>> From theCUBE Studios in Palo Alto and Boston bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> After a two year hiatus, AWS re:Inforce is back on as an in-person event in Boston next week. Like the All-Star break in baseball, re:Inforce gives us an opportunity to evaluate the cyber security market overall, the state of cloud security and cross cloud security and more specifically what AWS is up to in the sector. Welcome to this week's Wikibon cube insights powered by ETR. In this Breaking Analysis we'll share our view of what's changed since our last cyber update in May. We'll look at the macro environment, how it's impacting cyber security plays in the market, what the ETR data tells us and what to expect at next week's AWS re:Inforce. We start this week with a checkpoint from Breaking Analysis contributor and stock trader Chip Simonton. We asked for his assessment of the market generally in cyber stocks specifically. So we'll summarize right here. We've kind of moved on from a narrative of the sky is falling to one where the glass is half empty you know, and before today's big selloff it was looking more and more like glass half full. The SNAP miss has dragged down many of the big names that comprise the major indices. You know, earning season as always brings heightened interest and this time we're seeing many cross currents. It starts as usual with the banks and the money centers. With the exception of JP Morgan the numbers were pretty good according to Simonton. Investment banks were not so great with Morgan and Goldman missing estimates but in general, pretty positive outlooks. But the market also shrugged off IBM's growth. And of course, social media because of SNAP is getting hammered today. The question is no longer recession or not but rather how deep the recession will be. And today's PMI data was the weakest since the start of the pandemic. Bond yields continue to weaken and there's a growing consensus that Fed tightening may be over after September as commodity prices weaken. Now gas prices of course are still high but they've come down. Tesla, Nokia and AT&T all indicated that supply issues were getting better which is also going to help with inflation. So it's no shock that the NASDAQ has done pretty well as beaten down as tech stocks started to look oversold you know, despite today's sell off. But AT&T and Verizon, they blamed their misses in part on people not paying their bills on time. SNAP's huge miss even after guiding lower and then refusing to offer future guidance took that stock down nearly 40% today and other social media stocks are off on sympathy. Meta and Google were off, you know, over 7% at midday. I think at one point hit 14% down and Google, Meta and Twitter have all said they're freezing new hires. So we're starting to see according to Simonton for the first time in a long time, the lower income, younger generation really feeling the pinch of inflation. Along of course with struggling families that have to choose food and shelter over discretionary spend. Now back to the NASDAQ for a moment. As we've been reporting back in mid-June and NASDAQ was off nearly 33% year to date and has since rallied. It's now down about 25% year to date as of midday today. But as I say, it had been, you know much deeper back in early June. But it's broken that downward trend that we talked about where the highs are actually lower and the lows are lower. That's started to change for now anyway. We'll see if it holds. But chip stocks, software stocks, and of course the cyber names have broken those down trends and have been trading above their 50 day moving averages for the first time in around four months. And again, according to Simonton, we'll see if that holds. If it does, that's a positive sign. Now remember on June 24th, we recorded a Breaking Analysis and talked about Qualcomm trading at a 12 X multiple with an implied 15% growth rate. On that day the stock was 124 and it surpassed 155 earlier this month. That was a really good call by Simonton. So looking at some of the cyber players here SailPoint is of course the anomaly with the Thoma Bravo 7 billion acquisition of the company holding that stock up. But the Bug ETF of basket of cyber stocks has definitely improved. When we last reported on cyber in May, CrowdStrike was off 23% year to date. It's now off 4%. Palo Alto has held steadily. Okta is still underperforming its peers as it works through the fallout from the breach and the ingestion of its Auth0 acquisition. Meanwhile, Zscaler and SentinelOne, those high flyers are still well off year to date, with Ping Identity and CyberArk not getting hit as hard as their valuations hadn't run up as much. But virtually all these tech stocks generally in cyber issues specifically, they've been breaking their down trend. So it will now come down to earnings guidance in the coming months. But the SNAP reaction is quite stunning. I mean, the environment is slowing, we know that. Ad spending gets cut in that type of market, we know that too. So it shouldn't be a huge surprise to anyone but as Chip Simonton says, this shows that sellers are still in control here. So it's going to take a little while to work through that despite the positive signs that we're seeing. Okay. We also turned to our friend Eric Bradley from ETR who follows these markets quite closely. He frequently interviews CISOs on his program, on his round tables. So we asked to get his take and here's what ETR is saying. Again, as we've reported while CIOs and IT buyers have tempered spending expectations since December and early January when they called for an 8% plus spending growth, they're still expecting a six to seven percent uptick in spend this year. So that's pretty good. Security remains the number one priority and also is the highest ranked sector in the ETR data set when you measure in terms of pervasiveness in the study. Within security endpoint detection and extended detection and response along with identity and privileged account management are the sub-sectors with the most spending velocity. And when you exclude Microsoft which is just dominant across the board in so many sectors, CrowdStrike has taken over the number one spot in terms of spending momentum in ETR surveys with CyberArk and Tanium showing very strong as well. Okta has seen a big dropoff in net score from 54% last survey to 45% in July as customers maybe put a pause on new Okta adoptions. That clearly shows in the survey. We'll talk about that in a moment. Look Okta still elevated in terms of spending momentum, but it doesn't have the dominant leadership position it once held in spend velocity. Year on year, according to ETR, Tenable and Elastic are seeing the biggest jumps in spending momentum, with SailPoint, Tanium, Veronis, CrowdStrike and Zscaler seeing the biggest jump in new adoptions since the last survey. Now on the downside, SonicWall, Symantec, Trellic which is McAfee, Barracuda and TrendMicro are seeing the highest percentage of defections and replacements. Let's take a deeper look at what the ETR data tells us about the cybersecurity space. This is a popular view that we like to share with net score or spending momentum on the Y axis and overlap or pervasiveness in the data on the X axis. It's a measure of presence in the data set we used to call it market share. With the data, the dot positions, you see that little inserted table, that's how the dots are plotted. And it's important to note that this data is filtered for firms with at least 100 Ns in the survey. That's why some of the other ones that we mentioned might have dropped off. The red dotted line at 40% that indicates highly elevated spending momentum and there are several firms above that mark including of course, Microsoft, which is literally off the charts in both dimensions in the upper right. It's quite incredible actually. But for the rest of the pack, CrowdStrike has now taken back its number one net score position in the ETR survey. And CyberArk and Okta and Zscaler, CloudFlare and Auth0 now Okta through the acquisition, are all above the 40% mark. You can stare at the data at your leisure but I'll just point out, make three quick points. First Palo Alto continues to impress and as steady as she goes. Two, it's a very crowded market still and it's complicated space. And three there's lots of spending in different pockets. This market has too many tools and will continue to consolidate. Now I'd like to drill into a couple of firms net scores and pick out some of the pure plays that are leading the way. This series of charts shows the net score or spending velocity or granularity for Okta, CrowdStrike, Zscaler and CyberArk. Four of the top pure plays in the ETR survey that also have over a hundred responses. Now the colors represent the following. Bright red is defections. We're leaving the platform. The pink is we're spending less, meaning we're spending 6% or worse. The gray is flat spend plus or minus 5%. The forest green is spending more, i.e, 6% or more and the lime green is we're adding the platform new. That red dotted line at the 40% net score mark is the same elevated level that we like to talk about. All four are above that target. Now that blue line you see there is net score. The yellow line is pervasiveness in the data. The data shown in each bar goes back 10 surveys all the way back to January 2020. First I want to call out that all four again are seeing down trends in spending momentum with the whole market. That's that blue line. They're seeing that this quarter, again, the market is off overall. Everybody is kind of seeing that down trend for the most part. Very few exceptions. Okta is being hurt by fewer new additions which is why we highlighted in red, that red dotted area, that square that we put there in the upper right of that Okta bar. That lime green, new ads are off as well. And the gray for Okta, flat spending is noticeably up. So it feels like people are pausing a bit and taking a breather for Okta. And as we said earlier, perhaps with the breach earlier this year and the ingestion of Auth0 acquisition the company is seeing some friction in its business. Now, having said that, you can see Okta's yellow line or presence in the data set, continues to grow. So it's a good proxy from market presence. So Okta remains a leader in identity. So again, I'll let you stare at the data if you want at your leisure, but despite some concerns on declining momentum, notice this very little red at these companies when it comes to the ETR survey data. Now one more data slide which brings us to our four star cyber firms. We started a tradition a few years ago where we sorted the ETR data by net score. That's the left hand side of this graphic. And we sorted by shared end or presence in the data set. That's the right hand side. And again, we filtered by companies with at least 100 N and oh, by the way we've excluded Microsoft just to level the playing field. The red dotted line signifies the top 10. If a company cracks the top 10 in both spending momentum and presence, we give them four stars. So Palo Alto, CrowdStrike, Okta, Fortinet and Zscaler all made the cut this time. Now, as we pointed out in May if you combined Auth0 with Okta, they jumped to the number two on the right hand chart in terms of presence. And they would lead the pure plays there although it would bring down Okta's net score somewhat, as you can see, Auth0's net score is lower than Okta's. So when you combine them it would drag that down a little bit but it would give them bigger presence in the data set. Now, the other point we'll make is that Proofpoint and Splunk both dropped off the four star list this time as they both saw marked declines in net score or spending velocity. They both got four stars last quarter. Okay. We're going to close on what to expect at re:Inforce this coming week. Re:Inforce, if you don't know, is AWS's security event. They first held it in Boston back in 2019. It's dedicated to cloud security. The past two