(upbeat music) >> Hello everyone, welcome back to theCUBE's coverage of Cloud Native SecurityCon North America 2023. Obviously, CUBE's coverage with our CUBE Center Report. We're not there on the ground, but we have folks and our CUBE Alumni there. We have entrepreneurs there. Of course, we want to be there in person, but we're remote. We've got Ben Hirschberg, CTO and Co-Founder of Armo, a cloud native security startup, well positioned in this industry. He's there in Seattle. Ben, thank you for coming on and sharing what's going on with theCUBE. >> Yeah, it's great to be here, John. >> So we had written on you guys up on SiliconANGLE. Congratulations on your momentum and traction. But let's first get into what's going on there on the ground? What are some of the key trends? What's the most important story being told there? What is the vibe? What's the most important story right now? >> So I think, I would like to start here with the I think the most important thing was that I think the event is very successful. Usually, the Cloud Native Security Day usually was part of KubeCon in the previous years and now it became its own conference of its own and really kudos to all the organizers who brought this up in, actually in a short time. And it wasn't really clear how many people will turn up, but at the end, we see a really nice turn up and really great talks and keynotes around here. I think that one of the biggest trends, which haven't started like in this conference, but already we're talking for a while is supply chain. Supply chain is security. I think it's, right now, the biggest trend in the talks, in the keynotes. And I think that we start to see companies, big companies, who are adopting themselves into this direction. There is a clear industry need. There is a clear problem and I think that the cloud native security teams are coming up with tooling around it. I think for right now we see more tools than adoption, but the adoption is always following the tooling. And I think it already proves itself. So we have just a very interesting talk this morning about the OpenSSL vulnerability, which was I think around Halloween, which came out and everyone thought that it's going to be a critical issue for the whole cloud native and internet infrastructure and at the end it turned out to be a lesser problem, but the reason why I think it was understood that to be a lesser problem real soon was that because people started to use (indistinct) store software composition information in the environment so security teams could look into, look up in their systems okay, what, where they're using OpenSSL, which version they are using. It became really soon real clear that this version is not adopted by a wide array of software out there so the tech surface is relatively small and I think it already proved itself that the direction if everyone is talking about. >> Yeah, we agree, we're very bullish on this move from the Cloud Native Foundation CNCF that do the security conference. Amazon Web Services has re:Invent. That's their big show, but they also have re:Inforce, the security show, so clearly they work together. I like the decoupling, very cohesive. But you guys have Kubescape of Kubernetes security. Talk about the conversations that are there and that you're hearing around why there's different event what's different around KubeCon and CloudNativeCon than this Cloud Native SecurityCon. It's not called KubeSucSecCon, it's called Cloud Native SecurityCon. What's the difference? Are people confused? Is it clear? What's the difference between the two shows? What are you hearing? >> So I think that, you know, there is a good question. Okay, where is Cloud Native Computing Foundation came from? Obviously everyone knows that it was somewhat coupled with the adoption of Kubernetes. It was a clear understanding in the industry that there are different efforts where the industry needs to come together without looking be very vendor-specific and try to sort out a lot of issues in order to enable adoption and bring great value and I think that the main difference here between KubeCon and the Cloud Native Security Conference is really the focus, and not just on Kubernetes, but the whole ecosystem behind that. The way we are delivering software, the way we are monitoring software, and all where Kubernetes is only just, you know, maybe the biggest clog in the system, but, you know, just one of the others and it gives great overview of what you have in the whole ecosystem. >> Yeah, I think it's a good call. I would add that what I'm hearing too is that security is so critical to the business model of every company. It's so mainstream. The hackers have a great business model. They make money, their costs are lower than the revenue. So the business of hacking in breaches, ransomware all over the place is so successful that they're playing offense, everyone's playing defense, so it's about time we can get focus to really be faster and more nimble and agile on solving some of these security challenges in open source. So I think that to me is a great focus and so I give total props to the CNC. I call it the event operating system. You got the security group over here decoupled from the main kernel, but they work together. Good call and so this brings back up to some of the things that are going on so I have to ask you, as your startup as a CTO, you guys have the Kubescape platform, how do you guys fit into the landscape and what's different from your tools for Kubernetes environments versus what's out there? >> So I think that our journey is really interesting in the solution space because I think that our mode really tries to understand where security can meet the actual adoption because as you just said, somehow we have to sort out together how security is going to be automated and integrated in its best way. So Kubescape project started as a Kubernetes security posture tool. Just, you know, when people are really early in their adoption of Kubernetes systems, they want to understand whether the installation is is secure, whether the basic configurations are look okay, and giving them instant feedback on that, both in live systems and in the CICD, this is where Kubescape came from. We started as an open source project because we are big believers of open source, of the power of open source security, and I can, you know I think maybe this is my first interview when I can say that Kubescape was accepted to be a CNCF Sandbox project so Armo was actually donating the project to the CNCF, I think, which is a huge milestone and a great way to further the adoption of Kubernetes security and from now on we want to see where the users in Armo and Kubescape project want to see where the users are going, their Kubernetes security journey and help them to automatize, help them to to implement security more fast in the way the developers are using it working. >> Okay, if you don't mind, I want to just get clarification. What's the difference between the Armo platform and Kubescape because you have Kubescape Sandbox project and Armo platform. Could you talk about the differences and interaction? >> Sure, Kubescape is an open source project and Armo platform is actually a managed platform which runs Kubescape in the cloud for you because Kubescape is part, it has several parts. One part is, which is running inside the Kubernetes cluster in the CICD processes of the user, and there is another part which we call the backend where the results are stored and can be analyzed further. So Armo platform gives you managed way to run the backend, but I can tell you that backend is also, will be available within a month or two also for everyone to install on their premises as well, because again, we are an open source company and we are, we want to enable users, so the difference is that Armo platform is a managed platform behind Kubescape. >> How does Kubescape differ from closed proprietary sourced solutions? >> So I can tell you that there are closed proprietary solutions which are very good security solutions, but I think that the main difference, if I had to pick beyond the very specific technicalities is the worldview. The way we see that our user is not the CISO. Our user is not necessarily the security team. From our perspective, the user is the DevOps and the developers who are working on the Kubernetes cluster day to day and we want to enable them to improve their security. So actually our approach is more developer-friendly, if I would need to define it very shortly. >> What does this risk calculation score you guys have in Kubscape? That's come up and we cover that in our story. Can you explain to the folks how that fits in? Is it Kubescape is the platform and what's the benefit, what's the purpose? >> So the risk calculation is actually a score we are giving to clusters in order for the users to understand where they are standing in the general population, how they are faring against a perfect hardened cluster. It is based on the number of different tests we are making. And I don't want to go into, you know, the very specifics of the mathematical functions, but in general it takes into account how many functions are failing, security tests are failing inside your cluster. How many nodes you are having, how many workloads are having, and creating this number which enables you to understand where you are standing in the global, in the world. >> What's the customer value that you guys pitching? What's the pitch for the Armo platform? When you go and talk to a customer, are they like, "We need you." Do they come to you? Is it word of mouth? You guys have a strategy? What's the pitch? What's so appealing to the customers? Why are they enthusiastic about you guys? >> So John, I can tell you, maybe it's not so easy to to say the words, but I nearly 20 years in the industry and though I've been always around cyber and the defense industry and I can tell you that I never had this journey where before where I could say that the the customers are coming to us and not we are pitching to customers. Simply because people want to, this is very easy tool, very very easy to use, very understandable and it very helps the engineers to improve security posture. And they're coming to us and they're saying, "Well, awesome, okay, how we can like use it. Do you have a graphical interface?" And we are pointing them to the Armor platform and they are falling in love and coming to us even more and we can tell you that we have a big number of active users behind the platform itself. >> You know, one of the things that comes up every time at KubeCon and Cloud NativeCon when we're there, and we'll be in Amsterdam, so folks watching, you know, we'll see onsite, developer productivity is like the number one thing everyone talks about and security is so important. It's become by default a blocker or anchor or a drag on productivity. This is big, the things that you're mentioning, easy to use, engineering supporting it, developer adoption, you know we've always said on theCUBE, developers will be the de facto standards bodies by their choices 'cause developers make all the decisions. So if I can go faster and I can have security kind of programmed in, I'm not shifting left, it's just I'm just having security kind of in there. That's the dream state. Is that what you guys are trying to do here? Because that's the nirvana, everyone wants to do that. >> Yeah, I think your definition is like perfect because really we had like this, for a very long time we had this world where we decoupled security teams from developers and even for sometimes from engineering at all and I think for multiple reasons, we are more seeing a big convergence. Security teams are becoming part of the engineering and the engineering becoming part of the security and as you're saying, okay, the day-to-day world of developers are becoming very tangled up in the good way with security, so the think about it that today, one of my developers at Armo is creating a pull request. He's already, code is already scanned by security scanners for to test for different security problems. It's already, you know, before he already gets feedback on his first time where he's sharing his code and if there is an issue, he already can solve it and this is just solving issues much faster, much cheaper, and also you asked me about, you know, the wipe in the conference and we know no one can deny the current economic wipe we have and this also relates to security teams and security teams has to be much more efficient. And one of the things that everyone is talking, okay, we need more automation, we need more, better tooling and I think we are really fitting into this. >> Yeah, and I talked to venture capitalists yesterday and today, an angel investor. Best time for startup is right now and again, open source is driving a lot of value. Ben, it's been great to have you on and sharing with us what's going on on the ground there as well as talking about some of the traction you have. Just final question, how old's the company? How much funding do you have? Where you guys located? Put a plug in for the company. You guys looking to hire? Tell us about the company. Were you guys located? How much capital do you have? >> So, okay, the company's here for three years. We've passed a round last March with Tiger and Hyperwise capitals. We are located, most of the company's located today in Israel in Tel Aviv, but we have like great team also in Ukraine and also great guys are in Europe and right now also Craig Box joined us as an open source VP and he's like right now located in New Zealand, so we are a really global team, which I think it's really helps us to strengthen ourselves. >> Yeah, and I think this is the entrepreneurial equation for the future. It's really great to see that global. We heard that in Priyanka Sharma's keynote. It's a global culture, global community. >> Right. >> And so really, really props you guys. Congratulations on Armo and thanks for coming on theCUBE and sharing insights and expertise and also what's happening on the ground. Appreciate it, Ben, thanks for coming on. >> Thank you, John. >> Okay, cheers. Okay, this is CUB coverage here of the Cloud Native SecurityCon in North America 2023. I'm John Furrier for Lisa Martin, Dave Vellante. We're back with more of wrap up of the event after this short break. (gentle upbeat music)

(upbeat music) >> Okay, welcome back everyone in live coverage here at theCUBE, Boston, Massachusetts, for AWS re:inforce 22 security conference for Amazon Web Services. Obviously reinvent the end of the years' the big celebration, "re:Mars" is the new show that we've covered as well. The res are here with theCUBE. I'm John Furrier, host with a great guest, Ameesh Divatia, co-founder, and CEO of a company called "Baffle." Ameesh, thanks for joining us on theCUBE today, congratulations. >> Thank you. It's good to be here. >> And we got the custom encrypted socks. >> Yup, limited edition >> 64 bitter 128. >> Base 64 encoding. >> Okay.(chuckles) >> Secret message in there. >> Okay.(chuckles) Secret message.(chuckles) We'll have to put a little meme on the internet, figure it out. Well, thanks for comin' on. You guys are goin' hot right now. You guys a hot startup, but you're in an area that's going to explode, we believe. >> Yeah. >> The SuperCloud is here, we've been covering that on theCUBE that people are building on top of the Amazon Hyperscalers. And without the capex, they're building platforms. The application tsunami has come and still coming, it's not stopping. Modern applications are faster, they're better, and they're driving a lot of change under the covers. >> Absolutely. Yeah. >> And you're seeing structural change happening in real time, in ops, the network. You guys got something going on in the encryption area. >> Yes >> Data. Talk about what you guys do. >> Yeah. So we believe very strongly that the next frontier in security is data. We've had multiple waves in security. The next one is data, because data is really where the threats will persist. If the data shows up in the wrong place, you get into a lot of trouble with compliance. So we believe in protecting the data all the way down at the field, or record level. That's what we do. >> And you guys doing all kinds of encryption, or other things? >> Yes. So we do data transformation, which encompasses three different things. It can be tokenization, which is format preserving. We do real encryption with counter mode, or we can do masked views. So tokenization, encryption, and masking, all with the same platform. >> So pretty wide ranging capabilities with respect to having that kind of safety. >> Yes. Because it all depends on how the data is used down the road. Data is created all the time. Data flows through pipelines all the time. You want to make sure that you protect the data, but don't lose the utility of the data. That's where we provide all that flexibility. >> So Kurt was on stage today on one of the keynotes. He's the VP of the platform at AWS. >> Yes. >> He was talking about encrypts, everything. He said it needs, we need to rethink encryption. Okay, okay, good job. We like that. But then he said, "We have encryption at rest." >> Yes. >> That's kind of been there, done that. >> Yes. >> And, in-flight? >> Yeah. That's been there. >> But what about in-use? >> So that's exactly what we plug. What happens right now is that data at rest is protected because of discs that are already self-encrypting, or you have transparent data encryption that comes native with the database. You have data in-flight that is protected because of SSL. But when the data is actually being processed, it's in the memory of the database or datastore, it is exposed. So the threat is, if the credentials of the database are compromised, as happened back then with Starwood, or if the cloud infrastructure is compromised with some sort of an insider threat like a Capital One, that data is exposed. That's precisely what we solve by making sure that the data is protected as soon as it's created. We use standard encryption algorithms, AES, and we either do format preserving, or true encryption with counter mode. And that data, it doesn't really matter where it ends up, >> Yeah. >> because it's always protected. >> Well, that's awesome. And I think this brings up the point that we want been covering on SiliconAngle in theCUBE, is that there's been structural change that's happened, >> Yes. >> called cloud computing, >> Yes. >> and then hybrid. Okay. Scale, role of data, higher level abstraction of services, developers are in charge, value creations, startups, and big companies. That success is causing now, a new structural change happening now. >> Yes. >> This is one of them. What areas do you see that are happening right now that are structurally changing, that's right in front of us? One is, more cloud native. So the success has become now the problem to solve - >> Yes. >> to get to the next level. >> Yeah. >> What are those, some of those? >> What we see is that instead of security being an afterthought, something that you use as a watchdog, you create ways of monitoring where data is being exposed, or data is being exfiltrated, you want to build security into the data pipeline itself. As soon as data is created, you identify what is sensitive data, and you encrypt it, or tokenize it as it flows into the pipeline using things like Kafka plugins, or what we are very clearly differentiating ourselves with is, proxy architectures so that it's completely transparent. You think you're writing to the datastore, but you're actually writing to the proxy, which in turn encrypts the data before its stored. >> Do you think that's an efficient way to do it, or is the only way to do it? >> It is a much more efficient way of doing it because of the fact that you don't need any app-dev resources. There are many other ways of doing it. In fact, the cloud vendors provide development kits where you can just go do it yourself. So that is actually something that we completely avoid. And what makes it really, really interesting is that once the data is encrypted in the data store, or database, we can do what is known as "Privacy Enhanced Computation." >> Mm. >> So we can actually process that data without decrypting it. >> Yeah. And so proxies then, with cloud computing, can be very fast, not a bottleneck that could be. >> In fact, the cloud makes it so. It's very hard to - >> You believe that? >> do these things in static infrastructure. In the cloud, there's infinite amount of processing available, and there's containerization. >> And you have good network. >> You have very good network, you have load balancers, you have ways of creating redundancy. >> Mm. So the cloud is actually enabling solutions like this. >> And the old way, proxies were seen as an architectural fail, in the old antiquated static web. >> And this is where startups don't have the baggage, right? We didn't have that baggage. (John laughs) We looked at the problem and said, of course we're going to use a proxy because this is the best way to do this in an efficient way. >> Well, you bring up something that's happening right now that I hear a lot of CSOs and CIOs and executives say, CXOs say all the time, "Our", I won't say the word, "Our stuff has gotten complicated." >> Yes. >> So now I have tool sprawl, >> Yeah. >> I have skill gaps, and on the rise, all these new managed services coming at me from the vendors who have never experienced my problem. And their reaction is, they don't get my problem, and they don't have the right solutions, it's more complexity. They solve the complexity by adding more complexity. >> Yes. I think we, again, the proxy approach is a very simple. >> That you're solving that with that approach. >> Exactly. It's very simple. And again, we don't get in the way. That's really the the biggest differentiator. The forcing function really here is compliance, right? Because compliance is forcing these CSOs to actually adopt these solutions. >> All right, so love the compliance angle, love the proxy as an ease of use, take the heavy lifting away, no operational problems, and deviations. Now let's talk about workloads. >> Yeah. >> 'Cause this is where the use is. So you got, or workloads being run large scale, lot a data moving around, computin' as well. What's the challenge there? >> I think it's the volume of the data. Traditional solutions that we're relying on legacy tokenizations, I think would replicate the entire storage because it would create a token wall, for example. You cannot do that at this scale. You have to do something that's a lot more efficient, which is where you have to do it with a cryptography approach. So the workloads are diverse, lots of large files in the workloads as well as structured workloads. What we have is a solution that actually goes across the board. We can do unstructured data with HTTP proxies, we can do structured data with SQL proxies. And that's how we are able to provide a complete solution for the pipeline. >> So, I mean, show about the on-premise versus the cloud workload dynamic right now. Hybrid is a steady state right now. >> Yeah. >> Multi-cloud is a consequence of having multiple vendors, not true multi-cloud but like, okay, they have Azure there, AWS here, I get that. But hybrid really is the steady state. >> Yes. >> Cloud operations. How are the workloads and the analytics the data being managed on-prem, and in the cloud, what's their relationship? What's the trend? What are you seeing happening there? >> I think the biggest trend we see is pipelining, right? The new ETL is streaming. You have these Kafka and Kinesis capabilities that are coming into the picture where data is being ingested all the time. It is not a one time migration. It's a stream. >> Yeah. >> So plugging into that stream is very important from an ingestion perspective. >> So it's not just a watchdog. >> No. >> It's the pipelining. >> It's built in. It's built-in, it's real time, that's where the streaming gets another diverse access to data. >> Exactly. >> Data lakes. You got data lakes, you have pipeline, you got streaming, you mentioned that. So talk about the old school OLTP, the old BI world. I think Power BI's like a $30 billion product. >> Yeah. >> And you got Tableau built on OLTP building cubes. Aren't we just building cubes in a new way, or, >> Well. >> is there any relevance to the old school? >> I think there, there is some relevance and in fact that's again, another place where the proxy architecture really helps, because it doesn't matter when your application was built. You can use Tableau, which nobody has any control over, and still process encrypted data. And so can with Power BI, any Sequel application can be used. And that's actually exactly what we like to. >> So we were, I was talking to your team, I knew you were coming on, and they gave me a sound bite that I'm going to read to the audience and I want to get your reaction to. >> Sure. >> 'Cause I love this. I fell out of my chair when I first read this. "Data is the new oil." In 2010 that was mentioned here on theCUBE, of course. "Data is the new oil, but we have to ensure that it does not become the next asbestos." Okay. That is really clever. So we all know about asbestos. I add to the Dave Vellante, "Lead paint too." Remember lead paint? (Ameesh laughs) You got to scrape it out and repaint the house. Asbestos obviously causes a lot of cancer. You know, joking aside, the point is, it's problematic. >> It's the asset. >> Explain why that sentence is relevant. >> Sure. It's the assets and liabilities argument, right? You have an asset which is data, but thanks to compliance regulations and Gartner says 75% of the world will be subject to privacy regulations by 2023. It's a liability. So if you don't store your data well, if you don't process your data responsibly, you are going to be liable. So while it might be the oil and you're going to get lots of value out of it, be careful about the, the flip side. >> And the point is, there could be the "Grim Reaper" waiting for you if you don't do it right, the consequences that are quantified would be being out of business. >> Yes. But here's something that we just discovered actually from our survey that we did. While 93% of respondents said that they have had lots of compliance related effects on their budgets. 75% actually thought that it makes them better. They can use the security postures as a competitive differentiator. That's very heartening to us. We don't like to sell the fear aspect of this. >> Yeah. We like to sell the fact that you look better compared to your neighbor, if you have better data hygiene, back to the. >> There's the fear of missing out, or as they say, "Keeping up with the Joneses", making sure that your yard looks better than the next one. I get the vanity of that, but you're solving real problems. And this is interesting. And I want to get your thoughts on this. I found, I read that you guys protect more than a 100 billion records across highly regulated industries. Financial services, healthcare, industrial IOT, retail, and government. Is that true? >> Absolutely. Because what we are doing is enabling SaaS vendors to actually allow their customers to control their data. So we've had the SaaS vendor who has been working with us for over three years now. They store confidential data from 30 different banks in the country. >> That's a lot of records. >> That's where the record, and. >> How many customers do you have? >> Well, I think. >> The next round of funding's (Ameesh laughs) probably they're linin' up to put money into you guys. >> Well, again, this is a very important problem, and there are, people's businesses are dependent on this. We're just happy to provide the best tool out there that can do this. >> Okay, so what's your business model behind? I love the success, by the way, I wanted to quote that stat to one verify it. What's the business model service, software? >> The business model is software. We don't want anybody to send us their confidential data. We embed our software into our customers environments. In case of SaaS, we are not even visible, we are completely embedded. We are doing other relationships like that right now. >> And they pay you how? >> They pay us based on the volume of the data that they're protecting. >> Got it. >> That in that case which is a large customers, large enterprise customers. >> Pay as you go. >> It is pay as you go, everything is annual licenses. Although, multi-year licenses are very common because once you adopt the solution, it is very sticky. And then for smaller customers, we do base our pricing also just on databases. >> Got it. >> The number of databases. >> And the technology just reviewed low-code, no-code implementation kind of thing, right? >> It is by definition, no code when it comes to proxy. >> Yeah. >> When it comes to API integration, it could be low code. Yeah, it's all cloud-friendly, cloud-native. >> No disruption to operations. >> Exactly. >> That's the culprit. >> Well, yeah. >> Well somethin' like non-disruptive operations.(laughs) >> No, actually I'll give an example of a migration, right? We can do live migrations. So while the databases are still alive, as you write your. >> Live secure migrations. >> Exactly. You're securing - >> That's the one that manifests. >> your data as it migrates. >> Awright, so how much funding have you guys raised so far? >> We raised 36 and a half, series A, and B now. We raised that late last year. >> Congratulations. >> Thank you. >> Who's the venture funders? >> True Ventures is our largest investor, followed by Celesta Capital, National Grid Partners is an investor, and so is Engineering Capital and Clear Vision Ventures. >> And the seed and it was from Engineering? >> Seed was from Engineering. >> Engineering Capital. >> And then True came in very early on. >> Okay. >> Greenspring is also an investor in us, so is Industrial Ventures. >> Well, privacy has a big concern, big application for you guys. Privacy, secure migrations. >> Very much so. So what we are believe very strongly in the security's personal, security is yours and my data. Privacy is what the data collector is responsible for. (John laughs) So the enterprise better be making sure that they've complied with privacy regulations because they don't tell you how to protect the data. They just fine you. >> Well, you're not, you're technically long, six year old start company. Six, seven years old. >> Yeah. >> Roughly. So yeah, startups can go on long like this, still startup, privately held, you're growing, got big records under management there, congratulations. What's next? >> I think scaling the business. We are seeing lots of applications for this particular solution. It's going beyond just regulated industries. Like I said, it's a differentiating factor now. >> Yeah >> So retail, and a lot of other IOT related industrial customers - >> Yeah. >> are also coming. >> Ameesh, talk about the show here. We're at re:inforce, actually we're live here on the ground, the show floor buzzing. What's your takeaway? What's the vibe this year? What if you had to share what your opinion the top story here at the show, what would be the two top things, or three things? >> I think it's two things. First of all, it feels like we are back. (both laugh) It's amazing to see people on the show floor. >> Yeah. >> People coming in and asking questions and getting to see the product. The second thing that I think is very gratifying is, people come in and say, "Oh, I've heard of you guys." So thanks to digital media, and digital marketing. >> They weren't baffled. They want baffled. >> Exactly. >> They use baffled. >> Looks like, our outreach has helped, >> Yeah. >> and has kept the continuity, which is a big deal. >> Yeah, and now you're a CUBE alumni, welcome to the fold. >> Thank you. >> Appreciate you coming on. And we're looking forward to profiling you some day in our startup showcase, and certainly, we'll see you in the Palo Alto studios. Love to have you come in for a deeper dive. >> Sounds great. Looking forward to it. >> Congratulations on all your success, and thanks for coming on theCUBE, here at re:inforce. >> Thank you, John. >> Okay, we're here in, on the ground live coverage, Boston, Massachusetts for AWS re:inforce 22. I'm John Furrier, your host of theCUBE with Dave Vellante, who's in an analyst session, right? He'll be right back with us on the next interview, coming up shortly. Thanks for watching. (gentle music)

