>> Announcer: Live from San Francisco, it's theCUBE covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >> Okay, welcome back, everyone, to CUBE's coverage here in San Francisco at RSA Conference 2020. I'm John Furrier, your host. You know, cybersecurity industry's changing. Enterprises are now awake to the fact that it's now a bigger picture around securing the enterprise, 'cause it's not only the data center. It's cloud, it's the edge, a lot of great stuff. We've got a great guest here from Dell EMC. Peter Gerr's a consultant, cyber resilience solutions and services marketing at Dell EMC. Great to see you. >> You too, John. >> Thanks for coming on. >> Good to see you again, thank you. >> So, you know, I was joking with Dave Volante just this morning around the three waves of cloud, public cloud, hybrid cloud, multicloud. And we see obviously the progression. Hybrid cloud is where everyone spends most of their time. That's from ground to cloud, on-premises to cloud. So pretty much everyone knows-- >> Peter: On-ramp, kind of. >> That on-prem is not going away. Validated by all the big cloud players. but you got to nail the equation down for on-premises to the cloud, whether it's, I'm Amazon-Amazon, Azure-Azure, whatever, all those clouds. But the multicloud will be a next generation wave. That as an industry backdrop is very, very key. Plus AI and data are huge inputs into solving a lot of what is going to be new gaps, blind spots, whatever insecurity. So I got to, you know, Dell has a history with huge client base, traditional enterprises transforming. You're in the middle of all this, so you got the airplane at 30,000 feet and the companies have to swap out their engines and reboot their teams, and it's a huge task. What's going on with cyber and the enterprises? What are some of the key things? >> Well, so I like to keep it pretty simple. I've been in this industry over 20 years and I've really consistently talked about data as the global currency, right? So it's beautifully simple. Whatever industry you're in, whatever size company you're in, enterprise or even now small to medium businesses, their businesses are driven by data. Connectivity to that data, availability of the data, integrity of the data, and confidentiality of the data. And so sort of the area of the world that I focus upon is protecting customers' most valuable data assets, now, whether those are on-prem, in the cloud, or in a variety of modalities, and ensuring that those assets are protected and isolated from the attack surface, and then ability to recover those critical assets quickly so they can resume business operations. That's really the area that I work in. Now, that data, as you pointed out, it could start on-prem. It could live in multicloud. It can live in a hybrid environment. The key is really to understand that not all data is created equally. If you were to have a widespread cyber attack, really the key is to bring up those critical applications systems and data sets first to return to business operations. >> Yeah, it's funny-- >> Peter: It's really challenging >> You know, it's not funny, it's actually just ironic, but it's really kind of indicative of the society now is that EMC was bought by Dell Storage and the idea of disruption has always been a storage concept. We don't want a lot of disruption when we're doing things, right? >> Peter: None, we can't, yeah. >> So whether it's backup and recovery or cyber ransomware, whatever it is, the idea of non-disruptive operations-- >> Absolutely. >> Has been a core tenant. Now, that's obviously the same for cyber, as you can tell. So I got to ask you, what is your definition and view of cyber resilience? Because, well, that's what we're talking about here, cyber resilience. What's your view on that? >> So when we started developing our cyber recovery solution about five years ago, we used the NIST cybersecurity framework, which is a very well-known standard that defines really five pillars of how organizations can think about building a cyber resilience strategy. A cyber resilience strategy really encompasses everything from perimeter threat detection and response all the way through incident response after an attack and everything that happens in between, protecting the data and recovering the data, right? And critical systems. So I think of cyber resilience as that holistic strategy of protecting an organization and its data from a cyber attack. >> That's great insight. I want to get your thoughts on how that translates into the ecosystem, because this is an ecosystem around cyber resilience. >> Peter: Absolutely. >> And let's just say, and you may or may not be able to comment on this, but RSA is now being sold. >> Peter: Yeah, no, that's fair. >> So that's going out of the Dell family. But you guys have obviously VMware and Secureworks. But it's not just you guys. It's an ecosystem. >> It really is. >> How does Dell now without, with and without RSA, fit into the ecosystem? >> So as I mentioned, cyber resilience is really thought of as a holistic strategy. RSA and other Dell assets like Carbon Black fit in somewhere in that continuum, right? So RSA is really more on threat detection and response, perimeter protection. The area of the business that I work on, data protection and cyber recovery, really doesn't address the prevention of attacks. We really start with the premise that preventing a cyber attack is not 100% possible. If you believe that, then you need to look at protecting and recovering your assets, right? And so whether it's RSA, whether it's Carbon Black, whether it's Secureworks, which is about cyber incident and response, we really work across those groups. It's about technology, processes, and people. It's not any one thing. We also work outside of the Dell technologies umbrella. So we integrate, our cyber recovery solution is integrated with Unisys Stealth. So there's an example of how we're expanding and extending the cyber recovery solution to bring in other industry standards. >> You know, it's interesting. I talk to a lot of people, like, I'm on theCube here at RSA. Everyone wants better technology, but there's also a shift back to best-of-breed, 'cause you want to have the best new technology, but at the same time, you got to have proven solutions. >> Peter: That's the key. >> So what are you guys selling, what is the best-of-breed from Dell that you guys are delivering to customers? What are some of the areas? >> So I'm old EMC guy myself, right? And back from the days of disaster recovery and business continuity, right? More traditional data protection and backup. The reality is that the modern threats of cyber hackers, breaches, insider attacks, whatever you like, those traditional data protection strategies weren't built to address those types of threats. So along with transformation and modernization, we need to modernize our data protection. That's what cyber recovery is. It's a modern solution to the modern threat. And what it does is it augments your data, excuse me, your disaster recovery and your backup environment with a purpose-built isolated air gap digital vault which is built around our proven Data Domain and PowerProtect DD platforms that have been around for over a decade. But what we've done is added intelligence, analytics, we've hardened that system, and we isolate it so customers can protect really their most valuable assets in that kind of a vault. >> So one of things I've been doing some research on and digging into is cyber resilience, which you just talked about, cyber security, which is the industry trend, and you're getting at cyber recovery, okay? >> Peter: Correct. >> Can you talk about some examples of how this all threads together? What are some real recent wins or examples? >> Sure, sure. So think of cyber recovery as a purpose-built digital vault to secure your most valuable assets. Let me give you an example. One of our customers is a global paint manufacturer, okay? And when we worked with them to try to decide what of their apps and data sets should go into this cyber recovery vault, we said, "What is the most critical intellectual property "that you have?" So in their case, and, you know, some customers might say my Oracle financials or my Office 365 environment. For this customer it was their proprietary paint matching system. So they generate $80 to $100 million every day based upon this proprietary paint matching system which they've developed and which they use every day to run their business. If that application, if those algorithms were destroyed, contaminated, or posted on the public internet somewhere, that would fundamentally change that company. So that's really what we're talking about. We're working with customers to help them identify their most critical assets, data, systems, applications, and isolate those from the threat vector. >> Obviously all verticals are impacted by cyber security. >> Every vertical is data-driven, that's right. >> And so obviously the low-hanging fruit, are they the normal suspects, financial services? Is there a particular one that's hotter than, obviously financial services has got fraud and all that stuff on it, but is that still number one, or-- >> So I think there's two sides to the coin. One, if you look at the traditional enterprise environments, absolutely financial services and healthcare 'cause they're both heavily regulated, therefore that data has very high value and is a very attractive target to the would-be hackers. If you look on the other end of the spectrum, though, the small to medium businesses that all rely on the internet for their business to run, they're the ones that are most susceptible because they don't have the budgets, the infrastructure, or the expertise to protect themselves from a sophisticated hacker. So we work across all verticals. Obviously the government is also very susceptible to cyber threats. But it's every industry, any business that's data-driven. I mean, everyone's been breached so many times, no one even knows how many times. I got to ask you about some cool trends we're reporting on here. Homomorphic encryption is getting a lot of traction here because financial services and healthcare are two-- >> Peter: Homomorphic? >> Homomorphic, yeah. Did I say that right? >> It's the first time I've ever heard that term, John. >> It's encryption at in use. So you have data at rest, data in flight, and data in use. So it's encryption when you're doing all your, protecting all your transactional data. So it's full implementation with Discovery. Intel's promoting it. We discovered a startup that's doing that, as well. >> Peter: Yeah, that's new for me, yeah. >> But it allows for more use cases. But data in use, not just motion, or in-flight, whatever they call it. >> Peter: I get it, yeah, static. >> So that's opening up these other thing. But it brings up the why, why that's important, and the reason is that financial services and healthcare, because they're regulated, have systems that were built many moons ago or generations ago. >> Absolutely. >> So there was none of these problems that you were mentioning earlier, like, they weren't built for that. >> Correct. >> But now you need more data. AI needs sharing of data. Sharing is a huge deal. >> Real-time sharing, too, right? >> Real-time sharing. >> And I think that's where the homomorphic encryption comes in. >> That's exactly right. So you mentioned that. So these industries, how can they maintain their existing operations and then get more data sharing? Do you have any insight into how you see that? Because that's one of those areas that's becoming like, okay, HIPAA, we know why that was built, but it's also restrictive. How do you maintain the purity of a process-- >> If your infrastructure is old? That is a challenge, healthcare especially, because, I mean, if I'm running a health system, every dollar that I have should really go into improving patient care, not necessarily into my IT infrastructure. But the more that every industry moves towards a real-time data-driven model for how we give care, right, the more that companies need to realize that data drives their business. They need to do everything they can to protect it and also ensure that they can recover it when and if a cyber attack happens. >> Well, I really appreciate the insight, and it's going to be great to see Dell Technologies World coming up. We'll dig into a lot of that stuff. While we're here and talking us about some of these financial services, banking, I want to get your thoughts. I've been hearing this term Sheltered Harbor being kicked around. What is that about? What does that mean? >> Sheltered Harbor, you're right, I think you'll hear a lot more about it. So Sheltered Harbor is a financial industries group and it's also a set of best practices and specifications. And really, the purpose of Sheltered Harbor is to protect consumer and financial institutions' data and public confidence in the US financial system. So the use case is this. You can imagine that a bank having a cyber attack and being unable to produce transactions could cause problems for customers of that bank. But just like we were talking about, the interconnectedness of the banking system means that one financial institution failing because of a cyber attack, it could trigger a cascade and a panic and a run on the US financial banks and therefore the global financial system. Sheltered Harbor was developed to really protect public confidence in the financial system by ensuring that banks, brokerages, credit unions are protecting their customer data, their account records, their most valuable assets from cyber attack, and that they can recover them and resume banking operations quickly. >> So this is an industry group? >> It's an industry group. >> Or is it a Dell group or-- >> No, Sheltered Harbor is a US financial industry group. It's a non-profit. You can learn more about it at shelteredharbor.org. The interesting thing for Dell Technologies is we're actually the first member of the Sheltered Harbor solution provider program, and we'll be announcing that shortly, in fact, this week, and we'll have a cyber recovery for Sheltered Harbor solution in the market very shortly. >> Cyber resilience, great topic, and you know, it just goes to show storage is never going away. The basic concepts of IT, recovery, continuous operations, non-disruptive operations. Cloud scale changes the game. >> Peter: It's all about the data. >> It's all about the data. >> Still, yes, sir. >> Thanks for coming on and sharing your insights. >> Thank you, John. >> RSA coverage here, CUBE, day two of three days of coverage. I'm John Furrier here on the ground floor in Moscone in San Francisco. Thanks for watching (electronic music)

>> Announcer: Live from San Francisco, it's theCUBE covering RSA Conference 2020, San Francisco. Brought to you by SiliconANGLE Media. >> Welcome back everybody, Jeff Frick with theCUBE. We're at RSA 2020. It's day four, it's Thursday. This is a crazy long conference, 40,000 people. Even with the challenges presented by coronavirus, and there's a lot of weird stuff going on, the team pulled it together, they went forward. And even though there was drops out here and there, I think all in all, most people will tell you, it's been a pretty successful conference. And we're excited to be joined by really one of the top level sponsors here, that's still here and still doing good things. It's Vittorio Viare... Viarengo, sorry, the new interim CMO of McAfee. >> Yeah. >> Vittorio, I just call you Vittorio all the time. I never look past your first name. Great to see you. >> Likewise. It's always a pleasure to be here with an institution of Silicon Valley-- >> Oh thank you, thank you. So interim CMO, I always think of like interim football coaches that they get pulled in halfway through the season, so the good news is you kind of got the job and all the responsibilities. The bad news is, you still have that interim thing, but you don't care, you just go to work, right? >> Now whenever you have an interim job, you have to just do the job and then that's the best way to operate. >> Yeah, so again, I couldn't help but go back and look at that conversation that we had at Xerox Parc, which is interesting. That's pretty foundational, everything that happens in Silicon Valley, and so many discoveries up there. And you touched on some really key themes in the way you manage your teams, but I think they're really much more valuable, and worth bringing back up again. And the context was using scrum as a way to manage people, but more importantly, what you said is it forced you as a leader to set first priorities and have great communication; and to continually do that on this two week pace, to keep everybody moving down the road. I think that is so powerful and so lacking unfortunately, in a lot of organizations today. >> Yeah, look, I think that when you hire smart people, if you just make sure that they understand what their priorities are, and then remove the obstacle and get out of the way, magical things happen. And I give you example that is very close to your heart. When I took over a great team at Skyhigh, that got bought by McAfee, they had content marketing down to a science, but they were lacking videos. So I brought that in. I said, "Guys, people watch videos, "people engage with videos, "we need to start telling the story through videos." And I started pushing, pushing, pushing, and then I pulled back, and these guys took it to a whole new level. And then they're doing videos, they're very creative, they are crisp. And I'm like, "Yeah, my job is done." >> It is really wild how video has become such an important way for education. I mean it used to be... I remember the first time I ever saw an engineer use Google to answer a question on writing code. I had never seen that before. I'm not a coder. Wow, I thought it was just for finding my local store or whatever. And now to see what really... I think YouTube has pushed people to expect that the answer to any question should be in a video. >> So, yesterday literally, somebody from a company I don't even know stopped me and said, "I watch you to videos on container. "Thank you very much." I was like, "What, you?" And the genesis of that was the sales people ask me, "Hey, we're selling container security and all that," but I don't even understand what containers are. Okay, sure. So I shot a video and I'm the CMO, I was the vice president. I think you have to put your face on your content. It doesn't matter how senior you are, you're not in a corner office, you're down there with the team. So I got into the studio, based on my background at VMware, I knew virtual machine, and I said, "Okay, how do you explain this "to somebody who's not technical?" And next thing you know, it makes its way out there, not just to our sales force, but to the market at large. That's fantastic. >> Right, and let me ask you to follow up on that because it seems like the world is very divergent as to those who kind of want their face, and more their personality to be part of their business culture and their business messaging, and those that don't. And you know, as part of our process, we always are looking at people's LinkedIn, and looking at people's Twitter. I get when people don't have Twitter, but it really surprises me when professionals, senior professionals within the industry aren't on LinkedIn. And is just like, wow! That is such a different kind of world. >> LinkedIn right now is... and I'm stealing this from Gary on the Chuck, as a big believer in this. LinkedIn right now is like Facebook 10 years ago. You get amazing organic distribution, and it's a crime not to use it. And the other thing is if you don't use it, how are you going to inspire your team to do the right thing? Modern marketing is all about organic distribution with a great content. If you're not doing it yourself... I grew up in a bakery. I used to look at my mom, we have a big bakery. We had eight people working, and I said, "Ma, why are you workin' so hard? "Your first day, last hour?" And she said, "Look, you cannot ask your people, "to work harder than you do." That was an amazing lesson. So it's not just about working hard, and harder than your team, it's about are you walking the walk? Are you doing the content? Are you doing the modern marketing things that work today, if you expect your people to also do it? >> Yeah, it's just funny 'cause, when we talk to them, I'm like, "If you don't even have a LinkedIn account, "we shouldn't even be talking to you "because you just won't get what we do. "You won't see the value, you won't understand it "and if you're not engaging at least "a little bit in the world then..." And then you look at people say like Michael Dell, I'll pick on or Pat Gelsinger who use social media, and put their personalities out there. And I think it's, people want to know who these people are, they want to do business with people that they they like, right? >> Absolutely. You know what's the worst to me? I can tell when an executive as somebody else manages their account, I can tell from a mile away. That's the other thing. You have to be genuine. You have to be who you are on your social and all your communication because people resonate with that, right? >> Right. All right, so what are you doing now? You got your new title, you've got some new power, you've got a great brand, leading brand in the industry, been around for a while, what are some of your new priorities? What's some of the energy that you're bringing in and where you want to to go with this thing? >> Well, my biggest priority right now is to get the brand and our marketing to catch up with what the products and the customers are already which is, Cloud, Cloud, Cloud. So when we spun off from Intel two years ago, we had this amazing heritage in the endpoint security. And then we bought Skyhigh, and Skyhigh was transformational for us because it became the foundation for us to move to become a cloud-first organization. And is in the process of becoming a cloud-first organization, and creating a business that is growing really fast. We also brought along the endpoint, which now is all delivered from the Cloud, to the cloud-first open unified approach, which is exciting. >> And we see Edge is just an extension of endpoints, I would assume. It just changes the game. >> Yeah, so if you think about today modern work gets done with the backend in the Cloud, and accessing those backends from the device, right? >> Right. >> And so, our strategy is to secure data where modern work gets done, and it's in the device, in the Cloud, and on the edge. Because data moves in and out of the Cloud, and that's kind of the edge of the Cloud. That's what we launched this week at RSA we launched Unified Cloud Edge, which is our kind of a, Gartner call's it SaaS-y, so that we are kind of the security. We believe we have the most complete and unified security part of the SaaS-y world. >> Okay, I just laugh at Gartner and the trough of disillusion men and Jeff and I always go back to a Mars law. Mar does not get enough credit for a Mars law. We've got a lot of laws, but Mars law, we tend to overestimate in the short term, the impact of these technologies, and they completely underestimate really the long tail of this technology improvements, and we see it here. So let's shift gears a little bit. When you have your customers coming in here, and they walk into RSA for the first time, how do you tell people to navigate this crazy show and the 5,000 vendors and the more kind of solutions and spin vocabulary, then is probably save for anyone to consume over three days? >> Look, security is tough because you look around and say, "You have six, 700 vendors here." It's hard to stand out from the crowd. So what I tell our customers is use this as a way to meet with your strategic vendors in the booth upstairs. That's where you conduct business and all that. And I walk around to see from the ground up, send your more junior team out there to see what's happening because some of these smaller companies that are out here will be the big transformational companies or the future like Skyhigh was three four years ago, and now we're part of McAfee, and leading the charge there. >> Yeah, just how do you find the diamond in the rough, right? >> Yeah. >> 'Cause there's just so much. But it's still the little guys that are often on the leading edge and the bleeding edge, of the innovation so you want to know what's going on so that you're kind of walking into the back corners of the floor as well. >> That's why I am lifelong learner, so I go around to see what people do from a marketing perspective because, the last thing I want to do, I want to become obsolete. (Jeff laughs) And the way you don't become obsolete is to see what the new kids on the block do and steal their ideas, steal their tactics take them to the next level. >> Right, so I want to ask you a sensitive question about the conference itself and the coronavirus thing and we all saw what happened in Mobile World Congress. I guess it just got announced today that Facebook pulled F8, their developer conference. We're in the conference business. You go to a lot of conferences. Did you have some thought process? There were some big sponsors that pulled out of this thing. How did you guys kind of approach the situation? >> It's a tough one. >> It's a really tough one. >> It's a very tough one 'cause last thing you want to do is to put your employees and your customers at risk. But the way we looked at it was there were zero cases of coronavirus in San Francisco. And we saw what the rest of the industry was doing, and we made the call to come here, give good advice to our employees, wash their hands, and usual and this too will pass. >> Yeah, yeah. Well Vittorio, it's always great to catch up with you. >> Likewise. >> I just loved the energy, and congratulations. I know you'll do good things, and I wouldn't be at all surprised if that interim title fades away like we see with most great coaches. >> Good. >> So thanks for stopping by. >> My pleasure. >> All right, he's Vittorio, I'm Jeff. You're watching theCUBE, we're at RSA 2020 in San Francisco. Thanks for watching, we'll see you next time. (upbeat music)

