live from Los Angeles it's the queues covering open-source summit North America 2017 brought to you by the Linux Foundation and redhead he welcome back everyone here live in LA for the open source summit in North America I'm jumper with my co-host Jeff Fritz too many men he'll be back shortly is out scouring the hallways for all the news and analysis getting all the scuttlebutt are here we're here with our next guest brian behlendorf who is the executive director of the hyper ledger project for the Linux Foundation thanks for coming on thank ledger thanks for sharing we just talking before the camera started rolling about blockchain and the coolness around the hype around it but again the hype cycle is usually a pretext to the trend hyper ledger is one of those exciting projects that like AI everyone is jazzed about because it's the future right open source is getting bigger and bigger as Jim zemulon was saying 23 million developers and growing but there's still so much work to be done the global society's relying on open source it's shaping our culture - Ledger's one of those things where it is going to actually disrupt the culture and change it potentially and even this morning Chinese band virtual currencies and icos and all based upon doesn't mean it's time to invest yes and whatever China bands it's always been successful so your thoughts go first boy star let's get into hyper ledger project it's certainly super exciting probably people are talking about it heavily what's going on with the project give a quick update what's the purpose who's involved and when some of the milestones you guys have hyper ledger is less than two years old it was launched officially in December of 2015 I joined in main and it was founded on the principle that hey there's a lot of interesting stuff happening in the cryptocurrency world but there might be some more prosaic some more directly applicable applications of distributed ledger and smart contract technology to rebooting a lot of otherwise very thorny problems for industries in the world the main problem being you've got companies doing business with each other and the recording transactions and you know they'll have to go back and reconcile their systems to get audited bugs right and a lot of the systems out there depend upon processes at a very human processes that are prone to error prone to corruption right so the idea is the more that you can pull together you know information about transactions into a shared system of record which is really with the distributed ledger it's and then the more about of the governance and the and the business processes enclosed that you can automate by smart contract the more effective the more efficient a lot of these markets will be so that's what hyper ledger is about ok so certainly the the keynote was all about open sources being dependent upon and Jim's Emlyn as well as Christine Corbett said you know traditionally control we all know that open source but I love that the deployment changing the face of capitalism because hyper ledger is a term that you can almost apply to the notion of decentralize not just distributed but decentralized business so the notion of supply chain things in finance to moving Goods around the world this is interesting this is how about the impact of how you guys are seeing some of these applications we're now a decentralized architecture combined with distributed creates an opportunity for changing the face of capitalism flowing because the word distributed can be very loaded all right you know and even decentralized right it can be very loaded and what I what I tried to popularize is the idea of minimum viable centralization right you know football games and other sports games have referees right and when we play a game like this well sometimes you know sometimes we don't need a referee it's just us playing pick-up basketball but we want somebody on the periphery we all agree to who helps remind us what the rules are and throws a red flag from time to time all right and so you see in industries ranging from finance where you're building these transaction networks to you know supply chains where you need to track the flow of like food and to know when if food has gotten spoiled possibly where that came from or diamonds that have been involved in conflict time and you know other illegal activities right you want to know where that came for a minute and it involves that industry getting together and saying we all agree we have a big net interest in making our business actually follow certain rules and norms right and using a distributed ledger to to bring that about it's something that can just provide a lot of optimizations so most people think of like Bitcoin and ether a mezda with all this ICO buzz as de as the front end to really the underlying blockchain which you're talking about yeah and that's kind of like I get that fiat currency in this market developed to look crazed bubbles some people call it whatever but you're getting at something unique and this is that there's a real business value of hyper ledger I won't say boring but it's like meat and potatoes stuff it's like really kind of prosaic is the prosaic it's like so but it's disruptive so if you think about like the old days when we were growing up or I was growing up ERP was on mini computers and the prized resource planning relationship management software those were bloated monolithic software packages yeah still out there today and they handle the so called supply chain right so is the hypervisor a disruption to that is it an augmentation of that so some try to put it in context the cost of sending a shipping container from China to the United States right half of that is in paperwork half of that is because that container on average will go through 30 different organizations from the the you know the suppliers that you're assembling the goods into to all the different ports all the different regulatory authorities right out finally to where it's delivered and if you can optimize those business processes if you can make it so that the happen in a space where it's not about paper and facts which a lot of that world is still ruled by today or a bureaucrat sitting there reviewing stuff that's coming in and having to stamp it when really all that could be automated you could cut the cost of that and take the shipping industry from what is right now a money-losing industry to potentially being viable once again so optimization is really critical for them it's optimization but it but there's also some new capabilities here so I spent a year at Department of Health and Human Services trying to help make health care records more portable for patients right and we wrote it and got it I got the industry to write a ton of open source software implemented open standards to make these records shareable the problem was the patient wasn't involved right this was about trying to take two orgs do something that all of their bean counters told them not to do which was share patient records because no that's proprietary value and the HIPAA regulations all that not exactly blackens processes basically with blocking with blocking technology that we can reinvent that as a patient driven process right we could reinvent a lot of the other business processes out there that involve personally identifiable information like the Equifax disaster right we could reinvent how the credit markets assess risk in individuals through blockchain technology in a way that doesn't require us to build these big central anonymous third parties that Coover everybody's data and become these massive privacy titanic's right we can reinvent a lot of this through blockchain tech and that's a lot of what we're working on that Nagaraja because a analytics from that kind of a unique place because you're used to driving these big open-source projects there's a lot of people and they're trying to build the wrapper around the base core of blockchain to come up with their version or their kind of application if you will whether it be Bitcoin or whatever but you guys are in kind of a special place based on your roots we believe that I mean open standards are nice but what really matters is common code right and in a world like we envision where rather than saying you one big Network like Bitcoin or one big Network like aetherium you've got thousands or tens of thousands of these permission networks that cover different industries different geographies different regions what you need is common software so that when a developer goes to work on an application that touches one or multiple of these they've got familiar idioms to work they've got familiar technologies to work with like NGO or Java or JavaScript right but they've got a community of other technologies has been trained up on these technologies that can help them bootstrap and launch their project and maybe even become a contributor to the open source so what we've figured out at the Linux Foundation is how to make that virtuous cycle go right companies you know benefit commercially from it and then feed back into the project and that's what we're mentioning the word you get almost rethink and reimagine some of these things like the Equifax disaster yeah I think it's pretty man no breathing most tech people I really seen as as viable like absolutely it's gonna happen so there's a nice trajectory vision that people are buying into because it's somewhat you can see it hanging together playing out technically what are some of the things going on the project can you share with the folks watching about some things that you're doing to get there faster what's going on with the community with some of the issues with concerns how do people get involved take some time to go tobut deep words of the project so we're not a you know an RD kind of free thinking kind of thing we're about get writing code and shipping and getting into production right so hyper ledger fabric just hit a one dot oh that was a signal from the developers that this code is ready to be run in production systems and for you to track digital assets right doesn't by far does not mean it's the end of the road it's the end of chapter one right but at least it's a place where we you know the kind of the clear intent is let's make this actually usable by enterprises the other projects we've got eight different projects total at hyper ledger some of them even compete with each other right but we're driving all of them to get to a one dot oh and over time all of them talk about how they relate to each other in kind of complimentary ways what's some of the profile developers you're getting because some people always ask I know what should I get involved what can I sink my teeth into what are some of the meaty kind of things that people are doing with it who the persona that that are coming in these enterprise developers they more traditional full-stack developers can you give a range of some of the persona attributes because this is early code still I mean this whole space is still pretty early when it comes to understanding how to use these technologies especially at scale kind of at a DevOps scale a lot of the people first coming into the tech community now are fairly advanced right are kind of the whiz kids right but we're seeing that gradually broad broaden out we now are at a point where we could use developers coming in and writing sample applications right we could use people helping us with documentation we're developing training materials that will be creative commons-licensed so everybody will be able to deliver those and as they find bugs or add features to the training they can do that too we can really use anybody all right so folks watching get involved okay get any white spaces you might want to tease them out with that you see happening obviously mentioned tracking digital assets data is a stress that's cool anything that's going on with data probably is a digital asset but you'd agree what's some of the things that people could get motivated can you share any insight that you might have that would motivate someone to jump in I think any any industry has these challenges of weaving their systems together with other businesses and then trying to do that in a way that holds each other.you account right this is a system for building systems of record between organizations right and you know you running