>>From Las Vegas. It's the cube covering Qualis security conference 2019 you buy quality. >>Hey, welcome back. You're ready. Jeff Frick here with the cube. We're in Las Vegas at the Bellagio, at the quality security conference. It's the 19th year they've been doing this. It's our first year here and we're excited to be here and it's great to have a veteran who's been in this space for so long, to give a little bit more of a historical perspective as to what happened in the past and where we are now and what can we look forward to in the future. So coming right off his keynote is Felipe korto, the chairman and CEO of Qualys. Phillip, great to see you. Thank you. Same, same, same for me. Absolutely. So you touched on so many great, um, topics in your conversation about kind of the shifts of, of, of modern computing from the mainframe to the mini. We've heard it over and over and over, but the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. So how has the evolution of architects of architectures impacted your ability to deliver security solutions for your clients? >>So now that's a very good question. And in fact, you know, what happened is that we started in 1999 with a vision that we could use exactly like a salesforce.com this nascent internet technologies and apply that to security. And uh, so, and mod when you have applied that to essentially changing the way CRM was essentially used and deployed in enterprises and with a fantastic success as we know. So for us, the, I can say today that 19 years later the vision was right. It took a significant longer because the security people are not really, uh, warm at the idea of silently, uh, having the data in their view, which was in place that they could not control. And the it people, they didn't really like at all the fact that suddenly they were not in control anymore of the infrastructure. So we had a lot of resistance. >>I, wherever we always, I always believe, absolutely believe that the, the cloud will be the cloud architecture to go back. A lot of people make the confusion. That was part of the confusion that for people it was a cloud, that kind of magical things someplace would you don't know where. And when I were trying to explain, and I've been saying that so many times that well you need to look at the cloud like compute that can architecture which distribute the competing power far more efficiently than the previous one, which was client server, which was distributing the convening power far better than of course the mainframes and the mini computers. And so if you look at their architectures, so the mainframe were essentially big data centers in uh, in Fort Knox, like settings, uh, private lines of communication to a dump terminal. And of course security was not really issue then because it's security was built in by the IBM's and company. >>Same thing with the mini computer, which then was instead of just providing the computing power to the large, very large company, you could afford it. Nelson and the minicomputer through the advanced in semiconductor technology could reduce a foot Frank. And then they'll bring that computing power to the labs and to the departments. And was then the new era of the digital equipment, the prime, the data general, et cetera. Uh, and then kind of server came in. So what client server did, again, if you look at the architecture, different architecture now silently servers, the land or the internal network and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to, so everybody, nobody paid attention to security because then you were inside of the enterprise. So it started inside the walls of the castle if you prefer. >>So nobody paid attention to that. It was more complex because now you have multiple actors. Instead of having one IBM or one digital equipment, et cetera, suddenly you have the people in manufacturing and the servers, the software, the database, the PCs, and on announcer, suddenly there was the complexity, increasing efficiency, but nobody paid attention to security because it wasn't a needed until suddenly we realized that viruses could come in through the front door being installed innocently. You were absolutely, absolutely compromised. And of course that's the era of the antivirus which came in. And then because of the need to communicate more and more now, Senator, you could not stay only in your castle. You needed to go and communicate to your customers, to your suppliers, et cetera, et cetera. And now he was starting to open up your, your castle to the world and hello so now so that the, the bad guy could come in and start to steal your information. >>And that was the new era of the forward. Now you make sure that those who come in, but of course that was a little bit naive because there were so many other doors and windows, uh, that people could come in, you know, create tunnels and create these and all of that trying to ensure your customers because the data was becoming more and more rich and more, more important or more value. So whenever there is a value, of course the bad guys are coming in to try to sell it. And that was that new era of a willing to pay attention to security. The problem has been is because you have so many different actors, there was nothing really central there that was just selling more and more solutions and no, absolutely like 800 vendors bolting on security, right? And boating on anything is short-lived at the end of the day because you put more and more weight and then you also increase the complexity and all these different solutions you need. >>They need to talk together so you have a better context. Uh, but they want the design to talk together. So now you need to put other system where they could communicate that information. So you complicated and complicated and complicated the solution. And that's the problem of today. So now cloud computing comes in and again, if you look at the architecture of cloud computing, it's again data centers, which is not today I've become thanks to the technology having infinite, almost competing power and storage capabilities. And like the previous that I sent her, the are much more fractured because you just one scale and they become essentially a little bit easier to secure. And by the way, it's your fewer vendors now doing that. And then of course the access can be controlled better. Uh, and then of course the second component is not the land and the one, it's now the internet. >>And the internet of course is the web communications extremely cheap and it brings you an every place on the planet and soon in Morris, why not? So and so. Now the issue today is that still the internet needs to be secure. And today, how are we going to secure the internet? Which is very important thing today because you see today that you can spoof your email, you can spoof your website, uh, you can attack the DNS who, yes, there's a lot of things that the bad guys still do. And in fact, they've said that leverage the internet of course, to access everywhere so they take advantage of it. So now this is obviously, you know, I created the, the trustworthy movement many years ago to try to really address that. Unfortunately, the quality's was too small and it was not really our place today. There's all the Google, the Facebook, the big guys, which in fact their business depend on the internet. >>Now need to do that. And I upload or be diabetic, criticized very much so. Google was the first one to essentially have a big initiative, was trying to push SSL, which everybody understand is secret encryption if you prefer. And to everybody. So they did a fantastic job. They really push it. So now today's society is becoming like, okay, as I said, you want to have, as I said it all in your communication, but that's not enough. And now they are pushing and some people criticize them and I absolutely applaud them to say we need to change the internet protocols which were created at a time when security, you were transferring information from universities and so forth. This was the hay days, you know, of everything was fine. There was no bad guys, you know, the, he'd be days, if you like, of the internet. Everybody was free, everybody was up and fantastic. >>Okay. And now of course, today this protocol needs to be upgraded, which is a lot of work. But today I really believe that if you put Google, Amazon, Facebook altogether, and they can fix these internet protocols. So we could forget about the spoofing and who forgot about all these phishing and all these things. But this is their responsibility. So, and then you have now on the other side, you have now very intelligent devices from in a very simple sensors and you know, to sophisticated devices, the phone, that cetera and not more and more and more devices interconnected and for people to understand what is going. So this is the new environment and whether we always believe is that if you adopt an architecture, which is exactly which fits, which is similar, then we could instead of bolting security in, we can now say that the build security in a voting security on, we could build security in. >>And we have been very proud of the work that we've done with Microsoft, which we announced in fact relatively recently, very recently, that in fact our agent technologies now is bundled in Microsoft. So we have built security with Microsoft in. So from a security perspective today, if you go to the Microsoft as your secretly center, you click on the link and now you have the view of your entire Azure environment. Crazier for quality Sagent. You click on a second link and now you have the view of your significant loss posture, crazy of that same quality. Say Sagent and then you click on the third name with us. Nothing to do with quality. It's all Microsoft. You create your playbook and you remediate. So security in this environment has become click, click, click, nothing to install, nothing to update. And the only thing you bring are your policies saying, I don't want to have this kind of measured machine expose on the internet. >>I want, this is what I want. And you can continuously audit in essentially in real time, right? So as you can see, totally different than putting boxes and boxes and so many things and then having to for you. So very big game changer. So the analogy that I want you that I give to people, it's so people don't understand that paradigm shift is already happening in the way we secure our homes. You put sensors everywhere, you have cameras, you have detection for proximity detection. Essentially when somebody tried to enter your home, all that data is continuously pumped up into an incidence restaurant system. And then from your phone, again across the internet, you can change the temperature of your rooms. You can do what you can see the person who knocks on the door. You can see its face, you can open the door, close the door, the garage door, you can do all of that remotely, another medically. >>And then if there's a burglar then in your house to try to raking immediately the incidents or some system called the cops or the far Marsha difficult fire. And that's the new paradigm. So security has to follow that paradigm. And then you have interesting of the problem today that we see with all the current secretly uh, systems, uh, incidents, response system. They have a lot of false positive, false positive and false negative are the enemy really of security. Because if you are forced visited, you cannot automate the response because then you are going to try to respond to something that is not true. So you are, you could create a lot of damage. And the example I give you that today in the, if you leave your dog in your house and if you don't have the ability, the dog will bark, would move. And then the sensors would say intruder alert. >>So that's becomes a false positive. So how do you eliminate that? By having more context, you can eliminate automatically again, this false positives. Like now you take a fingerprint of your dog and of these voice and now the camera and this and the sensors and the voice can pick up and say, Oh, this is my dog. So then of course you eliminate that for solar, right? Right. Now even if another dog managed to enter your home through a window which was open or whatever for soul, you will know her window was up and but you know you cannot necessarily fix it and the dog opens. Then you will know it's a, it's a, it's not sure about, right? So that's what security is evolving such a huge sea of change, which is happening because of all that internet and today companies today, after leveraging new cloud technology, which are coming, there's so much new technology. >>What people understand is where's that technology coming from? How come silently we have, you know, Dockers netics all these solutions today, which are available at almost no cost because it's all open source. So what happened is that, which is unlike the enterprise software, which were more the Oracle et cetera, the manufacturer of that software today is in fact the cloud public cloud vendors, the Amazon, the Google, the Facebook, the Microsoft. We suddenly needed to have to develop new technology so they could scale at the size of the planet. And then very shrewdly realized that effective that technology for me, I'm essentially going to imprison that technology is not going to evolve. And then I need other technologies that are not developing. So they realized that they totally changed that open source movement, which in the early days of opensource was more controlled by people who had more purity. >>If you prefer no commercial interests, it was all for the good of the civilization and humankind. And they say their licensing model was very complex. So they simplified all of that. And then nothing until you had all this technology coming at you extremely fast. And we have leverage that technology, which was not existing in the early days when when socials.com started with the Linux lamp pour called what's called Linux Apache. My SQL and PHP, a little bit limiting, but now suddenly all this technology, that classic search was coming, we today in our backend, 3 trillion data points on elastic search clusters and we return inflammation in a hundred milliseconds. And then onto the calf cabin, which is again something at open source. We, we, we, and now today 5 million messages a day and on and on and on. So the world is changing and of course, if that's what it's called now, the digital transformation. >>So now enterprises to be essentially agile, to reach out to the customers better and more, they need to embrace the cloud as the way they do, retool their entire it infrastructure. And essentially it's a huge sea of change. And that's what we see even the market of security just to finish, uh, now evolving in a totally different ways than the way it has been, which in the past, the market of security was essentially the market for the enterprise. And I'm bringing you my, my board, my board town solutions that you have to go and install and make work, right? And then you had the, the antivirus essentially, uh, for all the consumers and so forth. So today when we see the marketplace, which is fragmenting in four different segments, which is one is the large enterprise which are going to essentially consolidate those stock, move into the digital transformation, leveraging absolutely dev ops, which isn't becoming the new buyer and of course a soak or they could improve, uh, their it for, to reach out to more customers and more effectively than the cloud providers as I mentioned earlier, which are building security in the, no few use them. >>You don't have to worry about infrastructure, about our mini servers. You need, I mean it is, it's all done for you. And same thing about security, right? The third market is going to be an emergence of a new generation of managed security service providers, which are going to take to all these companies. We don't have enough resources. Okay, don't worry, I'm going to help you, you know, do all that digital transformation. And that if you build a security and then there's a totally new market of all these devices, including the phone, et cetera, which connects and that you essentially want to all these like OT and IOT devices that are all now connected, which of course presents security risk. So you need to also secure them, but you also need to be able to also not only check their edits to make sure that, okay, because you cannot send people anymore. >>So you need to automate the same thing on security. If you find that that phone is compromised, you need to make, to be able to make immediate decisions about should I kill that phone, right? Destroyed everything in it. Should I know don't let that phone connect anymore to my networks. What should I do? Should I, by the way detected that they've downloaded the application, which are not allowed? Because what we see is more and more companies now are giving tablets, do the users. And in doing so now today's the company property. So they could say, okay, you use these tablets and uh, you're not allowed to do this app. So you could check all of that and then automatically remote. But that again requires a full visibility on what you are. And that's why just to finish, we make a big decision about a few, three months ago that we have, we build the ability for any company on the planet to automatically build their entire global HSE inventory, which nobody knows what they have in that old networking environment. >>You don't know what connects to have the view of the known and the unknown, totally free of charge, uh, across on premise and pawn cloud containers, uh, uh, uh, whether vacations, uh, OT and IOT devices to come. So now there's the cornerstone of security. So with that totally free. So, and then of course we have all these additional solutions and we're build a very scalable, uh, up in platform where we can take data in, pass out data as well. So we really need to be and want to be good citizen here because security at the end of the day, it's almost like we used to say like the doctors, you have to have that kind of apricot oath that you cannot do no arm. So if you keep, if you try to take the data that you have, keep it with you, that's absolutely not right because it's the data of your customers, right? >>So, and you have to make sure that it's there. So you have to be a good warning of the data, but you have to make sure that the customer can absolutely take that data to whatever he wants with it, whatever he needs to do. So that's the kind of totally new field as a fee. And finally today there is a new Ash culture change, which is, which is happening now in the companies, is that security has become fronted centers, is becoming now because of GDPR, which has a huge of financial could over you challenge an impact on a company. A data breach can have a huge financial impact. Security has become a board level. More and more social security is changing and now it's almost like companies, if they want to be successful in the future, they need to embrace a culture of security. And now what I used to say, and that was the, the conclusion of my talk is that now, today it DevOps, uh, security compliance, people need to unite. Not anymore. The silos. I do that. This is my, my turf, my servers. You do that, you do this. Everybody in the company can work. I have to work together towards that goal. And the vendors need to also start to inter operate as well and working with our customers. So it's a tall, new mindset, which is happening, but the safes are big. That's what I'm very confident that we're now into that. Finally, we thought, I thought it would have happened 10 years ago, quite frankly. And uh, but now today's already happening. >>She touched on a lot, a lot there. And I'll speak for another two hours if we could. We could go for Tara, but I want to, I want to unpack a couple of things. We've had James Hamilton on you to at AWS. Um, CTO, super smart guy and it was, it was at one of his talks where it really was kind of a splash, a wet water in the face when he talked about the amount of resources Amazon could deploy to just networking or the amount of PhD power he could put on, you know, any little tiny sub segment of their infrastructure platform where you just realize that you just can't, you can't compete, you cannot put those kinds of resources as an individual company in any bucket. So the inevitability of the cloud model is just, it's, it's the only way to leverage those resources. But because of that, how has, how has that helped you guys change your market? How nice is it for you to be able to leverage infrastructure partners? Like is your bill for go to market as well as feature sets? And also, you know, because the other piece they didn't talk about is the integration of all these things. Now they all work together. Most apps are collection of API APIs. That's also changed. So when you look at the cloud provider GCP as well, how does that help you deliver value to your customers? >>Yeah, but the, the, the, the club, they, they don't do everything. You know, today what is interesting is that the clubs would start to specialize themselves more and more. So for example, if you look at Amazon, the, the core value of Amazon since the beginning has been elastic computing. Uh, now today we should look at Microsoft. They leverage their position and they really have come up with a more enterprise friendly solution. And now Google is trying to find also their way today. And so then you have Addy Baba, et cetera. So these are the public cloud, but life is not uniform like is by nature. Divers life wants to leave lunch to find better ways. We see that that's what we have so many different species and it just ended up. So I've also the other phenomena of companies also building their own cloud as well. >>So the word is entering into a more hybrid cloud. And the technology is evolving very fast as well. And again, I was selling you all these open source software. There's a bigger phenomenon at play, which I used to say that people don't really understand that much wood, but it's so obvious is if you look at the printing price, that's another example that gives the printing price essentially allowed, as we all know, to distribute the gospel, which has some advantage of, you know, creating more morality, et cetera. But then what people don't know for the most part, it distributed the treaties of the Arabs on technology, the scientif treaties, because the archives, which were very thriving civilization at the time, I'd collected all the, all the, all the information from India, from many other places and from China and from etc. And essentially at the time all of Europe was pretty in the age they really came up and it now certainty that scientific knowledge was distributed and that was in fact the seeds of the industrial revolution, which then you're up cat coats and use that and creating all these different technologies. >>So that confidence of this dimension of electricity and all of that created the industrial revolution seeded by now, today what is happening is that the internet is the new printing press, which now is distributing the knowledge that not to a few millions of people to billions of people. So the rate today of advancing technology is accelerating and it's very difficult. I was mentioning today, we know today that work and working against some quantum computing which are going to totally change things. Of course we don't know exactly how and you have also it's clear that today we could use genetic, uh, the, the, the, if you look at DNA, which stores so much information, so little place that we could have significant more, you know, uh, memory capabilities that lower costs. So we have embarked into absolutely a new world where things are changing. I've got a little girl, which is 12 years old and fundamentally that new generation, especially of girls, not boys, because the boys are still on, you know, at that age. >>Uh, they are very studious. They absorb so much information via YouTube. They are things like a security stream. They are so knowledgeable. And when you look back at history 2000 years plus ago in Greece, you at 95 plus percent of the population slaves. So a few percent could start to think now, today it's totally changed. And the amount of information they can, they learn. And this absolutely amazing. And you know, she, she's, I would tell you the story which has nothing to do with computing, but as a button, the knowledge of, she came to me the few, few weeks ago and she said, Oh daddy, I would like to make my mother more productive. Okay. So I said, Oh, that's her name is Avia, which is the, which is the, the, the either Greece or Zeus weathered here. And so I say, Evie, I, so that's a good idea. >>So how are you going to do it? I mean, our answer, I was flawed, but that is very simple. Just like with, for me, I'm going to ask her to go to YouTube to learn what she needs to learn. Exactly. And she learns, she draws very well. She learns how to draw in YouTube and it's not a gifted, she's a nice, very nice little girl and very small, but all her friends are like that. Right? So we're entering in a word, which thing are changing very, very fast. So the key is adaptation, education and democracy and democratization. Getting more people access to more. Absolutely. It's very, very important. And then kind of this whole dev ops continuous improve that. Not big. That's a very good point that you make because that's exactly today the new buyer today in security and in it is becoming the DevOps shipper. >>Because what? What are these people? There are engineers which suddenly create good code and then they want to of course ship their code and then all these old silos or you need to do these, Oh no, we need to put the new server, we don't have the capacity, et cetera. How is that going to take three months or a month? And then finally they find a way through, again, you know, all the need for scale, which was coming from the Google, from the Facebook and so forth. And by the way, we can shortcut all of that and we can create and we can run out to auto-ship, our code. Guess what are they doing today? They are learning how to secure all of that, right? So again, it's that ability to really learn and move. And today, uh, one of the problem that you alluded to is that, which the Amazon was saying is that their pick there, they have taken a lot of the talent resources in the U S today because of course they pay them extra to me, what? >>Of course they'll attract that talent. And of course there's now people send security. There's not enough people that even in, but guess what? We realized that few years ago in 2007, we'll make a big decision who say, well, never going to be able to attract the right people in the Silicon Valley. And we've started to go to India and we have now 750 people. And Jack Welch used to say, we went to India for the cost and discover the talent. We went to India for the talent and we discover the cost. And there is a huge pool of tenants. So it's like a life wants to continue to leave and now to, there are all these tools to learn, are there, look at the can Academy, which today if you want to go in nuclear physics, you can do that through your phone. So that ability to learn is there. So I think we need just more and more people are coming. So I'm a very optimistic in a way because I think the more we improve our technologies that we look at the progress we're making genetics and so everywhere and that confidence of technology is really creating a new way. >>You know, there's a lot of conversations about a dystopian future and a utopian future with all these technologies and the machines. And you know what? Hollywood has shown us with AI, you're very utopian side, very optimistic on that equation. What gives you, what gives you, you know, kind of that positive feeling insecurity, which traditionally a lot of people would say is just whack a mole. And we're always trying to chase the bad guys. Generally >>speaking, if I'm a topian in in a way. But on the other end, you'd need to realize that unfortunately when you have to technological changes and so forth, it's also create factors. And when you look at this story in Manatee, the same technological advancement that some countries to take to try to take advantage of fathers is not that the word is everything fine and everything peaceful. In fact, Richard Clark was really their kid always saying that, Hey, you know that there is a sinister side to all the internet and so forth. But that's the human evolution. So I believe that we are getting longterm. It's going to. So in the meantime there's a lot of changes and humans don't adapt well to change. And so that's in a way, uh, the big challenge we have. But I think over time we can create a culture of change and that will really help. And I also believe that probably at some point in time we will re-engineer the human race. >>All right, cool. We'll leave it there. That's going to launch a whole nother couple hours. They leave. Congratulations on the event and a great job on your keynote. Thanks for taking a few minutes with us. Alrighty. It's relief. I'm Jeff. You're watching the cube where the Qualice security conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.