years has been virtual and they announced that reinvent that it would take place in Houston in June, which everybody said, that's crazy. Who wants to go to Houston in June and turns out nobody did so they postponed the event, thankfully. And so now they're back in Boston, starting on Monday. Not that it's going to be much cooler in Boston. Anyway, Steven Schmidt had been the face of AWS security at all these previous events as the Chief Information Security Officer. Now he's dropped the I from his title and is now the Chief Security Officer at Amazon. So he went with Jesse to the mothership. Presumably he dropped the I because he deals with physical security now too, like at the warehouses. Not that he didn't have to worry about physical security at the AWS data centers. I don't know. Anyway, he and CJ Moses who is now the new CISO at AWS will be keynoting along with some others including MongoDB's Chief Information Security Officer. So that should be interesting. Now, if you've been following AWS you'll know they like to break things down into, you know, a couple of security categories. Identity, detection and response, data protection slash privacy slash GRC which is governance, risk and compliance, and we would expect a lot more talk this year on container security. So you're going to hear also product updates and they like to talk about how they're adding value to services and try to help, they try to help customers understand how to apply services. Things like GuardDuty, which is their threat detection that has machine learning in it. They'll talk about Security Hub, which centralizes views and alerts and automates security checks. They have a service called Detective which does root cause analysis, and they have tools to mitigate denial of service attacks. And they'll talk about security in Nitro which isolates a lot of the hardware resources. This whole idea of, you know, confidential computing which is, you know, AWS will point out it's kind of become a buzzword. They take it really seriously. I think others do as well, like Arm. We've talked about that on previous Breaking Analysis. And again, you're going to hear something on container security because it's the hottest thing going right now and because AWS really still serves developers and really that's what they're trying to do. They're trying to enable developers to design security in but you're also going to hear a lot of best practice advice from AWS i.e, they'll share the AWS dogfooding playbooks with you for their own security practices. AWS like all good security practitioners, understand that the keys to a successful security strategy and implementation don't start with the technology, rather they're about the methods and practices that you apply to solve security threats and a top to bottom cultural approach to security awareness, designing security into systems, that's really where the developers come in, and training for continuous improvements. So you're going to get heavy doses of really strong best practices and guidance and you know, some good preaching. You're also going to hear and see a lot of partners. They'll be very visible at re:Inforce. AWS is all about ecosystem enablement and AWS is going to host close to a hundred security partners at the event. This is key because AWS doesn't do it all. Interestingly, they don't even show up in the ETR security taxonomy, right? They just sort of imply that it's built in there even though they have a lot of security tooling. So they have to apply the shared responsibility model not only with customers but partners as well. They need an ecosystem to fill gaps and provide deeper problem solving with more mature and deeper security tooling. And you're going to hear a lot of positivity around how great cloud security is and how it can be done well. But the truth is this stuff is still incredibly complicated and challenging for CISOs and practitioners who are understaffed when it comes to top talent. Now, finally, theCUBE will be at re:Inforce in force. John Furry and I will be hosting two days of broadcast so please do stop by if you're in Boston and say hello. We'll have a little chat, we'll share some data and we'll share our overall impressions of the event, the market, what we're seeing, what we're learning, what we're worried about in this dynamic space. Okay. That's it for today. Thanks for watching. Thanks to Alex Myerson, who is on production and manages the podcast. Kristin Martin and Cheryl Knight, they helped get the word out on social and in our newsletters and Rob Hoff is our Editor in Chief over at siliconangle.com. You did some great editing. Thank you all. Remember all these episodes they're available, this podcast. Wherever you listen, all you do is search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com. You can get in touch with me by emailing avid.vellante@siliconangle.com or DM me @dvellante, or comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you in Boston next week if you're there or next time on Breaking Analysis (soft music)

>>live from San Francisco. It's the queue covering our essay conference 2020 San Francisco Brought to you by Silicon Angle Media >>Hey, welcome back here. Ready? Jeff Frick here with the Cube. We're in our 2020 the biggest security conference in the country, if not the world. I guess there's got to be 50,000 people. We'll get the official word tomorrow. It's our sixth year here and we're excited to be back. I'm not sure why. It's 2020. We're supposed to know everything at this point in time with the benefit on inside. We got two people that do. You know a lot. We're excited to have him. My left is Chris Bets is the SVP and chief security officer for Centurylink. Chris, Great to see you. And to his left is Chris Smith, VP Global security Services for Centurylink. Welcome. >>Thank you for having me. >>Absolutely. You guys just flew into town >>just for the conference's great To be here is always a really exciting space with just a ton of new technology coming out. >>So let's just jump into it. What I think is the most interesting and challenging part of this particular show we go to a lot of shows you 100 shows a year. I don't know that there's one that's got kind of the breadth and depth of vendors from the really, really big the really, really small that you have here. And, you know, with the expansion of Moscone, either even packing more women underneath Howard Street, what advice do you give to people who are coming here for the first time? Especially on more than the buyer side as to how do you navigate this place >>when I when I come here and see So I'm always looking at what the new technologies are. But honestly, having a new technology is not good enough. Attackers are coming up with new attacks all the time. The big trick for me is understanding how they integrate into my other solutions. So I'm not so I'm not just focused on the technology. I'm focused on how they all fit together. And so the vendors that have solutions that fit together that really makes a difference in my book. So I'm looking for for products that are designed to work with each other, not just separate >>from a practice standpoint. The theme of IRA say this year is the human element, and for us, if you look at this floor, it's overwhelming. And if you're a CSO of an average enterprise, it's hard to figure out what you need to buy and how to build a practice with all of the emerging tools. So for us core to our practice, I think any mature, 30 security practices having a pro services capability and consulting capability that can be solved this all together, that helps you understand what to buy, what things to piece together and how to make it all work >>right. And it's funny, the human element that is the kind of the global theme. And what's funny is for all the technology it sounds like. Still, the easiest way in is through the person, whether it's a phishing attack or there's a myriad of ways that people are getting him to the human. So that's kind of a special challenge or trying to use technology to help people do a better job. At the end of the day, sometimes you're squishy ISS or easier access point is not a piece of technology, but it's actually a person. It's >>often because We asked people to do the wrong things. We're having them. Focus on security steps. Use email. Security is an easy to grasp example way all go through training every year to teach folks how to make sure that they avoid clicking on the wrong emails for us more often than a year. So the downside of that is arresting people to take a step away from their job and try to figure out how to protect themselves. And is this a bad emails that are really focusing on the job? So that's why it's so important to me to make sure that we've got solutions that help make the human better and frankly, even worse in security. We don't have the staff that we need. And so how do we help Make sure that the right tools are there, that they work together. They automate because asking everybody to take those steps, it's just it's a recipe for disaster because people are going to make mistakes >>right? Let's go a little deeper into the email thing. A friend of mines and commercial real estate, and he was describing an email that he got from his banker describing a wire transfer from one of his suppliers that he has a regular, ongoing making relationship with. You know, it's not the bad pronunciation and bad grammar and kind of the things that used to jump out is an obvious. But he said it was super good to the point where thankfully, you know, it was just this time. But, you know, he called the banker like, did you just send me this thing? So you know where this as the sophistication of the bad guys goes up specifically targeting people, how do you try to keep up with how do you give them the tools to know Woe versus being efficient? I'm trying to get my job done. >>Yeah, for me, it starts with technology. That takes a look. We've only got so many security practitioners in the company. Actually. Defend your email example. We've got to defend every user from those kinds of problems. And so how do I find technology solutions that help take the load off security practitioners so they can focus on the niche examples that really, really well crafted emails and help take that load off user? Because users just not gonna be able to handle that right? It's not fair to ask them. And like you said, it was just poorly time that helped attack. So how do we help? Make sure that we're taking that technology load off, identify the threats in advance and protect them. And so I think one of the biggest things that Chris and I talk a lot about is how to our solutions help make it easier for people to secure themselves instead of just providing only technology technology advantage, >>our strategy for the portfolio and it sort of tied to the complexity. CN This floor is simplicity. So from our perspective, our goal is a network service provider is to deliver threat free traffic to our customers even before it gets to the human being. And we've got an announcement that we launched just a week ago in advance of the show called Rapid Threat Defense. And the idea is to take our mature threat Intel practice that Chris has a team of folks focused on that. We branded black Lotus labs and Way built a machine learning practice that takes all the bad things that we see out in the network and protects customers before it gets to their people. >>So that's an interesting take. You have the benefit of seeing a lot of network traffic from a lot of customers and not just the stuff that's coming into my building. So you get a much more aggregated approach, so tell us a little bit more about that. And what is the Black Lotus Labs doing? And I'm also curious from an industry point of view, you know, it's just a collaboration with the industry cause you guys are doing a lot of traffic. There's other big network providers carrying a lot of traffic. How well do you kind of work together when