hello I'm John Furrier with thecube and welcome to this special presentation of the cube and Horizon 3.ai they're announcing a global partner first approach expanding their successful pen testing product Net Zero you're going to hear from leading experts in their staff their CEO positioning themselves for a successful Channel distribution expansion internationally in Europe Middle East Africa and Asia Pacific in this Cube special presentation you'll hear about the expansion the expanse partner program giving Partners a unique opportunity to offer Net Zero to their customers Innovation and Pen testing is going International with Horizon 3.ai enjoy the program [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're here with Jennifer Lee head of Channel sales at Horizon 3.ai Jennifer welcome to the cube thanks for coming on great well thank you for having me so big news around Horizon 3.aa driving Channel first commitment you guys are expanding the channel partner program to include all kinds of new rewards incentives training programs help educate you know Partners really drive more recurring Revenue certainly cloud and Cloud scale has done that you got a great product that fits into that kind of Channel model great Services you can wrap around it good stuff so let's get into it what are you guys doing what are what are you guys doing with this news why is this so important yeah for sure so um yeah we like you said we recently expanded our Channel partner program um the driving force behind it was really just um to align our like you said our Channel first commitment um and creating awareness around the importance of our partner ecosystems um so that's it's really how we go to market is is through the channel and a great International Focus I've talked with the CEO so you know about the solution and he broke down all the action on why it's important on the product side but why now on the go to market change what's the what's the why behind this big this news on the channel yeah for sure so um we are doing this now really to align our business strategy which is built on the concept of enabling our partners to create a high value high margin business on top of our platform and so um we offer a solution called node zero it provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture um so we our company vision we have this tagline that states that our pen testing enables organizations to see themselves Through The Eyes of an attacker and um we use the like the attacker's perspective to identify exploitable weaknesses and vulnerabilities so we created this partner program from a perspective of the partner so the partner's perspective and we've built It Through The Eyes of our partner right so we're prioritizing really what the partner is looking for and uh will ensure like Mutual success for us yeah the partners always want to get in front of the customers and bring new stuff to them pen tests have traditionally been really expensive uh and so bringing it down in one to a service level that's one affordable and has flexibility to it allows a lot of capability so I imagine people getting excited by it so I have to ask you about the program What specifically are you guys doing can you share any details around what it means for the partners what they get what's in it for them can you just break down some of the mechanics and mechanisms or or details yeah yep um you know we're really looking to create business alignment um and like I said establish Mutual success with our partners so we've got two um two key elements that we were really focused on um that we bring to the partners so the opportunity the profit margin expansion is one of them and um a way for our partners to really differentiate themselves and stay relevant in the market so um we've restructured our discount model really um you know highlighting profitability and maximizing profitability and uh this includes our deal registration we've we've created deal registration program we've increased discount for partners who take part in our partner certification uh trainings and we've we have some other partner incentives uh that we we've created that that's going to help out there we've we put this all so we've recently Gone live with our partner portal um it's a Consolidated experience for our partners where they can access our our sales tools and we really view our partners as an extension of our sales and Technical teams and so we've extended all of our our training material that we use internally we've made it available to our partners through our partner portal um we've um I'm trying I'm thinking now back what else is in that partner portal here we've got our partner certification information so all the content that's delivered during that training can be found in the portal we've got deal registration uh um co-branded marketing materials pipeline management and so um this this portal gives our partners a One-Stop place to to go to find all that information um and then just really quickly on the second part of that that I mentioned is our technology really is um really disruptive to the market so you know like you said autonomous pen testing it's um it's still it's well it's still still relatively new topic uh for security practitioners and um it's proven to be really disruptive so um that on top of um just well recently we found an article that um that mentioned by markets and markets that reports that the global pen testing markets really expanding and so it's expected to grow to like 2.7 billion um by 2027. so the Market's there right the Market's expanding it's growing and so for our partners it's just really allows them to grow their revenue um across their customer base expand their customer base and offering this High profit margin while you know getting in early to Market on this just disruptive technology big Market a lot of opportunities to make some money people love to put more margin on on those deals especially when you can bring a great solution that everyone knows is hard to do so I think that's going to provide a lot of value is there is there a type of partner that you guys see emerging or you aligning with you mentioned the alignment with the partners I can see how that the training and the incentives are all there sounds like it's all going well is there a type of partner that's resonating the most or is there categories of partners that can take advantage of this yeah absolutely so we work with all different kinds of Partners we work with our traditional resale Partners um we've worked we're working with systems integrators we have a really strong MSP mssp program um we've got Consulting partners and the Consulting Partners especially with the ones that offer pen test services so we they use us as a as we act as a force multiplier just really offering them profit margin expansion um opportunity there we've got some technology partner partners that we really work with for co-cell opportunities and then we've got our Cloud Partners um you'd mentioned that earlier and so we are in AWS Marketplace so our ccpo partners we're part of the ISP accelerate program um so we we're doing a lot there with our Cloud partners and um of course we uh we go to market with uh distribution Partners as well gotta love the opportunity for more margin expansion every kind of partner wants to put more gross profit on their deals is there a certification involved I have to ask is there like do you get do people get certified or is it just you get trained is it self-paced training is it in person how are you guys doing the whole training certification thing because is that is that a requirement yeah absolutely so we do offer a certification program and um it's been very popular this includes a a seller's portion and an operator portion and and so um this is at no cost to our partners and um we operate both virtually it's it's law it's virtually but live it's not self-paced and we also have in person um you know sessions as well and we also can customize these to any partners that have a large group of people and we can just we can do one in person or virtual just specifically for that partner well any kind of incentive opportunities and marketing opportunities everyone loves to get the uh get the deals just kind of rolling in leads from what we can see if our early reporting this looks like a hot product price wise service level wise what incentive do you guys thinking about and and Joint marketing you mentioned co-sell earlier in pipeline so I was kind of kind of honing in on that piece sure and yes and then to follow along with our partner certification program we do incentivize our partners there if they have a certain number certified their discount increases so that's part of it we have our deal registration program that increases discount as well um and then we do have some um some partner incentives that are wrapped around meeting setting and um moving moving opportunities along to uh proof of value gotta love the education driving value I have to ask you so you've been around the industry you've seen the channel relationships out there you're seeing companies old school new school you know uh Horizon 3.ai is kind of like that new school very cloud specific a lot of Leverage with we mentioned AWS and all the clouds um why is the company so hot right now why did you join them and what's why are people attracted to this company what's the what's the attraction what's the vibe what do you what do you see and what what do you use what did you see in in this company well this is just you know like I said it's very disruptive um it's really in high demand right now and um and and just because because it's new to Market and uh a newer technology so we are we can collaborate with a manual pen tester um we can you know we can allow our customers to run their pen test um with with no specialty teams and um and and then so we and like you know like I said we can allow our partners can actually build businesses profitable businesses so we can they can use our product to increase their services revenue and um and build their business model you know around around our services what's interesting about the pen test thing is that it's very expensive and time consuming the people who do them are very talented people that could be working on really bigger things in the in absolutely customers so bringing this into the channel allows them if you look at the price Delta between a pen test and then what you guys are offering I mean that's a huge margin Gap between street price of say today's pen test and what you guys offer when you show people that they follow do they say too good to be true I mean what are some of the things that people say when you kind of show them that are they like scratch their head like come on what's the what's the catch here right so the cost savings is a huge is huge for us um and then also you know like I said working as a force multiplier with a pen testing company that offers the services and so they can they can do their their annual manual pen tests that may be required around compliance regulations and then we can we can act as the continuous verification of their security um um you know that that they can run um weekly and so it's just um you know it's just an addition to to what they're offering already and an expansion so Jennifer thanks for coming on thecube really appreciate you uh coming on sharing the insights on the channel uh what's next what can we expect from the channel group what are you thinking what's going on right so we're really looking to expand our our Channel um footprint and um very strategically uh we've got um we've got some big plans um for for Horizon 3.ai awesome well thanks for coming on really appreciate it you're watching thecube the leader in high tech Enterprise coverage [Music] [Music] hello and welcome to the Cube's special presentation with Horizon 3.ai with Raina Richter vice president of emea Europe Middle East and Africa and Asia Pacific APAC for Horizon 3 today welcome to this special Cube presentation thanks for joining us thank you for the invitation so Horizon 3 a guy driving Global expansion big international news with a partner first approach you guys are expanding internationally let's get into it you guys are driving this new expanse partner program to new heights tell us about it what are you seeing in the momentum why the expansion what's all the news about well I would say uh yeah in in international we have I would say a similar similar situation like in the US um there is a global shortage of well-educated penetration testers on the one hand side on the other side um we have a raising demand of uh network and infrastructure security and with our approach of an uh autonomous penetration testing I I believe we are totally on top of the game um especially as we have also now uh starting with an international instance that means for example if a customer in Europe is using uh our service node zero he will be connected to a node zero instance which is located inside the European Union and therefore he has doesn't have to worry about the conflict between the European the gdpr regulations versus the US Cloud act and I would say there we have a total good package for our partners that they can provide differentiators to their customers you know we've had great conversations here on thecube with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company and honestly I can just Connect the Dots here but I'd like you to weigh in more on how that translates into the go to market here because you got great Cloud scale with with the security product you guys are having success with great leverage there I've seen a lot of success there what's the momentum on the channel partner program internationally why is it so important to you is it just the regional segmentation is it the economics why the momentum well there are it's there are multiple issues first of all there is a raising demand in penetration testing um and don't forget that uh in international we have a much higher level in number a number or percentage in SMB and mid-market customers so these customers typically most of them even didn't have a pen test done once a year so for them pen testing was just too expensive now with our offering together with our partners we can provide different uh ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with with a traditional manual paint test so and that is because we have our uh Consulting plus package which is for typically pain testers they can go out and can do a much faster much quicker and their pain test at many customers once in after each other so they can do more pain tests on a lower more attractive price on the other side there are others what even the same ones who are providing um node zero as an mssp service so they can go after s p customers saying okay well you only have a couple of hundred uh IP addresses no worries we have the perfect package for you and then you have let's say the mid Market let's say the thousands and more employees then they might even have an annual subscription very traditional but for all of them it's all the same the customer or the service provider doesn't need a piece of Hardware they only need to install a small piece of a Docker container and that's it and that makes it so so smooth to go in and say okay Mr customer we just put in this this virtual attacker into your network and that's it and and all the rest is done and within within three clicks they are they can act like a pen tester with 20 years of experience and that's going to be very Channel friendly and partner friendly I can almost imagine so I have to ask you and thank you for calling the break calling out that breakdown and and segmentation that was good that was very helpful for me to understand but I want to follow up if you don't mind um what type of partners are you seeing the most traction with and why well I would say at the beginning typically you have the the innovators the early adapters typically Boutique size of Partners they start because they they are always looking for Innovation and those are the ones you they start in the beginning so we have a wide range of Partners having mostly even um managed by the owner of the company so uh they immediately understand okay there is the value and they can change their offering they're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones or we have those ones who offer 10 tests services but they did not have their own pen testers so they had to go out on the open market and Source paint testing experts um to get the pen test at a particular customer done and now with node zero they're totally independent they can't go out and say okay Mr customer here's the here's the service that's it we turn it on and within an hour you're up and running totally yeah and those pen tests are usually expensive and hard to do now it's right in line with the sales delivery pretty interesting for a partner absolutely but on the other hand side we are not killing the pain testers business we do something we're providing with no tiers I would call something like the foundation work the foundational work of having an an ongoing penetration testing of the infrastructure the operating system and the pen testers by themselves they can concentrate in the future on things like application pen testing for example so those Services which we we're not touching so we're not killing the paint tester Market we're just taking away the ongoing um let's say foundation work call it that way yeah yeah that was one of my questions I was going to ask is there's a lot of interest in this autonomous pen testing one because it's expensive to do because those skills are required are in need and they're expensive so you kind of cover the entry level and the blockers that are in there I've seen people say to me this pen test becomes a blocker for getting things done so there's been a lot of interest in the autonomous pen testing and for organizations to have that posture and it's an overseas issue too because now you have that that ongoing thing so can you explain that particular benefit for an organization to have that continuously verifying an organization's posture yep certainly so I would say um typically you are you you have to do your patches you have to bring in new versions of operating systems of different Services of uh um operating systems of some components and and they are always bringing new vulnerabilities the difference here is that with node zero we are telling the customer or the partner package we're telling them which are the executable vulnerabilities because previously they might have had um a vulnerability scanner so this vulnerability scanner brought up hundreds or even thousands of cves but didn't say anything about which of them are vulnerable really executable and then you need an expert digging in one cve after the other finding out is it is it really executable yes or no and that is where you need highly paid experts which we have a shortage so with notes here now we can say okay we tell you exactly which ones are the ones you should work on because those are the ones which are executable we rank them accordingly to the risk level how easily they can be used and by a sudden and then the good thing is convert it or indifference to the traditional penetration test they don't have to wait for a year for the next pain test to find out if the fixing was effective they weren't just the next scan and say Yes closed vulnerability is gone the time is really valuable and if you're doing any devops Cloud native you're always pushing new things so pen test ongoing pen testing is actually a benefit just in general as a kind of hygiene so really really interesting solution really bring that global scale is going to be a new new coverage area for us for sure I have to ask you if you don't mind answering what particular region are you focused on or plan to Target for this next phase of growth well at this moment we are concentrating on the countries inside the European Union Plus the United Kingdom um but we are and they are of course logically I'm based into Frankfurt area that means we cover more or less the countries just around so it's like the total dark region Germany Switzerland Austria plus the Netherlands but we also already have Partners in the nordics like in Finland or in Sweden um so it's it's it it's rapidly we have Partners already in the UK and it's rapidly growing so I'm for example we are now starting with some activities in Singapore um um and also in the in the Middle East area um very important we uh depending on let's say the the way how to do business currently we try to concentrate on those countries where we can have um let's say um at least English as an accepted business language great is there any particular region you're having the most success with right now is it sounds like European Union's um kind of first wave what's them yes that's the first definitely that's the first wave and now we're also getting the uh the European instance up and running it's clearly our commitment also to the market saying okay we know there are certain dedicated uh requirements and we take care of this and and we're just launching it we're building up this one uh the instance um in the AWS uh service center here in Frankfurt also with some dedicated Hardware internet in a data center in Frankfurt where we have with the date six by the way uh the highest internet interconnection bandwidth on the planet so we have very short latency to wherever you are on on the globe that's a great that's a great call outfit benefit too I was going to ask that what are some of the benefits your partners are seeing in emea and Asia Pacific well I would say um the the benefits is for them it's clearly they can they can uh talk with customers and can offer customers penetration testing which they before and even didn't think about because it penetrates penetration testing in a traditional way was simply too expensive for them too complex the preparation time was too long um they didn't have even have the capacity uh to um to support a pain an external pain tester now with this service you can go in and say even if they Mr customer we can do a test with you in a couple of minutes within we have installed the docker container within 10 minutes we have the pen test started that's it and then we just wait and and I would say that is we'll we are we are seeing so many aha moments then now because on the partner side when they see node zero the first time working it's like this wow that is great and then they work out to customers and and show it to their typically at the beginning mostly the friendly customers like wow that's great I need that and and I would say um the feedback from the partners is that is a service where I do not have to evangelize the customer everybody understands penetration testing I don't have to say describe what it is they understand the customer understanding immediately yes penetration testing good about that I know I should do it but uh too complex too expensive now with the name is for example as an mssp service provided from one of our partners but it's getting easy yeah it's great and it's great great benefit there I mean I gotta say I'm a huge fan of what you guys are doing I like this continuous automation that's a major benefit to anyone doing devops or any kind of modern application development this is just a godsend for them this is really good and like you said the pen testers that are doing it they were kind of coming down from their expertise to kind of do things that should have been automated they get to focus on the bigger ticket items that's a really big point so we free them we free the pain testers for the higher level elements of the penetration testing segment and that is typically the application testing which is currently far away from being automated yeah and that's where the most critical workloads are and I think this is the nice balance congratulations on the international expansion of the program and thanks for coming on this special presentation really I really appreciate it thank you you're welcome okay this is thecube special presentation you know check out pen test automation International expansion Horizon 3 dot AI uh really Innovative solution in our next segment Chris Hill sector head for strategic accounts will discuss the power of Horizon 3.ai and Splunk in action you're watching the cube the leader in high tech Enterprise coverage foreign [Music] [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're with Chris Hill sector head for strategic accounts and federal at Horizon 3.ai a great Innovative company Chris great to see you thanks for coming on thecube yeah like I said uh you know great to meet you John long time listener first time caller so excited to be here with you guys yeah we were talking before camera you had Splunk back in 2013 and I think 2012 was our first splunk.com and boy man you know talk about being in the right place at the right time now we're at another inflection point and Splunk continues to be relevant um and continuing to have that data driving Security in that interplay and your CEO former CTO of his plug as well at Horizon who's been on before really Innovative product you guys have but you know yeah don't wait for a breach to find out if you're logging the right data this is the topic of this thread Splunk is very much part of this new international expansion announcement uh with you guys tell us what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand uh node zero out internationally yeah well so across so you know my role uh within Splunk it was uh working with our most strategic accounts and so I looked back to 2013 and I think about the sales process like working with with our small customers you know it was um it was still very siled back then like I was selling to an I.T team that was either using this for it operations um we generally would always even say yeah although we do security we weren't really designed for it we're a log management tool and we I'm sure you remember back then John we were like sort of stepping into the security space and and the public sector domain that I was in you know security was 70 of what we did when I look back to sort of uh the transformation that I was witnessing in that digital transformation um you know when I look at like 2019 to today you look at how uh the IT team and the security teams are being have been forced to break down those barriers that they used to sort of be silent away would not commute communicate one you know the security guys would be like oh this is my box I.T you're not allowed in today you can't get away with that and I think that the value that we bring to you know and of course Splunk has been a huge leader in that space and continues to do Innovation across the board but I think what we've we're seeing in the space and I was talking with Patrick Coughlin the SVP of uh security markets about this is that you know what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data so Splunk itself is ulk know it's an ingest engine right the great reason people bought it was you could build these really fast dashboards and grab intelligence out of it but without data it doesn't do anything right so how do you drive and how do you bring more data in and most importantly from a customer perspective how do you bring the right data in and so if you think about what node zero and what we're doing in a horizon 3 is that sure we do pen testing but because we're an autonomous pen testing tool we do it continuously so this whole thought I'd be like oh crud like my customers oh yeah we got a pen test coming up it's gonna be six weeks the week oh yeah you know and everyone's gonna sit on their hands call me back in two months Chris we'll talk to you then right not not a real efficient way to test your environment and shoot we saw that with Uber this week right um you know and that's a case where we could have helped oh just right we could explain the Uber thing because it was a contractor just give a quick highlight of what happened so you can connect the doctor yeah no problem so um it was uh I got I think it was yeah one of those uh you know games where they would try and test an environment um and with the uh pen tester did was he kept on calling them MFA guys being like I need to reset my password we need to set my right password and eventually the um the customer service guy said okay I'm resetting it once he had reset and bypassed the multi-factor authentication he then was able to get in and get access to the building area that he was in or I think not the domain but he was able to gain access to a partial part of that Network he then paralleled over to what I would assume is like a VA VMware or some virtual machine that had notes that had all of the credentials for logging into various domains and So within minutes they had access and that's the sort of stuff that we do you know a lot of these tools like um you know you think about the cacophony of tools that are out there in a GTA architect architecture right I'm gonna get like a z-scale or I'm going to have uh octum and I have a Splunk I've been into the solar system I mean I don't mean to name names we have crowdstriker or Sentinel one in there it's just it's a cacophony of things that don't work together they weren't designed work together and so we have seen so many times in our business through our customer support and just working with customers when we do their pen tests that there will be 5 000 servers out there three are misconfigured those three misconfigurations will create the open door because remember the hacker only needs to be right once the defender needs to be right all the time and that's the challenge and so that's what I'm really passionate about what we're doing uh here at Horizon three I see this my digital transformation migration and security going on which uh we're at the tip of the spear it's why I joined sey Hall coming on this journey uh and just super excited about where the path's going and super excited about the relationship with Splunk I get into more details on some of the specifics of that but um you know well you're nailing I mean we've been doing a lot of things on super cloud and this next gen environment we're calling it next gen you're really seeing devops obviously devsecops has already won the it role has moved to the developer shift left is an indicator of that it's one of the many examples higher velocity code software supply chain you hear these things that means that it is now in the developer hands it is replaced by the new Ops data Ops teams and security where there's a lot of horizontal thinking to your point about access there's no more perimeter huge 100 right is really right on things one time you know to get in there once you're in then you can hang out move around move laterally big problem okay so we get that now the challenges for these teams as they are transitioning organizationally how do they figure out what to do okay this is the next step they already have Splunk so now they're kind of in transition while protecting for a hundred percent ratio of success so how would you look at that and describe the challenge is what do they do what is it what are the teams facing with their data and what's next what are they what are they what action do they take so let's use some vernacular that folks will know so if I think about devsecops right we both know what that means that I'm going to build security into the app it normally talks about sec devops right how am I building security around the perimeter of what's going inside my ecosystem and what are they doing and so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from Soup To Nuts right so I'm going to test the end points through to its I'm going to look for misconfigurations I'm going to I'm going to look for um uh credential exposed credentials you know I'm going to look for anything I can in the environment again I'm going to do it at light speed and and what what we're doing for that SEC devops space is to you know did you detect that we were in your environment so did we alert Splunk or the Sim that there's someone in the environment laterally moving around did they more importantly did they log us into their environment and when do they detect that log to trigger that log did they alert on us and then finally most importantly for every CSO out there is going to be did they stop us and so that's how we we do this and I think you when speaking with um stay Hall before you know we've come up with this um boils but we call it fine fix verifying so what we do is we go in is we act as the attacker right we act in a production environment so we're not going to be we're a passive attacker but we will go in on credentialed on agents but we have to assume to have an assumed breach model which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment so we're going to go out and do an asset survey now that's something that's not something that Splunk does super well you know so can Splunk see all the assets do the same assets marry up we're going to log all that data and think and then put load that into this long Sim or the smoke logging tools just to have it in Enterprise right that's an immediate future ad that they've got um and then we've got the fix so once we've completed our pen test um we are then going to generate a report and we can talk about these in a little bit later but the reports will show an executive summary the assets that we found which would be your asset Discovery aspect of that a fix report and the fixed report I think is probably the most important one it will go down and identify what we did how we did it and then how to fix that and then from that the pen tester or the organization should fix those then they go back and run another test and then they validate like a change detection environment to see hey did those fixes taste play take place and you know snehaw when he was the CTO of jsoc he shared with me a number of times about it's like man there would be 15 more items on next week's punch sheet that we didn't know about and it's and it has to do with how we you know how they were uh prioritizing the cves and whatnot because they would take all CBDs it was critical or non-critical and it's like we are able to create context in that environment that feeds better information into Splunk and whatnot that brings that brings up the efficiency for Splunk specifically the teams out there by the way the burnout thing is real I mean this whole I just finished my list and I got 15 more or whatever the list just can keeps growing how did node zero specifically help Splunk teams be more efficient like that's the question I want to get at because this seems like a very scale way for Splunk customers and teams service teams to be more so the question is how does node zero help make Splunk specifically their service teams be more efficient so so today in our early interactions we're building customers we've seen are five things um and I'll start with sort of identifying the blind spots right so kind of what I just talked about with you did we detect did we log did we alert did they stop node zero right and so I would I put that you know a more Layman's third grade term and if I was going to beat a fifth grader at this game would be we can be the sparring partner for a Splunk Enterprise customer a Splunk Essentials customer someone using Splunk soar or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know where am I exposed so by creating and generating these reports and then having um the API that actually generates the dashboard they can take all of these events that we've logged and log them in and then where that then comes in is number two is how do we prioritize those logs right so how do we create visibility to logs that that um are have critical impacts and again as I mentioned earlier not all cves are high impact regard and also not all or low right so if you daisy chain a bunch of low cves together boom I've got a mission critical AP uh CPE that needs to be fixed now such as a credential moving to an NT box that's got a text file with a bunch of passwords on it that would be very bad um and then third would be uh verifying that you have all of the hosts so one of the things that splunk's not particularly great at and they'll literate themselves they don't do asset Discovery so dude what assets do we see and what are they logging from that um and then for from um for every event that they are able to identify one of the cool things that we can do is actually create this low code no code environment so they could let you know Splunk customers can use Splunk sword to actually triage events and prioritize that event so where they're being routed within it to optimize the Sox team time to Market or time to triage any given event obviously reducing MTR and then finally I think one of the neatest things that we'll be seeing us develop is um our ability to build glass cables so behind me you'll see one of our triage events and how we build uh a Lockheed Martin kill chain on that with a glass table which is very familiar to the community we're going to have the ability and not too distant future to allow people to search observe on those iocs and if people aren't familiar with it ioc it's an instant of a compromise so that's a vector that we want to drill into and of course who's better at Drilling in the data and smoke yeah this is a critter this is an awesome Synergy there I mean I can see a Splunk customer going man this just gives me so much more capability action actionability and also real understanding and I think this is what I want to dig into if you don't mind understanding that critical impact okay is kind of where I see this coming got the data data ingest now data's data but the question is what not to log you know where are things misconfigured these are critical questions so can you talk about what it means to understand critical impact yeah so I think you know going back to the things that I just spoke about a lot of those cves where you'll see um uh low low low and then you daisy chain together and they're suddenly like oh this is high now but then your other impact of like if you're if you're a Splunk customer you know and I had it I had several of them I had one customer that you know terabytes of McAfee data being brought in and it was like all right there's a lot of other data that you probably also want to bring but they could only afford wanted to do certain data sets because that's and they didn't know how to prioritize or filter those data sets and so we provide that opportunity to say hey these are the critical ones to bring in but there's also the ones that you don't necessarily need to bring in because low cve in this case really does mean low cve like an ILO server would be one that um that's the print server uh where the uh your admin credentials are on on like a printer and so there will be credentials on that that's something that a hacker might go in to look at so although the cve on it is low is if you daisy chain with somebody that's able to get into that you might say Ah that's high and we would then potentially rank it giving our AI logic to say that's a moderate so put it on the scale and we prioritize those versus uh of all of these scanners just going to give you a bunch of CDs and good luck and translating that if I if I can and tell me if I'm wrong that kind of speaks to that whole lateral movement that's it challenge right print serve a great example looks stupid low end who's going to want to deal with the print server oh but it's connected into a critical system there's a path is that kind of what you're getting at yeah I use Daisy Chain I think that's from the community they came from uh but it's just a lateral movement it's exactly what they're doing in those low level low critical lateral movements is where the hackers are getting in right so that's the beauty thing about the uh the Uber example is that who would have thought you know I've got my monthly Factor authentication going in a human made a mistake we can't we can't not expect humans to make mistakes we're fallible right the reality is is once they were in the environment they could have protected themselves by running enough pen tests to know that they had certain uh exposed credentials that would have stopped the breach and they did not had not done that in their environment and I'm not poking yeah but it's an interesting Trend though I mean it's obvious if sometimes those low end items are also not protected well so it's easy to get at from a hacker standpoint but also the people in charge of them can be fished easily or spearfished because they're not paying attention because they don't have to no one ever told them hey be careful yeah for the community that I came from John that's exactly how they they would uh meet you at a uh an International Event um introduce themselves as a graduate student these are National actor States uh would you mind reviewing my thesis on such and such and I was at Adobe at the time that I was working on this instead of having to get the PDF they opened the PDF and whoever that customer was launches and I don't know if you remember back in like 2008 time frame there was a lot of issues around IP being by a nation state being stolen from the United States and that's exactly how they did it and John that's or LinkedIn hey I want to get a joke we want to hire you double the salary oh I'm gonna click on that for sure you know yeah right exactly yeah the one thing I would say to you is like uh when we look at like sort of you know because I think we did 10 000 pen tests last year is it's probably over that now you know we have these sort of top 10 ways that we think and find people coming into the environment the funniest thing is that only one of them is a cve related vulnerability like uh you know you guys know what they are right so it's it but it's it's like two percent of the attacks are occurring through the cves but yeah there's all that attention spent to that and very little attention spent to this pen testing side which is sort of this continuous threat you know monitoring space and and this vulnerability space where I think we play a such an important role and I'm so excited to be a part of the tip of the spear on this one yeah I'm old enough to know the movie sneakers which I loved as a you know watching that movie you know professional hackers are testing testing always testing the environment I love this I got to ask you as we kind of wrap up here Chris if you don't mind the the benefits to Professional Services from this Alliance big news Splunk and you guys work well together we see that clearly what are what other benefits do Professional Services teams see from the Splunk and Horizon 3.ai Alliance so if you're I think for from our our from both of our uh Partners uh as we bring these guys together and many of them already are the same partner right uh is that uh first off the licensing model is probably one of the key areas that