a database to me running a database we don't get there on our own we only get there by working with consortio by working in as a community to actually build these systems and so I'd say every every business has that challenge whether they're engineers have felt free to go in and try to tackle that extranet days when you see people building citizen networks similar concept where blockchain is one big happy family collaborative network all right final question for you kind of shooting for a little bit what do you expect to happen community any thoughts on some of the goals you have is executive director obviously you got some hackathons for good we'll see blockchain being applied to some real things with one dot out what do you see rolling out which some of your goals I massively grow the developer community both the well you know the one end of the spectrum which is the the whiz kids the hardcore developers to you know move forward on a kind of the leading edge of that but really we've got to bring you know hundred thousand developers into this space or the next couple years just to meet the demand that's there in the industry for that town alright so if I'm a now an executive as a hey I saw this great Cuban in friens awesome go get involved what how did someone get involved is just jump standard community model just jump in what advice would you give someone if they want to engage and participate for every one of our projects if you give gave it an hour you'd get to a running you know instance of that software right so fabric or sawtooth within an hour you should ever running for node instance that you can start writing chain code two which is the smart contract language right and and then from there getting involved in the community as a matter of joining mailing list joining our rocket chat channels rocket chats an alternative to slack that we actually prefer and I and I think you'll find a really welcoming community of other devs who want to tell you about what the projects are and want to help you kind of climb that learning curve one of the comments just enough good note here is that Christina gave him the key no she says code can shape culture you've been in the industry a long time you've seen the wave you've been on the shoulders of others and now as the open source goes to the next level how is code gonna shape the culture in your opinion actually people started working together to take that I would say that almost I'm not a moon shot but it's really more of an imperative that culture will be changed inclusion else is huge your thoughts on code shaping culture so we've we've had a decline in trust in institutions in the United States and worldwide not just in the last seven months since November but actually for the last 20 years there's Edelman does this survey every year where they ask you your trust in brands your trust in government your trust in the process the fairness of society and for 20 years that's been on a straight-line decline to the point where we ask ourselves like can you trust any level of government can you trust businesses to look out for your interest the answer almost generically is going to be no this is a technology that can save us from this is a technology that we I believe can help us define the rules of the game help us build society but then actually automate and implement that in a way that doesn't require us to have to bribe an official or curry favor with a school official to get our kid into that school or anything like that this is a way to try I think to make the world more accountable and more fair and open source has that inclusive and staying away from the gerrymander and I love the quote it's so confusing now it's like who do you ask where's the source of truth and it used to be RTFM and check the source code now it's not only there is no manual who is the source fake news all these bots means kind of crazy so this is that a call to arms the open source I think it is I think it really is the trust as a service ok Brian thanks so much for come on if you appreciate it Thank You director for the hyper ledger project super important project really a game changer changing the face of capitalism also continuing the trend accelerate open source I'm Shaun Frechette for more live coverage from the queue after this short break

(upbeat music) >> Hey, everyone. Welcome back to theCUBE's day one coverage of Cloud Native SecurityCon 2023. This has been a great conversation that we've been able to be a part of today. Lisa Martin with John Furrier and Dave Vellante. Dave and John, I want to get your take on the conversations that we had today, starting with the keynote that we were able to see. What are your thoughts? We talked a lot about technology. We also talked a lot about people and culture. John, starting with you, what's the story here with this inaugural event? >> Well, first of all, there's two major threads. One is the breakout of a new event from CloudNativeCon/KubeCon, which is a very successful community and events that they do international and in North America. And that's not stopping. So that's going to be continuing to go great. This event is a breakout with an extreme focus on security and all things security around that ecosystem. And with extensions into the Linux Foundation. We heard Brian Behlendorf was on there from the Linux Foundation. So he was involved in Hyperledger. So not just Cloud Native, all things containers, Kubernetes, all things Linux Foundation as an open source. So, little bit more of a focus. So I like that piece of it. The other big thread on this story is what Dave and Yves were talking about on our panel we had earlier, which was the business model of security is real and that is absolutely happening. It's impacting business today. So you got this, let's build as fast as possible, let's retool, let's replatform, refactor and then the reality of the business imperative. To me, those are the two big high-order bits that are going on and that's the reality of this current situation. >> Dave, what are your top takeaways from today's day one inaugural coverage? >> Yeah, I would add a third leg of the stool to what John said and that's what we were talking about several times today about the security is a do-over. The Pat Gelsinger quote, from what was that, John, 2011, 2012? And that's right around the time that the cloud was hitting this steep part of the S-curve and do-over really has meant in looking back, leveraging cloud native tooling, and cloud native technologies, which are different than traditional security approaches because it has to take into account the unique characteristics of the cloud whether that's dynamic resource allocation, unlimited resources, microservices, containers. And while that has helped solve some problems it also brings new challenges. All these cloud native tools, securing this decentralized infrastructure that people are dealing with and really trying to relearn the security culture. And that's kind of where we are today. >> I think the other thing too that I had Dave is that was we get other guests on with a diverse opinion around foundational models with AI and machine learning. You're going to see a lot more things come in to accelerate the scale and automation piece of it. It is one thing that CloudNativeCon and KubeCon has shown us what the growth of cloud computing is is that containers Kubernetes and these new services are powering scale. And scale you're going to need to have automation and machine learning and AI will be a big part of that. So you start to see the new formation of stacks emerging. So foundational stacks is the machine learning and data apps are coming out. It's going to start to see more apps coming. So I think there's going to be so many new applications and services are going to emerge, and if you don't get your act together on the infrastructure side those apps will not be fully baked. >> And obviously that's a huge risk. Sorry, Dave, go ahead. >> No, that's okay. So there has to be hardware somewhere. You can't get away with no hardware. But increasingly the security architecture like everything else is, is software-defined and makes it a lot more flexible. And to the extent that practitioners and organizations can consolidate this myriad of tools that they have, that means they're going to have less trouble learning new skills, they're going to be able to spend more time focused and become more proficient on the tooling that is being applied. And you're seeing the same thing on the vendor side. You're seeing some of these large vendors, Palo Alto, certainly CrowdStrike and fundamental to their strategy is to pick off more and more and more of these areas in security and begin to consolidate them. And right now, that's a big theme amongst organizations. We know from the survey data that consolidating redundant vendors is the number one cost saving priority today. Along with, at a distant second, optimizing cloud costs, but consolidating redundant vendors there's nowhere where that's more prominent than in security. >> Dave, talk a little bit about that, you mentioned the practitioners and obviously this event bottoms up focused on the practitioners. It seems like they're really in the driver's seat now. With this being the inaugural Cloud Native SecurityCon, first time it's been pulled out of an elevated out of KubeCon as a focus, do you think this is about time that the practitioners are in the driver's seat? >> Well, they're certainly, I mean, we hear about all the tech layoffs. You're not laying off your top security pros and if you are, they're getting picked up very quickly. So I think from that standpoint, anybody who has deep security expertise is in the driver's seat. The problem is that driver's seat is pretty hairy and you got to have the stomach for it. I mean, these are technical heroes, if you will, on the front lines, literally saving the world from criminals and nation-states. And so yes, I think Lisa they have been in the driver's seat for a while, but it it takes a unique person to drive at those speeds. >> I mean, the thing too is that the cloud native world that we are living in comes from cloud computing. And if you look at this, what is a practitioner? There's multiple stakeholders that are being impacted and are vulnerable in the security front at many levels. You have application developers, you got IT market, you got security, infrastructure, and network and whatever. So all that old to new is happening. So if you look at IT, that market is massive. That's still not transformed yet to cloud. So you have companies out there literally fully exposed to ransomware. IT teams that are having practices that are antiquated and outdated. So security patching, I mean the blocking and tackling of the old securities, it's hard to even support that old environment. So in this transition from IT to cloud is changing everything. And so practitioners are impacted from the devs and the ones that get there faster and adopt the ways to make their business better, whether you call it modern technology and architectures, will be alive and hopefully thriving. So that's the challenge. And I think this security focus hits at the heart of the reality of business because like I said, they're under threats. >> I wanted to pick up too on, I thought Brian Behlendorf, he did a forward looking what could become the next problem that we really haven't addressed. He talked about generative AI, automating spearphishing and he flat out said the (indistinct) is not fixed. And so identity access management, again, a lot of different toolings. There's Microsoft, there's Okta, there's dozens of companies with different identity platforms that practitioners have to deal with. And then what he called free riders. So these are folks that go into the repos. They're open source repos, and they find vulnerabilities that developers aren't hopping on quickly. It's like, you remember Patch Tuesday. We still have Patch Tuesday. That meant Hacker Wednesday. It's kind of the same theme there going into these repos and finding areas where the practitioners, the developers aren't responding quickly enough. They just don't necessarily have the resources. And then regulations, public policy being out of alignment with what's really needed, saying, "Oh, you can't ship that fix outside of Germany." Or I'm just making this up, but outside