>> Narrator: Live from San Francisco, it's theCube covering RSA Conference 2020 San Francisco brought to you by Silicon Angle Media. >> Hey welcome back here ready Jeff Frick here with theCube. We're at the RSA Conference downtown San Francisco, about 40,000 people In the year we're going to know everything with the benefit of fine sight. It's not really working out that way. So we're still going out to the events, getting the smartest people we can find, bringing them to you. We're excited to have our very next guest. He's Steve Chin, the senior director of developer relations for JFrog. Steve, great to meet you. >> Thanks very much for having me here at the conference. >> Absolutely so for people that don't know JFrog, give him kind of the one on one. >> So I think the simplest way to describe our company is where the database of DevOps >> The database of DevOps. (laughs) I don't know that that would be the simplest way, >> But basically when companies want to deliver software faster, when they're looking at how to speed up their feature development, how to respond quicker to security, we provide a end-to-end DevOps platform, the JFrog platform, which accomplishes this for companies. >> Okay so a lot of people know about DevOps. A lot of people have experienced with rapid iteration on their apps. I don't know why they have to keep uploading updates all the time. There's a ton of great benefits to that and this really revolutionize the software industry. That said, the other kind of theme here at RSA and a lot of the security conferences is you can no longer bolt security on. It can no longer be a moat around the castle. It can no longer be a firewall on the edge of the network that it has to be baked in all the way through the product. And that goes right back to kind of what you guys do. And on the DevOps, how do devs who didn't necessarily get trained on security don't necessarily want to know about security and probably would prefer not to have to deal they probably liked the better when they could just push it off, but kind of like they used to push it off to prod. That's not the way anymore they have to bake it in. So how do you help them do that? What do you kind of see in terms of trends in the space? >> Yeah, so I think what we're seeing in the industry is that companies want to deliver, they need to deliver software more quickly and more rapidly. Just based on user requirements. So if you think about your phone, your car, like pretty much everything is updating constantly and it's not even a choice anymore. Updates get pushed to you because you need new features. You also need security fixes for things. And this is happening weekly, daily, hourly. As new threats are exposed and for companies, the standard processes which might have been used in the past to type security or reviews to run a complicated scanners to have like different checkpoints that doesn't work in an environment where you're continuously deploying. And really if you think about it, the only way you can accomplish rapid iteration, high security is to be doing security scanning as a part of your workflow. As a part of your DevOps workflow and shifting left. So going towards the developers and giving them more tools, which give them information about potential security risks. So as an example, developers code and an IDE or some sort of visual environment. And if you can present the information up front right there and tell them, "Hey, this open source library "you're using it has a security vulnerability, "there's a new version you should upgrade." Or "Hey this component that has an incompatible license. "Like this doesn't meet our security requirements." Those sort of things if they're caught while you're developing new features, it saves time and money there. But it delays potential slippage, risks, pushback from the security team at the other end. The next step is when they check in code or when they're executing a build. You want to be scanning up front scan the bills, scan the binary's really far up the chain. And that way you're catching security vulnerabilities during the iterative development process. By the time you get to like QA to stage to production, security vulnerabilities shouldn't be a surprise. They should be something which the teams up front know about. They're addressing and you're using tools which are designed in that workflow to really give early, often feedback to the teams up the chain and see it's the only way like all the large companies doing continuous deployments. This is how you have to approach it. You use multiple techniques, you use binary scatters, you use source code scanners even runtime scanners and you make sure you shift as much left as possible, which is exactly what the JFrog platform enables development teams to do. >> So what percentage roughly is just making sure you've got the first thing that you described that you've got the right libraries that you're using the right tools that have already gone through some security protocol check versus just writing in a bad sequence of steps or that API call or opening up some hole via just bad code choices. Yeah so I think increasingly as companies depends more on third party libraries, open source libraries. if you think about your average application, you're bundling in hundreds of different components and libraries which you have relatively little control over. And a simple way to look at this as if you created a Docker container today, you loaded up with a bunch of DB and packages, maybe a few application bundles within a few days, at the end of a month, that will be full of security vulnerabilities. So that container you build one month ago, it will be full which is outdated. You'll have hundreds of security vulnerabilities >> Just because validated patches or because people see it in attacking? >> Well the thing is you constantly have folks releasing new software, identifying vulnerability risks, patching those risks. And if you don't stay current, if you're not constantly updating your software to stay up with the latest security patches, you're putting your customers and your own business at risk. So I think today that is the number one issue with software is we all depend on open source libraries and components which are used by a lot of companies are constantly being improved and then patched. And the most important thing is knowing when their security vulnerability is identifying the risk of how those impact your customers and then patching as quickly as possible. >> And then the other piece of it is just API is to lots of other people, software that I don't necessarily have access to rights to. So the fact that so much of this stuff is all tied together. Now an attendant just opens up kind of a whole another layer of a potential attack surface. So have you seen things change in kind of IOT as kind of OT and IT come together with IOT and a lot of those OT devices, we're not necessarily set up for patching, they weren't necessarily set up with easy to get into operating systems or maybe too easy to get into operating systems. How are you seeing kind of all the growth that's happening there impact this conversation? >> Yeah, so I think especially with edge devices, I think what we've realized is that edge devices which aren't being updated or insecurity devices. So if you don't have a plan for how you update a new patch and you address security vulnerabilities in your edge devices, they're subject to the same risks. If they're running a variant of Linux, then they're running open source software. They're running a bunch of libraries. If they're on the network, they're open to network attacks. And we have even more complicated edge devices rolling around the roads now. There were some critical security patches and several of the self driving cars with braking systems, with obstacle avoidance systems. So if you don't have an aggressive plan on how you're patching your edge devices you reached the same sort of challenge. And what that involves again is identifying what libraries and components you depend upon, assessing the security risks, which those pose and then having a distribution plan. How do you go from your systems through builds, through deployments and then do the edge distribution to all the devices to get critical security updates to your end users as quickly as possible. >> I'm just curious who do you see on the teams that ultimately has responsibility that this is ready to go or not go. 'Cause we've seen too many instances of stuff that gets shipped that's not ready to go. I can certainly see the pressure to get stuff shipped and somebody says, well, that's okay, we'll just get that patch out. We'll get that patch out next week or we'll get that patch out sometime down the road. And we've seen a ton of things go out that are super easily hacked children's toys and some of these things that have all kinds of really bad implications to it. Is there somebody usually on the team that's, that needs to give the stamp of approval? Is it more of kind of a broad? >> Yes I think the traditional approach is having somebody within the company responsible for security, but increasingly to effectively address security, it needs to be the ownership of the whole team from end to end to make it successful. So the more the security team can be an ally of the QA team of the development team, of the DevOps team rather than being the gatekeeper, they want to be the ally of those teams. Then the more successful it is. So arming the other teams in your company with knowledge about security risks, arming with tools which provide visibility into different security vulnerabilities. That's the way which you have a end-to-end secure product because when you get to the release, if the security team holds up the release, you're either making a bad decision or a bad decision. Catching it up front. When you're building features, then you actually can address it and build the right security into your product, which is much better for your customers and your company. >> Well, Steve, interesting conversation, interesting times. The DevOps and the rapid deploy is certainly the way it is that we're here. So being able to effectively bake that security is only a good thing, but really a necessary thing. >> Well, this was great chatting with you and the conference here is great to see all of these folks focused on improving security and taking us to the next generation with more secure edge devices. >> I don't think there'll be any shortage of need for security professionals anytime soon. All right well thanks again Steve. >> All right, thank you. All right Steve, I'm Jeff Frick. You're watching theCube. We're at the RSA Conference in downtown San Francisco. Thanks for watching. We'll see you next time. (upbeat music)

>> Narrator: Live from San Francisco. It's theCUBE. Covering RSA conference 2020 San Francisco. Brought to you by SiliconANGLE Media. (upbeat music) >> Hey, welcome back, everybody. Jeff Rick here with theCUBE. We're at RSA 2020, Moscone and beautiful San Francisco's day four I think Thursday already. This is a crazy conference Monday, Tuesday, Wednesday, Thursday, and Friday. I don't think we'll be here for tomorrow. It's been a pretty full slate. As it is, we're excited to have our next guest. She is Rose Ross, the founder and chief trailblazer, for Tech Trailblazers. Rose. Great to meet you. >> It's great to be here too. >> Absolutely. So what are the Tech Trailblazers? >> So the Tech Trailblazers are an awards lead platform, which recognizes the creme de la creme of the enterprise Tech startup landscape. >> Jeff: Okay. >> So we cover the categories from AI through to storage, but obviously security is a big part of that and we find that security and cloud are usually our most popular awards to be entered into. >> Okay, and I assume you're, really recognizing the individuals more than the companies, >> We do both. >> Or is it more of the companies? You do both. >> We do the Tech category so they can compare like for like apples with apples, pears with pears, security startups with security startups. And then we also acknowledge and recognize some of the key players in those startups. So we have a female trailblazers and a male trailblazer each year . >> Okay, and how long have you been doing this? >> This is our eighth edition. >> The eighth edition. >> Started for a while. 2012 was our first outing. >> Okay, And you said you just gave out this year's Awards on Monday? >> That's right. We announced it. Yeah, day one of RSA. >> Right, so give us some of the highlights. Who were some of the special people that you called out this year? >> Some of the special people, I actually sat down with one of the special people just now interviewed CEO of Shift-left who is our security trailblazer this year. Manish Gupta and yeah, we spent some time chatting about his journey and his challenges and his successes. And finding out more about the technology itself. So. >> And so what are the criteria to win? >> So we kind of look at a number of elements. We have an independent body of judges who are from the analyst community, from the blogger community from industry itself. So we have CSOs, CIOs, and just people who understand the Technology really, at both the technical level and what is needed by the marketplace. So we look at a number of things. One is obviously innovation. If you're looking at the startup world, you want to look at people who are bringing new and exciting things that are needed by companies, to either secure them or store their data or analyze their data. But we also look at how they're doing in the market. So, we'll be looking at what their go to market strategy is, how they're engaging with the end user community, that type of stuff. >> Okay. And at what stage in their growth are they generally you know, kind of coming into your radar? >> So we sort of do the cutoff for a start up as being having not celebrated their sixth birthday yet. >> Six birthday okay. >> Right, so and have not gone beyond Series C funding. >> Okay. >> So you wanted to keep it on the the newer end of the startup spectrum. We also have a special award for those that have not received any VC funding whatsoever. So they're either growing organically or privately funded. That could be seed capital, you know, crowdfunding, whatever that might be. And they have to be two years or younger, and they are all fire starters. >> And those are fire starters. So those are probably it's just really a function of life, 'cause I would imagine the vast majority of the companies that you recognize, eventually get VC funding if you're playing in this crazy technology space. >> It certainly helps to get to where you want to go. Accelerate, put a bit more fuel in the tank. >> So you also announced in your press release the incredible amount of money (laughs) your award winners have raised over time. Do you tell us a little bit more about that? >> Well, yeah, with RSA this week, we thought it'd be a great time to reflect back on what our security trailblazers had done over these eight editions. And obviously, it's a little bit early for expecting additional fundraising from Shift-left, 'cause they literally got the award on Monday. >> Great. >> But hopefully, if you look at the history of it all, we look at the people who've received the accolade over the last eight editions, nearly all of them have been within their first two years. Most of them have done at least one round of funding, but have usually gone on to do another significant round of funding within 12 months of having one, we'd love to take all the credit for that, but I think you really need to put that on the team. >> Jeff: Right. >> And acquisitions have also been quite prevalent. So we looked at the numbers just before RSA, and it was 72 722 million of the disclosed raised, and just in the security, >> Right. >> Space. Unfortunately, or very fortunately for one of our winners, ZeroFOX, they just peeped in with raising 74 million last Friday, which we didn't include. So if we put the undisclosed it would definitely over 800 million now. So well done to the ZeroFOX guys. >> Right, so how did you get involved in this? >> It was an idea that I had. My my other life is a Tech PR person. And we were working on a campaign for a show somewhat like RSA in the UK. And we thought it would be a great idea to run a startup competition to highlight some new entrants to the market. Unfortunately, they didn't think it was a fit for what they wanted to do, but it was such a compelling idea. I've worked with startups all my life and one of the challenges was always with them, particularly in the early stages to get recognition and to get coverage. So we thought we can do something about this. And I thought, well, nobody's going to listen to a PR person. They aren't interested in what I think. I'm not an expert on who's great in this space. So I spoke to Joe Bagley, who's the CTO of Amir for VMware, who's somebody I've worked with a lot over the years. And I said, Look, Joe, if I run something like this, would you come on board as a judge? And he said, Absolutely, I think it's a brilliant idea. And luckily, many other amazing judges has followed in his footsteps. So it's thanks to them, so. >> How many judges are there? >> We have around 40. I mean, we have a number of what a number of categories. So we want a specialist in those areas. Some cover multiple light cloud and security or Cloud and Storage. But obviously, when you look at AI and blockchain and all these other categories, you need people who really understand that space. >> And what's the process kind of how big is the top of the funnel when he started? And then how do you kind of whittle it down to the end when you said 1212 categories, so 12 winners per year about? >> Yeah. So we started off as obviously people enter usually through their PR team or their marketing team, or pull together the information that we request, which is quite a lengthy process, it's a big commitment of time. But not huge, but we do want to get to a certain amount of detail, to make a decision and give the judges something to work with. Then for that period, we then put out the judges to create the shortlist. So they will come back they will score on a number of elements, which are things like innovation and the maturity of the technology, then go to market attractiveness and their own personal view of how exciting and it is intuitive and how trailblazing it actually is. >> Right. >> Then we put it out to a public vote, but also the judges then take the shortlist and take another look at everybody. >> And it gets a public vote too? >> Yes, it does. >> It so does. Do the judges ever meet with the the nominees or is it all done based on the application the application packet that you put together and any other independent information they find on their own? >> Well, we still would encourage. I know the judges do like to reach out to people. And I know that obviously there are relationships because of the nature of the types of judges. >> Jeff: Sure. >> Obviously, we've got people in industry within the vendor community, analysts and bloggers, so they will have people that they know. So I always encourage people, if they say, you know, what would you do? I said, Well, if I was you, I would also reach out to the judges in your area, and just make them aware of who you are. And if they have other questions that they should you know, set up a briefing or something. >> Right. So it's really interesting concept to get the pub into the startup world because it's really, as you know, being in PR, you know, it's really hard to get elevated above the noise, if you will. And you know, we're sitting here surrounded by I don't even know how many thousands of vendors are in this hall. >> The early stage has 51 just as a starter. >> 51 in the early stage expo. >> Yes. >> Which hall is that? >> It's up on the second floor. >> On the second floor. Then there's little like corners of cubbies have of not even 10 by 10s. But you know the kind of the classic kiosks. So, when you're talking to two small companies, regardless of whether they go for the word, what do you tell them as a PR pro? What do you tell them as someone who's, you know, kind of seeing the challenges of trying to raise your profile as a small company? Do you stick to your knitting? Do you in a try to get a high profile? When you know, what are some of the tips and tricks that help little companies rise above the den, if you will, in this great space. >> Validation is always very important. Talk to the influencers in your space, talk to the analysts in your space, the bloggers in your space, and get that feedback and integrate it into your plan of how you create your message. And I think that's one of the hard things, a lot of startups particularly in the technology space, particularly enterprise Tech, they really in the weeds with what's amazing about their products and why they put it together. But you really have to put that into very simple terms. >> Jeff: Right. >> I mean, if you look at someone like RSA, we have got, you know, a lot of buzzwords kicking around here. You do have to try and put that into the deeds and requirements of the end user community. That's always got to be your lens on things >> Right. >> really. >> And you also you always have the vendor viability issues, you know, with your top and even if your Tech relatively inexpensive, maybe as a PLC or this or that, it still takes an investment from your potential customers to put it in and take that risk. And, you know, that's a much bigger hurdle to overcome often than simply the pricing or the structure of the deal. Not a easy, not an easy path. >> It has to be a partnership. I mean, one of the things we were advocating a couple years ago is that the bigger organizations really should have somebody who has a role of being a Chief Collaboration Officer for those smaller companies to engage with them. Because even the procurement process can obviously kill you. >> A little kill a little company, right? Even the pre sales, just having meetings and meetings and meetings and meetings and meetings and meetings to talk about the meetings that you're going to have to maybe eventually (laughs) get to somebody who can make a decision. >> Yeah, Its tough. >> Very cool. >> So, any kind of significant changes in the programme over time? Are you pretty much at the same place you were eight years ago? Or do you see this expanding into different categories? How do you see, you know, kind of the evolution of the Trailblazer? >> Well, we like to review everything and we listened to our judges, we listened to people in the marketplace. I mean, I had a great meeting yesterday with somebody in banking, who works with an awful lot of startups. And there is some really good news coming through that. The enterprise Tech VC community, there's a lot more of an appetite. They're starting to see the value more and more of investing in that type of longer longer term, because you can actually scale beyond where you can do sometimes with a consumer Technology. >> Right >> The potential unicorn sometimes don't quite make it. Those horses aren't always that reliable in the race. >> (laughs) Sometimes too much money is not a good thing that is for sure. >> Yeah. >> Or is good for you? It's a great way I know, I think the kind of the award format is a great way to shine a little bit of extra light on some of these companies that are really struggling to get noticed. It's a really difficult process for a startup, especially in such a deep Technology field. Something is so mission critical that people it's just not that easy for people to give you a try and give you a trial. Takes a lot of investment. So good work and look forward >> Thank you. to continuing to see the winners, raise lots of money and have success. >> Right, absolutely. Thank you, Jeff. >> All right Rose thanks again. She's Rose, I'm Jeff. You're watching theCUBE. We're at RSA 2020. Thanks for watching, we'll see you next time. (upbeat music)

