(bright, upbeat music) >> Hello, brilliant humans and welcome to this special programming on theCUBE featuring Women of the Cloud, brought to you by AWS. My name is Savannah Peterson, and I am very excited to be joined by a brilliant woman both in supply chain as well as digital transformation. Please welcome Jeanette Barlow, VP of Product at Instacart. Jeanette, thank you so much for joining us from Boston today. How you doing? >> Thank you. I'm doing well, thank you. And thank you to the Amazon team for letting me join you. I'm excited to participate in this. I think it's such an important topic to learn all about how as women we're helping shape the future of business, supply chain, consumer experiences. So thank you very much. >> That's fantastic to have you and to be really celebrating women of the cloud properly. To start us off, how long, let's just, let's run with this. How long have you been a woman of the cloud? (Jeanette and Savannah laugh) >> Oh, probably since there, before there was a cloud, actually I have spent my entire career in enterprise technology and I spent nearly 25 years actually with IBM. And, you know, I remember when the internet really took off as far as a highly accessible thing and then the very beginnings of e-commerce where it was really the wild west and it was such a different experience than you get now. And I've been very fortunate throughout that journey to have a variety of roles from sales, marketing, communications. I eventually landed in product management and that's pretty much where I stayed. >> Savannah: At least for now. >> At least for now. >> Sounds like you're very curious. I can tell that you are a very curious person. Since you've been around for what I would consider a, an impressive period of time in an industry, especially when there were not a ton of women to reference or receive mentorship from, what was the initial catalyst or spark or inspiration for you to pursue a career in technology? >> I'll be really honest, getting out of college with college debt, money. (Savannah laughs) The best salary, I'm not going to sugarcoat that but once I landed there, it just was so amazing how technological advance advances were fundamentally changing the way businesses would work or how humans could get things done. And that whole, my whole career trajectory has been very much working at the forefront of new areas whether that be collaboration, software or supply chain which is, obviously we're all well aware, such a deep and important area and even low-code workflow automation before I came to Instacart. >> I love the transparency there. It's a indicator of a great leader and that level of authenticity. Were there any hurdles that you felt you had to overcome in the beginning or was the curiosity enough to power through the initial first few years that are always tough for anyone, no matter their gender or career? >> I think I was a very fortunate person. I do want to say that, sure, there are a lot of long hours and I often felt that I had to be more prepared, maybe than some of my colleagues that were men back, way back in the day. But I had the very good fortune of working for companies throughout my history that really believed in an equitable and respectful workplace. And I had wonderful mentors, both women and men, along the way who really were there to help develop talent. So I never felt that I had sort of a glass ceiling. I definitely felt that I had to to sit there and assert a point of view, at times. >> Savannah: Mm-Hm. >> But, I've seen this whole industry and space change and it's not just gender, but also racial backgrounds educational backgrounds, that neurodiversity I'm now seeing much greater respect for listening to that chorus of voices because we do get better, much better outcomes that way. >> Absolutely. I couldn't agree more and I'm happy to hear that you've been supported along your journey. I think the industry can definitely get a bad rap and there are a lot of people paving the way for us. I want to talk a little bit about supply chain because I don't know about you, but for me I don't think there were as many people talking about the industry and probably what you do, say four years ago, as are now. How did you find your way into supply chain and what is it about helping that be more efficient that excites you? >> Yes. There's nothing like a shortage of toilet paper to get people to. (Savannah laughs) Or to understand what supply chain means. And I, as tough as those times were, especially at the beginning of the pandemic and the uncertainty, it was so exciting for those of us in supply chain because suddenly people got what we did like- >> Savannah: Mm-Hm. >> And they were interested in hearing about it. So I really, I really have, we did enjoy that. I got exposed to that because ultimately I served as the Vice President of Product Management and Strategy for IBM, Sterling Supply Chain which was a very large brand within the IBM portfolio, serving over 10,000 clients worldwide, really focused on their omnichannel order management and their other supply chain processes around order to cash, procure to pay, logistics and things like that. And when you start to learn about the intricacies and that choreography needed across so many players in the value chain, it's an absolutely fascinating puzzle. And- >> Savannah: Yeah. >> Often the further away from the consumer experience you got, the more analog it became. And so the opportunity to start to digitize and transform that was really something that was very, very intriguing. And now here at Instacart, the opportunity to sort of parlay that into one of probably the most complex supply chains that there are, grocery, food just adds another level- >> Yeah. >> Of excitement intrigue to the work. >> I can only imagine there are, I'm just thinking about it right now. I'm not sure there are many supply chains, if any that touch as many lives as food does, as, I mean so is that what brought you, you joined Instacart relatively recently if I'm not mistaken, within the last year. Is that what brought you to them? Was the complexity of that global challenge? >> Absolutely. That was definitely the start of it, was so intriguing to me to see, to, the more I learned about Instacart when they approached me was also they're really changing an industry that's been very static for many, many years, right? And they're fundamentally reshaping that industry. One that's, as you said, is crucial to the everyday lives of pretty much everyone. And I was intrigued by that. But I was also intrigued by the breadth at which they're approaching this, not just the marketplace, but how we are helping retailers through our Instacart platform actually reach their consumers in ways that they like to shop whether it's online or in the store. We are also very, very committed to not just serving from a convenience standpoint, but actually improving access to healthy and nutritious food for as many people as might need that. So it just, core to the complexity of the problem the criticality of it, but also just frankly speaking to the core of who Instacart is as a company, I, it just felt like it was like a culmination of a lot of things to have this opportunity to work here. >> Sounds like a fantastic opportunity. I want to dive a little bit deeper into the technology side there. How is Instacart's technology helping grocers with varying levels of scale and geographical challenges and I'm sure a variety of other things and even a digital skillset. How are you helping them navigate their digital transformation? >> You know, this is probably one of the sectors that lags behind other retail sectors as far as digital transformation. And when the progress that's been made over the last four years is tremendous. And the road ahead is still before us is still a long way to go. I mean Instacart built the world's largest grocery marketplace, if you want to think about that. And so we have more than 10 years of experience in understanding the complexity of that. With, again a supply chain that is very, very complex. So last spring we announced the Instacart platform as a way of really putting a name to a lot of work we were already doing. And it's all about opening up the capability and the technology that we have to help grocers reach their customers directly as well as through our marketplace. So we help grocers like Publix, Wegmans, The Fresh Market just hundreds of grocers build out their own storefronts, their own mobile apps and that we are actually powering for them. We help them create some very unique fulfillment models that might serve customers or be new market opportunities. Certainly we have the traditional full service shop, but we also have virtual convenience that can enable delivery in minutes. And in certain geographies and demographics, that's, you know, really important. We are even going in the store with our connected stores technologies that we announced earlier this year, and that is everything from smart cards to scan and pay to wayfinding that it just, it's a lot of very interesting work we're doing and we're very, very fortunate to be able to partner with some of the best and brightest grocery retailers out there as well as retailers and other verticals as well. But grocery store is sort of our core. >> Yeah, I can only imagine some of the conversations that you have and the user behaviors that you get to learn about as people are on their food journey. You teased a little bit there about what's coming next. What else do you think is in our food future? >> Well, I think, you know, the pandemic pushed the grocery industry to get online to start to digitally transform itself, but we believe it's not an either or. There are virtually no one that's exclusively online and we know more and more there's no one that's exclusively you know, only in the store. We really expect to have that blend and I think as long as we're very, very savvy about understanding the, our retailers' needs as well as their customers' needs on how they can really traverse seamlessly between whether they're online or in store, how they can have an engaging experience that's consistent to the brand of the retailer. >> Savannah: Mm-Hm. >> How they can be rewarded for their loyalty. How they can be encouraged to try new things and just have a much more engaging experience with that grocer because food is a very emotional sort of buy, right? I mean, it's a very sensory rich. And so how- >> Sort of? I think you can go ahead and just make that claim. Just for a lot of people, yeah, yeah. We'll endorse that. >> You're right, yeah, it is. Right, we're passionate about our brand of this or that or we want to touch or smell or do things like that. So there's a tremendous amount of innovation you get online, like personalization and other things that you don't get when you get, you walk into the store, everybody's got the same end cap like I see the same end cap as you see and we might be very different. And then vice versa. I get a very much a sensory experience when I'm in the store, right? That I don't have, how do we blend that? And so there's some really interesting things that we're working on with our retail partners to embrace that omnichannel approach. So we create that flywheel of experience and innovation between the two. So I think you're going to see a lot more focus on an omnichannel experience that traverses between the on and the in, online and the in-store. >> Yeah, I, so I love this because you know, we, there's a continued debate around remote and in-person, working remote and in-person events, but it sounds like hybrid is here to stay when it comes to food and and how we eat, which is very exciting. Last question for you, Jeanette. What would you say to someone, a woman of any age who is looking at this video or maybe dreaming about a career in cloud technology? What's your moment of inspiration? >> You know, I think my best advice is all, you know, stay curious. Just be in love with not even just the technology for technology's sake, but what the technology can unlock as far as an experience and focus on building those experiences. Not only for your direct customer in my case, retailers, grocers, but for their customer. Trying to understand that. And I think if you can connect those dots, you know the cloud is the limit, let's put it that way. (Jeanette and Savannah laugh) >> I'll take it upon that. I love that. Jeanette Barlow, thank you so much for joining us. The team at Instacart is lucky to have you. And thank you to our audience for joining us for this special program on theCUBE featuring Women of the Cloud. My name is Savannah Peterson and I look forward to celebrating more brilliant women like Jeanette with you all soon. (upbeat, happy music)

>> John Furrier: Hello, welcome back to theCUBE's coverage of Cloud Native Security Con 2023 North America the inaugural event. I'm John Furrier, host of theCUBE, along with Dave Alonte and Lisa Martin covering from the studio. But we have on location Emmy Eide, who is with Red Hat, director of Supply Chain Security. Emmy, great to have you on from location. Thanks for joining us. >> Emmy Eide: Yeah, thank you. >> So everyone wants to know this event is new, it's an aural event, cloud native con, coup con. Very successful. Was this event successful? They all want to know what's going on there. What's the vibe? What's the tracks like? Is it different? Why this event? Was it successful? What's different? >> Yeah, I've really enjoyed being here. The food is wonderful. There's also quite a few vendors here that are just some really cool emerging technologies coming out and a lot from open source, which is really cool to see as well. The talks are very interesting. It's really, they're very diverse in subject but still all security related which is really cool to see. And there's also a lot of different perspectives of how to approach security problems and the people behind them, which I love to see. And it's very nice to hear the different innovative ideas that we can go about doing security. >> We heard from some startups as well that they're very happy with the, with the decision to have a dedicated event. Red Hat is no stranger to open source. Obviously coup con, you guys are very successful there in cloud native con, Now the security con. Why do you think they did this? What's the vibe? What's the rationale? What's your take on this? And what's different from a topic standpoint? >> For non-security specific like events? Is that what you mean? >> What's different from coup con, cloud native con, and here at the cloud native security con? Obviously security's the focus. Is it just deeper dives? Is it more under the hood? Is it root problems or is this beyond Kubernetes? What's the focus, I guess. People want to know, you know, why the new event? >> I mean, there's a lot of focus on supply chain security, right? Like that's the hot topic in security right now. So that's been a huge focus. I can't speak to the differences of those other conferences. I haven't been able to attend them. But I will say that having a security specific conference, it really focuses on the open community and how technology is evolving, and how do you apply security. It's not just talking about tools which I think other conferences tend to focus on just the tools and you can really, I think, get lost in that as someone trying to learn about security or trying to even implement security, but they talk about what it takes to implement those tools, What's behind the people behind implementing those tools? >> Let's get into some of the key topics that we've identified and get your reaction. One, supply chain security, which I know you'll give a lot of commentary on 'cause that's your focus. Also we heard, like, Liz Rice talking about the extended Berkeley packet filtering. Okay, that's big. You know, your root kernel management, that's big. Developer productivity was kind of implied around removing the blockers of security, making it, you know, more aligned with developer first mentality. So that seems to be our takeaway. What's your reaction to those things? You see the same thing? >> I don't have a specific reaction to those things. >> Do you see the same thing happening on the ground there? Are they covering supply? >> Oh, yeah. >> Those three things are they the big focus? >> Yeah. Yeah, I think it's all of those things kind of like wrapped into one, right? But yeah, there's... I'm not sure how to answer your question. >> Well, let's jump into supply chain for instance. 