(upbeat music) >> Hello everyone, welcome to this special Cube conversation. I'm John Furrier, host of theCube. We're here in Palo Alto. We've got some remote guests. Going to break down the Fortinet vulnerability, which was confirmed last week as a critical vulnerability that exposed a zero-day flaw for some of their key products, obviously, FortiOS and FortiProxy for remote attacks. So we're going to break this down. It's a real time vulnerability that happened is discovered in the industry. Horizon3.ai is one of the companies that was key in identifying this. And they have a product that helps companies detect and remediate and a bunch of other cool things you've heard on the cube here. We've got James Horseman, an exploit developer. Love the title. Got to got to say, I'm not going to lie. I like that one. And Zach Hanley, who's the chief attack engineer at Horizon3.ai. Gentlemen, first, thank you for joining the Cube conversation. >> Thank you. It's good to be here. >> Yeah, thank you so much for having us. >> So before we get into the whole Fortinet, this vulnerability that was exposed and how you guys are playing into this I just got to say I love the titles. Exploit developer, Chief Attack Engineers, you don't see that every day. Explain the titles Zach, let's start with you. Chief Attack Engineer, what do you do? >> Yeah, sure. So the gist of it is, is that there is a lot to do and the cybersecurity world. And we made up a new engineering title called Attack Engineer because there's so many different things an attacker will actually do over the course of attack. So we just named them an engineer. And I lead that team that helps develop the offensive capabilities for our product. >> Got it. James, you're the Exploit Developer, exploiting. What are you exploiting? What's going on there? >> So what I'll do in a day to day is we'll take N-days, which are vulnerabilities that have been disclosed to a vendor, but not yet publicly patched necessarily or a pocket exists for them. And I'll try to reverse engineer and find them, so we can integrate them into our product and our customers can use them to make sure that they're actually secure. And then if there's no interesting N-days to go after, we'll sometimes search for zero-days, which are vulnerabilities in products that the vendor doesn't yet know about. >> Yeah, and those are most critical. Those things can being really exploited and cause a lot of damage. Well James, thanks for coming on. We're here to talk about the vulnerability that happened with Fortinet and their products zero-day vulnerability. But first with the folks, for context, Horizon3.ai is a new startup rapidly growing. They've been on theCube. The CEOs, Snehal and team have described their product as an autonomous pen testing. But as part of that, they also have more of a different approach to testing environment. So they're constantly putting companies under pressure. Let's get into it. Let's get into this hack. So you guys are kind of like, I call it the early warning detection system. You're seeing things early because your product's constantly testing infrastructure. Okay? Over time, all the time always on. How did this come come about? How did you guys see this? What happened? Take us through. >> Yeah, sure. I'll start off. So on Friday, we saw on Twitter, which is actually a really good source of threat intelligence these days, We saw a person released details that 40 minutes sent advanced warning email that a critical vulnerability had been discovered and that an emergency patch was released. And the details that we saw, we saw that was an authentication bypass and we saw that it affected the 40 OS, 40 proxy and the 40 switch manager. And we knew right off the bat those are some of their most heavily used products. And for us to understand how this vulnerability worked and for us to actually help our clients and other people around the world understand it, we needed to get after it. So after that, James and I got on it, and then James can tell you what we did after we first heard. >> Yeah. Take us through play by play. >> Sure. So we saw it was a 9.8 CVSS, which means it's easy to exploit and low complexity and also kind of gives you the keys that take them. So we like to see those because they're easy to find, easy to go after. They're big wins. So as soon as we saw this come out we downloaded some firmware for 40 OS. And the first few hours were really about unpacking the firmware, seeing if we could even to get it run. We got it running a a VMware VMDK file. And then we started to unpack the firmware to see what we could find inside. And that was probably at least half of the time. There seemed to be maybe a little bit of obfuscation in the firmware. We were able to analyze the VDMK files and get them mounted and we saw that they were, their operating system was compressed. And when we went to decompress them we were getting some strange decompression errors, corruption errors. And we were kind of scratching our heads a little bit, like you know, "What's going on here?" "These look like they're legitimately compressed files." And after a while we noticed they had what seemed to be a different decompression tool than what we had on our systems also in that VMDK. And so we were able to get that running and decompress the firmware. And from there we were off to the races to dive deeper into the differences between the vulnerable firmware and the patch firmware. >> So the compressed files were hidden. They basically hid the compressed files. >> Yeah, we're not so sure if they were intentionally obfuscated or maybe it was just a really old version of that compression algorithm. It was the XZ compression tool. >> Got it. So what happens next? So take us through. So you discovered, you guys tested. What do you guys do next? How did this thing... I mean, I saw the news it hit heavily. You know, they updated, everyone updated their catalog for patching. So this kind of hangs out there. There's a time lag out there. What's the state of the security at that time? Say Friday, it breaks over the weekend, potentially a lot of attacks might have happened. >> Yeah, so they chose to release this emergency pre-warning on Friday, which is a terrible day because most people are probably already swamped with work or checking out for the weekend. And by Sunday, James and I had actually figured out the vulnerability. Well, to make the timeline a little shorter. But generally what we do between when we discover or hear news of the CV and when we actually pocket is there's a lot of what we call patch diffing. And that's when we take the patched version and the unpatched version and we run it through a tool that kind of shows us the differences. And those differences are really key insight into, "Hey, what was actually going on?" "How did this vulnerability happen?" So between Friday and Sunday, we were kind of scratching our heads and had some inspiration Sunday night and we actually figured it out. So Sunday night, we released news on Twitter that we had replicated the exploit. And the next day, Monday morning, finally, Fortinet actually released their PSIRT notice, where they actually announced to the world publicly that there was a vulnerability and here are the mitigation steps that you can take to mitigate the vulnerability if you cannot patch. And they also release some