Search Results for falcon:

Jim Wu, Falcon Computing | Super Computing 2017


 

>> Announcer: From Denver, Colorado, it's theCUBE covering Super Computing '17. Brought to you by Intel. (upbeat techno music) Hey welcome back, everybody. Jeff Frick here with theCUBE. We're at Super Computing 2017 in Denver, Colorado. It's our first trip to the show, 12,000 people, a lot of exciting stuff going on, big iron, big lifting, heavy duty compute. We're excited to have our next guest on. He's Jim Wu, he's the Director of Customer Experience for Falcon Computing. Jim, welcome. Thank you. Good to see you. So, what does Falcon do for people that aren't familiar with the company? Yeah, Falcon Company is an early-stage startup, focused on FPGA-based acceleration development. Our vision is to allow software engineers to develop FPGA-based accelerators, accelerators without FPGA expertise. Right, you just said you closed your B round. So, congratulations on that. >> Jim: Thank you. Yeah, very exciting. So, it's a pretty interesting concept. To really bring the capability to traditional software engineers to program for hardware. That's kind of a new concept. What do you think? 'Cause it brings the power of a hardware system, but the flexibility of a software system. Yeah, so today, to develop FPGA accelerators is very challenging. So, today for the accelerations-based people use very low level languages, like Verilog and VHDL, to develop FPGA accelerators. Which was very time consuming, very labor-intensive. So, our goal is to liberate them to use a C/C++-based design flow, to give them an environment that they are familiar with in C/C++. So now not only can they improve their productivity, we also do a lot of automatic organization under the hood, to give them the highest accelerator results. Right, so that really opens up the ecosystem well beyond the relatively small ecosystem that knows how to program their hardware. Definitely, that's what we are hoping to see. We want to put the tool in the hands of all software programmers. 
They can use it in the Cloud. They can use it on premises. Okay. So what's the name of your product? And how does it fit within the stack? I know we've got the Intel microprocessor under the covers, we've got the accelerator, we've got the cards. There's a lot of pieces to the puzzle. >> Jim: Yeah. So where does Falcon fit? So our main product is a compiler, called the Merlin Compiler. >> Jeff: Okay. It's a pure C and C++ flow that enables software programmers to design FPGA-based accelerators without any knowledge of FPGA. And it's highly integrated with Intel development tools. So users don't even need to learn anything about the Intel development environment. They can just use their C++ development environment. Then in the end, we give them the host code as well as FPGA binaries so they can run on FPGA to see accelerated applications. Okay, and how long has Merlin been GA? Actually, we'll be GA early next year. Early next year. So finishing, doing the final polish here and there. Yes. So in this quarter, we are heavily investing in a lot of ease-of-use features. Okay. We have most of the features we want to be in the tool, but we're still lacking a bit in terms of ease-of-use. >> Jeff: Okay. So we are enhancing our report capabilities, we are enhancing our profiling capabilities. We want to really truly like a traditional C++-based development environment for software application engineers. Okay, that's fine. You want to get it done, right, before you ship it out the door? So you have some Alpha programs going on? Some Beta programs of some really early adopters? Yeah, exactly. So today we provide a 14-day free trial to any customers who are interested. We have it, you can set up your enterprise or you can set up on Cloud. Okay. We provide to where you want your work done. Okay. And so you'll support all the cloud service providers, the big public clouds, all the private clouds. All the traditional data servers as well. Right. 
So, we are twice already on Aduplas as well as Alibaba Cloud. So we are working on bringing the tool to other public cloud providers as well. Right. So what is some of the early feedback you're getting from some of the people you're talking to? As to where this is going to make the biggest impact. What type of application space has just been waiting for this solution? So our Merlin Compiler is a productivity tool, so any space that FPGA can traditionally play well, that's where we want to be. So like encryption, decryption, video codec, compression, decompression. Those kind of applications are very stable for FPGA. Now traditionally they can only be developed by hardware engineers. Now with the Merlin Compiler, all of these software engineers can use the Merlin Compiler to do all of these applications. Okay. And when is the GA getting out, I know it's coming? When is it coming? Approximately? So probably first quarter of 2018. Okay, that's just right around the corner. Exactly. Alright, super. And again, a little bit about the company, how many people are you? A little bit of the background on the founders. So we have about 30 employees, at the moment, so we have offices in Santa Clara which is our headquarters. We also have an office in Los Angeles. As well as Beijing, China. Okay, great. Alright well Jim, thanks for taking a few minutes. We'll be looking for GA in a couple of months and wish you nothing but the best success. Okay, thank you so much, Jeff. Alright, he's Jim Wu, I'm Jeff Frick. You're watching theCUBE from Super Computing 2017. Thanks for watching. (upbeat techno music)

Published Date : Nov 14 2017


Breaking Analysis: How Palo Alto Networks Became the Gold Standard of Cybersecurity


 

>> From "theCube" Studios in Palo Alto and Boston, bringing you data-driven insights from "theCube" and ETR. This is "Breaking Analysis" with Dave Vellante. >> As an independent pure play company, Palo Alto Networks has earned its status as the leader in security. You can measure this in a variety of ways. Revenue, market cap, execution, ethos, and most importantly, conversations with customers generally, and CISOs specifically, who consistently affirm this position. The company's on track to double its revenues in fiscal year 23 relative to fiscal year 2020, despite macro headwinds, which are likely to carry through next year. Palo Alto owes its position to a clarity of vision and strong execution on a TAM expansion strategy through acquisitions and integration into its cloud and SaaS offerings. Hello and welcome to this week's "Wikibon Cube Insights" powered by ETR. In this Breaking Analysis, and ahead of Palo Alto Ignite, the company's user conference, we bring you the next chapter on top of last week's cybersecurity update. We're going to dig into the ETR data on Palo Alto Networks as we promised and provide a glimpse of what we're going to look for at "Ignite" and posit what Palo Alto needs to do to stay on top of the hill. Now, the challenges for cybersecurity professionals. Dead simple to understand. Solving it, not so much. This is a taxonomic eye test, if you will, from Optiv. It's one of our favorite artifacts to make the point that the cybersecurity landscape is a mosaic of stovepipes. Security professionals have to work with dozens of tools, many legacy, combined with shiny new toys, to try and keep up with the relentless pace of innovation catalyzed by the incredibly capable, well-funded and motivated adversaries. Cybersecurity is an anomalous market in that the leaders have low single digit market shares. Think about that. Cisco at one point held 60% market share in the networking business and it's still deep into the 40s. 
Oracle captures around 30% of database market revenue. EMC in storage at its peak had more than 30% of that market. Even Dell's PC market share is, you know, in the mid 20s or even over that from a revenue standpoint. So cybersecurity from a market share standpoint is even more fragmented perhaps than the software industry. Okay, you get the point. So despite its position as the number one player, Palo Alto might have maybe three, maybe 4% of the total market, depending on what you use as your denominator, but just a tiny slice. So how is it that we can sit here and declare Palo Alto as the undisputed leader? Well, we probably wouldn't go that far. They probably have quite a bit of competition. But this CISO from a recent ETR round table discussion with our friend Eric Bradley summed up Palo Alto's allure, we thought, pretty well. The question was why Palo Alto Networks? Here's the answer. Because of its completeness as a platform, its ability to integrate with its own products or they acquire, integrate then rebrand them as their own. We've looked at other vendors, we just didn't think they were as mature, and we already had implemented some of the Palo Alto tools like the firewalls and stuff, and we thought why not go holistically with the vendor, a single throat to choke, if you will, if stuff goes wrong. And I think that was probably the primary driver, and familiarity with the tools and the resources that they provided. Now here's another stat from ETR's Eric Bradley. He gave us a glimpse of the January survey that's in the field now. The percent of IT buyers stating that they plan to consolidate redundant vendors, it went from 34% in the October survey and now stands at 44%. So we feel this bodes well for consolidators like Palo Alto Networks. And the same is true from Microsoft's kind of good enough approach. 
It should also be true for CrowdStrike, although last quarter we saw softness reported on in their SMB market, whereas interestingly MongoDB actually saw consistent strength from its SMB and its self-serve. So that's something that we're watching very closely. Now, Palo Alto Networks has held up better than most of its peers in the stock market. So let's take a look at that real quick. This chart gives you a sense of how well. It's a one year comparison of Palo Alto with the BUG ETF. That's the cyber basket that we like to compare often, CrowdStrike, Zscaler, and Okta. Now remember Palo Alto, they didn't run up as much as CrowdStrike, ZS and Okta during the pandemic, but you can see it's now down unquote only 9% for the year. Whereas the cyber basket ETF is off 27%, roughly in line with the NASDAQ. We're not showing that CrowdStrike down 44%, Zscaler down 61% and Okta off a whopping 72% in the past 12 months. Now as we've indicated, Palo Alto is making a strong case for consolidating point tools and we think it will have a much harder time getting customers to switch off of big platforms like Cisco, who's another leader in network security. But based on the fragmentation in the market there's plenty of room to grow in our view. We asked Breaking Analysis contributor Chip Symington for his take on the technicals of the stock and he said that despite Palo Alto's leadership position it doesn't seem to make much difference these days. It's all about interest rates. And even though this name has performed better than its peers, it looks like the stock wants to keep testing its 52 week lows, but he thinks Palo Alto got oversold during the last big selloff. And the fact that the company's free cash flow is so strong probably keeps it at the 150 level or above, maybe bouncing around there for a while. If it breaks through that to the downside, its next test is at that low of around the 140 level. So thanks for that, Chip. 
Now having gotten that out of the way, as we said on the previous chart, Palo Alto has strong opinions. Its founder and CTO, Nir Zuk, is extremely clear on that point of view. So let's take a look at how Palo Alto got to where it is today and how we think you should think about its future. The company was founded around 18 years ago as a network security company focused on what they called NextGen firewalls. Now, what Palo Alto did was different. They didn't try to stuff a bunch of functionality inside of a hardware box. Rather they layered network security functions on top of its firewalls and delivered value as a service through software running at the time in its own cloud. So pretty obvious today, but forward thinking for the time, and now they've moved to a more true cloud native platform and much more activity in the public cloud. In February, 2020, right before the pandemic, we reported on the divergence in market values between Palo Alto and Fortinet and we cited some challenges that Palo Alto was having transitioning to a cloud native model. And at the time we said we were confident that Palo Alto would make it through the knot hole. And you could see from the previous chart that it has. So the company's architectural approach was to do the heavy lifting in the cloud. And this eliminates the need for customers to deploy sensors on prem or proxies on prem or sandboxes on prem. Sandboxes, you know, for instance, are vulnerable to overwhelming attacks. Think about it, if your sandbox is on prem you're not going to be updating that every day. No way. You're probably not going to update it even every week or every month. And if the capacity of your sandbox is, let's say, 20,000 files an hour, you know a hacker's just going to turn up the volume, it'll overwhelm you. They'll send a hundred thousand email attachments into your sandbox and they'll choke you out and then they'll have the run of the house while you're trying to recover. 
Now the cloud doesn't completely prevent that, but what it does, it definitely increases the hacker's cost. So they're going to probably hit some easier targets and that's kind of the objective of security firms. You know, increase the denominator on the ROI. All right, the next thing that Palo Alto did is start acquiring aggressively. I think we counted 17 or 18 acquisitions to expand the TAM beyond network security into endpoint, CASB, PaaS security, IaaS security, container security, serverless security, incident response, SD-WAN, CI/CD pipeline security, attack surface management, supply chain security, just recently with the acquisition of Cider Security. And Palo Alto by all accounts takes the time to integrate into its cloud and SaaS platform called Prisma. Unlike many acquisitive companies in the past. EMC was a really good example, where you ended up with a kind of a Franken portfolio. Now all this leads us to believe that Palo Alto wants to be the consolidator and is in a good position to do so. But beyond that, as multi-cloud becomes more prevalent and more of a strategy, customers tell us they want a consistent experience across clouds. And it's going to be the same, by the way, with IoT, sort of the next wave here. Customers don't want another stove pipe. So we think Palo Alto is in a good position to build what we call the security super cloud, that layer above the clouds that brings a common experience for devs and operational teams. So of course the obvious question is this, can Palo Alto Networks continue on this path of acquire and integrate and still maintain best of breed status? Can it? Will it? Does it even have to? As Holger Mueller of Constellation Research and I talk about all the time, integrated suites seem to always beat best of breed in the long run. We'll come back to that. Now, this next graphic that we're going to show you underscores this question about portfolio. 
Here's a picture and I don't expect you to digest it all, but it's a screen grab of Palo Alto's product and solutions portfolios, network cloud, network security rather, cloud security, SASE, CNAPP, endpoint, Unit 42 which is their threat intelligence platform, and every imaginable security service and solution for customers. Well, maybe not every, I'm sure there's more to come like supply chain with the recent Cider acquisition and maybe more IoT beyond Zingbox, an earlier acquisition, but we're sure there will be more in the future, both organic and inorganic. Okay, let's bring in more of the ETR survey data. For those of you who don't know ETR, they are the number one enterprise data platform surveying thousands of end customers every quarter with additional drill down surveys and customer round tables, just an awesome SaaS enabled platform. And here's a view that shows net score or spending momentum on the vertical axis and pervasion or presence within the ETR data set on the horizontal axis. You see that red dotted line at 40%. Anything at or over that indicates a highly elevated net score. And as you can see Palo Alto is right on that line, just under. And I'll give you another glimpse, it looks like Palo Alto despite the macro may even just edge up a bit in the next survey based on the glimpse that Eric gave us. Now those colored bars in the bottom right corner, they show the breakdown of Palo Alto's net score and underscore the methodology that ETR uses. The lime green is new customer adoptions, that's 7%. The forest green at 38% represents the percent of customers that are spending 6% or more on Palo Alto solutions. The gray is at that 48%, that's flat spending plus or minus 5%. The pinkish at 5% is spending is down on Palo Alto Networks products by 6% or worse. And the bright red at only 2% is churn or defections. Very low single digit numbers for Palo Alto, that's a real positive. 
What you do is you subtract the red from the green and you get a net score of 38%, which is very good for a company of Palo Alto's size. And we'll note this is based on just under 400 responses in the ETR survey that are Palo Alto customers out of around 1300 in the total survey. It's a really good representation of Palo Alto. And you can see the other leading companies like CrowdStrike, Okta, Zscaler, Forte, Cisco, they loom large with similar aspirations. Well maybe not so much Okta. They don't necessarily want to rule the world. They want to rule identity, and of course the ever ubiquitous Microsoft in the upper right. Now drilling deeper into the ETR data, let's look at how Palo Alto has progressed over the last three surveys in terms of market presence in the survey. This view of the data shows pervasion in the data going back to October, 2021, that's the gray bars. The blue is July 22 and the yellow is the latest survey from October, 2022. Remember, the January survey is currently in the field. Now the leftmost set of data there shows size of company. The middle set of data shows the industry for a select number of industries, and the rightmost shows geographic region. Notice anything? Yes, Palo Alto up across the board relative to both this past summer and last fall. So that's pretty impressive. Palo Alto Networks CEO, Nikesh Arora, stressed on the last earnings call that the company is seeing somewhat elongated deal approvals and sometimes splitting up size of deals. He stressed that certain industries like energy, government and financial services continue to spend. But we would expect even a pullback there as companies get more conservative. 
But the point is that Nikesh talked about how they're hiring more sales pros to work the pipeline because they understand that they have to work harder to pull deals forward 'cause they got to get more approvals and they got to increase the volume that's coming through the pipeline to account for the possibility that certain companies are going to split up the deals, you know, large deals they want to split into smaller bite-size chunks. So they're really going hard after the go-to-market expansion to account for that. All right, so we're going to wrap by sharing what we expect and what we're going to probe for at Palo Alto Ignite next week. Lisa Martin and I will be hosting "theCube" and here's what we'll be looking for. First, it's a four day event at the MGM with the meat of the program on days two and three. That's day two was the big keynote. That's when we'll start our broadcasting, we're going for two days. Now our understanding is, we've never done Palo Alto Ignite before, but our understanding is it's a pretty technically oriented crowd that's going to be eager to hear what CTO and founder Nir Zuk has to say. And as well CEO Nikesh Arora, and in addition, longtime friend of "theCube" and current president, BJ Jenkins, he's going to be speaking. Wendy Whitmore runs Unit 42, and there's going to be several other high profile Palo Alto execs. As well, Thomas Kurian from Google is a featured speaker. Lee Klarich, who is Palo Alto's chief product officer, we think is going to be giving the audience heavy doses of Prisma Cloud and Cortex enhancements. Now, Cortex, you might remember, came from an acquisition and does threat detection and attack surface management. And we're going to hear a lot, we think, about security automation. So we'll be listening for how Cortex has been integrated and what kind of uptake that it's getting. We've done some, you know, modeling in from the ETR. 
Guys have done some modeling of Cortex, you know, looks like it's got a lot of upside and through the Palo Alto go-to-market machine, you know, could really pick up momentum. That's something that we'll be probing for. Now, one of the other things that we'll be watching is pricing. We want to talk to customers about their spend optimization, their spending patterns, their vendor consolidation strategies. Look, Palo Alto is a premium offering. It charges for value. It's expensive. So we also want to understand what kind of switching costs are customers willing to absorb and how onerous they are and what's the business case look like? How are they thinking about that business case. We also want to understand and really probe on how will Palo Alto maintain best of breed as it continues to acquire and integrate to expand its TAM and appeal as that one-stop shop. You know, can it do that as we talked about before. And will it do that? There's also an interesting tension going on, sort of changing subjects here, in security. There's a guy named Edward Hellekey who's been in "theCube" before. He hasn't been in "theCube" in a while but he's a security pro who has educated us on the nuances of protecting data privacy, public policy, how it varies by region and how complicated it is relative to security. Because securities you technically you have to show a chain of custody that proves unequivocally, for example, that data has been deleted or scrubbed or that metadata doesn't include any residual private data that violates the laws, the local laws. And the tension is this, you need good data and lots of it to have good security, really the more the better. But government policy is often at odds and a major blocker to sharing data and it's getting more so. So we want to understand this tension and how companies like Palo Alto are dealing with it. 
Are customers testing public policy in courts? We think not quite yet. Are governments making exceptions in policies like GDPR that favor security over data privacy? What are the trade-offs there? And finally, one theme of this Breaking Analysis is what does Palo Alto have to do to stay on top? And we would sum it up with three words. Ecosystem, ecosystem, ecosystem. And we said this at CrowdStrike Falcon in September that the one concern we had was the pace of ecosystem development for CrowdStrike. Is collaboration possible with competitors? Is being adopted aggressively? Is Palo Alto being adopted aggressively by global system integrators? What's the uptake there? What about developers? Look, the hallmark of a cloud company, which Palo Alto is, a cloud security company, is a thriving ecosystem that has entries into and exits from its platform. So we'll be looking at what that ecosystem looks like, how vibrant and inclusive it is, where the public clouds fit and whether Palo Alto Networks can really become the security super cloud. Okay, that's a wrap. Stop by next week. If you're in Vegas, say hello to "theCube" team. We have an unbelievable lineup on the program. Now if you're not there, check out our coverage on theCube.net. I want to thank Eric Bradley for sharing a glimpse on short notice of the upcoming survey from ETR and his thoughts. And as always, thanks to Chip Symington for his sharp comments. Want to thank Alex Myerson, who's on production and manages the podcast, Ken Schiffman as well in our Boston studio, Kristen Martin and Cheryl Knight, they help get the word out on social and of course in our newsletters, Rob Hof is our editor in chief over at SiliconANGLE who does some awesome editing, thank you to all. Remember all these episodes, they're available as podcasts. Wherever you listen, all you got to do is search "Breaking Analysis" podcasts. 
I publish each week on wikibon.com and siliconangle.com, or you can email me at david.valante@siliconangle.com or dm me at D Valante or comment on our LinkedIn post. And please do check out etr.ai. They've got the best survey data in the enterprise tech business. This is Dave Vellante for "theCube" Insights powered by ETR. Thanks for watching. We'll see you next week on "Ignite" or next time on "Breaking Analysis". (upbeat music)

Published Date : Dec 11 2022


Breaking Analysis: Survey Says! Takeaways from the latest CIO spending data


 

>> From theCUBE Studios in Palo Alto and Boston, bringing you data driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> The technology spending outlook is not pretty and very much unpredictable right now. The negative sentiment is of course being driven by the macroeconomic factors and earnings forecasts that have been coming down all year in an environment of rising interest rates. And what's worse, is many people think earnings estimates are still too high. But it's understandable why there's so much uncertainty. I mean, technology is still booming, digital transformations are happening in earnest, leading companies have momentum and they got cash runways. And moreover, the CEOs of these leading companies are still really optimistic. But strong guidance in an environment of uncertainty is somewhat risky. Hello and welcome to this week's Wikibon CUBE Insights Powered by ETR. In this Breaking Analysis, we share takeaways from ETR's latest spending survey, which was released to their private clients on October 21st. Today, we're going to review the macro spending data. We're going to share where CIOs think their cloud spend is headed. We're going to look at the actions that organizations are taking to manage uncertainty and then review some of the technology companies that have the most positive and negative outlooks in the ETR data set. Let's first look at the sample makeup from the latest ETR survey. ETR captured more than 1300 respondents in this latest survey. Its highest figure for the year, and the quality and seniority of respondents just keeps going up each time we dig into the data. We've got large contributions as you can see here from C-level executives in a broad industry focus. Now the survey is still North America centric with 20% of the respondents coming from overseas and there is a bias toward larger organizations. And nonetheless, we're still talking well over 400 respondents coming from SMBs. 
Now ETR, for those of you who don't know, conducts a quarterly spending intention survey and they also do periodic drilldowns. So just by the way of review, let's take a look at the expectations in the latest drilldown survey for IT spending. Before we look at the broader technology spending intentions survey data, followers of this program know that we reported on this a couple of weeks ago, spending expectations that peaked last December at 8.3% are now down to 5.5% with a slight uptick expected for next year as shown here. Now one CIO in the ETR community said these figures could be understated because of inflation. Now that's an interesting comment. Real GDP in the US is forecast to be around 1.5% in 2022. So these figures are significantly ahead of that. Nominal GDP is forecast to be significantly higher than what is shown in that slide. It was over 9% in June for example. And one would interpret that survey respondents are talking about real dollars which reflects inflationary factors in IT spend. So you might say, well if nominal GDP is in the high single digits this means that IT spending is below GDP, which is usually not the case. But the flip side of that is technology tends to be deflationary because prices come down over time on a per unit basis, so this would be a normal and even positive trend. But it's mixed right now with prices on hard to find hardware, they're holding more firm. Software, you know, software tends to be driven by lock in and competition and switching costs. So you have those countervailing factors. Services can be inflationary, especially now as wages rise, but certain sectors like laptops and semis and NAND are seeing less demand and maybe even some oversupply. So the way to look at this data is on a relative basis. In other words, IT buyers are reporting a 280 basis point drop in spending sentiment from the end of last year. 
Now, something that we haven't shared from the latest drilldown survey which we will now is how IT buyers are thinking about cloud adoption. This chart shows responses from 419 IT execs from that drilldown and depicts the percentage of workloads their organizations have in the cloud today and what the expectation is three years from now. And you can see it's 27% today and it's nearly 50% in three years. Now the nuance is if you look at the question that ETR asks, they asked about IaaS and PaaS, which to some could include on-prem. Now, let me come back to that. In particular, financial services, IT, telco and retail and services industry cited expectations for the future for three years out that were well above the average of the mean adoption levels. Regardless of how you interpret this data there's most certainly plenty of public cloud in the numbers. And whether you believe cloud is an operating environment or a place out there in the cloud, there's plenty of room for workloads to move into a cloud model well beyond mid this decade. So you know, as ho hum as we've been toward recent as-a-service models announced from the likes of HPE with GreenLake and Dell with APEX, the timing of those offerings may be pretty good actually. Now let's expand on some of the data that we showed a couple weeks ago. This chart shows responses from 282 execs on actions their organizations are taking over the next three months. And the deltas are quite dramatic from the early part of this chart on the left hand side. The brown line is hiring freezes, the black line is freezing IT projects, and the green line is hiring increases and that red line is layoffs. And we put a box around the sort of general area of the isolation economy timeframe. And you can see the wild swings on this chart. By mid last summer, people were kickstarting things and more hiring was going on and the black line shows IT project freezes, you know, came way down. 
And now are on the way back up, as are hiring freezes. So we're seeing these wild swings in organizational actions and strategies which underscores the lack of predictability. As with supply chains around the world, this is likely due to the fact that organizations, pre pandemic they were optimized for efficiency, not a lot of waste rather than business resilience. Meaning, you know, there's again not a lot of fluff in the system or if there was it got flushed out during the pandemic. And so the need for productivity and automation is becoming increasingly important, especially as actions that solely rely on headcount changes are very, very difficult to manage. Now, let's dig into some of the vendor commentary and take a look at some of the names that have momentum and some of the others possibly facing headwinds. Here's a list of companies that stand out in the ETR survey. Snowflake, once again leads the pack with a positive spending outlook. HashiCorp, CrowdStrike, Databricks, Freshworks and ServiceNow, they round out the top six. Microsoft, they seem to always be in the mix, as do a number of other security and related companies including CyberArk, Zscaler, Cloudflare, Elastic, Datadog, Fortinet, Tenable and to a certain extent Akamai, you can kind of put them sort of in that group. You know, CDN, they got to worry about security. Everybody worries about security, but especially the CDNs. Now the other software names that are highlighted here include Workday and Salesforce. On the negative side, you can see Dynatrace saw some negatives in the latest survey especially around its analytics business. Security is generally holding up better than other sectors but it's still seeing greater levels of pressure than it had previously. So lower spend. And defections relative to its observability peers, that's really for Dynatrace. Now the other one that was somewhat surprising is IBM. 
You see that IBM was sort of in that negative realm here but IBM reported an outstanding quarter this past week with double digit revenue growth, strong momentum in software, consulting, mainframes and other infrastructure like storage. It's benefiting from the Kyndryl restructuring and it's on track, IBM, to deliver 10 billion in free cash flow this year. Red Hat is performing exceedingly well and growing in the very high teens. And so look, IBM is in the midst of a major transformation and it seems like a company that is really focused now with hybrid cloud being powered by Red Hat and consulting and a decade plus of AI investments finally paying off. Now the other big thing we'll add is, IBM was once an outstanding acquirer of companies and it seems to be really getting its act together on the M&A front. Yes, Red Hat was a big pill to swallow but IBM has done a number of smaller acquisitions, I think seven this year. Like for example, Turbonomic, which is starting to pay off. Arvind Krishna has the company focused once again. And he and Jim J. Kavanaugh, IBM CFO, seem to be very confident on the guidance that they're giving in their business. So that's a real positive in our view for the industry. Okay, the last thing we'd like to do is take 12 of the companies from the previous chart and plot them in context. Now these companies don't necessarily compete with each other, some do. But they are standouts in the ETR survey and in the market. What we're showing here is a view that we like to often show, it's net score or spending velocity on the vertical axis. And it's a measure, that's a measure of the net percentage of customers that are spending more on a particular platform. So ETR asks, are you spending more or less? They subtract less from the mores. I mean I'm simplifying, but that's what net score is. Now in the horizontal axis, that is a measure of overlap which measures presence or pervasiveness in the dataset. So bigger the better. 
We've inserted a table that informs how the dots in the companies are positioned. These companies are all in the green in terms of net score. And that right most column in the table insert is indicative of their presence in the dataset, the N. So higher, again, is better for both columns. Two other notes, the red dotted line there you see at 40%. Anything over that indicates a highly elevated spending momentum for a given platform. And we purposefully took Microsoft out of the mix in this chart because it skews the data due to its large size. Everybody else would cluster on the left and Microsoft would be all alone in the right. So we take them out. Now as we noted earlier, Snowflake once again leads with a net score of 64%, well above the 40% line. Having said that, while adoption rates for Snowflake remain strong the company's spending velocity in the survey has come down to Earth. And many more customers are shifting from where they were last year and the year before in growth mode i.e. spending more year to year with Snowflake to now shifting more toward flat spending. So a plus or minus 5%. So that puts pressure on Snowflake's net score, just based on the math as to how ETR calculates its proprietary net score methodology. So Snowflake is by no means insulated completely to the macro factors. And this was seen especially in the data in the Fortune 500 cut of the survey for Snowflake. We didn't show that here, just giving you anecdotal commentary from the survey which is backed up by data. So, it showed steeper declines in the Fortune 500 momentum. But overall, Snowflake, very impressive. Now what's more, note the position of Streamlit relative to Databricks. Streamlit is an open source Python framework for developing data driven, data science oriented apps. And it's ironic that its net score and shared N are almost identical to those of Databricks, as the aspirations of Snowflake and Databricks are beginning to collide. 
Now, however, the Databricks net score has held up very well over the past year and is in the 92nd percentile of its machine learning and AI peers. And while it's seeing some softness, like Snowflake in the Fortune 500, Databricks has steadily moved to the right on the X axis over the last several surveys even though it was unable to get to the public markets and do an IPO during the lockdown tech bubble. Let's come back to the chart. ServiceNow is impressive because it's well above the 40% mark and it has 437 shared N on this cut, the largest of any company that we chose to plot here. The only real negative on ServiceNow is, more large customers are keeping spending levels flat. That's putting a little bit of pressure on its net score, but that's just conservatives. It's kind of like Snowflake's, you know, same thing but in a larger scale. But its defections, the ServiceNow as in Snowflake as well. Its defections remain very, very low, really low churn below 2% for ServiceNow, in fact, within the dataset. Now it's interesting to also see Freshworks hit the list. You can see them as one of the few ITSM vendors that has momentum and can potentially take on ServiceNow. Workday, on this chart, it's the other big app player that's above the 40% line and we're only showing Workday HCM, FYI, in this graphic. Its Workday Financials, that offering, is below the 40% line just for reference. Now let's talk about CrowdStrike. We attended Falcon last month, CrowdStrike's user conference and we're very impressed with the product vision, the company's execution, its growing partnerships. And you can see in this graphic, the ETR survey data confirms the company's stellar performance with a net score at 50%, well above the 40% mark. And importantly, more than 300 mentions. That's second only to ServiceNow, amongst the 12 companies that we've chosen to highlight here. Only Microsoft, which is not shown here, has a higher net score in the security space than CrowdStrike. 
And when it comes to presence, CrowdStrike now has caught up to Splunk in terms of pervasion in the survey. Now CyberArk and Zscaler are the other two security firms that are right at that 40% red dotted line. CyberArk, for names with over a hundred citations in the security sector, is only behind Microsoft and CrowdStrike. Zscaler for its part in the survey is seeing strong momentum in the Fortune 500, unlike what we said for Snowflake. And its pervasion on the X-axis has been steadily increasing. Again, not that Snowflake and CrowdStrike compete with each other but they're two prominent names and it's just interesting to compare peers and business models. Cloudflare, Elastic and Datadog are slightly below the 40% mark but they made the sort of top 12 that we showed to highlight here and they continue to have positive sentiment in the survey. So, what are the big takeaways from this latest survey, this really quick snapshot that we've taken? As you know, over the next several weeks we're going to dig into it more and more. As we've previously reported, the tide is going out and it's taking virtually all the tech ships with it. But in many ways the current market is a story of heightened expectations coming down to Earth, miscalculations about the economic patterns and the swings and imperfect visibility. Leading Barclays analyst, Raimo Lenschow, asked the question, to guide or not to guide, in a recent research note he wrote. His point being, should companies guide or should they be more cautious? Many companies, if not most companies, are actually giving guidance. Indeed, when companies like Oracle and IBM are emphatic about their near term outlook and their visibility, it gives one confidence. On the other hand, reasonable people are asking, will the red hot valuations that we saw over the last two years from the likes of Snowflake, CrowdStrike, MongoDB, Okta, Zscaler, and others. Will they return? 
Or are we in for a long, drawn out, sideways exercise before we see sustained momentum? And to that uncertainty, we add elections and public policy. It's very hard to predict right now. I'm sorry to be like a two-handed lawyer, you know. On the one hand, on the other hand. But that's just the way it is. Let's just say for our part, we think that once it's clear that interest rates are on their way back down and will stabilize at under 4% and we have clarity on the direction of inflation, wages, unemployment and geopolitics, the wild swings in sentiment will subside. But when that happens is anyone's guess. If I had to peg, I'd say 18 months, which puts us at least into the spring of 2024. What's your prediction? You know, it's almost that time of year. Let's hear it. Please keep in touch and let us know what you think. Okay, that's it for now. Many thanks to Alex Myerson. He is on production and he manages the podcast for us. Ken Schiffman as well is our newest addition to the Boston Studio. Kristin Martin and Cheryl Knight, they help get the word out on social media and in our newsletters. And Rob Hoff is our EIC, editor-in-chief over at SiliconANGLE. He does some wonderful editing for us. Thank you all. Remember all these episodes, they are available as podcasts. Wherever you listen, just search breaking analysis podcast. I publish each week on wikibon.com and siliconangle.com. Or you can email me at david.vellante@siliconangle.com or DM me @dvellante. Or feel free to comment on our LinkedIn posts. And please do check out etr.ai. They've got the best survey data in the enterprise tech business. If you haven't checked that out, you should. It'll give you an advantage. This is Dave Vellante for theCUBE Insights Powered by ETR. Thanks for watching. Be well and we'll see you next time on Breaking Analysis. (soft upbeat music)

Published Date : Oct 23 2022

Horizon3.ai Signal | Horizon3.ai Partner Program Expands Internationally


 

Hello, I'm John Furrier with theCUBE, and welcome to this special presentation of theCUBE and Horizon3.ai. They're announcing a global partner-first approach, expanding their successful pen testing product NodeZero. You're going to hear from leading experts in their staff, their CEO, positioning themselves for a successful channel distribution expansion internationally in Europe, Middle East, Africa and Asia Pacific. In this CUBE special presentation you'll hear about the expansion, the expanse partner program giving partners a unique opportunity to offer NodeZero to their customers. Innovation in pen testing is going international with Horizon3.ai. Enjoy the program. [Music] Welcome back everyone to theCUBE and Horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We're here with Jennifer Lee, head of channel sales at Horizon3.ai. Jennifer, welcome to theCUBE, thanks for coming on. Great, well, thank you for having me. So big news around Horizon3.ai driving channel-first commitment. You guys are expanding the channel partner program to include all kinds of new rewards, incentives, training programs, help educate, you know, partners, really drive more recurring revenue. Certainly cloud and cloud scale has done that. You got a great product that fits into that kind of channel model, great services you can wrap around it, good stuff. So let's get into it. What are you guys doing, what are, what are you guys doing with this news? Why is this so important? Yeah, for sure. So, um, yeah, we, like you said, we recently expanded our channel partner program. Um, the driving force behind it was really just, um, to align our, like you said, our channel-first commitment, um, and creating awareness around the importance of our partner ecosystems. Um, so that's, it's really how we go to market, is, is through the channel. And a great international focus. I've talked with the CEO, so, you know, about the solution, and he broke down all the action on why it's important on the product side, but why now on the go-to-market 
change? What's the, what's the why behind this big, this news on the channel? Yeah, for sure. So, um, we are doing this now really to align our business strategy, which is built on the concept of enabling our partners to create a high-value, high-margin business on top of our platform. And so, um, we offer a solution called NodeZero. It provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture. Um, so we, our company vision, we have this tagline that states that our pen testing enables organizations to see themselves through the eyes of an attacker, and, um, we use the, like, the attacker's perspective to identify exploitable weaknesses and vulnerabilities. So we created this partner program from a perspective of the partner, so the partner's perspective, and we've built it through the eyes of our partner, right? So we're prioritizing really what the partner is looking for and, uh, will ensure like mutual success for us. Yeah, the partners always want to get in front of the customers and bring new stuff to them. Pen tests have traditionally been really expensive, uh, and so bringing it down in one to a service level that's one affordable and has flexibility to it allows a lot of capability, so I imagine people getting excited by it. So I have to ask you about the program. What specifically are you guys doing? Can you share any details around what it means for the partners, what they get, what's in it for them? Can you just break down some of the mechanics and mechanisms or, or details? Yeah, yep. Um, you know, we're really looking to create business alignment, um, and like I said, establish mutual success with our partners. So we've got two, um, two key elements that we were really focused on, um, that we bring to the partners. So the opportunity, the profit margin expansion, is one of them, and, um, a way for our partners to really differentiate themselves and stay relevant in the market. So, um, we've restructured our discount model really, um, you know, highlighting 
profitability and maximizing profitability, and, uh, this includes our deal registration. We've, we've created deal registration program, we've increased discount for partners who take part in our partner certification, uh, trainings, and we've, we have some other partner incentives, uh, that we, we've created that, that's going to help out there. We've, we put this all, so we've recently gone live with our partner portal. Um, it's a consolidated experience for our partners where they can access our, our sales tools, and we really view our partners as an extension of our sales and technical teams, and so we've extended all of our, our training material that we use internally, we've made it available to our partners through our partner portal. Um, we've, um, I'm trying, I'm thinking now back what else is in that partner portal here. We've got our partner certification information, so all the content that's delivered during that training can be found in the portal. We've got deal registration, uh, um, co-branded marketing materials, pipeline management, and so, um, this, this portal gives our partners a one-stop place to, to go to find all that information. Um, and then just really quickly on the second part of that that I mentioned is our technology really is, um, really disruptive to the market. So, you know, like you said, autonomous pen testing, it's, um, it's still, it's, well, it's still, still relatively new topic, uh, for security practitioners, and, um, it's proven to be really disruptive. So, um, that on top of, um, just, well, recently we found an article that, um, that mentioned by MarketsandMarkets that reports that the global pen testing market's really expanding, and so it's expected to grow to like 2.7 billion, um, by 2027. 
So the market's there, right? The market's expanding, it's growing, and so for our partners it's just really allows them to grow their revenue, um, across their customer base, expand their customer base, and offering this high profit margin while, you know, getting in early to market on this just disruptive technology. Big market, a lot of opportunities to make some money. People love to put more margin on, on those deals, especially when you can bring a great solution that everyone knows is hard to do, so I think that's going to provide a lot of value. Is there, is there a type of partner that you guys see emerging or you aligning with? You mentioned the alignment with the partners. I can see how that the training and the incentives are all there, sounds like it's all going well. Is there a type of partner that's resonating the most, or is there categories of partners that can take advantage of this? Yeah, absolutely. So we work with all different kinds of partners. We work with our traditional resale partners, um, we've worked, we're working with systems integrators, we have a really strong MSP/MSSP program, um, we've got consulting partners, and the consulting partners especially with the ones that offer pen test services, so we, they use us as a, as we act as a force multiplier, just really offering them profit margin expansion, um, opportunity there. We've got some technology partner, partners that we really work with for co-sell opportunities, and then we've got our cloud partners. Um, you'd mentioned that earlier, and so we are in AWS Marketplace, so our CPPO partners, we're part of the ISV Accelerate program, um, so we, we're doing a lot there with our cloud partners, and, um, of course we, uh, we go to market with, uh, distribution partners as well. Gotta love the opportunity for more margin expansion. Every kind of partner wants to put more gross profit on their deals. Is there a certification involved? I have to ask, is there, like, do you get, do people get certified or is it just you get trained? Is it self-paced 
training, is it in person? How are you guys doing the whole training certification thing? Because is that, is that a requirement? Yeah, absolutely. So we do offer a certification program and, um, it's been very popular. This includes a, a seller's portion and an operator portion, and, and so, um, this is at no cost to our partners, and, um, we operate both virtually, it's, it's, it's virtually but live, it's not self-paced, and we also have in person, um, you know, sessions as well. And we also can customize these to any partners that have a large group of people, and we can just, we can do one in person or virtual just specifically for that partner. Well, any kind of incentive opportunities and marketing opportunities? Everyone loves to get the, uh, get the deals just kind of rolling in. Leads, from what we can see in our early reporting, this looks like a hot product, price wise, service level wise. What incentive do you guys thinking about, and, and joint marketing? You mentioned co-sell earlier and pipeline, so I was kind of, kind of honing in on that piece. Sure, and yes, and then to follow along with our partner certification program, we do incentivize our partners there. If they have a certain number certified, their discount increases, so that's part of it. We have our deal registration program that increases discount as well, um, and then we do have some, um, some partner incentives that are wrapped around meeting setting and, um, moving, moving opportunities along to, uh, proof of value. Gotta love the education driving value. I have to ask you, so you've been around the industry, you've seen the channel relationships out there, you're seeing companies old school, new school. You know, uh, Horizon3.ai is kind of like that new school, very cloud specific, a lot of leverage with, we mentioned AWS and all the clouds. Um, why is the company so hot right now? Why did you join them, and what's, why are people attracted to this company? What's the, what's the attraction, what's the vibe? What do you, what do you see and what, what do you use, 
what did you see in, in this company? Well, this is just, you know, like I said, it's very disruptive. Um, it's really in high demand right now, and, um, and, and just because, because it's new to market and, uh, a newer technology. So we are, we can collaborate with a manual pen tester, um, we can, you know, we can allow our customers to run their pen test, um, with, with no specialty teams, and, um, and, and then so we, and like, you know, like I said, we can allow our partners can actually build businesses, profitable businesses, so we can, they can use our product to increase their services revenue and, um, and build their business model, you know, around, around our services. What's interesting about the pen test thing is that it's very expensive and time consuming. The people who do them are very talented people that could be working on really bigger things in the, in, absolutely, customers. So bringing this into the channel allows them, if you look at the price delta between a pen test and then what you guys are offering, I mean, that's a huge margin gap between street price of, say, today's pen test and what you guys offer. When you show people that, they follow? Do they say too good to be true? I mean, what are some of the things that people say when you kind of show them that? Are they like scratch their head, like, come on, what's the, what's the catch here? Right, so the cost savings is a huge, is huge for us. Um, and then also, you know, like I said, working as a force multiplier with a pen testing company that offers the services, and so they can, they can do their, their annual manual pen tests that may be required around compliance regulations, and then we can, we can act as the continuous verification of their security, um, um, you know, that, that they can run, um, weekly. And so it's just, um, you know, it's just an addition to, to what they're offering already and an expansion. So Jennifer, thanks for coming on theCUBE, really appreciate you, uh, coming on, sharing the insights on the channel. Uh, what's next? What can we expect from the 
channel group? What are you thinking, what's going on? Right, so we're really looking to expand our, our channel, um, footprint, and, um, very strategically. Uh, we've got, um, we've got some big plans, um, for, for Horizon3.ai. Awesome, well, thanks for coming on, really appreciate it. You're watching theCUBE, the leader in high tech enterprise coverage. [Music] [Music] Hello and welcome to theCUBE's special presentation with Horizon3.ai, with Rainer Richter, vice president of EMEA, Europe, Middle East and Africa, and Asia Pacific, APAC, for Horizon3 today. Welcome to this special CUBE presentation, thanks for joining us. Thank you for the invitation. So Horizon3.ai driving global expansion, big international news with a partner-first approach. You guys are expanding internationally, let's get into it. You guys are driving this new expanse partner program to new heights, tell us about it. What are you seeing in the momentum? Why the expansion, what's all the news about? Well, I would say, uh, yeah, in, in international we have, I would say, a similar, similar situation like in the US. Um, there is a global shortage of well-educated penetration testers on the one hand side. On the other side, um, we have a rising demand of, uh, network and infrastructure security, and with our approach of an, uh, autonomous penetration testing, I, I believe we are totally on top of the game, um, especially as we have also now, uh, starting with an international instance. That means, for example, if a customer in Europe is using, uh, our service NodeZero, he will be connected to a NodeZero instance which is located inside the European Union, and therefore he has, doesn't have to worry about the conflict between the European, the GDPR regulations, versus the US CLOUD Act. And I would say there we have a total good package for our partners, that they can provide differentiators to their customers. You know, we've had great conversations here on theCUBE with the CEO and the founder of the company around the leverage of the cloud and how successful that's 
been for the company, and honestly I can just connect the dots here, but I'd like you to weigh in more on how that translates into the go-to-market here, because you got great cloud scale with, with the security product. You guys are having success with great leverage there, I've seen a lot of success there. What's the momentum on the channel partner program internationally? Why is it so important to you? Is it just the regional segmentation, is it the economics? Why the momentum? Well, there are, it's, there are multiple issues. First of all, there is a rising demand in penetration testing. Um, and don't forget that, uh, in international we have a much higher level in number, a number or percentage, in SMB and mid-market customers. So these customers, typically most of them even didn't have a pen test done once a year, so for them pen testing was just too expensive. Now with our offering together with our partners we can provide different, uh, ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with, with a traditional manual pen test. So, and that is because we have our, uh, Consulting Plus package, which is for typically pen testers. They can go out and can do a much faster, much quicker, and their pen test at many customers once in after each other, so they can do more pen tests on a lower, more attractive price. On the other side, there are others, what even the same ones, who are providing, um, NodeZero as an MSSP service, so they can go after SMB customers saying, okay, well, you only have a couple of hundred, uh, IP addresses, no worries, we have the perfect package for you. And then you have, let's say, the mid-market, let's say the thousands and more employees, then they might even have an annual subscription, very traditional. But for all of them it's all the same: the customer or the service provider doesn't need a piece of hardware, they only need to install a small piece of a Docker container and that's it. And that makes it so, so smooth to 
go in and say, okay, Mr. Customer, we just put in this, this virtual attacker into your network and that's it, and, and all the rest is done, and within, within three clicks they are, they can act like a pen tester with 20 years of experience. And that's going to be very channel friendly and partner friendly, I can almost imagine. So I have to ask you, and thank you for calling the break, calling out that breakdown and, and segmentation, that was good, that was very helpful for me to understand, but I want to follow up if you don't mind. Um, what type of partners are you seeing the most traction with, and why? Well, I would say at the beginning typically you have the, the innovators, the early adopters, typically boutique size of partners. They start because they, they are always looking for innovation, and those are the ones you, they start in the beginning. So we have a wide range of partners having mostly even, um, managed by the owner of the company, so, uh, they immediately understand, okay, there is the value, and they can change their offering. They're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones. Or we have those ones who offer pen test services but they did not have their own pen testers, so they had to go out on the open market and source pen testing experts, um, to get the pen test at a particular customer done, and now with NodeZero they're totally independent. They can go out and say, okay, Mr. Customer, here's the, here's the service, that's it, we turn it on and within an hour you're up and running. Totally. Yeah, and those pen tests are usually expensive and hard to do, now it's right in line with the sales delivery. Pretty interesting for a partner. Absolutely, but on the other hand side, we are not killing the pen testers' business. We do something, we're providing with NodeZero, I would call something like the foundation work, the foundational work of having an, an ongoing penetration testing of the infrastructure, the operating 
system, and the pen testers by themselves, they can concentrate in the future on things like application pen testing, for example, so those services which we're not touching. So we're not killing the pen tester market; we're just taking away the ongoing, let's say, foundation work, call it that way.

