enterprise features like global replication, native multi-tenancy, fueling everything from Dev Test Sandbox to globally distributed data, right? So you've got in-built ObjectScale replication that allows you to place your data anywhere you got ObjectScale (indistinct). From edge to core to data center. >> Okay, so it fits into the Kubernetes world. I call it Kubernetes compatible. The key there is automation, because that's the whole point of containers is, right? 
It allows you to deploy as many apps as you need to, wherever you need to, in as many instances and then do rolling updates, have the same security, same API, all that level of consistency. So that's really important. That's how modern apps are being developed. We're in a new age here. It's no longer about the machines, it's about infrastructure as code. So once ObjectScale is generally available, which I think is soon, I think it's this year, what should customers do, what's their next step? >> Absolutely, yeah, it's coming out November 2nd. Reach out to your Dell representatives, right? Get an in-depth demo on ObjectScale. Better yet, you get a POC, right? Get a proof of concept, have it set up in your data center and play with it. You can also download the free full featured community edition. We're going to have a community edition that's free up to 30 terabytes of usage, it's full featured. Download that, play with it. If you like it, you can upgrade that free community edition to a licensed paid version. >> And you said that's full featured. You're not neutering the community edition? >> Exactly, absolutely, it's full featured. >> Nice, that's a great strategy. >> We're confident, we're confident in what we're delivering, and we want you guys to play with it without having your money tied up. >> Nice, I mean, that's the model today. Gone are the days where you got to get new customers in a headlock to get them to, they want to try before they buy. So that's a great little feature. Anahad, thanks so much for joining us on theCUBE. Sounds like it's been a very busy year and it's going to continue to be so. Look forward to see what's coming out with ECS and ObjectScale and seeing those two worlds come together, thank you. >> Yeah, absolutely, it was a pleasure. Thank you so much. >> All right, and thank you for watching this CUBE Conversation. This is Dave Vellante, we'll see you next time. (upbeat music)