(upbeat music) >> Hi everyone. Welcome back to this Cube conversation here in Palo Alto, California. I'm John Furrier, host of "theCUBE." Got a great conversation around Cloud Native, Cloud Native Journey, how enterprises are looking at Cloud Native and putting it all together. And it comes down to operations, developer productivity, and security. It's the hottest topic in technology. We got Chris Jones here in the studio, director of Product Management for Platform9. Chris, thanks for coming in. >> Hey, thanks. >> So when we always chat about, when we're at KubeCon. KubeConEU is coming up and in a few, in a few months, the number one conversation is developer productivity. And the developers are driving all the standards. It's interesting to see how they just throw everything out there and whatever gets adopted ends up becoming the standard, not the old school way of kind of getting stuff done. So that's cool. Security Kubernetes and Containers are all kind of now that next level. So you're starting to see the early adopters moving to the mainstream. Enterprises, a variety of different approaches. You guys are at the center of this. We've had a couple conversations with your CEO and your tech team over there. What are you seeing? You're building the products. What's the core product focus right now for Platform9? What are you guys aiming for? >> The core is that blend of enabling your infrastructure and PlatformOps or DevOps teams to be able to go fast and run in a stable environment, but at the same time enable developers. We don't want people going back to what I've been calling Shadow IT 2.0. It's, hey, I've been told to do something. I kicked off this Container initiative. I need to run my software somewhere. I'm just going to go figure it out. We want to keep those people productive. At the same time we want to enable velocity for our operations teams, be it PlatformOps or DevOps. >> Take us through in your mind and how you see the industry rolling out this Cloud Native journey. Where do you see customers out there? Because DevOps have been around, DevSecOps is rocking, you're seeing AI, hot trend now. Developers are still in charge. Is there a change to the infrastructure of how developers get their coding done and the infrastructure, setting up the DevOps is key, but when you add the Cloud Native journey for an enterprise, what changes? What is the, what is the, I guess what is the Cloud Native journey for an enterprise these days? >> The Cloud Native journey or the change? When- >> Let's start with the, let's start with what they want to do. What's the goal and then how does that happen? >> I think the goal is that promise land. Increased resiliency, better scalability, and overall reduced costs. I've gone from physical to virtual that gave me a higher level of density, packing of resources. I'm moving to Containers. I'm removing that OS layer again. I'm getting a better density again, but all of a sudden I'm running Kubernetes. What does that, what does that fundamentally do to my operations? Does it magically give me scalability and resiliency? Or do I need to change what I'm running and how it's running so it fits that infrastructure? And that's the reality, is you can't just take a Container and drop it into Kubernetes and say, hey, I'm now Cloud Native. I've got reduced cost, or I've got better resiliency. There's things that your engineering teams need to do to make sure that application is a Cloud Native. And then there's what I think is one of the largest shifts of virtual machines to containers. When I was in the world of application performance monitoring, we would see customers saying, well, my engineering team have this Java app, and they said it needs a VM with 12 gig of RAM and eight cores, and that's what we gave it. But it's running slow. I'm working with the application team and you can see it's running slow. And they're like, well, it's got all of its resources. One of those nice features of virtualization is over provisioning. So the infrastructure team would say, well, we gave it, we gave it all a RAM it needed. And what's wrong with that being over provisioned? It's like, well, Java expects that RAM to be there. Now all of a sudden, when you move to the world of containers, what we've got is that's not a set resource limit, really is like it used to be in a VM, right? When you set it for a container, your application teams really need to be paying attention to your resource limits and constraints within the world of Kubernetes. So instead of just being able to say, hey, I'm throwing over the fence and now it's just going to run on a VM, and that VMs got everything it needs. It's now really running on more, much more of a shared infrastructure where limits and constraints are going to impact the neighbors. They are going to impact who's making that decision around resourcing. Because that Kubernetes concept of over provisioning and the virtualization concept of over provisioning are not the same. So when I look at this problem, it's like, well, what changed? Well, I'll do my scale tests as an application developer and tester, and I'd see what resources it needs. I asked for that in the VM, that sets the high watermark, job's done. Well, Kubernetes, it's no longer a VM, it's a Kubernetes manifest. And well, who owns that? Who's writing it? Who's setting those limits? To me, that should be the application team. But then when it goes into operations world, they're like, well, that's now us. Can we change those? So it's that amalgamation of the two that is saying, I'm a developer. I used to pay attention, but now I need to pay attention. And an infrastructure person saying, I used to just give 'em what they wanted, but now I really need to know what they've wanted, because it's going to potentially have a catastrophic impact on what I'm running. >> So what's the impact for the developer? Because, infrastructure's code is what everybody wants. The developer just wants to get the code going and they got to pay attention to all these things, or don't they? Is that where you guys come in? How do you guys see the problem? Actually scope the problem that you guys solve? 'Cause I think you're getting at I think the core issue here, which is, I've got Kubernetes, I've got containers, I've got developer productivity that I want to focus on. What's the problem that you guys solve? >> Platform operation teams that are adopting Cloud Native in their environment, they've got that steep learning curve of Kubernetes plus this fundamental change of how an app runs. What we're doing is taking away the burden of needing to operate and run Kubernetes and giving them the choice of the flexibility of infrastructure and location. Be that an air gap environment like a, let's say a telco provider that needs to run a containerized network function and containerized workloads for 5G. That's one thing that we can deploy and achieve in a completely inaccessible environment all the way through to Platform9 running traditionally as SaaS, as we were born, that's remotely managing and controlling your Kubernetes environments on-premise AWS. That hybrid cloud experience that could be also Bare Metal, but it's our platform running your environments with our support there, 24 by seven, that's proactively reaching out. So it's removing a lot of that burden and the complications that come along with operating the environment and standing it up, which means all of a sudden your DevOps and platform operations teams can go and work with your engineers and application developers and say, hey, let's get, let's focus on the stuff that, that we need to be focused on, which is running our business and providing a service to our customers. Not figuring out how to upgrade a Kubernetes cluster, add new nodes, and configure all of the low level. >> I mean there are, that's operations that just needs to work. And sounds like as they get into the Cloud Native kind of ops, there's a lot of stuff that kind of goes wrong. Or you go, oops, what do we buy into? Because the CIOs, let's go, let's go Cloud Native. We want to, we got to get set up for the future. We're going to be Cloud Native, not just lift and shift and we're going to actually build it out right. Okay, that sounds good. And when we have to actually get done. >> Chris: Yeah. >> You got to spin things up and stand up the infrastructure. What specifically use case do you guys see that emerges for Platform9 when people call you up and you go talk to customers and prospects? What's the one thing or use case or cases that you guys see that you guys solve the best? >> So I think one of the, one of the, I guess new use cases that are coming up now, everyone's talking about economic pressures. I think the, the tap blows open, just get it done. CIO is saying let's modernize, let's use the cloud. Now all of a sudden they're recognizing, well wait, we're spending a lot of money now. We've opened that tap all the way, what do we do? So now they're looking at ways to control that spend. So we're seeing that as a big emerging trend. What we're also sort of seeing is people looking at their data centers and saying, well, I've got this huge legacy environment that's running a hypervisor. It's running VMs. Can we still actually do what we need to do? Can we modernize? Can we start this Cloud Native journey without leaving our data centers, our co-locations? Or if I do want to reduce costs, is that that thing that says maybe I'm repatriating or doing a reverse migration? Do I have to go back to my data center or are there other alternatives? And we're seeing that trend a lot. And our roadmap and what we have in the product today was specifically built to handle those, those occurrences. So we brought in KubeVirt in terms of virtualization. We have a long legacy doing OpenStack and private clouds. And we've worked with a lot of those users and customers that we have and asked the questions, what's important? And today, when we look at the world of Cloud Native, you can run virtualization within Kubernetes. So you can, instead of running two separate platforms, you can have one. So all of a sudden, if you're looking to modernize, you can start on that new infrastructure stack that can run anywhere, Kubernetes, and you can start bringing VMs over there as you are containerizing at the same time. So now you can keep your application operations in one environment. And this also helps if you're trying to reduce costs. If you really are saying, we put that Dev environment in AWS, we've got a huge amount of velocity out of it now, can we do that elsewhere? Is there a co-location we can go to? Is there a provider that we can go to where we can run that infrastructure or run the Kubernetes, but not have to run the infrastructure? >> It's going to be interesting too, when you see the Edge come online, you start, we've got Mobile World Congress coming up, KubeCon events we're going to be at, the conversation is not just about public cloud. And you guys obviously solve a lot of do-it-yourself implementation hassles that emerge when people try to kind of stand up their own environment. And we hear from developers consistency between code, managing new updates, making sure everything is all solid so they can go fast. That's the goal. And that, and then people can get standardized on that. But as you get public cloud and do it yourself, kind of brings up like, okay, there's some gaps there as the architecture changes to be more distributed computing, Edge, on-premises cloud, it's cloud operations. So that's cool for DevOps and Cloud Native. How do you guys differentiate from say, some the public cloud opportunities and the folks who are doing it themselves? How do you guys fit in that world and what's the pitch or what's the story? >> The fit that we look at is that third alternative. Let's get your team focused on what's high value to your business and let us deliver that public cloud experience on your infrastructure or in the public cloud, which gives you that ability to still be flexible if you want to make choices to run consistently for your developers in two different locations. So as I touched on earlier, instead of saying go figure out Kubernetes, how do you upgrade a hundred worker nodes in place upgrade. We've solved that problem. That's what we do every single day of the week. Don't go and try to figure out how to upgrade a cluster and then upgrade all of the, what I call Kubernetes friends, your core DNSs, your metrics server, your Kubernetes dashboard. These are all things that we package, we test, we version. So when you click upgrade, we've already handled that entire process. So it's saying don't have your team focused on that lower level piece of work. Get them focused on what is important, which is your business services. >> Yeah, the infrastructure and getting that stood up. I mean, I think the thing that's interesting, if you look at the market right now, you mentioned cost savings and recovery, obviously kind of a recession. I mean, people are tightening their belts for sure. I don't think the digital transformation and Cloud Native spend is going to plummet. It's going to probably be on hold and be squeezed a little bit. But to your point, people are refactoring looking at how to get the best out of what they got. It's not just open the tap of spend the cash like it used to be. Yeah, a couple months, even a couple years ago. So okay, I get that. But then you look at the what's coming, AI. You're seeing all the new data infrastructure that's coming. The containers, Kubernetes stuff, got to get stood up pretty quickly and it's got to be reliable. So to your point, the teams need to get done with this and move on to the next thing. >> Chris: Yeah, yeah, yeah. >> 'Cause there's more coming. I mean, there's a lot coming for the apps that are building in Data Native, AI-Native, Cloud Native. So it seems that this Kubernetes thing needs to get solved. Is that kind of what you guys are focused on right now? >> So, I mean to use a customer, we have a customer that's in AI/ML and they run their platform at customer sites and that's hardware bound. You can't run AI machine learning on anything anywhere. Well, with Platform9 they can. So we're enabling them to deliver services into their customers that's running their AI/ML platform in their customer's data centers anywhere in the world on hardware that is purpose-built for running that workload. They're not Kubernetes experts. That's what we are. We're bringing them that ability to focus on what's important and just delivering their business services whilst they're enabling our team. And our 24 by seven proactive management are always on assurance to keep that up and running for them. So when something goes bump at the night at 2:00am, our guys get woken up. They're the ones that are reaching out to the customer saying, your environments have a problem, we're taking these actions to fix it. Obviously sometimes, especially if it is running on Bare Metal, there's things you can't do remotely. So you might need someone to go and do that. But even when that happens, you're not by yourself. You're not sitting there like I did when I worked for a bank in one of my first jobs, three o'clock in the morning saying, wow, our end of day processing is stuck. Who else am I waking up? Right? >> Exactly, yeah. Got to get that cash going. But this is a great use case. I want to get to the customer. What do some of the successful customers say to you for the folks watching that aren't yet a customer of Platform9, what are some of the accolades and comments or anecdotes that you guys hear from customers that you have? >> It just works, which I think is probably one of the best ones you can get. Customers coming back and being able to show to their business that they've delivered growth, like business growth and productivity growth and keeping their organization size the same. So we started on our containerization journey. We went to Kubernetes. We've deployed all these new workloads and our operations team is still six people. We're doing way more with growth less, and I think that's also talking to the strength that we're bringing, 'cause we're, we're augmenting that team. They're spending less time on the really low level stuff and automating a lot of the growth activity that's involved. So when it comes to being able to grow their business, they can just focus on that, not- >> Well you guys do the heavy lifting, keep on top of the Kubernetes, make sure that all the versions are all done. Everything's stable and consistent so they can go on and do the build out and provide their services. That seems to be what you guys are best at. >> Correct, correct. >> And so what's on the roadmap? You have the product, direct product management, you get the keys to the kingdom. What is, what is the focus? What's your focus right now? Obviously Kubernetes is growing up, Containers. We've been hearing a lot at the last KubeCon about the security containers is getting better. You've seen verification, a lot more standards around some things. What are you focused on right now for at a product over there? >> Edge is a really big focus for us. And I think in Edge you can look at it in two ways. The mantra that I drive is Edge must be remote. If you can't do something remotely at the Edge, you are using a human being, that's not Edge. Our Edge management capabilities and being in the market for over two years are a hundred percent remote. You want to stand up a store, you just ship the server in there, it gets racked, the rest of it's remote. Imagine a store manager in, I don't know, KFC, just plugging in the server, putting in the ethernet cable, pressing the power button. The rest of all that provisioning for that Cloud Native stack, Kubernetes, KubeVirt for virtualization is done remotely. So we're continuing to focus on that. The next piece that is related to that is allowing people to run Platform9 SaaS in their data centers. So we do ag app today and we've had a really strong focus on telecommunications and the containerized network functions that come along with that. So this next piece is saying, we're bringing what we run as SaaS into your data center, so then you can run it. 'Cause there are many people out there that are saying, we want these capabilities and we want everything that the Platform9 control plane brings and simplifies. But unfortunately, regulatory compliance reasons means that we can't leverage SaaS. So they might be using a cloud, but they're saying that's still our infrastructure. We're still closed that network down, or they're still on-prem. So they're two big priorities for us this year. And that on-premise experiences is paramount, even to the point that we will be delivering a way that when you run an on-premise, you can still say, wait a second, well I can send outbound alerts to Platform9. So their support team can still be proactively helping me as much as they could, even though I'm running Platform9s control plane. So it's sort of giving that blend of two experiences. They're big, they're big priorities. And the third pillar is all around virtualization. It's saying if you have economic pressures, then I think it's important to look at what you're spending today and realistically say, can that be reduced? And I think hypervisors and virtualization is something that should be looked at, because if you can actually reduce that spend, you can bring in some modernization at the same time. Let's take some of those nos that exist that are two years into their five year hardware life cycle. Let's turn that into a Cloud Native environment, which is enabling your modernization in place. It's giving your engineers and application developers the new toys, the new experiences, and then you can start running some of those virtualized workloads with KubeVirt, there. So you're reducing cost and you're modernizing at the same time with your existing infrastructure. >> You know Chris, the topic of this content series that we're doing with you guys is finding the right path, trusting the right path to Cloud Native. What does that mean? I mean, if you had to kind of summarize that phrase, trusting the right path to Cloud Native, what does that mean? It mean in terms of architecture, is it deployment? Is it operations? What's the underlying main theme of that quote? What's the, what's? How would you talk to a customer and say, what does that mean if someone said, "Hey, what does that right path mean?" >> I think the right path means focusing on what you should be focusing on. I know I've said it a hundred times, but if your entire operations team is trying to figure out the nuts and bolts of Kubernetes and getting three months into a journey and discovering, ah, I need Metrics Server to make something function. I want to use Horizontal Pod Autoscaler or Vertical Pod Autoscaler and I need this other thing, now I need to manage that. That's not the right path. That's literally learning what other people have been learning for the last five, seven years that have been focused on Kubernetes solely. So the why- >> There's been a lot of grind. People have been grinding it out. I mean, that's what you're talking about here. They've been standing up the, when Kubernetes started, it was all the promise. >> Chris: Yep. >> And essentially manually kind of getting in in the weeds and configuring it. Now it's matured up. They want stability. >> Chris: Yeah. >> Not everyone can get down and dirty with Kubernetes. It's not something that people want to generally do unless you're totally into it, right? Like I mean, I mean ops teams, I mean, yeah. You know what I mean? It's not like it's heavy lifting. Yeah, it's important. Just got to get it going. >> Yeah, I mean if you're deploying with Platform9, your Ops teams can tinker to their hearts content. We're completely compliant upstream Kubernetes. You can go and change an API server flag, let's go and mess with the scheduler, because we want to. You can still do that, but don't, don't have your team investing in all this time to figure it out. It's been figured out. >> John: Got it. >> Get them focused on enabling velocity for your business. >> So it's not build, but run. >> Chris: Correct? >> Or run Kubernetes, not necessarily figure out how to kind of get it all, consume it out. >> You know we've talked to a lot of customers out there that are saying, "I want to be able to deliver a service to my users." Our response is, "Cool, let us run it. You consume it, therefore deliver it." And we're solving that in one hit versus figuring out how to first run it, then operate it, then turn that into a consumable service. >> So the alternative Platform9 is what? They got to do it themselves or use the Cloud or what's the, what's the alternative for the customer for not using Platform9? Hiring more people to kind of work on it? What's the? >> People, building that kind of PaaS experience? Something that I've been very passionate about for the past year is looking at that world of sort of GitOps and what that means. And if you go out there and you sort of start asking the question what's happening? Just generally with Kubernetes as well and GitOps in that scope, then you'll hear some people saying, well, I'm making it PaaS, because Kubernetes is too complicated for my developers and we need to give them something. There's some great material out there from the likes of Intuit and Adobe where for two big contributors to Argo and the Argo projects, they almost have, well they do have, different experiences. One is saying, we went down the PaaS route and it failed. The other one is saying, well we've built a really stable PaaS and it's working. What are they trying to do? They're trying to deliver an outcome to make it easy to use and consume Kubernetes. So you could go out there and say, hey, I'm going to build a Kubernetes cluster. Sounds like Argo CD is a great way to expose that to my developers so they can use Kubernetes without having to use Kubernetes and start automating things. That is an approach, but you're going to be going completely open source and you're going to have to bring in all the individual components, or you could just lay that, lay it down, and consume it as a service and not have to- >> And mentioned to it. They were the ones who kind of brought that into the open. >> They did. Inuit is the primary contributor to the Argo set of products. >> How has that been received in the market? I mean, they had the event at the Computer History Museum last fall. What's the momentum there? What's the big takeaway from that project? >> Growth. To me, growth. I mean go and track the stars on that one. It's just, it's growth. It's unlocking machine learning. Argo workflows can do more than just make things happen. Argo CD I think the approach they're taking is, hey let's make this simple to use, which I think can be lost. And I think credit where credit's due, they're really pushing to bring in a lot of capabilities to make it easier to work with applications and microservices on Kubernetes. It's not just that, hey, here's a GitOps tool. It can take something from a Git repo and deploy it and maybe prioritize it and help you scale your operations from that perspective. It's taking a step back and saying, well how did we get to production in the first place? And what can be done down there to help as well? I think it's growth expansion of features. They had a huge release just come out in, I think it was 2.6, that brought in things that as a product manager that I don't often look at like really deep technical things and say wow, that's powerful. But they have, they've got some great features in that release that really do solve real problems. >> And as the product, as the product person, who's the target buyer for you? Who's the customer? Who's making that? And you got decision maker, influencer, and recommender. Take us through the customer persona for you guys. >> So that Platform Ops, DevOps space, right, the people that need to be delivering Containers as a service out to their organization. But then it's also important to say, well who else are our primary users? And that's developers, engineers, right? They shouldn't have to say, oh well I have access to a Kubernetes cluster. Do I have to use kubectl or do I need to go find some other tool? No, they can just log to Platform9. It's integrated with your enterprise id. >> They're the end customer at the end of the day, they're the user. >> Yeah, yeah. They can log in. And they can see the clusters you've given them access to as a Platform Ops Administrator. >> So job well done for you guys. And your mind is the developers are moving 'em fast, coding and happy. >> Chris: Yeah, yeah. >> And and from a customer standpoint, you reduce the maintenance cost, because you keep the Ops smoother, so you got efficiency and maintenance costs kind of reduced or is that kind of the benefits? >> Yeah, yep, yeah. And at two o'clock in the morning when things go inevitably wrong, they're not there by themselves, and we're proactively working with them. >> And that's the uptime issue. >> That is the uptime issue. And Cloud doesn't solve that, right? Everyone experienced that Clouds can go down, entire regions can go offline. That's happened to all Cloud providers. And what do you do then? Kubernetes isn't your recovery plan. It's part of it, right, but it's that piece. >> You know Chris, to wrap up this interview, I will say that "theCUBE" is 12 years old now. We've been to OpenStack early days. We had you guys on when we were covering OpenStack and now Cloud has just been booming. You got AI around the corner, AI Ops, now you got all this new data infrastructure, it's just amazing Cloud growth, Cloud Native, Security Native, Cloud Native, Data Native, AI Native. It's going to be all, this is the new app environment, but there's also existing infrastructure. So going back to OpenStack, rolling our own cloud, building your own cloud, building infrastructure cloud, in a cloud way, is what the pioneers have done. I mean this is what we're at. Now we're at this scale next level, abstracted away and make it operational. It seems to be the key focus. We look at CNCF at KubeCon and what they're doing with the cloud SecurityCon, it's all about operations. >> Chris: Yep, right. >> Ops and you know, that's going to sound counterintuitive 'cause it's a developer open source environment, but you're starting to see that Ops focus in a good way. >> Chris: Yeah, yeah, yeah. >> Infrastructure as code way. >> Chris: Yep. >> What's your reaction to that? How would you summarize where we are in the industry relative to, am I getting, am I getting it right there? Is that the right view? What am I missing? What's the current state of the next level, NextGen infrastructure? >> It's a good question. When I think back to sort of late 2019, I sort of had this aha moment as I saw what really truly is delivering infrastructure as code happening at Platform9. There's an open source project Ironic, which is now also available within Kubernetes that is Metal Kubed that automates Bare Metal as code, which means you can go from an empty server, lay down your operating system, lay down Kubernetes, and you've just done everything delivered to your customer as code with a Cloud Native platform. That to me was sort of the biggest realization that I had as I was moving into this industry was, wait, it's there. This can be done. And the evolution of tooling and operations is getting to the point where that can be achieved and it's focused on by a number of different open source projects. Not just Ironic and and Metal Kubed, but that's a huge win. That is truly getting your infrastructure. >> John: That's an inflection point, really. >> Yeah. >> If you think about it, 'cause that's one of the problems. We had with the Bare Metal piece was the automation and also making it Cloud Ops, cloud operations. >> Right, yeah. I mean, one of the things that I think Ironic did really well was saying let's just treat that piece of Bare Metal like a Cloud VM or an instance. If you got a problem with it, just give the person using it or whatever's using it, a new one and reimage it. Just tell it to reimage itself and it'll just (snaps fingers) go. You can do self-service with it. In Platform9, if you log in to our SaaS Ironic, you can go and say, I want that physical server to myself, because I've got a giant workload, or let's turn it into a Kubernetes cluster. That whole thing is automated. To me that's infrastructure as code. I think one of the other important things that's happening at the same time is we're seeing GitOps, we're seeing things like Terraform. I think it's important for organizations to look at what they have and ask, am I using tools that are fit for tomorrow or am I using tools that are yesterday's tools to solve tomorrow's problems? And when especially it comes to modernizing infrastructure as code, I think that's a big piece to look at. >> Do you see Terraform as old or new? >> I see Terraform as old. It's a fantastic tool, capable of many great things and it can work with basically every single provider out there on the planet. It is able to do things. Is it best fit to run in a GitOps methodology? I don't think it is quite at that point. In fact, if you went and looked at Flux, Flux has ways that make Terraform GitOps compliant, which is absolutely fantastic. It's using two tools, the best of breeds, which is solving that tomorrow problem with tomorrow solutions. >> Is the new solutions old versus new. I like this old way, new way. I mean, Terraform is not that old and it's been around for about eight years or so, whatever. But HashiCorp is doing a great job with that. I mean, so okay with Terraform, what's the new address? Is it more complex environments? Because Terraform made sense when you had basic DevOps, but now it sounds like there's a whole another level of complexity. >> I got to say. >> New tools. >> That kind of amalgamation of that application into infrastructure. Now my app team is paying way more attention to that manifest file, which is what GitOps is trying to solve. Let's templatize things. Let's version control our manifest, be it helm, customize, or just a straight up Kubernetes manifest file, plain and boring. Let's get that version controlled. Let's make sure that we know what is there, why it was changed. Let's get some auditability and things like that. And then let's get that deployment all automated. So that's predicated on the cluster existing. Well why can't we do the same thing with the cluster, the inception problem. So even if you're in public cloud, the question is like, well what's calling that API to call that thing to happen? Where is that file living? How well can I manage that in a large team? Oh my God, something just changed. Who changed it? Where is that file? And I think that's one of big, the big pieces to be sold. >> Yeah, and you talk about Edge too and on-premises. I think one of the things I'm observing and certainly when DevOps was rocking and rolling and infrastructures code was like the real push, it was pretty much the public cloud, right? >> Chris: Yep. >> And you did Cloud Native and you had stuff on-premises. Yeah you did some lifting and shifting in the cloud, but the cool stuff was going in the public cloud and you ran DevOps. Okay, now you got on-premise cloud operation and Edge. Is that the new DevOps? I mean 'cause what you're kind of getting at with old new, old new Terraform example is an interesting point, because you're pointing out potentially that that was good DevOps back in the day or it still is. >> Chris: It is, I was going to say. >> But depending on how you define what DevOps is. So if you say, I got the new DevOps with public on-premise and Edge, that's just not all public cloud, that's essentially distributed Cloud Native. >> Correct. Is that the new DevOps in your mind or is that? How would you, or is that oversimplifying it? >> Or is that that term where everyone's saying Platform Ops, right? Has it shifted? >> Well you bring up a good point about Terraform. I mean Terraform is well proven. People love it. It's got great use cases and now there seems to be new things happening. We call things like super cloud emerging, which is multicloud and abstraction layers. So you're starting to see stuff being abstracted away for the benefits of moving to the next level, so teams don't get stuck doing the same old thing. They can move on. Like what you guys are doing with Platform9 is providing a service so that teams don't have to do it. >> Correct, yeah. >> That makes a lot of sense, So you just, now it's running and then they move on to the next thing. >> Chris: Yeah, right. >> So what is that next thing? >> I think Edge is a big part of that next thing. The propensity for someone to put up with a delay, I think it's gone. For some reason, we've all become fairly short-tempered, Short fused. You know, I click the button, it should happen now, type people. And for better or worse, hopefully it gets better and we all become a bit more patient. But how do I get more effective and efficient at delivering that to that really demanding- >> I think you bring up a great point. I mean, it's not just people are getting short-tempered. I think it's more of applications are being deployed faster, security is more exposed if they don't see things quicker. You got data now infrastructure scaling up massively. So, there's a double-edged swords to scale. >> Chris: Yeah, yeah. I mean, maintenance, downtime, uptime, security. So yeah, I think there's a tension around, and one hand enthusiasm around pushing a lot of code and new apps. But is the confidence truly there? It's interesting one little, (snaps finger) supply chain software, look at Container Security for instance. >> Yeah, yeah. It's big. I mean it was codified. >> Do you agree that people, that's kind of an issue right now. >> Yeah, and it was, I mean even the supply chain has been codified by the US federal government saying there's things we need to improve. We don't want to see software being a point of vulnerability, and software includes that whole process of getting it to a running point. >> It's funny you mentioned remote and one of the thing things that you're passionate about, certainly Edge has to be remote. You don't want to roll a truck or labor at the Edge. But I was doing a conversation with, at Rebars last year about space. It's hard to do brake fix on space. It's hard to do a, to roll a someone to configure satellite, right? Right? >> Chris: Yeah. >> So Kubernetes is in space. We're seeing a lot of Cloud Native stuff in apps, in space, so just an example. This highlights the fact that it's got to be automated. Is there a machine learning AI angle with all this ChatGPT talk going on? You see all the AI going the next level. Some pretty cool stuff and it's only, I know it's the beginning, but I've heard people using some of the new machine learning, large language models, large foundational models in areas I've never heard of. Machine learning and data centers, machine learning and configuration management, a lot of different ways. How do you see as the product person, you incorporating the AI piece into the products for Platform9? >> I think that's a lot about looking at the telemetry and the information that we get back and to use one of those like old idle terms, that continuous improvement loop to feed it back in. And I think that's really where machine learning to start with comes into effect. As we run across all these customers, our system that helps at two o'clock in the morning has that telemetry, it's got that data. We can see what's changing and what's happening. So it's writing the right algorithms, creating the right machine learning to- >> So training will work for you guys. You have enough data and the telemetry to do get that training data. >> Yeah, obviously there's a lot of investment required to get there, but that is something that ultimately that could be achieved with what we see in operating people's environments. >> Great. Chris, great to have you here in the studio. Going wide ranging conversation on Kubernetes and Platform9. I guess my final question would be how do you look at the next five years out there? Because you got to run the product management, you got to have that 20 mile steer, you got to look at the customers, you got to look at what's going on in the engineering and you got to kind of have that arc. This is the right path kind of view. What's the five year arc look like for you guys? How do you see this playing out? 'Cause KubeCon is coming up and we're you seeing Kubernetes kind of break away with security? They had, they didn't call it KubeCon Security, they call it CloudNativeSecurityCon, they just had in Seattle inaugural events seemed to go well. So security is kind of breaking out and you got Kubernetes. It's getting bigger. Certainly not going away, but what's your five year arc of of how Platform9 and Kubernetes and Ops evolve? >> It's to stay on that theme, it's focusing on what is most important to our users and getting them to a point where they can just consume it, so they're not having to operate it. So it's finding those big items and bringing that into our platform. It's something that's consumable, that's just taken care of, that's tested with each release. So it's simplifying operations more and more. We've always said freedom in cloud computing. Well we started on, we started on OpenStack and made that simple. Stable, easy, you just have it, it works. We're doing that with Kubernetes. We're expanding out that user, right, we're saying bring your developers in, they can download their Kube conflict. They can see those Containers that are running there. They can access the events, the log files. They can log in and build a VM using KubeVirt. They're self servicing. So it's alleviating pressures off of the Ops team, removing the help desk systems that people still seem to rely on. So it's like what comes into that field that is the next biggest issue? Is it things like CI/CD? Is it simplifying GitOps? Is it bringing in security capabilities to talk to that? Or is that a piece that is a best of breed? Is there a reason that it's been spun out to its own conference? Is this something that deserves a focus that should be a specialized capability instead of tooling and vendors that we work with, that we partner with, that could be brought in as a service. I think it's looking at those trends and making sure that what we bring in has the biggest impact to our users. >> That's awesome. Thanks for coming in. I'll give you the last word. Put a plug in for Platform9 for the people who are watching. What should they know about Platform9 that they might not know about it or what should? When should they call you guys and when should they engage? Take a take a minute to give the plug. >> The plug. I think it's, if your operations team is focused on building Kubernetes, stop. That shouldn't be the cloud. That shouldn't be in the Edge, that shouldn't be at the data center. They should be consuming it. If your engineering teams are all trying different ways and doing different things to use and consume Cloud Native services and Kubernetes, they shouldn't be. You want consistency. That's how you get economies of scale. Provide them with a simple platform that's integrated with all of your enterprise identity where they can just start consuming instead of having to solve these problems themselves. It's those, it's those two personas, right? Where the problems manifest. What are my operations teams doing, and are they delivering to my company or are they building infrastructure again? And are my engineers sprinting or crawling? 'Cause if they're not sprinting, you should be asked the question, do I have the right Cloud Native tooling in my environment and how can I get them back? >> I think it's developer productivity, uptime, security are the tell signs. You get that done. That's the goal of what you guys are doing, your mission. >> Chris: Yep. >> Great to have you on, Chris. Thanks for coming on. Appreciate it. >> Chris: Thanks very much. 0 Okay, this is "theCUBE" here, finding the right path to Cloud Native. I'm John Furrier, host of "theCUBE." Thanks for watching. (upbeat music)

(light music) >> Hi everybody. Welcome to this Cube Conversation. I'm really pleased to announce a collaboration with Rob Strechay. He's a guest cube analyst, and we'll be working together to extract the signal from the noise. Rob is a long-time product pro, working at a number of firms including AWS, HP, HPE, NetApp, Snowplow. I did a stint as an analyst at Enterprise Strategy Group. Rob, good to see you. Thanks for coming into our Marlboro Studios. >> Well, thank you for having me. It's always great to be here. >> I'm really excited about working with you. We've known each other for a long time. You've been in the Cube a bunch. You know, you're in between gigs, and I think we can have a lot of fun together. Covering events, covering trends. So. let's get into it. What's happening out there? We're sort of exited the isolation economy. Things were booming. Now, everybody's tapping the brakes. From your standpoint, what are you seeing out there? >> Yeah. I'm seeing that people are really looking how to get more out of their data. How they're bringing things together, how they're looking at the costs of Cloud, and understanding how are they building out their SaaS applications. And understanding that when they go in and actually start to use Cloud, it's not only just using the base services anymore. They're looking at, how do I use these platforms as a service? Some are easier than others, and they're trying to understand, how do I get more value out of that relationship with the Cloud? They're also consolidating the number of Clouds that they have, I would say to try to better optimize their spend, and getting better pricing for that matter. >> Are you seeing people unhook Clouds, or just reduce maybe certain Cloud activities and going maybe instead of 60/40 going 90/10? >> Correct. It's more like the 90/10 type of rule where they're starting to say, Hey I'm not going to get rid of Azure or AWS or Google. I'm going to move a portion of this over that I was using on this one service. Maybe I got a great two-year contract to start with on this platform as a service or a database as a service. I'm going to unhook from that and maybe go with an independent. Maybe with something like a Snowflake or a Databricks on top of another Cloud, so that I can consolidate down. But it also gives them more flexibility as well. >> In our last breaking analysis, Rob, we identified six factors that were reducing Cloud consumption. There were factors and customer tactics. And I want to get your take on this. So, some of the factors really, you got fewer mortgage originations. FinTech, obviously big Cloud user. Crypto, not as much activity there. Lower ad spending means less Cloud. And then one of 'em, which you kind of disagreed with was less, less analytics, you know, fewer... Less frequency of calculations. I'll come back to that. But then optimizing compute using Graviton or AMD instances moving to cheaper storage tiers. That of course makes sense. And then optimize pricing plans. Maybe going from On Demand, you know, to, you know, instead of pay by the drink, buy in volume. Okay. So, first of all, do those make sense to you with the exception? We'll come back and talk about the analytics piece. Is that what you're seeing from customers? >> Yeah, I think so. I think that was pretty much dead on with what I'm seeing from customers and the ones that I go out and talk to. A lot of times they're trying to really monetize their, you know, understand how their business utilizes these Clouds. And, where their spend is going in those Clouds. Can they use, you know, lower tiers of storage? Do they really need the best processors? Do they need to be using Intel or can they get away with AMD or Graviton 2 or 3? Or do they need to move in? And, I think when you look at all of these Clouds, they always have pricing curves that are arcs from the newest to the oldest stuff. And you can play games with that. And understanding how you can actually lower your costs by looking at maybe some of the older generation. Maybe your application was written 10 years ago. You don't necessarily have to be on the best, newest processor for that application per se. >> So last, I want to come back to this whole analytics piece. Last June, I think it was June, Dev Ittycheria, who's the-- I call him Dev. Spelled Dev, pronounced Dave. (chuckles softly) Same pronunciation, different spelling. Dev Ittycheria, CEO of Mongo, on the earnings call. He was getting, you know, hit. Things were starting to get a little less visible in terms of, you know, the outlook. And people were pushing him like... Because you're in the Cloud, is it easier to dial down? And he said, because we're the document database, we support transaction applications. We're less discretionary than say, analytics. Well on the Snowflake earnings call, that same month or the month after, they were all over Slootman and Scarpelli. Oh, the Mongo CEO said that they're less discretionary than analytics. And Snowflake was an interesting comment. They basically said, look, we're the Cloud. You can dial it up, you can dial it down, but the area under the curve over a period of time is going to be the same, because they get their customers to commit. What do you say? You disagreed with the notion that people are running their calculations less frequently. Is that because they're trying to do a better job of targeting customers in near real time? What are you seeing out there? >> Yeah, I think they're moving away from using people and more expensive marketing. Or, they're trying to figure out what's my Google ad spend, what's my Meta ad spend? And what they're trying to do is optimize that spend. So, what is the return on advertising, or the ROAS as they would say. And what they're looking to do is understand, okay, I have to collect these analytics that better understand where are these people coming from? How do they get to my site, to my store, to my whatever? And when they're using it, how do they they better move through that? What you're also seeing is that analytics is not only just for kind of the retail or financial services or things like that, but then they're also, you know, using that to make offers in those categories. When you move back to more, you know, take other companies that are building products and SaaS delivered products. They may actually go and use this analytics for making the product better. And one of the big reasons for that is maybe they're dialing back how many product managers they have. And they're looking to be more data driven about how they actually go and build the product out or enhance the product. So maybe they're, you know, an online video service and they want to understand why people are either using or not using the whiteboard inside the product. And they're collecting a lot of that product analytics in a big way so that they can go through that. And they're doing it in a constant manner. This first party type tracking within applications is growing rapidly by customers. >> So, let's talk about who wins in that. So, obviously the Cloud guys, AWS, Google and Azure. I want to come back and unpack that a little bit. Databricks and Snowflake, we reported on our last breaking analysis, it kind of on a collision course. You know, a couple years ago we were thinking, okay, AWS, Snowflake and Databricks, like perfect sandwich. And then of course they started to become more competitive. My sense is they still, you know, compliment each other in the field, right? But, you know, publicly, they've got bigger aspirations, they get big TAMs that they're going after. But it's interesting, the data shows that-- So, Snowflake was off the charts in terms of spending momentum and our EPR surveys. Our partner down in New York, they kind of came into line. They're both growing in terms of market presence. Databricks couldn't get to IPO. So, we don't have as much, you know, visibility on their financials. You know, Snowflake obviously highly transparent cause they're a public company. And then you got AWS, Google and Azure. And it seems like AWS appears to be more partner friendly. Microsoft, you know, depends on what market you're in. And Google wants to sell BigQuery. >> Yeah. >> So, what are you seeing in the public Cloud from a data platform perspective? >> Yeah. I think that was pretty astute in what you were talking about there, because I think of the three, Google is definitely I think a little bit behind in how they go to market with their partners. Azure's done a fantastic job of partnering with these companies to understand and even though they may have Synapse as their go-to and where they want people to go to do AI and ML. What they're looking at is, Hey, we're going to also be friendly with Snowflake. We're also going to be friendly with a Databricks. And I think that, Amazon has always been there because that's where the market has been for these developers. So, many, like Databricks' and the Snowflake's have gone there first