of this region because of a law. And you could be as a developer personally liable for it. So again, while these practitioners are in the driver's seat, it's a hairy place to be. >> Dave, we didn't get the word supercloud in much on this event, did we? >> Well, I'm glad you brought that up because I think security is the big single, biggest challenge for supercloud, securing the supercloud with all the diversity of tooling across clouds and I think you brought something up in the first supercloud, John. You said, "Look, ultimately the cloud, the hyperscalers have to lean in. They are going to be the enablers of supercloud. They already are from an infrastructure standpoint, but they can solve this problem by working together. And I think there needs to be more industry collaboration. >> And I think the point there is that with security the trend will be, in my opinion, you'll see security being reborn in the cloud, around zero trust as structure, and move from an on-premise paradigm to fully cloud native. And you're seeing that in the network side, Dave, where people are going to each cloud and building stacks inside the clouds, hyperscaler clouds that are completely compatible end-to-end with on-premises. Not trying to force the cloud to be working with on-prem. They're completely refactoring as cloud native first. And again, that's developer first, that's data first, that's security first. So to me that's the tell sign. To me is if when you see that, that's good. >> And Lisa, I think the cultural conversation that you've brought into these discussions is super important because I've said many times, bad user behavior is going to trump good security every time. So that idea that the entire organization is responsible for security. You hear that all the time. Well, what does that mean? It doesn't mean I have to be a security expert, it just means I have to be smart. How many people actually use a VPN? >> So I think one of the things that I'm seeing with the cultural change is face-to-face problem solving is one, having remote teams is another. The skillset is big. And I think the culture of having these teams, Dave mentioned something about intramural sports, having the best people on the teams, from putting captains on the jersey of security folks is going to happen. I think you're going to see a lot more of that going on because there's so many areas to work on. You're going to start to see security embedded in all processes. >> Well, it needs to be and that level of shared responsibility is not trivial. That's across the organization. But they're also begs the question of the people problem. People are one of the biggest challenges with respect to security. Everyone has to be on board with this. It has to be coming from the top down, but also the bottom up at the same time. It's challenging to coordinate. >> Well, the training thing I think is going to solve itself in good time. And I think in the fullness of time, if I had to predict, you're going to see managed services being a big driver on the front end, and then as companies realize where their IP will be you'll see those managed service either be a core competency of their business and then still leverage. So I'm a big believer in managed services. So you're seeing Kubernetes, for instance, a lot of managed services. You'll start to see more, get the ball going, get that rolling, then build. So Dave mentioned bottoms up, middle out, that's how transformation happens. So I think managed services will win from here, but ultimately the business model stuff is so critical. >> I'm glad you brought up managed services and I want to add to that managed security service providers, because I saw a stat last year, 50% of organizations in the US don't even have a security operations team. So managed security service providers MSSPs are going to fill the gap, especially for small and midsize companies and for those larger companies that just need to augment and compliment their existing staff. And so those practitioners that we've been talking about, those really hardcore pros, they're going to go into these companies, some large, the big four, all have them. Smaller companies like Arctic Wolf are going to, I think, really play a key role in this decade. >> I want to get your opinion Dave on what you're hoping to see from this event as we've talked about the first inaugural standalone big focus here on security as a standalone. Obviously, it's a huge challenge. What are you hoping for this event to get groundswell from the community? What are you hoping to hear and see as we wrap up day one and go into day two? >> I always say events like this they're about educating, aspiring to action. And so the practitioners that are at this event I think, I used to say they're the technical heroes. So we know there's going to be another Log4j or a another SolarWinds. It's coming. And my hope is that when that happens, it's not an if, it's a when, that the industry, these practitioners are able to respond in a way that's safe and fast and agile and they're able to keep us protected, number one and number two, that they can actually figure out what happened in the long tail of still trying to clean it up is compressed. That's my hope or maybe it's a dream. >> I think day two tomorrow you're going to hear more supply chain, security. You're going to start to see them focus on sessions that target areas if within the CNCF KubeCon + CloudNativeCon area that need support around containers, clusters, around Kubernetes cluster. You're going to start to see them laser focus on cleaning up the house, if you will, if you can call it cleaning up or fixing what needs to get fixed or solved what needs to get solved on the cloud native front. That's going to be urgent. And again, supply chain software as Dave mentioned, free riders too, just using open source. So I think you'll see open source continue to grow, but there'll be an emphasis on verification and certification. And Docker has done a great job with that. You've seen what they've done with their business model over hundreds of millions of dollars in revenue from a pivot. Catch a few years earlier because they verify. So I think we're going to be in this verification blue check mark of code era, of code and software. Super important bill of materials. They call SBOMs, software bill of materials. People want to know what's in their software and that's going to be, again, another opportunity for machine learning and other things. So I'm optimistic that this is going to be a good focus. >> Good. I like that. I think that's one of the things thematically that we've heard today is optimism about what this community can generate in terms of today's point. The next Log4j is coming. We know it's not if, it's when, and all organizations need to be ready to Dave's point to act quickly with agility to dial down and not become the next headline. Nobody wants to be that. Guys, it's been fun working with you on this day one event. Looking forward to day two. Lisa Martin for Dave Vellante and John Furrier. You're watching theCUBE's day one coverage of Cloud Native SecurityCon '23. We'll see you tomorrow. (upbeat music)

(lively music) >> Welcome back to our coverage of Cloud Native Security Con. I'm Dave Vellante, here in our Boston studio. We're connecting today, throughout the day, with Palo Alto on the ground in Seattle. And right now I'm here with Michael Foster with Red Hat. He's on the ground in Seattle. We're going to discuss the trends and containers and security and everything that's going on at the show in Seattle. Michael, good to see you, thanks for coming on. >> Good to see you, thanks for having me on. >> Lot of market momentum for Red Hat. The IBM earnings call the other day, announced OpenShift is a billion-dollar ARR. So it's quite a milestone, and it's not often, you know. It's hard enough to become a billion-dollar software company and then to have actually a billion-dollar product alongside. So congratulations on that. And let's start with the event. What's the buzz at the event? People talking about shift left, obviously supply chain security is a big topic. We've heard a little bit about or quite a bit about AI. What are you hearing on the ground? >> Yeah, so the last event I was at that I got to see you at was three months ago, with CubeCon and the talk was supply chain security. Nothing has really changed on that front, although I do think that the conversation, let's say with the tech companies versus what customers are actually looking at, is slightly different just based on the market. And, like you said, thank you for the shout-out to a billion-dollar OpenShift, and ACS is certainly excited to be part of that. We are seeing more of a consolidation, I think, especially in security. The money's still flowing into security, but people want to know what they're running. We've allowed, had some tremendous growth in the last couple years and now it's okay. Let's get a hold of the containers, the clusters that we're running, let's make sure everything's configured. They want to start implementing policies effectively and really get a feel for what's going on across all their workloads, especially with the bigger companies. I think bigger companies allow some flexibility in the security applications that they can deploy. They can have different groups that manage different ones, but in the mid to low market, you're seeing a lot of consolidation, a lot of companies that want basically one security tool to manage them all, so to speak. And I think that the features need to somewhat accommodate that. We talk supply chain, I think most people continue to care about network security, vulnerability management, shifting left and enabling developers. That's the general trend I see. Still really need to get some hands on demos and see some people that I haven't seen in a while. >> So a couple things on, 'cause, I mean, we talk about the macroeconomic climate all the time. We do a lot of survey data with our partners at ETR, and their recent data shows that in terms of cost savings, for those who are actually cutting their budgets, they're looking to consolidate redundant vendors. So, that's one form of consolidation. The other theme, of course, is there's so many tools out in the security market that consolidating tools is something that can help simplify, but then at the same time, you see opportunities open up, like IOT security. And so, you have companies that are starting up to just do that. So, there's like these countervailing trends. I often wonder, Michael, will this ever end? It's like the universe growing and tooling, what are your thoughts? >> I mean, I completely agree. It's hard to balance trying to grow the company in a time like this, at the same time while trying to secure it all, right? So you're seeing the consolidation but some of these applications and platforms need to make some promises to say, "Hey, we're going to move into this space." Right, so when you have like Red Hat who wants to come out with edge devices and help manage the IOT devices, well then, you have a security platform that can help you do that, that's built in. Then the messaging's easy. When you're trying to do that across different cloud providers and move into IOT, it becomes a little bit more challenging. And so I think that, and don't take my word for this, some of those IOT startups, you might see some purchasing in the next couple years in order to facilitate those cloud platforms to be able to expand into that area. To me it makes sense, but I don't want to hypothesize too much from the start. >> But I do, we just did our predictions post and as a security we put up the chart of candidates, and there's like dozens, and dozens, and dozens. Some that are very well funded, but I mean, you've seen some down, I mean, down rounds everywhere, but these many companies have raised over a billion dollars and it's like uh-oh, okay, so they're probably okay, maybe. But a lot of smaller firms, I mean there's just, there's too many tools in the marketplace, but it seems like there is misalignment there, you know, kind of a mismatch between, you know, what customers would like to have happen and what actually happens in the marketplace. And that just underscores, I think, the complexities in security. So I guess my question is, you know, how do you look at Cloud Native Security, and