we really excel at so if you're an end user you can buy uh for the Enterprise by the number of IP addresses you're using um but uh if you're a partner working with this there's solution ways that you can go in and we'll license as to msps and what that business model on msps looks like but the unique thing that we do here is this C plus license and so the Consulting plus license allows like a uh somebody a small to mid-sized to some very large uh you know Fortune 100 uh consulting firms use this uh by buying into a license called um Consulting plus where they can have unlimited uh access to as many IPS as they want but you can only run one test at a time and as you can imagine when we're going and hacking passwords and um checking hashes and decrypting hashes that can take a while so but for the right customer it's it's a perfect tool and so I I'm so excited about our ability to go to market with uh our partners so that we understand ourselves understand how not to just sell to or not tell just to sell through but we know how to sell with them as a good vendor partner I think that that's one thing that we've done a really good job building bring it into the market yeah I think also the Splunk has had great success how they've enabled uh partners and Professional Services absolutely you know the services that layer on top of Splunk are multi-fold tons of great benefits so you guys Vector right into that ride that way with friction and and the cool thing is that in you know in one of our reports which could be totally customized uh with someone else's logo we're going to generate you know so I I used to work in another organization it wasn't Splunk but we we did uh you know pen testing as for for customers and my pen testers would come on site they'd do the engagement and they would leave and then another release someone would be oh shoot we got another sector that was breached and they'd call you back you know four weeks later and so by August our entire pen testings teams would be sold out and it would be like well even in March maybe and they're like no no I gotta breach now and and and then when they do go in they go through do the pen test and they hand over a PDF and they pack on the back and say there's where your problems are you need to fix it and the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations and then once you've fixed everything you just go back and run another pen test it's you know for what people pay for one pen test they can have a tool that does that every every Pat patch on Tuesday and that's on Wednesday you know triage throughout the week green yellow red I wanted to see the colors show me green green is good right not red and one CIO doesn't want who doesn't want that dashboard right it's it's exactly it and we can help bring I think that you know I'm really excited about helping drive this with the Splunk team because they get that they understand that it's the green yellow red dashboard and and how do we help them find more green uh so that the other guys are in red yeah and get in the data and do the right thing and be efficient with how you use the data know what to look at so many things to pay attention to you know the combination of both and then go to market strategy real brilliant congratulations Chris thanks for coming on and sharing um this news with the detail around the Splunk in action around the alliance thanks for sharing John my pleasure thanks look forward to seeing you soon all right great we'll follow up and do another segment on devops and I.T and security teams as the new new Ops but and super cloud a bunch of other stuff so thanks for coming on and our next segment the CEO of horizon 3.aa will break down all the new news for us here on thecube you're watching thecube the leader in high tech Enterprise coverage [Music] yeah the partner program for us has been fantastic you know I think prior to that you know as most organizations most uh uh most Farmers most mssps might not necessarily have a a bench at all for penetration testing uh maybe they subcontract this work out or maybe they do it themselves but trying to staff that kind of position can be incredibly difficult for us this was a differentiator a a new a new partner a new partnership that allowed us to uh not only perform services for our customers but be able to provide a product by which that they can do it themselves so we work with our customers in a variety of ways some of them want more routine testing and perform this themselves but we're also a certified service provider of horizon 3 being able to perform uh penetration tests uh help review the the data provide color provide analysis for our customers in a broader sense right not necessarily the the black and white elements of you know what was uh what's critical what's high what's medium what's low what you need to fix but are there systemic issues this has allowed us to onboard new customers this has allowed us to migrate some penetration testing services to us from from competitors in the marketplace But ultimately this is occurring because the the product and the outcome are special they're unique and they're effective our customers like what they're seeing they like the routineness of it many of them you know again like doing this themselves you know being able to kind of pen test themselves parts of their networks um and the the new use cases right I'm a large organization I have eight to ten Acquisitions per year wouldn't it be great to have a tool to be able to perform a penetration test both internal and external of that acquisition before we integrate the two companies and maybe bringing on some risk it's a very effective partnership uh one that really is uh kind of taken our our Engineers our account Executives by storm um you know this this is a a partnership that's been very valuable to us [Music] a key part of the value and business model at Horizon 3 is enabling Partners to leverage node zero to make more revenue for themselves our goal is that for sixty percent of our Revenue this year will be originated by partners and that 95 of our Revenue next year will be originated by partners and so a key to that strategy is making us an integral part of your business models as a partner a key quote from one of our partners is that we enable every one of their business units to generate Revenue so let's talk about that in a little bit more detail first is that if you have a pen test Consulting business take Deloitte as an example what was six weeks of human labor at Deloitte per pen test has been cut down to four days of Labor using node zero to conduct reconnaissance find all the juicy interesting areas of the of the Enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at understand and determine where to probe deeper so what you see in that pen test Consulting business is that node zero becomes a force multiplier where those Consulting teams were able to cover way more accounts and way more IPS within those accounts with the same or fewer consultants and so that directly leads to profit margin expansion for the Penn testing business itself because node 0 is a force multiplier the second business model here is if you're an mssp as an mssp you're already making money providing defensive cyber security operations for a large volume of customers and so what they do is they'll license node zero and use us as an upsell to their mssb business to start to deliver either continuous red teaming continuous verification or purple teaming as a service and so in that particular business model they've got an additional line of Revenue where they can increase the spend of their existing customers by bolting on node 0 as a purple team as a service offering the third business model or customer type is if you're an I.T services provider so as an I.T services provider you make money installing and configuring security products like Splunk or crowdstrike or hemio you also make money reselling those products and you also make money generating follow-on services to continue to harden your customer environments and so for them what what those it service providers will do is use us to verify that they've installed Splunk correctly improved to their customer that Splunk was installed correctly or crowdstrike was installed correctly using our results and then use our results to drive follow-on services and revenue and then finally we've got the value-added reseller which is just a straight up reseller because of how fast our sales Cycles are these vars are able to typically go from cold email to deal close in six to eight weeks at Horizon 3 at least a single sales engineer is able to run 30 to 50 pocs concurrently because our pocs are very lightweight and don't require any on-prem customization or heavy pre-sales post sales activity so as a result we're able to have a few amount of sellers driving a lot of Revenue and volume for us well the same thing applies to bars there isn't a lot of effort to sell the product or prove its value so vars are able to sell a lot more Horizon 3 node zero product without having to build up a huge specialist sales organization so what I'm going to do is talk through uh scenario three here as an I.T service provider and just how powerful node zero can be in driving additional Revenue so in here think of for every one dollar of node zero license purchased by the IT service provider to do their business it'll generate ten dollars of additional revenue for that partner so in this example kidney group uses node 0 to verify that they have installed and deployed Splunk correctly so Kitty group is a Splunk partner they they sell it services to install configure deploy and maintain Splunk and as they deploy Splunk they're going to use node 0 to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment so it's a way of doing QA or verifying that Splunk has been configured correctly and that's going to be internally used by kidney group to prove the quality of their services that they've just delivered then what they're going to do is they're going to show and leave behind that node zero Report with their client and that creates a resell opportunity for for kidney group to resell node 0 to their client because their client is seeing the reports and the results and saying wow this is pretty amazing and those reports can be co-branded where it's a pen testing report branded with kidney group but it says powered by Horizon three under it from there kidney group is able to take the fixed actions report that's automatically generated with every pen test through node zero and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that node zero identified fixing l11r misconfigurations fixing or patching VMware or updating credentials policies and so on so what happens is node 0 has found a bunch of problems the client often lacks the capacity to fix and so kidney group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services and finally based on the findings from node zero kidney group can look at that report and say to the customer you know customer if you bought crowdstrike you'd be able to uh prevent node Zero from attacking and succeeding in the way that it did for if you bought humano or if you bought Palo Alto networks or if you bought uh some privileged access management solution because of what node 0 was able to do with credential harvesting and attacks and so as a result kidney group is able to resell other security products within their portfolio crowdstrike Falcon humano Polito networks demisto Phantom and so on based on the gaps that were identified by node zero and that pen test and what that creates is another feedback loop where kidney group will then go use node 0 to verify that crowdstrike product has actually been installed and configured correctly and then this becomes the cycle of using node 0 to verify a deployment using that verification to drive a bunch of follow-on services and resell opportunities which then further drives more usage of the product now the way that we licensed is that it's a usage-based license licensing model so that the partner will grow their node zero Consulting plus license as they grow their business so for example if you're a kidney group then week one you've got you're going to use node zero to verify your Splunk install in week two if you have a pen testing business you're going to go off and use node zero to be a force multiplier for your pen testing uh client opportunity and then if you have an mssp business then in week three you're going to use node zero to go execute a purple team mssp offering for your clients so not necessarily a kidney group but if you're a Deloitte or ATT these larger companies and you've got multiple lines of business if you're Optive for instance you all you have to do is buy one Consulting plus license and you're going to be able to run as many pen tests as you want sequentially so now you can buy a single license and use that one license to meet your week one client commitments and then meet your week two and then meet your week three and as you grow your business you start to run multiple pen tests concurrently so in week one you've got to do a Splunk verify uh verify Splunk install and you've got to run a pen test and you've got to do a purple team opportunity you just simply expand the number of Consulting plus licenses from one license to three licenses and so now as you systematically grow your business you're able to grow your node zero capacity with you giving you predictable cogs predictable margins and once again 10x additional Revenue opportunity for that investment in the node zero Consulting plus license my name is Saint I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your Enterprise Through The Eyes of an attacker the challenge I had when I was a CIO in banking the CTO at Splunk and serving within the Department of Defense is that I had no idea I was Secure until the bad guys had showed up am I logging the right data am I fixing the right vulnerabilities are my security tools that I've paid millions of dollars for actually working together to defend me and the answer is I don't know does my team actually know how to respond to a breach in the middle of an incident I don't know I've got to wait for the bad guys to show up and so the challenge I had was how do we proactively verify our security posture I tried a variety of techniques the first was the use of vulnerability scanners and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable I might have a hundred thousand findings from my scanner of which maybe five or ten can actually be exploited in my environment the other big problem with scanners is that they can't chain weaknesses together from machine to machine so if you've got a thousand machines in your environment or more what a vulnerability scanner will do is tell you you have a problem on machine one and separately a problem on machine two but what they can tell you is that an attacker could use a load from machine one plus a low from machine two to equal to critical in your environment and what attackers do in their tactics is they chain together misconfigurations dangerous product defaults harvested credentials and exploitable vulnerabilities into attack paths across different machines so to address the attack pads across different machines I tried layering in consulting-based pen testing and the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment human-based pen testing simply doesn't scale to test an infrastructure of that size moreover when they actually do execute a pen test and you get the report oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem and so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale and then to mitigate that problem I tried using breach and attack simulation tools and the struggle with these tools is one I had to install credentialed agents everywhere two I had to write my own custom attack scripts that I didn't have much talent for but also I had to maintain as my environment changed and then three these types of tools were not safe to run against production systems which was the the majority of my attack surface so that's why we went off to start Horizon 3. so Tony and I met when we were in Special Operations together and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the the power of a 20-year pen testing veteran into the hands of an I.T admin a network engineer in just three clicks and the whole idea is we enable these fixers The Blue Team to be able to run node Zero Hour pen testing product to quickly find problems in their environment that blue team will then then go off and fix the issues that were found and then they can quickly rerun the attack to verify that they fixed the problem and the whole idea is delivering this without requiring custom scripts be developed without requiring credential agents be installed and without requiring the use of external third-party consulting services or Professional Services self-service pen testing to quickly Drive find fix verify there are three primary use cases that our customers use us for the first is the sock manager that uses us to verify that their security tools are actually effective to verify that they're logging the right data in Splunk or in their Sim to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their slas or that the sock understands how to quickly detect and respond and measuring and verifying that or that the variety of tools that you have in your stack most organizations have 130 plus cyber security tools none of which are designed to work together are actually working together the second primary use case is proactively hardening and verifying your systems this is when the I that it admin that network engineer they're able to run self-service pen tests to verify that their Cisco environment is installed in hardened and configured correctly or that their credential policies are set up right or that their vcenter or web sphere or kubernetes environments are actually designed to be secure and what this allows the it admins and network Engineers to do is shift from running one or two pen tests a year to 30 40 or more pen tests a month and you can actually wire those pen tests into your devops process or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment the third primary use case is for those organizations lucky enough to have their own internal red team they'll use node zero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard juicy stuff that gets them on stage at Defcon and so these are the three primary use cases and what we'll do is zoom into the find fix verify Loop because what I've found in my experience is find fix verify is the future operating model for cyber security organizations and what I mean here is in the find using continuous pen testing what you want to enable is on-demand self-service pen tests you want those pen tests to find attack pads at scale spanning your on-prem infrastructure your Cloud infrastructure and your perimeter because attackers don't only state in one place they will find ways to chain together a perimeter breach a credential from your on-prem to gain access to your cloud or some other permutation and then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore they know we've built vulnerability Management Programs to reduce those vulnerabilities so attackers have adapted and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults with exploitable vulnerabilities and through the collection of credentials through a mix of techniques at scale once you've found those problems the next question is what do you do about it well you want to be able to prioritize fixing problems that are actually exploitable in your environment that truly matter meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data the second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to where is your crown jewels data is in the cloud is it on-prem has it been copied to a share drive that you weren't aware of if a domain user was compromised could they access that crown jewels data you want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure and then finally as you fix these problems you want to quickly remediate and retest that you've actually fixed the issue and this fine fix verify cycle becomes that accelerator that drives purple team culture the third part here is verify and what you want to be able to do in the verify step is verify that your security tools and processes in people can effectively detect and respond to a breach you want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations you also want to make sure that your environment is adhering to the best practices around systems hardening in cyber resilience and finally you want to be able to prove your security posture over a time to your board to your leadership into your regulators so what I'll do now is zoom into each of these three steps so when we zoom in to find here's the first example using node 0 and autonomous pen testing and what an attacker will do is find a way to break through the perimeter in this example it's very easy to misconfigure kubernetes to allow an attacker to gain remote code execution into your on-prem kubernetes environment and break through the perimeter and from there what the attacker is going to do is conduct Network reconnaissance and then find ways to gain code execution on other machines in the environment and as they get code execution they start to dump credentials collect a bunch of ntlm hashes crack those hashes using open source and dark web available data as part of those attacks and then reuse those credentials to log in and laterally maneuver throughout the environment and then as they loudly maneuver they can reuse those credentials and use credential spraying techniques and so on to compromise your business email to log in as admin into your cloud and this is a very common attack and rarely is a CV actually needed to execute this attack often it's just a misconfiguration in kubernetes with a bad credential policy or password policy combined with bad practices of credential reuse across the organization here's another example of an internal pen test and this is from an actual customer they had 5 000 hosts within their environment they had EDR and uba tools installed and they initiated in an internal pen test on a single machine from that single initial access point node zero enumerated the network conducted reconnaissance and found five thousand hosts were accessible what node 0 will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the Cyber terrain map and that cyber Terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment so what node zero will do is they'll try to find ways to get code execution reuse credentials and so on in this customer example they had Fortinet installed as their EDR but node 0 was still able to get code execution on a Windows machine from there it was able to successfully dump credentials including sensitive credentials from the lsas process on the Windows box and then reuse those credentials to log in as domain admin in the network and once an attacker becomes domain admin they have the keys to the kingdom they can do anything they want so what happened here well it turns out Fortinet was misconfigured on three out of 5000 machines bad automation the customer had no idea this had happened they would have had to wait for an attacker to show up to realize that it was misconfigured the second thing is well why didn't Fortinet stop the credential pivot in the lateral movement and it turned out the customer didn't buy the right modules or turn on the right services within that particular product and we see this not only with Ford in it but we see this with Trend Micro and all the other defensive tools where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping the next story I'll tell you is attackers don't have to hack in they log in so another infrastructure pen test a typical technique attackers will take is man in the middle uh attacks that will collect hashes so in this case what an attacker will do is leverage a tool or technique called responder to collect ntlm hashes that are being passed around the network and there's a variety of reasons why these hashes are passed around and it's a pretty common misconfiguration but as an attacker collects those hashes then they start to apply techniques to crack those hashes so they'll pass the hash and from there they will use open source intelligence common password structures and patterns and other types of techniques to try to crack those hashes into clear text passwords so here node 0 automatically collected hashes it automatically passed the hashes to crack those credentials and then from there it starts to take the domain user user ID passwords that it's collected and tries to access different services and systems in your Enterprise in this case node 0 is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured so now what happens is node 0 has a placement and access in the business email system which sets up the conditions for fraud lateral phishing and other techniques but what's especially insightful here is that 80 of the hashes that were collected in this pen test were cracked in 15 minutes or less 80 percent 26 of the user accounts had a password that followed a pretty obvious pattern first initial last initial and four random digits the other thing that was interesting is 10 percent of service accounts had their user ID the same as their password so VMware admin VMware admin web sphere admin web Square admin so on and so forth and so attackers don't have to hack in they just log in with credentials that they've collected the next story here is becoming WS AWS admin so in this example once again internal pen test node zero gets initial access it discovers 2 000 hosts are network reachable from that environment if fingerprints and organizes all of that data into a cyber Terrain map from there it it fingerprints that hpilo the integrated lights out service was running on a subset of hosts hpilo is a service that is often not instrumented or observed by security teams nor is it easy to patch as a result attackers know this and immediately go after those types of services so in this case that ILO service was exploitable and were able to get code execution on it ILO stores all the user IDs and passwords in clear text in a particular set of processes so once we gain code execution we were able to dump all of the credentials and then from there laterally maneuver to log in to the windows box next door as admin and then on that admin box we're able to gain access to the share drives and we found a credentials file saved on a share Drive from there it turned out that credentials file was the AWS admin credentials file giving us full admin authority to their AWS accounts not a single security alert was triggered in this attack because the customer wasn't observing the ILO service and every step thereafter was a valid login in the environment and so what do you do step one patch the server step two delete the credentials file from the share drive and then step three is get better instrumentation on privileged access users and login the final story I'll tell is a typical pattern that we see across the board with that combines the various techniques I've described together where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company from there they're going to look up those employees on dark web breach databases and other forms of information and then use that as a starting point to password spray to compromise a domain user all it takes is one employee to reuse a breached password for their Corporate email or all it takes is a single employee to have a weak password that's easily guessable all it takes is one and once the attacker is able to gain domain user access in most shops domain user is also the local admin on their laptop and once your local admin you can dump Sam and get local admin until M hashes you can use that to reuse credentials again local admin on neighboring machines and attackers will start to rinse and repeat then eventually they're able to get to a point where they can dump lsas or by unhooking the anti-virus defeating the EDR or finding a misconfigured EDR as we've talked about earlier to compromise the domain and what's consistent is that the fundamentals are broken at these shops they have poor password policies they don't have least access privilege implemented active directory groups are too permissive where domain admin or domain user is also the local admin uh AV or EDR Solutions are misconfigured or easily unhooked and so on and what we found in 10 000 pen tests is that user Behavior analytics tools never caught us in that lateral movement in part because those tools require pristine logging data in order to work and also it becomes very difficult to find that Baseline of normal usage versus abnormal usage of credential login another interesting Insight is there were several Marquee brand name mssps that were defending our customers environment and for them it took seven hours to detect and respond to the pen test seven hours the pen test was over in less than two hours and so what you had was an egregious violation of the service level agreements that that mssp had in place and the customer was able to use us to get service credit and drive accountability of their sock and of their provider the third interesting thing is in one case it took us seven minutes to become domain admin in a bank that bank had every Gucci security tool you could buy yet in 7 minutes and 19 seconds node zero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin if it's seven minutes today we should assume it'll be less than a minute a year or two from now making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack so that's in the find it's not just about finding problems though the bulk of the effort should be what to do about it the fix and the verify so as you find those problems back to kubernetes as an example we will show you the path here is the kill chain we took to compromise that environment we'll show you the impact here is the impact or here's the the proof of exploitation that we were able to use to be able to compromise it and there's the actual command that we executed so you could copy and paste that command and compromise that cubelet yourself if you want and then the impact is we got code execution and we'll actually show you here is the impact this is a critical here's why it enabled perimeter breach affected applications will tell you the specific IPS where you've got the problem how it maps to the miter attack framework and then we'll tell you exactly how to fix it we'll also show you what this problem enabled so you can accurately prioritize why this is important or why it's not important the next part is accurate prioritization the hardest part of my job as a CIO was deciding what not to fix so if you take SMB signing not required as an example by default that CVSs score is a one out of 10. but this misconfiguration is not a cve it's a misconfig enable an attacker to gain access to 19 credentials including one domain admin two local admins and access to a ton of data because of that context this is really a 10 out of 10. you better fix this as soon as possible however of the seven occurrences that we found it's only a critical in three out of the seven and these are the three specific machines and we'll tell you the exact way to fix it and you better fix these as soon as possible for these four machines over here these didn't allow us to do anything of consequence so that because the hardest part is deciding what not to fix you can justifiably choose not to fix these four issues right now and just add them to your backlog and surge your team to fix these three as quickly as possible and then once you fix these three you don't have to re-run the entire pen test you can select these three and then one click verify and run a very narrowly scoped pen test that is only testing this specific issue and what that creates is a much faster cycle of finding and fixing problems the other part of fixing is verifying that you don't have sensitive data at risk so once we become a domain user we're able to use those domain user credentials and try to gain access to databases file shares S3 buckets git repos and so on and help you understand what sensitive data you have at risk so in this example a green checkbox means we logged in as a valid domain user we're able to get read write access on the database this is how many records we could have accessed and we don't actually look at the values in the database but we'll show you the schema so you can quickly characterize that pii data was at risk here and we'll do that for your file shares and other sources of data so now you can accurately articulate the data you have at risk and prioritize cleaning that data up especially data that will lead to a fine or a big news issue so that's the find that's the fix now we're going to talk about the verify the key part in verify is embracing and integrating with detection engineering practices so when you think about your layers of security tools you've got lots of tools in place on average 130 tools at any given customer but these tools were not designed to work together so when you run a pen test what you want to do is say did you detect us did you log us did you alert on us did you stop us and from there what you want to see is okay what are the techniques that are commonly used to defeat an environment to actually compromise if you look at the top 10 techniques we use and there's far more than just these 10 but these are the most often executed nine out of ten have nothing to do with cves it has to do with misconfigurations dangerous product defaults bad credential policies and it's how we chain those together to become a domain admin or compromise a host so what what customers will do is every single attacker command we executed is provided to you as an attackivity log so you can actually see every single attacker command we ran the time stamp it was executed the hosts it executed on and how it Maps the minor attack tactics so our customers will have are these attacker logs on one screen and then they'll go look into Splunk or exabeam or Sentinel one or crowdstrike and say did you detect us did you log us did you alert on us or not and to make that even easier if you take this example hey Splunk what logs did you see at this time on the VMware host because that's when node 0 is able to dump credentials and that allows you to identify and fix your logging blind spots to make that easier we've got app integration so this is an actual Splunk app in the Splunk App Store and what you can come is inside the Splunk console itself you can fire up the Horizon 3 node 0 app all of the pen test results are here so that you can see all of the results in one place and you don't have to jump out of the tool and what you'll show you as I skip forward is hey there's a pen test here are the critical issues that we've identified for that weaker default issue here are the exact commands we executed and then we will automatically query into Splunk all all terms on between these times on that endpoint that relate to this attack so you can now quickly within the Splunk environment itself figure out that you're missing logs or that you're appropriately catching this issue and that becomes incredibly important in that detection engineering cycle that I mentioned earlier so how do our customers end up using us they shift from running one pen test a year to 30 40 pen tests a month oftentimes wiring us into their deployment automation to automatically run pen tests the other part that they'll do is as they run more pen tests they find more issues but eventually they hit this inflection point where they're able to rapidly clean up their environment and that inflection point is because the red and the blue teams start working together in a purple team culture and now they're working together to proactively harden their environment the other thing our customers will do is run us from different perspectives they'll first start running an RFC 1918 scope to see once the attacker gained initial access in a part of the network that had wide access what could they do and then from there they'll run us within a specific Network segment okay from within that segment could the attacker break out and gain access to another segment then they'll run us from their work from home environment could they Traverse the VPN and do something damaging and once they're in could they Traverse the VPN and get into my cloud then they'll break in from the outside all of these perspectives are available to you in Horizon 3 and node zero as a single SKU and you can run as many pen tests as you want if you run a phishing campaign and find that an intern in the finance department had the worst phishing behavior you can then inject their credentials and actually show the end-to-end story of how an attacker fished gained credentials of an intern and use that to gain access to sensitive financial data so what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time I'll leave you two things one is what is the AI in Horizon 3 AI those knowledge graphs are the heart and soul of everything that we do and we use machine learning reinforcement techniques reinforcement learning techniques Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs we also use context-based scoring to prioritize weaknesses and we're also able to drive collective intelligence across all of the operations so the more pen tests we run the smarter we get and all of that is based on our knowledge graph analytics infrastructure that we have finally I'll leave you with this was my decision criteria when I was a buyer for my security testing strategy what I cared about was coverage I wanted to be able to assess my on-prem cloud perimeter and work from home and be safe to run in production I want to be able to do that as often as I wanted I want to be able to run pen tests in hours or days not weeks or months so I could accelerate that fine fix verify loop I wanted my it admins and network Engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agent and not have to write custom scripts and finally I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted so I could look at my Trends in directions over time so I hope you found this talk valuable uh we're easy to find and I look forward to seeing seeing you use a product and letting our results do the talking when you look at uh you know kind of the way no our pen testing algorithms work is we dynamically select uh how to compromise an environment based on what we've discovered and the goal is to become a domain admin compromise a host compromise domain users find ways to encrypt data steal sensitive data and so on but when you look at the the top 10 techniques that we ended up uh using to compromise environments the first nine have nothing to do with cves and that's the reality cves are yes a vector but less than two percent of cves are actually used in a compromise oftentimes it's some sort of credential collection credential cracking uh credential pivoting and using that to become an admin and then uh compromising environments from that point on so I'll leave this up for you to kind of read through and you'll have the slides available for you but I found it very insightful that organizations and ourselves when I was a GE included invested heavily in just standard vulnerability Management Programs when I was at DOD that's all disa cared about asking us about was our our kind of our cve posture but the attackers have adapted to not rely on cves to get in because they know that organizations are actively looking at and patching those cves and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment a concrete example is by default vcenter backups are not encrypted and so as if an attacker finds vcenter what they'll do is find the backup location and there are specific V sender MTD files where the admin credentials are parsippled in the binaries so you can actually as an attacker find the right MTD file parse out the binary and now you've got the admin credentials for the vcenter environment and now start to log in as admin there's a bad habit by signal officers and Signal practitioners in the in the Army and elsewhere where the the VM notes section of a virtual image has the password for the VM well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMS that are unencrypted find the note section and pull out the passwords for those images and then reuse those credentials across the board so I'll pause here and uh you know Patrick love you get some some commentary on on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is uh is rolled through a little bit more on what do you do about it yeah yeah no I love it I think um I think this is pretty exhaustive what I like about what you've done here is uh you know we've seen we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last um for the last three years and it's often we kind of in the Zeitgeist we pegged that on ransomware which of course is like incredibly important and very top of mind um but what I like about what you have here is you know we're reminding the audience that the the attack surface area the vectors the matter um you know has to be more comprehensive than just thinking about ransomware scenarios yeah right on um so let's build on this when you think about your defense in depth you've got multiple security controls that you've purchased and integrated and you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together so when you run a pen test what you want to ask yourself is did you detect node zero did you log node zero did you alert on node zero and did you stop node zero and when you think about how to do that every single attacker command executed by node zero is available in an attacker log so you can now see you know at the bottom here vcenter um exploit at that time on that IP how it aligns to minor attack what you want to be able to do is go figure out did your security tools catch this or not and that becomes very important in using the attacker's perspective to improve your defensive security controls and so the way we've tried to make this easier back to like my my my the you know I bleed Green in many ways still from my smoke background is you want to be able to and what our customers do is hey we'll look at the attacker logs on one screen and they'll look at what did Splunk see or Miss in another screen and then they'll use that to figure out what their logging blind spots are and what that where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunk base and you'll get all of the pen test results right there in the Splunk console and from that Splunk console you're gonna be able to see these are all the pen tests that were run these are the issues that were found um so you can look at that particular pen test here are all of the weaknesses that were identified for that particular pen test and how they categorize out for each of those weaknesses you can click on any one of them that