Yeah, yeah, that was one of my questions I was going to ask. There's a lot of interest in this autonomous pen testing, one, because it's expensive to do, because those skills that are required are in need and they're expensive, so you kind of cover the entry level and the blockers that are in there. I've seen people say to me, this pen test becomes a blocker for getting things done. So there's been a lot of interest in the autonomous pen testing and for organizations to have that posture, and it's an overseas issue too, because now you have that ongoing thing. So can you explain that particular benefit for an organization, to have that continuously verifying an organization's posture?

Yep, certainly. So I would say typically you have to do your patches, you have to bring in new versions of operating systems, of different services, of operating systems, of some components, and they are always bringing new vulnerabilities. The difference here is that with NodeZero we are telling the customer or the partner package, we're telling them which are the executable vulnerabilities. Because previously they might have had a vulnerability scanner, so this vulnerability scanner brought up hundreds or even thousands of CVEs but didn't say anything about which of them are vulnerable, really executable, and then you need an expert digging in one CVE after the other, finding out, is it really executable, yes or no? And that is where you need highly paid experts, which we have a shortage of. So with NodeZero now we can say, okay, we tell you exactly which ones are the ones you should work on, because those are the ones which are executable. We rank them accordingly to the risk level, how
easily they can be used, and by a sudden, and then the good thing is, converted, or in difference to the traditional penetration test, they don't have to wait for a year for the next pen test to find out if the fixing was effective; they run just the next scan and say, yes, closed, vulnerability is gone.

The time is really valuable, and if you're doing any DevOps, cloud native, you're always pushing new things, so ongoing pen testing is actually a benefit just in general, as a kind of hygiene. So really, really interesting solution; bringing that global scale is going to be a new coverage area for us, for sure. I have to ask you, if you don't mind answering, what particular region are you focused on or plan to target for this next phase of growth?

Well, at this moment we are concentrating on the countries inside the European Union plus the United Kingdom. And of course, logically, I'm based in the Frankfurt area; that means we cover more or less the countries just around, so it's like the total DACH region, Germany, Switzerland, Austria, plus the Netherlands. But we also already have partners in the Nordics, like in Finland or in Sweden. We have partners already in the UK, and it's rapidly growing. So for example, we are now starting with some activities in Singapore and also in the Middle East area. Very important: depending on, let's say, the way how to do business, currently we try to concentrate on those countries where we can have, let's say, at least English as an accepted business language.

Great. Is there any particular region you're having the most success with right now? It sounds like European Union's kind of first wave, what's them?

Yes, that's the first, definitely that's the first wave. And now we're also getting the European instance up and running. It's clearly our commitment also to the market, saying, okay, we know there are certain dedicated requirements and we take care of this
and we're just launching it. We're building up this one, the instance, in the AWS service center here in Frankfurt, also with some dedicated hardware in a data center in Frankfurt, where we have, with the DE-CIX, by the way, the highest internet interconnection bandwidth on the planet, so we have very short latency to wherever you are on the globe.

That's a great call-out benefit too. I was going to ask that: what are some of the benefits your partners are seeing in EMEA and Asia Pacific?

Well, I would say the benefit for them is clearly they can talk with customers and can offer customers penetration testing which they before even didn't think about, because penetration testing in a traditional way was simply too expensive for them, too complex, the preparation time was too long, they didn't even have the capacity to support an external pen tester. Now with this service you can go in and say, even if they, Mr. Customer, we can do a test with you in a couple of minutes; we have installed the Docker container, within 10 minutes we have the pen test started, that's it, and then we just wait. And I would say we are seeing so many aha moments now, because on the partner side, when they see NodeZero the first time working, it's like, wow, that is great. And then they work out to customers and show it to their, typically at the beginning, mostly the friendly customers, like, wow, that's great, I need that. And I would say the feedback from the partners is: that is a service where I do not have to evangelize the customer. Everybody understands penetration testing; I don't have to describe what it is. The customer understands immediately: yes, penetration testing, good about that, I know I should do it, but too complex, too expensive. Now with the name is, for example, as an MSSP service provided from one of our partners, but it's
getting easy.

Yeah, it's great, and it's a great benefit there. I mean, I gotta say I'm a huge fan of what you guys are doing. I like this continuous automation; that's a major benefit to anyone doing DevOps or any kind of modern application development. This is just a godsend for them, this is really good. And like you said, the pen testers that are doing it, they were kind of coming down from their expertise to kind of do things that should have been automated; they get to focus on the bigger ticket items. That's a really big point.

So we free them, we free the pen testers for the higher-level elements of the penetration testing segment, and that is typically the application testing, which is currently far away from being automated.

Yeah, and that's where the most critical workloads are, and I think this is the nice balance. Congratulations on the international expansion of the program, and thanks for coming on this special presentation. I really appreciate it, thank you.

You're welcome.

Okay, this is theCUBE special presentation. Check out pen test automation, international expansion, Horizon 3.ai, a really innovative solution. In our next segment, Chris Hill, sector head for strategic accounts, will discuss the power of Horizon 3.ai and Splunk in action. You're watching theCUBE, the leader in high tech enterprise coverage.

Welcome back, everyone, to theCUBE and Horizon 3.ai special presentation. I'm John Furrier, host of theCUBE. We're with Chris Hill, sector head for strategic accounts and federal at Horizon 3.ai, a great innovative company. Chris, great to see you, thanks for coming on theCUBE.

Yeah, like I said, great to meet you, John. Long time listener, first time caller, so excited to be here with you guys.

Yeah, we were talking before camera, you had Splunk back in 2013, and I think 2012 was our first Splunk .conf, and boy, man, talk about being in the right place at the right time. Now we're at another inflection point, and Splunk continues to be
relevant and continuing to have that data driving security in that interplay. And your CEO, former CTO of Splunk as well, at Horizon, who's been on before. Really innovative product you guys have. But, you know, "don't wait for a breach to find out if you're logging the right data", this is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. Tell us, what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand NodeZero out internationally?

Yeah, well, so across, so, you know, my role within Splunk, it was working with our most strategic accounts. And so I look back to 2013 and I think about the sales process, like working with our small customers; it was still very siloed back then. Like, I was selling to an IT team that was either using this for IT operations; we generally would always even say, yeah, although we do security, we weren't really designed for it, we're a log management tool. And I'm sure you remember back then, John, we were like sort of stepping into the security space, and in the public sector domain that I was in, security was 70 percent of what we did. When I look back to sort of the transformation that I was witnessing in that digital transformation, when I look at like 2019 to today, you look at how the IT team and the security teams have been forced to break down those barriers, that they used to sort of be siloed away, would not communicate; the security guys would be like, oh, this is my box, IT, you're not allowed in. Today you can't get away with that. And I think that the value that we bring to, you know, and of course Splunk has been a huge leader in that space and continues to do innovation across the board, but I think what we're seeing in the space, and I was talking with Patrick Coughlin, the SVP of security markets, about this, is that, you know, what we've
been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data. So Splunk itself is, you know, it's an ingest engine, right? The great reason people bought it was you could build these really fast dashboards and grab intelligence out of it, but without data it doesn't do anything, right? So how do you drive and how do you bring more data in, and most importantly from a customer perspective, how do you bring the right data in? And so if you think about what NodeZero and what we're doing at Horizon 3 is that, sure, we do pen testing, but because we're an autonomous pen testing tool we do it continuously. So this whole thought of, oh crud, like my customers, oh yeah, we got a pen test coming up, it's gonna be six weeks, the week, oh yeah, you know, and everyone's gonna sit on their hands, call me back in two months, Chris, we'll talk to you then, right? Not a real efficient way to test your environment. And shoot, we saw that with Uber this week, right? And that's a case where we could have helped.

Oh, just, right, we could explain the Uber thing, because it was a contractor. Just give a quick highlight of what happened so you can connect the dots.

Yeah, no problem. So it was, I think it was one of those games where they would try and test an environment, and what the pen tester did was he kept on calling the MFA guys, being like, I need to reset my password, we need to reset my password, and eventually the customer service guy said, okay, I'm resetting it. Once he had reset and bypassed the multi-factor authentication, he then was able to get in and get access to the building area that he was in, or I think not the domain, but he was able to gain access to a partial part of that network. He then paralleled over to what I would assume is like a VMware or some virtual machine that had notes that had all of the credentials for logging into various domains, and so within minutes they had access. And that's the
sort of stuff that we do. You know, a lot of these tools, you think about the cacophony of tools that are out there in a ZTA architecture, right? I'm gonna get like a Zscaler, or I'm going to have Okta, and I have a Splunk, I've been into the SOAR system, I mean, I don't mean to name names, we have CrowdStrike or SentinelOne in there. It's just a cacophony of things that don't work together; they weren't designed to work together. And so we have seen so many times in our business, through our customer support and just working with customers when we do their pen tests, that there will be 5,000 servers out there, three are misconfigured; those three misconfigurations will create the open door, because remember, the hacker only needs to be right once, the defender needs to be right all the time, and that's the challenge. And so that's what I'm really passionate about, what we're doing here at Horizon 3. I see this, my digital transformation, migration and security going on, which we're at the tip of the spear. It's why I joined Snehal coming on this journey, and just super excited about where the path's going and super excited about the relationship with Splunk. I'll get into more details on some of the specifics of that, but, you know...

Well, you're nailing it. I mean, we've been doing a lot of things on supercloud and this next-gen environment, we're calling it next gen. You're really seeing DevOps, obviously DevSecOps has already won, the IT role has moved to the developer, shift left is an indicator of that, it's one of the many examples, higher velocity code, software supply chain, you hear these things. That means that IT is now in the developer's hands; it is replaced by the new ops, data ops teams, and security, where there's a lot of horizontal thinking. To your point about access, there's no more perimeter, huge, 100 percent right, is really right on. Things one time, you know, to get in there; once you're in, then you can hang out, move around, move laterally. Big problem. Okay, so we
get that. Now, the challenges for these teams as they are transitioning organizationally: how do they figure out what to do? Okay, this is the next step. They already have Splunk, so now they're kind of in transition while protecting for a hundred percent ratio of success. So how would you look at that and describe the challenge? What do they do, what are the teams facing with their data, and what's next, what action do they take?

So let's use some vernacular that folks will know. So if I think about DevSecOps, right, we both know what that means, that I'm going to build security into the app. It normally talks about SecDevOps, right, how am I building security around the perimeter of what's going inside my ecosystem and what are they doing. And so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from soup to nuts, right? So I'm going to test the endpoints through to its, I'm going to look for misconfigurations, I'm going to look for exposed credentials, I'm going to look for anything I can in the environment. Again, I'm going to do it at light speed. And what we're doing for that SecDevOps space is to, you know, did you detect that we were in your environment? So did we alert Splunk or the SIEM that there's someone in the environment laterally moving around? More importantly, did they log us into their environment, and when do they detect that log, to trigger that log? Did they alert on us? And then finally, most importantly for every CSO out there is going to be, did they stop us? And so that's how we do this. And I think, when speaking with Snehal before, you know, we've come up with this boils, but we call it find, fix, verify. So what we do is we go in, we act as the attacker, right? We act in a production environment, so we're not going to be, we're a passive attacker, but we will go in on credentialed on agents, but we have to assume
to have an assumed breach model, which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment. So we're going to go out and do an asset survey. Now that's not something that Splunk does super well, you know, so can Splunk see all the assets, do the same assets marry up? We're going to log all that data and then load that into the Splunk SIEM or the Splunk logging tools just to have it in enterprise, right? That's an immediate feature add that they've got. And then we've got the fix. So once we've completed our pen test, we are then going to generate a report, and we can talk about these a little bit later, but the reports will show an executive summary, the assets that we found, which would be your asset discovery aspect of that, a fix report, and the fix report I think is probably the most important one. It will go down and identify what we did, how we did it, and then how to fix that. And then from that, the pen tester or the organization should fix those, then they go back and run another test, and then they validate, like a change detection environment, to see, hey, did those fixes take place? And you know, Snehal, when he was the CTO of JSOC, he shared with me a number of times about, it's like, man, there would be 15 more items on next week's punch sheet that we didn't know about. And it has to do with how they were prioritizing the CVEs and whatnot, because they would take all CVEs, it was critical or non-critical, and it's like, we are able to create context in that environment that feeds better information into Splunk and whatnot.

That brings up the efficiency for Splunk, specifically the teams out there. By the way, the burnout thing is real. I mean, this whole "I just finished my list and I got 15 more" or whatever, the list just keeps growing. How did NodeZero specifically help Splunk teams be more efficient? Like, that's the question I want to get at,
because this seems like a very scalable way for Splunk customers and teams, service teams, to be more. So the question is, how does NodeZero help make Splunk, specifically their service teams, be more efficient?

So today, in our early interactions we're building customers; what we've seen are five things, and I'll start with sort of identifying the blind spots, right? So kind of what I just talked about with you: did we detect, did we log, did we alert, did they stop NodeZero, right? And so I would put that in, you know, a more layman's third-grade term, and if I was going to beat a fifth grader at this game, would be: we can be the sparring partner for a Splunk Enterprise customer, a Splunk Essentials customer, someone using Splunk SOAR, or even just an enterprise Splunk customer that may be a small shop with three people and just wants to know, where am I exposed? So by creating and generating these reports, and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in. And then where that then comes in is number two, is how do we prioritize those logs, right? So how do we create visibility to logs that have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact regard, and also not all are low, right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission-critical AP, CPE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it; that would be very bad. And then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at, and they'll literate themselves, they don't do asset discovery. So, dude, what assets do we see and what are they logging from that? And then, for every event that they are able to identify, one of the cool things that we can do is actually create this low-code, no-code environment, so, you know, Splunk customers
can use Splunk SOAR to actually triage events and prioritize that event, so where they're being routed within it, to optimize the SOC team's time to market or time to triage any given event, obviously reducing MTTR. And then finally, I think one of the neatest things that we'll be seeing us develop is our ability to build glass tables. So behind me you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to the community. We're going to have the ability, in the not too distant future, to allow people to search, observe on those IOCs, and if people aren't familiar with it, IOC, it's an instant of a compromise, so that's a vector that we want to drill into. And of course, who's better at drilling in the data than Splunk?

Yeah, this is a critical, this is an awesome synergy there. I mean, I can see a Splunk customer going, man, this just gives me so much more capability, actionability, and also real understanding. And I think this is what I want to dig into, if you don't mind: understanding that critical impact. Okay, this is kind of where I see this coming. Got the data, data ingest, now data's data, but the question is what not to log, you know, where are things misconfigured? These are critical questions. So can you talk about what it means to understand critical impact?

Yeah, so I think, you know, going back to the things that I just spoke about, a lot of those CVEs where you'll see low, low, low, and then you daisy chain together and they're suddenly like, oh, this is high now. But then your other impact of, like, if you're a Splunk customer, you know, and I had several of them, I had one customer that, you know, terabytes of McAfee data being brought in, and it was like, all right, there's a lot of other data that you probably also want to bring, but they could only afford, wanted to do certain data sets, because that's, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say,
hey, these are the critical ones to bring in, but there's also the ones that you don't necessarily need to bring in, because low CVE in this case really does mean low CVE. Like, an iLO server would be one, that's the print server, where your admin credentials are on, like, a printer, and so there will be credentials on that; that's something that a hacker might go in to look at. So although the CVE on it is low, if you daisy chain with somebody that's able to get into that, you might say, ah, that's high, and we would then potentially rank it, giving our AI logic, to say that's a moderate. So put it on the scale and we prioritize those, versus all of these scanners just going to give you a bunch of CVEs and good luck.

And translating that, if I can, and tell me if I'm wrong, that kind of speaks to that whole lateral movement, that's it, challenge, right? Print server, a great example: looks stupid, low end, who's going to want to deal with the print server? Oh, but it's connected into a critical system, there's a path. Is that kind of what you're getting at?

Yeah, I use daisy chain, I think that's from the community they came from, but it's just a lateral movement. It's exactly what they're doing; in those low-level, low-critical lateral movements is where the hackers are getting in, right? So that's the beauty thing about the Uber example, is that who would have thought, you know, I've got my multi-factor authentication going, and a human made a mistake. We can't not expect humans to make mistakes; we're fallible, right? The reality is, once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials, that would have stopped the breach, and they had not done that in their environment. And I'm not poking...

Yeah, but it's an interesting trend though. I mean, it's obvious, sometimes those low-end items are also not protected well, so it's easy to get at from a hacker standpoint,
but also the people in charge of them can be phished easily or spear phished, because they're not paying attention, because they don't have to; no one ever told them, hey, be careful.

Yeah, for the community that I came from, John, that's exactly how they would meet you at an international event, introduce themselves as a graduate student; these are national actor states. "Would you mind reviewing my thesis on such and such?" And I was at Adobe at the time that I was working on this. Instead of having to get the PDF, they opened the PDF, and whoever that customer was, launches. And I don't know if you remember back in like the 2008 time frame, there was a lot of issues around IP being stolen by a nation state from the United States, and that's exactly how they did it. And John, that's...

Or LinkedIn: hey, I want to get a job, we want to hire you, double the salary. Oh, I'm gonna click on that for sure, you know.

Yeah, right, exactly. Yeah, the one thing I would say to you is, like, when we look at, like, sort of, you know, because I think we did 10,000 pen tests last year, it's probably over that now, you know, we have these sort of top 10 ways that we think and find people coming into the environment. The funniest thing is that only one of them is a CVE-related vulnerability. Like, you guys know what they are, right? So it's like two percent of the attacks are occurring through the CVEs, but yeah, there's all that attention spent to that and very little attention spent to this pen testing side, which is sort of this continuous threat monitoring space and this vulnerability space, where I think we play such an important role, and I'm so excited to be a part of the tip of the spear on this one.

Yeah, I'm old enough to know the movie Sneakers, which I loved, you know, watching that movie, professional hackers are testing, testing, always testing the environment. I love this. I've got to ask you, as we kind of wrap up here, Chris, if you don't mind, the
benefits to professional services from this alliance. Big news, Splunk and you guys work well together, we see that clearly. What other benefits do professional services teams see from the Splunk and Horizon 3.ai alliance?

So I think, from both of our partners, as we bring these guys together, and many of them already are the same partner, right, is that first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the number of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in, and we'll license to MSPs and what that business model on MSPs looks like. But the unique thing that we do here is this C-plus license, and so the Consulting Plus license allows, like, somebody small to mid-sized to some very large, you know, Fortune 100 consulting firms use this, by buying into a license called Consulting Plus, where they can have unlimited access to as many IPs as they want, but you can only run one test at a time. And as you can imagine, when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. But for the right customer it's a perfect tool, and so I'm so excited about our ability to go to market with our partners, so that we ourselves understand how not to just sell to, or not just to sell through, but we know how to sell with them as a good vendor partner. I think that that's one thing that we've done a really good job bringing into the market.

Yeah, I think also Splunk has had great success in how they've enabled partners and professional services.

Absolutely.

You know, the services that layer on top of Splunk are multi-fold, tons of great benefits. So you guys vector right into that, ride that way with friction.

And the cool thing is that, you know, in one of our reports, which could be
totally customized with someone else's logo, we're going to generate, you know, so I used to work in another organization, it wasn't Splunk, but we did pen testing for customers, and my pen testers would come on site, they'd do the engagement, and they would leave. And then another release, someone would be, oh shoot, we got another sector that was breached, and they'd call you back, you know, four weeks later. And so by August our entire pen testing teams would be sold out, and it would be like, well, even in March maybe, and they're like, no, no, I've got a breach now. And then when they do go in, they go through, do the pen test, and they hand over a PDF and they pat on the back and say, there's where your problems are, you need to fix it. And the reality is that what we're going to generate, completely autonomously with no human interaction, is we're going to go and find all the permutations of anything we found and the fix for those permutations, and then once you've fixed everything you just go back and run another pen test. You know, for what people pay for one pen test, they can have a tool that does that every Patch Tuesday, and that's on Wednesday, you know, triage throughout the week.

Green, yellow, red. I wanted to see the colors, show me green. Green is good, right? Not red.

And what CIO doesn't want, who doesn't want that dashboard, right? It's exactly it. And we can help bring, I think that, you know, I'm really excited about helping drive this with the Splunk team, because they get that, they understand that it's the green, yellow, red dashboard, and how do we help them find more green, so that the other guys are in red.

Yeah, and get in the data and do the right thing and be efficient with how you use the data, know what to look at, so many things to pay attention to, you know, the combination of both, and then go-to-market strategy, real brilliant. Congratulations, Chris, thanks for coming on and sharing this news with the detail around the Splunk in
action around the alliance. Thanks for sharing.

John, my pleasure. Thanks, look forward to seeing you soon.

All right, great. We'll follow up and do another segment on DevOps and IT and security teams as the new new ops, and supercloud, a bunch of other stuff. So thanks for coming on. And in our next segment, the CEO of Horizon 3.ai will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage.

Yeah, the partner program for us has been fantastic. You know, I think prior to that, as most organizations, most Farmers, most MSSPs might not necessarily have a bench at all for penetration testing; maybe they subcontract this work out or maybe they do it themselves, but trying to staff that kind of position can be incredibly difficult. For us, this was a differentiator, a new partnership that allowed us to not only perform services for our customers but be able to provide a product by which they can do it themselves. So we work with our customers in a variety of ways. Some of them want more routine testing and perform this themselves, but we're also a certified service provider of Horizon 3, being able to perform penetration tests, help review the data, provide color, provide analysis for our customers in a broader sense, right, not necessarily the black and white elements of, you know, what's critical, what's high, what's medium, what's low, what you need to fix, but are there systemic issues? This has allowed us to onboard new customers; this has allowed us to migrate some penetration testing services to us from competitors in the marketplace. But ultimately this is occurring because the product and the outcome are special; they're unique and they're effective. Our customers like what they're seeing, they like the routineness of it. Many of them, you know, again, like doing this themselves, being able to kind of pen test themselves, parts of their
networks, and the new use cases, right? I'm a large organization, I have eight to ten acquisitions per year; wouldn't it be great to have a tool to be able to perform a penetration test, both internal and external, of that acquisition before we integrate the two companies and maybe bring on some risk? It's a very effective partnership, one that really has kind of taken our engineers, our account executives by storm. You know, this is a partnership that's been very valuable to us.

A key part of the value and business model at Horizon 3 is enabling partners to leverage NodeZero to make more revenue for themselves. Our goal is that sixty percent of our revenue this year will be originated by partners and that 95 percent of our revenue next year will be originated by partners, and so a key to that strategy is making us an integral part of your business models as a partner. A key quote from one of our partners is that we enable every one of their business units to generate revenue. So let's talk about that in a little bit more detail. First is that if you have a pen test consulting business, take Deloitte as an example, what was six weeks of human labor at Deloitte per pen test has been cut down to four days of labor, using NodeZero to conduct reconnaissance, find all the juicy, interesting areas of the enterprise that are exploitable, and being able to go assess the entire organization, and then all of those details get served up to the human to be able to look at, understand, and determine where to probe deeper. So what you see in that pen test consulting business is that NodeZero becomes a force multiplier, where those consulting teams were able to cover way more accounts and way more IPs within those accounts with the same or fewer consultants, and so that directly leads to profit margin expansion for the pen testing business itself, because NodeZero is a force multiplier. The second business model here is if you're an MSSP. As an MSSP you're already making
money providing defensive cyber security operations for a large volume of customers. And so what they do is they'll license NodeZero and use us as an upsell to their MSSP business to start to deliver either continuous red teaming, continuous verification, or purple teaming as a service. And so in that particular business model, they've got an additional line of revenue where they can increase the spend of their existing customers by bolting on NodeZero as a purple team as a service offering. The third business model or customer type is if you're an IT services provider. So as an IT services provider, you make money installing and configuring security products like Splunk or CrowdStrike or Humio. You also make money reselling those products, and you also make money generating follow-on services to continue to harden your customer environments. And so what those IT service providers will do is use us to verify that they've installed Splunk correctly, and prove to their customer that Splunk was installed correctly, or CrowdStrike was installed correctly, using our results, and then use our results to drive follow-on services and revenue. And then finally we've got the value-added reseller, which is just a straight-up reseller. Because of how fast our sales cycles are, these VARs are able to typically go from cold email to deal close in six to eight weeks. At Horizon 3, at least, a single sales engineer is able to run 30 to 50 POCs concurrently, because our POCs are very lightweight and don't require any on-prem customization or heavy pre-sales, post-sales activity. So as a result, we're able to have a few amount of sellers driving a lot of revenue and volume for us. Well, the same thing applies to VARs. There isn't a lot of effort to sell the product or prove its value, so VARs are able to sell a lot more Horizon 3 NodeZero product without having to build up a huge specialist sales organization. So what I'm going to do is talk through, uh, scenario three here, as an IT service provider,
and just how powerful NodeZero can be in driving additional revenue. So in here, think of: for every one dollar of NodeZero license purchased by the IT service provider to do their business, it'll generate ten dollars of additional revenue for that partner. So in this example, Kidney Group uses NodeZero to verify that they have installed and deployed Splunk correctly. So Kidney Group is a Splunk partner. They sell IT services to install, configure, deploy and maintain Splunk, and as they deploy Splunk, they're going to use NodeZero to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment. So it's a way of doing QA, or verifying that Splunk has been configured correctly, and that's going to be internally used by Kidney Group to prove the quality of their services that they've just delivered. Then what they're going to do is they're going to show and leave behind that NodeZero report with their client, and that creates a resell opportunity for Kidney Group to resell NodeZero to their client, because their client is seeing the reports and the results and saying, "Wow, this is pretty amazing." And those reports can be co-branded, where it's a pen testing report branded with Kidney Group but it says "powered by Horizon 3" under it. From there, Kidney Group is able to take the fix actions report that's automatically generated with every pen test through NodeZero, and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that NodeZero identified: fixing LLMNR misconfigurations, fixing or patching VMware, or updating credentials policies, and so on. So what happens is NodeZero has found a bunch of problems the client often lacks the capacity to fix, and so Kidney Group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services. And finally, based on the findings from NodeZero, Kidney Group can look at that report
and say to the customer, "You know, customer, if you bought CrowdStrike, you'd be able to, uh, prevent NodeZero from attacking and succeeding in the way that it did, or if you bought Humio, or if you bought Palo Alto Networks, or if you bought, uh, some privileged access management solution, because of what NodeZero was able to do with credential harvesting and attacks." And so as a result, Kidney Group is able to resell other security products within their portfolio, CrowdStrike Falcon, Humio, Palo Alto Networks, Demisto, Phantom, and so on, based on the gaps that were identified by NodeZero and that pen test. And what that creates is another feedback loop, where Kidney Group will then go use NodeZero to verify that CrowdStrike product has actually been installed and configured correctly. And then this becomes the cycle of using NodeZero to verify a deployment, using that verification to drive a bunch of follow-on services and resell opportunities, which then further drives more usage of the product.

Now, the way that we license is that it's a usage-based licensing model, so that the partner will grow their NodeZero Consulting Plus license as they grow their business. So for example, if you're a Kidney Group, then week one, you're going to use NodeZero to verify your Splunk install. In week two, if you have a pen testing business, you're going to go off and use NodeZero to be a force multiplier for your pen testing, uh, client opportunity. And then if you have an MSSP business, then in week three you're going to use NodeZero to go execute a purple team MSSP offering for your clients. So not necessarily a Kidney Group, but if you're a Deloitte or ATT, these larger companies, and you've got multiple lines of business, if you're Optiv for instance, all you have to do is buy one Consulting Plus license and you're going to be able to run as many pen tests as you want sequentially. So now you can buy a single license and use that one license to meet your week one client commitments, and then
meet your week two, and then meet your week three. And as you grow your business, you start to run multiple pen tests concurrently. So in week one, you've got to do a Splunk verify, uh, verify Splunk install, and you've got to run a pen test, and you've got to do a purple team opportunity. You just simply expand the number of Consulting Plus licenses from one license to three licenses. And so now, as you systematically grow your business, you're able to grow your NodeZero capacity with you, giving you predictable COGS, predictable margins, and once again, 10x additional revenue opportunity for that investment in the NodeZero Consulting Plus license.

My name is Saint. I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your enterprise through the eyes of an attacker. The challenge I had when I was a CIO in banking, the CTO at Splunk, and serving within the Department of Defense is that I had no idea I was secure until the bad guys had showed up. Am I logging the right data? Am I fixing the right vulnerabilities? Are my security tools that I've paid millions of dollars for actually working together to defend me? And the answer is, I don't know. Does my team actually know how to respond to a breach in the middle of an incident? I don't know. I've got to wait for the bad guys to show up. And so the challenge I had was, how do we proactively verify our security posture? I tried a variety of techniques. The first was the use of vulnerability scanners, and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable. I might have a hundred thousand findings from my scanner, of which maybe five or ten can actually be exploited in my environment. The other big problem with scanners is that they can't chain weaknesses together from machine to machine. So if you've got a thousand machines in your environment or more, what a vulnerability scanner will do is tell you you have a problem on machine one and separately a
problem on machine two, but what they can tell you is that an attacker could use a low from machine one plus a low from machine two to equal a critical in your environment. And what attackers do in their tactics is they chain together misconfigurations, dangerous product defaults, harvested credentials, and exploitable vulnerabilities into attack paths across different machines. So to address the attack paths across different machines, I tried layering in consulting-based pen testing, and the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment, human-based pen testing simply doesn't scale to test an infrastructure of that size. Moreover, when they actually do execute a pen test and you get the report, oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem. And so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale. And then to mitigate that problem, I tried using breach and attack simulation tools, and the struggle with these tools is: one, I had to install credentialed agents everywhere; two, I had to write my own custom attack scripts that I didn't have much talent for, but also I had to maintain as my environment changed; and then three, these types of tools were not safe to run against production systems, which was the majority of my attack surface. So that's why we went off to start Horizon 3.
So Tony and I met when we were in Special Operations together, and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the power of a 20-year pen testing veteran into the hands of an IT admin, a network engineer, in just three clicks. And the whole idea is we enable these fixers, the blue team, to be able to run NodeZero, our pen testing product, to quickly find problems in their environment. That blue team will then go off and fix the issues that were found, and then they can quickly rerun the attack to verify that they fixed the problem. And the whole idea is delivering this without requiring custom scripts be developed, without requiring credential agents be installed, and without requiring the use of external third-party consulting services or professional services: self-service pen testing to quickly drive find, fix, verify.

There are three primary use cases that our customers use us for. The first is the SOC manager that uses us to verify that their security tools are actually effective, to verify that they're logging the right data in Splunk or in their SIEM, to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their SLAs, or that the SOC understands how to quickly detect and respond, and measuring and verifying that, or that the variety of tools that you have in your stack (most organizations have 130 plus cyber security tools, none of which are designed to work together) are actually working together. The second primary use case is proactively hardening and verifying your systems. This is when the IT admin, that network engineer, they're able to run self-service pen tests to verify that their Cisco environment is installed and hardened and configured correctly, or that their credential policies are set up right, or that their vCenter or WebSphere or Kubernetes environments are actually designed to be secure. And what this allows the IT
admins and network engineers to do is shift from running one or two pen tests a year to 30, 40 or more pen tests a month, and you can actually wire those pen tests into your DevOps process or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment. The third primary use case is for those organizations lucky enough to have their own internal red team. They'll use NodeZero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard, juicy stuff that gets them on stage at Defcon. And so these are the three primary use cases, and what we'll do is zoom into the find, fix, verify loop, because what I've found in my experience is find, fix, verify is the future operating model for cyber security organizations.

And what I mean here is, in the find, using continuous pen testing, what you want to enable is on-demand self-service pen tests. You want those pen tests to find attack paths at scale, spanning your on-prem infrastructure, your cloud infrastructure, and your perimeter, because attackers don't only stay in one place. They will find ways to chain together a perimeter breach, a credential from your on-prem to gain access to your cloud, or some other permutation. And then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore. They know we've built vulnerability management programs to reduce those vulnerabilities, so attackers have adapted, and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults, with exploitable vulnerabilities, and through the collection of credentials, through a mix of techniques at scale. Once you've found those problems, the next question is what do you do about it? Well, you want to be able to prioritize fixing problems that are actually exploitable in your environment, that
truly matter, meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data. The second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to. Where is your crown jewels data? Is it in the cloud? Is it on-prem? Has it been copied to a share drive that you weren't aware of? If a domain user was compromised, could they access that crown jewels data? You want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure. And then finally, as you fix these problems, you want to quickly remediate and retest that you've actually fixed the issue, and this find, fix, verify cycle becomes that accelerator that drives purple team culture. The third part here is verify, and what you want to be able to do in the verify step is verify that your security tools and processes and people can effectively detect and respond to a breach. You want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations. You also want to make sure that your environment is adhering to the best practices around systems hardening and cyber resilience. And finally, you want to be able to prove your security posture over time to your board, to your leadership, and to your regulators.

So what I'll do now is zoom into each of these three steps. So when we zoom in to find, here's the first example using NodeZero and autonomous pen testing. And what an attacker will do is find a way to break through the perimeter. In this example, it's very easy to misconfigure Kubernetes to allow an attacker to gain remote code execution into your on-prem Kubernetes environment and break through the perimeter. And from there, what the attacker is going to do is conduct network reconnaissance and then find ways to gain code execution on other machines in the environment, and as they get code execution, they start to
dump credentials, collect a bunch of NTLM hashes, crack those hashes using open source and dark web available data as part of those attacks, and then reuse those credentials to log in and laterally maneuver throughout the environment. And then as they laterally maneuver, they can reuse those credentials and use credential spraying techniques and so on to compromise your business email, to log in as admin into your cloud. And this is a very common attack, and rarely is a CVE actually needed to execute this attack. Often it's just a misconfiguration in Kubernetes with a bad credential policy or password policy, combined with bad practices of credential reuse across the organization.

Here's another example of an internal pen test, and this is from an actual customer. They had 5,000 hosts within their environment, they had EDR and UBA tools installed, and they initiated an internal pen test on a single machine. From that single initial access point, NodeZero enumerated the network, conducted reconnaissance, and found five thousand hosts were accessible. What NodeZero will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the cyber terrain map, and that cyber terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment. So what NodeZero will do is they'll try to find ways to get code execution, reuse credentials, and so on. In this customer example, they had Fortinet installed as their EDR, but NodeZero was still able to get code execution on a Windows machine. From there, it was able to successfully dump credentials, including sensitive credentials, from the LSASS process on the Windows box, and then reuse those credentials to log in as domain admin in the network. And once an attacker becomes domain admin, they have the keys to the kingdom. They can do anything they want. So what happened here? Well, it turns out Fortinet was misconfigured on three out of 5,000 machines. Bad automation. The customer had
no idea this had happened. They would have had to wait for an attacker to show up to realize that it was misconfigured. The second thing is, well, why didn't Fortinet stop the credential pivot in the lateral movement? And it turned out the customer didn't buy the right modules or turn on the right services within that particular product. And we see this not only with Fortinet, but we see this with Trend Micro and all the other defensive tools, where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping.

The next story I'll tell you is attackers don't have to hack in, they log in. So another infrastructure pen test: a typical technique attackers will take is man-in-the-middle, uh, attacks that will collect hashes. So in this case, what an attacker will do is leverage a tool or technique called Responder to collect NTLM hashes that are being passed around the network. And there's a variety of reasons why these hashes are passed around, and it's a pretty common misconfiguration. But as an attacker collects those hashes, then they start to apply techniques to crack those hashes. So they'll pass the hash, and from there they will use open source intelligence, common password structures and patterns, and other types of techniques to try to crack those hashes into clear text passwords. So here NodeZero automatically collected hashes, it automatically passed the hashes to crack those credentials, and then from there it starts to take the domain user, user ID, passwords that it's collected and tries to access different services and systems in your enterprise. In this case, NodeZero is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured. So now what happens is NodeZero has a placement and access in the business email system, which sets up the conditions for fraud, lateral phishing, and other techniques. But what's especially insightful here is that 80 percent of the hashes that were collected in this
pen test were cracked in 15 minutes or less. 80 percent. 26 percent of the user accounts had a password that followed a pretty obvious pattern: first initial, last initial, and four random digits. The other thing that was interesting is 10 percent of service accounts had their user ID the same as their password, so VMware admin, VMware admin, WebSphere admin, WebSphere admin, so on and so forth. And so attackers don't have to hack in, they just log in with credentials that they've collected.

The next story here is becoming AWS admin. So in this example, once again, internal pen test. NodeZero gets initial access, it discovers 2,000 hosts are network reachable from that environment, it fingerprints and organizes all of that data into a cyber terrain map. From there, it fingerprints that HP iLO, the integrated lights-out service, was running on a subset of hosts. HP iLO is a service that is often not instrumented or observed by security teams, nor is it easy to patch. As a result, attackers know this and immediately go after those types of services. So in this case, that iLO service was exploitable and we were able to get code execution on it. iLO stores all the user IDs and passwords in clear text in a particular set of processes, so once we gain code execution, we were able to dump all of the credentials and then from there laterally maneuver to log in to the Windows box next door as admin. And then on that admin box, we're able to gain access to the share drives, and we found a credentials file saved on a share drive. From there, it turned out that credentials file was the AWS admin credentials file, giving us full admin authority to their AWS accounts. Not a single security alert was triggered in this attack, because the customer wasn't observing the iLO service and every step thereafter was a valid login in the environment. And so what do you do? Step one, patch the server. Step two, delete the credentials file from the share drive. And then step three is get better instrumentation on privileged access users and
login.

The final story I'll tell is a typical pattern that we see across the board that combines the various techniques I've described together, where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company. From there, they're going to look up those employees on dark web breach databases and other forms of information, and then use that as a starting point to password spray to compromise a domain user. All it takes is one employee to reuse a breached password for their corporate email, or all it takes is a single employee to have a weak password that's easily guessable. All it takes is one. And once the attacker is able to gain domain user access, in most shops domain user is also the local admin on their laptop, and once you're local admin, you can dump SAM and get local admin NTLM hashes. You can use that to reuse credentials again, local admin on neighboring machines, and attackers will start to rinse and repeat. Then eventually they're able to get to a point where they can dump LSASS, or by unhooking the antivirus, defeating the EDR, or finding a misconfigured EDR, as we've talked about earlier, to compromise the domain. And what's consistent is that the fundamentals are broken at these shops. They have poor password policies. They don't have least access privilege implemented. Active Directory groups are too permissive, where domain admin or domain user is also the local admin. Uh, AV or EDR solutions are misconfigured or easily unhooked, and so on. And what we found in 10,000 pen tests is that user behavior analytics tools never caught us in that lateral movement, in part because those tools require pristine logging data in order to work, and also it becomes very difficult to find that baseline of normal usage versus abnormal usage of credential login. Another interesting insight is there were several marquee brand name MSSPs that were defending our customers' environment, and for them it took seven hours to detect and
respond to the pen test. Seven hours. The pen test was over in less than two hours. And so what you had was an egregious violation of the service level agreements that that MSSP had in place, and the customer was able to use us to get service credit and drive accountability of their SOC and of their provider. The third interesting thing is in one case it took us seven minutes to become domain admin in a bank. That bank had every Gucci security tool you could buy, yet in 7 minutes and 19 seconds NodeZero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin. If it's seven minutes today, we should assume it'll be less than a minute a year or two from now, making it very difficult for humans to be able to detect and respond to that type of blitzkrieg attack.

So that's in the find. It's not just about finding problems, though. The bulk of the effort should be what to do about it: the fix and the verify. So as you find those problems, back to Kubernetes as an example, we will show you the path: here is the kill chain we took to compromise that environment. We'll show you the impact: here is the impact, or here's the proof of exploitation that we were able to use to be able to compromise it, and there's the actual command that we executed, so you could copy and paste that command and compromise that kubelet yourself if you want. And then the impact is we got code execution, and we'll actually show you: here is the impact, this is a critical, here's why, it enabled perimeter breach. Affected applications will tell you the specific IPs where you've got the problem, how it maps to the MITRE ATT&CK framework, and then we'll tell you exactly how to fix it. We'll also show you what this problem enabled, so you can accurately prioritize why this is important or why it's not important. The next part is accurate prioritization. The hardest part of my job as a CIO was deciding what not
to fix. So if you take SMB signing not required as an example, by default that CVSS score is a one out of 10. But this misconfiguration, it's not a CVE, it's a misconfig, enabled an attacker to gain access to 19 credentials, including one domain admin, two local admins, and access to a ton of data. Because of that context, this is really a 10 out of 10. You better fix this as soon as possible. However, of the seven occurrences that we found, it's only a critical in three out of the seven, and these are the three specific machines, and we'll tell you the exact way to fix it, and you better fix these as soon as possible. For these four machines over here, these didn't allow us to do anything of consequence. So because the hardest part is deciding what not to fix, you can justifiably choose not to fix these four issues right now and just add them to your backlog, and surge your team to fix these three as quickly as possible. And then once you fix these three, you don't have to re-run the entire pen test. You can select these three and then one-click verify and run a very narrowly scoped pen test that is only testing this specific issue. And what that creates is a much faster cycle of finding and fixing problems.

The other part of fixing is verifying that you don't have sensitive data at risk. So once we become a domain user, we're able to use those domain user credentials and try to gain access to databases, file shares, S3 buckets, git repos, and so on, and help you understand what sensitive data you have at risk. So in this example, a green checkbox means we logged in as a valid domain user. We're able to get read-write access on the database. This is how many records we could have accessed. And we don't actually look at the values in the database, but we'll show you the schema so you can quickly characterize that PII data was at risk here, and we'll do that for your file shares and other sources of data. So now you can accurately articulate the data you have at risk and prioritize cleaning that data up,
especially data that will lead to a fine or a big news issue.

So that's the find, that's the fix. Now we're going to talk about the verify. The key part in verify is embracing and integrating with detection engineering practices. So when you think about your layers of security tools, you've got lots of tools in place, on average 130 tools at any given customer, but these tools were not designed to work together. So when you run a pen test, what you want to do is say: did you detect us, did you log us, did you alert on us, did you stop us? And from there, what you want to see is, okay, what are the techniques that are commonly used to defeat an environment, to actually compromise? If you look at the top 10 techniques we use, and there's far more than just these 10, but these are the most often executed, nine out of ten have nothing to do with CVEs. It has to do with misconfigurations, dangerous product defaults, bad credential policies, and it's how we chain those together to become a domain admin or compromise a host. So what customers will do is, every single attacker command we executed is provided to you as an attack activity log, so you can actually see every single attacker command we ran, the time stamp it was executed, the hosts it executed on, and how it maps to the MITRE ATT&CK tactics. So what our customers will have are these attacker logs on one screen, and then they'll go look into Splunk or Exabeam or SentinelOne or CrowdStrike and say, did you detect us, did you log us, did you alert on us or not? And to make that even easier, if you take this example: hey Splunk, what logs did you see at this time on the VMware host? Because that's when NodeZero is able to dump credentials, and that allows you to identify and fix your logging blind spots. To make that easier, we've got app integration. So this is an actual Splunk app in the Splunk App Store, and what you can do is, inside the Splunk console itself, you can fire up the Horizon 3 NodeZero app. All of the pen test results are here, so that you can see all of
the results in one place and you don't have to jump out of the tool. And what it'll show you, as I skip forward, is: hey, there's a pen test, here are the critical issues that we've identified. For that weaker default issue, here are the exact commands we executed, and then we will automatically query into Splunk all terms between these times on that endpoint that relate to this attack. So you can now quickly, within the Splunk environment itself, figure out that you're missing logs or that you're appropriately catching this issue, and that becomes incredibly important in that detection engineering cycle that I mentioned earlier.