what's different from traditional security approaches? >> Okay, I mean, that's a great question, and it's something that we've been talking to customers for the last five years about. And, really, it's just a change in mindset. Containers are supposed to unleash developer speed, and if you don't have a security tool to help do that, then you're basically going to inhibit developers in some form or another. I think managing that, while also giving your security teams the ability to tell the message of we are being more secure. You know, we're limiting vulnerabilities in our cluster. We are seeing progress because containers, you know, have a shorter life cycle and there is security and speed. Having that conversation with the C-suites is a little different, especially when how they might be used to virtual machines and managing it through that. I mean, if it works, it works from a developer's standpoint. You're not taking advantage of those containers and the developer's speed, so that's the difference. Now doing that and then first challenge is making that pitch. The second challenge is making that pitch to then scale it, so you can get onboard your developers and get your containers up and running, but then as you bring in new groups, as you move over to Kubernetes or you get into more container workloads, how do you onboard your teams? How do you scale? And I tend to see a general trend of a big investment needed for about two years to make that container shift. And then the security tools come in and really blossom because once that core separation of responsibilities happens in the organization, then the security tools are able to accelerate the developer workflow and not inhibit it. >> You know, I'm glad you mentioned, you know, separation of responsibilities. We go to a lot of shows, as you know, with theCUBE, and many of them are cloud shows. And in the one hand, Cloud has, you know, obviously made the world, you know, more interesting and better in so many different ways and even security, but it's like new layers are forming. You got the cloud, you got the shared responsibility model, so the cloud is like the first line of defense. And then you got the CISO who is relying heavily on devs to, you know, the whole shift left thing. So we're asking developers to do a lot and then you're kind of behind them. I guess you have audit is like the last line of defense, but my question to you is how can software developers really ensure that cloud native tools that they're using are secure? What steps can they take to improve security and specifically what's Red Hat doing in that area? >> Yeah, well I think there's, I would actually move away from that being the developer responsibility. I think the job is the operators' and the security people. The tools to give them the ability to see. The vulnerabilities they're introducing. Let's say signing their images, actually verifying that the images that's thrown in the cloud, are the ones that they built, that can all be done and it can be done open source. So we have a DevSecOps validated pattern that Red Hat's pushed out, and it's all open source tools in the cloud native space. And you can sign your builds and verify them at runtime and make sure that you're doing that all for free as one option. But in general, I would say that the hope is that you give the developer the information to make responsible choices and that there's a dialogue between your security and operations and developer teams but security, we should not be pushing that on developer. And so I think with ACS and our tool, the goal is to get in and say, "Let's set some reasonable policies, have a conversation, let's get a security liaison." Let's say in the developer team so that we can make some changes over time. And the more we can automate that and the more we can build and have that conversation, the better that you'll, I don't say the more security clusters but I think that the more you're on your path of securing your environment. >> How much talk is there at the event about kind of recent high profile incidents? We heard, you know, Log4j, of course, was mentioned in the Keynote. Somebody, you know, I think yelled out from the audience, "We're still dealing with that." But when you think about these, you know, incidents when looking back, what lessons do you think we've learned from these events? >> Oh, I mean, I think that I would say, if you have an approach where you're managing your containers, managing the age and using containers to accelerate, so let's say no images that are older than 90 days, for example, you're going to avoid a lot of these issues. And so I think people that are still dealing with that aspect haven't set up the proper, let's say, disclosure between teams and update strategy and so on. So I don't want to, I think the Log4j, if it's still around, you know, something's missing there but in general you want to be able to respond quickly and to do that and need the tools and policies to be able to tell people how to fix that issue. I mean, the Log4j fix was seven days after, so your developers should have been well aware of that. Your security team should have been sending the messages out. And I remember even fielding all the calls, all the fires that we had to put out when that happened. But yeah. >> I thought Brian Behlendorf's, you know, talk this morning was interesting 'cause he was making an attempt to say, "Hey, here's some things that you might not be thinking about that are likely to occur." And I wonder if you could, you know, comment on them and give us your thoughts as to how the industry generally, maybe Red Hat specifically, are thinking about dealing with them. He mentioned ChatGPT or other GPT to automate Spear phishing. He said the identity problem is still not fixed. Then he talked about free riders sniffing repos essentially for known vulnerabilities that are slow to fix. He talked about regulations that might restrict shipping code. So these are things that, you know, essentially, we can, they're on the radar, but you know, we're kind of putting out, you know, yesterday's fire. What are your thoughts on those sort of potential issues that we're facing and how are you guys thinking about it? >> Yeah, that's a great question, and I think it's twofold. One, it's brought up in front of a lot of security leaders in the space for them to be aware of it because security, it's a constant battle, constant war that's being fought. ChatGPT lowers the barrier of entry for a lot of them, say, would-be hackers or people like that to understand systems and create, let's say, simple manifests to leverage Kubernetes or leverage a misconfiguration. So as the barrier drops, we as a security team in security, let's say group organization, need to be able to respond and have our own tools to be able to combat that, and we do. So a lot of it is just making sure that we shore up our barriers and that people are aware of these threats. The harder part I think is educating the public and that's why you tend to see maybe the supply chain trend be a little bit ahead of the implementation. I think they're still, for example, like S-bombs and signing an attestation. I think that's still, you know, a year, two years, away from becoming, let's say commonplace, especially in something like a production environment. Again, so, you know, stay bleeding edge, and then make sure that you're aware of these issues and we'll be constantly coming to these calls and filling you in on what we're doing and make sure that we're up to speed. >> Yeah, so I'm hearing from folks like yourself that the, you know, you think of the future of Cloud Native Security. We're going to see continued emphasis on, you know, better integration of security into the DevSecOps. You're pointing out it's really, you know, the ops piece, that runtime that we really need to shore up. You can't just put it on the shoulders of the devs. And, you know, using security focused tools and best practices. Of course you hear a lot about that and the continued drive toward automation. My question is, you know, automation, machine learning, how, where are we in that maturity cycle? How much of that is being adopted? Sometimes folks are, you know, they embrace automation but it brings, you know, unknown, unintended consequences. Are folks embracing that heavily? Are there risks associated around that, or are we kind of through that knothole in your view? >> Yeah, that's a great question. I would compare it to something like a smart home. You know, we sort of hit a wall. You can automate so much, but it has to actually be useful to your teams. So when we're going and deploying ACS and using a cloud service, like one, you know, you want something that's a service that you can easily set up. And then the other thing is you want to start in inform mode. So you can't just automate everything, even if you're doing runtime enforcement, you need to make sure that's very, very targeted to exactly what you want and then you have to be checking it because people start new workloads and people get onboarded every week or month. So it's finding that balance between policies where you can inform the developer and the operations teams and that they give them the information to act. And that worst case you can step in as a security team to stop it, you know, during the onboarding of our ACS cloud service. We have an early access program and I get on-calls, and it's not even security team, it's the operations team. It starts with the security product, you know, and sometimes it's just, "Hey, how do I, you know, set this policy so my developers will find this vulnerability like a Log4Shell and I just want to send 'em an email, right?" And these are, you know, they have the tools and they can do that. And so it's nice to see the operations take on some security. They can automate it because maybe you have a NetSec security team that doesn't know Kubernetes or containers as well. So that shared responsibility is really useful. And then just again, making that automation targeted, even though runtime enforcement is a constant thing that we talk about, the amount that we see it in the wild where people are properly setting up admission controllers and it's acting. It's, again, very targeted. Databases, cubits x, things that are basically we all know is a no-go in production. >> Thank you for that. My last question, I want to go to the, you know, the hardest part and 'cause you're talking to customers all the time and you guys are working on the hardest problems in the world. What is the hardest aspect of securing, I'm going to come back to the software supply chain, hardest aspect of securing the software supply chain from the perspective of a security pro, software engineer, developer, DevSecOps Pro, and then this part b of that is, is how are you attacking that specifically as Red Hat? >> Sure, so as a developer, it's managing vulnerabilities with updates. As an operations team, it's keeping all the cluster, because you have a bunch of different teams working in the same environment, let's say, from a security team. It's getting people to listen to you because there are a lot of things that need to be secured. And just communicating that and getting it actionable data to the people to make the decisions as hard from a C-suite. It's getting the buy-in because it's really hard to justify the dollars and cents of security when security is constantly having to have these conversations with developers. So for ACS, you know, we want to be able to give the developer those tools. We also want to build the dashboards and reporting so that people can see their vulnerabilities drop down over time. And also that they're able to respond to it quickly because really that's where the dollars and cents are made in the product. It's that a Log4Shell comes out. You get immediately notified when the feeds are updated and you have a policy in action that you can respond to it. So I can go to my CISOs and say, "Hey look, we're limiting vulnerabilities." And when this came out, the developers stopped it in production and we were able to update it with the next release. Right, like that's your bread and butter. That's the story that you want to tell. Again, it's a harder story to tell, but it's easy when you have the information to be able to justify the money that you're spending on your security tools. Hopefully that answered your question. >> It does. That was awesome. I mean, you got data, you got communication, you got the people, obviously there's skillsets, you have of course, tooling and technology is a big part of that. Michael, really appreciate you coming on the program, sharing what's happening on the ground in Seattle and can't wait to have you back. >> Yeah. Awesome. Thanks again for having me. >> Yeah, our pleasure. All right. Thanks for watching our coverage of the Cloud Native Security Con. I'm Dave Vellante. I'm in our Boston studio. We're connecting to Palo Alto. We're connecting on the ground in Seattle. Keep it right there for more coverage. Be right back. (lively music)