you identify some nasty new things that you're doing the horizon? And where do you draw the line between better together versus still independent environment? >>When we're talking about making the Internet safer, it's not really to me a lot about competitive environment. It's really about better together. That's one of things I love about the security community. I'm sure you see it every year when you're here. You're talking security practitioners how across every industry security folks work together to accomplish something that's meaningful. So as the largest world's largest global I P we get to see a ton of traffic, and it's really, really interesting we'll be able to put together, you know, at any given point in time. We're watching many tens of thousands of probable malware networks. We're protecting our customers from that. But we're also able to ourselves take down nearly 65 now where networks every month just knock them off the Internet. So identify the command and control, and we take it off the Internet. We work with our partners. We go talk to hosting providers, maybe competitors of ours. And we say, Hey, here's a bad, bad actors bad server that's being used to control now where? Going shut it down. And so the result of that is not only protecting our customers, but more importantly, protecting tens of thousands of customers every month. By removing now where networks that were attacking, that really makes a difference. To me, that's the biggest impact we bring. And so it really is a better together. It's a collaboration story and, of course, for said, we get the benefit of that information as we're developing it as we're building it, we can protect our customers right away while we're building the confidence necessary to take something as dramatic and action as shutting down on our network. Right. Unilaterally, >>Citrix. I was gonna ask you kind of the impact of I o t. Right in this in this crazy expansion of the tax services, when you hear about all the time with my favorite example, somebody told the story of attacking a casino through the connected thermometer in the fish tank in the lobby, which may or may not be true, is still a great story. Great story. But I'm curious, you know, looking at the network, feeding versus the devices connecting that's really in an interesting way to attack this proliferation of attack services. You're getting it before it necessarily gets to all these new points of presence doing it based on the source. For >>us, that's the only way to make it scalable. It is true that automation blocking it before it gets to the azure to a device. It is what will create simplicity and value for our customers. >>Right on the other piece of the automation. Of course, that we hear about all the time is there just aren't enough security professionals, period. So if you don't have the automation. You don't have the machine learning, as you said, to filter low hanging fruit and the focus your resource. If they need to be, you're not going to do it. The bad news is the bad guys, similar tools. So as you look at kind of the increase in speed of automation, the increase in automated connectivity between these devices making decisions amongst each other, how do you see that kind of evolving? But you're kind of role and making sure you stay a step ahead of the bad guys. For >>me, it's not about just automation. It's about allowing smart people to put their brains against hard problems, hard impactful problems and so on. So simply automating is not enough. It's making sure that automation is reducing the the load on people so that they're able to focus on those hard, unique problems really solve all those solutions and, yes, Attackers, Attackers build automation as well. And so if we're not building faster and better than we're falling behind, so like every other part of this race, it's about getting better, faster and why it's so important that technology work together because we're constantly throwing out more tools and if they don't work better together, even if we got incremental automation, these place way still miss overall because it's end to end that we need to defend ourselves and our customers >>layered on what he said. For the foreseeable future, you're gonna need smart security people that help protect your practice. Our goal in automation is take the road tasks out of out of the gate. They live so they can focus on the things that provide the most value protecting their enterprise. >>Right when you're looking, you talked about making sure things work together, for you talked about making sure things work together. How do you decide what's kind of on the top of the top of the stack, where everybody wants to own the single pane of glass? Everybody wants to be the control plane. Everybody wants to be that thing that's on your computer all the time, which is how you work your day to day. How do you kind of dictate what are the top level tools while still going out? And, he said, exploring some of these really cutting edge things out around the fringe, which don't necessarily have a full stack solution that you're going to rely on but might have some cool kind of point solutions if you will, or point products to help you plug some new and emerging holes. Yeah, >>yeah. So for us, yeah, we take security capabilities and we build them into the other things that we sell. So it's not a bolt on. So when you buy things from us, whether whether it's bandwidth or whether its SD wan and security comes baked in, so it's not something you have to worry about integrating later. It's an ingredient of the things that we sell in all of the automation that we build is built into our practice, So it's simple for our customers to understand, like, simple and then layered. On top of that, we've got a couple different ways that we bring pro services and consulting to our practice. So we've got a smart group of folks that could lean into staff, augment and sit on site, do just about anything to help customers build a practice from day zero to something more mature. But now we're toying with taking those folks in building them into products and services that we sell for 10 or 20 hours a month as an ingredient. So you get that consulting wrapper on top of the portfolio that we sell as a service provider. >>Get your take on kind of budgets and how people should think about their budgets. And when I think of security, I can't help but think of like insurance because you can't spend all your money on security. But you want to spend the right amount on security. But at the end of the day, you can't be 100% secure, right? So it's kind of kind of working the margins game, and you have to make trade offs in marketing, wants their money and product development, wants their money and sales, wants their money. So what people are trying to assess kind of the risk in their investment trade offs. What are some of the things they should be thinking about to determine what is the proper investment on security? Because it can't just be, you know, locker being 100% it's not realistic, and then all the money they help people frame that. >>Usually when companies come to us in, Centurylink plays in every different segment, all the way down to, you know, five people company all the way to the biggest multinationals on the planet. So that question is, in the budget is a little bit different, depending on the type of customer, the maturity and the lens are looking at it. So, typically, way have a group of folks that we call security account managers those our consultants and we bring them in either in a dedicated or a shared way. Help companies that's us, wear their practices today in what tool sets for use again things that they need to purchase and integrate to get to where they need to be >>really kind of a needs analysis based on gaps as much as anything else. >>That's part of the reason why we try to build prisons earlier, so many of the technologies into our solution so that so that you buy, you know, SD wan from us, and you get a security story is part of it is that that allows you to use the customer to save money and really have one seamless solution that provides that secure experience. We've been building firewalls and doing network based security for going on two decades now, in different places. So at this point, that is a good place that way, understand? Well, we can apply automation against it. We can dump, tail it into existing services and then allow focused on other areas of security. So it helps. From a financial standpoint, it also helps customers understand from where they put their talent. Because, as you talked about, it's all about talents even more so than money. Yes, we need to watch our budgets. But if you buy these tools, how do you know about the talent to deploy them? And easier You could make it to do that simpler. I think the better off right >>typical way had the most success selling security practices when somebody is either under attacker compromised right, then the budget opens right up, and it's not a problem anymore. So we thought about how to solve that commercially, and I'll just use Vitas is an example. We have a big D dos global DDOS practice that's designed to protect customers that have applications out on the Internet that are business critical, and if they go down, whether it's an e commerce or a trading site losing millions of dollars a day, and some companies have the money to buy that up front and just have it as a service. And some companies don't purchase it from us until they're under attack. And the legacy telco way of deploying that service was an order and a quote. You know, some days later, we turned it up. So we've invested with Christine the whole orchestration layer to turn it up in minutes and that months so you can go to our portal. You can enter a few simple commercial terms and turn it on when you need it. >>That's interesting. I was gonna ask you kind of how has cloud kind of changed the whole go to market and the way people think about it. And even then you hear people have stuff that's secure in the cloud, but they mis configured a switch left something open. But you're saying, too it enables you to deploy in a very, very different matter based on you know, kind of business conditions and not have that old, you know, get a requisite get a p o requisition order, install config. Take on another kind of crazy stuff. Okay, so before I let you go, last question. What are your kind of priorities for this show for Centurylink when it's top of mind, Obviously, you have the report and the Black Lotus. What do you guys really prioritizing for this next week? Here for Cisco. >>We're here to help customers. We have a number of customers, a lot of learning about our solutions, and that's always my priority. And I mentioned earlier we just put out a press release for rapid threat defense. So we're here to talk about that, and I think the industry and what we're doing this little bit differently. >>I get to work with Chris Motions Week with customers, which is kind of fun. The other part that I'm really excited about, things we spent a bunch of time with partners and potential partners. We're always looking at how we bring more, better together. So one of the things that we're both focused on is making sure that we're able to provide more solutions. So the trick is finding the right partners who are ready to do a P I level integration. The other things that Chris was talking about that really make this a seamless and experience, and I think we've got a set of them that are really, really interested in that. And so those conversations this week will be exceptionally well, I think that's gonna help build better technology for our customers even six months. >>Alright, great. Well, thanks for kicking off your week with the Cube and have a terrific week. Alright. He's Chris. He's Chris. I'm Jeff. You're watching the Cube. Where? The RSA Conference in downtown San Francisco. Thanks for watching. See you next time. >>Yeah, yeah.

