Dan Woods & Haiyan Song, F5 | AWS re:Inforce 2022
>>You want us to... look at that camera? Okay. We're back in Boston, everybody. This is Dave Vellante for theCUBE, the leader in enterprise tech coverage. This is re:Inforce 2022, AWS's big security conference. We're here in Boston, at the convention center where theCUBE started in 2010. Haiyan Song is here. She's head of security and distributed cloud services at F5. And she's joined by Dan Woods, who's the global head of intelligence at F5. Great to see you again. Thanks for coming on theCUBE. Dan, first time, I believe. Yeah. Happy to be here. All right. Good to see you guys. How's the event going for y'all?
>>It's been just fascinating to see all those new players coming in and taking security in a very holistic way. Very encouraged.
>>Yeah. Boston in July is good. A lot of action in the Seaport. When I was a kid, there was nothing here, a couple of mob restaurants and that's about it. And now it's just booming.
>>I'm just happy to see people in person. Finally.
>>Is this your first event since...? Maybe my second or third. Third. Okay.
>>Great. Since everything opened up. And I tell you, I am done with Zoom.
>>Yeah. I mean, it's very clear. People want to get back face to face. It's a whole different dynamic. I think the digital piece will continue as a complement, but nothing beats belly to belly, as I like to say. All right. Haiyan, let's start with you. So you guys do a security report every year. I think this is your eighth year, the app security report. You noted in this report the growing complexity of apps and integrations. What were your big takeaways this year?
>>So, like you said, this is our eighth year, and we interview and talk to about 1500 companies and IT decision makers. One of the things that's so prevalent coming out of the survey is that the complexity they have to deal with continues to increase. It's still one of the biggest headaches for all the security professionals and IT professionals. And that's explainable in a way, if you look at how much digital transformation has happened in the last two years, right? It's an explosion of apps and APIs that's powering all our digital way of working in the last two years. So it's certainly natural to see the complexity has doubled and tripled, and we need to do something about it.
>>And the number of tools keeps growing. The number of players keeps growing. I mean, so many really interesting, you know, they're really not startups anymore, but well-funded new entrants into the marketplace. Were there any big surprises to you? You're a security practitioner, you know this space really well. Anything jump out like, whoa, that surprised me?
>>Yeah. It's been an interesting discussion when we look at the results, right? Some of us would say, gosh, this is such a big surprise. How come people are still willing to turn off security for the benefits of performance? And as a security professional, I will reflect on that. I said, is it a surprise, or is it just a mandate for all of us in security that we've got to do better? Because security shouldn't be the one that prevents or adds friction to what the business wants to do, right? So it's a surprise because, how can, after all the breaches and security incidents, people still... three quarters of the interviewees said, well, if we were given a choice, we'll turn off security for performance. And I think that's a call to action for all of us in security. How do we make security done in a way that's frictionless, so they don't have to worry about it? They don't have to do a trade-off. And I think that's one of the things, you know, Dan, in working on our entire anti-automation solution: one is to protect, and the other thing is to enable.
>>Yeah. You think about it, Dan. I always say the adversary is extremely capable. The ROI of cyber attacks just keeps getting better and better. And your job really is to lower the ROI, right? Decrease the value, increase the cost. But, I mean, phishing continues to be prevalent. You're seeing relatively new techniques: island hopping, self-forming malware. I mean, it's just mind-boggling. But how are you seeing the attacks change? What does the adversary do differently over the last several years, maybe pre- and post-pandemic? We've got a different attack surface. What are you seeing?
>>Well, we're seeing a lot higher volume attacks, a lot higher volume and velocity. It isn't uncommon at all for us to go inline and deploy our client-side signals and see the upper 90% is automated, unwanted automation hitting the application. So the fact that the security teams continue to underestimate the size of the problem, that is something I see every time we go into an enterprise: they underestimate the size of the problem, largely because they're relying on capabilities like CAPTCHAs, or maybe they're relying on 2FA. And while 2FA has a very important role in security, it doesn't stop automated attacks, and CAPTCHA certainly doesn't stop automated attacks.
>>So, okay. So you said 90% now, as high as 90% are automated. Up from where? Maybe dial back to give us a marker as to where it used to be.