>>from Las >>Vegas. It's the cues covering quality security Conference 2019 by quality. Hey, welcome back already, Jefe Rick here with the Cube were in Las Vegas at the Bellagio at the Kuala Security Conference. It's the 19th year they've been doing this. It's our first year here, and we're excited to be here. And it's great to have a veteran who's been in this space for so long to give a little bit more of historical perspective as to what happened in the past. Where we are now, what can we look forward to in the future? So coming right off its keynote is Felipe Quarto, the chairman and CEO of Qualities felt great. See, >>Thank you. Same. Same same for me. >>Absolutely. So you touched on so many great topics in your conversation about kind of the shifts of of modern computing, from the mainframe to the mini. We've heard it over and over and over. But the key message was really about architecture. If you don't have the right architecture, you can't have the right solution. How is the evolution of architects of architectures impacted your ability to deliver security solutions for your clients >>So no That's a very good question. And in fact, you know what happened is that we started in 1999 with the vision that we could use exactly like Salesforce. They'll come this nascent Internet technologies and apply that to security. And s and Marc Benioff applied that essentially changing the way serum was essentially used and deployed in enterprises and with a fantastic success as we know. So for us, the I can't say today that 19 years later the vision was right. It took a significant longer because the security people are not really, uh, warm at the idea of Senate Lee, uh, having the data interview which was in place that they could not control. And the i t people, they didn't really like a toll. The fact that certainly they were not in control anymore of the infrastructure. So whether a lot of resistance, I wever, we always I always believe, absolutely believe that the cloud will be the architecture to go back. A lot of people make the confusion That was part of the confusion that for people it was a cloud, that kind of magical things someplace would you don't know where and when I was trying to explain, and I've been saying that so many times that well, you need to look at the club like a computer that can architecture which distribute the computing power for more efficiently than the previous one, which was Clyde Server, which was distributing the computing power for better then, of course, the mainframes and minicomputers. And so if you look at their architecture's so the mainframe were essentially big data centers in in Fort Knox, like setting private lines of communication to damn terminal. And of course, security was not really an issue then, because it's a gritty was building by the IBM said company simply with the minicomputer, which then was, instead of just providing the computing power to the large, very large company could afford it. Now 70 the minicomputer through the advance and say, My conductor technology could reduce the food frank. And then I'll bring the company power to the labs and to the departments. And that was then the new era of the dish, your equipment, the primes, that General et cetera, Uh, and then conservative. So what client service did again? If you look at the architecture, different architectures now, incidently servers LAN or the Internet network and the PC, and that was now allowing to distribute the computing power to the people in the company. And so, but then you needed to so everybody. Nobody paid attention to security because then you were inside of the enterprise. So it starts inside the wars of the castle if you prefer. So nobody paid attention to that. It was more complex because now you have multiple actors instead of having one IBM or one desert equipped. But its center said, You have the people manufacturing the servers. The software that that obeys the PC is an unannounced excellently there was the complexity increased significantly, but nobody paid attention to security because it was not needed. Until suddenly we realized that viruses could come in through the front door being installed innocent. You were absolutely, absolutely compromised. And of course, that's the era of the anti VARS, which came in and then because of the need to communicate more more. Now, Senator, you could not stay only in your castle. You need to go and communicate your customers to your suppliers, et cetera, et cetera. And now you were starting to up and up your your castle to the word and a low now so that the bad guy could come in and start to steal your information. And that's what the new era of the far wall. Now you make sure that those who come in But of course, that was a bit naive because there were so many other doors and windows that people could come in, you know, create tunnels and these and over that transfer, insure your custard. Because the day I was becoming more, more rich and more more important, more value. So whatever this value, of course, the bad guys are coming in to try to sell it. And that was that new era off a win. Each of attention to security. The problem is being is because you have so many different actors. There was nothing really central there. Now. I just suddenly had Maura and more solutions, and now absolutely like 800 vendors. Boarding on security and boating on anything is shortly at the end of the day because you put more more weight, and then you also increasing complexity in all these different solutions. Didn't they need to talk together? So you have a better context, but they weren't designed to talk together. So now you need to put other system where they could communicate that information. So you complicated, complicated, complicated the solution. And that's the problem of today. So now cloud computing comes in and again. If you look at the architecture of cloud computing, it's again Data centers, which not today, have become, thanks to the technology, having infinite, almost company power and storage capabilities. And like the previous data center, there are much more fracture because you just once gave and they become essentially a bit easier to secure. And by the way, it's your fewer vendors now doing that. And then, of course, the access can be controlled better on then. Of course, the second component is that the land and the one it's now the Internet and the Internet, of course, eyes the Web communications extremely cheap, and it brings you in every place on the planet and soon in Morse. Why no so and so now. The issue today is that still the Internet needs to be secure, and today how are you going to secure the Internet? Which is very important thing today because you see today that you can spoof your image, you can spoof your website. You could attack the Deanna's who? Yes, there's a lot of things that the bad guy still do in fact, themselves that ever is the Internet, of course, to access everywhere, so they take advantage of it. So now this is obviously, you know, I created the trustworthy movement many years ago to try to really address that. Unfortunately, qualities was too small, and it was not really our place. Today there's all the Google, the Facebook, the big guys which contract their business, depend on the Internet. Now need to do that and I upload will be been criticised very much so. Google was the 1st 1 to essentially have a big initiative. I was trying to Bush SSL, which everybody understands secret encryption, if you prefer and to everybody. So they did a fantastic job, really push it. So now today's society is becoming like okay, it's a said. You want to have this a settle on your communication, but that's not enough. And now they're pushing and some people criticize them, and I absolutely applaud them to say we need to change the Internet protocols which were created at the time when security you were transferring information from universities. And so for these was a hay days, you know, if everything was fine, there's no bad guys. No, The heebie day is if you like arranging that everybody was free, Everybody was up in fantastic. Okay. And now, of course, today, these poor cold this to be a graded, which is a lot of work. But today I really believe that if you put Google Amazon Facebook altogether and they can fix these internet for records so we could forget about the spoofing and we forget about all these fishing and all this thing this is there responsibility. So and then you have now on the other side, you have now a very intelligent devices from in a very simple sensors and, you know, too sophisticated devices the phone, et cetera, and Maura and more Maur devices interconnected and for people to understand what is being so This is the new environment. And whether we always believe is that if you adopt an architecture which is exactly which fits which is similar, then we could instead of bolting security in, we can also have the build security in voting signal on. We could be in security in. And we have been very proud of the work that went down with my car itself, which we announce, in fact, reluctantly recently, very recently, that, in fact, our agent technologies now it's banned erred in Microsoft. So we have been security with Microsoft in So from a security perspective today, if you go to the Microsoft as your security center, you click on a link, and now you have the view. If you're in tar, is your environment courtesy of record? It's agent. You click on a second link, and now you have the view of your secret cameras. First year, crazy of the same qualities agent. And then you click on the third inning with us. Nothing to do with quite it's It's old Mike ourself you create your playbook and Yuri mediates The security in this environment has become quickly, quick, nothing to in store, nothing to update, and the only thing you bring. All your policies saying I don't want to have this kind of machine exposed on the Internet on what this is what I want and you can continuously owed it essentially in real time, right? So, as you can see, totally different than putting boxes and boxes and so many things. And then I think for you, so very big game changer. So the analogy that I want you that I give to people it's so people understand that paradigm shift. It's already happening in the way we secure our homes. You put sensors everywhere, your cameras of detection, approximately detection. Essentially, when somebody tried to enter your home all that day, that's continuously pumped up into an incident response system. And then from your phone again across the Internet, you can change the temperature of your rooms. You can do it. You can see the person who knocks on the door. You can see its face. You can open the door, close the door, the garage door. You can do all of that remotely and automatically. And then, if there's a burglar, then in your house, who's raking immediately that the incidence response system called the cops or the farmer shirt? If good far. And that's the new paradigm. So security has to follow that product, and then you have interesting of the problem today that we see with all the current security systems incidents Original system developed for a positive force. Positive and negative are the enemy reedy off security? Because if you have forced positive, you cannot automate the response because then you're going to try to respond to something that is that true? So you are. You could create a lot of damage. And the example. I give you that today in the if you leave your dog in your house and if you don't have the ability the dog would bark would move, and then the senses will say intruder alert. So that's become the force. Pretty. So how do you eliminate that? By having more context, you can eliminate automatically again this false positives, like now you, I think a fingerprint of fuel dog and of his voice. And now the camera and this and the sensors on the voice can pick up and say, Oh, this is my dog. So then, of course, you eliminate that forces right now, if if another dog managed to return your home through a window which was open or whatever for so what do we know? A window was open, but you know you can't necessarily fix it on the dog weapons, then you will know it. Sze, not yours. So that's what securities avoiding such a huge sea of change which is happening because of all that injured that end today Companies today after leverages nuclear technology which are coming, there's so much new to college. What people understand is where's that technology coming from? How come silently we have doctors cybernetics a ll these solutions today which are available at almost no cost because it's all open source So what happened is that which is unlike the enterprise software which were Maur the oracle, et cetera, the manufacturer of that software today is in fact the cloud bubbly club Sanders, the Amazon, the Google, the Facebook, the macro self which shouldn't be needed to have to develop new technology so they could scale at the size of the planet. And that very shrewdly realized that if I keep the technology for me, I'm essentially going to imprison. The technology is not going to evolve. And then I need other technologies that I'm not developing. So they realize that they totally changed that open source movement, which in the early days of happens offers more controlled by people who had more purity. If you prefer no commercial interests, it was all for the good, off the civilization and humankind. And they say they're licensing Modern was very complex or the simplified all of that. And then Nelson and you had all this technology coming at you extremely fast. And we have leverage that technology, which was not existing in the early days when when such was not come started with the eunuchs, the lamb, pork or what's called leaks. Apache mice Fewer than Petri limiting Announcer Tiel This technology, like elasticsearch, was coming. We index today now back and three trillion points or less excerpts, clusters, and we return information in 100 minutes seconds and then on the calf campus, which is again something that open source way Baker Now today, five million messages a day and on and on and on. So the word is changing. And of course, if that's what it's called now, the dish transformation now enterprises to be essentially a joy to reach out to the customers better and Maur, they need to embrace the cloud as well, >>right? I >>do retool their entire right infrastructure, and it's such A. It's a huge sea of change, and that's what we see even the market of security just to finish now, evolving in a totally different ways than the way it has Bean, which in the positive market of security was essentially the market for the enterprise. And I'm bringing you might my board, my board, towns, traditions that you have to go in installed and make work. And then you had the the anti virus, essentially for all the consumers and so forth. So today, when we see the marketplace, which is fragmenting in four different segments, which is one is the large enterprise which are going to essentially constantly data start moving to the transformation. Leveraging absolutely develops, which isn't becoming the new buyer. And, of course, so they could improve their I t. For to reach out to more customers and more effectively than the current providers. As I mentioned earlier, which are building security in the knife, you use them. You don't have to worry about infrastructure about how many servers you need, amenities. It's all done for you and something about security. The third market is going to be in an emergence of a new generation of managed Grannie service providers which are going to take all these companies. We don't have enough resources. Okay, Don't worry. I'm going to help you, you know, duel that digital transformation and help you build the security. And then there's a totally new market of all these devices, including the phone, et cetera, which connects and that you essentially I want to all these i, o t and I ot devices that are or now connected, which, of course, present security risk. So I need to also secure them. But you also need to be able to also not only check their health to make sure that okay, because you cannot send people read anymore. So you tournament simply on security. If you find that that phone is compromised, you need to make to be able to make immediate decisions about Should I kill that phone? Destroyed everything in it. Should I Now don't let that phone connect any more to my networks. What should I do? Should I, by the way, detected that they've done with the application which another loud Because what we see is more and more companies are giving tablets to their users and in doing so now, today's the company property so they could say, OK, you use these tablets and you're not allowed to do that so you could check all of that and then automatically. But that again requires full visibility in what you are. And that's why just to finish, we make a big decision about the few three months ago that were We build the ability for any company on the planet to automatically build their targetable itis it eventually, which nobody knows what they have. That old networking environment. You don't know what connects to have the view of the known and the unknown totally free of charge across on premise and pawned crowd continues Web obligations or to united devices to come. So now that's the cornerstone of securities with that totally free. So and then, of course, you have all these additional solutions, and we're being very scalable up in platform where we can take data, a passel data as well. So we really need to be and want to be good citizen here because security at the end of it, it's almost like we used to say, like the doctors, you have to have that kind of feeble court oath that you can do no arms. So if you keep if you try to take the data that you have, keep it with you, that's all.