So how do our customers end up using us? They shift from running one pen test a year to 30, 40 pen tests a month, oftentimes wiring us into their deployment automation to automatically run pen tests. The other part that they'll do is, as they run more pen tests, they find more issues, but eventually they hit this inflection point where they're able to rapidly clean up their environment. And that inflection point is because the red and the blue teams start working together in a purple team culture, and now they're working together to proactively harden their environment. The other thing our customers will do is run us from different perspectives. They'll first start running an RFC 1918 scope to see, once the attacker gained initial access in a part of the network that had wide access, what could they do? And then from there, they'll run us within a specific network segment: okay, from within that segment, could the attacker break out and gain access to another segment? Then they'll run us from their work-from-home environment: could they traverse the VPN and do something damaging, and once they're in, could they traverse the VPN and get into my cloud? Then they'll break in from the outside. All of these perspectives are available to you in Horizon 3 and NodeZero as a single SKU, and you can run as many pen tests as you want. If you run a phishing campaign and find that
an intern in the finance department had the worst phishing behavior, you can then inject their credentials and actually show the end-to-end story of how an attacker phished, gained credentials of an intern, and use that to gain access to sensitive financial data. So what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time.

I'll leave you two things. One is, what is the AI in Horizon 3 AI? Those knowledge graphs are the heart and soul of everything that we do, and we use machine learning reinforcement techniques, reinforcement learning techniques, Markov decision models, and so on to be able to efficiently maneuver and analyze the paths in those really large graphs. We also use context-based scoring to prioritize weaknesses, and we're also able to drive collective intelligence across all of the operations, so the more pen tests we run, the smarter we get, and all of that is based on our knowledge graph analytics infrastructure that we have. Finally, I'll leave you with this: this was my decision criteria when I was a buyer for my security testing strategy. What I cared about was coverage. I wanted to be able to assess my on-prem, cloud, perimeter, and work from home, and be safe to run in production. I want to be able to do that as often as I wanted. I want to be able to run pen tests in hours or days, not weeks or months, so I could accelerate that find, fix, verify loop. I wanted my IT admins and network engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience, and not have to install agent and not have to write custom scripts. And finally, I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks. I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted, so I could look at my trends and directions over time. So I hope you found this talk valuable. Uh, we're easy to find,
and I look forward to seeing you use a product and letting our results do the talking. When you look at, uh, you know, kind of the way no our pen testing algorithms work is we dynamically select, uh, how to compromise an environment based on what we've discovered, and the goal is to become a domain admin, compromise a host, compromise domain users, find ways to encrypt data, steal sensitive data and so on. But when you look at the top 10 techniques that we ended up, uh, using to compromise environments, the first nine have nothing to do with CVEs, and that's the reality. CVEs are, yes, a vector, but less than two percent of CVEs are actually used in a compromise. Oftentimes it's some sort of credential collection, credential cracking, uh, credential pivoting, and using that to become an admin and then, uh, compromising environments from that point on. So I'll leave this up for you to kind of read through, and you'll have the slides available for you, but I found it very insightful that organizations, and ourselves when I was at GE included, invested heavily in just standard vulnerability management programs. When I was at DOD, that's all DISA cared about asking us about was our, kind of, our CVE posture. But the attackers have adapted to not rely on CVEs to get in, because they know that organizations are actively looking at and patching those CVEs, and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment. A concrete example is, by default, vCenter backups are not encrypted, and so if an attacker finds vCenter, what they'll do is find the backup location, and there are specific vCenter MTD files where the admin credentials are parsippled in the binaries, so you can actually, as an attacker, find the right MTD file, parse out the binary, and now you've got the admin credentials for the vCenter environment and now start to log in as admin. There's a bad habit by signal officers and signal
practitioners in the Army and elsewhere where the VM notes section of a virtual image has the password for the VM. Well, those VM notes are not stored encrypted, and attackers know this, and they're able to go off and find the VMs that are unencrypted, find the note section, and pull out the passwords for those images and then reuse those credentials across the board. So I'll pause here and, uh, you know, Patrick, love to get some commentary on these techniques and other things that you've seen, and what we'll do in the last, say, 10 to 15 minutes is roll through a little bit more on what do you do about it. Yeah, yeah, no, I love it. I think, um, I think this is pretty exhaustive. What I like about what you've done here is, uh, you know, we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last, um, for the last three years, and it's often we kind of, in the zeitgeist, we pegged that on ransomware, which of course is, like, incredibly important and very top of mind. Um, but what I like about what you have here is, you know, we're reminding the audience that the attack surface area, the vectors that matter, um, you know, has to be more comprehensive than just thinking about ransomware scenarios. Yeah, right on. Um, so let's build on this. When you think about your defense in depth, you've got multiple security controls that you've purchased and integrated, and you've got that redundancy if a control fails, but the reality is that these security tools aren't designed to work together. So when you run a pen test, what you want to ask yourself is: did you detect NodeZero, did you log NodeZero, did you alert on NodeZero, and did you stop NodeZero? And when you think about how to do that, every single attacker command executed by NodeZero is available in an attacker log, so you can now see, you know, at the bottom here, vCenter, um, exploit at that time on that IP, how it aligns to MITRE ATT&CK. What you want to be
able to do is go figure out did your security tools catch this or not, and that becomes very important in using the attacker's perspective to improve your defensive security controls. And so the way we've tried to make this easier, back to, like, my, the, you know, I bleed green in many ways still from my Splunk background, is you want to be able to, and what our customers do is, hey, we'll look at the attacker logs on one screen and they'll look at what did Splunk see or miss in another screen, and then they'll use that to figure out what their logging blind spots are. And where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunkbase, and you'll get all of the pen test results right there in the Splunk console, and from that Splunk console you're gonna be able to see: these are all the pen tests that were run, these are the issues that were found, um, so you can look at that particular pen test, here are all of the weaknesses that were identified for that particular pen test and how they categorize out. For each of those weaknesses, you can click on any one of them that are critical in this case, and then we'll tell you for that weakness, and this is where the punch line comes in, so I'll pause the video here, for that weakness, these are the commands that were executed on these endpoints at this time, and then we'll actually query Splunk for that, um, for that IP address or containing that IP, and these are the source types that surface any sort of activity. So what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective. So as this video kind of plays through, you can see it. Patrick, I'd love to get your thoughts, um, just seeing so many Splunk deployments and the effectiveness of those deployments, and how this is going to help really elevate the effectiveness of all of your
Splunk customers. Yeah, I'm super excited about this. I mean, I think these kinds of purpose-built integration snail really move the needle for our customers. I mean, at the end of the day, when I think about the power of Splunk, I think about a product I was first introduced to 12 years ago that was an on-prem piece of software, you know, and at the time it sold on sort of perpetual and term licenses, but what made it special was that it could eat data at a speed that nothing else that I'd have ever seen. You can ingest massively scalable amounts of data, uh, did cool things like schema on read, which facilitated that. There was this language called SPL that you could nerd out about, uh, and you went to a conference once a year and you talked about all the cool things you were splunking, right? But now, as we think about the next phase of our growth, um, we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding, and as you look at the role of the CISO, it's mind-blowing to me the amount of sources, services, apps that are coming into the CISO span of, let's just call it a span of influence, in the last three years. Uh, you know, we're seeing things like infrastructure service level visibility, application performance monitoring, stuff that just never made sense for the security team to have visibility into, um, at least not at the size and scale which we're demanding today. Um, and that's different, and this is why it's so important that we have these joint purpose-built integrations that, um, really provide more prescription to our customers about how do they walk on that journey towards maturity: what does zero to one look like, what does one to two look like. Whereas, you know, 10 years ago customers were happy with platforms, today they want integration, they want solutions, and they want to drive outcomes, and I think this is a great example of how together we are stepping to the
evolving nature of the market and also the ever-evolving nature of the threat landscape and, what I would say is, the maturing needs of the customer in that environment. Yeah, for sure. I think especially if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere, while the security budgets are not going to ever, I don't think they're going to get cut, they're not going to grow as fast, and there's a lot more pressure on organizations to extract more value from their existing investments as well as extracting more value and more impact from their existing teams. And so security effectiveness, fierce prioritization and automation, I think, become the three key themes of security, uh, over the next 18 months. So what I'll do very quickly is run through a few other use cases. Um, every host that we identified in the pen test, we're able to score and say: this host allowed us to do something significant, therefore it's really critical, you should be increasing your logging here; hey, these hosts down here, we couldn't really do anything as an attacker, so if you do have to make trade-offs, you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end. So you've got that level of, um, justification for where to increase or adjust your logging resolution. Another example is every host we've discovered as an attacker we expose and you can export, and what we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint. A big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were rogue Raspberry Pis on the network, or if a new box was installed and whether Splunk was installed on it or not. So now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from. Uh, finally, or second to last use case here on the Splunk integration side, is for every single problem we've found, we give
multiple options for how to fix it. This becomes a great way to prioritize what fix actions to automate in your SOAR platform, and what we want to get to eventually is being able to automatically trigger SOAR actions to fix well-known problems, like automatically invalidating passwords for poor passwords in our credentials, amongst a whole bunch of other things we could go off and do. And then finally, if there is a well-known kill chain or attack path, one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise. And now you've got a great starting point for glass tables and IOCs for actual kill chains that we know are exploitable in your environment, and that becomes some super cool integrations that we've got on the roadmap between us and the Splunk security side of the house. So what I'll leave with, actually, Patrick, before I do that, you know, um, love to get your comments, and then I'll kind of leave with one last slide on this wartime security mindset, uh, pending, you know, assuming there's no other questions. No, I love it. I mean, I think this kind of, um, it's kind of glass tables approach to how do you sort of visualize these workflows and then use things like SOAR and orchestration and automation to operationalize them is exactly where we see all of our customers going, and getting away from, I think, an over-engineered approach to SOAR where it has to be super technical heavy with, you know, Python programmers, and getting more to this visual view of workflow creation, um, that really demystifies the power of automation and also democratizes it, so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation, policy enforcement, and ultimately driving automation
coverage across more and more of the workflows that your team is seeing. Yeah, I think that between us being able to visualize the actual kill chain or attack path with, you know, think of the SOAR market, I think, going towards this no-code, low-code, um, you know, configurable SOAR versus coded SOAR, that's going to really be a game changer in improve or giving security teams a force multiplier. So what I'll leave you with is, this peacetime mindset of security no longer is sustainable. We really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are working or not. And the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past, uh, nine months due to the Ukrainian war there. You should expect every one of them to be punished by the Russians for leaving, and punished from a cyber standpoint. And this is no longer about financial extortion, that is ransomware; this is about punishing and destroying companies, and you can punish any one of these companies by going after them directly or by going after their suppliers and their distributors. So suddenly your attack surface is no longer just your own enterprise, it's how you bring your goods to market and it's how you get your goods created, because while I may not be able to disrupt your ability to harvest fruit, if I can get those trucks stuck at the border, I can increase spoilage and have the same effect. And what we should expect to see is this idea of cyber-enabled economic warfare, where if we issue a sanction like banning the Russians from traveling, there is a cyber-enabled counter punch, which is corrupt and destroy the American Airlines database. That is below the threshold of war, that's not going to trigger the 82nd Airborne to be mobilized, but it's going to achieve the right effect. Ban the sale of luxury goods, disrupt the supply chain and create shortages. Ban Russian oil
and gas, attack refineries to cause a 10x spike in gas prices three days before the election. This is the future, and therefore I think what we have to do is shift towards a wartime mindset, which is: don't trust your security posture, verify it; see yourself through the eyes of the attacker; build that incident response muscle memory; and drive better collaboration between the red and the blue teams, your suppliers and distributors, and your information, uh, sharing organization they have in place. And what's really valuable for me as a Splunk customer was when a router crashes, at that moment you don't know if it's due to an IT administration problem or an attacker, and what you want to have are different people asking different questions of the same data, and you want to have that integrated triage process of an IT lens to that problem, a security lens to that problem, and then from there figuring out is this an IT workflow to execute or a security incident to execute, and you want to have all of that as an integrated team, integrated process, integrated technology stack. And this is something that I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board. So Patrick, I'll leave you with the last word, the final three minutes here, and I don't see any open questions, so please take us home. Oh man, see how you think we spent hours and hours prepping for this together. That last, uh, 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now, uh, and I think NIST has done some really interesting work here around building cyber resilient organizations that has really, I think, helped the industry see that, um, incidents can come from adverse conditions, you know, stress is, uh, performance taxations in the infrastructure, service or app layer, and they can come from malicious compromises, uh, insider threats, external threat actors. And the more that we look
at this from the perspective of a broader cyber resilience mission, uh, in a wartime mindset, uh, I think we're going to be much better off. And will you talk about with operationally minded ISACs, information sharing, intelligence sharing becomes so important in these wartime, uh, um, situations, and, you know, we know not all ISACs are created equal, but we're also seeing a lot of, um, more ad hoc information sharing groups popping up. So look, I think you framed it really, really well. I love the concept of wartime mindset, and, um, I like the idea of applying a cyber resilience lens, like if you have one more layer on top of that bottom right cake, you know, I think the IT lens and the security lens, they roll up to this concept of cyber resilience, and I think NIST has done some great work there for us. Yeah, you're spot on, and that is app and that's gonna, I think, be the next, um, terrain that, uh, that you're gonna see vendors try to get after, but that I think Splunk is best positioned to win. Okay, that's a wrap for this special CUBE presentation. You heard all about the global expansion of Horizon3.ai's partner program; for their partners have a unique opportunity to take advantage of their NodeZero product, uh, international go-to-market expansion, North America channel partnerships, and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in. And hope you enjoyed this program. All the videos are available on thecube.net, as well as check out Horizon3.ai for their pen test automation and ultimately their defense system that they use for testing always the environment that you're in. Great innovative product, and I hope you enjoyed the program. Again, I'm John Furrier, host of theCUBE. Thanks for watching.

Published Date : Sep 28 2022

Breaking Analysis: UiPath is a Rocket Ship Resetting its Course


 

>> From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> Like a marathon runner pumped up on adrenaline, UiPath sprinted to the lead in what is surely going to be a long journey toward enabling the modern automated enterprise. Now, in doing so the company has established itself as a leader in enterprise automation while at the same time, it got out over its skis on critical execution items and it disappointed investors along the way. In our view, the company has plenty of upside potential, but will have to slog through its current challenges, including restructuring its go-to market, prioritizing investments, balancing growth with profitability and dealing with a very difficult macro environment. Hello and welcome to this week's Wikibon Cube insights powered by ETR. In this Breaking Analysis and ahead of Forward 5, UiPath's big customer event, we once again dig into RPA and automation leader, UiPath, to share our most current data and view of the company's prospects relative to the competition and the market overall. Now, since the pandemic, four sectors have consistently outperformed in the overall spending landscape in the ETR dataset, cloud, containers, machine learning/AI, and robotic process automation. For the first time in a long time ML and AI and RPA have dropped below the elevated 40% line shown in this ETR graph with the red dotted line. The data here plots the net score or spending momentum for each sector with we put in video conferencing, we added it in simply to provide height to the vertical axis. Now, you see those squiggly lines, they show the pattern for ML/AI and RPA, and they demonstrate the downward trajectory over time with only the most current period dropping below the 40% net score mark. 
While this is not surprising, it underscores one component of the macro headwinds facing all companies generally and UiPath specifically, that is the discretionary nature of certain technology investments. This has been a topic of conversation on theCUBE since the spring spanning data players like Mongo and Snowflake, the cloud, security, and other sectors. The point is ML/AI and RPA appear to be more discretionary than certain sectors, including cloud. Containers most likely benefit from the fact that much of the activity is spending on internal resources, staff like developers as much of the action in containers is free and open source. Now, security is not shown on this graphic, but as we've reported extensively in the last week at CrowdStrike's Falcon conference, security is somewhat less discretionary than other sectors. Now, as it relates to the big four that we've been highlighting since the pandemic hit, we're starting to see priorities shift from strategic investments like AI and automation to more tactical areas to keep the lights on. UiPath has not been immune to this downward pressure, but the company is still able to show some impressive metrics. Here's a snapshot chart from its investor deck. For the first time UiPath's ARR has surpassed $1 billion. The company now has more than 10,000 customers with a large number generating more than $100,000 in ARR. While not shown in this data, UiPath reported this month in its second quarter close that it had $191 million plus ARR customers, which is up 13% sequentially from its Q1. As well, the company's NRR is over 130%, which is very solid and underscores the low churn that we've previously reported for the company. But with that increased ARR comes slower growth. Here's some data we compiled that shows the dramatic growth in ARR, the blue bars, compared with the rapid deceleration and growth. That's the orange line on the right-hand axis there. 
For the first time UiPath's ARR growth dipped below 50% last quarter. Now, we've projected 34% and 25% respectively for the company's Q3 in Q4, which is slightly higher than the upper range of UiPath's CFO, Ashim Gupta's guidance from the last earnings call. That still puts UiPath exiting its fiscal year at a 25% ARR growth rate. While it's not unexpected that a company reaching $1 billion in ARR, that milestone, will begin to show lower, slower growth, net new ARR is well off its fiscal year '22 levels. The other perhaps more concerning factor is the company, despite strong 80% gross margins, remains unprofitable and free cash flow negative. New CEO, Rob Enslin, has emphasized the focus on profitability, and we'd like to see a consistent and more disciplined Rule of 40 or Rule of 45 to 50 type of performance going forward. As a result of this decelerating growth and lowered guidance stemming from significant macro challenges including currency fluctuations and weaker demand, especially in Europe and EP and inconsistent performance, the stock, as shown here, has been on a steady decline. What all growth stocks are facing, you know, challenges relative to inflation, rising interest rates, and looming recession, but as seen here, UiPath has significantly underperformed relative to the tech-heavy NASDAQ. UiPath has admitted to execution challenges, and it has brought in an expanded management team to facilitate its sales transition and desire to become a more strategic platform play versus a tactical point product. Now, adding to this challenge of foreign exchange issues, as we've previously reported unlike most high flying tech companies from Silicon Valley, UiPath has a much larger proportion of its business coming from locations outside of the United States, around 50% of its revenue, in fact. Because it prices in local currencies, when you convert back to appreciated dollars, there are less of them, and that weighs down on revenue. 
Now, we asked Breaking Analysis contributor, Chip Simonton, for his take on this stock, and he told us, "From a technical standpoint, there's really not much you can say, it just looks like a falling knife. It's trading at an all time low but that doesn't mean it can't go lower. New management with a good product is always a positive with a stock like this, but this is just a bad environment for UiPath and all growth stocks really, and," he added, "95% of money managers have never operated in this type of environment before. So that creates more uncertainty. There will be a bottom, but picking it in this high-inflation, high-interest rate world hasn't worked too well lately. There's really no floor to these stocks that don't have earnings, until you start to trade to cash levels." Well, okay, let's see, UiPath has $1.6 billion in cash in the balance sheet and no debt, so we're a long ways off from that target, the cash value with its current $7 billion valuation. You have to go back to April 2019 to UiPath's Series D to find a $7 billion valuation. So Simonton says, "The stock still could go lower." The valuation range for this stock has been quite remarkable from around $50 billion last May to $7 billion today. That's quite a swing. And the spending data from ETR sort of supports this story. This graphic here shows the net score or spending momentum granularity for UiPath. The lime green is new additions to the platform. The forest green is spending 6% or more. The gray is flat spending. The pink is spending down 6% or worse. And the bright red is churn. Subtract the red from the green and you get net score, which is that blue line. The yellow line is pervasiveness within the data set. Now, that yellow line is skewed somewhat because of Microsoft citations. 
There's a belief from some that competition from Microsoft is the reason for UiPath's troubles, but Microsoft is really delivering RPA for individuals and isn't an enterprise automation platform at least not today, but it's Microsoft, so you can't discount their presence in the market. And it probably is having some impact, but we think there are many other factors weighing on UiPath. Now, this is data through the July survey but taking a glimpse at the early October returns they're trending with the arrows, meaning less green more gray and red, which is going to lower UiPath's overall net score, which is consistent with the macro headwinds and the business performance that it's been seeing. Now, nonetheless, UiPath continues to get high marks from its customers, and relative to its peers it maintains a leadership position. So this chart from ETR, shows net score or spending velocity in the vertical axis, an overlap or presence in the dataset on the horizontal axis. Microsoft continues to have a big presence, and as we mentioned, somewhat skews the data. UiPath has maintained its lead relative to Automation Anywhere on the horizontal axis, and remains ahead of the legacy pack of business process and other RPA vendors. Celonis has popped up in the ETR data set recently as a process mining player and has a pretty high net score. It's a critical space UiPath has entered, via its acquisition of ProcessGold back in October 2019. Now, you can also see what we did is we added in the Gartner Magic Quadrant for robotic process automation. We didn't blow it up here but we circled the position of UiPath. You can see it's leading in both the vertical and the horizontal axis, ahead of Automation Anywhere as well as Microsoft and others. 
Now, we're still not seeing the likes of SAP, ServiceNow, and Salesforce showing up in the ETR data, but these enterprise software vendors are in a reasonable position to capitalize on automation opportunities within their installed bases. This is why it's so important that UiPath transitions to an enterprise-wide horizontal play that can cut across multiple ERP, CRM, HCM, and service management platforms. While the big software companies can add automation to their respective stovepipes, and they're doing that, UiPath's opportunity is to bring automation to enable enterprises to build on top of and across these SaaS platforms that most companies are running. Now, on the chart, you see the red arrows slanting down. That signifies the expected trend from the upcoming October ETR survey, which is currently in the field and will run through early next month. Suffice it to say that there is downward spending pressure across the board, and we would expect most of these names, including UiPath, to dip below the 40% dotted line. Now, as it relates to the conversation about platform versus product, let's dig into that a bit more. Here's a graphic from UiPath's investor deck that underscores the move from product to platform. UiPath has expanded its platform from its initial on-prem point product to focus on automating tasks for individuals and back offices to a cloud-first platform approach. The company has added in technology from a number of acquisitions and added organically to those. These include, the previously mentioned, ProcessGold for process discovery, process documentation from the acquisition of StepShot, API automation via the acquisition of Cloud Elements, to its more recent acquisition of Re:infer, a natural language processing specialist. Now, we expect the platform to be a big focus of discussion at Forward 5 next week in Las Vegas. So let's close in on our expectations for the three-day event next week at the Venetian. 
UiPath's user conference has grown over the years and the Venetian should by far be the biggest and most heavily attended in the company's history. We expect UiPath to really emphasize the role of automation, specifically in the context of digital transformation, and how UiPath has evolved, again, from point product to platform to support digital transformation. Expect to focus on platform maturity. When UiPath announced its platform intentions back in 2019, which was the last physical face-to-face customer event prior to COVID, it essentially was laying out a statement of direction. And over the past three years, it has matured the platform and taken it from vision to reality. You know, I said the last event, actually, the last event was 2021. Of course, theCUBE was there at the Bellagio in Las Vegas. But prior to that, 2019 is when they laid out that platform vision. Now, in conjunction with this evolution, the company has evolved its partnerships, pairing up with the likes of Snowflake and the data cloud, CrowdStrike, to provide better security, and, of course, the big Global System Integrators, to help implement enterprise automation. And this is where we expect to hear a lot from customers. I've heard, there'll be over 100 speaking at the show about the outcomes and how they're digitally transforming. Now, I mentioned earlier that we haven't seen the big ERP and enterprise software companies show up yet in the ETR data, but believe me they're out there and they're selling automation and RPA and they're competing. So expect UiPath to position themselves and deposition those companies. Position UiPath as a layer above these bespoke platforms shown here on number four. With process discovery and task discovery, building automation across enterprise apps, and operationalizing process workflows as a horizontal play. And I'm sure there'll be some new graphics on this platform that we can share after the event that will emphasize this positioning. 
And finally, as we showed earlier in the platform discussion, we expect to hear a lot about the new platform capabilities and use cases, and not just RPA, but process mining, testing, testing automation, which is a new vector of growth for UiPath, document processing. And also, we expect UiPath to address its low code development capabilities to expand the number of people in the organization that can create automation capabilities and automations. Those domain experts is what we're talking about here that deeply understand the business but aren't software engineers. Enabling them is going to be really important, and we expect to hear more about that. And we expect this conference to set the tone for a new chapter in UiPath's history. The company's second in-person gathering, but the first one was last October. So really this is going to be sort of a build upon that, and many in-person events. For the first time this year, UiPath was one of the first to bring back its physical event, but we expect it to be bigger than what was at the Bellagio, and a lot of people were concerned about traveling. Although UiPath got a lot of customers there, but I think they're going to really up the game in terms of attendance this year. And really, that comparison is unfair because UiPath, again, it was sort of the middle of COVID last year. But anyway, we expect this new operations and go-to-market oriented focus from co-CEO, Rob Enslin, and new sales management, we're going to be, you know, hearing from them. And the so-called adult supervision has really been lacking at UiPath, historically. Daniel Dines will no doubt continue to have a big presence at the event and at the company. He's not a figurehead by any means. He's got a deep understanding of the product and the market and we'll be interviewing both Daniel and Rob Enslin on theCUBE to find out how they see the future. So tune in next week, or if you're in Las Vegas, definitely stop by theCUBE. 
If you're not go to thecube.net, you'll be able to watch all of our coverage. Okay, we're going to leave it there today. I want to thank Chip Simonton again for his input to today's episode. Thanks to Alex Morrison who's on production and manages our podcasts. Ken Schiffman, as well, from our Boston office, our Boston studio. Kristen Martin, and Cheryl Knight, they helped get the word out on social media and in our newsletters. And Rob Hof is our editor in chief over at SiliconANGLE that does some great editing. Thanks all. Remember, these episodes are all available as podcasts wherever you listen. All you got to do is search Breaking Analysis Podcasts. I publish each week on wikibon.com and siliconangle.com, and you could email me at david.vellante@siliconangle.com or DM me @dvellante. If you got anything interesting, I'll respond. If not, please keep trying, or comment on my LinkedIn post and please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE insights powered by ETR. Thanks for watching, and we'll see you next time on Breaking Analysis. (gentle techno music)

Published Date : Sep 25 2022


Geoff Swaine, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>We're back with theCUBE at Fal.Con 2022, Dave Vellante and Dave Nicholson. We're at the Aria. We do of course, a lot of events in Las Vegas. It's the, it's the place to do events. Dave, I think is my sixth or seventh time here this year. At least. I don't know. I lose track. Geoff Swaine is here. He's the vice president of global programs, store and tech alliances at CrowdStrike. Geoff. Good to see you again. We saw each other at reinvent in July in Boston. >>Yes. Yeah, it was great to see you again, Dave, thank >>Very much. And we talked about making this happen so thrilled to be here at, at, at CrowdStrike Fal.Con. We're gonna talk today about the CrowdStrike XDR Alliance partners. First of all, what's XDR? >>Well, I hope you were paying attention to George's George's keynote this morning. I guess. You know, the one thing we know is that if you ask 10, five people, what XDR is you'll get 10 answers. >>I like this answer a holistic approach to endpoint security. I, that was, >>It was good. Simple. >>That was a good one at Black Hat. So, but tell us about the XDR Alliance partners program. Give us the update there. >>Yeah, so I mean, we spoke about it at re:Inforce, you know, the XDR program is really predicated on having a robust ecosystem of partners to help us share that telemetry across all of the different parts of our customers' environment. So we've done a lot of work over the last few weeks and trying to bolster that environment specifically, putting a lot of focus on firewall. You'll see that Cisco and Fortinet have both joined the XD XDR Alliance. So we're working on that right now. A lot of customer demand for firewall data into the telemetry set. You know, obviously it's a very rich data environment. There's a lot of logs on firewalls. And so it drives a lot of, of, of information that we can, we can leverage. So we're continuing to grow that. And what we're doing is building out different content packs that support different use cases. 
So firewall is one, CASB is another, email's another and we're building, building out the, the partner set right across the board. So it's, it's, it's been a, a great set of >>Activity. So it's it's partners that have data. Yep. There's probably some, you know, Joe Tucci, your old boss, used to say that that overlap is better than gaps. So there's sometimes there's competition, but that's from a customer standpoint, overlap is, is better than gaps. So as gonna mention Cisco, Fortinet and there are a number of others, they've got data. Yes. And they're gonna pump it into your system, our platform, and you've got the, your platform. You've got the ability to ingest. You've got the cloud native architecture, you've got the analytics and you've got the near real time analysis capability. Right, right. >>Augmented by people as well, which is a really important part of our value proposition. You know, we, it's not just relying purely on AI, but we have a human, a human aspect to it as well to make sure we're getting extremely accurate responses. And then there's the final phase is the response phase. So being able to take action on a CASB, for example, when we have a known bad actor operating in the cloud is a really important, easy action for our customer to take. That's highly valuable. You're >>Talking about your threat hunting capability, right? >>So it's threat hunting and our intel capability as well. We use all of that information as well as the telemetry to make sure we're making good, actionable >>Decisions, intel being machine intelligence or, or human and machine >>Human and human and machine intelligence that we have. We have a whole business that's out there gathering intel. I believe you think to Adam Meyers who runs that business. And you know, that intel is critical to making good decisions for our customers. >>So the X in XDR is extended, correct. Extending to things like firewalls. That's pretty obvious in the security space. 
Are there some less obvious data sources that you look to extend to at some point? >>Yeah, I think we're gonna continually go with where the customer demand is. And firewalls is one of the first and is very significant. Other one, you'll see that we're announcing support for Microsoft 365 as well as part of this, this announcement, but then we'll still grow out into the other areas. NDR is, you know, a specific area where we've already got a number of partners in that, in that space. And, and we'll grow that as we go. I think one of the really exciting additional elements is the, the OCSF announcement that we made at at, at, at, at re:Inforce, which also is a shared data scheme across a number of vendors as well. So talking to Mike's point, Mike Sentonas's point this morning in his keynote, it's really about the industry getting together to do better job for our customers. And XDR is the platform to do that. And CrowdStrike's way of doing it is the only really true, visible way for a customer to get their hands on all that information, make the decision, see the good from the bad and take the action. So I feel like we're really well placed to help our customers in >>That space. Well, Kevin Mandia referenced this too today, basically saying the industry's doing a better job of collaborations. I mean, sometimes I'm skeptical because we've certainly seen people try to, you know, commercialize private information, private reports. Yeah. But, but, but you're talking about, you know, some of your quasi competitors cooperatives, you know, actually partnering with you now. So that's a, that's a good indicator. Yeah. I want to step back a little bit, talk about the macro, the big conversation on Wall Street. Everybody wants to talk about the macro of course, for obvious reasons, we just published our Breaking Analysis, talking about you guys potentially being a generational company and sort of digging into that a little bit. 
We've seen, you know, cyber investments hold up a little bit better, both in terms of customer spending and of course the stock market better than tech broadly. Yeah. So in that case it would, it would suggest that cyber investments are somewhat non-discretionary. So, but that is my question are cyber investments non-discretionary if, if so, how, >>You know, I think George George calls that out directly in our analyst reports as well that, you know, we believe that cyber is a non-discretionary spend, but I, I actually think it's more than that. I think in this current macro or economic environment where CIOs and CSOs are being asked to sweat their assets for significantly longer period of time, that actually creates vulnerabilities because they have older kit, that's running for a longer period that they normally, you know, round out or churn out of their environment. They're not getting the investment to replace those laptops. They're not getting the, I placement to replace those servers. We have to sweat them for a little bit longer, longer, which means they need to be on top of the security posture of those devices. So that means that we need the best possible telemetry that we can get to protect those in the best possible way. So I actually think not only is it makes it non-discretionary, it actually increases the, the business case for, for, for taking on a, a cyber project. >>And I buy that. I buy that the business case is better potentially for cyber business case. And cyber is about, about risk reduction, right? It's about, it's about reducing expected loss. I, I, I, I, but the same time CISOs don't have an open wallet. They have to compete with other P and L managers. I also think the advantage for CrowdStrike I'm, I'm getting deeper into the architecture and beginning to understand the power of a lightweight agent that can do handle. I think you're up to 22 modules now, correct? Yes. 
I've got questions on how you keep that lightweight, but, but nonetheless, if you can consolidate the point tools, which is, you know, one of the biggest challenges that, that SecOps teams face that strengthens the ROI as well. >>Absolutely. And if you look at what George was saying this morning in the keynote, the combination of being able to provide tools, not only to the SecOps team, but the IT ops team as well, being able to give the IT ops team visibility on how many assets they have. I mean, these simple, these are simple questions that we should be able to answer. But often when we ask, you know, an operations leader, can you answer it? It sometimes it's hard for them. We actually have a lot of that information. So we are able to bring that into the platform. We're able to show them, we're able to show them where the assets are, where the vulnerabilities are against those assets and help IT ops do a better job as well as SecOps. So the, the strength, the case strengthens, as you said, the CSO can also be talking to the IT ops budget. >>The edge is getting more real. We're certainly hearing a lot about it now we're seeing a lot more and you kind of got the, the near edge, like the Home Depot and the Lowe's, you know, stores. Yeah. Okay. That I, I can get a better handle on, okay. How do I secure that? I've got some standards, but that's the far edge. It's, it's the, the OT yes. Piece of it. That's sort of the brave new world. What are you seeing there? How do you protect those far flowing estates? >>I think this gets back to the question of what's what's new or what's coming and where do we see the, the next set of workloads that we have to tackle? You know, when we came along first instance, we were really doing a lot of the on-prem on-prem and, and, and known cloud infrastructure suites. Then we started really tackling the broader cloud market with tools and technology to give visibility and control of the overall cloud environment. 
OT represents that next big addressable market for us, because there are so many questions around devices where they are, how old they are, what they're running. So visibility into the OT network is extremely, extremely important. And, you know, the, the wall that has existed again between the CISO and the OT environments coming down, we're seeing that's closer, closer alignment between the security on both those worlds. So the announcement that we've made around extending our Falcon Discover product, to be able to receive and understand device information from the OT network and bring it into the same console as the, the IT and the OT in the same console to give one cohesive picture of, of visibility of all of our devices is a major step forward for our customers and for, for the industry as well. >>And we see that being, being able to get the visibility will then lead us to a place of being able to build our AI models, build our response frameworks. So then we can go to a full EDR and then beyond that, there's, you know, all the other things that CrowdStrike do so well, but this is the first step to really the first step on control is visibility. And >>The OT guys are engineers. So they're obviously conscious of this stuff. It's, it's more it's again, you're extending that culture, isn't >>It? Yeah, yeah, yeah. Now when you're looking at threats, great, you want to do things to protect against those threats, but how much, how much of CrowdStrike's time is spent thinking about the friction that's involved in transactions? If I wanna go to the grocery store, think of me as an end point. If I wanna go to the grocery store, if I had to drive through three DUI checkpoints or car safety inspections. Yeah. Every time I went to the grocery store, I wouldn't be happy as an end point as an end user in this whole thing. Ideally, we'd be able just to be authenticated and then not have to worry about anything moving forward. 
Do you see that as your role, reducing friction 1%, >>That's again, one of the core tenets of, of, of why George founded the company. I mean, he tells the story of sitting on an airplane and seeing an executive who was also on the airplane, trying to boot their machine up and try and get an email out before the plane took off and watching the scanning happen, you know, old school virus scanning happening on the laptop and, and that executive not making it because, and he is like in this day and age, how can we be holding people back with that much friction in their day to day life? So that's one of the, again, founding principles of what we do at CrowdStrike was the security itself needs to support business growth, support, user growth, and actually get out of the way of how people do things. And we've seen progression along that lines. I think the zero trust work that we're doing right now really helps with that as well. >>Our integrations into other companies that play within the zero trust space makes that frictionless experience for the user, because yeah, we, we, we want to be there. We want to know everything that's happening, but we don't wanna see where we always want control points, but that's the value of the telemetry we take. We're taking all the data so we can see everything. And then we pick what we want to review rather than having to do the, the checkpoint approach of stop here. Now, let me see your credentials. Stop here. Let me see your credentials because we have a full field of, of knowledge and information on what the device is doing and what the user is doing. We're able to then do the trust with verify style approach. >>So coming back to the, to the edge in IoT, you know, bringing that zero trust concept to the, to the edge you've got, you've got IT and OT. Okay. So that's a new constituency, but you're consolidating that view. Your job gets harder. Doesn't it? So, so, so talk about how you resolve that. 
Do do the, do the concepts that you apply to traditional IT endpoints apply at the edge. >>So first things we have to do is gain the visibility. And, and so the way in which we're doing that is effectively drawing information out from the OT environment at, by, by having a collector that's sitting there and bringing that into our console, which then will give us the ability to run our AI models and our other, you know, indications of attack or our indicators of misconfiguration into the model. So we can see whether something's good or bad whilst we're doing that. Obviously we're also working on building specific sensors that will then sit in OT devices down, you know, one layer down from rather being collected and pulled and brought into the platform, being collected at the individual sensor level when we have that completed. And that requires a whole different ecosystem for us, it means that we have to engage with organizations like Rockwell and Siemens and Schneider, because they're the people who own the equipment, right? Yeah. And we have to certify with them to make sure that when we put technology onto their equipment, we're not going to cause any kind of critical failure that, you know, that could have genuine real world physical disastrous consequences. So we have to be super careful with how we build that, which we're we're in the process of >>Doing. Are the IOA signatures, indicators of attack. So I don't have to throw a dollar in the jar. Are the IOA signatures substantially similar at, at the edge, or >>I think we learn as we go, you know, first we have to gain the information and understand what good and bad looks like, what the kind of behaviors are there. 
But what we will see is that, you know, as someone's trying to, there's an actor, you know, making an attack, you know, will be able to see how they're affecting each of those endpoints individually, whether they're trying to take some form of control, whether they're switching them on and off in the edge and the far edge, it's a little bit more binary in terms of the kind of function of the device. It is the valve open or is the valve closed? It's is the production line running or is the production not line running, not running. So we need to be able to see that it's more about protecting the outcomes there as well. But again, you know, it's about first, we have to get the information. That's what this product will help us do, get it into the platform, get our teams over the top of it, learn more about what's going on there and then be able to take action. >>But the key point is the architecture will scale. And that's where the cloud native things comes >>Into. Yeah, it'll, it'll it'll scale. But to your, to your point about the lack of investment and infrastructure means older stuff means potentially wider gaps, bigger security holes, more opportunity for the security sector. Yep. I buy that. That makes sense. I think if it's a valid argument, when you, when you, when you know, we, we loosely talk about internet of things, edge, a lot of those things on the edge, there's probably a trillion dollars worth of a hundred year old garbage, and I'm only slightly exaggerating on the trillion and the a hundred years old, a lot of those critical devices that need to be sensed that are controlling our, our, our, our electrical grid. For example, a lot of those things need to be updated. So, so as you're pushing into that frontier, are you, you know, are, are you extending out developer kits and APIs to those people as they're developing those new things? Well, because some of the old stuff will never work. 
>>And that's what we're we're seeing is that there is a movement within the industrial control side of things to actually start, you know, doing this. Some, some simple things like removing the air gap from certain systems because you, now we can build a system around it. That's trustable and supportable. So now we can get access there over, over and over a network over the internet to, to, to kind of control a valve set that's down a pipeline or something like that. So there is, there is, there is willingness within the ecosystem, the, the IOT provider ecosystem to give us access to some of those, those controls, which, which wasn't there, which has led to some of some of these issues. Are we gonna be able to get to all of them? No, we're gonna have to make decisions based on customer demand, based on where the big, the big rock lie. And, and so we will continue to do that based on customer feedback on again, on what we see >>And the legacy air gaps in the OT worlds were by design for security reasons, or just sort of >>Mostly because there was no way to, to do before. Right. So it was, was like black >>Connectivity is >>So, so, so it was, people felt more comfortable sending an engineer route to the field truck roll. Yeah, yeah, yeah. To do it rather than expensive, rather. And, and exactly that, again, going back to our macro economic situation, you know, it's a very expensive way of managing and maintaining your fleet if you have to send someone to it every time. So there is a lot of there's, there's a lot of customer demand for change, and we're engaging in that change. And we want, we see a huge opportunity there >>Coming back to the X XDR Alliance, cuz that's kind of where we started. Where do you wanna see that go? What's your vision for that? >>So the Alliance itself has been fundamental in terms of now where we go with the overall platform. 
We are always constantly looking for customer feedback on where we go next on what additional elements to add that the Alliance members have been this fantastic time and effort in terms of engaging with us so that we can build in responses to their platforms, into, you know, into, into what we do. And they're seeing the value of it. I, I feel that over the next, you know, over the next two year period, we're gonna see those, our XDR Alliance and other XDR alliances growing out to get to each other and they will they'll touch each other. We will have to do it like the OCSF project at AWS. And as that occurs, we're gonna be able to focus on customer outcomes, which is, you know, again, if you listen to George, you listen to Mike protecting the customers, the mission of CrowdStrike. So I think that's core to that, to, to that story. What we will see now is it's a great vehicle for us to give a structured approach to partnership. So we'll continue to invest in that. We've, we've got, we've got a pipeline of literally hundreds of, of partners who want to join. We've just gotta do that in a way that's consumable for us and consumable for the customer. >>Geoff Swaine. Thanks so much for coming back in theCUBE. It's great to have you. Yeah. Thanks guys. Thank you. Okay. And thank you for watching Dave Nicholson and Dave Vellante. We'll be back right after this short break. You're watching theCUBE from Fal.Con 22 in Las Vegas, right back.