are critical in this case and then we'll tell you for that weakness and this is where where the the punch line comes in so I'll pause the video here for that weakness these are the commands that were executed on these endpoints at this time and then we'll actually query Splunk for that um for that IP address or containing that IP and these are the source types that surface any sort of activity so what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective so as this video kind of plays through you can see it Patrick I'd love to get your thoughts um just seeing so many Splunk deployments and the effectiveness of those deployments and and how this is going to help really Elevate the effectiveness of all of your Splunk customers yeah I'm super excited about this I mean I think this these kinds of purpose-built integration snail really move the needle for our customers I mean at the end of the day when I think about the power of Splunk I think about a product I was first introduced to 12 years ago that was an on-prem piece of software you know and at the time it sold on sort of Perpetual and term licenses but one made it special was that it could it could it could eat data at a speed that nothing else that I'd have ever seen you can ingest massively scalable amounts of data uh did cool things like schema on read which facilitated that there was this language called SPL that you could nerd out about uh and you went to a conference once a year and you talked about all the cool things you were splunking right but now as we think about the next phase of our growth um we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding and as you look at the as you look at the role of the ciso it's mind-blowing to me the amount of sources Services apps that are coming into the ciso span of let's just call it a span of influence in the last three years uh you know we're seeing things like infrastructure service level visibility application performance monitoring stuff that just never made sense for the security team to have visibility into you um at least not at the size and scale which we're demanding today um and and that's different and this isn't this is why it's so important that we have these joint purpose-built Integrations that um really provide more prescription to our customers about how do they walk on that Journey towards maturity what does zero to one look like what does one to two look like whereas you know 10 years ago customers were happy with platforms today they want integration they want Solutions and they want to drive outcomes and I think this is a great example of how together we are stepping to the evolving nature of the market and also the ever-evolving nature of the threat landscape and what I would say is the maturing needs of the customer in that environment yeah for sure I think especially if if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere while the security budgets are not going to ever I don't think they're going to get cut they're not going to grow as fast and there's a lot more pressure on organizations to extract more value from their existing Investments as well as extracting more value and more impact from their existing teams and so security Effectiveness Fierce prioritization and automation I think become the three key themes of security uh over the next 18 months so I'll do very quickly is run through a few other use cases um every host that we identified in the pen test were able to score and say this host allowed us to do something significant therefore it's it's really critical you should be increasing your logging here hey these hosts down here we couldn't really do anything as an attacker so if you do have to make trade-offs you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end so you've got that level of of um justification for where to increase or or adjust your logging resolution another example is every host we've discovered as an attacker we Expose and you can export and we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint a big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were Rogue Raspberry Pi's on the network or if a new box was installed and whether Splunk was installed on it or not so now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from uh finally or second to last use case here on the Splunk integration side is for every single problem we've found we give multiple options for how to fix it this becomes a great way to prioritize what fixed actions to automate in your soar platform and what we want to get to eventually is being able to automatically trigger soar actions to fix well-known problems like automatically invalidating passwords for for poor poor passwords in our credentials amongst a whole bunch of other things we could go off and do and then finally if there is a well-known kill chain or attack path one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise and now you've got a great starting point for glass tables and iocs for actual kill chains that we know are exploitable in your environment and that becomes some super cool Integrations that we've got on the roadmap between us and the Splunk security side of the house so what I'll leave with actually Patrick before I do that you know um love to get your comments and then I'll I'll kind of leave with one last slide on this wartime security mindset uh pending you know assuming there's no other questions no I love it I mean I think this kind of um it's kind of glass table's approach to how do you how do you sort of visualize these workflows and then use things like sore and orchestration and automation to operationalize them is exactly where we see all of our customers going and getting away from I think an over engineered approach to soar with where it has to be super technical heavy with you know python programmers and getting more to this visual view of workflow creation um that really demystifies the power of Automation and also democratizes it so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation policy enforcement and ultimately driving automation coverage across more and more of the workflows that your team is seeing yeah I think that between us being able to visualize the actual kill chain or attack path with you know think of a of uh the soar Market I think going towards this no code low code um you know configurable sore versus coded sore that's going to really be a game changer in improve or giving security teams a force multiplier so what I'll leave you with is this peacetime mindset of security no longer is sustainable we really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are are working or not and the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past uh nine months due to the Ukrainian War there you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint and this is no longer about financial extortion that is ransomware this is about punishing and destroying companies and you can punish any one of these companies by going after them directly or by going after their suppliers and their Distributors so suddenly your attack surface is no more no longer just your own Enterprise it's how you bring your goods to Market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit if I can get those trucks stuck at the border I can increase spoilage and have the same effect and what we should expect to see is this idea of cyber-enabled economic Warfare where if we issue a sanction like Banning the Russians from traveling there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database that is below the threshold of War that's not going to trigger the 82nd Airborne to be mobilized but it's going to achieve the right effect ban the sale of luxury goods disrupt the supply chain and create shortages banned Russian oil and gas attack refineries to call a 10x spike in gas prices three days before the election this is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture verify it see yourself Through The Eyes of the attacker build that incident response muscle memory and drive better collaboration between the red and the blue teams your suppliers and Distributors and your information uh sharing organization they have in place and what's really valuable for me as a Splunk customer was when a router crashes at that moment you don't know if it's due to an I.T Administration problem or an attacker and what you want to have are different people asking different questions of the same data and you want to have that integrated triage process of an I.T lens to that problem a security lens to that problem and then from there figuring out is is this an IT workflow to execute or a security incident to execute and you want to have all of that as an integrated team integrated process integrated technology stack and this is something that I very care I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board so Patrick I'll leave you with the last word the final three minutes here and I don't see any open questions so please take us home oh man see how you think we spent hours and hours prepping for this together that that last uh uh 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now uh and I think nist has done some really interesting work here around building cyber resilient organizations that have that has really I think helped help the industry see that um incidents can come from adverse conditions you know stress is uh uh performance taxations in the infrastructure service or app layer and they can come from malicious compromises uh Insider threats external threat actors and the more that we look at this from the perspective of of a broader cyber resilience Mission uh in a wartime mindset uh I I think we're going to be much better off and and will you talk about with operationally minded ice hacks information sharing intelligence sharing becomes so important in these wartime uh um situations and you know we know not all ice acts are created equal but we're also seeing a lot of um more ad hoc information sharing groups popping up so look I think I think you framed it really really well I love the concept of wartime mindset and um I I like the idea of applying a cyber resilience lens like if you have one more layer on top of that bottom right cake you know I think the it lens and the security lens they roll up to this concept of cyber resilience and I think this has done some great work there for us yeah you're you're spot on and that that is app and that's gonna I think be the the next um terrain that that uh that you're gonna see vendors try to get after but that I think Splunk is best position to win okay that's a wrap for this special Cube presentation you heard all about the global expansion of horizon 3.ai's partner program for their Partners have a unique opportunity to take advantage of their node zero product uh International go to Market expansion North America channel Partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in and hope you enjoyed this program all the videos are available on thecube.net as well as check out Horizon 3 dot AI for their pen test Automation and ultimately their defense system that they use for testing always the environment that you're in great Innovative product and I hope you enjoyed the program again I'm John Furrier host of the cube thanks for watching

(light music) >> Hello, and welcome to theCUBE's special presentation with Horizon3.ai with Rainer Richter, Vice President of EMEA, Europe, Middle East and Africa, and Asia Pacific, APAC Horizon3.ai. Welcome to this special CUBE presentation. Thanks for joining us. >> Thank you for the invitation. >> So Horizon3.ai, driving global expansion, big international news with a partner-first approach. You guys are expanding internationally. Let's get into it. You guys are driving this new expanse partner program to new heights. Tell us about it. What are you seeing in the momentum? Why the expansion? What's all the news about? >> Well, I would say in international, we have, I would say a similar situation like in the US. There is a global shortage of well-educated penetration testers on the one hand side. On the other side, we have a raising demand of network and infrastructure security. And with our approach of an autonomous penetration testing, I believe we are totally on top of the game, especially as we have also now starting with an international instance. That means for example, if a customer in Europe is using our service, NodeZero, he will be connected to a NodeZero instance, which is located inside the European Union. And therefore, he doesn't have to worry about the conflict between the European GDPR regulations versus the US CLOUD Act. And I would say there, we have a total good package for our partners that they can provide differentiators to their customers. >> You know, we've had great conversations here on theCUBE with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company. And obviously, I can just connect the dots here, but I'd like you to weigh in more on how that translates into the go-to-market here because you got great cloud scale with the security product you guys are having success with. Great leverage there, I'm seeing a lot of success there. What's the momentum on the channel partner program internationally? Why is it so important to you? Is it just the regional segmentation? Is it the economics? Why the momentum? >> Well, there are multiple issues. First of all, there is a raising demand in penetration testing. And don't forget that in international, we have a much higher level number or percentage in SMB and mid-market customers. So these customers, typically, most of them even didn't have a pen test done once a year. So for them, pen testing was just too expensive. Now with our offering together with our partners, we can provide different ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with a traditional manual pen test, and that is because we have our Consulting PLUS package, which is for typically pen testers. They can go out and can do a much faster, much quicker pen test at many customers after each other. So they can do more pen test on a lower, more attractive price. On the other side, there are others or even the same one who are providing NodeZero as an MSSP service. So they can go after SMP customers saying, "Okay, you only have a couple of hundred IP addresses. No worries, we have the perfect package for you." And then you have, let's say the mid-market. Let's say the thousand and more employees, then they might even have an annual subscription. Very traditional, but for all of them, it's all the same. The customer or the service provider doesn't need a piece of hardware. They only need to install a small piece of a Docker container and that's it. And that makes it so smooth to go in and say, "Okay, Mr. Customer, we just put in this virtual attacker into your network, and that's it and all the rest is done." And within three clicks, they can act like a pen tester with 20 years of experience. >> And that's going to be very channel-friendly and partner-friendly, I can almost imagine. So I have to ask you, and thank you for calling out that breakdown and segmentation. That was good, that was very helpful for me to understand, but I want to follow up, if you don't mind. What type of partners are you seeing the most traction with and why? >> Well, I would say at the beginning, typically, you have the innovators, the early adapters, typically boutique-size of partners. They start because they are always looking for innovation. Those are the ones, they start in the beginning. So we have a wide range of partners having mostly even managed by the owner of the company. So they immediately understand, okay, there is the value, and they can change their offering. They're changing their offering in terms of penetration testing because they can do more pen tests and they can then add others ones. Or we have those ones who offered pen test services, but they did not have their own pen testers. So they had to go out on the open market and source pen testing experts to get the pen test at a particular customer done. And now with NodeZero, they're totally independent. They can go out and say, "Okay, Mr. Customer, here's the service. That's it, we turn it on. And within an hour, you are up and running totally." >> Yeah, and those pen tests are usually expensive and hard to do. Now it's right in line with the sales delivery. Pretty interesting for a partner. >> Absolutely, but on the other hand side, we are not killing the pen tester's business. We are providing with NodeZero, I would call something like the foundational work. The foundational work of having an ongoing penetration testing of the infrastructure, the operating system. And the pen testers by themselves, they can concentrate in the future on things like application pen testing, for example. So those services, which we are not touching. So we are not killing the pen tester market. We are just taking away the ongoing, let's say foundation work, call it that way. >> Yeah, yeah. That was one of my questions. I was going to ask is there's a lot of interest in this autonomous pen testing. One because it's expensive to do because those skills are required are in need and they're expensive. (chuckles) So you kind of cover the entry-level and the blockers that are in there. I've seen people say to me, "This pen test becomes a blocker for getting things done." So there's been a lot of interest in the autonomous pen testing and for organizations to have that posture. And it's an overseas issue too because now you have that ongoing thing. So can you explain that particular benefit for an organization to have that continuously verifying an organization's posture? >> Certainly. So I would say typically, you have to do your patches. You have to bring in new versions of operating systems, of different services, of operating systems of some components, and they are always bringing new vulnerabilities. The difference here is that with NodeZero, we are telling the customer or the partner the package. We're telling them which are the executable vulnerabilities because previously, they might have had a vulnerability scanner. So this vulnerability scanner brought up hundreds or even thousands of CVEs, but didn't say anything about which of them are vulnerable, really executable. And then you need an expert digging in one CVE after the other, finding out is it really executable, yes or no? And that is where you need highly-paid experts, which where we have a shortage. So with NodeZero now, we can say, "Okay, we tell you exactly which ones are the ones you should work on because those are the ones which are executable. We rank them accordingly to risk level, how easily they can be used." And then the good thing is converted or in difference to the traditional penetration test, they don't have to wait for a year for the next pen test to find out if the fixing was effective. They run just the next scan and say, "Yes, closed. Vulnerability is gone." >> The time is really valuable. And if you're doing any DevOps, cloud-native, you're always pushing new things. So pen test, ongoing pen testing is actually a benefit just in general as a kind of hygiene. So really, really interesting solution. Really bringing that global scale is going to be a new coverage area for us, for sure. I have to ask you, if you don't mind answering, what particular region are you focused on or plan to target for this next phase of growth? >> Well, at this moment, we are concentrating on the countries inside the European Union plus United Kingdom. And of course, logically, I'm based in the Frankfurt area. That means we cover more or less the countries just around. So it's like the so-called DACH region, Germany, Switzerland, Austria, plus the Netherlands. But we also already have partners in the Nordic, like in Finland and Sweden. So we have partners already in the UK and it's rapidly growing. So for example, we are now starting with some activities in Singapore and also in the Middle East area. Very important, depending on let's say, the way how to do business. Currently, we try to concentrate on those countries where we can have, let's say at least English as an accepted business language. >> Great, is there any particular region you're having the most success with right now? Sounds like European Union's kind of first wave. What's the most- >> Yes, that's the first. Definitely, that's the first wave. And now with also getting the European INSTANCE up and running, it's clearly our commitment also to the market saying, "Okay, we know there are certain dedicated requirements and we take care of this." And we are just launching, we are building up this one, the instance in the AWS service center here in Frankfurt. Also, with some dedicated hardware, internet, and a data center in Frankfurt, where we have with the DE-CIX, by the way, the highest internet interconnection bandwidth on the planet. So we have very short latency to wherever you are on the globe. >> That's a great call out benefit too. I was going to ask that. What are some of the benefits your partners are seeing in EMEA and Asia Pacific? >> Well, I would say, the benefits for them, it's clearly they can talk with customers and can offer customers penetration testing, which they before even didn't think about because penetration testing in a traditional way was simply too expensive for them, too complex, the preparation time was too long, they didn't have even have the capacity to support an external pen tester. Now with this service, you can go in and even say, "Mr. Customer, we can do a test with you in a couple of minutes. We have installed a Docker container. Within 10 minutes, we have the pen test started. That's it and then we just wait." And I would say we are seeing so many aha moments then. On the partner side, when they see NodeZero the first time working, it's like they say, "Wow, that is great." And then they walk out to customers and show it to their typically at the beginning, mostly the friendly customers like, "Wow, that's great, I need that." And I would say the feedback from the partners is that is a service where I do not have to evangelize the customer. Everybody understands penetration testing, I don't have to describe what it is. The customer understanding immediately, "Yes. Penetration testing, heard about that. I know I should do it, but too complex, too expensive." Now for example, as an MSSP service provided from one of our partners, it's getting easy. >> Yeah, and it's great benefit there. I mean, I got to say I'm a huge fan of what you guys are doing. I like this continuous automation. That's a major benefit to anyone doing DevOps or any kind of modern application development. This is just a godsend for them, this is really good. And like you said, the pen testers that are doing it, they were kind of coming down from their expertise to kind of do things that should have been automated. They get to focus on the bigger ticket items. That's a really big point. >> Exactly. So we free them, we free the pen testers for the higher level elements of the penetration testing segment, and that is typically the application testing, which is currently far away from being automated. >> Yeah, and that's where the most critical workloads are, and I think this is the nice balance. Congratulations on the international expansion of the program, and thanks for coming on this special presentation. I really appreciate it. Thank you very much. >> You're welcome. >> Okay, this is theCUBE special presentation, you know, checking on pen test automation, international expansion, Horizon3.ai. A really innovative solution. In our next segment, Chris Hill, Sector Head for Strategic Accounts, will discuss the power of Horizon3.ai and Splunk in action. You're watching theCUBE, the leader in high tech enterprise coverage. (steady music)

(upbeat music) >> Hello, and welcome back to AWS Startup Showcase, I'm John Furrier, your host. This is the Hero panel, the AWS Heroes. These are folks that have a lot of experience in Open Source, having fun building great projects and commercializing the value and best practices of Open Source innovation. We've got some great guests here. Liz Rice, Chief Open Source Officer, Isovalent. CUBE alumni, great to see you. Brian LeRoux, who is the Co-founder and CTO of begin.com. Erica Windisch who's an Architect for Developer Experience. AWS Hero, also CUBE alumni. Casey Lee, CTO Gaggle. Doing some great stuff in ed tech. Great collection of experts and experienced folks doing some fun stuff, welcome to this conversation this CUBE panel. >> Hi. >> Thanks for having us. >> Hello. >> Let's go down the line. >> I don't normally do this, but since we're remote and we have such great guests, go down the line and talk about why Open Source is important to you guys. What projects are you currently working on? And what's the coolest thing going on there? Liz we'll start with you. >> Okay, so I am very involved in the world of Cloud Native. I'm the chair of the technical oversight committee for the Cloud Native Computing Foundation. So that means I get to see a lot of what's going on across a very broad range of Cloud Native projects. More specifically, Isovalent. I focus on Cilium, which is it's based on a technology called EBPF. That is to me, probably the most exciting technology right now. And then finally, I'm also involved in an organization called OpenUK, which is really pushing for more use of open technologies here in the United Kingdom. So spread around lots of different projects. And I'm in a really fortunate position, I think, to see what's happening with lots of projects and also the commercialization of lots of projects. >> Awesome, Brian what project are you working on? >> Working project these days called Architect. It's a Open Source project built on top of AWSM. It adds a lot of sugar and terseness to the SM experience and just makes it a lot easier to work with and get started. AWS can be a little bit intimidating to people at times. And the Open Source community is stepping up to make some of that bond ramp a little bit easier. And I'm also an Apache member. And so I keep a hairy eyeball on what's going on in that reality all the time. And I've been doing this open-source thing for quite a while, and yeah, I love it. It's a great thing. It's real science. We get to verify each other's work and we get to expand and build on human knowledge. So that's a huge honor to just even be able to do that and I feel stoked to be here so thanks for having me. >> Awesome, yeah, and totally great. Erica, what's your current situation going on here? What's happening? >> Sure, so I am currently working on developer experience of a number of Open Source STKS and CLI components from my current employer. And previously, recently I left New Relic where I was working on integrating with OpenTelemetry, as well as a number of other things. Before that I was a maintainer of Docker and of OpenStack. So I've been in this game for a while as well. And I tend to just put my fingers in a lot of little pies anywhere from DVD players 20 years ago to a lot of this open telemetry and monitoring and various STKs and developer tools is where like Docker and OpenStack and the STKs that I work on now, all very much focusing on developer as the user. >> Yeah, you're always on the wave, Erica great stuff. Casey, what's going on? Do you got some great ed techs happening? What's happening with you? >> Yeah, sure. The primary Open Source project that I'm contributing to right now is ACT. This is a tool I created a couple of years back when GitHub Actions first came out, and my motivation there was I'm just impatient. And that whole commit, push, wait time where you're testing out your pipelines is painful. And so I wanted to build a tool that allowed developers to test out their GitHub Actions workflows locally. And so this tool uses Docker containers to emulate, to get up action environment and gives you fast feedback on those workflows that you're building. Lot of innovation happening at GitHub. And so we're just trying to keep up and continue to replicate those new features functionalities in the local runner. And the biggest challenge I've had with this project is just keeping up with the community. We just passed 20,000 stars, and it'd be it's a normal week to get like 10 PRs. So super excited to announce just yesterday, actually I invited four of the most active contributors to help me with maintaining the project. And so this is like a big deal for me, letting the project go and bringing other people in to help lead it. So, yeah, huge shout out to those folks that have been helping with driving that project. So looking forward to what's next for it. >> Great, we'll make sure the SiliconANGLE riders catch that quote there. Great call out. Let's start, Brian, you made me realize when you mentioned Apache and then you've been watching all the stuff going on, it brings up the question of the evolution of Open Source, and the commercialization trends have been very interesting these days. You're seeing CloudScale really impact also with the growth of code. And Liz, if you remember, the Linux Foundation keeps making projections and they keep blowing past them every year on more and more code and more and more entrance coming in, not just individuals, corporations. So you starting to see Netflix donates something, you got Lyft donate some stuff, becomes a project company forms around it. There's a lot of entrepreneurial activity that's creating this new abstraction layers, new platforms, not just tools. So you start to see a new kickup trajectory with Open Source. You guys want to comment on this because this is going to impact how fast the enterprise will see value here. >> I think a really great example of that is a project called Backstage that's just come out of Spotify. And it's going through the incubation process at the CNCF. And that's why it's front of mind for me right now, 'cause I've been working on the due diligence for that. And the reason why I thought it was interesting in relation to your question is it's spun out of Spotify. It's fully Open Source. They have a ton of different enterprises using it as this developer portal, but they're starting to see some startups emerging offering like a hosted managed version of Backstage or offering services around Backstage or offering commercial plugins into Backstage. And I think it's really fascinating to see those ecosystems building up around a project and different ways that people can. I'm a big believer. You cannot sell the Open Source code, but you can sell other things that create value around Open Source projects. So that's really exciting to see. >> Great point. Anyone else want to weigh in and react to that? Because it's the new model. It's not the old way. I mean, I remember when I was in college, we had the Pirate software. Open Source wasn't around. So you had to deal under the table. Now it's free. But I mean the old way was you had to convince the enterprise, like you've got a hard knit, it builds the community and the community manage the quality of the code. And then you had to build the company to make sure they could support it. Now the companies are actually involved in it, right? And then new startups are forming faster. And the proof points are shorter and highly accelerated for that. I mean, it's a whole new- >> It's a Cambrian explosion, and it's great. It's one of those things that it's challenging for the new developers because they come in and they're like, "Whoa, what is all this stuff that I'm supposed to figure out?" And there's no right answer and there's no wrong answer. There's just tons of it. And I think that there's a desire for us to have one sort of well-known trot and happy path, that audience we're a lot better with a more diverse community, with lots of options, with lots of ways to approach these problems. And I think it's just great. A challenge that we have with all these options and all these Cambrian explosion of projects and all these competing ideas, right now, the sustainability, it's a bit of a tricky question to answer. We know that there's a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial source is still a bit of a tricky question and a tough one for a lot of folks. >> Erica, would you chime in on that for a second. I want to get your angle on that, this experience and all this code, and I'm a new person, I'm an existing person. Do I get like a blue check mark and verify? I mean, these are questions like, well, how do you navigate? >> Yeah, I think this has been something happening for a while. I mean, back in the early OpenStack days, 2010, for instance, Rackspace Open Sourcing, OpenStack and ANSU Labs and so forth, and then trying, having all these companies forming in creating startups around this. I started at a company called Cloudccaling back in late 2010, and we had some competitors such as Piston and so forth where a lot of the ANSUL Labs people went. But then, the real winners, I think from OpenStack ended up being the enterprises that jumped in. We had Red Hat in particular, as well as HP and IBM jumping in and investing in OpenStack, and really proving out a lot of... not that it was the first time, but this is when we started seeing billions of dollars pouring into Open Source projects and Open Source Foundations, such as the OpenStack Foundation, which proceeded a lot of the things that we now see with the Linux Foundation, which was then created a little bit later. And at the same time, I'm also reflecting a little bit what Brian said because there are projects that don't get funded, that don't get the same attention, but they're also getting used quite significantly. Things like Log4j really bringing this to the spotlight in terms of projects that are used everywhere by everything with significant outsized impacts on the industry that are not getting funded, that aren't flashy enough, that aren't exciting enough because it's just logging, but a vulnerability in it brings every everything and everybody down and has possibly billions of dollars of impact to our industry because nobody wanted to fund this project. >> I think that brings up the commercialization point about maybe bringing a venture capital model in saying, "Hey, that boring little logging thing could be a key ingredient for say solving some observability problems so I think let's put some cash." Again then we'd never seen that before. Now you're starting to see that kind of a real smart investment thesis going into Open Source projects. I mean, Promethease, Crafter, these are projects that turned off companies. This is turning up companies. >> A decade ago, there was no money in Dev tools that I think that's been fully debunked now. They used to be a concept that the venture community believed, but there's just too much evidence to the contrary, the companies like Cash Court, Datadog, the list goes on and on. I think the challenge for the Open Source (indistinct) comes back to foundations and working (indistinct) these developers make this code safe and secure. >> Casey, what's your reaction to all of this? You've got, so a project has gained some traction, got some momentum. There's a lot of mission critical. I won't say white spaces, but the opportunities in the big cloud game happening. And there's a lot of, I won't say too many entrepreneurial, but there's a lot of community action happening that's precommercialization that's getting traction. How does this all develop naturally and then vector in quickly when it hits? >> Yeah, I want to go back to the Log4j topic real quick. I think that it's a great example of an area that we need to do better at. And there was a cool article that Rob Pike wrote describing how to quantify the criticality. I think that's sort of quantifying criticality was the article he wrote on how to use metrics, to determine how valuable, how important a piece of Open Source is to the community. And we really need to highlight that more. We need a way to make it more clear how important this software is, how many people depend on it and how many people are contributing to it. And because right now we all do that. Like if I'm going to evaluate an Open Source software, sure, I'll look at how many stars it has and how many contributors it has. But I got to go through and do all that work myself and come up with. It would be really great if we had an agreed upon method for ranking the criticality of software, but then also the risk, hey, that this is used by a ton of people, but nobody's contributing to it anymore. That's a concern. And that would be great to potential users of that to signal whether or not it makes sense. The Open Source Security Foundation, just getting off the ground, they're doing some work in this space, and I'm really excited to see where they go with that looking at ways to stop score critically. >> Well, this brings up a good point while we've got everyone here, let's take a plug and plug a project you think that's not getting the visibility it needs. Let's go through each of you, point out a project that you think people should be looking at and talking about that might get some free visibility here. Anyone want to highlight projects they think should be focused more on, or that needs a little bit of love? >> I think, I mean, particularly if we're talking about these sort of vulnerability issues, there's a ton of work going on, like in the Secure Software Foundation, other foundations, I think there's work going on in Apache somewhere as well around the bill of material, the software bill of materials, the Secure Software supply chain security, even enumerating your dependencies is not trivial today. So I think there's going to be a ton of people doing really good work on that, as well as the criticality aspect. It's all like that. There's a really great xkcd cartoon with your software project and some really big monolithic lumps. And then, this tiny little piece in a very important point that's maintained by somebody in his bedroom in Montana or something and if you called it out. >> Yeah, you just opened where the next lightening and a bottle comes from. And this is I think the beauty of Open Source is that you get a little collaboration, you get three feet in a cloud of dust going and you get some momentum, and if it's relevant, it rises to the top. I think that's the collective intelligence of Open Source. The question I want to ask that the panel here is when you go into an enterprise, and now that the game is changing with a much more collaborative and involved, what's the story if they say, hey, what's in it for me, how do I manage the Open Source? What's the current best practice? Because there's no doubt I can't ignore it. It's in everything we do. How do I organize around it? How do I build around it to be more efficient and more productive and reduce the risk on vulnerabilities to managing staff, making sure the right teams in place, the right agility and all those things? >> You called it, they got to get skin in the game. They need to be active and involved and donating to a sustainable Open Source project is a great way to start. But if you really want to be active, then you should be committing. You should have a goal for your organization to be contributing back to that project. Maybe not committing code, it could be committing resources into the darks or in the tests, or even tweeting about an Open Source project is contributing to it. And I think a lot of these enterprises could benefit a lot from getting more active with the Open Source Foundations that are out there. >> Liz, you've been actively involved. I know we've talked personally when the CNCF started, which had a great commercial uptake from companies. What do you think the current state-of-the-art kind of equation is has it changed a little bit? Or is it the game still the same? >> Yeah, and in the early days of the CNCF, it was very much dominated by vendors behind the project. And now we're seeing more and more membership from end-user companies, the kind of enterprises that are building their businesses on Cloud Native, but their business is not in itself. That's not there. The infrastructure is not their business. And I think seeing those companies, putting money in, putting time in, as Brian says contributing resources quite often, there's enough money, but finding the talent to do the work and finding people who are prepared to actually chop the wood and carry the water, >> Exactly. >> that it's hard. >> And if enterprises can find peoples to spend time on Open Source projects, help with those chores, it's hugely valuable. And it's one of those the rising tide floats all the boats. We can raise security, we can reduce the amount of dependency on maintain projects collectively. >> I think the business models there, I think one of the things I'll react to and then get your guys' comments is remember which CubeCon it was, it was one of the early ones. And I remember seeing Apple having a booth, but nobody was manning. It was just an Apple booth. They weren't doing anything, but they were recruiting. And I think you saw the transition of a business model where the worry about a big vendor taking over a project and having undue influence over it goes away because I think this idea of participation is also talent, but also committing that talent back into the communities as a model, as a business model, like, okay, hire some great people, but listen, don't screw up the Open Source piece of it 'cause that's a critical. >> Also hire a channel, right? They can use those contributions to source that talent and build the reputation in the communities that they depend on. And so there's really a lot of benefit to the larger organizations that can do this. They'll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews, which is pretty great. >> Yeah, I agree with a lot of this. One of my concerns is that a lot of these corporations tend to focus very narrowly on certain projects, which they feel that they depend greatly, they'll invest in OpenStack, they'll invest in Docker, they'll invest in some of the CNCF projects. And then these other projects get ignored. Something that I've been a proponent of for a little bit for a while is observability of your dependencies. And I don't think there's quite enough projects and solutions to this. And it sounds maybe from lists, there are some projects that I don't know about, but I also know that there's some startups like Snyk and so forth that help with a little bit of this problem, but I think we need more focus on some of these edges. And I think companies need to do better, both in providing, having some sort of solution for observability of the dependencies, as well as understanding those dependencies and managing them. I've seen companies for instance, depending on software that they actively don't want to use based on a certain criteria that they already set projects, like they'll set a requirement that any project that they use has a code of conduct, but they'll then use projects that don't have codes of conduct. And if they don't have a code of