>> Announcer: Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We are Thursday, day four of the RSA Show here in Moscone in San Francisco. It's a beautiful day outside, but the show is still going, 40,000-plus people. A couple of challenges with the coronavirus, and some other things going on, but everybody's here, everybody's staying the course, and I think it's really a good message going forward as to what's going to happen in the show season. We go to a lot of shows. Is 2020 the year we're going to know everything with the benefit of hindsight? It's not quite working out so far that way, but we're bringing in the experts to share the knowledge, and we're excited for our next guest, who's going to help us get to know what the answers are. He's Oliver Sherman, senior director, Enterprise Product Marketing for Juniper Networks. Oliver, great to see you. >> Thanks for having me. >> Absolutely, so first off, just general impressions of the show. I'm sure you've been coming here for a little while. >> We have, and I think the show's going very well, as you pointed out, there's a couple of challenges that are around, but I think everybody's staying strong, and pushing through, and really driving the agenda of security. >> So I've got some interesting quotes from you doing a little research for this segment. You said 2019 was the year of enforcement, but 2020 is the year of intelligence. What did you mean by that? >> Specifically, it's around Juniper. We have a Juniper connected security message and strategy that we proved last year by increasing the ability to enforce on all of your infrastructure without having to rip and replace technologies. For instance, on our widely rolled out MX routing platform, we offer second tell to block things like command and control traffic, or on our switching line for campus and data centers, we prevent lateral threat propagation with second tell, allowing you to block hosts as they're infected, and as we rounded that out, and it's a little bit in 2020 we were able to now deliver that on our Mist, or our wireless acquistion that we did last year around this time, so showing the integration of that product portfolio. >> Yeah, we met Bob Friday from Mist. >> Oliver: Excellent. >> He, doing the AI, some of the ethics around AI. >> Oliver: Sure. >> At your guys conference last year. It was pretty interesting conversation. Let's break down what you said a little bit deeper. So you're talking about inside your own product suite, and managing threats across once they get to that level to keep things clean across that first layer of defense. >> Right, well, I mean, whether you're a good packet or a bad packet, you have to traverse the network to be interesting. We've all put our phones in airplane mode at Black Hat or events like that because we don't want anybody on it, but they're really boring when they're offline, but they're also really boring to attackers when they're offline. As soon as you turn them on, you have a problem, or could have a problem, but as things traverse the network, what better place to see who and what's on your network than on the gears, and at the end of the day, we're able to provide that visibility, we're able to provide that enforcement, so as you mentioned, 2020 is now the year of an awareness for us, so the Threat Aware Network. We're able to do things like look at encrypted traffic, do heuristics and analysis to figure out should that even be on my network because as you bring it into a network, and you have to decrypt it, a, there's privacy concerns with that in these times, but also, it's computationally expensive to do that, so it becomes a challenge from both a financial perspective, as well as a compliance perspective, so we're helping solve that so you can offset that traffic, and be able to ensure your network's secure. >> So is that relatively new, and I apologize. I'm not deep into the weeds of feature functionality, but that sounds pretty interesting that you can actually start to do the analysis without encrypting the data, and get some meaningful, insightful information. >> Absolutely, we actually announced it on Monday at 4:45 a.m. Pacific, so it is new. >> Brand new. >> Yes. >> And what's the secret sauce to be able to do that because one would think just by rule encryption would eliminate the ability to really do the analysis, so what analysis can you still do while still keeping the data encrypted? >> You're absolutely right. We're seeing 70 to 80% of internet traffic is now encrypted. Furthermore, bad actors are using that to obfuscate themselves, right, obviously, and then, the magic to that, though, to look at it without having to crack open the package is using things like heuristics that look at connections per second, or connection patterns, or looking at significant exchanges, or even IP addresses to know this is not something you want to let in, and we're seeing a very high rate of success to block things like IoT botnets, for instance, so you'll be seeing more and more of that from us throughout the year, but this is the initial step that we're taking. >> Right, that's great because so much of it it sounds like, a, a lot of it's being generated by machines, but two, it sounds like the profile of the attacks keeps changing quite a bit from a concentrated attacks to more, it sounds like now, everyone's doing the slow creeper to try to get it under the covers. >> Right, and really, you're using your network to your full extent. I mean, a lot of things that we're doing including encrypted traffic analysis is an additional feature on our platform, so that comes with what you already have, so rather than walking in and saying, "Buy my suite of products, this will all" "solve all your problems," as we've done for the past, or as other vendors have done for the past 10, 20 years, and it's never worked. So you why not add things that you already have so you're allowed to amortize your assets, build your best of breed security, and do it within a multi-vendor environment, but also, do it with your infrastructure. >> Right, so I want to shift gears a little bit. Doing some research before you got on, you've always been technical lead. You've been doing technical lead roles. You had a whole bunch of them, and we don't have internet, unfortunately, here, so I can't read them off. >> Oliver: That's fine. >> But now, you've switched over. You've put the marketing hat on. I'm just curious the different, softer, squishy challenge of trying to take the talent that you have, the technical definitions that you have, the detailed compute and stuff you're doing around things like you just described, and now, putting the marketing hat, and trying to get that message out to the market, help people understand what you're trying to do, and break through, quite frankly, some crazy noise that we're sitting here surrounded by hundreds, if not thousands of vendors. >> I think that's really the key, and yes, I've been technical leads. I've run architecture teams. I've run development teams, and really, from a marketing perspective, it's to ensure that we're delivering a message that is, that the market will consume that is actually based in reality. I think a lot of times you see a lot of products that are put together with duct tape, baling twine, et cetera, but then, also have a great Powerpoint that makes it look good, but from a go to market perspective, from whether it's your sellers, meaning the sellers that work for Juniper, whether it's our partners, whether it's our customers, they have to believe in what's out there, and if it's tried and true, and we understand it from an engineering perspective, and we can say it's not a marketing texture, it's a strategy. >> Right. >> That really makes a difference, and we're really seeing that if you look at our year over year growth in security, if you look at what analysts are saying, if you look at what testing houses are saying about our product, that Juniper's back, and that's why I'm in this spot. >> And it really begs to have a deeper relationship with the customer, that you're not selling them a one-off market texture slide. You're not having a quick point solution that's suddenly put together, but really, have this trusted, ongoing relationship that's going to evolve over time. The products are going to evolve over time because the threats are evolving over time, right? >> Absolutely, and to help them get more out of what they already have, and from a go to market perspective, our partners have an addressful market that's naturally through the install base that we have, we're able to provide additional value and services to those customers that may want to lean on a partner to actually build some of these solutions for them. >> All right, well, Oliver, well thanks for stopping by. I'm glad I'm not too late on the encrypted analysis game, so just a couple of days. >> Absolutely. >> Thanks for stopping by. Best to you, and good luck with 2020, the year we'll know everything. >> Absolutely, thanks for having me. >> All right, he's Oliver, I'm Jeff, you're watching theCUBE. We're at RSA 2020 here in Moscone. Thanks for watching. We'll see you next time. (gentle electronic music)

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Hey, welcome back everybody. Jeff, Rick here with the cube. We're at the RSA conference in downtown San Francisco at Moscone. It's the fourth day of the show, 40,000 some odd people here. It's all about security. It's the biggest security show in the world despite the fact that there were some challenges with the coronavirus this year and you know, people were kind of wondering how that was going to shake out. There's been a lot of kind of weird stuff going on in the conference scene, but a lot of people got here, a lot of conversations around security and we're really happy to have really a seasoned vet. He's been through this cycle of security a couple of times that you said he's done four different startups. We're happy to have him as all of our Fredericks, the VP security product. That's blown. Good to see all of her. >>Thank you. Great to be here. Absolutely. So let's take a step back. You've been coming to this show for a little while. What's kind of your, your impression of the show? Well, it's really interesting this year, you know, I think it's a, I'd say the energy level is somewhat flat and I think it's a sign of our industry maturing and getting to the point where, you know, you used to see, uh, some pretty big disruption every few years when compute changes the threats or attack surface moves and the threats change with it. But things have been relatively stable. You know, the cloud is really the biggest, most recent, uh, innovation. And so there really hasn't been, I think any massive disruption in our industry for a little bit, but a lot of just continuous iteration and improvement on existing technologies. Right? There's some big ones coming down the pike though, right? >>One of the big ones that's going to have a huge impact is five G and IOT. Uh, suddenly now that you know these things, people think five GC can talk to your mom faster on the phone. That's not what it's about at all, right? It's a speed of machines and the speed in which these transactions are going to be happening. Not to mention all those connected devices, all those new attack surfaces, very, very revolutionary. And yet the theme here is the human elements. So when you think about speed of machines and, and increasing, uh, the kind of frequency of bot attacks, this and that, and yet there's still people that gotta be on the hook and responsible for this stuff. How do you think about it and has you actually use things like AI to help the people fight the machines? Yeah, I know it's a really good question. >>So typically over the years, right, attackers have targeted compute, uh, operating systems, applications, servers, and so on. But we've, we've done a really good job of starting to lock those down, finding those vulnerabilities, patching them, fixing them, you know, that's, it's not a panel, it's, it hasn't been solved, right? That's, it's an ongoing issue. But attackers have moved onto the weakest link, which is people, right? If I can convince you to send me your, you know, your bank account information or that access to your account and wire money out of your account, right? It's a lot easier than having to find a vulnerability in Microsoft windows these days, which used to be pretty easy back 20 years ago. Used to, they're there, they're by the dozens. Right. But, but now they're getting better on the fishing too. And now spear fishing. Right. I, I had a friend in commercial real estate who, who told me this email that he got like from his banker, you know, talking about a transaction with a business associate using vocabulary words that that would normally be used in their exchange to the point where he called the guy and said, did you send this to me? >>Um, so you know, the, the, the, the bad English bad grammar and, and kind of funky word selection isn't necessarily that red flag that it used to be that don't click on here and we're still getting, you know, this, this attacking is happening. So how do, how do people get more sophisticated in light of kind of these more sophisticated attacks on the people? >>Yeah, so I think there's two things. One is, you know, it hidden in there is, and that type of an attack is typically wire instructions, right? If it's, if I'm buying a house, my escrow company or title company is going to send me wire instructions to send the money for the down payment on that house for example. You know, that's, that's been a very, very common attack where, you know, title companies may not be the most sophisticated, like many of the organizations that are here today. Uh, so definitely fall victims. So that's, that's definitely a growing problem and a growing attack surface. We also see, uh, you know, the need for new technologies like natural language understanding, actually understanding the context of the data. Uh, for example, what's the intent behind it? What's the meaning? Sure, it's not going to be misspelled. But can I find other relevant factors or attributes of that email that, uh, point out at red flag or something that I need to be concerned about before I actually click on it or open it or, or act on it? >>Right. So the company that you, uh, led before spunk acquired you, Phantom, you talked a lot about they're trying to help, help to see Sox do a better job, help them kind of filter, filter what they don't need to respond to, prioritize what they need to respond to and then respond quicker when they do. That's right. A little bit more about how that works and what's kind of the impact of having that technology on the front line. >>Yeah, so five years ago, automation and security really didn't exist. Uh, we created a new category called soar security, orchestration, automation and response. And, uh, it's a technology that allows you to automate what a SOC analyst would typically do by hand. So typically, you know, if an analyst is looking at an event, uh, it would take them 10 minutes, best best-case, 11 hours, worst-case, to analyze that and do all the work that they need to do to triage it. By automating, we're able to reduce that down to a best case of one second, worst case of 10 minutes using automated playbooks. So we're able to get a, uh, a massive performance improvement by automating, by creating a playbook of those rout routine things that an analyst would do by hand. And that frees up the analyst to do more proactive, higher order activities, things that actually require the human thought versus the repetitive work which we're very happy about. >>And are most of those types of, of of uh, processes that you automated? Just check, just to get, you know, kind of checking boxes if you will, almost like a pre-flight to make sure that you kind of have the simple things covered or you know, what are some of the activities that you've been able to automate? >>Yeah, so it's interesting these, these platforms have become very flexible and multipurpose. So today we integrate with over 300 different security vendors that are on the showroom floor here today to let you automate in those products. So the typical large enterprise has maybe 60 70 security products that they're all managing from a browser tab or a different login. What soar platforms do is they tie those together and allow you to manage those products very rapidly. In the case of an event. So for example, you know, if I have a, a, a phishing email, I can take the attachment detonated in a sandbox from any of the sandbox vendors here on the showroom floor. Look it up in my reputation service like my virus total reversing labs for example, look it up on my EDR product on the endpoint to see do any of my endpoints actually have this file. And then I could take remediate, remediate of action and actually block the user, take the endpoint off the network using a Nack product that's here, uh, and so on, or block it on the firewall. So there's many different types of scenarios. >>It's that whole chain that you just described potentially would be something that you build into this playbook and have that happen automatically. Yes. Oh, that's a huge time saver. Huge time saver. So as you look forward, kind of at the power of AI, right? It's good news, bad news, right? Good news. You're going to have a lot more horsepower and computational wizardry at your fingertips. Bad news is the bad guys are also going to have a lot more computational power and wizardry at the end of their fingertips. So how do you, you know, kind of see the battle continuing to play out? Where do you really see great opportunities with, with this evolving AI to do things that you just couldn't do before? >>Yeah, look, I at attackers have been using automation and AI against us for, for many years now. So we're just starting to catch up and use it effectively to defend ourselves. Uh, you know, it'll be very interesting to see where this goes. I don't know if I can predict, but imagine machines fighting machines just like in real life and robotics and so on. In real physical kinetic warfare. Imagine the same thing happening in cyber here is entirely conceivable, but I don't think we're quite there yet. I mean, we obviously see botnets and other automated attacks that are already very rampant and then automated countermeasures that are there as well. So it'd be very interesting to even have, you know, maybe one year here we'll have uh, you know, robot Wars for cyber and have, you know, technologies battle each other to see who your >>wins. But what's crazy is as much as the bots are fighting the bots, you know, we have, uh, people in like Rachel tow back, we fed on a couple of times. She's, she does social hacking and uh, and she's basically a hundred percent, uh, successful in just calling people on the phone and giving them to provide her the details. So it still is going to keep the people in the loop. We're still going to have to, you know, make sure that they're not the weakest link. Absolutely. Yeah. All right, good. So final thoughts as you ahead into 20, 20 the year, we're going to know everything with the benefit of hindsight. Well, look, I think one thing we're seeing, there's so many vendors here, uh, things are coming together. Again, our customers are looking to consolidate, they're looking to reduce. And one thing that we're very heavily focused on at Splunk is creating a single work surface for analysts. So they don't have to deal with dozens of different consoles. Right. We're very, very focused on that. Working 70 tabs to work process is not a, not very efficient. So ideal. No. All right. All over. Well, thanks for, uh, for taking a few minutes to stop and buy and a continued success for you and Splunk. Thank you. Alrighty. He's all around. Jeff, you're watching the cube. We're an RSA 2020 and downtown San Francisco. Thanks for watching. See you next time.