indicators of compromise but their indicators of compromise were very limited. And what we saw was a lot of people on social media, hey asking like, "These indicators of compromise aren't sufficient." "We can't tell if we've been compromised." "Can you please give us more information?" So because we already had the exploit, what we did was we exploited our test Fortinet devices in our lab and we collected our own indicators of compromise and we wrote those up and then released them on Tuesday, so that people would have a better indication to judge their environments if they've been already exploited in the wild by this issue. Which they also announced in their PSIRT that it was a zero-day being exploited in the wild It wasn't a security researcher that originally found the issue. >> So unpack the difference for the folks that don't know the difference between a zero-day versus a research note. >> Yeah, so a zero-day is essentially a vulnerability that is exploited and taken advantage of before it's made public. An N-day, where a security researcher may find something and report it, that and then once they announce the CVE, that's considered an N-day. So once it's known, it's an N-day and once if it's exploited before that, it's a zero-day. >> Yeah. And the difference is zero-day people can get in there and get into it. You guys saw it Friday on Twitter you move into action Fortinet goes public on Monday. The lag between those days is critical time. What was going on? Why are you guys doing this? Is this part of the autonomous pen testing product? Is this part of what you guys do? Why Horizon3.ai? Is this part of your business model? Or was this was one of those things where you guys just jumped on it? Take us through Friday to Monday. >> James, you want to take this one? >> Sure. So we want to hop on it because we want to be able to be the first to have a tool that we can use to exploit our customer system in a safe manner to prove that they're vulnerable, so then they can go and fix it. So the earlier that we have these tools to exploit the quicker our customers can patch and verify that they are no longer vulnerable. So that's the drive for us to go after these breaking exploits. So like I said, Friday we were able to get the firmware, get it decompressed. We actually got a test system up and running, familiarized ourself with the system a little bit. And we just started going through the patch. And one of the first things we noticed was in their API server, they had a a dip where they started including some extra HTTP headers when they proxied a connection to one of their backend servers. And there were, I believe, three headers. There was a HTTP forwarded header, a Vdom header, and a Cert header. And so we took those strings and we put them into our de-compiled version of the firmware to kind of start to pinpoint an area for us to look because this firmware is gigantic. There's tons of files to look at. And so having that patch is really critical to being able to quickly reverse engineer what they did to find the original exploit. So after we put those strings into our firmware, we found some interesting parts centered around authorization and authentication for these devices. And what we found was when you set a specific forwarded header, the system, for lack of better term, thought that you were on the inside. So a lot of these systems they'll have kind of, two methods of entry. One is through the front door, where if you come in you have to provide some credentials. They don't really trust you. You have to provide a cookie or some kind of session ID in order to be allowed to make requests. And the other side is kind of through the back door, where it looks like you are part of the system itself. So if you want to ask for a particular resource, if you look like you're part of the system they're not going to scrutinize you too much. They'll just let you do whatever you want to do. So really the nature of this exploit was we were able to manipulate some of those HTP headers to trick the system into thinking that we were coming in through the back door when we really coming in through the front. >> So take me through that that impact. That means remote execution. I can come in remotely and anonymous and act like I'm on the inside system. >> Yeah. >> And that's the case of the kingdom as you said earlier, right? >> Yeah. So the crux of the vulnerability is it allows you to make any kind of request you want to this system as if you were an administrator. So it lets you control the interfaces, set them up or down, lets you create packet captures, lets you add and remove users. And what we tried to do, which surprisingly the exploit didn't let us do was to create a new admin user. So there was some kind of extra code in there to stop somebody that did get that extra access to create an admin user. And so that kind of bummed us out. And so after we discovered the exploit we were kind of poking around to see what we could do with it, couldn't create an admin user. We were like, "Oh no, what are we going to do?" And eventually we came up with the idea to modify the existing administrator user. And that the exploit did allow us to do. So our initial POC, took some SSH keys adding them to an existing administrative user and then we were able to SSH in through the system. >> Awesome. Great, description. All right, so Zach, let's get to you for a second. So how does this happen? What does this... How did we get here? What was the motivation? If you're the chief attacker and you want to make this exploit happen, take me through what the other guy's thinking and what he did or she. >> Sure. So you mean from like the attacker's perspective, why are they doing this? >> Yeah. How'd this exploit happen? >> Yeah. >> And what was it motivated by? Was it a mistake? Was it intentional? >> Yeah, ultimately, like, I don't think any vendor purposefully creates vulnerabilities, but as you create a system and it builds and builds, it gets more complex and naturally logic bugs happen. And this was a logic bug. So there's no blame Fortinet for like, having this vulnerability and like, saying it's like, a back door. It just happens. You saw throughout this last year, F5 had a very similar vulnerability, VMware had a very similar vulnerability, all introducing authentication bypasses. So from the attacker's mindset, why they're actually going after this is a lot of these devices that Fortinet has, are on the edge of corporate networks and ransomware and whatever else. If you're a an APT, you want to get into organizations. You want to get from the outside to the inside. So these edge devices are super important and they're going to get a lot of eyes from attackers trying to figure out different ways to get into the system. And as you saw, this was in the wild exploited and that's how Fortinet became aware of it. So obviously there are some attackers out there doing this right now. >> Well, this highlights your guys' business model. I love what you guys do. I think it's a unique and needed approach. You take on the role of, I guess white hacker as... white hat hacker as a service. I don't know what to call it. You guys are constantly penetrating, testing, creating value for the customers to avoid in this case a product that's popular that just had the situation and needed to be resolved. And the hard part is how do