because, you know, Databricks' case, they built out on top of S3 first. And going and using somebody's object layer other than AWS, was not as simple as you would think it would be. Moving between those. >> So, one of the financial meetups I said meetup, but the... It was either the CEO or the CFO. It was either Slootman or Scarpelli talking at, I don't know, Merrill Lynch or one of the other financial conferences said, I think it was probably their Q3 call. Snowflake said 80% of our business goes through Amazon. And he said to this audience, the next day we got a call from Microsoft. Hey, we got to do more. And, we know just from reading the financial statements that Snowflake is getting concessions from Amazon, they're buying in volume, they're renegotiating their contracts. Amazon gets it. You know, lower the price, people buy more. Long term, we're all going to make more money. Microsoft obviously wants to get into that game with Snowflake. They understand the momentum. They said Google, not so much. And I've had customers tell me that they wanted to use Google's AI with Snowflake, but they can't, they got to go to to BigQuery. So, honestly, I haven't like vetted that so. But, I think it's true. But nonetheless, it seems like Google's a little less friendly with the data platform providers. What do you think? >> Yeah, I would say so. I think this is a place that Google looks and wants to own. Is that now, are they doing the right things long term? I mean again, you know, you look at Google Analytics being you know, basically outlawed in five countries in the EU because of GDPR concerns, and compliance and governance of data. And I think people are looking at Google and BigQuery in general and saying, is it the best place for me to go? Is it going to be in the right places where I need it? Still, it's still one of the largest used databases out there just because it underpins a number of the Google services. So you almost get, like you were saying, forced into BigQuery sometimes, if you want to use the tech on top. >> You do strategy. >> Yeah. >> Right? You do strategy, you do messaging. Is it the right call by Google? I mean, it's not a-- I criticize Google sometimes. But, I'm not sure it's the wrong call to say, Hey, this is our ace in the hole. >> Yeah. >> We got to get people into BigQuery. Cause, first of all, BigQuery is a solid product. I mean it's Cloud native and it's, you know, by all, it gets high marks. So, why give the competition an advantage? Let's try to force people essentially into what is we think a great product and it is a great product. The flip side of that is, they're giving up some potential partner TAM and not treating the ecosystem as well as one of their major competitors. What do you do if you're in that position? >> Yeah, I think that that's a fantastic question. And the question I pose back to the companies I've worked with and worked for is, are you really looking to have vendor lock-in as your key differentiator to your service? And I think when you start to look at these companies that are moving away from BigQuery, moving to even, Databricks on top of GCS in Google, they're looking to say, okay, I can go there if I have to evacuate from GCP and go to another Cloud, I can stay on Databricks as a platform, for instance. So I think it's, people are looking at what platform as a service, database as a service they go and use. Because from a strategic perspective, they don't want that vendor locking. >> That's where Supercloud becomes interesting, right? Because, if I can run on Snowflake or Databricks, you know, across Clouds. Even Oracle, you know, they're getting into business with Microsoft. Let's talk about some of the Cloud players. So, the big three have reported. >> Right. >> We saw AWSs Cloud growth decelerated down to 20%, which is I think the lowest growth rate since they started to disclose public numbers. And they said they exited, sorry, they said January they grew at 15%. >> Yeah. >> Year on year. Now, they had some pretty tough compares. But nonetheless, 15%, wow. Azure, kind of mid thirties, and then Google, we had kind of low thirties. But, well behind in terms of size. And Google's losing probably almost $3 billion annually. But, that's not necessarily a bad thing by advocating and investing. What's happening with the Cloud? Is AWS just running into the law, large numbers? Do you think we can actually see a re-acceleration like we have in the past with AWS Cloud? Azure, we predicted is going to be 75% of AWS IAS revenues. You know, we try to estimate IAS. >> Yeah. >> Even though they don't share that with us. That's a huge milestone. You'd think-- There's some people who have, I think, Bob Evans predicted a while ago that Microsoft would surpass AWS in terms of size. You know, what do you think? >> Yeah, I think that Azure's going to keep to-- Keep growing at a pretty good clip. I think that for Azure, they still have really great account control, even though people like to hate Microsoft. The Microsoft sellers that are out there making those companies successful day after day have really done a good job of being in those accounts and helping people. I was recently over in the UK. And the UK market between AWS and Azure is pretty amazing, how much Azure there is. And it's growing within Europe in general. In the states, it's, you know, I think it's growing well. I think it's still growing, probably not as fast as it is outside the U.S. But, you go down to someplace like Australia, it's also Azure. You hear about Azure all the time. >> Why? Is that just because of the Microsoft's software state? It's just so convenient. >> I think it has to do with, you know, and you can go with the reasoning they don't break out, you know, Office 365 and all of that out of their numbers is because they have-- They're in all of these accounts because the office suite is so pervasive in there. So, they always have reasons to go back in and, oh by the way, you're on these old SQL licenses. Let us move you up here and we'll be able to-- We'll support you on the old version, you know, with security and all of these things. And be able to move you forward. So, they have a lot of, I guess you could say, levers to stay in those accounts and be interesting. At least as part of the Cloud estate. I think Amazon, you know, is hitting, you know, the large number. Laws of large numbers. But I think that they're also going through, and I think this was seen in the layoffs that they were making, that they're looking to understand and have profitability in more of those services that they have. You know, over 350 odd services that they have. And you know, as somebody who went there and helped to start yet a new one, while I was there. And finally, it went to beta back in September, you start to look at the fact that, that number of services, people, their own sellers don't even know all of their services. It's impossible to comprehend and sell that many things. So, I think what they're going through is really looking to rationalize a lot of what they're doing from a services perspective going forward. They're looking to focus on more profitable services and bringing those in. Because right now it's built like a layer cake where you have, you know, S3 EBS and EC2 on the bottom of the layer cake. And then maybe you have, you're using IAM, the authorization and authentication in there and you have all these different services. And then they call it EMR on top. And so, EMR has to pay for that entire layer cake just to go and compete against somebody like Mongo or something like that. So, you start to unwind the costs of that. Whereas Azure, went and they build basically ground up services for the most part. And Google kind of falls somewhere in between in how they build their-- They're a sort of layer cake type effect, but not as many layers I guess you could say. >> I feel like, you know, Amazon's trying to be a platform for the ecosystem. Yes, they have their own products and they're going to sell. And that's going to drive their profitability cause they don't have to split the pie. But, they're taking a piece of-- They're spinning the meter, as Ziyas Caravalo likes to say on every time Snowflake or Databricks or Mongo or Atlas is, you know, running on their system. They take a piece of the action. Now, Microsoft does that as well. But, you look at Microsoft and security, head-to-head competitors, for example, with a CrowdStrike or an Okta in identity. Whereas, it seems like at least for now, AWS is a more friendly place for the ecosystem. At the same time, you do a lot of business in Microsoft. >> Yeah. And I think that a lot of companies have always feared that Amazon would just throw, you know, bodies at it. And I think that people have come to the realization that a two pizza team, as Amazon would call it, is eight people. I think that's, you know, two slices per person. I'm a little bit fat, so I don't know if that's enough. But, you start to look at it and go, okay, if they're going to start out with eight engineers, if I'm a startup and they're part of my ecosystem, do I really fear them or should I really embrace them and try to partner closer with them? And I think the smart people and the smart companies are partnering with them because they're realizing, Amazon, unless they can see it to, you know, a hundred million, $500 million market, they're not going to throw eight to 16 people at a problem. I think when, you know, you could say, you could look at the elastic with OpenSearch and what they did there. And the licensing terms and the battle they went through. But they knew that Elastic had a huge market. Also, you had a number of ecosystem companies building on top of now OpenSearch, that are now domain on top of Amazon as well. So, I think Amazon's being pretty strategic in how they're doing it. I think some of the-- It'll be interesting. I think this year is a payout year for the cuts that they're making to some of the services internally to kind of, you know, how do we take the fat off some of those services that-- You know, you look at Alexa. I don't know how much revenue Alexa really generates for them. But it's a means to an end for a number of different other services and partners. >> What do you make of this ChatGPT? I mean, Microsoft obviously is playing that card. You want to, you want ChatGPT in the Cloud, come to Azure. Seems like AWS has to respond. And we know Google is, you know, sharpening its knives to come up with its response. >> Yeah, I mean Google just went and talked about Bard for the first time this week and they're in private preview or I guess they call it beta, but. Right at the moment to select, select AI users, which I have no idea what that means. But that's a very interesting way that they're marketing it out there. But, I think that Amazon will have to respond. I think they'll be more measured than say, what Google's doing with Bard and just throwing it out there to, hey, we're going into beta now. I think they'll look at it and see where do we go and how do we actually integrate this in? Because they do have a lot of components of AI and ML underneath the hood that other services use. And I think that, you know, they've learned from that. And I think that they've already done a good job. Especially for media and entertainment when you start to look at some of the ways that they use it for helping do graphics and helping to do drones. I think part of their buy of iRobot was the fact that iRobot was a big user of RoboMaker, which is using different models to train those robots to go around objects and things like that, so. >> Quick touch on Kubernetes, the whole DevOps World we just covered. The Cloud Native Foundation Security, CNCF. The security conference up in Seattle last week. First time they spun that out kind of like reinforced, you know, AWS spins out, reinforced from reinvent. Amsterdam's coming up soon, the CubeCon. What should we expect? What's hot in Cubeland? >> Yeah, I think, you know, Kubes, you're going to be looking at how OpenShift keeps growing and I think to that respect you get to see the momentum with people like Red Hat. You see others coming up and realizing how OpenShift has gone to market as being, like you were saying, partnering with those Clouds and really making it simple. I think the simplicity and the manageability of Kubernetes is going to be at the forefront. I think a lot of the investment is still going into, how do I bring observability and DevOps and AIOps and MLOps all together. And I think that's going to be a big place where people are going to be looking to see what comes out of CubeCon in Amsterdam. I think it's that manageability ease of use. >> Well Rob, I look forward to working with you on behalf of the whole Cube team. We're going to do more of these and go out to some shows extract the signal from the noise. Really appreciate you coming into our studio. >> Well, thank you for having me on. Really appreciate it. >> You're really welcome. All right, keep it right there, or thanks for watching. This is Dave Vellante for the Cube. And we'll see you next time. (light music)

(rousing music) >> Hello everyone. Welcome back to "theCUBE's" day one coverage of Cloud Native Security Con 23. This is going to be an exciting panel. I've got three great guests. I'm Lisa Martin, you know our esteemed analysts, John Furrier, and Dave Vellante well. And we're excited to welcome to "theCUBE" for the first time, Yves Sandfort, the CEO of Comdivision Group, who's coming to us from Germany. As you know, Cloud Native Security Con is a global event. Everyone welcome Yves, great to have you in particular. Welcome to "theCUBE." >> Great to be here. >> Thank you for inviting me. >> Yves, tell us a little bit, before we dig into really wanting to understand your perspectives on the event and get Dave and John's feedback as well, tell us a little bit about you. >> So yeah, talking about me, or talking about Comdivision real quick. We are in the business for over 27 years already. We started as a SaaS company, then became more like an architecture and, and Cloud Native company over the last few years. But what's interesting is, and I think that's, that's, that's really interesting when we look at our industry. It hasn't really, the requirements haven't really changed over the years. It's still security. We still have to figure out how we deal with security. We still have to figure out how we deal with compliance and everything else. And I think therefore, it's more and more important that we take these items more seriously. Also, based on the fact that when we look at it, how development and other things happen nowadays, it's, it's, everybody says it's like open source. It's great because everybody can look into the code. We, I think the last few years have shown us enough example that that's not necessarily solving all the issues, but it's also code and development has changed rapidly when we look at the Cloud Native approach, where it's far more about gluing the pieces together, versus the development pieces. When I was actually doing software development 25 years ago, and had to basically build my code because I didn't have that much internet access for it. So it has evolved, but even back then we had to deal with security and everything. >> Right. The focus on security is, is incredibly important, and the focus keeps growing as you mentioned. This is, guys, and I want to get your perspectives on this. We're going to start with John. This is the first time Cloud Native Security Con is its own event being extracted from, and amplified from KubeCon. John, I want to understand from your perspective, break down the event, what you see, what you've heard, and Cloud Native Security in general. What does this mean to companies? What does it mean to customers? Is this a reality? >> Well, I think that's the topic we want to discuss, and I think Yves background, you see the VMware certification, I love that. Because what VMware did with virtualization, was abstract that from server virtualization, kind of really changed the game on things, and you start to see Cloud Native kind of go that next level of how companies will be operating their business, not just digital transformation, as digital transformation goes to completion, it's total business transformation where IT is everywhere. And so you're starting to see the trends where, "Okay, that's happening." Now you're starting to see, that's Cloud Native Con, or KubeCon, AWS re:Invent, or whatever show, or whatever way you want to look at it. But in, in the past decade, past five years, security has always been front and center as almost a separate thing, and, in and of itself, but the same thing. So you're starting to see the breakout of security conversations around how to make things work. So a lot of operational conversations around what used to be DevOps makes infrastructure as code, and that was great, that fueled that. Then DevSecOps came. So the Cloud Native next level, is more application development at scale, developers driving the standards with developer first thinking, shifting left, I get all that. But down in the lower ends of the stack, you got real operational issues. DNS we've heard in the keynote, we heard about the Colonel, the Lennox Colonel. Things that need to be managed and taken care of at a security level. These are like, seem like in the weeds, but you're starting to see that happen. And the other thing that I think's real about Cloud Native Security Con that's going to be interesting to watch, is Amazon has pretty much canceled all their re:Invent like shows except for two; Re:Invent, which is their annual conference, and Re:Inforce, which is dedicated to securities. So Cloud Native, Linux, the Linux Foundation has now breaking out Cloud Native Con and KubeCon, and now Cloud Native Security Con. They can't call it KubeCon because it's not Kubernetes, but it's like security focus. I think this is the beginning of starting to see this new developer driving, developers driving the standards, and it has it implications, what used to be called IT ops, and that's like the VMwares of the world. You saw all the stuff that was not at developer focus, but more ops, becoming much more in the application. So I think, I think it's real. The question is where does it go? How fast does it develop? So to me, I think it's a real trend, and it's worthy of a breakout, but it's not yet clear of where the landing zone is for people to start doing it, how they get started, what are the best practices. Machine learning's going to be a big part of this. So to me it's totally cool, but I'm not yet seeing the beachhead. So that's kind of my take. >> Dave, our inventor and host of breaking analysis, what's your take? >> So when you, I think when you zoom out, there's some, there's a big macro change that's been going on. I think when you look back, let's say 10, 12 years ago, the, the need for speed far trumped the, the, the security aspect, the governance, the data privacy. It was like, "Yeah, the risks, they're not that great compared to our opportunity." That has completely changed because the risks are now so much higher. And so what's happening, I think there's a, there's a major effort amongst CIOs and CISOs to try to make security not a blocker because it use to be, it still is. "Okay, I got this great initiative." Eh, give it to the SecOps pros, and let them take it for a while before we can go to market. And so a huge challenge now is to simplify, automate, AI comes in, the whole supply chain security, so the, so the companies can not be facing so much friction. And that is non-trivial. I don't think we're anywhere close there, but I think the goal is by, within the next several years, we're going to be in a position, that security, we heard today, is, wasn't designed in to the initial internet protocols. It was bolted on. And so increasingly, the fundamental architecture of the internet, the Cloud, et cetera, is, is seeing designed in security, and, and that is an imperative, or else business is going to come to a grinding halt. >> Right. It's no longer, the bolt no longer works. Yves, what's your perspective on Cloud Native Security, where it stands today? What's in it for customers, whether we're talking about banks, or hospitals, or retailers, what do you think? >> I think when we, when we look at security in the, in the modern world, is we need to as, as Dave mentioned, we need to rethink how we apply it. Very often, security in the past has been always bolted on in the end. If we continue to do that, it'll become more and more difficult, because as companies evolve, and as companies want to bring products and software to market in a much faster and faster way, it's getting more and more difficult if we bolt on the security process at the end. It's like, developers build something and then someone checks security. That's not going to work any longer. Especially if we also consider now the changes in the industry. We had Stack Overflow over the last 10 years. If I would've had Stack Overflow 15, 20, what, 25 years ago when I was a developer, it would've changed a hell lot. Looking at it now, and looking at it what we had in the last few weeks, it's like where nearly all of my team members say is like finally I don't need any script kiddies anymore because I can't go to (indistinct) who writes the code for me. Which is on one end great, because it enables us to solve certain problems in a much higher pace. But the challenge with that is, if the people who just copy and past that code, don't understand the implications of that code, we have a much higher risk continuously. And what people thought was, is challenging with Stack Overflow. Imagine that something in one of these AI engines, is actually going ballistic, and it creates holes in nearly every one of these applications. And trust me, there will be enough developers who are going to use these tools to develop codes, the same as students in university are going to take this to write their essays and everything else. And so it's really important that every developer team basically has a security person within their team, and not a security at the end. So we build something, we check it, go through QA, and then it goes to security. Security needs to be at the forefront. And I think that's where we see Cloud Native Security Con, where we see AWS. I saw it during re:Invent already where they said is like, we have reinforced next year. I think this becomes more and more of a topic, and I think companies, as much as it is become a norm that you have a firewall and everything else, it needs to become a norm that when you are doing software development, and every development team needs to have a security person on that needs to be trained. >> I love that chat comment Dave, 'cause you and I were talking about this. And I think that is going to be the issue. Do we need security chat for the chat bot? And there's like a, like a recursive model there. The biases are built in. I think, and I think our interview with the Palo Alto Network's co-founder, Dave, when he talked about zero trust as a structured way to start things, but he was referencing that with Cloud, there's a chance to rethink or do a do-over in security. So, I think this is kind of to me, where this is all going. And I think you asked Pat Gelsinger what, year 2013, 2014, can, is security a do over? I think we're in that do over time. >> He said yes. >> He said yes. (laughing) He was right. But yeah, eight years later... But this is, how do you, zero trust gives you some structure, but how do you organize and redo security? Because to me, I think that's what's happening here. >> And John you heard, Zuk at Palo Alto Network said, "Yeah, the, the words security and architecture, they don't go together historically." And so it is a total, total retake. >> Well is that because there's too many tools out there and- >> Yeah. For sure. >> Yeah, well, first of all, a lot of hardware. And then yeah, a lot of tools. You even see IIOT and industry 40, you see IOT security coming up as another stove pipe, and that's not the right approach. And, and so- >> Well let me, let me ask you a question Dave, and Yves, if you don't mind. 'Cause I was just riffing on this yesterday about this. In the ML space, you're seeing the ML models, you're seeing proprietary models versus open source. Is security going to go down this proprietary security methods and open source? Because that's interesting, because the CNCF is run by the the Linux Foundation. So you can almost maybe see a model where there's more proprietary security methods than open source. Or is it, is that a non-issue? >> I would, I would, let me, if I, if I jump in here first, I think the last, especially last five or 10 years have clearly shown the, the whole and, and I invested early on in the, in the end 90s in several open source startups in the Bay area. So, I'm well behind the whole open source idea and, and mid (indistinct) and others back then several times. But the point is, I think what we have seen is open source is not in general, more secure or less secure, because code is too complex nowadays. You have millions of lines of code, and it's not that either one way or the other is going to solve it. The ways I think we are going to look at it is more is what's the role to market, because only because something is open source doesn't necessarily mean it's going to be available for everyone. And the same for proprietary source from that perspective, even though everybody mixes licensing and payments and all that all the time, but it doesn't necessarily have anything to do with it. But I think as we are going through it, and when we also look at the industry, security industry over the last 10 plus years has been primarily hardware focused. And a lot of these vendors have done a good business out of selling hardware boxes, putting software on top of it. Whereas in reality, those were still X86 standard boxes in the end. So it was not that we had specific security ethics or anything like that in there anymore. And so overall, the question of the market is going to change. And as we are looking into Cloud Native, think about someone like an AWS, do you really envision them to have a hardware box of every supplier in their data center, and that in every availability zone in every region? Same for Microsoft, same for Google, etc? So we need to have new ways on how we can apply security. And that applies both on the backend services, but also on the front end side. >> And if I, and if I could chime in, I think the, the good, I think the answer is, is, is no and yes. And what I mean by that is if you take, antivirus and known malware, I mean pretty much anybody today can, can solve that problem, it's the unknown malware. So I think the yes part of the answer is yes, it's, it's going to be proprietary, but in the sense we're going to use open source tooling, and then apply that in a proprietary way with, with specific algorithms and unique architectures that are going to solve problems. For example, XDR with, with unknown malware. So, and that's the, that's the hard part. As somebody said, I think this morning at the keynote, it's, it's all the stuff that, that the SecOps team couldn't find. That's the really hard part. >> (laughs) Well the question will be will, is the new IP, the ability to feed ChatGPT some magical spelled insertion query string that does the job, that's unique, that might be the new IP, the the question to ask. >> Well, that's what the hackers are going to do. And I, they're on offense. (John laughs) And the offense knows what play is coming. So, they're going to start. >> So guys, let's take this conversation up a level. I want to get your perspectives on what's in this for me as a customer? We know security is a board level conversation. We talk about this all the time. We also know that they're based on, I think David, was the conversations that you and I had, with Palo Alto Networks at Ignite in December. There's a, there's a lack of alignment between the executives and the board from a security perspective. When we talk about Cloud Native Security, we all talked about the value in that, what's in it for customers? I want to get your perspectives on should this be a board level conversation, and if so, how do you advise organizations, whether it is a hospital, or a bank, or an organization that is really affected by things like ransomware? How should they be thinking about this from an organizational perspective? >> Well, I'll start first, because we had this conversation during our Super Cloud event last month, and this comes up a lot. And this is, the CEO board level. Yes it is a board level conversation for security, as is application development as in terms of transforming their business to be competitive, not to be on the wrong side of history with this wave coming. So I think that's more of a management. But the issue is, they tell their people, "Go do it." And they're like, 'cause they get sold on the idea of, "Hey, won't you transform your business, and everything's going to be data driven, and machine learning's going to power your apps, get new customers, be profitable." "Oh, sign me up for that." When you have to implement this, it's really hard. And I think the core issue is, where are companies in their life cycle of the ability to execute and architect this thing properly as Dave said, Nick Zuk said, "You can't have architecture and security, you need platforms." So, I think the re-platforming, and the re-factoring of business is a big factor, and that's got to get down into the, the organizational shifts and the people to do it. So are there skills? Do I do a managed service? How do I architect it? Are there more services? Are there developers doing applications that are going to be more agile? So, this is not an easy thing. And to move a business from IT operations that is proven, to be positioned for this enablement, is just really difficult. And it's expensive. And if you screw it up, you could be, could be on the wrong side of things. So, to me, that's the big issue is, you sell the dream and then you got to implement it. And that's really difficult. >> Yves, give us your perspective on, based on John's comments, how do organizations shift so dramatically? There's a cultural element there as well, but there's also organizations that are, have competitive competitors in the rear view mirror, and there's time to waste. What are your thoughts on that? >> I think that's exactly the point. It's like, as an organization, you need to take the decision between the time, the risk, and all the other elements we have into this game. Because you can try to achieve 100% security, but that's exactly the same as trying to, to protect gold or anything else 100%. It's most likely not going to be from a risk perspective anyway sensible. And that's the same from a corporational perspective. When you look at building new internet services, or IOT services, or any kind of new shopping experience or whatever else, you need to balance out between the risks and the advantages out of it. And you also need to be accepting that you potentially on the way make mistakes, but then it's more important than ever that you are able to quickly fix any mistakes, and to adjust to anything what's happening in the market. Because as we are building all these new Cloud Native applications, and build up all these skill sets, one of the big scenarios is we are far more depending on individual building blocks. These building blocks come out of open source communities, which have a much different way. When we look back in software development, back then we had application servers from Oracle, Web Logic, whatsoever, they had a release cycles of every three to six months. As now we have to deal with open source, where sometimes release cycles are on a four week schedule, in between security patches. So you need to be much faster in adopting that, checking that, implementing that, getting things to work. So there is a security stretch from that perspective. There is a speech stretch on the other thing companies have to deal with, and on the other side it's always a measurement between the risk, and the security you can afford. Because reality is, you will not be 100% protected no matter what you do. So, you need to balance out what you as an organization can actually build on. But I think, coming back also to the point, it's on the bot level nowadays. It's like nearly every discussion we have with companies nowadays as they move into the Cloud, especially also here in Europe where for the last five years, it was always, it's like "It's data privacy." Data privacy is no longer, I mean, yes, for certain people, it's still the point, but for many more people it's like, "How protected is my data?" "What do we do in case of ransomware attack?" "What do we do in case of a denial of service?" All of these things become more vulnerable, where in the past you were discussing these things with a becking page, or, or like a stock exchange. They were, it's like, "What the hell is going to happen if we have a denial of service?" Now all of the sudden, this now affects nearly everyone in their storefronts and everything else, because everything is depending on it. >> Yeah, I think you're right on. You think about how cultural change occurs, it's bottom ups or, bottom up, top down or middle out. And what, what's happened with security is the people in the security team cared about it, they were the, everybody said, "Oh, it's their problem." And then it just did an end run to the board, kind of mid, early last decade. And then the board sort of pushed that down. And the line of business is realizing, "Holy cow. My business, my EBIT can be dramatically affected by this, so I care." Now it's this whole house, cultural team sport. I know it's sort of a, a cliche, but it, it's true. Everybody actually is beginning to care about security because the risks are now so high, and it's going to affect not only the bottom line of the company, the bottom line of the business, their job, it's, it's, it's virtually everywhere. It's a huge cultural shift that we're seeing. >> And that's a big challenge for organizations in any industry. And Yves, you talked about ransomware service. Every industry across the globe is vulnerable to this. But how can, maybe John, we'll start with you. How can Cloud Native Security help organizations if they're able to embrace it, operationally, culturally, dial down some of the vulnerabilities that just seem to keep growing? >> Well, I mean that's the big question. The breaches are, are critical. The governances also could be a way that anchors down growth. So I think the balance between the governance compliance piece of it is key, but making the developers faster and more productive is the key to me. And I think having the security paradigm where they're not blockers, as Dave said, is critical. So I love the whole shift left, but now that we have more data focused initiatives around how that, you can use data to understand the security issues, I think data and security are together, and I think there's a going to be a data operating system model emerging, where data and security will be almost one thing. And that will be set up by the security teams, and the data teams together. And that will feed guardrails into the developer environment. So the developer should feel no pain at all in doing this. So I think the best practice will end up being what we're seeing with supply chain, security, with making sure code's verified. And you're going to see the container, security side completely address has been, and KubeCon, we just, I asked Scott Johnson, the CEO of Docker, and I asked him directly, "Are you guys all tight on container security?" He said, yes, but other people are suggesting that's not true. There's a lot of issues with the container security. So, there's all kinds of areas where there's holes. So Cloud Native is cool on one hand, and very relevant, but if it's not shored up, it's going to be a problem. But I, so I think that's where the action will be, at the developer pipeline, in the containers, and the data. So, that will be very relevant, and if companies nail that, they'll be faster, they'll have better apps, and that'll be the differentiator. And again, if they don't on this next wave, they're going to be driftwood. >> Dave, how do they prevent becoming driftwood? >> Well, I think Cloud has had a huge impact. And a Cloud's by no means a panacea, but let's face it, it's dramatically improved a lot of companies security posture. Now there's still that shared responsibility. Even though an S3 bucket is encrypted, it's still your responsibility to make sure that it doesn't get decrypted by somebody who has access to it. So there are things like that, but to Yve's earlier point, that can be, that's done through software now, it's done through best practices. Those best practices can be shared. So the way you, you don't become driftwood, is you start to, you step back, rethink that security architecture as we were talking about earlier, take advantage of the Cloud, take advantage of Cloud Native, and all the, the rapid pace of innovation that's occurring there, and you don't use, it's called before, The audit is the last line of defense. That's no longer a check box item. "Oh yeah, we're in compliance." It's, this is a business imperative, and because we're going to reduce our expected loss and reduce our business risk. That's part of the business case today. >> Yeah. >> It's a huge, critically important part of the business case. Yves, question for you. If you're in an elevator with a CEO, a CFO, and a CISO, and they're talking about security and Cloud Native Security, what's your value proposition to them on a, on a say a 32nd elevator ride? >> Difficult story. I think at the moment, the most important part is, we need to get people to work together, and we need to train people to work more much better together. I think that's the overall most important part for all of these solutions, because in the end, security is always a person issue. If, we can have the best tools in the industry, as long as we don't get all of these teams to work together, then we have a problem. If the security team is always seen as the end of the solution to fix everything, that's not going to work because they always are the bad guys in the game. And so we need to bring the teams together. And once we have the teams work together, I think we have a far better track on, on maintaining security. >> John and Dave, I want to get your perspectives on what Yves just said. In all the experience that the two of you have as industry analysts here on "theCUBE," Wikibon, Siliconangle Media. How do you advise organizations to get those teams together? As Eve said, that alignment is critical, but John, we'll start with you, then Dave go to you. What's your advice for organizations that need to align those teams and really don't have a lot of time to wait to do it? >> (chuckling) That's a great question. I think, I think that's everyone pays hundreds of thousands of millions of dollars to get that advice from these consultants, organizations out there doing the transformations. But I think it comes down to personnel and commitment. I think if there's a C-level commitment to the effort, you'll see the institutional structure change. So you can see really getting behind it with their, with their wallet and their, and their support of either getting more personnel to support and assist, or manage services, or giving the power to the teams to execute and doing it in a way that, that's, that's well known and best practices. Start small, build out the pilots, build the platform, and then start getting it right. And I think that's the key. Not the magic wand, the old model of rolling out stuff in, in six month cycles. It's really, get the proof points, double down and change the culture, but also execute and have real metrics. And changing the architecture, like having more penetration tests as a service. Doing pen tests is like a joke now. So that doesn't make any sense. You got to have that built in almost every day, and every minute. So, these kinds of new techniques have to be implemented and have to be tried. So that's why these communities are growing. That's why I like what open source has been doing, and I like the open source as the place to have these conversations, because that's where the action will be for new stuff. And I think people will implement open source like they did before, but with different ways, better testing, better supply chain on the software side, verifying code. So, I see open source actually getting a tailwind from this, not a headwind. So, I'm bullish on the open source piece here on, on all levels, machine learning- >> Lisa, my answer is intramural sports. And it's 'cause I think it's cultural. And what I mean by that, is you take your your best and brightest security, and this is what frankly, a lot of CISOs do, an examples is Lena Smart, MongoDB. Take your best and brightest security pros, make them captains of the intramural teams, and pair them up with pods of individuals across the organization, which is most people who don't know anything about security, and put them together, so that they can, they, so that the folks that understand security can, can realize how little people know, what, what, what, how, what the worst practices that are out there in the reverse, how they can cross pollinate. And they do that on a regular basis, I know at Mongo and other companies. And that kind of cultural assimilation is a starting point for how you get security awareness up to your question around making it a team sport. >> Absolutely critical. Yves, I want to kind of wrap things with you. We've got a couple of minutes left. When you're really looking at the Cloud Native community, the growth of it, we talked about earlier in the program, Cloud Native Security Con being now extracted and elevated out of KubeCon, what are your thoughts on the groundswell that this community is generating around Cloud Native Security, the benefits that organizations will achieve from it? >> I think overall, when we have these securities conferences, or these security arms a bit spread out and separated out of the main conference, it helps to a certain degree, because especially in the security space, when you look at at other like black hat or white hat conferences and things like that in the past, although they were not focused on Cloud Native, a lot of these security folks didn't feel well taken care of in any of the other conferences because they were always these, it's like they are always blocking us, they're always making us problems, and all these kinds of things. Now that we really take the Cloud Native piece and the security piece together, or like AWS does it with re:Inforce, I think we will see more and more that people understand is that security is a permanent topic we need to cover, but we need to bring different people together, because security also has compliance and a lot of other components in there. So we will see at these conferences moving forward, also a different audience. It's not going to be only the Cloud Native developers. And if I see some of these security audiences, I can't really imagine them to really be at KubeCon because there is too much other things going on. And you couldn't really see much of that at re:Invent because re:Invent by itself has become a complete monster of a conference. It covers too many topics. And so having this very, very important security piece separated, also gives the opportunity, I think, that we can bring in the security people, but also have the type of board level discussions potentially, between the leaders of the industry, to also discuss on how we can evolve, how we can make things better, and how, how we can actually, yeah, evolve our industry for it. Because let's face it, that threat is not going to go away. It's, it's a business. And one of the last security conferences I was on, on the ransomware part, it was one of the topics someone said is like, "Look, currently on average, it takes a hacker group roughly around they said 15 to 20 K to break into a company, and they on average make 100K. It's a business, let's face it. And it's a business we don't like. And ethically, it's no discussion that this is not good, but that's something which is happening. People are making money with it. And as long as that's going to go on, and we have enough countries where these people can hide, it's going to stay and survive. And so, with that being said, it's important for us to really build an industry around this. But I also think it's good that we have separate conferences. In the past we had more the RSA conference, which tried to cover all of these areas. But that is not really fitting Cloud Native and everything else. So I think it's good that we have these new opportunities, the Cloud Native one, but also what AWS brings up for someone. >> Yves, you just nailed it. It just comes down to simple math. It's a fraction. Revenue over cost. And if you could increase the hacker's cost, increase the denominator, their ROI will go down. And that is the game. >> Great point, Dave. What I'm hearing guys, and we can talk about technology for days and days. I know all of you. But there's, there's a big component that, that the elevation of Cloud Native Security, on its own as standalone is critical, as is the people component. You guys all talked about that. We talked about the cultural change necessary for that. Hopefully what we're seeing with Cloud Native Security Con 23, this first event is going to give us more insight over the next couple of days, and the next months or so, as to how this elevation, and how the people can come together to really help organizations from a math perspective as, as Dave talked about, really dial down the risks there, understand more of the vulnerabilities so that ransomware as a service is not as lucrative as it is today. Guys, so much appreciate your time, really breaking down Cloud Native Security, the value in it from different perspectives, and what your thoughts are on where it's going. Thanks so much for your time. >> All right. Thanks. >> Thanks, Lisa. >> Thank you. >> Thanks, Yves. >> All right. For my guests, I'm Lisa Martin. You're watching theCUBE's day one coverage of Cloud Native Security Con 23. Thanks for watching. (rousing music)