conduct, then employees are prohibited from working on those projects. So you've locked yourself into a place where you're depending on software that you have instructed, your employees are not allowed to contribute to, for certain legal and other reasons. So you need to draw a line in the sand and then recognize that those projects are ones that you don't want to consume, and then not use them, and have observability around these things. >> That's a great point. I think we have 10 minutes left. I want to just shift to a topic that I think is relevant. And that is as Open Source software, software, people develop software, you see under the hood kind of software, SREs developing very quickly in the CloudScale, but also you've got your classic software developers who were writing code. So you have supply chain, software supply chain challenges. You mentioned developer experience around how to code. You have now automation in place. So you've got the development of all these things that are happening. Like I just want to write software. Some people want to get and do infrastructure as code so DevSecOps is here. So how does that look like going forward? How has the future of Open Source going to make the developers just want to code quickly? And the folks who want to tweak the infrastructure a bit more efficient, any views on that? >> At Gaggle, we're using AWS' CDK, exclusively for our infrastructure as code. And it's a great transition for developers instead of writing Yammel or Jason, or even HCL for their infrastructure code, now they're writing code in the language that they're used to Python or JavaScript, and what that's providing is an easier transition for developers into that Infrastructure as code at Gaggle here, but it's also providing an opportunity to provide reusable constructs that some Devs can build on. So if we've got a very opinionated way to deploy a serverless app in a database and do auto-scaling behind and all stuff, we can present that to a developer as a library, and they can just consume it as it is. Maybe that's as deep as they want to go and they're happy with that. But then they want to go deeper into it, they can either use some of the lower level constructs or create PRs to the platform team to have those constructs changed to fit their needs. So it provides a nice on-ramp developers to use the tools and languages they're used to, and then also go deeper as they need. >> That's awesome. Does that mean they're not full stack developers anymore that they're half stack developers they're taking care of for them? >> I don't know either. >> We'll in. >> No, only kidding. Anyway, any other reactions to this whole? I just want to code, make it easy for me, and some people want to get down and dirty under the hood. >> So I think that for me, Docker was always a key part of this. I don't know when DevSecOps was coined exactly, but I was talking with people about it back in 2012. And when I joined Docker, it was a part of that vision for me, was that Docker was applying these security principles by default for your application. It wasn't, I mean, yes, everybody adopted because of the portability and the acceleration of development, but it was for me, the fact that it was limiting what you could do from a security angle by default, and then giving you these tuna balls that you can control it further. You asked about a project that may not get enough recognition is something called DockerSlim, which is designed to optimize your containers and will make them smaller, but it also constraints the security footprint, and we'll remove capabilities from the container. It will help you build security profiles for app armor and the Red Hat one. SELinux. >> SELinux. >> Yeah, and this is something that I think a lot of developers, it's kind of outside of the realm of things that they're really thinking about. So the more that we can automate those processes and make it easier out of the box for users or for... when I say users, I mean, developers, so that it's straightforward and automatic and also giving them the capability of refining it and tuning it as needed, or simply choosing platforms like serverless offerings, which have these security constraints built in out of the box and sometimes maybe less tuneable, but very strong by default. And I think that's a good place for us to be is where we just enforced these things and make you do things in a secure way. >> Yeah, I'm a huge fan of Kubernetes, but it's not the right hammer for every nail. And there are absolutely tons of applications that are better served by something like Lambda where a lot more of that security surface is taken care of for the developer. And I think we will see better tooling around security profiling and making it easier to shrink wrap your applications that there are plenty of products out there that can help you with this in a cloud native environment. But I think for the smaller developer let's say, or an earlier stage company, yeah, it needs to be so much more straightforward. Really does. >> Really an interesting time, 10 years ago, when I was working at Adobe, we used to requisition all these analysts to tell us how many developers there were for the market. And we thought there was about 20 million developers. If GitHub's to be believed, we think there is now around 80 million developers. So both these groups are probably wrong in their numbers, but the takeaway here for me is that we've got a lot of new developers and a lot of these new developers are really struck by a paradox of choice. And they're typically starting on the front end. And so there's a lot of movement in the stack moved towards the front end. We saw that at re:Invent when Amazon was really pushing Amplify 'cause they're seeing this too. It's interesting because this is where folks start. And so a lot of the obstructions are moving in that direction, but maybe not always necessarily totally appropriate. And so finding the right balance for folks is still a work in progress. Like Lambda is a great example. It lets me focus totally on just business logic. I don't have to think about infrastructure pretty much at all. And if I'm newer to the industry, that makes a lot of sense to me. As use cases expand, all of a sudden, reality intervenes, and it might not be appropriate for everything. And so figuring out what those edges are, is still the challenge, I think. >> All right, thank you very much for coming on the CUBE here panel. AWS Heroes, thanks everyone for coming. I really appreciate it, thank you. >> Thank you. >> Thank you. >> Okay. >> Thanks for having me. >> Okay, that's a wrap here back to the program and the awesome startups. Thanks for watching. (upbeat music)

(bright upbeat music) >> Welcome to The Cube. We're here for the AWS Executive Summit part of Reinvent 2021. I'm John Farrow, your host of the Cube. We've got a great segment focus here, Art of the Possible is the segment. Jas Bains, Chief Executive at Hafod and Jamie Smith, director of research and innovation and Laetitia Cailleteau who's the global lead of conversational AI at Accenture. Thanks for joining me today for this Art of the Possible segment. >> Thank you. >> So tell us a little bit about Hafod and what you guys are doing to the community 'cause this is a really compelling story of how technology in home care is kind of changing the game and putting a stake in the ground. >> Yeah, so Hafod is one of the largest not for profits in Wales. We employ about 1400 colleagues. We have three strands a service, which practices on key demographics. So people who are vulnerable and socioeconomically disadvantaged. Our three core strands of service are affordable housing, we provide several thousand homes to people in housing need across Wales. We also are an extensive provider of social provision, both residential and in the community. And then we have a third tier, which is a hybrid in between. So that supports people who are not quite ready for independent living but neither are they ready for residential care. So that's a supportive provision. I suppose what one of the things that marks Hafod out and why we're here in this conversation is that we're uniquely placed as one of the organizations that actually has a research and innovation capacity. And it's the work of the research and innovation capacity led by Jamie that brought about this collaboration with Accenture which is great in great meaning and benefits. So thousands of our customers and hopefully universal application as it develops. >> You know this is a really an interesting discussion because multiple levels, one, the pandemic accelerated this needs so, I want to get comments on that. But two, if you look at the future of work and work and home life, you seeing the convergence of where people live. And I think this idea of having this independent home and the ecosystem around it, there's a societal impact as well. So what brought this opportunity together? How did this come together with Accenture and AWS? >> We're going for Jamie and Laetitia. >> Yeah, I can start. Well, we were trying to apply for the LC Aging Grand Challenge in the U.K., so the United Kingdom recognized the need for change around independent living and run a grand challenge. And then we got together as part of this grand challenge. You know, we had some technology, we had trialed with AGK before and Hanover Housing Association. Hafod was really keen to actually start trying some of that technology with some of the resident. And we also worked with Swansea University, was doing a lot of work around social isolation and loneliness. And we came together to kind of pitch for the grand challenge. And we went quite far actually, unfortunately we didn't win but we have built such a great collaboration that we couldn't really let it be, you know, not going any further. And we decided to continue to invest in this idea. And now we here, probably 18 months on with a number of people, Hafod using the technology and a number of feedbacks and returns coming back and us having a grand ambitions to actually go much broader and scale this solution. >> Jas and Jamie, I'd love to get your reaction and commentary on this trend of tech for good because I mean, I'm sure you didn't wake up, oh, just want to do some tech for good. You guys have an environment, you have an opportunity, you have challenges you're going to turn into opportunities. But if you look at the global landscape right now, things that are jumping out at us are looking at the impact of social media on people. You got the pandemic with isolation, this is a first order problem in this new world of how do we get technology to change how people feel and make them better in their lives. >> Yeah, I think for us, the first has to be a problem to solve. There's got to be a question to be answered. And for us, that was in this instance, how do we mitigate loneliness and how do we take services that rely on person to person contact and not particularly scalable and replicate those through technology somehow. And even if we can do 10% of the job of that in-person service then for us, it's worth it because that is scalable. And there are lots of small interventions we can make using technology which is really efficient way for us to support people in the community when we just can't be everywhere at once. >> So, John, just to add, I think that we have about 1500 people living in households that are living alone and isolated. And I think the issue for us was more than just about technology because a lot of these people don't have access to basic technology features that most of us would take for granted. So far this is a two-prong journey. One is about increasing the accessibility to tech and familiarizing people so that they're comfortable with these devices technology and two importantly, make sure that we have the right means to help people reduce their loneliness and isolation. So the opportunity to try out something over the last 12 months, something that's bespoke, that's customized that will undoubtedly be tweaked as we go forward has been an absolutely marvelous opportunity. And for us, the collaboration with Accenture has been absolutely key. I think what we've seen during COVID is cross-fertilization. We've seen multi-disciplinary teams, we've got engineers, architects, manufacturers, and clinicians, and scientists, all trying to develop new solutions around COVID. And I think this probably just exemplary bias, especially as a post COVID where industry and in our case for example public sector and academia working together. >> Yeah, that's a great example and props to everyone there. And congratulations on this really, really important initiative. Let's talk about the home care solution. What does it do? How does it work? Take us through what's happening? >> Okay, so Home Care is actually a platform which is obviously running on AWS technology and this particular platform is the service offered accessible via voice through the Alexa device. We use the Echo Show to be able to use voice but also visuals to kind of make the technology more accessible for end user. On the platform itself, we have a series of services available out there. We connecting in the background a number of services from the community. So in the particular case of Hafod, we had something around shopping during the pandemic where we had people wanting to have access to their food bank. Or we also had during the pandemic, there was some need for having access to financial coaching and things like that. So we actually brought all of the service on the platform and the skills and this skill was really learning how to interact with the end user. And it was all customized for them to be able to access those things in a very easy way. It did work almost too well because some of our end users have been a kind of you know, have not been digital literate before and it was working so well, they were like, "But why can't it do pretty much anything on the planet? "Why can't it do this or that?" So the expectations were really, really high but we did manage to bring comfort to Hafod residents in a number of their daily kind of a need, some of the things during COVID 'cause people couldn't meet face to face. There was some challenge around understanding what events are running. So the coaches would publish events, you know, through the skills and people would be able to subscribe and go to the event and meet together virtually instead of physically. The number of things that really kind of brought a voice enabled experience for those end users. >> You know, you mentioned the people like the solution just before we, I'm going to get the Jamie in a second, but I want to just bring up something that you brought up. This is a digital divide evolution because digital divide, as Josh was saying, is that none about technology,, first, you have to access, you need access, right? First, then you have to bring broadband and internet access. And then you have to get the technology in the home. But then here it seems to be a whole nother level of digital divide bridging to the new heights. >> Yeah, completely, completely. And I think that's where COVID has really accelerated the digital divide before the solution was put in place for Hafod in the sense that people couldn't move and if they were not digitally literate, it was very hard to have access to services. And now we brought this solution in the comfort of their own home and they have the access to the services that they wouldn't have had otherwise on their own. So it's definitely helping, yeah. >> It's just another example of people refactoring their lives or businesses with technology. Jamie, what's your take on the innovation here and the technical aspects of the home care solutions? >> I think the fact that it's so easy to use, it's personalized, it's a digital companion for the home. It overcomes that digital divide that we talked about, which is really important. If you've got a voice you can use home care and you can interact with it in this really simple way. And what I love about it is the fact that it was based on what our customers told us they were finding difficult during this time, during the early lockdowns of the pandemic. There was 1500 so people Jas talked about who were living alone and at risk of loneliness. Now we spoke to a good number of those through a series of welfare calls and we found out exactly what it is they found challenging. >> What were some of the things that they were finding challenging? >> So tracking how they feel on a day-to-day basis. What's my mood like, what's my wellbeing like, and knowing how that changes over time. Just keeping the fridge in the pantry stocked up. What can I cook with these basic ingredients that I've got in my home? You could be signposted to basic resources to help you with that. Staying connected to the people who are really important to you but the bit that shines out for me is the interface with our services, with our neighborhood coaching service, where we can just give these little nudges, these little interventions just to mitigate and take the edge of that loneliness for people. We can see the potential of that coming up to the pandemic, where you can really encourage people to interact with one another, to be physically active and do all of those things that sort of mitigate against loneliness. >> Let me ask you a question 'cause I think a very important point. The timing of the signaling of data is super important. Could you comment on the relevance of having access to data? If you're getting something connected, when you're connected like this, I can only imagine the benefits. It's all about timing, right? Knowing that someone might be thinking some way or whether it's a tactical, in any scenario, timing of data, the right place at the right time, as they say. What's your take on that 'cause it sounds like what you're saying is that you can see things early when people are in the moment. >> Yeah, exactly. So if there's a trend beginning to emerge, for example, around some of these wellbeing, which has been on a low trajectory for a number of days, that can raise a red flag in our system and it alerts one of our neighborhood coaches just to reach out to that person and say, "Well, John, what's going on? "You haven't been out for a walk for a few days. "We know you like to walk, what's happening?" And these early warning signs are really important when we think of the long-term effects of loneliness and how getting upstream of those, preventing it reaching a point where it moves from being a problem into being a crisis. And the earlier we can detect that the more chance we've got of these negative long-term outcomes being mitigated. >> You know, one of the things we see in the cloud business is kind of separate track but it kind of relates to the real world here that you're doing, is automation and AI and machine learning bringing in a lot of value if applied properly. So how are you guys seeing, I can almost imagine that patterns are coming in, right? Do you see patterns in the data? How does AI and analytics technology improve this process especially with the wellbeing and emotional wellbeing of the elderly? >> I think one of the things we've learned through the pilot study we've done is there's not one size fits all. You know, all those people are very different individuals. They have very different habits. You know, there's some people not sleeping over the night. There's some people wanting to be out early, wanting to be social. Some people you have to put in much more. So it's definitely not one size fits all. And automation and digitalization of those kinds of services is really challenging because if they're not personalized, it doesn't really catch the interest or the need of the individuals. So for me as an IT professional being in the industry for like a 20 plus years, I think this is the time where personalization has really a true meaning. Personalization at scale for those people that are not digitally literate. But also in more vulnerable settings 'cause there's just so many different angles that can make them vulnerable. Maybe it's the body, maybe it's the economy position, their social condition, there's so many variation of all of that. So I think this is one of the use case that has to be powered by technology to complement the human side of it. If we really want to start scaling the services we provide to people in general, meaning obviously, in all the Western country now we all growing old, it's no secret. So in 20 years time the majority of everybody will be old and we obviously need people to take care of us. And at the moment we don't have that population to take care of us coming up. So really to crack on those kinds of challenges, we really need to have technology powering and just helping the human side to make it more efficient, connected than human. >> It's interesting. I just did a story where you have these bots that look at the facial recognition via cameras and can detect either in hospitals and or in care patients, how they feel. So you see where this is going. Jas I got to ask you how all this changes, the home care model and how Hafod works. Your workforce, the career's culture, the consortium you guys are bringing to the table, partners, you know this is an ecosystem now, it's a system. >> Yes John, I think that probably, it's also worth talking a little bit about the pressures on state governments around public health issues which are coming to the fore. And clearly we need to develop alternative ways that we engage with mass audiences and technology is going to be absolutely key. One of the challenges I still think that we've not resolved in the U.K. level, this is probably a global issue, is about data protection. When we're talking to cross governmental agencies, it's about sharing data and establishing protocols and we've enjoyed a few challenging conversations with colleagues around data protection. So I think those need to be set out in the context of the journey of this particular project. I think that what's interesting around COVID is that, hasn't materially changed the nature in which we do things, probably not in our focus and our work remains the same. But what we're seeing is very clear evidence of the ways, I mean, who would have thought that 12 months ago, the majority of our workforce would be working from home? So rapid mobilization to ensure that people can use, set IT home effectively. And then how does that relationship impact with people in the communities we're serving? Some of whom have got access to technology, others who haven't. So that's been, I think the biggest change, and that is a fundamental change in the design and delivery of future services that organizations like us will be providing. So I would say that overall, some things remain the same by and large but technology is having an absolutely profound change in the way that our engagement with customers will go forward. >> Well, you guys are in the front end of some massive innovation here with this, are they possible and that, you're really delivering impact. And I think this is an example of that. And you brought up the data challenges, this is something that you guys call privacy by design. This is a cutting edge issue here because there are benefits around managing privacy properly. And I think here, your solution clearly has value, right? And no one can debate that, but as these little blockers get in the way, what's your reaction to that? 'Cause this certainly is something that has to be solved. I mean, it's a problem. >> Yeah, so we designed a solution, I think we had, when we design, I co-designed with your end-users actually. We had up to 14 lawyers working with us at one point in time looking at different kinds of angles. So definitely really tackle the solution with privacy by design in mind and with end users but obviously you can't co-design with thousands of people, you have to co-design with a representative subset of a cohort. And some of the challenge we find is obviously, the media have done a lot of scaremongering around technology, AI and all of that kind of things, especially for people that are not necessarily digitally literate, people that are just not in it. And when we go and deploy the solution, people are a little bit worried. When we make them, we obviously explain to them what's going to happen if they're happy, if they want to consent and all that kind of things. But the people are scared, they're just jumping on a technology on top of it we're asking them some questions around consent. So I think it's just that the solution is super secured and we've gone over millions of hoops within Accenture but also with Hafod itself. You know, it's more that like the type of user we deploying the solution to are just not in that world and then they are little bit worried about sharing. Not only they're worried about sharing with us but you know, in home care, there there's an option as well to share some of that data with your family. And there we also see people are kind of okay to share with us but they don't want to share with their family 'cause they don't want to have too much information kind of going potentially worrying or bothering some of their family member. So there is definitely a huge education kind of angle to embracing the technology. Not only when you create the solution but when you actually deploy it with users. >> It's a fabulous project, I am so excited by this story. It's a great story, has all the elements; technology, innovation, cidal impact, data privacy, social interactions, whether it's with family members and others, internal, external. In teams themselves. You guys doing some amazing work, thank you for sharing. It's a great project, we'll keep track of it. My final question for you guys is what comes next for the home care after the trial? What are Hafod's plans and hopes for the future? >> Maybe if I just give an overview and then invite Jamie and Laetitia. So for us, without conversations, you don't create possibilities and this really is a reflection of the culture that we try to engender. So my ask of my team is to remain curious, is to continue to explore opportunities because it's home care up to today, it could be something else tomorrow. We also recognize that we live in a world of collaboration. We need more cross industrial partnerships. We love to explore more things that Accenture, Amazon, others as well. So that's principally what I will be doing is ensuring that the culture invites us and then I hand over to the clever people like Jamie and Laetitia to get on with the technology. I think for me we've already learned an awful lot about home care and there's clearly a lot more we can learn. We'd love to build on this initial small-scale trial and see how home care could work at a bigger scale. So how would it work with thousands of users? How do we scale it up from a cohort of 50 to a cohort of 5,000? How does it work when we bring different kinds of organizations into that mix? So what if, for example, we could integrate it into health care? So a variety of services can have a holistic view of an individual and interact with one another, to put that person on the right pathway and maybe keep them out of the health and care system for longer, actually reducing the costs to the system in the long run and improving that person's outcomes. That kind of evidence speaks to decision-makers and political partners and I think that's the kind of evidence we need to build. >> Yeah, financial impact is there, it's brutal. It's a great financial impact for the system. Efficiency, better care, everything. >> Yeah and we are 100% on board for whatever comes next. >> Laetitia-- >> What about you Laetitia? >> Great program you got there. A amazing story, thank you for sharing. Congratulations on this awesome project. So much to unpack here. I think this is the future. I mean, I think this is a case study of represents all the moving parts that need to be worked on, so congratulations. >> Thank you. >> Thank you. >> We are the Art of the Possible here inside the Cube, part of AWS Reinvent Executive Summit, I'm John Furrier, your host, thanks for watching. (bright upbeat music)

(bright upbeat music) >> Welcome to The Cube. We're here for the AWS Executive Summit part of Reinvent 2021. I'm John Farrow, your host of the Cube. We've got a great segment focus here, Art of the Possible is the segment. Jas Bains, Chief Executive at Hafod and Jamie Smith, director of research and innovation and Laetitia Cailleteau who's the global lead of conversational AI at Accenture. Thanks for joining me today for this Art of the Possible segment. >> Thank you. >> So tell us a little bit about Hafod and what you guys are doing to the community 'cause this is a really compelling story of how technology in home care is kind of changing the game and putting a stake in the ground. >> Yeah, so Hafod is one of the largest not for profits in Wales. We employ about 1400 colleagues. We have three strands a service, which practices on key demographics. So people who are vulnerable and socioeconomically disadvantaged. Our three core strands of service are affordable housing, we provide several thousand homes to people in housing need across Wales. We also are an extensive provider of social provision, both residential and in the community. And then we have a third tier, which is a hybrid in between. So that supports people who are not quite ready for independent living but neither are they ready for residential care. So that's a supportive provision. I suppose what one of the things that marks Hafod out and why we're here in this conversation is that we're uniquely placed as one of the organizations that actually has a research and innovation capacity. And it's the work of the research and innovation capacity led by Jamie that brought about this collaboration with Accenture which is great in great meaning and benefits. So thousands of our customers and hopefully universal application as it develops. >> You know this is a really an interesting discussion because multiple levels, one, the pandemic accelerated this needs so, I want to get comments on that. But two, if you look at the future of work and work and home life, you seeing the convergence of where people live. And I think this idea of having this independent home and the ecosystem around it, there's a societal impact as well. So what brought this opportunity together? How did this come together with Accenture and AWS? >> We're going for Jamie and Laetitia. >> Yeah, I can start. Well, we were trying to apply for the LC Aging Grand Challenge in the U.K., so the United Kingdom recognized the need for change around independent living and run a grand challenge. And then we got together as part of this grand challenge. You know, we had some technology, we had trialed with AGK before and Hanover Housing Association. Hafod was really keen to actually start trying some of that technology with some of the resident. And we also worked with Swansea University, was doing a lot of work around social isolation and loneliness. And we came together to kind of pitch for the grand challenge. And we went quite far actually, unfortunately we didn't win but we have built such a great collaboration that we couldn't really let it be, you know, not going any further. And we decided to continue to invest in this idea. And now we here, probably 18 months on with a number of people, Hafod using the technology and a number of feedbacks and returns coming back and us having a grand ambitions to actually go much broader and scale this solution. >> Jas and Jamie, I'd love to get your reaction and commentary on this trend of tech for good because I mean, I'm sure you didn't wake up, oh, just want to do some tech for good. You guys have an environment, you have an opportunity, you have challenges you're going to turn into opportunities. But if you look at the global landscape right now, things that are jumping out at us are looking at the impact of social media on people. You got the pandemic with isolation, this is a first order problem in this new world of how do we get technology to change how people feel and make them better in their lives. >> Yeah, I think for us, the first has to be a problem to solve. There's got to be a question to be answered. And for us, that was in this instance, how do we mitigate loneliness and how do we take services that rely on person to person contact and not particularly scalable and replicate those through technology somehow. And even if we can do 10% of the job of that in-person service then for us, it's worth it because that is scalable. And there are lots of small interventions we can make using technology which is really efficient way for us to support people in the community when we just can't be everywhere at once. >> So, John, just to add, I think that we have about 1500 people living in households that are living alone and isolated. And I think the issue for us was more than just about technology because a lot of these people don't have access to basic technology features that most of us would take for granted. So far this is a two-prong journey. One is about increasing the accessibility to tech and familiarizing people so that they're comfortable with these devices technology and two importantly, make sure that we have the right means to help people reduce their loneliness and isolation. So the opportunity to try out something over the last 12 months, something that's bespoke, that's customized that will undoubtedly be tweaked as we go forward has been an absolutely marvelous opportunity. And for us, the collaboration with Accenture has been absolutely key. I think what we've seen during COVID is cross-fertilization. We've seen multi-disciplinary teams, we've got engineers, architects, manufacturers, and clinicians, and scientists, all trying to develop new solutions around COVID. And I think this probably just exemplary bias, especially as a post COVID where industry and in our case for example public sector and academia working together. >> Yeah, that's a great example and props to everyone there. And congratulations on this really, really important initiative. Let's talk about the home care solution. What does it do? How does it work? Take us through what's happening? >> Okay, so Home Care is actually a platform which is obviously running on AWS technology and this particular platform is the service offered accessible via voice through the Alexa device. We use the Echo Show to be able to use voice but also visuals to kind of make the technology more accessible for end user. On the platform itself, we have a series of services available out there. We connecting in the background a number of services from the community. So in the particular case of Hafod, we had something around shopping during the pandemic where we had people wanting to have access to their food bank. Or we also had during the pandemic, there was some need for having access to financial coaching and things like that. So we actually brought all of the service on the platform and the skills and this skill was really learning how to interact with the end user. And it was all customized for them to be able to access those things in a very easy way. It did work almost too well because some of our end users have been a kind of you know, have not been digital literate before and it was working so well, they were like, "But why can't it do pretty much anything on the planet? "Why can't it do this or that?" So the expectations were really, really high but we did manage to bring comfort to Hafod residents in a number of their daily kind of a need, some of the things during COVID 'cause people couldn't meet face to face. There was some challenge around understanding what events are running. So the coaches would publish events, you know, through the skills and people would be able to subscribe and go to the event and meet together virtually instead of physically. The number of things that really kind of brought a voice enabled experience for those end users. >> You know, you mentioned the people like the solution just before we, I'm going to get the Jamie in a second, but I want to just bring up something that you brought up. This is a digital divide evolution because digital divide, as Josh was saying, is that none about technology,, first, you have to access, you need access, right? First, then you have to bring broadband and internet access. And then you have to get the technology in the home. But then here it seems to be a whole nother level of digital divide bridging to the new heights. >> Yeah, completely, completely. And I think that's where COVID has really accelerated the digital divide before the solution was put in place for Hafod in the sense that people couldn't move and if they were not digitally literate, it was very hard to have access to services. And now we brought this solution in the comfort of their own home and they have the access to the services that they wouldn't have had otherwise on their own. So it's definitely helping, yeah. >> It's just another example of people refactoring their lives or businesses with technology. Jamie, what's your take on the innovation here and the technical aspects of the home care solutions? >> I think the fact that it's so easy to use, it's personalized, it's a digital companion for the home. It overcomes that digital divide that we talked about, which is really important. If you've got a voice you can use home care and you can interact with it in this really simple way. And what I love about it is the fact that it was based on what our customers told us they were finding difficult during this time, during the early lockdowns of the pandemic. There was 1500 so people Jas talked about who were living alone and at risk of loneliness. Now we spoke to a good number of those through a series of welfare calls and we found out exactly what it is they found challenging. >> What were some of the things that they were finding challenging? >> So tracking how they feel on a day-to-day basis. What's my mood like, what's my wellbeing like, and knowing how that changes over time. Just keeping the fridge in the pantry stocked up. What can I cook with these basic ingredients that I've got in my home? You could be signposted to basic resources to help you with that. Staying connected to the people who are really important to you but the bit that shines out for me is the interface with our services, with our neighborhood coaching service, where we can just give these little nudges, these little interventions just to mitigate and take the edge of that loneliness for people. We can see the potential of that coming up to the pandemic, where you can really encourage people to interact with one another, to be physically active and do all of those things that sort of mitigate against loneliness. >> Let me ask you a question 'cause I think a very important point. The timing of the signaling of data is super important. Could you comment on the relevance of having access to data? If you're getting something connected, when you're connected like this, I can only imagine the benefits. It's all about timing, right? Knowing that someone might be thinking some way or whether it's a tactical, in any scenario, timing of data, the right place at the right time, as they say. What's your take on that 'cause it sounds like what you're saying is that you can see things early when people are in the moment. >> Yeah, exactly. So if there's a trend beginning to emerge, for example, around some of these wellbeing, which has been on a low trajectory for a number of days, that can raise a red flag in our system and it alerts one of our neighborhood coaches just to reach out to that person and say, "Well, John, what's going on? "You haven't been out for a walk for a few days. "We know you like to walk, what's happening?" And these early warning signs are really important when we think of the long-term effects of loneliness and how getting upstream of those, preventing it reaching a point where it moves from being a problem into being a crisis. And the earlier we can detect that the more chance we've got of these negative long-term outcomes being mitigated. >> You know, one of the things we see in the cloud business is kind of separate track but it kind of relates to the real world here that you're doing, is automation and AI and machine learning bringing in a lot of value if applied properly. So how are you guys seeing, I can almost imagine that patterns are coming in, right? Do you see patterns in the data? How does AI and analytics technology improve this process especially with the wellbeing and emotional wellbeing of the elderly? >> I think one of the things we've learned through the pilot study we've done is there's not one size fits all. You know, all those people are very different individuals. They have very different habits. You know, there's some people not sleeping over the night. There's some people wanting to be out early, wanting to be social. Some people you have to put in much more. So it's definitely not one size fits all. And automation and digitalization of those kinds of services is really challenging because if they're not personalized, it doesn't really catch the interest or the need of the individuals. So for me as an IT professional being in the industry for like a 20 plus years, I think this is the time where personalization has really a true meaning. Personalization at scale for those people that are not digitally literate. But also in more vulnerable settings 'cause there's just so many different angles that can make them vulnerable. Maybe it's the body, maybe it's the economy position, their social condition, there's so many variation of all of that. So I think this is one of the use case that has to be powered by technology to complement the human side of it. If we really want to start scaling the services we provide to people in general, meaning obviously, in all the Western country now we all growing old, it's no secret. So in 20 years time the majority of everybody will be old and we obviously need people to take care of us. And at the moment we don't have that population to take care of us coming up. So really to crack on those kinds of challenges, we really need to have technology powering and just helping the human side to make it more efficient, connected than human. >> It's interesting. I just did a story where you have these bots that look at the facial recognition via cameras and can detect either in hospitals and or in care patients, how they feel. So you see where this is going. Jas I got to ask you how all this changes, the home care model and how Hafod works. Your workforce, the career's culture, the consortium you guys are bringing to the table, partners, you know this is an ecosystem now, it's a system. >> Yes John, I think that probably, it's also worth talking a little bit about the pressures on state governments around public health issues which are coming to the fore. And clearly we need to develop alternative ways that we engage with mass audiences and technology is going to be absolutely key. One of the challenges I still think that we've not resolved in the U.K. level, this is probably a global issue, is about data protection. When we're talking to cross governmental agencies, it's about sharing data and establishing protocols and we've enjoyed a few challenging conversations with colleagues around data protection. So I think those need to be set out in the context of the journey of this particular project. I think that what's interesting around COVID is that, hasn't materially changed the nature in which we do things, probably not in our focus and our work remains the same. But what we're seeing is very clear evidence of the ways, I mean, who would have thought that 12 months ago, the majority of our workforce would be working from home? So rapid mobilization to ensure that people can use, set IT home effectively. And then how does that relationship impact with people in the communities we're serving? Some of whom have got access to technology, others who haven't. So that's been, I think the biggest change, and that is a fundamental change in the design and delivery of future services that organizations like us will be providing. So I would say that overall, some things remain the same by and large but technology is having an absolutely profound change in the way that our engagement with customers will go forward. >> Well, you guys are in the front end of some massive innovation here with this, are they possible and that, you're really delivering impact. And I think this is an example of that. And you brought up the data challenges, this is something that you guys call privacy by design. This is a cutting edge issue here because there are benefits around managing privacy properly. And I think here, your solution clearly has value, right? And no one can debate that, but as these little blockers get in the way, what's your reaction to that? 