you do it, right? So again, there's all these things are going on. This is the future of security where you need to have these, I won't say simulations, but constant kind of testing at scale. >> Yeah. >> I mean, you got the edge, it takes one little entry point to get into the network. It could be anywhere. >> Yeah, it definitely security, it has to be continuous these days. Because if you're only doing a pen test once a year or twice a year you have a year to six months of risk just building and building. And there's countless vulnerabilities and countless misconfigurations that can be introduced into a your network as the time goes on. >> Well, autonomous pen testing- >> Just because you're- >> ... is great. That's awesome stuff. I think it just frees up the talent in the organization to do other things and again, get on the real important stuff. >> Just because your network was secure yesterday doesn't mean it's going to be secure today. So in addition to your defense in depth and making sure that you have all the right configurations, you want to be continuously testing the security of your network to make sure that no new vulnerabilities have been introduced. >> And with the cloud native modern application environment we have now, hardware's got to keep up. More logic potential vulnerability could emerge. You just never know when that one N-vulnerability is going to be there. And so constantly looking out for is a really big deal. >> Definitely. Yeah, the switch to cloud and moving into hybrid cloud has introduced a lot more complexity in environments. And it's definitely another hole attackers going and after. >> All right. Well I got you guys here. I really appreciate the commentary on this vulnerability and this exploit opportunity that Fortinet had to move fast and you guys helped them and the customers. In general, as you guys see the security business now and the practitioners out there, there's a lot of pain points. What are the most powerful acute pain points that the security ops guys (laughing) are dealing with right now? Is it just the constant barrage of attacks? What's the real pain right now? >> I think it really matters on the organization. I think if you're looking at it from a in the news level, where you're constantly seeing all these security products being offered. The reality is, is that the majority of companies in the US actually don't have a security staff. They maybe have an IT guy, just one and he's not a security guy. So he's having to manage helping his company have the resources he needs, but also then he's overwhelmed with all the security things that are happening in the world. So I think really time and resources are the pain points right now. >> Awesome. James, any comment? >> Yeah, just to add to what Zach said, these IT guys they're put under pressure. These Fortinet devices, they could be used in a company that just recently transitioned to a lot of work from home because of COVID and whatnot. And they put these devices online and now they're under pressure to keep them up to date, keep them configured and keep them patched. But anytime you make a change to a system, there's a risk that it goes down. And if the employees can't VPN or log in from home anymore, then they can't work. The company can't make money. So it's really a balancing act for that IT guy to make sure that his environment is up to date, while also making sure it's not taken down for any reason. So it's a challenging position to be in and prioritizing what you need to fix and when is definitely a difficult problem. >> Well, this is a great example, this news article and this. Fortinet news highlights the Horizon3.ai advantage and what you guys do. I think this is going to be the table stakes for security in the industry as people have to build their own, I call it the militia. You got to have your own testing. (laughing) You got to have your own way to help protect yourself. And one of them is to know what's going on all the time every day, today and tomorrow. So congratulations and thanks for sharing the exploit here on this zero-day flaw that was exposed. Thanks for for coming on. >> Yeah, thanks for having us. >> Thank you. >> Okay. This is theCube here in Palo Alto, California. I'm John Furrier. You're watching security update, security news, breaking down the exploit, the zero-day flaw that was exploited at least one attack that was documented. Fortinet devices now identified and patched. This is theCube. Thanks for watching. (upbeat music)

>> Live from Las Vegas, It's theCube. Covering VMworld 2018. Brought to you by VMware and it's ecosystem partners. >> Welcome back, this is day three of three days live wall to wall coverage of VMworld 2018. This is theCube, I'm Stu Miniman, and my co-host this morning is Justin Warren. How about I welcome back to our program two Cube Alum's from the VMVare storage and availity business unit. Yanbing Li, second time in The Cube this week, is the senior vice president >> Yes. >> and general manager of the group. And Christos Karamanolis, is the fellow and CTO, thank you both for joining us. >> Great to be here. >> Great to be here. >> Alright, so first of all, congratulations. A lot of news this week, a lot of excitement around it. And we're talking off cameras, there's so much there that people don't understand some of the work that went into this. And some highlights as to things that I know VMWare thinks will be very game changing over the next couple of years. So, we're excited to dig into this. Yanbing, why don't you start us off with a little bit of an overview from your group as to the news this week. >> Yeah, happy to do that. I think, so, we are seeing a lot of customer energy around what we're doing in storage and availability. You know, there's huge momentum behind product like vSan and our customers are truly embracing HCI in very mainstream use cases, and we've seen customer after customer have gone all in, meaning they're taking HCI and made a determination to run that for all of their virtualized workload. So, very exciting time. But what's more interesting is their expanded view on what HCI is about. Certainly, we started with virtualizing computer and storage together on servers. But we're seeing rapid expansion of that definition. You know, we've been a believer that HCI is foundationally a software lab architecture. I think know, there's more recognition in that. And it's also going from just computers and storage to the full stack of the entire software defined data center. It's expanding into the cloud, as you've seen from VMCI WS. It's expanding to the edge, expanding from just traditional apps to cloud native apps. You know, we've announced beta for vSan to become the storage platform for Kubernetes' Navisphere environment. So, a lot of exciting expansion around how customers want to see HCI. And if you look at HCI, hybrid cloud, SDDC, the boundary around these three is not very very clear. I think they're all converging to work, something that's very common. >> Yeah, Christos? I want you to help unpack this a little bit for us. I remember speaking to you a couple of years ago, and your team. We know how many years of effort went into, set the ground work for vSan. with the underlying things that arrived with the API's, and development with your partner ecosystem. Taking vSan as a foundation... Oh, it's going to