>> Hello friends and welcome back to Fabulous Las Vegas, Nevada. We are here at AWS re:Invent in the heat of day three. Very exciting time. My name is Savannah Peterson, joined with John Furrier here on theCUBE. John, what's your, what's your big hot take from the day? Just from today. >> So right now the velocity of content is continuing to flow on theCUBE. Thank you, everyone, for watching. The security conversations. Also, the cost tuning of the cloud kind of vibe is going on. You're hearing that with the looming recession, but if you look at the show it's the bulk of the keynote time spent talking is on data and security together. So Security, Security Lake, Amazon, they continue to talk about security. This next segment's going to be awesome. We have a multi-, eight-time CUBE alumni coming back and great conversation about security. I'm looking forward to this. >> Alumni VIP, I know, it's so great. Actually, both of these guests have been on theCUBE before so please welcome Dan and Haiyan. Thank you both for being here from F5. How's the show going? You're both smiling and we're midway through day three. Good? >> It's so exciting to be here with you all and it's a great show. >> Awesome. Dan, you having a good time too? >> It's wearing me out. I'm having a great time. (laughter) >> It's okay to be honest. It's okay to be honest. It's wearing out our vocal cords for sure up here, but it is definitely a great time. Haiyan, can you tell me a little bit about F5 just in case the audience isn't familiar? >> Sure, so F5 we specialize in application delivery and security. So our mission is to deliver secure and optimize any applications, any APIs, anywhere. >> I can imagine you have a few customers in the house. >> Absolutely. >> Yeah, that's awesome. So in terms of a problem that, well an annoyance that we've all had, bots. We all want the anti-bots. You have a unique solution to this. How are you helping AWS customers with bots? Let's send it to you. >> Well we, we collect client side signals from all devices. We might study how it does floating point math or how it renders emojis. We analyze those signals and we can make a real time determination if the traffic is from a bot or not. And if it's from a bot, we could take mitigating action. And if it's not, we just forward it on to origin. So client side signals are really important. And then the second aspect of bot protection I think is understanding that bot's retool. They become more sophisticated. >> Savannah: They learn. >> They learn. >> They unfortunately learn as well. >> Exactly, yeah. So you have to have a second stage what we call retrospective analysis where you're looking over all the historical transactions, looking for anything that may have been missed by a realtime defense and then updating that stage one that real time defense to deal with the newly discovered threat. >> Let's take a step back for a second. I want to just set the table in the context for the bot conversation. Bots, automation, that's, people know like spam bots but Amazon has seen the bot networks develop. Can you scope the magnitude and the size of the problem of bots? What is the problem? And give a size of what this magnitude of this is. >> Sure, one thing that's important to realize is not all bots are bad. Okay? Some bots are good and you want to identify the automation from those bots and allow listed so you don't interfere with what they're doing. >> I can imagine that's actually tricky. >> It is, it is. Absolutely. Yeah. >> Savannah: Nuanced. >> Yeah, but the bad bots, these are the ones that are attempting credential stuffing attacks, right? They're trying username password pairs against login forms. And because of consumer habits to reuse usernames and passwords, they end up taking over a lot of accounts. But those are the bookends. There are all sorts of types of bots in between those two bookends. Some are just nuisance, like limited time offer bots. You saw some of this in the news recently with Ticketmaster. >> That's a spicy story. >> Yeah, it really is. And it's the bots that is causing that problem. They use automation to buy all these concert tickets or sneakers or you know, any limited time offer project. And then they resell those on the secondary market. And we've done analysis on some of these groups and they're making millions of dollars. It isn't something they're making like 1200 bucks on. >> I know Amazon doesn't like to talk about this but the cloud for its double edged sword that it is for all the greatness of the agility spinning up resources bots have been taking advantage of that same capability to hide, change, morph. You've seen the matrix when the bots attacked the ship. They come out of nowhere. But Amazon actually has seen the bot problem for a long time, has been working on it. Talk about that kind of evolution of how this problem's being solved. What's Amazon doing about, how do you guys help out? >> Yeah, well we have this CloudFront connector that allows all Amazon CloudFront customers to be able to leverage this technology very, very quickly. So what historically was available only to like, you know the Fortune 500 at most of the global 2000 is now available to all AWS customers who are using CloudFront just by really you can explain how do they turn it on in CloudFront? >> Yeah. So I mean CloudFront technologies like that is so essential to delivering the digital experience. So what we do is we do a integration natively. And so if your CloudFront customers and you can just use our bot defense solution by turning on, you know, that traffic. So go through our API inspection, go through our bot inspection and you can benefit from all the other efficiencies that we acquired through serving the highest and the top institutions in the world. >> So just to get this clarification, this is a super important point. You said it's native to the service. I don't have to bolt it on? Is it part of the customer experience? >> Yeah, we basically built the integration. So if you're already a CloudFront customer and you have the ability to turn on our bot solutions without having to do the integration yourself. >> Flick a switch and it's on. >> Haiyan: Totally. >> Pretty much. >> Haiyan: Yeah. >> That's how I want to get rid of all the spam in my life. We've talked a lot about the easy button. I would also like the anti-spam button if we're >> Haiyan: 100% >> Well we were talking before you came on camera that there's a potentially a solution you can sit charge. There are techniques. >> Yeah. Yeah. We were talking about the spam emails and I thought they just charge, you know 10th of a penny for every sent email. It wouldn't affect me very much. >> What's the, are people on that? You guys are on this but I mean this is never going to stop. We're going to see the underbelly of the web, the dark web continue to do it. People are harvesting past with the dark web using bots that go in test challenge credentials. I mean, it's just happening. It's never going to stop. What's, is it going to be that cat and mouse game? Are we going to see solutions? What's the, when are we going to get some >> Well it's certainly not a cat and mouse game for F5 customers because we win that battle every time. But for enterprises who are still battling the bots as a DIY project, then yes, it's just going to be a cat and mouse. They're continuing to block by IP, you know, by rate limiting. >> Right, which is so early 2000's. >> Exactly. >> If we're being honest. >> Exactly. And the attackers, by the way, the attackers are now coming from hundreds of thousands or even millions of IP addresses and some IPs are using one time. >> Yeah, I mean it seems like such an easy problem to circumnavigate. And still be able to get in. >> What are I, I, let's stick here for a second. What are some of the other trends that you're seeing in how people are defending if they're not using you or just in general? >> Yeah, maybe I'll add to to that. You know, when we think about the bot problem we also sort of zoom out and say, Hey, bot is only one part of the problem when you think about the entire digital experience the customer experiencing, right? So at F5 we actually took a more holistic sort of way to say, well it's about protecting the apps and applications and the APIs that's powering all of those. And we're thinking not only the applications APIs we're thinking the infrastructure that those API workloads are running. So one of the things we're sharing since we acquired Threat Stack, we have been busy doing integrations with our distributed cloud services and we're excited. In a couple weeks you will hear announcement of the integrated solution for our application infrastructure protection. So that's just another thing. >> On that Threat Stack, does that help with that data story too? Because it's a compliance aspect as well. >> Yeah, it helps with the telemetries, collecting more telemetries, the data story but is also think about applications and APIs. You can only be as secure as the infrastructure you're running on it, right? So the infrastructure protection is a key part of application security. And the other dimension is not only we can help with the credentials, staffing and, and things but it's actually thinking about the customer's top line. Because at the end of the day when all this inventory are being siphoned out the customer won't be happy. So how do we make sure their loyal customers have the right experience so that can improve their top line and not just sort of preventing the bots. So there's a lot of mission that we're on. >> Yeah, that surprise and delight in addition to that protection. >> 100% >> If I could talk about the evolution of an engagement with F5. We first go online, deploy the client side signals I described and take care of all the bad bots. Okay. Mitigate them. Allow list all the good bots, now you're just left with human traffic. We have other client side signals that'll identify the bad humans among the good humans and you could deal with them. And then we have additional client side signals that allow us to do silent continuous authentication of your good customers extending their sessions so they don't have to endure the friction of logging in over and over and over. >> Explain that last one again because I think that was, that's, I didn't catch that. >> Yeah. So right now we require a customer to enter in their username and password before we believe it's them. But we had a customer who a lot of their customers were struggling to log in. So we did analysis and we realized that our client side signals, you know of all those that are struggling to log in, we're confident like 40% of 'em are known good customers based on some of these signals. Like they're doing floating point math the way they always have. They're rendering emojis the way they always have all these clients that signals are the same. So why force that customer to log in again? >> Oh yeah. And that's such a frustrating user experience. >> So true. >> I actually had that thought earlier today. How many time, how much of my life am I going to spend typing my email address? Just that in itself. Then I could crawl back under the covers but >> With the biometric Mac, I forget my passwords. >> Or how about solving CAPTCHA's? How fun is that? >> How many pictures have a bus? >> I got one wrong the other day because I had to pick all the street signs. I got it wrong and I called a Russian human click farm and figured out why was I getting it wrong? And they said >> I love that you went down this rabbit hole deeply. >> You know why that's not a street sign. That's a road sign, they told me. >> That's the secret backdoor. >> Oh well yeah. >> Talk about your background because you have fascinating background coming from law enforcement and you're in this kind of role. >> He could probably tell us about our background. >> They expunge those records. I'm only kidding. >> 25, 30 years in working in local, state and federal law enforcement and intelligence among those an FBI agent and a CIA cyber operations officer. And most people are drawn to that because it's interesting >> Three letter agencies can get an eyebrow raise. >> But I'll be honest, my early, early in my career I was a beat cop and that changed my life. That really did, that taught me the importance of an education, taught me the criminal mindset. So yeah, people are drawn to the FBI and CIA background, but I really value the >> So you had a good observation eye for kind of what, how this all builds out. >> It all kind of adds up, you know, constantly fighting the bad guys, whether they're humans, bots, a security threat from a foreign nation. >> Well learning their mindset and learning what motivates them, what their objectives are. It is really important. >> Reading the signals >> You don't mind slipping into the mind of a criminal. It's a union rule. >> Right? It actually is. >> You got to put your foot and your hands in and walk through their shoes as they say. >> That's right. >> The bot networks though, I want to get into, is not it sounds like it's off the cup but they're highly organized networks. >> Dan: They are. >> Talk about the aspect of the franchises or these bots behind them, how they're financed, how they use the money that they make or ransomware, how they collect, what's the enterprise look like? >> Unfortunately, a lot of the nodes on a botnet are now just innocent victim computers using their home computers. They can subscribe to a service and agree to let their their CPU be used while they're not using it in exchange for a free VPN service, say. So now bad actors not, aren't just coming from you know, you know, rogue cloud providers who accept Bitcoin as payment, they're actually coming from residential IPs, which is making it even more difficult for the security teams to identify. It's one thing when it's coming from- >> It's spooky. I'm just sitting here kind of creeped out too. It's these unknown hosts, right? It's like being a carrier. >> You have good traffic coming from it during the day. >> Right, it appears normal. >> And then malicious traffic coming from it. >> Nefarious. >> My last question is your relationship with Amazon. I'll see security center piece of this re:Invent. It's always been day zero as they say but really it's the security data lake. A lot of gaps are being filled in the products. You kind of see that kind of filling out. Talk about the relationship with F5 and AWS. How you guys are working together, what's the status? >> We've been long-term partners and the latest release the connector for CloudFront is just one of the joint work that we did together and try to, I think, to Dan's point, how do we make those technology that was built for the very sophisticated big institutions to be available for all the CloudFront customers? So that's really what's exciting. And we also leverage a lot of the technology. You talked about the data and our entire solution are very data driven, as you know, is automation. If you don't use data, you don't use analytics, you don't use AI, it's hard to really sort of win that war. So a lot of our stuff, it's very data driven >> And the benefit to customers is what? Access? >> The customer's access, the customer's top line. We talked about, you know, like how we're really bringing better experiences at the end of the day. F5's mission is try to bring a better digital world to life. >> And it's also collaborative. We've had a lot of different stories here on on the set about companies collaborating. You're obviously collaborating and I also love that we're increasing access, not just narrowing this focus for the larger companies at scale already, but making sure that these companies starting out, a lot of the founders probably milling around on the floor right now can prevent this and ensure that user experience for their customers. throughout the course of their product development. I think it's awesome. So we have a new tradition here on theCUBE at re:Invent, and since you're alumni, I feel like you're maybe going to be a little bit better at this than some of the rookies. Not that rookies can't be great, but you're veterans. So I feel strong about this. We are looking for your 30-second Instagram reel hot take. Think of it like your sizzle of thought leadership from the show this year. So eventually eight more visits from now we can compile them into a great little highlight reel of all of your sound bites over the evolution of time. Who wants to give us their hot take first? >> Dan? >> Yeah, sure. >> Savannah: You've been elected, I mean you are an agent. A former special agent >> I guess I want everybody to know the bot problem is much worse than they think it is. We go in line and we see 98, 99% of all login traffic is from malicious bots. And so it is not a DIY project. >> 98 to 99%? That means only 1% of traffic is actually legitimate? >> That's right. >> Holy moly. >> I just want to make sure that everybody heard you say that. >> That's right. And it's very common. Didn't happen once or twice. It's happened a lot of times. And when it's not 99 it's 60 or it's 58, it's high. >> And that's costing a lot too. >> Yes, it is. And it's not just in fraud, but think about charges that >> Savannah: I think of cloud service providers >> Cost associated with transactions, you know, fraud tools >> Savannah: All of it. >> Yes. Sims, all those things. There's a lot of costs associated with that much automation. So the client side signals and multi-stage defense is what you need to deal with it. It's not a DIY project. >> Bots are not DIY. How would you like to add to that? >> It's so hard to add to that but I would say cybersecurity is a team sport and is a very data driven solution and we really need to sort of team up together and share intelligence, share, you know, all the things we know so we can be better at this. It's not a DIY project. We need to work together. >> Fantastic, Dan, Haiyan, so great to have you both back on theCUBE. We look forward to seeing you again for our next segment and I hope that the two of you have really beautiful rest of your show. Thank you all for tuning into a fantastic afternoon of coverage here from AWS re:Invent. We are live from Las Vegas, Nevada and don't worry we have more programming coming up for you later today with John Furrier. I'm Savannah Peterson. This is theCUBE, the leader in high tech coverage.

foreign welcome back everyone to our special presentation here at thecube with Horizon 3.a I'm John Furrier host thecube here in Palo Alto back it's niho and Tony CEO and co-founder of horizon 3 for deep dive on going under the hood around the big news and also the platform autonomous pen testing changing the game and security great to see you welcome back thank you John I love what you guys have been doing with the cube huge fan been here a bunch of times and yeah looking forward to the conversation let's get into it all right so what what's the market look like and how do you see it evolving we're in a down Market relative to startups some say our data we're reporting on siliconangle in the cube that yeah there might be a bit of downturn in the economy with inflation but the tech Market is booming because the hyperscalers are still pumping out massive scale and still innovating so so you know for the first time in history this is a recession or downturn where there's now Cloud scale players that are an economic engine what's your view on this where's the market heading relative to the downturn and how are you guys navigating that so um I think about it one the there's a lot of belief out there that we're going to hit a downturn and we started to see that we started to see deals get longer and longer to close back in May across the board in the industry we continue to see deals get at least backloaded in the quarter as people understand their procurement how much money they really have to spend what their earnings are going to be so we're seeing this across the board one is quarters becoming lumpier for tech companies and we think that that's going to become kind of the norm over the next over the next year but what's interesting in our space of security testing is a very basic supply and demand problem the demand for security testing has skyrocketed when I was a CIO eight years ago I only had to worry about my on-prem attack surface my perimeter and Insider threat those are my primary threat vectors now if I was a CIO I have to include multiple clouds all of the data in my SAS offerings my Salesforce account and so on as well as work from home threat vectors and other pieces and I've got Regulatory Compliance in Europe in Asia in in the U.S tons of demand for testing and there's just not enough Supply there's only 5 000 certified pen testers in the United States so I think for starters you have a fundamental supply and demand problem that plays to our strength because we're able to bring a tremendous amount of pen testing supply to the table but now let's flip to if you are the CEO of a large security company or whether it's a Consulting shop or so on you've got a whole bunch of deferred revenue in your business model around security testing services and what we've done in our past in previous companies I worked at is if we didn't think we were going to make the money the quarter with product Revenue we would start to unlock some of that deferred Services Revenue to make the number to hit what we expected Wall Street to hit what Wall Street expected of us in testing that's not possible because there's not enough Supply except us so if I'm the CEO of an mssp or a large security company and I need I see a huge backlog of security testing revenue on the table the easy button to convert that to recognized revenue is Horizon 3. and when I think about the next six months and the amount of Revenue misses we're going to see in security shops especially those that can't fulfill their orders I think there's a ripe opportunity for us to win yeah one of the few opportunities where on any Market you win because the forces will drive your flywheel that's exactly right very basic supply and demand forces that are only increasing with pressure and there's no way it takes 10 years just to build a master hacker just it's a very hard complex space we become the easy button to address that supply problem yeah and this and the autonomous aspect makes appsec reviews as new things get pushed with Cloud native developers they're shifting left but still the security policies need to stay Pace as these new vectors threat vectors appear yeah I mean because that's what's happening a new new thing makes a vector possible that's exactly right I think there's two aspects one is the as you in increase change in your environment you need to increase testing they are absolutely correlated the second thing though is you know for 20 years we focused on remote code execution or rces as an industry what was the latest rce that gave an attacker access to my environment but if you look over the past few years that entire mindset has shifted credentials are the new code execution what I mean by that is if I have a large organization with a hundred a thousand ten thousand employees all it takes is one of them to have a password I can crack in credential spray and gain access to as an attacker and once I've gained access to a single user I'm going to systematically snowball that into something of consequence and so I think that the attackers have shifted away from looking for code execution and looked more towards harvesting credentials and cascading credentials from a regular domain user into an admin this brings up the conversation I would like to do it more Deep dive now shift into more of like the real kind of landscape of the market and your positioning and value proposition in that and that is managed services are becoming really popular as we move into this next next wave of super cloud and multi-cloud and hybrid Cloud because I mean multi-cloud and hybrid hybrid than multi-cloud sounds good on paper but the security Ops become big and one of the things we're reporting with here on the cube and siliconangle the past six months is devops has made the developer the IT team because they've essentially run it now in CI CD pipeline as they say that means it's replaced by data Ops or AI Ops or security Ops and data and security kind of go hand in hand so I can see that playing out do you believe that to be true that that's kind of the new operational kind of beach head that's critical and if so secure if data is part of security that makes security the new it yeah I I think that if you think about organizations hell even for Horizon 3 right now I don't need to hire a CIO I'll have a CSO and that CSO will own it and governance risk and compliance and security operations because at the end of the day the most pressing question for me to answer as a CEO is my security posture IIT is a supporting function of that security posture and we see that at say or a growth stage company like Horizon 3 but when I thought about my time at GE Capital we really shifted to this mindset of security by Design architecture as code and it was very much security driven conversation and I think that is the norm going forward and how do you view the idea that you have to enable a managed service provider with security also managing comp and which then manages the company to enable them to have agile security um security is code because what you're getting at is this autonomous layer that's going to be automated away to make the next talented layer whether it's coder or architect scale so the question is what is abstracted away at at automation seems to be the conversation that's coming out of this big cloud native or super cloud next wave of cloud scale I think there's uh there's two Dimensions to that and honestly I think the more interesting Dimension is not the technical side of it but rather think of the Equifax hack a bunch of years ago had Equifax used a managed security services provider would the CEO have been fired after the breach and the answer is probably not I think the CEO would have transferred enough reputational risk in operational risk to the third party mssp to save his job from being you know from him being fired you can look at that across the board I think that if if I were a CIO again I would be hard-pressed to build my own internal security function because I'm accepting that risk as an executive and we saw what just happened at Uber there's a ton of risk coming with that with the with accepting that as a security person so I think in the future the role of the mssp becomes more significant as a mechanism for transferring enough reputational and operational and legal risk to a third party so that you as the Core Company are able to protect yourself and your people now then what you think is a super cloud printables and Concepts being applied at mssp scale and I think that becomes really interesting talk about the talent opportunity because I think the managed service providers point to markets that are growing and changing also having managed service means that the customers can't always hire Talent hence they go to a Channel or a partner this seems to be a key part of the growth in your area talk about the talent aspect of it yeah um think back to what we saw in Cloud so as as Cloud picked up we saw IBM HP other Hardware companies sell more servers but to fewer customers Amazon Google and others right and so I think something similar is going to happen in the security space where I think you're going to see security tools providers selling more volume but to fewer customers that are just really big mssps so that is the the path forward and I think that the underlying Talent issue gives us economies at scale and that's what we saw this with Cloud we're going to see the same thing in the mssp space I've got a density of Talent Plus a density of automation plus a density of of relationships and ecosystem that give mssps a huge economies of scale advantage over everybody else I mean I want to get into the mssp business sounds like I make a lot of money yeah definitely it's profitable no doubt about it like that I got to ask more on the more of the burden side of it because if you're a partner I don't need another training class I don't need another tool I don't need someone saying this is the highest margin product I need to actually downsize my tools so right now there's hundreds of tools that mssps have all the time dealing with and does the customer so tools platforms we've kind of teased this out in previous conversations together but more more relevant to the mssp is what they do to the customers so talk about this uh burden of tools and the socks out there in the in in the landscape how do you how do you view that and what's the conversation like on average an organization has 130 different cyber security tools installed none of those tools were designed to work together none of those tools are from the same vendor and in fact oftentimes they're from vendors that have competing products and so what we don't have and they're still getting breached in the industry we don't have a tools problem we have an Effectiveness problem we have to reduce the number of tools we have get more out of out of the the effectiveness out of the existing infrastructure build muscle memory you know how to detect and respond to a breach and continuously verify that posture I think that's what the the most successful security organizations have mastered the fundamentals and they mastered that by making sure they were effective in detection and response not mastering it by buying the next shiny AI tool on the defensive side okay so you mentioned supply and demand early since you're brought up economics we'll get into the economic equations here when you have great profits that's going to attract more entrance into the marketplace so as more mssps enter the market you're going to start to see a little bit of competition maybe some fud maybe some price competitive price penetration all kinds of different Tactics get out go on there um how does that impact you because now does that impact your price or are you now part of them just competing on their own value what's that mean for the channel as more entrants come in hey you know I can compete against that other one does that create conflict is that an opportunity does are you neutral on that what's the position it's a great question actually I think the way it plays out is one we are neutral two the mssp has to stand on their own with their own unique value proposition otherwise they're going to become commoditized we saw this in the early cloud provider days the cloud providers that were just basically wrapping existing Hardware with with a race to the bottom pricing model didn't survive those that use the the cloud infrastructure as a starting point to build higher value capabilities they're the ones that have succeeded to this day the same Mo I think will occur in mssps which is there's a base level of capability that they've got to be able to deliver and it is the burden of the mssp to innovate effectively to elevate their value problem it's interesting Dynamic and I brought it up mainly because if you believe that this is going to be a growing New Market price erosion is more in mature markets so it's interesting to see that Dynamic come up and we'll see how that handles on the on the economics and just the macro side of it getting more into kind of like the next gen autonomous pen testing is a leading indicator that a new kind of security assessment is here um if I said that to you how do you respond to that what is this new security assessment mean what does that mean for the customer and to the partner and that that relationship down that whole chain yeah um back to I'm wearing a CIO hat right now don't tell me we're secure in PowerPoint show me we're secure Today Show me where we're secure tomorrow and then show me we're secure again next week because that's what matters to me if you can show me we're secure I can understand the risk I'm accepting and articulate it up to my board to my Regulators up until now we've had a PowerPoint tell me where secure culture and security and I just don't think that's going to last all that much longer so I think the future of security testing and assessment is this shift from a PowerPoint report to truly showing me that my I'm secure enough you guys auto-generate those statements now you mentioned that earlier that's exactly right because the other part is you know the classic way to do security reports was garbage in garbage out you had a human kind of theoretically fill out a spreadsheet that magically came up with the risk score or security posture that doesn't work that's a check the box mentality what you want to have is an accurate High Fidelity understanding of your blind spots your threat vectors what data is at risk what credentials are at risk you want to look at those results over time how quickly did I find problems how quickly did I fix them how often did they reoccur and that is how you get to a show me where secure culture whether I'm a company or I'm a channel partner working with Horizon 3.ai I have to put my name on the line and say Here's a service level agreement I'm going to stand behind there's levels of compliance you mentioned that earlier how do you guys help that area because that becomes I call the you know below the line I got to do it anyway usually it's you know they grind out the work but it has to be fundamental because if the threats vectors are increasing and you're handling it like you say you are the way it is real time today tomorrow the next day you got to have that other stuff flow into it can you describe how that works under the hood yeah there's there's two parts to it the first part is that attackers don't have to hack in with zero days they log in with credentials that they found but often what attackers are doing is chaining together different types of problems so if you have 10 different tactics you can chain those together a number of different ways it's not just 10 to the 10th it's it's actually because you don't you don't have to use all the tactics at once this is a very large number of combinations that an attacker can apply upon you is what it comes down to and so at the base level what you want to have is what are the the primary tactics that are being used and those tactics are always being added to and evolving what are the primary outcomes that an attacker is trying to achieve steal your data disrupt your systems become a domain admin and borrow and now what you have is it actually looks more like a chess game algorithm than it does any sort of hard-coded automation or anything else which is based on the pieces on the board the the it infrastructure I've discovered what is the next best action to become a domain admin or steal your data and that's the underlying innovation in IP we've created which is next best action Knowledge Graph analytics and adaptiveness to figure out how to combine different problems together to achieve an objective that an attacker cares about so the 3D chess players out there I'd say that's more like 3D chess are the practitioners implementing it but when I think about compliance managers I don't see 3D chess players I see back office accountants in my mind like okay are they actually even understand what comes out of that so how do you handle the compliance side do you guys just check the boxes there is it not part of it is it yeah I I know I don't Envision the compliance guys on the front lines identifying vectors do you know what it doesn't even know what it means yeah it's a great question when you think about uh the market segmentation I think there are we've seen are three basic types of users you've got the the really mature high frequency security testing purple team type folks and for them we are the the force multiplier for them to secure the environment you then have the middle group where the IT person and the security person are the same individual they are barely Treading Water they don't know what their attack surface is and they don't know what to focus on we end up that's actually where we started with the barely Treading Water Persona and that's why we had a product that helped those Network Engineers become superheroes the third segment are those that view security and compliance as synonymous and they don't really care about continuous they care about running and checking the box for PCI and forever else and those customers while they use us they are better served by our partner ecosystem and that's really so the the first two categories tend to use us directly self-service pen tests as often as they want that compliance-minded folks end up going through our partners because they're better served there steel great to have you on thanks for this deep dive on um under the hood section of the interview appreciate it and I think autonomous is is an indicator Beyond pen testing pen testing has become like okay penetration security but this is not going away where do you see this evolving what's next what's next for Horizon take a minute to give a plug for what's going on with copy how do you see it I know you got good margins you're raising Capital always raising money you're not yet public um looking good right now as they say yeah yeah well I think the first thing is our company strategy is in three chapters chapter one is become the best security testing platform in the industry period that's it and be very good at helping you find and fix your security blind spots that's chapter one we've been crushing it there with great customer attraction great partner traction chapter two which we've started to enter is look at our results over time to help that that GRC officer or auditor accurately assess the security posture of an organization and we're going to enter that chapter about this time next year longer term though the big Vision I have is how do I use offense to inform defense so for me chapter three is how do I get away from just security testing towards autonomous security overall where you can use our security testing platform to identify ways to attack that informs defensive tools exactly where to focus how to adjust and so on and now you've got offset and integrated learning Loop between attack and defense that's the future never been done before Master the art of attack to become a better Defender is the bigger vision of the company love the new paradigm security congratulations been following you guys we will continue to follow you thanks for coming on the Special Report congratulations on the new Market expansion International going indirect that a big way congratulations thank you John appreciate it okay this is a special presentation with the cube and Horizon 3.ai I'm John Furrier your host thanks for watching thank you

>>Keon Cloud Native Con kicks off in Detroit on October 24th, and we're pleased to have Stewart Miniman, who's the director of Market Insights, hi, at, for hybrid platforms at Red Hat back in the studio to help us understand the key trends to look for at the events. Do welcome back, like old, old, old >>Home. Thank you, David. It's great to, great to see you and always love doing these previews, even though Dave, come on. How many years have I told you Cloud native con, It's a hoodie crowd. They're gonna totally call you out for where in a tie and things like that. I, I know you want to be an ESPN sportscaster, but you know, I I, I, I still don't think even after, you know, this show's been around for so many years that there's gonna be too many ties into Troy. I >>Know I left the hoodie in my off, I'm sorry folks, but hey, we'll just have to go for it. Okay. Containers generally, and Kubernetes specifically continue to show very strong spending momentum in the ETR survey data. So let's bring up this slide that shows the ETR sectors, all the sectors in the tax taxonomy with net score or spending velocity in the vertical axis and pervasiveness on the horizontal axis. Now, that red dotted line that you see, that marks the elevated 40% mark, anything above that is considered highly elevated in terms of momentum. Now, for years, the big four areas of momentum that shine above all the rest have been cloud containers, rpa, and ML slash ai for the first time in 10 quarters, ML and AI and RPA have dropped below the 40% line, leaving only cloud and containers in rarefied air. Now, Stu, I'm sure this data doesn't surprise you, but what do you make of this? >>Yeah, well, well, Dave, I, I did an interview with at Deepak who owns all the container and open source activity at Amazon earlier this year, and his comment was, the default deployment mechanism in Amazon is containers. So when I look at your data and I see containers and cloud going in sync, yeah, that, that's, that's how we see things. We're helping lots of customers in their overall adoption. And this cloud native ecosystem is still, you know, we're still in that Cambridge explosion of new projects, new opportunities, AI's a great workload for these type type of technologies. So it's really becoming pervasive in the marketplace. >>And, and I feel like the cloud and containers go hand in hand, so it's not surprising to see those two above >>The 40%. You know, there, there's nothing to say that, Look, can I run my containers in my data center and not do the public cloud? Sure. But in the public cloud, the default is the container. And one of the hot discussions we've been having in this ecosystem for a number of years is edge computing. And of course, you know, I want something that that's small and lightweight and can do things really fast. A lot of times it's an AI workload out there, and containers is a great fit at the edge too. So wherever it goes, containers is a good fit, which has been keeping my group at Red Hat pretty busy. >>So let's talk about some of those high level stats that we put together and preview for the event. So it's really around the adoption of open source software and Kubernetes. Here's, you know, a few fun facts. So according to the state of enterprise open source report, which was published by Red Hat, although it was based on a blind survey, nobody knew that that Red Hat was, you know, initiating it. 80% of IT execs expect to increase their use of enterprise open source software. Now, the CNCF community has currently more than 120,000 developers. That's insane when you think about that developer resource. 73% of organizations in the most recent CNCF annual survey are using Kubernetes. Now, despite the momentum, according to that same Red Hat survey, adoption barriers remain for some organizations. Stu, I'd love you to talk about this specifically around skill sets, and then we've highlighted some of the other trends that we expect to see at the event around Stu. I'd love to, again, your, get your thoughts on the preview. You've done a number of these events, automation, security, governance, governance at scale, edge deployments, which you just mentioned among others. Now Kubernetes is eight years old, and I always hear people talking about there's something coming beyond Kubernetes, but it looks like we're just getting started. Yeah, >>Dave, It, it is still relatively early days. The CMC F survey, I think said, you know, 96% of companies when they, when CMC F surveyed them last year, were either deploying Kubernetes or had plans to deploy it. But when I talked to enterprises, nobody has said like, Hey, we've got every group on board and all of our applications are on. It is a multi-year journey for most companies and plenty of them. If you, you look at the general adoption of technology, we're still working through kind of that early majority. We, you know, passed the, the chasm a couple of years ago. But to a point, you and I we're talking about this ecosystem, there are plenty of people in this ecosystem that could care less about containers and Kubernetes. Lots of conversations at this show won't even talk about Kubernetes. You've got, you know, big security group that's in there. >>You've got, you know, certain workloads like we talked about, you know, AI and ml and that are in there. And automation absolutely is playing a, a good role in what's going on here. So in some ways, Kubernetes kind of takes a, a backseat because it is table stakes at this point. So lots of people involved in it, lots of activities still going on. I mean, we're still at a cadence of three times a year now. We slowed it down from four times a year as an industry, but there's, there's still lots of innovation happening, lots of adoption, and oh my gosh, Dave, I mean, there's just no shortage of new projects and new people getting involved. And what's phenomenal about it is there's, you know, end user practitioners that aren't just contributing. But many of the projects were spawned out of work by the likes of Intuit and Spotify and, and many others that created some of the projects that sit alongside or above the, the, you know, the container orchestration itself. >>So before we talked about some of that, it's, it's kind of interesting. It's like Kubernetes is the big dog, right? And it's, it's kind of maturing after, you know, eight years, but it's still important. I wanna share another data point that underscores the traction that containers generally are getting in Kubernetes specifically have, So this is data from the latest ETR survey and shows the spending breakdown for Kubernetes in the ETR data set for it's cut for respondents with 50 or more citations in, in by the IT practitioners that lime green is new adoptions, the forest green is spending 6% or more relative to last year. The gray is flat spending year on year, and those little pink bars, that's 6% or down spending, and the bright red is retirements. So they're leaving the platform. And the blue dots are net score, which is derived by subtracting the reds from the greens. And the yellow dots are pervasiveness in the survey relative to the sector. So the big takeaway here is that there is virtually no red, essentially zero churn across all sectors, large companies, public companies, private firms, telcos, finance, insurance, et cetera. So again, sometimes I hear this things beyond Kubernetes, you've mentioned several, but it feels like Kubernetes is still a driving force, but a lot of other projects around Kubernetes, which we're gonna hear about at the show. >>Yeah. So, so, so Dave, right? First of all, there was for a number of years, like, oh wait, you know, don't waste your time on, on containers because serverless is gonna rule the world. Well, serverless is now a little bit of a broader term. Can I do a serverless viewpoint for my developers that they don't need to think about the infrastructure but still have containers underneath it? Absolutely. So our friends at Amazon have a solution called Fargate, their proprietary offering to kind of hide that piece of it. And in the open source world, there's a project called Can Native, I think it's the second or third can Native Con's gonna happen at the cncf. And even if you use this, I can still call things over on Lambda and use some of those functions. So we know Dave, it is additive and nothing ever dominates the entire world and nothing ever dies. >>So we have, we have a long runway of activities still to go on in containers and Kubernetes. We're always looking for what that next thing is. And what's great about this ecosystem is most of it tends to be additive and plug into the pieces there, there's certain tools that, you know, span beyond what can happen in the container world and aren't limited to it. And there's others that are specific for it. And to talk about the industries, Dave, you know, I love, we we have, we have a community event that we run that's gonna happen at Cubans called OpenShift Commons. And when you look at like, who's speaking there? Oh, we've got, you know, for Lockheed Martin, University of Michigan and I g Bank all speaking there. So you look and it's like, okay, cool, I've got automotive, I've got, you know, public sector, I've got, you know, university education and I've got finance. So all of you know, there is not an industry that is not touched by this. And the general wave of software adoption is the reason why, you know, not just adoption, but the creation of new software is one of the differentiators for companies. And that is what, that's the reason why I do containers, isn't because it's some cool technology and Kubernetes is great to put on my resume, but that it can actually accelerate my developers and help me create technology that makes me respond to my business and my ultimate end users. Well, >>And you know, as you know, we've been talking about the Supercloud a lot and the Kubernetes is clearly enabler to, to Supercloud, but I wanted to go back, you and John Furrier have done so many of, you know, the, the cube cons, but but go back to Docker con before Kubernetes was even a thing. And so you sort of saw this, you know, grow. I think there's what, how many projects are in CNCF now? I mean, hundreds. Hundreds, okay. And so you're, Will we hear things in Detroit, things like, you know, new projects like, you know, Argo and capabilities around SI store and things like that? Well, you're gonna hear a lot about that. Or is it just too much to cover? >>So I, I mean the, the good news, Dave, is that the CNCF really is, is a good steward for this community and new things got in get in. So there's so much going on with the existing projects that some of the new ones sometimes have a little bit of a harder time making a little bit of buzz. One of the more interesting ones is a project that's been around for a while that I think back to the first couple of Cube Cuban that John and I did service Mesh and Istio, which was created by Google, but lived under basically a, I guess you would say a Google dominated governance for a number of years is now finally under the CNCF Foundation. So I talked to a number of companies over the years and definitely many of the contributors over the years that didn't love that it was a Google Run thing, and now it is finally part. >>So just like Kubernetes is, we have SEO and also can Native that I mentioned before also came outta Google and those are all in the cncf. So will there be new projects? Yes. The CNCF is sometimes they, they do matchmaking. So in some of the observability space, there were a couple of projects that they said, Hey, maybe you can go merge down the road. And they ended up doing that. So there's still you, you look at all these projects and if I was an end user saying, Oh my God, there is so much change and so many projects, you know, I can't spend the time in the effort to learn about all of these. And that's one of the challenges and something obviously at Red Hat, we spend a lot of time figuring out, you know, not to make winners, but which are the things that customers need, Where can we help make them run in production for our, our customers and, and help bring some stability and a little bit of security for the overall ecosystem. >>Well, speaking of security, security and, and skill sets, we've talked about those two things and they sort of go hand in hand when I go to security events. I mean, we're at reinforced last summer, we were just recently at the CrowdStrike event. A lot of the discussion is sort of best practice because it's so complicated. And, and, and will you, I presume you're gonna hear a lot of that here because security securing containers now, you know, the whole shift left thing and shield right is, is a complicated matter, especially when you saw with the earlier data from the Red Hat survey, the the gaps are around skill sets. People don't have the skill. So should we expect to hear a lot about that, A lot of sort of how to, how to take advantage of some of these new capabilities? >>Yeah, Dave, absolutely. So, you know, one of the conversations going on in the community right now is, you know, has DevOps maybe played out as we expect to see it? There's a newer term called platform engineering, and how much do I need to do there? Something that I, I know your, your team's written a lot about Dave, is how much do you need to know versus what can you shift to just a platform or a service that I can consume? I've talked a number of times with you since I've been at Red Hat about the cloud services that we offer. So you want to use our offering in the public cloud. Our first recommendation is, hey, we've got cloud services, how much Kubernetes do you really want to learn versus you want to do what you can build on top of it, modernize the pieces and have less running the plumbing and electric and more, you know, taking advantage of the, the technologies there. So that's a big thing we've seen, you know, we've got a big SRE team that can manage that for use so that you have to spend less time worrying about what really is un differentiated heavy lifting and spend more time on what's important to your business and your >>Customers. So, and that's, and that's through a managed service. >>Yeah, absolutely. >>That whole space is just taken off. All right, Stu I'll give you the final word. You know, what are you excited about for, for, for this upcoming event and Detroit? Interesting choice of venue? Yeah, >>Look, first of off, easy flight. I've, I've never been to Detroit, so I'm, I'm willing to give it a shot and hopefully, you know, that awesome airport. There's some, some, some good things there to learn. The show itself is really a choose your own adventure because there's so much going on. The main show of QAN and cloud Native Con is Wednesday through Friday, but a lot of a really interesting stuff happens on Monday and Tuesday. So we talked about things like OpenShift Commons in the security space. There's cloud Native Security Day, which is actually two days and a SIG store event. There, there's a get up show, there's, you know, k native day. There's so many things that if you want to go deep on a topic, you can go spend like a workshop in some of those you can get hands on to. And then at the show itself, there's so much, and again, you can learn from your peers. >>So it was good to see we had, during the pandemic, it tilted a little bit more vendor heavy because I think most practitioners were pretty busy focused on what they could work on and less, okay, hey, I'm gonna put together a presentation and maybe I'm restricted at going to a show. Yeah, not, we definitely saw that last year when I went to LA I was disappointed how few customer sessions there were. It, it's back when I go look through the schedule now there's way more end users sharing their stories and it, it's phenomenal to see that. And the hallway track, Dave, I didn't go to Valencia, but I hear it was really hopping felt way more like it was pre pandemic. And while there's a few people that probably won't come because Detroit, we think there's, what we've heard and what I've heard from the CNCF team is they are expecting a sizable group up there. I know a lot of the hotels right near the, where it's being held are all sold out. So it should be, should be a lot of fun. Good thing I'm speaking on an edge panel. First time I get to be a speaker at the show, Dave, it's kind of interesting to be a little bit of a different role at the show. >>So yeah, Detroit's super convenient, as I said. Awesome. Airports too. Good luck at the show. So it's a full week. The cube will be there for three days, Tuesday, Wednesday, Thursday. Thanks for coming. >>Wednesday, Thursday, Friday, sorry, >>Wednesday, Thursday, Friday is the cube, right? So thank you for that. >>And, and no ties from the host, >>No ties, only hoodies. All right Stu, thanks. Appreciate you coming in. Awesome. And thank you for watching this preview of CubeCon plus cloud Native Con with at Stu, which again starts the 24th of October, three days of broadcasting. Go to the cube.net and you can see all the action. We'll see you there.