>> Live from Barcelona, Spain, it's theCUBE. Covering Cisco Live! Europe. Brought to you by Cisco and its ecosystem partners. >> Welcome back to Cisco Live! in Barcelona. I'm Dave Vellante with my cohost, Stu Miniman. You're watching theCUBE, the leader in live tech coverage. This is day one of a three day segments that we're doing here at Cisco Live Barcelona. Bret Hartman is here as the CTO of Cisco Security Group. And we think of CUBE alone from way back, Bret. >> Way back, way back. >> Great to see you again. >> You bet. >> Thanks for coming on. So we're here to talk about Workload Security. >> Yep. >> What is that? What is Workload Security? >> What is Workload Security? So it's really the whole idea of how people secure applications today because applications aren't built the way they used to be. It's not the idea that you have an application that's just sitting running on a server anymore. Applications are actually built out of lots and lots of components. Those components may run in a typical data center, they may run in a cloud, they may be part of a SaaS solution, so you got all these different components that need to be plugged together. So the question is how do you possibly secure that when you have all these pieces, containers, and virtualized workloads all working together? That's the big question. >> Written oftentimes by different people with different skillsets. >> Different people, different services, yeah, open source, right. So all that somehow has to come together and you have to figure out how to secure it. That's question. >> And so what did you used to do with applications security? You used to just kind of figure it out at the end and bolt it on, is that? >> Pretty much, I mean, historically, people would do their best to secure their application. It would be kind of monolithic or three-tier, the web tier, app tier, database and that sort of thing. And then you'd also depend a lot on the infrastructure. You'd depend on firewalls, you'd depend on things on the edge to protect the application. The problem is there's not so much of an edge anymore when in that world I described you can't really rely so much on that infrastructure anymore. That's the shift of the world we know of. >> So what's the prescription today? How do you solve that problem? >> You know, there's a lot of ad hoc work. And so this whole notion, a lot of people talk about devsecops these days or sometimes it's devopssec, or there's all these different versions of that. But the whole idea of the devops world, the way people build applications today, and the security world, the security ops world are either coming together or colliding or crashing, right. And so it's getting those things to work. So right now, the way devops and secops works today is not particularly well. Lot of manual work, a lot of kind ad hoc scripts. But I will say probably over the last year, there's a lot more awareness that we need to figure this out to be able to merge these two things together. That's kind of the next stage. >> Bret, bring us inside that a little bit because if you listen to the devops people it's we got to do CICD. >> Yep. >> We need to move fast. And there was the myth out there, oh well, am I fast or am I secure? >> Right. >> I was reading some research recently and they said actually that's false trade off. Actually you can move fast and be more secure. But you raised a risk because you said if these are two separate things, and they're not working in lob step and it's not secure every step of the way in that part of your methodology then you're definitely going to break security. >> That's exactly right, and there's a basic question of how much of a responsibility the developers have to provide security anyway? I mean, historically, we don't really necessarily trust developers to care that much about security. Now as to your point, these days without the way people develop software today, they need to care more about 'em. But typically, it was the security operations folks. That was their responsibility. The developers could do whatever they wanted and the security folks kept them safe. Well, again, as you said you can't do that anymore. So the developers have to pull security into their development processes. >> Yeah, when I go to some of the container shows or the serverless shows, the people in the security space are like chanting up on stage, security is everyone's responsibility. >> Right. >> Which hasn't traditionally been the case. >> It has not, and so it's really what companies are working on now is how do the security operations people fit into that development process? And what are the tools? And again, it's a long, complicated set of infrastructure and other sorts of tools, but that's sort of the point. At Cisco, we're really working on evolving the security products and technology, so exactly it fits into that process, that's the goal. >> So I'm sure there's a maturity model, or a spectrum >> Yeah >> When you go out and talk to customers. Maybe we could poke at that a little bit. >> Sure. >> Describe that. So you're really talking about a world where it's team a sport. The regime is everybody's got to be involved. But oftentimes they're working for different people. >> Yep. >> Some are working for the CIO maybe some the CTO, some the CSO, maybe some other line of business. >> Different companies, contractors, providers, all that. >> Yeah. Right, partners. So what does that spectrum look like, and how are you helping customers take that journey? >> Yeah, so not surprisingly, companies that are born in the cloud, they're like this is old news. It's like this how they deal with it every day. A lot of those companies have the lower risk deployments anyway. The organizations that are really early days on this are the ones that have lots of existing investment in all that data center stuff. And they're trying to figure out how this is going to work. You talk to a typical bank, for example, their core business processes of how they protect money, they're not going to move to the cloud, right? So how did they evolve? And they, by the way, they have to deal with compliance requirements on all this other stuff. They can't play too fast and loose. So that's an example of something that's early days. But they are also working a lot in terms of evolving, moving to the cloud and having to be able to support that too. >> So when you engage with clients, I presume you try to assess kind of where they're at. >> Yep. >> And then figure out where they want to go and then how to best get 'em there. So what is Cisco's role in helping them get there? >> And so first of all, of course I represent the business group that builds the security products, right. So a lot of this and the reason why my group is so interested in this, and our security group at Cisco is so interested, is this really represents the future of security. This idea of having it much more embedded into the applications as opposed to purely being in the infrastructure. So what we're seeing for typical customers, like if I roll the clock back a year ago, and we talked about things like devsecops, they were like yeah, kind of an interesting problem, the one we just talked about, but it's like not quite ready for it. Now this is, I think every CSO, Chief Security Office, I talked to, very aware, have active engagements about how they're working with their devops groups. And are actively seeking for tools and technology to support them. So to me that's a good sign that it's... The world is moving in this direction. And as a security vendor, we need to evolve too. So that means things like evolving the way firewalls work, for example. It's not just about firewalls sitting at the edge. It means distributing firewall functionality. It means moving functionality into the pubic cloud, like AWS, and Google, and Azure. It means moving security up into the application itself. So it's a very different world than just a box sitting on the edge. That's the journey, and we're on that journey, too. And the industry is. I mean, it's not a solved problem for exactly how to do that. >> If we go back the early days, we were talking about that when theCUBE started in 2010, security really wasn't a board level topic back then. >> True. Or at least not for every company. There was certainly some companies >> Yeah, for sure. >> But now it's like you're right, every company cares about it. >> Right, and it comes up at every quarterly meeting, certainly every annual meeting. So what should ... How should the technical C side, the CIO, CTO, if they're invited into the board meeting, how should they be communicating to the board about security? >> That's a tough one. >> What should be the key messages? >> And to your point, I mean typically these days for most major corporations in the world, the Chief Security Officer is often presenting at every board meeting because cyber risk is such a big, big part of that risk. And this is a challenge, right, because to try to communicate all the tech required to manage that risk to a board, not so easy, right. It's like trying count how many malware threats stopped. It's like what'll they do with that? If you talk to our Chief Security Officer, Steve Martino here at Cisco, I mean, he talks a lot about first of all, having visibility. Being able to show how much visibility. How much can we see? And then how much can we control and show that the organization is making more and more progress in terms of just seeing what's out there so you don't have broke devices, and then putting controls in place. So you need some pretty big animal pictures, communication of being able to manage that, but you can never come in and say, yep guaranteed, we're secure. Or give it a number, it kind of has no meaning. >> But strategy, visibility, response mechanisms, preparedness, what the response protocol is that's the level of, it sounds like >> It's showing maturity of the >> level of communications. >> processes, really, and the ability to take that on as opposed to getting into the weeds of all the metrics that, it just don't. >> So, Bret, we've had multi vendors for a long time and even in the network space there's a lot of different pieces of the environment. How is multi cloud different from a security standpoint? >> Yeah, so the issue there, and kind of what I was hinting at, we talk about the way people build applications is that all those vendors, they all do security differently. Every one does security differently. It's all good, I mean. And for example, Amazon, Google, Microsoft, they're all making massive investments to secure their own clouds, which is awesome, but they're all also different. And then you have the SaaS vendors. You talk to Salesforce, Dropbox and Box, they have different security mechanisms. And then, of course, you have different ones in the enterprise. So from a Chief Security Officer's standpoint, reporting to the board, they want one policy. We want to protect sensitive corporate data. And then you have maybe 100 