'Cause this certainly is something that has to be solved. I mean, it's a problem. >> Yeah, so we designed a solution, I think we had, when we design, I co-designed with your end-users actually. We had up to 14 lawyers working with us at one point in time looking at different kinds of angles. So definitely really tackle the solution with privacy by design in mind and with end users but obviously you can't co-design with thousands of people, you have to co-design with a representative subset of a cohort. And some of the challenge we find is obviously, the media have done a lot of scaremongering around technology, AI and all of that kind of things, especially for people that are not necessarily digitally literate, people that are just not in it. And when we go and deploy the solution, people are a little bit worried. When we make them, we obviously explain to them what's going to happen if they're happy, if they want to consent and all that kind of things. But the people are scared, they're just jumping on a technology on top of it we're asking them some questions around consent. So I think it's just that the solution is super secured and we've gone over millions of hoops within Accenture but also with Hafod itself. You know, it's more that like the type of user we deploying the solution to are just not in that world and then they are little bit worried about sharing. Not only they're worried about sharing with us but you know, in home care, there there's an option as well to share some of that data with your family. And there we also see people are kind of okay to share with us but they don't want to share with their family 'cause they don't want to have too much information kind of going potentially worrying or bothering some of their family member. So there is definitely a huge education kind of angle to embracing the technology. Not only when you create the solution but when you actually deploy it with users. >> It's a fabulous project, I am so excited by this story. It's a great story, has all the elements; technology, innovation, cidal impact, data privacy, social interactions, whether it's with family members and others, internal, external. In teams themselves. You guys doing some amazing work, thank you for sharing. It's a great project, we'll keep track of it. My final question for you guys is what comes next for the home care after the trial? What are Hafod's plans and hopes for the future? >> Maybe if I just give an overview and then invite Jamie and Laetitia. So for us, without conversations, you don't create possibilities and this really is a reflection of the culture that we try to engender. So my ask of my team is to remain curious, is to continue to explore opportunities because it's home care up to today, it could be something else tomorrow. We also recognize that we live in a world of collaboration. We need more cross industrial partnerships. We love to explore more things that Accenture, Amazon, others as well. So that's principally what I will be doing is ensuring that the culture invites us and then I hand over to the clever people like Jamie and Laetitia to get on with the technology. I think for me we've already learned an awful lot about home care and there's clearly a lot more we can learn. We'd love to build on this initial small-scale trial and see how home care could work at a bigger scale. So how would it work with thousands of users? How do we scale it up from a cohort of 50 to a cohort of 5,000? How does it work when we bring different kinds of organizations into that mix? So what if, for example, we could integrate it into health care? So a variety of services can have a holistic view of an individual and interact with one another, to put that person on the right pathway and maybe keep them out of the health and care system for longer, actually reducing the costs to the system in the long run and improving that person's outcomes. That kind of evidence speaks to decision-makers and political partners and I think that's the kind of evidence we need to build. >> Yeah, financial impact is there, it's brutal. It's a great financial impact for the system. Efficiency, better care, everything. >> Yeah and we are 100% on board for whatever comes next. >> Laetitia-- >> What about you Laetitia? >> Great program you got there. A amazing story, thank you for sharing. Congratulations on this awesome project. So much to unpack here. I think this is the future. I mean, I think this is a case study of represents all the moving parts that need to be worked on, so congratulations. >> Thank you. >> Thank you. >> We are the Art of the Possible here inside the Cube, part of AWS Reinvent Executive Summit, I'm John Furrier, your host, thanks for watching. (bright upbeat music)

>>Hello everybody. I am Toshihiko Nishimura from Stanford. University is there to TTT out here, super aging, global OMIM global transportation group about infections, uh, or major point of concerns. In addition, this year, we have the COVID-19 pandemic. As you can see here, while the why the new COVID-19 patients are still increasing, meanwhile, case count per day in the United state, uh, beginning to decrease this pandemic has changed our daily life to digital transformation. Even today, the micro segmentation is being conducted online and doctor and the nurse care, uh, now increase to telemedicine. Likewise, the drug development process is in need of major change paradigm shift, especially in vaccine in drug development for COVID-19 is, should be safe, effective, and faster >>In the >>Anastasia department, which is the biggest department in school of medicine. We have Stanford, a love for drug device development, regulatory science. So cold. Say the DDT RDS chairman is Ron Paul and this love leaderships are long mysel and stable shaper. In the drug development. We have three major pains, one exceedingly long duration that just 20 years huge budget, very low success rate general overview in the drug development. There are Discoverly but clinical clinical stage, as you see here, Tang. Yes. In clinical stage where we sit, say, what are the programs in D D D R S in each stages or mix program? Single cell programs, big data machine learning, deep learning, AI mathematics, statistics programs, humanized animal, the program SNS program engineering program. And we have annual symposium. Today's the, my talk, I do like to explain limitation of my science significance of humanized. My science out of separate out a program. I focused on humanized program. I believe this program is potent game changer for drug development mouse. When we think of animal experiment, many people think of immediately mouse. We have more than 30 kinds of inbred while the type such as chief 57, black KK yarrow, barber C white and so on using QA QC defined. Why did the type mice 18 of them gave him only one intervention using mouse, genomics analyzed, computational genetics. And then we succeeded to pick up fish one single gene in a week. >>We have another category of gene manipulated, mice transgenic, no clout, no Kamal's group. So far registered 40,000 kind as over today. Pretty critical requirement. Wrong FDA PMDA negative three sites are based on arteries. Two kinds of animal models, showing safety efficacy, combination of two animals and motel our mouse and the swine mouse and non-human primate. And so on mouse. Oh, Barry popular. Why? Because mouse are small enough, easy to handle big database we had and cost effective. However, it calls that low success rate. Why >>It, this issue speculation, low success rate came from a gap between preclinical the POC and the POC couldn't stay. Father divided into phase one. Phase two has the city FDA unsolved to our question. Speculation in nature biology using 7,372 new submissions, they found a 68 significant cradle out crazy too, to study approved by the process. And in total 90 per cent Radia in the clinical stages. What we can surmise from this study, FDA confirmed is that the big discrepancy between POC and clinical POC in another ward, any amount of data well, Ms. Representative for human, this nature bio report impacted our work significantly. >>What is a solution for this discrepancy? FDA standards require the people data from two species. One species is usually mice, but if the reported 90% in a preclinical data, then huge discrepancy between pretty critical POC in clinical POC. Our interpretation is data from mice, sometime representative, actually mice, and the humor of different especially immune system and the diva mice liver enzyme are missing, which human Liba has. This is one huge issue to be taught to overcome this problem. We started humanized mice program. What kind of human animals? We created one humanized, immune mice. The other is human eyes, DBA, mice. What is the definition of a humanized mice? They should have human gene or human cells or human tissues or human organs. Well, let me share one preclinical stages. Example of a humanized mouse that is polio receptor mice. This problem led by who was my mentor? Polio virus. Well, polio virus vaccine usually required no human primate to test in 13 years, collaboration with the FDA w H O polio eradication program. Finally FDA well as w H O R Purdue due to the place no human primate test to transgenic PVL. This is three. Our principle led by loss around the botch >>To move before this humanized mouse program, we need two other bonds donut outside your science, as well as the CPN mouse science >>human hormone, like GM CSF, Whoah, GCSF producing or human cytokine. those producing emoji mice are required in the long run. Two maintain human cells in their body under generation here, South the generation here, Dr. already created more than 100 kinds based on Z. The 100 kinds of Noe mice, we succeeded to create the human immune mice led the blood. The cell quite about the cell platelets are beautifully constituted in an mice, human and rebar MAs also succeeded to create using deparent human base. We have AGN diva, humanized mouse, American African human nine-thirty by mice co-case kitchen, humanized mice. These are Hennessy humanized, the immune and rebar model. On the other hand, we created disease rebar human either must to one example, congenital Liba disease, our guidance Schindel on patient model. >>The other model, we have infectious DDS and Waddell council Modell and GVH Modell. And so on creature stage or phase can a human itemize apply. Our objective is any stage. Any phase would be to, to propose. We propose experiment, pose a compound, which showed a huge discrepancy between. If Y you show the huge discrepancy, if Y is lucrative analog and the potent anti hepatitis B candidate in that predict clinical stage, it didn't show any toxicity in mice got dark and no human primate. On the other hand, weighing into clinical stage and crazy to October 15, salvage, five of people died and other 10 the show to very severe condition. >>Is that the reason why Nicole traditional the mice model is that throughout this, another mice Modell did not predict this severe side outcome. Why Zack humanized mouse, the Debar Modell demonstrate itself? Yes. Within few days that chemistry data and the puzzle physiology data phase two and phase the city requires huge number of a human subject. For example, COVID-19 vaccine development by Pfizer, AstraZeneca Moderna today, they are sample size are Southeast thousand vaccine development for COVID-19. She Novak UConn in China books for the us Erica Jones on the Johnson in unite United Kingdom. Well, there are now no box us Osaka Osaka, university hundred Japan. They are already in phase two industry discovery and predict clinical and regulatory stage foster in-app. However, clinical stage is a studious role because that phases required hugely number or the human subject 9,000 to 30,000. Even my conclusion, a humanized mouse model shortens the duration of drug development humanize, and most Isabel, uh, can be increase the success rate of drug development. Thank you for Ron Paul and to Steven YALI pelt at Stanford and and his team and or other colleagues. Thank you for listening.

from around the globe it's thecube with digital coverage of exascale day made possible by hewlett packard enterprise welcome everyone to the cube celebration of exascale day ben bennett is here he's an hpc strategist and evangelist at hewlett-packard enterprise ben welcome good to see you good to see you too son hey well let's evangelize exascale a little bit you know what's exciting you uh in regards to the coming of exoskilled computing um well there's a couple of things really uh for me historically i've worked in super computing for many years and i have seen the coming of several milestones from you know actually i'm old enough to remember gigaflops uh coming through and teraflops and petaflops exascale is has been harder than many of us anticipated many years ago the sheer amount of technology that has been required to deliver machines of this performance has been has been us utterly staggering but the exascale era brings with it real solutions it gives us opportunities to do things that we've not been able to do before if you look at some of the the most powerful computers around today they've they've really helped with um the pandemic kovid but we're still you know orders of magnitude away from being able to design drugs in situ test them in memory and release them to the public you know we still have lots and lots of lab work to do and exascale machines are going to help with that we are going to be able to to do more um which ultimately will will aid humanity and they used to be called the grand challenges and i still think of them as that i still think of these challenges for scientists that exascale class machines will be able to help but also i'm a realist is that in 10 20 30 years time you know i should be able to look back at this hopefully touch wood look back at it and look at much faster machines and say do you remember the days when we thought exascale was faster yeah well you mentioned the pandemic and you know the present united states was tweeting this morning that he was upset that you know the the fda in the u.s is not allowing the the vaccine to proceed as fast as you'd like it in fact it the fda is loosening some of its uh restrictions and i wonder if you know high performance computing in part is helping with the simulations and maybe predicting because a lot of this is about probabilities um and concerns is is is that work that is going on today or are you saying that that exascale actually you know would be what we need to accelerate that what's the role of hpc that you see today in regards to sort of solving for that vaccine and any other sort of pandemic related drugs so so first a disclaimer i am not a geneticist i am not a biochemist um my son is he tries to explain it to me and it tends to go in one ear and out the other um um i just merely build the machines he uses so we're sort of even on that front um if you read if you had read the press there was a lot of people offering up systems and computational resources for scientists a lot of the work that has been done understanding the mechanisms of covid19 um have been you know uncovered by the use of very very powerful computers would exascale have helped well clearly the faster the computers the more simulations we can do i think if you look back historically no vaccine has come to fruition as fast ever under modern rules okay admittedly the first vaccine was you know edward jenner sat quietly um you know smearing a few people and hoping it worked um i think we're slightly beyond that the fda has rules and regulations for a reason and we you don't have to go back far in our history to understand the nature of uh drugs that work for 99 of the population you know and i think exascale widely available exoscale and much faster computers are going to assist with that imagine having a genetic map of very large numbers of people on the earth and being able to test your drug against that breadth of person and you know that 99 of the time it works fine under fda rules you could never sell it you could never do that but if you're confident in your testing if you can demonstrate that you can keep the one percent away for whom that drug doesn't work bingo you now have a drug for the majority of the people and so many drugs that have so many benefits are not released and drugs are expensive because they fail at the last few moments you know the more testing you can do the more testing in memory the better it's going to be for everybody uh personally are we at a point where we still need human trials yes do we still need due diligence yes um we're not there yet exascale is you know it's coming it's not there yet yeah well to your point the faster the computer the more simulations and the higher the the chance that we're actually going to going to going to get it right and maybe compress that time to market but talk about some of the problems that you're working on uh and and the challenges for you know for example with the uk government and maybe maybe others that you can you can share with us help us understand kind of what you're hoping to accomplish so um within the united kingdom there was a report published um for the um for the uk research institute i think it's the uk research institute it might be epsrc however it's the body of people responsible for funding um science and there was a case a science case done for exascale i'm not a scientist um a lot of the work that was in this documentation said that a number of things that can be done today aren't good enough that we need to look further out we need to look at machines that will do much more there's been a program funded called asimov and this is a sort of a commercial problem that the uk government is working with rolls royce and they're trying to research how you build a full engine model and by full engine model i mean one that takes into account both the flow of gases through it and how those flow of gases and temperatures change the physical dynamics of the engine and of course as you change the physical dynamics of the engine you change the flow so you need a closely coupled model as air travel becomes more and more under the microscope we need to make sure that the air travel we do is as efficient as possible and currently there aren't supercomputers that have the performance one of the things i'm going to be doing as part of this sequence of conversations is i'm going to be having an in detailed uh sorry an in-depth but it will be very detailed an in-depth conversation with professor mark parsons from the edinburgh parallel computing center he's the director there and the dean of research at edinburgh university and i'm going to be talking to him about the azimoth program and and mark's experience as the person responsible for looking at exascale within the uk to try and determine what are the sort of science problems that we can solve as we move into the exoscale era and what that means for humanity what are the benefits for humans yeah and that's what i wanted to ask you about the the rolls-royce example that you gave it wasn't i if i understood it wasn't so much safety as it was you said efficiency and so that's that's what fuel consumption um it's it's partly fuel consumption it is of course safety there is a um there is a very specific test called an extreme event or the fan blade off what happens is they build an engine and they put it in a cowling and then they run the engine at full speed and then they literally explode uh they fire off a little explosive and they fire a fan belt uh a fan blade off to make sure that it doesn't go through the cowling and the reason they do that is there has been in the past uh a uh a failure of a fan blade and it came through the cowling and came into the aircraft depressurized the aircraft i think somebody was killed as a result of that and the aircraft went down i don't think it was a total loss one death being one too many but as a result you now have to build a jet engine instrument it balance the blades put an explosive in it and then blow the fan blade off now you only really want to do that once it's like car crash testing you want to build a model of the car you want to demonstrate with the dummy that it is safe you don't want to have to build lots of cars and keep going back to the drawing board so you do it in computers memory right we're okay with cars we have computational power to resolve to the level to determine whether or not the accident would hurt a human being still a long way to go to make them more efficient uh new materials how you can get away with lighter structures but we haven't got there with aircraft yet i mean we can build a simulation and we can do that and we can be pretty sure we're right um we still need to build an engine which costs in excess of 10 million dollars and blow the fan blade off it so okay so you're talking about some pretty complex simulations obviously what are some of the the barriers and and the breakthroughs that are kind of required you know to to do some of these things that you're talking about that exascale is going to enable i mean presumably there are obviously technical barriers but maybe you can shed some light on that well some of them are very prosaic so for example power exoscale machines consume a lot of power um so you have to be able to design systems that consume less power and that goes into making sure they're cooled efficiently if you use water can you reuse the water i mean the if you take a laptop and sit it on your lap and you type away for four hours you'll notice it gets quite warm um an exascale computer is going to generate a lot more heat several megawatts actually um and it sounds prosaic but it's actually very important to people you've got to make sure that the systems can be cooled and that we can power them yeah so there's that another issue is the software the software models how do you take a software model and distribute the data over many tens of thousands of nodes how do you do that efficiently if you look at you know gigaflop machines they had hundreds of nodes and each node had effectively a processor a core a thread of application we're looking at many many tens of thousands of nodes cores parallel threads running how do you make that efficient so is the software ready i think the majority of people will tell you that it's the software that's the problem not the hardware of course my friends in hardware would tell you ah software is easy it's the hardware that's the problem i think for the universities and the users the challenge is going to be the software i think um it's going to have to evolve you you're just you want to look at your machine and you just want to be able to dump work onto it easily we're not there yet not by a long stretch of the imagination yeah consequently you know we one of the things that we're doing is that we have a lot of centers of excellence is we will provide well i hate say the word provide we we sell super computers and once the machine has gone in we work very closely with the establishments create centers of excellence to get the best out of the machines to improve the software um and if a machine's expensive you want to get the most out of it that you can you don't just want to run a synthetic benchmark and say look i'm the fastest supercomputer on the planet you know your users who want access to it are the people that really decide how useful it is and the work they get out of it yeah the economics is definitely a factor in fact the fastest supercomputer in the planet but you can't if you can't afford to use it what good is it uh you mentioned power uh and then the flip side of that coin is of course cooling you can reduce the power consumption but but how challenging is it to cool these systems um it's an engineering problem yeah we we have you know uh data centers in iceland where it gets um you know it doesn't get too warm we have a big air cooled data center in in the united kingdom where it never gets above 30 degrees centigrade so if you put in water at 40 degrees centigrade and it comes out at 50 degrees centigrade you can cool it by just pumping it round the air you know just putting it outside the building because the building will you know never gets above 30 so it'll easily drop it back to 40 to enable you to put it back into the machine um right other ways to do it um you know is to take the heat and use it commercially there's a there's a lovely story of they take the hot water out of the supercomputer in the nordics um and then they pump it into a brewery to keep the mash tuns warm you know that's that's the sort of engineering i can get behind yeah indeed that's a great application talk a little bit more about your conversation with professor parsons maybe we could double click into that what are some of the things that you're going to you're going to probe there what are you hoping to learn so i think some of the things that that are going to be interesting to uncover is just the breadth of science that can be uh that could take advantage of exascale you know there are there are many things going on that uh that people hear about you know we people are interested in um you know the nobel prize they might have no idea what it means but the nobel prize for physics was awarded um to do with research into black holes you know fascinating and truly insightful physics um could it benefit from exascale i have no idea uh i i really don't um you know one of the most profound pieces of knowledge in in the last few hundred years has been the theory of relativity you know an austrian patent clerk wrote e equals m c squared on the back of an envelope and and voila i i don't believe any form of exascale computing would have helped him get there any faster right that's maybe flippant but i think the point is is that there are areas in terms of weather prediction climate prediction drug discovery um material knowledge engineering uh problems that are going to be unlocked with the use of exascale class systems we are going to be able to provide more tools more insight [Music] and that's the purpose of computing you know it's not that it's not the data that that comes out and it's the insight we get from it yeah i often say data is plentiful insights are not um ben you're a bit of an industry historian so i've got to ask you you mentioned you mentioned mentioned gigaflop gigaflops before which i think goes back to the early 1970s uh but the history actually the 80s is it the 80s okay well the history of computing goes back even before that you know yes i thought i thought seymour cray was you know kind of father of super computing but perhaps you have another point of view as to the origination of high performance computing [Music] oh yes this is um this is this is one for all my colleagues globally um you know arguably he says getting ready to be attacked from all sides arguably you know um computing uh the parallel work and the research done during the war by alan turing is the father of high performance computing i think one of the problems we have is that so much of that work was classified so much of that work was kept away from commercial people that commercial computing evolved without that knowledge i uh i have done in in in a previous life i have done some work for the british science museum and i have had the great pleasure in walking through the the british science museum archives um to look at how computing has evolved from things like the the pascaline from blaise pascal you know napier's bones the babbage's machines uh to to look all the way through the analog machines you know what conrad zeus was doing on a desktop um i think i think what's important is it doesn't matter where you are is that it is the problem that drives the technology and it's having the problems that requires the you know the human race to look at solutions and be these kicks started by you know the terrible problem that the us has with its nuclear stockpile stewardship now you've invented them how do you keep them safe originally done through the ascii program that's driven a lot of computational advances ultimately it's our quest for knowledge that drives these machines and i think as long as we are interested as long as we want to find things out there will always be advances in computing to meet that need yeah and you know it was a great conversation uh you're a brilliant guest i i love this this this talk and uh and of course as the saying goes success has many fathers so there's probably a few polish mathematicians that would stake a claim in the uh the original enigma project as well i think i think they drove the algorithm i think the problem is is that the work of tommy flowers is the person who took the algorithms and the work that um that was being done and actually had to build the poor machine he's the guy that actually had to sit there and go how do i turn this into a machine that does that and and so you know people always remember touring very few people remember tommy flowers who actually had to turn the great work um into a working machine yeah super computer team sport well ben it's great to have you on thanks so much for your perspectives best of luck with your conversation with professor parsons we'll be looking forward to that and uh and thanks so much for coming on thecube a complete pleasure thank you and thank you everybody for watching this is dave vellante we're celebrating exascale day you're watching the cube [Music]

>>Hello. I'm Professor Toru Suzuki Cherif cardiovascular medicine on associate dean of the College of Life Sciences at the University of Leicester in the United Kingdom, where I'm also director of the Lester Life Sciences accelerator. I'm also honorary consultant cardiologist within our university hospitals. It's part of the national health system NHS Trust. Today, I'd like to talk to you about our Lester Clinical Data Science Initiative. Now brief background on Lester. It's university in hospitals. Lester is in the center of England. The national health system is divided depending on the countries. The United Kingdom, which is comprised of, uh, England, Scotland to the north, whales to the west and Northern Ireland is another part in a different island. But national health system of England is what will be predominantly be discussed. Today has a history of about 70 years now, owing to the fact that we're basically in the center of England. Although this is only about one hour north of London, we have a catchment of about 100 miles, which takes us from the eastern coast of England, bordering with Birmingham to the west north just south of Liverpool, Manchester and just south to the tip of London. We have one of the busiest national health system trust in the United Kingdom, with a catchment about 100 miles and one million patients a year. Our main hospital, the General Hospital, which is actually called the Royal Infirmary, which can has an accident and emergency, which means Emergency Department is that has one of the busiest emergency departments in the nation. I work at Glen Field Hospital, which is one of the main cardiovascular hospitals of the United Kingdom and Europe. Academically, the Medical School of the University of Leicester is ranked 20th in the world on Lee, behind Cambridge, Oxford Imperial College and University College London. For the UK, this is very research. Waited, uh, ranking is Therefore we are very research focused universities as well for the cardiovascular research groups, with it mainly within Glenn Field Hospital, we are ranked as the 29th Independent research institution in the world which places us. A Suffield waited within our group. As you can see those their top ranked this is regardless of cardiology, include institutes like the Broad Institute and Whitehead Institute. Mitt Welcome Trust Sanger, Howard Hughes Medical Institute, Kemble, Cold Spring Harbor and as a hospital we rank within ah in this field in a relatively competitive manner as well. Therefore, we're very research focused. Hospital is well now to give you the unique selling points of Leicester. We're we're the largest and busiest national health system trust in the United Kingdom, but we also have a very large and stable as well as ethnically diverse population. The population ranges often into three generations, which allows us to do a lot of cohort based studies which allows us for the primary and secondary care cohorts, lot of which are well characterized and focused on genomics. In the past. We also have a biomedical research center focusing on chronic diseases, which is funded by the National Institutes of Health Research, which funds clinical research the hospitals of United Kingdom on we also have a very rich regional life science cluster, including med techs and small and medium sized enterprises. Now for this, the bottom line is that I am the director of the letter site left Sciences accelerator, >>which is tasked with industrial engagement in the local national sectors but not excluding the international sectors as well. Broadly, we have academics and clinicians with interest in health care, which includes science and engineering as well as non clinical researchers. And prior to the cove it outbreak, the government announced the £450 million investment into our university hospitals, which I hope will be going forward now to give you a brief background on where the scientific strategy the United Kingdom lies. Three industrial strategy was brought out a za part of the process which involved exiting the European Union, and part of that was the life science sector deal. And among this, as you will see, there were four grand challenges that were put in place a I and data economy, future of mobility, clean growth and aging society and as a medical research institute. A lot of the focus that we have been transitioning with within my group are projects are focused on using data and analytics using artificial intelligence, but also understanding how chronic diseases evolved as part of the aging society, and therefore we will be able to address these grand challenges for the country. Additionally, the national health system also has its long term plans, which we align to. One of those is digitally enabled care and that this hope you're going mainstream over the next 10 years. And to do this, what is envision will be The clinicians will be able to access and interact with patient records and care plants wherever they are with ready access to decision support and artificial intelligence, and that this will enable predictive techniques, which include linking with clinical genomic as well as other data supports, such as image ing a new medical breakthroughs. There has been what's called the Topol Review that discusses the future of health care in the United Kingdom and preparing the health care workforce for the delivery of the digital future, which clearly discusses in the end that we would be using automated image interpretation. Is using artificial intelligence predictive analytics using artificial intelligence as mentioned in the long term plans. That is part of that. We will also be engaging natural language processing speech recognition. I'm reading the genome amusing. Genomic announced this as well. We are in what is called the Midland's. As I mentioned previously, the Midland's comprised the East Midlands, where we are as Lester, other places such as Nottingham. We're here. The West Midland involves Birmingham, and here is ah collective. We are the Midlands. Here we comprise what is called the Midlands engine on the Midland's engine focuses on transport, accelerating innovation, trading with the world as well as the ultra connected region. And therefore our work will also involve connectivity moving forward. And it's part of that. It's part of our health care plans. We hope to also enable total digital connectivity moving forward and that will allow us to embrace digital data as well as collectivity. These three key words will ah Linkous our health care systems for the future. Now, to give you a vision for the future of medicine vision that there will be a very complex data set that we will need to work on, which will involve genomics Phanom ICS image ing which will called, uh oh mix analysis. But this is just meaning that is, uh complex data sets that we need to work on. This will integrate with our clinical data Platforms are bioinformatics, and we'll also get real time information of physiology through interfaces and wearables. Important for this is that we have computing, uh, processes that will now allow this kind of complex data analysis in real time using artificial intelligence and machine learning based applications to allow visualization Analytics, which could be out, put it through various user interfaces to the clinician and others. One of the characteristics of the United Kingdom is that the NHS is that we embrace data and captured data from when most citizens have been born from the cradle toe when they die to the grave. And it's important that we were able to link this data up to understand the journey of that patient. Over time. When they come to hospital, which is secondary care data, we will get disease data when they go to their primary care general practitioner, we will be able to get early check up data is Paula's follow monitoring monitoring, but also social care data. If this could be linked, allow us to understand how aging and deterioration as well as frailty, uh, encompasses thes patients. And to do this, we have many, many numerous data sets available, including clinical letters, blood tests, more advanced tests, which is genetics and imaging, which we can possibly, um, integrate into a patient journey which will allow us to understand the digital journey of that patient. I have called this the digital twin patient cohort to do a digital simulation of patient health journeys using data integration and analytics. This is a technique that has often been used in industrial manufacturing to understand the maintenance and service points for hardware and instruments. But we would be using this to stratify predict diseases. This'll would also be monitored and refined, using wearables and other types of complex data analysis to allow for, in the end, preemptive intervention to allow paradigm shifting. How we undertake medicine at this time, which is more reactive rather than proactive as infrastructure we are presently working on putting together what's it called the Data Safe haven or trusted research environment? One which with in the clinical environment, the university hospitals and curated and data manner, which allows us to enable data mining off the databases or, I should say, the trusted research environment within the clinical environment. Hopefully, we will then be able to anonymous that to allow ah used by academics and possibly also, uh, partnering industry to do further data mining and tool development, which we could then further field test again using our real world data base of patients that will be continually, uh, updating in our system. In the cardiovascular group, we have what's called the bricks cohort, which means biomedical research. Informatics Center for Cardiovascular Science, which was done, started long time even before I joined, uh, in 2010 which has today almost captured about 10,000 patients arm or who come through to Glenn Field Hospital for various treatments or and even those who have not on. We asked for their consent to their blood for genetics, but also for blood tests, uh, genomics testing, but also image ing as well as other consent. Hable medical information s so far there about 10,000 patients and we've been trying to extract and curate their data accordingly. Again, a za reminder of what the strengths of Leicester are. We have one of the largest and busiest trust with the very large, uh, patient cohort Ah, focused dr at the university, which allows for chronic diseases such as heart disease. I just mentioned our efforts on heart disease, uh which are about 10,000 patients ongoing right now. But we would wish thio include further chronic diseases such as diabetes, respiratory diseases, renal disease and further to understand the multi modality between these diseases so that we can understand how they >>interact as well. Finally, I like to talk about the lesser life science accelerator as well. This is a new project that was funded by >>the U started this January for three years. I'm the director for this and all the groups within the College of Life Sciences that are involved with healthcare but also clinical work are involved. And through this we hope to support innovative industrial partnerships and collaborations in the region, a swells nationally and further on into internationally as well. I realized that today is a talked to um, or business and commercial oriented audience. And we would welcome interest from your companies and partners to come to Leicester toe work with us on, uh, clinical health care data and to drive our agenda forward for this so that we can enable innovative research but also product development in partnership with you moving forward. Thank you for your time.