>>The Cube presents UI Path Forward five. Brought to you by UI Path. >>We're back the cube's coverage of UI path forward. Five. And we're live. Dave Velante with Dave Nicholson. AJ Gupta is here. He's the Chief Digital Transformation Officer at the Motor Vehicles of California dmv. Welcome Jay. Good to see you. >>Thank you. >>Good to see you. Wow, you, you have an interesting job. I would just say, you know, I've been to going to conferences for a long time. I remember early last decade, Frank Sluman put up a slide. People ho hanging out, waiting outside the California dmv. You were the butt of many jokes, but we have a happy customer here, so we're gonna get it to your taste >>Of it. Yeah, very happy >>Customer, obviously transform the organization. I think it's pretty clear from our conversations that that automation has played a role in that. But first of all, tell us about yourself, your role and what's going on at the dmv. >>Sure. Myself, a j Gupta, I am the Chief Digital Transformation Officer at the dmv. Somewhat of i, one would say a made up title, but Governor's office asked me, Okay, we need help. And that's what >>Your title though? >>Yeah, yeah. So I'm like, well we are doing business and technology transformation. So that's, that's what I've been doing for the last three years at the dmv. Before that I was in private sector for 25 years, decided first time to give back cuz I was mostly doing public sector consulting. So here I am. >>Okay. So you knew the industry and that's cool that you wanted to give back because I mean obviously you just, in talking off camera, you're smart, you're very cogent and you know, a lot of times people in the private sector, they don't want to go work in the, in the public sector unless they're, unless they're power crazy, you know? Anyway, so speaking with David Nicholson, the experience has gone from really crappy to really great. I mean, take >>It from here. Yeah. Well, am I gonna be, I'm, because I'm from California, I was just, I was just, you know, we >>Got a dual case study >>Eloquently about, about the, the, the change that's happened just in, just in terms of simple things like a registration renewal. It used to be go online and pray and weed through things and now it's very simple, very, very fast. Tell us more about, about some of the things that you've done in the area of automation that have increased the percentage of things that could be done online without visiting a field office. Just as an >>Example. Yeah, what's the story? >>Yeah, so first of all, thank you for saying nice things about dmv, you as a customer. It means a lot because we have been very deliberately working towards solving all customer po pain points, whether it's in person experiences, online call centers, kiosks, so all across the channels. So we started our journey, myself and director Steve Gordon about three years ago, almost at the same time with the goal of making Department of Mo no motor vehicles in California as the best retail experience in the nation across industries. So that's our goal, right? Not there yet, but we are working towards it. So for, for our in person channels, which is what you may be familiar with, first of all, we wanna make sure brick and click and call all the customer journeys can be done across the channels. You can decide to start journey at one place, finish at another place. >>All that is very deliberate. We are also trying to make sure you don't have to come to field office at all. We would welcome you to come, we love you, but we don't want you to be there. You have better things to do for the economy. We want you to do that instead of showing up in the field office, being in the weight line. So that's number one. Creating more digital channels has been the key. We have created virtual field office. That's something that you would become familiar with if you are not as a DMV customer. During Covid, the goal was we provide almost all the services. We connect our technicians to the customer who are in need of a live conversation or a email or a text or a, or a SMS conversation or chat conversation in multiple languages or a video call, right? >>So we were able to accomplish that while Covid was going on, while the riots were going on. Those of your, you know about that, we, our offices were shut down. We created this channel, which we are continuing because it's a great disaster recovery business continuity channel, but also it can help keep people away from field office during peak hours. So that's been very deliberate. We have also added additional online services using bots. So we have created these web and process bots that actually let you do the intake, right? You, we could set up a new service in less than four weeks, a brand new service online. We have set up a brand new IVR service on call centers in less than a month for our seniors who didn't want to come to the field office and they were required certain pieces of information and we were able to provide that for our customers by creating this channel in less than less than four. >>And the pandemic was an accelerant to this was, was it the catalyst really? And then you guys compressed it? Or were, had you already started on the >>Well, we were >>Ready. I mean you, but you came on right? Just about just before the pandemic. >>Yeah. Yeah. So I came on in 2019, pandemic started in 2020 early. So we got lucky a little bit because we had a head start at, I was already working with u UI paths and we had come up with design patterns that we gonna take this journey for all DMV channels with using UiPath. So it was about timing that when it happened, it accelerated the need and it accelerated the actual work. I was thinking, I'll have a one year plan. I executed all of the one year plan items in less than two months out of necessity. So it accelerated definitely the execution of my plan. >>So when you talk about the chat channel, is that bots, is that humans or a combination? Yeah, >>It's a, it's a combination of it. I would say more AI than bots. Bots to the service fulfillment. So there is the user interaction where you have, you're saying something, the, the chat answers those questions, but then if you want something, hey, I want my, my registration renewed, right? It would take you to the right channel. And this is something we do today on our IVR channel. If you call in the DMV number in California, you'll see that your registration renewal is all automatic. You also have a AI listening to it. But also when you are saying, Yep, I wanna do it, then bot triggers certain aspects of the service fulfillment because our legacy is still sitting about 60 years old and we are able to still provide this modern facade for our customers with no gap and as quickly as possible within a month's time. How >>Many DMVs are in the state? >>Okay, so we have 230 different field locations out of which 180 are available for general public services. >>Okay. So and then you're, you're creating a digital overlay that's right >>To all of >>That, right? >>Yeah, it's digital and virtual overlay, right? Digital is fully self-service. Bots can do all your processing automation, can do all the processing. AI can do all the processing, but then you have virtual channels where you have customer interacting with the technicians or technicians virtually. But once a technician is done solving the problem, they click a button and bot does rest of the work for the technician. So that's where we are able to get some back office efficiency and transaction reduction. >>When was the last time you walked into a bank? >>Oh man. >>I mean, is that where we're going here where you just don't have to >>Go into the branch and that is the goal. In fact, we already have a starting point. I mean, just like you have ATM machines, we have kiosks already that do some of this automation work for us today. The goal is to not have to have to, unless you really want to, We actually set up these personas. One of them was high touch Henry. He likes to go to the field office and talk to people. We are there for them. But for the millennials, for the people who are like, I don't have time. I wanna like quickly finish this work off hours 24 by seven, which is where bots come in. They do not have weekends, HR complaint, they don't have overtime. They're able to solve these problems for me, 24 >>By seven. And what's the scope of your, like how many automations, how many bots? Can you give us a sense? >>Sure. So right now we are sitting at 36 different use cases. We have collected six point of eight point, well, we have saved 8.8 million just using the bots overall savings. If you were to look at virtual field office, which bots are part of, we have collected 388 million so far in that particular channel bots. I've also saved paper. I've saved a million sheets of paper through the bot, which I'm trying to remember how many trees it equates to, but it's a whole lot of trees that I've saved. And >>How many bots are we talking about? >>So it's 36 different use cases. So 36 >>Bots? >>Well, no, there's more bots I wanna say. So we are running at 85% efficiency, 50 bots. Oh wow. Yeah. >>Wow. Okay. So you, you asked the question about, you know, when was the last time someone was in a bank? The last time I was in a bank it was to deposit, you know, more than $10,000 in cash because of a cash transaction. Someone bought a car from me. It was more of a nuisance. I felt like I was being treated like a criminal. I was very clear what I was doing. I had just paid off a loan with that bank and I was giving them the cash for that transaction as opposed to the DMV transaction transferring title. That was easy. The DMV part was easier than the bank. And you're trying to make it even easier and it shouldn't, it shouldn't be that way. Yes. Right. But, but I, I have a, I have a question for you on, on that bot implementation. Can you give us, you've sort of give it us examples of how they interact. Yeah. But as your kind of prototypical California driver's license holder, how has that improved a specific transaction that I would be involved with? Can >>You, so well you as a Californian and you as a taxpayer, you as a Californian getting services and you as a taxpayer getting the most out of the money Okay. That the DMV spending on providing services, Right. Both are benefits to you. Sure. So bots have benefited in both of those areas. If you were used to the DMV three years ago, there was a whole lot of paper involved. You gotta fill this form out, you gotta fill this other form out and you gotta go to dmv. Oh by the way, your form, you didn't bring this thing with you. Your form has issues. We are calculated that about 30% of paper workloads are wasted because they just have bad data, right? There is no control. There's nobody telling you, hey, do this. Right. Even dates could be wrong, names could be wrong fields, maybe incomplete and such. >>So we were able to automate a whole lot of that by creating self-service channels, which are accelerated by bot. So we have these web acceleration platforms that collect the data, bots do the validation, they also verify the information, give you real time feedback or near real time feedback that hey, this is what you need to change. This is when you need to verify. So all the business rules are in the bot. And then once you're done, it'll commit the information to our legacy systems, which wouldn't have been possible unless a technician was punching it in manually. So there is a third cohort of Californians, which is our employees. We have 10,000 of those. They, I don't want them to get carpal tunnel. I want them to make sure they're spending more time thinking and helping our customers, looking at the customers rather than typing things. And that's what we are able to accomplish with the bots where you press that one button, which will have required maybe 50 more keystrokes and that's gone. And now you're saving time, you're also saving the effort and the attention loss of serving the best. >>Jay, what does it take to get a new process on board? So I'm thinking about real id, I just went through that in Massachusetts. I took, it was gonna be months to get to the dmv. So I ended up going through a aaa, had to get all these documents, I uploaded all the documents. Of course when I showed up, none were there. Thankfully I had backup copies. But it was really a pleasant experience. Are you, describe what you're doing with real ID and what role bots play? >>Yeah, sure. So with real id, what we are doing today and what I, what we'll be doing in the future, so I can talk about both. What we are doing today is that we are aligning most of the work to be done upfront by the customer. Because real ID is a complex transaction. You've gotta have four different pieces of documentation. You need to provide your information, it needs to match our records. And then you show up to the field office. And by the way, oh man, I did not upload this information. We are getting about 15 to 17% returns customers. And that's a whole lot of time. Every single mile our customer travels to the DMV office, which averages to about 13 miles. In my calculation for average customer, it's a dollar spent in carbon footprint in the time lost in the technician time trying to triage out some other things. So you're talking $26 per visit to the economy. >>Yeah. An amazing frustration, Yes. >>That has to come back and, and our customer satisfaction scores, which we really like to track, goes down right away. So in general, for real, id, what we have been, what we have done is created bunch of self-service channels, which are accelerated by workflow engines, by AI and by bots to collect the documentation, verify the documentation against external systems because we actually connect with Department of Homeland Security verify, you know, what's your passport about? We look at your picture and we verify that yep, it is truly a passport and yours and not your wives. Right? Or not a picture of a dog. And it's actually truly you, right? I mean, people do all kind of fun stuff by mistake or intentionally. So we wanna make sure we save time for our customer, we save time for our, for our employees, and we have zero returns required when employees, where customer shows up, which by the way is requirement right now. But the Department of Homeland Security is in a rule making process. And we are hopeful, very hopeful at this point in time that we'll be able to take the entire experience and get it done from home. And that'll give us a whole lot more efficiency, as you can imagine. And bots are at the tail end of it, committing all the data and transactions into our systems faster and with more accuracy. >>That's a great story. I mean, really congratulations and, and I guess I'll leave it. Last question is, where do you want to take this? What's the, what's your roadmap look like? What's your runway look like? Is it, is there endless opportunities to automate at the state or do you see a sort of light at the end of the tunnel? >>Sure. So there is a thing I shared in the previous session that I was in, which is be modern while we modernize. So that's been the goal with the bot. They are integral part of my transition architecture as I modernize the entire dmv, bring them from 90 60, bringing us from 1960 to 2022 or even 2025 and do it now, right? So bots are able to get me to a place where customers expectations are managed. They are getting their online, they're getting their mobile experience, they are avoiding making field off his trips and avoiding any kind of paper based processing right? For our employees and customers as well. So bots are serving that need today as part of the transition strategy going from 1960 to 2022 in the future. They're continue gonna continue to service. I think it's one thing that was talked about by the previous sessions today that we, they, they're looking at empowering the employees to do their own work back office work also in a full automation way and self-power them to automate their own processes. So that's one of the strategies we're gonna look for. But also we'll continue to have a strategy where we need to remain nimble with upcoming needs and have a faster go to market market plan using the bot. >>Outstanding. Well thanks so much for sharing your, your story and, and thanks for helping Dave. >>Real life testimony. I never, never thought I'd be coming on to praise the California dmv. Here I am and it's legit. Yeah, >>Well done. Can I, can I make an introduction to our Massachusetts colleagues? >>Good to, well actually we have, we have been working with state of New York, Massachusetts, Nevara, Arizona. So goal is to share but also learn from >>That. Help us out, help us out. >>But nice to be here, >>Great >>To have you and looking for feedback next time you was at dmv. >>All right. Oh, absolutely. Yeah. Get that, fill out that NPS score. All right. Thank you for watching. This is Dave Valante for Dave Nicholson. Forward five UI customer conference from the Venetian in Las Vegas. We'll be right back.

hello I'm John Furrier with thecube and welcome to this special presentation of the cube and Horizon 3.ai they're announcing a global partner first approach expanding their successful pen testing product Net Zero you're going to hear from leading experts in their staff their CEO positioning themselves for a successful Channel distribution expansion internationally in Europe Middle East Africa and Asia Pacific in this Cube special presentation you'll hear about the expansion the expanse partner program giving Partners a unique opportunity to offer Net Zero to their customers Innovation and Pen testing is going International with Horizon 3.ai enjoy the program [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're here with Jennifer Lee head of Channel sales at Horizon 3.ai Jennifer welcome to the cube thanks for coming on great well thank you for having me so big news around Horizon 3.aa driving Channel first commitment you guys are expanding the channel partner program to include all kinds of new rewards incentives training programs help educate you know Partners really drive more recurring Revenue certainly cloud and Cloud scale has done that you got a great product that fits into that kind of Channel model great Services you can wrap around it good stuff so let's get into it what are you guys doing what are what are you guys doing with this news why is this so important yeah for sure so um yeah we like you said we recently expanded our Channel partner program um the driving force behind it was really just um to align our like you said our Channel first commitment um and creating awareness around the importance of our partner ecosystems um so that's it's really how we go to market is is through the channel and a great International Focus I've talked with the CEO so you know about the solution and he broke down all the action on why it's important on the product side but why now on the go to market change what's the what's the why behind this big this news on the channel yeah for sure so um we are doing this now really to align our business strategy which is built on the concept of enabling our partners to create a high value high margin business on top of our platform and so um we offer a solution called node zero it provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture um so we our company vision we have this tagline that states that our pen testing enables organizations to see themselves Through The Eyes of an attacker and um we use the like the attacker's perspective to identify exploitable weaknesses and vulnerabilities so we created this partner program from a perspective of the partner so the partner's perspective and we've built It Through The Eyes of our partner right so we're prioritizing really what the partner is looking for and uh will ensure like Mutual success for us yeah the partners always want to get in front of the customers and bring new stuff to them pen tests have traditionally been really expensive uh and so bringing it down in one to a service level that's one affordable and has flexibility to it allows a lot of capability so I imagine people getting excited by it so I have to ask you about the program What specifically are you guys doing can you share any details around what it means for the partners what they get what's in it for them can you just break down some of the mechanics and mechanisms or or details yeah yep um you know we're really looking to create business alignment um and like I said establish Mutual success with our partners so we've got two um two key elements that we were really focused on um that we bring to the partners so the opportunity the profit margin expansion is one of them and um a way for our partners to really differentiate themselves and stay relevant in the market so um we've restructured our discount model really um you know highlighting profitability and maximizing profitability and uh this includes our deal registration we've we've created deal registration program we've increased discount for partners who take part in our partner certification uh trainings and we've we have some other partner incentives uh that we we've created that that's going to help out there we've we put this all so we've recently Gone live with our partner portal um it's a Consolidated experience for our partners where they can access our our sales tools and we really view our partners as an extension of our sales and Technical teams and so we've extended all of our our training material that we use internally we've made it available to our partners through our partner portal um we've um I'm trying I'm thinking now back what else is in that partner portal here we've got our partner certification information so all the content that's delivered during that training can be found in the portal we've got deal registration uh um co-branded marketing materials pipeline management and so um this this portal gives our partners a One-Stop place to to go to find all that information um and then just really quickly on the second part of that that I mentioned is our technology really is um really disruptive to the market so you know like you said autonomous pen testing it's um it's still it's well it's still still relatively new topic uh for security practitioners and um it's proven to be really disruptive so um that on top of um just well recently we found an article that um that mentioned by markets and markets that reports that the global pen testing markets really expanding and so it's expected to grow to like 2.7 billion um by 2027. so the Market's there right the Market's expanding it's growing and so for our partners it's just really allows them to grow their revenue um across their customer base expand their customer base and offering this High profit margin while you know getting in early to Market on this just disruptive technology big Market a lot of opportunities to make some money people love to put more margin on on those deals especially when you can bring a great solution that everyone knows is hard to do so I think that's going to provide a lot of value is there is there a type of partner that you guys see emerging or you aligning with you mentioned the alignment with the partners I can see how that the training and the incentives are all there sounds like it's all going well is there a type of partner that's resonating the most or is there categories of partners that can take advantage of this yeah absolutely so we work with all different kinds of Partners we work with our traditional resale Partners um we've worked we're working with systems integrators we have a really strong MSP mssp program um we've got Consulting partners and the Consulting Partners especially with the ones that offer pen test services so we they use us as a as we act as a force multiplier just really offering them profit margin expansion um opportunity there we've got some technology partner partners that we really work with for co-cell opportunities and then we've got our Cloud Partners um you'd mentioned that earlier and so we are in AWS Marketplace so our ccpo partners we're part of the ISP accelerate program um so we we're doing a lot there with our Cloud partners and um of course we uh we go to market with uh distribution Partners as well gotta love the opportunity for more margin expansion every kind of partner wants to put more gross profit on their deals is there a certification involved I have to ask is there like do you get do people get certified or is it just you get trained is it self-paced training is it in person how are you guys doing the whole training certification thing because is that is that a requirement yeah absolutely so we do offer a certification program and um it's been very popular this includes a a seller's portion and an operator portion and and so um this is at no cost to our partners and um we operate both virtually it's it's law it's virtually but live it's not self-paced and we also have in person um you know sessions as well and we also can customize these to any partners that have a large group of people and we can just we can do one in person or virtual just specifically for that partner well any kind of incentive opportunities and marketing opportunities everyone loves to get the uh get the deals just kind of rolling in leads from what we can see if our early reporting this looks like a hot product price wise service level wise what incentive do you guys thinking about and and Joint marketing you mentioned co-sell earlier in pipeline so I was kind of kind of honing in on that piece sure and yes and then to follow along with our partner certification program we do incentivize our partners there if they have a certain number certified their discount increases so that's part of it we have our deal registration program that increases discount as well um and then we do have some um some partner incentives that are wrapped around meeting setting and um moving moving opportunities along to uh proof of value gotta love the education driving value I have to ask you so you've been around the industry you've seen the channel relationships out there you're seeing companies old school new school you know uh Horizon 3.ai is kind of like that new school very cloud specific a lot of Leverage with we mentioned AWS and all the clouds um why is the company so hot right now why did you join them and what's why are people attracted to this company what's the what's the attraction what's the vibe what do you what do you see and what what do you use what did you see in in this company well this is just you know like I said it's very disruptive um it's really in high demand right now and um and and just because because it's new to Market and uh a newer technology so we are we can collaborate with a manual pen tester um we can you know we can allow our customers to run their pen test um with with no specialty teams and um and and then so we and like you know like I said we can allow our partners can actually build businesses profitable businesses so we can they can use our product to increase their services revenue and um and build their business model you know around around our services what's interesting about the pen test thing is that it's very expensive and time consuming the people who do them are very talented people that could be working on really bigger things in the in absolutely customers so bringing this into the channel allows them if you look at the price Delta between a pen test and then what you guys are offering I mean that's a huge margin Gap between street price of say today's pen test and what you guys offer when you show people that they follow do they say too good to be true I mean what are some of the things that people say when you kind of show them that are they like scratch their head like come on what's the what's the catch here right so the cost savings is a huge is huge for us um and then also you know like I said working as a force multiplier with a pen testing company that offers the services and so they can they can do their their annual manual pen tests that may be required around compliance regulations and then we can we can act as the continuous verification of their security um um you know that that they can run um weekly and so it's just um you know it's just an addition to to what they're offering already and an expansion so Jennifer thanks for coming on thecube really appreciate you uh coming on sharing the insights on the channel uh what's next what can we expect from the channel group what are you thinking what's going on right so we're really looking to expand our our Channel um footprint and um very strategically uh we've got um we've got some big plans um for for Horizon 3.ai awesome well thanks for coming on really appreciate it you're watching thecube the leader in high tech Enterprise coverage [Music] [Music] hello and welcome to the Cube's special presentation with Horizon 3.ai with Raina Richter vice president of emea Europe Middle East and Africa and Asia Pacific APAC for Horizon 3 today welcome to this special Cube presentation thanks for joining us thank you for the invitation so Horizon 3 a guy driving Global expansion big international news with a partner first approach you guys are expanding internationally let's get into it you guys are driving this new expanse partner program to new heights tell us about it what are you seeing in the momentum why the expansion what's all the news about well I would say uh yeah in in international we have I would say a similar similar situation like in the US um there is a global shortage of well-educated penetration testers on the one hand side on the other side um we have a raising demand of uh network and infrastructure security and with our approach of an uh autonomous penetration testing I I believe we are totally on top of the game um especially as we have also now uh starting with an international instance that means for example if a customer in Europe is using uh our service node zero he will be connected to a node zero instance which is located inside the European Union and therefore he has doesn't have to worry about the conflict between the European the gdpr regulations versus the US Cloud act and I would say there we have a total good package for our partners that they can provide differentiators to their customers you know we've had great conversations here on thecube with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company and honestly I can just Connect the Dots here but I'd like you to weigh in more on how that translates into the go to market here because you got great Cloud scale with with the security product you guys are having success with great leverage there I've seen a lot of success there what's the momentum on the channel partner program internationally why is it so important to you is it just the regional segmentation is it the economics why the momentum well there are it's there are multiple issues first of all there is a raising demand in penetration testing um and don't forget that uh in international we have a much higher level in number a number or percentage in SMB and mid-market customers so these customers typically most of them even didn't have a pen test done once a year so for them pen testing was just too expensive now with our offering together with our partners we can provide different uh ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with with a traditional manual paint test so and that is because we have our uh Consulting plus package which is for typically pain testers they can go out and can do a much faster much quicker and their pain test at many customers once in after each other so they can do more pain tests on a lower more attractive price on the other side there are others what even the same ones who are providing um node zero as an mssp service so they can go after s p customers saying okay well you only have a couple of hundred uh IP addresses no worries we have the perfect package for you and then you have let's say the mid Market let's say the thousands and more employees then they might even have an annual subscription very traditional but for all of them it's all the same the customer or the service provider doesn't need a piece of Hardware they only need to install a small piece of a Docker container and that's it and that makes it so so smooth to go in and say okay Mr customer we just put in this this virtual attacker into your network and that's it and and all the rest is done and within within three clicks they are they can act like a pen tester with 20 years of experience and that's going to be very Channel friendly and partner friendly I can almost imagine so I have to ask you and thank you for calling the break calling out that breakdown and and segmentation that was good that was very helpful for me to understand but I want to follow up if you don't mind um what type of partners are you seeing the most traction with and why well I would say at the beginning typically you have the the innovators the early adapters typically Boutique size of Partners they start because they they are always looking for Innovation and those are the ones you they start in the beginning so we have a wide range of Partners having mostly even um managed by the owner of the company so uh they immediately understand okay there is the value and they can change their offering they're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones or we have those ones who offer 10 tests services but they did not have their own pen testers so they had to go out on the open market and Source paint testing experts um to get the pen test at a particular customer done and now with node zero they're totally independent they can't go out and say okay Mr customer here's the here's the service that's it we turn it on and within an hour you're up and running totally yeah and those pen tests are usually expensive and hard to do now it's right in line with the sales delivery pretty interesting for a partner absolutely but on the other hand side we are not killing the pain testers business we do something we're providing with no tiers I would call something like the foundation work the foundational work of having an an ongoing penetration testing of the infrastructure the operating system and the pen testers by themselves they can concentrate in the future on things like application pen testing for example so those Services which we we're not touching so we're not killing the paint tester Market we're just taking away the ongoing um let's say foundation work call it that way yeah yeah that was one of my questions I was going to ask is there's a lot of interest in this autonomous pen testing one because it's expensive to do because those skills are required are in need and they're expensive so you kind of cover the entry level and the blockers that are in there I've seen people say to me this pen test becomes a blocker for getting things done so there's been a lot of interest in the autonomous pen testing and for organizations to have that posture and it's an overseas issue too because now you have that that ongoing thing so can you explain that particular benefit for an organization to have that continuously verifying an organization's posture yep certainly so I would say um typically you are you you have to do your patches you have to bring in new versions of operating systems of different Services of uh um operating systems of some components and and they are always bringing new vulnerabilities the difference here is that with node zero we are telling the customer or the partner package we're telling them which are the executable vulnerabilities because previously they might have had um a vulnerability scanner so this vulnerability scanner brought up hundreds or even thousands of cves but didn't say anything about which of them are vulnerable really executable and then you need an expert digging in one cve after the other finding out is it is it really executable yes or no and that is where you need highly paid experts which we have a shortage so with notes here now we can say okay we tell you exactly which ones are the ones you should work on because those are the ones which are executable we rank them accordingly to the risk level how easily they can be used and by a sudden and then the good thing is convert it or indifference to the traditional penetration test they don't have to wait for a year for the next pain test to find out if the fixing was effective they weren't just the next scan and say Yes closed vulnerability is gone the time is really valuable and if you're doing any devops Cloud native you're always pushing new things so pen test ongoing pen testing is actually a benefit just in general as a kind of hygiene so really really interesting solution really bring that global scale is going to be a new new coverage area for us for sure I have to ask you if you don't mind answering what particular region are you focused on or plan to Target for this next phase of growth well at this moment we are concentrating on the countries inside the European Union Plus the United Kingdom um but we are and they are of course logically I'm based into Frankfurt area that means we cover more or less the countries just around so it's like the total dark region Germany Switzerland Austria plus the Netherlands but we also already have Partners in the nordics like in Finland or in Sweden um so it's it's it it's rapidly we have Partners already in the UK and it's rapidly growing so I'm for example we are now starting with some activities in Singapore um um and also in the in the Middle East area um very important we uh depending on let's say the the way how to do business currently we try to concentrate on those countries where we can have um let's say um at least English as an accepted business language great is there any particular region you're having the most success with right now is it sounds like European Union's um kind of first wave what's them yes that's the first definitely that's the first wave and now we're also getting the uh the European instance up and running it's clearly our commitment also to the market saying okay we know there are certain dedicated uh requirements and we take care of this and and we're just launching it we're building up this one uh the instance um in the AWS uh service center here in Frankfurt also with some dedicated Hardware internet in a data center in Frankfurt where we have with the date six by the way uh the highest internet interconnection bandwidth on the planet so we have very short latency to wherever you are on on the globe that's a great that's a great call outfit benefit too I was going to ask that what are some of the benefits your partners are seeing in emea and Asia Pacific well I would say um the the benefits is for them it's clearly they can they can uh talk with customers and can offer customers penetration testing which they before and even didn't think about because it penetrates penetration testing in a traditional way was simply too expensive for them too complex the preparation time was too long um they didn't have even have the capacity uh to um to support a pain an external pain tester now with this service you can go in and say even if they Mr customer we can do a test with you in a couple of minutes within we have installed the docker container within 10 minutes we have the pen test started that's it and then we just wait and and I would say that is we'll we are we are seeing so many aha moments then now because on the partner side when they see node zero the first time working it's like this wow that is great and then they work out to customers and and show it to their typically at the beginning mostly the friendly customers like wow that's great I need that and and I would say um the feedback from the partners is that is a service where I do not have to evangelize the customer everybody understands penetration testing I don't have to say describe what it is they understand the customer understanding immediately yes penetration testing good about that I know I should do it but uh too complex too expensive now with the name is for example as an mssp service provided from one of our partners but it's getting easy yeah it's great and it's great great benefit there I mean I gotta say I'm a huge fan of what you guys are doing I like this continuous automation that's a major benefit to anyone doing devops or any kind of modern application development this is just a godsend for them this is really good and like you said the pen testers that are doing it they were kind of coming down from their expertise to kind of do things that should have been automated they get to focus on the bigger ticket items that's a really big point so we free them we free the pain testers for the higher level elements of the penetration testing segment and that is typically the application testing which is currently far away from being automated yeah and that's where the most critical workloads are and I think this is the nice balance congratulations on the international expansion of the program and thanks for coming on this special presentation really I really appreciate it thank you you're welcome okay this is thecube special presentation you know check out pen test automation International expansion Horizon 3 dot AI uh really Innovative solution in our next segment Chris Hill sector head for strategic accounts will discuss the power of Horizon 3.ai and Splunk in action you're watching the cube the leader in high tech Enterprise coverage foreign [Music] [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're with Chris Hill sector head for strategic accounts and federal at Horizon 3.ai a great Innovative company Chris great to see you thanks for coming on thecube yeah like I said uh you know great to meet you John long time listener first time caller so excited to be here with you guys yeah we were talking before camera you had Splunk back in 2013 and I think 2012 was our first splunk.com and boy man you know talk about being in the right place at the right time now we're at another inflection point and Splunk continues to be relevant um and continuing to have that data driving Security in that interplay and your CEO former CTO of his plug as well at Horizon who's been on before really Innovative product you guys have but you know yeah don't wait for a breach to find out if you're logging the right data this is the topic of this thread Splunk is very much part of this new international expansion announcement uh with you guys tell us what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand uh node zero out internationally yeah well so across so you know my role uh within Splunk it was uh working with our most strategic accounts and so I looked back to 2013 and I think about the sales process like working with with our small customers you know it was um it was still very siled back then like I was selling to an I.T team that was either using this for it operations um we generally would always even say yeah although we do security we weren't really designed for it we're a log management tool and we I'm sure you remember back then John we were like sort of stepping into the security space and and the public sector domain that I was in you know security was 70 of what we did when I look back to sort of uh the transformation that I was witnessing in that digital transformation um you know when I look at like 2019 to today you look at how uh the IT team and the security teams are being have been forced to break down those barriers that they used to sort of be silent away would not commute communicate one you know the security guys would be like oh this is my box I.T you're not allowed in today you can't get away with that and I think that the value that we bring to you know and of course Splunk has been a huge leader in that space and continues to do Innovation across the board but I think what we've we're seeing in the space and I was talking with Patrick Coughlin the SVP of uh security markets about this is that you know what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data so Splunk itself is ulk know it's an ingest engine right the great reason people bought it was you could build these really fast dashboards and grab intelligence out of it but without data it doesn't do anything right so how do you