>>Well, less than 1% is typically what all of our customers across the F5 network enjoy. Less than 1% of all traffic hitting origin is unwanted. But when we first go online, it is upper 90. We've seen 99% of all traffic being unwanted automation.
>>But Dan, if I dial back to, say, 2015, was it that high? That was automated back then?
>>Or, you know, I don't know if it was that high then, because credential stuffing was just starting to kind of take off. Right? No. Right. But as credential stuffing became better and better known among the criminal elements, that's when it really took off. Explain the... you're right. Crime pays now.
>>Yeah. It's unfortunate, but it's true. Yeah. Explain the CAPTCHA thing. Because sometimes, as a user, it's impossible to do the CAPTCHA. It's like a twister.
>>I got that one wrong. And I presume it's because CAPTCHA can be solved by bots.
>>Well, actually the bots use an API into a human click farm. So there are humans who sit around solving CAPTCHAs all day long. I actually became a human CAPTCHA solver for a short time just to see what the experience was like. And they put me through the training, teaching me how to solve CAPTCHAs more effectively, which was fascinating, because I needed that training, frankly. And then they tested to make sure I solved CAPTCHAs quickly enough. And then I had solved maybe 30 or 40 CAPTCHAs and I hadn't earned one penny US yet. So this is how bots are getting around CAPTCHAs. They just have humans solve them.
>>Oh, okay. Now we hear a lot at this event, you've got to turn on multifactor authentication, and obviously you don't want to use just SMS-based MFA. But Dan, you're saying not good enough. Why? Explain that.
>>Well, most implementations of 2FA are, you know, you enter in username and password, and if you enter in the correct username and password, you get a text message and you enter in the code. If you enter in the incorrect username and password, you're not sent the code. So the purpose of a credential stuffing attack is to verify whether the credentials are correct. That's the purpose. And so if it's a 2FA-protected login, I've done that. Admittedly, I haven't taken over the account yet, but now that I have a list of known good credentials, I could partner with somebody on the dark web who specializes in defeating 2FA through social engineering or port-outs or SIM swaps, SS7 compromises, insiders at telcos, lots of different ways to get at the 2FA text message.
>>So, wow, this is a really interesting, scary discussion. So what's the answer to that problem? How does F5 approach it?
>>Haiyan touched on it. We want to improve security without introducing a lot of friction. And the solution is collecting client-side signals. You interrogate the user's interactions, the browser, the device, the network, the environment, and you find things that are unique that can't be spoofed, like how it does floating-point math or how it renders emojis. This way you're able to increase security without imposing friction on the customer. And honestly, if I ever have to solve another CAPTCHA again, I just... my blood is boiling over CAPTCHA. I wish everyone would rip it out.
>>As a user, I second that request. Technology got us into this problem. Can technology help us get out of the problem?
>>It has to. I think when you think about the world that is powering all the digital experiences, there's two things that come to mind: apps and APIs are at the center of them. And in order to solve the problem, we need to really zero in on where the epicenter of the attack can be and have the max amount of impact, right? So that's part of the reason, from an F5 perspective, we think of application and API security together, with the multi-tier defense: with DDoS, to bots, to the simple bots, to the most sophisticated ones. And it has to be a continuum. You don't just say, hey, I'm going to solve this problem in this silo. You have to really think about apps and APIs. Think about the infrastructure. Think about, you know, we're here at AWS, and cloud-native solutions and API services are all over. You can't just say, I only worry about one cloud. You cannot say, I only worry about VMs. You really need to think of the entire app stack. And that's part of the reason when we build our portfolio, there is web application firewall, there's API security, there's the bot solution. And we added application infrastructure protection coming from our acquisition of Threat Stack. They're actually based in Boston. So it's really important to think holistically of telemetry, visibility, so you can make better decisions for detection and response.
>>So that leads me to a number of questions. First, I want to stay within the AWS silo for a minute. What's the relationship with AWS? How are you integrating, partnering with AWS? Let's start there.