Published Date : Sep 22 2022

JC Herrera, CrowdStrike, Craig Neri & Diezel Lodder, Operation Motorsport | CrowdStrike Fal.Con 2022


 

>>Welcome back to Fal.Con 2022. This is Dave Vellante. We get a special presentation segment for you today. This is wall-to-wall day one of day two's theCUBE coverage, JC Herrera. Here's my designated cohost. Who's the chief human resource officer at CrowdStrike. Craig Neri is to my left. He's the beneficiary and the beneficiary trustee and ambassador of, of Operation Motorsport and former US Air Force. Thank you for your service. Thank you. And Diezel Lodder, who is CEO and co-founder of Operation Motorsport. Gents, welcome to theCUBE. Thanks so much for coming on. Great to be JC set this up for us. Explain your role, explain the corporate giving the whole student connection and the veterans take us through that. >>Yeah, sure. Yeah. So as, as head of HR, one of the, one of the things that we do is, is help manage part of the corporate giving strategy. And, and one of those things that, that we love to do is to also invest in students and in our veterans, it's just a part of our giving program. So this partnership with Operation Motorsport is really critical to that. And if you want to dive a little bit deeper into that, we just see that there's a gigantic skills gap in cyber security. And so when we, when there's over millions of open roles around the world and 700,000 of 'em in the US alone, we've gotta go close that gap. And so our NextGen scholarships that come out of the, that are giving funds are, are awarded to students who are studying cyber security or AI. And the other side of that is that this partnership with Operation Motorsport, then we get the opportunity to do some internships with veterans through Operation Motorsport as well, the >>Number 700,000 now, but pre pandemic. I remember number 350, 350,000. It's it's doubled now just in the US. Amazing. All right, Diezel, tell us about the mission of Operation Motorsport, like who are the beneficiaries let's get into it. 
>>So Operation Motorsport engages ill, injured, wounded service members, those that are medically retiring from the service or disabled veterans, these individuals be taken out of their units. They lose their team identity, their purpose. And, and what we do is those that apply to the program and have a desire to work around shiny objects and fast cars and all the great smells or just car guys or gals that we have some of those as well. They, we, we bring them onto the teams as beneficiaries. So embed them into a race team and give them opportunity to find something new. We're a recovery program. We're not about, you know, finding jobs for these folks. It's about networking and getting outta that, you know, outta the dark places where some of them end up going, because this is a, a huge change for them. And, and in doing so, we now expose them to CrowdStrike. You know, that's, that's one of the new relationships that, that we have where potentially if they want to, they can pursue new opportunities in areas like cyber security. >>And they're chosen through an application process. You're I'm, I'm inferring. >>Yeah. They just go online and say, you know, through word of mouth or through a friend or through the, the USO and other organizations, they go online and they click the apply here and they fill it out. And our beneficiary trustee, Craig, and calls 'em up and says, Hey, tell me about what you're looking for. And, and we, we pair them up with the race team and Craig, >>You're also a, a beneficiary in addition to being the beneficiary trustee. So explain that, what's your story? >>Right. So I started in this organization as a beneficiary. I was the one that hit the button on the website. And, and then a few minutes later, I got a phone call from then Tiffany Lodder, Diezel's wife, who's our executive director in the organization. And, and I had that same conversation that I now have with beneficiaries today. 
I did a, I did a full season with them last year in 2021 as a beneficiary. But at the end I realized how big of an impact that this has with folks. Transition can be very difficult, especially if they're ill injured or wounded. And so I asked if I could help if I could give back, cuz it meant such it had such a big impact on me. I'd like to, to help other veterans as well. Can I >>Ask you what made you hit that button? What made you apply? >>That's a great question. So I was one of the very fortunate ones that had a transition coach. I was in the military for 29 years and had a lot of great connections in the military and, and was connected to a coach, a transition coach and just exploring, you know, what that, what that would look like. And she was the one who said, Hey, why don't we, why don't we explore this passion of Motorsports that you have? My family had been going to, to Motorsports events for, you know, 50 years. And so, so I thought back, all right, this is, I like this idea. Let's, let's pursue this. So a quick Google search and operation Motorsport popped up and I hit the button and >>What programs are available in operation >>Motorsport? Yeah. So diesel kind of outline outlined it. We have basically three different programs. We have the, our immersion program, which is exactly what diesel described, where we take that veteran. And we actually immerse them in a race team. They're doing the, exactly what I was doing, doing tires and fuel and whatever the team needs them to do. We also have our emo sports program where folks who can't do the immersion program, immersion program is takes a pretty big time commitment sometimes. And so they just don't have the capacity or abilities to be able to do those. We could put 'em in our emo sports program where they can do it all virtually we're actually, we have a season going on right now where we, we have veterans racing in that emo sports program. 
And then we have a, a diversionary therapy program where we have a, a Patriot car corral set up at all these tracks. So they can go out with like-minded individuals and spend the day out there with those folks, other veterans. And we do pit pit tours and, and we get 'em out on the track for a little bit of a, you know, highway speeds, nothing ridiculous. But we, we did doing some highway speeds. So we have a, a few, few different ways for them to be >>Involved. So, so the number three is like a splash in the pond, whereas number ones, the, to like full immersion. Right? Correct. And so what are you doing in the full immersion? What is, what is that like? I mean, you're literally changing tires and, and, and you're >>Yeah. You name it. You're >>In the you're you're you're in that sort of sphere of battle, if you will. Right. >>The beauty of this is we could take somebody's capabilities and skill set and we can match it to whatever that looks like on a race team. Some people come in and have no experience whatsoever. And so we find a team that needs, you know, that has a development opportunities where they could come in, their, their initial job might be to fuel fuel cans or, you know, take tires off the car, wipe the car down, it's little things in the beginning. And then slowly as they start to grow and learn, then they take on bigger roles. But we also have different positions. They can be immersed in, in teams, but they can also be immersed in the series. So we have folks that are doing like tech inspections. We have folks that are doing race control up in the, up in the tower, directing race operations. So we have lots of opportunities, tons of potential. We, we foster those relationships and take the folks, whatever their capabilities and, and abilities are and find the right position for >>'em think, thinking about your personal experience, how, how did it, how would you say it affected you? >>Yeah. 
To understand that you really have to understand military transition. And I think that's where a lot of the folks that have never experienced this really struggle transition from the military is really difficult. And it's really difficult, even if you're, if you're not broken or you don't have some kind of illness or injury, but you add that factor into at the same time and it could be extremely difficult. And that's why we see like the 22, a day suicide rates with veterans, it's very, very high. Right? And so when you, when you come into this program, it, it is a little bit of a leap of faith, right? This is very new experience for somebody, right? For somebody like myself who had 29 years of experience in the military, very senior person in the military. And now you're at the bottom of the totem pole and trying to figure it all out again, it's, it's a, it's a big jump. But what you realize really quickly is a lot of the things that you experience in the military, you experience in that Pata, same exact things, lots of small team environment, lots of diversity, lots of challenges, lots of roadblocks ups downs, you, you deploy just like you would deploy in, in the military, you bring the cars to a track, you execute a mission, then you pack it up and bring it home. So it's, there's so many similarities in >>The process. I mean, yeah. Diesel hearing Craig explained that there are the similarities sound very clear, but, but, but how did how'd you come up with this idea? It makes sense now in retrospect, but somebody just said, Hey, you know, we have this and we have this and we can marry him or no, not >>Really. And it it's a funny story because I always said, I, I, I don't believe in reinventing the wheel, I believe in stealing the car. And so there's a sister organization that we have in the UK called mission Motorsport. And, and, and they invented this five years before we did. And, and they were successful. 
And I was, you know, through, through friendships and opportunities, I got to witness it in, in 2016. So went over to, to Wales in the UK and, and watched it in action. And we were there for one race weekend, race of remembrance, which is where we go back to, we'll be going back to November, taking 13 beneficiaries over to race in our own race team for a 12 hour race. And that's a whole other story, but that's where it all started. You know, we, we saw the opportunities and said, wow, they're changing lives through recovery, you know, through motor sport and the similarities and what they were achieving. >>Our initial goal was let's just come back and do this again next year, because we need to bring north American transitioning members over to, to witness this and take part. And then fast forward, we said, why stop there? And we stood up an organization. Now I'll tell you that the organization is not what it was, the, the initial vision. This is not where, I mean, I never imagine that we get to this point this day, especially with the announcement this morning, you know, with the partnership with CrowdStrike, it it's huge for us, but we've evolved into something that was very similar to the initial vision. And that was helping, helping medically transitioning service members with their own personal struggles and recovery. You know, the reason we call it operation Motorsport is because operations have no beginning and no end and our, and what we do makes us so different in that we're not a one and done, we take care of these guys. Even when they become alumni, they, they still come back. They, they come back to volunteer, they come back to check in their friends and, and all kinds. It's really, really neat. And, >>And JC of course, CrowdStrike has an affinity for Motorsports, right? You got the logo on the Mercedes. You you've got the safety car at, this is, I think it's called the safety car. Right. That's it? Yeah. So, okay. 
So that's an obvious connection, but, but where did the idea germinate for this partnership? >>There's so many things, but first and foremost, I think that the, the values of CrowdStrike and those of operation motors were very much aligned. If you think about it, we, we focus a lot on teamwork. There's no way we do these jobs without the teamwork part. We all love data. These guys are all in the data all the time, trying to figure out, you know, what your adversaries are doing. So there's that kind of component to it. And I'd say the last bit is critical thinking. So when we think about our organizations and how well aligned they are, that was a, that was a no brainer. And into the other side of it, we get the opportunity to do mentorship programs. I mean, I think both ways, hopefully I get invited to the Patriot corral. At some point I can go, go work on a car, but we'll do those both ways or mentorship opportunities. If folks from operation motor sport win a team up with a crowd striker. So >>Do you ever get to drive the car? Or is that just an awful question? No, that's >>A good question. Actually I do from the, from the track to the pits, very slow >>Speeds. They don't let you out in the train. That's right. No, I don't get to go out on the track. Diesel, you ever, you ever drive one >>Of these? I, I, I I've been on, on the track on, on different cars, not in the race cars that, that, that, that are on the team, but something that's unique in the Patriot corral, for instance, because JC brought that up is that when we do these Patriot corrals, part of that program at lunchtime is, is taking the individuals and doing parade laps. And now, you know, a parade lap. Well, what's the fun in that, but you drive highway speeds on a racetrack and your own personal car, following a pace car. That's a pretty cool experience. Cool. >>Yeah, that's very cool guys. 
Congratulations on this program and all your success and all the, the giving that you do for the community and, and your peers really appreciate you guys coming on theCUBE and telling me great story. Thanks >>For having, thanks for the opportunity. You're very >>Welcome. All right. Keep it right there, everybody. Dave Vellante and Dave Nicholson, we'll be back from Fal.Con 2022 at the ARIA in Las Vegas. You're watching theCUBE.

Published Date : Sep 22 2022


Day 2 Wrap Up | CrowdStrike Fal.Con 2022


 

(upbeat music) >> Okay, we're back to wrap up Fal.con 2022, CrowdStrike's customer event. You're watching theCUBE. My name is Dave Vellante. My co-host, Dave Nicholson, is on injured reserve today, so I'm solo. But I wanted to just give the audience a sense as to some of my quick takeaways. Really haven't given a ton of thought on this. We'll do review after we check out the videos and the transcripts, and do what we do at SiliconANGLE and theCUBE. I'd say the first thing is, look CrowdStrike continues to expand its footprint. And, it's adding the identity module, through the Preempt acquisition. Working very closely with managed service providers, MSPs, managed security service providers. Having an SMB play. So CrowdStrike has 20,000 customers. I think it could, it could 10X that, you know, over some period of time. As I've said earlier, it's on a path by mid-decade to be a 5 billion company, in terms of revenue. At the macro level, security is somewhat, I'd say it's less discretionary than some other investments. You know, you can, you can probably hold off buying a new storage device. You can maybe clean that up. You know, you might be able to hold off on some of your analytics, but at the end of the day, security is not completely non-discretionary. It's competing. The CISO is competing with other budgets. Okay? So it's, while it's less discretionary, it is still, you know, not an open checkbook for the CISO. Now, having said that, from CrowdStrike standpoint it has an excellent opportunity to consolidate tools. It's one of the biggest problems in the security business. Go to Optiv and check out their security taxonomy. It'll make your eyes bleed. There's so many tools and companies that are really focused on one specialization. But really, what CrowdStrike can do with its 22 modules, to say, hey, we can give you ROI and consolidate those. 
And not only is it risk reduction, it's lowering the labor cost and labor intensity, so you can focus on other areas and free up the biggest problem that CISOs have. It's the lack of enough talent. So, really strong business value and value proposition. A lot of that is enabled by the architecture. We've talked about this. You can check out my breaking analysis that I dropped last weekend, on CrowdStrike. And, you know, can it become a generational company. But it's really built on a cloud-native architecture. George Kurtz and company, they shunned having an on-premise architecture. Much like Snowflake, Frank Slootman has said, we're not doing a halfway house. We're going to put all our resources on a cloud-native architecture. The lightweight agent that allows them to add new modules and collect more data, and scale out. The purpose-built threat graph and time series database, and asset graph that they've built. And very strong use of AI, to not only stop known malware, but stop unknown malware. Identify threats. Do that curation. And really, you know, support the SecOp teams. Product wise, I think the big three takeaways, and there were others, but the big three for me is EDR extending into XDR. You know, X is the extending for, in really, the core of endpoint detection and response, extending that further. Well, it seems to be a big buzzword these days. CrowdStrike, I think, is very focused on making a more complete, a holistic offering, beyond endpoint. And I think it's going to do very well in that space. They're not alone. There are others. It's a very competitive space. The second is identity. Through the acquisition of Preempt. CrowdStrike building that identity module. Partnering with leaders like Okta, to really provide that sort of, treating identity, if you will, as an endpoint. And then sort of Humio is now Falcon Log Scale. 
Bringing together, you know, the data and the observability piece, and the security piece, is kind of the three big product trends that I saw. I think the last point I'll make, before we wrap, is the ecosystem. The ecosystem here is good. It reminds me, I said, a number of times this week, of ServiceNow in 2013. I think the difference is, CrowdStrike has an SMB play, it can go after many more customers, and actually have an even broader platform. And I think it can accelerate its ecosystem faster than ServiceNow was able to do that. I mean, it's got to be, sort of, an open and collaborative sort of ecosystem. You know, ServiceNow is kind of, more of, a one-way street. And I think the other piece of that ecosystem, that we see evolving, into IOT, into the operations technology and critical infrastructure. Which is so important, because critical infrastructure of nations is so vulnerable. We're seeing this in the Ukraine. Security is a key component now of any warfare. And going forward, it's always going to be a key component. Nation states are going to go after trust, or secure infrastructure, or critical infrastructure. Try to disable that and disrupt that. So securing those operation assets is going to be very critical. Not just the refrigerator and the coffee maker, but really going after those critical infrastructures. (chuckles) Getting asked to break. And the last thing I'll say, is the developer platform. We heard from ML that, the opportunity that's there, to build out a PaaS layer, super PaaS layer, if you will, so that developers can add value. I think if that happens, this ecosystem, which is breaking down, will explode. This is Dave Vellante, wrapping up at CrowdStrike, Fal.con 2022, Fal.con 2022. Go to SiliconAngle.com, for all the news. Check out theCUBE.net. You'll see these videos on demand and many others. Check out (indistinct).com for all the research. And look for where we'll be next. 
Of course, re:Invent is the big fall event, but there are many others in between. Thanks for watching. We're out. (music plays out)

Published Date : Sep 21 2022


Stephan Goldberg, Claroty | CrowdStrike Fal.Con 2022


 

(intro music) >> Hi everybody. Dave Vellante, back with Day Two coverage, we're live at the ARIA Hotel in Las Vegas for fal.con '22. Several thousand people here today. The keynote was, it was a little light. I think people were out late last night, but the keynote was outstanding and it's still going on. We had to break early because we have to strike early today, but we're really excited to have Stephan Goldberg here, Vice President of Technology Alliances at Claroty. And we're going to talk about an extremely important topic, which is the internet of things, the edge, we talk about it a lot. We haven't covered securing the edge here at theCUBE this week. And so Stephan really excited to have you on. >> Thank you for having me. >> You're very welcome. Tell us more about Claroty, C-L-A-R-O-T-Y, a very interesting spelling, but what's it all about? >> Claroty is a cybersecurity company that specializes in cyber physical systems, also known as operational technology systems and the extended internet of things. The difference between the traditional IoT and what everyone calls an IoT in the cyber physical system is that an IoT device is anything connected on the network that traditionally cannot carry an agent, a security camera, a card reader. A cyber physical system is a system that has influence and operates in the physical world but is controlled from the cyberspace. An example would be a controller, a turbine, a robotic arm, or an MRI machine. >> Yeah, so those are really high-end systems, run, are looked after by engineers, not necessarily consumers. So what's happening in that world? I mean, we've talked a lot on theCUBE about the schism between OT and IT, they haven't really talked a lot, but in the last several years, they've started to talk more. You look at the ecosystem of IoT providers. I mean, it's companies like Hitachi and PTC and Siemens. I mean, it's the different names than we're used to in IT. 
What are the big trends that you're seeing the macro? >> So, first of all, traditionally, most manufacturers and environments that were heavy on operations, operational technology, they had the networks air-gapped, completely separated. You had your IT network for business administration, you had the OT network to actually build stuff. Today with emerging technologies and even modern switching architecture everything is being converged. You have the same physical infrastructure in terms of networking, that carries both networks. Sometimes a human error, sometimes a business logic that needs to interconnect these networks to transmit data from the OT side of the house, to the IT side of the house, exposes the OT environment to cyber threats. >> Was that air-gap by design or was it just that there wasn't connectivity? >> It was air-gap by design, due to security and operational reasons, and also ownership in these organizations. The IT-managed space was completely separate from the OT-managed space. So whoever built a network for the controllers to build a car, for example, was an automation engineer and the vendors, that have built these networks, were automation vendors, unlike the traditional Ciscos of the world, that were specializing in IT. Today we're seeing the IT vendors on the OT side, and the OT vendors, they're worried about the IT side. >> But I mean, tradition, I mean, engineers are control freaks. No offense, but, I'm glad they are, I'm thankful for that. So there must have been some initial reticence to them connecting up these air-gap systems. They wanted to make sure that they were secure, that they did it right, and presumably that's where you guys come in. What are the exposures and risks of these, of this critical infrastructure that we should be aware of? >> So you're completely right. And from an operational perspective let's call it change control is very rigorous. 
So they did not want to go on the internet and just, we're seeing it with adoption of cloud technologies, for example. Cloud as in Industry 4.0, 5.0, cloud as in cyber security. We all heard Amol's keynote from this morning talking about critical infrastructures and we'll touch upon our partnership in a second, but CrowdStrike, CrowdStrike being considered and deployed within these environments is a new thing. It's a new thing because the OT operation managers and the chief information security officers, they understand that air-gap is no longer a valid strategy. From a business perspective, these networks are already connected. We're seeing the trends of cyber attacks, IT cyber attacks, like NotPetya, I'm not talking about the Stuxnet, the targeted OT. I'm talking about WannaCry, EternalBlue, IT vulnerabilities that did not target OT, but due to the outdated and the specification of OT posture on the networks, they hit healthcare, they hit OT much harder than they did IT. >> Was Log4J, did that seep into OT, or any IT that. >> So, absolutely. >> So Log4J right, which was so pervasive, like so many of these malwares. >> All these vulnerabilities that, it's a Windows vulnerability, it has nothing to do with OT. But then when you stop and you say, hold on, my human machine interface workstation, although it has some proprietary software by Rockwell or Siemens running on it, what is the underlying operating system? Oh, hold on, it's Windows. We haven't updated that for like eight years. We were focused on updating the software but not the underlying operating system. The vulnerabilities exist to a greater extent on the OT side of the house because of the same characteristic of operational technology environments. 
>> So the brute force air-gap approach was no longer viable because the business imperative came in and said, no, we have to connect these systems to digitally transform, or advance our business, there's opportunities to monetize, whatever it was. The business laid that out as an imperative. So now OT engineers have to rethink how they secure it. So what are the steps that they're taking and how does Claroty help? Is there a sort of a playbook, a sequential playbook? >> Absolutely, so before we discussed the maturity curve of adopting a CPS security, or OT security technology, let's touch upon the characteristic of the space and what it led vendors like Claroty to build. So you have the rigorous change control. You have the security in mind, operations, lowered the risk state of mind. That led vendors, the likes of Claroty, to build a solution. And I'm talking about seven, eight years ago, to be passive, mostly passive or passive only to inspect network and to analyze network and focus on detection rather than taking action like response or preventative maintenance. >> Um-hmm. >> It made vendors to build on-prem solutions because of the cloud-averse state of mind of this industry. And because OT is very specific, it led vendors to focus only on OT devices, overlooking what we discussed as IoT. Unfortunately, besides HMI and PLC, the controller in the plant, you also have the security camera. So when you install an OT security solution I'm talking about the traditional ones, they traditionally overlook the security camera or anything that is not considered traditional OT. These three observations, although they were necessary in the beginning, you understand the shortcomings of it today. >> Um-hmm. >> So cloud-averse led to on-prem which leads to worse security. It's like comparing CrowdStrike and one of its traditional competitors in the antivirus space. 
What CrowdStrike innovated is the SaaS first, cloud-native solution that is continuously being updated and provide the best in cloud security, right? And that is very much like what Claroty's building. We decided to go SaaS first and cloud-native solution. >> So, because of cloud-aversion, the industry shows somewhat outdated deployment models, on-prem, which limited scale and created greater diversity, more stovepipes, all the problems that we always talk about. Okay, and so is the answer to that, just becoming more cloud, having more of an affinity to cloud? That was a starting point, right. >> This is exactly it. Air-gap is perceived as secured, but you don't get updates and you don't really know what's going on in your network. If you have a Claroty or a CrowdStrike installed, you have much higher probability detecting fast and responding fast. If you don't have it, you are just blind. You will be breached, that's the. >> I was going to say, plus, air-gap, it's true, but people can get through air-gaps, too. I mean, it's harder, but Stuxnet. Yeah, look at Stuxnet right, oh, it's mopping the floor, boom, or however it happened, but so yeah. >> Correct. >> So, but the point being, you know, assume that breach, even though I know CrowdStrike thinks that the unstoppable breach is a myth, but you know, you talk to people like Kevin Mandia, it's like, we assume you're going to get breached, right? Let's make that assumption. Yeah, okay, and so that means you've got to have visibility into the network. So what are those steps that you would, what's that maturity model that you referenced before? >> So on top of these underlying principles, which is cloud-native, comprehensive, not OT only, but XIoT, and then bring that the verticalization and OT specificity. On top of that, you're exactly right. There is a maturity curve. You cannot boil the ocean, deploy protections, and change the environment within one day. 
It starts with discovering everything that is connected to your network. Everything from the traditional workstations to the cameras, and of course ending up with the cyber physical systems on the network. That discovery cannot be only a high level profile, it needs to be in depth to the level you need to know application versions of these devices. If you cannot tell the application version you cannot correlate it to a vulnerability, right? Just knowing that's an HMI or that's a PLC by Siemens is insufficient. You need to know the app version, then you can correlate to vulnerability, then you can correlate to risk. This is the next step, risk assessment. You need to put up a score basically, on each one of these devices. A vulnerability score, risk score, in order to prioritize action. >> Um-hmm. >> These two steps are discovery and thinking about the environment. The next two steps are taking action. After we have the prioritized devices discovered on your network, our approach is that you need to layer in and deploy protections from a preventative perspective. Claroty delivers recommended policies in the form of access control lists or rules. >> Right. >> That can leverage existing infrastructure without touching a device without patching it, just to protect it. The next step would be detection and response. Once you have these policies deployed you also can leverage them to spot policy deviations. >> And that's where CrowdStrike comes in. So talk about how you guys partner with CrowdStrike, what that integration looks like and what the differentiation is. >> So actually the integration with CrowdStrike crosses the entire customer journey. It starts with visibility. CrowdStrike and us exchange data on the asset level. With the announcement during Fal.Con, with Falcon Discover for IoT, we are really, really proud working on that with CrowdStrike. Traditionally CrowdStrike discovered and provided data about the IT assets. 
And we did the same thing with CPS and OT. Today with Falcon Discover for IoT, and us expanding to the XIoT space, both of us look at all devices but we can discover different things. When you merge these data sets you have an unparalleled visibility into any environment, and specifically OT. The integrations continue, and maybe the second spotlight I'll put, but without diminishing the other ones, is detection and response. It's the XDR Alliance. Claroty is very proud to be one of the first partners, XDR Alliance partners, for CrowdStrike, fitting in to the XDR, to CrowdStrike's XDR, the data that is needed to mitigate and respond and get more context about breaches in these OT environments, but also take action. Also trigger action, via Claroty and leverage Claroty's network-centric capabilities to respond. >> We hear a lot. We heard a lot in today's keynote note about the data, the importance of data, of the graph database. How unique is this Stephan, in the industry, in your view? >> The uniqueness of what exactly? >> Of this joint solution, if you will, this capability. >> I told my counterparts from CrowdStrike yesterday, the go-to market ones and the product management ones. If we are successful with Falcon Discover for IoT, and that product matures, as we plan for it to mature, it will change the industry, the OT security industry, for all of us. Not only for Claroty, for all players in this space. And this is why it's so important for us to stay coordinated and support this amazing company to enter this space and provide better security to organizations that really support our lives. >> We got to leave it there, but this is such an important topic. We're seeing in the war in Ukraine, there's a cyber component in the future of war. >> Yes. >> Today. And what do they do? They go after critical infrastructure. 
So protecting that critical infrastructure is so important, especially for a country like the United States, which has so much critical infrastructure and a lot to lose. So Stephan, thanks so much. >> Thank you. >> For the work that you're doing. It was great to have you on theCUBE. >> Thank you. >> All right, keep it right there. Dave Vellante for theCUBE. We'll be right back from fal.con '22. We're live from the ARIA in Las Vegas. (techno music)

Published Date : Sep 21 2022

Amol Kulkarni, CrowdStrike | CrowdStrike Fal.Con 2022


 

(gentle music) >> Hi everybody, this is Dave Vellante of theCUBE. This is day two of Fal.Con 2022, CrowdStrike's big customer event. Over 2000 people here, a hundred sessions, a lot of deep security talk. Amol Kulkarni is here. He's the chief product and engineering officer at CrowdStrike, and we're going to get into it. Amol, thanks for coming to theCUBE. >> Great to be here. >> I enjoyed your keynote today. It was very informative. First of all, how's the show going for you? >> It's going fantastic. I mean, first and foremost, like to be having everyone here in person, after three years, that's just out the world, right? So great to meet and a lot of great conversations across the board with customers, partners. It's been fantastic. >> Yeah, so I want to start with Cloud Native, it's kind of your dogma. This whole, the new acronym is CNAPP, Cloud Native Application Protection Platform. >> Amol: That's right. >> There's a mouthful. What is that? How does it relate to what you guys are doing? >> Yeah, so CNAPP is what Gartner has coined as the term for covering entire cloud security. And they have identified various components in it. The first and foremost is the runtime protection, cloud workload protection, as we call it. Second is posture management. That's CSPM, cloud security posture management. Third is CIEM, which we announced today. And then the fourth is shift left, kind of DevSecOps part of cloud security. And all together Gartner coins that as a solution or a suite, if you will, to cover various aspects of cloud security. >> Okay, so shift left and then shield right. You still got to shield right. Is that where network security comes in? Which is not your main focus, but okay. So now it explains... Gartner is an acronym. Now I get it. But the CIEM announcement, cloud infrastructure entitlement management. So you're managing identities. Is that right? Explain that in more detail. 
>> So, yeah, so I mean, as in the on-premise world, but even more exacerbated in the cloud world, you have lots and lots of identities, both human identities and service accounts that are accessing cloud services. And a lot of the time the rigor is not there in terms of what permissions those identities are provisioned with. So are they over provisioned? Do they have lots of rights that they should not have? Are they able... Are services able to connect to resources that they should not be able to connect to? All of that falls under the entitlement management, the identity entitlement management part. And that's where CIEM comes in. So what we said is, we have a great identity security story for on-premise, right? And now we are applying that to understand identities, the entitlements they have, secrets that are lying around, maybe leaked, or just available for adversaries to exploit in the cloud security world. So taking all of that into account and giving you... Giving customers a snapshot view of one single view to say: these are the identities, these are their permissions, this is where you can trim them down because these are the dependencies that are present across services. And you see something that's not right from a dependency perspective, you can say, okay, this connection doesn't make sense. There's something malicious going on here. So there's a lot that you can do by having that scope of identities. Be very narrowed down. It's a first step in the zero trust journey for the cloud infrastructure. >> So I have to ask you when you now extend this conversation to the edge, and operations technology. Traditionally the infrastructure has been air gapped by, you know, brute force air gap. Don't worry about it. And maybe hasn't had to worry so much about the hygiene. So now as you... as the business drives and forces essentially digital connect... Digital transformation and connectivity >> Connectivity. Yeah. >> I mean, wow, that's a playground for the hackers. 
>> You absolutely nailed it. So most of this infrastructure was not designed with security in mind, unfortunately, right? As you said, most of it was air-gapped, disconnected. And now everything is getting to be connected because the updates are being pushed rapidly, changes are happening. So, and that really, in some sense has changed the environment in which these devices are operating. The operational technology, industrial control. We had the Colonial Pipeline breach last year. And that really opened people's eyes like, Hey, nation state adversaries are going to come after critical infrastructure. And that can... That is going to cause impact directly to the end users, to the citizens. So we have to protect this infrastructure. And that's why we announced Discover for IoT as a new module that looks at and understands all the IoT and industrial control systems assets. >> So that didn't require an architectural change though. Right? That was a capability that you introduced with partners. Right? Am I right about that? You don't have to re-architect anything. It's just... Your architecture fits perfectly into those scenarios. >> Absolutely, absolutely. Yeah, yeah, yeah. You actually... While the pace of change is there, architectural change is almost very difficult, because these are very large systems. They are built up over time. Take an industrial control system. The tracing speed is very different from a laptop. So yeah, you can't impose any architectural change. It has to be seamless from what the customers have. >> You were talking, I want to go back to CNAPP. You were talking about protecting the runtime. You can do that with an agent. You had said agent... In your keynote. Agentless solutions don't give you runtime security protection. Can you double click on that and just elaborate? >> Yeah, absolutely. 
So what agentless solutions today are doing, they're essentially tapping into APIs from AWS or Azure CloudTrail, for example, and looking at misconfigurations. So that is indeed a challenge. So that is one part of the story, but that only gives you a partial view. Let's say that an attacker attacks and uses an existing credential, a legitimate credential, to access one of the cloud services. And from there they escalate the privileges and then now start branching off the CSP, and the agentless-only solutions will not catch that. Right? So what you need is, you need this agentless part but you have to couple that with seeing the activity that's actually happening, the living off the land attacks that cannot be caught by the CSP end-piece. So you need a combination of agentless and agent runtime to give that overall protection. >> What's the indicator of attack for a hacker that's living off the land, meaning using your own tools against you. >> That's right. So the indicators of attack are saying accessing services, for example, that are not normally accessed or escalating privileges. So you come in as a normal user, but then suddenly you have admin privileges because you have escalated those privileges, or you are moving laterally very rapidly from one place to another, or spraying across a lot of services in order to do reconnaissance and understand what is out there. So it's almost like looking for what is an abnormal attack path, abnormal behavior compared to what is normal and the good part is cloud. There's a lot that is normal, right? It's fairly constrained. It's not like an end user who is downloading stuff from the internet. And like doing all sorts of things. Cloud services are fairly constrained, so you can profile and you can figure out where there is a drift from the normal. And that's really the indicator of attack. In some sense, from cloud services. >> In a previous life I want to change subjects. In a previous life. 
I spent a lot of time with CIOs. Helping them look at their application portfolio, understanding what to rationalize, what to get rid of, what to invest in, you know, bringing in new projects, cause you know, it's just you never throw stuff away in IT. >> There is no obsolescence >> Right. So, but they wanted to... Anytime you go through these rationalization exercises change management is everything. And one of the hardest things to do was to map and understand the business impact of all the dependencies across the portfolio. Cause when application A needs this dataset. If you retire it, you're going to... It has ripple effects. And you talked about that in a security context today when you were talking about the asset graph and the threat graphs giving you the ability to understand those dependencies. Can you add some color to that? >> Absolutely. Absolutely. So what we've done with the asset graph: it's a fundamental piece of technology that we've been building now for some time that complements the threat graph. And the asset graph looks at assets, identities, applications, and configuration. All of those aspects. And the interconnections between them. So if a user is accessing an application on a server, all those, and in what role, all of that relationship is tied together in the asset graph. So what that does now is, it gives you an ability to say this application connects to this application. And that's the dependency on that port, for example. So you can now build up a dependency map and then the threat graph, what it does, it looks at the continuous activity that's happening. So if you now take the events that are coming into the threat graph and the graphical representation of those, combine it with the asset graph, you get that full dependency map. And now you can start doing that impact analysis that you talked about. Which is... It's an unsolved problem, right? 
And that's why security as I said in my keynote is most people do not have their security tools enabled to the highest level or they don't have full coverage just because the pace of change is so rapid. They cannot keep up with it. So we want to enable change management, at a rapid pace where businesses and customers can say; we are confident about the change management, about the change we are going to implement. Because we know what the potential impact would be. We can validate, test it in a smaller subset and then roll it out quickly. And that's the journey we are on. Sort of the theme of my talk was to make IT and security friends again. >> Right, you talked about that gap and bringing those two together. You also had a great quote in there; 'The pace of change and securities is insane.' And so this assets graph capability, dependencies and the threat graph, help you manage that accelerating pace of change. Before I forget, I want to ask you about your interview with Girls Who Code. What was that like? Who'd you interview? I unfortunately couldn't see it. I apologize. >> Yeah, fantastic. So, Reshma Saujani she heads Girls Who Code and she first off had a very very powerful talk just from her own own experiences. And essentially, like, what do we need to do to get more women into computer science first, but then within that, into cybersecurity. and what all have they done with Girls Who Code. So very, I mean, we were very touched at the audience was like super into her talk. And then I had a chance to chat with her for a few minutes, ask her a few questions. Just my view was more like, okay. What can we do together? What can CrowdStrike do in our position, in to attract more women? We've done a lot in terms of tailoring our job descriptions to make sure it's more... Remove the biases. Tuning the interview processes to be more welcoming and Reshma gave an example saying; 'Hey, many of these interviews, they start with a baseball discussion.' 
And I mean, some women may maybe interested in it but may not all maybe. And so is that the right? Is it a gender kind-of affirming or gender neutral kind-of discussion or do you want to have other topics? So a lot of that is about training the interviewers because most of the interviewers are men, unfortunately. That's the mix we have. And it was a great discussion. I mean, just like very practical. She's very much focused on increasing the number of people and increasing the pipeline which is honestly the biggest problem. Because if we have a lot of candidates we would definitely hire them and essentially improve the diversity. And we've done a great job with our intern program, for example, which has helped significantly improve the diversity on our workforce. >> And, but the gap keeps getting bigger in terms of unfulfilled jobs. That leads me to developers as a constituency. Because you guys are building the security cloud. You're on a mission to do that. And to me, if you have a security cloud, it's got to be programmable. You're going to have developers there. You don't... From what I can tell you have a specific developer platform, but it's organic. It's sort of happening out there. What's the strategy around, I mean, the developer today is so critical in terms of implementing a lot of security strategy and putting it into action. They've got to secure the run time. They got to worry about the APIs. They got to secure the PaaS. They got to secure the containers. Right, and so what's your developer strategy. >> Yeah, so within cloud security, enabling developers to implement DevSecOps as a as a philosophy, as a strategy, is critical. And so we, we have a lot of offerings there on the shift-left side, for example, you talked about securing containers. So we have container image assessment where we plug in into the container repositories to check for vulnerabilities and bad configuration in the container images. 
We then complement that with the runtime side where our agent can protect the container from runtime violations, from breakouts, for example. So it's a combination. It's a full spectrum, right? From the developer building an application, all the way to the end. Second I'd say is, we are very much an API-first company. So all of the things that you can do from a user interface perspective, you can do from APIs. What that enables is a bunch of partners, a rich partner ecosystem that is building using those APIs. So the developers within our partners are leveraging those APIs to build very cool applications. And the manifestation of that is CrowdStrike Store where essentially we have, as Josh mentioned in his keynote, we have an agent cloud architecture that is very rich. And we said, okay, why can't we open that up for partners to enable them to leverage that architecture for their scenarios? So we have a lot of applications that are built on the CrowdStrike Store, leveraging our platform, right. Areas that we are not in, for example. >> And here, describe it. Is there a PaaS layer that's purpose-built for CrowdStrike so that developers can build applications? >> That's a great question. So I'll say that we have the beginnings of a PaaS layer. We definitely talked about CrowdStrike Store as being PaaS for cybersecurity but there's a lot more to do. And we are in the process of building up an application platform so that customers can build the applications for their SOC workflow or IT workflow and Falcon Fusion is a key part of that. So Falcon Fusion is our automation platform built right into the security cloud. And what that enables customers to do is to define... Encode their business process the way they want and leverage the platform the way they want. >> It seems like a logical next step. Because you're going to enable a consistent experience across the board. And fulfill your promise, your brand promise, and the capabilities that you bring. 
And this ecosystem will explode once you announce that. >> And that's the notion we talk about of being the Salesforce of security. >> Right, right. Yeah. That's the next step. Amol, thank you so much. I got to run and wrap. We really appreciate you coming on theCUBE. >> Thank you very much. >> Congratulations on your keynote and all the success and great event. >> Appreciate it. Thank you very much for the time and great chatting with you. >> You're very welcome. All right, keep it right there. We'll be back very shortly to wrap up from Fal.Con 2022. This is Dave Vellante for theCUBE. (soft electronic music)

Published Date : Sep 21 2022

Shawn Henry, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>All right, we're back. We're wrapping up day two at Fal.Con 22 from the ARIA in Las Vegas. CrowdStrike. The action is crazy. Second day of keynotes. Shawn Henry is back. He's the chief security officer at CrowdStrike. He did a keynote today. Shawn, good to see you. Thanks for coming back. >>Good to see you, Dave. Thanks for having me. >>So, unfortunately, I wasn't able to see your keynote 'cause I had to come do CUBE interviews. You interviewed Kemba Walden from, from, you know, White House, right? >>National cyber security >>Director. We're gonna talk about that. We're gonna talk about Overwatch, your threat hunting report. I want to share the results with our audience, but start with your, well actually start with the event. We're now in day two, you've had a good chance to talk to customers and partners. What are, what are your observations? Yeah, >>It's first of all, it's been an amazing event, over 2200 attendees here. It's really taking top three floors at the ARIA hotel and we've got partners and customers, employees, and to see the excitement and the level of collaboration here is absolutely phenomenal. All these different organizations that are each have a piece of cyber security to see them coming together, all in support of how do you stop breaches? How do you work together to do it? It's really been absolutely phenomenal. >>You're gonna love the collaboration. We kind of talked about this on our earlier segment is the industry has to do a better job and has been doing a better job. You know, I think you and Kevin laid that out pretty well. So tell me about the interview with the fireside chat with Kemba. What was that like? What topics came up? >>Yeah. Kemba is the principal, deputy national cyber security advisor. She's been there for just four months. She spent over 10 years at DHS, but she most recently came from the private sector in cybersecurity. 
So she's got that the experience as a private sector expert, as well as a public sector expert and to see her come together in that position. It was great. We talked a lot about some of the strategies the white house is looking to put forth in their new cybersecurity strategy. There was recently an executive order, right? That the, the president put forth that talks about a lot of the things that we're doing here. So for example, the executive order talks about a lot of the legacy type of capabilities being put to pasture and about the government embracing cloud, embracing threat, hunting, embracing EDR, embracing zero trust and identity protection. Those are all the things that the private sector has been moving towards over the last year or two. That's what this is all about here. But to see the white house put that out, that all government agencies will now be embracing that I think it puts them on a much shorter footing and it allows the government to be able to identify vulnerabilities before they get exploited. It allows them to much more quickly identify, have visibility and respond to, to threats. So the government in infrastructure will be safer. And it was really nice to hear her talk about that and about how the private sector can work with the government. >>So you know how this works, you know, having been in the bureau. But so it's the, these executive orders. A lot of times people think, oh, it's just symbolic. And there are a couple of aspects of it. One is president Biden really impressed upon the private sector to, you know, amp it up to, to really focus and do a better job. But also as you pointed out that executive order can adjudicate what government agencies must do must prioritize. So it's more than symbolic. It's actually taking action. Isn't >>It? Yeah. I, I, I think it, I think it's both. 
I think it's important for the government to lead in this area because while a, a large portion of infrastructure, major companies, they understand this, there is still a whole section of private sector organizations that don't understand this and to see the white house, roll it out. I think that's good leadership and that is symbolic. But then to your second point to mandate that government agencies do this, it really pushes those. That might be a bit reluctant. It pushes them forward. And I think this is the, the, the type of action that as it starts to roll out and people become more comfortable and they start to see the successes. They understand that they're becoming safer, that they're reducing risk. It really is kind of a self-fulfilling prophecy and we see things become much safer. Did, >>Did you guys talk about Ukraine? Was that, was that off limits or did that come up at all? >>It wasn't, it wasn't off limits, but we didn't talk about it because there are so many other things we were discussing. We were talking about this, the cyber security workforce, for example, and the huge gap in the number of people who have the expertise, the capability and the, and the opportunities to them to come into cyber security technology broadly, but then cyber security as a sub sub component of that. And some of the programs, they just had a big cyber workforce strategy. They invited a lot of people from the private sector to have this conversation about how do you focus on stem? How do you get younger people? How do you get women involved? So getting maybe perhaps to the untapped individuals that would step forward and be an important stop gap and an important component to this dearth of talent and it's absolutely needed. So that was, was one thing. There were a number of other things. Yeah. >>So I mean, pre pandemic, I thought the number was 350,000 open cybersecurity jobs. I heard a number yesterday just in the us. And you might have even told me this 7, 7 50. 
So it's doubled in just free to post isolation economy. I don't know what the stats are, but too big. Well, as a, as a CSO, how much can automation do to, to close that gap? You know, we were talking earlier on the cube about, you gotta keep the humans in the loop, you, you, the, the, the, the Nirvana of the machines will just take care of everything is just probably not gonna happen anytime in the near term, even midterm or long term, but, but, but how can automation play and help close that gap? So >>The, the automation piece is, is what allows this to scale. You know, if we had one company with a hundred endpoints and we had a couple of folks there, you could do it with humans. A lot of it when you're talking about hundreds of millions of endpoints spread around the globe, you're talking about literally trillions of events every week that are being identified, evaluated and determined whether they're malicious or not. You have to have automation and to have using the cloud, using AI, using machine learning, to sort through, and really look for the malicious needle in a stack of needle. So you've gotta get that fidelity, that fine tune review. And you can only do that with automation. What you gotta remember, Dave, is that there's a human being at the end of every one of these attacks. So we've got the bad guys, have humans there, they're using the technology to scale. We're using the technology to scale to detect them. But then when you get down to the really malicious activity, having human beings involved is gonna take it to another level and allow you to eradicate the adversaries from the environment. >>Okay. So they'll use machines to knock on the door when that door gets opened and they're in, and they're saying, okay, where do we go from here? And they're directing strategy. Absolutely. I, I spent, I think gave me a sta I, I wonder if I wrote it down correctly, 2 trillion events per day. Yeah. That you guys see is that I write that down. Right? >>You did. 
It changes just like the number of jobs. It changes. When I started talking about this just a year and a half ago, it was a billion a day. And when you look at how it's multiplied exponentially, and that will continue because of the number of applications, because of the number of devices, as that gets bigger, the number of events gets bigger. And that's one of the problems that we have here is the spread of the network. The vulnerability, the environment is getting bigger and bigger and bigger. As it gets bigger, more opportunities for bad guys to exploit vulnerabilities. >>Yeah. And we were talking earlier about IoT and extending, you know, that threat surface as well. Talk about the Overwatch threat hunting report. What is that? How often have you run it? And I'd love to get into some of the results. Yeah. >>So Overwatch is a service that we offer where we have 24 by seven threat hunters that are operating in our customer environments. They're hunting, looking for malicious activity, malicious behavior. And to the point you just made earlier, where we use automation to sort out and filter what is clearly bad. When an adversary does get what we call fingers on the keyboard. So they're in the box and now a human being, they get a hit on their automated attack. They get a hit that, Hey, we're in, it's kind of the equivalent of looking at the bobber while you're fishing. Yeah. When you see the bobber move, then the fisherman jumps up from his nap and starts to reel it in. Similar. They jump on the keyboard, fingers on the keyboard. Our Overwatch team is detecting them very, very quickly. So we found 77,000 potential intrusions this past year in 2021, up to the end of June, one every seven minutes from those detections. >>When we saw these detections, we were able to identify unusual adversary behavior that we'd not necessarily seen before. We call it indicators of attack. What does that mean? 
It means we're seeing an adversary taking a new action, using a new tactic. Our OverWatch team can take that from watching it to human beings. They take it, they give it to our engineering team and they can write detections, which now become automated, right? So you have all the automation that filters out all the bad stuff. One gets through, a bad guy jumps up, he's on the keyboard. And now he's starting to execute commands on the system. Our team sees that, pulls those commands out. They're unusual. We've not seen 'em before. We give it to our engineering team. They write detections that now all become automated. So because of that, we stopped over with the 77,000 attacks that we identified. We stopped over a million new attacks that would've come in and exploited a network. So it really is kind of a big circle where you've got human beings and intelligence and technology, all working together to make the system smarter, to make the people smarter and make the customers safer. And you're >>Seeing new IOAs pop up all the time, and you're able to identify those and codify 'em. Now you've announced at re:Inforce, in July in Boston, you announced the threat hunting service, which is also, I think, part of your, you're the president as well of that services division, right? So how's that going? What >>What's happening there? What we announced. So the OverWatch team has been involved working in customer environments and working on the back end in our cloud for many years. What we've announced is this cloud hunting, where, because of the adoption of the cloud and the movement to the cloud of so many organizations, they're pushing data to the cloud, but we're seeing adversaries really ramp up their attacks against the cloud.
So we're hunting in Google Cloud, in Microsoft Azure cloud, in AWS, looking for anomalous behavior, very similar to what we do in customer environments, looking for anomalous behavior, looking for credential exploitation, looking for lateral movement. And we are having a great success there because as that target space increases, there's a much greater need for customers to ensure that it's protected. So >>The cloud obviously is very secure. You got some of the best experts in the planet inside of hyperscale companies. So, and whether it's physical security or logical security, they're obviously, you know, doing a good job. Is the weakness the seams between where the cloud provider leaves off and the customer has to take over, that shared responsibility model? You know, misconfiguring an S3 bucket is the, you know, the common one, but I'm so there like a zillion others. Where's that weakness? Yeah. >>That's exactly right. We see oftentimes the IT piece enabling the cloud piece and there's a connectivity there, and there is a seam there. Sometimes we also see misconfiguration, and these are some of the things that our cloud hunters will find. They'll identify, again, the equivalent of walking down the hallway and seeing a door that's unlocked, making sure it's locked before it gets exploited. So they may see active exploitation, which they're negating, but they also are able to help identify vulnerabilities prior to them getting exploited. And, you know, the ability for organizations to successfully manage their infrastructure is a really critical part of this. It's not always malicious actors. It's identifying where the infrastructure can be shored up, make it more resilient so that you can prevent some of these attacks from happening. I >>Heard this week earlier something I hadn't heard before, but it makes a lot of sense, you know, Patch Tuesday means hack Wednesday.
And so I presume that the companies releasing patches is like a signal to the bad guys that, Hey, you know, free for all, go, because people aren't necessarily gonna patch. And then the SolarWinds customers are now circumspect about patches. The very patches that are supposed to protect us with the SolarWinds hack were the cause of the malware getting in and, you know, reforming, et cetera. So that's a complicated equation. Yeah. >>It certainly is. A couple parts there to unwind. First, when you think about Patch Tuesday, there are adversaries often, not always, that are already exploiting some of those vulnerabilities in the wild. So it's a zero day. It's not yet been patched, in some cases hasn't yet been identified. So you've got people who are actively exploiting it. We've found zero days in the course of our threat hunting. We report them in a responsible way. We've gone to Microsoft. We've told them a couple times in the last few months that we found a zero day and give them an opportunity to patch that before anybody goes public with it, because absolutely right, when it does go public, those that didn't know about it before recognize that there will be millions of devices, depending on the vulnerability, that are out there and exploitable. And they will absolutely, it will tell everybody that you can now go to this particular place. And there's an opportunity to gain access, to exploit privileges, depending on the criticality of the patch. >>I don't, I'm sorry to generalize, but I wanna ask you about the hacker mindset. Let's say that what you just described, a narrow set of hackers knows that there's an unpatched, you know, vulnerability, and they're making money off of that. Will they keep that to themselves? Will they share that with other folks in the net? Will they sell that information? Or is it one of those, it depends? It, >>I was just gonna say, it depends. You beat me to it.
It absolutely depends. All of the above would be the answer. We certainly see organ now a nation state for example, would absolutely keep that to themselves. Yeah. Right. Their goal is very different from an organized crime group, which might sell access. And we see them all the time in the underground selling access. That's how they make money. Nation states, they want to keep a zero day to themselves. It's something they're able to exploit in some cases for months or years, that vulnerability goes undetected. But a nation state is aware of it and exploiting it. It's a dangerous game. And it just, I think, exemplifies the importance of ensuring that you're doing everything you can to patch in a timely manner. Well, >>Shawn, we appreciate the work that you've done in your previous role and continuing to advance education, knowledge and protection in our industry. Thank you for coming on >>You. Thank you for having me. This is a fantastic event. Really appreciate you being here and helping to educate folks. Yeah. >>You guys do a great job. Awesome set that you built and look forward to future events with you guys. My >>Friends. Thanks so much, Dave. Yeah. Thank >>You. Bye now. All right. Appreciate it. All right, keep it right there. We're gonna wrap up in a moment. Live from Fal.Con 22. You're watching theCUBE.