drive and how do you bring more data in and most importantly from a customer perspective how do you bring the right data in and so if you think about what node zero and what we're doing in a horizon 3 is that sure we do pen testing but because we're an autonomous pen testing tool we do it continuously so this whole thought I'd be like oh crud like my customers oh yeah we got a pen test coming up it's gonna be six weeks the week oh yeah you know and everyone's gonna sit on their hands call me back in two months Chris we'll talk to you then right not not a real efficient way to test your environment and shoot we saw that with Uber this week right um you know and that's a case where we could have helped oh just right we could explain the Uber thing because it was a contractor just give a quick highlight of what happened so you can connect the doctor yeah no problem so um it was uh I got I think it was yeah one of those uh you know games where they would try and test an environment um and with the uh pen tester did was he kept on calling them MFA guys being like I need to reset my password we need to set my right password and eventually the um the customer service guy said okay I'm resetting it once he had reset and bypassed the multi-factor authentication he then was able to get in and get access to the building area that he was in or I think not the domain but he was able to gain access to a partial part of that Network he then paralleled over to what I would assume is like a VA VMware or some virtual machine that had notes that had all of the credentials for logging into various domains and So within minutes they had access and that's the sort of stuff that we do you know a lot of these tools like um you know you think about the cacophony of tools that are out there in a GTA architect architecture right I'm gonna get like a z-scale or I'm going to have uh octum and I have a Splunk I've been into the solar system I mean I don't mean to name names we have crowdstriker or Sentinel one in there it's just it's a cacophony of things that don't work together they weren't designed work together and so we have seen so many times in our business through our customer support and just working with customers when we do their pen tests that there will be 5 000 servers out there three are misconfigured those three misconfigurations will create the open door because remember the hacker only needs to be right once the defender needs to be right all the time and that's the challenge and so that's what I'm really passionate about what we're doing uh here at Horizon three I see this my digital transformation migration and security going on which uh we're at the tip of the spear it's why I joined sey Hall coming on this journey uh and just super excited about where the path's going and super excited about the relationship with Splunk I get into more details on some of the specifics of that but um you know well you're nailing I mean we've been doing a lot of things on super cloud and this next gen environment we're calling it next gen you're really seeing devops obviously devsecops has already won the it role has moved to the developer shift left is an indicator of that it's one of the many examples higher velocity code software supply chain you hear these things that means that it is now in the developer hands it is replaced by the new Ops data Ops teams and security where there's a lot of horizontal thinking to your point about access there's no more perimeter huge 100 right is really right on things one time you know to get in there once you're in then you can hang out move around move laterally big problem okay so we get that now the challenges for these teams as they are transitioning organizationally how do they figure out what to do okay this is the next step they already have Splunk so now they're kind of in transition while protecting for a hundred percent ratio of success so how would you look at that and describe the challenge is what do they do what is it what are the teams facing with their data and what's next what are they what are they what action do they take so let's use some vernacular that folks will know so if I think about devsecops right we both know what that means that I'm going to build security into the app it normally talks about sec devops right how am I building security around the perimeter of what's going inside my ecosystem and what are they doing and so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from Soup To Nuts right so I'm going to test the end points through to its I'm going to look for misconfigurations I'm going to I'm going to look for um uh credential exposed credentials you know I'm going to look for anything I can in the environment again I'm going to do it at light speed and and what what we're doing for that SEC devops space is to you know did you detect that we were in your environment so did we alert Splunk or the Sim that there's someone in the environment laterally moving around did they more importantly did they log us into their environment and when do they detect that log to trigger that log did they alert on us and then finally most importantly for every CSO out there is going to be did they stop us and so that's how we we do this and I think you when speaking with um stay Hall before you know we've come up with this um boils but we call it fine fix verifying so what we do is we go in is we act as the attacker right we act in a production environment so we're not going to be we're a passive attacker but we will go in on credentialed on agents but we have to assume to have an assumed breach model which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment so we're going to go out and do an asset survey now that's something that's not something that Splunk does super well you know so can Splunk see all the assets do the same assets marry up we're going to log all that data and think and then put load that into this long Sim or the smoke logging tools just to have it in Enterprise right that's an immediate future ad that they've got um and then we've got the fix so once we've completed our pen test um we are then going to generate a report and we can talk about these in a little bit later but the reports will show an executive summary the assets that we found which would be your asset Discovery aspect of that a fix report and the fixed report I think is probably the most important one it will go down and identify what we did how we did it and then how to fix that and then from that the pen tester or the organization should fix those then they go back and run another test and then they validate like a change detection environment to see hey did those fixes taste play take place and you know snehaw when he was the CTO of jsoc he shared with me a number of times about it's like man there would be 15 more items on next week's punch sheet that we didn't know about and it's and it has to do with how we you know how they were uh prioritizing the cves and whatnot because they would take all CBDs it was critical or non-critical and it's like we are able to create context in that environment that feeds better information into Splunk and whatnot that brings that brings up the efficiency for Splunk specifically the teams out there by the way the burnout thing is real I mean this whole I just finished my list and I got 15 more or whatever the list just can keeps growing how did node zero specifically help Splunk teams be more efficient like that's the question I want to get at because this seems like a very scale way for Splunk customers and teams service teams to be more so the question is how does node zero help make Splunk specifically their service teams be more efficient so so today in our early interactions we're building customers we've seen are five things um and I'll start with sort of identifying the blind spots right so kind of what I just talked about with you did we detect did we log did we alert did they stop node zero right and so I would I put that you know a more Layman's third grade term and if I was going to beat a fifth grader at this game would be we can be the sparring partner for a Splunk Enterprise customer a Splunk Essentials customer someone using Splunk soar or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know where am I exposed so by creating and generating these reports and then having um the API that actually generates the dashboard they can take all of these events that we've logged and log them in and then where that then comes in is number two is how do we prioritize those logs right so how do we create visibility to logs that that um are have critical impacts and again as I mentioned earlier not all cves are high impact regard and also not all or low right so if you daisy chain a bunch of low cves together boom I've got a mission critical AP uh CPE that needs to be fixed now such as a credential moving to an NT box that's got a text file with a bunch of passwords on it that would be very bad um and then third would be uh verifying that you have all of the hosts so one of the things that splunk's not particularly great at and they'll literate themselves they don't do asset Discovery so dude what assets do we see and what are they logging from that um and then for from um for every event that they are able to identify one of the cool things that we can do is actually create this low code no code environment so they could let you know Splunk customers can use Splunk sword to actually triage events and prioritize that event so where they're being routed within it to optimize the Sox team time to Market or time to triage any given event obviously reducing MTR and then finally I think one of the neatest things that we'll be seeing us develop is um our ability to build glass cables so behind me you'll see one of our triage events and how we build uh a Lockheed Martin kill chain on that with a glass table which is very familiar to the community we're going to have the ability and not too distant future to allow people to search observe on those iocs and if people aren't familiar with it ioc it's an instant of a compromise so that's a vector that we want to drill into and of course who's better at Drilling in the data and smoke yeah this is a critter this is an awesome Synergy there I mean I can see a Splunk customer going man this just gives me so much more capability action actionability and also real understanding and I think this is what I want to dig into if you don't mind understanding that critical impact okay is kind of where I see this coming got the data data ingest now data's data but the question is what not to log you know where are things misconfigured these are critical questions so can you talk about what it means to understand critical impact yeah so I think you know going back to the things that I just spoke about a lot of those cves where you'll see um uh low low low and then you daisy chain together and they're suddenly like oh this is high now but then your other impact of like if you're if you're a Splunk customer you know and I had it I had several of them I had one customer that you know terabytes of McAfee data being brought in and it was like all right there's a lot of other data that you probably also want to bring but they could only afford wanted to do certain data sets because that's and they didn't know how to prioritize or filter those data sets and so we provide that opportunity to say hey these are the critical ones to bring in but there's also the ones that you don't necessarily need to bring in because low cve in this case really does mean low cve like an ILO server would be one that um that's the print server uh where the uh your admin credentials are on on like a printer and so there will be credentials on that that's something that a hacker might go in to look at so although the cve on it is low is if you daisy chain with somebody that's able to get into that you might say Ah that's high and we would then potentially rank it giving our AI logic to say that's a moderate so put it on the scale and we prioritize those versus uh of all of these scanners just going to give you a bunch of CDs and good luck and translating that if I if I can and tell me if I'm wrong that kind of speaks to that whole lateral movement that's it challenge right print serve a great example looks stupid low end who's going to want to deal with the print server oh but it's connected into a critical system there's a path is that kind of what you're getting at yeah I use Daisy Chain I think that's from the community they came from uh but it's just a lateral movement it's exactly what they're doing in those low level low critical lateral movements is where the hackers are getting in right so that's the beauty thing about the uh the Uber example is that who would have thought you know I've got my monthly Factor authentication going in a human made a mistake we can't we can't not expect humans to make mistakes we're fallible right the reality is is once they were in the environment they could have protected themselves by running enough pen tests to know that they had certain uh exposed credentials that would have stopped the breach and they did not had not done that in their environment and I'm not poking yeah but it's an interesting Trend though I mean it's obvious if sometimes those low end items are also not protected well so it's easy to get at from a hacker standpoint but also the people in charge of them can be fished easily or spearfished because they're not paying attention because they don't have to no one ever told them hey be careful yeah for the community that I came from John that's exactly how they they would uh meet you at a uh an International Event um introduce themselves as a graduate student these are National actor States uh would you mind reviewing my thesis on such and such and I was at Adobe at the time that I was working on this instead of having to get the PDF they opened the PDF and whoever that customer was launches and I don't know if you remember back in like 2008 time frame there was a lot of issues around IP being by a nation state being stolen from the United States and that's exactly how they did it and John that's or LinkedIn hey I want to get a joke we want to hire you double the salary oh I'm gonna click on that for sure you know yeah right exactly yeah the one thing I would say to you is like uh when we look at like sort of you know because I think we did 10 000 pen tests last year is it's probably over that now you know we have these sort of top 10 ways that we think and find people coming into the environment the funniest thing is that only one of them is a cve related vulnerability like uh you know you guys know what they are right so it's it but it's it's like two percent of the attacks are occurring through the cves but yeah there's all that attention spent to that and very little attention spent to this pen testing side which is sort of this continuous threat you know monitoring space and and this vulnerability space where I think we play a such an important role and I'm so excited to be a part of the tip of the spear on this one yeah I'm old enough to know the movie sneakers which I loved as a you know watching that movie you know professional hackers are testing testing always testing the environment I love this I got to ask you as we kind of wrap up here Chris if you don't mind the the benefits to Professional Services from this Alliance big news Splunk and you guys work well together we see that clearly what are what other benefits do Professional Services teams see from the Splunk and Horizon 3.ai Alliance so if you're I think for from our our from both of our uh Partners uh as we bring these guys together and many of them already are the same partner right uh is that uh first off the licensing model is probably one of the key areas that we really excel at so if you're an end user you can buy uh for the Enterprise by the number of IP addresses you're using um but uh if you're a partner working with this there's solution ways that you can go in and we'll license as to msps and what that business model on msps looks like but the unique thing that we do here is this C plus license and so the Consulting plus license allows like a uh somebody a small to mid-sized to some very large uh you know Fortune 100 uh consulting firms use this uh by buying into a license called um Consulting plus where they can have unlimited uh access to as many IPS as they want but you can only run one test at a time and as you can imagine when we're going and hacking passwords and um checking hashes and decrypting hashes that can take a while so but for the right customer it's it's a perfect tool and so I I'm so excited about our ability to go to market with uh our partners so that we understand ourselves understand how not to just sell to or not tell just to sell through but we know how to sell with them as a good vendor partner I think that that's one thing that we've done a really good job building bring it into the market yeah I think also the Splunk has had great success how they've enabled uh partners and Professional Services absolutely you know the services that layer on top of Splunk are multi-fold tons of great benefits so you guys Vector right into that ride that way with friction and and the cool thing is that in you know in one of our reports which could be totally customized uh with someone else's logo we're going to generate you know so I I used to work in another organization it wasn't Splunk but we we did uh you know pen testing as for for customers and my pen testers would come on site they'd do the engagement and they would leave and then another release someone would be oh shoot we got another sector that was breached and they'd call you back you know four weeks later and so by August our entire pen testings teams would be sold out and it would be like well even in March maybe and they're like no no I gotta breach now and and and then when they do go in they go through do the pen test and they hand over a PDF and they pack on the back and say there's where your problems are you need to fix it and the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations and then once you've fixed everything you just go back and run another pen test it's you know for what people pay for one pen test they can have a tool that does that every every Pat patch on Tuesday and that's on Wednesday you know triage throughout the week green yellow red I wanted to see the colors show me green green is good right not red and one CIO doesn't want who doesn't want that dashboard right it's it's exactly it and we can help bring I think that you know I'm really excited about helping drive this with the Splunk team because they get that they understand that it's the green yellow red dashboard and and how do we help them find more green uh so that the other guys are in red yeah and get in the data and do the right thing and be efficient with how you use the data know what to look at so many things to pay attention to you know the combination of both and then go to market strategy real brilliant congratulations Chris thanks for coming on and sharing um this news with the detail around the Splunk in action around the alliance thanks for sharing John my pleasure thanks look forward to seeing you soon all right great we'll follow up and do another segment on devops and I.T and security teams as the new new Ops but and super cloud a bunch of other stuff so thanks for coming on and our next segment the CEO of horizon 3.aa will break down all the new news for us here on thecube you're watching thecube the leader in high tech Enterprise coverage [Music] yeah the partner program for us has been fantastic you know I think prior to that you know as most organizations most uh uh most Farmers most mssps might not necessarily have a a bench at all for penetration testing uh maybe they subcontract this work out or maybe they do it themselves but trying to staff that kind of position can be incredibly difficult for us this was a differentiator a a new a new partner a new partnership that allowed us to uh not only perform services for our customers but be able to provide a product by which that they can do it themselves so we work with our customers in a variety of ways some of them want more routine testing and perform this themselves but we're also a certified service provider of horizon 3 being able to perform uh penetration tests uh help review the the data provide color provide analysis for our customers in a broader sense right not necessarily the the black and white elements of you know what was uh what's critical what's high what's medium what's low what you need to fix but are there systemic issues this has allowed us to onboard new customers this has allowed us to migrate some penetration testing services to us from from competitors in the marketplace But ultimately this is occurring because the the product and the outcome are special they're unique and they're effective our customers like what they're seeing they like the routineness of it many of them you know again like doing this themselves you know being able to kind of pen test themselves parts of their networks um and the the new use cases right I'm a large organization I have eight to ten Acquisitions per year wouldn't it be great to have a tool to be able to perform a penetration test both internal and external of that acquisition before we integrate the two companies and maybe bringing on some risk it's a very effective partnership uh one that really is uh kind of taken our our Engineers our account Executives by storm um you know this this is a a partnership that's been very valuable to us [Music] a key part of the value and business model at Horizon 3 is enabling Partners to leverage node zero to make more revenue for themselves our goal is that for sixty percent of our Revenue this year will be originated by partners and that 95 of our Revenue next year will be originated by partners and so a key to that strategy is making us an integral part of your business models as a partner a key quote from one of our partners is that we enable every one of their business units to generate Revenue so let's talk about that in a little bit more detail first is that if you have a pen test Consulting business take Deloitte as an example what was six weeks of human labor at Deloitte per pen test has been cut down to four days of Labor using node zero to conduct reconnaissance find all the juicy interesting areas of the of the Enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at understand and determine where to probe deeper so what you see in that pen test Consulting business is that node zero becomes a force multiplier where those Consulting teams were able to cover way more accounts and way more IPS within those accounts with the same or fewer consultants and so that directly leads to profit margin expansion for the Penn testing business itself because node 0 is a force multiplier the second business model here is if you're an mssp as an mssp you're already making money providing defensive cyber security operations for a large volume of customers and so what they do is they'll license node zero and use us as an upsell to their mssb business to start to deliver either continuous red teaming continuous verification or purple teaming as a service and so in that particular business model they've got an additional line of Revenue where they can increase the spend of their existing customers by bolting on node 0 as a purple team as a service offering the third business model or customer type is if you're an I.T services provider so as an I.T services provider you make money installing and configuring security products like Splunk or crowdstrike or hemio you also make money reselling those products and you also make money generating follow-on services to continue to harden your customer environments and so for them what what those it service providers will do is use us to verify that they've installed Splunk correctly improved to their customer that Splunk was installed correctly or crowdstrike was installed correctly using our results and then use our results to drive follow-on services and revenue and then finally we've got the value-added reseller which is just a straight up reseller because of how fast our sales Cycles are these vars are able to typically go from cold email to deal close in six to eight weeks at Horizon 3 at least a single sales engineer is able to run 30 to 50 pocs concurrently because our pocs are very lightweight and don't require any on-prem customization or heavy pre-sales post sales activity so as a result we're able to have a few amount of sellers driving a lot of Revenue and volume for us well the same thing applies to bars there isn't a lot of effort to sell the product or prove its value so vars are able to sell a lot more Horizon 3 node zero product without having to build up a huge specialist sales organization so what I'm going to do is talk through uh scenario three here as an I.T service provider and just how powerful node zero can be in driving additional Revenue so in here think of for every one dollar of node zero license purchased by the IT service provider to do their business it'll generate ten dollars of additional revenue for that partner so in this example kidney group uses node 0 to verify that they have installed and deployed Splunk correctly so Kitty group is a Splunk partner they they sell it services to install configure deploy and maintain Splunk and as they deploy Splunk they're going to use node 0 to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment so it's a way of doing QA or verifying that Splunk has been configured correctly and that's going to be internally used by kidney group to prove the quality of their services that they've just delivered then what they're going to do is they're going to show and leave behind that node zero Report with their client and that creates a resell opportunity for for kidney group to resell node 0 to their client because their client is seeing the reports and the results and saying wow this is pretty amazing and those reports can be co-branded where it's a pen testing report branded with kidney group but it says powered by Horizon three under it from there kidney group is able to take the fixed actions report that's automatically generated with every pen test through node zero and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that node zero identified fixing l11r misconfigurations fixing or patching VMware or updating credentials policies and so on so what happens is node 0 has found a bunch of problems the client often lacks the capacity to fix and so kidney group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services and finally based on the findings from node zero kidney group can look at that report and say to the customer you know customer if you bought crowdstrike you'd be able to uh prevent node Zero from attacking and succeeding in the way that it did for if you bought humano or if you bought Palo Alto networks or if you bought uh some privileged access management solution because of what node 0 was able to do with credential harvesting and attacks and so as a result kidney group is able to resell other security products within their portfolio crowdstrike Falcon humano Polito networks demisto Phantom and so on based on the gaps that were identified by node zero and that pen test and what that creates is another feedback loop where kidney group will then go use node 0 to verify that crowdstrike product has actually been installed and configured correctly and then this becomes the cycle of using node 0 to verify a deployment using that verification to drive a bunch of follow-on services and resell opportunities which then further drives more usage of the product now the way that we licensed is that it's a usage-based license licensing model so that the partner will grow their node zero Consulting plus license as they grow their business so for example if you're a kidney group then week one you've got you're going to use node zero to verify your Splunk install in week two if you have a pen testing business you're going to go off and use node zero to be a force multiplier for your pen testing uh client opportunity and then if you have an mssp business then in week three you're going to use node zero to go execute a purple team mssp offering for your clients so not necessarily a kidney group but if you're a Deloitte or ATT these larger companies and you've got multiple lines of business if you're Optive for instance you all you have to do is buy one Consulting plus license and you're going to be able to run as many pen tests as you want sequentially so now you can buy a single license and use that one license to meet your week one client commitments and then meet your week two and then meet your week three and as you grow your business you start to run multiple pen tests concurrently so in week one you've got to do a Splunk verify uh verify Splunk install and you've got to run a pen test and you've got to do a purple team opportunity you just simply expand the number of Consulting plus licenses from one license to three licenses and so now as you systematically grow your business you're able to grow your node zero capacity with you giving you predictable cogs predictable margins and once again 10x additional Revenue opportunity for that investment in the node zero Consulting plus license my name is Saint I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your Enterprise Through The Eyes of an attacker the challenge I had when I was a CIO in banking the CTO at Splunk and serving within the Department of Defense is that I had no idea I was Secure until the bad guys had showed up am I logging the right data am I fixing the right vulnerabilities are my security tools that I've paid millions of dollars for actually working together to defend me and the answer is I don't know does my team actually know how to respond to a breach in the middle of an incident I don't know I've got to wait for the bad guys to show up and so the challenge I had was how do we proactively verify our security posture I tried a variety of techniques the first was the use of vulnerability scanners and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable I might have a hundred thousand findings from my scanner of which maybe five or ten can actually be exploited in my environment the other big problem with scanners is that they can't chain weaknesses together from machine to machine so if you've got a thousand machines in your environment or more what a vulnerability scanner will do is tell you you have a problem on machine one and separately a problem on machine two but what they can tell you is that an attacker could use a load from machine one plus a low from machine two to equal to critical in your environment and what attackers do in their tactics is they chain together misconfigurations dangerous product defaults harvested credentials and exploitable vulnerabilities into attack paths across different machines so to address the attack pads across different machines I tried layering in consulting-based pen testing and the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment human-based pen testing simply doesn't scale to test an infrastructure of that size moreover when they actually do execute a pen test and you get the report oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem and so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale and then to mitigate that problem I tried using breach and attack simulation tools and the struggle with these tools is one I had to install credentialed agents everywhere two I had to write my own custom attack scripts that I didn't have much talent for but also I had to maintain as my environment changed and then three these types of tools were not safe to run against production systems which was the the majority of my attack surface so that's why we went off to start Horizon 3. so Tony and I met when we were in Special Operations together and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the the power of a 20-year pen testing veteran into the hands of an I.T admin a network engineer in just three clicks and the whole idea is we enable these fixers The Blue Team to be able to run node Zero Hour pen testing product to quickly find problems in their environment that blue team will then then go off and fix the issues that were found and then they can quickly rerun the attack to verify that they fixed the problem and the whole idea is delivering this without requiring custom scripts be developed without requiring credential agents be installed and without requiring the use of external third-party consulting services or Professional Services self-service pen testing to quickly Drive find fix verify there are three primary use cases that our customers use us for the first is the sock manager that uses us to verify that their security tools are actually effective to verify that they're logging the right data in Splunk or in their Sim to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their slas or that the sock understands how to quickly detect and respond and measuring and verifying that or that the variety of tools that you have in your stack most organizations have 130 plus cyber security tools none of which are designed to work together are actually working together the second primary use case is proactively hardening and verifying your systems this is when the I that it admin that network engineer they're able to run self-service pen tests to verify that their Cisco environment is installed in hardened and configured correctly or that their credential policies are set up right or that their vcenter or web sphere or kubernetes environments are actually designed to be secure and what this allows the it admins and network Engineers to do is shift from running one or two pen tests a year to 30 40 or more pen tests a month and you can actually wire those pen tests into your devops process or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment the third primary use case is for those organizations lucky enough to have their own internal red team they'll use node zero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard juicy stuff that gets them on stage at Defcon and so these are the three primary use cases and what we'll do is zoom into the find fix verify Loop because what I've found in my experience is find fix verify is the future operating model for cyber security organizations and what I mean here is in the find using continuous pen testing what you want to enable is on-demand self-service pen tests you want those pen tests to find attack pads at scale spanning your on-prem infrastructure your Cloud infrastructure and your perimeter because attackers don't only state in one place they will find ways to chain together a perimeter breach a credential from your on-prem to gain access to your cloud or some other permutation and then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore they know we've built vulnerability Management Programs to reduce those vulnerabilities so attackers have adapted and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults with exploitable vulnerabilities and through the collection of credentials through a mix of techniques at scale once you've found those problems the next question is what do you do about it well you want to be able to prioritize fixing problems that are actually exploitable in your environment that truly matter meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data the second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to where is your crown jewels data is in the cloud is it on-prem has it been copied to a share drive that you weren't aware of if a domain user was compromised could they access that crown jewels data you want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure and then finally as you fix these problems you want to quickly remediate and retest that you've actually fixed the issue and this fine fix verify cycle becomes that accelerator that drives purple team culture the third part here is verify and what you want to be able to do in the verify step is verify that your security tools and processes in people can effectively detect and respond to a breach you want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations you also want to make sure that your environment is adhering to the best practices around systems hardening in cyber resilience and finally you want to be able to prove your security posture over a time to your board to your leadership into your regulators so what I'll do now is zoom into each of these three steps so when we zoom in to find here's the first example using node 0 and autonomous pen testing and what an attacker will do is find a way to break through the perimeter in this example it's very easy to misconfigure kubernetes to allow an attacker to gain remote code execution into your on-prem kubernetes environment and break through the perimeter and from there what the attacker is going to do is conduct Network reconnaissance and then find ways to gain code execution on other machines in the environment and as they get code execution they start to dump credentials collect a bunch of ntlm hashes crack those hashes using open source and dark web available data as part of those attacks and then reuse those credentials to log in and laterally maneuver throughout the environment and then as they loudly maneuver they can reuse those credentials and use credential spraying techniques and so on to compromise your business email to log in as admin into your cloud and this is a very common attack and rarely is a CV actually needed to execute this attack often it's just a misconfiguration in kubernetes with a bad credential policy or password policy combined with bad practices of credential reuse across the organization here's another example of an internal pen test and this is from an actual customer they had 5 000 hosts within their environment they had EDR and uba tools installed and they initiated in an internal pen test on a single machine from that single initial access point node zero enumerated the network conducted reconnaissance and found five thousand hosts were accessible what node 0 will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the Cyber terrain map and that cyber Terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment so what node zero will do is they'll try to find ways to get code execution reuse credentials and so on in this customer example they had Fortinet installed as their EDR but node 0 was still able to get code execution on a Windows machine from there it was able to successfully dump credentials including sensitive credentials from the lsas process on the Windows box and then reuse those credentials to log in as domain admin in the network and once an attacker becomes domain admin they have the keys to the kingdom they can do anything they want so what happened here well it turns out Fortinet was misconfigured on three out of 5000 machines bad automation the customer had no idea this had happened they would have had to wait for an attacker to show up to realize that it was misconfigured the second thing is well why didn't Fortinet stop the credential pivot in the lateral movement and it turned out the customer didn't buy the right modules or turn on the right services within that particular product and we see this not only with Ford in it but we see this with Trend Micro and all the other defensive tools where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping the next story I'll tell you is attackers don't have to hack in they log in so another infrastructure pen test a typical technique attackers will take is man in the middle uh attacks that will collect hashes so in this case what an attacker will do is leverage a tool or technique called responder to collect ntlm hashes that are being passed around the network and there's a variety of reasons why these hashes are passed around and it's a pretty common misconfiguration but as an attacker collects those hashes then they start to apply techniques to crack those hashes so they'll pass the hash and from there they will use open source intelligence common password structures and patterns and other types of techniques to try to crack those hashes into clear text passwords so here node 0 automatically collected hashes it automatically passed the hashes to crack those credentials and then from there it starts to take the domain user user ID passwords that it's collected and tries to access different services and systems in your Enterprise in this case node 0 is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured so now what happens is node 0 has a placement and access in the business email system which sets up the conditions for fraud lateral phishing and other techniques but what's especially insightful here is that 80 of the hashes that were collected in this pen test were cracked in 15 minutes or less 80 percent 26 of the user accounts had a password that followed a pretty obvious pattern first initial last initial and four random digits the other thing that was interesting is 10 percent of service accounts had their user ID the same as their password so VMware admin VMware admin web sphere admin web Square admin so on and so forth and so attackers don't have to hack in they just log in with credentials that they've collected the next story here is becoming WS AWS admin so in this example once again internal pen test node zero gets initial access it discovers 2 000 hosts are network reachable from that environment if fingerprints and organizes all of that data into a cyber Terrain map from there it it fingerprints that hpilo the integrated lights out service was running on a subset of hosts hpilo is a service that is often not instrumented or observed by security teams nor is it easy to patch as a result attackers know this and immediately go after those types of services so in this case that ILO service was exploitable and were able to get code execution on it ILO stores all the user IDs and passwords in clear text in a particular set of processes so once we gain code execution we were able to dump all of the credentials and then from there laterally maneuver to log in to the windows box next door as admin and then on that admin box we're able to gain access to the share drives and we found a credentials file saved on a share Drive from there it turned out that credentials file was the AWS admin credentials file giving us full admin authority to their AWS accounts not a single security alert was triggered in this attack because the customer wasn't observing the ILO service and every step thereafter was a valid login in the environment and so what do you do step one patch the server step two delete the credentials file from the share drive and then step three is get better instrumentation on privileged access users and login the final story I'll tell is a typical pattern that we see across the board with that combines the various techniques I've described together where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company from there they're going to look up those employees on dark web breach databases and other forms of information and then use that as a starting point to password spray to compromise a domain user all it takes is one employee to reuse a breached password for their Corporate email or all it takes is a single employee to have a weak password that's easily guessable all it takes is one and once the attacker is able to gain domain user access in most shops domain user is also the local admin on their laptop and once your local admin you can dump Sam and get local admin until M hashes you can use that to reuse credentials again local admin on neighboring machines and attackers will start to rinse and repeat then eventually they're able to get to a point where they can dump lsas or by unhooking the anti-virus defeating the EDR or finding a misconfigured EDR as we've talked about earlier to compromise the domain and what's consistent is that the fundamentals are broken at these shops they have poor password policies they don't have least access privilege implemented active directory groups are too permissive where domain admin or domain user is also the local admin uh AV or