'Cause that has come up a lot. >> Sure. >> What's the focus there on the supply chain security? Is it SBOMs? Is it the container security? What's the key conversations and topics being discussed around supply chain security? >> Well, I think there's a lot of laughter around SBOM right now because no one can really define it, specifically, and everyone's talking about it. So there's, there's a lot more than just the SBOM conversation. We're talking about like full end-to-end development process and that whole software supply chain that goes with it. So there's everything from infrastructure, security, all the way through to like signing transparency logs. Really the full gambit of supply chain, which is is really neat to see because it is such a broad topic. I think a lot of folks now are involved in supply chain security in some way. And so just kind of bringing that to the surface of what are the different people that are involved in this space, thinking about, what's on the top of their mind when it comes to supply chain security. >> How would you scope the order of magnitude of the uptick in supply chain attacks? Is it pretty heavy right now or is it, you know, people with the hair on fire or is it... What's the, give us the taste of the temperature in the room on the supply chain attacks? >> I think most of the folks who are involved in the space understand just that it's increasing. I mean, like, what is it? A 742% increase average annual year, year over year in supply chain attacks. So the amount of attacks increasing is a little daunting, right, for most of us. But it is what it is. So I think most of us right now are just trying to come together to say, "What are you doing that works? This is what I'm doing that works." And in all the different facets of that. 'cause I think we try to throw, we try to throw tools at a lot of problems and this problem is so big and broad reaching that we really are needing to share best practices as a community and as a security community. So this has been, this conference has been really great for that. >> Yeah, I've heard that a lot. You know, too many tools, not enough platform thinking, not enough architecture, needs some structure. Are you seeing any best practice around frameworks and structure around how to start getting in and and building out more of a better approach or posture? I mean, what's that, what's the, what's the state of the union for supply chain, how to handle that? >> Well, I talked about that a little bit in my my keynote that I gave, actually, which was about... And I've heard other other leaders talk about it too. And obviously it keyed my ear just because I'm so passionate about it, about partnership. So you know, empathetic security where the security team that's enforcing the policies, creating the policies, guidelines is working with the teams that are actually doing the production and the development, hand-in-hand, right? Like I can sit there and tell you, "Hey, you have all these problems and here's your security checklist or framework you need to follow." But that's not going to do them any good and it's going to create a ton of holes, right? So actually partnering with them helping them to understand the risks that are associated with their very specific need and use case, because every product has a different kind of quirk to it, right? Like how it's being developed. It might use a different tool and if I sit there and say, "Hey, you need to log on to this, you need to like make your tool work this platform over here and it's not compatible." I'm going to have to completely reframe how I'm doing productization. I need to know that as a security practitioner because me disrupting productization is not something that I should be doing. And I've heard a couple a couple of folks kind of talking about that, the people aspect behind how we implement these tools, the frameworks and the platforms, and how do we draw out risk, right? Like how do we talk about risk with these teams and really make them understand so it's part of their core culture in their understanding. So when they go back to their, when they go back and having to make decisions without me in the room they know they can make those business decisions with the risk as part of that decision. >> I love that empathetic angle because that's really going to, what needs to happen. It's not just, "Hey, that's your department, see you later." Or not even having a knowledge of the information. This idea of team construction, team management is a huge cultural shift. I'm sure the reaction was very positive. How do you explain that to an organization that's out there? Like how do you... what's the first three steps you got to take? Is there anything that you can share for advice people watch you saying, "Yeah we need to we need to change how our teams operate and interact with each other." >> Yeah, I think the first step is to take a good hard look at yourself. And if you are standing there on an ivory tower with a clipboard, you're probably doing it wrong. Check the box security is never going to be any way that works long term. It's going to take you a long time to implement any changes. At Red Hat, we did not look ourselves. You know, we've been doing a lot of great things in supply chain security for a while, but really taking that look and saying, "How can we be more empathetic leaders in the security space?" So we looked at that, then you say, "Okay, what is my my rate of change going to happen?" So if I need to make so many security changes explaining to these organizations, you're actually going to go faster. We improved our efficiency by 2000% just by doing that, just by creating this more empathetic. So why it seems like it's more hands-on, so it's going to be harder, it's easy to send out an email and say, "Hey, meet the security standard, right?" That might seem like the easy way 'cause you don't have time to engage. It's so much faster if you actually engage and share that message and have a a common understanding between the teams that like, "I'm here to deliver a product, so is the security team. The security team's here to deliver that same product and I want to help you do it in a trusted way." Right? >> Yeah. Dave Alonte, my co-host, was just on a session. We were talking together about security teams jumping on every team and putting a C on their jersey to be like the captain of the intramural team, and being involved, and it goes beyond just like the checklist, like you said, "Oh, I got the SBOM list of materials and I got a code scanning thing." That's not enough, is what we're hearing. >> No. >> Is there a framework or a methodology to go beyond that? You got the empathetic, that's really kind of team issue. You got to go beyond some of the tactical things. What's next beyond, you got the empathy and what's that framework structure when you say where you say anything there? >> So what do you do after you have the empathy, right? >> Yeah. >> I would say Salsa is a good place to start, the software levels. Supply chain levels for software artifacts. It's a mouthful. That's a really good maturity framework to start with. No matter what size organization you have, they're just going to be coming out here soon with version one. They release 0.1 a few months back. That's a really good place to give yourself a gut check of where you are in maturity and where you can go, what are best practices. And then there's the SSDF, which is the Secure Software Development framework. I think NIST wrote that one. But that is also a really, a really good framework and they map really well to each other, actually, When you work through Salsa, you're actually working through the SSDF requirements. >> Awesome. Well, great to have you on and great to get that that knowledge. I have to ask you like coup con, I remember when it started in Seattle, their first coup con events, right? Kind of small, similar to this one, but there's a lot of end user activities. Certainly the CNCF kind of was coming together like right after that. What's the end user activity like there this week? That seems to always been the driver of these events. It's a little bit organic. You got some of the key experts coming together, focus. Have you observed any end user activity in terms of contributions, participation? What's the story on the end user piece there? Is it heavy? Is it light? What's the... >> Um, yeah... It seems moderate. I guess somewhere in the middle. I would say largely heavy, but there's definitely participation. There is a lot of communing and networking happening between different organizations to partner together, which is important. But I haven't really paid attention much to like the Twitter side of this. >> Yeah, you've been busy doing the keynotes. How's Red Hat doing all this? You guys have been great positioned with the cloud native movement. Been following the Red Hat's moves since OpenStack days. Really good, good line of product, good open source, Mojo, of course. Good product mix, right, and relevant. Where's the security focus here? Obviously, you guys are clearly focused on security. How's the Red Hat story going on over there? >> There was yesterday a really good talk that explains that super well. It was given by a Red Hatter, connecting all of the open source projects we've been a part of and kind of explaining them. And obviously again, I'm keying in 'cause it's a supply chain kind of conversation, but I'd recommend that anyone who's going to go back and watch these on YouTube to check that one out just to see kind of how we're approaching the security space as well as how we contribute back to the community in that way. >> Awesome. Great to have you on. Final word, I'll give you the final word. What's the big buzz on supply chain? How would you peg the progress there? Feeling good about where things are? What's the current progress on supply chain security? >> I think that it has opened up a lot of doors for communication between security organizations that have tended to be closed. I'm in product security. Product securities, information securities tend to not speak externally about what we're doing. So you don't want to, you know, look bad or you don't want to expose any risk that we have, right? But it is, I think, necessary to open those lines of communication, to be able to start tackling this. It's a big problem throughout all of our industries, and if one supply chain is attacked and those products are used in someone else's supply chain, that can continue, right? So I think it's good. We have a lot of work to do as an industry and the advancements in technology is going to make that a little bit more complicated. But I'm excited for it. >> You can just throw AI at it. That's the big, everyone's doing AI. Just throw AI at it, it'll solve it. Isn't that the new thing? >> I do secure AI though. >> Super important. I love what you're doing there. Supply chain, open source needs, supply chain security. Open source needs this big time. It has to be there. Thank you for the work that you do. Really appreciate you coming on. Thank you. >> Yeah, thanks for having me. >> Yeah, good stuff. Supply chain, critical to open source growth. Open source is going to be the key to success in the future with automation and AI right around the corner. And that's important. This theCUBE covers from cloud native con, security con in North America, 2023. I'm John Furrier. Thanks for watching.

>>Hello everyone. Welcome to the Cube's coverage of AWS Reinvent 22. I'm John Ferer, host of the Cube. Got some great coverage here talking about software supply chain and sustainability in the cloud. We've got a great conversation. Gunner Helickson, Vice President and general manager at Red Hat Enterprise Linux and Business Unit of Red Hat. Thanks for coming on. And Edon Eja Director, Product Management of commercial software services aws. Gentlemen, thanks for joining me today. >>Oh, it's a pleasure. >>You know, the hottest topic coming out of Cloudnative developer communities is slide chain software sustainability. This is a huge issue. As open source continues to power away and fund and grow this next generation modern development environment, you know, supply chain, you know, sustainability is a huge discussion because you gotta check things out where, what's in the code. Okay, open source is great, but now we gotta commercialize it. This is the topic, Gunner, let's get in, get with you. What, what are you seeing here and what's some of the things that you're seeing around the sustainability piece of it? Because, you know, containers, Kubernetes, we're seeing that that run time really dominate this new abstraction layer, cloud scale. What's your thoughts? >>Yeah, so I, it's interesting that the, you know, so Red Hat's been doing this for 20 years, right? Making open source safe to consume in the enterprise. And there was a time when in order to do that you needed to have a, a long term life cycle and you needed to be very good at remediating security vulnerabilities. And that was kind of, that was the bar that you had that you had to climb over. Nowadays with the number of vulnerabilities coming through, what people are most worried about is, is kind of the providence of the software and making sure that it has been vetted and it's been safe, and that that things that you get from your vendor should be more secure than things that you've just downloaded off of GitHub, for example. Right? And that's, that's a, that's a place where Red Hat's very comfortable living, right? >>Because we've been doing it for, for 20 years. I think there, there's another, there's another aspect to this, to this supply chain question as well, especially with the pandemic. You know, we've got these, these supply chains have been jammed up. The actual physical supply chains have been jammed up. And, and the two of these issues actually come together, right? Because as we've been go, as we go through the pandemic, we've had these digital transformation efforts, which are in large part people creating software in order to manage better their physical supply chain problems. And so as part of