Published Date : Sep 21 2022


Michael Sentonas, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>Okay. We're back at the ARIA in Las Vegas, Fal.Con 22. You're watching theCUBE. My name is Dave Vellante. Michael Sentonas is here. He's the chief technology officer at CrowdStrike. Michael. Good to see you. Thanks. Thanks >>For >>Having me. Yeah. So this is your first time, I think, on theCUBE. It is, and it's really a pleasure. I've been following you, watching you very closely. You're, you know, quite prominent and, you know, very articulate. I loved your keynote talking about what is XDR. I think you guys are gonna do really well in that space, cuz you've got clarity of vision and execution. Talk about some of the announcements that you made this week, particularly interested in Insight XDR. What's that all about? >>Yeah. So I've been talking about XDR for a while and trying to help push the right narrative. There's a lot of marketing in the industry with XDR. So we've been talking a lot about what it means, the benefit that it provides from a technology perspective, what you need in the architecture. So we firmly believe it's a philosophy and we build all of our technology to work together, but it's bringing in third parties. And that was really a lot of the announcements. My keynote was to show everybody the work that we've been doing to bring in data from Zscaler and Proofpoint. And we talked about bringing in data from a whole range of different vendors, firewall vendors, and we've been doing XDR use cases for a long time. So a big part of our strategy is to make security easy. And we've been doing a lot of XDR use cases with our Falcon Insight module. So the announcement that I made was to relaunch Falcon Insight as Insight XDR and it means all of our close to 20,000 customers have access to the product. >>So that gets bundled right in, it's like SaaS, automatically part of the portfolio >>Log off on Friday, come back on Monday and you're good to go.
>>And then you just called out Zscaler and Proofpoint. I think you also mentioned Palo Alto Networks, Cisco, Fortinet as well. You're pulling in telemetry from, yeah, >>We've got a long map of people that we're integrating with. We talked about Cisco, we talked about for drop and Fortinet, we announced that we're gonna be pulling in telemetry from Palo and a range of other vendors, Microsoft and others. And that's what XDR is about. It's about first party and third party integration and making all of the telemetry work together. >>I was talking to George about this yesterday is I think there's a lot of confusion. Sometimes when you have the dogma of cloud native, you know, Snowflake, same thing, no, we're not doing on-prem. This is hybrid. People think that you're excluding on-prem data, but you're not, you can ingest on-prem data, right? >>We absolutely are not excluding on-prem. We will support and secure every workload, whether it's on-prem or in the cloud, whether it's connected to the internet or offline. A lot of the indicators of attack and the detection techniques that we have are on the sensor itself. So you don't have to be connected anywhere for that capability to work. You get the benefit when you connect to the cloud of the additional visibility, the additional protection, but the core capabilities on the sensor that we have >>Given that you guys started 11 years ago, plus two days now, and you had that dogma, cloud first, cloud only, cloud native. Was there ever a point where you're like, you know, boy, we might be missing some of the market, you know? And you held true to your principles. Two part question. Did you ever question that and by focusing all your resources on cloud, what has that given you? >>There's been a laser focus on having a native cloud platform. It's easy to say cloud native.
And if you look at a lot of the vendors in the industry today, if you are a customer and you ask them, Hey, can you gimme an on-premise product? I'm not gonna buy your product. They've got an on-premise product. The problem is when you have two different versions, you end up having compromise. You have to manage two code bases, impact to your engineering team. Their features are different. Customers ultimately are the ones that miss out because if I have the on-prem version or the cloud version, I may not get the same capability. For us, it's been very clear. It's been a laser focus to be a cloud and cloud only from day one. >>You've renamed Humio. I gotta stop using Humio. I guess it's now called LogScale, Falcon Complete LogScale. You're bringing together security and observability. Although you're not doing the full spectrum of observability, you're just sort of focusing on, you know, part of it. Can you explain that? >>Yeah. So first of all, we did rebrand and bring the Humio brand closer to CrowdStrike by renaming it Falcon LogScale. And just to be clear, it's not just the rebranding of the name. We've been spending a lot of time. We made that acquisition in March of last year, and we've been doing a lot of work on the technology. We built out the Falcon long term retention. We built a whole bunch of capability into the product. So now was the right time to rebrand it as Falcon LogScale. And at the same time, we also announced Falcon Complete LogScale. And it's part of the Complete franchise. And that's where customers can get the value and the benefit of LogScale, but they don't have to set it up. They don't have to manage it. They leave that to us. >>So you get pretty much involved in the M&A activity. You talked on stage yesterday about Reposify and what's going on there. You guys got, obviously gotta, still do that. But you made investments this week.
You announced investments in Salt Security, the API specialist, and also Vanta, compliance automation. What's the thinking behind that, you know, explain actually the fund that you guys are sprinkling around as a strategic investor and why those companies. Yeah. >>So there's two parts that I'm involved in on that part of my team. One is the M&A team. And one is the Falcon Fund side of the business. Obviously two very different things. The M&A part of CrowdStrike, we're always looking to see for every technology space that we want to get into, you know, what is the best option: build, buy or partner? Sometimes it's build, sometimes it's a hybrid approach of build and partner. Other times we go down the path of M&A, and I was super excited about Reposify, great company, great technology. And as you said, we made announcements, we're investing as part of the fund into Vanta and Salt. We are very blessed. We're very fortunate to have achieved a lot of success in a short period of time. And we think we've got an opportunity to help fledgling companies, to help them guide through the process of setting up the company, helping them with engineering principles and guidelines, helping them with the go to market perspective. So the fund is really about that. It's finding the next cybersecurity company, working closely together, and it's been a huge success. You had Vanta and Salt on earlier, and there's so much excitement about what they do. >>Yeah. I mean, it's a clear complement to what you guys are doing. I want to ask you about your lightweight agent. There are other firms that say they have a lightweight agent too. You know, what makes your lightweight agent so different? So special? >>Yeah. I've never seen a PowerPoint presentation that's wrong. It's very easy to say your lightweight agent is, you know, super lightweight. And many times when you look at them, they're not lightweight.
They take a lot of effort to install. They need reboots. If you've got security that's part of the operating system, if you've got security that requires a reboot, you can't go to a bank and say, Hey, you've got a hundred thousand machines. We're gonna install all of this technology, but you've gotta reboot it once, twice, three times. So what ends up happening is you see deployment cycles that go on for 12 months. I've spoken to organizations here this week that said we had budgeted to roll out your product in 18 months because of what we experienced in the past. And we did it in seven weeks. That's a lightweight agent with no reboot. And then you look at the updates. You look at the CPU resource utilization. So again, very easy to say lightweight. I haven't seen anything like what we've built at CrowdStrike. >>How do you keep an agent lightweight when you're both acquiring companies and adding modules? I think you're over 20 modules now. How is it that the agent can remain so lightweight? >>So we spent a lot of time building out the agent cloud architecture that we have. The concept of our agent is very different. It's not collecting data, storing it, trying to send it up. We have a smart agent with smart filtering built in. So we're very careful in terms of the data that we collect, but think of the aperture on a camera. You know, if you wanna let more light in, you widen the aperture. It's the same as our agent. If we wanna bring in more telemetry, we widen that aperture. So we're very efficient on the network. And we collect data. When a machine process runs, we collect that telemetry. We use it in different ways, but we collect once and reuse it many times. So it's the same agent for NextGen AV, for EDR, for our Spotlight vulnerability management module. And when we're looking at M&A, so coming back to your question, we will look at technology.
And if we can't bring that technology and incorporate it into the agent that we already have, we won't acquire it. Worst thing in security is complexity. When you give an organization 1, 2, 3, 5 plus agents, and then they have 3, 4, 5 plus management consoles, it's too hard when they're under attack. >>Well, it's like my business partner, co-host John Furrier says, is that as an industry, we tend to solve complexity with more complexity. And that's problematic. Can you talk about your Threat Graph? Like, what is that? Is it a graph database? Is it a purpose built? Is it a time series database, a combination? What is >>That? Yeah, it is a graph database. When the company was started, obviously the vision was to crowdsource telemetry from so many machines, from millions of devices around the world. And the thesis at the time was as that capability scales out, there's nothing commercially available that will be able to ingest all of that data. And today we are processing over 7 trillion events every single week. We can't go and get something off the shelf. So we've had to build the technology from the ground up. That's the first part. Secondly, there is a temporal element to this. There's a time element. And we have an ontology built where we track the relationship between all the telemetry that we get. The reason why I believe we stand alone in EDR is because of that time element, the relationship that we have, and we just have so much context that makes it easy for the threat hunter. Speed and ease of use is critical in cyber. >>So you see in data, in the database world, everything's kind of converging with all this function. You know, 11 years ago, these were pretty rudimentary. I shouldn't say rudimentary, but immature markets. They've come a long way.
If you had to start, if those capabilities that are there today with graph databases and time series databases were available in 2010, would you have used off the shelf technology, or would you have still developed your >>Own? We would've done the same thing that we've done today. >>And why? Can you explain what that is? Is it a performance thing? Is it just control? >>Yeah, look, it's everything that I talked about before, the benefit that you get from the approach that we've taken and the scalability, the requirements that we need. We still today, there's nothing that we can go and get off the shelf that can scale and give us the performance that we need, that can give us the ability to have that relationship data, the ontology of what we have in the platform and the way that we interoperate with all of the different modules. That just wouldn't exist. We wouldn't have that capability. And what you'd find is we'd be pretty much the same as every other vendor where they have on-prem solutions, they have hybrid hosted solutions. And when you have those trade offs, you see it in the product. >>Yeah. So the point is you're very focused on the purpose of your proprietary technology. You're not trying to serve the all things to all people. You used the term yesterday in your keynote, which caught my attention. You used the term ground truth, and it has very specific meaning. Can you explain what you meant by what is ground truth, you know, in the world? And what does it mean to CrowdStrike? Yeah, >>I was talking about ground truth as it relates to the acquisition of Reposify and the big thing for us, we wanted to bring additional capability to the platform, to give our customers external and internal visibility of all their assets and all their vulnerabilities. What's important with us, with our agent, is today we give you a single source of truth.
When we put that agent onto a device, we tell you everything about the hardware. We tell you everything about who's logged in. We tell you everything about the applications that are running, the relationships between the device and the application. We're not a CMDB. We feed CMDB with information that is instant, that is live. And when we look at Reposify, it broadens, again, I'll use the same word, it broadens the aperture. It gives us more visibility around what's going on. So we're super excited about that because having information about all of your assets, all of your users, the applications they use, whether they're vulnerable, how you need to protect them, having it at your fingertips, it's a game changer >>Contract, can CrowdStrike be a generational company? And what do you have to do to ensure that that outcome occurs? We, >>I think we absolutely are. And we're paving a path to, you know, really continuing to build out that platform. I said in my keynote that I think we're at an early innings. If you buy, for example, as a customer, our Insight module, cuz you wanna start with EDR, you've got 21 modules to go. Yesterday, today, we talked about Discover 2.0, we talked about Discover for IoT. I talked about the Reposify acquisition, a whole range of technology built on that single cloud agent architecture. And we've heard the success stories here this week from customers that have just gotten so much benefit. They've rolled out one agent and they've turned off eight or nine from other security vendors. So absolutely we can be a generational company with what we're doing. What >>Are the blockers to customers turning on those additional modules? Cause not all customers are using our modules. Is it that they've made an investment in an alternative technology and they're sort of hugging onto it or are there other technical blockers? Yes. >>Many times it's the investment, right?
So if you've made an investment in the company, you've got a year to go, you might wanna sweat that asset. But typically what we find is the benefit that we have. It's a very simple conversation. If we can give people a cost and a technology benefit, they're gonna make the transition to move. There's so many technical benefits. We talked about the single agent, but the actual features of the modules themselves. But the big thing for us is we've done over 4,700 business value assessments where we sit down with an organization and we look at what they have. We look at what their spend is. We look at their FTEs, we look at the security outcomes that they get. And then we come out with a model that shows them technology and business value. And that's what really drives them to make the switch. >>So the business value in that BVA is not just a reduction in expected loss. That's part of it, better security, you're gonna, you know, lower your risk. But you're saying it's also the labor associated with that. Yeah, >>Absolutely. It's how do you operationalize the solution? How many people do you need? How long does it take you to respond? You know, how do you interact with third parties, with your suppliers? It's taking in all of that data. We've spent a long time building out that model and it's proving to be very successful. Customers love it. Is >>That sort of novel ROI thinking in the security business? Or I'm trying to think of, I mean, I know for years I would watch Art Coviello stand up at RSA and tell us how this year's worse than last year. And so, but I never really heard, you know, a strong business case that would resonate with the P&L manager, other than, you know, we gotta do this or we're gonna get hacked and you're gonna be screwed. Is that new thinking? Or did I just miss it? >>I don't know if I wanna size new thinking.
I think what happened, what changed was 10, 15 years ago at a conference you'd stand up and everybody would tell you ransomware's up and phishing is up. And at the end of it, people are trying to work out, is that good? Or is that bad? It went up 20% based off what? That doesn't work anymore. Everyone, you know, got tired of that. And a few of us have been doing it for a while. I'm sort of two and a half decades into this. And if you try to use that model of scaring people, they switch off, they want to understand the benefit. You know, the brake in the car is so you can go and stop safely when you need it. And I look at security the same way. We want to accelerate the company. We want to help companies do their job, but security is there to make sure they don't get into trouble. >>Yeah. It's like having two security guards by your side, right? I mean, they're gonna help you get through the crowd and move forward. So Michael, thanks so much for coming to theCUBE. Thanks for having me. Thanks for your time. You're very welcome. All right. Keep it right there. After this short break, Dave Vellante will be back with theCUBE live coverage from Fal.Con 22 at the ARIA in Las Vegas.

Published Date : Sep 21 2022


Rob Picard, Vanta | CrowdStrike Fal.Con 2022


 

>> Hi, we're back, day two of Fal.Con 2022. We're live from the Aria in Las Vegas, SiliconANGLE's theCUBE. My name is Dave Vellante and Rob Picard is here. He's the security lead for Vanta, a company that CrowdStrike just made an investment in. Rob, thanks for coming to theCUBE.

>> Thank you very much. Happy to be here. So

>> That's big news. You know, you got a big name like CrowdStrike, strategic investment. Tell us about that.

>> Yeah, it's very exciting because CrowdStrike obviously is, you know, a major name in the security space and Vanta is really leading the way in a lot of the compliance automation, but being able to sort of dip into that security space more and more, having CrowdStrike behind us is huge.

>> What is compliance automation? Tell us more about what Vanta does. Yeah.

>> So Vanta ultimately is a tool that gives you an automatic way to prepare for your SOC 2 audit or your ISO 27001 audit or, you know, insert long list of dozens of standards we're working on here. But in the olden days you would provide a thousand screenshots to an auditor that proves that for the past year, past six months, you've been doing what you say you're doing. Vanta just plugs directly into your systems and proves that evidence to them without the need for all of

>> That. Okay. So software as a service and you, yeah. Software, charge monthly or, okay.

>> Yeah, something like that.

>> Educate me. If I'm cloud first or cloud only, can't I just pull a SOC report off of AWS and send that to the auditors and say, here you go?

>> That'll help. Right? Like if you do that, if you're in AWS and you pull their, you know, I think their Security Hub, you can pull some of these controls in. Right. But the question is, what do you do then about your endpoints, right? What do you do about, hey, did we offboard everybody from all of the systems we have enabled, right? All of the SaaS systems we use. And so what Vanta does is we integrate with AWS, but we also integrate with every other system you're using, including your HR system and your identity provider, to make sure that, hey, you know, all of these things are working in sync to ensure your compliance. So

>> You're a relatively new parent, but you ever, you know, the book, If You Give a Mouse a Cookie, you will, you will, the whole thing is you give a mouse a cookie, and then 8 million things happen, all these other dependencies. And it goes around and around and around. Yes. He's gonna want some milk. Okay. I feel like it's the same thing in your world, right? I mean, is there an end? When do you know you're done?

>> Yeah. I mean, ultimately, you know, you're done when the auditor hands you your SOC 2 report, you know, you have your attestation, you say, hey, I'm SOC 2 compliant. Or, you know, your ISO cert, but even then it's gonna keep going. Right. I think the tricky part is there are some key systems that you want to have, you know, your eyes on, and you wanna be monitoring and making sure that, hey, in a year from now, when that audit happens, I'm not gonna be surprised at what they find. Right. And those are gonna be your cloud provider. Right. Those are gonna be your HR system telling you when people joined, when people left, and those are gonna be your identity provider and your endpoints, right.

>> Are you guys obviously compliance experts? Is it really a matter of sort of codifying that expertise? Or is there a machine intelligence component involved, you know, discovery? How does it work?

>> That's a great question, actually. And I think part of it is, you know, encoding that expertise in the product and making sure that, you know, there's not necessarily, you know, if you ask any given SOC 2 auditor for like, hey, what controls should I be using that you're gonna audit me against? And it's your job to come up with the control. So they'll provide you some, you know, their set, but it's gonna be different between them, right? The standard itself is not a list of controls, but what we can do is we can provide you that list of controls and say like, hey, we've actually worked with a ton of auditors and they've worked with us and we can say, this is what you need to do to get started here. And then if you have custom controls to add later, you want, you can do that.

>> But so part of that's encoding the expertise, but then part of it is just understanding the world of the auditors enough that we can help guide you through it. Because, you know, like you said, you can go to AWS, you can download a report, right, that says, look, I have, you know, these SOC 2 controls passed right now, but the question is, you know, you still have to then go hand that to an auditor, have conversations with them, get through all of their questions back to you. And that can get really, really in the weeds. So we have like teams of experts who sit on calls with auditors and customers and help them through this stuff when needed. Right. And hopefully it's not needed as much when you're, you know, automating most of it. So

>> That's a component of your offering, is a services capability. Is that part of the offering? Is that a for-pay service?

>> Yeah. So, you know, you have to talk to the sales team to understand how they bundle it all, but, you know, essentially we have these professional services teams and these partners that jump in. I think a lot of times it really is just, hey, like the auditor asks this question. We don't know how to answer it. We'll send somebody to jump on,

>> Let's jump on a call. Exactly. But if you need more intense, you

>> Know, work services, then maybe that's available. Yeah.

>> Okay. And is there a privacy aspect of your software?

>> Yeah. So Vanta software does actually also support GDPR and CCPA to kind of help you. You know, it's hard to get your head around that stuff. You wanna talk about like encoding expertise, you know, having people inside Vanta who can talk through the product and say like, hey, this is what we need to test for in a customer's environment. And this is what we need to point to that maybe, you know, you can't automatically test for, but we can give them some template policies or procedures for them to have in their company. And we can provide all of that to try to help you feel good about, hey, we're compliant with GDPR or we're compliant with CCPA and we're not gonna have problems here. And,

>> And data sovereignty, I presume, is part of that. Like,

>> You know, data sovereignty, man. I'm not the expert on data sovereignty. I'll tell you that. But I know that is definitely a part of that. I don't know, you know, how deep it goes when it comes to, you know, the requirements of any given company.

>> Well, it's tricky because a lot of it hasn't been tested in courts of law. That's just sort of guidelines there. Yeah. And then a lot of times you don't, how do you really know where the data is? Right. I mean, you kind of can infer it, but,

>> And you can get real clever. You can start encrypting data that sits somewhere here, but you have the keys over here and say, no, no, no, the keys are in the right country. You know, that counts,

>> Right. It gets real tricky. It's not really been tested, the logic of that. What are the hard parts of what you guys do, and what makes you different from everybody else out there?

>> Yeah. I mean, I think I'd say a couple things are really hard about what we do, right. One is maintaining good reputations with auditors, because the goal is ultimately that an auditor sees Vanta and they say, okay, Vanta says that checkbox is checked. I don't have to worry about it. And that's where we are with so many auditors today. Right. But that wasn't like that in the beginning. In the beginning, it was, you know, hey, we're showing you the code that actually looks and checks that box. Right. But the other hard part is just integrating with the long tail of systems that every customer needs, right? Like if you use a certain HR system and we don't support it, then that's gonna really dampen your value that you get outta the product. So the engineering challenge is maintaining a reliable set of both high quality tests and high quality integrations with these services,

>> What are the synergies with CrowdStrike? Kind of, you know, maybe it seems obvious, but explain where you pick up and where they leave off.

>> Yeah. I think that's a great point. So, you know, we have a very simple agent that will run, if you need something on your laptop that says, hey, look, this laptop, the disk is encrypted, right? The screen lock is set appropriately for my controls, right? So we have some basic capabilities. It's based on osquery, for those interested, but it's not a full-fledged endpoint protection platform. Right. And that's where something like CrowdStrike can come in, where we can integrate with them and say, okay, hey, if you're ready to move on to something that's a little bit more full-fledged and a little bit more of a, you know, gonna protect you against malware and that sort of thing, then you can move onto CrowdStrike and we can integrate directly with them and we can pull all the information we need and we can check all those boxes for you that say, hey, you have appropriate malware protection, you have disks encrypted, you have whatever it may be. Right. We can pull that information from them. And we can also help you make sure that the people who have access to CrowdStrike itself in your company are the right set of people.

>> Who do you sell to? Do you sell to the audit function within a company? Or do you sell directly to big auditors? Both.

>> So it's, we're mainly selling to whoever's responsible for getting that SOC 2, getting that ISO, getting GDPR, you know, all these sorts of things at a company, right? So for a small business, right, a startup that's like two people could

>> Be the developer

>> Team. Exactly. We're selling either to the founders or developers or something like that. And we're saying, hey, you don't wanna think about this at all. We can get you like 80% of the way there without having to send a single screenshot. And then there's like 20% of like, all right, we'll help you, you know, partner you with the right auditor that's good for your company and get you over the line. But then as we go and we sell to a mid-market company, or, you know, even potentially an enterprise, we're talking to people who have very specific expertise in either security or compliance, who also don't wanna have to do all this manual work.

>> And it's a pure SaaS model. It runs in the cloud. How does it work? I just point it at whatever software I want to, to, to, to get, you know, certified

>> That's exactly right. It's pure SaaS. You go to, you know, app.vanta.com. You log in and then you go to the integrations page, right. You're starting fresh. And you say, okay, well, AWS, here's how you integrate AWS. Right? We use their assume-role functionality and stuff like that to pull in, you know, read-only data from AWS. And then you can also go to your Okta and you can say, okay, well, I can connect here through Okta, through, you know, an Okta app, or I can connect to my Google through an OAuth that has the right permissions. So we try to just limit the amount of permissions we have or the scope of our, you know, roles. But really it's just, you know, it's all API-based integrations that we then just pull the data we need to prove that you're doing what you say you're doing, all

>> Well, Rob, congratulations on the funding and the activity here at CrowdStrike. Good show. So, you know, good luck to you in the future.

>> Thank you very much. All right.

>> You're very welcome. All right. Keep it right there. Dave Vellante for theCUBE. We'll be right back, right after this short break from Fal.Con 22, live from the Aria in Las Vegas.

Published Date : Sep 21 2022


Todd Crosley, CrowdStrike & Patrick McDowell, AWS | CrowdStrike Fal.Con 2022


 

Hi everybody, this is Dave Vellante, and this is day two of theCUBE's coverage of Fal.Con 2022. We're live from the Aria in Las Vegas. Everybody was out last night at the Brooklyn Bowl. Awesome band, customers were dancing, a lot of fun, a lot of business going on here. Todd Crosley's here, he's to my left. He's the senior director of cloud partnerships at CrowdStrike, and Patrick McDowell is the global technical lead for security partners at AWS. These guys have been partnering for a long time and we're going to dig into that partnership. Gents, welcome to theCUBE.

Thanks for having us. Thanks. Happy birthday.

You're very welcome. Todd, talk about the history of the relationship. You guys are kind of bet business on each other, but take us back.

Sure thing. So, you know, yesterday or the day before, the company turned 11 years old or so. I think George talked a lot about that the other day. But we've actually been working closely with the Amazon team for more than five years at this point, and it's really evolved into a strategic collaboration, really. So, from an executive on down, into field alignment, channel alignment, the marketing team, and the build team, where we work with Patrick and his extended team on different service integrations and different, you know, effectively positive security outcomes for the customers together.

I mean, Patrick, if you think about the history of AWS, it's like you guys realized you had lightning in a bottle and then also realized, wow, an ecosystem play is the way to go. And when you go to re:Invent it's palpable, the ecosystem innovation and the flywheel effect that you've created. But what's AWS's perspective on the partnership with CrowdStrike?

Yeah, it's essential to us and our customers, right? So we've been doing deep integrations probably since, I think the first big one of CrowdStrike was with GuardDuty, Amazon GuardDuty, which is our easy-to-use threat detection service in AWS, one click on, and their threat intelligence is actually built directly into that service. So an AWS customer turns on GuardDuty, it's automatically being enhanced and enriched with Falcon X threat intelligence by default.

Yeah, so the cloud has become the first line of defense for a lot of the CISOs that I talk to. You know, everybody's cloud first, cloud first, and it's like, okay, that's awesome because cloud has really good security, but then it's, okay, but if there's some differences, I got, there's a shared security model that I have to understand. And so when you guys talk to customers, I know, you know, one of the leadership principles is you got to be focused, you know, insanely focused on customers. CrowdStrike, very customer focused as well. That's how you sort of created this company that is doing such innovative things. What are customers telling you about how they want you to work together? What kind of feedback are you getting? Any other examples that you might have in the future?

Yeah, sure thing, I'll go first. So, they depend on, like you said, this shared security model, but there's ample opportunity where vendors like CrowdStrike, and we've worked with Patrick's team extensively, to pinpoint areas where we can provide. So examples of that would be like in compute. So, like, you recently released the Graviton processors. We've had a recent success with a customer where they've walked down their digital transformation journey. They were looking to switch over to the Graviton processors, and we worked closely with Patrick's team to say, okay, we're going to certify our sensor on that particular area of compute so the customer can continue to enjoy CrowdStrike in our single-platform, cloud-first native platform, to say, okay, you've got skill sets on the on-prem environment, your endpoint environment, and good news, you're switching to Graviton, no problem, we still support that. And we've been able to do that by working closely with each other, inclusive not just the architects, but the product teams work closely together as well.

Yeah, in this customer case, you know, CrowdStrike already supported for Amazon Linux, but this customer, a very large customer of ours, needed to move 10,000 EC2 instances to Graviton on Red Hat Linux, not Amazon Linux. So we got CrowdStrike engineering, our engineering, our architects, and we were able to get this customer Red Hat support for Graviton within two months, right, in production, ready to go, and unblock this migration.

So I love the Graviton example. So what I always default to when somebody says, oh, we're cloud native, I'd say, are you running on Graviton? Because Graviton is Amazon's custom silicon that complements what you're doing with Intel, what you're doing with AMD, and there are all kinds of different instance types, but it's based on an Arm system and it's delivering new levels of performance and an energy reduction, if I can use that term, and it's on a new curve.

Yeah, and so tremendous cost savings as well, right? I think out of the box with no change in the application you're getting 20.

And I don't even think you're really driving it as hard as you can, is my assessment, but you gotta be considerate of these days. So, but that's an example of how you're using, from a technology standpoint, cloud native, and then sort of partnering. Does this, you know, Graviton one, Graviton2, Graviton3, I'm sure there'll be Graviton 10 someday.

No doubt. I think it's a good example of us working closely together, paying attention to the customer's needs and making sure they don't miss a step and still stop the breach and pay attention to their security needs.

So you're part of the APN, the Amazon Partner Network.

Yep.

What do you got to do to be, like, certified at an elite level there? You probably have to go through a lot of hoops, and maybe you could describe what you guys do there and how you work together to ensure that a company is adequate and more than adequate for its customers.

Yeah, sure thing. So we've participated in, and we're certified in, for example, the security competency area, which elevates us amongst other security ISVs. We're one of the few that have that. We participate in the Well-Architected program, which means that we've demonstrated a common set of criteria and customer references. I mean, that's an example. Another area where we've participated quite a bit is in the land of digital supply chains, notably AWS Marketplace, where we've latched on to many of their features and capabilities and participated in strategic programs, whether it be, you know, including the channel partner, or taking a look at traditional private offers, or taking a look at, like, the looping in the entire ecosystem to make sure the customer gets what they need.

So how do you integrate with things like Control Tower? Where are the seams, and how do you make that as seamless as possible for customers? Or maybe you can explain what Control Tower

Yeah, so they have multiple integrations for Control Tower. For their CSPM, Horizon, it automatically onboards new AWS accounts. So, you know, as you're vending accounts, you're giving to more DevOps teams, Horizon is automatically deploying and being protected those accounts. So it has those guardrails in place for customers in a nice, easy-to-use deployment model that you don't have to think about, right? So Control Tower in general, it kind of gives customers guardrails, an easy button. If you're new to AWS, I'm migrating, hey AWS, can you just tell me the best practices, how should I set up my accounts, I need a landing zone, I'm doing migration. So it's really like a wizard for getting started in AWS, and CrowdStrike integrates that with Falcon Discover as well as Falcon Horizon and your age

So yeah, you guys really don't compete. You know, maybe there's some overlap. Overlap is better than gaps. But, you know, when you take something like, you know, network firewalls and things like that, Amazon brings that to the table and then CrowdStrike will build on top of that. Is that correct?

Yeah, I'll take this one. So George has said it, CrowdStrike is not a network security company, right? However, they have an integration using their threat intelligence on our Amazon Network Firewall. So AWS, Amazon and CrowdStrike coming together actually have a joint offering for customers in a space that CrowdStrike has never been in before itself. So I think that's very exciting.

So yeah, yeah, all those integrations that Pat's talking about, we've actually cataloged the whole thing on a GitHub page, where we find that's where customers go. They took a look at the integration and the supporting documentation, we're like, okay, yeah, this makes sense, these two companies augment each other well, and it turns out to be a good outcome.

And you check, you'll take telemetry data from the AWS cloud, you can take it from, you know, any, your agents can run anywhere, right? And then you bring that in to the, or I guess you sort of, you index it, in my term, in the AWS cloud enables that because you've got virtually unlimited scaling capability, and that's kind of where you guys started.

Yeah, cloud native dogma.

That's right, yeah. It's a competitive differentiator for us. We think it's nice, we're a market leader in our space and Amazon's a market leader in their space, and we've got a lot of synergy together.

Where do you guys, last question, where do you guys respectively want to see the relationship go? If you had to put on your binoculars or even telescope, where do you want to see this go?

Well, I think we're all in the business of accelerating positive security outcomes for the customer, and what we're doing is we're spending a lot of time educating our respective fields and respective customers to know that these integrations do in fact exist. They absolutely complement each other. We were in a meeting, you know, maybe six, ten months ago, where a CIO said, I didn't know that the two products work so well together, speaking about the Control Tower and Horizon particular example. Had I known that, I would have bought it a lot quicker. This is a great outcome, and the fact that you're working with Amazon together is a bit of a relief. So that was nice.

Yeah, I'm gonna echo what George Kurtz said in his keynote yesterday, that, like, security's a journey, XDR is a journey, and I think the work that we did on the Open Cybersecurity Schema Framework, which is an open source common security language that all vendors can use, including AWS and CrowdStrike, I think that is where we're going to see the industry rally around in the upcoming year. There's so much security data, there's a common, now, language that all products and clouds could talk to each other.

That's right. Tell me more about it. OCSF, is that right? Where did that come from?

Yeah, so it's an open source framework, and, you know, both CrowdStrike, AWS and other, you know, players in the industry are like, there's a common problem, none of our products talk together. It's all about customer benefit, right? So what can we do to democratize security data, make things talk well, play together? Everyone wants to do more analytics on lots of data lakes, so this is where it's all coming together.

Yeah, better collaboration in industry obviously is needed, and then the other piece is education. You guys both sort of refer to that. That's what I, when I come to conferences like this, and re:Inforce as well, is a lot of it. I mean, I remember the first re:Inforce was like explaining the shared responsibility model. Now of course a lot of people understood it, but a lot of people didn't. When you fast forward to 2022 and re:Invent, it was a lot more focused on how to really exploit the capabilities that AWS has. And then here at CrowdStrike it's like, okay, helping practitioners really understand how to take advantage of the full platform, and that's, to your point Patrick, the journey. All right guys, hey, we got to go. Thanks so much.

Thank you for having us.

All right, keep it right there. Fast and furious day two from CrowdStrike's Fal.Con 2022. You're watching theCUBE. [Music]

Published Date : Sep 21 2022


Amanda Adams, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>Hi, we're back. We're watching, you're watching the cube coverage of Falcon 2022 live from the aria in Las Vegas, Dave Valante with Dave Nicholson and we, yes, folks, there are females in the cyber security industry. Amanda Adams is here. So the vice president of America Alliance at CrowdStrike. Thanks for coming on. >>Thank you so much for having me. >>We it's, it's fantastic to, to actually, as I was starting to wonder, but we >>Do have females in leadership. >>Wait, I'm just kidding. There are plenty of females here, but this cybersecurity industry in general, maybe if we have time, we can talk about that, but I wanna talk about the, the Alliance program, but before I do, yeah. You know, you, you got a nice career here at CrowdStrike, right? You've kind of seen the ascendancy, the rocket ship you've been on it for five years. Yep. So what's that been like? And if you had to put on the binoculars and look five years forward, what can you tell us in that 10 year span? Oh >>My goodness. What a journey it's been over the last five, six years. I've been with CrowdStrike almost six years and really starting with our first core group of partners and building out the alliances, seen obviously the transformation with our sales organization. And as we scaled, I think of our, of our technology. We started with, I think, two products at that time, we were focused on reinventing how our customers thought about NextGen AB but also endpoint detection response. From there, the evolution is really driving towards that cloud security platform, right? How our partners fit into that. And, and how we've evolved is it's not just resell. It's not just focusing on the margin and transactions. We really have focused on building the strategic relationships with our partners, but also our customers and fitting them in that better together story with that CrowdStrike platform. It's been the biggest shift. Yeah. >>And you've got that. The platform chops for that. 
It's just, I think you're up to 22 modules now. So you're not a point product. You guys make that, that, that point a lot. Now, in terms of the, the partners and the ecosystem, you know, it's, it's, it's good here. I mean, it's, this it's buzzing. I've said it's like service. I've said, number of times, it's like ServiceNow back in 2013, I was there now. They didn't have the down market, the SMB that you have that's right. And I think you you're gonna have an order. You got 20,000 customers. That's right. I predict CrowdStrike's gonna have 200,000. I, I'm not gonna predict when I need to think about that. But, but in thinking about the, the, the co your colleagues and the partners and the skill sets that have evolved, what's critical today? And, and, and what do you see as critical in the future? >>So from a skill set standpoint, if I'm a partner and engaging with CrowdStrike and our customers, if you think about, again, evolving away from just resell, we have eight routes to market. So while that may sound complicated, the way that I like to think about it is that we truly flex to our partners, go to market their business models of what works best for their organization, but also their customers. The way that they've changed, I think from a skillset standpoint is looking beyond just the technology from a platform, building a better together story with our tech Alliance partners or store, if thinking about the XDR Alliance, which we are focusing on, there's so much great value in bringing that to our customers from a skillset standpoint, beyond those services services, we've talked about every day. I know that this is gonna be a top topic for the week yesterday through our partner summit, George, our CEO, as well as Jim Cidel, that's really the opportunity as we expand in new modules.
If you think about Humio or LogScale, identity, and then cloud, our partners play a critical role when it comes into the cloud migration deployment integration services, really, we're not gonna get bigger from a services organization. And that's where we need our partners to step in. >>Yeah. And, you know, we we've talked a lot about XDR yeah. Already in day one here. Yeah. With, with the X extending into other areas. That's right. I think that services be, would become even more critical at that point, you know, as you spread out into the, really the internet of things that's right. Especially all of the old things that are out there that maybe should be on the internet, but aren't yet. Yeah. But once they are security is important. So what are you doing in that arena from a services perspective to, to bolster that capability? Is it, is it, is it internally, or is it through partners generally? >>It's definitely, I think we look to our partners to extend beyond the core of what we do. We do endpoint really well, right? Our services is one of the best in the business. When you look at incident response, our proactive services, supporting our customers. If you think to XDR of integration, building out those connector packs with our customers, building the alliances, we really do work with our partners to drive that successful outcome with our customers. But also too, I think about it with our tech alliances of building out the integration that takes a lot of effort and work. We have a great team internally, which will help guide those services to be, to be built. Right. You have to have support when you're building the integrations, which is great, but really from like a tech Alliance and store standpoint, looking to add use cases, add value to more store apps for our customers, that's where we're headed. Right. >>What about developers? Do you see that as a component of the ecosystem in the future? Yeah, >>Without a doubt.
I mean, I think that as our partner program evolves right now working with our, our developers, I mean, there's different personas that we work with with our customer standpoint, but from a partner working with them to build our new codes, the integration that's gonna be pretty important. >>So we were, we sort of tongue in cheek at the beginning of this interview yeah. With women in tech. And it's a, it's a topic that, on theCUBE that we've been very passionate about since day one yep. On theCUBE. So how'd you get in to this business? H how did your, your career progress, how did you get to where you are? >>You know, I have been incredibly fortunate to have connections, and I think it's who, you know, and your network, not necessarily what, you know, to a certain extent, you have to be smart to make it long term. Right. You have to have integrity. Do what you're saying. You're gonna do. I first started at Cisco and I had a connection of, it was actually a parent of somebody I grew up with. And they're like, you would fit in very nicely to Cisco. And I started with their channel marketing team, learned a ton about the business, how to structure, how to support. And that was the first step into technology. If you would've asked me 20 years ago, what did I wanna do? I actually wanted to be a GM of an organization. And I was coming outta I come on, which is great, which I'm, it really is right up. >>If you knew me, you're like, that actually makes a lot of sense. But coming outta college, I had an opportunity. I was interviewing with the Golden State Warriors in California, and I was interviewing with Cisco and that I had two ops and I was living in San Jose at the time. The Golden State Warriors of course paid less. It was a better opportunity in sales, but it was obviously where I wanted to go from athletics. And I grew up in athletics, playing volleyball. Cisco paid me more, and it was in San Jose.
And really the, the Golden State Warriors seemed that I was having that conversation. They said, one, your commute is gonna be awful. It's awful from San Jose to Oakland, but also too, like you have more money on the table. Go take that. And so I could have very much ended up in athletics, most likely in the back office, somewhere. Like I would love that. And then from there, I went from Cisco. I actually worked for a reseller for quite some time, looking at, or selling into Manhattan when I moved from California to Manhattan, went to Tenable. And that was when I shifted really into channel management. I love relationships, getting to know people, building partnerships, seeing that long term, that's really where I thrive. And then from there came to CrowdStrike, which in itself has been an incredible journey. I bet. Yeah. >>Yeah. I think there's an important thread there to pull on. And that is, we, we put a lot of emphasis on STEM, which people, some sometimes translate into one thing, writing code that's right. There are, but would you agree? There are many, many, many opportunities in tech that aren't just coding. >>Absolutely. >>And I think I, as a father of three daughters, it's, it's a message that I have shared with them. Yeah. They are not interested in the coding part of things, but still, they need to know that there are so many opportunities and, and it's always, sometimes it's happenstance in terms of finding the opportunity in your case, it was, you know, cosmic connection that's right. But, but that's, you know, that's something that we can foster is that idea that it's not just about the hardcore engineering and coding aspect, it's business >>That's right. So if, if there was one thing that I can walk away from today is I say that all the time, right? If you look at CrowdStrike in our mission, we really don't have a mission statement. We stop breaches every single day. When I come to work and I support our partners, I'm not super technical.
I obviously know our technology and I, I enable and train our partners, but I'm not coding. Right. And I make an impact to our business, our partners, more importantly, our customers, every single day, we have folks that you can come from a marketing operations. There is legal, there's finance. I deal with folks all across the business that aren't super technical, but are making a huge impact. And I, I don't think that we talk about the opportunities outside of engineering with the broader groups. We talk about STEM a lot, but within college, and I look to see like getting those early in career folks, either through an intern program could be sales, but too, if they don't like, like sales, then they shift into marketing or operations. It's a great way to get into the industry. >>Yeah. But I still think you gotta like tech to be in the tech business. Oh, you >>Do? Yeah. You do. I'm >>Not saying it's like deep down is like, not all of us, but a lot of us are kind of just, you know, well, at least you, >>At least you can't hate it. >>Right. Okay. But so women, 50% of the population, I think the stat is 17% in the technology. Yeah. Industry, maybe it's changed a little bit, but you know, 20% or, or less, why do you think that is? >>I, you know, I always go back to within technology, people hire from their network and people that they know, and usually your network are people that are very like-minded or similar to you. I have referred females into CrowdStrike. It's a priority of mine. I also have a circle that is also men, but also too, if you look at the folks that are hired into CrowdStrike, but also other technology companies, that's the first thing that I go to also too. I think it's a little bit intimidating. Right. I have a very strong personality and I'm very direct, but also too, like I can keep up with our industry when it comes to that stereotypes essentially. And some people maybe are introverted and they're not quite sure where they fit in. Right.
Whether it's marketing operations, et cetera. So they, they're not sure of the opportunities or even aware of where to get started. You know what I mean? >>Yeah. I mean, I think there is a, a, a stereotype today, but I'm not sure why it's, is it unique to the, to the technology industry? No. Is it not? Right? It happens >>Thinking, I mean, there's so many industries where healthcare, >>Maybe not so much. Right. Because you know, >>You have nurses versus doctors. I feel like that is flipped. >>Yeah. That's true. Nurses versus doctors. Right. Well, I, I know a lot of women doctors though, but >>Yeah. That's kind of flipped. It's better. >>Yeah. Says >>Flipped over. Yeah. I think it's more women in medical school now, but than than men. But, >>And, and I do think in our industry, you know, when you look at companies like IBM, HPE, Cisco, Dell, and, and, and many others. Yeah. They are making a concerted effort for, around diversity. They typically have somebody who's in charge of diversity. They report, you know, maybe not directly to the CEO, but they certainly have a seat at the table. That's right. And you know, maybe you call it, oh, it's quotas. Maybe the, the old white guys feel, you know, a little slighted, whatever. It's like, nobody's crying for us. I mean, it's not like we got screwed. >>See, no problema, we can do this in Spanish. Oh, oh, >>Oh, you're not an old white guy. Sorry. We can do >>This in Spanish if you want. >>Okay. Here we go. So, no, but, but, but I, so I do think that, that the industry in general, I talked to John Chambers about this recently and he was like, look, we gotta do way better. And I don't disagree with that. But I think that, I think the industry is doing better, but I wonder if like a rocket ship company, like CrowdStrike who has so many other things going on, you know, maybe they gotta get you a certain size. I mean, you've reached escape velocity. You're doing obviously a lot of corporate, you know, good. Yeah.
You know, and, and, and, and we just had earlier on we, you know, motor motor guides was very cool. Yeah. So maybe it's a maturity thing. Maybe these larger companies with you crowd size $40 billion market cap, but maybe the, the hundred plus billion dollar market cap companies. I don't know. I don't know. You guys got a bigger market cap than Dell. So >>I, I don't think it's necessarily related to market cap. I think it's the size of the organization of how many roles are open that we currently write. So we're at just over 6,000 employees. If you look at Cisco, how many thousands of employees they have there's >>Right. Maybe a hundred thousand employees. >>That's right. There's >>More opportunities. How many, what's a headcount of CrowdStrike >>Just over 6,000, >>6,000. So, okay. But >>If you think about the, the areas of opportunity for advancement, and we were talking about this earlier, when you look at early in career or entry level, it's actually quite, even right across the Americas of, we do have a great female population. And then as progression happens, that's where it, it tees off from a, a female in leadership. And we're doing, we're focusing on that, right? Under JC Herrera's leadership, as well as with George. One of the things that I always think is important though, is that you're mindful as, as the female within the organization and that you're out seeking somebody, who's not only a mentor, but is a direct champion for you when you're not in the room. Right. This is true of CrowdStrike. It's true of every organization. You're not gonna be aware of the opportunities as the roles are being created. And really, as the roles are being created, they probably have somebody in mind. Right. And so if you have somebody that's in that room says, you know what, Amanda Adams would be perfect for that. Let's go talk to her about it. You have to have somebody who's your champion. Yeah.
>>There there's, there's, there's a saying that 80% of the most important moments in your life happen in your absence. Yeah. And that's exactly right. You know, when they're, when someone needs to be there to champion, you, >>Did that happen for you? >>Yes. I have a very strong champion. >>So I mean, I, my observation is if, if you are a woman in tech and you're in a senior leadership position, like you are, or you're a, you're a general manager or a P and L manager or a CEO, you have to be so incredibly talented because all things being equal, maybe it's changing somewhat in some of those companies I talked about, but for the last 30 years, all things being equal, a, a, a woman is gonna lose out to a man who is as qualified. And, and I think that's maybe slowly changing. Maybe you agree with that, maybe you don't. And maybe that's, some people think that's unfair, but you know, think about people of color. Right. They, they, they, they grew up with less op opportunities for education. And this is just the statistics that's right. Right. So should society overcompensate for that? I personally think, yes, the, the answer is just, they should, there should still be some type of meritocracy that's right. You know, but society has a responsibility to, you know, rise up all ships. >>I think there's a couple ways that you can address that through Falcon funds, scholarship programs, absolutely. Looking at supporting folks that are coming outta school, our internship program, providing those opportunities, but then just being mindful right. Of whether or not you publish the stats or not. We do have somebody who's responsible for D I, within CrowdStrike. They are looking at that and at least taking that step to understand what can we do to support the advancement across minorities. But also women is really, really important. >>Did you not have a good educational opportunity when you were growing up where you're like you had to me? Yeah, no, seriously, >>No. Seriously.
I went to pretty scary schools. Right. >>Okay. So you could have gone down a really bad path. >>I, a lot of people that I grew up with went down really, really bad paths. I think the inflection point at, at least for me what the inflection point was becoming aware of this entire universe. Yeah. I was, I was headed down a path where I wasn't aware that any of this existed, when I got out of college, they were advertising in the newspaper for Cisco sales engineers, $150,000 a year. We will train. I'm a smart guy. I had no idea what that meant. Right. I could have easily gone and gotten one of those jobs. It was seven or eight years before I intersected with the tech world again. And so, you know, kind of parallel with your experience with you had someone randomly, it's like, you'd be great at Cisco. Yeah. But if, if you're not around that, and so you take people in different communities who are just, this might as well be a different planet. Yes. Yeah. The idea of eating in a restaurant where someone is serving you, food is uncomfortable, right? The idea of checking into a hotel, the idea of flying somewhere on an airplane, we talk about imposter syndrome. That's right. There are deep seated discomfort levels that people have because they just, this is completely foreign, but >>You're saying you could have foreign, you could have gone down a path where selling drugs or jacking cars was, was, was lucrative. >>I had, I had, yeah. I mean, we're getting, we're getting like deep into societal things. I was, I was very lucky. My parents were very, very young, but they're still together to this day. I had loving parents. We were very, very poor. We were surrounded by really, really, really bad stuff. So. >>Okay. So, so, okay. So this, >>I, I don't, I don't compare my situation to others. >>White woman. That's I guess this is my point. Yeah. The dynamic is different than, than a kid who grew up in the inner city. Yes. Right. 
And, and, and they're both important to address, but yeah. I think you gotta address them in different ways. >>Yes. But if they're, but if they're both completely ignorant of this, >>They don't know it. So it's lack of >>A, they'll never be here. >>You >>Never be here. And it's such a huge, this is such a huge difference from the rest of the world and from the rest, from the rest of our economy. >>So what would you tell a young girl? My daughters, aren't interested in tech. They want to go into fashion or healthcare, whatever Dave's daughters maybe would be a young girl, preteen, maybe teen interested in, not sure which path, why tech, what would advice would you give? >>I think just understanding what you enjoy about life, right? Like which skills are you great at? What characteristics about roles and not really focusing on a specific product. Definitely not cybersecurity versus like the broader network. I mean, literally what do you enjoy doing? And then the roles of, you know, from the skillset that's needed, whether that be marketing, and then you can start to dive into, do I wanna support marketing for a corporate environment for retail, for technology like that will come and follow your passion, which I know is so easy to say, right? But if you're passionate about certain things, I love relationships. I think that holding myself from integrity standpoint, leading with integrity, but building strong relationships on trust, that's something I take really pride in and what I get enjoyment with. It's >>Obviously your superpower. >>It, >>It is. >>But >>Then it will go back to OST too, just being authentic in the process of building those relationships, being direct to the transparency of understanding, like again, knowing what you're good at and then where you can fit into an organization, awareness of technology opportunities, I think will all lend that to. 
But I also wouldn't worry, like when I was 17 years old, I, I thought I would be playing volleyball in college and then going to work for a professional sports team. You know, life works out very differently. Yeah. >>Right. And then, and for those of you out there, so I love that. Thank you for that great interview. Really appreciate letting us go far afield. For those of you might say, well, I don't know, man. I don't know what my passion is. I'll give you a line from my daughter, Alicia, you don't learn a lot for your kids. She said, well, if you don't know what your passion is, follow your curiosity. That's great. There you go. Amanda Adams. Thanks so much. It was great to have you on. Okay. Thank you. Keep it right there. We're back with George Kurtz. We're to the short break. Dave Vellante, Dave Nicholson. You're watching theCUBE from Fal.Con 22 in Las Vegas.