(upbeat music) (upbeat music) >> Hi everybody, welcome back to our coverage of the Cloud Native Security Con. I'm Dave Vellante, here in our Boston studio. We're connecting today with Palo Alto, with John Furrier and Lisa Martin. We're also live from the show floor in Seattle. But right now, I'm here with Andy Thurai who's from Constellation Research, friend of theCUBE, and we're going to discuss the intersection of AI and security, the potential of AI, the risks and the future. Andy, welcome, good to see you again. >> Good to be here again. >> Hey, so let's get into it, can you talk a little bit about, I know this is a passion of yours, the ethical considerations surrounding AI. I mean, it's front and center in the news, and you've got accountability, privacy, security, biases. Should we be worried about AI from a security perspective? >> Absolutely, man, you should be worried. See the problem is, people don't realize this, right? I mean, the ChatGPT being a new shiny object, it's all the craze that's about. But the problem is, most of the content that's produced either by ChatGPT or even by others, it's an access, no warranties, no accountability, no whatsoever. Particularly, if it is content, it's okay. But if it is something like a code that you use for example, one of their site projects that GitHub's co-pilot, which is actually, open AI + Microsoft + GitHub's combo, they allow you to produce code, AI writes code basically, right? But when you write code, problem with that is, it's not exactly stolen, but the models are created by using the GitHub code. Actually, they're getting sued for that, saying that, "You can't use our code". Actually there's a guy, Tim Davidson, I think he's named the professor, he actually demonstrated how AI produces exact copy of the code that he has written. So right now, it's a lot of security, accountability, privacy issues. Use it either to train or to learn. But in my view, it's not ready for enterprise grade yet. >> So, Brian Behlendorf today in his keynotes said he's really worried about ChatGPT being used to automate spearfishing. So I'm like, okay, so let's unpack that a little bit. Is the concern there that it just, the ChatGPT writes such compelling phishing content, it's going to increase the probability of somebody clicking on it, or are there other dimensions? >> It could, it's not necessarily just ChatGPT for that matter, right? AI can, actually, the hackers are using it to an extent already, can use to individualize content. For example, one of the things that you are able to easily identify when you're looking at the emails that are coming in, the phishing attack is, you look at some of the key elements in it, whether it's a human or even if it's an automated AI based system. They look at certain things and they say, "Okay, this is phishing". But if you were to read an email that looks exact copy of what I would've sent to you saying that, "Hey Dave, are you on for tomorrow? Or click on this link to do whatever. It could individualize the message. That's where the volume at scale to individual to masses, that can be done using AI, which is what scares me. >> Is there a flip side to AI? How is it being utilized to help cybersecurity? And maybe you could talk about some of the more successful examples of AI in security. Like, are there use cases or are there companies out there, Andy, that you find, I know you're close to a lot of firms that are leading in this area. You and I have talked about CrowdStrike, I know Palo Alto Network, so is there a positive side to this story? >> Yeah, I mean, absolutely right. Those are some of the good companies you mentioned, CrowdStrike, Palo Alto, Darktrace is another one that I closely follow, which is a good company as well, that they're using AI for security purposes. So, here's the thing, right, when people say, when they're using malware detection systems, most of the malware detection systems that are in today's security and malware systems, use some sort of a signature and pattern scanning in the malware. You know how many identified malwares are there today in the repository, in the library? More than a billion, a billion. So, if you are to check for every malware in your repository, that's not going to work. The pattern based recognition is not going to work. So, you got to figure out a different way of identification of pattern of usage, not just a signature in a malware, right? Or there are other areas you could use, things like the usage patterns. For example, if Andy is coming in to work at a certain time, you could combine a facial recognition saying, that should he be in here at that time, and should he be doing things, what he is supposed to be doing. There are a lot of things you could do using that, right? And the AIOps use cases, which is one of my favorite areas that I work, do a lot of work, right? That it has use cases for detecting things that are anomaly, that are not supposed to be done in a way that's supposed to be, reducing the noise so it can escalate only the things what you're supposed to. So, AIOps is a great use case to use in security areas which they're not using it to an extent yet. Incident management is another area. >> So, in your malware example, you're saying, okay, known malware, pretty much anybody can deal with that now. That's sort of yesterday's problem. >> The unknown is the problem. >> It's the unknown malware really trying to understand the patterns, and the patterns are going to change. It's not like you're saying a common signature 'cause they're going to use AI to change things up at scale. >> So, here's the problem, right? The malware writers are also using AI now, right? So, they're not going to write the old malware, send it to you. They are actually creating malware on the fly. It is possible entirely in today's world that they can create a malware, drop in your systems and it'll it look for the, let me get that name right. It's called, what are we using here? It's called the TTPs, Tactics, Techniques and procedures. It'll look for that to figure out, okay, am I doing the right pattern? And then malware can sense it saying that, okay, that's the one they're detecting. I'm going to change it on the fly. So, AI can code itself on the fly, rather malware can code itself on the fly, which is going to be hard to detect. >> Well, and when you talk about TTP, when you talk to folks like Kevin Mandia of Mandiant, recently purchased by Google or other of those, the ones that have the big observation space, they'll talk about the most malicious hacks that they see, involve lateral movement. So, that's obviously something that people are looking for, AI's looking for that. And of course, the hackers are going to try to mask that lateral movement, living off the land and other things. How do you see AI impacting the future of cyber? We talked about the risks and the good. One of the things that Brian Behlendorf also mentioned is that, he pointed out that in the early days of the internet, the protocols had an inherent element of trust involved. So, things like SMTP, they didn't have security built in. So, they built up a lot of technical debt. Do you see AI being able to help with that? What steps do you see being taken to ensure that AI based systems are secure? >> So, the major difference between the older systems and the newer systems is the older systems, sadly even today, a lot of them are rules-based. If it's a rules-based systems, you are dead in the water and not able, right? So, the AI-based systems can somewhat learn from the patterns as I was talking about, for example... >> When you say rules-based systems, you mean here's the policy, here's the rule, if it's not followed but then you're saying, AI will blow that away, >> AI will blow that away, you don't have to necessarily codify things saying that, okay, if this, then do this. You don't have to necessarily do that. AI can somewhat to an extent self-learn saying that, okay, if that doesn't happen, if this is not a pattern that I know which is supposed to happen, who should I escalate this to? Who does this system belong to? And the other thing, the AIOps use case we talked about, right, the anomalies. When an anomaly happens, then the system can closely look at, saying that, okay, this is not normal behavior or usage. Is that because system's being overused or is it because somebody's trying to access something, could look at the anomaly detection, anomaly prevention or even prediction to an extent. And that's where AI could be very useful. >> So, how about the developer angle? 'Cause CNCF, the event in Seattle is all around developers, how can AI be integrated? We did a lot of talk at the conference about shift-left, we talked about shift-left and protect right. Meaning, protect the run time. So, both are important, so what steps should be taken to ensure that the AI systems are being developed in a secure and ethically sound way? What's the role of developers in that regard? >> How long do you got? (Both laughing) I think it could go for base on that. So, here's the problem, right? Lot of these companies are trying to see, I mean, you might have seen that in the news that Buzzfeed is trying to hire all of the writers to create the thing that ChatGPT is creating, a lot of enterprises... >> How, they're going to fire their writers? >> Yeah, they replace the writers. >> It's like automated automated vehicles and automated Uber drivers. >> So, the problem is a lot of enterprises still haven't done that, at least the ones I'm speaking to, are thinking about saying, "Hey, you know what, can I replace my developers because they are so expensive? Can I replace them with AI generated code?" There are a few issues with that. One, AI generated code is based on some sort of a snippet of a code that has been already available. So, you get into copyright issues, that's issue number one, right? Issue number two, if AI creates code and if something were to go wrong, who's responsible for that? There's no accountability right now. Or you as a company that's creating a system that's responsible, or is it ChatGPT, Microsoft is responsible. >> Or is the developer? >> Or the developer. >> The individual developer might be. So, they're going to be cautious about that liability. >> Well, so one of the areas where I'm seeing a lot of enterprises using this is they are using it to teach developers to learn things. You know what, if you're to code, this is a good way to code. That area, it's okay because you are just teaching them. But if you are to put an actual production code, this is what I advise companies, look, if somebody's using even to create a code, whether with or without your permission, make sure that once the code is committed, you validate that the 100%, whether it's a code or a model, or even make sure that the data what you're feeding in it is completely out of bias or no bias, right? Because at the end of the day, it doesn't matter who, what, when did that, if you put out a service or a system out there, it is involving your company liability and system, and code in place. You're going to be screwed regardless of what, if something were to go wrong, you are the first person who's liable for it. >> Andy, when you think about the dangers of AI, and what keeps you up at night if you're a security professional AI and security professional. We talked about ChatGPT doing things, we don't even, the hackers are going to get creative. But what worries you the most when you think about this topic? >> A lot, a lot, right? Let's start off with an example, actually, I don't know if you had a chance to see that or not. The hackers used a bank of Hong Kong, used a defect