>> Announcer: Live from San Francisco, it's theCUBE, covering RSA conference 2020 San Francisco, brought to you by SiliconANGLE Media. >> Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA 2020 show, here in Moscone in San Francisco, it's Thursday, we've been going wall to wall, we're really excited for our next guest. We've been talking about some kind of interesting topics, getting a little bit into the weeds, not on the technology, but some of the philosophical things that are happening in this industry that you should be thinking about. And we're excited welcome, Laurence Pitt, he is the cyber security strategist at Juniper Networks. Laurence, great to meet you. >> Thank you very much, hi. >> Yeah, so before we turn the cameras off, we've been talking about all kinds of fancy things, so let's just jump into it. One of the topics that gets a lot of news is deepfakes, and there's a lot of cute funny things out there of people's voices and things that they're saying not necessarily being where you expect them to be, but there's a real threat here, and a real kind of scary situation that just barely beginning to scratch the surface, I want you to get share some of your thoughts on deepfakes. >> I'm going to think you made a good point at the start. There's a lot of cute and funny stuff out there, there's a lot of fake political stuff you see. So is it seen as being humorous some people are sharing it a lot. But there is a darker side that's going to happen to deepfakes, because a lot of the things that you see today that go out on video, the reason that it is what it is, is because you're very familiar with the person that you're seeing in that video. Is a famous politician, is a movie star, and they're saying something that's out of character or funny and that's it. But what if that was actually the Chief Financial Officer of a major company, where the company appears to have launched a video, very close to the bell ringing on the stock market, that makes some kind of announcement about product or delay or something to do with their quarterly figures or something like that? You know that one minute video, could do a huge amount of damage to that organization. It could that somebody's looking to take advantage of a dip at that point, video goes out, their stocks going to dip, buy it out, then they could profit, but it all could also be much darker. It could be somebody who's trying to do that to actually damage their business. >> So, would you define a very good text base phishing spear phishing as a deepfake, where they've got enough data, where they're, the relevance of the topic is so spot on, the names that are involved in the text are so spot on 'cause they've done their homework, and the transactions that they're suggesting, are really spot on and consistent with the behavior of the things that their target does each and every day. >> So I'm not sure I defined that as a deepfake yet, obviously you've got two types of a phish, you've got a spear phish, which is the the perfected version, the work has gone into target, you as a specific, high value individual for some reason in your organization, but what we are seeing is in the same way that deepfakes are leveraging technology to be able to manipulate somebody, things like the fact that we're all on Instagram, we're all on Facebook, we're all on Twitter, means that social manipulation is a lot easier for the bad guys to be able to create, phishing campaigns that appear to be very much more targeted, they can create emails because they know you've got a dog. They know roughly where you live, because you're this information is coming up in pictures and it's a metro on the internet. And so they can generate automated messaging and emails and things that are going to go out. That will appear to be from whomever you expect to receive it from, using words that you think that only they would know about to make that appear to be more realistic. >> Right. >> And that's actually something, we sort of seen the start of that, but still the thing to spot is that the grammar is very often not very good in these if they haven't perfected the language side of it. >> But that's coming right, but that's coming right. >> But they all getting much more accurate yeah. >> We is an automated transcription service to do all the transcription on these videos. And you know, It's funny you can you can pay for the machine or you can pay for the human, we do both. But it's amazing, even only in the last six months to see the Delta shrink between the machine generated and the person generated. And this is even in, you know, pretty technical stuff that we get in very specific kind of vocabulary around the tech conferences that we cover. And the machines are catching up very, very fast. >> They very much are. but then if you think about, this is not new. What's happened, it's been happening in the background for a while things like quite a lot of legal work is done. If you look at a state agency, for example, conveyancing it's not uncommon for the conveyancing to be done using machine learning and using computer generated documentation because it's within a framework. But of course, the more it does that, the more that it learns. And then that software can more easily be applied to other other areas to be able to do that accurately. >> Right. So another big topic that gets a lot of conversation is passwords. You know, it's been going on forever, and now we're starting to get The two factor authentication, you know, the new Apple phones, you can look at it and identify it, you say now you have kind of biometrics. But that can all be hacked, too, right? It's just a slightly different, a slightly different method. But, you know, even those, the biometric is not at all. >> Well. >> That's secure. >> I think the thing is, you see that when you're logging into something, there's two pieces of information you need. There's there's what you are you as a person and then there's the thing that you know, a lot of people confuse biometrics, thinking of biometric authentication is their password, we're actually the biometric is is the them. And so you still should back things with strong passwords, you still should have that behind it. Because if somebody does get through the biometric that shouldn't automatically just give them access to absolutely everything. It's you know, these are technologies that are provided to make things easier to make it so that you can have less strong passwords so that so that you do know where you're storing information. But People over people tend to rely on them too much, it is still very, very important to use strong passwords to think about the process for how you want to do that. Taking statements and then turning those statements into strange sentences that only you understand maybe having your own code to do that conversion. So that you have a very strong password that nobody's ever going to pick up, right? We know that common passwords, unfortunately, are still 1234567 password, its horrific. >> I know, i saw some article that you're quoted in and it had the worst 25 passwords for 2018 and 2019. And it's basically just pick and pick a string. >> They just don't change. >> But you know, but it's interesting cause, you know, having a hard Prat, you know, it's easy to make, take the time and go ahead and create that, that that strong password. But then, you know, three months later. Salesforce keeps making me do a new one or the bank keeps making me do a new one. What's your opinion in some of these kind of password managers? Because to me, it seems like okay, well, I might be doing a great job creating some crazy passwords for the specific accounts. But what if I could hacked on that thing right now they have everything in the same a single place. >> Yeah. So this is where things like two factor authentication become really, really important. So I use passwords manager. And I've been I'm very, very careful with the how my passwords are created and what goes in there so that i know where certain passwords are created for certain types of account and certain complexities. But I also turned on two factor. And if somebody does try to go into my online password account, I will get an alert to say that they've tried to do that a single failed authentication and I will get an alert to say that they've done it an authentication that happens where I'm not I you know, then I will get a note say I've done that. So this is where there's that second factor actually becomes very important. If you have something that gives you the option to use two factor authentication. Use it. >> Use it. >> You know, it may, you know, we it is a pain when you're trying to do something with your credit card and you have to do One time text. But it'd be more of a pain if you didn't and somebody else was to use it. And to fill it up nicely for you wouldn't right. >> Right. You know, it's funny part of the keynote from Rowan was talking about, you know, as a profession, spending way too much time thinking about the most kind of crazy bizarre, sophisticated attacks. At the at the fault of, you know, not necessarily paying attention to the basics and the basics is where still a lot of the damage was done right. >> You know what? This is the thing and then there's, you know, there's a, there's a few things in our industry. So exactly what you just said. Everybody seems to believe that they're going to be the target of the next really big complex, major attack. The reality is they aren't. And the reality is that they've been hit by the basic slight ransomware, phishing spearphishing credential stuffing all these attacks are hitting them all the time. And so they need to have those foundational elements in place against those understanding what those are and not worry about the big stuff because the reality is if your organization is going to be hit by a nation state level complex attack. Or you can do fight against that as well, it's going to happen. And that's the thing with a lot of the buzzwords that we see in in cyber today as Matt. >> And and with smaller companies SMB's, I mean is really their only solution to go with, you know, cloud providers and other types of organizations and have the resources to get the people and the systems and the processes to really protect them because you can't expect you to just flowers down down off fourth street to be have any type of sophistication needed. But as soon as you plug that server in with a website, you're instantly going to get, get attacked , right. >> So the thing is, you can expect that, that guy to be an expert. He's not going to be an expert in cybersecurity and the cost of hiring someone is going to outweigh the value who's getting back. My recommendation that case is to look for organizations that can actually help you to become more cyber resilience. So an organization that I work with, it's actually UK and US basis, the global cyber alliance. They actually produce a small business toolkit. So it's a set of tools which are not chargeable is put together. And some of it might be a white paper, a set of recommendations, it might actually be a vendor developed tool that they can use to download to check the vulnerabilities or something like that. But what it does is it provides a framework for them. So they go through and say, Okay, yeah, I get this. This is English, simple language. And it helps to protect me as a small business owner, not a massive enterprise where actually none of those solutions fits what i one's to. So that's my recommendation to small businesses, look for these types of organization, work with someone like that, listen to what they're doing and learn cyber from them. >> Yeah, that's good tip. I want to, kind of of double click on that. So that makes sense when it's easy to measure your ROI on a small business. I just can't afford the security pros. >> Yeah. >> For bigger companies when they're doing their budgeting for security. To me, it's always a really interesting as i can, it's insurance at some point, you know, wouldn't be great if i could ensure 100% coverage, but we can't. And there's other needs in the business beyond just investing in, in cyber security, how should people think about the budgets relative to, as you just said, the value that they're trying to protect? How do you help people think about their cyber security budgets and allocations. >> So then there needs to be and this is happening, a change in how the conversation works between the security team and the board who own those budgets. What tends to happen today is that there's a cyber team wants to provide the right information to the board that's going to make them see how good what they're doing is and how successful they are and justifies the spend that they've made and also justifies the future investments that they're going to need to make. But very often, that falls back on reporting on big numbers, statistics, we blocked billions of threats. We turned away millions of pieces of malware. Actually, that conversation needs to narrow down and the team should be saying, Okay, so in the last two months, we had Five attacks that came in, we actually dealt with them by doing this, this is the changes that we've made, this is what we've learned. However, if we had had this additional or this switched on, then we would have been more successful or we'd have been faster or we could have turned down the time on doing that. Having that risk and compliance type conversation is actually adding value to the security solutions they've got and the board understand that they get that conversation, you're going to be happy to engage. This is happening, this is something that is happening. And it will, it's going to get better and better. But that's that's where things need to go. >> Right. Cause the other hard thing is it's kind of like we've joked earlier, it's kind of like an offensive lineman, they do a great job for 69 plays. And on the seventh seventh play, they get a holding call. That's all anybody sees . And you know, there's, again, that was part of robots, keynote that we can't necessarily brag about all the DDoS taxes that we stopped cause we can't let the bad guys kind of know where we're, we're being successful. So it's a little bit of a challenge in tryna show the ROI. Show the value when you can't necessarily raise your hand and say, hey, we stopped the 87. Tax. >> Yeah, >> Cause it's only the 88. That really is the one that that showed up in the Wall Street Journal. >> I think the thing with that is when organizations are looking at security solutions, specifically, we're very aware of that. As you know, organizations struggle to get customer references, you'll see a lot of the references are major financial, large manufacturing organization, because companies don't want to step up and say, I implemented security, they did this because the reverse of that is, she didn't have it before then >> Right right, or we'll go in that door not that door. >> Yeah and so, but there are a lot of good testing organizations out there that actually do take the security solutions, and run them through very, very stringent tests and then report back on the success of those tests. So you know, we work closely with NSX labs, for example, we've had some very good reports that have come out from there, where they do a drill down into how fast how much, how many, and then that's the kind of You can then take to the board. That's the kind of thing that you can publicize to say, the reason that we're using Juniper X or x firewalls is because in this report, this is what it said, this is how good that product was. And then you're not admitting a weakness. You're actually saying we're strong because we did this work in this research background. >> Right, very different kind of different approach. >> Yeah, yeah. >> Yeah well, Lawrence really enjoyed the conversation. We'll have to leave it here. But I think you have no shortage of job security, even though we will know everything in 2020 with the benefit of hindsight. >> Really, yeah thank you very much for that. >> All right. Thanks a lot. Alright, he's Lawrence. I'm Jeff. You're watching the cube. We're at RSA 2020 in Moscone. Thanks for watching. We'll see you next time.

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Welcome back everybody. Jeffrey here with the cube. We're at RSA 2020, downtown San Francisco and Moscone center, 40,000 professionals in the security industries, the biggest security event in the world. I'm pretty sure, certainly the biggest one in the U S we're excited to have somebody who's been running around taking care of these problems and talking to customers for a very long time. It's got a great longterm perspective. We're happy to have him. Jonathan, new wind, the VP global field say-so team for fortunate. Jonathan, great to see you. So you said you've been coming to this show for a long, long time. Love to get kind of your impressions that the human element is the theme. Yeah, well, sheer, you know, I, I think, uh, it's changing. It's uh, the attendance is broken out by very senior people who've been here for, you know, multiple events and then a whole new slew of people are coming into the industry, right. >>And there's a lot of excitement. It's, um, there's a little bit less of a buzz. It just seems it's a little bit less people here this year because of the virus scare. Um, but overall I think that the themes are pretty consistent, which is kind of tragic that the themes are consistent year after year because this suggests that not a lot has changed despite the $130 billion and it works with purity span. You know, absolutely complexity. Uh, everyone is telling me about how to solve complexity, how to do more with less, uh, how to do more with less and fewer people and how to get their arms around this vast volume of data that's being generated. And there's a lot of talk about automation and AI, uh, but much more practical, less buzzwords and more practical solutions. And yet still tons of new vendors, right? Tons of new opportunities. >>You know, I don't know what the final count is on the vendor side, but it's a really large number and you go off into the corners to the EDBD little, little, a little mini boost is still a time of innovation. So I think that people trying to move the ball. So I think when the first show first started, there were less than a less than 500 vendors, I think in the industry back in 2007 I think today we're North of of 5,000 and it's probably 8,000 or about 5,000 vendors in the immediate vicinity here. But just go around the corner and there are dozens of others having their own events and the neighboring hotels and restaurants. It's astounding the number of different point products are still coming into the industry and, and, and that really suggests that we haven't gotten our arms around integrating all of this technology. >>And it's just another level of complexity. So what do you tell your friends on the buy side, right? Who know you and say, say Jonathan, I'm going, I'm going to RSA. How in the heck am I supposed to navigate not only the show specifically, but kind of this vendor landscape and then make sense of it all? I'm telling him to look for vendors that are partners that have a longterm perspective and that do the integration for you. You know, one of the things coming from an operational background, as I talked to other CSOs, like our job is to operate technology. It really isn't about integrating technology. It really isn't about OAA and product. I want to focus my budget and my resources on operating technologies and manage risk. So I look for partners and mentors like, like Fordanet that has a fabric with 258 plus different products and vendors that are already integrated out of the box. >>I'm looking for someone that solves complexity rather than a specific problem or specific threat vector. And I'm really looking for some of that helps me understand and manage risk because that's the object of the exercise in cybersecurity today. It's not about compliance, it's about compliance, it's about security, it's about resilience, but a reasonable level of care in managing risk. Right. And yeah, it's, it's a great topic cause I was thinking that kind of in terms of insurance. Yeah. In terms of, you know, how much do you spend and you can't insure everything to 100% right. So it's going to be some number less than that. Everybody else needs a piece of the pie. But how do you make those kinds of trade offs, investment versus risk? Because you can't absolutely protect everything. It makes no sense. So I think that value of it comes back to the CSO and his or her team. >>It's a very human decision. Uh, there is no prescriptive definition of what reasonable care is. You know, outside of one statement by Kamala Harrison, she was the state's attorney in California here, which is the CIS 20 is the minimum level of reasonable care. And so now we have to understand how do we define what is reasonable, what is the risk appetite or tolerance for a company? And once you identify those things, what are the controls and mitigation measures that you're gonna have in place to mitigate those risks? And then what's left is residual risk. And that's a hard decision. How much will you absorb? How much will you transfer, uh, and how much will you just tolerate? Um, but it's really no longer just about compliance, uh, and it's no longer just about having a security or continuity or resilience about all of those things. At a reasonable level. >>Right. It's interesting as pulling up Winnie Naylor from, from Cisco gave one of the early ketos and she talked about, you know, really this security profession, embracing those pesky people that keep clicking on links because really they're the people that can, that have the data around the specific, um, applications and specific assets that the company has to kinda have that informed decision as to what is it worth to protect and do we need to protect it? Do we need to protect them more? Can we let this thing go a little bit? Yeah. I think the human element is the hardest part, you know, in mind at this conference and its theme, that human element. The hardest part about this job is that it's not just mechanical issues on routing issues and networking issues, but it's about dealing with all types of humans, innocent humans that do strange and bad things unknowingly. >>And then malicious people who do very bad things that by design. And so the research suggests that no matter what we do in security awareness training, some 4% of our employee base will continually fail security awareness tests. Well, we fished actively. And so one of the things that we need to do is use automation and intelligence so that you could comb through all of that data and make a better informed decision about what risks you're going to mitigate, right? And for this 4% that are habitually abusing the system and can't be retrained while you can isolate them, right, and make sure that they're, they're separated and they're not able to, uh, to do things that may harm the organization. Right. The other human element is the people on the security teams, right. And it's a tough resource. There aren't enough of them. And, and, and historically, they'd been the ones that, that integration point between all these different systems and it's a highly stressful job. >>You know, there was a Forbes article that said 17% of all CSOs are functional alcoholics. I mean, I mean, and they met as a 17 for 17%. One of every six CSOs medicates himself or herself with alcohol. And medicate is a very specific term of art. It doesn't mean recreational drinking means you are a functional alcoholic and that tells you about the level of stress and complexity. You know, in this job, our research suggests that the average CSO lifespan is somewhere on the low end of about 12 months on the high end, somewhere about 24. You know, in their role or in their profession, their role and their current job, their current gig, they're not lasting more than than two years. Uh, the sheer complexity and stress of the job and you know, and, and those, of course, 24 months, three of those months are just orientation cause that gives you an idea. >>It's a level of stress and complexity that the average CSO is going to face here. Right. So really begs for a lot more automation, a lot more automation on the defense side. It does, it, it makes for a lot more automation. And how do you help those teams cope with a massive levels of complexity and data that's coming out of these digitized and digitally transformed enterprises, right? And when you think about each person's going to generate three to five terabytes of data per person per day, uh, and that computing is going to change in the next three to five years. Right now 85% of computing and data generated comes from traditional it functions as you move into 5g and edge based computing, the vast majority of data generating computing will be done on the edge. So the level of complexity, the number of technologies and devices that we're going to have to monitor is only going to expand, right? >>Right, right. And the speed of those transactions and the speed of the potential harm. So marry that against the research data says that 99% of the attacks could have been mitigated through simple intermediate controls and that the patches, the signatures were readily available. And so the thing to contemplate as we go into this heightened level of complexity and expansion of our computing environment is we're missing the basics today, right? Right. If 99% of the successful attacks are based upon exploits that are known that the signatures are available in the patches available for then a year, what are we going to do when everything else becomes even more complex, more sophisticated. Yeah. That's funny. That was part of, of of raw heats keynote, uh, to kick off the whole thing is he said, you know, we as security professionals like to focus on the complex, we like to focus on the, the ornate and the, and the super sophisticated attacks on the reality is the vast majority and we're just coming right in the normal side door that they've been coming in all along. >>And one thing I decided during my time at the Verizon data breach investigations report was a 77% of all the breaches were not identified by the security team. They were identified by law enforcement. And so 77, 77% of the case. So let's, so let's say you've got a CIS admin that that goes out and accesses financial information before the earnings call and does insider trading. And it's the sec that calls the FBI. And then it's the FBI that calls you and said, by the way, your CIS admin is going to be charged with insider trading. And that's how they know that there's been a compromise out. And in many cases, what does that tell you? Despite $130 billion of network security spend this year alone, that's seven out of 10 data breaches will be identified by law enforcement and not the security team. Yeah. So that tells you that not the security law enforcement team, either it's the FBI or the sec hires the cl service and it just says that security is so complex that until we find ways like the FORNAS security fabric to automate and to manage complexity in an integrated way, you know, that's the, that's the leading edge indicator that I look for is that at what point do security teams identify more data breaches then law enforcement and the victims and they're way behind at this point? >>I think so, unfortunately. Yes. That's crazy. So, um, but there's a lot more AI now that you guys can use to write on the good guys side. But how does that really square the circle when you're saying so many of it just comes through the simple approaches because of lack of visibility. Uh, SOC teams are overwhelmed by the volume of data. And so the way to address the volume and variety and velocity of data is to use artificial intelligence to use a machine to make human decisions and behavior at machine speed. And so when we launched our 40 AI product offering and the virtual security analysts, you know, the research that we did suggest that is he pivoted a five SOC analysts. And so that's one way of helping SOC teams that are overwhelmed by the volume of data that are understaffed, to use artificial intelligence to distill out from all of that, that data, that useful patterns, and to marry that with our Florida guard intelligence, say, okay, this is the techniques, tactics and procedures most likely associated with this threat vector right now, escalate that to a human to make a decision on whether you want to mitigate that. >>And once you decide to mitigate that, use the automated and integrated capabilities of the fabric to make an efficient and effective, uh, mitigation, uh, of that incident. Right? Yeah. Yeah. That's interesting. You bring up the sec case. We had a conversation earlier today where we were talking about deep fakes. Yeah. If somebody had the use case that, you know, what, if you just had a pretty straight forward, deep fake of some executive from some companies saying something to move the market and you drop that into the, uh, into the social stream three minutes before the close on a Friday, you get a play off the off the margin leverage. Nobody gets to really investigate the thing until the four minutes are over. Markets are closed, right? You get a significant financials damage in a situation like that, not even really directly impacting the company system. Right. >>So you're, you're hitting on the fact that we are more interconnected than ever and that the traditional compensating controls that we would have used to mitigate that type of risk is not, not as effective. And so, you know, that's going to be a challenge moving forward. Everything is going to be more interconnected, accelerated and decisions will be driven by data. So it's all of those things will drive complexity. So maybe next year when we talk again, we'll see it and see that. But I'm a little, one of the reasons I'm, you know, I have a credit freeze personally is that I'm aware of things like, like deep fakes, uh, impersonations moving my identities. So having a credit freeze allows, allows me to know that no one can leverage my credit even if they have my data. Right. Interesting. So thanks. Question. We sit down here a year from now, uh, without the benefit of 20, 20 hindsight. >>Yeah. You know, what do you think the themes are going to be? What, what do you see as kind of this kind of short term move in the market based on some of these factors that you've identified? I think, uh, more automation, more uh, artificial intelligence ways of automating the traditional process was insecurity. The secondarily, I think there's going to be the rising awareness of edge based computing and smart systems, autonomous level five vehicles that are networked and rather than a sensory based awareness, smart homes, smart industrial applications, uh, that computing will be done on the edge increasingly and those industrial applications, that 85% of the data computer will be done there. And that increasingly the cloud will become a repository for, for, uh, for storage and correlation. But the actual computing and actuation will be done on the edge. And so as 5g takes hold, you're going to see tremendous transformations in our society and our economy and how we conduct commerce, how we communicate. >>Uh, and that leads some more complexity. That's why, that's why I'm so focused on helping organizations getting security right now before that next onslaught of complexity hits us. It's coming. It is the five G IOT thing is, is just around the corner. The look at the telcos, there is a very specific reason why they're investing literally hundreds of billions of dollars into five G and the tremendous societal and economic changes that that will bring in infrastructure, communications and security will have to stay pace with that. One of the things that we're going to see moving forward is that the digital infrastructure is only successful only as successful as a security is. And I think we'll, we should see a breakdown in the traditional operational silos in network operations and security operations as Michelle Dennett. He said earlier on the air, if you cannot protect, you should not connect. But unfortunately people are still connecting before they're ready to. Absolutely. Well, hopefully there'll be a little bit more circumspect going forward. We'll try Jonathan, thanks for, uh, for taking a few minutes and sharing your perspective. Really appreciate it. Always a fun time. Alright, Jonathan, I'm Jeff. You're watching the cube where at RSA 2020 from downtown San Francisco. Thanks for watching. We'll see you next time.