different security policies across all this mess. That's why it's different. Trying to manage the complexity and get the policies to work and get, of course all those platforms, you can't force it all to be the same. So a lot of what we're working on are really tools to do that. So you can, fitting back into that devops process, you can define high-level policies of how do you control that data and then map it to all those different platforms. That's the goal, that's how we get there, make progress. >> So you had a picture up in the keynotes today. It had users, devices kind of on one side of the network. And then applications and data on the other side of the network. And then the network in the middle and all those pieces fitting in. How does that affect how you think about security? We've talked a lot about applications, securing the applications. Are you thinking similarly about the data, or the devices, or even the users? Bad user behavior will trump great security every time. Where do those other pieces fit into the context? >> Well, of course, that's a big reason why we just acquired Duo Security. >> Yikes. >> Very significant acquisition there, which is exactly around trust of human beings as well as the devices. A key component that Cisco didn't have before that and fits in exactly to that point. I was a key strategic piece of that, of trust, defining trust. And yeah, that fits in. Obviously we already do lots on the device side. We do things like the Identity Service Engine to enforce access with the network. We have more and more on the applications side. Not so much in the data side yet. I mean, but as we move up the stack into the application it'll be around data too. But the network is a natural conversions point there. And the whole idea of having security embedded right into that network is of course why I'm at Cisco, right. That security is a critical thing that needs to be embedded in everything that Cisco does. >> Well, you've got an advantage in that you can do the ePacket inspection, you're in the network. I mean, that's fundamental. >> Security is really all about visibility. You don't have visibility, you have nothing. And Cisco has this incredible footprint, incredible telemetry across the world. I mean, all the statistics around Talos you probably seen. It's huge, right. And that's a big advantage that we have to really provide security. >> Awesome. Well, Brent, thank you for coming back on theCUBE. It's great to see you again. >> My pleasure. >> 'Preciate the update. >> Glad to see you again. >> All right, keep it right there everybody. Stu Miniman and Dave Vellante. You're watching theCUBE from Cisco Live! Barcelona. Stay right there, we'll be right back. (upbeat music)

>> Live from Washington DC, it's theCUBE. Covering AWS Public Sector Summit 2018. Brought to you by Amazon Web Services and it's ecosystem partners. >> Hey, welcome back everyone. This is theCUBE's exclusive coverage live in Washington DC at Amazon Web Services AWS Public Sector Summit. I mean, it's so jam-packed you can't even move. This is like the re:Invent for Public Sector even though it's a summit for Amazon Web Services. I'm here with Dave Vellante, my co-host. Our next guest is John Wood, Chairman and CEO of Telos, and Rick Tracy, Chief Security Officer and the co-inventor of Xacta, it's hot technology. John, great to see you, welcome to theCUBE. >> Thanks guys. >> Thanks for having us. >> I love to get the brain trust here, John you're, like, probably one of the most experienced cyber security gurus in the DC area still standing. (laughing) As we said last time on theCUBE. >> Always, always. >> Okay. (laughing) And you've got some patents here, with some core technology, so first of all, I want to, before we get into some of the cool features of the products, talk about the dynamic of public sector, because Amazon has these summits, and they're kind of like a recycled re:Invent. Small scale, still packed. Talk about what Public Sector Summit is, because this is a completely different ballgame in this world. >> Sure, it's a perfect age for the cloud, and what this summit does, is it provides a great venue for people to come, learn about what works, get best practices, find use cases and just see what the ecosystem's all about in terms of how to make it work with the cloud. >> Rick, so what's your take? >> Well, if there's any doubt about it, what, is it double the size of last year? I think there were 7,000 people here last year and Teresa said today 14,500. So, yeah, I mean, it suits us perfectly because this is our sweet spot. >> So, Dave and I are always amazed by Amazon in general, the slew of announcements, Teresa Carlson picking the reins up where Andy Jassy does that Amazon re:Invent which is just tons of content, so many new announcements. What's your guys take on the hot news for you guys, because you guys are a major sponsor and you're in the ecosystem, you've been doing a lot of business with Amazon. >> Sure. >> What's going on in the business? What's happening with Telos? Why is it so booming right now for you guys? >> Well, I think people realize that there is a way to use automation where security can help drive cloud adoption. So, Rick and I co-authored an article back in 2011 that talked about why the cloud was more secure and it went over kind of like a lead ballon. And then back in 2014 the agency made the decision, the CIA made the decision, arguably the most security conscious organization in the world, to go to the cloud. And so that was a big, big, big, deal. But what we do is we help drive the security automation and orchestration stuff so you can reduce the time it takes to get what's called your authority to operate. And so I think that's a big deal now. The use of automation is being used to enhance the mission, so that the mission owners can get to their mission using the cloud, much more quickly. >> And we heard from the most powerful sentence in the keynote this morning was, "The cloud on it's weakest day is more secure than Client Service Solutions." This is a practitioner saying that, a leader of an agency saying that, not Amazon or not Telos. >> Absolutely. >> And it's because of that automation, right? I mean, that's really a key factor. >> It's because of the automation. It's also because the cloud providers are making sure that they lock down their physical infrastructure. Guards, gates, guns. All of the physical infrastructure and the virtual infrastructure, they do a really good job of that. If you think about it, the US government, unfortunately, 80% of their spend is around maintaining old systems. Well, the cloud providers are keeping modern. Those old systems have a lot of weaknesses from a standpoint of cyber security flaws. So, with a modern technology like the cloud, there's a lot more you can do around automation to lock down much more quickly. >> And the standardization that you get with a cloud makes it's easier as well, because there's not so many variations of things that you have to figure out how to protect. So, the standardized services that everything's built on really helps. >> Yeah, and people are adopting cloud in kind of different ways, which makes it harder, too. But you get the benefits of scale and speed, certainly. But I got to just pick up on some big news that's happened just last night and today. Microsoft Azure suffered an 11 hour downtime across Europe. 11 hours Azure's down, Microsoft Azure. This is a huge concern. Downtime, security, these are issues, I mean, this is just like, so, what's going on with this? >> Well, the truth of the matter is, if you think about where Amazon is today, Amazon is light years ahead of the rest of the cloud guys. The reason for that is they made the decision early on to take the risk around cloud. As a result of that, they have so many lessons learned that are beyond all of the other cloud providers, that that wouldn't happen to Amazon today, because they'll be able to back up, replication and duplication if they have, and their environments. >> How big do you think that lead is? You know, there's a lot of debate in the industry that other guys are catching up. The other side of the coin is, no, actually the flywheel effect is a lot like Secretariat in the stretch run of the Belmont, you were talking about racing before. What's your sense of that lead, even subjectively. >> I think it's between 5 and 10 years. There was a, it was crickets in this world, in the public sector world for cloud up until, literally, the agency decided to adopt. So the CIA made that decision, that was, sort of, the shot heard around the world as it relates to cloud adoption. Not just for public sector but for commercial as well, 'cause if you look at Amazon's ramp up, right after that decision was made, their ramp up has been amazing. >> That was a watershed event, for sure. >> It was, and it was very well documented, I mean, I read the judges ruling on that when IBM tried to stop them and the judge eviscerated IBM. And of course IBM had no cloud at the time, they had to go out and spend two billion dollars on software. John has lots of opinions on that, but okay, so that leaves-- >> I'm on the right side of history on that call. >> I think you are, it was a pretty good call. What about, what should be practitioners be thinking about? You talked about the standardization. Where should they be focused? Is it on response, is it on analytics, is it on training? What should it be? >> Well, from our perspective it is, a lot of the focus is on analytics, right? So, a lot of data that we've helped our customers collect over time for this ATO process that John previously mentioned, our goal with IO, Xacta IO, is to help organizations leverage that data to do more through analytics, so there's this dashboard with ad hoc reporting and analytic capability that's going to allow them to blend asset data with risk-to-threat data, with other sorts of data that they're collecting for ATO, specifically for the ATO process, that they can use now for more robust cyber risk management. So, for me, analytics is huge moving forward. >> And that's a prioritization tool so they can focus on the things that matter, or maybe double-click on that? >> It could be, it could be a prioritization tool, but it could also be a tool that you use to anticipate what might happen, right? So, some analytics will help you determine this asset is vulnerable for these variety of reasons, therefore it has to go to the top of the sack for remediation. But also, using that data over time might help you understand that this plus this plus this is an indication that this bad thing is going to happen. And so, analytics, I think, falls into both categories. Probably it's more the forecasting and predictive is something that's going to come later but as you unmask more data and understand how to apply rules to that data, it will naturally come. So, Rick and I have worked together for many, many years and, over a quarter of a century, so the way I would say it is like this. Xacta 360 helps you to accelerate your authority to operate, but that's a point in time. The holy grail for us as security practitioners is all around continuous monitoring of your underlying risk. So, the data analytics that he's talking about, is where we come about and looking at Xacta IO. So, Xacta IO helps fulfill that mission of continuous compliance, which means that the ATO is no longer just relevant at that moment in time because we can do continuous monitoring now at scale, in hybrid environments, in the cloud, on prem. 