Published Date : Sep 21 2022

Adam Meyers, CrowdStrike | CrowdStrike Fal.Con 2022


 

>> We're back at the ARIA Las Vegas. We're covering CrowdStrike's Fal.Con 22. First one since 2019. Dave Vellante and Dave Nicholson on theCUBE. Adam Meyers is here, he is the Senior Vice President of Intelligence at CrowdStrike. Adam, thanks for coming to theCUBE. >> Thanks for having me. >> Interesting times, isn't it? You're very welcome. Senior Vice President of Intelligence, tell us what your role is. >> So I run all of our intelligence offerings. All of our analysts, we have a couple hundred analysts that work at CrowdStrike tracking threat actors. There's 185 threat actors that we track today. We're constantly adding more of them and it requires us to really have that visibility and understand how they operate so that we can inform our other products: our XDR, our Cloud Workload Protections and really integrate all of this around the threat actor. >> So it's that threat hunting capability that CrowdStrike has. That's what you're sort of... >> Well, so think of it this way. When we launched the company 11 years ago yesterday, what we wanted to do was to tell customers, to tell people that, well, you don't have a malware problem, you have an adversary problem. There are humans that are out there conducting these attacks, and if you know who they are what they're up to, how they operate then you're better positioned to defend against them. And so that's really at the core, what CrowdStrike started with and all of our products are powered by intelligence. All of our services are our OverWatch and our Falcon complete, all powered by intelligence because we want to know who the threat actors are and what they're doing so we can stop them. >> So for instance like you can stop known malware. A lot of companies can stop known malware, but you also can stop unknown malware. And I infer that the intelligence is part of that equation, is that right? >> Absolutely. That that's the outcome. 
That's the output of the intelligence but I could also tell you who these threat actors are, where they're operating out of, show you pictures of some of them, that's the threat intel. We are tracking down to the individual persona in many cases, these various threats whether they be Chinese nation state, Russian threat actors, Iran, North Korea, we track as I said, quite a few of these threats. And over time, we develop a really robust deep knowledge about who they are and how they operate. >> Okay. And we're going to get into some of that, the big four and cyber. But before we do, I want to ask you about the eCrime index stats, the ECX you guys call it a little side joke for all your nerds out there. Maybe you could explain that Adam >> Assembly humor. >> Yeah right, right. So, but, what is that index? You guys, how often do you publish it? What are you learning from that? >> Yeah, so it was modeled off of the Dow Jones industrial average. So if you look at the Dow Jones it's a composite index that was started in the late 1800s. And they took a couple of different companies that were the industrial component of the economy back then, right. Textiles and railroads and coal and steel and things like that. And they use that to approximate the overall health of the economy. So if you take these different stocks together, swizzle 'em together, and figure out some sort of number you could say, look, it's up. The economy's doing good. It's down, not doing so good. So after World War II, everybody was exuberant and positive about the end of the war. The DGI goes up, the oil crisis in the seventies goes down, COVID hits goes up, sorry, goes down. And then everybody realizes that they can use Amazon still and they can still get the things they need goes back up with the eCrime index. We took that approach to say what is the health of the underground economy? 
When you read about any of these ransomware attacks or data extortion attacks there are criminal groups that are working together in order to get things spammed out or to buy credentials and things like that. And so what the eCrime index does is it takes 24 different observables, right? The price of a ransom, the number of ransom attacks, the fluctuation in cryptocurrency, how much stolen material is being sold for on the underground. And we're constantly computing this number to understand is the eCrime ecosystem healthy? Is it thriving or is it under pressure? And that lets us understand what's going on in the world and kind of contextualize it. Give an example, Microsoft on Patch Tuesday releases 56 vulnerabilities. 11 of them are critical. Well guess what? After hack Tuesday. So after Patch Tuesday is hack Wednesday. And so all of those 11 vulnerabilities are exploitable. And now you have threat actors that have a whole new array of weapons that they can deploy and bring to bear against their victims after that Patch Tuesday. So that's hack Wednesday. Conversely we'll get something like the Colonial Pipeline. Colonial Pipeline attack May of '21, I think it was, comes out and all of the various underground forums where these ransomware operators are doing their business. They freak out because they don't want law enforcement. President Biden is talking about them and he's putting pressure on them. They don't want this ransomware component of what they're doing to bring law enforcement, bring heat on them. So they deplatform them. They kick 'em off. And when they do that, the ransomware stops being as much of a factor at that point in time. And the eCrime index goes down. So we can look at holidays, and right around Thanksgiving, which is coming up pretty soon, it's going to go up because there's so much online commerce with Cyber Monday and such, right? You're going to see this increase in online activity; eCrime actors want to take advantage of that.
When Christmas comes, they take vacation too; they're going to spend time with their families, so it goes back down and it stays down till around the end of the Russian Orthodox Christmas, which you can probably extrapolate why that is. And then it goes back up. So as it's fluctuating, it gives us the ability to really just start tracking what that economy looks like. >> Realtime indicator of that crypto. >> I mean, you talked about, talked about hack Wednesday, and before that you mentioned, you know, the big four, and I think you said 185 threat actors that you're tracking, is 180, is number 185 on that list? Somebody living in their basement in their mom's basement or are the resources necessary to get on that list? Such that it's like, no, no, no, no. this is very, very organized, large groups of people. Hollywood would have you believe that it's guy with a laptop, hack Wednesday, (Dave Nicholson mimics keyboard clacking noises) and everything done. >> Right. >> Are there individuals who are doing things like that or are these typically very well organized? >> That's a great question. And I think it's an important one to ask and it's both it tends to be more, the bigger groups. There are some one-off ones where it's one or two people. Sometimes they get big. Sometimes they get small. One of the big challenges. Have you heard of ransomware as a service? >> Of course. Oh my God. Any knucklehead can be a ransomwarist. >> Exactly. So we don't track those knuckleheads as much unless they get onto our radar somehow, they're conducting a lot of operations against our customers or something like that. But what we do track is that ransomware as a service platform because the affiliates, the people that are using it they come, they go and, you know, it could be they're only there for a period of time. Sometimes they move between different ransomware services, right? 
They'll use the one that's most useful for them that that week or that month, they're getting the best rate because it's rev sharing. They get a percentage that platform gets percentage of the ransom. So, you know, they negotiate a better deal. They might move to a different ransomware platform. So that's really hard to track. And it's also, you know, I think more important for us to understand the platform and the technology that is being used than the individual that's doing it. >> Yeah. Makes sense. Alright, let's talk about the big four. China, Iran, North Korea, and Russia. Tell us about, you know, how you monitor these folks. Are there different signatures for each? Can you actually tell, you know based on the hack who's behind it? >> So yeah, it starts off, you know motivation is a huge factor. China conducts espionage, they do it for diplomatic purposes. They do it for military and political purposes. And they do it for economic espionage. All of these things map to known policies that they put out, the Five Year Plan, the Made in China 2025, the Belt and Road Initiative, it's all part of their efforts to become a regional and ultimately a global hegemon. >> They're not stealing nickels and dimes. >> No they're stealing intellectual property. They're stealing trade secrets. They're stealing negotiation points. When there's, you know a high speed rail or something like that. And they use a set of tools and they have a set of behaviors and they have a set of infrastructure and a set of targets that as we look at all of these things together we can derive who they are by motivation and the longer we observe them, the more data we get, the more we can get that attribution. I could tell you that there's X number of Chinese threat groups that we track under Panda, right? And they're associated with the Ministry of State Security. There's a whole other set. That's too associated with the People's Liberation Army Strategic Support Force. 
So, I mean, these are big operations. They're intelligence agencies that are operating out of China. Iran has a different set of targets. They have a different set of motives. They go after North American and Israeli businesses right now that's kind of their main operation. And they're doing something called hack and lock and leak. With a lock and leak, what they're doing is they're deploying ransomware. They don't care about getting a ransom payment. They're just doing it to disrupt the target. And then they're leaking information that they steal during that operation that brings embarrassment. It brings compliance, regulatory, legal impact for that particular entity. So it's disruptive >> The chaos creators that's.. >> Well, you know I think they're trying to create a they're trying to really impact the legitimacy of some of these targets and the trust that their customers and their partners and people have in them. And that is psychological warfare in a certain way. And it, you know is really part of their broader initiative. Look at some of the other things that they've done they've hacked into like the missile defense system in Israel, and they've turned on the sirens, right? Those are all things that they're doing for a specific purpose, and that's not China, right? Like as you start to look at this stuff, you can start to really understand what they're up to. Russia very much been busy targeting NATO and NATO countries and Ukraine. Obviously the conflict that started in February has been a huge focus for these threat actors. And then as we look at North Korea, totally different. They're doing, there was a major crypto attack today. They're going after these crypto platforms, they're going after DeFi platforms. They're going after all of this stuff that most people don't even understand and they're stealing the crypto currency and they're using it for revenue generation. 
These nuclear weapons don't pay for themselves, their research and development don't pay for themselves. And so they're using that cyber operation to either steal money or steal intelligence. >> They need the cash. Yeah. >> Yeah. And they also do economic targeting because Kim Jong Un had said back in 2016 that they need to improve the lives of North Koreans. They have this national economic development strategy. And that means that they need, you know, I think only 30% of North Korea has access to reliable power. So having access to clean energy sources and renewable energy sources, that's important to keep the people happy and stop them from rising up against the regime. So that's the type of economic espionage that they're conducting. >> Well, those are the big four. If there were big five or six, I would presume US and some Western European countries would be on there. Do you track, I mean, where United States obviously has, you know, people that are capable of this, we're out doing our thing, and- >> So I think- >> That defense or offense, where do we sit in this matrix? >> Well, I think the big five would probably include eCrime. We also track India, Pakistan. We track actors out of Colombia, out of Turkey, out of Syria. So there's a whole, you know, this problem is getting worse over time. It's proliferating. And I think COVID was also, you know, a driver there because so many of these countries couldn't move human assets around because everything was getting locked down. As machine learning and artificial intelligence and all of this makes its way into the cameras at border and transfer points, it's hard to get a human asset through there. And so cyber is a very attractive, cheap and deniable form of espionage and gives them operational capabilities, not, you know, and to your question about US and other kind of Five Eyes friendly type countries, we have not seen them targeting our customers. So we focus on the threats that target our customers. >> Right. 
>> And so, you know, if we were to find them at a customer environment sure. But you know, when you look at some of the public reporting that's out there, the malware that's associated with them is focused on, you know, real bad people, and it's, it's physically like crypted to their hard drive. So unless you have sensor on, you know, an Iranian or some other laptop that might be target or something like that. >> Well, like Stuxnet did. >> Yeah. >> Right so. >> You won't see it. Right. See, so yeah. >> Well Symantec saw it but way back when right? Back in the day. >> Well, I mean, if you want to go down that route I think it actually came from a company in the region that was doing the IR and they were working with Symantec. >> Oh, okay. So, okay. So it was a local >> Yeah. I think Crisis, I think was the company that first identified it. And then they worked with Symantec. >> It Was, they found it, I guess, a logic controller. I forget what it was. >> It was a long time ago, so I might not have that completely right. >> But it was a seminal moment in the industry. >> Oh. And it was a seminal moment for Iran because you know, that I think caused them to get into cyber operations. Right. When they realized that something like that could happen that bolstered, you know there was a lot of underground hacking forums in Iran. And, you know, after Stuxnet, we started seeing that those hackers were dropping their hacker names and they were starting businesses. They were starting to try to go after government contracts. And they were starting to build training offensive programs, things like that because, you know they realized that this is an opportunity there. >> Yeah. We were talking earlier about this with Shawn and, you know, in the nuclear war, you know the Cold War days, you had the mutually assured destruction. It's not as black and white in the cyber world. Right. Cause as, as Robert Gates told me, you know a few years ago, we have a lot more to lose. 
So we have to be somewhat, as the United States, careful as to how much of an offensive posture we take. >> Well here's a secret. So I have a background on political science. So mutually assured destruction, I think is a deterrent strategy where you have two kind of two, two entities that like they will destroy each other if they so they're disinclined to go down that route. >> Right. >> With cyber I really don't like that mutually assured destruction >> That doesn't fit right. >> I think it's deterrence by denial. Right? So raising the cost, if they were to conduct a cyber operation, raising that cost that they don't want to do it, they don't want to incur the impact of that. Right. And think about this in terms of a lot of people are asking about would China invade Taiwan. And so as you look at the cost that that would have on the Chinese military, the PLA, the PLA Navy et cetera, you know, that's that deterrence by denial, trying to, trying to make the costs so high that they don't want to do it. And I think that's a better fit for cyber to try to figure out how can we raise the cost to the adversary if they operate against our customers against our enterprises and that they'll go someplace else and do something else. >> Well, that's a retaliatory strike, isn't it? I mean, is that what you're saying? >> No, definitely not. >> It's more of reducing their return on investment essentially. >> Yeah. >> And incenting them- disincenting them to do X and sending them off somewhere else. >> Right. And threat actors, whether they be criminals or nation states, you know, Bruce Lee had this great quote that was "be like water", right? Like take the path of least resistance, like water will. Threat actors do that too. So, I mean, unless you're super high value target that they absolutely have to get into by any means necessary, then if you become too hard of a target, they're going to move on to somebody that's a little easier. >> Makes sense. Awesome. 
Really appreciate your, I could, we'd love to have you back. >> Anytime. >> Go deeper. Adam Meyers. We're here at Fal.Con 22, Dave Vellante, Dave Nicholson. We'll be right back right after this short break. (bouncy music plays)

Published Date : Sep 21 2022


Michael Rogers, CrowdStrike | CrowdStrike Fal.Con 2022


 

Okay, we're back at Fal.Con 2022, CrowdStrike's big user conference, first time in a couple of years, obviously because of COVID. This is theCUBE's coverage, Dave Vellante and Dave Nicholson, wall-to-wall coverage, two days in a row. Michael Rogers is here, the newly minted vice president of global alliances at CrowdStrike. Michael, first of all, congratulations on the new appointment and welcome to theCUBE. >> Thank you very much. It's an honor to be here. >> So dial back just a bit, like think about your first hundred days in this new role. What was it like? Who'd you talk to? What'd you learn? >> Wow. Well, the first hundred days were filled with excitement, I would say 18 plus hours a day, getting to know the team across the globe, a wonderful team across all of the partner types that we cover, and just digging in and spending time with people and understanding what the partner needs were. And it was just, it was a blur, but a blast. >> I agree. Any common patterns that you heard that you could sort of coalesce around? >> Yeah, I mean, I think that really a common thing that we hear at CrowdStrike, whether it's internal or external, is getting to the market as fast as possible. There's so much opportunity, and every time we open a door, the resource investment we need, we continue to invest in resources. And that was an area that we identified and quickly pivoted and started making some of those new investments in the structure of the organization, how we cover partners, how we optimize the different routes to market with our partners. And yeah, it's been a wonderful experience. And in my 25 years of cybersecurity, actually 24 and a half as of Saturday, I can tell you that I have never felt and had a better experience in terms of culture, people, and a greater mission for our customers and our partners. >> It's funny, a lot of times, Dave, we talk about this, we learned a lot from Amazon AWS with the cloud, you know, taking something
you did internally, pointing it externally, two-pizza teams, there's the shared responsibility model, we talk about that. And one of the things is blockers, you know, Amazon uses that term, blocker. So were there any blockers that you identified that you're sort of working with the partner ecosystem to knock down to accelerate that go-to-market? >> Well, I mean, if I think about what we had put in place prior, and I had the benefit of being vice president of Americas prior to the appointment, and had the pleasure of succeeding my dear friend and mentor Matthew Pauley, a lot of that groundwork was put in place, and we work collectively as a leadership team to knock down a lot of those blockers. And I think really, as I came into the opportunity and we made new investments going into the fiscal year, it's really getting to market as fast as possible. It's a massive target addressable market, and identifying the right routes and how to harness that power of we to drive the most value to the marketplace. >> What does that look like in terms of alliances? Alliances can take a lot of shape. We've talked to service providers today as an example. Are global systems integrators in that group also? What does the range look like? >> Yeah, I mean, alliances at CrowdStrike, and it's a great question because a lot of times people think alliances and they only think of technology alliances, and for us it spans really any and all routes to market. It could be your traditional solution providers, which might be regionally focused, it could be nationally focused, larger solution providers or LARs, as you noted, service providers and telcos, global system integrators, MSSPs, IoT partners, OEM partners, and CrowdStrike Store partners. So you look across that broad spectrum and we cover it all. >> So the MSSPs, we heard a lot about that on the recent earnings call. We've heard this is a consistent theme, we've interviewed a couple here today. What's driving that? I mean, is
it the fact that CISOs are just, you know, drowning for talent? And why CrowdStrike? Why is there such an affinity between MSSPs and CrowdStrike? >> Yeah, a great question. And you noted that succinctly, that CISOs today are faced with, the number one challenge is lack of resources in cybersecurity. The last that I heard was, you know, in the hundreds of thousands, like 350,000, and that's an old stat. So I would venture to guess that the open positions in cybersecurity are north of a half a million as we sit here today. And service providers and MSSPs are focused on providing service to those customers that are understaffed and have that personnel need, and they are harnessing the CrowdStrike platform to bring a cloud-native, best-of-breed solution to their customers to augment and enhance the services that they bring to those customers. >> So, partner survey. Tell us about the, I love surveys, I love data, you know this. What was the genesis of the survey? Who took it? Give us the breakdown. >> Yeah, that's a great question. Nothing is more important than the feedback that we get from our partners. So every single year we do a partner survey. It reaches all partner types in the ecosystem, and we use the net promoter score model. And so we look at ourselves in terms of how we rate against other SaaS solution providers, and then we look at how we did last year and in the next year. And so I'm happy to say that we increased our net promoter score by 16 percent year over year. But my philosophy is there's always room for improvement. So the feedback from our partners: on the positive side, they love the Falcon platform, they love the CrowdStrike technology, they love the people that they work with at CrowdStrike, and they like our enablement programs. The areas that they'd like to see more investment in is the partner program, better and enhanced enablement, making it easier to work with CrowdStrike, and more opportunities to offer services, enhanced services, to their
customers. >> Dramatic differences between the types of partners? And if so, you know, why do you think those were? I mean, like you mentioned, you know, IoT partners, that's kind of a new area, so maybe there was less awareness there. Were there any sort of differences that you noticed by type of partner? >> I would say that, you know, the partners that identified areas for improvement were the partners that either were new to CrowdStrike or they're areas that we're just investing in as we expand as a company, and a demand from the market is, you know, pull this thing into these new routes to market. Not one in particular. I mean, IoT is something that we're looking to really blow up in the next 12 to 18 months. But no, no common thread, consistent feedback across the partner base. >> Speaking of IoT, he brought it up before. Is it, you see it as an adjacency to IT? It seems like IT and OT used to never talk to each other, and now they're increasingly doing so, but it still seems like different worlds. What have you found and learned in that IoT partner space? >> Yeah, I mean, I think the key, and the way we look at the journey, is it starts with discovery, discovering the assets that are in the OT environment. It then transitions to detection and response and really prevention. And once you can solve that and you build that trust through certifications in the industry, you know, it really is a game changer. >> Anytime you have global in your job title, first word that comes to mind, for me anyway, is sovereignty issues. Is that something that you deal with in this space, in terms of partners that you're working with, focusing on partners in certain regions so that they can comply with any governance or sovereignty? >> Yeah, that's a great question, Dave. I mean, we have a fantastic and deep bench on our compliance team, and there are certain, you know, parameters and processes that have been put in place
to make sure that we have a solid understanding in all markets in terms of sovereignty and where we're able to play and how that... >> Were you North America before, or Americas? >> Americas. >> Americas, so you're familiar with the sovereignty issue. >> Yeah, a little already. Latin America certainly exposed me to plenty of that. >> Yes, 100%. So you mentioned TAM before. I think it was total available market. You had a different word for the T. >> Total addressable market. >> Total addressable market, okay, fine. So I'm hearing global, that's a TAM expansion opportunity. IoT is definitely, you know, the OT piece, and then just working better, you know, better groove, swing, with the partners for higher velocity. When you think about the total available, total addressable market, and accelerating penetration and growing your TAM, I've seen the charts in your investor presentation, and, you know, it starts out small and then grows to, you know, I think it could be 100 billion. I do a lot of TAM analysis, but just my back-of-napkin had you guys approaching 100 billion anyway. How do you think about the TAM, and what role do partners play in terms of increasing your TAM? >> Yeah, that's a great question. I mean, if you think about it today, George announced on the day after our 11th anniversary as a company 20,000 customers. And if you look at that addressable market just in the SMB space, it's north of 50 million companies that are running on legacy on-prem solutions, and it really provides us an opportunity to provide those customers with next-generation threat protection and detection and response. Partners are the route to get there. There is no doubt that we cannot cover 50 million companies. It requires a span of a number of service providers and MSSPs to get to that market, and that's where we're making our bets. >> What's an SMB that is a candidate for CrowdStrike, like employee size, or how do you look at that? Like, what's the sort of minimum range? >> Yeah, the
way we segment out the SMB space, it's 250 seats or endpoints and below. >> 250 endpoints? >> Yes. >> Right, and so it's going to be fairly significant. >> So math changes with XDR, with the X in XDR being extended. The greater number of endpoints means that a customer today, when you talk about total addressable market, that market can expand even without expanding the number of net new customers. Is that a fair... >> Yeah, fair assessment. >> Yep. >> Yeah, you got that way, in that way. But map that to, like, company size. Can you, roughly, what's the smallest S that would do business with CrowdStrike? >> Yeah, I mean, we have companies as small as five employees that will leverage CrowdStrike. >> Yeah. >> 100%. >> And they've got hundreds of endpoints? >> Oh no, I'm sorry, five endpoints is... >> Oh, okay. So it's kind of 250 endpoints as well, like the app, that's the sweets, that's kind of the top line we look at, and then we focus... >> Oh, okay. >> When we define SMB, it's below. >> So five to 250 endpoints. >> Right, yes. >> And so roughly, you're talking to companies with less than 100 employees, right? >> Yeah, yeah. >> So, I mean, this is what I was talking about before. I say, I look around the ecosystem myself, it kind of reminds me of ServiceNow in 2013. But ServiceNow never had an SMB play, right? And, you know, very kind of proprietary, closed platform. Not that you don't have a lot of propriety in your platform, you do, but they were never going to get down market there, and their TAM is not as big in my view. But I mean, your TAM is, when you start bringing in IoT, it's mind-boggling. >> It's endless how large it could be. >> Yeah. All right, so what's your vision for the Elevate program, partner program? >> Well, I look at a couple things that we have in place today. One is, we've established for the first time ever at CrowdStrike the Alliance program management office, APMO, and that team is focused on building out our next-generation partner program. And that's, you know, processes, it's ring
fencing, but most importantly, identifying capabilities for partners to expand, to reduce friction, and grow their business together with CrowdStrike. We also look at what we call program harmony, and that's taking all of the partner types, or the majority of the partner types, and starting to look at it with the customer in the middle. And so multiple partners can play a role on the journey, to bringing a customer on board initially, to supporting that customer going forward, and they can all participate and be rewarded for their contribution to that opportunity. So it's really a key area for us going forward. >> Hub and spoke model, with the center of that model is the customer, you're saying. That's good. Okay, so you're not, like, necessarily fighting each other for a sort of ownership of that model. Cool. Michael Rogers, thanks so much for coming on theCUBE. It was great to have you. >> My pleasure. Thank you for having me. >> You're welcome. All right, keep it right there. Dave Nicholson and Dave Vellante, we'll be right back to Fal.Con 22 from the Aria in Las Vegas. You're watching theCUBE. [Music]

Published Date : Sep 21 2022


Kevin Mandia, Mandiant & Shawn Henry, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>Welcome back to the Aria in Las Vegas, Dave Vellante with Dave Nicholson, Fal.Con 22, theCUBE's continuous coverage. Shawn Henry is here. He's the president of the services division and he's the chief security officer at CrowdStrike. And he's joined by Kevin Mandia, CEO of Mandiant, now part of Google. Gents, welcome to theCUBE. >>Thank you. >>Congrats on closing the Google deal. >>Thank you. >>That's great. New chapter. >>New chapter. >>Coming fresh off the keynote, you and George. I really enjoyed that. Let's start there. One of the things you talked about was the changes, you've been in this business for a while. I think you were talking about, you know, doing some of these early stuff in the nineties. Wow. Things have changed a lot. The queen, right? Right. You used to put the perimeter around the queen. Yeah. Build the moat. The queen's left her castle. New ballgame. But you were talking about the board level knowledge of security in the organization. Talk about that change that's occurred in the last decade. >>You know, boards are all about governance, right? Making sure everybody's doing the right things. And they've kind of had a hall pass on cybersecurity for a long time. Like we expect them to be great at financial diligence, they understand the financials of an organization. You're gonna see a maturity, I think in cybersecurity where I think board members all know, Hey, there's risk out there. And we're on our own to kind of defend ourselves from it, but they don't know how to quantify it. And they don't know how to express it. So bottom line boards are interested in cyber and we just have to mature as an industry to give them the tools they need to measure it appropriately. >>Shawn, one of the things I wanted to ask you. So Steven Schmidt, I noticed changed his title from CISO, chief information security officer, to chief security officer. Your title is chief security officer. Is that a nuance that has meaning to you or is it just less acronym? 
>>It depends on the organization that you're in, in our organization, the chief security officer owns all risks. So I have a CISO that comes underneath me. Yep. And I've got security folks that are handling our facilities, our personnel, those sorts of things, all, all of our offices around the globe. So it's all things security. One of the things that we've found and Kevin and I were actually talking about this earlier is this intersection between the physical world and the virtual world. And if you've got adversaries that want to gain access to your organization, they might do it remotely by trying to hack into your network. But they also might try to get one of your employees to take an action on their behalf, or they might try to get somebody hired into your company to take some nefarious acts. So from a security perspective, it's about building an envelope around all things valuable and then working it in a collaborative way. So there's a lot of interface, a lot of interaction and a lot of value in putting those things together. >>And you're also president of the services division. Is that a P and L role or >>It is, we have a, it's P and L. And we have an entire organization that's doing incident response and it's a lot of the work that we're doing with, with Kevin's folks now. So I've got both of those hats today. >>Okay. So self-funded so in a way, okay. Where are companies most at risk today? >>Huh? You wanna go on that one first? Shawn, you talk faster than me. So it's bigger bang for the buck. If you talk. >>You know, when I, when I think about, about companies in terms of, of their risk, it's a lot of it has to do with the expansion of the network. Companies are adding new applications, new devices, they're expanding into new areas. There are new technologies that are being developed every day and that are being embraced every day. And all of those technologies, all of those applications, all of that hardware is susceptible to attack. 
Adversaries are looking for the vulnerabilities they can exploit. And I think just kind of that sprawl is something that is, is disconcerting to me from a security perspective, we need to know where our assets are, where the vulnerabilities lie, how do we plug the holes? And having that visibility is really critical to ensure that you're involved in mitigating that, that new architecture, >>Anything you >>Did. Yeah. I would like when I, so I can just tell you what I'm hearing from CISOs out there. They're worried about identity, the lateral movement. That's been kind of part of every impactful breach. So in identity's kind of top three of mind, I would say zero trust, whatever that means. And we all have our own definitions of migration to zero trust and supply chain risk. You know, whether they're the supplier, they wanna make sure they can prove to their customers, they have great security practices. Or if they're a consumer of a supply chain, you need to understand who's in their supply chain. What are their dependencies? How secure are they? Those are just three topics that come up all the time. >>As we extend, you know, talking about XDR the X being extend. Do you see physical security as something that's being extended into? Or is it, or is it already kind of readily accepted that physical security goes hand in hand with information security? >>I, I don't think a lot of people think that way there certainly are some and Dave mentions Amazon and Steve Schmidt as a CSO, right? There's a CSO that works for him as well. CJ's clear integration. There's an intelligence component to that. And I think that there are certain organizations that are starting to recognize and understand that when we say there's no real perimeter, it, it expands the network expands into the physical space. 
And if you're not protecting that, you know, if you don't protect the, the server room and somebody can actually walk in, the door's unlocked, you've got a vulnerability that might be exploited. So I think to, to recognize the value of that integration from a security perspective, to be holistic and for organizations to adopt a security-first philosophy that all the employees recognize they're, they're the, the first line of defense. Oftentimes not just from a phish, but by somebody catching up with them and handing 'em a thumb drive, Hey, can you take a look at this document for me? That's a potential vulnerability as well. So those things need to be integrated. >>I thought the most interesting part of the keynote this morning is when George asked you about election security and you immediately went to the election infrastructure. I was like, yeah. Okay. Yeah. But then I was so happy to hear you. You went to the disinformation, I learned something there about your monitoring, the network effects. Sure. And, and actually there's a career stream around that. Right. The reason I had so years ago I interviewed was like, this was 2016, Robert Gates. Okay. Former defense. And I, I said, yeah, but don't we have the best cyber can't we go on the offense. He said, wait a minute, we have the most to lose. Right. But, but you gave an example where you can identify the bots. Like let's say there's disinformation out there. You could actually use bots in a positive way to disseminate the, the truth in theory. Good. Is, is that something that's actually happening >>Out there? Well, I think we're all still learning. You know, you can have deep fakes, both audible files or visual files, right. And images. And there's no question. The next generation, you do have to professionalize the news that you consume. And we're probably gonna have to professionalize the other side critical thinking because we are a marketplace of ideas in an open society. 
And it's hard to tell where's the line between someone's opinion and intentional deception, you know, and sometimes it could be the source, a foreign threat, trying to influence the hearts and minds of citizens, but there's gonna be an internal threat or domestic threat as well to people that have certain ideas and concepts that they're zealots about. >>Is it enough to, is it enough to simply expose where the information is coming from? Because, you know, look, I, I could make the case that the Red Sox, right, are a horrible baseball team, and you should never go to Fenway >>And your Yankees jersey. >>Right. Right. So is that disinformation, is that misinformation? He'd say yes. Someone else would say no, but it would be good to know that a thousand bots from some troll farm, right. Are behind us. >>There's, it's helpful to know if something can be tied to identity or is totally anonymous. Start just there. Yeah. Yeah. You can still protect the identity over time. I think all of us, if you're gonna trust the source, you actually know the source. Right. So I do believe, and, and by the way, much longer conversation about anonymity versus privacy and then trust, right. And all three, you could spend this whole interview on, but we have to have a trustworthy internet as well. And that's not just in the tech and the security of it, but over time it could very well be how we're being manipulated as citizens and people. >>When you guys talk to customers and, and peers, when somebody gets breached, what's the number one thing that you hear that they wished they'd done that they didn't. >>I think we talked about this earlier, and I think identity is something that we're talking about here. How are you, how are you protecting your assets? How do you know who's authorized to have access? How do you contain the, the access that they have? 
And the, the area we see with, with these malware-free attacks, where adversaries are using the existing capabilities, the operating system to move laterally through the network. I mean, Kevin's folks, my folks, when we respond to an incident, it's about looking at that lateral movement to try and get a full understanding of where the adversary's been, where they're going, what they're doing, and to try to, to find a root cause analysis. And it really is a, a critical part. >>So part of the reason I was asking you about, was it a P and L cuz you, you wear two hats, right? You've got revenue generation on one side and then you've got you protect, you know, the company and you've got peer relationships. So the reason I bring this up is I felt like when Stuxnet occurred, there was a lot of lip service around, Hey, we, as an industry are gonna work together. And then what you saw was a lot of attempts to monetize, you know, private data, sell private reports and things of that nature you were referencing today, Kevin, that you think the industry's doing a much better job of, of collaboration. Is it, can you talk about that and maybe give some examples? >>Absolutely. I mean, you know, I lived through it as a victim of a breach couple years ago. If you see something new and novel, I, I just can't imagine you getting away with keeping it a secret. I mean, I would even go, what are you doing? Harboring that if you have it, that doesn't mean you tell the whole world, you don't come on your show and say, Hey, we got something new novel, everybody panic, you start contacting the people that are most germane to fixing the problem before you tell the world. So if I see something that's new and novel, certainly con Shawn and the team at CrowdStrike saying, Hey, there's because they protect so many endpoints and they defend nations and you gotta get to Microsoft. You have to talk to PAN. You have to get to the companies that have a large capability to do shields up. 
And I think you do that immediately. You can't sit on new and novel. You get to the vendor where the vulnerability is, all these things have to happen at a great rate of speed. >>So you guys probably won't comment, but I'm betting dollars to donuts. This Uber Lapsus$ hack you guys knew about. >>I turned to you. >>No comment. I'm guessing. I'm guessing that the, that wasn't novel. My point being, let me, let me ask it in a more generic fashion that you can maybe comment you you're. I think you're my, my inference is we're com the industry is compressing the time between a zero day and a fix. Absolutely. Absolutely. Like dramatically. >>Yes. Oh, awareness of it and a fix. Yes. Yeah. >>Okay. Yeah. And a lot of the hacks that we see as lay people in the media you've known about for quite some time, is that fair or no, not necessarily. >>It's, you know, it's harder to handle an intrusion quietly and discreetly these days, especially with what you're up against and, and most CEOs, by the way, their intent isn't, let's handle it quietly and discreetly it's what do we do about it? And what's the right way to handle it. And they wanna inform their customers and they wanna inform people that might be impacted. I wouldn't say we know it all that far ahead of time >>And, and depends. And, and I, I think companies don't know it. Yeah. Companies don't know they've been breached for weeks or months or years in some cases. Right. Which talks about a couple things, first of all, some of the sophistication of the adversaries, but it also talks about the inability of companies to often detect this type of activity when we're brought in. It's typically very quickly after the company finds out because they recognize they've gotta take action. They've got liability, they've got brand protection. There, whole sorts of, of things they need to take care of. 
And we're brought in it may or may not be, become public, but >>CrowdStrike was founded on the premise that the unstoppable breach is a myth. Now that's a, that's a bold sort of vision. We're not there yet, obviously. And a and a, and a, a CSO can't, you know, accept that. Right. You've gotta always be vigilant, but is that something that is, that we're gonna actually see manifest, you know, in any, any time in the near term? I mean, thinking about the Falcon platform, you guys are users of that. I don't know if that is part of the answer, but part of it's technology, but without the cultural aspects, the people side of things, you're never gonna get there. >>I can tell you, I started Mandiant in 2004 at the premise security breaches are inevitable, far less marketable. Yeah. You know, stop breaches. >>So >>Yeah. I, I think you have to learn how to manage this, right? It's like healthcare, you're not gonna stop every disease, but there's a lot of things that you can do to mitigate the consequences of those things. The same thing with network security, there's a lot of actions that organizations can take to help protect them in a way that allows them to live and, and operate in a, in a, a strong position. If companies are lackadaisical that irresponsible, they don't care. Those are companies that are gonna suffer. But I think you can manage this if you're using the right technology, the right people, you've got the right philosophy security first >>In, in the culture. >>Well, I can tell you very quickly, three reasons why people think, why is there an intrusion? It should just go away. Well, wherever money goes, crime follows. We still have crime. So you're still gonna have intrusions, whether it has to be someone on the inside or faulty software and people being paid the right faulty software, you're gonna have war. That's gonna create war in the cyber domain. So information warriors are gonna try to have intrusions to get to command and control. 
So wherever you have command and control, you'll have a war fighter. And then wherever you have information, you have espionage. So you're gonna have people trying to break in at all times. >>And, and to tie that up because everything Kevin said is absolutely right. And what he just said at the very end was people, there are human beings that are on the other side of every single attack. And think about this until you physically get to the people that are doing it and stop them. Yes, this will go on forever because you can block them, but they're gonna move and you can block them again. They're gonna move their objectives. Don't change because the information you have, whether it's financial information, intellectual property, strategic military information, that's still there. They will always come at it, which is where that physical component comes in. If you're able to block well enough and they can't get you remotely, they might send somebody in. Well, >>I, in the keynote, I, I'm not kidding. I'm looking around the room and I'm thinking there's at least one person here that is here primarily to gather intelligence, to help them defeat. What's being talked about here. >>Well, you said it's, >>It's kind >>Of creepy. You said the adversary is, is very well equipped and motivated. Why do you rob banks? Well, that's where the money is, but it's more than that. Now with state-sponsored terrorism and, you know, exfiltration of state secrets, I mean, there's, it's high-stakes games. You got, this >>Has become a tool of nation states in terms from a political perspective, from a military perspective, if you look at what happened with Ukraine and Russia, all the work that was done in advance by the Russians to soften up the Ukrainians, not just collection of intelligence, not just denial of services, but then disruptive attacks to change the entire complexity of the battlefield. This, this is a, an area that's never going away. 
It's becoming ingrained in our lives. And it's gonna be utilized for nefarious acts for many, many decades to come. >>I mean, you're right, Shawn, we're seeing the future of war right before us is, is there's. There is going to be, there is a cyber component now in war, >>I think it signals the cyber component signals the silent intention of nations period, the silent projection of power probably before you see kinetics. >>And this is where Gates says we have a lot more to lose as a country. So it's hard for us to go on the offense. We have to be very careful about our offensive capabilities because >>Of one of the things that, that we do need to, to do though, is we need to define what the red lines are to adversaries. Because when you talk about human beings, you've gotta put a deterrent in place so that if the adversaries know that if you cross this line, this is what the response is going to be. It's the way things were done during nuclear proliferation, right? Right. During the cold war, here's what the actions are gonna be. It's gonna be, it's gonna be mutual destruction and you can't do it. And we didn't have a nuclear war. We're at a point now where adversaries are pushing the envelope constantly, where they're turning off the lights in certain countries where they're taking actions that are, are quite detrimental to the host governments and those red lines have to be very clear, very clearly defined and acted upon if they're >>Crossed as security experts. Can you always tie that signature back to say a particular country or a particular group? >>Absolutely. 100% every >>Time I know. Yeah. No, it it's. It's a great question. You, you need to get attribution right. To get to deterrence, right. And without attribution, where do you proportionate respond to whatever act you're responding to? So attribution's critical. 
Both our companies work hard at doing it and it, and that's why I think you're not gonna see too many false flag operations in cyberspace, but when you do and they're well crafted or one nation masquerades as another, it, it, it's one of the last rules of the playground I haven't seen broken yet. And that that'll be an unfortunate day. >>Yeah. Because that mutually assured destruction, a despot like Putin can say, well, it wasn't wasn't me. Right. So, and ironically, >>It's human intelligence, right. That ultimately is gonna be the only way to uncover >>That human intelligence is a big component. >>For sure. Right. And, and David, like when you go back to, you were referring to Robert Gates, it's the asymmetry of cyberspace, right? One person in one nation. That's not a control by asset could still do an act. And it, it just adds to the complexity of, we have attribution it's from that nation, but was it an order? Was it done on behalf of that nation? Very complicated. >>So this is an industry of superheroes. Thank you guys for all you do and appreciate you coming on theCUBE. Wow. >>I love your cape. >>Thank all right. Keep it right there. Dave Nicholson and Dave Vellante will be right back from Fal.Con 22 from the ARIA. You're watching theCUBE.