mechanism to fool Bank of Hong Kong to transfer $35 million to a fake account, the money is gone, right? And the problem that is, what they did was, they interacted with a manager and they learned this executive who can control a big account and cloned his voice, and clone his patterns on how he calls and what he talks and the whole name he has, after learning that, they call the branch manager or bank manager and say, "Hey, you know what, hey, move this much money to whatever." So, that's one way of kind of phishing, kind of deep fake that can come. So, that's just one example. Imagine whether business is conducted by just using voice or phone calls itself. That's an area of concern if you were to do that. And imagine this became an uproar a few years back when deepfakes put out the video of Tom Cruise and others we talked about in the past, right? And Tom Cruise looked at the video, he said that he couldn't distinguish that he didn't do it. It is so close, that close, right? And they are doing things like they're using gems... >> Awesome Instagram account by the way, the guy's hilarious, right? >> So, they they're using a lot of this fake videos and fake stuff. As long as it's only for entertainment purposes, good. But imagine doing... >> That's right there but... >> But during the election season when people were to put out saying that, okay, this current president or ex-president, he said what? And the masses believe right now whatever they're seeing in TV, that's unfortunate thing. I mean, there's no fact checking involved, and you could change governments and elections using that, which is scary shit, right? >> When you think about 2016, that was when we really first saw, the weaponization of social, the heavy use of social and then 2020 was like, wow. >> To the next level. >> It was crazy. The polarization, 2024, would deepfakes... >> Could be the next level, yeah. >> I mean, it's just going to escalate. What about public policy? I want to pick your brain on this because I I've seen situations where the EU, for example, is going to restrict the ability to ship certain code if it's involved with critical infrastructure. So, let's say, example, you're running a nuclear facility and you've got the code that protects that facility, and it can be useful against some other malware that's outside of that country, but you're restricted from sending that for whatever reason, data sovereignty. Is public policy, is it aligned with the objectives in this new world? Or, I mean, normally they have to catch up. Is that going to be a problem in your view? >> It is because, when it comes to laws it's always miles behind when a new innovation happens. It's not just for AI, right? I mean, the same thing happened with IOT. Same thing happened with whatever else new emerging tech you have. The laws have to understand if there's an issue and they have to see a continued pattern of misuse of the technology, then they'll come up with that. Use in ways they are ahead of things. So, they put a lot of restrictions in place and about what AI can or cannot do, US is way behind on that, right? But California has done some things, for example, if you are talking to a chat bot, then you have to basically disclose that to the customer, saying that you're talking to a chat bot, not to a human. And that's just a very basic rule that they have in place. I mean, there are times that when a decision is made by the, problem is, AI is a black box now. The decision making is also a black box now, and we don't tell people. And the problem is if you tell people, you'll get sued immediately because every single time, we talked about that last time, there are cases involving AI making decisions, it gets thrown out the window all the time. If you can't substantiate that. So, the bottom line is that, yes, AI can assist and help you in making decisions but just use that as a assistant mechanism. A human has to be always in all the loop, right? >> Will AI help with, in your view, with supply chain, the software supply chain security or is it, it's always a balance, right? I mean, I feel like the attackers are more advanced in some ways, it's like they're on offense, let's say, right? So, when you're calling the plays, you know where you're going, the defense has to respond to it. So in that sense, the hackers have an advantage. So, what's the balance with software supply chain? Are the hackers have the advantage because they can use AI to accelerate their penetration of the software supply chain? Or will AI in your view be a good defensive mechanism? >> It could be but the problem is, the velocity and veracity of things can be done using AI, whether it's fishing, or malware, or other security and the vulnerability scanning the whole nine yards. It's scary because the hackers have a full advantage right now. And actually, I think ChatGPT recently put out two things. One is, it's able to direct the code if it is generated by ChatGPT. So basically, if you're trying to fake because a lot of schools were complaining about it, that's why they came up with the mechanism. So, if you're trying to create a fake, there's a mechanism for them to identify. But that's a step behind still, right? And the hackers are using things to their advantage. Actually ChatGPT made a rule, if you go there and read the terms and conditions, it's basically honor rule suggesting, you can't use this for certain purposes, to create a model where it creates a security threat, as that people are going to listen. So, if there's a way or mechanism to restrict hackers from using these technologies, that would be great. But I don't see that happening. So, know that these guys have an advantage, know that they're using AI, and you have to do things to be prepared. One thing I was mentioning about is, if somebody writes a code, if somebody commits a code right now, the problem is with the agile methodologies. If somebody writes a code, if they commit a code, you assume that's right and legit, you immediately push it out into production because need for speed is there, right? But if you continue to do that with the AI produced code, you're screwed. >> So, bottom line is, AI's going to speed us up in a security context or is it going to slow us down? >> Well, in the current version, the AI systems are flawed because even the ChatGPT, if you look at the the large language models, you look at the core piece of data that's available in the world as of today and then train them using that model, using the data, right? But people are forgetting that's based on today's data. The data changes on a second basis or on a minute basis. So, if I want to do something based on tomorrow or a day after, you have to retrain the models. So, the data already have a stale. So, that in itself is stale and the cost for retraining is going to be a problem too. So overall, AI is a good first step. Use that with a caution, is what I want to say. The system is flawed now, if you use it as is, you'll be screwed, it's dangerous. >> Andy, you got to go, thanks so much for coming in, appreciate it. >> Thanks for having me. >> You're very welcome, so we're going wall to wall with our coverage of the Cloud Native Security Con. I'm Dave Vellante in the Boston Studio, John Furrier, Lisa Martin and Palo Alto. We're going to be live on the show floor as well, bringing in keynote speakers and others on the ground. Keep it right there for more coverage on theCUBE. (upbeat music) (upbeat music) (upbeat music) (upbeat music)

>> Narrator: Live from Las Vegas, it's The Cube, covering IBM Think 2018. Brought to you by IBM. >> Hello everyone, welcome to the third day of live coverage here at IBM Think in Las Vegas. This is The Cube, our flagship program, we go out to the events, and extract a civil noise of the leader in live technology coverage. I'm John Furrier, with my co-host Dave Vellante. Our seventh, eighth year covering a bunch of IBM shows. With all now six of them rolled into one IBM Think, this is their big tent event, day three, keynotes just finished, it's blockchain day here at IBM, and as we said, on the opening, on Tuesday, this is like, the innovation sandwich. In the middle is the meat, is data, and then the bread is blockchain and AI. And really that is the architecture of IBM's future strategy, foundationally set up by cloud computing and a variety of other applications and whatnot, but really the future is about data, with blockchain and AI surrounding it. Today's blockchain day, your thoughts on the keynote? Keynote speeches? >> Mm-hm. >> IBM, blockchain, certainly we've seen a lot of advertising on TV. Your thoughts and reaction to the keynote. >> Yeah, and I like your innovation sandwich, I just want to add, that the substrate of all this is cloud. It's critical, if you're going to get network effects, you've got to have the cloud. Today, yeah, was blockchain day, we heard from Marie Wieck, who's the general manager of IBM blockchain. IBM has a tendency, as you know, John, to identify a hot trend, especially some in Open Source, they did this with Linux, they did this with Spark, and they kind of, elbow their way in, you know, maybe that's a pejorative, but they do that, and they say, "Here's some code, here's some resources." They spend money on it, and they give credibility to that Open Source effort. The Hyperledger project is the one they targeted here. It's the fastest growing project in the history of the Linux Foundation. IBM contributed lines of code, people, they've got 15 hundred blockchain experts on this, and they're going all in on blockchain. Which I think, John, is really positive for the blockchain, and even the crypto community, because it brings the credibility of a, you know, a Fortune 100 company to that world. They've announced the blockchain starter kit. All this stuff is available on the IBM cloud. They announced today PWC as an audit partner, which again, brings credibility to the table. Although, I think as you and I know, and we're going to have some guests on later today, there's some other tech emerging, that is going to maybe complement that. >> Yeah. >> And we heard from David Katz, who is the CEO of Plastic Bank, this is the company that's essentially creating currency out of plastic. Allowing disadvantaged people to turn collecting plastic into money. And, at the same time, help save the planet. >> I mean, this is a great example of blockchain as an enabling technology. New ways to do business. As you know, we've been hot on blockchain for the audience watching, you know, we've been covering big data, and AI, that's in our wheelhouse, do all those shows and events, cover that territory with our journalism, and TV and research. But blockchain is an adjacency to storage and infrastructure, and also decentralized applications. The fundamental thing that we're seeing, and we talked to Brian-- Brian Behlendorf, who's with the Hyperledger project, at the Open Source Summit, the Apache Foundation, which IBM is a big sponsor of, IBM needs to do well here. Because they're, again, innovations is essentially betting on blockchain. But it's not just the developers at Open Source, the business users are the ones that are going to create the value, and what I mean by that is, if you look at the blockchain world, and crypto currency and decentralized applications, that's essentially the three components to this market. The blockchain is the infrastructure, ledger, storage of data, et cetera, you know over simplified, but the cryptocurrency runs protocols and infrastructure that power that, and then the application's going to sit on top. We've reported and observed that the secret of success in this new world, is nailing the business logic, and the business model, efficiencies that take advantage of the underlying technology. And that the risk factors in making that success happen, is that business model, not the technology. Although the technology is super important, the technology can be switched out a reduced risk. So the real risk in blockchain and cryptocurrency, and decentralized applications is nailing the business model disruption. This is different than the old way of tech, which was the risk was technology selection. This is a big deal, IBM needs to up their game on that piece of it. I've heard a lot of tech, I've got some nice use cases, but on the outreach basis, they got to go to the business users, and say, "This