(upbeat electronic music) >> Narrator: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. >> Okay, hello everyone. I'm John Furrier with theCUBE. We're here with Meet the Analysts segment Sunday morning. We've got everyone around the world here to discuss a bit of the news around the EU killing the privacy deal, striking it down, among other topics around, you know, data privacy and global commerce. We got great guests here, Ray Wang, CEO of Constellation Research. Bill Mew, founder and CEO of Cyber Crisis Management from the Firm Crisis Team. And JD, CEO of Spearhead Management. JD, I can let you say your name because I really can't pronounce it. How do I (laughs) pronounce it, doctor? >> I wouldn't even try it unless you are Dutch, otherwise it will seriously hurt your throat. (Ray laughing) So, JD works perfect for me. >> Doctor Drooghaag. >> And Sarbjeet Johal, who's obviously an influencer, a cloud awesome native expert. Great, guys. Great to have you on, appreciate it, thanks for comin' on. And Bill, thank you for initiating this, I appreciate all your tweets. >> Happy Sunday. (Bill laughing) >> You guys have been really tweeting up a storm, I want to get everyone together, kind of as an analyst, Meet the Analyst segment. Let's go through with it. The news is the EU and U.S. Privacy Shield for data struck down by the court, that's the BBC headline. Variety of news, different perspectives, you've got an American perspective and you've got an international perspective. Bill, we'll start with you. What does this news mean? I mean, basically half the people in the world probably don't know what the Privacy Shield means, so why is this ruling so important, and why should it be discussed? >> Well, thanks to sharing between Europe and America, it's based on a two-way promise that when data goes from Europe to America, the Americans promise to respect our privacy, and when data goes form America to Europe, the Europeans promise to respect the American privacy. Unfortunately, there are big cultural differences between the two blocks. The Europeans have a massive orientation around privacy as a human right. And in the U.S., there's somewhat more of a prioritization on national security, and therefore for some time there's been a mismatch here, and it could be argued that the Americans haven't been living up to their promise because they've had various different laws, and look how much talk about FISA and the Cloud Act that actually contravene European privacy and are incompatible with the promise Americans have given. That promise, first of all, was in the form of a treaty called Safe Harbor. This went to court and was struck down. It was replaced by Privacy Shield, which was pretty much the same thing really, and that has recently been to the court as well, and that has been struck down. There now is no other means of legally sharing data between Europe and America other than what are being called standard contractual clauses. This isn't a broad treaty between two nations, these are drawn by each individual country. But also in the ruling, they said that standard contractual clauses could not be used by any companies that were subject to mass surveillance. And actually in the U.S., the FISA courts enforce a level of mass surveillance through all of the major IT firms, of all major U.S. telcos, cloud firms, or indeed, social media firms. So, this means that for all of the companies out there and their clients, business should be carrying on as usual apart from if you're one of those major U.S. IT firms, or one of their clients. >> So, why did this come about? Was there like a major incident? Why now, was it in the court, stuck in the courts? Were people bitchin' and moanin' about it? Why did this go down, what's the real issue? >> For those of us who have been following this attentively, things have been getting more and more precarious for a number of years now. We've had a situation where there are different measures being taken in the U.S., that have continued to erode the different protections that there were for Europeans. FISA is an example that I've given, and that is the sort of secret courts and secret warrants that are issued to seize data without anyone's knowledge. There's the Cloud Act, which is a sort of extrajudicial law that means that warrants can be served in America to U.S. organizations, and they have to hand over data wherever that data resides, anywhere in the world. So, data could exist on a European server, if it was under the control of an American company, they'd have to hand that over. So, whilst FISA is in direct conflict with the promises that the Americans made, things like the Cloud Act are not only in controversion with the promise they've made, there's conflicting law here, because if you're a U.S. subsidiary of a big U.S. firm, and you're based in Europe, who do you obey, the European law that says you can't hand it over because of GDPR, or the American laws that says they've got extrajudicial control, and that you've got to hand it over. So, it's made things a complete mess. And to say has this stuff, hasn't really happened? No, there's been a gradual erosion, and this has been going through the courts for a number of years. And many of us have seen it coming, and now it just hit us. >> So, if I get you right in what you're saying, it's basically all this mishmash of different laws, and there's no coherency, and consistency, is that the core issue? >> On the European side you could argue there's quite a lot of consistency, because we uphold people's privacy, in theory. But there have been incidents which we could talk about with that, but in theory, we hold your rights dear, and also the rights of Europeans, so everyone's data should be safe here from the sort of mass surveillance we're seeing. In the U.S., there's more of a direct conflict between everything, including there's been a, in his first week in the White House, Donald Trump signed an executive order saying that the Privacy Act in the U.S., which had been the main protection for people in the U.S., no longer applied to non-U.S. citizens. Which was, if you wanted try and cause a storm, and if you wanted to try and undermine the treaty, there's no better way of doing it than that. >> A lot of ways, Ray, I mean simplify this for me, because I'm a startup, I'm hustlin', or I'm a big company, I don't even know who runs the servers anymore, and I've got data stored in multiple clouds, I got in regions, and Oracle just announced more regions, you got Amazon, a gazillion regions, I could be on-premise. I mean bottom line, what is this about? I mean, and -- >> Bill's right, I mean when Max Schrems, the Austrian. Bill's right, when Max Schrems the Austrian activist actually filed his case against Facebook for where data was being stored, data residency wasn't as popular. And you know, what it means for companies that are in the cloud is that you have to make sure your data's being stored in the region, and following those specific region rules, you can't skirt those rules anymore. And I think the cloud companies know that this has been coming for some time, and that's why there's been announced in a lot of regions, a lot of areas that are actually happening, so I think that's the important part. But going back to Bill's earlier point, which is important, is America is basically the Canary Islands of privacy, right? Privacy is there, but it isn't there in a very, very explicit sense, and I think we've been skirting the rules for quite some time, because a lot of our economy depends on that data, and the marketing of the data. And so we often confuse privacy with consent, and also with value exchange, and I think that's part of the problem of what's going on here. Companies that have been building their business models on free data, free private data, free personally identifiable data information are the ones that are at risk! And I think that's what's going on here. >> It's the classic Facebook issue, you're the product, and the data is your product. Well, I want to get into what this means, 'cause my personal take away, not knowing the specifics, and just following say, cyber security for instance, one of the tenets there is that data sharing is an invaluable, important ethos in the community. Now, everyone has their own privacy, or security data, they don't want to let everyone know about their exploits but, but it's well known in the security world that sharing data with each other, different companies and countries is actually a good thing. So, the question that comes in my mind, is this really about data sharing or data privacy, or both? >> I think it's about both. And actually what the ruling is saying here is, all we're asking from the European side is please stop spying on us and please give us a level of equal protection that you give to your own citizens. Because data comes from America to Europe, whatever that data belongs to, a U.S. citizen or a European citizen, it's given equal protection. It is only if data goes in the other direction, where you have secret courts, secret warrants, seizure of data on this massive scale, and also a level of lack of equivalence that has been imposed. And we're just asking that once you've sorted out a few of those things, we'd say everything's back on the table, away we go again! >> Why don't we merge the EU with the United States? Wouldn't that solve the problem? (Bill laughing) >> We just left Europe! (laughs heartily) >> Actually I always -- >> A hostile takeover of the UK maybe, the 52nd state. (Bill laughing loudly) >> I always pick on Bill, like Bill, you got all screaming loud and clear about all these concerns, but UKs trying to get out of that economic union. It is a union at the end of the day, and I think the problem is the institutional mismatch between the EU and U.S., U.S. is old democracy, bigger country, population wise, bigger economy. Whereas Europe is several countries trying to put together, band together as one entity, and the institutions are new, like you know, they're 15 years old, right? They're maturing. I think that's where the big mismatch is and -- >> Well, Ray, I want to get your thoughts on this, Ray wrote a book, I forget what year it was, this digital disruption, basically it was digital transformation before it was actually a trend. I mean to me it's like, do you do the process first and then figure out where the value extraction is, and this may be a Silicon Valley or an American thing, but go create value, then figure out how to create process or understand regulations. So, if data and entrepreneurship is going to be a new modern era of value, why wouldn't we want to create a rule based system that's open and enabling, and not restrictive? >> So, that's a great point, right? And the innovation culture means you go do it first, and you figure out the rules later, and that's been a very American way of getting things done, and very Silicon Valley in our perspective, not everyone, but I think in general that's kind of the trend. I think the challenge here is that we are trading privacy for security, privacy for convenience, privacy for personalization, right? And on the security level, it's a very different conversation than what it is on the consumer end, you know, personalization side. On the security side I think most Americans are okay with a little bit of "spying," at least on your own side, you know, to keep the country safe. We're not okay with a China level type of spying, which we're not sure exactly what that means or what's enforceable in the courts. We look like China to the Europeans in the way we treat privacy, and I think that's the perspective we need to understand because Europeans are very explicit about how privacy is being protected. And so this really comes back to a point where we actually have to get to a consent model on privacy, as to knowing what data is being shared, you have the right to say no, and when you have the right to say no. And then if you have a value exchange on that data, then it's really like sometimes it's monetary, sometimes it's non-monetary, sometimes there's other areas around consensus where you can actually put that into place. And I think that's what's missing at this point, saying, you know, "Do we pay for your data? Do we explicitly get your consent first before we use it?" And we haven't had that in place, and I think that's where we're headed towards. And you know sometimes we actually say privacy should be a human right, it is in the UN Charter, but we haven't figured out how to enforce it or talk about it in the digital age. And so I think that's the challenge. >> Okay, people, until they lose it, they don't really understand what it means. I mean, look at Americans. I have to say that we're idiots on this front, (Bill chuckling) but you know, the thing is most people don't even understand how much value's getting sucked out of their digital exhaust. Like, our kids, TikTok and whatnot. So I mean, I get that, I think there's some, there's going to be blow back for America for sure. I just worry it's going to increase the cost of doing business, and take away from the innovation for citizen value, the people, because at the end of the day, it's for the people right? I mean, at the end of the day it's like, what's my privacy mean if I lose value? >> Even before we start talking about the value of the data and the innovation that we can do through data use, you have to understand the European perspective here. For the European there's a level of double standards and an erosion of trust. There's double standards in the fact that in California you have new privacy regulations that are slightly different to GDPR, but they're very much GDPR like. And if the boot was on the other foot, to say if we were spying on Californians and looking at their personal data, and contravening CCPA, the Californians would be up in arms! Likewise if we having promised to have a level of equality, had enacted a local rule in Europe that said that when data from America's over here, actually the privacy of Americans counts for nothing, we're only going to prioritize the privacy of Europeans. Again, the Americans would be up in arms! And therefore you can see that there are real double standards here that are a massive issue, and until those addressed, we're not going to trust the Americans. And likewise, the very fact that on a number of occasions Americans have signed up to treaties and promised to protect our data as they did with Safe Harbor, as they did with Privacy Shield, and then have blatantly, blatantly failed to do so means that actually to get back to even a level playing field, where we were, you have a great deal of trust to overcome! And the thing from the perspective of the big IT firms, they've seen this coming for a long time, as Ray was saying, and they sought to try and have a presence in Europe and other things. But the way this ruling has gone is that, I'm sorry, that isn't going to be sufficient! These big IT firms based in the U.S. that have been happy to hand over data, well some of them maybe more happy than others, but they all need to hand over data to the NSA or the CIA. They've been doing this for some time now without actually respecting this data privacy agreement that has existed between the two trading blocks. And now they've been called out, and the position now is that the U.S. is no longer trusted, and neither are any of these large American technology firms. And until the snooping stops and equality is introduced, they can now no longer, even from their European operations, they can no longer use standard contractual clauses to transfer data, which is going to be a massive restriction on their business. And if they had any sense, they'd be lobbying very, very hard right now to the Senate, to the House, to try and persuade U.S. lawmakers actually to stick to some these treaties! To stop introducing really mad laws that ride roughshod over other people's privacy, and have a certain amount of respect. >> Let's let JD weigh in, 'cause he just got in, sorry on the video, I made him back on a host 'cause he dropped off. Just, Bill, real quick, I mean I think it's like when, you know, I go to Europe there's the line for Americans, there's the line for EU. Or EU and everybody else. I mean we might be there, but ultimately this has to be solved. So, JD, I want to let you weigh in, Germany has been at the beginning forefront of privacy, and they've been hardcore, and how's this all playing out in your perspective? >> Well, the first thing that we have to understand is that in Germany, there is a very strong law for regulation. Germans panic as soon as they know regulation, so they need to understand what am I allowed to do, and what am I not allowed to do. And they expect the same from the others. For the record I'm not German, but I live in Germany for some 20 years, so I got a bit of a feeling for them. And that sense of need for regulation has spread very fast throughout the European Union, because most of the European member states of the European Union consider this, that it makes sense, and then we found that Britain had already a very good framework for privacy, so GDPR itself is very largely based on what the United Kingdom already had in place with their privacy act. Moving forward, we try to find agreement and consensus with other countries, especially the United States because that's where most of the tech providers are, only to find out, and that is where it started to go really, really bad, 2014, when the mass production by Edward Snowden came out, to find out it's not data from citizens, it's surveillance programs which include companies. I joined a purchasing conference a few weeks ago where the purchase of a large European multinational, where the purchasing director explicitly stated that usage of U.S. based tech providers for sensitive data is prohibited as a result of them finding out that they have been under surveillance. So, it's not just the citizens, there's mass -- >> There you have it, guys! We did trust you! We did have agreements there that you could have abided by, but you chose not to, you chose to abuse our trust! And you're now in a position where you are no longer trusted, and unless you can lobby your own elected representatives to actually recreate a level playing field, we're not going to continue trusting you. >> So, I think really I -- >> Well I mean that, you know, innovation has to come from somewhere, and you know, has to come from America if that's the case, you guys have to get on board, right? Is that what it -- >> Innovation without trust? >> Is that the perspective? >> I don't think it's a country thing, I mean like, it's not you or them, I think everybody -- >> I'm just bustin' Bill's chops there. >> No, but I think everybody, everybody is looking for what the privacy rules are, and that's important. And you can have that innovation with consent, and I think that's really where we're going to get to. And this is why I keep pushing that issue. I mean, privacy should be a fundamental right, and how you get paid for that privacy is interesting, or how you get compensated for that privacy if you know what the explicit value exchange is. What you're talking about here is the surveillance that's going on by companies, which shouldn't be happening, right? That shouldn't be happening at the company level. At the government level I can understand that that is happening, and I think those are treaties that the governments have to agree upon as to how much they're going to impinge on our personal privacy for the trade off for security, and I don't think they've had those discussions either. Or they decided and didn't tell any of their citizens, and I think that's probably more likely the case. >> I mean, I think what's happening here, Bill, you guys were pointing out, and Ray, you articulated there on the other side, and my kind of colorful joke aside, is that we're living a first generation modern sociology problem. I mean, this is a policy challenge that extends across multiple industries, cyber security, citizen's rights, geopolitical. I mean when would look, and even when we were doing CUBE events overseas in Europe, in North American companies we'd call it abroad, we'd just recycle the American program, and we found there's so much localization value. So, Ray, this is the digital disruption, it's the virtualization of physical for digital worlds, and it's a lot of network theory, which is computer science, a lot of sociology. This is a modern challenge, and I don't think it so much has a silver bullet, it's just that we need smart people working on this. That's my take away! >> I think we can describe the ideal endpoint being somewhere we have meaningful protection alongside the maximization of economic and social value through innovation. So, that should be what we would all agree would be the ideal endpoint. But we need both, we need meaningful protection, and we need the maximization of economic and social value through innovation! >> Can I add another axis? Another axis, security as well. >> Well, I could -- >> I put meaningful protection as becoming both security and privacy. >> Well, I'll speak for the American perspective here, and I won't speak, 'cause I'm not the President of the United States, but I will say as someone who's been from Silicon Valley and the east coast as a technical person, not a political person, our lawmakers are idiots when it comes to tech, just generally. (Ray laughing) They're not really -- (Bill laughing loudly) >> They really don't understand. They really don't understand the tech at all! >> So, the problem is -- >> I'm not claiming ours are a great deal better. (laughs) >> Well, this is why I think this is a modern problem. Like, the young people I talk to are like, "Why do we have this rules?" They're all lawyers that got into these positions of Congress on the American side, and so with the American JEDI Contract you guys have been following very closely is, it's been like the old school Oracle, IBM, and then Amazon is leading with an innovative solution, and Microsoft has come in and re-pivoted. And so what you have is a fight for the digital future of citizenship! And I think what's happening is that we're in a massive societal transition, where the people in charge don't know what the hell they're talkin' about, technically. And they don't know who to tap to solve the problems, or even shape or frame the problems. Now, there's pockets of people that are workin' on it, but to me as someone who looks at this saying, it's a pretty simple solution, no one's ever seen this before. So, there's a metaphor you can draw, but it's a completely different problem space because it's, this is all digital, data's involved. >> We've got a lobbyists out there, and we've got some tech firms spending an enormous amount of lobbying. If those lobbyists aren't trying to steer their representatives in the right direction to come up with law that aren't going to massively undermine trade and data sharing between Europe and America, then they're making a big mistake, because we got here through some really dumb lawmaking in the U.S., I mean, there are none of the laws in Europe that are a problem here. 'Cause GDPR isn't a great difference, a great deal different from some of the laws that we have already in California and elsewhere. >> Bill, Bill. >> The laws that are at issue here -- >> Bill, Bill! You have to like, back up a little bit from that rhetoric that EU is perfect and U.S. is not, that's not true actually. >> I'm not saying we're perfect! >> No, no, you say that all the time. >> But I'm saying there's a massive lack of innovation. Yeah, yeah. >> I don't, I've never said it! >> Arm wrestle! >> Yes, yes. >> When I'm being critical of some of the dumb laws in the U.S, (Sarbjeet laughing) I'm not saying Europe is perfect. What we're trying to say is that in this particular instance, I said there was an equal balance here between meaningful protection and the maximization of economic and social value. On the meaningful protection side, America's got it very wrong in terms of the meaningful protection it provides to civil European data. On the maximization of economic and social value, I think Europe's got it wrong. I think there are a lot of things we could do in Europe to actually have far more innovation. >> Yeah. >> It's a cultural issue. The Germans want rules, that's what they crave for. America's the other way, we don't want rules, I mean, pretty much is a rebel society. And that's kind of the ethos of most tech companies. But I think you know, to me the media, there's two things that go on with this tech business. The company's themselves have to be checked by say, government, and I believe in not a lot of regulation, but enough to check the power of bad actors. Media so called "checking power", both of these major roles, they don't really know what they're talking about, and this is back to the education piece. The people who are in the media so called "checking power" and the government checking power assume that the companies are bad. Right, so yeah, because eight out of ten companies like Amazon, actually try to do good things. If you don't know what good is, you don't really, (laughs) you know, you're in the wrong game. So, I think media and government have a huge education opportunity to look at this because they don't even know what they're measuring. >> I support the level of innovation -- >> I think we're unreeling from the globalization. Like, we are undoing the globalization, and that these are the side effects, these conflicts are a side effect of that. >> Yeah, so all I'm saying is I support the focus on innovation in America, and that has driven an enormous amount of wealth and value. What I'm questioning here is do you really need to spy on us, your allies, in order to help that innovation? And I'm starting to, I mean, do you need mass surveillance of your allies? I mean, I can see you may want to have some surveillance of people who are a threat to you, but wait, guys, we're meant to be on your side, and you haven't been treating our privacy with a great deal of respect! >> You know, Saudi Arabia was our ally. You know, 9/11 happened because of them, their people, right? There is no ally here, and there is no enemy, in a way. We don't know where the rogue actors are sitting, like they don't know, they can be within the walls -- >> It's well understood I think, I agree, sorry. it's well understood that nation states are enabling terrorist groups to take out cyber attacks. That's well known, the source enables it. So, I think there's the privacy versus -- >> I'm not sure it's true in your case that it's Europeans that's doing this though. >> No, no, well you know, they share -- >> I'm a former officer in the Royal Navy, I've stood shoulder to shoulder with my U.S. counterparts. I put my life on the line on NATO exercises in real war zones, and I'm now a disabled ex-serviceman as a result of that. I mean, if I put my line on the line shoulder to shoulder with Americans, why is my privacy not respected? >> Hold on -- >> I feel it's, I was going to say actually that it's not that, like even the U.S., right? Part of the spying internally is we have internal actors that are behaving poorly. >> Yeah. >> Right, we have Marxist organizations posing as, you know, whatever it is, I'll leave it at that. But my point being is we've got a lot of that, every country has that, every country has actors and citizens and people in the system that are destined to try to overthrow the system. And I think that's what that surveillance is about. The question is, we don't have treaties, or we didn't have your explicit agreements. And that's why I'm pushing really hard here, like, they're separating privacy versus security, which is the national security, and privacy versus us as citizens in terms of our data being basically taken over for free, being used for free. >> John: I agree with that. >> That I think we have some agreement on. I just think that our governments haven't really had that conversation about what surveillance means. Maybe someone agreed and said, "Okay, that's fine. You guys can go do that, we won't tell anybody." And that's what it feels like. And I don't think we deliberately are saying, "Hey, we wanted to spy on your citizens." I think someone said, "Hey, there's a benefit here too." Otherwise I don't think the EU would have let this happen for that long unless Max had made that case and started this ball rolling, so, and Edward Snowden and other folks. >> Yeah, and I totally support the need for security. >> I want to enter the -- >> I mean we need to, where there are domestic terrorists, we need to stop them, and we need to have local action in UK to stop it happening here, and in America to stop it happening there. But if we're doing that, there is absolutely no need for the Americans to be spying on us. And there's absolutely no need for the Americans to say that privacy applies to U.S. citizens only, and not to Europeans, these are daft, it's just daft! >> That's a fair point. I'm sure GCHQ and everyone else has this covered, I mean I'm sure they do. (laughs) >> Oh, Bill, I know, I've been involved, I've been involved, and I know for a fact the U.S. and the UK are discussing I know a company called IronNet, which is run by General Keith Alexander, funded by C5 Capital. There's a lot of collaboration, because again, they're tryin' to get their arms around how to frame it. And they all agree that sharing data for the security side is super important, right? And I think IronNet has this thing called Iron Dome, which is essentially like they're saying, hey, we'll just consistency around the rules of shared data, and we can both, everyone can have their own little data. So, I think there's recognition at the highest levels of some smart people on both countries. (laughs) "Hey, let's work together!" The issue I have is just policy, and I think there's a lot of clustering going on. Clustered here around just getting out of their own way. That's my take on that. >> Are we a PG show? Wait, are we a PG show? I just got to remember that. (laughs) (Bill laughing) >> It's the internet, there's no regulation, there's no rules! >> There's no regulation! >> The European rules or is it the American rules? (Ray laughing) >> I would like to jump back quickly to the purpose of the surveillance, and especially when mass surveillance is done under the cover of national security and terror prevention. I worked with five clients in the past decade who all have been targeted under mass surveillance, which was revealed by Edward Snowden, and when they did their own investigation, and partially was confirmed by Edward Snowden in person, they found out that their purchasing department, their engineering department, big parts of their pricing data was targeted in mass surveillance. There's no way that anyone can explain me that that has anything to do with preventing terror attacks, or finding the bad guys. That is economical espionage, you cannot call it in any other way. And that was authorized by the same legislation that authorizes the surveillance for the right purposes. I'm all for fighting terror, and anything that can help us prevent terror from happening, I would be the first person to welcome it. But I do not welcome when that regulation is abused for a lot of other things under the cover of national interest. I understand -- >> Back to the lawmakers again. And again, America's been victim to the Chinese some of the individual properties, well documented, well known in tech circles. >> Yeah, but just 'cause the Chinese have targeted you doesn't give you free right to target us. >> I'm not saying that, but its abuse of power -- >> If the U.S. can sort out a little bit of reform, in the Senate and the House, I think that would go a long way to solving the issues that Europeans have right now, and a long way to sort of reaching a far better place from which we can all innovate and cooperate. >> Here's the challenge that I see. If you want to be instrumenting everything, you need a closed society, because if you have a free country like America and the UK, a democracy, you're open. If you're open, you can't stop everything, right? So, there has to be a trust, to your point, Bill. As to me that I'm just, I just can't get my arms around that idea of complete lockdown and data surveillance because I don't think it's gettable in the United States, like it's a free world, it's like, open. It should be open. But here we've got the grids, and we've got the critical infrastructure that should be protected. So, that's one hand. I just can't get around that, 'cause once you start getting to locking down stuff and measuring everything, that's just a series of walled gardens. >> So, to JD's point on the procurement data and pricing data, I have been involved in some of those kind of operations, and I think it's financial espionage that they're looking at, financial security, trying to figure out a way to track down capital flows and what was purchased. I hope that was it in your client's case, but I think it's trying to figure out where the money flow is going, more so than trying to understand the pricing data from competitive purposes. If it is the latter, where they're stealing the competitive information on pricing, and data's getting back to a competitor, that is definitely a no-no! But if it's really to figure out where the money trail went, which is what I think most of those financial analysts are doing, especially in the CIA, or in the FBI, that's really what that probably would have been. >> Yeah, I don't think that the CIA is selling the data to your competitors, as a company, to Microsoft or to Google, they're not selling it to each other, right? They're not giving it to each other, right? So, I think the one big problem I studied with FISA is that they get the data, but how long they can keep the data and how long they can mine the data. So, they should use that data as exhaust. Means like, they use it and just throw it away. But they don't, they keep mining that data at a later date, and FISA is only good for five years. Like, I learned that every five years we revisit that, and that's what happened this time, that we renewed it for six years this time, not five, for some reason one extra year. So, I think we revisit all these laws -- >> Could be an election cycle. >> Huh? >> Could be an election cycle maybe. (laughs) >> Yes, exactly! So, we revisit all these laws with Congress and Senate here periodically just to make sure that they are up to date, and that they're not infringing on human rights, or citizen's rights, or stuff like that. >> When you say you update to check they're not conflicting with anything, did you not support that it was conflicting with Privacy Shield and some of the promises you made to Europeans? At what point did that fail to become obvious? >> It does, because there's heightened urgency. Every big incident happens, 9/11 caused a lot of new sort of like regulations and laws coming into the picture. And then the last time, that the Russian interference in our election, that created some sort of heightened urgency. Like, "We need to do something guys here, like if some country can topple our elections, right, that's not acceptable." So, yeah -- >> And what was it that your allies did that caused you to spy on us and to downgrade our privacy? >> I'm not expert on the political systems here. I think our allies are, okay, loose on their, okay, I call it village politics. Like, world is like a village. Like it's so only few countries, it's not millions of countries, right? That's how I see it, a city versus a village, and that's how I see the countries, like village politics. Like there are two camps, like there's Russia and China camp, and then there's U.S. camp on the other side. Like, we used to have Russia and U.S., two forces, big guys, and they managed the whole world balance somehow, right? Like some people with one camp, the other with the other, right? That's how they used to work. Now that Russia has gone, hold on, let me finish, let me finish. >> Yeah. >> Russia's gone, there's this void, right? And China's trying to fill the void. Chinese are not like, acting diplomatic enough to fill that void, and there's, it's all like we're on this imbalance, I believe. And then Russia becomes a rogue actor kind of in a way, that's how I see it, and then they are funding all these bad people. You see that all along, like what happened in the Middle East and all that stuff. >> You said there are different camps. We thought we were in your camp! We didn't expect to be spied on by you, or to have our rights downgraded by you. >> No, I understand but -- >> We thought we were on your side! >> But, but you have to guys to trust us also, like in a village. Let me tell you, I come from a village, that's why I use the villager as a hashtag in my twitter also. Like in village, there are usually one or two families which keep the village intact, that's our roles. >> Right. >> Like, I don't know if you have lived in a village or not -- >> Well, Bill, you're making some great statements. Where's the evidence on the surveillance, where can people find more information on this? Can you share? >> I think there's plenty of evidence, and I can send some stuff on, and I'm a little bit shocked given the awareness of the FISA Act, the Cloud Act, the fact that these things are in existence and they're not exactly unknown. And many people have been complaining about them for years. I mean, we've had Safe Harbor overturned, we've had Privacy Shield overturned, and these weren't just on a whim! >> Yeah, what does JD have in his hand? I want to know. >> The Edward Snowden book! (laughs) >> By Edward Snowden, which gives you plenty. But it wasn't enough, and it's something that we have to keep in mind, because we can always claim that whatever Edward Snowden wrote, that he made it up. Every publication by Edward Snowden is an avalanche of technical confirmation. One of the things that he described about the Cisco switches, which Bill prefers to quote every time, which is a proven case, there were bundles of researchers saying, "I told you guys!" Nobody paid attention to those researchers, and Edward Snowden was smart enough to get the mass media representation in there. But there's one thing, a question I have for Sabjeet, because in the two parties strategy, it is interesting that you always take out the European Union as part. And the European Union is a big player, and it will continue to grow. It has a growing amount of trade agreements with a growing amount of countries, and I still hope, and I think think Bill -- >> Well, I think the number of countries is reducing, you've just lost one! >> Only one. (Bill laughing loudly) Actually though, those are four countries under one kingdom, but that's another point. (Bill chortling heartily) >> Guys, final topic, 5G impact, 'cause you mentioned Cisco, couldn't help think about -- >> Let me finish please my question, John. >> Okay, go ahead. How would you the United States respond if the European Union would now legalize to spy on everybody and every company, and every governmental institution within the United States and say, "No, no, it's our privilege, we need that." How would the United States respond? >> You can try that and see economically what happens to you, that's how the village politics work, you have to listen to the mightier than you, and we are economically mightier, that's the fact. Actually it's hard to swallow fact for, even for anybody else. >> If you guys built a great app, I would use it, and surveil all you want. >> Yeah, but so this is going to be driven by the economics. (John laughing) But the -- >> That's exactly what John said. >> This is going to be driven by the economics here. The big U.S. cloud firms are got to find this ruling enormously difficult for them, and they are inevitably going to lobby for a level of reform. And I think a level of a reform is needed. Nobody on your side is actually arguing very vociferously that the Cloud Act and the discrimination against Europeans is actually a particularly good idea. The problem is that once you've done the reform, are we going to believe you when you say, "Oh, it's all good now, we've stopped it!" Because with Crypto AG scandal in Switzerland you weren't exactly honest about what you were doing. With the FISA courts, so I mean FISA secret courts, the secret warrants, how do we know and what proof can we have that you've stopped doing all these bad things? And I think one of the challenges, A, going to be the reform, and then B, got to be able to show that you actually got your act together and you're now clean. And until you can solve those two, many of your big tech companies are going to be at a competitive disadvantage, and they're going to be screaming for this reform. >> Well, I think that, you know, General Mattis said in his book about Trump and the United states, is that you need alliances, and I think your point about trust and executing together, without alliances, it really doesn't work. So, unless there's some sort of real alliance, (laughs) like understanding that there's going to be some teamwork here, (Bill laughing) I don't think it's going to go anywhere. So, otherwise it'll continue to be siloed and network based, right? So to the village point, if TikTok can become a massively successful app, and they're surveilling, so and then we have to decide that we're going to put up with that, I mean, that's not my decision, but that's what's goin' on here. It's like, what is TikTok, is it good or bad? Amazon sent out an email, and they've retracted it, that's because it went public. I guarantee you that they're talkin' about that at Amazon, like, "Why would we want infiltration by the Chinese?" And I'm speculating, I have no data, I'm just saying, you know. They email those out, then they pull it back, "Oh, we didn't mean to send that." Really, hmm? (laughs) You know, so this kind of -- >> But the TRA Balin's good, you always want to get TRA Balin out there. >> Yeah, exactly. There's some spying going on! So, this is the reality. >> So, John, you were talking about 5G, and I think you know, the role of 5G, you know, the battle between Cisco and Huawei, you just have to look at it this way, would you rather have the U.S. spy on you, or would you rather have China? And that's really your binary choice at this moment. And you know both is happening, and so the question is which one is better. Like, the one that you're in alliance with? The one that you're not in alliance with, the one that wants to bury you, and decimate your country, and steal all your secrets and then commercialize 'em? Or the one kind of does it, but doesn't really do it explicitly? So, you've got to choose. (laughs) >> It's supposed to be -- >> Or you can say no, we're going to create our own standard for 5G and kick both out, that's an option. >> It's probably not as straightforward a question as, or an answer to that question as you say, because if we were to fast-forward 50 years, I would argue that China is going to be the largest trading nation in the world. I believe that China is going to have the upper hand on many of these technologies, and therefore why would we not want to use some of their innovation, some of their technology, why would we not actually be more orientated around trading with them than we might be with