'Cause our clients are huge, so they're going to be a combination of environments that they're sitting in, and they need to understand their underlying risk posture. They need to have, they're going to have all kinds of scanners, so we don't really care, we can ingest any kind of scanner that you have with Exact IO. As a result of that, the security professional can spend their time on the analysis and not the pedestrian stuff that's just kind of wasting time, like documentation and all that stuff. >> Yeah, for us, data's a means to an end, right? It's either to get an ATO or to help you understand where you need to be focusing your resources to remediate issues. So, for us, leveraging the data that's produced by many companies that are at this show. Their data is a means to help us get our job done. >> Were you able to have, one follow up, if I may, were you able to have an impact, to me, even, again, subjectively, on that number, whatever that number is, that we get infiltrated, the customer gets infiltrated, it's 300 days before they even realize it. Are you seeing an impact on that as a result of analytics, or is it too early days? >> I would say it's still early. But it's reasonable to expect that there will be benefits in terms of faster detection. And maybe it's not even detection at some point, hopefully, it's anticipating so that you're not detecting something bad already happened, it's avoiding it before it happens. >> Yeah, and let me say it this way, too. You know, if you listen to John Edwards, the CIO from the CIA, he talks about how the reason he loves the cloud is because it used to take the agency about a year to provision a server, now it's a few minutes, right? Well that's great, but if you can't get your authority to operate, 'cause that can take another 18 months, you're not going to get the benefit of the cloud, right? So what we do, is we help accelerate how fast you can get to that ATO so that guys like the agency and anybody else that wants to use the cloud can use it much more quickly, right? >> Yeah, and the continuous integration and all that monitoring is great for security but I've got to ask you a question. Analytics are super important, we all know data analysis now is in the center of the value proposition across the board, horizontally. Not just data warehousing, analytics that are used as instrumentation and variables into critical things like security. So, with that being said, if you believe that, the question is, how does that shape the architecture, if I'm in an agency or I'm a customer, I want to build a cloud architecture that's going to scale and do all those things, be up, not go down, and have security. How does the architecture change with the cloud formula for the decision maker? Because right now they're like, "Oh, should I do multi-cloud, should I just Amazon" So, the data is a critical architectural decision point. How do you guys see that shaping, what's your advice to practitioners around designing the cloud architecture for data in mind. Just use Amazon? (laughs) >> Well, yes. (laughs) Just use Amazon. I mean, all the tools that you need exist here, right, and so-- >> If all the tools you need in the cloud exist here. >> Alright, so rephrase another way. >> But John, the issue is you're not going to have all your stuff in the cloud if you're the air force or if you're the army, because you have 75 years of data that you got to push in. So over the next 10 years there's going to be this "hybrid" environment where you'll have some stuff in the cloud, some stuff in a hybrid world, some stuff on prem, right? >> How I secured that, so that's a great point. So, data's everywhere, so that means you're going to need to collect it and then measure certain things. What's the best way to secure it and then is that where Xacta fits in? I'm trying to put that together if I'm going to design my architecture and then go to procurement, whether it's on premise or multi-cloud. >> Well, there are lots of security products that people use to secure, whether you're on prem or whether you're in the cloud and our platform leverages that information to determine whether things are secure enough. So there's a distinction between cyber risk management and actually securing a database, right? So, there's so many granular point products that exist for different points along the security chain, lifecycle chain, if you will, that our objective is to ingest as much of that information and purpose it in a way that allows someone to understand whether they're actually secure or not. And so it's understanding your security posture, transforming that security information to risk so that you can prioritize, as you were talking about before. >> You're taking a platform mentality as opposed to a point product. >> We're taking an enterprise view of risk. So, the enterprise is, remember, it's on prem, and hybrid and cloud. If all your stuff is in the cloud, Amazon has the answer for you. None of our customers are in that situation. If you're a start up, Amazon's the way to go, period. But all of our customers have legacy. As a result of that it's an enterprise view of risk. That's why companies like Telos partner so well with Amazon because they're all about being close to the customer, they're all about using automation. We are as well. >> Alright, talk about the news you guys have, Xacta IO, you're the co-inventor of it, Jack. Talk about this product. What's the keys, what does it do, where's it applied to, you mentioned a little bit of getting past the authority time point there. What's the product about? The product is about ingesting massive amounts of information to facilitate the ATO process, one, but managing cyber risk more generically because not everybody has an ATO requirement. So, you asked a few seconds ago about, so you're taking a platform approach. Yes, we're blending three separate products that we currently have, taking that functionality and putting it on a very, very, robust platform that can exist on prem, it can exist in the cloud. To enable organizations to manage their cyber risk and if they choose, or they have a requirement, to deal with things like FedRAMP and risk management framework and cyber security framework and iso certification and things of that nature. The point is, not everyone has an ATO requirement but everyone has a need to manage their risk posture. So we're using our ability to ingest lots and lots of data from lots and lots of different sources. We're organizing that data in ways that allow an organization to understand compliance and/or risk and/or security, and visualize all that through some dashboard with ad hoc reporting that let's them blend that data across each other to get better insights about risk posture. >> And to visualize it in a way that makes sense to the user. >> Yes, so, if you're the CEO, you're going to want to see it a certain way. If you're the IT manager, you're going to want to see it a certain way. If you're a risk assessor, you're going to want to see it a different way. So that's kind of what we're talking about. >> I got to ask you one question, I know we got to go, but, a hardcore security practitioner once said to me that hardcore security practitioners, like you guys, when they were kids they used to dream about saving the world. So, I want to know, who's your favorite superhero? >> Superman. >> Superman? >> Spiderman. >> Alright, awesome. (laughing) >> That was a basic question for you guys. >> Thank you very much >> Yeah, that's the hardest question, see they're fast, they know. Star Trek or Star Wars? (laughing) >> Depends on the generation. >> We won't go there. theCUBE have 15 more minutes today. Okay, final question, what's this going to do for your business now you have new, opened up new windows with the new product integration. How's that going to change Telos, what does it do for you guys from a capabilities standpoint? >> Well, the big thing I'd suggest your listeners and your watchers to consider is, there's a new case study that just came out, it's published jointly by the CIA, Amazon and Telos, talking about why working together is really, really, really groundbreaking in terms of this movement to the cloud. 'Cause your public sector listeners and viewers are going to want to know about that because this ATO thing is really a problem. So this addresses a massive issue inside of the public sector. >> And final question, while you're here, just to get your thoughts, obviously there's a big change of the guard, if you will, from old guard to new guard, that's an Amazon term Andy Jassy uses. Also, we all saw the DOD deal, JEDI's right there on the table, a lot of people jockeying, kind of old school policy, lobbying, sales is changing. How is the landscape, from a vendor-supplies to the agencies changed and/or changing with this notion of how things were done in the past and the new school? So, three points, legislatively there's top cover, they understand the need to modernize, which is great. The executive branch understands the need to modernize through the IT modernization act as well as the cyber security executive order. And then lastly, there are use cases now that can show the way forward. Here's the problem. The IT infrastructure out there, the IT guys out there that do business in the government, many of them are not paid to be efficient, they're paid cost plus, they're paid time and material, that's no way to modernize. So, fundamentally, I think our customers understand that and they're going to revolutionize the move forward. >> And the rules are changing big time. Sole source, multi-source, I mean, Amazon's on record, I've got Teresa on record saying, "Look, if we don't want a sole source requirement, let everyone bid fairly." Let's see who wins. Who can bring a secret cloud to the table? No one else has that. >> In terms of past performance and customer use cases they're pretty much in the head, for sure. >> Great, Amazon kicking butt here, Telos, congratulations for a great event, thanks for coming on. >> Thanks a lot guys. >> I appreciate it. >> Alright, CUBE coverage here in DC, this is theCUBE, I'm John Furrier with Dave Vellante. Stay with us, we have more great interviews stacked up all day and all day tomorrow. Actually you have half day tomorrow until two 'o clock Eastern. Stay with us for more, we'll be right back. (upbeat music)