>>Yeah, so we work with AWS really closely. A lot of our solutions actually run on the AWS platform. For part of our Shape services, it's using AWS capabilities, and Threat Stack is purely running on AWS. We just actually had an integration, maybe I'm pre-announcing something, with CloudFront, with our bot solutions. So we can be adding another layer of protection for customers who are using CloudFront on AWS.
>>Okay. So you integrate, you worry about APIs, AWS APIs and primitives, but you have business on-prem, you have business with other cloud providers. How do you simplify those disparities for your customers? Do you kind of abstract all that complexity away? What's F5's philosophy with regard to creating that continuous experience across the states, irrespective of physical location?
>>Yeah, I think you're spot on in terms of, we have to abstract the complexity away. The technology complexity is not going to go away, because there's always going to be new things coming. The world becomes more disaggregated, and there are going to be best-of-breed solutions coming out. And I think it's our job to say, how do we think about policies for web application? And, you know, you're on-prem, you're in AWS, you're in another cloud, you're in your private data center, and we can certainly abstract out the policies, the rules, to make sure it's easier for a customer to say, I want this particular use case, and they push a button. It goes to all the properties, whether it's their own edge or their own data center, and whether it's using AWS, you know, CloudFront, as you were using, or web. So that is part of our adaptive... we call it adaptive applications. The vision is to think delivery, think security, think optimizing the entire experience together using data. You know, I come from a company that was very much around how data can power so many things. And we believe in that too.
>>We use a term called supercloud, which implies a layer that floats above the hyperscale infrastructure, hides the underlying complexity of the primitives, adds value on top, and creates a continuous experience across clouds, maybe out to the edge, even someday on-prem. Does that sound like... it sounds like that's your strategy and approach. And where are you today? Is that technically feasible today? Is it a journey? Maybe you could describe that.
>>Yeah. So, in my title, right, you talked about security and distributed cloud services, and the distributed cloud services came from a really important acquisition we did last year. It's called Volterra. What they brought to F5 is the ability, not only having a lot of the SaaS capabilities and delivery capabilities, but a very strong infrastructure. They also have capabilities like multi-cloud networking, and people can really just take our solution and say, I don't have to go learn about all the... like, I think using supercloud... Yeah, yeah. It's exactly that concept: we'll do all the hard work behind the scenes. You just need to decide what application, what user experience, and we'll take care of the rest. So that solution's already in the market. And of course, there's always more things we can do: collect more telemetry and integrate with more solutions, so there are more insertion points, and customers can have their own choice of whatever other security solution they want to put on top of that. But we already provide the entire service around web application and API services, and the bot solution is a big piece of that.
>>So I could look at analytics across those clouds and on-prem, and actually you don't have to go to four different stovepipes to find them. Is that right?
>>Yeah. And I think you'd be surprised at what you would see. Typically you're going to see large amounts of unwanted automation hitting your applications. I think the reason so many security teams are underestimating the size of the problem is because these attacks are coming from tens of thousands, hundreds of thousands, even millions of IP addresses. So, you know, for years security teams have been blocking by IP, and it's forced the attackers to become highly, highly distributed. So the security teams will typically identify the attack coming from the top hundred or 1500 noisiest IPs, but they miss the long tail of tens of thousands, hundreds of thousands of IPs that are only used one or two times, because, over time, we forced the attackers to do this.
>>They're scaling.
>>Yeah, they are. And they're coming from residential IPs now, not just hosting IPs. They're coming from everywhere.
>>And wow. I mean, we know that the pandemic changed the way that organizations... they had to think more about network security, rethinking network security, obviously endpoint, cloud security. But it sounds like the attackers as well, not only did they exploit that exposure, but, yeah, they were working from home and then...
>>The human click farms. They're now distributed. They're all working from home.
>>Now we could take advantage of that.
>>When I was solving CAPTCHAs, you could do it on your cell phone just by walking around, solving CAPTCHAs for money.
>>Wow. Scary world that we live in. But thank you for helping make it a little bit safer, guys. Really appreciate you coming on theCUBE.
>>We'll continue to work on that. And our motto is: bring a better digital world to life. That's what we set out to do.
>>I love it. All right. Great having you guys. Thank you. And thank you for watching. Keep it right there. This is Dave Vellante from re:Inforce 2022. You're watching theCUBE, right back after this short break.