>> Narrator: From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey, welcome back, everybody. Jeff Rick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. They've been doing this for 19 years. They've been in this business for a long time, seen a lot of changes, so we're happy to be here. Our next guest works for Caterpillar. He is Brian Rossi, the senior security manager vulnerability management. Brian, great to see you. >> Thanks for having me. >> So I was so psyched, they had an interview, a gentleman from Caterpillar a few years ago, and it was fascinating to me how far along the autonomous vehicle route Caterpillar is. And I don't think most people understand, right? They see the Waymo cars driving around, and they read about all this stuff. But Caterpillar's been doing autonomous vehicles for a super long time. >> A really long time, a really long time, 25-plus years, pioneering a lot of the autonomous vehicle stuff that's out there. And we've actually, it's been cool, had an opportunity to do some security testing on some of the stuff that we're doing. So, even making it safer for the mines and the places that are using it today. >> Yeah, you don't want one of those big-giant dump-truck things to go rogue. (laughing) >> Off a cliff. Yeah, no, bad idea. >> Huge. Or into a bunch of people. All right, so let's jump into it. So, vulnerability management. What do you focus on, what does that mean exactly? >> So, for me, more on the traditional vulnerability management side. So I stay out of the application space, but my group is focused on identifying vulnerabilities for servers, workstations, endpoints that are out there, working with those IT operational teams to make sure they get those patched and reduce as many vulnerabilities as we can over the course of a year. >> So we've done some stuff with Forescout, and they're the kings of vulnerability sniffing-out. In fact, I think they have an integration with Qualys as well. So, is it always amazing as to how much stuff that gets attached to the network that you weren't really sure was there in the first place? >> Yes, absolutely. (laughs) And it's fun to be on the side that gets to see it all, and then tell people that it's there. I think with Qualys and with some of the other tools that we use, right? We're seeing these things before anybody else is seeing them and we're seeing the vulnerabilities that are associated with them, before anyone else sees them. So it's an interesting job, to tell people what's out there when they didn't even know. >> Right, so another really important integration is with ServiceNow, and you're giving a talk I believe tomorrow on how you use both Qualys and ServiceNow together. Give us kind of the overview of what you're going to be talking about. >> Absolutely, so the overview is really what our motto has been all year, right? Is put work where people work. So what we found was that with our vulnerability management program, we're doing scanning, we're running reports, we're trying to communicate with these IT operational teams to fix what's out there. But that's difficult when you're just sending spreadsheets around and you're trying to email people. There's organizational changes, people are moving around. They might not be responsible for those platforms anymore. And keeping track of all that is incredibly difficult in a global scale, with hundreds of thousands of assets that people are managing. And so we turned to ServiceNow and Qualys to really find a way to easily communicate, not just easily, but also timely, communicate those vulnerabilities to the teams that are responsible for doing it. >> Right, so you guys already had the ServiceNow implementation obviously, it was something that was heavily used. You're kind of implying that that was the screen that a lot of people had open on their desktop all the time. >> We lucked out that we were early in the implementation with ServiceNow. So, Caterpillar was moving from a previous IT service management solution to ServiceNow so we got in on the ground floor with the teams that were building out the configuration management database. We got in with the ground floor with the teams who were operationalizing, using ServiceNow to drive their work. We had the opportunities to just build relationships with them, take those relationships, ask them how they want that to work, and then go build it for them. >> Right, it's so funny because everyone likes to talk about single pane of glass, and to own that real estate that's on our screens that we sit and look at all day long, and it used to be emails. It's not so much email anymore, and ServiceNow is one of those types of apps that when you're in it, you're working it, that is your thing. And it's one thing to sniff out the vulnerabilities and find vulnerabilities, but you got to close the loop. >> Brian: You got to, absolutely. >> And that's really where the ServiceNow piece fits. >> And it's been great. We've seen a dramatic reduction in the number of vulnerabilities that are getting fixed over the course of a 30-day period. And I think it simply is because the visibility is finally there, and it's real-time visibility for these groups. They're not receiving data 50 days after we found it. We're getting them that data as soon as we find it, and they're able to operationalize it immediately. >> Right, and what are some of the actions that are the higher frequency that you've found, that you're triggering, that this process is helping you mitigate? >> I would say, actually, what it's really finding is some of our oldest vulnerabilities, a lot of stuff that people have just let fall off the plate. And they're isolated, right? They may have run patching for a specific vulnerability six months ago, but there was no view to tell them whether or not they got everything. Or maybe it was an asset that was off the network when they were patching, and now it's back on the network. So we're getting them the real-time visibility. Stuff that they may have missed, that they would have never seen before, without this integration. >> So I'd love to get your take on one of the top topics that came in the keynote this morning, both with Dick Clark as well as Philippe, was IoT-5G and the increasing surface-area, attack surface area, vulnerability surface area. You guys, Caterpillar's obviously well into internet of things. You've got a lot of connected devices. I'm sure you're excited about 5G, and I'm sure in a mining environment, or those types of environments are just prime 5G opportunities. Bad news is, your attack surface just grew exponentially. >> Yeah. >> So you're in charge of keeping track of vulnerabilities. How do you balance the opportunity, and what you see that's coming with 5G and connected devices and even a whole other rash of sensors, compared to the threat that you have to manage? >> Certainly in the IoT space it's unique. We can't do the things to those devices that we would do with normal laptops' assets, right? So I think figuring out unique ways to actually deal with them is going to be the hardest part. Finding vulnerabilities is always the easiest thing to do, but dealing with them is going to be the hard part. 5G is going to bring a whole new ballgame to a lot of the technology that we use. Our engineering groups are looking at those, and we're going to be partnering with them all the way through their journey on how to use 5G, how to use IoT to drive better services for our customers, and hopefully security will be with them the whole way. >> Right, the other piece that didn't get as much talk today, but it's a hot topic everywhere else we go is Edge, right? And this whole concept of, do you move the data, do you move the data to the computer or the computer to the data? I'm sure you guys are going to be leveraging Edge in a big way, when you're getting more of that horsepower closer to the sites. There's a lot of challenges with Edge. It's not a pristine data center. There are some nasty environmental conditions and you're limited in power, connectivity, and some of these other things. So when you think about Edge in your world, and maybe you're not thinking of it, but I bet you are, how are you seeing that, again, as an opportunity to bring more compute power closer to where you need it, closer to these vehicles? >> So I think, I wish I had our other security division here with me to talk about it. We're piloting a lot of those things, but that's been a big piece of our digital transformation at Caterpillar, is really leveraging data from those connected devices that are out in the field. And we actually, our Edge has to be brought closer to home. Our engineers pack so much into the little space they have on the devices that are out there, that they don't have room to actually calculate on that data that's out in the field, right? So we are actually bringing the Edge a little closer to home, in order for us to provide the best service for our customers. >> Right, so another take on digital transformation. You talked about Caterpillar's digital transformation. You've been there for five years now. Before that you were at State Farm. Checking on your LinkedIn, right? State Farm is the business of actuarial numbers, right? Caterpillar has got big heavy metal things, and yet you talk about digital transformation. How did you guys, how are you thinking about digital transformation in this heavy-equipment industry that's in construction? Probably not what most people think of as a digital enterprise, but in fact you guys are super aggressively moving in that direction. >> Yeah, and for us, from a securities perspective, it's been all about shift-left, right? We have to get embedded with these groups when they're designing these things. We have to be doing threat models. We have to be doing pen testing. We have to be doing that secure life cycle the entire way through the product. Because with our product line, unlike State Farm where we could easily just make a change to an application so that it was more secure, once we produce these vehicles, and once we roll them out and start selling them, they're out there. And we build our equipment to last, right? So there's not an expectation that a customer is going to come back and say, "I'm ready to buy a new truck two years from now," because of security vulnerability. >> Jeff: Right, right. >> So, yeah, it's a big thing for us to get as early in the development life cycle as possible and partner with those groups. >> I'm curious in terms of the role of the embedded software systems in these things now, compared to what it was five years ago, 10 years ago 'cause you do need to upgrade it. And we've seen with Teslas, right? You get patches and upgrades and all types of things. So I would imagine you're probably a lot more Tesla-like than the Caterpillar of 20 years ago. >> Moving in that direction, and that is the goal, right? We want to be able to get the best services and the most quality services to our customers as soon as possible. >> Right, very cool. Well, Brian, next time we talk, I want to do it on a big truck. >> Okay. >> A big, yellow truck. >> Let's do it. >> I don't want to do it here at the Bellagio. >> Let's do it, all right. >> Okay, excellent. Well, thanks for-- >> Thank you. >> For taking a few minutes, really appreciate it. >> Absolutely. >> All right, he's Brian, I'm Jeff, you're watching theCUBE. We're at the Bellagio in Las Vegas, not on a big yellow truck, out in the middle of nowhere digging up holes and moving big dirt around. Thanks for watching. We'll see you next time. (upbeat techno music)

>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019. Brought to you by Qualys. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the Bellagio Hotel in Las Vegas, at the Qualys Security Conference. This conference has been going on for 19 years. It's our first time to be here. We're excited to be here, but it's amazing that they've just been clipping along through wave after wave after wave. They've got some new announcements today and we're excited to get the full rundown here. Our next guest is Chris Carlson, the VP of Strategy from Qualys. Chris, great to meet you. >> Great, thanks, great to be here. >> Yeah, so you just got out of your session. How did your session go? >> Yeah, it was fantastic. In fact, that's the great thing about a Qualys Security Conference, because we have the ability to not only interact with our customers and partners, but actually showcase what's new, but also what we're working on coming in the future. >> Jeff: Right. >> And that's really important for us at Qualys because we get the feedback from the customers early, and we can work very closely with them to find the right set of solutions and the right products for their use in their environment and programs. >> Now, the security landscape has changed quite a bit over the last two decades, and Phillipe's keynote, I mean he is right on the edge in terms of really appreciating cloud and the benefits of cloud. You guys have a lot of great integration partners. You know, did you have to re-architect this thing, at some point down the road? I mean it's pretty amazing that you've been at it for two decades and still really sitting in a good spot here as kind of the cloud and IOT and 5G and this next big wave of innovation starts to hit. >> Well that's right, and I think that's why it starts with that vision, but it's not just a vision of where the market is going, but the vision of where technology is going. So when Qualys started, they started in the cloud, and they started with the cloud delivered architecture. And that was really, maybe early for a lot of first customers. 20 years ago security was maybe not as much, and put security in the cloud, that's where all the bad guys are. But it's really that architecture vision technology that allowed us to not only innovate quickly on a platform, but as our customers grew, as our customers moved to the cloud, as our customers moved to IOT and OT and mobile computing and those aspects, we're already there. >> Jeff: Right, right. >> We're already there. So and that is what really the advantage for us is, we don't have to re-architect our platform, we can layer on new capabilities and new services, new products leveraging the existing architecture that we've developed in the cloud. >> Yeah, it's really little bit of good fortune, a little bit of luck, a little bit of smarts, right. >> I think it's maybe a lot of experience and smarts from that. >> Well, it's just funny right, 'cause we had John Chambers on not that long ago, and his kind of computing waves, he was using kind of 10 year waves as kind of the starting points. And Phillipe's were a little bit longer, but it's the same kind of story with mainframes and minis and client server and now cloud, but as he said, and as you've reinforced, if you don't architect it to be able to do that at the beginning, you can't necessary repurpose it for this new application. It's really architecture-specific, and without that kind of vision, you're not going to be able to take advantage. >> That's right. >> Of these kind of new waves. >> Exactly, and I think that architecture breaks down into different levels. So one is systems architecture, but there's also the design architecture. So the technologies that we're using on our platform today aren't the same 20 years ago. We've swapped out those technologies. We use new modern technologies. Technically, like Kafka streaming blasts to do real-time event streaming. Cassandra for object data store. Those did not exist five or six years ago. But from our architecture that we're collecting lightweight data from our customers, and analyzing it in our cloud platform. Doesn't matter if we have one million events, a billion events, a hundred billion events, the platform can scale the process of those. >> Right. The other piece clearly that you've mentioned two or three vocabulary words right there is the open source component. You know, the open source has grown dramatically since the early days of Linux, both in terms of market acceptance as well as kind of new opportunities for things like Kafka to be able to grab that type of , integrate it into your product set and really drive a whole bunch of extra value. >> Yeah, that's right. I think we benefit as Qualys is using some of these open source technologies and we do contribute back, because we work with those teams. If there's any defects or performance enhancements, we do that. But while we've benefited from some of the open source technologies, our customers have benefited as well. Now they've benefited from new technology architectures, but in some cases they've benefited from new security problems. So if you get commercial off-the-shelf software, the vendor produces a security patch, they test that patch and they can apply the patch. In many cases with some open source software it's not like that. The customer has to get the software, compile it, make sure it works. Maybe it doesn't fix the vulnerability, and that's why in that case for them open-source technology can improve some of their IT systems and their business initiatives, but it puts a challenge on security to keep up with all the security risks that are happening across the board. >> Right. So one of the big announcements today was the VMDR. >> That's right. >> Tell us all about it. >> Great, so VMDR stands for Vulnerability Management Detection and Response, and that really is a capability that we've actually had in the platform itself, but the feedback from our customers were that internally their own people, their own process and their own tools created these artificial silos that prevented them from actually doing security detection and remediation at scale quickly. We have all these capabilities in the Qualys platform anyway, but with this new VMDR bundle we're bringing it together with new automation, new workflow, new orchestration, new user interfaces that actually reduce the time to remediate down to near zero in some cases. So, we had an example of a live attack that happened two years ago, WannaCry with EternalBlue, and many companies did nothing for two months. So they had the right tools, but maybe the data silos to go from one application to another application, to one team to another team just increased that length of when they could remediate. Our customers that had Qualys already had that data within the Qualys platform. We can tell them what assets they have, what the vulnerabilities were, that WannaCry was a big thing happening. And then with our patch management they can click one button and then just fix those assets easily. >> Jeff: Right, right. >> That was two years ago. Now this summer something called Blue Key. So Blue Key and Deja Blue is another attack that's happening, is going on right now. People don't know about it. Well, maybe not you. (laughing) Maybe if you're a Windows. >> I got nothing, I got nothing. >> Maybe if he has a Windows Operating System he's being attacked right now, I don't know about that. But a lot of our customers here, they're struggling with that every day. Not that Qualys can't tell them where it is, but they have to rely on another team to actually fix it. And that's what's so exciting about VMDR, Vulnerability Management Detection and Response, is the D and the R, the detection and the response allow them to remediate in a full life-cycle very quickly, very effectively, and with a high confidence that it has actually corrected those issues. >> Yeah, it's really interesting. You know, kind of the application versus platform conversation. You guys are integration partners with ServiceNow. Fred Luddy's been on many, many times, and tells a great story. You know, he wanted to build a platform, but you can't go to market with a platform. You got to go to market with an application, hopefully get some traction, and over time he started adding more applications, and it was pretty interesting listening to you guys. >> Well, I was actually going to stop you right there if you don't mind. >> No. >> The marketing people go to market with the platform. The marketing people say, "Hey version one is a platform." >> To their customers? But nobody's got a line-item to buy a new platform today, right. >> Exactly, and that's sort of the disconnect. >> Right. >> Really with normal enterprise sales models and technology. The marketing sales disconnect versus the technical reality that customers depend on for their environment. >> But if you do it right, then you can build that application stack, and I think in their earnings call, your guys last earnings call, you defined seven specific applications that sit on this platform that enabled in you to bundle and have kind of multi-application integration in the new VDMR. >> Yes, that's right, and I think that the difference with Qualys is they knew that the architecture was important. So our vulnerability management was an application on the architecture when it first launched 20 years ago. >> Right. >> And that really helped us going forward. So from the earnings call it's seven product capabilities on our lightweight agent, but the entire Qualys platform has 19 different product capabilities, in the same platform using the same user interface model and the VMDR takes many of those and bring it together in that single bundle on a per asset basis. >> Okay great, thanks for that clarification. Slight shift of focus. Another thing that came up in Philippe's keynote was kind of re-architecting the sales side and the market bundles that you guys are going to go to market with over time. And he broke it down into really only four big buckets of categories. Cloud providers, I think managed security service providers, enterprises, and I can't remember what the the last one was. Oh, OT and IOT vendors. >> Chris: IOT, correct, yes. >> So as you kind of look forward in the way that you're going to develop your products to go to market, how is that impacting your strategy, and are you seeing that start to play out in the marketplace? >> Yes, when we look at security technology and actually part of his keynote, he had this slide that had, you couldn't zoom in, because there's a million logos on this slide, security companies. And you go to some of the security shows, there's 800 vendors in the exhibit hall. >> Jeff: Oh yeah, we go to RSAC. I mean that that's why, it's chaos, right. >> So it's crazy, it's crazy. And there was an analyst that actually said a couple years ago that whenever there's a new threat, there's a new tech. Here's a new threat vector, now there's five new startups. And is that new threat vector super narrow, and it's only a feature, or is it a product, but our view of Qualys was a little bit different in that while the buying centers may be different, while some of the assets may be different, an OT asset versus a cloud asset versus the endpoint asset, the ability to discover it, identify it, categorize it, assess it, prioritize and remediate it is the same. That is the same. So whether it is a PLC on a shop floor from a car manufacturing, or a ecommerce web server that's running in a public cloud, or an end-user machine, the process to identify assess and remediate is exactly the same through us at Qualys with their platform. Different sensors for different asset types, normalized security data and different remediation approaches for different asset types, but all the same platform. >> But it sounds like you're doing some special stuff with Azure. >> Chris: Yes. >> So, tell us a little bit about kind of what's special about that relationship, what's special about that solution. >> Yeah, and that integration was announced two weeks ago at Microsoft Ignite, which is a big Microsoft show, and that really is a close partnership that we have with Microsoft. We actually did an early integration with them four years ago, but this is a lot deeper. And that really is Phillipe's and Qualys vision that security needs to be built in and not bolted on. >> Jeff: Right. >> That if you take, let's take a car for example. When you buy a car, you don't buy the car without a seat belt, an airbag, maybe a radio. You don't buy it without tires, it all comes together. You don't buy a car, then go to the seatbelt shop, and then buy a car and then go to the airbag shop. It all comes together, and that's what we're very excited about this announcement with Microsoft and Azure is that the vulnerability assessment is powered by Qualys already built into Azure. So there may be a whole set of customers that know nothing about Qualys, know nothing about our 20-year history, know nothing about our conference. they go to Microsoft Azure's, the security center, and it goes, "Assess your vulnerabilities," click a button and there's the vulnerability information. So this opens up a new capability for customers that they may not have used, but more importantly bringing security into IT without them knowing that they're doing security. And that is very powerful. >> So is it like a white label, under the covers or? >> So, it's not a white label, it's a joint integration. >> Chris: Okay. >> And it's a Microsoft Azure. >> Chris: So they eventually have, probably is in the bottom of the report. >> Powered by Qualys, powered by Qualys, right, so we got to have that name in there. >> Right, right, right, good. >> And what's exciting about Microsoft Ignite is that we had a lot of Microsoft IT and dev people come up to our Qualys booth and say, hey I don't know much about Qualys, but I get this report of things that I need to fix, tell me more about what you're doing and how can we help that fix faster. >> Chris: Right. >> And it's really about speed. Time to market, time to acquire customers, time to service customers, but more importantly time to produce new technology, time to secure the new technology, and lastly, unfortunately, time to respond to security events that may have happened in your network. >> And I presume they can buy more of the suite through the, and run it on the Azure stack. >> Yes, that's right. In fact, all of our capabilities can go on there from it, and that really is a strong partnership. In fact the group product manager for Azure is speaking at Qualys Security Conference just later today. That really shows a testament of the deep integration of partnership that we have with them. >> All right, Chris, before I let you go, you're the strategy guy. So as you look down the road in your crystal ball, I won't say more than three years, two years, three years, four years. What are some of the things you're keeping an eye on, what are the things you're excited about, what are the things you're a little concerned about? >> Well, I think that the things that we're excited about is a vision that Philippe and of course Ahmet has painted for it, is that the computing environment is accelerating dramatically, it's fragmenting dramatically. 5g might be a complete game-changer across the board. We have some of our large customers that have a project that they call Data Center Zero. 17 data centers, in two years, no data centers at all. I say that in their corporate offices they have laptops and printers, that's it. How do you secure and assess an environment that is ephemeral and that is virtual and that is remote, and that's where the Qualys platform architecture can move along with those customers. Our very largest customers are the ones leading the charge, not only developing new capabilities, but also using them as they come out. So I think that's what we're very excited about. I think that's some areas that we're working deeper with our customers on, is at the end of the day, it's people, process, and tools. And we're working on the technology capability and stack that can also influence and make the process better, but ultimately the people have to come in and understand that security has to be built in, we have to shift left, integrate it into the dev cycle to really reduce that attack surface and have a stronger, more secure enterprise. >> All right Chris, well, think you're going to be busy for the next couple years. >> It's a exciting time, it's an exciting time for Qualys. >> All right, well again, congrats on the event. >> Thanks very much. >> Thanks for having us. Can't believe it's been here for 19 years and we haven't been here yet. So again, thanks for having us and congrats on all your success. >> Great, fantastic Jeff. >> All right, he's Chris, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference in Las Vegas. Thanks for watching. We'll see you next time. (upbeat music)