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media >>and welcome back. You're ready Jeffrey here with the cube. We are a day four here at the RSA conference in Moscone Thursday. We've been going all day Monday, Tuesday, Wednesday, Thursday. It's a huge conference over 40,000 people, you know, kind of the first big us conference after the mobile world Congress thing with a coronavirus. So we were all kind of curious to see how it would work out. There was some companies that pulled out but you know Rohit and the team stayed the course, they got the support they needed from the city and it's turned out to be quite a show. So I'm sure there's a lot of people all over the industry kind of watching this as an indicator of how do you execute a conference and these kinds of crazy times. So we're excited for our next guest. He's Andy Smith, the senior vice president of marketing for Centrify. >>Andy, great to see you. Good to be here, Jeff. Doing great. So you said you've been coming to this show for a while, you're a seasoned veteran of the industry. First off kind of general impressions of this show versus versus other kinds of RSAs you've been doing in the past. It's super interesting to watch. It ebbs and flows of the security industry, right? I mean I've been 15 years over the past 25 I've been at this show and you've seen it be big and then shrink down, you know, to one hall and then the two halls again. I mean what's interesting the last couple of years is it's, it's big again, like security is hot. We know budgets are going up, a breach, cultures out there. And so, you know, the IC, the RSA show is a reflection of what's happening with the industry when you look at the size and number of attendees. >>Right. The other kind of theme this year was the human centric, uh, boat. And we had row head guy on just a little bit earlier in his keynote. I thought it was really interesting. It was not about security per se. It was not about threats and detection. It was really about stories and narratives and peoples and kind of taking that back as an industry. I wonder, you know, kinda your impression as this kind of human centric theme as we're surrounded by tech tech and more tech. It is, if you think about human centric, it's a, it's a big piece of your, your security strategy, right? I mean, uh, what, there was just this morning, uh, one of the sharks got fished, right? Lost $400,000. One of the, yeah. And so, uh, you know, educating people about looking out for fishing attacks, right? Uh, uh, looking at insiders who are one of our biggest threats and you know, they're, they're a huge piece of this is not technology at all. >>Right? I thought Wendy's keynote was great too from Cisco. Talking about everything we do on computers is about clicking. And yet we tell people, you know, click the download the patch, but don't click on anything else. And really, you know, kind of taken an approach that people need to be part of the solution. They're not these horrible people that keep clicking on the wrong things, but you really need to integrate them into your strategy. Yeah, absolutely. I mean, it's about educating your workforce. It's about educating consumers, right? Whether you're talking B to C security or whether you're talking to me to be that human element and educating to be diligent right to you, you got to know a little bit about how to look for something that might be suspicious and know what is, what you should be clicking on, what you shouldn't. There's, there's not a lot of technology that can solve that for you. >>It's getting out and, and, and making sure people are educated. And unfortunately, the bad guys have been working hard on their grammar and, uh, and doing all the AI on the background. So, you know, it's not, a lot of things today are not easily identifiable like they used to. They've gotten, that's no longer really kind of a baseline, a hope not to click that thing. They've gotten way better. Right? So rather than these attacks that are spray and pray, they're going after, you know, just going after anybody. They can, they're targeted now. Right? So spear fishing, right. And uh, and so specific individuals. And that's why one of the things that, that is a little bit coming up at this show and something that we talk about is identity centric security. So that you've got a tie, that kind of human element to your security. >>You know, there's network centric, but getting identity centric and tying that human element to your security aspect, making sure the security, the identity technologies and the security technologies are working together. That is brings that human element into your own security strategy. And when you, when you talk about identity, how should people be thinking about identity? Because clearly we see the kind of the rise in multi-factor now, right? We have to do, we have to go to the, our phones all the time with the code. Now we're hearing people, you know, can spoof identity, they can Smoove faces. I guess identity is not a face, but you know, some of these indicators of identity. So when you help people think about identity, what are some of the factors they should think about? What are the things they don't but they should be thinking about? Yeah, yeah. >>I mean some of the things that we talked a lot about is multifactor authentication. So although yes, right, real sophisticated people can have ways of getting around that, but most attackers and hackers are lazy, right? They're going to go for somebody who's got no multi-factor in place, like even doing the basics is way better than doing nothing. I mean, the statistics bear out that you do a little something right? And then you can always step it up and get more sophisticated where you've got tokens that you have to put your finger on, right? And you know, you can get smart cards and all those kinds of things. You can get much more sophisticated, but multi-factor in general works. I mean, you're just going to take it a far bit above. But what's interesting about identity, because we always think of humans, right? But when we talk identity, where this market is going is identity is machines. >>You have to give a machine an identity, you have to give a service account, an identity, you have to give a microservice identity. And these more and more, this is just completely automated world. This isn't humans logging into things anymore. This is microservices talking to each other. Each of those needs an identity needs an authorization cause they have accounts that can be hacked also. Right? So the you need protect those just as much as needed to protect those human accounts. It's funny cause we, we cover a lot of RPA shows, right? And the whole talk of, of of people that do RPA, right, is that they're, they're, they treat them as people, right? They treat them as kind of like your little assistance, your own little bot to do little tasks that you assigned them to do. So treating them with kind of an identity protocol. >>Then that gives all the authorizations and you kind of leverage all that back end is the way to integrate them into the workforce. Absolutely. It's all about access controls, authentication, authorization. Those are the controls that have been there forever. You're supplying these two new types of identities and you know, the, we're in the privileged access management space, so it used to always be a windows admin or a Unix Linux admin logging into a physical box, right? And so it was about protecting those accounts. But more and more it's about giving a machine and identity and a microservice and identity and how are those things talking to each other? We're protecting, that's all completely automated with dev ops. You think about if I have a, as I moved to the cloud, I want to be able to scale out dynamically, right? Uh, horizontally, vertically. So all of a sudden new servers, virtual servers or containers just popping up automatically. >>You have to be able to control the access to all those automatically, dynamically on the spot, and then they shrink back down. You need to get rid of all that, right? So the automation that's come into our space, although the same, I'm still trying to do authentication, authorization, same type of privilege access controls we've been doing for 30 years, but how they're applied in this new world is much different right now. What about then you layer you layer on top of that zero trust, so I definitely want to identify, but I have zero trust and I'm presuming at some point in time you might end up either being a bad guy or some bad guy's going to come in via your credential. How does the zero trust piece fit on top of the identity kind of management? It's really why we're talking about identity centric security now is because you can't, you, you have to assume somebody on your network. >>You can't trust all those perimeter controls that are there. The reality is they're going to get in and so that identity centric security starts at that access layer and not not trusting just because you got onto the network that, Oh, sure, here you go. You can, you can do whatever you want. That's where zero trust comes in. I don't, every time I want to get access to a piece of data or a system, et cetera, I need to do that F indication that authorization apply, that multi-factor. Those are all identity centric controls that result in this, this journey towards the zero trust world. It's, it's funny, uh, I've sat down with Mike and Caesar, uh, for scout and you know, he talks about when they do the little sniff on all the little devices that are plugged into the networks and it's usually multiples back of what people think are on the network, especially remote location. >>People are plugging stuff in. But then too, you know, like you said in the machine, identify, you know, what should a logic cam do and how should it act. And as soon as it starts acting and asking for things in accounts payable, maybe that's not necessarily what a lot to take camera wants do or should be doing. Yeah. Yeah. And so first there's like knowing what that device is giving you an identity so he know what it is, know what it should be doing. It has a role, it has specific access and authorization rights that are granted to it. So the logic camera, if I know what that camera is, you have an identity. I know what it's supposed to be doing. I should be able to restrict the access it has to just what it needs to do. Right. Rather than it's got root account to do whatever or some God account to create, you know, like those are the kinds of controls we have in place. >>And it's just logical identity management controls that have been there forever. But you're a, once you can identify those devices connected, you can, you can give them those, you know, limited. There's talk about least privilege, right? That's again, a 30 year old control, but giving at least privilege on just what it should do and nothing more. And do you see in the future just more and more kind of multifactor, uh, validation points that we'll have to get added to the, to the process as we move from single factor to factor, however many factors is going to take? For sure. Yeah. I mean, so the multi-factor, cause there's one thing are you authenticate yourself at the front door, right? So that's what most authentication is, but there's this concept of continuous authentication. You're the trust in that, uh, that initial authentication degrades as your session goes on. >>Right? So the longer I've had a session open, you know, is that still that same person or that same service that is clicking away at the keyboard there? There's cool stuff, wrong continuous authentication where there they can tell it's still the same person based on the cadence. They click on the keyboard, other biometric methods, the swiping I do on my phone and stuff like that. So there's ways to have continuous concepts now called continuous authentication. Right? And so I absolutely see that those behavior based, uh, types of, uh, of authentication. You're going out through a user's entire session. So I want to shift gears a little bit. One of the things that amazes me about this show, and I don't know when it was small, but it's been big ever since I've been coming. It's right, there's so many vendors here, there's so many companies in this and there's so many kinds of stories that a lot of really enthusiastic people work in booths that are screaming at you to come over and tell you all the great things they do. >>From a marketing point of view, you're, you're the SVP marketing. How do you, you know, kind of package your messaging, how do you kind of break through the clutter? What advice do you give to, to buyers, um, to help them kind of navigate what is a, a very large, loud and complex system? Yeah, it's a, it's a complex battle, right? So you have to be able to, because there are so many different technologies here, uh, in, in the security arena, uh, we're all fighting for the same share of wallet in a sense. Right? And so first you have to identify yourself with something people recognize a market that people recognize like identity, privilege, access management, endpoint security, you know, et cetera. But then you have to differentiate yourself within that market, right? So you've got to add something to the market space I'm in to that gives a little twist. >>So for us, it's identity centric, privilege access management and that, you know, we suppose that against Balt centric or you know, something else that we've tried to put the other bets. So you try to, in your message, you got to categorize what's the space I'm in and how do I differentiate? And in something as short and brand-able as possible. And then you got to have this kind of ongoing solutions, partnership relationship with, with your clients, right? Because this is not something you're going to be switching things out that frequently and, and, and, and the landscape and the threats evolve and change so rapidly. I think we've had a number of people come on to publish this report or that report, his report, he's come out every six months and there's actually the online version so he can keep up with what happened today or what happens tomorrow. >>So not an easy, uh, not an easy kind of marketing challenge to stay relevant, stay connected and state stay really in people's mind. Well, and you know, there's, there's awareness aspects to it and it is really just what really helps is you just create as many happy customers as you can. Right? I mean, you're amazed at the how connected this industry actually is. I mean, the attendees that are coming to this conference, they know each other. They've been coming here from here. It's just like we have. Right, right. And a word of mouth between people who have used your technology, they share that with something else. I mean the security industry as big as it is, it's, it's super interconnected. One person goes from one company to the other and so tons of business just comes from word of mouth, referral, etc. So the happier you can keep your customers, the more uh, you know, mind share. >>You can get up there. Okay. Last question before I let you go. We just like to say we just had row hit on one of the topics was they just got bought by a symphony. I think it's symphony, a private equity firm. Um, we met the other night at a, at a cocktail party put on by Tom Thoma Bravo and you were at Centrify before they came in. And after, you know, I think some people are kind of confused, you know, what is private equity, how does it impact the company? So wonder if you can kind of share, you know, how that transition has come along and you know, kind of give us an update on what's going on at Centrify and where you guys are going next. Yeah, so we were acquired about a year and a half ago now, uh, by private equity and you know, they basically, they take later stage companies and uh, help them get, uh, profitable, uh, they increased value and then they look for going, taking that company IPO or selling it off, et cetera. >>Right? But it's really about looking for opportunities, uh, in existing market with larger companies, the venture capitalists will go after smaller, much larger risks. These are bigger dollar amounts, right? Larger companies. But then they, they look about how to optimize. They're very sophisticated on how to run a B to B business. Tama Bravo happens to have a huge investment in security and it comes like eight or 10 companies there the other night. Yeah. So they, they realize that this is a hot space right now. So they've, if they can take a company and create value that they realize that there's more stuff popping up. There's probably money being invested in. And one of the things that, but not all private equities created equal. Yes, they are about all about kind of optimizing, increasing value. But what we really found with Tom or Bravo is they're interested in investing in that company, looking at other folds and acquisitions, et cetera. >>And that's a part of a strategy for me as a, as a manager and an I'm part of the executive team. When you're backed, they don't have the money to go after acquisitions. Uh, like that they, you know, they make these smaller investments. We're talking about Bravo actually does have the capital to look at other things that can be immediately accretive and add to your value. And that's a, a real part of our strategy now that didn't exist before we were owned by PE. I think they spun out a whole nother, another company out of what your technology say. Correct. Exactly. So one of the unique things about our particular acquisition is Centrify was both a privileged access management. And a identity as a service. And I Daz a company and they looked at what we were doing and they said, geez, you're really selling to two different markets and it's two different sales cycles and two different business models. >>We could actually create more value if we split these up and each of you focused on your individual markets. And so that there's a, there's an MQ and a market segment and a wave for IDASS and there's an MQ and a wave, you know, et cetera for Pam. But there's not anything that does both. And that's what Centrify was. So they actually, we, we completely divested of our IDASS capabilities spun off in an entirely separate company called adaptive. And so over the last year, that's was a lot of the work that was going on. It was, was splitting this company, uh, uh, into two. But it really provided us a much more focused to go after the market that we were going after. Well, they wouldn't come in if they didn't see some opportunity to, uh, to pull some more value out that wasn't really being unlocked. Absolutely. Right. Andy, we'll thank for taking a few minutes and uh, and great to catch up and best you for the rest of the show. Awesome. Thanks a lot, Jay. He's Andy. I'm Jeff. You're watching the cube where? At the RSA show in San Francisco. Thanks for watching. We'll see you next time.

