(upbeat music) >> From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation. >> Hi, and welcome to theCUBE Studios, for another CUBE Conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. One of the banes of every enterprise is complexity, especially in the security world. The more devices, the more things, the greater the surface attack areas. One of the biggest or best approaches to reducing the challenges of security is to try to increase the overall simplicity of what it is you're trying to secure and the practices that you use. Now, today to talk about that, we're here with Ken Athanasiou, who is the VP and CISO of AutoNation. Ken, welcome to theCUBE! >> Thanks, thanks for having me. >> So I said up front that challenges of complexity and simplicity are very real, we're going to get into that, but let's start with AutoNation. Tell us a little bit about AutoNation, tell us a little bit about yourself. >> Sure, so AutoNation is the nation's largest new car dealership, we have about 300 dealerships across the country, we're all North American-based. We sell thousands of cars a year and we're about a $22 billion a year business. >> Well that's pretty sizable, and as a company that has to actually deliver something physical, it means you have a pretty broad network of locations where AutoNation has to operate. Have I got that right? >> Yeah that's correct. We have, as I said, about 300 different locations across the country. We also have about seven parts distribution centers, we have collision centers where we actually repair vehicles that have been involved in accidents as well, so it's an extensive network. >> So AutoNation is a company that requires a fair amount of security, you're taking a lot of personal and private information from your customers, you're enacting or effecting pretty significant transactions, at least in their lives, tell us a little bit about some of the challenges that AutoNation was facing and what you had to do to reduce the complexity of your overall security stance. >> Sure, so I've been with the organization about not quite five years now, I'm actually the first CSO that the organization has had, and I was brought in because they had a small breach of a third-party company that was handling some of their customer information. That obviously is enough to raise the awareness of the executives, the general counsel, et cetera. So the focus was to ensure that they were being as diligent as necessary, so they, at the recommendation of an outside party, hired in me to build a cybersecurity program. One of the first things I noticed when I got here was that each of the independent locations, the store locations, had an Internet point of presence as well as a circuit back to our data centers. Those Internet points of presence were protected with fairly antiquated software techniques, so that was kind of exposing some significant risk to the organization. That was one of the main problems that I had to solve the first few months. >> So you had Internet in, you had points of presence and then you had connections back to the data center which meant that someone could, if they breached one of those POPs, one of those dealerships, could actually effect a fair amount of chaos within your overall corporate network and application infrastructure, have I got that right? >> Yeah, absolutely, and obviously as a car dealership we take credit applications from folks on a daily basis. Those applications contain pretty significant privacy information, and basically have most everything you need to be able to compromise someone's identity, steal their identity, and/or commit all sorts of different fraud activities. So we take that very seriously, and while we do treat our stores' environment not as untrusted but we do segment our stores' environment from our back-end systems. That lack of adequate perimeter protection in the stores was a significant risk. >> So you come in, you look at the situation, a fair amount of locations where problems could arise, a fair amount of personal data that, if compromised, would affect your brand. Ken, how did you think through the way forward? >> Sure, so the traditional approach to an Internet point of presence is to put a firewall in place. And then of course, you put a web proxy in place, and then you put an SSL interceptor in place and then you put some network-based malware detection engine in place, and then your layer on these controls, until you get to the point where, hey, we think we're okay. The cost associated with doing that sort of thing at 300 different locations, not just the cost of purchasing and implementing a small stack of iron at every one of those locations, but then the ongoing costs of trying to manage it, most of these devices, you're not intended to actually run 300 of these devices across the country, so managing them, replacing them when they fail, it was something that was a pretty significant challenge, so we decided it was time to think outside the box, and look for something that was cloud-based, that we could leverage across the entire enterprise, with much less investment in resources. >> So, what you looked at was this large number of devices, the inability to put talent close to them, which would have led to both a lot of cost in the actual devices and a lot of uncertainty in their operation. You looked at using the Internet as a way of securing the points of presence themselves. What direction did you take? >> So we started looking at cloud-based services. I'd been in discussions with a couple of these folks while I was at my previous engagement. I was at American Eagle Outfitters as their CSO for about seven years. But that organization was very much a hub-and-spoke environment, and we were backhauling all of the traffic from the stores to the data center and then out to the Internet. The environment at AutoNation is significantly different, that I think a much more modern approach of having local breakouts at the stores, taking advantage of the capacity of the Internet, that sort of thing, but to do that, your privacy requires that you still control those, so we started looking at cloud-based services. We looked at Zscaler, we looked at Blue Coat, we looked at Websense, we looked at Cisco stuff, and we also looked at some of the hardware-based solutions, such as SonicWall and some of the Palo Alto devices. We didn't immediately discount the idea that, hey maybe hardware in each of these stores like a sub-host, small home-office device, would work for us, but it became quickly apparent that an Internet-based cloud solution was the right way to go. >> And you chose Zscaler. >> We did, we did. When we were going through the evaluation and looking at the various products, Zscaler definitely had the most complete solution. Most of the other products were not truly a full protocol next generation firewall in-the-cloud solution. Some of the solutions were quote unquote cloud-based, but they basically were talking about putting a virtual instance or multiple virtual instances of a firewall in the cloud, right, which was actually just somebody else's data center, and then pumping that traffic through those virtual instances. That would have reduced the number of instances that we would had to have managed significantly, but it would still be a traditional hardware-based firewall approach just stuck into someone else's data center, as a quote unquote cloud solution. So Zscaler really had the most comprehensive of all the solutions that we looked at. We started to pilot it and roll things out and it was working very very well. >> So right now you've got Zscaler to handle your endpoint security from a cloud-based solution. How's that changed your security posture? Let's start there. >> As soon as we started rolling Zscaler out, as a prophylactic around the environment, it gave us some pretty excellent visibility. We were running McAfee Antivirus at the time, we were using Microsoft SCCM to do patching, we were doing a number of other things in the environment. As soon as we rolled Zscaler out, we started getting the visibility into the traffic, we started really seeing what was actually happening in our environment. It was very clear that those solutions were significantly deficient. We were seeing commodity malware infections happen on a fairly regular basis. We were seeing bot traffic originating from our systems. It was obvious that our internal controls were not where they needed to be. Using that as empirical evidence, right, and taking that to my executives and my risk committee, it was very easy to justify additional investments in other security tools to really clean up the environment. We deployed a brand-new endpoint protection solution, we deployed a brand-new solution for management and patching of the endpoints. We made a lot of very significant changes in the environment, and all of that was generated out of the visibility we got from pumping all that client traffic through Zscaler. >> Well it sounds like Zscaler has had a significant impact on the overall security posture of AutoNation. How's made your CSO feel? >> Yeah well I can sleep at night for the most part. Whenever you get into a new organization, you get a perspective on the level of risk that you're subjected to. Your reaction is along a spectrum, and it's either complete panic to oh, okay, this isn't so bad. I will say that I wasn't in complete panic when I got down here and fully understood the situation, but I will say that I wasn't on the oh, it's not too bad side of the spectrum either. There's a significant amount of work that needed to be done, and again, I can't stress how much that visibility actually helped us drive new controls into the environment. >> Ken Athanasiou talking about the impact of Zscaler and how it simplified the security posture of AutoNation. Thanks very much for being on theCUBE! >> Thanks very much for having me. >> Once again I'm Peter Burris. This has been another CUBE Conversation, see you next time! (upbeat music)