>>from Las >>Vegas. It's the cues covering quality security Conference 2019 Bike. Wallace. Hey, welcome back It ready? Geoffrey here with the Cube were at the Bellagio in Las Vegas. It's actually raining outside, which is pretty odd, but through the desert is happy. We're here at the Kuala Security Conference. Been going on for 19 years. It's our first time here. We're excited to be here, but we got a really familiar Gaston. She's been on a number of times that Nutanix next, conferences and girls who code conferences, etcetera. So we're happy to have back Wendy Pfeifer. She's the C I O of Nutanix and as of August, early this year, a board member for quality. So great to see you. >>Nice to see you again, too. So it's raining outside. I'll have to get out. >>I know it's pretty, uh, pretty cool, actually. School coming in on the plane. But let's let's jump into a little bit from your C I, Oh, roll. We're talking a lot about security and in the age old thing came up in the keynote. You know, there's companies that have been hacked, and then there's companies that have been hacked and don't know it yet, but we're introducing 1/3 type of the company. Here is one of the themes which is that you actually can prevent, you know, not necessarily getting hacked, but kind of the damage and destruction and the duration once people get in. I'm just curious from your CEO >>hat. How >>do you look at this problem? That the space is evolving so quickly? How do you kind of organize your your thoughts around it? >>Yeah, for me. First of all, um, it starts with good architecture. So whether it's our own products running or third party products running, we need to ensure that those products are architected for resilience. And that third kind of company, the Resilient company, is one that has built in architecture er and a set of tools and service is that are focused on knowing that we will be hacked. But how can we minimize or even eliminate the damage from those hacks? And in this case, having the ability to detect those hacks when their incoming and to stop them autonomously is the key to HQ Wallace's play and the key to what I do as CEO at Nutanix, >>right? So one of the other things that keeps coming up here is kind of a budget allocation to security within the CEO budget on. And I think Mr Clark said that, you know, if you're doing 3% or less, you're losing, and you gotta be spending at least 8%. But I'm curious, because it to me is kind of like an insurance story. How much do you spend? How much do you allocate? Because potentially the downside is enormous. But you can't spend 100% of your budget just on security. So how do you think about kind of allocating budget as a percentage of spin versus the risk? >>Well, I love that question. That's part of the art of being a C i O A. C. So, you know, first of all, we have ah mixed portfolio of opportunities to spend toe hold to divest at any one time, and I t portfolio management has been around for 30 years, 40 years, almost as long as some of the people that I know. However, um, we always have that choice, right? We're aware of risk, and then we have the ability to spend. Now, of course, perfect security is to not operate at all. But that's about that's, you know, swinging too far the wrong way on Dhe. Then we also have that ability, maybe to not protect against anything and just take out a big old cyber security policy. And where is that policy might help us with lawsuits? It wouldn't necessarily have help us with ongoing operations. And so it's somewhere in the middle, and I liked some of the statistics that they share today. One of the big ones for me was that companies that tend to build resilient worlds of cybersecurity tend to spend about 10% of their total I t operating budgets on cyber security. That makes sense to me, and that reflects my track record at Nutanix and elsewhere, roughly in that amount of spending. Now you know, checking the box and saying, Well, we're spending 10% on cybersecurity doesn't really buy us that much, and also we have to think about how we're defining that spend on cyber security. Part of that spend is in building resilient architectures and building resilient code. And uh, that's sort of a dual purpose spend, because that also makes for performance code it makes for scalable, supportable code, et cetera. So you know, we can do well by doing good in this >>case. So again, just to stay on that beam permit, it went. So when you walk the floor at R S. A. And there's 50,000 people and I don't even know how many vendors and I imagine your even your I T portfolio now around security is probably tens of products, if not hundreds, and certainly tens of vendors again. How do you How do you? You kind of approach it. Do you have trusted advisors around certain point solutions? Are you leveraging? You know, system integrators or other types of specialists to help? You kind of sort through and get some clarity around this just kind of mess. >>Well, all of us actually are looking for that magic discernment algorithm. Wouldn't it be great if >>you could just >>walk up to a vendor and apply the algorithm? And ah ha. There's one who's fantastic. We don't have that, and so we've got a lot of layers of ingest. I try to leave room in my portfolio for stealth and emerging technologies because generally the more modern the technology Is the Mauritz keeping pace with the hackers out there and the bad guys out there? Um, we do have sort of that middle layer that surround the ability for us to operate at scale because we also have to operate these technologies. Even the most cutting edge technology sometimes lack some of the abilities for us to ingest them into our operations. And then they're sort of the tried and true bedrock that hopefully is built into products we consume. Everything from public Cloud service is to, uh, you know, hardware and so on. And so there's this range of choices. What we have to dio ultimately is we use that lens of operations and operational capability. And first of all, we also ensure that anything we ingest meets our design standards and our design standards include some things that I think are fascinating. I won't go into too much detail because I know how much you love this detail. But you know, things like are the AP eyes open? What is integration look like? What's the interaction design look like? And so those things matter, right? Ultimately, we have to be able to consume the data from those things, and then they have to work with our automation, our machine learning tools. Today at Nutanix, for example, you know, we weigh like toe. I'm happy to say we catch, you know, most if not all of any of the threats against us, and we deal with well over 95% of them autonomously. And so were a living example of that resilient organization that is, of course, being attacked, but at the same time hopefully responding in a resilient way. We're not perfect knock on wood, but we're actively engaged. >>So shifting gears a little bit a bit a bit now to your board hat, which again, Congratulations. Some curious. You know, your perspective on kind of breaking through the clutter from the from the board seat Cos been doing this for 19 years. Still relatively small company. But, you know, Philippe talked a lot about kind of company. Percy's me industry security initiatives that have to go through what are some of the challenges and opportunities see sitting at the board seat instead of down in the nitty gritty down the CEO. >>Well, first of all, um, quality is financially a well run responsible organization and one of Philippe and the leadership teams. Goals has always been toe operate profitably and tow. Have that hedge on DSO. What that means is that as consumers, we can count on the longevity of the organization and the company's ability to execute on its road map. It's the road map that I think is particularly attractive about Wallace. You know, I am who I am. I'm an operator. I'm a technologist. And so although I'm a board member and I care about all dimensions of the company, the most attractive component is that this this road map in those 19 years of execution are now coming to fruition at exactly the right time. For those of us who need these tools in these technologies to operate, this is a different kind of platform and its instrumented with machine learning with a I. At a time when the Attackers and the attacks are instrumented that way as well as as you mentioned, we have a lot of noise in the market today, and these point solutions, they're gonna be around for a while, right? We operate a messy and complex and wonderful ecosystem. But at the same time, the more that we can streamline, simplify on and sort of raised that bar. And the more we can depend on the collected data. From all of these point tools to instrument are automated responses, the better off we'll be. And so this is, Ah, platform whose whose time has come and as we see all of the road map items sort of coming to fruition. It's really, really exciting. And it's, you know, just speaking for a moment of someone who's been a leader in various technology companies in the security and, you know, technology space for some time. One of the most disappointing things about many technology startups is that they don't build in that that business strength. Thio have enough longevity and have enough of a hedge to execute on that brilliant vision. And so many brilliant ideas have just not seen the light of day because of a failure to execute. In this case, we have a company with a track record of execution that's monetized the build out of the platform, and now also these game changing technologies are coming to fruition. It's it's really, really exciting to be a part of it. >>So Wendy, you've mentioned a I machine learning Probably get checked. The transfer of a number of times 85 times is this interview. So it's really interesting, you know, kind of there's always a lot of chatter in the marketplace, But you talked about so many threats coming in and we heard about Mickey noticed. Not really for somebody sitting in front of a screen anymore to pay attention, this stuff. So when you look at the opportunity of machine learning and artificial intelligence and how that's going to change the role of the CEO and specifically and security when if you can share your thoughts on what that opens up >>absolutely s so there's kind of two streams here I'd love to talk about. The first is that we've had this concern as we've moved to Public Cloud and I t that i t people would be left behind. But in fact, after sort of ah little Dev ops blip where non i t people were writing code that was them consumed by enterprises were now seen the growth of I t. Again and what this relates to is this In the past, when we wanted to deploy something in public cloud. We had to be able Thio compose an express infrastructure as code. And, um, folks who are great at infrastructure are actually pretty lousy at writing code, and so that was a challenge. But today we have low code and know code tools, things like work Otto, for example, that my team uses that allow us to express the operational processes that we follow sort of the best practices and the accumulated knowledge of these I t professionals. And then we turn the machine on that inefficient code and the machine improves and refines the code. So now, adding machine learning to the mix enables us to have these I t professionals who know more than you'd ever imagine about storage and compute and scaling and data and cybersecurity and so on. And they're able to transform that knowledge into code that a machine can read, refine and execute against. And so we're seeing this leap forward in terms of the ability of some of these tools. Thio transform how we address the scale and the scope in the complexity of these challenges. And so on the one side, I think there's new opportunity for I T professionals and for those who have that operational expertise to thrive because of these tools on the other side, there's also the opportunity for the bad guys in the in the cyberspace. Um, Thio also engage with the use of thes tools. And so the use of these tools, that sort of a baseline level isn't enough. Now we need to train the systems, and the systems need to be responsive, performance resilient. And also, they need to have the ability to be augmented by to be integrated with these tools. And so suddenly we go from having this utopian. Aye, aye. Future where you know, the good looking male or female robot, you know, is the nanny for our kids, um, to something much more practical that's already in place, which is that the machine itself, the computer itself is refining in augmenting the things that human beings are doing and therefore able to be first of all, more responsive, more performance, but also to do that layer of work that is not unique to human discernment. >>Right? We hear that over and over because the press loved to jump on the general. May I think it's much more fun to show robots than then Really, the applied A I, which is lots of just kind of like Dev ops. Lots of little improvements. Yeah, lots of little places. >>Exactly. Exactly. You know, I mean, I kind of like the stories of our robot overlords, you know, take it over to. But the fact is, at the end of the day, these machine, it's just math. It's just mathematics. That's all it is. It's compute. >>So when you find let you go, I won't touch about women in tech. You know, you're a huge proponent of women in tech. You're very active on lots of boards and cure with Adriaan on the girls and Tech board where we last where we last sat down. Um, and you're making moves now. Obviously, you've already got a C title. Now you're doing more bored work. I just wonder if you can kind of share your thoughts of how this thing's kind of movement is progressing. It seems to have a lot of of weight behind it, but I don't know if the numbers air really reflecting that, but you're you're on the front lines. What can you shares? You know, you're trying to help women. That's much getting detect. But to stay into tech, I think, is what most of the stats talk about. >>Yeah, I've got a lot of thoughts on this. I think I'll try to bring our all the vectors together. So I recently was awarded CEO of the year by the Fisher Center for Data and Analytics and thank you very much. And the focus there is on inclusive analytics and inclusive. Aye, aye. And And I think this this is sort of a story that that makes the point. So if we think about all of the data that is training these technology tools and systems, um, and we think about the people who are creating these systems and the leaders who are our building, these systems and so on, for the most part, the groups of people who are working on these things technologists, particularly in Silicon Valley. They're not a diverse set of people. They're mostly male. They're overwhelmingly male. Many are from just a handful of of, um, you know, countries and groups, right? It's it's It's mainly, you know, Caucasian males, Indian males and Asian males. And and because of that, um, this lack of diverse thinking and diverse development is being reflected in the tools in ways that eventually will build barriers for folks who don't share those characteristics. As an example, Natural language processing tooling is trained by non diverse data sets, and so we have challenges with that. For example, people who are older speak a little bit more slowly and have different inflections in general on how they speak. And the voice recognition tools don't recognize them as often. People who have heavy accents, for example, are just not recognized. Yes, you know, I always have a phone, Um, and this is my iPhone and I have had an iPhone for 10 years. Siri, my, you know, helpful Agent has been on the phone in all those years. And in all of those years, um, I have had a daughter named Holly H O l L Y. And every time that I speak Thio, I dictate to Syria to send a message on. I use my daughter's name. Holly. Syria always responds with the spelling. H o L I. The Hindu holiday. Now, in 10 years, Siri has never learned that. When I say Holly, I'm most likely mean my daughter >>was in the context of the sentence. >>Exactly. Never, ever, ever. Because, you know Siri is an Aye aye, if you will. That was built without allowing for true user input through training at the point of conversation. And so s So that's it. That's bad architecture. There's a lot of other challenges with that architecture that reflect on cybersecurity and so on. One tiny example. But I think that, um now more than ever, we need diverse voices in the mix. We need diverse training data. We need, you know, folks who have different perspectives and who understand different interaction design to be not only as a tech entrepreneurs, builders and leaders of country of companies like, you know, girls in tech Support's educating women supporting women entrepreneurs. I'm I'm also on the board of another group called Tech Wald. That's all about bringing US combat veterans into the technology workforce. There's another diverse group of people who again can have a voice in this technology space. There are organizations that I work with that go into the refugee that the permanent refugee camps and find technically qualified folks who can actually build some of this training data for, ah, you know, analytics and a I We need much, much more of that. So, you know, my heart is full of the opportunity for this. My my head's on on fire, you know, and just trying to figure out how can we get the attention of technology companies of government leaders and and before it's too late, are training data sets are growing exponentially year over year, and they're being built in a way that doesn't reflect the potential usage. I was actually thinking about this the other day. I had an elderly neighbor who ah, spoke with me about how excited he waas that he he no longer could drive. He wasn't excited about that. He no longer could drive. He couldn't see very well and couldn't operate a car. And he was looking forward to autonomous vehicles because he was gonna have a mobility and freedom again. Right? Um, but he had asked me to help him to set up something that he had on his computer, and it was actually on his phone. But he there was their voice commands, but But it didn't understand him. He was frustrated. So he said, Could you help me. And I thought, man, if his mobile phone doesn't understand him, how's the autonomous vehicle going to understand him so that the very population who needs these technologies the most will will be left out another digital divide? And and, um, now is the moment while these tools and technologies are being developed, a word about Wallace. You know, when I was recruited for the board, um, you know, they already had 50 50 gender parity on the board. It wasn't even a thing in my interviews. We didn't talk about the fact that I am female at all. We talked about the fact that I'm an operator, that I'm a technologist. And so, um, you know that divide? It was already conquered on HK. Wallace's board that's so not true for many, many other organizations and leadership teams is particularly in California Silicon Valley. And so I think there's a great opportunity for us to make a difference. First of all, people like me who have made it, you know, by representing ourselves and then people of every gender, every color, every ethnicity, immigrants, et cetera, um, need to I'm begging you guys stick with it, stay engaged don't let the mean people. The naysayers force you to drop out. Um, you know, reconnect with your original values and stay strong because that's what it's gonna take. >>It's a great message. And thank you for your passion and all your hard work in the space. And the today it drives better outcomes is not only the right thing to do and a good thing to do that it actually drives better outcomes. >>We see that. >>All right, Wendy, again. Always great to catch up. And congratulations on the award and the board seat and look forward to seeing you next time. Thank you. All right, She's windy. I'm Jeff. You're watching the Cube with a quality security conference at the Bellagio in Las Vegas. Thanks for watching. We'll see you next time.

>>from Las Vegas. It's the cues covering quality security Conference 2019. Bike. Wallace. >>Hey, welcome back it. Ready? Geoffrey here with the Q worth the Bellagio Hotel in Las Vegas for the quality security conference. This thing's been going on for 19 years. I had no idea. It's our first time here, but it's pretty interesting out. Felipe and the team have evolved this security company over a lot of huge technological changes and security changes, and they're still clipping along, doing a lot of cool things in cloud and open source. We're excited of our next guest. She's Laurie McCarthy, the EVP of worldwide field >>operations. Lori, great to see you. >>Thanks. Glad to be here. >>Absolutely. So first off, congratulations in doing some homework for this. I was going through the earnings call. The last turning call, which A was a nice earnings call. You're making money buying back stock. Also, you were promoted or the announcement of your promotion on that call and really some nice, complimentary words from Philippe and the team about the work that you've done actually >>very grateful. Thank you. And >>one of the things we >>talked about, which is unique in your background as you came from a customer. Not It's always a day ago. These shows we have people that I came from customers that went to the vendor, and then we have people that rest of Endor and they went over to the customers. There's a lot of that kind of movement, but he really complimented your execution at CVS as a big reason why you got the promotion that you did. So again. Congrats. But let's talk about, you know, kind of the CVS experience from when you were running it. Not when you're on the quality side. Yeah, that the threats. And CBS is in class nationwide, all kinds of stuff. >>Yeah, well, I mean, you know, just like any other company that's in that health care vertical, you've got so many different things to think about. Additionally, we were also in the retail vertical, so we had a lot of compliance. E's to worry about p c p c i p. I s O. A lot of the programs had been very much, uh, checkbox driven prior to the team that moved in there, including myself, and kind of changed that. So I helped to rebuild the vulnerability program there. And we started to do it in such a way that it was for the sake of security, not just checking a box. And we were really innovated how they do things. A lot of my friends are still there, and they have their own stock now, and we kind of brought everything in house. So a lot of that was outsourced. >>So what was the catalyst to make the change To move from beyond simple compliance and check in the box, Actually making a strategic part of the execution? >>Yeah, at the time and a new sea so had been put into place. And it was someone with that vision, and I think that's what really drove it. I came in just after that and was brought in on the premise that this is what we're going to change and move toward. So I was part of that process from that >>point, right? It clearly, qualities was part of the solution. So what? What did you use calls for their and how is the solution changed? You know, kind of >>so back then when >>you want to call it, >>we're talking. In 9 4010 2011 Right around there. If you opened up the quality platform, you had three things to choose from. Versus today, when you log in, you've got 18 or more, depending. And S O CVS used a little bit of all of that with the mainstay having been the vulnerability management. So I ran to full vulnerability management programs there because we had to keep our pharmacy benefit company and our retail companies separate. So I sort of did double duty, >>Right? So what you doing now on field operations? >>So is the E V p of worldwide for Wallace. I'm running all of the technical account managers for our company way have a unique sales model here, so it's a little different. So everyone in the field to service is our clients rolls up to me, and then that also includes some additional teams, like our federal team, our strategic alliances team and also our subject matter experts >>today. So you said a couple >>times you guys have your account management structure is different than maybe traditional. Kind of >>walk through. Yeah, absolutely. So versus a traditional sales model. We have a salesperson. You have client service person. You have a technical, you know, social architect kind of person. We service our clients all with one person. We have a technical account manager. We break them up into two flavors. We have a presales who are very technical folks that go out and help us get our business. And then those accounts get handed over to our post sales, who are basically the farmers in our business, maintaining and growing our existing clients. What that allows for, which is really special, is we can go in and really build a relationship built on trust and understanding and strategy, because we bring people into our company like myself who have done this, who have sat on that side of the table. So you know, someone comes in and says What? You know, how would you like to buy one of my gizmos? It's a lot different conversation when it's like, Look at what I do with this gizmo like it's amazing. So it's It's kind of a similar feeling that you guys >>have your kind of platform with application strategy enables you to kind of do a land and expand, and in fact you even a something that people can try for free. >>Yeah, absolutely. So we review our model as, like, try and buy. So for both our non clients are freemium service is that we offer our, you know, out of this world for people being able to just log in without even being a client and start to evaluate their environment. And then when they see the value that we bring, it's very easy to translate that into a buy and then likewise, for our clients who sign up for a service or two enabling additional trials and having them work within our new service is as they're being rolled out, is very, very simple, the way our platform is built. So it's just it's a really effortless, very natural progression of business that we that we built. And it's one of the reasons that I work here because as a client, I really enjoyed my relationship with this company because it never felt like I was being sold anything. It always felt like I was being handed solutions to my challenges, and that's what we tried to do. And that's how I lead everyone today is Let's get out, Let's listen, let's strategize and let's see where we fit in with folks, right strategies for, you know, the coming >>future. So must be a team >>approach, though, right? Because one person you know to say, trying to manage the CVS account, that would be, >>Oh, so we have a little bit of a break out in our post side. We have what a new role that I helped get implemented here at the company, which is a major account solution architect they handle are bigger, more complex accounts. So as our platform has matured, so have our clients are bigger. Clients are using more of our platform. They're using it in a more expert way. So we had to answer that with the right kind of people who could speak to that expert level of usage and be able to finance that. So that's a little bit part of it. And on our bigger clients, we do have more of a team approach. We have a product management, a project management organization. The S M E team are subject matter. Experts roll up under me. They're experts in each of our solutions. So it's a sizeable team and they are liaise between product management, engineering our fields and our clients. And that's another support mechanism. And then our support at Wallace is also something that augments our technical account managers jobs on a daily basis. >>So new opportunity with a sure that was recently announced a bundle. Yeah, you're bundled in kind of under the covers, not not really under the covers. So a little bit about how that's gonna work from kind of an account management and and from your kind of point of view, >>So it's It's actually not gonna change much of anything on the way that we are. Mom are our model is a hybrid, right? So we have direct sales that we have indirect sales, even honor in direct sales through partners through relationships like we've just built with azure MSs peas and reach whatever. We still treat every end customer and every partner like a direct customer. So we work very hard to educate her partners, to work with them, to make sure they're successful with our clients. And we're also treating our clients who are through that avenue the same way. So it's it's just gonna blend right in with what we >>d'oh Yeah, that's great, but hopefully it's a sales channel and they get more than they just bought it under the covers and start implementing. >>It's easy for them to jump in with us. And then from there we can build those relationships with perhaps, you know, prospects and folks that aren't our clients now and be able to show them more things that we do. Besides just, you know, the one thing that they might be signing up for at that time, >>right? Right. Okay, great. I want to shift gears a little bit. >>We had windy by front earlier from from Nutanix. When he's a fantastic lady, yes, and she is super super involved in in girls Who Code and women in Tech and trying to drive that kind of forward along a number of parameters everything from the board to getting people jobs, training little girls to staying at staying in the industry. I know that's a big, passionate area of yours. I wonder if you could share some of the activities you guys were doing around women. I could think more specifically, and security is a subset of all tech, but share the some of the activities you have going on. >>So personally, I try to be very involved locally. Four Children. One of them is a daughter. She's too little, quite yet for getting into tact. I have two older sons and s so I try to be really involved in middle school high school. Hey, put me in, Coach, I'll come in and talk to the kids. Generating interest in getting into this field at a young age is what we need to do. They're still aren't enough gals and, honestly, guys heading into our business in college. So I I really take it upon myself as a security professional to try to promote that specifically around women. I'm really pleased that our company supports an organization which I've been a part of for a while, and that's the Executive Woman's Forum, and we sponsor their conference every year, and we sponsor events with them. I personally am part of their mentor program, so that allows me a channel. Thio have ah, unassigned person to work with, and I really enjoy that, and our company itself is just very excellent at promoting and enabling women within our organization. And it's another reason that I really loved working here for the past eight years, >>right? Well, from the top. Because the board, I think, is either for more than half. Yemen, which is certainly half >>women CEO, is very supportive. Our presidents, two men way have a great environment. Thio grow women professionally here in my company, >>right? That's great. So, ah, year from now, when we come back, what are we gonna be talking about? What's kind of on a road map? For the next year, >>we're going to be talking about our data leak efforts, or Sim. We're gonna be talking about our improved Edie, our capabilities that are really gonna put us in the position to be a major player in that market. Um, and who knows? We have such a quick turnaround of innovation here and what we do by the way we do our business. So starting with the technical account manager's boots on the ground with our clients, when we're there listening to all of their challenges, we're also taking that back, and that drives our innovation that the company so we hear what they need, and that's what we provide. So as things changed, we're going to continue to do that digital transformation, of course, is is making that something that we have to be even quicker about. And I think we're doing a good job >>keeping up well. 19 years and counting, making money. Find back, buying back shares to help everyone else's stock delusion. So not that, but nothing but good success. It's all right. Well, Laurie, thanks for taking a few minutes of your day. And again, congratulations on your promotion as well as a terrific event. >>Thank you very much. >>All right. She's Laurie. I'm Jeff. You're watching the Cube with the quality security conference at the Bellagio and lovely >>Las Vegas. Thanks for watching. We'll see you next time.