>> Narrator: Live from San Francisco it's theCUBE covering RSA Conference 2020 San Francisco brought to you by SiliconANGLE media. >> Welcome back, everybody. Jeff Frick here with theCUBE. We are at the RSA 2020, a really special segment. As you can tell it's really quiet here, it's not like normal CUBE action, we are here before the expo hall even opens on Thursday morning with a very special guest, we pulled them away from a crazy busy week if not more, it's Rohit Ghai the president of RSA, Rohit great to see you again. >> Always a pleasure, thanks Jeff. >> Absolutely, so I was really looking forward to this, I was really impressed by the opening keynotes, first it rolled out George Takei, that's a pretty bold move even more bold is to try to follow him up. >> Totally (laughing) >> So congratulations, and you know, that was pretty brave. >> I appreciate it, thank you. That was quite a, you know, quite a hurdle to got to follow George Takei. >> Right, and I just want to get kind of these other things that were kind of bubbling above the surface out of the way you know, a big piece of news, I think a week it came out before the show is that RSA was sold to Symphony I believe? >> Rohit: Symphony Technology Group. >> Right, so give us a little bit of the story there. >> Absolutely, so you know we entered into a definitive agreement, Symphony Technology Group acquiring RSA from Dell Technologies. What this does is this it basically clarifies the swim lanes for Dell Technologies to focus on intrinsic security and RSA can focus on managing digital and cyber risk, and you know, we are excited about the opportunity to become agile and independent and you know, kind of play in a smaller company setting to pursue our future, so we are super excited to be part of Symphony. >> Yeah, that's great, and the other thing that's kind of a pall, I mean just to put it out there is the corona virus thing. And you know, Mobile World Congress, a completely different show but a big show, probably the first big show of our industry this year was canceled. A hundred thousand plus people, so I just am just wondering if you can share kind of what were some of your thoughts and the team's thoughts 'cause we were all curious to see well how is this going to happen, there was a couple of drop outs but I think it's been a very good week. >> It has been a great week, you know what I'll say is it was a demonstration of resilience on part of the attendees, you know when we analyzed the situation what we noted was about 82 plus percent of our attendees are from the Americas right, so there was a core set of attendees that were perhaps not as impacted in terms of travel, et cetera, so we decided to move forward, we've been in close collaboration with the CDC and the mayor's office right here, Major London Breed's office right here is SF to make sure it's going to be a safe event for everyone and you know, the team put together a great kind of set of measures to make sure everyone has hand sanitizer. >> Great, great. >> And you know, we made sure we did what was needed to manage the risk and ensure resilience through this sort of you know very global risk that is playing out, so very proud of the team, and we garnered 40 thousand plus attendees despite you know, despite the coronavirus issue. >> You know, good job I am sure it was touch and go and a real sensitive situation and I can tell you a lot of other people and event organizers you know, were getting ready to head into a very busy event season, it's what we do and so, you know nice kind of lead indicator from you to execute with caution. >> I appreciate it, thank you. >> So let's jump into the fun stuff. So your key note was not really talking that much about bad guys and technology and this and that, you talked about story telling and you got very much into kind of the human element, which is the theme this year, but really the role of stories, the importance of stories, and most importantly for the security industry to take back their story and not let it get away from them. >> You summed it up really well Jeff, and you know what I said is hey if the theme of the conference is the human element, let's explore what intrinsically makes us human and the point, you know you've all know that it is stories that makes us human and I feel we've lost control of the narrative as an industry and as such we need to take that back and make sure we clarify the role of all the human characters in our story because until we do that, until we change our story we have no shot at changing our reality. >> Right, but you're kind of in a weird spot right, it's the classic spy dilemma. You can't necessarily tell people what you know because then they'll know that you know it and you might not be able to get more or better information down the road, so as you said in you keynote you don't necessarily have the ability to celebrate your wins, and a DDoS attack thwarted doesn't make the news. I keep thinking it's like ref in a game or like a offensive lineman in football you only hear about them on that one play when they get the holding call, not the 70 other plays were they did their job. >> Rohit: Totally, totally. >> So it's a unique challenge though >> It is, it is a challenge, it is not an easy problem and you know, there is a couple of recipes that I put out there for us to consider as an industry is you know, recipe one is we can celebrate our successes at a collective level right so, just like we put out breach reports, et cetera, in terms of what the statistics are, where the breaches are animating from we can talk about defensive strategies that are working at a collective level as an industry and share that sort of best practices recipes to win, that would be a fine start. I think another area, another point that I made was that we don't have to win for the hacker to lose. 71% of the breaches were motivated by financial gains, right, and as such if we, despite breaches, which is not a win for us, if we deny financial gain to the hackers we make them lose and they are subject to the same laws of economics, they have a profit and loss statement, they are spending resources for gain and when we deny them gain we make them lose, so those are a couple of ideas on how we can begin to change the narrative. >> Right. So the other piece of the human part is the rise of the bots, right, and the raise of AI and the rise of these increasingly smart and sophisticated machines. I think I saw one of those reports that we talk about on air was you know that people are an increasingly targeted group we hear it all the time, we hear about social engineering. As that gets more complicated, how does the role of people change? 'Cause clearly they can't monitor tens and tens and hundreds of thousands of concurrent attacks all the time. >> Absolutely, so you know the bad guys are using AI you know I cited the example of a deep fake audio clip that actually duped the CEO into initiating a wire transfer so they are using all these sophisticated attacks so to your point, we cannot rely on the end user to discern through these very sophisticates. It's unfair for us to think of them as the first line of defense, we have to on the IT side, we have to bring in technology, make the technology more usable, so you don't have to pay attention to this one millimeter by one millimeter lock at the corner of the browser to realize whether a web interaction is safe or not. We need to make more usable software, we need to do a better job of managing and reducing vulnerabilities to reduce the attack surface so IT has to step up in that regard, and then on the security teams I think they have to step up to use AI to detect bot initiated attacks so we are not leaning on the human to discern what is an anomalous interaction and what could be a phishing or a smishing attack, et cetera, you know we need to bring AI to fight the good fight on our behalf. >> Right. So the other kind of angle on that I thought was really interesting, Wendy's keynote, a couple of keynotes after yours from Cisco talked about, you know, a theme we see over and over in tech which is really kind of the democratization of security and get it out of just the hallowed halls of the super billion CSOCs and technologists that are just security and open it up to everybody so make them part of the solution and not those pesky people that keep clicking on links that they are not supposed to. >> Absolutely. She did a great job of kind of making that point and you know the way I think about it is again we need to move from a culture of elitism to a culture of inclusion. Until we really get the steaming going, not just within the security professionals which we are doing a better job of certainly in the industry, but we have to team with the user, the IT and the business teams in order to have a shot at tipping the balance in our favor. >> Yeah, it's really funny 'cause that kind of democratization theme is something that we see kind of across many levels of technology, whether it's in big data, can get away from the data scientists, in doing your own reports, in having access to your own marketing material and you know, so it's kind of funny that now we are just hearing it here I guess the last bastion of we're the smartest people in the room, no no, you need to use all the brain power. >> All the brain power. I use the phrase let's stop being STEM snobs and let's be more inclusive, and you know garner the entire spectrum of the diverse talent pool that we have available and you know making the point, perhaps a provocative point, that the cyber talent gap, a bit of it might be actually self-inflicted because we have been in this sort of elitism mindset. >> Right, and I think one of the themes that you talked about in you keynote was because of kind of the elite mindset we only want to focus on the elite challenges and in fact it's not the hardest challenges that are necessarily the most dangerous or the ones that are more frequently used, it doesn't have to be the craziest hardest way in. >> It absolutely does not. The point I made was preparing for the worse does not prepare you for the likely and the statistics are overwhelming. 60% of the breaches were on the back of six stolen credentials. That's a pretty table stakes basic issue that ought to be just taken off the table, and if we take care of the basics then we can focus our energy on the corner cases but let's first prepare for the likely before we get to the worst situations. >> Right. So Rohit I'm just curious to get your take as you have been here for the last couple of days, you know you did a whole lot of work getting into that keynote and getting this thing up and off the ground but you've had a couple of days to be here walked around, talked to a lot of customers and clients, partners, I wonder if there is anything that's kind of come up as a theme that you either didn't expect or kind of reinforced some of thoughts that you had coming into this week. >> Absolutely. I think if I would've net it out Jeff what I'm sensing is there is a whole movement to shift security left, which is this whole idea of IT stepping up as the first line of defense, reduce cyber exposure, take care of patching, multi-factor authentication, reduce the attack surface intrinsic security right so DevOps and SecDevOps take care of it right up front before the apps even get built right, then there is another movement to shift things right which is take care of the new aspects of the attack surface right, what the hacker always take advantage of are the areas where they sense we are unprepared and for a long time they've seen us being unprepared in terms of reducing the attack surface and then they go after the new aspects of the attack surface and what are those? IT, IoT, OT, data as an attack surface and the Edge right, so these are areas were there is a lot of activity, a lot of innovation, you know, on the floor here if you walk the corners shifting left shifting right as in all the new aspects of the attack surface. I am seeing a lot of conversations, a lot of innovation is that area. >> Yeah. Well, there's certainly no shortage of innovation in the companies here and in fact I think it's probably one of the biggest challenges that I think of from a virus perspective is to walk this floor and to figure it all out 'cause I don't know how many thousand of vendors there are but there's really big ones and there is lot's of little ones like you said tucked in the corner in kind of the cutting edge of the innovation. What advice do you give to people who is their first time coming to RSA? >> Yes, I think you know, it's a huge challenge for customers, there's 14 of every category. I think the customers what they have to see is they have to think about the recipe rather they have to focus not on the tool but the concept behind the tool, and think about the architecture right and they should seek out vendors that take this platform approach. It is, you know, the market hasn't consolidated that much where they can just go to a few vendors but when they build that architecture they should choose vendors that behave well as a puzzle piece in the jigsaw puzzle that our customers are having to assemble together right, that they are investing in the API integrations on the edges so they can slot in and be part of a broader solution. That's a key, key criteria that customers should utilize in their selection of the vendors. >> Yes, that's good. That's good advice, and they should be listening. So Rohit, thanks again for your time. Congratulations on a week and I hope you get that weekend of absolutely nothing coming up in just a couple of days that you talked about. >> I absolutely do. The joke I made was, you know, the only time I'm okay being labeled as useless is the weekend after RSA conference. So, I fully look forward to being useless over this weekend, it's been a great week and thank you again for having me. >> All right, two more days, 48 hours. All right, thanks again. He's Rohit, I'm Jeff, you're watching theCUBE. We're at RSA 2020, the year we're going to know everything with the benefit of hindsight. We're not quite there yet but we're trying yo get a little closer. Thanks for watching, we'll see you next time. (upbeat music)

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Hey, welcome back everyone. Cubes coverage here in San Francisco, the Moscone South. We're here at the RSA conference. I'm John, your host and the cube. You know, cybersecurity is now a global phenomenon, but cubbies have to move at the speed of business, which now is at the speed of the potential attacks. This is a new paradigm shift. New generation of problems that have to be solved and companies solving them. We have a hot startup here that's growing. Hazel cast, the CEO, Kelly Kelly Harrell is here. Cube alumni. Good to see you. Good to see you, John. Hey, so we know each other you've been on before. Um, you know, networking, you know, compute, you know the industry. You're now the CEO of Hazel cast. So first of all, what does Hazelcast do? And then we can get into some of the cool things. Hazel cast is an in memory compute platform. >>So we're a kind of a neutral platform. You write your applications to us. We sit in front of things like databases and stream, uh, streaming sources, uh, and we execute applications at microsecond speeds, which is really, really important as we move more and more towards digital and AI. Uh, so basically when, when time matters, when time is money people buy Hazelcast. So I've got to ask you your interest in better, you can do a lot of different things. You can run any companies you want. Why Hazelcast what attracted you to this company? What was unique about it that got your attention and what made you join the firm? Well, when I first started looking at it and realized that a hundred of the world's largest companies are their customers and this company really was kind of kind of a run silent run deep company. A lot of people didn't know about it. >>Um, I could not, I had this dissonance, like how can this possibly be the case? Well, it turns out, uh, if you go into the Java developer world, the name is like Kleenex. Everybody knows Hazelcast because of the open source adoption of it, which has gone viral a long, long time ago. So once I started realizing what they had and why people were buying it, and I looked at that, that problem statement and the problem statement is really increasing with digitalization. So the more things are speeding up, the more applications have to perform at really, really low latency. So there was this big big growth market opportunity and Hazel CAS clearly had the had the drop on the market. So I've got to ask you, so we're at RSA and I mentioned on my intro here the speed of business while he's been down the, it kind of cliche moving at the speed of business, but now business has to move as the speed of how to react to some of the large scale things, whether it's compute power, cloud computing, and obviously cyber is attacks and a response. >>How do you view that and how are you guys attacking that problem? Well, you know, it's funny. I think the first time I truly understood security was the day that I was shopping for a home safe. You know, because I realized that all of these safes, they all were competing on one of the common metric, which is the meantime to break in, right? Is that you had one job and all you can tell me is that it's going to happen eventually, you know? So the kind of the scales got peeled off my eyes and I realized that, that when it comes to security, the only common factor is elapsed time, you know, and uh, so the last time is what matters. And then the second thing is that time is relative. It's relative to the speed of the attack. You know, if I'm just trying to protect my goods in a safe, the last amount of time is how long it can take for the bad guy to break into the safe. >>But now we're working at digital speeds, you know, so, you know, you take a second break that down to a thousand, uh, that's uh, you know, milliseconds. It takes 300 milliseconds. The blink. Yeah. Now we're working at microsecond speeds. Uh, and we're finding that there are just a really rapidly growing number of transactions that have to perform at that scale and that, and that speed. Um, you know, it, it may have escaped people completely, but card processing, credit card, debit card processing, ever Dawn on you that that's an IOT application now. Yeah, because my phone is a terminal. Amazon's a giant terminal number of transactions go up. They have three milliseconds to decide whether or not they're going to approve that. And uh, now with using Hazel Cassady not just handle it within that three milliseconds, but they also are running multiple fraud detection algorithms in that same window. >>Okay. So I get it now. That's why the in-memory becomes critical. You can't gotta be in memory. Okay, so I got to ask the next logical question, which is okay, I get that it makes less sense and I want to dig into that in a second. But let's go to the application developer. Okay, I'm doing dev ops, I'm doing cloud. I'm cool. Right? So now you just wake me up and say, wait a minute, I'm not dealing with nanosecond latency. What do I do? Like what's I mean, who's, how to applications respond to that kind of attack velocity? Well, it's not a not a a an evolution. So the application is written to Hazel cast is very, very simple to do. Um, there are, uh, like 60 million Hazel cast cluster starts every month. So people out in the wild are doing this all day long and we're really big in the Java developer community, but not only Java. >>Um, and so it's very, very straightforward with how to write your application and pointed at Hazelcast instead of pointing at the database behind us. Uh, so that part is actually very, very simple. All right, so take me through, I get the market space you're going after. It makes total sense. You run the, I think the right wave in my opinion. Business model product, how you guys organize, how do people sign up for our development and the development side? Who's your buyer? What's the business look like? Share a Hazel. Cast a one-on-one. Yeah. So we're an open core model, meaning the core engine is open source and fully downloadable and you know, free to use, uh, the additional functionality is the commercial aspect of it, which are tend to be features that are used when you're really going into, into sensitive and large scale deployments. Um, so the developers have access to a, they just come to hazelcast.org and uh, and join the community that way. >>Um, the people that we engage with are everyone from the developer all the way up through the architect and then the a C level member who's charged with standing up whatever this new capability is. So we talk up and down that chain, um, where you're a very, very technical company. Uh, but we've got a very, very powerful RLM. What's the developer makeup look like? Is it a software developer? Is it an engineer? So what's the makeup of the, of the developer? They're core application developers. Um, a lot in Java, increasingly in.net, uh, as a MLM AR coming on, we're getting a lot of Python. Uh, so it's, it's developers with that skillset and they're basically, uh, writing an application that they're, um, uh, basically their division is specified. So we need this new application. It could be a new application for a customer engagement and application for fraud detection and an application for stock trading. >>Anything that's super, super time sensitive and, uh, they, they select us and they build on us. So you get the in-memory solution for developers. Take me through the monetization on the open core. Is it services? Is it, uh, it's a subscription. It's a subscription model. So, okay. Uh, w we are paid on a, on a annual basis, uh, for, for use of the software. And um, you know, however large the installation gets is a function that basically determines, uh, you know, what the price is and then it's just renewed annually. Awesome. We'll do good subscriptions. Good economics. It is. What about the secret sauce? What sun in the cut was on the covers? Can you share what the magic is or is it proprietary? Is that now what's, uh, it's, it's hardcore computer science. It really is what it is. And that is actually what is in the core engine. >>Um, but I mean, we've got PhDs on staff. We're tackling some really, really hard problems. You know, I can, I can build anything in memory. I can make a spreadsheet in memory, I can make a word processor and memory. But you know, the question is how good is it? How fast is it, how scalable, how resilient. So, um, you know, those, you're saying speed, resilience and scale are the foundation and it took the company years and years to be able to master this. That's an asymptotic attempt and you're never at the end of that. But we've got, you know, the most resilience, so something, it doesn't go down. It can't go down because our customers lose millions for every second that it's down. So it can't go down. It's got to scale. And it's gotta be low latency number of customers you guys have right now. Can you tell us about the public references and why they using Hazelcast and what did they say about it? >>Yeah, I mean we've got a hundred of the largest, uh, financial services, about 60% of our revenue. E-commerce is a, another 20% large telcos. Another job. There are a lot of IOPS type companies, right? Yeah. Basically it's, um, so you know, in the financial services, uh, it's all the names that you would know, uh, every logo in your wallet. It's probably one of our customers as an example. Um, massive banks, uh, card processors, uh, we don't get to talk about very many of them, but you know, something like national bank of Australia, uh, capital one, um, you know, you can, you can let your, your mind run there. Um, our largest customer has over a trillion dollar market cap. There's only a few that meet that criteria. So I'll let you on that one. One of the three. Um, all right, so what's next for you guys? >>Give the quick plug in. The company would appreciate the insights. I think he'd memory's hot. What do you guys are going to do? What's your growth strategy? Uh, what's, what do you, what's your priorities? The CEO? Yeah. Well, we just raised a $50 million round, which is a very, very significant round. Um, and we're putting that to work aggressively. We just came off the biggest quarter in the company's history. So we're really on fire right now. Uh, we've established a very strong technology partnership with Intel, uh, including specialty because of their AI initiatives. Because we power a lot of AI, uh, uh, applications. IBM has become a strategic partner. They're now reselling Hazelcast. Uh, so we've got a bunch of, uh, a bunch of wind in our sails right now coming into this year, what we're going to be doing is, uh, really delivering a full blown, uh, in memory compute platform that delivers, that can process stored and streaming data simultaneously. >>Nothing else on the planet can do that. We're finding some really innovative applications and, um, you know, we're just really, really working on market penetration right now. You know, when you see all these supply chain hacks out there, you're going to look at more in memory detection, prevention, counter strike, you know, all this provision things you got to take care of. Mean applications have to now respond. It's almost like a whole new SLA for application requirement. Yeah, it is. I mean, the bad guys are moving to digital speed, you know, if you have important apps that, uh, that are affected by that. Right. You know, you'd better get ahead of that. Well, actually you could be doing that, by the way. You can be doing that on your, on premise or you could be doing in the cloud with the managed service that we've also stood up while still we get the Cuban in, in memory Africa and when we were there, I will be happy. Kelly, congratulations on the funding. Looking forward to tracking you. We'll follow up and check in with you guys. All right. Congratulations. Awesome. Thanks John. I appreciate it. Okay. It's keep coverage here in San Francisco, the Moscone. I'm John furrier. Thanks for watching.