Published Date : Sep 21 2022


JC Herrera, CrowdStrike, Craig Neri & Diezel Lodder, Operation Motorsport | CrowdStrike Fal.Con 2022


 

>> Welcome back to Fal.Con 2022. This is Dave Vellante. We get a special presentation segment for you today. This is wall-to-wall day one of two days of theCUBE coverage. JC Herrera is here, he's my designated cohost. He's the chief human resource officer at CrowdStrike. Craig Neri is to my left. He's the beneficiary and the beneficiary trustee and ambassador of, of Operation Motorsport and former US Air Force. Thank you for your service. >> Thank you. >> And Diezel Lodder, who is CEO and co-founder of Operation Motorsport. Gents, welcome to theCUBE. Thanks so much for coming on. >> Thank you, Great to be here >> JC, set this up for us. Explain your role, explain the corporate giving, the whole student connection, and the veterans, take us through that. >> Yeah, sure. Yeah, so as, as head of HR, one of the one of the things that we do is, is help manage part of the corporate giving strategy. And, and one of those things that, that we love to do is to also invest in students and in our veterans, it's just a part of our giving program. So this partnership with Operation Motorsport is really critical to that. And if you want to dive a little bit deeper into that we just see that there's a gigantic skills gap in cybersecurity. And so when we, when there's over millions of open roles around the world and 700,000 of them in the US alone, we've got to go close that gap. And so our next gen scholarships that come out of the, our giving funds are, are awarded to students who are studying cyber security or AI. And the other side of that, is that this partnership with Operation Motorsport then, we get the opportunity to do some internships with veterans through Operation Motorsport as well. >> The number is 700,000 now, but pre pandemic I remember number 350, 350,000. It's, it's doubled now just in the US, amazing. All right, Diezel, tell us about the mission of Operation Motorsport like who are the beneficiaries let's get into it. 
>> So Operation Motorsport engages ill, injured, wounded service members, those that are medically retiring from the service or disabled veterans these individuals will be taken out of their units. They lose their team identity, their purpose. And, and what we do is those that apply to the program and have a desire to work around shiny objects and fast cars and all the great smells or just car guys or gals that we have some of those as well. They, we, we bring them onto the teams as beneficiaries. So embed them into a race team and give them opportunity to find something new. We're a recovery program. We're not about, you know, finding jobs for these folks. It's about networking and getting out of that, you know out of the dark places where some of them end up going because this is a, a huge change for them. And, and in doing so, we now expose them to CrowdStrike. You know, that's, that's one of the new relationships that, that we have where potentially if they want to they can pursue new opportunities in areas like cybersecurity. >> And they're chosen through an application process you're, I, I'm inferring. >> Yep. They just go online and say, you know through word of mouth or through a friend or through the, the USO and other organizations, they go online and they click the apply here and they fill it out. And, our beneficiary trustee Craig, and calls them up and says, Hey, tell me about what you're looking for. And, and we, we pair them up with the race team. >> And Craig you're also a, a beneficiary in addition to being the beneficiary trustee. So explain that, what's your story? >> Right. So I started in this organization as a beneficiary. I was the one that hit the button on the website. And, and then a few minutes later, I got a phone call from then Tiffany Lodder, Diezel's wife, who's our executive director in the organization. And, and I had that same conversation that I now have with beneficiaries today. 
I did a, I did a full season with them last year in 2021 as a beneficiary. But at the end I realized how big of an impact that this has with folks. Transition can be very difficult, especially if they're ill injured or wounded. And so I asked if I could help if I could give back cause it meant such, it had such a big impact on me. I'd like to, to help other veterans as well. >> Can I ask you what made you hit that button? What made you apply? >> Oh, that's a great question. So I was one of the very fortunate ones that had a transition coach. I was in the military for 29 years and had a lot of great connections in the military and, and was connected to a coach, a transition coach and just exploring, you know what that, what that would look like and she was the one who said, why don't we, why don't we explore this passion of Motorsports that you have? My family had been going to, to Motorsports events for you know, 50 years. And so, so I thought back, all right, this is I like this idea. Let's, let's pursue this. So a quick Google search and Operation Motorsport popped up and I hit the button. >> And what programs are available in Operation Motorsport? >> And so, Diezel kind of outline, outlined it. We have basically three different programs. We have the, our immersion program, which is exactly what Diezel described, where we take that veteran and we actually immerse them in a race team they're doing the, exactly what I was doing, doing tires and fuel and whatever the team needs them to do. We also have our E-motor sports program where folks who can't do the immersion program, immersion program is takes a pretty big time commitment sometimes. And so, they just don't have the capacity or abilities to be able to do those. We could put them in our E-motor sports program where they can do it all virtually. we're actually, we have a season going on right now where we're, we have veterans racing in that E-motor sports program. 
And then we have a, the diversionary therapy program where we have a, a Patriot car corral set up at all these tracks so, they can go out with like-minded individuals and spend the day out there with those folks, other veterans. And we do pit, pit tours and, and we get 'em out on the track for a little bit of a, you know, highway speeds nothing ridiculous, but we, we been doing some highway speeds. So we have a, a few, few different ways for them to be involved. >> So, so the number three is like a splash in the pond whereas number one's the, like full immersion. >> Yeah, correct, yes. >> And so what are you doing in the full immersion? What is, what is that like? I mean you're literally changing tires and, and you're, >> Yeah. You name it. >> In the, you're, you're in that sort of sphere of battle, if you will. >> The beauty of this is we could take somebody's capabilities and skill set and we can match it to whatever that looks like on a race team. Some people come in and have no experience whatsoever. And so we find a team that needs, you know, that has a development opportunities where they could come in, their, their initial job might be to fuel fuel cans or, you know, take tires off the car or wipe the car down, it's little things in the beginning. And then slowly as they start to grow and learn then they take on bigger roles. But we also have different positions. They can be immersed in, in teams, but they can also be immersed in the series. So we have folks that are doing like tech inspections. We have folks that are doing race control up in the, up in the tower, directing race operations. So, we have lots of opportunities, tons of potential. We, we foster those relationships and take the folks and whatever their capabilities and, and abilities are and find the right position for them. >> Think, thinking about your personal experience, how, how did it, how would you say it affected you? 
>> Yeah, um, to understand that you really have to understand military transition. And I think that's where a lot of the folks that have never experienced this really struggle. Transition from the military is really difficult. And it's really difficult, even if you're, if you're not broke and, or you don't have some kind of illness or injury but, you add that factor into it at the same time and it could be extremely difficult. And that's why we see like the 22 a day suicide rates with veterans, it's very, very high, Right? And so when you, when you come into this program, it's, it is a little bit of a leap of faith, right? This is very new experience for somebody, right? For somebody like myself who had 29 years of experience in the military, very senior person in the military. And now you're at the bottom of the totem pole and trying to figure it all out again, it's, it's a it's a big jump. But, what you realize really quickly is a lot of the things that you experience in the military you experience in that paddock, same exact things, lots of, small team environment, lots of diversity, lots of challenges, lots of roadblocks ups downs, you, you'd deploy just like you would deploy in, in the military you bring the cars to a track, you execute a mission then you pack it up and bring it home. So it's, there's so many similarities in the process. >> I mean, yeah. Diezel hear, hearing Craig explained that there are, the similarities sound very clear, but, but, but how did how'd you come up with this idea? (Diezel laughs) It makes sense now in retrospect, but, somebody just said Hey, you know, we have this and we have this and we can marry them or... >> No, not really. And it, it's a funny story because I always said, I, I, I don't believe in reinventing the wheel I believe in stealing the car. And so there's a sister organization that we have in the UK called Mission Motorsport. And, and, and they invented this five years before we did. And, and they were successful. 
And I was, you know, through, through friendships and opportunities, I got to witness it in, in 2016. So went over to, to Wales in, in the UK and, and watched it in action. And we were there for one race weekend, Race of Remembrance which is where we go back to we'll be going back to November, taking 13 beneficiaries over to race in our own race team for a 12 hour race. And that's a whole other story but that's where it all started. You know, we, we saw the opportunities and said, wow they're changing lives through recovery, you know through Motorsport and the similarities and what they were achieving, our initial goal was let's just come back and do this again next year, because we need to bring North American transitioning members over to, to witness this and take part. And then fast forward, we said, why stop there? And we, stood up an organization. Now, I'll tell you that the organization is not what it was the initial vision, this not where, I mean I never imagine that we get to this point this day especially with the announcement this morning, you know with the partnership with CrowdStrike, it it's huge for us but, we've evolved into something that was very similar to the initial vision. And that was, helping, helping medically transitioning service members with their own personal struggles and recovery. You know, the reason we call it Operation Motorsport is because operations have no beginning and no end and our, and what we do makes us so different in that we're not a one and done, we take care of these guys. Even when they become alumni, they, they still come back. They, they come back to volunteer they come back to check in their friends and, and all kinds, it's really, really neat. >> And, and JC of course CrowdStrike has an affinity for Motorsports, right? You got the logo on the Mercedes. You, you've got the safety car at this. I think it's called the safety car, right? >> That's it, yeah. >> So, okay. 
So that's an obvious connection, but, but where did the idea germinate for this partnership? >> There's so many things, but first and foremost, I think that the, the values of CrowdStrike and those of Operation Motorsport were very much aligned. If you think about it, we, we focus a lot on teamwork. There's no way we do these jobs without the teamwork part. We all love data. These guys are all in the data all the time trying to figure out, you know, what your adversaries are doing. So there's that kind of component to it. And I'd say the last bit is critical thinking. So when we think about our organizations and how well aligned they are, that was a, that was a no brainer. And into the other side of it, we get the opportunity to do mentorship programs. I mean, I think both ways, hopefully I get invited to the Patriot corral at some point I can go, go work on a car but, we'll do those both ways or mentorship opportunities. If folks from Operation Motorsport win a team up with a CrowdStrikers. >> Do you ever get to drive the car? Or is that just an awful question? >> No, it's a good question. Actually I do from the from the track to the pits at, you know, very slow speeds. >> They don't let you out on the track? >> That's right, no, I don't get to go out the track. >> Diezel, you ever, you ever drive one of these? >> I, I, I, I've been on, on the track on, on different cars not in the race cars that, that, that that are on the team, but something that's unique in the Patriot corral, for instance, because JC brought that up, is that when we do these Patriot corrals part of that program at lunchtime is, is taking the individuals and doing parade laps. And I'll, you know, a parade lap, well, what's the fun in that? but you drive highway speeds on a racetrack and your own personal car following a pace car, that's a pretty cool experience. >> Yeah, that's very cool. 
Guys, congratulations on this program and all your success and all the, the giving that you do for the community and, and your peers, really appreciate you guys coming on theCUBE and telling your story. >> Thanks for having us. >> Thanks for the opportunity. >> You're very welcome. All right, keep it right there everybody. Dave Vellante and Dave Nicholson, we'll be back from Fal.Con 2022, at the ARIA in Las Vegas. You're watching theCUBE. (relaxing music)

Published Date : Sep 20 2022



Geoff Swaine, CrowdStrike | CrowdStrike Fal.Con 2022


 

>>We're back with theCUBE at Fal.Con 2022, Dave Vellante and Dave Nicholson. We're at the ARIA. We do obvious of course, a lot of events in Las Vegas. It's the, it's the place to do events. Dave, I think is my sixth or seventh time here this year. At least. I don't know. I lose track. Geoff Swaine is here. He's the vice president of global programs store and tech alliances at CrowdStrike. Geoff. Good to see again. We saw each other at re:Inforce in July in Boston. >>Yes. Have it's great to see you again, Dave. Thank you very >>Much. And we talked about making this happen, so it's thrilled to be here at, at, at CrowdStrike Fal.Con. We're gonna talk today about the CrowdStrike XDR Alliance partners. First of all, what's XDR >>Well, I hope you were paying attention to George's George's keynote this morning. I guess. You know, the one thing we know is that if you ask 10, five people, what XDR is you'll get 10 answers. >>I like this answer a holistic approach to endpoint security. I, that was a, >>It was good. Simple. That >>Was a good one at Black Hat. So, but tell us about the XDR Alliance partners program. Give us the update there. >>Yeah, so I mean, we spoke about it at re:Inforce, you know, the XDR program is really predicated on having a robust ecosystem of partners to help us share that telemetry across all of the different parts of our customers' environment. So we've done a lot of work over the last few weeks and trying to bolster that environment, specifically, putting a, a lot of focus on firewall. You'll see that Cisco and Fortinet have both joined the XD XDR Alliance. So we're working on that right now. A lot of customer demand for firewall data into the telemetry set. You know, obviously it's a very rich data environment. There's a lot of logs on firewalls. And so it drives a lot of, of, of information that we can, we can leverage. So we're continuing to grow that. And what we're doing is building out different content packs that support different use cases. 
So firewall is one, CASB is another, email's another and we're building, building out the, the partner set right across the board. So it's, it's, it's been a, a great set of >>Activity. So it's it's partners that have data. Yep. There's probably some, you know, Joe Tucci, your old boss, used to say that that overlap is better than gaps. So there's sometimes there's competition, but that's from a customer standpoint, overlap is, is better than gaps. So you gonna mention Cisco, Fortinet and there are a number of others. They've got data. Yes. And they're gonna pump it into your system, our platform, and you've got the, your platform. You've got the ability to ingest. You've got the cloud native architecture, you've got the analytics and you've got the near real time analysis capability, right. >>Augmented by people as well, which is a really important part of our value proposition. You know, we, it's not just relying purely on AI, but we have a human, a human aspect to it as well to make sure we're getting extremely accurate responses. And then there's the final phase is the response phase. So being able to take action on a CASB, for example, when we have a known bad actor operating in the cloud is a really important, easy action for our customer to take. That's highly valuable. You're >>Talking about your threat hunting capability, right? >>So threat hunting and our Intel capability as well. We use all of that information as well as the telemetry to make sure we're making good, actionable >>Decisions, Intel being machine intelligence or, or human in >>Machine human and human and machine intelligence that we have. We have a whole business that's out there gathering Intel. I believe you're thinking to Adam Meyers who runs that business. And you know, that Intel is critical to making good decisions for our customers. >>So the X in XDR is extended, correct. Extending to things like firewalls. That's pretty obvious in the security space. 
Are there some less obvious data sources that you look to extend to at some point? >>Yeah, I think we're gonna continually go with where the customer demand is. Firewalls is one of the first and email is very significant. Other one, you'll see that we're announcing support for Microsoft 365 as well as part of this, this announcement, but then we'll still grow out into the other areas. NDR is, you know, a specific area where we've already got a number of partners in that, in that space. And, and we'll grow that as we go. I think one of the really exciting additional elements is the, the OCSF announcement that we made at at, at, at, at re:Inforce, which also is a shared data scheme across a number of vendors as well. So talking to Mike's point Microsoft's point this morning in his keynote, it's really about the industry getting together to do better job for our customers. And XDR is the platform to do that. And CrowdStrike's way of doing it is the only really true, visible way for a customer to get their hands on all that information, make the decision, see the good from the bad and take the action. So I feel like we're really well placed to help our customers in >>That space. Well, Kevin Mandia referenced this too today, basically saying the industry's doing a better job of collaboration. I mean, sometimes I'm skeptical because we've certainly seen people try to, you know, commercialize private information, private reports. Yeah. But, but, but you're talking about, you know, some of your quasi competitors cooperatives, you know, actually partnering with you now. So that's a, that's a good indicator. Yeah. I want to step back a little bit, talk about the macro, the big conversation on Wall Street. Everybody wants to talk about the macro of course, for obvious reasons, we just published our Breaking Analysis, talking about you guys potentially being a generational company and sort of digging into that a little bit. 
We've seen, you know, cyber investments hold up a little bit better, both in terms of customer spending and of course the stock market better than tech broadly. Yeah. So in that case it would, it would suggest that cyber investments are somewhat non-discretionary. So, but that's is my question are cyber investments non-discretionary if so, how, >>You know, I think George George calls that out directly in our analyst reports as well that, you know, we believe that cyber is a non-discretionary spend, but I, I actually think it's more than that. I think in this current macroeconomic environment where CIOs and CSOs are being asked to sweat their assets for a significantly longer period of time, that actually creates vulnerabilities because they have older kit, that's running for a longer period that they normally, you know, round out or churn out of their environment. They're not getting the investment to replace those laptops. They're not getting the investment to replace those servers. We have to sweat them for a little bit longer, longer, which means they need to be on top of the security posture of those devices. So that means that we need the best possible telemetry that we can get to protect those in the best possible way. So I actually think not only is it makes it non-discretionary, it actually increases the, the business case for, for, for taking on a, a cyber project. >>And I buy that. I buy that the business case is better potentially for cyber business case. And cyber is about, about risk reduction, right? It's about, it's about reducing expected loss. I, I, I, I, but the same time CISOs don't have an open wallet. They have to compete with other P and L managers. I also think the advantage for CrowdStrike I'm, I'm getting deeper into the architecture and beginning to understand the power of a lightweight agent that can do handle. I think you're up to 22 modules now, correct? Yes. 
I've got questions on how you keep that lightweight, but, but nonetheless, if you can consolidate the point tools, which is, you know, one of the biggest challenges that, that SecOps teams face that strengthens the ROI as well. >>Absolutely. And if you look at what George was saying this morning in the keynote, the combination of being able to provide tools, not only to the SecOps team, but the IT ops team as well, being able to give the IT ops team visibility on how many assets they have. I mean, these simple, these are simple questions that we should be able to answer. But often when we ask, you know, an operations leader, can you answer it? It sometimes it's hard for them. We actually have a lot of that information. So we are able to bring that into the platform. We're able to show them, we're able to show them where the assets are, where the vulnerabilities are against those assets and help IT ops do a better job as well as SecOps. So the, the strength, the case strengths, as you said, the CSO can also be talking to the IT ops budget. >>The edge is getting more real. We're certainly hearing a lot about it. Now we're seeing a lot more and you kind of got the, the near edge. It's like the Home Depot and the Lowe's, you know, stores okay. That I, I can get a better handle on, okay. How do I secure that? I've got some standards, but that's the far edge. It's, it's the, the OT yes. Piece of it. That's sort of the brave new world. What are you seeing there? How do you protect those far flung estates? >>I think this gets back to the question of what's what's new what's coming and where do we see the, the next set of workloads that we have to tackle? You know, when we came along first instance, we were really doing a lot of the on-prem on-prem and, and, and known cloud infrastructure suites. Then we started really tackling the broader cloud market with tools and technology to give visibility and control of the overall cloud environment. 
OT represents that next big addressable market for us, because there are so many questions around devices where they are, how old they are, what they're running. So visibility into the OT network is extremely, extremely important. And, you know, the, the wall that has existed again between the CISO and the OT environments coming down, we're seeing that's closer, closer alignment between the security on both those worlds. So the announcement that we've made around extending our Falcon Discover product, to be able to receive and understand device information from the OT network and bring it into the same console as the, the IT and the OT in the same console to give one cohesive picture of, of visibility of all of our devices is a major step forward for our customers and for, for the industry as well. >>And we see that being, being able to get the visibility will then lead us to a place of being able to build our AI models, build our response frameworks. So then we can go to a full EDR and then beyond that, there's, you know, all the other things that CrowdStrike do so well, but this is the first step to really the first step on control is visibility. And >>The OT guys are engineers. So they're obviously conscious of this stuff. It's, it's more it's again, you're extending that culture, isn't it? >>Yeah, yeah, yeah. Now when you're looking at threats, great, you want to do things to protect against those threats, but how much, how much of CrowdStrike's time is spent thinking about the friction that's involved in transactions? If I wanna go to the grocery store, think of me as an end point. If I wanna go to the grocery store, if I had to drive through three DUI checkpoints or car safety inspections, every time I went to the grocery store, I wouldn't be happy as an end point as an end user in this whole thing. Ideally, we'd be able just to be authenticated and then not have to worry about anything moving forward. 
Do you see that as your role, reducing friction >>100%, that's again, one of the core tenets of, of, of why George founded the company. I mean, he tells the story of sitting on an airplane and seeing an executive who was also on the airplane, trying to boot their machine up and trying, and get an email out before the plane took off and watching the scanning happen, you know, old school virus scanning happening on the laptop and, and that executive not making it because, and he is like in this day and age, how can we be holding people back with that much friction in their day to day life? So that's one of the, again, founding principles of what we do at CrowdStrike was the security itself needs to support business growth, support, user growth, and actually get out of the way of how people do things. And we've seen progression along that lines. I think the zero trust work that we're doing right now really helps with that as well. >>Our integrations into other companies that play within the zero trust space makes that frictionless experience for the user, because yeah, we, we, we want to be there. We want to know everything that's happening, but we don't want to see where we always want control points, but that's the value of the telemetry we take. We're taking all the data so that we can see everything. And then we pick what we want to review rather than having to do the, the checkpoint approach of stop here. Now, let me see your credentials stop here. And let me see your credentials because we have a full field of, of knowledge and information on what the device is doing and what the user is doing. We're able to then do the trust with verify style approach. >>So coming back to the, to the edge and IoT, you know, bringing that zero trust concept to the, to the edge you've got, you've got IT and OT. Okay. So that's a new constituency, but you're consolidating that view. Your job gets harder. Doesn't it? So, so, so talk about how you resolve that. 
Do do the, do the concepts that you apply to traditional IT endpoints apply at the edge. >>So first things we have to do is gain the visibility. And, and so the way in which we're doing that is effectively drawing information out from the OT environment at, by, by having a collector that's sitting there and bringing that into our console, which then will give us the ability to run our AI models and our other, you know, indications of attack or our indications of misconfiguration into the model. So we can see whether something's good or bad whilst we're doing that. Obviously we're also working on building specific sensors that will then sit in OT devices down, you know, one layer down from rather being collected and pulled and brought into the platform, being collected at the individual sensor level when we have that completed. And that requires a whole different ecosystem for us, it means that we have to engage with organizations like Rockwell and Siemens and Schneider, because they're the people who own the equipment, right? Yeah. And we have to certify with them to make sure that when we put technology onto their equipment, we're not going to cause any kind of critical failure that, you know, that could have genuine real world physical disastrous consequences. So we have to be super careful with how we build that, which we're we're in the process of doing >>Are the IOA signatures, indicators of attack. So I don't have to throw a dollar in the jar, are the IOA signatures substantially similar at, at the edge? I think >>We learn as we go, you know, first we have to gain the information and understand what good and bad looks like, what the kind of behaviors are there. 
But what we will see is that, you know, as someone's trying to make, if there's an actor, you know, making an attack, you know, we'll be able to see how they're affecting each of those end points individually, whether they're trying to take some form of control, whether they're switching them on and off in the edge and the far edge, it's a little bit more binary in terms of the kind of function of the device. It is the valve open or is the valve closed? It's is the production line running or is the production not line running, not running. So we need to be able to see that it's more about protecting the outcomes there as well. But again, you know, it's about first, we have to get the information. That's what this product will help us do. Get it into the platform, get our teams over the top of it, learn more about what's going on there and then be able to take action. >>But the key point is the architecture will scale. That's where the cloud native things >>Comes into. Yeah, it'll, it'll it'll scale. But to your, to your point about the lack of investment and infrastructure means older stuff means potentially wider gaps, bigger security holes, more opportunity for the security sector. Yep. I buy that. That makes sense. I think if it's a valid argument, when you, when you, when you know, we, we loosely talk about internet of things, edge, a lot of those things on the edge, there's probably a trillion dollars worth of a hundred year old garbage, and I'm only slightly exaggerating on the trillion and the a hundred years old, a lot of those critical devices that need to be sensed that are controlling our, our, our, our electrical grid. For example, a lot of those things need to be updated. So, so as you're pushing into that frontier, are you, you know, are, are you extending out developer kits and APIs to those people as they're developing those new things, right? Because some of the old stuff will never work. 
>>And that's what we're we're seeing is that there is a movement within the industrial control side of things to actually start, you know, doing this. Some, some simple things like removing the air gap from certain systems, because now we can build a system around it, that's trustable and supportable. So now we can get access there over, over and over a network over the internet to, to, to kind of control a valve set that's down a pipeline or something like that. So there is a, there is, there is willingness within the ecosystem, the, the IoT provider ecosystem to give us access to some of those, those controls, which, which wasn't there, which has led to some of some of these issues. Are we gonna be able to get to all of them? No, we're gonna have to make decisions based on customer demand, based on where the big, the big rock lie. And, and so we will continue to do that based on customer feedback on again, on what we see >>And the legacy air gaps in the OT worlds were by design for security reasons, or just sort of, >>I see. Because there was no way to, to do before. Right. So it was, was like >>Lack connectivity is, >>Yeah. So, so, so it was, people felt more comfortable sending an engineer route to the field truck roll. Yeah, yeah, yeah. To do it rather than expensive, rather. And, and exactly that, again, going back to our macroeconomic situation, you know, it's a very expensive way of managing and maintaining your fleet if you have to send someone to it every time. So there is a lot of there's, there's a lot of customer demand for change, and we're engaging in that change. And we want to see a huge opportunity there >>Coming back to the XDR Alliance, cuz that's kind of where we started. Where do you wanna see that go? What's your vision for that? >>So the Alliance itself has been fundamental in terms of now where we go with the overall platform. We are always constantly looking for customer feedback on where we go next on what additional elements to add. 
The, the Alliance members have video this fantastic time and effort in terms of engaging with us so that we can build in responses to their platforms, into, you know, into, into what we do. And they're seeing the value of it. I, I feel that over the next, you know, over the next two year period, we're gonna see those, our XDR Alliance and other XDR alliances growing out to get to each other and they will they'll touch each other. We will have to do it like this O project at AWS. And as that occurs, we're gonna be able to focus on customer outcomes, which is, you know, again, if you listen to George, you listen to Mike protecting the customers, the mission of CrowdStrike. So I think that's core to that, to, to that story. What we will see now is it's a great vehicle for us to give a structured approach to partnership. So we'll continue to invest in that. We've, we've got, we've got a pipeline of literally hundreds of, of partners who want to join. We've just gotta do that in a way that's consumable for us and consumable for the customer. >>Geoff Swaine. Thanks so much for coming back in theCUBE. It's great to have you. Yeah. Thanks guys. Thank you. Okay. And thank you for watching Dave Nicholson and Dave Vellante. We'll be back right to this short break. You're watching theCUBE from Fal.Con 22 in Las Vegas, right back.

Published Date : Sep 20 2022



Breaking Analysis: How CrowdStrike Plans to Become a Generational Platform


 

>> From theCUBE studios in Palo Alto and Boston, bringing you data driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> In just over 10 years, CrowdStrike has become a leading independent security firm with more than 2 billion in annual recurring revenue, nearly 60% ARR growth, and approximate $40 billion market capitalization, very high retention rates, low churn, and a path to 5 billion in revenue by mid decade. The company has joined Palo Alto Networks as a gold standard pure play cyber security firm. It has achieved this lofty status with an architecture that goes beyond a point product. With outstanding go to market and financial execution, some sharp acquisitions and an ever increasing total available market. Hello, and welcome to this week's Wikibon Cube Insights powered by ETR. In this "Breaking Analysis" and ahead of Falcon, Fal.Con, CrowdStrike's user conference, we take a deeper look into CrowdStrike, its performance, its platform, and survey data from our partner ETR. Now, the general consensus is that spending on Cyber is non-discretionary and has held up better than other technology sectors. While this is generally true, as this data shows, it's nuanced. Let's explore this a bit. First, this is a year-to-date chart of the stock performance of CrowdStrike relative to Palo Alto, the BUG ETF, which is a Cyber index, the NASDAQ and SentinelOne, a relatively new entrant to the IPO public markets. Now, as you can see the security sector as evidenced by the orange line, that Cyber ETF, is holding up better than the overall NASDAQ which is off 28% year-to-date. Palo Alto has held up incredibly well, the best, being off only around 4% year-to-date. Whereas CrowdStrike is off in the double digits this year. But up as we talked about in one of our last "Breaking Analysis" on Cyber, up from its lows this past May. Now, CrowdStrike had a very nice beat and raise on August 30th. But the stock didn't respond well initially. 
We asked "Breaking Analysis" contributor, Chip Simonton for his technical take and he stated that CrowdStrike has bounced around for the last three months in its current range. He said that Cyber stocks have held up better than the rest of the market, as we're showing. And now might be a good time to take a shot but he is cautious. FedEx had a warning today of a global recession and that's obvious case for a concern. You know, maybe some of these quality Cyber stocks like Palo Alto and CrowdStrike and Zscaler will outperform in a recession, but that play is not for the faint of heart. In fact, it's feeling like a longer, more drawn out tech lash than many had hoped. Perhaps as much as 12 to 18 months of bouncing around with sellers still in control, is generally the sentiment from Simonton. So in terms of Cyber spending being non-discretionary, we'd say it's less discretionary than other IT sectors but the CISO still does not have an open wallet, as we've reported before. We've seen that spending momentum has decelerated in all sectors throughout the year. This is an across the board trend. Now, independent of the stock price, George Kurtz, CEO of CrowdStrike, he's running a marathon, not a sprint. And this company is running at a nice pace despite tough macro headwinds. The company is free cash flow positive and is in the black, on a non-GAAP operating profit basis and yet it's growing ARR at nearly 60%. Frank Slootman uses the term inherent profitability, meaning that the company could drive more profits if it wanted to dial down expenses especially in go to market costs. But that would be a mistake for a company like CrowdStrike, in our opinion. While it has an impressive nearly 20,000 customers, there are hundreds of thousands of customers that CrowdStrike could penetrate. So like Snowflake and Slootman, Kurtz is not taking his foot off the gas. 
Now, the fundamental strength of CrowdStrike and its secret sauce is its architecture and platform, in our view, so let's take a deeper look. CrowdStrike believes that the unstoppable breach is a myth. Now, CISOs don't agree with that because they assume they're going to get breached, but that's CrowdStrike's point of view, so lofty vision. CrowdStrike's mission is to consolidate the patchwork of solutions by introducing modules that go beyond point products. CrowdStrike has more than 20 modules, I think 22, that span a range of capabilities as shown in this table. Now, there are a few critical aspects of the CrowdStrike architecture that bear mentioning. First is the lightweight agent, that is fundamental. You know, we're used to thinking that agentless is good and agent is bad, but in this case, a powerful but small, slim and easy to install but unobtrusive agent has its advantages because it supports multiple CrowdStrike modules. The second point is CrowdStrike from the beginning has been dogmatic about getting all the telemetry data into the cloud. It sort of shunned doing bespoke on prem so that all the data could be analyzed. So the more agents that CrowdStrike installs around the world, the more data it has access to and the better its intelligence. Few companies have access to more data, perhaps Microsoft, given its scale and size, is an exception in that endpoint space. CrowdStrike has developed a purpose-built threat graph and analytics platform that allows it to quickly ingest in near real time key telemetry data and detect not only known malware, that's pretty straightforward, pretty much anybody could do that. But using machine intelligence, it can also detect unknown malware and other potentially malicious behavior using indicators of attack, IOC, or IOAs. Humio is shown here as a company that CrowdStrike bought for around 400 million in early 2020, early 2021. It's the company's Splunk killer and will serve as an observability platform. 
It's really starting to take off, that's a great market for them to go after. CrowdStrike, to try to put it into sort of a summary, uses a three pronged approach. First is its next generation anti-virus, meaning it's SaaS-based, a SaaS-based solution that can do fast lookups to telemetry data, and that data lives in the cloud. And this leverages CrowdStrike's proprietary threat graph. Now, the second is endpoint detection and response. CrowdStrike sends all endpoint activity to the cloud and can process the data in real time. CrowdStrike EDR allows you to search data history and it partners with threat intelligence platforms who push the data into CrowdStrike, the CrowdStrike cloud. This increases CrowdStrike's observation space. It also has containment capabilities in EDR to fence off compromised systems. Now, the third leg of the stool is CrowdStrike's world class managed hunting approach. Like many firms, CrowdStrike has a crack team of experts that is looking at the data, but CrowdStrike's advantage is the amount of data, that observation space that we just talked about, and near real time capabilities of the architecture thanks to that proprietary database that they've developed. And all this is built in the cloud and so it enables global scale. And of course, agility. Now, let's dig into some of the survey data and take a look at what ETR respondents are saying about the spending momentum for CrowdStrike in context with its peers. Here's a very recent dataset, the October preliminary data from the October dataset in ETR's survey. Eric Bradley shared with us, ETR's head of strategy, and he runs the round tables, he's a frequent "Breaking Analysis" contributor. This is an XY graph with Net Score or spending momentum on the vertical axis and the overlap or pervasiveness in the survey on the horizontal axis. That dotted red line at 40% indicates an elevated level of spending velocity. Anything above that, we consider really impressive. 
Note the CrowdStrike progression since the pandemic started. The two notable points are one, that CrowdStrike has remained consistently above that 40% mark and two, it has made notable progress to the right. You can see that sort of squiggly line consistently increasing its share, with one little anomaly there in the early days, over a two-year period. The other call out here is Microsoft in the upper-right. We circled Microsoft as usual. Microsoft messes up the data because it's such a dominant player and, as referenced earlier, has a massive scale and very quality telemetry from its endpoints. Unlike AWS, Microsoft is a direct competitor of CrowdStrike's. Nonetheless, the sector remains very strong with lots of players. Cyber is a large and expanding TAM with too many point tools that CrowdStrike is well positioned to consolidate, in our view. Now, here's a more narrow view of that same XY graph. What it does is it takes out Microsoft to kind of normalize the data a bit and it compares a number of firms that specialize in endpoint, along with CrowdStrike, such as Tanium, which also has a lightweight agent, by the way, and appears to be doing pretty well. SentinelOne did a relatively recent IPO, took off, stock hasn't done as well since, as you saw earlier. Carbon Black, which VMware bought for around $2 billion, and Cylance, which is the Blackberry pivot. Now, we've also for context included Palo Alto and Cisco because they are major players with the big presence in security and they've got solutions that compete with CrowdStrike. But you can see how CrowdStrike looms large with a higher net score than these others. Although Palo Alto is very impressive, as is Cisco, steady. But Palo Alto also, sorry, CrowdStrike also has a very steady posture instead of just looming on that X axis. Let's now take a look at XDR, extended detection and response. 
XDR is kind of this bit of a buzzword but CrowdStrike seems to be taking the mantle and trying to sort of own the category and define it, in our view. It's a natural evolution of endpoint detection and response, EDR. In a recent ETR Roundtable hosted by our colleague, Eric Bradley, the sentiment among several CIOs is that existing SIEM, security information and event management platforms, are inadequate and some see XDR as a replacement for, or at least a strong complement to, SIEM. CISOs want a single view of their data. Hmm, you haven't heard that before. They want help prioritizing potentially high impact breaches and they want to automate the low level stuff because the problem is sometimes too much information becomes information overload and you can't prioritize. So they want to consolidate platforms. They want better consistency. They have too many dashboards, too many stove pipes. They have difficulty scaling and they have inconsistent telemetry data. As one CISO said, it's a call out here. "If the regulatory requirement isn't there, I absolutely would get rid of my SIEM." So CrowdStrike, we feel, is in a good position to continue to gain share and disrupt this space. And that's what Dave Nicholson and I will be looking for next week when theCUBE is at Fal.Con, CrowdStrike's user conference. We'll be there for two days at the Aria in Vegas. In addition to CrowdStrike's CEO, we'll hear from government cyber experts. We always hear that at security conferences and the CEO of Mandiant. Google just the other day closed its $5 billion plus acquisition of Mandiant, which is a threat intelligence expert and MSSP. I'm going to hear a lot about MSSPs by the way. CrowdStrike has a growing MSSP base. We think that's a really interesting sector because many companies don't have a SOC. As many as 50% of companies in the United States don't have a security operations center. So they need help, that's where MSPs come in. 
At the conference, there'll be a real focus on the Falcon platform. And we expect CrowdStrike to educate the audience on its multiple modules and how to take advantage of the capabilities beyond endpoint. And we'll also be watching for the ecosystem conversations. We saw this at re:Inforce, for example, where CrowdStrike and Okta were presenting together to show how these companies' products complement each other in the marketplace. Sometimes it gets confusing when you hear that CrowdStrike has an identity product. Okta, of course, is the identity specialist. So we'll be helping extract that signal from the noise. Because a generational company must have a strong ecosystem. CrowdStrike is evolving and our belief is that it has some work to do to create a stronger partner flywheel, and we're eager to dig into that next week. So if you're at the event, please do stop by theCUBE, say hello to Dave Nicholson and myself. Okay, we're going to leave it there today. Many thanks to Chip Simonton and Eric Bradley for their input and contributions to today's episode. Thanks to Alex Myerson, who does production, he also manages our podcast, Ken Schiffman as well, in our Boston studios, Kristen Martin and Cheryl Knight help get the word out on social media and our newsletters, and Rob Hof is our editor in chief over at siliconangle.com. He does some wonderful editing and I really appreciate that. Remember, all these episodes are available as podcasts wherever you listen, just search "Breaking Analysis" Podcast. I publish each week on wikibon.com and siliconangle.com and you can email me at david.vellante@siliconangle.com or DM me @DVellante or comment on our LinkedIn post. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching, and we'll see you next time on "Breaking Analysis". (upbeat music)

Published Date : Sep 17 2022


Geoff Swaine, CrowdStrike | AWS re:Inforce 2022


 