>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). >> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? "What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discreet cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? "How do they integrate? "What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected. Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational business, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?" And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? "What could happen? "What could a bad guy do to you "that matters to your company?" 'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the spaces develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network. So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)

>> Live from Boston, Massachusetts, it's The Cube, covering AWS re:Inforce 2019. Brought to you by Amazon web services and its ecosystem partners. >> Hey, welcome back everyone. It's The Cube's live coverage here in Boston, Massachusetts for AWS re:Inforce. This is Amazon web services' inaugural security conference around Cloud security. I'm John Furrier. My host Dave Vellante. We've got special guest, we've got another CSO, Dan Meacham, VP of Security and Operations at Legendary Entertainment. Great to see you. Thanks for coming on The Cube. >> Oh, thank you. It's a very pleasure to be here. >> We had some fun time watching the Red Socks game the other night. It was the best night to watch baseball. They did win. >> Was it ever. >> Always good to go to Fenway Park, but we were talking when we were socializing, watching the Red Socks game at Fenway Park about your experience. You've seen a lot of waves of technology you've been involved in. >> Yes, yes. >> Gettin' dirty with your hands and gettin' coding and then, but now running VP of Security, you've seen a lot of stuff. >> Oh. >> You've seen the good, bad, and the ugly. (laughing) >> Yeah, fun business. >> It is. >> You guys did Hangover, right? >> Yes. >> Dark Knight. >> Yes. >> Some really cool videos. >> Good stuff there, yeah. And it's just amazing cause, you know, how much technology has changed over the years and starting back out in the mid-eighties and early nineties. Sometimes I'm just like, oh, if I could only go back to the IPXSX days and just get rid of botnets and things like that. (laughing) That'd be so much easier. Right? >> The big conversation we're having here, obviously, is Amazon's Security Conference. What's your take on it? Again, security's not new, but their trying to bring this vibe of shared responsibility. Makes sense because they've got half of the security equation, but you're seeing a lot of people really focusing on security. What's your take of, so far, as an attendee? >> Well, as we look and, cause I like to go to these different things. One, first to thank everybody for coming because it's a huge investment of time and money to be at these different shows, but I go to every single booth to kind of take a look to see where they are cause sometimes when we look at some of the different technology, they may have this idea of what they want the company to be and they're maybe only a couple years old, but we may see it as a totally different application and like to take those ideas and innovate them and steer them in another direction that kind of best suits our needs. But a lot of times you see a lot of replay of the same things over and over again. A lot of folks just kind of miss some of the general ideas. And, um, this particular floor that we have, there's some interesting components that are out there. There's a lot of folks that are all about configuration management and auto correction of misconfigured environments and things like that. Which is good, but I think when we look at the shared responsibility model and so forth, there's some components that a lot of folks don't really understand they really have to embrace in their environment. They think, oh it's just a configuration management, it's just a particular checklist or some other things that may fix something, but we really got to talk about the roots of some of the other things because if it's not in your data center and it's out somewhere else, doesn't mean you transfer the liability. You still have the ownership, there's still some practice you got to focus on. >> Take us through the Cloud journey with Legendary. You put some exchange service out there. Continue. >> Yes, and so as we started bringing these other different SaaS models because we didn't want to have the risk of if something went down we lost everything, but as we did that and started embracing Shadow IT, because if this worked for this particular department, we realized that there wasn't necessarily a applicable way to manage all of those environments simultaneous. What we mean after the standpoint, like we mentioned before, the MFA for each of these different components of the Cloud applications. So that naturally led us into something like single sign-on that we can work with that. But as we started looking at the single sign-on and the device management, it wasn't so much that I can't trust you devices, it's how do I trust your device? And so that's when we created this idea of a user-centric security architecture. So it's not necessarily a zero trust, it's more of a, how can I build a trust around you? So, if your phone trusts you based off of iometrics, let me create a whole world around that, that trust circle and build some pieces there. >> Okay, so, let me just interrupt and make sure we understand this. So, you decided to go Cloud-First. You had some stuff in colo and then said, okay, we need to really rethink how we secure our operations, right? So, you came up with kind of a new approach. >> Correct. >> Cloud approach. >> Absolutely. And it's Cloud and so by doing that then, trying to focus in on how we can build that trust, but also better manage the applications because, say for example, if I have a collaboration tool where all my files are, I may want to have some sort of protection on data loss prevention. Well, that Cloud application may have its own piece that I can orchestrate with, but then so does this one that's over here and this one over here and so now I've got to manage multiple policies in multiple locations, so as we were going down that piece, we had to say, how do we lasso the security around all these applications? And so, in that particular piece, we went ahead and we look forward at where is the technology is, so early on, all we had were very advanced sims where if I get reporting on user activity or anomalies, then I had limited actions and activities, which is fine, but then the CASB world ended up changing. Before, they were talking about Shallow IT, now they actually do policy enforcement, so then that allowed us to then create a lasso around our Cloud applications and say, I want to have a data loss prevention policy that says if you download 5,000 files within one minute, take this action. So, before, in our sim, we would get alert and there were some things we could do and some things we couldn't, but now in the CASB I can now take that as a piece. >> So more refined >> Exactly. >> in policy. Now, did you guys write that code? Did you build it out? Did you use Cloud? >> We work with a partner on help developing all this. >> So, when you think about where the CASBs were five years ago or so, it was all about, can we find Shadow IT? Can we find where social security numbers are? Not necessarily can I manage the environment. So, if you were take a step back to back in the old days when you had disparate in network architecture equipment, right? And you wanted to manage all your switches and firewalls, you had to do console on each and every one. Over time as it progressed, we now had players out there that can give you a single console that can get in and manage the entire network infrastructure, even if it's disparate systems. This is kind of what we're seeing right now within the Cloud, where on the cusp of it, some of then are doing really good and some of them still have a lot of things to catch up to do, but we're totally stoked about how this is working in this particular space. >> So, talk about, like, um, where you are now and the landscape that you see in front of you. Obviously, you have services. I know you. We met through McAfee, you have other, some fenders. You have a lot of people knocking on your doors, telling you stuff. You want to be efficient with your team. >> Yes. >> You want to leverage the Cloud. >> Yes. >> As you look at the landscape and a future scape as well, what're you thinking about? What's on your mind? What's your priorities? How're you going to navigate that? What're some of the things that's driving you? >> (sighing) It's a cornucopia of stuff that's out there. (laughing) Depending on how you want to look at it. And you can specialize in any particular division, but the biggest things that we really want to focus on is we have to protect out data, we have to protect our devices, and we have to protect our users. And so that's kind of that mindset that we're really focused on on how we integrate. The biggest challenges that we have right now is not so much the capability of the technology, because that is continually to evolve and it's going to keep changing. The different challenges that we have when we look in some of these different spaces is the accountability and the incorporation and cooperation because a incident's going to happen. How are you going to engage in that particular incident and how are you going to take action? Just because we put something in the Cloud doesn't mean it was a set and forget kind of thing. Because if it was in my data center, then I know I have to put perimeter around it, I know I got to do back-ups, I know I got to do patch management, but if I put it in the Cloud, I don't have to worry about it. That is not the case. So, what we're finding a lot is, some of these different vendors are trying to couch that as, hey we'll take care of that for you, but in fact, reality is is you got to stay on top of it. >> Yeah. And then you got to make sure all the same security practices are in there. So, the question I have for you is: what's the security view of the Cloud versus on premise (muttering) the data's in the perimeter, okay that's kind of an older concept, but as your thinking about security in Cloud, Cloud security versus on premise, what's the difference? What's the distinction? What's the nuances? >> Well, if we go old-school versus new-school, old-school would say, I can protect every thing that's on prem. That's not necessarily the case that we see today because you have all this smart technology that's actually coming in and is eliminating your perimeter. I mean, back in the day you could say, hey, look, we're not going to allow any connections, inbound or outbound, to only outside the United States cause we're just a U.S.-based company. Well, that's a great focus, but now when you have mobile devices and smart technology, that's not what's happening. So, in my view, there's a lot of different things that you may actually be more secure in the Cloud than you are with things that are on prem based off of the architectural design and the different components that you can put in there. So, if you think about it, if I were to get a CryptoLocker in house, my recovery time objective, recovery point objective is really what was my last back-up. Where if I look at it in the Cloud perspective, it's where was my last snapshot? (stuttering) I may have some compliance competes on there that records the revision of a file up to 40 times or 120 times, so if I hit that CryptoLocker, I have a really high probability of being able to roll back in the Cloud faster than I could if I lost something that was in prem. So, idly, there's a lot more advantages in going with the Cloud than on prem, but again, we are a Cloud-First company. >> Is bad user behavior still your biggest challenge? >> Is it ever! I get just some crazy, stupid things that just happen. >> The Cloud doesn't change that, right? >> No! (laughing) No, you can't change that with technology, but a lot of it has to be with education and awareness. And so we do have a lot of very restrictive policies in our workforce today, but we talk to our users about this, so they understand. And so when we have things that are being blocked for a particular reason, the users know to call us to understand what had happened and in many cases it's, you know, they clicked on a link and it was trying to do a binary that found inside of a picture file of all things on a web browser. Or they decided that they wanted to have the latest Shareware file to move mass files and then only find out that they downloaded it from an inappropriate site that had binaries in it that were bad and you coach them to say, no this is a trusted source, this is the repository where we want you to get these files. But my favorite though is, again, being Cloud-First, there's no reason to VPN into our offices for anything because everything is out there and how we coordinate, right? But we do have VPN set up for when we travel to different countries with regards to, as a media company, you have to stream a lot of different things and, so, if we're trying to pitch different pieces that we may have on another streaming video-on-demand service, some of those services and some of those programmings may not be accessible into other countries or regions of the world. So, doing that allows us to share that. So, then, a lot of times, what we find is we have offices and users that're in different parts of the world that will download a free VPN. (laughing) Because they want to to be able to get to certain types of content. >> Sounds good. >> And then when you're looking at that VPN and that connection, you're realizing that that VPN that they got for free is actually be routed through a country that is not necessarily friendly to the way we do business. They're like, okay, so you're pushing all of our data through that, but we have to work through that, there's still coaching. But fortunately enough, by being Cloud-First, and being how things are architected, we see all that activity, where if was all in prem, we wouldn't necessarily know that that's what they were doing, but because of how the user-centric piece is set-up, we have full visibility and we can do some coaching. >> And that's the biggest issue you've got. Bigtime, yes? Visibility. >> What's a good day for a security practitioner? >> (laughing) A good day for a security practitioner. Well, you know, it's still having people grumpy at you because if they're grumpy at you, then you know you're doing you job, right? Because if everybody loves the security guy, then somebody's slipping something somewhere and it's like, hey, wait a minute, are you really supposed to be doing that? No, not necessarily. A good day is when your users come forward and say, hey, this invoice came in and we know that this isn't out invoice, we want to make sure we have it flagged. And then we can collaborate and work with other studios and say, hey, we're seeing this type of vector of attack. So, a good day is really having our users really be a champion of the security and then sharing that security in a community perspective with the other users inside and also communicating back with IT. So, that's the kind of culture we want to have within out organization. Because we're not necessarily trying to be big brother, we want to make it be able to run fast because if it's not easy to do business with us, then you're not going to do business with us. >> And you guys have a lot of suppliers here at the re:Inforce conference. Obviously, Amazon, Cloud. What other companies you working with? That're here. >> That're here today? Well, CrowdStrike is a excellent partner and a lot of things. We'll have to talk on that a little bit. McAfee, with their MVISION, which was originally sky-high, has just been phenomenal in our security architecture as we've gone through some of the other pieces. We do have Alert Logic and also Splunk. They're here as well, so some great folks. >> McAfee, that was the sky-high acquisition. >> That is correct and now it's MVISION. >> And that's the Cloud group within McAfee. What do they do that you like? >> They brought forth the Cloud access security broker, the CASB product, and one of the things that has just been fascinating and phenomenal in working with them is when we were in evaluation mode a couple of years ago and were using the product, we're like, hey, this is good, but we'd really like to use it in this capacity. Or we want to have these artifacts of this intelligence come out of the analytics and, I kid you not, two weeks later the developers would put it out there in the next update and release. And it was like for a couple of months. And we're like, they're letting us use this product for a set period of time, they're listening to what we're asking for, we haven't even bought it, but they're very forward-thinking, very aggressive and addressing the specific needs from the practitioner's view that they integrated into the product. It was no-brainer to move forward with them. And they continue to still do that with us today. >> So that's a good experience. I always like to ask practitioners, what're some things that vendors are doing that either drive your crazy or they shouldn't be doing? Talk to them and say, hey, don't do this or do this better. >> Well, when you look at your stop-doing and your start doing list and how do you work through that? What really needs to be happening is you need your vendor and your account manager to come out on-site once a quarter to visit with you, right? You're paying for a support on an annual basis, or however it is, but if I have this Cloud application and that application gets breached in some way, how do I escalate that? I know who my account manager is and I know the support line but there needs to be an understanding and an integration into my incidents response plan as when I pick up the phone, what' the number I dial? And then how do we engage quickly? Because now where we are today, if I were to have breach, a compromised system administrator account, even just for 20 minutes, you can lose a lot of data in 20 minutes. And you think about reputation, you think about privacy, you think about databases, credit cards, financials. It can be catastrophic in 20 minutes today with the high-speed rates we can move data. So, my challenge back to the vendors is once a quarter, come out and visit me, make sure that I have that one sheet about what that incident response integration is. Also, take a look at how you've implemented Am I still on track with the artchitecture? Am I using the product I bought from you effectively and efficiently? Or is there something new that I need to be more aware of? Because a lot of times what we see is somebody bought something, but they never leveraged the training, never leveraged the support. And they're only using 10% of the capability of the product and then they just get frustrated and then they spend money and go to the next product down the road, which is good for the honeymoon period, but then you run into the same process again. So, a lot of it really comes back to vendor management more so than it is about the technology and the relationship. >> My final question is: what tech are you excited about these days? Just in general in the industry. Obviously security, you've got the Cloud, you're Cloud-First, so you're on the cutting edge, you've got some good stuff going on. You've got a historical view. What's exciting you these days from a tech perspective? >> Well, over the last couple of years, there's been two different technologies that have really started to explode that I really am excited about. One was leveraging smart cameras and facial recognition and integrating physical stock with cyber security stock. So, if you think about from another perspective, Cameras, surveillance today is, you know, we rewind to see something happen, maybe I can mark something. So, if somebody jumped over a fence, I can see cause it crossed the line. Now the smart cameras over the last three or four or five years have been like, if I lost a child in a museum, I could click on child, it tells me where it is. Great. Take that great in piece and put it in with your cyber, so now if you show up on my set or you're at one of our studios, I want the camera to be able to look at your face, scrub social media and see if we can get a facial recognition to know who you are and then from that particular piece, say okay, has he been talking trash about our movies? Is he stalking one of our talent? From those different perspectives. And then, moreover, looking at the facial expression itself. Are you starstruck? Are you angry? Are you mad? So, then that way, I know instantly in a certain period of time what the risk is and so I can dispatch appropriately to have security there or just know that this person's just been wandering around because they're a fan and they want to know something. So, maybe one of those things where we can bring them a t-shirt and they'll move on onto their way and they're happy. Versus somebody that's going to show up with a weapon and we have some sort of catastrophic event. Now, the second technology that I'm really pretty excited about. Is when we can also talk a little about with the Five G technology. So, when everybody talk about FIJI, you're like, oh, hey, this is great. This is going to be faster, so why are we all stoked about things being super, super fast on cellular? That's the technical part. You got to look at the application or the faculty of things being faster. To put it into perspective, if you think about a few years ago when the first Apple TV came out, everybody was all excited that I could copy my movies on there and then watch it on my TV. Well, when internet and things got faster, that form factor went down to where it was just constantly streaming from iTunes. Same thing with the Google Chrome Cast or the Amazon Fire Stick. There's not a lot of meat to that, but it's a lot of streaming on how it works. And so when you think about the capability from that perspective, you're going to see technology change drastically. So, you're smartphone that holds a lot of data is actually probably going to be a lot smaller because it doesn't have to have all that weight to have all that stuff local because it's going to be real-time connection, but the fascinating thing about that, though, is with all that great opportunity also comes great risk. So, think about it, if we were to have a sphere and if we had a sphere and you had the diameter of that sphere was basically technology capability. As that diameter grows, the volume of the technology that leverages that grows, so all the new things that come in, he's building. But as that sphere continue to grow, what happens is the surface is your threat. Is your threat vector. As it continue to grow, that's going to continue to grow. (stuttering) There's a little but of exponential components, but there's also a lot of mathematical things on how those things relate and so with Five G, as we get these great technologies inside of our sphere, that threat scape on the outside is also going to grow. >> Moore's law in reverse, basically. >> Yeah. >> Surface area is just balloon to be huge. That just kills the perimeter argument right there. >> It does. >> Wow. And then we heard from Steve and Schmidt on the keynote. They said 90% of IOT data, thinking about cameras, is HTTP, plain text. >> Exactly. And it's like, what're you-- >> Oh, more good news! >> Yeah. (laughing) >> At least you'll always have a job. >> Well, you know, someday-- >> It's a good day in security. Encrypt everywhere, we don't have time to get into the encrypt everywhere, but quick comment on this notion of encrypting everything, what's your thoughts? Real quick. (sighing) >> All right, so. >> Good, bad, ugly? Good idea? Hard? >> Well, if we encrypt everything, then what does it really mean? What're we getting out? So, you remember when everybody was having email and you had, back in the day, you had your door mail, netscape navigator and so forth, and thought, oh, we need to have secure email. So then they created all these encryption things in the email, so then what happens? That's built into the applications, so the email's no longer really encrypted. >> Yeah. >> Right? So I think we're going to see some things like that happening as well. Encryption is great, but then it also impedes progress when it comes to forensics, so it's only good until you need it. >> Awesome. >> Dan, thanks so much here on the insights. Great to have you on The Cube, great to get your insights and commentary. >> Well, thank you guys, I really appreciate it. >> You're welcome. >> All right, let's expecting to steal is from noise, talking to practitioner CSOs here at re:Inforce. Great crowd, great attendee list. All investing in the new Cloud security paradigm, Cloud-First security's Cube's coverage. I'm John Furrier, Dave Vellante. Stay tuned for more after this short break. (upbeat music)