that digital transformation, you have another supply chain problem, which is the software supply chain problem, right? And so these two things kind of merge on these as people are trying to improve the performance of transportation systems, logistics, et cetera. Ultimately it all boils down to it all. Both supply chain problems actually boil down to a software problem. It's very >>Interesting that, Well, that is interesting. I wanna just follow up on that real quick if you don't mind. Because if you think about the convergence of the software and physical world, you know, that's, you know, IOT and also hybrid cloud kind of plays into that at scale, this opens up more surface area for attacks, especially when you're under a lot of pressure. This is where, you know, you can, you have a service area in the physical side and you have constraints there. And obviously the pandemic causes problems, but now you've got the software side. Can you, how are you guys handling that? Can you just share a little bit more of how you guys are looking at that with Red Hat? What's, what's the customer challenge? Obviously, you know, skills gaps is one, but like that's a convergence at the same time. More security problems. >>Yeah, yeah, that's right. And certainly the volume of, if we just look at security vulnerabilities themselves, just the volume of security vulnerabilities has gone up considerably as more people begin using the software. And as the software becomes more important to kind of critical infrastructure, more eyeballs are on it. And so we're uncovering more problems, which is kind of, that's, that's okay. That's how the world works. And so certainly the, the number of remediations required every year has gone up. But also the customer expectations, as I've mentioned before, the customer expectations have changed, right? People want to be able to show to their auditors and to their regulators that no, we, we, in fact, I can show the providence of the software that I'm using. I didn't just download something random off the internet. I actually have, like you, you know, adults paying attention to the, how the software gets put together. >>And it's still, honestly, it's still very early days. We can, I think the, in as an industry, I think we're very good at managing, identifying remediating vulnerabilities in the aggregate. We're pretty good at that. I think things are less clear when we talk about kind of the management of that supply chain, proving the provenance, proving the, and creating a resilient supply chain for software. We have lots of tools, but we don't really have lots of shared expectations. Yeah. And so it's gonna be interesting over the next few years, I think we're gonna have more rules are gonna come out. I see NIST has already, has already published some of them. And as these new rules come out, the whole industry is gonna have to kind of pull together and, and really and really rally around some of this shared understanding so we can all have shared expectations and we can all speak the same language when we're talking about this >>Problem. That's awesome. A and Amazon web service is obviously the largest cloud platform out there, you know, the pandemic, even post pandemic, some of these supply chain issues, whether it's physical or software, you're also an outlet for that. So if someone can't buy hardware or, or something physical, they can always get the cloud. You guys have great network compute and whatnot and you got thousands of ISVs across the globe. How are you helping customers with this supply chain problem? Because whether it's, you know, I need to get in my networking gears delayed, I'm gonna go to the cloud and get help there. Or whether it's knowing the workloads and, and what's going on inside them with respect open source. Cause you've got open source, which is kind of an external forcing function. You got AWS and you got, you know, physical compute stores, networking, et cetera. How are you guys helping customers with the supply chain challenge, which could be an opportunity? >>Yeah, thanks John. I think there, there are multiple layers to that. At, at the most basic level we are helping customers buy abstracting away all these data central constructs that they would have to worry about if they were running their own data centers. They would have to figure out how the networking gear, you talk about, you know, having the right compute, right physical hardware. So by moving to the cloud, at least they're delegating that problem to AWS and letting us manage and making sure that we have an instance available for them whenever they want it. And if they wanna scale it, the, the, the capacity is there for them to use now then that, so we kind of give them space to work on the second part of the problem, which is building their own supply chain solutions. And we work with all kinds of customers here at AWS from all different industry segments, automotive, retail, manufacturing. >>And you know, you see that the complexity of the supply chain with all those moving pieces, like hundreds and thousands of moving pieces, it's very daunting. So cus and then on the other hand, customers need more better services. So you need to move fast. So you need to build, build your agility in the supply chain itself. And that is where, you know, Red Hat and AWS come together where we can build, we can enable customers to build their supply chain solutions on platform like Red Hat Enterprise, Linux Rail or Red Hat OpenShift on, on aws. We call it Rosa. And the benefit there is that you can actually use the services that we, that are relevant for the supply chain solutions like Amazon managed blockchain, you know, SageMaker. So you can actually build predictive and s you can improve forecasting, you can make sure that you have solutions that help you identify where you can cut costs. And so those are some of the ways we are helping customers, you know, figure out how they actually wanna deal with the supply chain challenges that we're running into in today's world. >>Yeah, and you know, you mentioned sustainability outside of software su sustainability, you know, as people move to the cloud, we've reported on silicon angle here in the cube that it's better to have the sustainability with the cloud because then the data centers aren't using all that energy too. So there's also all kinds of sustainability advantages, Gunner, because this is, this is kind of how your relationship with Amazon's expanded. You mentioned Rosa, which is Red Hat on, you know, on OpenShift, on aws. This is interesting because one of the biggest discussions is skills gap, but we were also talking about the fact that the humans are huge part of the talent value. In other words, the, the humans still need to be involved and having that relationship with managed services and Red Hat, this piece becomes one of those things that's not talked about much, which is the talent is increasing in value the humans, and now you got managed services on the cloud, has got scale and human interactions. Can you share, you know, how you guys are working together on this piece? Cuz this is interesting cuz this kind of brings up the relationship of that operator or developer. >>Yeah, Yeah. So I think there's, so I think about this in a few dimensions. First is that the kind of the, I it's difficult to find a customer who is not talking about automation at some level right now. And obviously you can automate the processes and, and the physical infrastructure that you already have that's using tools like Ansible, right? But I think that the, combining it with the, the elasticity of a solution like aws, so you combine the automation with kind of elastic and, and converting a lot of the capital expenses into operating expenses, that's a great way actually to save labor, right? So instead of like racking hard drives, you can have somebody who's somebody do something a little more like, you know, more valuable work, right? And so, so okay, but that gives you a platform and then what do you do with that platform? >>And if you've got your systems automated and you've got this kind of elastic infrastructure underneath you, what you do on top of it is really interesting. So a great example of this is the collaboration that, that we had with running the rel workstation on aws. So you might think like, well why would anybody wanna run a workstation on, on a cloud? That doesn't make a whole lot of sense unless you consider how complex it is to set up, if you have the, the use case here is like industrial workstations, right? So it's animators, people doing computational fluid dynamics, things like this. So these are industries that are extremely data heavy. They have workstations have very large hardware requirements, often with accelerated GPUs and things like this. That is an extremely expensive thing to install on premise anywhere. And if the pandemic taught us anything, it's, if you have a bunch of very expensive talent and they all have to work from a home, it is very difficult to go provide them with, you know, several tens of thousands of dollars worth of worth of worth of workstation equipment. >>And so combine the rail workstation with the AWS infrastructure and now all that workstation computational infrastructure is available on demand and on and available right next to the considerable amount of data that they're analyzing or animating or, or, or working on. So it's a really interesting, it's, it was actually, this is an idea that I was actually born with the pandemic. Yeah. And, and it's kind of a combination of everything that we're talking about, right? It's the supply chain challenges of the customer, It's the lack of lack of talent, making sure that people are being put their best and highest use. And it's also having this kind of elastic, I think, opex heavy infrastructure as opposed to a CapEx heavy infrastructure. >>That's a great example. I think that's illustrates to me what I love about cloud right now is that you can put stuff in, in the cloud and then flex what you need when you need it at in the cloud rather than either ingress or egress data. You, you just more, you get more versatility around the workload needs, whether it's more compute or more storage or other high level services. This is kind of where this NextGen cloud is going. This is where, where, where customers want to go once their workloads are up and running. How do you simplify all this and how do you guys look at this from a joint customer perspective? Because that example I think will be something that all companies will be working on, which is put it in the cloud and flex to the, whatever the workload needs and put it closer to the work compute. I wanna put it there. If I wanna leverage more storage and networking, Well, I'll do that too. It's not one thing. It's gotta flex around what's, how are you guys simplifying this? >>Yeah, I think so for, I'll, I'll just give my point of view and then I'm, I'm very curious to hear what a not has to say about it, but the, I think and think about it in a few dimensions, right? So there's, there is a, technically like any solution that aan a nun's team and my team wanna put together needs to be kind of technically coherent, right? The things need to work well together, but that's not the, that's not even most of the job. Most of the job is actually the ensuring and operational consistency and operational simplicity so that everything is the day-to-day operations of these things kind of work well together. And then also all the way to things like support and even acquisition, right? Making sure that all the contracts work together, right? It's a really in what, So when Aon and I think about places of working together, it's very rare that we're just looking at a technical collaboration. It's actually a holistic collaboration across support acquisition as well as all the engineering that we have to do. >>And on your, your view on how you're simplifying it with Red Hat for your joint customers making Collabo >>Yeah. Gun, Yeah. Gunner covered it. Well I think the, the benefit here is that Red Hat has been the leading Linux distribution provider. So they have a lot of experience. AWS has been the leading cloud provider. So we have both our own point of views, our own learning from our respective set of customers. So the way we try to simplify and bring these things together is working closely. In fact, I sometimes joke internally that if you see Ghana and my team talking to each other on a call, you cannot really tell who who belongs to which team. Because we're always figuring out, okay, how do we simplify discount experience? How do we simplify programs? How do we simplify go to market? How do we simplify the product pieces? So it's really bringing our, our learning and share our perspective to the table and then really figure out how do we actually help customers make progress. Rosa that we talked about is a great example of that, you know, you know, we, together we figured out, hey, there is a need for customers to have this capability in AWS and we went out and built it. So those are just some of the examples in how both teams are working together to simplify the experience, make it complete, make it more coherent. >>Great. That's awesome. That next question is really around how you help organizations with the sustainability piece, how to support them, simplifying it. But first, before we get into that, what is the core problem around this sustainability discussion we're talking about here, supply chain sustainability, What is the core challenge? Can you both share your thoughts on what that problem is and what the solution looks like and then we can get into advice? >>Yeah. Well from my point of view, it's, I think, you know, one of the lessons of the last three years is every organization is kind of taking a careful look at how resilient it is. Or ever I should say, every organization learned exactly how resilient it was, right? And that comes from both the, the physical challenges and the logistics challenges that everyone had. The talent challenges you mentioned earlier. And of course the, the software challenges, you know, as everyone kind of embarks on this, this digital transformation journey that, that we've all been talking about. And I think, so I really frame it as, as resilience, right? And and resilience is at bottom is really about ensuring that you have options and that you have choices. The more choices you have, the more options you have, the more resilient you, you and your organization is going to be. And so I know that that's how, that's how I approach the market. I'm pretty sure that's exact, that's how AON is, has approaching the market, is ensuring that we are providing as many options as possible to customers so that they can assemble the right, assemble the right pieces to create a, a solution that works for their particular set of challenges or their unique set of challenges and and unique context. Aon, is that, does that sound about right to you? Yeah, >>I think you covered it well. I, I can speak to another aspect of sustainability, which is becoming increasingly top of mind for our customer is like how do they build products and services and solutions and whether it's supply chain or anything else which is sustainable, which is for the long term good of the, the