>>Hi from San Francisco, it's the cube covering RSA conference, 2020 San Francisco, brought to you by Silicon angle media. >>You're welcome back. You're ready. Jeff Frick here with the cube. We are wrapping up Wednesday here at RSA 2020 Moscone center. It's the year we know everything. It's women in tech Wednesday and we're really excited that our next guest, she's been coming to the show for a very, very long time. She's really dialed into the community. She's an author. I got the whole as author, advisor, consultant, speaker. I could go on and on and on as you share. Rubinoff Shira, great to see you and welcome back to the cube. Oh, thank you so much. Pleasure to be here. Again, RSA 2020. A lot of kind of crazy stuff going on. The little coronavirus, you know, kind of impact, which is really interesting coming off of mobile world Congress, being in the event space and kind of seeing how this is gonna shake out. But the theme this year is the human element, which, uh, kind of plays right into your strengths. >>So just first get your kind of impressions of the show and really kind of that theme and kind of your take on why that's an important theme for RSA this year? >> Well, I think the human element has always been at the forefront. It's just now becoming accepted and put at the beginning of what people are really talking about. We talk about the people, the process and the technology all the time. When it comes to practice, everyone's really been focused on the security and the technology, but they forget the human elements and RSA this year is really focused on the human element being at the forefront. We have to realize there's a human creating the technology, a human at the end of the truck. Technology is trying to help and the glue between the process, how it all intersects together really depends on how people embrace it. And that was actually the premise for my book cyber Myers. >>So a plug for the book plug for the book cyber minds is a, a book is I view cybersecurity as the umbrella over all other technology. You need cybersecurity intersected in some way when you're dealing really with anything. But the human element really takes the forefront. So I really talk about cybersecurity and cyber hygiene and cyber elements within the book and cyber hygiene. I broke down into four categories which are training and that's ongoing training from the top down, being from the border and all the way down to the intern. Global awareness with an organization, keeping that culture going, a security and patching and digital transformation within the organization as well as zero trust. And I take that and I really continue with it throughout the book when we talk about blockchain, artificial intelligence, internet of things and cyber warfare and really showing how the human element is an integral part of everything we're doing in order to protect ourselves as a, as people, as an organization and just all support friends and sharing of information now is being, is completely critical. And it's being done because of that human element piece that's being embraced and understood >> lot a lot there. Right? So the human over the string, right? So it used to be per T E Z to identify a phishing attack. Right. You know, bad grammar and everything. A little bit of context and >>maybe the vocabulary wasn't quite right. That's not the way anymore. The sophistication of these attacks, the phishing attacks specifically at a friend in the, in the, in the real estate business, you know, and it was, it was an email from a banker that he does business with at a bank that he does business with around the transaction that he had knowledge about and doing a wire transfer. And it just was slightly mistimed where he, where he called the banker, his buddy and said, you know, did you, did you send this? So, you know, in the age of deep fakes, which is barely beginning in the age of this war, advanced AI for them to really put together these packages, um, and really infinite bandwidth, time and money. If you're really trying to pervade, I mean, how will the role of the human shift, you know, can we really expect them even with ongoing training to be sophisticated enough to keep up with these attacks? >>Well, I think it also boils down to real world examples and we have to really understand the demographics that we're working for. I think today it's the first time really in history that we have four generations working side by side in the workforce, so we have to understand that people learn differently. Training should be adjusted to the type of people that we're teaching, but fishing doesn't just boil down to clicking on links. Fishing teaches. Also, it boils down to tricking somebody, getting someone's trust, and it could come in many different forms. For example, think of social media. How do people connect? We're connecting for us social media on many different platforms. I'll give a very easy example. LinkedIn. LinkedIn is a business platform. We're all connected on LinkedIn. Why we connect on LinkedIn, because that's a social platform that people feel safe on because we're able to connect to each other in a business form. >>However, think of the person who's getting the first job with an organization, their first job in maybe their project manager and they're working for bank, a excited to be working for bank gay. Hey, I'm the list all the projects I'm working for. So here's now my resume on LinkedIn. I'm working on project a, B, C, D, and this is my manager I report to. Perfect. There's some information sitting there on LinkedIn. Now what else I will tell you is that you might have somebody who looking to get into that bank. What will they do? Let's look for the lowest hanging fruit. Ooh, this new project manager. Oh, I see. They're working on these projects and they're reporting into someone. Well, I'm not a project manager. I'm a senior project manager from a competing bank. I'm going to be friend them and tell them that I'm really excited about the work they're doing. So you're their social engineering your way into their friendship, into their good graces, into their trust. Once somebody becomes a trusted source, people share information freely. So people are putting too much information out there on social trusting to easily opening the door for more than a phishing attack. And things are just rapidly going out of control. Right. >>Well, it's funny. So one of my other favorite women in cyber is Rachel Tobik. Back, I don't know if you know Rachel, but she's famous for, you know, kind of live hacking at black hat, all social engineering, calling people up and just getting through and you know, she says she's basically undefeated. Um, this >>way if you're about the human elements, why do people act quickly? The biggest problem is people don't stop and pause. So if you think about, my background also is in psychology, psychology and business. So when you deal about the human element, it's panic. Let's set panic in. When you set panic in on a personal nature, people are quick to respond and quick over to give over information. If they feel it's pertinent to them, calling someone quickly, Hey your babysitter called, I need your social or anything like that. Set somebody into a spin. They're very quick to give over information cause they feel personal at risk when it comes to business and the business setting, it may not be as personal that way. That, so they kind of composite about the way people get in as through other social channels in ways that are more personal to individuals. >>So is that, is, is, is more sophistication around the human training element. Really the key as opposed to God knows how many vendors are in this, this building right now. I mean I, I feel so much for the buyer trying to sort it all out. Right? And there's big players in the established solutions that have been around forever. And then of course he get a spice with the startups that are cutting edge and doing new things when in fact all that goes out the window. If I can call the person up and say, you know, your house is on fire, please give me your, your password or your front door. Cause I gotta get the kids out. I mean I'm exaggerating to make a point, but is enough appreciation going into the human factors of training? Not on the technology side, but really the motivators for people to do things, um, to, to, to make, to try to please. Right. That's another great motivator to try to please. >>Well, right. Cause people like to be wanted. They like to be acknowledged. So they like to feel they're doing good. But again, it boils down to the people, the process and the technology. You can't have one without the other. You can't just focus on the people without focusing on the technology. But if you leave them as separate entities and you don't deal with the process in the middle, that glue, you're gonna leave yourself open. So they have to work hand in hand all the time. It's something that's a, it's a one plus one if you'll stand right at that perspective. So yes, you really need all of it together. >>The other thing that we hear over and over and over, right is just zero trust. The whole concept of zero trust. It's been around for a long time, which, which you know, you just assume that the bad guys are going to get in. Right? So then how do you try to find them quicker? How do you try to limit what they can get once they get in? So it's a really different kind of point of view to take a zero trust attitude on the assumption they're going to get it at some point and then try to mitigate the damage after the fact. >>So I look at zero trust from a little bit of a different perspective. I think zero trust is pertinent. Everyone should be using it because again, you're authenticating yourself, you're giving access only to that person for that specific task. But again, in organizations, if they say we're locking down everything all the time because we want to be secure, the employees are going to say, this is ridiculous. We don't have to be locked down for ABC. It makes no difference to us. What I say to organizations that are don't lock down things that don't need to be locked down, and when you do lock down something, it's important to have that three 60 dialogue with your employees. Explain why. Make them part of the solution, not part of the problem. If everyone's saying, Hey, you human, you're the weakest link. >>People are going to take offense at that and say, look, we know what we're doing. But if you make them part of the solution, Hey, we're in this together, let's make this part of the culture and they act as that with an organization you're going to have, they'll kill piece of ness so becomes just an ongoing everyday life living thing. Right. You brought that up. The windy neither from from Cisco is one of the keynotes on the first day and she was phenomenal. The basic, her basic premise was we as an industry have been to a kind of a not inclusive, exclusive like we own everything. We have all the control, we have all the answers, we know everything and her whole gist was no you don't. You don't have the context necessarily to make risk trade offs a benefit trade off. You don't necessarily have the context to see the softer stuff and really what you're saying really embrace everybody as part of the solution as opposed to trying to Creech people to do certain things and do and not do other things. >>I'm a little bit of both, right? Proper balance but also look at organizations today in the past would be, these are our solutions. We found out this Intel, you figure it out on your own and that it wasn't helping anybody. The idea now of sharing of information has become widely embraced certainly in the larger security companies at large and they really understand the value of it. So when I talk about, yes, you do have to lock down certain things and people do have to understand where the end points are, but they also need to understand that they are part of the solution and where the ends in the beginning. Let's shift gears a little bit from the people who back to the machines because the other thing that's happening really, really fast, right? As IOT. Yes, a lot of more edge devices, a lot of sensor devices. >>We saw what happened with, with some of the Alexa devices that was not very, was not very good. Um, so as you talk to your clients and, and, and, and people that read your book, how do you get them to think about IOT? How do you get them to think about this kind of machine to machine though? Of course that five G, which will just accelerate it at a, at a whatever, a hundred X, uh, speed to think about working. That is because we want API to API communication. We want machines to, to interface with each other. We want to remove that kind of human integration point a lot of times. But now you just opening up a boatload more of attack surfaces don't necessarily have the smartest machines is and often they can be compromised in ways that maybe people didn't think through before they connected them onto the internet. >>Well, it's also interesting when you talk about five G, it's not that we can do things at speed that speed, it's also bad actors could do things at that speed sales. So understand the portals of what your connectivity is, your third party software to whose, who has access, where are the access points, how are you going to protect those access points because the speed is that much quicker. We have to be that much more diligent. So yes, they're massive. Haas, really good positives. But there's also some negatives. So if we have to be diligent around those, it can be fabulous, but it could also be really, really dangerous for us. Sure. And it's coming right? It's coming. Right. So give us the, give us the 401 on the book. What's the, you know, kind of the top level themes for people to run out and get this? I saw some great reviews on Amazon. You're selling it upstairs, you know, what are kind of the really key takeaways here? >>Well, the key takeaways are really, again, cybersecurity is the umbrella over all of the technology. When you think of technology, cybersecurity is part of it. And when you look at cyber security, that comes from many different elements. It's not just a technology play, it's also a human element play. And the humans are an essential part of cybersecurity, whether you're securing for or securing too. It's just an interplay of both. So cyber mine's really touches upon all those concepts and all the latest and greatest emerging tech out there, as well as blockchain, AI, IOT, cyber warfare. Uh, think about it. It really just travels through. And I had some really amazing interviews with some top of the minds within the book that really adds tremendous value to it and grateful for them. >>Great. Well, I'm glad to finally get my own copies so I will be able to dig in and next time we talk I'll be digging deep into this book with you and getting a little bit more of that insight. I look forward to hearing your thoughts. Well, thanks. You're, hopefully you can kick your feet up a little bit tonight, but probably not. I'm sure you're busy, busy, busy. Well, thanks for stopping by. All right. She shear. I'm Jeff. You're watching the cube. We're at RSA 2020 at Moscone. Thanks for watching. We'll see you next time.

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Hi everyone. Welcome back to the cubes coverage here at in San Francisco, the Moscone center for RSA conference 2020 I'm job for your host. We are the very special guests, the COO of VMware, Sanjay Poonen, cube alumni. When you talk about security, talk about the modern enterprise as it transforms new use cases, new problems emerge. New opportunities exist here to break it down. Sanjay, welcome back. Thank you John. Always a pleasure to be on your show and I think it's my first time at RSA. We've talked a number of times, but nice to see you here. Well, it's a security guard. Well, this is really why I wanted you to talk, talk to you because operations is become now the big conversation around security. So you know, security was once part of it. It comes out and part of the board conversation, but when you look at security, all the conversations that we're seeing that are the most important conversations are almost a business model conversation. >>Almost like if you're the CEO of the company, you've got HR people, HR, organizational behavior, collaboration, technology, stack compliance and risk management. So the threat of cyber has to cut across now multiple operational functions of the business. It's no longer one thing, it's everything. So this is really kind of makes it the pressure of the business owners to be mindful of a bigger picture. And the attack velocity is happening so much faster, more volume of attacks, milliseconds and nanosecond attacks. So this is a huge, huge problem. I need you to break it down for me. >> Good. But then wonderful intro. No, I would say you're absolutely right. First off, security is a boardroom topic. Uh, audit committees are asking, you know, the CIO so often, you know, reports a report directly, sometimes, often not even to the CIO, to the head of legal or finance and often to the audit. >>So it's a boardroom topic then. You're right, every department right now cares about security because they've got both threat and security of nation state, all malicious, organized crime trying to come at them. But they've also got physical security mind. I mean, listen, growing a virus is a serious threat to our physical security. And we're really concerned about employees and the idea of a cyber security and physical security. We've put at VMware, cybersecurity and, and um, um, physical security. One guy, the CIO. So he actually runs vote. So I think you're absolutely right and if you're a head of HR, you care about your employees. If you're care ahead of communications, you care about your reputation and marketing the same way. If you're a finance, you care about your accounting systems and having all of the it systems that are. So we certainly think that holistic approach does, deserves a different approach to security, which is it can't be silo, silo, silo. >>It has to be intrinsic. And I've talked on your show about why intrinsic and how differentiated that intrinsic security, what I talked about this morning in my keynote. >> Well, and then again, the connect the dots there. It's not just security, it's the applications that are being built on mobile. For instance, I've got a mobile app. I have milliseconds, serious bond to whether something's yes or no. That's the app on mobile. But still the security threat is still over here and I've got the app over here. This is now the reality. And again, AirWatch was a big acquisition that you did. I also had some security. Carbon black was a $2 billion acquisition that VMware made. That's a security practice. How's it all coming together? Can you think of any questions? Blame the VMware because it's not just security, it's what's around it. >> Yeah. I think we began to see over the course of the last several years that there were certain control points and security that could help, you know, bring order to this chaos of 5,000 security vendors. >>They're all legitimate. They're all here at the show. They're good vendors. But you cannot, if you are trying to say healthy, go to a doctor and expect the doctor to tell you, eat 5,000 tablets and sailed. He just is not sustainable. It has to be baked into your diet. You eat your proteins, your vegetables, your fruit, your drink, your water. The same way we believe security needs to become intrinsically deeper parts, the platform. So what were the key platforms and control points? We decided to focus on the network, the endpoint, and you could think of endpoint as to both client and workload identity, cloud analytics. You take a few of those and network. We've been laboring the last seven years to build a definitive networking company and now a networking security company where we can do everything from data center networking, Dell firewalls to load balancing to SDN in this NSX platform. >>You remember where you bought an nice syrup. The industry woke up like what's VM ever doing in networking? We've now built on that 13,000 customers really good growing revenue business in networking and and now doing that working security. That space is fragmented across Cisco, Palo Alto, FIU, NetScaler, checkpoint Riverbed, VMware cleans that up. You get to the end point side. We saw the same thing. You know you had an endpoint management now workspace one the sequel of what AirWatch was, but endpoint security again, fragmented. You had Symantec McAfee, now CrowdStrike, tenable Qualis, you know, I mean just so many fragmented IOM. We felt like we could come in now and clean that up too, so I have to worry about to do >> well basically explaining that, but I want to get now to the next conversation point that I'm interested in operational impact because when you have all these things to operationalize, you saw that with dev ops and cloud now hybrid, you got to operationalize this stuff. >>You guys have been in the operations side of the business for our VMware. That's what you're known for and the developers and now on the horizon I gotta operationalize all the security. What do I do? I'm the CSO. I think it's really important that in understanding operations of the infrastructure, we have that control point called vSphere and we're now going to take carbon black and make it agentless on the silverside workloads, which has never been done before. That's operationalizing it at the infrastructure level. At the end point we're going to unify carbon black and workspace one into a unified agent, never been done before. That's operationalizing it on the client side. And then on the container and the dev ops site, you're going to start bringing security into the container world. We actually happened in our grade point of view in containers. You've seen us do stuff with Tansu and Kubernetes and pivotal. >>Bringing that together and data security is a very logical thing that we will add there. So we have a very good view of where the infrastructure and operations parts that we know well, a vSphere, NSX workspace one containers with 10 Xu, we're going to bring security to all of them and then bake it more and more in so it's not feeling like it's a point tool. The same platform, carbon black will be able to handle the security of all of those use cases. One platform, several use cases. Are you happy with the carbon black acquisition? Listen, you know, you stay humble and hungry. Uh, John for a fundamental reason, I've been involved with number of acquisitions from my SAP VMware days, billion dollar plus. We've done talking to us. The Harvard business review had an article several years ago, which Carney called acquisitions and majority of them fail and they feel not because of process of product they feel because good people leave. >>One of the things that we have as a recipe does acquisition. We applied that to AirWatch, we apply the deny Sera. There is usually some brain trust. You remember in the days of nice area, it was my team Cosato and the case of AirWatch. It was John Marshall and that team. We want to preserve that team to help incubate this and then what breve EV brings a scale, so I'm delighted about Patrick earlier. I want to have him on your show next time because he's now the head of our security business unit. He's culturally a fit for the mr. humble, hungry. He wants to see just, we were billion dollar business now with security across networking endpoint and then he wants to take just he's piece of it, right? The common black piece of it, make it a billion dollar business while the overall security business goes from three to five. >>And I think we're going to count them for many years to come to really be a key part of VMware's fabric, a great leader. So we're successful. If he's successful, what's my job then? He reports to me is to get all the obstacles out of the way. Get every one of my core reps to sell carbon black. Every one of the partners like Dell to sell carbon black. So one of the deals we did within a month is Dell has now announced that their preferred solution on at Dell laptops, this carbon bike, they will work in the past with silence and crowd CrowdStrike. Now it's common black every day laptop now as a default option. That's called blank. So as we do these, John, the way we roll is one on here to basically come in and occupy that acquisition, get the obstacles out of the way, and that let Patrick scaled us the same way. >>Martine Casado or jumbo. So we have a playbook. We're gonna apply that playbook. Stay humble and hungry. And you ask me that question every year. How are we doing a carbon black? I will be saying, I love you putting a check on you. It will be checking in when we've done an AirWatch. What do you think? Pretty good. Very good. I think good. Stayed line to the radar. Kept growing. It's top right. Known every magic quadrant. That business is significant. Bigger than the 100 million while nice here. How do we do a nice hero? NSX? It's evolved quite a bit. It's evolved. So this is back to the point. VMware makes bets. So unlike other acquisitions where they're big numbers, still big numbers, billions or billions, but they're bets. AirWatch was a good bet. Turned out okay. That the betting, you're being conservative today anyway. That's it. You're making now. >>How would you classify those bets? What are the big bets that you're making right now? Listen, >> I think there's, um, a handful of them. I like to think of things as no more than three to five. We're making a big bet. A multi-cloud. Okay. The world is going to be private, public edge. You and us have talked a lot about VMware. AWS expanded now to Azure and others. We've a big future that private cloud, public cloud edge number two, we're making a big bet on AB motorization with the container level 10 zoos. I think number three, we're making a big bet in virtual cloud networking cause we think longterm there's going to be only two networking companies in matter, VMware and Cisco. Number four, we're making a big bet in the digital workspace and