work with Kubernetes and cloud and everything. It's not a simple port, like, you know, no offense to the hardware people, but putting it on a new platform? Alright, you need to test it, integrate it, make it a couple tweaks, but. The software level, there's a lot of things that go on here. Talk about what the team's been working on, some of the big architectural things that've been happening. >> Oh, yes, absolutely. There are some fundamental changes. We never stop, we never declare that we have finished what we are doing. Obviously, the world is changing around us. Not only the hardware, as you know. There are many important changes there, with NVMe becoming now very prevalent, and renewed aero-technologies appearing, like persistent memory. But, for us, a focal point the last year or so has been, how do we move our entire software stack data on being outlined earlier, into any type of environment, including public clouds? So, you see now, with a few more clouds in AWS, the customers can run applications there without having to re-platform them. It's the exact same environment. So, a keystone of that environment is the storage. How do you virtualize storage? How do you deal with any type of infrastructure? So, vSan was developed for physical devices, SS disc and magnetic disc, more recently NVMe. Now, what we want to give is the option to our customers to use the cost efficiencies of cloud storage. Without the those sacrificing the semantics, the properties the vSphere stack. So, we did a lot of engineering to make vSan work on top of EBS. So, it may sound simple when you announce it at the keynote of VMWorld, but it took lot of hard engineering to adapt a platform. vSphere and vSan was designed for physical hardware, do not work on virtual storage volume. So, that is just one example, there are more examples. For cloud-native use cases, as you said. >> Yeah, I don't think people quite understand the implications of that. The fact that you can use things in the same way in multiple different locations, the whole idea behind multi-cloud-- If you can operate it in the same way as you can on site as you can in whichever cloud you choose. For enterprises who are used to doing things one way, and have made big investments in VMWare, this just opens up an entire universe of opportunity for them. >> Absolutely, and you get the best of both worlds, right? You have the same operational model, the same characteristics I can run now on Amazon applications that use vSphere, ETSI, or the motion pictures that require cell storage. On the cloud, you do not have cell storage. EBS volumes can be accessed by one host at a time, and like stores that need the networks, and vSan brings those stores their networks and semantics, all in software of course, on the cloud. So, I can run my traditional applications, as well as some new generation applications. And for us, strategically, what we've done with EBS? If you think about that is one step into a much bolder vision where vSan becomes this common storage platform that virtualize any type of storage. Physical, or cloud, or virtual, so we expose the same operational model, and the same store semantics to all those who run these three platforms. And this is, you know, just one step. >> And it's not how you-- there is the common operation model that's very appealing to all the enterprise customers. But we are truly marrying the strength and the capabilities of vSan and vSphere and the VMR platform was what EBS uniquely provide. That's elasticity, scalability, but you know, we have a much richer set of data services that we've already viewed into the whole VMR stack. >> Yeah, Yanbing, you bring up some really interesting points. When we put our critical analysis hat on, when the partnership was announced. It was like, "Well, Amazon's got access to 500,000 "VMWare customers, we're going to start "getting customers comfortable with Amazon. Great, they can start moving over." The thing that really caught a lot our attention is, it's some of the Amazon services that are now coming to the VMWare customers. So, EBS is a really good one. When you talk about, you know, the database capabilities that Amazon has, that now I can do on premises, this is a partnership, a two-way street. Its not, you know, just a one way. Maybe speak a little bit about that maturation, and, you know, definitely want to get from Christos, also. There's questions about some of the technical ways of how that works. >> Yeah, what I'm excited is exactly what you described. This is not a one way street, it's really bi-directional. And the levels of collaboration is not just superficial. It's deep levels of integration and leveraging each other to strength, in terms of both technology as well as customer reach. I think that what make the partnership is, you know, people can see that is taking to whole new level. And Christos has been very deeply involved with the various solution architects, and when we examine how we take RDS back on Prime to a VMR environment, I think he can tell a lot more stories behind that. >> For us, actually, it was a great learning experience, I must admit. Because, obviously, we see strongly the desire for our classroom is to start moving from managing the low level, nitty gritty details of the physical IT infrastructure, which we were, you know, traditionally helping them to do, to moving up the starter. Many of them now, they want to have their own users, their own customers, internal customers, to run all those applications. And what are the most critical components of business critical applications? They are the databases, right? So, how can we make the life of our customers easier, how can we provide them the tools to offer data, databases, as a service to their own users? So, this has been our high level objective, and of course, our partnership with AWS helps us deliver some of those properties. >> Christos, I want you to go one level deeper for us. Because some people it's like, >> I'd be happy to. "Wait, RDS, that's, you know, the cool new databases "in Amazon. Wait, I can do something on--" Is that an extension, am I putting things back and forth? Those of us that lived through the virtualization were getting databases just virtualized took years and a lot of hard work. And, I can't just have a database spanning between these, and moving back and forth. This isn't, you know, -- We haven't broken the laws of physics. >> We have not, because here-- >> Help us explain >> What is and isn't possible today. >> Absolutely. First of all, let me highlight what are the main pain points of customers. It's one thing to set up your application and install it and run it. But then there are all the day two operations, right? How do you patch the software, the operating system, the database? How do you scale it, up or down? How do you, even more to the performance, how do you do data protection, backup, disaster recovery? Those are really painful, difficult tasks, that involve a lot of work from expert database administrators that they'd rather be doing some of the important things that address the business earnings, right? So, our objective is to address this. Now, to your point, how do we, you know? What about those laws of physics? How can we have services on the cloud and service on a premise? What we announce here, this RDS, Relational Database Services, on VMWare, it is