is an opportunity to leverage the data, "leverage the software and AI with watts and other things." And then leverage the underlying technology, software defined storage, software systems that move to the blockchain, in a decentralized and distributed way. Distributed and decentralized is the future of infrastructure, this is the secret of success, this is where the winners are establishing the clear line of sight. >> Well, one of the things that you're hearing at this conference, Ginny set this up yesterday, was incumbent disrupters, and we were just, kind of, having fun at the open yesterday, but I think it's really smart for IBM. You know me, John, I'm a big fan of saying most of your business is going to come from your existing customers, and if you're chasing all this new business, and start ups, and developers, you're not going to be as productive as if you go to your core. And I think that you're seeing this. IBM back to the core, and they're bringing blockchain to that core as a way to disrupt existing business models, defend against disrupters. So you're absolutely right, companies need to look for inefficiencies where there's a third party taking a toll, and then attack it hard with blockchain. I actually think-- well no, so IBM is really talking business. How do we bring blockchain to the business? They're not really talking about what we talk about a lot, this crypto economy and this whole other mission driven initiative. >> Well, but I mean, if they want to talk business, they got to talk token economics. That's where the business model efficiencies will be rendered on the app side, and the money side. The killer wrap in blockchain and crypto is money. Okay, and marketplaces. IBM got to great marketplace, but it's not just about the developers, that's an organic one stakeholder. The stakeholders that matter is the business guys and the developers coming together. That is absolutely fundamental. If they don't understand that, that's going to be hard to be successful. You can't just throw money at developer programs and say, "Oh, when we win the developers, we win the day." Cloud was, kind of, that playbook, but this world is so fast, and accelerating in it's value creation, that the business users are fundamental in actually grokking what the capabilities are, and putting that into motion quickly, and the proof points is pilots converting to production. That's going to come from the business units. That's where the intellectual property is, is looking at the technology innovations that are possible on the business logic. Business logic is the new IP, this is where the action is, and I haven't heard IBM talk at all about token economics, they kind of talk about it, but that really is the business impact. >> Well, I mean, you sort of heard that today from Plastic Bank, although they didn't talk about a token, they didn't talk about coins, they did talk about monetizing plastic, but in using blockchain to do that, I assume there's tokens behind that, but maybe not. Maybe it's just Fiat currency. It's unclear to me, but I think you're right, the killer app is money. >> Look at it, this is simple. The equation in crypto, and not blockchain, is value creators create value, and they can capture the value. Capturing the value is where the money is, the creating the value is where the technology can happen. So you got to nail both of those as areas. And money is the killer app, so that's going to come from the business side, so the real benefit of decentralization is offering the value capture equation to look different and be different. That's token economics. That's where the action's going to be. So, it really is, it's not mutually exclusive, they're both things. >> Well I think that what you're hearing, so value comes from two places in the simplest form, increased revenue, cut costs. I'm hearing a lot from IBM of cut costs, now again, the Plastic Bank this morning was a really interesting example, I'm glad IBM uses it, but the vast majority of things you're hearing from IBM, like the IBM Maersk relationship, et cetera, are about cutting costs, taking out inefficiencies. >> Well, I mean, the bank thing is easy to look at in your mind, but it's any supply chain. The ICO market that's at a massive bubble right now, is because the supply chain of funding start ups and growth, used to come from private equity and venture capital, that is being disrupted because it certainly hyped up, but that's a supply chain. Any supply chain activities, set of activities, that make up a supply chain, can and will be disrupted by blockchain, crypto, and token economics. >> Yeah, so let's talk about that. Because again, you're not hearing a lot of that from IBM. But I think we have a perspective there. You know, the 1.0 was the wild west, a bunch of developers, blockchain developers, theory developers, doing stuff, building up protocols, making a lot of money. And disintermediating the VCs, right? The new form of raising capital. The VCs are now all in, right? We saw this in Bahamas, you saw this in Puerto Rico, at the two conferences, at four conferences that we covered. So explain that? >> Well, that's just one application, the VCs and these guys are inefficient in some way, but what's happening with crypto currency about access to capital. Now there's a lot of capital being thrown out there. That's mainly because of the hype and the bubble aspect of it, but the real disruption is access to capital, that value chain, value activities are being disrupted and being more efficient. That's a global phenomenon, and that's happening in financing of start ups. Anything with a supply chain, whether it's moving food from point A to point B, is what IBM also highlights as well, anything that's structural incumbent is at risk. And so, this is where, I mean IBM has a ton of supply chain business. They've been doing this for generations in the computer industry. They connect systems together, and create value with using technology. So this is not going to be-- this is a great opportunity for IBM. Again, if they can convert that business value into the blockchain with the value capture, the create capture model, they can run the table. >> But I want to come back to innovation equation. And part of that innovation equation is being able to raise capital. And last I checked, which was last month, about 6.5 billion had been raised in crypto investments. >> And 60% of the projects failed. >> For sure, okay. But failure-- Silicon Valley, fail fest, it's probably up to 10 billion now, much more is being raised through crypto in startups in blockchain than there is in VC. The VCs realized this, and they want a piece of the action, but we're seeing private equity, we're seeing hedge funds, we're seeing crypto billionaires. >> The path of least resistance for the entrepreneur is where the action is. They go right to the new money opportunity. Because they can raise more money. >> So, here's the question. You take Fiocoin, for example, smart guys, trying to go after S3 with peer to peer storage, they raised 250 million dollars in 30 minutes, okay? Is it too much too fast? >> Yes, I think so, but it's what the market's giving. I mean, Fiocoin doesn't even have a product. They're on a roadmap. That's essentially a series A financing. >> Dave: That's a series C. >> Well, no, in terms of the evolution of the startup, it's a seed financing as a series C or D or F financing. >> Yeah, 250 million. >> I mean, it's insane. >> David Scott told us that he needed 85 to start Three Par. I mean that's a storage company 10 years ago, 20 years ago. >> Yeah. >> What a change. At 250 million. >> Look, it's a bubble. But the reality is that it's a bubble that's not going to pop and destroy the sector, it's just a proof point that the efficiency of funding is going to be disrupted. It is being disrupted. >> No, we'll see if it's going to destroy this sector or not. This could, you know-- Warren Buffet says it's going to end badly, others are believers. >> I'm long on blockchain, obviously you know that. I'm pretty biased, but anywhere there's inefficiencies, there's an opportunity for entrepreneurs and business leaders to put new business logic in place to capture that value. That's where the action will be. That's the innovation. And if IBM's innovation sandwich could work, you got a blockchain AI, data in the middle, everyone's going to be full and hungry and eat up everyone's lunch. So, Dave, that's the blockchain day. I'm John Furrier, with Dave Vellante, day three wall to wall coverage here at IBM Think in Las Vegas. More live coverage after this short break. (futuristic music)

>> Live from Los Angeles, it's theCube covering Open Source Summit North America 2017 brought to you by the Linux Foundation and Red Hat. >> Hey welcome back everyone, live here at Los Angeles, California it's theCUBE's exclusive coverage of the Open Source Summit in North America. I'm John Furrier, your host with my co-host Stu Miniman with Wikibon, and our next two guests, Alan Dickenson who is the program director of the blockchain platform at IBM and Shaun Frankson, who's the co-founder and TED speaker at a company called The Plastic Bank doing some truly amazing things with technology for the betterment of society and communities. We'll get this out in a second. Guys, welcome to theCUBE. >> Thanks for having us. >> So two important things honestly. IBM, well-known in the history books that's being written. Real proponent of Linux, they were one of the early guys in during that movement, with a billion dollars in cash. That's a big number. You guys went all in on Linux, good bet, Linux was successful, it's now the standard so congratulations. Now you have the same thing going on with Blockchain. IBM's got the big bet, the company's best brains at work working on blockchain, kind of reminds me of the Linux move back in the day. Pretty impressive. >> Yeah I mean, there's a lot going on with Blockchain and one of the reasons we're here is that this is a developer event. We really want to help accelerate technology adoption and with our platform we launched two weeks ago, we have a whole suite of capabilities that developers can use that's complimentary, that's free and they can use that to go and try blockchain with a Hyperledger Composer and they can experiment and work on blockchain projects. >> You know I love the IBM marketing department, they always have the best commercials. To me I also love the Smarter Planet and I think Shaun, I would like to give you a chance to talk about your amazing project you have going on. Take a minute to explain, you're up on stage here at the event, pretty compelling, great social good, real value. What's some tech behind it. Take a minute to talk about your work. >> At The Plastic Bank we make plastic waste a currency so in developing countries it can be too valuable to enter the ocean. So the mission to use technology to stop ocean plastic. So we create a recycling ecosystems all around the world where people can go out, recycle the plastic that's abundant in the environment, they can earn enough value to provide for their families, send their kids to school and we have this entire ecosystem where we gather the plastic, we have these incentive programs to sort it, recycle, then we actually sell it back to some of the world's largest corporations who can use that recycled social plastic in their products instead of using new plastic. Which means that every single product tells a story of stopping ocean plastic, reducing global poverty and this really allows just a responsible consumer to make a choice that's helping to stop ocean plastic in the end. >> Well great story I just want to drill down because this highlights couple of big trends we've seen in the Internet business as it got into Big Data. And certainly you guys know a lot about that at IBM. The collective intelligence idea of having these self-forming communities, you think of any problem. Recycling plastic, which is not that hard to do, you go to the placement. How do you get it institutionalized? Is the collective intelligence problem. So you got a clever idea to do this but you also have to support it. There's a lot of cost involved so how did you pull this together? What were some of the nuance to keep the incentives, to keep the motivation, to create the payouts. We all recycle our cans for five cents at some