EDR Solutions are misconfigured or easily unhooked and so on and what we found in 10 000 pen tests is that user Behavior analytics tools never caught us in that lateral movement in part because those tools require pristine logging data in order to work and also it becomes very difficult to find that Baseline of normal usage versus abnormal usage of credential login another interesting Insight is there were several Marquee brand name mssps that were defending our customers environment and for them it took seven hours to detect and respond to the pen test seven hours the pen test was over in less than two hours and so what you had was an egregious violation of the service level agreements that that mssp had in place and the customer was able to use us to get service credit and drive accountability of their sock and of their provider the third interesting thing is in one case it took us seven minutes to become domain admin in a bank that bank had every Gucci security tool you could buy yet in 7 minutes and 19 seconds node zero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin if it's seven minutes today we should assume it'll be less than a minute a year or two from now making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack so that's in the find it's not just about finding problems though the bulk of the effort should be what to do about it the fix and the verify so as you find those problems back to kubernetes as an example we will show you the path here is the kill chain we took to compromise that environment we'll show you the impact here is the impact or here's the the proof of exploitation that we were able to use to be able to compromise it and there's the actual command that we executed so you could copy and paste that command and compromise that cubelet yourself if you want and then the impact is we got code execution and we'll actually show you here is the impact this is a critical here's why it enabled perimeter breach affected applications will tell you the specific IPS where you've got the problem how it maps to the miter attack framework and then we'll tell you exactly how to fix it we'll also show you what this problem enabled so you can accurately prioritize why this is important or why it's not important the next part is accurate prioritization the hardest part of my job as a CIO was deciding what not to fix so if you take SMB signing not required as an example by default that CVSs score is a one out of 10. but this misconfiguration is not a cve it's a misconfig enable an attacker to gain access to 19 credentials including one domain admin two local admins and access to a ton of data because of that context this is really a 10 out of 10. you better fix this as soon as possible however of the seven occurrences that we found it's only a critical in three out of the seven and these are the three specific machines and we'll tell you the exact way to fix it and you better fix these as soon as possible for these four machines over here these didn't allow us to do anything of consequence so that because the hardest part is deciding what not to fix you can justifiably choose not to fix these four issues right now and just add them to your backlog and surge your team to fix these three as quickly as possible and then once you fix these three you don't have to re-run the entire pen test you can select these three and then one click verify and run a very narrowly scoped pen test that is only testing this specific issue and what that creates is a much faster cycle of finding and fixing problems the other part of fixing is verifying that you don't have sensitive data at risk so once we become a domain user we're able to use those domain user credentials and try to gain access to databases file shares S3 buckets git repos and so on and help you understand what sensitive data you have at risk so in this example a green checkbox means we logged in as a valid domain user we're able to get read write access on the database this is how many records we could have accessed and we don't actually look at the values in the database but we'll show you the schema so you can quickly characterize that pii data was at risk here and we'll do that for your file shares and other sources of data so now you can accurately articulate the data you have at risk and prioritize cleaning that data up especially data that will lead to a fine or a big news issue so that's the find that's the fix now we're going to talk about the verify the key part in verify is embracing and integrating with detection engineering practices so when you think about your layers of security tools you've got lots of tools in place on average 130 tools at any given customer but these tools were not designed to work together so when you run a pen test what you want to do is say did you detect us did you log us did you alert on us did you stop us and from there what you want to see is okay what are the techniques that are commonly used to defeat an environment to actually compromise if you look at the top 10 techniques we use and there's far more than just these 10 but these are the most often executed nine out of ten have nothing to do with cves it has to do with misconfigurations dangerous product defaults bad credential policies and it's how we chain those together to become a domain admin or compromise a host so what what customers will do is every single attacker command we executed is provided to you as an attackivity log so you can actually see every single attacker command we ran the time stamp it was executed the hosts it executed on and how it Maps the minor attack tactics so our customers will have are these attacker logs on one screen and then they'll go look into Splunk or exabeam or Sentinel one or crowdstrike and say did you detect us did you log us did you alert on us or not and to make that even easier if you take this example hey Splunk what logs did you see at this time on the VMware host because that's when node 0 is able to dump credentials and that allows you to identify and fix your logging blind spots to make that easier we've got app integration so this is an actual Splunk app in the Splunk App Store and what you can come is inside the Splunk console itself you can fire up the Horizon 3 node 0 app all of the pen test results are here so that you can see all of the results in one place and you don't have to jump out of the tool and what you'll show you as I skip forward is hey there's a pen test here are the critical issues that we've identified for that weaker default issue here are the exact commands we executed and then we will automatically query into Splunk all all terms on between these times on that endpoint that relate to this attack so you can now quickly within the Splunk environment itself figure out that you're missing logs or that you're appropriately catching this issue and that becomes incredibly important in that detection engineering cycle that I mentioned earlier so how do our customers end up using us they shift from running one pen test a year to 30 40 pen tests a month oftentimes wiring us into their deployment automation to automatically run pen tests the other part that they'll do is as they run more pen tests they find more issues but eventually they hit this inflection point where they're able to rapidly clean up their environment and that inflection point is because the red and the blue teams start working together in a purple team culture and now they're working together to proactively harden their environment the other thing our customers will do is run us from different perspectives they'll first start running an RFC 1918 scope to see once the attacker gained initial access in a part of the network that had wide access what could they do and then from there they'll run us within a specific Network segment okay from within that segment could the attacker break out and gain access to another segment then they'll run us from their work from home environment could they Traverse the VPN and do something damaging and once they're in could they Traverse the VPN and get into my cloud then they'll break in from the outside all of these perspectives are available to you in Horizon 3 and node zero as a single SKU and you can run as many pen tests as you want if you run a phishing campaign and find that an intern in the finance department had the worst phishing behavior you can then inject their credentials and actually show the end-to-end story of how an attacker fished gained credentials of an intern and use that to gain access to sensitive financial data so what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time I'll leave you two things one is what is the AI in Horizon 3 AI those knowledge graphs are the heart and soul of everything that we do and we use machine learning reinforcement techniques reinforcement learning techniques Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs we also use context-based scoring to prioritize weaknesses and we're also able to drive collective intelligence across all of the operations so the more pen tests we run the smarter we get and all of that is based on our knowledge graph analytics infrastructure that we have finally I'll leave you with this was my decision criteria when I was a buyer for my security testing strategy what I cared about was coverage I wanted to be able to assess my on-prem cloud perimeter and work from home and be safe to run in production I want to be able to do that as often as I wanted I want to be able to run pen tests in hours or days not weeks or months so I could accelerate that fine fix verify loop I wanted my it admins and network Engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agent and not have to write custom scripts and finally I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted so I could look at my Trends in directions over time so I hope you found this talk valuable uh we're easy to find and I look forward to seeing seeing you use a product and letting our results do the talking when you look at uh you know kind of the way no our pen testing algorithms work is we dynamically select uh how to compromise an environment based on what we've discovered and the goal is to become a domain admin compromise a host compromise domain users find ways to encrypt data steal sensitive data and so on but when you look at the the top 10 techniques that we ended up uh using to compromise environments the first nine have nothing to do with cves and that's the reality cves are yes a vector but less than two percent of cves are actually used in a compromise oftentimes it's some sort of credential collection credential cracking uh credential pivoting and using that to become an admin and then uh compromising environments from that point on so I'll leave this up for you to kind of read through and you'll have the slides available for you but I found it very insightful that organizations and ourselves when I was a GE included invested heavily in just standard vulnerability Management Programs when I was at DOD that's all disa cared about asking us about was our our kind of our cve posture but the attackers have adapted to not rely on cves to get in because they know that organizations are actively looking at and patching those cves and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment a concrete example is by default vcenter backups are not encrypted and so as if an attacker finds vcenter what they'll do is find the backup location and there are specific V sender MTD files where the admin credentials are parsippled in the binaries so you can actually as an attacker find the right MTD file parse out the binary and now you've got the admin credentials for the vcenter environment and now start to log in as admin there's a bad habit by signal officers and Signal practitioners in the in the Army and elsewhere where the the VM notes section of a virtual image has the password for the VM well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMS that are unencrypted find the note section and pull out the passwords for those images and then reuse those credentials across the board so I'll pause here and uh you know Patrick love you get some some commentary on on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is uh is rolled through a little bit more on what do you do about it yeah yeah no I love it I think um I think this is pretty exhaustive what I like about what you've done here is uh you know we've seen we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last um for the last three years and it's often we kind of in the Zeitgeist we pegged that on ransomware which of course is like incredibly important and very top of mind um but what I like about what you have here is you know we're reminding the audience that the the attack surface area the vectors the matter um you know has to be more comprehensive than just thinking about ransomware scenarios yeah right on um so let's build on this when you think about your defense in depth you've got multiple security controls that you've purchased and integrated and you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together so when you run a pen test what you want to ask yourself is did you detect node zero did you log node zero did you alert on node zero and did you stop node zero and when you think about how to do that every single attacker command executed by node zero is available in an attacker log so you can now see you know at the bottom here vcenter um exploit at that time on that IP how it aligns to minor attack what you want to be able to do is go figure out did your security tools catch this or not and that becomes very important in using the attacker's perspective to improve your defensive security controls and so the way we've tried to make this easier back to like my my my the you know I bleed Green in many ways still from my smoke background is you want to be able to and what our customers do is hey we'll look at the attacker logs on one screen and they'll look at what did Splunk see or Miss in another screen and then they'll use that to figure out what their logging blind spots are and what that where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunk base and you'll get all of the pen test results right there in the Splunk console and from that Splunk console you're gonna be able to see these are all the pen tests that were run these are the issues that were found um so you can look at that particular pen test here are all of the weaknesses that were identified for that particular pen test and how they categorize out for each of those weaknesses you can click on any one of them that are critical in this case and then we'll tell you for that weakness and this is where where the the punch line comes in so I'll pause the video here for that weakness these are the commands that were executed on these endpoints at this time and then we'll actually query Splunk for that um for that IP address or containing that IP and these are the source types that surface any sort of activity so what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective so as this video kind of plays through you can see it Patrick I'd love to get your thoughts um just seeing so many Splunk deployments and the effectiveness of those deployments and and how this is going to help really Elevate the effectiveness of all of your Splunk customers yeah I'm super excited about this I mean I think this these kinds of purpose-built integration snail really move the needle for our customers I mean at the end of the day when I think about the power of Splunk I think about a product I was first introduced to 12 years ago that was an on-prem piece of software you know and at the time it sold on sort of Perpetual and term licenses but one made it special was that it could it could it could eat data at a speed that nothing else that I'd have ever seen you can ingest massively scalable amounts of data uh did cool things like schema on read which facilitated that there was this language called SPL that you could nerd out about uh and you went to a conference once a year and you talked about all the cool things you were splunking right but now as we think about the next phase of our growth um we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding and as you look at the as you look at the role of the ciso it's mind-blowing to me the amount of sources Services apps that are coming into the ciso span of let's just call it a span of influence in the last three years uh you know we're seeing things like infrastructure service level visibility application performance monitoring stuff that just never made sense for the security team to have visibility into you um at least not at the size and scale which we're demanding today um and and that's different and this isn't this is why it's so important that we have these joint purpose-built Integrations that um really provide more prescription to our customers about how do they walk on that Journey towards maturity what does zero to one look like what does one to two look like whereas you know 10 years ago customers were happy with platforms today they want integration they want Solutions and they want to drive outcomes and I think this is a great example of how together we are stepping to the evolving nature of the market and also the ever-evolving nature of the threat landscape and what I would say is the maturing needs of the customer in that environment yeah for sure I think especially if if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere while the security budgets are not going to ever I don't think they're going to get cut they're not going to grow as fast and there's a lot more pressure on organizations to extract more value from their existing Investments as well as extracting more value and more impact from their existing teams and so security Effectiveness Fierce prioritization and automation I think become the three key themes of security uh over the next 18 months so I'll do very quickly is run through a few other use cases um every host that we identified in the pen test were able to score and say this host allowed us to do something significant therefore it's it's really critical you should be increasing your logging here hey these hosts down here we couldn't really do anything as an attacker so if you do have to make trade-offs you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end so you've got that level of of um justification for where to increase or or adjust your logging resolution another example is every host we've discovered as an attacker we Expose and you can export and we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint a big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were Rogue Raspberry Pi's on the network or if a new box was installed and whether Splunk was installed on it or not so now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from uh finally or second to last use case here on the Splunk integration side is for every single problem we've found we give multiple options for how to fix it this becomes a great way to prioritize what fixed actions to automate in your soar platform and what we want to get to eventually is being able to automatically trigger soar actions to fix well-known problems like automatically invalidating passwords for for poor poor passwords in our credentials amongst a whole bunch of other things we could go off and do and then finally if there is a well-known kill chain or attack path one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise and now you've got a great starting point for glass tables and iocs for actual kill chains that we know are exploitable in your environment and that becomes some super cool Integrations that we've got on the roadmap between us and the Splunk security side of the house so what I'll leave with actually Patrick before I do that you know um love to get your comments and then I'll I'll kind of leave with one last slide on this wartime security mindset uh pending you know assuming there's no other questions no I love it I mean I think this kind of um it's kind of glass table's approach to how do you how do you sort of visualize these workflows and then use things like sore and orchestration and automation to operationalize them is exactly where we see all of our customers going and getting away from I think an over engineered approach to soar with where it has to be super technical heavy with you know python programmers and getting more to this visual view of workflow creation um that really demystifies the power of Automation and also democratizes it so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation policy enforcement and ultimately driving automation coverage across more and more of the workflows that your team is seeing yeah I think that between us being able to visualize the actual kill chain or attack path with you know think of a of uh the soar Market I think going towards this no code low code um you know configurable sore versus coded sore that's going to really be a game changer in improve or giving security teams a force multiplier so what I'll leave you with is this peacetime mindset of security no longer is sustainable we really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are are working or not and the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past uh nine months due to the Ukrainian War there you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint and this is no longer about financial extortion that is ransomware this is about punishing and destroying companies and you can punish any one of these companies by going after them directly or by going after their suppliers and their Distributors so suddenly your attack surface is no more no longer just your own Enterprise it's how you bring your goods to Market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit if I can get those trucks stuck at the border I can increase spoilage and have the same effect and what we should expect to see is this idea of cyber-enabled economic Warfare where if we issue a sanction like Banning the Russians from traveling there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database that is below the threshold of War that's not going to trigger the 82nd Airborne to be mobilized but it's going to achieve the right effect ban the sale of luxury goods disrupt the supply chain and create shortages banned Russian oil and gas attack refineries to call a 10x spike in gas prices three days before the election this is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture verify it see yourself Through The Eyes of the attacker build that incident response muscle memory and drive better collaboration between the red and the blue teams your suppliers and Distributors and your information uh sharing organization they have in place and what's really valuable for me as a Splunk customer was when a router crashes at that moment you don't know if it's due to an I.T Administration problem or an attacker and what you want to have are different people asking different questions of the same data and you want to have that integrated triage process of an I.T lens to that problem a security lens to that problem and then from there figuring out is is this an IT workflow to execute or a security incident to execute and you want to have all of that as an integrated team integrated process integrated technology stack and this is something that I very care I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board so Patrick I'll leave you with the last word the final three minutes here and I don't see any open questions so please take us home oh man see how you think we spent hours and hours prepping for this together that that last uh uh 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now uh and I think nist has done some really interesting work here around building cyber resilient organizations that have that has really I think helped help the industry see that um incidents can come from adverse conditions you know stress is uh uh performance taxations in the infrastructure service or app layer and they can come from malicious compromises uh Insider threats external threat actors and the more that we look at this from the perspective of of a broader cyber resilience Mission uh in a wartime mindset uh I I think we're going to be much better off and and will you talk about with operationally minded ice hacks information sharing intelligence sharing becomes so important in these wartime uh um situations and you know we know not all ice acts are created equal but we're also seeing a lot of um more ad hoc information sharing groups popping up so look I think I think you framed it really really well I love the concept of wartime mindset and um I I like the idea of applying a cyber resilience lens like if you have one more layer on top of that bottom right cake you know I think the it lens and the security lens they roll up to this concept of cyber resilience and I think this has done some great work there for us yeah you're you're spot on and that that is app and that's gonna I think be the the next um terrain that that uh that you're gonna see vendors try to get after but that I think Splunk is best position to win okay that's a wrap for this special Cube presentation you heard all about the global expansion of horizon 3.ai's partner program for their Partners have a unique opportunity to take advantage of their node zero product uh International go to Market expansion North America channel Partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in and hope you enjoyed this program all the videos are available on thecube.net as well as check out Horizon 3 dot AI for their pen test Automation and ultimately their defense system that they use for testing always the environment that you're in great Innovative product and I hope you enjoyed the program again I'm John Furrier host of the cube thanks for watching

>>Okay. We're back at the area in Las Vegas, Falcon 22. You're watching the cube. My name is Dave Valante. Michael cent is here. He's the chief technology officer at CrowdStrike. Michael. Good to see you. Thanks. Thanks >>For >>Having me. Yeah. So this is your first time I think, on the cube. It is, and, and it's really a pleasure. I've been following you, watching you very closely. You're, you know, quite prominent and, and, you know, very articulate. I loved your keynote talking about what is XDR. I think you guys are gonna do really well in that space, cuz you've got clarity of vision and execution. Talk about some of the announcements that you made this week, particularly interested in, in insight. XDR what's that all about? >>Yeah. So I've been talking about XDR for a while and trying to help push the right narrative. There's a lot of marketing in the industry with XDR. So we've been talking a lot about what it, what it means that the benefit that it provides from a technology perspective, what you need in the architecture. So we firmly believe it's a philosophy and we build all of our technology to work together, but it's bringing in third parties. And that was really a lot of the, the announcements. My keynote was to show everybody the work that we've been doing to bring in data from Zscaler and Proofpoint. And we talked about bringing in data from a whole range of different vendors, firewall vendors, and we've been doing XDR use cases for a long time. So a big part of our strategy is to make security easy. And we've been doing a lot of XDR use cases with our Falcon insight module. So the announcement that I made was to relaunch Falcon insight as insight XDR and it means all of our close to 20,000 customers have access to the product. >>So that gets bundled right in it's like SAS automatically part of the portfolio >>Log off on Friday, come back on Monday and you're good to go. >>And then, and you, you just, you just called out Zscaler and Proofpoint you, I think you also mentioned Palo Alto network, Cisco for net as well. You're pulling in telemetry from, yeah, >>We've got a, we got a long map of, of people that we're integrating with. We talked about Cisco, we talked about for drop and for net, we announced that we're gonna be pulling in telemetry from, from Palo and a range of other vendors, Microsoft and others. And that's what XDR is about. It's about first party and third party integration and making all of the telemetry work together. >>I was talking to George about this yesterday is I think there's a lot of confusion. Sometimes when you have the dogma of cloud native, you know, snowflake, same thing, no, we're not doing OnPrem. This is hybrid. People think that that you're excluding on-prem data, but you're not, you can ingest on-prem data, right? >>We absolutely are not excluding on-prem. We will support and, and secure every workload, whether it's on-prem or in the cloud, whether it's connected to the internet or offline, a lot of the, the indicators of attack and the, and the detection techniques that we have are on the sensor itself. So you don't have to be connected anywhere for that capability to work. You get the benefit when you connect to the cloud of the additional visibility, the additional protection, but the core capabilities on the sensor that we have >>Given that you guys started 11 years ago, plus two days now, and you had that dogma cloud cloud, first cloud cloud, only Nate cloud native. Was there ever a point where you're like, you know, boy, we might be missing some of the market, you know? And, and you, you, you held true to your principles. Two part question. Did you ever question that and by focusing all your resources on cloud, what, what has that given you? >>It's there's been a Eliza focus on having a, a native cloud platform. It's easy to say cloud native. And if you look at a lot of the vendors in the industry today, if you are a, a customer and you ask them, Hey, can you gimme an on-premise product? I'm not gonna buy your product. They've got an on premise product. The problem is when you have two different versions, you end up having compromise. You have to manage two code bases, impact to your engineering team. Their features are different customers. Ultimately are the ones that miss out because if I have the on-prem version or if the cloud version, I may not get the same capability for us, it's been very clear. It's been a laser focus to be a cloud and cloud only from day one. >>You've renamed humo. I gotta stop using humo. I guess it's not called log scale, Falcon, complete log scale. You're bringing together security and observability. Although you're not doing the full spectrum of observability, you're just sort of focusing on, you know, part of it. Can you explain that? >>Yeah. So first of all, we did rebrand and bring the homeo brand closer to a crowd strike by renaming it Falcon log scale. And just to be clear, it's not just the rebranding of the name. We've been spending a lot of time. We made that acquisition in March of, of last year, and we've been doing a lot of work on the technology. We built out long, the Falcon long term retention. We built a whole bunch of capability into the product. So now was the right time to rebrand it as Falcon log scale. And at the same time, we also announced Falcon complete log scale. And it's part of the complete franchise. And that's where customers can get the value and the benefit of log scale, but they don't have to set it up. They don't have to manage it. They leave that to us. >>So you get pretty much involved in, in the, the M and a activity. You talked on stage yesterday about reify and, and what's going on there. You guys got, obviously gotta, still do that. You, but you made investments this week. You announced investments in salt security, the API specialist, and, and also Vanta compliance automation. What's the thinking behind that, you know, explain actually the fund that you guys are sprinkling around as a strategic investor and why those companies. Yeah. >>So there's two, two parts that, that I'm involved in on that part of my team. One is the M and a team. And one is the Falcon fund side of the business. Obviously two very different things. The, the M and a part of CrowdStrike, we're always looking to see for every technology space that we want to get into, you know, what is the best option build by a partner? Sometimes it's built sometimes it's a, it's a hybrid approach of build and partner. Other times we go down the path of M and a, and I was super excited about reify, great company, great technology. And as you said, we made announcements to we're investing as part of the fund into, into van and salt. We, we, we are very blessed. We're very fortunate to have achieved a lot of success in a short period of time. And we think we've got an opportunity to help fledgling companies to help them guide through the process of setting up the company, helping them with engineering principles and guidelines, helping them with the go to market perspective. So the fund is really about that. It's finding the next cybersecurity company working closely together, and it's been a huge success. You had banter and salt on earlier, and there's so much excitement about what they do. >>Yeah. I mean, it's clear, clear, compliment to what you guys are doing. I want to ask you about your lightweight agent. There, there are other firms that say they have a lightweight agent too. You know, what, what makes your lightweight agent so different? So special? >>Yeah. I've never seen a PowerPoint presentation. That's wrong. It's very easy to, to say your lightweight agent is, is, you know, super lightweight. And many times when you look at them, they're, they're not lightweight. They take a lot of effort to install. They need reboots. If you've got security, that's part of the operating system. If you've got security that requires to reboot, you can't go to a bank and say, Hey, you've got a hundred thousand machines. We're gonna install all of this technology, but you've gotta reboot it once, twice, three times. So what ends up happening is you see deployment cycles that go on for 12 months. I've spoken to organizations here this week that said we had budgeted to roll out your product in 18 months because of what we experienced in the past. And we did it in seven weeks. That's a lightweight agent with no reboot. And then you look at the updates. You look at the CPU resource utilization. So again, very easy to say lightweight. I haven't seen anything like what we've built at crowd strike. >>How do you keep an agent lightweight when you're both acquiring in companies and adding modules? I think you're, you're over 20 modules now. How, how is it that the, the agent can remain so lightweight? >>So we spent a lot of time building out the agent cloud architecture that we have, the, the concept of our agent is very different. It's not collecting data, storing it, trying to sell, send it up. We have a smart agent with smart filtering built in. So we're very careful in terms of the data that we collect, but think of the aperture on a camera. You know, if you wanna let more light in you, you widen the aperture. It's the same as our, our agent. If we wanna bring in more telemetry, we, we widen that aperture. So we're very efficient on the network. And we collect data. When machine process runs, we collect that telemetry. We use it in different ways, but we collect once and reuse it many times. So it's the same agent for NextGen AV for EDR, for our spotlight vulnerability management module. And when we're looking at M M and a, so coming back to your, your question, we will look at technology. And if we can't bring that technology and incorporate it into the agent that we already have, we won't acquire it. Worst thing in security is complexity. When you give an organization, 1, 2, 3, 5 plus agents, and then they have 3, 4, 5 plus management consoles. It's too hard when they're under attack. >>Well, it's like my, my business partner co-host John furrier says is that as an industry, we tend to solve complexity with more complexity. And it's, that's problematic. Can you talk about your, your threat graph? Like, what is that? Is it a, is it a graph database? Is it a purpose built? Is it a time series, database, a combination? What, what is >>That? Yeah, it is a graph database. When we, when, when the company was started, obviously the vision was to crowdsource telemetry from so many machines from millions of devices around the world. And the thesis at the time was as that capability scales out, there's nothing commercially available that will be able to ingest all of that data. And today we are processing over 7 trillion events every single week. We, we can't go and get something off the shelf. So we've had to build the, the technology from the ground up. That's the first part. Secondly, there is a temporal element to this. There's a time element. And we, we have an ontology built where we track the relationship between all the telemetry that we get. The reason why I believe we stand alone in EDI is because of that time element, the relationship that we have, and we just have so much context that makes it easy for the threat hunter speed and, and ease of use is critical in cyber. >>So you see in data in the database world, everything's kind of converging with all this function, you know, 11 years ago, these were pretty rudimentary. I shouldn't say rudimentary, but immature markets they've come a long way. If you had to start, if, if those capabilities that are there today with graph databases and time series databases were available in, in 2010, would you have used off the shelf technology, or would you have still developed your >>Own? We would've done the same thing that we've done today. >>And, and why can you explain what that, what that is it a performance thing? Is it just control? >>Yeah, look, it, it, it's everything that I talked about before, the, the benefit that you get from the approach that we've taken and the scalability that the requirements that we need, we still today, there's nothing that we can, we can go and get off the shelf that can scale and give us the performance that we need that can give us the ability to, to have that relationship data, the ontology of, of what we have in the platform and the way that we inter operate with all of the different modules that just wouldn't exist. We wouldn't have that capability. And what you'd find is we'd be pretty much the same as every other vendor where they have on-prem solutions, they have hybrid hosted solutions. And when you have those trade offs, you see it in the product. >>Yeah. So the, the point is you're very focused on the purpose of your, your proprietary technology. You're not trying to serve the all things to all people. You used the term yesterday in your keynote, which it, it caught my attention. You used the term ground truth, and it has very specific meaning. Can you explain what you meant by what is ground truth, you know, in the world? And what, what, what does it mean to CrowdStrike? Yeah, >>I was talking about ground truth as it relates to the acquisition of reify and the big thing for us, we wanted to bring additional capability to the platform, to give our customers external and internal visibility of all their assets and all their vulnerabilities. What's important with us, with our agent is today, we give you a single source of truth. When we put that agent onto a device, we tell you everything about the hardware. We tell you everything about who's logged in. We tell you everything about the applications that are running the relationships between the, of the device and the application. We're not a CMDB. We feed CMDB with information that is instant, that is live. And when we look at reify, it broadens again, I'll use the same word. It broadens the aperture. It gives us more visibility around what's going on. So we're, we're super excited about that because having information about all of your assets, all of your users, the applications they use, whether they're vulnerable, how you need to protect them, having it at your finger fingertips, it's a game changer >>Contract, can CrowdStrike be a generational company. And what do you have to do to ensure that that outcome occurs? We, >>We, I think we absolutely are. And, and we're we're path paving a path to, you know, really continuing to build out that platform. I said, in my keynote that I think we're at an early innings. I, if you buy, for example, as a customer, our insight module, cuz you wanna start with EDR, you've got 21 modules to go yesterday. Today we, we talked about discover 2.0, we talked about discover for IOT. I talked about the, the repository acquisition, a whole range of technology built on that single cloud agent architecture. And we've heard the success stories here this week from customers that have just gotten so much benefit. They've rolled out one agent and they've turned off eight or nine from other security vendors. So absolutely we can be a generational company with what we're doing. What >>Are the blockers to customers turning on those additional modules? Cause not, not all customers are using our modules. Is it that they've made an investment in an alternative technology and they're sort of hugging onto it or are there other technical blockers? Yes. >>It many times it's the investment, right? So if you've made a, an investment in the company, you've got a year to go, you might wanna sweat that asset. But typically what we find is the benefit that we have. It's a very simple conversation. If we can give people a cost and a technology benefit, they're gonna make the transition to move. There's so many technical benefits. We talked about the single agent, but the actual features of the modules themselves. But the big thing for us is we've done over 4,700 business value assessments where we sit down with an organization and we look at what they have. We look at what their spend is. We look at their FTEs, we look at the security outcomes that they get. And then we come out with a model that shows them technology and business value. And that's what really drives them to make the switch. >>So the business value in that VVA is not just a, a reduction in expected loss. That's part of it, better security you're gonna, you know, be, be, be lower your risk. But you're saying it's also the labor associated with that. Yeah, >>Absolutely. It's it's how do you operationalize the solution? How many people do you need? How long does it take you to respond? You know, how do you interact with third parties with your suppliers is taking in all of that data. We've spent a long time building out that model and it's, it's proving to be very successful customers. Love it. Is >>That, is that sort of novel ROI thinking in the security business or I'm trying to think of, I mean, I know for years it would watch art. Coviello stand up at RSA and tell us how, how this year's worse than last year. And so, but, but, but I never really heard, you know, a strong business case that would resonate with the, with the P and L manager, other than, you know, we gotta do this or we're gonna get hacked and you're gonna be screwed. Is that new thinking? Or am I, did I just miss it? >>I don't know if I wanna size new thinking. I think what happened, what changed was 10, 15 years ago at a conference you'd stand up and everybody would tell you ransomwares up and fishing is up. And at the end of it, people are trying to work out. Is that good? Or is that bad? It went up 20% based off what that doesn't work anymore. Everyone, you know, got tired of that. And a few of us have been doing it for a while. I I'm, I'm sort of two and a half decades into this. And if you, if you try to use that model of scaring people, they switch off, they want to understand the benefit. You know, the break in the car is so you can go and stop safely when you need it. And I look at security the same way we want to accelerate the company. We want to help companies do their job, but security is there to make sure they don't get into trouble. >>Yeah. It's like having two security guards by your side, right? I mean, they're gonna help you get through the crowd and move forward. So Michael, thanks so much for coming to the cube. Thanks for having me your time. You're you're very welcome. All right. Keep it right there. After this short break, Dave ante will be back with the cube live coverage from Falcon 22 at the area in Las Vegas.