planet. And I think that is where we have been also being very intentional and focused in how we design our data center. How we actually build our cooling system so that we, those are energy efficient. You know, we, we are on track to power all our operations with renewable energy by 2025, which is five years ahead of our initial commitment. And perhaps the most obvious example of all of this is our work with arm processors Graviton three, where, you know, we are building our own chip to make sure that we are designing energy efficiency into the process. And you know, we, there's the arm graviton, three arm processor chips, there are about 60% more energy efficient compared to some of the CD six comparable. So all those things that are also we are working on in making sure that whatever our customers build on our platform is long term sustainable. So that's another dimension of how we are working that into our >>Platform. That's awesome. This is a great conversation. You know, the supply chain is on both sides, physical and software. You're starting to see them come together in great conversations and certainly moving workloads to the cloud running in more efficiently will help on the sustainability side, in my opinion. Of course, you guys talked about that and we've covered it, but now you start getting into how to refactor, and this is a big conversation we've been having lately, is as you not just lift and ship but re-platform and refactor, customers are seeing great advantages on this. So I have to ask you guys, how are you helping customers and organizations support sustainability and, and simplify the complex environment that has a lot of potential integrations? Obviously API's help of course, but that's the kind of baseline, what's the, what's the advice that you give customers? Cause you know, it can look complex and it becomes complex, but there's an answer here. What's your thoughts? >>Yeah, I think so. Whenever, when, when I get questions like this from from customers, the, the first thing I guide them to is, we talked earlier about this notion of consistency and how important that is. It's one thing, it it, it is one way to solve the problem is to create an entirely new operational model, an entirely new acquisition model and an entirely new stack of technologies in order to be more sustainable. That is probably not in the cards for most folks. What they want to do is have their existing estate and they're trying to introduce sustainability into the work that they are already doing. They don't need to build another silo in order to create sustainability, right? And so there have to be, there has to be some common threads, there has to be some common platforms across the existing estate and your more sustainable estate, right? >>And, and so things like Red Hat enterprise Linux, which can provide this kind of common, not just a technical substrate, but a common operational substrate on which you can build these solutions if you have a common platform on which you are building solutions, whether it's RHEL or whether it's OpenShift or any of our other platforms that creates options for you underneath. So that in some cases maybe you need to run things on premise, some things you need to run in the cloud, but you don't have to profoundly change how you work when you're moving from one place to another. >>And that, what's your thoughts on, on the simplification? >>Yeah, I mean think that when you talk about replatforming and refactoring, it is a daunting undertaking, you know, in today's, in the, especially in today's fast paced work. So, but the good news is you don't have to do it by yourself. Customers don't have to do it on their own. You know, together AWS and Red Hat, we have our rich partner ecosystem, you know AWS over AWS has over a hundred thousand partners that can help you take that journey, the transformation journey. And within AWS and working with our partners like Red Hat, we make sure that we have all in, in my mind there are really three big pillars that you have to have to make sure that customers can successfully re-platform refactor their applications to the modern cloud architecture. You need to have the rich set of services and tools that meet their different scenarios, different use cases. Because no one size fits all. You have to have the right programs because sometimes customers need those incentives, they need those, you know, that help in the first step and last but no needs, they need training. So all of that, we try to cover that as we work with our customers, work with our partners and that is where, you know, together we try to help customers take that step, which is, which is a challenging step to take. >>Yeah. You know, it's great to talk to you guys, both leaders in your field. Obviously Red hats, well story history. I remember the days back when I was provisioning, loading OSS on hardware with, with CDs, if you remember, that was days gunner. But now with high level services, if you look at this year's reinvent, and this is like kind of my final question for the segment is then we'll get your reaction to is last year we talked about higher level services. I sat down with Adam Celski, we talked about that. If you look at what's happened this year, you're starting to see people talk about their environment as their cloud. So Amazon has the gift of the CapEx, the all that, all that investment and people can operate on top of it. They're calling that environment their cloud. Okay, For the first time we're seeing this new dynamic where it's like they have a cloud, but they're Amazon's the CapEx, they're operating. So you're starting to see the operational visibility gun around how to operate this environment. And it's not hybrid this, that it's just, it's cloud. This is kind of an inflection point. Do you guys agree with that or, or having a reaction to that statement? Because I, I think this is kind of the next gen super cloud-like capability. It's, it's, we're going, we're building the cloud. It's now an environment. It's not talking about private cloud, this cloud, it's, it's all cloud. What's your reaction? >>Yeah, I think, well I think it's a very natural, I mean we used words like hybrid cloud, multi-cloud, if, I guess super cloud is what the kids are saying now, right? It's, it's all, it's all describing the same phenomena, right? Which is, which is being able to take advantage of lots of different infrastructure options, but still having something that creates some commonality among them so that you can, so that you can manage them effectively, right? So that you can have kind of uniform compliance across your estate so that you can have kind of, you can make the best use of your talent across the estate. I mean this is a, this is, it's a very natural thing. >>They're calling it cloud, the estate is the cloud. >>Yeah. So yeah, so, so fine if it, if it means that we no longer have to argue about what's multi-cloud and what's hybrid cloud, I think that's great. Let's just call it cloud. >>And what's your reaction, cuz this is kind of the next gen benefits of, of higher level services combined with amazing, you know, compute and, and resource at the infrastructure level. What's your, what's your view on that? >>Yeah, I think the construct of a unified environment makes sense for customers who have all these use cases which require, like for instance, if you are doing some edge computing and you're running it WS outpost or you know, wave lent and these things. So, and, and it is, it is fear for customer to say, think that hey, this is one environment, same set of tooling that they wanna build that works across all their different environments. That is why we work with partners like Red Hat so that customers who are running Red Hat Enterprise Linux on premises and who are running in AWS get the same level of support, get the same level of security features, all of that. So from that sense, it actually makes sense for us to build these capabilities in a way that customers don't have to worry about, Okay, now I'm actually in the AWS data center versus I'm running outpost on premises. It is all one. They, they just use the same set of cli command line APIs and all of that. So in that sense, it's actually helps customers have that unification so that that consistency of experience helps their workforce and be more productive versus figuring out, okay, what do I do, which tool I use? Where >>And on you just nailed it. This is about supply chain sustainability, moving the workloads into a cloud environment. You mentioned wavelength, this conversation's gonna continue. We haven't even talked about the edge yet. This is something that's gonna be all about operating these workloads at scale and all the, with the cloud services. So thanks for sharing that and we'll pick up that edge piece later. But for reinvent right now, this is really the key conversation. How to bake the sustained supply chain work in a complex environment, making it simpler. And so thanks for sharing your insights here on the cube. >>Thanks. Thanks for having >>Us. Okay, this is the cube's coverage of ados Reinvent 22. I'm John Fur, your host. Thanks for watching.

hello I'm John Furrier with thecube and welcome to this special presentation of the cube and Horizon 3.ai they're announcing a global partner first approach expanding their successful pen testing product Net Zero you're going to hear from leading experts in their staff their CEO positioning themselves for a successful Channel distribution expansion internationally in Europe Middle East Africa and Asia Pacific in this Cube special presentation you'll hear about the expansion the expanse partner program giving Partners a unique opportunity to offer Net Zero to their customers Innovation and Pen testing is going International with Horizon 3.ai enjoy the program [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're here with Jennifer Lee head of Channel sales at Horizon 3.ai Jennifer welcome to the cube thanks for coming on great well thank you for having me so big news around Horizon 3.aa driving Channel first commitment you guys are expanding the channel partner program to include all kinds of new rewards incentives training programs help educate you know Partners really drive more recurring Revenue certainly cloud and Cloud scale has done that you got a great product that fits into that kind of Channel model great Services you can wrap around it good stuff so let's get into it what are you guys doing what are what are you guys doing with this news why is this so important yeah for sure so um yeah we like you said we recently expanded our Channel partner program um the driving force behind it was really just um to align our like you said our Channel first commitment um and creating awareness around the importance of our partner ecosystems um so that's it's really how we go to market is is through the channel and a great International Focus I've talked with the CEO so you know about the solution and he broke down all the action on why it's important on the product side but why now on the go to market change what's the what's the why behind this big this news on the channel yeah for sure so um we are doing this now really to align our business strategy which is built on the concept of enabling our partners to create a high value high margin business on top of our platform and so um we offer a solution called node zero it provides autonomous pen testing as a service and it allows organizations to continuously verify their security posture um so we our company vision we have this tagline that states that our pen testing enables organizations to see themselves Through The Eyes of an attacker and um we use the like the attacker's perspective to identify exploitable weaknesses and vulnerabilities so we created this partner program from a perspective of the partner so the partner's perspective and we've built It Through The Eyes of our partner right so we're prioritizing really what the partner is looking for and uh will ensure like Mutual success for us yeah the partners always want to get in front of the customers and bring new stuff to them pen tests have traditionally been really expensive uh and so bringing it down in one to a service level that's one affordable and has flexibility to it allows a lot of capability so I imagine people getting excited by it so I have to ask you about the program What specifically are you guys doing can you share any details around what it means for the partners what they get what's in it for them can you just break down some of the mechanics and mechanisms or or details yeah yep um you know we're really looking to create business alignment um and like I said establish Mutual success with our partners so we've got two um two key elements that we were really focused on um that we bring to the partners so the opportunity the profit margin expansion is one of them and um a way for our partners to really differentiate themselves and stay relevant in the market so um we've restructured our discount model really um you know highlighting profitability and maximizing profitability and uh this includes our deal registration we've we've created deal registration program we've increased discount for partners who take part in our partner certification uh trainings and we've we have some other partner incentives uh that we we've created that that's going to help out there we've we put this all so we've recently Gone live with our partner portal um it's a Consolidated experience for our partners where they can access our our sales tools and we really view our partners as an extension of our sales and Technical teams and so we've extended all of our our training material that we use internally we've made it available to our partners through our partner portal um we've um I'm trying I'm thinking now back what else is in that partner portal here we've got our partner certification information so all the content that's delivered during that training can be found in the portal we've got deal registration uh um co-branded marketing materials pipeline management and so um this this portal gives our partners a One-Stop place to to go to find all that information um and then just really quickly on the second part of that that I mentioned is our technology really is um really disruptive to the market so you know like you said autonomous pen testing it's um it's still it's well it's still still relatively new topic uh for security practitioners and um it's proven to be really disruptive so um that on top of um just well recently we found an article that um that mentioned by markets and markets that reports that the global pen testing markets really expanding and so it's expected to grow to like 2.7 billion um by 2027. so the Market's there right the Market's expanding it's growing and so for our partners it's just really allows them to grow their revenue um across their customer base expand their customer base and offering this High profit margin while you know getting in early to Market on this just disruptive technology big Market a lot of opportunities to make some money people love to put more margin on on those deals especially when you can bring a great solution that everyone knows is hard to do so I think that's going to provide a lot of value is there is there a type of partner that you guys see