>> From the Hard Rock Hotel in Las Vegas, It's theCUBE, covering HoshoCon 2018. Brought to you by Hosho. >> Okay, welcome back everyone. We're here for CUBE's live coverage here in Las Vegas for HoshoCon. This is the first industry conference where the smartest people in security are together talking about blockchain security. That's all they're talking about here. It's a bridge between multiple diverse communities from developers, white hat hackers, technologist, the business people all kind of coming together. This is theCUBE's coverage, I'm John, for our next guest Anand Prakash, who's the founder for AppSecure. He's also the number one bounty hunter in the world. He's hacked everything you could think of; exchanges, crypto exchanges, Facebook, Twitter, Uber. Welcome to theCUBE, thanks for joining me. >> Uh, thank you John. >> So, you've hacked a lot of people, so let's, before we get started, who have you hacked? You've hacked an exchange. >> Yeah. >> Exchanges plural? >> Most of the exchanges. >> Mostly the exchanges? >> Yeah, ICOs. >> ICOs? >> Yeah, and bunch of other MNCs. >> Twitter, Facebook? >> Twitter, Uber, Facebook, and then Tinder. Yeah. >> A lot. >> Yeah, a lot. I cannot say the name. >> You're the number one bounty hunter. Just to clarify you're a white hat hacker, which means you go out and you do a service for companies. And it's well known that Facebook has put bounties out there. So, you take them up on their offer, or-- >> Yeah, so basically companies say us, hack us, and we'll pay you. So, we go and try to hack their systems, and say this is how we are able to discover a vulnerability, and this is how it can be exploited against your users to steal data, to hack your systems. And then they basically say, this is how much we are going to pay you for this exploit. How did you get into this, how did you get started? >> So, it started with a simple Phishing hack in 2008. It was an Orkut phishing hack, and one of my friend telling me to hack his Orkut account. And I Googled, how to hack Orkut account, and I wasn't having any technical knowledge at that point of time. No coding, no knowledge, nothing. I just Googled it and found ten steps, and I followed that ten steps. Created a fake page, I sent it to my friend, and he basically clicked on it, and there it is, username and password. (laughs) >> He fell for the trap >> Definitely, >> right away. >> Yeah. >> So, quick Google kiddie script kind of thing going on there, which is cool. Okay, now you're doing it full-time, and it's interesting here, this is the top security conference. Those are big names up there, Andreas was giving keynote. But I was fascinated by your two discussion panels, or sessions. Yesterday you talked about hacking an exchange, and today it was about how to hack Facebook, Twitter, these guys as part of the bounties. This is fascinating because everyone's getting hacked. I mean you see the numbers. >> Yeah. >> I mean, half a billion dollars, 60 million here, 10 million. So, people are vulnerable and it's pretty easy. So, first question for you is how easy is it these days and how hard is it to protect yourself? >> So, the attacks, the technologies, and then attacks are getting more sophisticated, and hackers are trying newer and newer exploits. So, it's good for companies and descryptpexion just to employ ethical hackers, white hat hackers, and moodapentas, and bunch of other stuff to secure their assets. So, it's, you wouldn't say for companies not doing security, then it's very easy for someone like us to hack their systems, but there were companies doing Golden Security. They are already have an internal security team, external folks securing their systems, then it's difficult. But, it's not that difficult. Let's talk about your talk yesterday about the exchange. Take us through what you talked about there that got some rave reviews. How did you attack the exchange? What did you learn? Take us through some of the exchanges you hacked and how, and why the outcome? >> Yeah, so, we have been auditing bunch of ISOs and exchanges from past two months, and quite a good number. So, what we see is most of them, don't have security, basic security text in place. So I can log into anyone's account. They have a password screen on the UA, but I can simply type it in without, without no indication or alteration, I can just log into anyone's account, and then I can get fund's out of their system. Very similar to, one issue which we found in talk in sale, was we were able to see PIA information of all the users. All the passwords details and everything, who has done KYC. So, there are lot of information disclosures in the API. And the main thing which we hackers do is we try to test this systems manually instead of going more into an automated kind of approach, running some scanner to figure out sets of hues. So, scanners are, sorry. Scanners are obviously good, but they're not that much good in finding out all the logical loopholes. >> So, you manually go in there, brute force, kind of thing? >> Yeah, not exactly, not that brute forcing, >> Not brute force. >> but of our own ways of doing things, and there are lot of good bounty hunters or white hat hackers, who are better than me and who are doing things. So, it becomes more and more sophisticated. We don't know when you get hacked. >> So, when the bounties are out there, does Facebook just say, hey, go to town? Or they give you specific guidance, so, you just, they say go at us? What do you do? >> Yeah, so basically the publicist sends some kind of legal documentation around it, and some kind of scoping on the top targets to hack. And then, they basically publish their reward size, and everything, and the policy and everything around. And then we just go through it. We try to hack it and then we report it to their team, via channel, and then they fix it, and then they come back to us saying, this is how we fixed it and this is what the impact was, and this is how much we're going to pay you. >> And then they just they pay you. >> Yeah, my yesterday's talk was mainly focused on hacking these ICOs, and descryptpexion in the past. Some of the case studies which we have done in the past, and obviously we can't disclose customer names, but we directed some of the information, and showed them how we helped them. >> What should ICO's learn, what should exchanges learn from your experience? What's the walkaway for them? Besides being focused on security. What specifically do you share? >> Yeah, so to be very frank, I know few of the companies and bunch of companies who don't appreciate white hat hackers at all. So, these are ICOs and crypexinges. So, the first and foremost thing they should do is, if they are not having any internal, external, if they are having any internal security team right now, then they should go further back down the program to make sure people like us, or people like other white hat hackers, go and hack their systems and tell them ethically. >> How does a bounty, how does someone set that up? >> So, uh-- >> Have you helped people do that? >> Yeah, so, our company does that. We help them setting up a bug bounty program from scratch, and we manage it by our typewriting platforms, and we invite private, and we do it privately, and we invite ethical hackers to hack into their systems ethically. And then we do have arguments with bunch of them, and that's how they're going to secure. >> So, how does that work, they call you up on the phone? Or they send you an email? They send you a telegram? How do they get in touch with, the website? They do face-to-face with you? They have to do it electronically? What's the process? >> For the bounty hunting? >> Yeah, for setting up a bounty program. >> Yeah, for setting up a bounty program with our company, we basically get on Skype call with them, we explain them what is going to be their budget and everything. How good their security team is, and if they are not having any internal security team, what I know, then we never suggest them going for the bounty program because they may end up paying huge amount of money. (John laughs) So, then we basically sell our pen testing services to them, and say, this is, you should go out for a pen testing service first, and then you should go for a bounty program. >> Because they could be paying way too much in bounties. >> Yeah, yeah. >> Yeah, 'cause they don't know what their exposure is. So, you do some advisory, consulting, get them set up, help them scale up their security practice basically. >> Yes, yes, yes. Their entire security team. >> So what was the questions at the sessions? What were some of the things the audience was asking you? Did any good questions come out that you were surprised by, or you expected? >> No, so, all of, so, for the very first talk, about the hacking the crypexion and all, all of them were surprised. They thought putting up a two-factor authentication, or something like that, makes their account secure. But it's not like that. (both laughing) We hack on the APIs. So, it's very, very, very super easy for us most of the time. >> So, the APIs are where the vulnerabilities are? >> Yeah. >> Mainly. >> The APIs, the URLs. >> Yeah. So, you guys use cloud computing at all? Do you use extra resource? I saw a bunch of stories out there about quantum computers, and that makes things better on the encryption side. What's your thoughts on all that, and hubbub? >> Yeah, so mainly we use anomaly intercepting proxy to intercept these calls, which are going on a straight to PS outputting, out of our own SSLP, 'cause the safety we get, and then trusting it. So, we try to plane to the APIs and them doing stuff. We don't need a big, high-end machine to hack into services. >> Gotcha, so you're dealing with them in the wire transmission. So, what do you, tell me about the conference here, what of some of the hallway conversations you've had? What's your observation? The folks that could not make it here, what's it like? What's the vibe like? What's it like here? >> So, they missed lot of things. (both laughing) And um, it was first Blockchain Security Conference, and I've been flying from all over doing the art, to just attend this conference. I was here one month back for Defcon and Black Hat, and for some other hacking event. >> So, you wanted to come here? >> Yeah. >> Yeah, I meet a lot of cool people here. I met so many great people. >> I planned it out even before Defcon Black Hat. (laughs) >> Okay, go 'head. >> I had to go to Hosho. (giggles) >> I think this is an important event 'cause I think it's like a new kind of black hat. Because it's a new culture, new architecture. Blockchain's super important, there's a lot of interest. And there's a lot of immature companies out there that are building fast, and they need to ramp up. And they're getting ICO money, which is like going public, so, it's like being grown-up before you're grown-up. And you got to get there faster. And I mean, that seems to be, do you agree with that? >> Um, yeah, definitely so. A lot of people love putting money into ICOs then what if they go tag, then people don't know about security that much, so, it's a big-- >> So, what are you excited about? Stepping back from the bounty hunter that you are, as you look at the tech industry, security, and blockchain in general, what are you most excited about? What are you working on? >> So, frankly saying, so, I'm looking forward to hack, articulately hack more and more exchanges, and uh, I believe none of them should die the legal tag, but, that's where most of the money is going to be in the future. So, that's the most interesting thing. Blockchain security is the most-- >> Yeah, that's where the money is. >> Yeah, yeah, yeah. >> The modern day bank robbery. It's happening. Global, modern, bank robbery. (Anand laughs) Andreas is right, by the way. (Anand giggles) He talked about that today. It's not like the old machine gun, give me the teller way. Give me your cash drawer, on, it's-- >> That was a very nice talk. >> It's other people from other banks with licenses. >> Yup. >> The new bank robbers. Well, thanks for coming on theCUBE, sharing your story, appreciate it. >> Thank you. >> Great to have you on. >> Thank you for inviting me. >> You're a real big celebrity in the space, and your work's awesome, and love the fact that you're ethically hacking. >> Yeah, by the way, I'm not the world's number one bounty hunter. I'm just-- >> Number two. >> Not number two, maybe, there are lot people out there. >> You're up there. >> I'm just learning and-- >> We could do a whole special or a Netflix series on the bounty hunting. >> Yeah, yeah. (laughs) >> And follow you around. (both laughing) And now, thanks for coming out, appreciate it. >> Thank you. >> Good to see you. >> Good to see-- >> All right. More CUBE coverage after this short break, stay with us. Here, live, in HoshoCon. First security conference around Blockchain. I'm John Furrier, thanks for watching. (upbeat techno music)

from the Hard Rock Hotel in Las Vegas it's the cube recovering no joke on 2018 brought to you by Osho okay welcome back everyone we're here live here at hosts show con in Las Vegas the first security conference for blockchain its inaugural event and we're here with Gabriel Shepherd VP of strategy at Global Strike for host show they're the hosts of the event although it's an industry conference for the entire community all coming together Gabriel thanks for coming on and spend the time yeah thanks for having me thanks for you know supporting the event and we appreciate your team coming out and covering what we're trying to build here well we think it's super important now so you guys are doing a great service for the industry and stepping up and put in the event together and so props to you guys thank you this is not a hosts show sales like conference you guys aren't selling anything you're doing the service for the community so props to you guys in the team great stuff and we know this is a kernel of all the smartest people and its really an industry event so it shows in the session so appreciate that yes we think it's important because you know we see a lot of trends the queue has a unique advantage in how we cover hundreds of events and yeah so we get to go we see a horizontal observation space from the industry and when you have formation like this with the community this is important you guys have up leveled the conversation focused the conversation around blockchain where security is the top-level conversation that's it no I feel pitches right so for the folks watch and this is really one of those events where it's not a huge number of people here like the thousands and thousands of other blockchain shows that make money off events this is about community and around getting the conversations and having substantive conversations so great job so for the folks watching the content agenda is super awesome host show con-com you go browse it but give us some color commentary on some of the types of speakers here the diversity yeah I think I think the first thing that we wanted to accomplish was with Hojo Khan was we we wanted to put front and center the conversations that were not taking place at other events there are plenty of platforms and opportunities for companies early-stage companies to go pitch there are other great conference organizers that do events and have their own wheelhouse but what we wanted to do was put together a conference that was focused around a type of conference that we ourselves would want to attend as a cybersecurity firm and you know after traveling the world I mean you know you you and artesia spoke many times and hosho has sponsored quite a few events around the world after attending by the end of 2018 will attended something like a hundred plus events in some capacity and so it was clear to us early on that companies weren't our conferences weren't going to focus on security or at least put them on the main stage where I believed that they should be at least with all the hacks happening so what we wanted to do was bring together thought leadership with respect to security technical leadership with respect to developers and security engineers and we wanted to bridge those two what I mean by that is we wanted thought leadership that could get executives to start the non-technical people so start thinking about security in the larger format and how it's applicable to their company but what we also wanted to do is we wanted to connect these non-technical people with the technical people in an intimate setting where they could learn think about the brain power that we have in this hotel for hosho Khan you've got the minds of Andre Assante innopolis Diego's LDR of RSK Michael berkland of shape-shift josub Kuan of hosho we've got Ron stone from c4 you've got an on Prakash a world-class white hat bug bounty hunter consider what he's top-5 bug bounty hunter for our top top bug bounty hunter for Facebook five years in a row the the level of the calibre of technical talent in this building has the potential to solve problems that Enterprise has been trying to solve individually for years but those conversations don't take place in earnest with the non-technical people and so the idea behind hoshikawa was to bridge those to provide education that's what we're doing things like workshops sure we have keynotes and panels but we also have the ability to teach non-technical people how to enable two-factor authentication how to set up PGP for your email how to set up your hardware wallet these things aren't these conversations are not the bridge is a clearly established we interview people from on the compliance side all the way down to custodial services which again the diversity is not a group think events just giving them more props here because I think you guys did a great job worthy of promotion because you not only bridge the communities together you're bringing people in cross functionally colonizing and the asset test for me is simple the groupthink event is when everyone's kind of rah rah each other I know this conditions we got Andre is saying hey if you put database substitute database for blockchain and it reads well it's not a real revolutionary thing and oh all you custodian services you're screwed I mean so you have perspectives on both side that's right and there's contentious conversation that's right and that to me proves it and as well as the sessions are highly attended or we don't want it we don't want a panel of everybody in agreeance because we know that's not reality i mean that you you bring up the issue of curse of custody a prime example is we had a great talk a four-person panel led by Joe Kelly who's the CEO of Unchained Capital he had a panel with traditional equities custodian Paul pooi from edge wallet Joseph Kwon is the CEO of hosho and there was clear differences of opinion with respect to custody and it got a little contentious but isn't that the point yeah it's to have these conversations in earnest and let's put them out in the public on what's right and what's wrong for the community and let the community to decide the best way forward that's the best is exactly what you want to do I gotta ask you what are the big surprises for you what have you learned what's the big reveal for you that you've super surprised you or are things you expected what were some of the things that went on here yeah I think the biggest surprise to me was the positive feedback that we received you know I understand that we know people maybe looked at how shock on year one and said hosho like they're a cybersecurity firm what are they doing running a conference right but my background is a you know I've produced conferences I have a former employee of South by Southwest I believe a big an experience and so when we started to put this together we thought we knew we would make mistakes and we certainly made mistakes with respect to programming and schedule and just things that we had didn't think about attention to detail but we had plans far in that the mistakes were mitigated that they weren't exposed to the public right there behind the scenes fires that kind like a wedding or a party but no one actually really notices sure we put them out behind the scenes nobody that the our guests don't notice and that was my biggest concern I'm pleasantly surprised at the positive feedback we've yet to get any negative feedback publicly on Twitter telegram anecdotally individually people now they made just being nice to my face but I feel good about what the response that we've got it's been good vibes here so I gotta ask you well sure the DJ's were great last night good experience yeah experience and knowledge and and networking has been a theme to correct I lost him the networking dynamics I saw a lot of people I had I had ran to some people I met for the first time we've had great outreach that with the queue was integrated in people very friendly talked about the networking and that's been going on here yeah I mean this panels are great I'd love to hear from from panels and solo presentations but a lot of work gets done in the hallways and we have a saying in the conference business hallway hustlers right the ones that are hustling in the hallways are those early stage entrepreneurs or trying to close deals trying to figure out how to get in front of the right person serendipitously are at the bar at the same time as somebody they want to meet that is to me conference 101 that is the stuff I grew up on and so we wanted to make sure that we were encouraging those interactions through traffic flow so you'll notice that they're strategically the content rooms are strategically placed so that when you're changing rooms people are forced to cross interact with each other because they're forced to bump into each other and if you look at the programming we purposefully to our demise to be honest year one put a lot of programming that was conflicted with each other we made people make a decision about what talk they wanted to go to because there were two really compelling people at the same time or 10 minutes off yeah and so you had to make a decision vote with your feet you got to vote with your feet and and and from a conference perspective we call that FOMO right we want our guests to FOMO not because we want them to miss a particular talk but because we want them to be so overwhelmed with content and opportunity with networking that they when they walk away they've had a good experience they're fulfilled but they they think I got to go back here too because that thing I missed I'm not gonna miss this yeah we will point out to you guys made a good call on film all the session everything so everything's gonna be online we'll help guys do that yep so the video is gonna be available for everyone to look on demand you also had some good broadcast here we had a couple shows the cubes been here your mobile mention the DJs yeah yeah so good stuff so okay hallway conversations our lobby con as we call it when people hang up a lot on it's always good hallway con so what Gabriel in your mind as you walked around what was some of the hallway culture that you overheard and and that you thought were interesting and what hall would cartridges were you personally involved in the personal conversations I was involved with is why isn't somebody not this station why someone not Gardens but I will tell you i from what I heard from from conference attendees the conversations that I heard taking place were and I hope Jonathan doesn't mind but Jonathan Nelson from hack fund spoke on our main stage and I hope he doesn't mind me speaking out of turn but he came to me said this is one of the best run blockchain conferences I've ever been to and to have somebody like Jonathan say that who has done hundreds of talks and thousands was really meaningful but but what was more important is to talk to him and him feel comfortable enough to sit down with me and just talk generally that's the vibe we want for every attendant we want you to feel comfortable meeting with people in the hallway who you've never met and be vulnerable from a security perspective you know Michael Turpin for example sitting down and talking proactively about being the AT&T hack great these are opportunities for people to really talk about what's happened and be vulnerable and have the opportunity to educate us all how to get better as an industry you know the other thing I want to get your thoughts on is obviously the program's been phenomenal in the content side thank you but community is really important to us we're of a community model to q you guys care about the community aspect of this and as a real event you want to have an ongoing year after year and hopefully it'll get bigger I think it will basically our results we're seeing talk about the community impact because what you're really talking about there is community that's right well I mean Vegas we talk about there's multiple communities right regionally post-show is a Vegas based company we're born here we close I think forty some employees all based here in Las Vegas which is our home so the first thing that we did with respect to community as we created a local local price if you're a Nevada resident we didn't want you to have to invest a significant amount of money to come to something in your own town the second thing we did is we've invited the local Vegas Bitcoin meet up in aetherium meet ups to come and partake and not only participate but contribute to the content and opening day in fact there was so much influx of people from those meetups it wasn't official it wasn't like a program where we had actually a VTEC set up I thought I was gonna be like a meet-up there were so many people that attended we had to on the fly provide AV because we were overwhelmed with the amount of people that showed up so that's a regional community but with respect to the community from blockchain community what we wanted to do is make sure we brought people of all ethnicities all countries we have 26 countries represented in the first blockchain security conference and you had some big-name celebrities here yeah Neil Kittleson Max Keiser you go mama Anan Prakash Yakov Prensky a layer from your side pop popcorn kochenko has some big names yeah I'll see andreas yes here keynoting yeah I'm Michel parkland andreas Diego Zaldivar I mean these lena katina Viren OVA I mean these are big names yeah these big names okay what so so what's your takeaway of you as you know my takeaway is that there's a there's a yearning for this type of event my takeaway is that we're doing something right we have the luxury as hosho and that we're not an events company people think that might be a disadvantage to run a confident you're not a cotton vent company I think it's an advantage yeah because it holds my feet to the fire yeah much closer than an event organiser who doesn't have a company reputation and brand to protect hosho as you know has a good brand in the cybersecurity world with respect to blockchain we don't have the luxury of throwing a poor event giving you a bad experience because that would tarnish house of but also your in the community so you're gonna have direct feedback that's right the other thing too I will say I'm gonna go to a lot of events and there are people who are in the business of doing events and they have a profit motive that's right so they'll know lanyards are all monetize everything is monetized yeah and that sometimes takes away from the community aspect correct and I think you guys did a good job of you know not being profligate on the events you want to yeah a little bit of cash but you didn't / yeah / focus on money-making finding people right for the cash you really needed about the content yeah and the experience for and with the community and I think that's a formula that people want yeah I would like to see the model I would like to see the model changed over time if I'm being honest a majority of crypto conferences today are paid to play so a lot of the content you're getting this sponsored so I'm okay with that but I think it should be delineated between con disclose your disclosure you don't want water down the country but but the conference circuit and crypto is not ready for that it hasn't rest in my opinion hasn't reached that level of maturation yet like I told you I I'm a former South by Southwest guy that like my belief is you create the content and the sponsors will come I don't I don't begrudge conference organizers for for for sponsoring out events because they're really really expensive a cost per attend to manage demand to this hype out there yeah hundreds of dollars per attendee I get it I understand why they do it but what I would like to see is the model change over time whereas as we get more sophisticated as a technology space we should also grow as a vent and conference circuit as well what I mean by that is let's change the model that eventually someday it's free for all attendees to come and those conferences and the costs associated with them are subsidized by companies that want access to the people that are tending them it sounds like an upstream open source project sure how open source became so popular you don't screw with the upstream yep but you have downstream opportunities so if you create a nice upstream model yep that's the cube philosophy as well we totally agree with you and I think you guys are onto something pioneering with the event I think you're motivated to do it the community needs it yeah I think that's ultimately the self governing aspect of it I think you're off to something really good co-creation yeah I'll see we believe in that and the results speak for themselves congratulations thank you so much I appreciate you guys coming here and investing your time and I hope that all our staff has been accommodated and the hard rock is treated you well you guys been great very friendly but I think again you know outside of you guys is a great company and great brand and you guys and speaks for itself and the results this is an important event I agreed because of the timing because of this focus its crypto its crypto revolution its cybersecurity and FinTech all kind of coming together through huge global demand I mean we haven't gotten into IOT and supply chain yeah all the hacks going on with China and these things being reported this is serious business is a lot on the line a lot and you guys having a clear focus on that is really a service business Thank You staff doing it alright our cube coverage here in Las Vegas for host Joe Kahn this is the first conference of its kind where security is front and center it is the conference for security and blockchain bringing the worlds together building the bridges and building the community bridges as well we love that that's our belief as well as the cube coverage here in Vegas tigress more after this short break