a fully stand alone service that runs on VMWare environment on premises. There are no dependencies on the public cloud, you have your data sets on your own data centers, and this is actually a major requirement of customers. Whether it's for compliance reasons, or security, or company policy, we insure that your data stays in your data center, while you still get all the benefits of a managed database that you don't need to do all those, you know, little tedious operational tasks I mentioned earlier. Moreover, we support data protection using, actually, underlying vSphere features. Like ETSI and clustering, or even data protection by creating copies of your database in another available domain within your data center. And this is a lot of work that VMWare did to make this happen, as you can imagine. So, that's a lot of infrastructural work, but we support the full range of features that you get on AWS, without having to go over the wire and, you know, break those laws of physics. >> I don't think people have quite understood how profound that is. We're here at a VMWare show, I've spent a lot of time with developers, and the developers are going to love this. Because, now they can use exactly the same way that they operate in public cloud, which they've loved for many years. Being able to do that on site? The way application development is going to happen inside enterprises, where they want to keep it on site, they want to keep it under they're own control, they want their data secured inside their own data centers. The ability for them to do that, and still develop applications in the same way that they could as cloud-native? Cloud-native now means that it runs on site. This is going to be amazing. >> Absolutely. Our customers explicitly tell us that they want to consume, not storage, but data. Those abstractions that matter to the application. So much so, that they have been asking us already, "Hmmm, what is next?", right? "Can you offer us some of this new generation databases?", you know, "the Mongoose or the Cassandra's of the world? "Can we have some similar experience with those "because they're very painful to deploy "and manage in the data centers." So, I cannot make any commitment, of course, but this is an indication of how much interest there is in this type of services. >> Yeah, it really does show you, I think, some of the strategic intent from VMWare. And this is a very clear move for what is going to be possible for customers to actually be able to do on site, it's really quite exciting. >> And for us, you know. Our role providing all the storage related capability, and we've been strongly expanding our application footprint to cover the Hadoop, the Cassandra, the Mango DV type of application as well as containerize the applications. And, you know, we have introduced a lot of new capability or solution that address exactly like that. >> Containerize the applications, for example, against the announcement, I think, didn't receive the attention, that in my opinion, it deserved is supporting natively in vSphere, and with vSan, specifically, cloud-native use cases. Actually, we're introducing a controlled playing, and expanding our store's controlled playing, to manage natively, container volumes. So, now, the same way today, our customers can visit builders through the UI or API's, and have management workflows for virtual machines and virtual disc, VMDK's. Now, they can also manage volumes of containers. And, as you've heard also, we are working with Kubernetes being our main focal point and with PKS to support natively Kubernetes on vSphere, down the road. >> Yeah, great point. I wonder, since we're talking about storage here, you've talked about Kubernetes, we talked about what's in the cloud and on premises. Give us the updated view how VMWare views and how you're helping customers with-- Data can't-- I can't just move, you know, data anywhere, so. While it's good to have similar frameworks, and different-- similar tools there, but still, where data lives, what I move, how I move it, do I move it, how that whole, kind of, data locality is seen today? >> The answer, we have been very keen in defining what we doing in the broader category of data management. From data mobility to protection to analytics, and to life cycle management, the whole slew of that. And we've been starting by building a lot of-- First of all, our job is to make vSan a storage platform that can enable these different demands of data. So, we've expanded vSan's roll from purely from delivering block storage now to offer file, and down the road, object. Cuz a lot of the new data will be consumed in an object like format. And we've also been painting our roadmap for the broader data management, so. >> Yes, exactly. On one hand, we'll provide the platform for primary storage that serves all the needs of the applications, block, file, object, we may even consider a native file interface, actually, for zero data copies, since you were asking about the technical details. I'm very excited about that, you know. We'll see, some of these things will come in the future. But, then, given that you have the platform, what you are building on top of that is data mobility and data protection workflows that are driven by policies. The very first step in that direction is our disaster recovery as a service we offer for hybrid clouds. There, the new model is that, even how you manage your data is as a service. Not a traditional model of installing software and a hundred different bits and pieces that have to integrate with each other and operate. Very simple, you go to a portal, and you manage your data, in this case, starting with disaster recovery use cases. You specify policies, like recovery point objectives. Down the road you may also give the options for recover time objectives. And, also, specify, by policies, what of your data want to be archived and stay on your data center, what of the data can go to the public cloud through your, you know, the hybrid models of cloud model we offer. So, our goal down the road is quite ambitious in offering comprehensive, uniform data management across clouds, that goes all the way from the edge, your Motofy's, your oil rig, all the way to the enterprise, the Cassandra's, to the hybrid clouds. And data mobility there is, you know, using our data transport, our archival capabilities that are coming with vSan Native Snapshot that we also announced at this VMWorld. These will give you the ability to manage your data across all those environments. >> Alright, so, last thing I just want to say. It's interesting to watch this space because we say there's a lot happening under the scenes that people don't understand. I was seeing some research lately saying where AWS lives in the storage ecosystem. I've written an article, couple a years ago. They were the quiet, billion dollar, you know, storage company. And one analyst firm said,"Oh, they're number 3, "and they'll be number 1 in storage." Wikibon actually published a report this month talking about what we call true private cloud. And in our support where we look at the software ecosystem, Yanbing, do you remember who we had number 1 on the list there when you picked >> Ah, yeah... software plus the ecosystem around there for -- >> I remember it clearly, you said it's VMWare. >> Yeah, so, you know, it surprises some people when you look it there, but I'm sure it's no surprise to you and your team, I'm sure. >> So, you know what we've started with vSan is quickly becoming a big way of how all of vSphere customers consume storage. And certainly, that has been our initial focus. But what we are doing for the cloud, what we are doing for the next generation applications. I think we are re-imagining a lot of the things. And it's great to have people like Christos, who started this journey many many years ago, and continue to expand our horizon. Yeah, this is an exciting time for our business unit, and certainly for VMWare, and our customers. >> Christos, in the end, really appreciate us being able to geek out, dig into some of the really important innovations happening in this space. For Justin Warren, I'm Stu Miniman, still a full third day live coverage here from VMWorld 2018, thanks for watching theCube.