the U.S.? I think the U.S. is throwing its weight around at this moment in time, but if we were to fast-forward I think looking in the longterm, if I had to put my money on Huawei or some of its competitors, I think given its level of investments in research and whatever, I think the better longterm bet is Huawei. >> No, no, actually you guys need to pick a camp. It's a village again. You have to pick a camp, you can't be with both guys. >> Global village. >> Oh, right, so we have to go with the guys that have been spying on us? >> How do you know the Chinese haven't been spying on you? (Ray and John laughing loudly) >> I think I'm very happy, you find a backdoor in the Huawei equipment and you show it to us, we'll take them to task on it. But don't start bullying us into making decisions based on what-ifs. >> I don't think I'm, I'm not qualified to represent the U.S., but what we would want to say is that if you look at the dynamics of what's going on, China, we've been studying that as well in terms of the geopolitical aspects of what happens in technology, they have to do what they're doing right now. Because in 20 years our population dynamics go like this, right? You've got the one child policy, and they won't have the ability to go out and fight for those same resources where they are, so what they're doing makes sense from a country perspective and country policy. But I think they're going to look like Japan in 20 years, right? Because the xenophobia, the lack of immigration, the lack of inside stuff coming in, an aging population. I mean, those are all factors that slow down your economy in the long run. And the lack of bringing new people in for ideas, I mean that's part of it, they're a closed system. And so I think the longterm dynamics of every closed system is that they tend to fail versus open systems. So, I'm not sure, they may have better technology along the way. But I think a lot of us are probably in the camp now thinking that we're not going to aid and abet them, in that sense to get there. >> You're competing a country with a company, I didn't say that China had necessarily everything rosy in its future, it'll be a bigger economy, and it'll be a bigger trading partner, but it's got its problems, the one child policy and the repercussions of that. But that is not one of the things, Huawei, I think Huawei's a massively unlimited company that has got a massive lead, certainly in 5G technology, and may continue to maintain a lead into 6G and beyond. >> Oh yeah, yeah, Huawei's done a great job on the 5G side, and I don't disagree with that. And they're ahead in many aspects compared to the U.S., and they're already working on the 6G technologies as well, and the roll outs have been further ahead. So, that's definitely -- >> And they've got a great backer too, the financer, the country China. Okay guys, (Ray laughing) let's wrap up the segment. Thanks for everyone's time. Final thoughts, just each of you on this core issue of the news that we discussed and the impact that was the conversation. What's the core issue? What should people think about? What's your solution? What's your opinion of how this plays out? Just final statements. We'll start with Bill, Ray, Sarbjeet and JD. >> All I'm going to ask you is stop spying on us, treat us equally, treat us like the allies that we are, and then I think we've got to a bright future together! >> John: Ray? >> I would say that Bill's right in that aspect in terms of how security agreements work, I think that we've needed to be more explicit about those. I can't represent the U.S. government, but I think the larger issue is really how do we view privacy, and how we do trade offs between security and convenience, and you know, what's required for personalization, and companies that are built on data. So, the sooner we get to those kind of rules, an understanding of what's possible, what's a consensus between different countries and companies, I think the better off we will all be a society. >> Yeah, I believe the most important kind of independence is the economic independence. Like, economically sound parties dictate the terms, that's what U.S. is doing. And the smaller countries have to live with it or pick the other bigger player, number two in this case is China. John said earlier, I think, also what JD said is the fine balance between national security and the privacy. You can't have, you have to strike that balance, because the rogue actors are sitting in your country, and across the boundaries of the countries, right? So, it's not that FISA is being fought by Europeans only. Our internal people are fighting that too, like how when you are mining our data, like what are you using it for? Like, I get concerned too, when you can use that data against me, that you have some data against me, right? So, I think it's the fine balance between security and privacy, we have to strike that. Awesome. JD? I'll include a little fake check, fact check, at the moment China is the largest economy, the European Union is the second largest economy, followed directly by the USA, it's a very small difference, and I recommend that these two big parties behind the largest economy start to collaborate and start to do that eye to eye, because if you want to balance the economical and manufacturing power of China, you cannot do that as being number two and number three. You have to join up forces, and that starts with sticking with the treaties that you signed, and that has not happened in the past, almost four years. So, let's go back to the table, let's work on rules where from both sides the rights and the privileges are properly reflected, and then do the most important thing, stick to them! >> Yep, I think that's awesome. I think I would say that these young kids in high school and college, they need to come up and solve the problems, this is going to be a new generational shift where the geopolitical landscape will change radically, you mentioned the top three there. And new alliances, new kinds of re-imagination has to be there, and from America's standpoint I'll just say that I'd like to see lawmakers have, instead of a LinkedIn handle, a GitHub handle. You know, when they all go out on campaign talk about what code they've written. So, I think having a technical background or some sort of knowledge of computer science and how the internet works with sociology and societal impact will be critical for our citizenships to advance. So, you know rather a lawyer, right so? (laughs) Maybe get some law involved in that, I mean the critical lawyers, but today most people are lawyers in American politics, but show me a GitHub handle of that congressman, that senator, I'd be impressed. So, that's what we need. >> Thanks, good night! >> Ray, you want to say something? >> I wanted to say something, because I thought the U.S. economy was 21 trillion, the EU is sittin' at about 16, and China was sitting about 14, but okay, I don't know. >> You need to do math man. >> Hey, we went over our 30 minutes time, we can do an hour with you guys, so you're still good. (laughs) >> Can't take anymore. >> No go on, get in there, go at it when you've got something to say. >> I don't think it's immaterial the exact size of the economy, I think that we're better off collaborating on even and fair terms, we are -- >> We're all better off collaborating. >> Yeah. >> Gentlemen -- >> But the collaboration has to be on equal and fair terms, you know. (laughs) >> How do you define fair, good point. Fair and balanced, you know, we've got the new -- >> We did define fair, we struck a treaty! We absolutely defined it, absolutely! >> Yeah. >> And then one side didn't stick to it. >> We will leave it right there, and we'll follow up (Bill laughing) in a later conversation. Gentlemen, you guys are good. Thank you. (relaxing electronic music)

>>long from Las Vegas. It's the Q covering a ws re invent 2019. Brought to you by Amazon Web service is and in along with its ecosystem partners. >>Welcome back to the Cube. Lisa Martin live on the show floor of AWS. A re in that 19 was stupid. And then this is the almost the end of our second day of coverage. And as we were just saying, There's more people in here now than there were probably a couple of hours ago. 65,000 or so folks that AWS is expecting here and I think they're all in the Expo Hall now. Sue and I are pleased to welcome from Amazon business. David Stout, the head of global alliances and partnerships. Stephen, welcome to the Cube. >>Thanks so much for having me excited because this afternoon, >>so everybody on the planet knows amazon dot com. It has transformed our lives. I also think that it's transformed us as consumers and put pressure on any business, be able to deliver to us what we want whenever way wanted >>everybody. This week's getting alerts on their phones of package deliveries. >>Yes, that's why you one of the best parts of your day is when that Amazon package shows up and it's so fast. I always forget what's really order. Hope is for me. But I'd love for you to share with our audience what Amazon businesses. >>So obviously, you just said we all know about Amazon. We'll know about eight of us, right? 65,000 people here this week. Amazon businesses, a group that's been around since 2015 and we're focusing specifically on the needs to procure it needs of business and institutional customers. >>So the big theme that we heard from Andy Jassy was talking about transformation. We can't incrementally change the environment, so tell us a little bit what happens in your space and how that ties in tow, those transformations a couple things. So so one we like. I >>said, we start in 2015 focusing on both private and public sector customers, and what we're really trying to focus on is that experience you talked about For consumers taking that same ease of use and experience to the business world, corporate chairman is really hard and cumbersome. There's a lot of tools that need to be in used, and so we're trying to drive that same ease of use into the corporate and public sector world as well. So one of things that we've done way launched 2015. As I said, way don't share a lot of details. But we did about a year ago announced that we're on about a $10 billion annualized run rate. We're in nine countries around the world so outside the United States were also live in Germany, United Kingdom, France, Italy, Germany, Spain, India, France, Sorry, India, Japan and just announced last month in Canada. So it's, ah, fast growing business and we continue to try to find ways our customers are great to give us feedback on how we can continue to innovate to serve their needs. >>Yeah, you know, it's funny. I have some history, my career, working with procurement organizations, and change is not something I hear from them. When I think of public sector, it's like, Well, it's on the G s, a contract negotiated from the years when you go to companies and you say, Hey, we've got the new product. Oh, well, I got to go through the procurement cycle to get that through these environments. So how do we make sure that companies can take the innovation, you know, be agile and, you know, take advantage of these things now from a human standpoint, yes. So there's >>a couple things. So one this week you're here in a town about digital transformation, right? Something that isn't an event. It's an ongoing evolution, one of things you know, We've been coming to to reinvent for four years now, and what we're seeing and continually saying, is that there's a convergence between the I T strategies and the procurement strategies. A lot of that is happening through technology and enabling a new technology. But it za super interesting observation for us sitting on the sidelines and helping drive some of that innovation for customers. >>The rule of the chief procurement officer has changed a lot in recent years alone. Where this rose. You're saying there's this now convergence with I T. But the CPO has a much bigger opportunity now to become much more of a strategic driver of business, whether it's evaluating supply chain management and looking for ways to streamline operations. Big shift from the financial perspective, Dr Spell some of the things that Amazon business is seeing in your customers and how it is enabling those two sides the I t folks on the procurement folks to come together so that what they're enabling is that digital business transfer. >>Yeah, absolutely so historically procurement teams up CPS and their teams were responsible for very traditional things. Sourcing contract management, risk management, supplier on boarding and off, boarding compliance with you to your point earlier still on regulations and is it on a schedule or not? Those >>are all >>still really important attributes and will continue to be a huge focus areas for those organizations. But I think with the advent of technology, what you're starting to see is a lot more focus on how to use artificial intelligence. How do we use our P? A. How do we use use machine learning to find new opportunities to Dr Efficiencies within those operations? And so I think because of that, what you're starting to see is a lot more harmonization between what see peos are thinking about. The strategy is employing and the c i ose and we're releasing a convergence between those two organizations. Republished. Amazon Business published an article with Procure Con a couple months ago. One of the findings that came out of that study was that there is a convergence happening. Over 55% of the respondents said that their goals are either fully aligned or mostly align with the goals of of the C. I. A. Organization. So we're works pretty excited about that happening. We think that we're gonna be helping customers continue to drive that collaboration and for forward thinking organizations that are trying to drive more technology way believe it's gonna be a requirement in essential. >>That's awesome. It aligns with some of the broader trends we've been seeing in cloud adoption overall, it can't be. I t in the business separately, doing their things. Help us understand how this movement forward translates into innovation for for customers. Yeah, >>so a couple things come to mind, um, eight of us things number things happening here. Eight abyss yesterday, oftentimes is sorry. Oftentimes eight of us is considered as a starter for when you think about digital transformation and cloud transformation. Um, pace of that evolution is amazing, right? Yesterday there were 14 press releases issued on new technologies and capabilities that AWS is delivering directly or through partners and I think those types of things we're helping drive that pace of evolution we talked about earlier. One of the things that I found really interesting is eight of us as a partner network. It's very mature. There's tens of thousands of partners. They launched it in 2013 and it's a huge portion of their business and growth. Amazon business is much younger in our in our maturity on we're just starting to Launch a partner network. One of things were really interested in is how do we work with third party organizations, and my team's responsible for really extending the range and reach of our traditional sales, marketing and service's channels by working with third parties. Those take the forms of primarily software companies. So you see Air P organizations, a procurement platforms and accounting expense management platforms is examples there and in the infrastructure providers that leverage that. So Octa eyes an identity management provider, their sponsor of reinvent this year they're our partner of Amazon business, and we've built a pre configured integration that will allow Octa customers that you're using a single sign of product to access the Amazon business, uh, store easily and within the controls that they've established >>it. Actually, we just had Dave McCann from the eight of us Marketplace on the program earlier, and we've watched the evolution in maturation of marketplace. How does that tie underworld allowing? Really? You know, I I've been going for years. It is close, is what we have to the enterprise app store there. So how does this play into your s? So, you know, I think there's gonna continue to be >>convergence between Amazon business in AWS overtime in the marketplace, we offer kind of a goods marketplace. They offer a software marketplace in a service marketplace. And so I think we're still working on how do we harmonize that experience better. And we've got a lot of work to do there. We have a saying in Amazon that it's always Day one, and that's a great example where we still have a lot of work to do. One >>of the >>things that is another one of our partners, Cooper, which is procure to pay platform and a long time Amazon business partner we've done some pretty creative things to improve the user experience and make it easier for customers is both Cooper and Amazon business and concert Together announced couple months ago. They've built an integration to the eight of US marketplace. And so that's a pretty exciting opportunity where people who are provisioning service is via a theatre. Best marketplace gonna have transaction, flows seamlessly into their, procured up a solution and let you know the user whose provisioning that focus on what they want to do, which is developing new solutions to serve customers. >>Yeah, Cooper is one of our cube clients. I was just covering their event Cooper London just a few weeks ago. One of the things that's interesting about them, and I'd love to get your feedback on the is their community is really massively influential in their technology, and I presume in terms of the partnerships that they forge and as really catalysts for that procurement role being so strategic to the business. Talk to us about some of the customers that you are working with, and there's third party folks as well. How are the influencing the road map of Amazon business? >>Yeah, so our customers are never shy to tell >>us that's a >>pretty right, and that's one of the things that we've been able to grow so quickly, right? So we have. We've segmented our business into four verticals who focus on health care, education, government and then commercial, which is our largest segment. We have custom invites your boards from each one of those segments and those air very intimate working sessions with everyone from micro customers up to Fortune 100 customers that are never shy, as I said to provide feedback on what we need to do better. I was with a client last week who and one of our partners who It was great to hear them say way. They just have been a at a customer advisory board. And we love the fact that those features we suggested to you 12 months ago are now in production. And so it's a huge part of what we do. It's a huge part of what drives our road map. Wey have probably the most sophisticated voice of customer feedback monitoring systems that I've seen, and that includes everything from, you know, our sales professionals talk to customers and log that feedback on future requests to monitoring social feeds to understanding what our customers want. So it's ah, it's a big part of what we do and how we do it. And I think it's one of the things that makes Amazon a really differentiated company business overall. >>All right. So, David, I think most people not only did the no Amazon, but many of them, including disclaimer myself, our Amazon prime customers. You'll have something called Business Prime. Maybe explain a little bit what that is. S >>O. So most of us are prime members as consumers, and there's a number of features to come with that. There's a shipping program, which is where it started, and then we've had a different solutions. Whether it's music or video, there are storage. Amazon business has the same philosophy. And so right now there are. We have a business prime shipping program, which was launched two years ago. We also have a other business prime offerings, including advanced analytics. So within Amazon business, them's on business portal. You can actually look at spend categorization, and we've got some pretty powerful data visualization capabilities, its prime benefit, and we have a pretty extensive road map for other features that are going to continue to come. We have financing vehicles that are tied to it already, and there's there's a lot on the road mouth. >>Well, if you need two more business videos for your business, prime customers, give us a call. We have a large library with Amazon for >>that year for seeing that, you know, >>let's talk about security. It is a fundamental component of any organization because there is so much data and we're only generating more and more and more businesses need to ensure that how they're transacting with any organization and that their data is managed in a secure way. What are some of the fundamental elements of Amazon business that you guys have built into the technology to delay liver that security for your business customers? >>First of all, we're built fully on AWS, as you'd expect, and so there's There's a >>happy about that, by the way. >>So there's there's that's that's just a safety feature that I think it gives most of his comfort. I think back to this kind of notion of convergence of I t and procurement. This is something I find really interesting. And so, um, this prick your con article I mentioned a few minutes ago one of the findings and that was that 70% of organ of respondents said that their security strategy is shared jointly between their i t and the procurement teams. And so obviously security here it reinvent you walked the expo floor. There is an entire row of things that are focused on security and how to continue to drive that within the cloud in an efficient way. This whole concept of I t and procurement coming together share objectives. I think that's a great example where it's already happening, and we continue to expect that it will happen in more detail. >>What are some of the things that surprised you most about the last day and 1/2 with all the announcements that folks understanding more about Amazon business, some of the feedback that you've gotten on the show floor or in customer meetings that the kind of highlight? Yeah, we're doing the right thing. Here >>S o. I think >>for it's always humbling when people don't know about us, right, Asai said. We've built a pretty big business, but it's still really, really early on dso It's to me that's a great opportunity that we can continue to be more to educate customers about the opportunity and how Amazon can help transform their procurement practices. It's still super release, so we're always wanting to hear that feedback. And what else could we d'oh For customers that are aware of us? What's been really also humbling is how much they're finding us to be a bigger and bigger portion of their strategic vision in the future. And so we're really excited about that on both fronts, right? The opportunity to Maur, but also that customers who are adopting us or seeing great opportunities to consolidate their suppliers Dr Greater Efficiencies and, most importantly, provide a better end user experience that they're used to from their home. Purchasing >>of this last question for you Looking at the vertical focus that you guys are taking, you mentioned the verticals, any of them in particular that are really kind of leading the way here. For that I t procurement strategic collaboration. You mentioned healthcare, commercial, anything that you really see as early adopters leading edge. >>So we actually see there's probably some some nuances between each vertical, but we've seen some great adoption across all for those vertical. So we have 55 of the Fortune 100 as customers. We have 80% of the largest educational institutions in the U. S. Is customers. We have a greater than 50% of the largest health systems in the U. S. Is customers already and greater than 40% of the largest municipalities in United States. So so we've seen some really great adoption across all four segments. Again, I think the needs of a small dentist's office are gonna be different than the needs of industrial manufacturing organization. And so we continue to find solution sets with little dress, the needs of each one of those customers. We have strategic teams that are focused specifically on the segments and how to solve them. And as I said before, customers will always tell us what we could do better at >>that. Really, >>What drives our innovation >>and where can folks go? Business owners small enlarged to learn more about Amazon business >>amazon dot com slash business >>Easy, David. Thank you for joining student on a program and sharing with us What Amazon business as we appreciate it. >>Very welcome. Thanks for having me. >>Alright. First the Minutemen. I'm Lisa Martin and you're watching the Cube from Day two of our coverage of aws reinvent 19 from Vegas signing off. Thanks for watching

>>From Miami beach, Florida. It's the queue covering a Chronis global cyber summit 2019. Brought to you by Acronis. >>Okay. Welcome back. Everyone's cubes coverage here and the Kronos is global cyber summit 2019 and Sarah inaugural event around cyber protection. I'm John Forrey hosted the cube. We're talking to all the thought leaders, experts talking about the platforms. We've got a great guest here, security analyst, author and Ted speaker. Karen Ellis, Zari who runs the besides Tel Aviv. Um, she gave a keynote here. Welcome to the queue. Thanks for coming on. >>Oh, thanks for having me. It's a pleasure. >>Love to have you on. Security obviously is hot. You've been on that wave. Even talking a lot about it. You had talked here and opposed the conference. But for us, before we get into that, I want to get in and explore what you've been doing that besides Tel Aviv, this is the global community that would be runs a cyber week. He wrote a big thing there. >>So that's something that's really important to me. So 10 years ago, hackers and security researchers thing start that somebody called security besides which was an alternative community event for hackers that couldn't find their voice in their space. In the more mainstream events like RSA conference or black hat for example. That's when security besides was born 10 years ago. Now it's a global movement and there's been more than a hundred besides events. Just this year alone, just in 2019 anywhere from Sao Paolo to Cairo, Mexico city, Athens, Colorado, Zurich, London, and in my hometown of Tel Aviv. I was very proud to bring the besides idea and the concept to Tel Aviv five years ago. This year, 2020 will be our fifth year and we'll be, I hope our biggest year yet last summer we had more than 1200 participants. We take place during something called Telaviv cyber week, which if you've never visited Tel Aviv, that's your opportunity next year of Bellevue cyber Wade brings 9,000 people to Israel. >>It's hosted by Tel Aviv university where I'm also a researcher and all of these events are free. They're in English, they are welcoming to people from all sorts of places in all walks of life. We bring people from more than 70 countries and I think it's great that we can have that platform in Israel, in Tel Aviv to share not just our knowledge but also our points of view, our different opinions about the future of cyber security. Tel Aviv university. Yeah. So Tel Aviv university hosts me cyber week and they're also the gracious hosts for the sites televi which runs as a nonprofit separate from the university. >>You know, I love these movements where you have organic, just organic growth. And then we saw that with the unconference wave couple years ago where you know, the fancy conferences got too stuffy to sponsor oriented, right? That's >>right. Yeah. Up there too. They want to have more face to face, more community oriented conversations, more or, yeah. So besides actually the first one was absolutely an unconference and to this day we maintain some of that vibe, that important community aspect of providing a stage for people that really may not have the opportunity to speak at Blackhat or here or there. They may not feel comfortable on a huge with all those lights on them. So we really need to have that community aspect of them and believe it or not. And unconference is how I got on the Ted stage because a producer from Ted actually came all the way to Israel to an unconference in the Northern city of Nazareth in Israel, and she was sitting in the room while I was giving a talk to 15 people in the lobby of a hotel. And it wasn't that, it wasn't, you know, I didn't have a big projector. >>It wasn't a fancy production on any scale, but that's where that took for loser found me and my perspective and decided that this was this sort of point of view deserves to have a bigger stage. Now with digital technologies, the lobby conference, we call it the lobby copy, cons, actions in the hallway, just always kind of cause do you have a programs? It's not about learning anymore at these events because if all you can learn online, it's a face to face communal activity. I think it's a difference between people talking at you. Two people talking with you and that's why I'm very happy to give talks and I'm here focused on sharing my point of view. But I also want to focus on having conversations with people and that's what I've been doing this morning, sharing my points of view, teaching people about how I think the security worlds could look like, learning from them, listening to them. >>And it's really about creating that sort of an atmosphere and there's a lot of tension right now in the security space. I want to get your thoughts on this because you know, I have my personal passion is I really believe that communities is where the action is in a lot of problems can be solved if tapped properly, if they want, if they're not used or if they're, if the collective intelligence of a community can be harnessed. Yes, absolutely. Purity community right now has a imperative mandate, which is there's a lot of to do better. I think good that could be happening. The adversaries are at scale. You seeing, um, you know, zero day out there yet digital warfare going on, you got all kinds of things on a national global scale happening and people are worried. Absolutely. So there's directions, there's a lot of fear, there's a lot of panic going on these days. >>If you're an average individual, you hear about cybersecurity, you're of all hackers, you're thinking, Oh my God, they should turn all of my devices off, go live in the woods with some sheep and that's going to be my future. Otherwise I'm a twist and I agree with you. It's the responsibility, all the security industry and the security community to come together and also harness the power and the potential of the many friendly hackers out there. Friendly hackers such as myself, security researchers and not all security researchers are working in a lab at the university or in the big company and they might want to, you know, be wherever they are in the world, but still contributing. This is why I talk about the hackers immune system, how hackers can actually contribute to an immune system helping us identify vulnerabilities and fix them. And in many cases I found that it's not just a friendly hackers, even the unfriendly ones, even the criminals have a lot to teach us and we can actually not afford not to pay attention, not to be really more immersed, more closely connected with what is happening in the hacker's world, whether it's criminal hackers underground or the friendly hackers who get together at community events, who share their work, who participate on bug bounty platforms, which is a big part of my personal work and my passion bug bounty programs for the viewers who are not familiar with it are frameworks that will help companies that you might rely on like Google or Facebook, United airlines or Starbucks or any company that you can imagine. >>So many big companies now have bug bounty programs in place, allowing them to actively reward individual hackers that are identifying vulnerabilities. Yeah. And they pay him a lot of money to up to millions of dollars. Yes, they do, but it's not just about the money, you know, don't, it's not just amount of money. There's all kinds of other rewards that place as well. Whether it's a fancy, you know, a tee shirt or a sticker, or in the case of Tesla for example, they give out challenge coins, the challenge coins that only go out to the top hackers. I've worked with them now you can't find anything with these challenge coins. You keep the tray, you can trade them in in the store for money. But what you can do is that you get a lot of reputational and you know, unmonitored value out of that as well. Additionally, you know another organization that's called them, the Pentagon has a similar program, so depending on his giving out, not just monetary rewards but challenge coins for hackers that are working with them. >>This reputation kind of system is really cutting edge and I think that's a great point. I personally believe that that will be a big movement in all community behavior because when you start getting into having people arbitrator who's reputable, that's an incentive beyond money. Well, what I've found great I guess, but like reputation also is important. I can tell you this because I've, I've this, I've really dissected and researched this in my academic work and the look at the data from several bug bounty programs and the data that was available. There's all kinds of value on the table. Some of the value is money and you get paid. And you know, last month I heard about the first bug bounty millionaire and he's a guy from Argentina. But the value is not just in the money, it's also reputational value. It's also work value. So some hackers, some security researchers just want to build up their resume and then they get job offers and they start working for companies that may have never looked at them before because they're not graduates of this and that school didn't have this or that upbringing. >>We have to remember that from, from the global perspective, not everybody has access to, you know, the American school system or the Israeli school system. They can't just sign up for a college degree in cybersecurity or engineering if they live in parts of the world where that's not accessible to them. But through being a researcher on the bug bounty platform, they gain up their experience, they gain up their knowhow, and then companies want to work with them and want to hire them. So that's contributing to the, you've seen this really? Yeah. We've seen this and the reports are showing this. The data is showing this, all of the bug bounty programs that ha have reports that come out that show this information as well. Do you see that the hackers on bug bounty pack platforms that usually under 30 a lot of them are. They're 30 they're young people. >>They're making their way into this industry. Now, let me tell you something. When I was growing up in Israel, that was a young hacker. I didn't know any bug bounty programs. None of that stuff was around. Granted, we also didn't have a cyber crime law, so anything I did wasn't officially illegal because we didn't have, yeah, it wouldn't necessarily. Fermentation is good. It certainly was and I was very driven by curiosity, but the point I'm trying to make is that I didn't actually have a legal, legitimate alternative to, you know, the type of hacking that I was doing. There wasn't any other option for me until it was time for me to serve in the Israeli military, which is where I really got my chops. But for people living in parts of the world where they don't have any legitimate legal way to work in cybersecurity, previously, they would have turned to criminal activities to using their knowhow to make money as a cybercriminal. >>Now that alternative of being part of a global immune system is available to them on a legitimate legal pathway, and that's really important for our workforce as well. A lot of people will tell you that cybersecurity workforce needs all the help it can get. There's a shortage of talent gap. A lot of people talk about the talent gap. I believe a big part of the solution is going to come from all of these hackers all over the world that are now accessing the legitimate legal world of cybersecurity or something. I want to amplify that. Certainly after this interview, I'd love to follow up with you. Really, we will come to Tel Aviv. It's on our list for the cube stuff. We'll be there. We'd love to launch loving mutation. What you're talking about is an unforeseen democratization, the positive impact of the world. I want you to just take a minute to explain how this all came together for this. >>With your view on this reputational thing. I talk about the impact. Where does it go beyond just reputational for jobs? What? How does a community flex and organically grow from this and so one thing that I'm very happy to see, I think in the past couple of years, the reputations generally of hackers have become important and that the concept of a hacker is not what we used to think about in the past where we would automatically go to somebody who was a criminal or a bad guy. Did you know that the girl Scouts organization, the U S girl Scouts are now teaching girls Scouts to be hackers. They're teaching them cybersecurity skills. Arguably, I would claim this is a more important skill than making cookies or you know, selling cookies. Certainly a more money to survive in the wilderness. Why not in the digital wilderness? Yes, in a fire counter than that. >>More than that, it's about service. So the girl Scouts organization's always been very dedicated to values of service. Imagine these girls, they're now becoming very knowledgeable about cybersecurity. They can teach their peers, their families, so they can actually help spread. The more you build a more secure world, certainly they could probably start the fire or track a rapid in the forest or whatever it is that girl Scouts used to do that digitally too. That's called tracing. Really motivating that person. I think that's aspiring to many young women. That's very kind of, you actually have to have more voices out there. What can we do differently? What help? What can I do as a guy, as in the industry, I have two daughters. Everyone has, as I get older, I have daughters because they care now, but most men want to help. What can we do as a group? >>So I think you're absolutely right that diversity and inclusivity within the technology workforce is not a problem there. Just the underrepresented groups need to solve by. It's actually an issue for the entire group to solve. It's men or women or any underrepresented minority and overrepresented groups as well because diversity of the workforce will actually help build a more resilient, sustainable workforce and will help with that talent gap, that shortage of people of skilled employees that we mentioned. Others, a few things that you can do. I personally decided to do what I can, so I contributed to a book called women in tech at practical guide and in that book there's also a chapter for allies. So if you're a person that wants to help a woman or women in tech in your community, you are very welcome to check out the book. It's on Amazon, women in tech, a practical guide. >>I'm a contributor to that and myself. I also started a group called leading cyber ladies, which is a global meetup for women in cyber security and we have chapters on events in Israel, in New York city, in Canada, and soon I believe in United Kingdom and Silicon Valley and perhaps in your company or in your community, you could help start a similar group or maybe encourage some of the ladies that you know to start a group, help them by finding a space, creating a safe environment for them to create meetups like that by providing resources, by sponsoring events, by mentoring does a few, a lot of things. Yeah, there's a lot of things that you can do and it's certainly most important to consider that diversity in the workforce is everybody's issue with Cod. Something just one gender or one group needs to figure out how to be a big bang theory. >>You can share with three people, two people, absolutely organic growth or conditional. Yes, certainly. And as men, if you don't want to, you know, start them an event for women because that may seem disingenuous, but you can do certainly encourage the women that you find around you. In your workforce to see if they want to maybe have a meetup and if they do, what kind of help you can offer? Can you run the AB for them? Can you as sponsored lacrosse songs, whatever kind of help that you can offer to create that sort of a space. The reason we we started cyber ladies is because I didn't see enough women speaking at security events, so I wanted to fray the meet up where the women in cybersecurity could share their work network with one another and really build up also their speaking port portfolio, their speaking powers so that they can really feel more comfortable speaking and sharing their work on other events as well. >>Camaraderie there too. Yes, it very important. Thank you so much to you now, what is your, your professional and personal interests these days? What's getting you excited? So there's some of the cool things. That's a fantastic question. So one thing I'm super excited about is that I'm actually collaborating with my sister. So my sister, believe it or not is a lawyer and she's a lawyer who specializing in cyber line, intellectual property privacy, security policy work, and I'm collaborating with her to create a new book which would be a guide to the future of cybersecurity from the hacker's perspective and the lawyers perspective because we are seeing a lot of regulators, a lot of companies that are now really having to follow laws and guidelines and regulations around cybersecurity and we really want to bring these two points of view together. We've already collaborated in the past and in fact my sister has worked on the legal terms of many of the bug bounty programs that I mentioned earlier, including the Tesla program. >>So it's very exciting. I'm very proud to be able to work with my younger sister who followed me into the cyber world. I'm the hacker, she's the lawyer and we are creating something together. Dynamic duo that's going to be, I'm excited to interview her. Yeah, so in my family we call her the tour Vogue version. Can you imagine that together? It's really unstoppable. We didn't have a chance to speak together at the RSA conference earlier this year and that was really unique. Am I going to fall off on that with the book? Well, our platform is your platform. Anything we can do to help you get the word out, super exciting work that you're doing. We think cyber community will be one of the big answers to some of the challenges out there. And we need more education. Law makers and global politicians have to get more tech savvy. Yes, this is a big, everybody, it's everybody's issue. Like I said in this morning speech, everybody's on the front lines. It's not the cyber generals or you know, the hackers in the basements that are fighting. We are on that digital Battlefront and we all have to be safer together. Karen, thanks for your great insights here in energy. Bug bounties are hot. The community is growing. This is the cyber conference here that, uh, Acronis global cyber summit 2019. I'm John Barry here to be back with more coverage after this short break.