>> Narrator: Live from New York City, it's the CUBE covering CyberConnect 2017 brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> Okay welcome back everyone. This is the CUBE's live coverage in New York City exclusively with the CyberConnect 2017, it's an inaugural event presented by Centrify. It's not a Centrify event. Centrify one of the fastest growing security startups in Silicon Valley and around the world. It is underwriting this great event bringing industry, government and practitioners together to add value on top of the great security conversations. I'm John Furrier, your host with Dave Vellante, my co-host, my next guest is Bill Mann who's the Chief Product Officer with Centrify. Welcome back to the CUBE, great to see you. >> Hey, great to be here. >> Thanks and congratulations for you guys doing what I think is a great community thing, underwriting an event, not just trying to take the event, make it about Centrify, it's really an organically driven event with the team of customers you have, and industry consultants and practitioners, really, really great job, congratulations. >> Bill: Thank you. >> Alright so now let's get down to the meat of the conversation here at the show in the hallways is general's conversation, General Alexander talking about his experience at the NSA and the Fiber Command Center. Really kind of teasing out the future of what cyber will be like for an enterprise whether it's a slow moving enterprise or a fast moving bank or whatever, the realities are this is the biggest complexity and challenge of our generation. Identity's at the heart of it. You guys were called the foundational element of a new solution that has people have to coming together in a community model sharing data, talking to each other, why did he call you guys foundational? >> I think he's calling us foundational because I think he's realizing that having strong identity in an environment is kind of the keys to getting yourself in a better state of mind and a better security posture. If we look at the kind of the foundational principles of identity, it's really about making sure you know who the people are within your organization, by doing identity assurance so that's a foundational principle. The principle of giving people the least amount of access within an organization, that's a foundational principle. The principle of understanding what people did and then using that information and then adjusting policy, that's a foundational principle. I think that's the fundamental reason why he talks about it as a foundational principle and let's face it, most organizations are now connected to the Cloud, they've got mobile user, they've got outsourced IT so something's got to change, right. I mean the way we've been running security up until now. If it was that great, we wouldn't have had all the threats, right? >> And all kinds of silver bullets have been rolling out, Dave and I were commenting and Dave made a point on our intro today that there's no silver bullet in security, there's a lot of opportunities to solve problems but there's no, you can't buy one product. Now identity is a foundational element. Another interesting thing I want to get your reaction to was on stage was Jim from Aetna, the Chief Security Officer and he was kind of making fun with himself by saying I'm not a big computer science, I was a history major and he made a comment about his observation that when civilizations crumble, it's because of trust is lost. And kind of inferring that you can always connect the dots that trust in fundamental and that email security and most of the solutions are really killing the trust model rather than enhancing it and making it more secure so a holistic view of trust stability and enhancement can work in security. What's your reaction to that? >> So it's a complicated area. Trust is complicated let me just kind of baseline that for the moment. I think that we unfortunately, need to have better trust but the way we're approaching trust at the moment is the wrong way so let me give you a simple example. When we go, when we're at home and we're sleeping in our homes and the doors and windows are closed, we inherently trust the security of our environment because the doors and windows are closed but reality is the doors and windows can be really easily opened right, so we shouldn't be trusting that environment at all but we do so what we need to instead do is get to a place where we trust the known things in our environment very, very well and understand what are the unknown things in our environment so the known things in our environment can be people right, the identity of people, can be objects like knowing that this is really Bill's phone, it's a registered phone and it's got a device ID is better than having any phone being used for access so like I said, trust, it's complicated. >> John: But we don't know it has malware on there though. You could have malware. >> You could have malware on there but look, then you've got different levels of trust, right. You've got zero trust when you don't know anything about it. You've got higher levels of trust when you know it's got no malware. >> So known information is critical. >> Known information is critical and known information can then be used to make trust decisions but it's when we make decisions on trust without any information and where we infer that things are trustworthy when they shouldn't be like the home example where you think the doors are closed but it's so easy to break through them, that's when we infer trust so trust is something that we need to build within the environment with information about all the objects in the environment and that's where I think we can start building trust and that's I think how we have to approach the whole conversation about trust. Going back to your example, when you receive an email from somebody, you don't know if it came from that person right. Yet I'm talking to you, I trust that I'm talking to you, right, so that's where the breakdown happens and once we have that breakdown, society can breakdown as well. >> But going back to your device example so there are situations today. I mean you try to log on to your bank from your mobile device and it says do you want to remember this device, do you want to trust this device? Is that an example of what you're talking about and it might hit me a text with a two factor authentication. >> That's an example, that's absolutely an example of trust and then so there's a model in security called the zero trust model and I spoke about it earlier on today and that model of security is the foundational principles of that is understanding who the user is, understanding what endpoint or device they're coming from and that's exactly what you've described which is understanding the context of that device, the trustworthy of the device, you know the location of that device, the posture of that device. All of those things make that device more trustworthy than knowing nothing about that device and those are the kind of fundamental constructs of building trust within the organization now as opposed to what we've got at the moment is we're implying trust without any information about really trust right. I mean most of us use passwords and most of us use password, password so there's no difference between both of you, right and so how can I trust-- >> I've never done that. >> I know but how can we trust each other if we're using you know, data like that to describe ourselves. >> Or using the data in your Linkedin profile that could be socially engineered. >> Bill: Exactly. >> So there's all kinds of ways to crack the passwords so you brought up the trust so this is a, spoofing used to be a common thing but that's been resolved that some, you know same calling some techniques and other things but now when you actually have certificates being compromised, account compromised, that's where you know, you think you know who that person is but that's not who it is so this is a new dynamic and was pointed out in one of the sessions that this account, real compromises of identity is a huge issue. What are you guys doing to solve that problem? Have you solved that problem? >> We're addressing parts of solving that problem and the part of the problem that we're trying to solve is increasing the posture of multi factor authentication of that user so you know more certainty that this is really who that person is. But the fact of the matter is like you said earlier on, trying to reduce the risk down to zero is almost impossible and I think that's what we have to be all clear about in this market, this is not about reducing risk to zero, it's about getting the risk down to something which is acceptable for the type of business you are trying to work on so implementing MFA is a big part of what Centrify advocates within organizations. >> Explain MFA real quick. >> Oh, multi factor authentication. >> Okay, got it. >> Something that we're all used to when we're using, doing online banking at the moment but unfortunately most enterprises don't implement MFA for all the use cases that they need to be able to implement before. So I usually describe it as MFA everywhere and the reason I say MFA everywhere, it should be for all users, not a subset of the users. >> Should be all users, yeah. >> And it should be for all the accesses when they're accessing salesforce.com for concur so all the application, all the servers that they access, all the VPNs that they access, all the times that they request any kind of privilege command, you should reauthenticate them as well at different points in time. So implementing MFA like that can reduce the risk within the organization. >> So I buy that 100% and I love that direction, I'd ask you then a hard question. Anyone who's an Apple user these days knows how complicated MFA could be, I get this iCloud verification and it sends me a code to my phone which could be hacked potentially so you have all these kinds of complexities that could arise depending upon how complicated the apps are. So how should the industry think about simplifying and yet maintaining the security of the MFA across workloads so application one through n. >> So let me kind of separate the problems out so we focus on the enterprise use case so what you're describing is more the consumer use case but we have the same problem in the enterprise area as well but at least in the enterprise area I think that we're going to be able to address the problems sooner in the market. >> John: Because you have the identity baseline? >> One, we have the identity and there's less applications that the enterprise is using. >> It's not Apple. >> It's not like endpoints. >> But take Salesforce, that's as much of a pain, right. >> But with applications like Salesforce, and a lot of the top applications out there, the SaaS applications out there, they already support SAML as a mechanism for eliminating passwords altogether and a lot of the industry is moving towards using API mechanisms for authentication. Now your example for the consumer is a little bit more challenging because now you've got