emerging or you aligning with you mentioned the alignment with the partners I can see how that the training and the incentives are all there sounds like it's all going well is there a type of partner that's resonating the most or is there categories of partners that can take advantage of this yeah absolutely so we work with all different kinds of Partners we work with our traditional resale Partners um we've worked we're working with systems integrators we have a really strong MSP mssp program um we've got Consulting partners and the Consulting Partners especially with the ones that offer pen test services so we they use us as a as we act as a force multiplier just really offering them profit margin expansion um opportunity there we've got some technology partner partners that we really work with for co-cell opportunities and then we've got our Cloud Partners um you'd mentioned that earlier and so we are in AWS Marketplace so our ccpo partners we're part of the ISP accelerate program um so we we're doing a lot there with our Cloud partners and um of course we uh we go to market with uh distribution Partners as well gotta love the opportunity for more margin expansion every kind of partner wants to put more gross profit on their deals is there a certification involved I have to ask is there like do you get do people get certified or is it just you get trained is it self-paced training is it in person how are you guys doing the whole training certification thing because is that is that a requirement yeah absolutely so we do offer a certification program and um it's been very popular this includes a a seller's portion and an operator portion and and so um this is at no cost to our partners and um we operate both virtually it's it's law it's virtually but live it's not self-paced and we also have in person um you know sessions as well and we also can customize these to any partners that have a large group of people and we can just we can do one in person or virtual just specifically for that partner well any kind of incentive opportunities and marketing opportunities everyone loves to get the uh get the deals just kind of rolling in leads from what we can see if our early reporting this looks like a hot product price wise service level wise what incentive do you guys thinking about and and Joint marketing you mentioned co-sell earlier in pipeline so I was kind of kind of honing in on that piece sure and yes and then to follow along with our partner certification program we do incentivize our partners there if they have a certain number certified their discount increases so that's part of it we have our deal registration program that increases discount as well um and then we do have some um some partner incentives that are wrapped around meeting setting and um moving moving opportunities along to uh proof of value gotta love the education driving value I have to ask you so you've been around the industry you've seen the channel relationships out there you're seeing companies old school new school you know uh Horizon 3.ai is kind of like that new school very cloud specific a lot of Leverage with we mentioned AWS and all the clouds um why is the company so hot right now why did you join them and what's why are people attracted to this company what's the what's the attraction what's the vibe what do you what do you see and what what do you use what did you see in in this company well this is just you know like I said it's very disruptive um it's really in high demand right now and um and and just because because it's new to Market and uh a newer technology so we are we can collaborate with a manual pen tester um we can you know we can allow our customers to run their pen test um with with no specialty teams and um and and then so we and like you know like I said we can allow our partners can actually build businesses profitable businesses so we can they can use our product to increase their services revenue and um and build their business model you know around around our services what's interesting about the pen test thing is that it's very expensive and time consuming the people who do them are very talented people that could be working on really bigger things in the in absolutely customers so bringing this into the channel allows them if you look at the price Delta between a pen test and then what you guys are offering I mean that's a huge margin Gap between street price of say today's pen test and what you guys offer when you show people that they follow do they say too good to be true I mean what are some of the things that people say when you kind of show them that are they like scratch their head like come on what's the what's the catch here right so the cost savings is a huge is huge for us um and then also you know like I said working as a force multiplier with a pen testing company that offers the services and so they can they can do their their annual manual pen tests that may be required around compliance regulations and then we can we can act as the continuous verification of their security um um you know that that they can run um weekly and so it's just um you know it's just an addition to to what they're offering already and an expansion so Jennifer thanks for coming on thecube really appreciate you uh coming on sharing the insights on the channel uh what's next what can we expect from the channel group what are you thinking what's going on right so we're really looking to expand our our Channel um footprint and um very strategically uh we've got um we've got some big plans um for for Horizon 3.ai awesome well thanks for coming on really appreciate it you're watching thecube the leader in high tech Enterprise coverage [Music] [Music] hello and welcome to the Cube's special presentation with Horizon 3.ai with Raina Richter vice president of emea Europe Middle East and Africa and Asia Pacific APAC for Horizon 3 today welcome to this special Cube presentation thanks for joining us thank you for the invitation so Horizon 3 a guy driving Global expansion big international news with a partner first approach you guys are expanding internationally let's get into it you guys are driving this new expanse partner program to new heights tell us about it what are you seeing in the momentum why the expansion what's all the news about well I would say uh yeah in in international we have I would say a similar similar situation like in the US um there is a global shortage of well-educated penetration testers on the one hand side on the other side um we have a raising demand of uh network and infrastructure security and with our approach of an uh autonomous penetration testing I I believe we are totally on top of the game um especially as we have also now uh starting with an international instance that means for example if a customer in Europe is using uh our service node zero he will be connected to a node zero instance which is located inside the European Union and therefore he has doesn't have to worry about the conflict between the European the gdpr regulations versus the US Cloud act and I would say there we have a total good package for our partners that they can provide differentiators to their customers you know we've had great conversations here on thecube with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company and honestly I can just Connect the Dots here but I'd like you to weigh in more on how that translates into the go to market here because you got great Cloud scale with with the security product you guys are having success with great leverage there I've seen a lot of success there what's the momentum on the channel partner program internationally why is it so important to you is it just the regional segmentation is it the economics why the momentum well there are it's there are multiple issues first of all there is a raising demand in penetration testing um and don't forget that uh in international we have a much higher level in number a number or percentage in SMB and mid-market customers so these customers typically most of them even didn't have a pen test done once a year so for them pen testing was just too expensive now with our offering together with our partners we can provide different uh ways how customers could get an autonomous pen testing done more than once a year with even lower costs than they had with with a traditional manual paint test so and that is because we have our uh Consulting plus package which is for typically pain testers they can go out and can do a much faster much quicker and their pain test at many customers once in after each other so they can do more pain tests on a lower more attractive price on the other side there are others what even the same ones who are providing um node zero as an mssp service so they can go after s p customers saying okay well you only have a couple of hundred uh IP addresses no worries we have the perfect package for you and then you have let's say the mid Market let's say the thousands and more employees then they might even have an annual subscription very traditional but for all of them it's all the same the customer or the service provider doesn't need a piece of Hardware they only need to install a small piece of a Docker container and that's it and that makes it so so smooth to go in and say okay Mr customer we just put in this this virtual attacker into your network and that's it and and all the rest is done and within within three clicks they are they can act like a pen tester with 20 years of experience and that's going to be very Channel friendly and partner friendly I can almost imagine so I have to ask you and thank you for calling the break calling out that breakdown and and segmentation that was good that was very helpful for me to understand but I want to follow up if you don't mind um what type of partners are you seeing the most traction with and why well I would say at the beginning typically you have the the innovators the early adapters typically Boutique size of Partners they start because they they are always looking for Innovation and those are the ones you they start in the beginning so we have a wide range of Partners having mostly even um managed by the owner of the company so uh they immediately understand okay there is the value and they can change their offering they're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones or we have those ones who offer 10 tests services but they did not have their own pen testers so they had to go out on the open market and Source paint testing experts um to get the pen test at a particular customer done and now with node zero they're totally independent they can't go out and say okay Mr customer here's the here's the service that's it we turn it on and within an hour you're up and running totally yeah and those pen tests are usually expensive and hard to do now it's right in line with the sales delivery pretty interesting for a partner absolutely but on the other hand side we are not killing the pain testers business we do something we're providing with no tiers I would call something like the foundation work the foundational work of having an an ongoing penetration testing of the infrastructure the operating system and the pen testers by themselves they can concentrate in the future on things like application pen testing for example so those Services which we we're not touching so we're not killing the paint tester Market we're just taking away the ongoing um let's say foundation work call it that way yeah yeah that was one of my questions I was going to ask is there's a lot of interest in this autonomous pen testing one because it's expensive to do because those skills are required are in need and they're expensive so you kind of cover the entry level and the blockers that are in there I've seen people say to me this pen test becomes a blocker for getting things done so there's been a lot of interest in the autonomous pen testing and for organizations to have that posture and it's an overseas issue too because now you have that that ongoing thing so can you explain that particular benefit for an organization to have that continuously verifying an organization's posture yep certainly so I would say um typically you are you you have to do your patches you have to bring in new versions of operating systems of different Services of uh um operating systems of some components and and they are always bringing new vulnerabilities the difference here is that with node zero we are telling the customer or the partner package we're telling them which are the executable vulnerabilities because previously they might have had um a vulnerability scanner so this vulnerability scanner brought up hundreds or even thousands of cves but didn't say anything about which of them are vulnerable really executable and then you need an expert digging in one cve after the other finding out is it is it really executable yes or no and that is where you need highly paid experts which we have a shortage so with notes here now we can say okay we tell you exactly which ones are the ones you should work on because those are the ones which are executable we rank them accordingly to the risk level how easily they can be used and by a sudden and then the good thing is convert it or indifference to the traditional penetration test they don't have to wait for a year for the next pain test to find out if the fixing was effective they weren't just the next scan and say Yes closed vulnerability is gone the time is really valuable and if you're doing any devops Cloud native you're always pushing new things so pen test ongoing pen testing is actually a benefit just in general as a kind of hygiene so really really interesting solution really bring that global scale is going to be a new new coverage area for us for sure I have to ask you if you don't mind answering what particular region are you focused on or plan to Target for this next phase of growth well at this moment we are concentrating on the countries inside the European Union Plus the United Kingdom um but we are and they are of course logically I'm based into Frankfurt area that means we cover more or less the countries just around so it's like the total dark region Germany Switzerland Austria plus the Netherlands but we also already have Partners in the nordics like in Finland or in Sweden um so it's it's it it's rapidly we have Partners already in the UK and it's rapidly growing so I'm for example we are now starting with some activities in Singapore um um and also in the in the Middle East area um very important we uh depending on let's say the the way how to do business currently we try to concentrate on those countries where we can have um let's say um at least English as an accepted business language great is there any particular region you're having the most success with right now is it sounds like European Union's um kind of first wave what's them yes that's the first definitely that's the first wave and now we're also getting the uh the European instance up and running it's clearly our commitment also to the market saying okay we know there are certain dedicated uh requirements and we take care of this and and we're just launching it we're building up this one uh the instance um in the AWS uh service center here in Frankfurt also with some dedicated Hardware internet in a data center in Frankfurt where