>>Hi, everybody. We're wrapping up day two of AWS re:Inforce, theCUBE's continuous coverage. My business partner, John Furrier, and co-host is actually in Monaco, um, you know, getting ready to do a big crypto show over there. So they'll be reporting from there tomorrow. Check that out on thecube.net. Geoff Swaine is here. He is the vice president of global programs, store and tech alliances at CrowdStrike. Geoff, thanks for coming on. >>Thanks, David. >>So tell us about your role, what store, help us understand that? >>Yeah, so CrowdStrike has a CrowdStrike store, which is, uh, effectively our marketplace within our application, and also available externally, that allows customers to be able to review, decide and trial products, not only from CrowdStrike, but also from our third party partners. So wherever we have a tech alliance, a customer can come in, see the value of the integration, see how it works on our platform and the third party's platform, and then go and request a trial. So it's a very easy and dynamic way for a customer to understand that joint value proposition CrowdStrike has with various other, other vendors and our own products as well. >>So your role is to bring all these cool tech companies together and create incremental value. >>Yes. Um, we believe that the ecosystem is really a, a natural evolution of what's happened in terms of the CrowdStrike story. If you think that we started out with a, uh, you know, a very simple product in the very early days, 10, 10, 11 years ago, services company built a product. That product then became a platform with various modules in it. The next evolution of that is expanding out beyond our own platform and working into other areas of, of, of interest and value. So that's where the ecosystem comes into play. So you have to underpin that with some automations, things like marketplaces and stores, you have to have integrations in place, joint applications and commercial vehicles to make that work. 
>>So I was walking around the other day and I, and it caught my eye and I sat there and listened for a better part of the presentation, had to get back and do theCUBE, but it was a presentation between a CrowdStrike expert and an Okta expert. Yep. You know, better together was the whole thing. And, you know, I know it's kind of, and then they were describing how you guys complement each other. So that would be an example, >>A perfect example. I mean, we, we, we complement Okta and Okta complements us for very, in various different ways. And in fact, we sort of assemble that into different narratives that work well for our customers. So as an example with Okta, we ASEM, we work very well with them in zero trust. So we have a zero trust narrative that talks about how it works with Okta and also Zscaler. In fact, we have a, um, an alliance through the Cloud Security Alliance where we're working to build practitioner guides, build, um, uh, a community of value across the different products to bring zero trust into some standardized, you know, uh, reference architectures and some standardized training that brings all of our products together for, for, for the user. That'd be an example of a, of, one of the narratives that we have. They'd also play in our XDR narrative. Obviously XDR helps us bring telemetry in from different products. And again, we use XDR right across, you know, various, various, uh, tech >>Alliances. So, so take zero trust. So you'll take the concept of least privilege. Yep. And you'll apply that to what, to end point, to, you know, using identity, Zscaler, you bring the cloud component. >>Correct. So then we are actually able to see how someone's traversing the entire organization. We can see who they are. We can see where they land. We can see what data they're accessing, where they're accessing. 
It gathers a whole bunch of different telemetry around that and provides the security team with the ability to be able to see what someone's doing, enforce the, um, the, you know, access rights as, and where they need to, see any anomalies or anomalous behavior within that and close it down before anything bad happens. So zero trust is a really important part of our, uh, of our, of, of, of our, um, narratives. >>And you have these plays or narratives with, with a bunch of ecosystem partners. Right? Correct. I mean, so take log management. >>Yep. >>Maybe add some context that, >>So, so around that happens, you may know we acquired, um, uh, Humio, uh, right around that, where obviously we have to be able to ingest and have bridges out to a large variety of different platforms to be able to ship data into our platform. I mean, one of the values of Humio is its ability to massively scale, um, and very, very easily, cheaply bring, bring a lot of data into a simple place and have very fast searching. Well, what are you searching? You gotta go and have data sources. So, you know, very quickly we've built out a large number of integrations with, I think, over 30 partners to easily bring data into the Humio platform to let customers be able to have that advantage. >>So what role does AWS play in all this? >>AWS is a fantastic role in, um, both coordinating some of this in terms of, especially through the marketplace, the ability to, uh, coordinate our transactions between us and help us work together from a transactional basis, help the customer procure the right solutions together. But also AWS's nature, natural, uh, inclination towards innovation means that they'll, they like to work with partners who, especially partners who are on their platform, to drive a lot of innovation, to build out how customers are bringing more data together. Obviously it's beneficial to them in terms of the volumes of data that go, computers that go across the AWS platform. 
But also they encourage us to work together. They, they, they say in some cases invest in those integrations. Um, they work with programs. They bring in third party reseller programs, uh, through C P O. So it gives us a, a platform, gives us innovation. It gives us some structure. Um, it's been really exciting working with them. >>Now talk about CrowdStrike and your cloud strategy. How would you describe your cloud strategy? >>So we've been cloud native from day one. It's one of the, one of the founding principles of CrowdStrike. Um, as, as we were set up, uh, by a founder, so two elements, cloud native, and a single agent, and those two design principles have not been broken by us at any point through our history. It's very important that we, we stick to those two principles. Our cloud is, um, was born in AWS, um, and they've been supportive of us right through, right through our growth period. So we started out with one module, as I said, now we have, I think, 23 different modules and we're continually growing that. We also then have a lot of support for the cloud. So, you know, helping us understand what's happening within cloud environments so that our customers are better protected. In fact, the show here, we've announced two separate, um, uh, uh, incremental products to, to the cloud space. One that's very much focused on, um, adding, uh, better container or better visibility inside containers in our CNA product. And, um, and, and another area around how we do our threat hunting across the cloud. So we have a team of threat hunters, global best engineers who hunt right across our customers' environments. We have a whole, whole bunch of additional cloud telemetry. So that's, that's been included into our, into our OverWatch threat hunting. >>So you'll ingest data from multiple clouds, right? You're running on AWS. Yes. But you can take data from anywhere, from >>Anywhere, >>Including on-prem. 
>>Um, so our sensor sits on laptops, servers, virtual servers, devices, IoT devices, wherever they need to say. Um, and then of it needs to be cloud connected. It comes into our, into our cloud. So we can, we can take information from instances in any cloud environment and any laptop, uh, to pretty much bring them in. And, uh, that's how it works, but it's a single cloud. I mean, our value proposition is that huge, um, uh, graph, threat graph that we've built over the years, um, trillions and trillions of events per day, that we're now searching and using AI technologies to suss out what's good and what's bad. >>Yeah. So CrowdStrike, obviously we've reported on CrowdStrike in Breaking Analysis a lot, CrowdStrike, Zscaler, Okta, a number of other, those, those companies, you're partnering with all those guys, which is quite interesting. Yeah. You're all growing, you know, really nice, nice clips. I wonder, I always wonder in these situations, okay. As things get bigger and bigger and growth slows, we haven't seen that. See, you actually see the, we saw the cloud growth accelerating during the pandemic. Yeah. Right. But, but you know, you wonder, you see it all the time in this, in this industry is companies get big, they start doing M and A, they start getting into adjacencies, you know, Google, Apple, you know, uh, Cisco, VMware, do you think you'll ever see a collision course with all these wonderful partners? Are we years away from that? Um, >>I think we're very careful with how we partner and who we partner with. Obviously we, we have discussions on what our future plans are to make sure that what we partner on is, is beneficial to both sides. Um, CrowdStrike itself, we're, we're growing all the time. You know, our platform has grown, as I said, the modules have grown, but in general, what we've found is that our partners are taking the journey with us. 
Um, it's one of the advantages of, of the success that we've had is most of the partners want to be part of that journey rather than sort of, um, trying to go head on. But, you know, there's always opportunities for us to have open conversations and real dialogue to make sure that we do the right thing for the customer. And that's what drives everything that we do, you know, we're focused on the right products for the right >>Customers. What, what, what's re:Inforce like, what's the experience been? What, what's your takeaways from the show? >>Um, it's been a really excellent show for us in terms of, uh, getting out, meeting a lot, a lot of customers at a very decent senior level here. Actually, it's been very, very worthwhile. Um, we've had great response to the announcements that we've made. There's been a lot of, lot of activity through the booth, which is always great to see, um, from a, actually from a partnership perspective from my world, you know, I've had a large number of really great meetings with the AWS leadership as well about what we can do together. Um, and the future looks really bright. >>Who's the, when you, when you think in thinking about, and I know you're not, you know, selling direct, but when you think about the constituencies, when you think about all the, the partners in your ecosystem that you're, you're building and collaborating with, who do you guys collectively talk to? You know, who do you appeal to? Is it the CISO? Is it the, you know, other security practitioners? Yeah. Is it the line of business? Is it the CIO, architect, who are the actors that you're sort of collaborating with in your customer >>Side? Yeah, it's really interesting obviously, cuz there's different personas depending on what it is that we're doing. Um, someone who's really interested in our log management narrative for example, is probably going to be maybe from the, the DevOps, um, uh, team or from, from that area for a C app. 
It's going to be someone in the cloud architecture, cloud security architecture space. Um, zero trust again will be someone who's got a bit of an identity, our area and privacy to them as well. Um, a lot of this comes up to the CISO and that's often our, you know, our, our, our economic buyer would be, be in that space. But one of the things we have to do as we go into adjacent markets is learn the personas there and understand their habits and their buying cycles and, and, and build value propositions that work for those people. So it's an ongoing exercise. >>How do you see the CISO role evolving, uh, given, you know, cloud? One of my takeaways from this event is like, I feel like cloud is becoming the first line of defense. Mm-hmm <affirmative> the CISO and the developers becoming the second line of defense, audit is like the third line of defense. Some people agree with that. Some people don't. Merritt Baer said, no, no, it's all integrated into one thing. And I'm like, no, it's not, but okay. Yeah. But, but how is the CSO role evolving given that the cloud is becoming so much more prominent today? >>I think it's, it's at this point, everyone said, you know, the CSO needs to evolve to being a direct member of the, directly responsible to the board. This is something that we've all said for many years. Sure. If you look at what we see in the threat report, if you look at what we're seeing from the threat landscape, you know, the volume of threats that are coming through, not diminishing in any way, but in fact, the size and the impact of what they're doing is getting worse. So it, the risk that's being, um, uh, uh, that's being experienced is just getting worse all the time. However, we have different options for resolving that issue. You can go down a services led path with a, with an MDR player, like our Falcon Complete, uh, process, or you can go down with an MSP. 
So the CISO's role is now not just on what products and how to Def, how to use them to best defend, but also what products, what services are available. >>What am I gonna invest in, in my team versus what am I going to push to a, to a, to a third party to look after for me. And we're seeing more and more companies at the going up the light up the, the, the enterprise stack, trusting us in our Falcon Complete team, um, uh, with, with, with parts of their defense portfolio. So I think that role that you, you know, the CISO's role is developing all the time into something that's portfolio oriented. How am I getting value for service as well as value for money from products? It's a really interesting, it's really interesting development, um, in terms of what they have to deal with. Uh, you know, I still think that the, the visibility that you see from the endpoint is where's where it's where the, the crown jewels are still, it's where the data is. Mm-hmm <affirmative>. Um, and I think that's really why CrowdStrike is a unique proposition in that space. It's what >>We protect. So when you say the end point is where the data is, paint a picture of that. >>Well, if you think about, if a, if an actor is after at a personal information or IP, they're often going to be going down to the laptop or the, or the, or the virtual instance level to look for that within the weakest part, we've always said is people, um, and the more dive, the more open you are with that, the wider your audience there, the, the more risk you carry within that space, you know, we don't think endpoints, laptops or phones, you know, servers, um, compute instances inside the cloud. They're all endpoint to us. Workloads is a better word. In fact, >>Those work, sorry, what's a better word >>Workloads >>Workloads. >>Okay. Yeah. We often talk about workloads rather than >>Is it data store and >>Endpoint? Yeah. 
If it's computer or not, it's, it's, it's basically, uh, it's a workload where, where we can put a sensor. How >>About a, how about a backup corpus, uh, a backup, backup corpus of data? >>Well, I think if there's a, if there's a place that we can put a sensor on it to see whether it's being, you know, active or not, and we can track the telemetry from it, we would consider >>That sensor would be an agent. Yeah. An agent. Yeah. Yeah. Okay. And so you said single agent, >>We have one agent that runs all of our products this way, again, one of the design principles and, and the basics of our company, >>Because one of the things that we've seen, maybe tell me if you don't see this, is, is that a lot of times ransomware attackers will go after the, the, the backup corpus mm-hmm <affirmative> disable it. Yeah. Because, you know, once you get that, you can't recover a hundred percent. Yeah. And they'll encrypt the, all the data on the network, and then they'll, they'll hold the backup corpus hostage. >>This is one of the great advantages of how CrowdStrike and how our platform works. In fact, you know, um, a lot of other vendors talk in terms of, uh, you know, known bad, known good, and, and, and indicators of compromise. Right. You know, I know this IP address has been compromised. I know that anything originating from here is bad. Um, what CrowdStrike looks at is, is, is we've built up a very, very, um, substantial, uh, library of what we call indicators of attack. Indicators of attack are looking at the potential for attack. And whether, whether that in conjunction, that specific piece of telemetry in conjunction with others makes the attack more likely. So for example, if someone, um, opens an email, we don't think that's necessarily, you know, a, a, a risk point, right. 
Um, but if someone opens an email and they click on an attachment, we think, well, maybe there's, there's, you know, that's happens billions of times a day, so still not bad, but if that then spins up, you know, a process, and if that process then starts to enumerate hard drives and start to look for backups, you know, we're getting more suspicious all the time. >>Um, and if they then call an encryption routine, we can be pretty certain at that point that what we've got in play is, is ransomware attack. Um, by looking at the holistic attack, the whole process of it, and having that sort of fingerprint of what that may look like. And in combining that with our knowledge of bad actors, our intelligence in the field, we've got a very good view on what may happen there. So exactly to your point, if we see, um, someone going after backups as part of a wider process, that helps us identify that something of something bad is, is about to happen in terms of ransomware attack, allows us to take action against it, put in the appropriate containment or blocking, >>And then explain. So, you know, when people hear agents, they're like, oh, another agent to manage, but I was talking to somebody the other day and saying, know, we're gonna integrate with the CrowdStrike agent because it's so robust. Correct. And what we are doing is, which is agentless is it's good, it's lightweight, but we can't get the data. Yep. You know, so explain that. So there's a trade off, right? I mean, you gotta manage an agent, right. But obviously it's working, your customers are, are adopting. >>So it's an extremely lightweight agent. That's always been the, the premise for this. And I think when George founded the company, one of the things he noticed was, you know, how long it was taking for someone to scan it, get us, get through a scan while they were trying to get an email out before a plane took off. And he said, you know, we can't have this. 
So, so he was looking at how do we make this as light as possible? Um, and, uh, and so that's one of been principle for us, right from day one. And you're right. Um, third parties do want to leverage our agent because of its robustness. We look at pretty much everything that's happening as a telemetry event, once, once power hits the CPU through, till it drops out. So we've got very rich knowledge of what's happening on every single device or, or workload that's out there. >>And it's very usable for other people, as far as the customer's concerned, if a third party can use that information rather than have to deploy another agent, that's a huge win for the customer. I think we all know that proliferation of agents, Harrison, that's what, that was the old way of doing things. You know, people would acquire products and try and bundle 'em together and what they ended up with multiple agents competing for resources on the, on the system, by having one agent well defined, well architected, what we have is a modern, a modern software architecture to solve modern problems. >>Okay. So, uh, last question. Yep. When during the pandemic, we noticed that the, um, everything changed, obviously work from home, remote work, and that the implications on the CISO were these permanent changes. And we reported on this in Breaking Analysis and other except endpoint, uh, you guys CrowdStrike, uh, uh, identity, Okta got a boost, uh, cloud security, Zscaler. Yep. You know, got a boost, rethinking the network, network security became top of mind, that, and that we said is these are permanent changes, but now as we exit, but they were rushed, as we exit the isolation economy. What can we expect going forward? >>I think to earlier point, the ability for us to work across all of those areas and work better, you know, everyone was very much concentrating on delivered their own product as best as they could, as quickly as they could to meet the demands of the pandemic. 
Now we can go through a place of making sure that we work really, really well together as different units to solve the customer problem. So trim some of the trim trim, some of the, of, of, of the, the fat out of any integrations that we may have built quickly to solve a problem. Now we can focus on doing it really well. What we're seeing is a proliferation in our world of more applications in our store. So tighter integration inside our UI with our third party products, um, and a lot of demand for that. So really the, the customer experience is as seamless as possible. We talk about, you know, frictionless is what we want to see. Um, and that's, you know, the boost that the, the, the disruption got from the pan from the pandemic was fantastic start of the innovation. Right now, we have the opportunity to bring everything together, to really solve some excellent problems for customers, um, and make the world a safer place. >>Jeff, great summary. Thank you for coming on. I'm gonna, I'm gonna give my quick take on, on this re:Inforce. I mean, I think very clearly AWS is, is enforcing the notion that that security is, is job one for them from the, the Nitro chip, you know, all the way up the stack all the way through the culture. I mean, I think we heard that at, at this event. Um, I think you heard, you know, some great announcements, a lot of the stuff around, you know, threat detection and, and, and automation and, and, and reasoning, which is great. I don't think you heard a lot on how AWS are making the CISO's life simpler. I think a lot of that goes to the ecosystem. Mm-hmm <affirmative> maybe, uh, but the other thing is AWS leaving a lot of room, a lot of meat on the bone, as we like to say sometimes for the, for the ecosystem. >>Mm. Um, you know, security is a good example. I mean, you know, Microsoft makes a lot of money in security. AWS doesn't make a ton of money in security. It just sort of comes with it. 
I think we're also seeing the changing role of the CISO, I think the cloud is becoming the first line of defense, CISO and developers. The next line audit is really the third line and developer. The developer role is becoming increasingly important and, and frankly sophisticated, they gotta worry about securing the containers. They gotta worry about the run time. They have to worry about the platform as a service. And so, you know, developers need to team with the, with the, with the security operations team. So that's kind of my takeaway here. I think the event was, was, was good. It was not, it wasn't oversubscribed. I think people in, in Boston this time of year at the beach, um, whereas last 2019, you know, it was June. And so you get, you had a, a bigger attendance, but that's kind of my takeaway. Anything you'd add to that, Jeff, >>I think the quality has been here. Yeah. Um, you know, maybe not the quantity the quality has certainly been here. Um, I think, you know, there is, uh, a lot of innovation that's happening in the security industry. I think AWS has got some good products that they they're helping deliver, but as you said, they're there to help us support us and, and the other ISVs to really come together and build our best of breed overall solution that helps our customers and solve some of that complexity that you're seeing. And some of that uncertainty you're seeing is who has to solve what problem in the stack. Yeah. >>Well, thanks for that. Thanks for that. Thanks for helping me wrap up here. The, the security space remains one that's highly fragmented, highly complex, you know, lack of talent is, is the, the problem that most organizations have. Lena Smart of MongoDB doesn't have that problem nor does AWS, I guess cuz they're AWS and, and Mongo. Uh, but that's a wrap here from, from day two, theCUBE. Go to thecube.net. You'll see all these videos, youtube.com/siliconangle. If you want, you know, the YouTube link. Yeah. You can go there. 
siliconangle.com is where we publish all the, the news of the day. wikibon.com for, for the research. This is Dave Vellante. Look for John Furrier from Monica at, uh, the, the crypto event, uh, all this week. And we will see you next time. Thanks for watching.

Published Date : Jul 28 2022


Jessica Alexander, CrowdStrike | AWS re:Invent 2021


 

(upbeat music) >> Hey, welcome to theCUBE's coverage of AWS re:Invent 2021. I'm Lisa Martin, and I'm pleased to be joined by Jessica Alexander, who is the VP of Cloud Solutions Sales and Alliances at CrowdStrike. Jessica, welcome to the program. >> Thank you, Lisa. It's great to be here. >> So we're going to unpack a lot today, some news, what's going on with the threat landscape, what you're seeing across industries, but I want to get started talking a little bit about your team. As I mentioned, VP of Cloud Solutions Sales and Alliances. Talk to me about your team because you have a unique GTM here that I'd like to get into. >> Sure. Thank you, Lisa. Well, we recently launched our new cloud security products, Cloud Workload Protection and Horizon earlier this year. So we wanted to make sure that we accelerated our entry into this new product market, this new addressable market, and so we established not only a cloud sales specialist team that helps our core sellers as well as our partners sell our new cloud security products but we also wanted to make sure it was tightly integrated and aligned with our Cloud Alliances so specifically our co-sell relationship and partnership that we have with AWS. >> Got it. Let's talk about some of the things you mentioned, Aksino acceleration entering into the market. We saw a lot of acceleration in the last 20 months and counting, especially with respect to cloud adoption, digital transformation, but also the threat landscape things have accelerated. Wanted to get some information from you on what you've seen. We've seen and talked to a lot of folks on ransomware stats, you know, it's up nearly 11x in the first half of '21, but you guys have some unique stats and insights on that. Talk to me about what CrowdStrike is seeing with respect to that threat landscape and who it's impacting. >> Sure. You know, we have a unique perspective. 
CrowdStrike has millions of sensors out in our customer environments, they're feeding trillions of events into the cloud and we're able to correlate this data in real time, so this gives us a very unique perspective into what's happening in adversary activity out in the world. We also get feeds from our incident response teams that are actively responding to issues, as well as our Intel operatives out in the world. So, you know, we correlate these three sources of data into our threat graph in the cloud powered by AWS, which gives us very good insights into activity that we're seeing from an adversary perspective. So we also have a group called the OverWatch team, they are 24 by seven, you know, humans monitoring our cloud and monitoring our customer's networks to detect or, you know, get pre-breach activity information. And what they're seeing is that, you know, over this last year, an adversary is able to enter a network and move laterally into that network within one hour and 32 minutes. Now, you know, this is really fast, especially when you consider that in 2020, that average was four hours and 37 minutes for a threat actor to move laterally, you know, infiltrate a network and then move laterally. So, you know, the themes that we're seeing are adversaries are getting a lot faster and a lot more efficient, and, you know, as more companies are moving to remote work environments, you know, setting up virtual infrastructure for employees to use for work and productivity, you know, that threat landscape becomes more critical. >> Right? It becomes more critical. It becomes bigger. And of course we are in this work from anywhere environment that's going to last or some amount of it will persist permanently. 
So what you're saying is you're seeing a 4x increase in the speed with which adversaries can get in and laterally move within a network, so dramatically faster in a year over year period, where, so there's been so much flux in every market and of course in our lives, what are some of the things that you're helping customers do to combat this growing challenge? >> Well, it really goes back to being predictive and having that real time snapshot of what's going on and being able to proactively reach out to customers before anything bad happens and, you know, we're also seeing that ransomware continues to be an issue for customers, so, you know, having the ability to prevent these attacks and ransomware from happening in the first place and really taking the advantage that an adversary may have from a speed or intelligence perspective, taking that advantage away by having the Falcon Platform actively monitoring our customer environments is a big advantage. >> So let's talk about, speaking of advantages, what are you guys announcing at re:Invent this year? >> Sure. Well, we have two new service integrations with Amazon EKS, AWS Outposts and AWS FireLens to talk about this year. The cool thing is that, you know, customers are going to get our wonderful breach protection that we have, you know, the gold standard of breach protection, they'll have that available on various cloud services. And what it does is it provides consistent security and simplified operational management across AWS services, as customers extend those from public cloud to the data center, to the edge. And you know, the other great benefit is that it accelerates threat hunting, so we were talking about, you know, being able to predict and see what adversaries are doing. You know, one of the great customer benefits is that they can do that with their own teams and be able to do that on a cloud infrastructure as well. 
>> And how much of the events of the last 20 months was a catalyst or were catalysts for these integrations that you just mentioned? I imagine the threat landscape growing ransomware becoming a 'when we get hit not if' would have been some of those catalysts. >> Well, you know, we're seeing that the adoption of cloud services, especially for end user computing is growing much faster than traditional on-prem desktops, laptops, as people continue to work remotely and customers need to be, or corporations need to be efficient at how they manage end user computing environments. So, you know, we are seeing that adversary activity is picking up, they're getting smarter about, you know, leveraging cloud services and potential misconfigurations, there're really four key areas that we see customers struggle with, whether it be, you know, the complexity of cloud services, whether it be shadow IT, and a lot of the security folks don't necessarily know where all the cloud services are being deployed, then you've got, you know, kind of the advanced techniques that adversaries are using to get into networks. And then, you know, last but certainly not least is skills shortage. We're finding that a lot of customers want a turnkey solution, where they don't have to have a team of cloud security specialists to respond or handle any misconfigurations or issues that come up. They want to have a turnkey solution, a team that's already watching and reaching out to them to say, "Hey, you may want to look into XYZ and update a policy, or, you know, activate this new, you know, this feature in the platform." >> Yeah. That real time, the ability to have something that's turnkey is critical in this day and age where things are moving so quickly, there's so much being accelerated, good stuff and bad stuff. 
But also you mentioned that cybersecurity skills gap, which is in its, I think it's in its fifth year now, which is a big challenge for organizations as this scattered, work from anywhere persists as does the growth of the threat landscape. Let's get into now, for, you mentioned the adoption of cloud services has gone up considerably in this interesting time period, how is CrowdStrike helping customers do that securely, migrate from on-prem to the cloud with that security and that confidence that their landscape is protected? >> Yeah, well, we find obviously in the shared responsibility model, the great thing is that, you know, CrowdStrike and AWS team up to help, you know, customers have a better together experience as they migrate to the cloud. AWS is obviously responsible for the security of the cloud and customers are responsible for the security in the cloud. And in speaking with our customers who are moving or have moved to cloud services, and they really want a trusted and simple platform to use when securing their data and applications. So what, you know, they also have hybrid environments that can get complex to support, and, you know, we want to be able to provide them with a unified platform, a unified experience, regardless of where the workload is running or what services that it's using. You know, they have that unified visibility and protection across all of the cloud workloads. We're also, you know, seeing that, especially the reason we're doing this great integration with Outpost and EKS Anywhere is that customers are, you know, taking their cloud services out to their data centers as well as to the edge locations and branch offices, so they want to be able to run EKS on their own infrastructure. So it's important that customers have that portability that regardless of whether it's a laptop or an EC2 instance or an EKS container, you know, they have that portability throughout the continuum of their cloud journey. 
>> That continuum is absolutely critical as we, you know, talk about cloud and application or continuum from the customer's perspective, the cloud continuum is something that is front and center for customers, I imagine in every industry. >> Oh, for sure, 'cause every industry is adopting cloud maybe at a different speed, maybe for different applications, but, you know, everybody's moving to the cloud. >> So talk to me about what you're announcing with AWS, let's get into a little bit about the partnership that CrowdStrike and AWS have, let's unpack that a bit. >> Sure. You know, we've been an AWS advanced technology partner for over five years. We've had our products, we now have six of our CrowdStrike products listed on AWS Marketplace. We're an active co-sell partner and, you know, have our security competency and our well-architected certification. And really it's about building trust with our customers. You know, AWS has a lot of wonderful partner products for customers to use and it's really about building trust that, you know, we're validated, we're vetted, we have a lot of customers who are using our products with AWS, and, you know, I think it's that tight collaboration, for example, if you look at what we're doing with Humio, we've implemented a quick start program, which AWS has to get customers quickly deployed with an integration or a new capability with a partner product. And what this does is it spins up a quick CloudFormation template, customer can integrate it very quickly with the AWS FireLens and then, you know, all that log information coming from the AWS containers is easily ingested into the Humio platform. And so, you know, it really reduces the time to get the integration up and running as well as pulling all that data into the Humio platform so that customers can, like we said earlier, go back and threat hunt across, you know, different cloud service components in a quick and easy way. >> Quick and easy is good as is faster time to value. 
You mentioned the word trust, and, you know, we talk about trust, we've been talking about it for years as it relates to technology, but I'm curious, Jessica, in the last year and a half, if your customer conversations have changed, is trust now even more important than ever as there are so many things in flux, have you noticed any sort of change there in your customer conversations? >> Well, you know, I think trust is extensible. And over the last 10 years, CrowdStrike's done a really great job of building customer trust. And, you know, we started out as, you know, kind of primarily EDR and we've moved into prevention and now we're moving into identity protection and XDR so, you know, I see a pattern that, you know, we've built this amazing core of trust across our existing customers, and as we offer more capabilities, whether it be, you know, cloud security or XDR, identity protection, you know, customers trust us and so they're very willing to say, "ah well, I want to try out these new capabilities that CrowdStrike has because we trust you guys, you know, you've done a lot to protect our brand and, you know, really make our internal teams a lot more efficient and a lot smarter." So, you know, I think while trust is important, it's also something that we get to carry forward as we enter new markets and continue to innovate and provide new capabilities for our customers. >> And really extending that trusted, valued partner relationship that you've already established with customers in every industry. So where can customers go? So the joint GTM customers, and you said products available in the AWS marketplace, but where do you recommend customers go to learn more about how they can work with these joint solutions that CrowdStrike and AWS have together? >> Absolutely. 
We have a landing page on AWS, if you Google AWS and CrowdStrike, whether it be marketplace or EKS Anywhere, Amazon outposts, we're on all the joint product pages with Amazon, as well as always going to crowdstrike.com and looking up our cloud security products. >> Got it. And last question for you, Jessica, summarize the announcement in terms of business outcomes that it's going to enable your joint customers to achieve. >> Absolutely. You know, I think it goes back to probably the primary reason is complexity. And, you know, with complexity comes risk and blind spots so being able to have a unified platform that no matter where the workload is, or the employee may be, they are protected and have, you know, a unified platform and experience to manage their security risk. >> Excellent. Jessica, thank you so much for coming on the program today, sharing with me, what's new with CrowdStrike, some of the things that you're seeing, and what you're helping customers to accomplish in a very dynamic environment, we appreciate your time and your insights. >> Thank you for having me, Lisa. >> For Jessica Alexander, I'm Lisa Martin, and you're watching theCUBE's coverage of AWS re:Invent 2021. (gentle music)

Published Date : Dec 1 2021


AWS reInvent Jessica Alexander


 

(upbeat music) >> Hey, welcome to theCUBE's coverage of AWS re:Invent 2021. I'm Lisa Martin, and I'm pleased to be joined by Jessica Alexander, who is the VP of Cloud Solutions Sales and Alliances at CrowdStrike. Jessica, welcome to the program. >> Thank you, Lisa. It's great to be here. >> So we're going to unpack a lot today, some news, what's going on with the threat landscape, what you're seeing across industries, but I want to get started talking a little bit about your team. As I mentioned, VP of Cloud Solutions Sales and Alliances. Talk to me about your team because you have a unique GTM here that I'd like to get into. >> Sure. Thank you, Lisa. Well, we recently launched our new cloud security products, Cloud Workload Protection and Horizon earlier this year. So we wanted to make sure that we accelerated our entry into this new product market, this new addressable market, and so we established not only a cloud sales specialist team that helps our core sellers as well as our partners sell our new cloud security products but we also wanted to make sure it was tightly integrated and aligned with our Cloud Alliances so specifically our co-sell relationship and partnership that we have with AWS. >> Got it. Let's talk about some of the things you mentioned, Aksino acceleration entering into the market. We saw a lot of acceleration in the last 20 months and counting, especially with respect to cloud adoption, digital transformation, but also the threat landscape things have accelerated. Wanted to get some information from you on what you've seen. We've seen and talked to a lot of folks on ransomware stats, you know, it's up nearly 11x in the first half of '21, but you guys have some unique stats and insights on that. Talk to me about what CrowdStrike is seeing with respect to that threat landscape and who it's impacting. >> Sure. You know, we have a unique perspective. 
CrowdStrike has millions of sensors out in our customer environments, they're feeding trillions of events into the cloud and we're able to correlate this data in real time, so this gives us a very unique perspective into what's happening in adversary activity out in the world. We also get feeds from our incident response teams that are actively responding to issues, as well as our Intel operatives out in the world. So, you know, we correlate these three sources of data into our threat graph in the cloud powered by AWS, which gives us very good insights into activity that we're seeing from an adversary perspective. So we also have a group called the OverWatch team, they are 24 by seven, you know, humans monitoring our cloud and monitoring our customer's networks to detect or, you know, get pre-breach activity information. And what they're seeing is that, you know, over this last year, an adversary is able to enter a network and move laterally into that network within one hour and 32 minutes. Now, you know, this is really fast, especially when you consider that in 2020, that average was four hours and 37 minutes for a threat actor to move laterally, you know, infiltrate a network and then move laterally. So, you know, the themes that we're seeing are adversaries are getting a lot faster and a lot more efficient, and, you know, as more companies are moving to remote work environments, you know, setting up virtual infrastructure for employees to use for work and productivity, you know, that threat landscape becomes more critical. >> Right? It becomes more critical. It becomes bigger. And of course we are in this work from anywhere environment that's going to last or some amount of it will persist permanently. 
So what you're saying is you're seeing a 4x increase in the speed with which adversaries can get in and laterally move within a network, so dramatically faster in a year over year period, where, so there's been so much flux in every market and of course in our lives, what are some of the things that you're helping customers do to combat this growing challenge? >> Well, it really goes back to being predictive and having that real time snapshot of what's going on and being able to proactively reach out to customers before anything bad happens and, you know, we're also seeing that ransomware continues to be an issue for customers, so, you know, having the ability to prevent these attacks and ransomware from happening in the first place and really taking the advantage that an adversary may have from a speed or intelligence perspective, taking that advantage away by having the Falcon Platform actively monitoring our customer environments is a big advantage. >> So let's talk about, speaking of advantages, what are you guys announcing at re:Invent this year? >> Sure. Well, we have two new service integrations with Amazon EKS, AWS Outposts and AWS FireLens to talk about this year. The cool thing is that, you know, customers are going to get our wonderful breach protection that we have, you know, the gold standard of breach protection, they'll have that available on various cloud services. And what it does is it provides consistent security and simplified operational management across AWS services, as customers extend those from public cloud to the data center, to the edge. And you know, the other great benefit is that it accelerates threat hunting, so we were talking about, you know, being able to predict and see what adversaries are doing. You know, one of the great customer benefits is that they can do that with their own teams and be able to do that on a cloud infrastructure as well. 
>> And how much of the events of the last 20 months was a catalyst or were catalysts for these integrations that you just mentioned? I imagine the threat landscape growing ransomware becoming a 'when we get hit not if' would have been some of those catalysts. >> Well, you know, we're seeing that the adoption of cloud services, especially for end user computing is growing much faster than traditional on-prem desktops, laptops, as people continue to work remotely and customers need to be, or corporations need to be efficient at how they manage end user computing environments. So, you know, we are seeing that adversary activity is picking up, they're getting smarter about, you know, leveraging cloud services and potential misconfigurations, there're really four key areas that we see customers struggle with, whether it be, you know, the complexity of cloud services, whether it be shadow IT, and a lot of the security folks don't necessarily know where all the cloud services are being deployed, then you've got, you know, kind of the advanced techniques that adversaries are using to get into networks. And then, you know, last but certainly not least is skills shortage. We're finding that a lot of customers want a turnkey solution, where they don't have to have a team of cloud security specialists to respond or handle any misconfigurations or issues that come up. They want to have a turnkey solution, a team that's already watching and reaching out to them to say, "Hey, you may want to look into XYZ and update a policy, or, you know, activate this new, you know, this feature in the platform." >> Yeah. That real time, the ability to have something that's turnkey is critical in this day and age where things are moving so quickly, there's so much being accelerated, good stuff and bad stuff. 
But also you mentioned that cybersecurity skills gap, which is in its, I think it's in its fifth year now, which is a big challenge for organizations as this scattered, work from anywhere persists as does the growth of the threat landscape. Let's get into now, for, you mentioned the adoption of cloud services has gone up considerably in this interesting time period, how is CrowdStrike helping customers do that securely, migrate from on-prem to the cloud with that security and that confidence that their landscape is protected? >> Yeah, well, we find obviously in the shared responsibility model, the great thing is that, you know, CrowdStrike and AWS team up to help, you know, customers have a better together experience as they migrate to the cloud. AWS is obviously responsible for the security of the cloud and customers are responsible for the security in the cloud. And in speaking with our customers who are moving or have moved to cloud services, and they really want a trusted and simple platform to use when securing their data and applications. So what, you know, they also have hybrid environments that can get complex to support, and, you know, we want to be able to provide them with a unified platform, a unified experience, regardless of where the workload is running or what services that it's using. You know, they have that unified visibility and protection across all of the cloud workloads. We're also, you know, seeing that, especially the reason we're doing this great integration with Outpost and EKS Anywhere is that customers are, you know, taking their cloud services out to their data centers as well as to the edge locations and branch offices, so they want to be able to run EKS on their own infrastructure. So it's important that customers have that portability that regardless of whether it's a laptop or an EC2 instance or an EKS container, you know, they have that portability throughout the continuum of their cloud journey. 
>> That continuum is absolutely critical as we, you know, talk about cloud and application or continuum from the customer's perspective, the cloud continuum is something that is front and center for customers, I imagine in every industry. >> Oh, for sure, 'cause every industry is adopting cloud maybe at a different speed, maybe for different applications, but, you know, everybody's moving to the cloud. >> So talk to me about what you're announcing with AWS, let's get into a little bit about the partnership that CrowdStrike and AWS have, let's unpack that a bit. >> Sure. You know, we've been an AWS advanced technology partner for over five years. We've had our products, we now have six of our CrowdStrike products listed on AWS Marketplace. We're an active co-sell partner and, you know, have our security competency and our well-architected certification. And really it's about building trust with our customers. You know, AWS has a lot of wonderful partner products for customers to use and it's really about building trust that, you know, we're validated, we're vetted, we have a lot of customers who are using our products with AWS, and, you know, I think it's that tight collaboration, for example, if you look at what we're doing with Humio, we've implemented a Quick Start program, which AWS has to get customers quickly deployed with an integration or a new capability with a partner product. And what this does is it spins up a quick CloudFormation template, customer can integrate it very quickly with the AWS FireLens and then, you know, all that log information coming from the AWS containers is easily ingested into the Humio platform. And so, you know, it really reduces the time to get the integration up and running as well as pulling all that data into the Humio platform so that customers can, like we said earlier, go back and threat hunt across, you know, different cloud service components in a quick and easy way. >> Quick and easy is good as is faster time to value. 
You mentioned the word trust, and, you know, we talk about trust, we've been talking about it for years as it relates to technology, but I'm curious, Jessica, in the last year and a half, if your customer conversations have changed, is trust now even more important than ever as there are so many things in flux, have you noticed any sort of change there in your customer conversations? >> Well, you know, I think trust is extensible. And over the last 10 years, CrowdStrike's done a really great job of building customer trust. And, you know, we started out as, you know, kind of primarily EDR and we've moved into prevention and now we're moving into identity protection and XDR so, you know, I see a pattern that, you know, we've built this amazing core of trust across our existing customers, and as we offer more capabilities, whether it be, you know, cloud security or XDR, identity protection, you know, customers trust us and so they're very willing to say, "ah well, I want to try out these new capabilities that CrowdStrike has because we trust you guys, you know, you've done a lot to protect our brand and, you know, really make our internal teams a lot more efficient and a lot smarter." So, you know, I think while trust is important, it's also something that we get to carry forward as we enter new markets and continue to innovate and provide new capabilities for our customers. >> And really extending that trusted, valued partner relationship that you've already established with customers in every industry. So where can customers go? So the joint GTM customers, and you said products available in the AWS marketplace, but where do you recommend customers go to learn more about how they can work with these joint solutions that CrowdStrike and AWS have together? >> Absolutely. 
We have a landing page on AWS, if you Google AWS and CrowdStrike, whether it be Marketplace or EKS Anywhere, Amazon Outposts, we're on all the joint product pages with Amazon, as well as always going to crowdstrike.com and looking up our cloud security products. >> Got it. And last question for you, Jessica, summarize the announcement in terms of business outcomes that it's going to enable your joint customers to achieve. >> Absolutely. You know, I think it goes back to probably the primary reason is complexity. And, you know, with complexity comes risk and blind spots so being able to have a unified platform that no matter where the workload is, or the employee may be, they are protected and have, you know, a unified platform and experience to manage their security risk. >> Excellent. Jessica, thank you so much for coming on the program today, sharing with me, what's new with CrowdStrike, some of the things that you're seeing, and what you're helping customers to accomplish in a very dynamic environment, we appreciate your time and your insights. >> Thank you for having me, Lisa. >> For Jessica Alexander, I'm Lisa Martin, and you're watching theCUBE's coverage of AWS re:Invent 2021. (gentle music)

Published Date : Nov 10 2021


Ted Kummert, UiPath | UiPath FORWARD IV


 

>>From the Bellagio Hotel in Las Vegas, it's theCUBE covering UiPath FORWARD IV, brought to you by UiPath. >>Welcome back to the Bellagio in Las Vegas. theCUBE is live. I love saying I'm going to say again and again, theCUBE is live. We are at UiPath FORWARD IV, at an in-person conference. Lisa Martin, with Dave Vellante. We're going to be talking about the vision of the UiPath platform. We're very excited to welcome to the program Ted Kummert, the executive vice president of products and engineering at UiPath. Ted, welcome to the program. >>Thank you. It's great to be here with you and it's, it is great to be live. It's been so fun over the last couple of days to spend time with our customers. Uh, it's just been so great for the team and everyone, >>I can imagine what it was like for you yesterday on main stage, looking out to a standing-room-only crowd for the first time in probably 20 months. >>Yeah. And that was, that was actually quite fun. As, you know, speaking to a camera, you just don't get the same energy. You got to muster all of the energy yourself. And so it was so great just to be back in front of, uh, uh, live people again, humans. >>Exactly. Well, from a customer perspective, I know that the number is now over 9,000, you guys have an incredibly high retention rate. We're talking 96 plus percent. A significant portion of revenue comes from those existing customers. We talked to a whole bunch of 'em yesterday. We've got more of them on today. We're hearing that validation from the voice of the customer on what UiPath has been doing. Talk to us about the vision that you unveiled yesterday, strategically, what some of the feedback has been from some of those folks that are here in person. >>Great. Well, so let's start the story by looking back first and talking about the phases of the market. Uh, because I really see us entering phase three of the automation market. Uh, phase one I describe is the core RPA platform. 
Uh, and that was, you know, the elements of that are the runtime, the robot, the thing that knows how to execute these workflows, it knows how to do UI automation. It knows how to do API integration. It knows how to do long running workflows and interact with humans, developer experiences, low code visual developer experiences. Plus the orchestration then that that gives the enterprises, the manageability and the governance. I'd say that was phase one. Okay. Daniel and the team. Then at FORWARD III, the last time this community got together right here, the Bellagio, at the end of 2019, rolled out an expanded vision, which we talk about as the platform for the full automation life cycle and that added elements of let's let's help end users engage more easily with their automations. >>They engage with them on their desktop. So they need to think of it like a start menu, like experience with the UiPath Assistant, they need rich user interfaces. So we introduced a low code application platform, UiPath Apps. They want to interact with natural language. So we integrate with chat bots. And then we find a lot of customers. When we initially start their journey, they have a lot of knowledge right away of opportunities. They see things in the call center, front office, back office, finance department, they see things to do, but then they say help us find more opportunities to automate. So we have this old discovery area to help them find more opportunities to automate. So this vision of this end to end life cycle, that that covers the core platform plus engagement in discovery. That's the journey we've been on over the last two years. >>And I think, you know, part of what we talked about yesterday was just how we're continuing to fulfill that vision. And then that set the stage for us to talk about a few innovation themes. 
As we look forward to phase three, that I would emphasize, we still, we're still building out this end to end automation platform covering the full life cycle, but we do see some pretty important themes going forward. Well, we'll start with four, um, kind of four key themes. Um, one is enterprise grade platform. Uh, the second is, uh, platform expansion, you know, healthy platforms grow and expand what you're able to do with them. What developers are able to build for the notion that discovery becomes more continuous. I liken it to a nervous system for the processes and the work of the enterprise. It's always there watching, helping you find opportunities. Um, and then we talked about this last concept, which is semantic automation, which is the, I'd say the real big idea in the forward-looking vision. >>I wonder if we could, um, and your keynote yesterday, you talked about the fragmentation of the enterprise software business and of course perpetuate advice, the SaaS easy button. Great. I got all these different SaaS products and you're sort of creating a layer across them. Sort of a couple of questions there. Maybe you could just sort of describe that dynamic and how you guys think about it. And then I got to follow up. >>Yeah. I think if you're a historian, you look back and say in the past a lot of business process centered around the deployment of a few monolithic applications, your ERP, your CRM system. And then if somebody in another department wanted something different, another part of the process you might customize or deploy an add-on. Now what's great about the SaaS era is we have a lot more solutions that are now purpose-built toward a lot more functions. A lot more processes are being automated and that's fantastic, but what's that done is it's expanded the landscape of applications now that enterprises hold typically. And that's where you get to the issue of fragmentation. And the reality is, is the real work in the enterprise. 
The real work people do every day and the process, it, it spans all of that stuff. And I think as an end user, you can, you resonate with this because you will work with desktop apps. >>You will work with these SaaS apps. You'll work with these line of business apps. You'll, you'll have to navigate to this one, cut some data, you know, copy it, paste it over here, you'll work in Excel. You'll send an email and you know, that type of work, nobody really wants to do that. And especially if it's something you have to do all the time. So automation, we are, in fact, not the first platform to walk in the enterprise's door and say, Hey, we can help you integrate your systems. We can help you automate business process. This is, is, uh, you know, this goes back to the early two thousands and the arrival of, you know, the, the first-generation integration prod products. So what's so different about RPA and these automation platforms and our automation platform. The difference is really being centered on UI automation, because it's got three key attributes that I think are super important to understanding why this is such a different phenomenon. >>The first is because it, it automates via the UI. It can capture the actual work people are doing so we can emulate the actual work people are doing that's number one and that's critically important. Uh, the second thing is it can reach anything your way. If you've got an integration problem, you don't want connectivity to 82% of your systems. You actually want to cover everything you need to, you need to cover. And UI automation can reach anything that has a user interface. Uh, and then the third thing is because it it's emulating the work people do. It's very intuitive to develop for and as such. The developer experience is a very easy to use. Uh, don't require traditional coding skills. Customers tell us that unleashes more capacity and they get really fast time to value and that's kind of a win-win win. 
And the interesting thing then is if you think about it, the business wants to move forward at a certain rate, but that applications estate is only going to move forward. It's going to move forward kind of at its own pace as well. And this automation layer can really deal with the shear between that. It can help you move forward quickly up here while you're waiting for, you know, at this layer to evolve as well. Uh, >>I wonder if you've mentioned, you know, kind of history, if you look back and, and, and, and you're somebody who spent two decades plus, you know, one of the great software companies, if you think about the great software companies, Microsoft, we know how they got there with the PC ascendancy and then took it to new levels. Oracle, SAP, Salesforce is vying to become a next great software company. Go. McDermott wants to take ServiceNow in that realm. And I have a sense that with your vision of a fully automated enterprise, you guys could aspire to be a next great software company. I think, you know, you're, you're, you're humble, but you're bold. So when somebody who has a historical perspective on great software companies, what do you, what does it take architecturally specifically to be that next great software company? >>Well, it's a great question. Uh, you know, I, I said yesterday to the audience that, you know, the reason I came to UiPath is because I do believe this is one of the most significant platforms of this time. And I do believe as we just talked about it's UI automation is the central element. That's really making it different. Now, all these other technologies and capabilities are super important. Uh, we announced yesterday a new service in our platform called the UiPath Integration Service. Uh, we acquired a company named Cloud Elements six months ago, uh, an API integration company. And that is now landing in the UiPath Integration Service. 
Uh, we have always had API integration as a part of our platform, but now we've got this richer catalog, we've got new services for developers, and that only expands what they're able to do. >>Um, and, and as we talked about the themes, the future themes of innovation, we talked about this platform expansion, and I served as this historian, you know, healthy, vital platforms grow, and they grow on their own just naturally because there's always some adjacency where if I bring that in, I can enable my community to do something different. They can build something different. And so that was why, for instance, let's embrace more API integration surface area. Why did we enter low code application space? It it's because we thought there was a lot of power for our community to now be able to re build rich user experiences. Um, why did we bring AI and ML in as a first-class citizen with an MLOps platform? We're not trying to be a general hosting of models, but we want to make it easy for those skills to be used. >>So there is a thing just about just continuing to expand what you're able to do, but there's an important thing you gotta do as well is you got to stay true to your personas and your user community. So anytime we do this, we think, yes, we're bringing in API integration, but we're not trying to be an iPaaS. We're trying to serve our RPA developer community. And we have to be true to that developer experience and the thing that's made us special. So we really focus on landing it in an integrated way, really helps our community. Do, do you know, more and more with the platform >>You're seeding a new breed of developer, or maybe your ascendancy is coinciding with a new breed of developer. >>Let's say there's a general trend. And we, we labeled the general trend. Now, low code, no code, which I frankly think is this historian is, is just a new way. We're talking about the idea that we, you want to continue to simplify developer experiences. 
And if you do that, everybody likes it. And it does. It enables you to grow the pool of developers that you have. And in our case, there is a new, you know, this is, this is a large and growing discipline. If you looked on LinkedIn community of RPA developers, there are new personas, new jobs being built around this platform. Today, we have, we're blessed with a very, very large community of developers. This is a new piece of, yeah, I think those are the, those are the range we're talking about. Yes. Um, and it's amazing asset for us as well as we do new things. Uh, we've got community ways they can engage with community builds previews. It gives us a lot of expertise to tap, tap into as we're deciding to do new things, >>Ask how influential that large community is and the product direction roadmap, the vision execution, how influential is that >>They're immensely influential. And that, that goes from when we're early on and we're ideating, and we're talking to our customer advisory boards or customers one-to-one, or as features are starting to come out in community previews. Uh, customers are an instrumental part of that journey. I think that's, this is one of the things. If you spend any time with Daniel at all, uh, you'll understand how important customer centricity and true customer centricity is to him. Um, and I think that's, uh, I only joined the company 18 months ago, but I, I walked into a company that I really understood knew what that meant. The words are easy to say, but really being that and having customers shape who you became, I think that's something that the company has done actually quite well. >>The CrowdStrike announcement was notable. Um, I'm interested in how you're integrating that. I know, you know, that's endpoint security. I know you've done a lot of work historically in identity access with zero and doing some deep integration there, or how should we be thinking about the CrowdStrike gets it's more than just a press release. 
It's it's, it's there's engineering going on there. What can you tell us? >>Yeah. Yeah. That's a very important thing for us. We, I talked about another one of the key innovation themes is enterprise grade platform. And that one might seem like, well, of course, he's going to say that, but we do want our customers to understand, we know this is a mission critical platform, and you know, now it's now integral to the work people do. It's integral to the process. If it ever fails them, that's a mission critical failure. Yeah. And so we were making deep investments like this. Um, this partnership with CrowdStrike is about delivering a solution that an endpoint protection solution that understands robots and they are not unique in that. Unfortunately, they are subject to a lot of the same forms of attacks that humans can be subject to. Um, and, but they're also unique and then need unique protection. And so, as we came together with CrowdStrike, one of the important elements for us was let's enable their, in this case, Falcon platform to understand robots and let's do it as a seamless part of that experience. >>And so there's a few elements we deliver together. They, they have a lightweight agent that gets deployed with a robot. Um, and then most importantly, we provide metadata. We provide data back to log information, back to CrowdStrike. So now a security analyst sitting in the Falcon console knows when there's an activity that's related to a robot versus related to a human. And then there's also specific mitigation actions that are relative to a robot. You may want to just block that instance of that automation from running again, or you might want to block all instances from running again. And so there's specific mitigation, there's specific, um, visibility we're providing to the security analyst, but then it's all done in a seamless way. The customer, when they have 2110, they have the latest Falcon release. There's no extra licensing. 
They just have those two products and it just works. >>How much was that accelerated the last year, 18 months we've seen the tremendous change in the security landscape. Um, ransomware has become a household word. Everybody knows about Colonial Pipeline. We're seeing so much activity there. It's a matter of when customers get hit, not if how much of the events of the last year have accelerated that partnership with CrowdStrike and how you're enabling RPA to be that protected asset that the organization needs to ensure >>It's protected. It'd be fantastic if we ever got to a point where we felt like, you know, security was a solved problem and it won't ever be. Um, and, uh, you know, and this is why we felt like we needed a world-class, uh, company to partner with who's an expert in this landscape and they do their part. And we do our part. Um, that was why we took this approach because we know we're not going to build, we're not going to have and build that expertise. We know about robots. We know what we know about that side of thing. They understand security. And by working together, we can connect the dots and we can hear everything. They understand that we're never able to replicate. How unique is that, that, that sort of robot >>Optimized, you know, sort of security, >>Uh it's as far as I know, it's the industry's first solution. It's important to know that endpoint protection does provide protection for robots today. Sure. And all of them do, but it doesn't know about them. It can't tell the security analysts that was an action. A robot took versus a human. Um, and it doesn't know how to take specific mitigation steps. And that's the exciting thing to we've done here. So it's, to my knowledge, that's the first point security offering built for, as we say, the robot workforce. >>And so you bring engineering resources to, to create that value and, and, and collaborate with CrowdStrike. Yeah. >>Yeah. We, we both did work on both sides. 
It's, it's been a really fantastic partnership and it was great. We had a video from their chief product officer as a part of our discussion yesterday. It's been fantastic relationship and partners. >>So it's one of those tricky thing. I mean, that's IP that you're developing with cross at the same time, you know, you've nailed it, right. It's never going to be solved, but, but one of the ways in which we can counteract the adversaries who are extremely capable is sharing. So it was that IP that gets shared or is that IP that you keep for yourself? >>We're both doing what we do, their IP's their IP, our IP's our IP. And so it's all, it's all good there. >>Focusing on your core competencies. Well, Ted, thank you for joining Dave and me today, talking about the vision where things are going, the excitement, the partnership expansion, a lot of that activity since the IPO, we appreciate your time today. >>Very exciting times. And then as I said at the open it's, it's great to be here with you. Great to be live. >>Great to be alive. Really is for my guests. I'm Lisa Martin. We're live in Las Vegas with UiPath FORWARD IV, at the Bellagio, Dave and I will be right back with our next guest.

Published Date : Oct 6 2021