(soaring orchestral music) >> Everyone, welcome to this CUBE Conversation here at Palo Alto, California. I'm John Furrier, host of theCUBE. We are here with Joel Horwitz, who's the CMO of WANdisco, Joel, great to see you, formerly of IBM, we've known you for many years, we've had great conversations when you were at IBM, rising star, now at WANdisco, congratulations. >> Thank you, yeah, it's really great to be at WANdisco, and great to be here with theCUBE. So we've had many conversations, again, goin' back, you were a rising star in data, you know the cloud real well, why WANdisco, why leave IBM for WANdisco, what attracted you to the opportunity? >> Yeah, really three things. First and foremost, the people. I've known the WANdisco team now for years. Back in my Hadoop days, when I was at Datamere, I used to, hang out with the WANdisco team at Data After Dark, in New York, which was great, and they had the best marketing there at the time. Two, the product, I mean I won't join a company unless the product is really legit, and they have an absolutely great technology, and they are applying it to some really tough problems. And third is just the potential, really, the potential of this company is not even close to being tapped. So there's a ton of runway there, and so, for me, I'm just totally grateful, and totally honored, to be a part of WANdisco. >> What's the tailwind for them, that wave that they're on, if you will, because you mentioned, there's a lot of runway or headroom, a lot of market growth. Certainly cloud, David Richards will talk about that. But what attracted you, 'cause you knew the cloud game too. >> Yeah, yeah. >> IBM made a big run at the cloud. >> Yeah well, I came in, at IBM, through the data door, so to speak, and then I walked through the cloud door, as well, while I was there. And the reality is that data continues to be the lifeblood of an enterprise, no matter what. And so, what I saw in WANdisco was that they had technology that allowed people to enlarge enterprise to, frankly replicate or manage their data across Hadoop clusters from cluster to cluster. And then we ended up, when I spoke with you last, with David here, we also recognize the opportunity that just how copying data, large-scale data from one Hadoop cluster to another, is challenging, copying data, it's really not that different of copying data from, say, HDFS to an object storage or S3, as pretty similar problem. And so that's why, just this past week, we announced live data for multicloud. >> Explain live data for multicloud, I've read it in the news, got some buzz, it's this great trend, live. We're doing you a lot of live videos on theCUBE, live implies real time. Data's data. Multicloud is clearly becoming one of those enterprise categories. >> Yeah. >> First it was public cloud, then hybrid cloud. >> Yeah. >> Now it's multicloud. How does live data fit into multicloud? >> Yeah, so multicloud, and live data, as I just mentioned, we have live data for Hadoop, so that's fairly obvious, so if you're going multi-cluster you can do that. As well as from, even on-prem, data center to data center, so, multi-site if you will. But multicloud is a really interesting phrase that's kind of cropped up this year. We're seeing it used quite a lot. The focus in multicloud has been mainly focus on applications. And so, talking about, how do you have a container strategy? Or a virtualization strategy, for your applications? And so, I think of it really as a multicloud strategy, as opposed to a multicloud architecture. So we're helping our enterprise clients think about their multicloud strategy. So they're not locked in to any one vendor, so they're able to take advantage of all the great innovations that are happening, if you ask me, on the cloud first, and then ultimately comes down to, at times, on-prem. >> What's the pitfalls between multicloud strategy and multicloud architecture, you just said, customers don't want to get locked in, obviously, no-one wants to get locked in, multi-vendor used to be a big buzzword, during that last wave of computer-to-client server. >> Yeah. >> Now multicloud seems like multi-vendor, what do you mean by architecture versus strategy, how do you parse that? Yeah, so like I said, in terms of your data, right, and it all comes back to your data. If you go all in on, say, one vendor, and you're architecting for that vendor only and you're choosing your migration, your data management tools, for a particular cloud vendor, and, said a different way, if you're only using the native tools from that vendor, then it's very difficult to ever move off of that cloud, or to take advantage of other clouds as they, for example, maybe have new IOT offerings, or have new blockchain offerings, or have new AI offerings, as many others come on the scene. And so, that's what I mean by strategy, is if you choose one vendor for, your certain toolset, then it's going to be very difficult to maintain arbitrage between the different vendors. >> Talk about how you guys are attacking the market, obviously, it's clear that data, has been a fundamental part of WANdisco's value proposition. Moving data around has been a top concern, even back in the Hadoop days, now it's in the cloud. >> Yeah. >> Moving data across the network, whether it's cloud to cloud, or cloud to data center, or to the edge of the network-- >> Yep. Yep. >> Is a challenge. >> You know at IBM, when I was there in 2016, and we're coming up with our strategy when I was in Corp Dev. We talked about four different areas of data, we talked about data gravity, so data has gravity. We talked about data movement, and we talked about data science. And we talked about data governance. And I still think those are still relatively the four major themes around this topic of data. And so, absolutely data has gravity, and not just in terms of the absolute size and weight, if you will. But it also has applications that depend on it, the business itself depends on it, and so, the types of strategies that we've seen to migrate data, say, to the cloud, or have a hybrid data management strategy, has been lift and shift, or to load it on to the back of, I always picture that image of the forklift lifting all those tape drives onto the airplane, you know, the IBM version of that. And that's like a century old at this point, so, we have a way to replicate data continuously, using our patented consensus technology, that's in the lifeblood of our company, which is distributed computing. And so having a way, to migrate data to the cloud, without disrupting your business, is not just marketing speak, but it's really what we are able to do for our clients. How do you guys go to market, how do you guys serve customers, what's the strategy? >> So, primarily we've formed a number of strategic partnerships, obviously one with IBM that I helped spearhead while I was there, we actually just recently announced that we now support Big SQL, so it's actually the first opportunity where, if you are using a database, provided by IBM, you can actually replicate across different databases and still query it with Big SQL. Which is a big deal, right, it means you can still have access to your data while it's in motion, right, that's pretty cool. And then so IBM is there, and then secondly, we've formed a number of other strategic partnerships with the other cloud vendors, of course, Alibaba we have an OEM, Microsoft, we have preferred selling motion with them, AWS, of course, we're in their marketplace. So primarily, we sell through a number of our key partnerships, because, we are, fairly integrated, like I said, into the architecture of these platforms, and, just to comment more deeply on that, when you look at, object storage, on each of these various public cloud vendors. They may look similar on the surface, maybe they all use the same APIs or have some level of, similar interaction, they look like they're the same, the pricing might be the same. We go like one level deeper, and they're all very different, they're all very different flavors of object storage. And so while it might seem like, "Oh, that's trivial to work with," it really isn't, it's extremely non-trivial, so, we help, not only our customers solve that, but we also help our partners significantly, help their clients move to the cloud, to their cloud, faster. >> So you basically work through people who sell your product, to the end user customer, or through their application or service. >> Yeah, that's our main route to market, I would say, the other, obviously, the main, we have a direct sales force, who's out there, working with the best clients in the world. AMD is a great customer of ours, who we recently helped migrate to Microsoft Azure. And we have a number of other large enterprise customers, in retail, and finance, and media. And so really, when it comes down to it, yeah it's those two majors motions, one through the cloud vendors themselves, 'cause frankly, in most cases, they don't have this technology to do it, you know, they're trying to basically take snapshots of data, and they're struggling to convince their customers to move to their cloud. >> It becomes a key feature in platforms. >> Yes it does. >> So that's obviously what attracts sellers, what other things would attract sellers or partners, for you, what motivates them, obviously the IP, clearly, is the number one, economics, what's the other value proposition? >> The end goal isn't to move data to the cloud, the end goal is to move business processes to the cloud, and then be able to take advantage of the other value adds that already exist in the cloud. And so if you're saying, what's the benefit there, well, once you do that move, then you can sell into, clients with all your additional value adds. So that's really powerful, if you are stuck with this stage of "Eh, how do we actually migrate data to the cloud?" >> So IBM Think is coming up, what's your view of what's happening there, what are you guys going to be doing there, as are you, on the IBM side-- >> Yeah. >> Now you're on the other side of the table. You've been on both sides of the table. >> Yeah. >> So what's goin' on at Think, and how does WANdisco, vector, and certainly CUBE will be there. >> Yeah, we'll be there, so WANdisco is a sponsor of IBM Think as well, clearly, as I mentioned, we'll be talking about Big Replicate, which is our Hadoop replication offering, that's sold with IBM. The other one, as I mentioned, is Big SQL, so that's a new offering that we just announced this past month. So we'll be talking about that, and showing a number of great examples of how that actually works, so if you're going to be at Think, come by our booth, and check that out. In addition to that, I mean, clearly, IBM is also talking about multicloud and hybrid cloud, so hybrid data management, hybrid cloud is a big topic. You can expect to see, at IBM Think, a lot of conversations on the application side. In terms of, obviously with their acquisition of Red Hat, you can well imagine they're going to be talking a lot about the software stack, there. But I would say that, we'll be talking, and spending most of our time talking about, how to manage your data across different environments. >> Where's the product roadmap heading, I know you guys don't like to go into specifics in public- >> Yeah. >> Sensitive information, but, generally speaking, where's the main trendlines that you guys are going to be building on, obviously, cloud data, they'll come in together, good core competency there for WANdisco, what's next, what's the next level for you guys? >> So what's really fascinating, and I actually didn't realize this when I joined WANdisco, just to be completely transparent. WANdisco has a core piece of technology called DConE, Distributed Coordination Engine. It essentially is a form of blockchain, really, it's a consensus technology, it's an algorithm. And that's been their secret sauce since the founding of the company. And so they originally applied that to code, through source code management, and then only in this last few years they've applied it to data. So you can guess, at other areas that we might apply it to, and already this past year, we actually filed two patents, in the area of blockchain, or really, distributed ledger technology, as we're starting to hear it called in the actual enterprise that's using it. But you can expand that to any other enterprise asset, really. That's big, right, that has value, and that you want to manage across different environments, so you can imagine, lots of other assets that we could apply this to, not only code, not only data, not only ledgers, but what are the other assets? And so that's essentially what we're working on. >> Is that protectable IP the patents, so those are filed on the blockchain? >> Yeah, yeah. >> For instance? >> So DConE is certainly patented, I'm sure Jagane'll talk more about this. >> Yeah, we'll get into it. >> There's probably a handful of people in the world, and they might all be working at WANdisco at this point. (chuckles) Who actually know how that works, and it's essentially Paxos, which is a really gnarly problem to solve, a really difficult math problem. And as David mentioned earlier, Google, the other smartest company in the world, published their paper on Spanner, and as you said, they used brute force, really, to solve the problem. Where we have a very elegant solution, using software, right? So it's a really great time to be at WANdisco, because I just see that there's so many applications of our technology, but, right now, we're mainly focused on what our customers are asking for. >> You've said a great quote, thanks Joe, final question for you, where do you see it going, WANdisco, what are your plans, do you have anything in mind, do you want to share anything notable, around what you're doing, and what you think WANdisco will be in a few years. >> We have an incredible team, as I mentioned, the people that are joining WANdisco, as David mentioned, I myself, not to say too much there, but, the new folks that have joined our Research and Development Team, but we've been making some great hires, to WANdisco. So I'm really excited about the team, I'm going, actually, to visit, we have a great team in Europe, in the UK, in the United Kingdom, so I'm going to go see them next week. But we have just the company culture is what drives me, I think that's just one of those hard things, really, to find. And so that's what I'm really excited about, so there's a lot of cool stuff happening there. You know, on that note, it's actually kind of funny, because on one of the articles that talked about live data for multicloud, asked the question, and her headline was "Are You Down to Boogie?" So, disco continues to be a great meme for us, with our name. (John chuckles) Unintentional, so, as a marketer, it's a pretty fun time to be at WANdisco. >> Seventies and eighties were great times, certainly I'm an eighties guy, Joel, thanks for comin' on, appreciate the update, Joel Horowitz, CMO, Chief Marketing Officer, WANdisco, really on a nice wave right now, cloud growth, data growth, all comin' together, real IP, lookin' forward to hearing more, what comes down the pipe for those guys, you'll see him at IBM Think. I'm John Furrier here, in the studios at Palo Alto, thanks for watching. (soaring orchestral music)

>> Announcer: From Boston, Massachusetts, it's theCUBE! Covering Cloud Foundry Summit 2018. Brought to you by the Cloud Foundry Foundation. >> I'm Stu Minamin and this is theCUBE's coverage of Cloud Foundry Summit 2018. Here in beautiful Boston, Massachusetts. Happy to welcome back to the program Chip Childers, who is the CTO of the Cloud Foundry Foundation. Chip, you started off this morning saying the runners this morning got a taste of the Boston Marathon. >> They did, they did! >> It's raining, it's cold, it's miserable. >> Yesterday was beautiful. >> At least there was less wind. >> Yesterday was absolutely beautiful. So we kicked off the summit, beautiful sun, but then we had our Fun Run this morning. >> As a local, I do apologize for the weather. Normally April's a great time. We want more tech coverage here in the area. More tech shows. We're in the center of a great tech hub, here in the Boston Seaport. We've talked to a couple of Boston startups, you know, here at the show. And, you know, great ecosystem if you go there. Thank you for bringing your show here. >> Absolutely, happy to be here. >> All right, so, last time we caught up was year ago at the show. And I think it was, what, 213 working days or something? I think Molly said >> Something like that Something like that yeah. >> The good thing is in our industry, nothings changing, we can talk about the same stuff as last year. >> Leisurely pace >> No concern, let's just sit back and you know, talk about our favorite pop culture references. Chip what's hot on your plate? And what are you hearing from the users in the community? >> Sure. So this year the theme Our events team came up with a very fun pun, which is Running at Scale. It means two things. One, the Boston Marathon was on Monday, but two it really does represent the stories that we're getting from our users, the customers, and the distributions, those that use the open source directly. So not only are we seeing a broadening of adoption across new organizations, but they're getting really deep into using it. We filled a survey, user survey, just did our second run of it. In fact we didn't have this data back in Santa Clara last year. So it's been less than a year since the 2017 one. And what we found was that there was a 21 point swing in those companies that were using Cloud Foundry with more than 50 developers, alright. So 50 developers and higher When you really talk to the interesting, large scale Fortune 500 companies, they're talking thousands of developers, that are working on the platform, being productive, and that truly is kind of what this event is about for us. >> I grew up around the infrastructure stuff, and scale means a lot of things to a lot of people, but had a great discussion with Dr. Nick, just before talking about how if you were to build your kind of utopian environment You look at some of the hyper-scale companies, the Facebooks and Googles of the world, and thing is they're such a scale that if they don't have good automation, and don't have you know really the distributive architectures that we're all talking about and things like that, there's no way that they could run their businesses. >> Yeah and the reality is a lot of the businesses that aren't Google, aren't Facebook, they have to be able to think about that level of scale. To me it really boils down to three basic principles, and to me this is the best definition of what Cloud native means. Whether you're talking about a platform, whether you're talking about how you design your applications, it's simple patterns, highly automated, which can be scaled with ease, right? And through that you can do really amazing things with software, but it has to be easily scaled, it has be easily managed, and you do that through the simplicity of the patterns that you apply. >> Yeah, and being simple is difficult. >> Yes >> How much we have arguments in the industry it's like well, let's throw an abstraction layer in there, do an overlay or underlay, but you know really building kind of distributed systems, is a little bit different. >> It is a little bit different. So one of the things that the Cloud Foundry ecosystem has, is a rich history of iterating towards a better and better developer experience. At its heart, the Cloud Foundry ecosystem of distribution, and tools, and the different products we have, they're all about helping the developer be a better developer in the context of their organization. So we've been iterating on that experience and just doing incremental constant improvement and change and we're very proud of that productivity, right? And that's really what drive these organizations to say look, this is a platform that is operated very easily with small teams. I think you've spoken with a couple companies, and if you ever ask them hot many operators do you have to handle thousands of engineers, tens of thousands of applications, they say, well, maybe ten. >> The T-Mobile example is >> Great example >> Ten to fifteen operators with 17000 developers so >> Chip: Yep, yep >> It's funny cause I remember we used to talk about you know in the enterprise how many servers can a single admin handle and then if you go to the hyper-scale ones it was three orders magnitude different. But in the hyper-scale ones they didn't really have server people, they had people that brought in servers, and people threw them in the wood chipper when they were done >> Chip: Absolutely >> And they didn't manage them. It was the old cattle versus pets analogy that we talked about in the other room, It's just totally different mindsets is how we think about this. I love, For me, it was in the enterprise you know, we harden the hardware, we think about this, and in the software world it's you know, No no, I built it in the application layer, because One of my favorite lines I use is you know, Hardware will eventually fail, and software will eventually work right? >> Absolutely. I think that's the difference between, So application centric thinking leads you to Necessarily, you have to have infrastructure to run it right? My favorite thing is this whole server-less term is absolutely ridiculous if anybody understands it, but there's a little bit behind it, which is, in fact I'd argue Cloud Foundry's fundamentally server-less because when you push code into it, you don't care what operating system's underneath it, right? All you care about is the fact that you've written some code in Java or in Nojass or in Ruby, you're handing it to a platform it deals with all of the details of building a container image, scaling it, managing it, pulling independencies, you don't care what underlying operating systems there, and then that ten person platform operations team, in the Cloud Foundry world, they have the benefit of upstream projects actually producing the operating system image that they can consume, within hours of major vulnerabilities being announced. >> I love actually, at this show you've got a containers and server-less track >> We do >> And I'm an infrastructure guy by background and when we went to virtualization we went little bit up the stack, I don't think about servers I'm trying to get closer to that application. Love you to comment on is Cloud Foundry helps gives some stability and control at that infrastructure level, but it still involved with infrastructure, from in my own data center, >> Chip: Yep >> or hosted data center or I know what could I'm on. When I start going up to like server-less, I'm a little bit higher up the stack, and that's why they can live together, >> Yeah, yeah >> And its closer tied to the application than it is to the infrastructure, so maybe you can tease that out for us a little. >> Yeah, so I think one of the main things that we've heard from the user community and this is actually coming from users of a number of the different distributions. They're saying, look there are roughly, today, roughly two different modes that we care about, cloud native application workloads. And this might expand to include functions and service but predominantly there's two. There's the custom software that we write, which the past experience is great for, and then there's the ISV delivered software, which today increasingly the medium of software delivery is becoming the container image, whether it's an OCI container, whether it's a Docker image, ISV ships software as container images, and you need a great place to land that, so those two abstractions, that paths, just hand the system your code, or the container service just hand it a container image, both of them work really well together, and part of what we're trying to do as a community, a technical community, is we're evolving those integrations so that we can work really well with the Kubernetes ecosystem. There are different options for how these things might be stacked, depending on the vendor that you're talking to, I think mostly that's immaterial to the customers, I think mostly the customers care about having those two experiences be unified from their developer or app owner prospective. >> When you come to this show, there's more than just Cloud Foundry. There's a lot of other projects >> Chip: For sure >> That are coming on to the space Gives us a little viewpoint as to how the foundation looks at this. What's the charter which it fits under Linux foundation There's so many different pieces, Some kind of bleed into what the CNCF is doing, and just try to help map out >> Chip: Yeah how some of these pieces and it's this great toolbox that we've talked about in open source. I love like the zip car guy got up and he's like, I use all the peripheral stuff, and none of the core stuff >> Right >> And that's okay >> Absolutely, that's the fun of open source. So there's a couple ways to look at this. So first, the open source communities collectively. There's a lot of innovations going on in this space, obviously What the Cloud Foundry ecosystem generally does, historically has done, and will continue to do, is that we are focused on the user needs, first and foremost. And what our technical project teams do is they look at what's available in the broader open source ecosystem. They adopt and integrate what makes sense, where we have to build something ourselves, simply because there isn't an equivalent, or it's necessary for technical reasons. We'll build that software. But our architecture has changed many times. In fact, since 2015, right. It hasn't been that many years, as you said, we move slow in this industry (Stu laughs) We've changed this architecture constantly. The upstream projects releasing at minimum of twice a month. That's a pretty high velocity. And it's a big coordinated release. So we're going to continue to evolve the architecture, to bring in new components, this is where CNCF relates. We've integrated Envoy, which is a CNCF project. We're now bringing in Kubernetes, in a couple of different ways. We're working closely with Istio, which is not a CNCF project, yet. But it looks like it might head that way. Service mesh capabilities, We were an early adopter of the container networking interface. Another Linux foundation effort was the open container initiative, right. Seeded from some code from Docker, again one of the earliest platforms to adopt that, outside of Docker. So we really look at the entire spectrum of open source software as a rich market of componentry that can be brought together. And we bring it together so that all these great users that you're talking to, can go along this journey, and think of it almost as a rationalization of the innovative chaos that's occurring. So we rationalize that. Our job is to rationalize our distributions, use that rationalization, and then all of the users get to take advantage of new things that come up. But also we take what gets integrated very seriously, because it has to reach a point of maturity. T-Mobile again, running their whole business on Cloud Foundry. Comcast, running their whole business on Cloud Foundry. US Air Force, fundamentally running their air traffic control, right, how do they get fuel to the jets, on Cloud Foundry. So we take that seriously. And so it's this combination of, harvesting innovation from where we can harvest it, bring it all together, be very thoughtful about how we bring it together, and then the distributions get the advantage of saying, here's a stable core that's going to evolve and take us into the future. >> Chip I've loved the discussion with real customers, doing digital transformation. What that means for them. How they're moving their business forward. Want to give you the final word, for those that couldn't come to the show, I know a lot of the stuffs online, there's a lot of information out there, anything particular do you want to call out, or say hey this is cool, interesting, or exciting you that you'd want to point to. >> Yeah, I actually. There are a lot of things but the one thing that I'll point to is as a US citizen, I'm particularly proud of some of the work that's happening in the US Government. Through 18F, with cloud.gov as an example, but if I step back even further, Cloud Foundry is serving as a vehicle for collaboration across multiple nations right now. We're seeing Australia, we're seeing the United Kingdom, Netherlands, Canada, South Korea, all of these national governments, are trying to figure out how to change citizen engagement to follow the lead of the startups, which are the internet companies, at the same time that these large Fortune 500 companies, are also trying to digitally transform. Governments are trying to do the same thing. So we had a, we're almost done for the day here, but there was almost a full day track of governments talking about their use of the tech, talking about that same digital transformation journey. So to me that's actually really inspiring to see that happen >> Alright well Chip Childers. He was a dancing stick figure >> Chip: I was in the keynote this morning, but here with us on theCUBE. Thank you so much for joining once again, and thank you to the foundation for helping us bring this program to our audience. >> Chip: We're happy to have you here. >> I'm Stu Miniman, and this is theCUBE. Thanks for watching (bright popping music)