we have with the date six by the way uh the highest internet interconnection bandwidth on the planet so we have very short latency to wherever you are on on the globe that's a great that's a great call outfit benefit too I was going to ask that what are some of the benefits your partners are seeing in emea and Asia Pacific well I would say um the the benefits is for them it's clearly they can they can uh talk with customers and can offer customers penetration testing which they before and even didn't think about because it penetrates penetration testing in a traditional way was simply too expensive for them too complex the preparation time was too long um they didn't have even have the capacity uh to um to support a pain an external pain tester now with this service you can go in and say even if they Mr customer we can do a test with you in a couple of minutes within we have installed the docker container within 10 minutes we have the pen test started that's it and then we just wait and and I would say that is we'll we are we are seeing so many aha moments then now because on the partner side when they see node zero the first time working it's like this wow that is great and then they work out to customers and and show it to their typically at the beginning mostly the friendly customers like wow that's great I need that and and I would say um the feedback from the partners is that is a service where I do not have to evangelize the customer everybody understands penetration testing I don't have to say describe what it is they understand the customer understanding immediately yes penetration testing good about that I know I should do it but uh too complex too expensive now with the name is for example as an mssp service provided from one of our partners but it's getting easy yeah it's great and it's great great benefit there I mean I gotta say I'm a huge fan of what you guys are doing I like this continuous automation that's a major benefit to anyone doing devops or any kind of modern application development this is just a godsend for them this is really good and like you said the pen testers that are doing it they were kind of coming down from their expertise to kind of do things that should have been automated they get to focus on the bigger ticket items that's a really big point so we free them we free the pain testers for the higher level elements of the penetration testing segment and that is typically the application testing which is currently far away from being automated yeah and that's where the most critical workloads are and I think this is the nice balance congratulations on the international expansion of the program and thanks for coming on this special presentation really I really appreciate it thank you you're welcome okay this is thecube special presentation you know check out pen test automation International expansion Horizon 3 dot AI uh really Innovative solution in our next segment Chris Hill sector head for strategic accounts will discuss the power of Horizon 3.ai and Splunk in action you're watching the cube the leader in high tech Enterprise coverage foreign [Music] [Music] welcome back everyone to the cube and Horizon 3.ai special presentation I'm John Furrier host of thecube we're with Chris Hill sector head for strategic accounts and federal at Horizon 3.ai a great Innovative company Chris great to see you thanks for coming on thecube yeah like I said uh you know great to meet you John long time listener first time caller so excited to be here with you guys yeah we were talking before camera you had Splunk back in 2013 and I think 2012 was our first splunk.com and boy man you know talk about being in the right place at the right time now we're at another inflection point and Splunk continues to be relevant um and continuing to have that data driving Security in that interplay and your CEO former CTO of his plug as well at Horizon who's been on before really Innovative product you guys have but you know yeah don't wait for a breach to find out if you're logging the right data this is the topic of this thread Splunk is very much part of this new international expansion announcement uh with you guys tell us what are some of the challenges that you see where this is relevant for the Splunk and Horizon AI as you guys expand uh node zero out internationally yeah well so across so you know my role uh within Splunk it was uh working with our most strategic accounts and so I looked back to 2013 and I think about the sales process like working with with our small customers you know it was um it was still very siled back then like I was selling to an I.T team that was either using this for it operations um we generally would always even say yeah although we do security we weren't really designed for it we're a log management tool and we I'm sure you remember back then John we were like sort of stepping into the security space and and the public sector domain that I was in you know security was 70 of what we did when I look back to sort of uh the transformation that I was witnessing in that digital transformation um you know when I look at like 2019 to today you look at how uh the IT team and the security teams are being have been forced to break down those barriers that they used to sort of be silent away would not commute communicate one you know the security guys would be like oh this is my box I.T you're not allowed in today you can't get away with that and I think that the value that we bring to you know and of course Splunk has been a huge leader in that space and continues to do Innovation across the board but I think what we've we're seeing in the space and I was talking with Patrick Coughlin the SVP of uh security markets about this is that you know what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data so Splunk itself is ulk know it's an ingest engine right the great reason people bought it was you could build these really fast dashboards and grab intelligence out of it but without data it doesn't do anything right so how do you drive and how do you bring more data in and most importantly from a customer perspective how do you bring the right data in and so if you think about what node zero and what we're doing in a horizon 3 is that sure we do pen testing but because we're an autonomous pen testing tool we do it continuously so this whole thought I'd be like oh crud like my customers oh yeah we got a pen test coming up it's gonna be six weeks the week oh yeah you know and everyone's gonna sit on their hands call me back in two months Chris we'll talk to you then right not not a real efficient way to test your environment and shoot we saw that with Uber this week right um you know and that's a case where we could have helped oh just right we could explain the Uber thing because it was a contractor just give a quick highlight of what happened so you can connect the doctor yeah no problem so um it was uh I got I think it was yeah one of those uh you know games where they would try and test an environment um and with the uh pen tester did was he kept on calling them MFA guys being like I need to reset my password we need to set my right password and eventually the um the customer service guy said okay I'm resetting it once he had reset and bypassed the multi-factor authentication he then was able to get in and get access to the building area that he was in or I think not the domain but he was able to gain access to a partial part of that Network he then paralleled over to what I would assume is like a VA VMware or some virtual machine that had notes that had all of the credentials for logging into various domains and So within minutes they had access and that's the sort of stuff that we do you know a lot of these tools like um you know you think about the cacophony of tools that are out there in a GTA architect architecture right I'm gonna get like a z-scale or I'm going to have uh octum and I have a Splunk I've been into the solar system I mean I don't mean to name names we have crowdstriker or Sentinel one in there it's just it's a cacophony of things that don't work together they weren't designed work together and so we have seen so many times in our business through our customer support and just working with customers when we do their pen tests that there will be 5 000 servers out there three are misconfigured those three misconfigurations will create the open door because remember the hacker only needs to be right once the defender needs to be right all the time and that's the challenge and so that's what I'm really passionate about what we're doing uh here at Horizon three I see this my digital transformation migration and security going on which uh we're at the tip of the spear it's why I joined sey Hall coming on this journey uh and just super excited about where the path's going and super excited about the relationship with Splunk I get into more details on some of the specifics of that but um you know well you're nailing I mean we've been doing a lot of things on super cloud and this next gen environment we're calling it next gen you're really seeing devops obviously devsecops has already won the it role has moved to the developer shift left is an indicator of that it's one of the many examples higher velocity code software supply chain you hear these things that means that it is now in the developer hands it is replaced by the new Ops data Ops teams and security where there's a lot of horizontal thinking to your point about access there's no more perimeter huge 100 right is really right on things one time you know to get in there once you're in then you can hang out move around move laterally big problem okay so we get that now the challenges for these teams as they are transitioning organizationally how do they figure out what to do okay this is the next step they already have Splunk so now they're kind of in transition while protecting for a hundred percent ratio of success so how would you look at that and describe the challenge is what do they do what is it what are the teams facing with their data and what's next what are they what are they what action do they take so let's use some vernacular that folks will know so if I think about devsecops right we both know what that means that I'm going to build security into the app it normally talks about sec devops right how am I building security around the perimeter of what's going inside my ecosystem and what are they doing and so if you think about what we're able to do with somebody like Splunk is we can pen test the entire environment from Soup To Nuts right so I'm going to test the end points through to its I'm going to look for misconfigurations I'm going to I'm going to look for um uh credential exposed credentials you know I'm going to look for anything I can in the environment again I'm going to do it at light speed and and what what we're doing for that SEC devops space is to you know did you detect that we were in your environment so did we alert Splunk or the Sim that there's someone in the environment laterally moving around did they more importantly did they log us into their environment and when do they detect that log to trigger that log did they alert on us and then finally most importantly for every CSO out there is going to be did they stop us and so that's how we we do this and I think you when speaking with um stay Hall before you know we've come up with this um boils but we call it fine fix verifying so what we do is we go in is we act as the attacker right we act in a production environment so we're not going to be we're a passive attacker but we will go in on credentialed on agents but we have to assume to have an assumed breach model which means we're going to put a Docker container in your environment and then we're going to fingerprint the environment so we're going to go out and do an asset survey now that's something that's not something that Splunk does super well you know so can Splunk see all the assets do the same assets marry up we're going to log all that data and think and then put load that into this long Sim or the smoke logging tools just to have it in Enterprise right that's an immediate future ad that they've got um and then we've got the fix so once we've completed our pen test um we are then going to generate a report and we can talk about these in a little bit later but the reports will show an executive summary the assets that we found which would be your asset Discovery aspect of that a fix report and the fixed report I think is probably the most important one it will go down and identify what we did how we did it and then how to fix that and then from that the pen tester or the organization should fix those then they go back and run another test and then they validate like a change detection environment to see hey did those fixes taste play take place and you know snehaw when he was the CTO of jsoc he shared with me a number of times about it's like man there would be 15 more items on next week's punch sheet that we didn't know about and it's and it has to do with how we you know how they were uh prioritizing the cves and whatnot because they would take all CBDs it was critical or non-critical and it's like we are able to create context in that environment that feeds better information into Splunk and whatnot that brings that brings up the efficiency for Splunk specifically the teams out there by the way the burnout thing is real I mean this whole I just finished my list and I got 15 more or whatever the list just can keeps growing how did node zero specifically help Splunk teams be more efficient like that's the question I want to get at because this seems like a very scale way for Splunk customers and teams service teams to be more so the question is how does node zero help make Splunk specifically their service teams be more efficient so so today in our early interactions we're building customers we've seen are five things um and I'll start with sort of identifying the blind spots right so kind of what I just talked about with you did we detect did we log did we alert did they stop node zero right and so I would I put that you know a more Layman's third grade term and if I was going to beat a fifth grader at this game would be we can be the sparring partner for a Splunk Enterprise customer a Splunk Essentials customer someone using Splunk soar or even just an Enterprise Splunk customer that may be a small shop with three people and just wants to know where am I exposed so by creating and generating these reports and then having um the API that actually generates the dashboard they can take all of these events that we've logged and log them in and then where that then comes in is number two is how do we prioritize those logs right so how do we create visibility to logs that that um are have critical impacts and again as I mentioned earlier not all cves are high impact regard and also not all or low right so if you daisy chain a bunch of low cves together boom I've got a mission critical AP uh CPE that needs to be fixed now such as a credential moving to an NT box that's got a text file with a bunch of passwords on it that would be very bad um and then third would be uh verifying that you have all of the hosts so one of the things that splunk's not particularly great at and they'll literate themselves they don't do asset Discovery so