build on what we've done with AirWatch and other technologies. Number five, and make it a big bet security. >>So these five we think of what can take the company from 10 to 20 billion. So we, you know, uh, we, we've talked about the $10 billion Mark. Um, and the next big milestone for the company is a 20 billion ball Mark. And you have to ask yourself, can you see this company with these five bets going from where they are about a 10 billion revenue company to 20. Boom. We hope again, >> Dave, a lot that's doing a braking and now he might've already shipped the piece this morning on multi-cloud. Um, he and I were commenting that, well, I said it's the third wave of cloud computing, public cloud, hybrid multi-cloud and hybrids, the first step towards multi-cloud. Everyone kind of knows that. Um, but I want to ask you, because I told Dave and we kind of talked about this is a multi-decade growth opportunity, wealth creation, innovation, growth, new opportunity multicloud for the generation. >>Take the, this industry the next level. How do you see that multicloud wave? Do you agree on the multigenerational and if so, what specifically do you see that unfolding into this? And I'm deeply inspired by what Andy Jassy, Satya Nadella, you know, the past leading up to Thomas Korea and these folks are creating big cloud businesses. Amazon's the biggest, uh, in the iOS pass world. Azure is second, Google is third, and just market shares. These folks collectively are growing, growing really well. In some senses, VM-ware gets to feed off that ecosystem in the public cloud. So we are firm believers in what you're described. Hybrid cloud is the pot to the multicloud. We coined that term hybrid thought. In fact, the first incantation of eco there was called via cloud hybrid service. So we coined the term hybrid cloud, but the world is not multi-cloud. The the, the key though is that I don't think you're gonna walk away from those three clouds I mentioned have deep pockets. >>Then none of them are going away and they're going to compete hard with each other. The market shares may stay the same. Our odd goal is to be a Switzerland player that can help our customers take VM or workloads, optimize them in the private cloud first. Okay? When a bank of America says on their earnings caller, Brian Warren and said, I can run a private cloud better than a public cloud and I can save 2 billion doing that, okay? It turns off any of the banks are actually running on VMware. That's their goal. But there are other companies like Freddie Mac, we're going all in with Amazon. We want to ride the best of both worlds. If you're a private cloud, we're going to make you the most efficient private cloud, VMware software, well public cloud, and going to Amazon like a Freddie Mac will help you ride your apps into that through VMware. >>So sometimes history can be a predictor of future behavior. And just to kind of rewind the computer industry clock, if you looked at mainframe mini-computers, inter networking, internet proprietary network operating systems dominated it, but you saw the shift and it was driven by choice for customers, multiple vendors, interoperability. So to me, I think cloud multicloud is going to come down to the best choice for the workload and then the environment of the business. And that's going to be a spectrum. But the key in that is multi-vendor, multi, a friend choice, multi-vendor, interoperability. This is going to be the next equation in the modern error. It's not gonna look the same as mainframe mini's networking, but it'll create the next Cisco, the create the next new brand that may or may not be out there yet that might be competing with you or you might be that next brand. >>So interoperability, multi-vendor choice has been a theme in open systems for a long time. Your reactions, I think it's absolutely right, John, you're onto something there. Listen, the multicloud world is almost a replay of the multi hardware system world. 20 years ago, if you asked who was a multi hardware player before, it was Dell, HP at the time, IBM, now, Lenovo, EMC, NetApp, so and so forth and Silva storage, networking. The multicloud world today is Amazon, Azure, Google. If you go to China, Alibaba, so on and so forth. A Motiva somebody has to be a Switzerland player that can serve the old hardware economy and the new hardware economy, which is the, which is the cloud and then of course, don't forget the device economy of Apple, Google, Microsoft, there too. I think that if you have some fundamental first principles, you expressed one of them. >>Listen where open source exists, embrace it. That's why we're going big on Kubernetes. If there are multiple clouds, embrace it. Do what's right for the customer, abstract away. That's what virtualization is. Managed common infrastructure across Ahmed, which is what our management principles are, secure things. At the point of every device and every workload. So those are the principles. Now the engineering of it changes. The way in which we're doing virtualization today in 2020 is slightly different from when Diane started the company and around the year 2020 years ago. But the principals are saying, we're just not working just with the hardware vendors working toward the cloud vendors. So using choices where it's at, the choice is what they want. Absolutely, absolutely. And you're right. It's choice because it was the big workloads. We see, for example, Amazon having a headstart in the public cloud markets, but there's some use cases where Azure is applicable. >>Some use his word, Google's applicable, and to us, if the entire world was only one hardware player or only one cloud player, only one device player, you don't need VMware. We thrive in heterogeneity. It's awesome. I love that word. No heterogeneity provides not 3000 vendors. There's almost three, three of every kind, three silver vendors, three storage vendors, three networking vendors, three cloud vendors, three device vendors. We was the middle of all of it. And yeah, there may be other companies who tried to do that too. If they are, we should learn from them, do it better than them. And competition even to us is a good thing. All right. My final question for you is in the, yeah, the Dell technologies family of which VMware is a part of, although big part of it, the crown jewel as we've been calling them the cube, they announced RSA is being sold to a private equity company. >>What's the general reaction amongst VMware folks and the, and the Dell technology family? Good move, no impact. What we support Dell and you know, all the moves that they've made. Um, and from our perspective, you know, if we're not owning it, we're going to partner it. So I see no overlap with RSA. We partner with them. They've got three core pillars, secure ID, net witness and Archer. We partnered with them very well. We have no aspirations to get into those aspects of governance. Risk and compliance or security has been, so it's a partner. So whoever's running it, Rohit runs on very well. He also owns the events conference. We have a great relationship and then we'll keep doing that. Well, we are focused in the areas I described, network, endpoint security. And I think what Michael has done brilliantly through the course of the last few years is set up a hardware and systems company in Dell and allow the software company called Vima to continue to operate. >>And I think, you know, the movement of some of these assets between the companies like pivotal to us and so on and so forth, cleans it up so that now you've got both these companies doing well. Dell has gone public, we Hammer's gone public and he has said on the record, what's good for Dell is good, what's good for VMware and vice versa and good for the customer. And I think the key is there's no visibility on what cloud native looks like. Hybrid, public, multi, multi, not so much. But you get almost, it's an easy bridge to get across and get there. AI, cyber are all big clear trends. They're waves. Sasha. Great. Thank you. Thanks for coming on. Um, your thoughts on the security show here. Uh, what's your, what's your take to, uh, definitive security shows? I hope it stays that way. Even with the change of where RSA is. >>Ownership goes is this conference in black hat and we play in both, uh, Amazon's conference. I was totally starting to, uh, reinforce, reinforce cloud security will show up there too. Uh, but we, we think, listen, there's what, 30,000 people here. So it's a force. It's a little bit like VMworld. We will play here. We'll play a big, we've got, you know, it just so happens because the acquisition happened before we told them, but we have two big presences here. We were at carbon black, um, and it's an important business for us. And I said, like I said, we have $1 billion business and security today by 30,000 customers using us in a security network, endpoints cloud. I want to take that to be a multi, multiple times that size. And I think there's a pot to do that because it's an adjacent us and security. So we have our own kind of selfish motives here in terms of getting more Mindshare and security. >>We did a keynote this morning, which was well received with Southwest airlines. She did a great job. Carrie Miller, she was a fantastic speaker and it was our way of showing in 20 minutes, not just to our point of view, because you don't want to be self serving a practitioner's point of view. And that's what's really important. Well finally on a personal note, um, you know, I always use the term tech athlete, which I think you are one, you really work hard and smart, but I got to get your thoughts. But then I saw you're not on Twitter. I'm on. When IBM announced a new CEO, Arvin, um, fishnet Indian American, another CEO, this is a pattern. We're starting to see Indian American CEOs running cup American companies because this is the leadership and it's really a great thing in my mind, I think is one of the most successful stories of meritocracy of all time. >>You're quick. I'm a big fan of oven, big fan of Shantanu, Sundar Pichai, something that Ellen, many of them are close friends of mine. Uh, many of them have grown up in Southern India. We're a different ages. Some of them are older than me and in many cases, you know, we were falling behind other great players like Vino Cosla who came even 10 to 15 years prior. And you know, it's hard for an immigrant in this country. You know, um, when I first got here and I came as an immigrant to Dartmouth college, there may have been five or 10 Brown skin people in the town of Hanover, New Hampshire. I don't know if you've been to New Hampshire. I've been there, there's not many at that time. And then the late 1980s, now of course, there's much more, uh, so, you know, uh, we stay humble and hungry. >>There's a part of our culture in India that's really valued education and hard work and people like Arvin and some of these other people are products. I look up to them, the things I learned from them. And um, you know, it's true of India. It's a really good thing to see these people be successful at name brand American companies, whether it's IBM or Microsoft or Google or Adobe or MasterCard. So we're, we're, I'm in that fan club and there's a lot I learned from that. I just love being around people who love entrepreneurship, love innovation, love technology, and work hard. So congratulations. Thank you so much for your success. Great to see you again soon as you put in the COO of VM-ware here on the ground floor here at RSA conference at Moscone, sharing his insight into the security practice that is now carbon black and VMware. All the good things that are going on there. Thanks for watching.

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angled media. >>Okay, welcome back. Everyone's keeps coverage here in San Francisco for RSA. Copper's 2020. I'm John Farrow, your host, you know, cybersecurity industry's changing and enterprises are now awake to the fact that is now a bigger picture around securing the enterprise cause it's not only the data center, it's cloud, it's the edge. A lot of great stuff. I've got a great guest here from Dell, EMC, Peter Garris, consultant cyber resilient solutions and services marketing, uh, Dell EMC. Great to see you. Thanks for to John. Good to see you again. So you know, I was joking with Dave Alante just this morning around the three ways of cloud, public cloud, hybrid cloud, multi-cloud. And we see obviously the progression hybrid cloud is where everyone spend most of their time. That's from ground to cloud on premises to cloud. Yep. So pretty much everyone knows around on premise is not going away, validated by all the big cloud players. >>But you've got to nail the equation down for on premises to the cloud, whether it's Amazon, Amazon, Azure, Azure, whatever, all those costs. But the multicloud will be a next generation wave that is an industry backdrop and it's very, very key. Plus AI and data are huge inputs into solving a lot of what is going to be new gaps, blind spots, whatever insecurity. So I guess, you know, Dell's has a history with huge client base, traditional enterprises transforming. You're in the middle of all this. So you've got, you know, the airplane at three to 30,000 feet. Yep. And the companies have to swap out their engines and reboot their teams and it's a huge task. What's going on with cyber and the enterprises? What are, what are some of the key things? Well, so I like to keep it pretty simple. I've been in this industry over 20 years and I've really consistently talked about data as the global currency, right. >>So it's beautifully simple. Whatever industry you're in, whatever size company you're in, enterprise or even now, small to medium businesses, their businesses are driven by data connectivity. That data availability of the data, integrity of the data and confidentiality of the data, and so the sort of the area of the world that I focus upon is protecting customers. Most valuable data assets now, whether those are on prem, in the cloud or in a variety of modalities, and ensuring that those assets are protected and isolated from the attack surface and then ability to recover those critical assets quickly so they can return resume business operations. That's really the area that I work in. Now, that data, as you pointed out, it could start on prem, it could live in multi-cloud, it can live in a hybrid environment. The key is really to to understand that not all data is created equally if you were to have a widespread cyber attack, really the key is to bring up those critical applications, systems and datasets first to return to business operations. >>Really challenging. You know, it's not funny. It's actually, I just, I run it, but it's, it's, it's, it's really kind of indicative of the society now is that EMC was bought by Dell storage and the idea of disruption was always been a storage concept. Yes, we want, we don't want a lot of disruption when we're doing things right. So not know whether it's backup and recovery or cyber ransomware, whatever it is, the idea of non-disruptive operations. Absolutely. A core tenant. Now that's obviously the same for cyber as you can tell. So I've got to ask you, what is your definition in view of cyber resilience because, well, that's what we're talking about here. Cyber resilience. What's your view on this? So when we started developing our cyber recovery solution about five years ago, we used, uh, the NIST cybersecurity framework, which is a very well known standard that defines really five pillars of how organizations can think about building a cyber resilience strategy. >>A cyber resilience strategy really encompasses everything from a perimeter threat detection and response all the way through incident response after an attack. And everything that happens in between protecting the data and recovering the data, right? And critical systems. So I think of cyber resilience is that holistic strategy of protecting an organization and its data from a cyber attack as great insight. I want to get your thoughts on how that translates into the ecosystem. Okay. Because there's an ecosystem around cyber resilience. Absolute, let's just say, and you may or may not be able to comment on this, but RSA was now being sold. Yeah, no, that's fair. That's going out of the Dell family. But you guys have, you know, obviously VMware and insecure words, but it's not just you guys. It's an ecosystem. It really is. Does Dell now without, with and without RSA fit into the ecosystem. >>So as I mentioned, cyber resilience is really thought of as a holistic strategy. RSA and, and other Dell assets like carbon black, um, fit in somewhere in that continuum. Right? So RSA is really more on threat detection and response, perimeter protection. The area of the business that I work on, data protection and cyber recovery really doesn't address the, um, prevention of attacks. We really start with the premise that preventing a cyber attack is not a hundred percent possible. If you believe that, then you need to look at protecting and recovering your assets. Right? And so whether it's RSA, whether it's carbon black, whether it's secure works, which is about cyber incident and response, we really work across those groups. It's, it's about technology processes and people. It's not any one thing. We also work outside of the Dell technologies umbrella. So we integrate, our cyber recovery solution is integrated with Unisys stealth. >>Uh, so there's an example of how we're expanding and extending the cyber recovery solution to bring in, you know, other industry standards. You know, it's interesting, I talked to a lot of people that come on the Q of history here at RSA. Sure. Everyone wants better technology, but this also has shipped back the best of breed because you one of the best new technologies. At the same time, you've gotta have proven solutions. So what are you guys selling? What is the best of breed from, uh, Dell? Yeah, you guys are delivering to customers. What are some of the areas? So I, I'm old EMC guy myself, right? And, and back from the days of disaster recovery and business continuity, right? More traditional data protection and backup. The reality is that the modern threats of cyber sec of cyber hackers, breaches, insider attacks, whatever you like, those traditional data protection strategies weren't built to address those types of threats. >>So along with transformation and modernization, we need to modernize our data protection. That's what cyber recovery is. It's a modern solution to the modern threat. And what it does is it augments your data or your, excuse me, your disaster recovery and your backup environment with a purpose built isolated air gap digital vault, which is built around our proven data domain and power protect DD platforms. Uh, that, you know, I've been around for over a decade. Um, but what we've done is added intelligence, uh, analytics. We've hardened that system and we isolate it. Uh, so customers can protect really the most valuable assets in that kind of evolved. So one of the things I've been doing some research on and digging into is cyber resilience, which you just talked about cybersecurity, which is the industry trend and you're getting at cyber recovery. Okay. Can you talk about some examples of how this all threads together? >>What are some real recent examples? Sure. So think of cyber recovery as a purpose-built digital vault to secure your most valuable assets. Let me give you an example. One of our customers, is it a global paint manufacturer? Okay. And when we work with them to try to decide what of their apps and datasets should go into this cyber recovery vault, it said, what is the most critical intellectual property that you have? So in their Kenyan, Oh, some customers might say my Oracle financials or my office three 65 environment. For this customer it was their proprietary paint matching system. So they generate 80 to $100 million every day based upon this proprietary paint matching system, which they've developed and which they use every day to run their business. If that application, if those algorithms were destroyed, contaminated or you know, posted on the public internet somewhere, that would fundamentally change that company. >>So that's really what we're talking about. We're working with customers to help them identify their most critical assets, data systems, applications, and isolate those from the threat vector. Obviously all verticals are impacted by cyber security. Every vertical is data-driven. That's true. Obviously the low hanging fruit, are they below the normal suspects financial services? Is there, is there a particular one that's harder than having financial services got fraud and all that stuff on it, but yeah, that's still number one or so. I think there's two sides to the coin. One, if you look at the traditional enterprise environments, absolutely financial services in healthcare because they're both heavily regulated, uh, therefore that data has very high value and is a very attractive target to the Woodby hackers. If you look on the other end of the spectrum though, the small to medium businesses that all rely on the internet for their business to run, uh, they're the ones that are most susceptible because they don't have the budgets, the infrastructure or the expertise to protect themselves from a sophisticated hacker. >>Um, so we, you know, we work across all verticals. Obviously the government is also very susceptible to cyber threats, but it's every industry, any business that's data-driven. I mean, everyone's been breached so many times and no one even knows how many times. Uh, I gotta ask you about, um, um, some cool trends we're reporting on here. Sure. Homomorphic encryption is getting a lot of traction here because financial services in healthcare homomorphic homomorphic yeah. Okay. Did I say that right? Oh, it's the first time I've ever heard that term, John. I, it's encryption at end use. So you have data at rest, data in flight and data and use encryption. When you're doing all, you're protecting all your transactional data. Ah, so it's focusing with discovery. Intel's promoting it. Uh, we just covered a startup that's doing that as well. That's new, that's new for me, but allows for more use cases, but data and use, not just motion static. >>Yeah. That's opening up these other things. But it brings up the why, why that's important. And the reason is, is that financial services and healthcare, because they're regulated. Yes. Have systems that were built many moons ago or generations. Absolutely. So there was not these problems that you mentioned earlier that were built for that, but now you need more data. AI needs sharing of data sharing is a huge deal. Real time share real time. Right. And I think that's where the homomorphic encryption comes in. That's exactly right. So you mentioned that, so these industries, how can they maintain their existing operations and then get more data share? Do you have any insight into how you see that? Because that's one of those areas that's becoming like, okay, HIPAA, we know why that was built, but it's also restrictive. Yeah. How do you maintain the purity of a process if your infrastructure is, is old? >>That is, that is a challenge. Healthcare especially because, I mean, if I'm, if I'm, uh, you know, running a health system, every dollar that I have should really go into improving patient care, not necessarily into my it infrastructure, but the more that every industry moves towards a real time data-driven model for, for how we give care. Right? Yeah. Um, the more that, uh, companies need to realize that data drives their business, they need to do everything they can to protect it and also ensure that they can recover it when and if a cyber attack happens. Well, I really appreciate the insight and it's going to be great to see Dell technologies world coming up. We'll dig into a lot of that stuff while we're here on talking to us about some of this financial service in banking. I want to get your thoughts, I've been hearing this term sheltered Harbor. >>Yeah. Being kicked around. What does that about? What does that mean? Sheltered Harbor? You're right, I think you'll hear a lot more about it. So sheltered Harbor, uh, was, uh, is it isn't financial industries group and it's also a set of, uh, best practices and specifications. And really the, the purpose of sheltered Harbor is to protect consumer and financial institutions data, uh, and public confidence in the U S financial system. So the, the, the use cases, this, you can imagine that a, a bank having a cyber attack and B being unable to produce transactions could cause problems for customers of that bank. But the, just like we were talking about the interconnectedness of the banking system means that one financial institution failing because of a cyber attack, it could trigger a cascade and a panic and a run on the U S financial banks. And therefore the global financial system sheltered Harbor was developed to really protect public confidence in the financial system by ensuring that banks, brokerages, credit unions are protecting their customer data, their account records, their most valuable assets from cyber attack and that they can recover them and resume banking operations quick. >>So this is an industry group. It's an industry build group. Sheltered Harbor is a U S financial, uh, industry group. Uh, it's a nonprofit. You can, you can learn more about it. It's sheltered harbor.org. Uh, the interesting thing for Dell technologies is we're actually the first member of the sheltered Harbor solution provider program and we'll be announcing that shortly. In fact this week and we'll have a cyber recovery for sheltered Harbor solution in the market very shortly. Cyber resilience. Great topic, and you know, it just goes to show storage has never gone away. The basic concepts of it, recovery, continuous operations, not disruptive operations. Yeah, cloud scale changes the game. It's all about the data. All about the data. Still sites, RSA coverage here, cube day, two of three days of coverage. I'm John furrier here on the ground floor in Moscone in San Francisco. Thanks for watching.