from the noise it's the cube covering vmworld 2015 brought to you by VM world and its ecosystem sponsors now your host Stu minimun and Brian Grace Lee Patrick Shanna's on for a member of the technical staff for dr. Patrick saw you at the end of our spring tour and now you're here at the you know picking up the fall tour so thank you for joining us again hey thanks for having me alright so I mean last year you know containers with VMware I mean was a big discussion we kind of all had that you've got some background with Microsoft right and VMware yeah and VMware so you know there was kind of a joke of you know oh the old Microsoft you know extend embrace and we'll see how we go from there but you know it's been a year later so can you give us a little bit of the update of kind of you know how docker in VMware how do you guys see each other I could evm where is a great partner you so the announcement this morning VMware embrace containers so I'm super excited to be here some of the announcements that were made this morning is now this year is a control plane for containers there's this notion of native containers in this year one of the things that excites me the most is their project bonville that they talked about this morning it's actually been made by one of my friends on the ex-colleagues banchory and what they're doing in there that they are implemented the back end for the darker engine in terms of these fear primitives so when you're creating images it creates a set of vmdk layers and when you're creating when you want to create a container the isolation primitives are the ones of VMS as opposed to linux containers all right so that's a very good way of running container yes sir patrick last time we're in the cube you did a great job of helping us you know kind of walk the stack I don't know if you saw we actually did a research piece kind of layering the whole stack so here the announcement you mentioned this morning is the vSphere integrated containers and they've got photon and they've got Bonneville on and let me ask you am I looking at this right that we're VMware I mean VMware very much down at the infrastructure level yeah so when they build that photon layer you know whether they call it just enough virtualization as Kate kolbert said this morning when I heard him speak um but dr. sits on top of that am I getting that right yeah it's exactly right and actually one of my reasons for joining VMware I think four years ago was for them to go up stack and at that time it was with cloud foundry and I would argue that maybe with cloud foundry we were a little bit too much up stack compared to my vm worries at the bottom when I present the whole stack usually I talk about like the new hardware the new hardware today is your cloud provider it's a Amazon Microsoft Google and then the virtualization with VMware so that's the new hardware and that's where vmware is very strong so they manage networking storage and compute on top of that you have the OS layer and what really got me interested into moving to darker is that the whole landscape just changed when containers appear two years ago and the whole industry is reorganizing around that so what happened at the OS layer that all the OS providers starting with chorus initially who studied that friend started doing minimal release of their OS that are just designed to run containers so coral I started that trend but then very quickly read had followed with project atomic and then we went to with winter core the most interesting to me is Ranchero s where they run docker for everything so they have two darker system darker and userland occur and then VMware came out with photon I think twas last June or something like that and today I think they have a preview to of that coming out on top of that you have ducker so the rocker engine running and on top of the darker engine you have orchestration platforms and these are the ones that are replacing what used to be past platform as a service and when I was at Google I was doing google appengine at vmware i was doing cloud foundry now you see cloud foundry reinventing itself as a control plane for containers and so one of the announcement that excited me most in the keynote this morning is that now Cloud Foundry is running with photon they have an integrated distribution so finally vmware is going up stack with its own stack like vSphere at the bottom then on top of that you have photon and then on top of that you have cloud foundry yeah so really exciting times yeah I think for me one of the things that I always hear that feels like it's confusing or off the markets a lot of people want to kind of get into this containers replaces VMs or VMs versus container debate and as if they're both sort of infrastructure layer which if you think about them is something that holds that I could see you make the mistake but but Dockers is something that developers love they love to package their applications they love this idea of right on my laptop push it somewhere do you find that confusion a lot in the marketplace I mean oh yeah I find that a lot and I think it's tied to the rise of DevOps it really in the past five years the this new movement called DevOps like really took off and DevOps is a lot about people and processes a little bit about products as well and I think when docker appeared it was the right level of abstraction for DevOps to happen like the right packaging construct where developers can put all their dependencies in a container and then ups have all the right knobs to tweak for putting that in production but it's the same thing that you put in production that you have on your developer machine so to me a lot of the confusion assoc d2 docker is tied to that because it's a technology that you use both by developers and by ops I think vmware is doing a really good job of giving up so kind of control they need to put darker in production yeah so we're here at vmworld a lot of talk about vmware in containers you guys doing a ton of stuff with Microsoft like yeah talk a little bit about because you know for a long time people like to say what containers have been along for on for a long time Linux containers and but but windows and microsoft adopting this like what's going on there yeah so the partnership with Microsoft is super exciting so after a VMware I actually moved to Microsoft and at Microsoft my role was to help all the darker partners to get onto Azure and since I join I've seen all the work that happened