dude what assets do we see and what are they logging from that um and then for from um for every event that they are able to identify one of the cool things that we can do is actually create this low code no code environment so they could let you know Splunk customers can use Splunk sword to actually triage events and prioritize that event so where they're being routed within it to optimize the Sox team time to Market or time to triage any given event obviously reducing MTR and then finally I think one of the neatest things that we'll be seeing us develop is um our ability to build glass cables so behind me you'll see one of our triage events and how we build uh a Lockheed Martin kill chain on that with a glass table which is very familiar to the community we're going to have the ability and not too distant future to allow people to search observe on those iocs and if people aren't familiar with it ioc it's an instant of a compromise so that's a vector that we want to drill into and of course who's better at Drilling in the data and smoke yeah this is a critter this is an awesome Synergy there I mean I can see a Splunk customer going man this just gives me so much more capability action actionability and also real understanding and I think this is what I want to dig into if you don't mind understanding that critical impact okay is kind of where I see this coming got the data data ingest now data's data but the question is what not to log you know where are things misconfigured these are critical questions so can you talk about what it means to understand critical impact yeah so I think you know going back to the things that I just spoke about a lot of those cves where you'll see um uh low low low and then you daisy chain together and they're suddenly like oh this is high now but then your other impact of like if you're if you're a Splunk customer you know and I had it I had several of them I had one customer that you know terabytes of McAfee data being brought in and it was like all right there's a lot of other data that you probably also want to bring but they could only afford wanted to do certain data sets because that's and they didn't know how to prioritize or filter those data sets and so we provide that opportunity to say hey these are the critical ones to bring in but there's also the ones that you don't necessarily need to bring in because low cve in this case really does mean low cve like an ILO server would be one that um that's the print server uh where the uh your admin credentials are on on like a printer and so there will be credentials on that that's something that a hacker might go in to look at so although the cve on it is low is if you daisy chain with somebody that's able to get into that you might say Ah that's high and we would then potentially rank it giving our AI logic to say that's a moderate so put it on the scale and we prioritize those versus uh of all of these scanners just going to give you a bunch of CDs and good luck and translating that if I if I can and tell me if I'm wrong that kind of speaks to that whole lateral movement that's it challenge right print serve a great example looks stupid low end who's going to want to deal with the print server oh but it's connected into a critical system there's a path is that kind of what you're getting at yeah I use Daisy Chain I think that's from the community they came from uh but it's just a lateral movement it's exactly what they're doing in those low level low critical lateral movements is where the hackers are getting in right so that's the beauty thing about the uh the Uber example is that who would have thought you know I've got my monthly Factor authentication going in a human made a mistake we can't we can't not expect humans to make mistakes we're fallible right the reality is is once they were in the environment they could have protected themselves by running enough pen tests to know that they had certain uh exposed credentials that would have stopped the breach and they did not had not done that in their environment and I'm not poking yeah but it's an interesting Trend though I mean it's obvious if sometimes those low end items are also not protected well so it's easy to get at from a hacker standpoint but also the people in charge of them can be fished easily or spearfished because they're not paying attention because they don't have to no one ever told them hey be careful yeah for the community that I came from John that's exactly how they they would uh meet you at a uh an International Event um introduce themselves as a graduate student these are National actor States uh would you mind reviewing my thesis on such and such and I was at Adobe at the time that I was working on this instead of having to get the PDF they opened the PDF and whoever that customer was launches and I don't know if you remember back in like 2008 time frame there was a lot of issues around IP being by a nation state being stolen from the United States and that's exactly how they did it and John that's or LinkedIn hey I want to get a joke we want to hire you double the salary oh I'm gonna click on that for sure you know yeah right exactly yeah the one thing I would say to you is like uh when we look at like sort of you know because I think we did 10 000 pen tests last year is it's probably over that now you know we have these sort of top 10 ways that we think and find people coming into the environment the funniest thing is that only one of them is a cve related vulnerability like uh you know you guys know what they are right so it's it but it's it's like two percent of the attacks are occurring through the cves but yeah there's all that attention spent to that and very little attention spent to this pen testing side which is sort of this continuous threat you know monitoring space and and this vulnerability space where I think we play a such an important role and I'm so excited to be a part of the tip of the spear on this one yeah I'm old enough to know the movie sneakers which I loved as a you know watching that movie you know professional hackers are testing testing always testing the environment I love this I got to ask you as we kind of wrap up here Chris if you don't mind the the benefits to Professional Services from this Alliance big news Splunk and you guys work well together we see that clearly what are what other benefits do Professional Services teams see from the Splunk and Horizon 3.ai Alliance so if you're I think for from our our from both of our uh Partners uh as we bring these guys together and many of them already are the same partner right uh is that uh first off the licensing model is probably one of the key areas that we really excel at so if you're an end user you can buy uh for the Enterprise by the number of IP addresses you're using um but uh if you're a partner working with this there's solution ways that you can go in and we'll license as to msps and what that business model on msps looks like but the unique thing that we do here is this C plus license and so the Consulting plus license allows like a uh somebody a small to mid-sized to some very large uh you know Fortune 100 uh consulting firms use this uh by buying into a license called um Consulting plus where they can have unlimited uh access to as many IPS as they want but you can only run one test at a time and as you can imagine when we're going and hacking passwords and um checking hashes and decrypting hashes that can take a while so but for the right customer it's it's a perfect tool and so I I'm so excited about our ability to go to market with uh our partners so that we understand ourselves understand how not to just sell to or not tell just to sell through but we know how to sell with them as a good vendor partner I think that that's one thing that we've done a really good job building bring it into the market yeah I think also the Splunk has had great success how they've enabled uh partners and Professional Services absolutely you know the services that layer on top of Splunk are multi-fold tons of great benefits so you guys Vector right into that ride that way with friction and and the cool thing is that in you know in one of our reports which could be totally customized uh with someone else's logo we're going to generate you know so I I used to work in another organization it wasn't Splunk but we we did uh you know pen testing as for for customers and my pen testers would come on site they'd do the engagement and they would leave and then another release someone would be oh shoot we got another sector that was breached and they'd call you back you know four weeks later and so by August our entire pen testings teams would be sold out and it would be like well even in March maybe and they're like no no I gotta breach now and and and then when they do go in they go through do the pen test and they hand over a PDF and they pack on the back and say there's where your problems are you need to fix it and the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations and then once you've fixed everything you just go back and run another pen test it's you know for what people pay for one pen test they can have a tool that does that every every Pat patch on Tuesday and that's on Wednesday you know triage throughout the week green yellow red I wanted to see the colors show me green green is good right not red and one CIO doesn't want who doesn't want that dashboard right it's it's exactly it and we can help bring I think that you know I'm really excited about helping drive this with the Splunk team because they get that they understand that it's the green yellow red dashboard and and how do we help them find more green uh so that the other guys are in red yeah and get in the data and do the right thing and be efficient with how you use the data know what to look at so many things to pay attention to you know the combination of both and then go to market strategy real brilliant congratulations Chris thanks for coming on and sharing um this news with the detail around the Splunk in action around the alliance thanks for sharing John my pleasure thanks look forward to seeing you soon all right great we'll follow up and do another segment on devops and I.T and security teams as the new new Ops but and super cloud a bunch of other stuff so thanks for coming on and our next segment the CEO of horizon 3.aa will break down all the new news for us here on thecube you're watching thecube the leader in high tech Enterprise coverage [Music] yeah the partner program for us has been fantastic you know I think prior to that you know as most organizations most uh uh most Farmers most mssps might not necessarily have a a bench at all for penetration testing uh maybe they subcontract this work out or maybe they do it themselves but trying to staff that kind of position can be incredibly difficult for us this was a differentiator a a new a new partner a new partnership that allowed us to uh not only perform services for our customers but be able to provide a product by which that they can do it themselves so we work with our customers in a variety of ways some of them want more routine testing and perform this themselves but we're also a certified service provider of horizon 3 being able to perform uh penetration tests uh help review the the data provide color provide analysis for our customers in a broader sense right not necessarily the the black and white elements of you know what was uh what's critical what's high what's medium what's low what you need to fix but are there systemic issues this has allowed us to onboard new customers this has allowed us to migrate some penetration testing services to us from from competitors in the marketplace But ultimately this is occurring because the the product and the outcome are special they're unique and they're effective our customers like what they're seeing they like the routineness of it many of them you know again like doing this themselves you know being able to kind of pen test themselves parts of their networks um and the the new use cases right I'm a large organization I have eight to ten Acquisitions per year wouldn't it be great to have a tool to be able to perform a penetration test both internal and external of that acquisition before we integrate the two companies and maybe bringing on some risk it's a very effective partnership uh one that really is uh kind of taken our our Engineers our account Executives by storm um you know this this is a a partnership that's been very valuable to us [Music] a key part of the value and business model at Horizon 3 is enabling Partners to leverage node zero to make more revenue for themselves our goal is that for sixty percent of our Revenue this year will be originated by partners and that 95 of our Revenue next year will be originated by partners and so a key to that strategy is making us an integral part of your business models as a partner a key quote from one of our partners is that we enable every one of their business units to generate Revenue so let's talk about that in a little bit more detail first is that if you have a pen test Consulting business take Deloitte as an example what was six weeks of human labor at Deloitte per pen test has been cut down to four days of Labor using node zero to conduct reconnaissance find all the juicy interesting areas of the of the Enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at understand and determine where to probe deeper so what you see in that pen test Consulting business is that node zero becomes a force multiplier where those Consulting teams were able to cover way more accounts and way more IPS within those accounts with the same or fewer consultants and so that directly leads to profit margin expansion for the Penn testing business itself because node 0 is a force multiplier the second business model here is if you're an mssp as an mssp you're already making money providing defensive cyber security operations for a large volume of customers and so what they do is they'll license node zero and use us as an upsell to their mssb business to start to deliver either continuous red teaming continuous verification or purple teaming as a service and so in that particular business model they've got an additional line of Revenue where they can increase the spend of their existing customers by bolting on node 0 as a purple team as a service offering the third business model or customer type is if you're an I.T services provider so as an I.T services provider you make money installing and configuring security products like Splunk or crowdstrike or hemio you also make money reselling those products and you also make money generating follow-on services to continue to harden your customer environments and so for them what what those it service providers will do is use us to verify that they've installed Splunk correctly improved to their customer that Splunk was installed correctly or crowdstrike was installed correctly using our results and then use our results to drive follow-on services and revenue and then finally we've got the value-added reseller which is just a straight up reseller because of how fast our sales Cycles are these vars are able to typically go from cold email to deal close in six to eight weeks at Horizon 3 at least a single sales engineer is able to run 30 to 50 pocs concurrently because