(upbeat music) (logo crystals tingle) >> Hi, everybody, welcome back to FalCon22, I'm Dave Vellante and you're watching theCube's continuous coverage, this is day two. We live in an API economy, but APIs, you know, they're sometimes vulnerable, Michael Nicosia is here, he's the Chief Operating Officer and co-founder of Salt Security, API Security Specialist, Michael, welcome to theCUBE, thanks for coming on. >> Thank you so much, Dave, glad to be here. >> You're very welcome. Why did you and your co-founder, is it Roy? >> Yeah. >> Why did you guys start Salt Security? >> So really easy, I mean, as you mentioned, the proliferation of APIs constantly is growing on a year to year basis. So in 2015, when he and I met, we had this idea that it was going to continue to grow and APIs were going to be critical to every organization from an innovation perspective, from a safety perspective and we thought that current tools out there couldn't protect against the new threat vector that we thought was going to happen. And, you know, you fast forward to 2022 and here we are, it's the largest growing threat vector from an API perspective because APIs are just growing like crazy. >> Right. Well, let's talk about the news, CrowdStrike made an investment in your company. >> Michael: Yes. >> Congratulations. >> Michael: Thank you. >> Tell us about that, why it's important, and to have a strategic partner like that. >> Yeah, so first of all, we're super thrilled about the partnership, I mean, it's amazing. And not only the partnership, the strategic investment for us just signifies the importance of our two companies in terms of what we want to do in the field together or in the market together. So the strategic investment is amazing, the partnership is even more amazing just because it's kind of like, you know, the first in its class from an API security perspective, we've got partners from the cloud providers and then the only other partnerships really have is with API Management vendors. So this is unique in that it goes outside the security ecosystem to provide this partnership and the nice thing about it is it's exclusive, excuse me, and it just continues to validate the leadership where we have an API security, as well as obviously a leadership that CrowdStrike has. >> Exclusive in the sense that CrowdStrike's not going to invest in another API competitor and you're not going to take investment from an endpoint- >> Michael: Exactly. >> Or something like that. >> Endpoint or, you know, really cloud workload situation. >> Anything within that vastly expanding portfolio. >> Michael: Exactly. >> So pretty much anybody. >> Michael: Exactly. >> Except network security, from what I saw in the keynote yesterday, that's sort of on the table, for now. So, okay, so why should customers care about this? What's the benefit to them? >> Yeah, so if you think about, the security profile of organizations and where they seem to have potential risk, threat vectors, you know, endpoint, you know, Cloud obviously API becomes a bigger, threat vector as well. So I think the partnership just solidifies the fact that we want to create a better security profile for organizations and we want to make it safe for them to innovate and continue to do what they do. So I think that's the importance and when you put the two together it just creates a larger value proposition, more stickiness from end point to cloud, to APIs. >> So we have a partner, theCUBE, and in New York city and it's called ETR and they do quarterly surveys of CISOs, CIOs, IT buyers, about 12 to 1500 a quarter. And so I was chatting with those guys last week, they knew we were going to be at CrowdStrike and so they ran some data for all the API security vendors and you guys were, you know they had like the Gartner Magic Quadrant but it's not, you know, vision and execution, it's spending momentum and like presence in their survey, it's like market share, mind share. >> Sure. >> You guys were up and to the right, like, way, way, way ahead, I presume that's why you got the attention of CrowdStrike. I found their data set to be incredibly good, that's how we found CrowdStrike years ago, like, "Wow, who's this company?" >> Yeah. >> You know, companies like CrowdStrike, Okta, Zscaler, Snowflake Off The Charts, but you guys were really noticeable. Talk about the spending momentum you're seeing with customers, where's that coming from? >> Yeah, I mean look, for us it's a continuing growing market, it's accelerating and we're still in the, you know, early stages of the market, which is amazing. But if you think about what organizations do, they innovate, right, they innovate through, you know, software, through applications or APIs. So if you think about, you know, how do they continue to innovate safely? They need a solution, like Salt Security to protect from any bad actors that could potentially create any breaches, vulnerabilities. So I think that that's why CISOs in particular are super excited about talking to us, making sure that they have all of their bases covered especially when it comes to applications that they have within their organization, which continues to grow. >> And not to not to be a methodology geek, but the methodology they use is to essentially say, is a customer spending more or less, they subtract the lesses from the mores and that's what you're left with. And one of the lesses is churn, and if you have high churn, you're spending momentum, >> you know- >> Micheal: Yeah. >> In their methodology goes into the tank. So you have obviously admitted you have very low churn is that what you're saying in the field? >> Micheal: Absolutely. >> Why is that? >> Yeah, I mean, again, I think it's, it goes back to the value that we bring to customers. I think, you know, our solution works, we're the only AI/ML-based solution with deep context so we can really take a closer granular look at the APIs, model those APIs, create a baseline and really protect against them. So I mean, our solution works and it works really well and I think we provide value in that, you know, CISOs don't have to worry about any bad actors trying to infiltrate their applications 'cause they know that Salt Security is there protecting them. >> I know you're not the tech guy but you're the founder, co-founder of a technology company so you got to be conversant in the tech, 'cause this is the way it is in our business, so tell us about the tech, what's so cool about it? What's the differentiation? >> Yeah, I guess, and I mentioned that it's really AI/ML based, you know, we leverage big data and it's really the context associated to that, which means that, you know, we can get into granular details of really baselining the API itself. And what we do really well is, because these are unique attacks and these attacks could be days, weeks, months and we're the only vendor that, that can really correlate across that timeline because of the context-based big data that we leverage to be able to, you know, spot these potential bad actors that we look for. >> And all this happens in the cloud or? >> Absolutely, it's all... >> You have a server in your office? >> No, no, it's all it's a hundred percent SaaS-based, Cloud-based solution, I think that's one of the reasons why the partnership with CrowdStrike is so amazing as well. >> Talk a little bit more about the synergies between CrowdStrike and Salt Security. >> Tons of synergies, I mean, if you think about from, you know, from the part of being a little fluffy culture, the two companies have similar cultures, we go after similar you know, first Cloud, innovative companies. If you think about kind of the technology that CrowdStrike has put forth, revolutionized the endpoint security, and now moving into the Cloud, you know, leveraging AI and ML, we're doing the exact same thing so I think there's a lot of synergies associated with that. And again, the final point that I'll make is that you know, we think together the, you know, better together story is, resonates just because if you think about all of the areas that you know have potential breaches, these threats, we kind of cover 'em all with the partnership. >> When I talk to a founding, you know, co-founder, who's a go to market pro, I like to ask them how did you know when to scale? I mean, you got to have product market fit, I see so many companies failing because they try to go to market before they have, they try to scale go to market before they have product market, but how did you do it? How did you know when to scale? >> You know, it's tricky, and you got to look at a couple of, you know, factors, you got to look at the market, you got to look at, you know, how much potential opportunity exists and you really need to look at, the momentum that is being established. You know, when you talk to CISOs, kind of, you know, talking to them about projects and how, how they prioritize projects and where API security fits, you know, once it begins to be the top three and you start that momentum and obviously you bringing in the revenue. I think that those are signs that we see, that we say, "Okay, we need to double down on making sure we've got coverage across the world in order for us to support demand." >> And you were the first sales rep, right? >> Michael: Yeah. >> Okay. >> Roy and I, I was the first AE, here was the first SE. >> Okay, but your early go-to market pros are probably different than what you're bringing in today, you didn't have, you know, a lot of BDRs at the time, but you guys were hands on consultants- >> Absolutely. >> Like sort of process consultants, sales folks, right? And then you codify that when you're ready to scale and now you're, is that kind of a, what you're doing? >> Absolutely, I mean, you nailed it, I mean, it's in the early stages, it's validating that there's a problem that exists in the market and how important is that problem, you know, to CISOs. So when we first started we met probably about 50 CISOs where we just had that conversation, not about sales, it was more about, "Hey we just want to talk to you about a problem we think exists in the market, love to get your reaction on that problem and then obviously how you're solving that problem and how much of a priority is that problem," How important is it to you? And then once you have those discussions then you can really find those individuals, early adopters if you will, that are ready to buy and then it kind of proliferates from there. >> And then you have a CRO , I presume, right? So what was that like finding him or her, is a really important first sales hire. >> Super important, yeah. >> How did you go about that? How long did it take? >> Yeah so it took about six to eight months and you know it's really tough because, you know, we look at cultural fit, above everything else. So it's not, that, "Can they do the job?" it's culturally, do they fit in? And you know, how much can that individual scale the organization? So there's a lot of factors associated, there's a lot of individuals associated to, you know with the interview process. So that's how we looked at it and obviously we wanted somebody that had experience in a company our size, was able to scale it and so on. The one tricky thing is, and I'll tell you this, is, you know, for Roy and I, you kind of have to let go a little bit, that was really tough, so knowing that you need to do that is something that- >> A little bit of founderitis? >> Micheal: Yeah. >> Dave: It's hard, right? >> Micheal: It's hard. >> Dave: Yeah, it's your baby. >> It's like, whaat? >> I get it, Michael, thanks so much for coming to theCUBE, congratulations on the news- >> Thank you Dave. >> The investment and good luck. >> Awesome, thank you so much, appreciate it. >> You're really welcome. All right, keep it right there, we'll be back right after this short break. Dave Vellante for theCUBE at FalCon22, CrowdStrike's big user event, we'll be right back. (cheerful bouncy music)

>>Hello, and welcome to the cubes presentation of the AWS startup showcase. This is season two, episode four, the ongoing series covering exciting startups from the AWS ecosystem to talk about cyber security. I'm your host, John feer. And today we're excited to join by a Mediatel Walker, CEO of Quin security and sub IER, vice president of product management of sequence security gentlemen, thanks for joining us today on this showcase. >>Thank you, John PRAs. >>So the title of this session is continuous API protection life cycle to discover, detect, and defend security. APIs are part of it. They're hardened, everyone's using them, but they're they're target for malicious behavior. This is the focus of this segment. You guys are in the leading edge of this. What are the biggest challenges for organizations right now in assessing their security risks? Because you're seeing APIs all over the place in the news, just even this week, Twitter had a whistleblower come out from the security group, talking about their security plans, misleading the FTC on the bots and some of the malicious behavior inside the API interface of Twitter. This is really a mainstream Washington post is reporting on it. New York times, all the global outlets are talking about this story. This is the risk. I mean, yeah, this is what you guys do protect against this. >>Yeah, this is absolutely top of mind for a lot of security folks today. So obviously in the media and the type of attack that that is being discussed with this whistleblower coming out is called reputation bombing. This is not new. This has been going on since I would say at least eight to 10 years where the, the bad actors are using bots or automation and ultimately using APIs on these large social media platforms, whether it's Facebook, whether it's Twitter or some other social media platform and messing with the reputation system of those large platforms. And what I mean by that is they will do fake likes, fake commenting, fake retweeting in the case of Twitter. And what that means is that things that are, should not be very popular, all of a sudden become popular. That that way they're able to influence things like elections, shopping habits, personnel. >>We, we work with similar profile companies and we see this all the time. We, we mostly work on some of the secondary platforms like dating and other sort of social media platforms around music sharing and things like video sharing. And we see this all the time. These, these bots are bad. Actors are using bots, but ultimately it's an API problem. It's not just a bot problem. And that's what we've been trying to sort of preach to the world, which is your bot problem is subset of your API security challenges that you deal as an organization. >>You know, IMIA, we talked about this in the past on a previous conversation, but this really is front and center mainstream for the whole world to see around the challenges. All companies face, every CSO, every CIO, every board member organizations out there looking at this security posture that spans not just information technology, but physical and now social engineering. You have all kinds of new payloads of malicious behavior that are being compromised through, through things like APIs. This is not just about CSO, chief information security officer. This is chief security officer issues. What's your reaction >>Very much so I think the, this is a security problem, but it's also a reputation problem. In some cases, it's a data governance problem. We work with several companies which have very restrictive data governance and data regulations or data residency regulations there to conform to those regulations. And they have to look at that. It's not just a CSO problem anymore. In case of the, the news of the day to day, this is a platform problem. This goes all the way to the, that time CTO of Twitter. And now the CEO of Twitter, who was in charge of dealing with these problems. We see as just to give you an example, we, we work, we work with a similar sort of social media platform that allows Oop based login to their platform that is using tokens. You can sort of sign in with Facebook, sign in with Twitter, sign in with Google. These are API keys that are generated and trusted by these social media platforms. When we saw that Facebook leaked about 50 million of these login credentials or API keys, this was about three, four years ago. I wrote a blog about it. We saw a huge spike in those API keys being used to log to other social media platforms. So although one social platform might be taking care of its, you know, API or what problem, if something else gets reached somewhere else, it has a cascading impact on a variety of platforms. >>You know, that's a really interesting dynamic. And if you think about just the token piece that you mentioned, that's kind of under the coverage, that's a technology challenge, but also you get in the business logic. So let's go back and, and unpack that, okay, they discontinue the tokens. Now they're being reused here. In the case of Twitter, I was talking to an executive here in Silicon valley and they said, yeah, it's a cautionary tale, for sure. Although Twitter's a unique situation, but they abstract out the business value and say, Hey, they had an M and a deal on the table. And so if someone wants to unwind that deal, all I gotta say is, Hey, there's a bot problem. And now you have essentially new kinds of risk in the business have nothing to do with some sign the technology, okay. They got a security breach, but here with Twitter, you have an, an, an M and a deal, an acquisition that's being contested because of the, the APIs. So, so if you're in business, you gotta think to yourself, what am I risking with my API? So every organization should be assessing their security risks, tied to their APIs. This is a huge awakening for them. Where should they start? And that's the, that's the core question. Okay. You got my attention risks with the API. What do I do? >>So when I talked to you in my previous interview, the start is basically knowing what to, in most cases, you see these that are hitting the wire much. Every now there is a major in cases you'll find these APIs are targeted, that are not poorly protected. They're absolutely just not protected at all, which means the security team or any sort of team that is responsible for protecting these APIs are just completely unaware of these APIs being there in the first place. And this is where we talk about the shadow it or shadow API problem. Large enterprises have teams that are geo distributed, and this problem is escalated after the pandemic even more because now you have teams that are completely distributed. They do M and a. So they acquire new companies and have no visibility into their API or security practices. And so there are a lot of driving factors why these APIs are just not protected and, and just unknown even more to the security team. So the first step has to be discover your API attack surface, and then prioritize which APIs you wanna target in terms of runtime protection. >>Yeah. I wanna dig into that API kind of attack surface area management, runtime monitoring capability in a second, but so I wanna get you in here too, because we're talking about APIs, we're talking about attacks. What does an API attack look like? >>Yeah, that's a very good question, John, there are really two different forms of attacks of APIs, one type of attack, exploits, APIs that have known vulnerabilities or some form of vulnerabilities. For instance, APIs that may use a weak form of authentication or are really built with no authentication at all, or have some sort of vulnerability that makes them very good targets for an attacker to target. And the second form of attack is a more subtle one. It's called business logic abuse. It's, it's utilizing APIs in completely legitimate manner manners, but exploiting those APIs to exfiltrate information or key sensitive information that was probably not thought through by the developer or the designers or those APIs. And really when we do API protection, we really need to be able to handle both of those scenarios, protect against abuse of APIs, such as broken authentication, or broken object level authorization APIs with that problem, as well as protecting APIs from business logic abuse. And that's really how we, you know, differentiate against other vendors in this >>Market. So just what are the, those key differentiated ways to identify the, in the malicious intents with APIs? Can you, can you just summarize that real quick, the three ways? >>Sure. Yeah, absolutely. There are three key ways that we differentiate against our competition. One is in the, we have built out a, in the ability to actually detect such traffic. We have built out a very sophisticated threat intelligence network built over the entire lifetime of the company where we have very well curated information about malicious infrastructures, malicious operators around the world, including not just it address ranges, but also which infrastructures do they operate on and stuff like that, which actually helps a lot in, in many environments in especially B2C environments, that alone accounts for a lot of efficacy for us in detecting our weed out bad traffic. The second aspect is in analyzing the request that are coming in the API traffic that is coming in and from the request itself, being able to tell if there is credential abuse going on or credential stuffing going on or known patterns that the traffic is exhibiting, that looks like it is clearly trying to attack the attack, the APM. >>And the third one is, is really more sophisticated as they go farther and farther. It gets more sophisticated where sequence actually has a lot of machine learning models built in which actually profile the traffic that is coming in and separate. So the legitimate or learns the legitimate traffic from the anomalous or suspicious traffic. So as the traffic, as the API requests are coming in, it automatically can tell that this traffic does not look like legitimate traffic does not look like the traffic that this API typically gets and automatically uses that to figure out, okay, where is this traffic coming from? And automatically takes action to prevent that attack? >>You know, it's interesting APIs have been part of the goodness of cloud and cloud scale. And it reminds me of the old Andy Grove quote, founder of, in one of the founders of Intel, you know, let chaos, let, let the chaos happen, then reign it in it's APIs. You know, a lot of people have been creating them and you've got a lot of different stakeholders involved in creating them. And so now securing them and now manage them. So a lot of creation now you're starting to secure them and now you gotta manage 'em. This all is now big focus. As you pointed out, what are some of the dynamics that customers who have to deal with on the product side and, and organization, let, let chaos rain, and then rain in the chaos, as, as the saying goes, what, what do companies do? >>Yeah. Typically companies start off with like, like a mayor talked about earlier. Discovery is really the key thing to start with, like figuring out what your API attack surfaces and really getting your arms around that problem. And typically we are finding customers start that off from the security organization, the CSO organization to really go after that problem. And in some cases, in some customers, we even find like dedicated centers of excellence that are created for API security, which go after that problem to be able to get their arms around the whole API attack surface and the API protection problem statement. So that's where usually that problem starts to get addressed. >>I mean, organizations and your customers have to stop the attacks. A lot of different techniques, you know, run time. You mentioned that earlier, the surface area monitoring, what's the choice. What's the, where are, where are, where is everybody? Is everyone in the, in the boiling water, like the frog and boiling water or they do, they know it's happening? Like what did they do? What's their opportunity to get in >>Position? Yeah. So I, I think let's take a step back a little bit, right? What has happened is if you draw the cloud security market, if you will, right. Which is the journey to the cloud, the security of these applications or APIs at a container level, in terms of vulnerabilities and, and other things that market grew with the journey to the cloud, pretty much locked in lockstep. What has happened in the API side is the API space has kind of lacked behind the growth and explosion in the API space. So what that means is APIs are getting published way faster than the security teams are able to sort of control and secure them. APIs are getting published in environments that the security completely unaware of. We talked about in the past about the parameter, the parameter, as we know, it doesn't exist anymore. It used to be the case that you hit a CDN, you terminate your SSL, you stop your layer three and four DDoS. >>And then you go into the application and do the business logic. That parameter is just gone because it's now could be living in multi-cloud environment. It could be living in the on-prem environment, which is PubNet is friendly. And so security teams that are used to protecting apps, using a perimeter defense plus changes, it's gone. You need to figure out where your perimeter is. And therefore we sort of recommend an approach, which is have a uniform view across all your APIs, wherever they could be distributed and have a single point of control across those with a solution like sequence. And there are others also in this space, which is giving you that uniform view, which is first giving you that, you know, outside and looking view of what APIs to protect. And then let's, you sort of take the journey of securing the API life cycle. >>So I would say that every company now hear me out on this indulges me for a second. Every company in the world will be non perimeter based, except for maybe 5% because of maybe unique reason, proprietary lockdown, information, whatever. But for most, most companies, everyone will be in the cloud or some cloud native, non perimeter based security posture. So the question is, how does your platform fit into that trajectory? And specifically, why are you guys in the position in your mind to help customers solve this API problem? Because again, APIs have been the greatest thing about the cloud, right? Yeah. So the goodness is there because of APS. Now you gotta reign it in reign in the chaos. Yeah. What, what about your platform share? What is it, why is it win? Why should customers care about this? >>Absolutely. So if you think about it, you're right, the parameter doesn't exist. People have APIs deployed in multiple environments, multicloud hybrid, you name it sequence is uniquely positioned in a way that we can work with your environment. No matter what that environment is. We're the only player in this space that can protect your APIs purely as a SA solution or purely as an on-prem deployment. And that could be a SaaS platform. It doesn't need to be RackN, but we also support that and we could be a hybrid deployment. We have some deployments which are on your prem and the rest of this solution is in our SA. If you think about it, customers have secured their APIs with sequence with 15 minutes, you know, going live from zero to life and getting that protection instantaneously. We have customers that are processing a billion API calls per day, across variety of different cloud environments in sort of six different brands. And so that scale, that flexibility of where we can plug into your infrastructure or be completely off of your infrastructure is something unique to sequence that we offer that nobody else is offering >>Today. Okay. So I'll be, I'll be a naysayer. Yeah, look, it, we are perfectly coded APIs. We are the best in the business. We're locked down. Our APIs are as tight as a drum. Why do I need you? >>So that goes back to who's answer. Of course, >>Everyone's say that that's, that's great, but that's my argument. >>There are two types of API attacks. One is a tactic problem, which is exploiting a vulnerability in an API, right? So what you're saying is my APIs are secure. It does not have any vulnerability I've taken care of all vulnerabilities. The second type of attack that targets APIs is the business logic. Use this stuff in the news this week, which is the whistleblower problem, which is, if you think APIs that Twitter is publishing for users are perfectly secure. They are taking care of all the vulnerabilities and patching them when they find new ones. But it's the business logic of, you know, REWE liking or commenting that the bots are targeting, which they have no against. Right. And then none of the other social networks too. Yeah. So there are many examples. Uber wrote a program to impersonate users in different geo locations to find lifts, pricing, and driver information and passenger information, completely legitimate use of APIs for illegitimate, illegitimate purpose using bots. So you don't need bots by the way, don't, don't make this about bot versus not. Yeah. You can use APIs sort of for the, the purpose that they're not designed for sort of exploiting their business logic, either using a human interacting, a human farm, interacting with those APIs or a bot form targeting those APIs, I think. But that's the problem when you have, even when you've secured all your problem, all your APIs, you still have to worry about these of challenges. >>I think that's the big one. I think the business logic one, certainly the Twitter highlights that the Uber example is a good one. That is basically almost the, the backlash of having a simplistic API, which people design to. Right. Yeah. You know, as you point out, Twitter is very simple API, hardened, very strong security, but they're using it to maliciously manipulate what's inside. So in a way that perimeter's dead too. Right. So how do you stop that business logic? What's the, what's the solution what's the customer do about that? Because their goal is to create simple, scalable APIs. >>Yeah. I'll, I'll give you a little bit, and then I think Subaru should maybe go into a little bit of the depth of the problem, but what I think that the answer lies in what Subaru spoke earlier, which is our ML. AI is, is good at profiling plus split between the API users, are these legitimate users, humans versus bots. That's the first split we do. The split second split we do is even when these, these are classified users as bots, we will say there are some good bots that are necessary for the business and bad bots. So we are able to split this across three types of users, legitimate humans, good bots and bad bots. And just to give you an example of good bots is there are in the financial work, there are aggregators that are scraping your data and aggregating for end users to consume, right? Your, your, and other type of financial aggregators FinTech companies like MX. These are good bots and you wanna allow them to, you know, use your APIs, whereas you wanna stop the bad bots from using your APIs super, if you wanna add so, >>So good bots versus bad bots, that's the focus. Go ahead. Weigh in, weigh in on your thought on this >>Really breaks down into three key areas that we talk about here, sequence, right? One is you start by discovering all your APIs. How many APIs do I have in my environment that ly immediately highlight and say, Hey, you have, you know, 10,000 APIs. And that usually is an eye opener to many customers where they go, wow. I thought we had a 10th of that number. That usually is an eyeopener for them to, to at least know where they're at. The second thing is to tell them detection information. So discover, detect, and defend detect will tell them, Hey, your APIs are getting traffic from. So and so it addresses so and so infrastructure. So and so countries and so on that usually is another eye opener for them. They then get to see where their API traffic is coming from. Let's say, if you are a, if you're running a pizza delivery service out of California and your traffic is coming from Eastern Europe to go, wait a minute, nobody's trying, I'm not, I'm not, I don't deliver pizzas in Eastern Europe. Why am I getting traffic from that part of the world? So that sort of traffic immediately comes up and it will tell you that it is hitting your unauthenticated API. It is hitting your API. That has, that is vulnerable to a broken object level, that authorization, vulnerable be and so on. >>Yeah, I think, and >>Then comes the different aspect. Yeah. The different aspect is where you can take action and say, I wanna block certain types of traffic, or I wanna rate limit certain types of traffic. If, if you're seeing spikes there or you could maybe insert header so that it passes on to the end application and the application team can use that bit to essentially take a, a conscious response. And so, so the platform is very flexible in allowing them to take an action that suits their needs. >>Yeah. And I think this is the big trend. This is why I like what you guys are doing. One APIs we're built for the goodness of cloud. They're now the plumbing, you know, anytime you see plumbing involved, connection points, you know, that's pretty important. People are building it out and it has made the cloud what it is. Now, you got a security challenge. You gotta add more intelligence, more smarts to it. This is where I think platform versus tools matter. Can you guys just quickly share your thoughts on that? Cuz a lot of your customers and, and future customers have dealt with the sprawls of all these different tools. Right? I got a tool for this. I got a tool for that, but people are gravitating towards platforms, but how many platforms can a customer have? So again, this brings up the point point around how you guys are engaging with customers. Can you share your thoughts on tooling platforms? Your customers are constantly inundated with the same tsunami. Isn't new thing. Why, what, how should they look at this? >>Yeah, I mean, we don't wanna be, we don't wanna add to that alert fatigue problem that affects much of the cybersecurity industry by generating a whole bunch of alerts and so on. So what we do is we actually integrate very well with S IEM systems or so systems and allow customers to integrate the information that we are detecting or mitigating and feed them onto enterprise systems like a Splunk or a Datadog where they may have sophisticated processes built in to monitor, you know, spikes in anomalous traffic or actions that are taken by sequence. And that can be their dashboard where a whole bunch of alerting and reporting actually happens. So we play in the security ecosystem very well by integrating with other products and integrate very tightly with them, right outta the box. >>Okay. Mia, this is a wrap up now for the showcase. Really appreciate you guys sharing your awesome technology and very relevant product for your customers and where we are right now in this we call Supercloud or now multi-cloud or hybrid world of cloud. Share a, a little bit about the company, how people can get involved in your solution, how they can consume it and things they should know about, about sequence security. >>Yeah, we've been on this journey, an exciting journey it's been for, for about eight years. We have very large fortune 100 global 500 customers that use our platform on a daily basis. We have some amazing logos, both in Europe and, and, and in us customers are, this is basically not the shelf product customers not only use it, but depend on sequence. Several retailers. We are sitting in front of them handling, you know, black Friday, cyber, Monday, Christmas shopping, or any sort of holiday seasonality shopping. And we have handled that the journey starts by, by just simply looking at your API attack surface, just to a discover call with sequence, figure out where your APIs are posted work with you to prioritize how to protect them in a sort of a particular order and take the whole life cycle with sequence. This is, this is an exciting phase exciting sort of stage in the company's life. We just raised a very sort of large CDC round of funding in December from Menlo ventures. And we are excited to see, you know, what's next in, in, in the next, you know, 12 to 18 months. It certainly is the, you know, one of the top two or three items on the CSOs, you know, budget list for next year. So we are extremely busy, but we are looking for, for what the next 12 to 18 months are, are in store for us. >>Well, congratulations to all the success. So will you run the roadmap? You know, APIs are the plumbing. If you will, you know, they connection points, you know, you want to kind of keep 'em simple, as they say, keep the pipes dumb and make the intelligence around it. You seem to see more and more intelligence coming around, not just securing it, but does, where does this go in your mind? Where, where do we go beyond once we secure everything and manage it properly, APRs, aren't going away, they're only gonna get better and smarter. Where's the intelligence coming share a little bit. >>Absolutely. Yeah. I mean, there's not a dull moment in the space. As digital transformation happens to most enterprise systems, many applications are getting transformed. We are seeing an absolute explosion in the volume of APIs and the types of APIs as well. So the applications that were predominantly limited to data centers sort of deployments are now splintered across multiple different cloud environments are completely microservices based APIs, deep inside a Kubernetes cluster, for instance, and so on. So very exciting stuff in terms of proliferation of volume of APIs, as well as types of APIs, there's nature of APIs. And we are building very sophisticated machine learning models that can analyze traffic patterns of such APIs and automatically tell legitimate behavior from anomalous or suspicious behavior and so on. So very exciting sort of breadth of capabilities that we are looking at. >>Okay. I mean, yeah. I'll give you the final words since you're the CEO for the CSOs out there, the chief information security officers and the chief security officers, what do you want to tell them? If you could give them a quick shout out? What would you say to them? >>My shout out is just do an assessment with sequence. I think this is a repeating thing here, but really get to know your APIs first, before you decide what and where to protect them. That's the one simple thing I can mention for thes >>Am. Thank you so much for, for joining me today. Really appreciate it. >>Thank you. >>Thank you. Okay. That is the end of this segment of the eight of his startup showcase. Season two, episode four, I'm John for your host and we're here with sequin security. Thanks for watching.