with microsoft recently we've done tons of stuff we end many many different integration points to me the most important one is finally we have native windows containers that shipped with a Windows Server tv3 like literally I think two weeks ago so that's something that was pre announced that dark on and my croissan'wich came onstage with the ducati sure to do a demo now you can run it on Azure yourself what's exciting there is that the concepts that are at the heart of docker are based on using c groups and name spaces which are linux kernel features for isolation of your workloads the thing is these isolation primitive similar ones existed in windows server and especially the version of Windows Server that was running within Microsoft data center for to power Bing and things like that to have denser workloads in the data center where the Microsoft team has done is that they re implemented the darker back end in terms of windows containers primitives and so now you can create Windows net application running on windows server in windows native containers the beauty of it if you're a developer especially an enterprise developer in the enterprise basically you have half and half Java and.net very often like developers go from one to the other or they are developers who do Java others doing dotnet they have completely different tool chains now with darker they have a single tool chain that they can use to build a multi container application that use different technologies behind the scene so finally developers can use the best tools for the father father job yep so pattern one of the things we look at every year here at vmworld is how are we doing it kind of fixing the things that broke when virtualization went into both storage and networking yeah and it was big discussion point at dr. Khan this year you put up a beta of docker networking yep storage I'd say is even a little bit you know further behind there so you know what's the latest on how you guys think of that you know where are we along that maturity curve of you know storage and networking for for containers so I'm really glad you asked that because when i joined occur in march that was my first project to kick-start a project to do darker extensibility and the two extension points that we created based on ecosystem and customer demands were about storage and networking and so I'd acha kaun in June we announced to extension points for dr. a plug-in system one for networking and one for volumes and what I really love about what happened at vmworld today this morning in the keynote is that VMware implemented a networking plug-in based on NSX as well as a volume plug inning in collaboration with a cluster HQ who had built flutter and help us create that extension point four volumes so finally one of the big issues with containers is that when you were deploying it in a multi host set up especially with swarm and compose when you're stunning to the orchestration before June there was no way to to move one container when state full container with data to another machine with a volume plug-in now you can do that and with the networking aspect now you can refer to containers by instead of like doing links and there were some complicated ways to do that now you can use either the native networking driver that comes with ducker but as usual we use the philosophy of batteries included but replaceable and so you can plug networking plug-in coming from nsx if you're using this fear under the hood yeah so still we're we're going to be doing a panel tomorrow on on containers one of the things I want to dig into we're gonna have intel on the show and tells doing some neat things where they're they're calling it clear containers but in essence it's it's kind of the equivalent for the vm we're proud of you know VT technology right hardware isolation of processes talk about just what's the potential of that for containers ability to better leverage hardware to make containers a it's faster and yeah so that aspect of internal research is super exciting and it corroborates some of the things i see happening in the marketplace right now especially on the research side where you have both like Linux containers became super successful in the past two years now that we're going in production there will be lots of different type of isolation technologies applied to containers and so one of the first one I heard about West project banville where it's implemented in terms of this year primitives another one is the clear container by Intel another one that I heard about that that came through the oci project that will talk about that new standard that we announced a cocoon is called is called things of run V and it's based on the hyper SH container technology based on virtualization so I see more and more people using virtualization as an implementation for isolation in containers yeah talk about what's going on with run see so you know six months ago it was we had this you know are we gonna have diverging container standards you guys stood up with core OS and 20 other companies and said we're no we're going to have one standard what's going on with with oci and run c and that thing that's been super exciting so that was my second project that docker we announced it at Daka Connie you that we had a 20 of the biggest companies in the industry joining to create a standard container especially core OS joining as well as Google and Amazon and everybody and what blew my mind is that we're what were free month later less than three months later the team right now is preparing a first draft of the spec for September they've been working actively all throughout the summer we put out we started working on the spec just after dark on we had the darker contributor summit and the the working group for OC I was the largest we had like 15 people from different companies starting to iterate on the spec they continued throughout the summer and now we have something that's close to a first draft of the spec with a reference implementation that's runs in one of the most interesting development that happens there and that really speaks to the power of open source and open stone is is that once the specs started to mature we started to have already a second reference a second implementation of the spec that's called rungy that's been built by the hyper SH project based on virtualization and then why way contributed a test suite for compliance of the of the spec so that spec is advancing really fast yeah so I was having a conversation with Jim's emmalin who runs the Linux Foundation II week or so ago at linux con and we asked him we said you know it's hard because you love them all like your kids do you have a favorite project he said yeah no question oci is my favorite project right now just because of the promise of portability the sort of write once run anywhere so you're working on it it's an important product the Linux domain is really looking at you guys to make this work and and drive that portability yeah and the Linux Foundation has done a really great job at coordinating the work of all the maintainer Xin there it's really a neutral ground where we can advance so that all of us can innovate on top of it now a lot of the competition is happening at the upper layer of the stack like oci I think we all agree on the semantics of what a container runtime should be now at