to get all these consumer applications to tie in and so forth right so that's going to be tougher to do but you know, we're focused on trying to solve the enterprise problem and even that is being a struggle in the industry. It's only now that you're seeing standards like SAML and OWASP getting implemented whereby we can make assertions about an identity and then an application can then consume that assertion and then move forward. >> Even in those situations if I may Bill, there's take the trust to another level which is there's a trusted third party involved in those situations. It might be Twitter, Linkedin, Facebook or Google, might be my bank, it might be RSA in some cases. Do you envision a day where we can eliminate the trusted third party with perhaps blockchain. >> Oh I actually do. Yeah, no, I do, I think the trusted third party model that we've got is broken fundamentally because if a break in to the bank, that's it, you know the third party trust but I'm a big fan of blockchain mainly because it's going to be a trusted end party right so there's going to be end parties that are vouching for Bill's identity on the blockchain so and it's going to be harder to get to all those end minors and convince them that they need to change their or break into them right. So yeah I'm a big fan of the trust model changing. I think that's going to be one of the biggest use cases for blockchain when it comes to trust and the way we kind of think about certificates and browsers and SSL certificates and so forth. >> I think you're right on the money and what i would add to that is looking at this conference, CyberConnect, one theme that I see coming out of this is I hear the word reimagining the future here, reimagining security, reimagining DNS, reimagining so a lot of the thought leaders that are here are talking about things like okay, here's what we have today. I'm not saying throwing it away but it's going to be completely different in the new world. >> Yeah and I think you know the important thing about the past is got to learn from the past and we got to apply some of the lessons to the future and things are just so different now. We know with microservices versus monolithic application architectures you know security used to be an afterthought before but you know, you talk to the average developer now, they want to add security in their applications, they realize that right so, and that's going to, I mean, maybe I'm being overly positive but I think that's going to take us to a better place. >> I think we're in a time. >> We need to be overly positive Bill. >> You're the chief officer, you have to have a 20 mouth stare and I think you know legacy always has been a thing we've heard in the enterprise but I just saw a quote on Twitter on the internet and it was probably, it's in quotes so it's probably right, it's motivating, a motivating quote. If you want to create the future, you've got to create a better version of the past and they kind of use taxis versus Uber obviously to answer of a shift in user behavior so that's happening in this industry. There's a shift of user experience, user expectations, changing internet infrastructure, you mentioned blockchain, a variety of other things so we're actually in a time where the better mouse trap actually will work. If you could come out with a great product that changes the economics and the paradigm or use case of an old legacy. So in a way by theory if you believe that, legacy shouldn't be a problem. >> You know and I certainly believe that. Having a kid who's in middle school at the moment, and the younger generation, to understand security way more than we ever used to and you know, this generation, this coming generation understands the difference between a password and a strong password and mobile be used as a second factor authentication so I think that the whole tide will rise here from a security perspective. I firmly believe that. >> Dave: You are an optimist. >> Well about government 'cause one thing that I liked about the talk here from the general was he was pretty straight talk and one of his points, I'm now generalizing and extrapolating out is that the HR side of government has to change in other words the organizational behavior of how people look at things but also the enterprise, we've heard that a lot in our Cloud coverage. Go back eight years when the Clouderati hit, oh DevOps is great but I can't get it through 'cause I've got to change my behavior of my existing staff. So the culture of the practitioners have to change. >> Bill: Yes, absolutely. >> 'Cause the new generation's coming. >> Oh absolutely, absolutely. I was speaking to a customer this morning who I won't mention and literally they told me that their whole staff has changed and they had to change their whole staff on this particular project around security because they found that the legacy thinking was there and they really wanted to move forward at a pace and they wanted to make changes that their legacy staff just wouldn't let 'em move forward with so basically, all of their staff had been changed and it was a memorable quote only because this company is a large organization and it's struggling with adopting new technologies and it was held back. It was not held back because of product or strategies, >> John: Or willingness. >> Or willingness. It was held back by people who were just concerned and wanted to stick to the old way of doing things and that has to change as well so I think you know, there's times will change and I think this is one of those times where security is one of those times where you got to push through change otherwise I mean I'm also a believer that security is a competitive advantage for an organization as well and if you stick with the past, you're not going to be able to compete in the future. >> Well, and bad user behavior will always trump good security. It was interesting to hear Jim Routh today talk about unconventional message and I was encouraged, he said, you know spoofing, we got DMARC, look alike domains, we got sink holes, display name deception, we've got, you know we can filter the incoming and then he talked about compromised accounts and he said user education and I went oh, but there's hope as an optimist so you've got technologies on the horizon to deal with that even right so you. >> I'm also concerned that the pace at which the consumer world is moving forward on security, online banking and even with Google and so forth that the new generation will come into the workforce and be just amazed how legacy the environments are right, 'cause the new generation is used to using you know, Google Cloud, Google Mail, Google everything and everything works, it's all integrated already and if they're coming to the workplace and that workplace is still using legacy technologies right, they're not going to be able to hire those people. >> Well I'll give you an example. When I went to college, I was the first generation, computer science major that didn't have to use punch cards and I was blown away like actually people did that like what, who the hell would ever do that? And so you know, I was the younger guy coming up, it was like, I was totally looking down. >> Dave: That's ridiculous. >> I would thank God I don't do that but they loved it 'cause they did it. >> I mean I've got the similar story, I was the first generation in the UK. We were the first Mac-Lab in the UK, our university had the first large Mac, Apple Macintosh Lab so when I got into the workplace and somebody put a PC in front of me, I was like hold on, where's the mouse, where's the windows, I couldn't handle it so I realized that right so I think we're at that kind of junction at the moment as well. >> We got two minutes left and I want to ask you kind of a question around the comment you just made a minute ago around security as a competitive advantage. This is really interesting, I mean you really can't say security is a profit center because you don't sell security products if you're deploying state of the art security practices but certainly it shouldn't be a cost center so we've seen on our CUBE interviews over the past year specifically, the trend amongst CCOs and practitioners is when pressed, they say kind of, I'm again generalizing the trend, we're unbundling the security department from IT and making it almost a profit center reporting to the board and or the highest levels, not like a profit center but in a way, that's the word they use because if we don't do that, our ability to make a profit is there so you've brought up competitive strategy, you have to have a security and it's not going to be underneath an IT umbrella. I'm not saying everyone's doing it but the trend was to highlight that they have to break out security as a direct report as if it was a profit center because their job is so critical, they don't want to be caught in an IT blanket. Do you see that trend and your comment and reaction to that statement? >> I see that trend but I see it from a perspective of transparency so I think that taking security out of the large umbrella of IT and given its own kind of foundation, own reporting structure is all about transparency and I think that modern organizations understand now the impact a breach can have to a company. >> John: Yeah, puts you out of business. >> Right, it puts you out of business right. You lose customers and so forth so I think having a security leader at the table to be able to describe what they're doing is giving the transparency for decision makers within the organization and you know, one of my other comments about it being a competitive advantage, I personally think let's take the banking arena, it's so easy to move from bank A to bank B and I personally think that people will stay with a certain bank if that bank has more security features and so forth. I mean you know, savings, interest rates going to be one thing and mortgage rates are going to be one thing but if all things are even. >> It's a product feature. >> It's a product feature and I think that again, the newer generation is looking for features like that, because they're so much more aware of the threat landscape. So I think that's one of the reasons why I think it's a competitive advantage but I agree with you, having more visibility for an organization is important. >> You can't make a profit unless the lights are on, the systems are running and if you have a security hack and you're not running, you can't make a profit so it's technically a profit center. Bill I believe you 100% on the competitive strategy. It certainly is going to be table stakes, it's part of the product and part of the organization's brand, everything's at stake. Big crisis, crisis of our generation, cyber security, cyber warfare for the government, for businesses as a buzz thing and business, this is the Centrify presented event underwritten by Centrify here in New York City. CyberConnect 2017, the CUBE's exclusive coverage. More after this short break. (electronic jingle)