>>Hello, everyone. Welcome to the cubes presentation of the a startup showcase. This is our season two episode four of the ongoing series covering exciting hot startups from the a AWS ecosystem. And here we talk about cybersecurity. I'm John furrier, your host we're joined by Carl Mattson, CISO, chief information security officer of no name security, keep alumni. We just chatted with you at reinforce a business event. We're here to talk about securing APIs from code to production. Carl, thanks for joining. >>Good to see you again. Thanks for the invitation, John. >>You know, one of the hottest topics right now about APIs is, you know, it's a double edged sword, you know, on one hand, it's the goodness of cloud APIs make the cloud. That's the API first. Now you're starting to see them all over the place. Is APIs everywhere, securing them and manage them. It's really a top conversation at many levels. One, you're gonna have a great API, but if you're gonna manipulate the business logic, that's a problem too. So a lot going on with APIs, they're the underpinnings of the modern enterprise. So take us through your view here. How are you guys looking at this? You want to continue to use APIs, they're critical connective tissue in the cloud, but you also gotta have good plumbing. Where, what do you do? How do you secure that? How do you manage it? How do you lock it down? >>Yeah, so the, the more critical APIs become the more important it becomes to look at the, the API as really a, a, a unique class of assets, because the, the security controls we employ from configuration management and asset management, application security, both testing and, and protection like, like EDR, the, the, the platforms that we use to control our environments. They're, they're, they're poorly suited for APIs. And so >>As the API takes prominence in the organization, it goes from this sort of edge case of, of, of a utility now to like a real, a real crown jewel asset. And we have to have, you know, controls and, and technologies in place and, and, and skilled teams that can really focus in on those controls that are, that are unique to the API, especially necessary when the API is carrying like business critical workloads or sensitive data for customers. So we really have to, to sharpen our tools, so to speak, to, to focus on the API as the centerpiece of a, of an application security program, >>You know, you guys have a comprehensive view. I know the philosophy of the company is rooted in, in, in API life cycle development management runtime. Can you take a minute to explain and give an overview of no name security? And then I wanna jump into specifically the security platform and the capabilities. >>Sure. So we're an API security company just under three years old now. And, and we we've taken a new look at the API, looking at it from a, from a, a full lifecycle perspective. So it, it, isn't new to application security professionals that APIs are, are a software asset that needs to be tested for security, vulnerabilities, security testing prior to moving into production. But the reality is, is the API security exposures that are hitting the news almost every day. A lot of those things have to do with things like runtime errors and misconfigurations or changes made on the fly, cuz APIs are, are changed very rapidly. So in order for us to counter API risks, we have to look at the, the full life cycle from, from the moment the developer begins, coding the source code level through the testing gates, through the, the operational configuration. And then to that really sophisticated piece of looking at the business logic. And, and as you mentioned, the, the business logic of the API is, is unique and can be compromised with, with exploits that, that are specific to an API. So looking at the whole continuum of API controls, that's what we focused on. >>It's interesting, you know, we've had APIs for a while. I mean, I've never heard and seen so much activity now more than ever around APIs and security. Why is it recently we're seeing this conversation increase with specific solutions and why are we seeing more breaches and concerns about security? Because APIs are hardened. I mean, like, what's the big deal. Why now what's the big focus? Why is APIs becoming more in the conversation for CSOs and companies to secure? And why is it a problem? >>Well, take, take APIs that we had, you know, eight, 10 years ago, most of those were, were internally facing APIs. And so there were a lot of elements of the API design that we would not have put in place if we had intended that to be public facing authentication and authorization. That that was, is we kind of get away with a little bit of sloppy hygiene when it's internal to the network. But now that we're exposing those APIs and we're publishing APIs to the world, there's a degree of precision required. So when we, when we put an API out there for public consumption, the stakes are just much higher. The level of precision we need the business criticality, just the operational viability and the integrity of that API has to be precise in a way that really wasn't necessary when the API was sort of a general purpose internal network utility as it was in the past. And then the other, other area of course, is then just the sheer use of a API at the infrastructure layer. So you think about AWS, for example, most of the workloads in the modern cloud, they communicate and talk via API. And so those are even if they're internally facing APIs misconfigurations can occur and they could be public facing, or they could be compromised. And so we wanna look at all, all of the sort of facets of APIs, because now there's so much at stake with getting API security, right. >>You know, this brings up the whole conversation around API to API, and you guys talk about life cycle, right? The full life cycle of an API. Can you take me through that and what you mean by that? Because, you know, some people will say, Hey, APIs are pretty straightforward. You got source code, you can secure it. Code scanning, do a pen test. We're done why the full cycle approach is it because APIs are talking to third parties? Is it because what I mean, what's the reason what, what's the focus, why full life cycle of an API? Why should a company take this approach? >>Sure. So there's, there's really three sort of primary control areas that we look at for, for APIs as like what I call the traditional controls. There would be those to, to test and ensure that the source code itself has as quality or is, is secure. And that can, that can, of course, usually a step one. And that's, that's an important thing to, to do, but let's say let's for the sake of discussion that API that is designed securely is deployed into production, but the production environment in which it's deployed, doesn't protect that API the way that the developer intended. So a great example would be if an API gateway doesn't enforce the authentication policy intended by the developer. And so there we have, there's not the developer's fault. Now we have a misconfiguration in production. And so that's a, that's a type of example also where now a, an attacker can send a sort of a single request to that API without authentication or with, you know, misformed authentication types and, and succeed resulting in data. >>The waft didn't protect against it. It was secure code. And so when we look at the sequence of API controls, they all really have to be in sync because source code is really the first and most important job, but good, good API design and source code doesn't solve all challenges for their production environment. We have to look at the whole life cycle in order to counter the risk IBM's research last year in its X worth survey, estimated that 60% of all API breaches are due to misconfiguration, not to source code design. And so that's really where we have to marry the two of the runtime protection configuration management with the, the, the source code testing and design. >>It's, it's interesting, you know, we've all been around the block, we've seen the early days and you know, it was really great back in the day you sling an API, Hey, you know, Carl, you have an API for that. Oh, sure. I'll bang it out tonight. You know? So, so the, you know, they've gotten better, I'm over simplifying, but you get the idea they've been kind of really cool to work with and connect with systems. It's now plumbing. Okay. So organizations have, are dealing with this, they're dealing with APIs and more of them, how do they know where they stand? Is there like a API discovery capability? What do they do? What does a CSO do? What does a staff do saying, okay, you know what? We don't wanna stop the API movement cuz that's key to the cloud. How do we reign it in? How do we reign in the chaos? What do they do? Is there playbook? What does, how does an organization know exactly where it stands with the state of their APIs? >>Yeah. That, and that's usually where we started a discussion with a, with a customer is, is, is a diagnosis, right? Because when we, when we look at sort of diagnosing what our API risk exposure, the, you know, the, the first critical control is always know your assets and, and that we, we have to discover them. So we, we, we employ usually discovery as the very first step to see the full ecosystem of APIs, whether they're internal, external facing, whether they're routed through a gateway or whether they're routed through a WF, we have to see the full picture and then analyze that API footprint in terms of its network context, it's vulnerabilities, it's configuration qualities so that we can see a picture of where we are now in, in any particular organization, we may find that there's a, a, a, a high quality of source code. >>Perhaps the gaps are in configuration, or we may see the reverse. And so we, we don't necessarily make an assumption about what we'll find, but we know that that observability is really the, the first step in that, in that process is just to really get a firm sort of objective understanding of, of where the APIs are. And, and the really important part about the, the observability to the API inventory is to do it with the context also of the sense of the data types. Because, you know, for example, we see organizations, our own research showed that for organizations over 10,000 employees, the average population of APIs is over 25,000 in each organization, 25,000 AP thousand APIs is an extraordinary amount to, to even contemplate a human understanding of. So we have to fingerprint our APIs. We have to look at the sensitive data types so that we can apply our intellect and our resources towards protecting those APIs, which have, which are carrying sensitive data, or which are carrying critical workloads, because there are a lot of APIs that still remain today, even sort of internally facing utilities, work courses that keep the lights on, but not particularly high risk when it comes to sensitive data. >>So that, that, that triage process of like really honing in on the, on the high risk activity or the high risk APIs that they're carrying sensitive data, and then then sort of risk exposure assessing them and to see where an organization is. That's always the first step, >>You know, it's interesting. I like your approach of having this security platform that gives the security teams, the ability to kinda let the developers do their thing and, and then have this kind of security ops kind of platform to watch and monitor and any potential attacks. So I can see the picture there. I have to ask you though, as a CSO, I mean, what's different now, because back in the old days where API's even on the radar and two, there's a big discussion around software supply chain. This kind of this API is now a new area. As you'd been referring to people, stealing data, things are in transit with APIs. What is the, the big picture, if you had to kind of scope out the magnitude of like the API problem and, and relevance for a fellow CSO, how, how would you have that conversation? You'd be like, Hey, APIs are outta control. You gotta reign it in. Or is it a 10 and a 10? Is it a eight? I mean, yep. Take me through a conversation you're having with security teams or other CSOs around the magnitude of the scoped scoping the problem. >>Yeah. So I, I think of the, the, the API sort of problem space has a lot of echoes to the, to the conversations and the thought processes we were having about public cloud adoption a few years ago. Right. But there was, there were early adopters of public cloud and, and over the course of time, there was sort of a, an acquiescence to public cloud services. And now we have like actually like robust enterprise grade controls available in public cloud. And now we're all racing to get there. If we, if we have anything in the data center left, we're, we're trying to get to the public cloud as fast as possible. And so I think organization by organization, you'll, you'll see a, a, a reminiscent sort of trajectory of, of API utilization, because like an application we're out of gone are the days of the monolithic application, where it's a single, you know, a single website with one code base. >>And I kind of compare that to the data center, this comparison, which is the monolithic application is now sort of being decomposed into microservices and APIs. There are different differences in terms of how far along that decomposition into microservices and organization is. But we definitely see that the, that that trend continues and that applications in the, you know, three to five to 10 year timeframe, they increasingly become only APIs. So that an organization's app development team is almost exclusively creating APIs as, as the, as the output of software development. Whereas there's a, there's a journey to, towards that path that we see. And so, so a security team looking at this problem set, what I, you know, advise for, for a CISO. The looking at this maybe for the first time is to think about this as this is the competency that we, our security teams need to have. That competency may, may be at different degrees of criticality, depending on where that company is in transition. But it's not a, it's not a question of if it's a question of when and how fast do we need to develop this competency in a team because our applications will become almost exclusively APIs over time, just like our infrastructures are on the way to becoming almost exclusively public cloud hosted over time. >>Yeah. I mean, get on the API bus basically is the message like, look it, if you're not on this, you're gonna have a lot of problems. So in a way there's a proactive nature here for security teams at the same time, it's still out there and growing, I mean, the DevOps movement was essentially kind of cavalier, very Maverick oriented, sling APIs around no problem, Linga Franco connecting to other systems and API to an endpoint to another application. That's what it was. And so as it matures, it becomes much more of a, as you say, connective tissue in the cloud native world, this is real. You agree with that obviously? >>Yeah, absolutely. I mean, I think that the, I think that these, these API connections are, are, are the connective tissue of most of what we do right now. Even if we are, are not, you know, presently conscious of it, but they're, they're increasingly gonna become more and more central. So that's, that's, that's a, that's a journey whether, whether the, the focus on API security is to let's say, put the toothpaste back in the tube for something that's already broken, or whether it is preventative or prep preparing for where the organization goes in the future. But both of those, both of those are true. Or both of those are valid reasons to emphasize the investment in API security as a, as a talent processes, technologies all the above. >>Okay. You sold me on I'm the customer for a minute. Okay. And now I'm gonna replay back to you. Hey, Carl, love it. You sold me on this. I'm gonna get out front we're we're in lift and shift mode, but we can see APIs as we start building out our cloud native. And, but I'm really trying to hire a team. I got a skills gap here too. Yep. That's one customer. Yep. The other customers, Hey man, we've been on this train for a while. Kyle. We, we, we feel you, we in DevOps pioneer, we're now scaling out. We got all kinds of sprawl, API sprawl. How do I reign it in? And what do you guys do? What's your answer to those scenarios from a security platform perspective and how does that, what's the value proposition in those scenarios? >>I think the value proposition of what we've done is really to, to lean into the API as the, as the answer key to the problem set. So, you know, whether it's integrating security testing into a code repo, or a C I C D pipeline, we can automate security testing and we can do that very efficiently in, in such a way that one applic when a one API security specialist with the right tools, it ins insulates the organization from having to go out and hire 10 more people, because they've all, all of a sudden have this explosive growth and development. There's so much about API security that can capitalize on automation and capitalize on API integrations. So the API integrations with web application firewalls, with SIM systems, those types of workflows that we can automate really do empower a team to, to use automation to scale and to approach the problem set without needing to go to the, the, sort of the impossible ask of growing these growing teams of people with special skills and, and who aren't available anyways, or they're extremely expensive. So we definitely see ourselves as, as a, as a sort of leaning into the API as, as part of the answer and creating opportunities for automation. >>Yeah. So I got one more kind of customer role play here. I says, I love this. This is a great conversation. You know, there's always the, the person in the room, Carl, hold on, boss. This is gonna complicate everything on the network layer, application changes. There's a lot of risks here. I'm nervous. What's your, how do you guys handle that objection that comes up all the time. You know, the, the person that's always blocking deals like, oh, it's risky implementing no name or this approach. How do you, how do you address the frictionless nature of developers? Wanna try stuff now they wanna get it in and they wanna try things. How do you answer the quote, complication or risk to network and application changes? >>Sure. Two, two really specific answers. The, the first is, is for the developers. We wanna put a API security in their hands because when they can, when they can test and model the security risks on their APIs, while they're developing, like in their IDE and in their code repos, they can iterate through security fixes and bugs like lightning fast. And they, and developers Le really appreciate that. They appreciate having the instant feedback loop within their workspace, within their workbench. So developers love being able to self-service security. And we want to empower developers to, to do that. Self-service rather than tossing code over the fence and waiting two weeks for the security team to test it, then tossing it back with a list of bugs and defects that annoys everybody. It's an inefficient. So >>For the record, just for the record, you guys are self-service to the developers. >>Yeah. Self-service to the developers. And that's really by customer sort of configuration choices. There are configuration choices that have, for example, the security team, establishing policy, establishing boundaries for testing activities that allow the developers to test source code iterate through, you know, defect, fixes, things like that. And then perhaps you establish like a firm control gate that says that, you know, vulnerabilities of, of medium and above are a, have to be remediated prior to that code committing to the next gate. That's the type of control that the security policy owner can can apply, but yes, the developers can self-service service and the, and the security team can set the threshold by which the, the, the, the source code moves through the SDLC. Everybody will. Yep. Exactly. And, and, but we're, we have to, we have to practice that too, because that's a, that's a new way of, of, of the security team and the developers interacting. >>So we, we, we, we have to have patterns that that teams can then adopt procedurally because we aren't, we aren't yet accustomed to having a lot of procedures that work that way. So yeah, we, we have templates, we've got professional services that we want to help those teams get that, that equation, right? Because it it's a, it's a truly win-win situation when you can really stick the landing on getting the developers, the self-service options with the security team, having the confidence level that the controls are employed. And then on, on the network side, by the way, I, I too am mortified of breaking infrastructure and, and which is exactly why, you know, what, what we do architecturally out of band is, is really a, a game changer because there are technologies we can put in, in line, there are disruptors and operational risks that we can incur when we are, where we utilizing a technology that, that can break things, can break business, critical traffic. >>So what we do is we lean into the, the, the sort of the network nodes and the, and the hosts that the organization already has identifying those APIs, creating the behavioral models that really identify misuse in progress, and then automate, blocking, but doing that out of, out of band, that's really important. That's how I feel about our infrastructure. I, I don't want sort of unintended disruption. I want, I want to utilize a platform that's out of band that I can use. That's much more lightweight than, you know, putting another box in, in the network line. Yeah, >>What's interesting is what you're talking about is kind of the new school of thought. And the script has flipped. The old school was solve complexity with more complexity, get in the way, inject some measurements, software agents on the network, get in the way and the developer, Hey, here's a new tool. We agreed in a, in a vacuum, go do this. I think now more than ever, developers are setting the agenda on, on, on the tooling, if it's, and it has to be self-service at our super cloud event that was validated across the board. That if it's self-service, it's gotta be self-service for the developer. Otherwise they won't use it pretty much. >>Oh, well, I couldn't agree more. And the other part too, is like, no matter what business we're in the security business is, is yeah, it has to honor like the, the, the business need for innovation. We have to honor the business need for, for, for speed. And we have to do our best to, to, to empower the, the sort of the strategy and empower the intent that the developers are, are delivering on. And yes, we need to be, we need to be seeking every opportunity to, to lift that developer up and, and give them the tools sort of in the moment we wanna wrap the developer in armor, not wake them down with an anchor. And that's the, that's the thing that we, we want to keep striving towards is, is making that possible for the security team. >>So you guys are very relevant right now. APIs are the favorite environment for hackers was seeing that with breaches and in the headlines every day, I love this comprehensive approach, developer focused op security team enablement, operationally relevant to all, all, all parties. I have to ask you, how do you answer and, and talk about the competition, cuz with the rise of this trend, a lot of more people entering this market, how should a customer decide between no name and everyone else pitch in API security? What's the, is there nuances? Is there differences? How do you compare what's the differentiation? >>Yeah, I think, you know, the, the, the first thing to mention is that, you know, companies that are in the space of API security, we, we have a lot more in common. We probably have differences cause we're focused on the same problems, but there's, there's really two changes that we've made bringing to market an API platform. Number one is to look full lifecycle. So it used to be that you could buy, you know, DAST and SAS software testing tools, no name has API testing in, so, you know, for source code and for pipeline integrations along with then the runtime and posture management, which is really the production network. And so we really do think that we span east west a much broader set of controls for the API. And then the second characteristic is, is architectural fit. Particularly in a runtime production environment, you have to have a solution that does, does not create significant disruptions. >>It doesn't require agent deployment that can maximize the, the, the infrastructure that an organization already has. So we think our, you know, a big advantage for us in, in the production environment is that we can, we can adapt to the contour of the customer. We don't have to have the customer adapt to the contour of our architecture. So that flexibility really serves well, particularly with complex organizations, global organizations or those that have on, you know, data centers and, and, and public cloud and, and multiple varieties. So our ability to sort of adapt to a customer's architecture really makes us sort of like a universal tool for organizations. And we think that's really, you know, bears out in the, in the customers, in the large organizations and enterprises that have adapted us because we can adapt really any condition. >>Yeah. And that's great alignment too, from an execution consumption standpoint, it's gotta be fast with a developer. You gotta be frictionless as much as possible. Good stuff there. I have to ask you Carl, as, as you are a CISO chief information security officer, you know, your peers are out there. They're they're, they got, man there's so much going on around them. They gotta manage the current, protect the future and architect, the next level infrastructure for security. What do you, what do you see out there as a CSO with your peers in the marketplace? You know, practitioners, you know, evaluating companies, evaluating technologies, managing the threat landscape, unlimited surface area, evolving with the edge coming online, what's on their mind. How do you see it? What's your, what's your view there? What's your vision if you were, if you were in the hot seat in a big organization, I mean, obviously you're got a hot seat there with no name, but you're also, you know, you're seeing both sides of the coin at no name, you know, the CISO. So are they the frog and boiling water right now? Or like, like what's going on in their world right now? How would you describe the state of, of the CISO in cyber security? >>Yeah, there's, there's, there's two kind of tactical themes. I think almost every CISO shares the, the, the, the, the first tactical theme is, is I as a CISO. I probably know there's a technology out there to solve a little bit of every problem possible. Like, that's you objectively true. But what I don't wanna do is I don't wanna buy 75 technologies when I could buy 20 platforms or 12 that could solve that problem set. So the first thing I wanna do is as I, I want to communicate what we do from the perspective of, of like a single platform that does multiple things from source code testing, to posture and configuration to runtime defense, because I, a CISO's sensibilities is, is, is, is challenged by having 15 technologies. I really just want a couple to manage because it's complexity that we're managing when we're managing all these technologies. >>Even if something works for a point problem set, I, I don't want another technology to implement and manage. That's, that's just throwing money. Oftentimes at, at suboptimal, you know, we're not getting the results when we just throw tools at a problem. So the, that that platform concept is I think really appealing cuz every CSO is looking to consider, how do I reduce the number of technologies that I have? The second thing is every organization faces the challenge of talent. So what are, what are my options for talent, for mitigating? What is sort of, I, I can't hire enough qualified people at a remotely reasonable price to staff, what I'd like to. So I have to pursue both the utilizing third parties who have expertise in professional services that I can deploy to, to, to, to solve my problems, but also then to employing automation. So, you know, the, a great example would be if I have a team that has a, you know, a five person application security team, and now next year, my applications security or my, my applications team is gonna develop three times the number of, of applications and APIs. >>I can't scale my team by a factor of three, just to meet that demand. I have to pursue automation opportunities. And so we really want to measure the, the, the successes that we can achieve with automation so that a CISO can look at us as, as an answer to complexity rather than as a source of new complexity, because it is true that we're overwhelmed with the options at our disposal. Most of those options create more complexity than they solve for. And, and, you know, I pursue that in, in my practice, which is to, is to figure out how to sort of limit the complexity of what is already very complicated, you know, role and protecting an organization. >>Got it. And when you, when, when the CSO says Carl, what's in it for me with no name, what's the answer, what's the bumper bumper sticker. >>It, it's reducing complexity. It's making a very sophisticated problem. Set, simple to solve for APIs are a, are a class of assets that there's an answer for that answer includes automation and includes professional services. And we can, we can achieve a high degree of sophistication relatively speaking with a low amount of effort. When we look across our security team, this is a, this is a solvable problem space and, and we can do so pretty efficiently. >>Awesome. Well call, thank you so much for showcasing no name. And the last minute we have here, give a quick plug for the company, give a little stats, some factoids that people might be interested in. How big is the company? What are you guys doing enthusiastic about the solution? Share some, yep. Give the plug. >>Sure. We're, we're, we're a company of just about 300 employees now all across the globe, Asia Pacific, north America, Europe, and the middle east, you know, tremendous success with the release of our, of our software testing module, which we call active testing. We have such a variety of ways also to, to sort of test and take Nona for a test drive from sandboxes to POVs and, and some really amazing opportunities to, to show and tell and have the organizations diagnose quickly where, where they are. And so we, we love to, we love to, to, to show off the platform and, and let people take it for a test drive. So, you know, no name, security.com and any, anywhere in the world, you are, we can, we can deploy a, a, a sales engineer who can help show you the platform and, and show you all the things that, that we can, we can offer for the organization. >>Carl, great insight. Thank you again for sharing the stats and talk about the industry and really showcasing some of the key things you guys are doing in the industry for customers. We really appreciate it. Thanks for coming on. >>Thanks John. Appreciate it. >>Okay. That's the, this is the ADBU startup showcase. John fur, your host season two, episode four of this ongoing series covering the exciting new growing startups from the AWS ecosystem in cybersecurity. Thanks for watching.

>>Welcome back everyone Cube's live coverage here. Day two, two sets, three days of cube coverage here at VMware Explorer. This is our 12th year covering VMware's annual conference, formally called world I'm Jean Dave ante. We'd love seeing the progress and we've got great security comes Tom Gill, senior rights, president general manager, networking and advanced security business group at VMware. Great to see you. Thanks for coming on. Thanks >>For having me. Yeah, really happy we could have you on, you know, I think, I think this is my sixth edition on the cube. Like, do I get freaking flyer points or anything? >>Yeah, you get first get the VIP badge. We'll make that happen. You can start getting credits. >>Okay. There we go. >>We won't interrupt you. No, seriously, you got a great story in security here. The security story is kind of embedded everywhere, so it's not like called out and, and blown up and talked specifically about on stage. It's kind of in all the narratives in, in the VM world for this year. Yeah. But you guys have an amazing security story. So let's just step back into set context. Tell us the security story for what's going on here at VMware and what that means to this super cloud multi-cloud and ongoing innovation with VMware. Yeah, >>Sure thing. So, so probably the first thing I'll point out is that, that security's not just built in at VMware it's built differently, right? So we're not just taking existing security controls and cut and pasting them into, into our software. But we can do things because of our platform because of the virtualization layer that you really can't do with other security tools and where we're very, very focused is what we call lateral security or east west movement of an attacker. Cuz frankly, that's the name of the game these days. Right? Attackers, you gotta assume that they're already in your network. Okay. Already assume that they're there, then how do we make it hard for them to get to what the, the stuff that you really want, which is the data that they're, they're going after. Right. And that's where we, >>We really should. All right. So we've been talking a lot coming into world VMware Explorer and here the event about two things security as a state. Yeah. I'm secure right now. Yeah. Or I, I think I'm secure right now, even though someone might be in my network or in my environment to the notion of being defensible. Yeah. Meaning I have to defend and be ready at a moment's notice to attack, fight, push back red team, blue team, whatever you're gonna call it, but something's happening. I gotta be a to defend. Yeah. >>So you, what you're talking about is the principle of zero trust. So the, the, when we, when I first started doing security, the model was we have a perimeter and everything on one side of the perimeter is dirty, ugly, old internet and everything on this side known good, trusted what could possibly go wrong. And I think we've seen that no matter how good you make that perimeter, bad guys find a way in. So zero trust says, you know what? Let's just assume they're already in. Let's assume they're there. How do we make it hard for them to move around within the infrastructure and get to the really valuable assets? Cuz for example, if they bust into your laptop, you click on a link and they get code running on your machine. They might find some interesting things on your machine, but they're not gonna find 250 million credit cards. Right. Or the, the script of a new movie or the super secret aircraft plans, right. That lives in a database somewhere. And so it's that movement from your laptop to that database. That's where the damage is done. Yeah. And that's where VMware shines. If they don't >>Have the right to get to that database, they're >>Not >>In and it's not even just the right, like, so they're so clever. And so sneaky that they'll steal a credential off your machine, go to another machine, steal a credential off of that. So it's like they have the key to unlock each one of these doors and we've gotten good enough where we can look at that lateral movement, even though it has a credential and a key where like, wait a minute, that's not a real CIS admin making a change. That's ransomware. Yeah. Right. And that's, that's where we, you have to earn your way in. That's right. That's >>Right. Yeah. And we're all, there's all kinds of configuration errors. But also some, some I'll just user problems. I've heard one story where there's so many passwords and username and passwords and systems that the bad guy's scour, the dark web for passwords that have been exposed. Correct. And go test them against different accounts. Oh one hit over here. Correct. And people don't change their passwords all the time. Correct? Correct. That's a known, known vector. We, >>We just, the idea that users are gonna be perfect and never make mistake. Like how long have we been doing this? Like humans with the weakest link. Right. So, so, so people are gonna make mistakes. Attackers are gonna be in here's another way of thinking about it. Remember log for J. Remember that whole ago, remember that was a Christmas time. That was nine months ago. And whoever came up with that, that vulnerability, they basically had a skeleton key that could access every network on the planet. I don't know if a single customer that was said, oh yeah, I wasn't impacted by log for J. So seers, some organized entity had access to every network on the planet. What was the big breach? What was that movie script that got stolen? So there wasn't one. Right? We haven't heard anything. So the point is the goal of attackers is to get in and stay in. Imagine someone breaks into your house, steals your laptop and runs. That's a breach. Imagine someone breaks into your house and stays for nine months. Like it's untenable, the real world. Right, right. >>We don't even go in there. They're still in there >>Watching your closet. Exactly. Moving around, nibbling on your ni line, your cookies. You know what I mean? Drinking your beer. >>Yeah. So, so let's talk about how this translates into the new reality of cloud native, because now know you hear about, you know, automated pen testing is a, a new hot thing right now you got antivirus on data. Yeah. Is hot is hot within APIs, for instance. Yeah. API security. So all kinds of new hot areas, cloud native is very iterative. You know, you, you can't do a pen test every week. Right. You gotta do it every second. Right. So this is where it's going. It's not so much simulation. It's actually real testing. Right. Right. How do you view that? How does that fit into this? Cuz that seems like a good direction to me. >>Yeah. It, it, it fits right in. And you were talking to my buddy AJ earlier about what VMware can do to help our customers build cloud native applications with, with Zu, my team is focused on how do we secure those applications? So where VMware wants to be the best in the world is securing these applications from within looking at the individual piece parts and how they talk to each other and figuring out, wait a minute. That, that, that, that, that should never happen by like almost having an x-ray machine on the ins of the application. So we do it for both for VMs and for container based applications. So traditional apps are VM based. Modern apps are container based and we, and we have a slightly different insertion mechanism. It's the same idea. So for VMs, we do it with the hypervisor, with NSX, we see all the inner workings in a container world. >>We have this thing called a service me that lets us look at each little snippet of code and how they talk to each other. And once you can see that stuff, then you can actually apply. It's almost like common sense logic of like, wait a minute. You know, this API is giving back credit card numbers and it gives five an hour. All of a sudden, it's now asking for 20,000 or a million credit card that doesn't make any sense. Right? The anomalies stick out like a sore thumb. If you can see them. And VMware, our unique focus in the infrastructure is that we can see each one of these little transactions and understand the conversation. That's what makes us so good at that east west or lateral >>Security. Yeah. You don't belong in this room, get out or that that's right. Some weird call from an in-memory database, something over >>Here. Exactly. Where other, other security solutions won't even see that. Right. It's not like there algorithms aren't as good as ours or, or better or worse. It's that, it's the access to the data. We see the, the, the, the inner plumbing of the app. And therefore we can protect >>The app from, and there's another dimension that I wanna get in the table here, cuz to my knowledge only AWS, Google, I, I believe Microsoft and Alibaba and VMware have this, it nitro the equivalent of a nitro. Yes. Project Monterey. Yeah. That's unique. It's the future of computing architectures. Everybody needs a nitro. I've I've written about this. Yeah. Right. So explain your version. Yeah. Project. It's now real. It's now in the market right. Or soon will be. Yeah. Here. Here's our mission salient aspects. Yeah. >>Here's our mission of VMware is that we wanna make every one of our enterprise customers. We want their private cloud to be as nimble, as agile, as efficient as the public cloud >>And secure >>And secure. In fact, I'll argue, we can make it actually more secure because we're thinking about putting security everywhere in this infrastructure. Right. Not just on the edges of it. So, so, so, okay. How do we go on that journey? As you pointed out, the public cloud providers realized, you know, five years ago that the right way to build computers was not just a CPU and a GPU graphics process, unit GPU, but there's this third thing that the industry's calling a DPU data processing unit. So there's kind of three pieces of a computer. And the DPU is sometimes called a smart Nick it's the network interface card. It does all that network handling and analytics and it takes it off the CPU. So they've been building and deploying those systems themselves. That's what nitro is. And so we have been working with the major Silicon vendors to bring that architecture to everybody. So, so with vSphere eight, we have the ability to take the network processing that east west inspection. I talked about, take it off of the CPU and put it into this dedicated processing element called the DPU and free up the CPU to run the applications that AJ and team are building. >>So no performance degradation at all, correct. >>To CPU >>Offload. So even the opposite, right? I mean you're running it basically bare metal speeds. >>Yes, yes. And yes. >>And, and, and you're also isolating the, the storage right from the, from the, the, the security, the management. And >>There's an isolation angle to this, which is that firewall that we're putting everywhere. Not just that the perimeter, we put it in each little piece of the server is running when it runs on one of these DPU, it's a different memory space. So even if, if an attacker gets to root in the OS, they it's very, very, never say never, but it's very difficult. >>So who has access to that? That, that resource >>Pretty much just the infrastructure layer, the cloud provider. So it's Google Microsoft, you know, and the enterprise, the >>Application can't get in, >>Can't get in there. Cause it, you would've to literally bridge from one memory space to another, never say never, but it would be very, very, >>It hasn't earned the trust >>To get it's more than Bob wire. It's, it's, it's multiple walls and, and >>It's like an air gap. It puts an air gap in the server itself so that if the server's compromised, it's not gonna get into the network really powerful. >>What's the big thing that you're seeing with this super cloud transition we're seeing, we're seeing, you know, multicloud and this new, not just SAS hosted on the cloud. Yeah. You're seeing a much different dynamic of combination of large scale CapEx, cloud native. And then now cloud native develops on premises and edge kind of changing what a cloud looks like if the cloud's on a cloud. So rubber customer, I'm building on a cloud and I have on-prem stuff. So I'm getting scale CapEx relief from the, from the cap, from the hyperscalers. >>I, I think there's an important nuance on what you're talking about, which is, is in the early days of the cloud customers. Remember those first skepticism? Oh, it'll never work. Oh, that's consumer grade. Oh, that's not really gonna work. And some people realize >>It's not secure. Yeah. >>It, it's not secure that one's like, no, no, no, it's secure. It works. And it, and it's good. So then there was this sort of over rush. Like let's put everything on the cloud. And I had a lot of customers that took VM based applications said, I'm gonna move those onto the cloud. You gotta take 'em all apart, put 'em on the cloud and put 'em all back together again. And little tiny details, like changing an IP address. It's actually much harder than it looks. So my argument is for existing workloads for VM based workloads, we are VMware. We're so good at running VM based workloads. And now we run them on anybody's cloud. So whether it's your east coast data center, your west coast data center, Amazon, Google, Microsoft, Alibaba, IBM keep going. Right. We pretty much every, and >>The benefit of the customer is what you >>Can literally vMotion and just pick it up and move it from private to public public, to private, private, to public, public, back and forth. >>Remember when we called VMO BS years ago. Yeah, yeah, yeah. >>We were really, skeptic is >>Powerful. We were very skeptical. We're like, that'll never happen. I mean, we were, I mean, it's supposed to be pat ourselves on the back. We, well, >>Because it's alchemy, it seems like what you can't possibly do that. Right. And so, so, so, and now we do it across clouds, right? So we can, you know, it's not quite VMO, but it's the same idea. You can just move these things over. I have one customer that had a production data center in the Ukraine, things got super tense, super fast, and they had to go from their private cloud data center in the Ukraine to a public cloud data center outta harm's way. They did it over a weekend, 48 hours. If you've ever migrated data, that's usually six months, right? And a lot of heartburn and a lot of angst, boom. They just drag and drop, moved it on over. That's the power of what we call the cloud operating model. And you can only do this when all your infrastructure's defined in software. >>If you're relying on hardware, load, balancers, hardware, firewalls, you can't move those. They're like a boat anchor. You're stuck with them. And by the way, really, really expensive. And by the way, they eat a lot of power, right? So that was an architecture from the nineties in the cloud operating model, your data center. And this goes back to what you were talking about is just racks and racks of X 86 with these magic DPU or smart necks to make any individual node go blisteringly fast and do all the functions that you used to do in network appliances. >>We just said, AJ taking us to school and everyone else to school on applications, middleware abstraction layer. Yeah. And kit Culver was also talking about this across cloud. We're talking super cloud, super pass. If this continues to happen, which we would think it will happen. What does the security posture look like? It has. It feels to me. And again, this is, this is your wheelhouse. If super cloud happens with this kind of past layer where there's B motioning going on, all kinds of yeah. Spanning applications and data. Yeah. Across environments. Yeah. Assume there's an operating system working on behind the scenes. Right. What's the security posture in all this. Yeah. >>So remember my narrative about like VA guys are getting in and they're moving around and they're so sneaky that they're using legitimate pathways. The only way to stop that stuff is you've gotta understand it at what, you know, we call layer seven at the application layer the in, you know, trying to do security, the infrastructure layer. It was interesting 20 years ago, kind of less interesting 10 years ago. And now it's becoming irrelevant because the infrastructure is oftentimes not even visible, right. It's buried in some cloud provider. So layer seven, understanding, application awareness, understanding the APIs and reading the content. That's the name of the game in security. That's what we've been focused on. Right. Nothing to do with >>The infras. And where's the progress bar on that, that paradigm early one at the 10, 10 being everyone's doing it >>Right now. Well, okay. So we, as a vendor can do this today. All the stuff I talked about about reading APIs, understanding the, the individual services looking at, Hey, wait a minute. This credit card anomalies, that's all shipping production code. Where is it in customer adoption life cycle, early days, 10%. So, so there's a whole lot of headroom. We, for people to understand, Hey, I can put these controls in place. There's software based. They don't require appliances. It's layer seven. So it has contextual awareness and it's works on every single cloud. >>You know, we talk about the pandemic. Being an accelerator really was a catalyst to really rethink. Remember we used to talk about pat his security a do over. He's like, yes, if it's the last thing I'm due, I'm gonna fix security. Well, he decided to go try to fix Intel instead, but, >>But, but he's getting some help from the government, >>But it seems like, you know, CISOs have totally rethought, you know, their security strategy. And, and at least in part is a function of the pandemic. >>When I started at VMware four years ago, pat sat me down in his office and he said to me what he said to you, which is like Tom, he said, I feel like we have fundamentally changed servers. We fundamentally changed storage. We fundamentally changed networking. The last piece of the puzzle of security. I want you to go fundamentally change it. And I'll argue that the work that we're doing with this, this horizontal security understanding the lateral movement east west inspection, it fundamentally changes how security works. It's got nothing to do with firewalls. It's got nothing to do with endpoint. It's a unique capability that VMware is uniquely suited to deliver on. And so pat, thanks for the mission. We delivered it and available >>Those, those wet like web applications firewall for instance are, are around. I mean, but to your point, the perimeter's gone. Exactly. And so you gotta get, there's no perimeter. So it's a surface area problem. Correct. And access and entry, correct. They're entering here easy from some manual error or misconfiguration or bad password that shouldn't be there. They're >>In. Think about it this way. You put the front door of your house, you put a big strong door and a big lock. That's a firewall bad guys, come in the window. Right. And >>Then the window's open and the window with a ladder room. Oh my >>God. Cause it's hot, bad user behavior. Trump's good security >>Every time. And then they move around room to room. We're the room to room people. Yeah. We see each little piece of the thing. Wait, that shouldn't happen. Right. >>I wanna get you a question that we've been seeing and maybe we're early on this, or it might be just a, a false data point. A lot of CSOs and we're talking to are, and people in industry in the customer environment are looking at CSOs and CSOs, two roles, chief information security officer, and then chief security officer Amazon, actually, Steven Schmidt is now CSO at reinforced. They actually called that out. Yeah. And the, and the interesting point that he made, we've had some other situations that verified. This is that physical security is now tied to online to your point about the service area. If I get a password, I still at the keys to the physical goods too. Right. Right. So physical security, whether it's warehouse for them is, or store or retail digital is coming in there. Yeah. So is there a CSO anymore? Is it just CSO? What's the role or are there two roles you see that evolving or is that just, >>Well, >>I circumstance, >>I, I think it's just one. And I think that, that, you know, the stakes are incredibly high in security. Just look at the impact that these security attacks are having on it. It, you know, companies get taken down, Equifax market cap was cut, you know, 80% with a security breach. So security's gone from being sort of a nuisance to being something that can impact your whole kind of business operation. And then there's a whole nother domain where politics get involved. Right. It determines the fate of nations. I know that sounds grand, but it's true. Yeah. And so, so, so companies care so much about it. They're looking for one liter, one throat to choke, you know, one person that's gonna lead security in the virtual domain, in the physical domain, in the cyber domain, in, in, you know, in the actual, well, it is, >>I mean, you mentioned that, but I mean, mean you look at Ukraine. I mean the, the, that, that, that cyber is a component of that war. I mean, that's very clear. I mean, that's, that's new, we've never seen >>This. And in my opinion, the stuff that we see happening in the Ukraine is small potatoes compared to what could happen. Yeah, yeah. Right. So the us, we have a policy of, of strategic deterrents where we develop some of the most sophisticated cyber weapons in the world. We don't use them and we hope never to use them because the, the, our adversaries who could do stuff like, oh, I don't know, wipe out every bank account in north America, or turn off the lights in New York city. They know that if they were to do something like that, we could do something back. >>I, this discuss, >>This is the red line conversation I wanna go there. So >>I had this discussion with Robert Gates in 2016 and he said, we have a lot more to lose, which is really >>Your point. So this brand, so I agree that there's the, to have freedom and Liberty, you gotta strike back with divorce and that's been our way to, to balance things out. Yeah. But with cyber, the red line, people are already in banks. So they're addresses are operating below the red line, red line, meaning before we know you're in there. So do we move the red line down because Hey, Sony got hacked the movie because they don't have their own militia. Yeah. If they were physical troops on the shores of LA breaking into the file cabinets. Yeah. The government would've intervened. >>I, I, I agree with you that it creates, it creates tension for us in the us because our, our adversaries don't have the clear delineation between public and private sector here. You're very, very clear if you're working for the government or you work for an private entity, there's no ambiguity on that. And so, so we have different missions in each department. Other countries will use the same cyber capabilities to steal intellectual, you know, a car design as they would to, you know, penetrate a military network. And that creates a huge hazard for us on the us. Cause we don't know how to respond. Yeah. Is that a civil issue? Is that a, a, a military issue? And so, so it creates policy ambiguity. I still love the clarity of separation of, you know, sort of the various branches of government separation of government from, >>But that, but, but bureau on multinational corporation, you then have to, your cyber is a defensible. You have to build the defenses >>A hundred percent. And I will also say that even though there's a clear D mark between government and private sector, there's an awful lot of cooperation. So, so our CSO, Alex toshe is actively involved in the whole intelligence community. He's on boards and standards and we're sharing because we have a common objective, right? We're all working together to fight these bad guys. And that's one of the things I love about cyber is that that even direct competitors, two big banks that are rivals on the street are working together to share security information and, and private, is >>There enough? Is collaboration Tom in the vendor community? I mean, we've seen efforts to try to, that's a good question, monetize private data, you know? Yeah. And private reports and, >>And, you know, like, so at VMware, we, we, I'm very proud of the security capabilities we've built, but we also partner with people that I think of as direct competitors, we've got firewall vendors and endpoint vendors that we work with and integrate. And so cooperation is something that exists. It's hard, you know, because when you have these kind of competing, you know, so could we do more? Of course we probably could, but I do think we've done a fair amount of cooperation, data sharing, product integration, et cetera, you know, and, you know, as the threats get worse, you'll probably see us continue to do more. >>And the governments is gonna trying to force that too. >>And, and the government also drives standards. So let's talk about crypto. Okay. So there's a new form of encryption coming out called quantum processing, calling out. Yeah. Yeah. Quantum, quantum computers have the potential to crack any crypto cipher we have today. That's bad. Okay. Right. That's not good at all because our whole system is built around these private communications. So, so the industry is having conversations about crypto agility. How can we put in place the ability to rapidly iterate the ciphers in encryption? So when the day quantum becomes available, we can change them and stay ahead of these quantum people. Well, >>Didn't this just put out a quantum proof algo that's being tested right now by the, the community. >>There's a lot of work around that. Correct. And, and, and this is taking the lead on this, but you know, Google's working on it, VMware's working on it. We're very, very active in how do we keep ahead of the attackers and the bad guys? Because this quantum thing is like a, it's a, it's a x-ray machine. You know, it's like, it's like a, a, a di lithium crystal that can power a whole ship. Right. It's a really, really, really powerful >>Tool. It's bad. Things will happen. >>Bad things could happen. >>Well, Tom, great to have you on the cube. Thanks for coming. Take the last minute to just give a plug for what's going on for you here at world this year, VMware explore this year. Yeah. >>We announced a bunch of exciting things. We announced enhancements to our, our NSX family, with our advanced load balancer, with our edge firewall. And they're all in service of one thing, which is helping our customers make their private cloud like the public cloud. So I like to say 0, 0, 0. If you are in the cloud operating model, you have zero proprietary appliances. You have zero tickets to launch a workload. You have zero network taps and zero trust built into everything you do. And that's, that's what we're working on and pushing that further and further. >>Tom Gill, senior vices president head of the networking at VMware. Thanks for coming up for you. Appreciate >>It. Yes. Thanks for having guys >>Always getting the security data. That's killer data and security of the two ops that get the most conversations around dev ops and cloud native. This is the queue bringing you all the action here in San Francisco for VMware. Explore 2022. I'm John furrier with Dave, Alan. Thanks for watching.