the higher level there are lots of discussions about how the orchestration should be done and there you have 15 different projects you have swarmed from darker this mess those this coup banaras which is very opinionated and one of the other development this summer is that Google and many others including us dr. with part of that announced an another foundation called the CNC F the cloud native computing foundation where the goal there is to create reference tax for orchestration that can interoperate together pretty much along the same line of the work that darker did with a mesosphere for having a swarm plugin for mezclas so Patrick boy there's been so much movement in this space we talked multiple foundations a lot going on one of the things we came out of dr. Khan that we were just I guess a little concerned about is how many people actually run an import and we know you know I mean live through the the VMware lived through the Linux you know adoption phases so is it fair to kind of gauge that piece of it you know what do you see when you know you're talking to the practitioners and the you pick users out there as to you know how should we be measuring you know that's a naturally occurring production yeah so I would say it's maturing a lot we see more and more users putting darker in production there are lots of holes still in the offering that needs to be filled and that's why I'm pretty excited to see VMware stepping in and saying hey for production use we have a lot of technology that you can use to put that in production some of the things that we've seen is a like networking and volumes so that was really needed now that there are lots of plugins I hope that people will have an easier time putting that into production the agreement on what orchestration should be so people are still asking a lot of question about which orchestrator should i use for my containers in production and so I've seen so people using measures others using coronary some are trying swarm there's still lots of questions out there about what the right stack should look like and I would say as usual in software project it kind of depends on what you're running well the one thing that concerns me and it's always there's so many good things going on around docker I've been doing some research over the last couple of months looking at all the different platforms so everything from you know dr. native to what hoshi corp is doing to what openshift is doing and we were we talkin to Adrian Cockroft he said you know dockers reached sort of plaid in terms of speed it moves so fast you guys are releasing some every two months how do you deal with that because you deal with the ecosystem how do they deal with the fact that you're now part of their core platform but you're releasing new stuff every two months I mean are we going to get into something where it's like well it's it's one dot six and two dot one and how do you deal with that yeah so ducker itself as a company is maturing addict Akane you one of the big things that we announced is a darker trusted registry and aqus yes so we have a version of docker that is supported where we're going to do backwards a porting of patches so for people who really want to run it in production we have an offering that supported for them so that they are not obliged to run on the tape every time some of the startups that I've seen out there like large startups with a more in the consumer space who have larger data center and a pretty mature ops team they some of them are running on tip or on the latest version of darker but in the enterprise you can assume that like the adoption of new versions will be slower and so we have that like support offering for for all the versions of darker now the darker open source project is continuing to fire I like to create lots of things and there are lots of poor request the project is more successful than ever I think in the last like recently the most prolific contributor was Microsoft in the project there are lots of torrid has a huge contributor that Google as well is sending lots of pull requests so there are not lots of new features coming with each new release but at the same time we're really working on a platform that everybody is going to use and that needs to mature that's why you have that really fast pace of innovation in that space yeah so I mean Patrick here you're you're in the weeds of some of this so the other one that comes up quite a bit of courses security so even just this last week there's a big back and forth on Twitter and a couple of blog posts talking about it you know what what your thought is to how how we should talk about kind of the maturity and where we're going with the container security discussion yeah so as you guess container security is one of our big focus abductor because that's one of the things that people are expecting from a platform especially to run in production my colleague yoga Monica did lots of blog posts recently about how to improve your security in production security is not only a factor of the software itself but on the all the processes that you put in place around it and basically around darker you have to put in place with some kind of processes you have for operating systems like getting the latest release of the official images I don't know if you saw that there's been a blog post like talking where they looked randomly at all the images in docker hub and evaluating them for security issues one of the things that they didn't look at is that the latest releases of operating systems that we have in there in blocker images are just tracking the upstream releases and people who have sound security practices internally I'll just pulling these latest releases all right last question I have for you Patrick it's it easy for people to come I come in here and be like oh well you know biggest threat to vmware is is docker what what I love talking to you is you know this is a real small community I over the last year a lot of former VMware people now working over a doctor and not that they're unhappy with VMware and you know Microsoft is is in the mix you know so I mean this whole community is pulling together and doing a lot of work a lot of contribution you know what do you see out there from the technology community to help mature this whole space yeah I'd say both VMware and Microsoft at the operating system an infrastructure level as well as Google at the orchestration layer VMware a red hat at the operating system layer like everybody is trying to make darker a sound platform to run in production so what I see in all corners is just darker getting solidified and getting part of most people's production infrastructure with all these efforts on the security and stability and processes as well as the development processes there are lots of innovation in the terms of CI CD integration with darker no no she saw the work that cloudbees has been doing for integrating jenkins with darker so doctor is both the platform for apps and for devs and in that in that qualification that the ecosystem is very broad both on the dev tools side as well as on the ops and platform side all right well Patrick unfortunately at a time is always great chatting with you thank you so much for joining us we'll be back with lots more coverage here from being real 2015 and thank you for watching you inseam six months you