points in our lives, I remember when I was in college it helped me a lot. But it's a whole other scale here. Take a minute to talk about the technology. >> For sure. So we're starting in developing countries that essentially have almost no existing waste management systems so we're really starting from the ground and looking at the way of how do we remove the dangers of the cash-based systems, instead have an asset-backed token that we can safely distribute and create new abilities. So really we're dealing with the unbankable who can now for the first time, save and earn through recycling. So it's not really not looking of how do we go back to you know, what's been done in the past, it's how do we take an area and start with the best technology that exists to safely bring in these new systems. >> When you say unbankable, what does that mean? >> I mean sadly, but most of the world does not qualify for a bank account. They don't have the identity, they don't have the credit history, so it's simple concept of how do you save 200 dollars to send your kid to school. You essentially hide it under a mattress and hope that nothing happens in between. But when you can safely have a digital wallet, it's just instant savings. >> Mobile phone penetration is pretty high in these areas, so they might have mobility but no actual institutional credit bank account, am I getting that right? >> Oh exactly. It's amazing when we think there's countries with no power but who have phones. So that means the education of the mobile payments is still there, it's not a foreign concept, but now you can earn the tokens which can then even be converted into mobile payment. Again where recycling is the equal opportunity. >> So are you using the blockchain component, IBM blockchain, or are you guys using a derivatives, what's the tech? >> So we use IBM blockchain, Hyperledger Fabric and LinuxOne and you know it's a system designed to scale around the world without any interruptions and just it's a go big go at home and do it right. >> You mentioned LinuxOne and I believe there's some announcements week around how to secure containers even more and we've been trying LinuxOne, Linux on the mainframe for quite a few years. Give us the update on what's new. >> One of the new things that we're announcing at this year's show is Emperor II. It's a new Linux platform and it's the technology that's underpinning The Plastic Bank's blockchain. The other thing that we're announcing is the beta for Secure Services Containers. Around the globe we have a lot of cases where data is stolen and blockchain's another type of data, we don't want it to get stolen even though there's a lot of encryption in blockchain. We still don't want the data stolen and people trying to get at it. So we have this idea of Secure Service Containers that kind of wraps around the application and protects it from malware, protects it from insiders, can't see it, insider credentials get compromised, goes into the main ways, data gets stolen. You have to do it that way. Even if IBM gets a court order for us to reveal your blockchain data, we can't do it. It's protected and encrypted in this area, and only you have the encryption keys. So the beta for that is something we also announced today. And then two weeks ago we announced the blockchain platform, it's kind of a technology that we put in place to accelerate and help people. >> Security is a huge issue, I mean the ICO marker for instance, remind me of the old stagecoach robberies, right. You literally do like a multimillion dollar ICO, completely a secured, when you're getting your wallet getting snatched, you're getting hijacked, is that something that is related to that? Or is that just a point of the security is still an open book? I mean you can have secure transactions on the blockchain but you still got your wallets out there, so you got to have a wallet strategy. >> Most of the Secure Container technology can be used for any Linux application that you run when it's out of beta. Right now it's in beta. So we're looking for users that want to have a very secure application environment, running on Linux and sign then up for our beta. >> Shaun can you tell us, what led you to this solution? I'm sure security has got to be high on your list, the kind of financial transactions that are involved in it, but I have to say a young small company, mainframe is not the initial thing that we think of. >> Again, the only way to solve the global problems is really go on such a scale that we can have hundreds of millions of pounds provided to the world's largest companies. Which just means it's got to be large scale, no interruptions and for us, trust is the biggest thing. Investor trust, client trust, and just even everyone's trust that not only the financial side, but you know we're delivering a promise of social good, environmental justice, that if we get an irrefutable trust that it's just the right system, and to me, blockchain's a trust stamp, IBM's a trust stamp, LinuxOne is a trust stamp that just it's the right way to do it on a global scale. And for us it was global was the only way to go. >> And now of course, the supply chain is a channel that you're dealing with that blockchain is a good fit for. A lot of these early use cases, their supply chain like, well you got to keep track of a lot of moving parts and who's contributing to what. >> You can have a digital token that represents the physical asset and you can kind of track it through that way and blockchain can keep the information safe and documented so that you don't lose track of the value. >> Well we're super excited. As you know, we're looking at blockchain for our audience and our world, so it's interesting, a lot of the blockchain, certainly people see the hype and the scams out there and the ICO stuff, which is natural, they're early market, the underbelly kind of shows itself, we've seen that movie before. But, here's the thing that I've never seen in my career ever. Very often, when you have alpha geeks getting super excited, we're talking CTOs, really strong technical people, and A plus entrepreneurs, they're salivating at the blockchain opportunity because they're the canaries in the coal mines in my opinion on disruption opportunities. You seeing use cases where I can solve that problem, people with passion are going after these new opportunities that were ungettable before because you'd have to roll out this complex software product, all these costs to get started. Same pattern. >> We're seeing a lot of technology people get excited about it. But they understand the technology relatively quickly and they can get it. What seems to be slowing down a lot of blockchain adoption is more the linkages with other organizations because when you're exchanging value, you're passing it between one organization and another, and another and a value chain. And getting that value chain where you can articulate who it is, and codifying the ways that you work with the people in the value chain and create a smart contract around that, that's what we see slowing down the progress of blockchain. >> We had Brian Behlendorf on yesterday, he runs the SmartLedger project for the group and we talked about decentralizations versus distributive, we all know what distributive computing is, we've seen that. But now with decentralizations, he had a good quote, he said, minimum viable decentralization and 'cause if people think that you have to have a completely decentralized environment which I thought was a really good observation. >> I agree, I heard him say that and it reminded me of one of the steps we see in blockchain progression is we have to get a minimum viable ecosystem together. We see people sometimes biting off too big of a problem and one thing I like about The Plastic Bank's approach is that they try to get it working right somewhere first and then scale from there. And then the same thing with blockchain. You have to get your ecosystem defined, you have to get that working and then expand from there. And that's one of the things that we've designed into our blockchain platform, is the ability to govern a group of folks that are trying to exchange value and then also how to operate a blockchain once it's exchanging value with a group of folks. Things like, lets say you have a new version of Hyperledger Fabric, you want to take down your blockchain that's operating while you install the new version, but we've made sure that you can do that in a smooth way that keeps on running. >> You know Alan, that is a super smart observation. I hundred percent agree with you. I've always said this, and Stu and I and Dave, we talked about this. Blockchain is a community win. The community could win this together as the community participants increase in that kind of philosophy, the value increases. If it's a winner take all, it doesn't work, clearly. So what do you guys with the ecosystem? That's a good question. Are you guys investing in the ecosystem? Can you give some examples. Obviously you're supporting great projects. >> We've built a lot of technology but one of the things that is unique about IBM's approach to blockchain is the governance tools that we've created to help manage the ecosystem. We're the only blockchain partner out there right now that has these kind of ecosystem partner tools that can kind of speed the creation of bringing multi parties together and helping them think through how they should govern the creation and then also the operation of the blockchain. What if you want to add a few more members after your blockchain is running? That's a technology problem, but it's also a business problem. And will your blockchain keep running? >> Well we'll keep in touch, we definitely want to do a lot more coverage on what you guys are doing. I think it's instrumental, we're doing a lot of coverage as well on the ICO side, tracking that business side of it, but down on the enterprise it's a lot of activity coming and I think Accenture is going to do very well. Shaun, get back to you for a second. Want to ask you a quick question. On a personal note, what has been a learning from your process? You're doing, what seems to be probably an exciting and intoxicating job where you're making social good happen, using some tech. I mean, it's a cool project. Assuming there's been some bumps along the road like any other entrepreneurial venture. What are some of the learnings you've taken away from where you are today, where you've come from and what you achieved? What are some personal learnings? >> I think really the two biggest things is one, especially coming from just a entrepreneurial nature, it's not what you know, it's what you can figure out. There's always a how. And for us, when it was when you come up with such a giant idea and you just know where it's going and where it can go past there. Mentally just becoming the person capable of achieving what you are trying to achieve as compared to getting caught up on all the things you don't know, I mean the more you know, the more you know how much you don't know and it's really just getting inspired by the fact that whatever the next answer, whatever the next hiccup, whatever the next how, we'll figure it out. I might now know the answer, but I'm committed to figuring it out and committed to becoming the person capable of figuring it out. And you know it's a journey and process and an inspiring journey to be on. >> You got to dream the future to create it. What you're saying is it's a growth mindset, I love that growth mindset, say hey we're going to go after it, we're going to see some things and have to figure it out, that's a great mindset. Versus nervousness and insecurity. Good job, well done. Well congratulations on your success and thanks for coming on theCUBE, we really appreciate it. Alan, we look forward to chatting with you in the future and talking blockchain. IBM here on theCUBE with the great projects they're doing on blockchain and also they had an announcement a couple weeks ago around some really cutting edge value around food distribution and value chain so again, Smarter Planet, I know you guys do a lot of investments early on but congratulations, and continued success Shaun. Live coverage here from the Open Source Summit in Los Angeles, California. It's theCube, I'm John Furrier, Stu Minniman, be right back with more after this short break.