from the Hard Rock Hotel in Las Vegas it's the queue recovering the Hojo Kahn 2018 to you by Osho hello everyone welcome back to the cubes exclusive coverage here live in Las Vegas for the first ever security conference around blockchains called Osho con it's put on by host show and industry participants small but intimate and the smartest people in in the industry kind of coming together trying to solve and understand the future for security as it relates to blockchain I'm John furrow your host of the cube next guys anneal keelson who's the CEO of encrypt formerly the NSA's variety experience with security across the board from early days many waves of technology innovation had a panel here talking about you know securing the blockchain and the nuclear codes some basically implying that do you know if you had to secure it the nuclear it's welcome to the cube well thanks thanks John it's great to talk to you um that's exactly it right so the blockchain is is meant to really provide high assurance for a lot of really big transactions right so the internet evolved over time to to hold information to to share information who has ever meant to conduct transactions now we do a lot of e-commerce commerce on it but it wasn't meant to be unchanging right but the blockchain is it said that so the idea is is if we lose control of that if we don't secure it in a way that we can protect our most important digital assets and it's not good enough for anything and so that's why I compared it to you know what would it take to secure something like the nuclear launch codes on it clearly we wouldn't you know there's no reason to but some mindset it's my shift shared focus on okay think that level of impact absolutely money right these people are putting you know it doesn't matter whether you're you're 16 and you're putting your only 500 dollars in crypto or whether you're an institutional investor with five hundred million dollars in it right that that's catastrophic if you lose it right and yet we don't always treat it that way we haven't made the systems easy enough to use for the general user right yeah so we talked about adoption right I mean let's let's talk so if you don't mind let's talk about adoption Yeah right that's why we're here is we're trying to figure out what's it gonna take to get to the next billion users and crypto well it has to be easy and we don't make it easy today in a secure enough way it has to be baked in from the beginning can't be like okay I built an app I built some architecture do some blockchain well by the way security is really hard because we have to make it so complex right for users because it's complex in general right if we build the app first and we get it deployed to say even 50,000 people and then we go back and say you know what we need to build this tree it's more expensive right it's harder to do it's a lays deployment and it confuses users because now they're changing the way that they're interactive let's talk about the adoption in context to architecture it's one of the things that we've been covering certainly the cube folks know in our audience cloud computing has changed the architecture of how people deploy IT and technologies get DevOps horizontally scalable you've had a lot experience over the years and generations of computing evolving through the trend lines here the architecture is interesting so if you think about the architecture of security and blotching in general the security paradigm has to be compatible with a new architecture so it's kind of a moving train at multiple levels so what is the preferred architecture what are some of the blockchain architects and or if you're gonna have token economics you have to have certain business model and our workflows that ties into the technology enablement how should people think about an architectural view to make the adoption or user interface or user experience or where the expectation is kind of new has it all come together so I'm challenging people to think about it differently right so so the blockchain in itself is really pretty secure right it creates an immutable ledger a mutable record where we're going to get in trouble and where we do get in trouble is when you start to transact with it right where you start to actually use a device right whether it's your own phone or it's a computer right you're transacting with it and people don't have the security mechanisms built in there you know and it goes back to what we've talked about for the last 20 years whether it was with the trust computing group the global platform right they've designed the standards so you've got probably in this PC you've got the waltz I guess it's a MacBook Cermak yes yes and your phone right in most computers you've got the security primitives that you need to use hardware to secure those transactions but we're not using them yeah we've been waiting for that kind of killer app to use hardware to secure transactions and blockchain might just be that it's talked about the hard work is doesn't that conversation of kids coming up a lot here in the hallways I was the custodial services today these are two kind of the the business conversation that converts them to technology which is okay hardware is actually a good time to actually implement this Google's doing a lot of stuff with their two-factor authentication with a hardware component you hear Stephan spray get rivets talking about a solution he has it is it the time it's like the perfect storm for just a simple hardware solution I think it is and it and you're right it has to be simple right hardware solutions can get complex we can make them too difficult to use but they don't have to be we like I said we have the firm that was built into most these devices I mean in the billions of devices yeah if you thought to Steven you've heard him talking about the number of devices that are there carrying the primitives he needs needs to use for his his hardware um but if we don't make it simple enough then users won't adopt if they won't use it you know have you used a hardware wallet I'm sure you probably have it yet right it's it's not a simple process today because it requires external pieces external components it's it's it's not a workflow that we understand it's not something we can train to and grown up with it's interesting when I was also talking to Steve off-camera because he had the interviews over but we're talking about the supply chain compromise honestly Bloomberg kind of had the story they had the facts wrong but we kind of understand that that's this hack has been out there for a while around modifying and or a rootkit on the boards you have an brach cat Adam demo live demo on stage and 2015 where they actually showed malware that could not be removed from from memory so I mean it's not this is not new right so but the supply chain has always been and you've been the government you got to know where all the components are right so the old days oh hey outsourced manufacture in China build it the cheapest way possible commodity and D Ram was went down this rip path years and years ago and Japan dominated that and it was low commodity low margin or high Kimani low margin and then Pentium comes out so you're starting to see that hardware supply chain changing what's different now what do people got to do to make sure that the hardware is better what's your opinion on that I don't know if it needs to be better but wouldn't what we need to know is is where the hard work came from we need to know that the hardware is what we expected it to be right that's a really unique question you know we all buy Hardware all the time and you just expect it if it came from vendor that it's what you expected and and and let's talk about something even simpler it's not talking about maliciousness most computers you buy are built to order today right you order you order all the different components yet when you get that at home you don't check to make sure you got the actual RAM that you asked for you have no idea none of us do that right and and likely the vendor doesn't really have a great record to know that absolutely they put in there what you specifically wanted now they intend to write but there's no there's a lot of room in that for changes to be made that aren't expected I guess that for good or bad from malicious or non malicious intent so what that means is that we really need to get used to saying you know what I got this new piece of hardware I got to conduct transactions with that are really critical to my financial survival my my personal privacy and we can't trust them until we know we should be able to trust them so that's where hard work comes into play what sort of trans you're seeing in the hallway conversations you had here and your talk I see people grab you after and talk to you two hallways what are some of the hallway conversations that you've been having here at Osho con I you know the most common question has been how do you convince people that security is important I mean that which is a really really basic way and you know right now life just point them to to news after news article you know to say you know you've got the hardware were reported tax yeah you've got the privacy attacks with with a lot of social media and and and internet companies um if summary this today doesn't believe that security is important I don't know you'll have to convince them so then it becomes a question of how do you get them to adopt it and you know getting getting your your family members to adopt two-factor authentication when it's not as as easy as not adopting it yeah it's sometimes a hard place yeah one things I worry about just kind of just because I'm paranoid sometimes is that yeah what is going on in my with my kids I got four kids 16 to 23 you know I got a Wi-Fi in my house they've got a password on it I'm sure it's been hacked but they're downloading music what the movies I don't know what they're doing at gaming mean there's a service area in my house is pretty much who knows what's going on right I don't even know what's going on in my network this is kind of this in my mind will paranoid but that's what average people think about these days it's like okay I got my own home network at these things going on I'm out in the wild is it a device centric security model that we're moving to do you see it where you know hey my phone you know I don't I know when I leave my phone at home and it takes me three seconds to realize I got to turn the car right so yeah and I leave my wallet at the restaurant when I'm done my meal so these are kind of device centric philosophy is that a better direction you think so I don't know that you can yes and no right for the personal devices but now you know if you go to most networks right with IOT you may have 40 or 50 devices on your network yeah things that don't move you know you may have a light bulb that's got a key to it right it's really about making sure that you own it and then you own the keys I mean that's what it okay that's what security all comes down to you right is key ownership so when you take a look at how you do that we need the systems in place that help us understand where those keys are what they're doing and how we how we cut them off if we need to that's awesome well I was I want to get into what your company's doing but I also wanna I talked about trip I had Middle East general Keith Alexander was with us on at with Amazon almost new region I know you worked with him at the NSA and you know one of the things he's doing at his new startup is a crowdsourcing we're hearing some of that in here as well where people are using crowdsourcing as a way of the security mechanism is that something that you think is viable do you think that this crowd sourcing idea is gonna be helpful or it's just a small piece of the puzzle I think it's I think it's a small piece of the puzzle I think it's the opposite end of the spectrum then a device centric hardware component I think it takes both pieces right it's a matter of making sure you you you know what you have and they use only what you trust and that you're able to connect to the network in a way that you're comfortable and then that crowdsource piece comes in to make sure that you're monitoring kind of all those transactions so so you're a big believer I'm assuming based on the conversation that hardware and software combination is gonna be the preferred user interface I think work it has to be I think we've proven that over the last 20 years I mean cell phones are a good example of that yeah right although we do get some spoofing today and that's been a big talker this cost it's not as prevalent as it was in 1994 yeah yeah I mean I like the idea too of we mean hey if we have we want to know what's in my computer I'd love to go look at a blockchain ledger and say here's what's in my Mac right now wouldn't you that's a good use case of blockchain but but what if you didn't even have to go look at it right what if every time you booted it up it checked it against a a record that was on the blockchain that said you know this is what your Mac should look like and it said you know what you can go ahead and connect to the internet go ahead and conduct that transaction that's the great Act go ahead and that's a great use case all right so what encrypt your company what do you guys doing what's the main focus of your opportunity that you're pursuing so we formed it in May of this year to focus on blockchain security when I left the agency I realized there was this really big gap in the conversation people are having around it I think it's a transformational technology as a skills gap technology gap all the above what are you saying it's both right you've got computer science graduates that come out without a good understanding of hardware security you know it's not being taught in most curriculums it's a it's a it's a general understanding of how to apply the hardware against it it's a general under Sun derp standing of what you can trust right yeah we've got generate a generation now that have grown up with with iPhones in their hands they just assume it's it's okay to use it's just thing you mentioned the computer science programs but I would agree interview started in the 80s so we had to learn computer architectures EE class actually right and you know as gates and all that you know the hard core component stuff as well as coding systems a systems kind of programming model now it's a little bit different more diverse it'll ease a lot of you know new opportunities within computer science so it's broad and certainly in a skill gap that's what comes up a lot we hear obviously more cyber security jobs are open and ever before automation is a term that's been coming known in the cloud business where you starting to see that now a security host shows got this automation component that they're adding in for tooling is the tooling and for developers who actually building stuff out there's it early innings how would you put the progress of some of the tooling that that's reliable I mean this is you know you still got people trying to build products and companies I need help what's the status in your mind the ecosystem around platforms and tooling and open source so over the last ten years there's been a great push to to create better tools I'm a lot of it was done in the open source a lot of those done around Linux because it work Windows honestly Microsoft has done a great job in getting secure boot implemented on every on every PC they supply you know Apple does a great job with their boot security but it they're not making available and mobile is probably the worst example right that the TE the trusted execution environment which is the secure space in a mobile phone isn't open for most developers to access right so you know that hardware component isn't there it's not available so yeah I know I always get this updates when I go to China Hey Apple has an update for you it's like the download mmm is this really Apple right I mean no turn off my iPhone right I mean but this is kind of the the interception of you know the the the fraudulent some of the some of malicious things are going on and that that still is concern but I think generally speaking you got entrepreneurs here not noticed at this conference and some of the earlier investor conferences we've been to there's a ton of alpha entrepreneur activity real smart people trying to build durable technology and solutions this is the main focus so it's kind of like and the capital Mars as we know is pretty much in the toilet right now but you know it's still growth and so we're trying to unpack that what's your opinion on entrepreneurship because it every trough is always an OP tick and we'll probably see some growth and those company that survive and thrive will probably be the leaders right what are you seeing what's your opinion of the landscape event ventures out there so so the crypto markets been really interesting it's all been focused on consumer and crypto there's there and even on the floor today there's a big push into the enterprise market for blockchain and deployments you know Simba is a company that's got a great toolset here today you had to help see how big enterprises understand how to deploy smart contracts into a blockchain in the enterprise you know to me the exciting part is the use case is outside of cryptocurrency and tokens the blockchain brings two to the marketplace I think that's where we'll see the next wave entrepreneurship I'm coming to fundraise that on stage at a comments like hey you know when one of the Q&A sessions substance you think your best proposal and substitute database with blockchain if it means the same is probably not Neri absolutely I'm teasing out essentially that the you know the old guard being replaced with the new guard same same models two new faces you know taking over the industries that not only mean changing them so to speak and security kind of hence to the same way where if you're going to have a distributed and decentralized architecture with IOT with all these things connected with digital assets and digital devices this crews gonna be thought differently what's what's your current take on how to tackle that that world I mean is there a certain approach you found so so so there's I'm not sure going to answer your actual question but but there's there's this really interesting debate like you said aundrea said you know if you can replace database with with blockchain is probably not the right fit and a lot of early crypto adopters have made that argument jimmy song says that publicly all the time right there's no place for blockchain in the enterprise essentially right and and you know you can you can swing both ways but the blockchain offers something to to an enterprise that doesn't require the distribution it offers the ability to create immutability right now the inability to change that record which we don't have in most cases today yeah you know and it's fairly simple and easy to deploy and are not for smart contracts so if we go back to the the use case we talked about where every time a machine boots up and it creates a record of that machine and writes it we've never had that capability we've tried we you know when I was at the agency we built a system that sort of did that but it didn't have the same sort of underlying strength of mechanism yeah it would allow us to trust it forensic way almost you know I interviewed Jimmy song and to have consensus event and you know I don't necessarily agree with him on that point it's like I think there's use cases in the enterprise that actually make blockchain very viable and it's almost like the cloud world you have public and private hybrid coming I mean so that's kind of my take on it and because it's interesting me iBM has been advertising heavily and others are looking at supply chain is low-hanging fruit opportunities right let me talk about the computer and supply chain so supply chain is a chain it's with valued change right than value chains now are changing so you can track it in a way that's efficient that's why wouldn't that be a use case so that's kind of mind dude do you agree with that absolutely I mean I think the distributed nature for a crypto makes a lot of sense but the blockchain in a non distributed manner right in a permission to blockchain makes a lot of sense for a lot of different use cases in big organizations I I agree I've talked to different different people that have just tried to replace databases with blockchain because it sounded cool yeah raising money or want to get some attention get some momentum I want to ask you a question on your new venture and Cripps because you talk to a lot of folks out there you certainly you're historic and pedigree is amazing and security and you've seen a lot of things I'm sure what have you learn what's your observation what's the the learnings that you can take away and share from your conversations is there any patterns that you're seeing emerging that's that's that could help people either navigate understand orientate towards something that they might want to use with the what have you learned so I think the biggest thing I've learned is that this community is the most diverse community I've ever worked with in in technology right you've got people from all walks of life and it's absolutely amazing I mean just walking around the show here walking around consensus I mean it just drives diversity like you've never seen before in tech conferences and that diversity is his driven a thirst for knowledge so the people are completely open to to discussions about security that they've never had before in other realms right so when I talked to him about Harbor based security they get excited and want to learn more and and honestly in the PC community over the last 15 years I got a little pushback on that right there's a while we've heard about that we don't want to right it works the way it is people here realize they're building something brand-new yeah and it's time to build it right and that they really want this to succeed for their own reasons right whether it's a corporate enterprise or whether it's a almost a crypto anarchist right they've all got the same sorts of goals and it's and if there's a cultural thing to I think the Bitcoin money aspect of it pretty much anyone on the age of three that I kind of take a straw poll on it's like they all this is gonna change the world like rabbit knows but it's great right oh I actually heard that in the hallway earlier yes and then the phone just traveling somebody that never heard of Bitcoin how does get a revolution coming on I want to ask you a final question five years where are we in your mind shoot the arrow forward what's happening in five years how does this these dots connect in next couple years or so so I think that if we were able to lay in the groundwork today to make user accessibility to the blockchain easy enough and secure enough I think you'll see that it grows in ways that we that we really can't imagine right you know I can't predict the crypto markets but I think you'll see people starting to use tokens in different ways and I think there's some incredible use cases for tokenization for rewards programs things like that I think enterprises in the next five years are gonna start to figure out what use cases make sense I think they're gonna see great efficiency I think they'll see you know much greater scalability and ease of use the use cases really are gonna be driving all this absolutely well I want to final question since just popped in my head I want to get this out there one trend I'm hearing here at this conference and seeing it kind of boil in into this community is the conversation not just about cryptography and and security cyber security on a global scales now come in because of the hacks gives the nation-states because of the geopolitical landscape you know cyber security is a big conversation now but always probably in the wheelhouse a lot of these guys but a lot of these guys are also kind of adjacent involved with cybersecurity your view of the impact the cybersecurity pressure is gonna have on the industry this industry so I think that that you're hearing the conversation because suddenly security became really really important to people personally right in the past if if you lost money with your bank account it was refunded to you now if somebody steals your private key you're out whatever money was attached to that private key recourse right so it's very personal so people have started to think about all the different things that they need to do to really protect those keys I mean it's it's it's almost an organic conversation that we've been trying to drive for you know 40 years in the space yeah and one of things I worry about is the whole regulatory dry aspect is because it can be a driver or an enabler and a driver or it could be dampening innovation and that's always something to watch out for I think there's a Senate discussion today about it I think there's some great work going on in that space both its senior levels in the Congress as well as the regulatory commissions but it's going to take a lot of Education there's a lot of fear around this space well thanks for come on looking forward to having more conversation with you great to have you on the cube and sharing your insight give a quick plug for n Crypt what do you guys doing what's the update status of the company how do people get ahold of you why do they why should they call you what's what's the update well so like I said we formed in May we've we've grown faster than we would have expected to because there's a thirst for the sorts of things that we're doing them we're we're always happy to talk to talk to any enterprise or a consumer about the use cases around the products that they have how did it fit into the blockchain environment and how to do it securely properly so encrypt calm and kr ypt die here in Maryland we're in Maryland DC area so cool great absolutely basic appreciated live from Toshio con us two cubes coverage of the first security conference John for you watching the Q stay with us for more coverage after this short break