our pocs are very lightweight and don't require any on-prem customization or heavy pre-sales post sales activity so as a result we're able to have a few amount of sellers driving a lot of Revenue and volume for us well the same thing applies to bars there isn't a lot of effort to sell the product or prove its value so vars are able to sell a lot more Horizon 3 node zero product without having to build up a huge specialist sales organization so what I'm going to do is talk through uh scenario three here as an I.T service provider and just how powerful node zero can be in driving additional Revenue so in here think of for every one dollar of node zero license purchased by the IT service provider to do their business it'll generate ten dollars of additional revenue for that partner so in this example kidney group uses node 0 to verify that they have installed and deployed Splunk correctly so Kitty group is a Splunk partner they they sell it services to install configure deploy and maintain Splunk and as they deploy Splunk they're going to use node 0 to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment so it's a way of doing QA or verifying that Splunk has been configured correctly and that's going to be internally used by kidney group to prove the quality of their services that they've just delivered then what they're going to do is they're going to show and leave behind that node zero Report with their client and that creates a resell opportunity for for kidney group to resell node 0 to their client because their client is seeing the reports and the results and saying wow this is pretty amazing and those reports can be co-branded where it's a pen testing report branded with kidney group but it says powered by Horizon three under it from there kidney group is able to take the fixed actions report that's automatically generated with every pen test through node zero and they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that node zero identified fixing l11r misconfigurations fixing or patching VMware or updating credentials policies and so on so what happens is node 0 has found a bunch of problems the client often lacks the capacity to fix and so kidney group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services and finally based on the findings from node zero kidney group can look at that report and say to the customer you know customer if you bought crowdstrike you'd be able to uh prevent node Zero from attacking and succeeding in the way that it did for if you bought humano or if you bought Palo Alto networks or if you bought uh some privileged access management solution because of what node 0 was able to do with credential harvesting and attacks and so as a result kidney group is able to resell other security products within their portfolio crowdstrike Falcon humano Polito networks demisto Phantom and so on based on the gaps that were identified by node zero and that pen test and what that creates is another feedback loop where kidney group will then go use node 0 to verify that crowdstrike product has actually been installed and configured correctly and then this becomes the cycle of using node 0 to verify a deployment using that verification to drive a bunch of follow-on services and resell opportunities which then further drives more usage of the product now the way that we licensed is that it's a usage-based license licensing model so that the partner will grow their node zero Consulting plus license as they grow their business so for example if you're a kidney group then week one you've got you're going to use node zero to verify your Splunk install in week two if you have a pen testing business you're going to go off and use node zero to be a force multiplier for your pen testing uh client opportunity and then if you have an mssp business then in week three you're going to use node zero to go execute a purple team mssp offering for your clients so not necessarily a kidney group but if you're a Deloitte or ATT these larger companies and you've got multiple lines of business if you're Optive for instance you all you have to do is buy one Consulting plus license and you're going to be able to run as many pen tests as you want sequentially so now you can buy a single license and use that one license to meet your week one client commitments and then meet your week two and then meet your week three and as you grow your business you start to run multiple pen tests concurrently so in week one you've got to do a Splunk verify uh verify Splunk install and you've got to run a pen test and you've got to do a purple team opportunity you just simply expand the number of Consulting plus licenses from one license to three licenses and so now as you systematically grow your business you're able to grow your node zero capacity with you giving you predictable cogs predictable margins and once again 10x additional Revenue opportunity for that investment in the node zero Consulting plus license my name is Saint I'm the co-founder and CEO here at Horizon 3. I'm going to talk to you today about why it's important to look at your Enterprise Through The Eyes of an attacker the challenge I had when I was a CIO in banking the CTO at Splunk and serving within the Department of Defense is that I had no idea I was Secure until the bad guys had showed up am I logging the right data am I fixing the right vulnerabilities are my security tools that I've paid millions of dollars for actually working together to defend me and the answer is I don't know does my team actually know how to respond to a breach in the middle of an incident I don't know I've got to wait for the bad guys to show up and so the challenge I had was how do we proactively verify our security posture I tried a variety of techniques the first was the use of vulnerability scanners and the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable I might have a hundred thousand findings from my scanner of which maybe five or ten can actually be exploited in my environment the other big problem with scanners is that they can't chain weaknesses together from machine to machine so if you've got a thousand machines in your environment or more what a vulnerability scanner will do is tell you you have a problem on machine one and separately a problem on machine two but what they can tell you is that an attacker could use a load from machine one plus a low from machine two to equal to critical in your environment and what attackers do in their tactics is they chain together misconfigurations dangerous product defaults harvested credentials and exploitable vulnerabilities into attack paths across different machines so to address the attack pads across different machines I tried layering in consulting-based pen testing and the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment human-based pen testing simply doesn't scale to test an infrastructure of that size moreover when they actually do execute a pen test and you get the report oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem and so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale and then to mitigate that problem I tried using breach and attack simulation tools and the struggle with these tools is one I had to install credentialed agents everywhere two I had to write my own custom attack scripts that I didn't have much talent for but also I had to maintain as my environment changed and then three these types of tools were not safe to run against production systems which was the the majority of my attack surface so that's why we went off to start Horizon 3. so Tony and I met when we were in Special Operations together and the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the the power of a 20-year pen testing veteran into the hands of an I.T admin a network engineer in just three clicks and the whole idea is we enable these fixers The Blue Team to be able to run node Zero Hour pen testing product to quickly find problems in their environment that blue team will then then go off and fix the issues that were found and then they can quickly rerun the attack to verify that they fixed the problem and the whole idea is delivering this without requiring custom scripts be developed without requiring credential agents be installed and without requiring the use of external third-party consulting services or Professional Services self-service pen testing to quickly Drive find fix verify there are three primary use cases that our customers use us for the first is the sock manager that uses us to verify that their security tools are actually effective to verify that they're logging the right data in Splunk or in their Sim to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their slas or that the sock understands how to quickly detect and respond and measuring and verifying that or that the variety of tools that you have in your stack most organizations have 130 plus cyber security tools none of which are designed to work together are actually working together the second primary use case is proactively hardening and verifying your systems this is when the I that it admin that network engineer they're able to run self-service pen tests to verify that their Cisco environment is installed in hardened and configured correctly or that their credential policies are set up right or that their vcenter or web sphere or kubernetes environments are actually designed to be secure and what this allows the it admins and network Engineers to do is shift from running one or two pen tests a year to 30 40 or more pen tests a month and you can actually wire those pen tests into your devops process or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment the third primary use case is for those organizations lucky enough to have their own internal red team they'll use node zero to do reconnaissance and exploitation at scale and then use the output as a starting point for the humans to step in and focus on the really hard juicy stuff that gets them on stage at Defcon and so these are the three primary use cases and what we'll do is zoom into the find fix verify Loop because what I've found in my experience is find fix verify is the future operating model for cyber security organizations and what I mean here is in the find using continuous pen testing what you want to enable is on-demand self-service pen tests you want those pen tests to find attack pads at scale spanning your on-prem infrastructure your Cloud infrastructure and your perimeter because attackers don't only state in one place they will find ways to chain together a perimeter breach a credential from your on-prem to gain access to your cloud or some other permutation and then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore they know we've built vulnerability Management Programs to reduce those vulnerabilities so attackers have adapted and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults with exploitable vulnerabilities and through the collection of credentials through a mix of techniques at scale once you've found those problems the next question is what do you do about it well you want to be able to prioritize fixing problems that are actually exploitable in your environment that truly matter meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data the second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to where is your crown jewels data is in the cloud is it on-prem has it been copied to a share drive that you weren't aware of if a domain user was compromised could they access that crown jewels data you want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure and then finally as you fix these problems you want to quickly remediate and retest that you've actually fixed the issue and this fine fix verify cycle becomes that accelerator that drives purple team culture the third part here is verify and what you want to be able to do in the verify step is verify that your security tools and processes in people can effectively detect and respond to a breach you want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations you also want to make sure that your environment is adhering to the best practices around systems hardening in cyber resilience and finally you want to be able to prove your security posture over a time to your board to your leadership into your regulators so what I'll do now is zoom into each of these three steps so when we zoom in to find here's the first example using node 0 and autonomous pen testing and what an attacker will do is find a way to break through the perimeter in this example it's very easy to misconfigure kubernetes to allow an attacker to gain remote code execution into your on-prem kubernetes environment and break through the perimeter and from there what the attacker is going to do is conduct Network reconnaissance and then find ways to gain code execution on other machines in the environment and as they get code execution they start to dump credentials collect a bunch of ntlm hashes crack those hashes using open source and dark web available data as part of those attacks and then reuse those credentials to log in and laterally maneuver throughout the environment and then as they loudly maneuver they can reuse those credentials and use credential spraying techniques and so on to compromise your business email to log in as admin into your cloud and this is a very common attack and rarely is a CV actually needed to execute this attack often it's just a misconfiguration in kubernetes with a bad credential policy or password policy combined with bad practices of credential reuse across the organization here's another example of an internal pen test and this is from an actual customer they had 5 000 hosts within their environment they had EDR and uba tools installed and they initiated in an internal pen test on a single machine from that single initial access point node zero enumerated the network conducted reconnaissance and found five thousand hosts were accessible what node 0 will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the Cyber terrain map and that cyber Terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment so what node zero will do is they'll try to find ways to get code execution reuse credentials and so on in this customer example they had Fortinet installed as their EDR but node 0 was still able to get code execution on a Windows machine from there it was able to successfully dump credentials including sensitive credentials from the lsas process on the Windows box and then reuse those credentials to log in as domain admin in the network and once an attacker becomes domain admin they have the keys to the kingdom they can do anything they want so what happened here well it turns out Fortinet was misconfigured on three out of 5000 machines bad automation the customer had no idea this had happened they would have had to wait for an attacker to show up to realize that it was misconfigured the second thing is well why didn't Fortinet stop the credential pivot in the lateral movement and it turned out the customer didn't buy the right modules or turn on the right services within that particular product and we see this not only with Ford in it but we see this with Trend Micro and all the other defensive tools where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping the next story I'll tell you is attackers don't have to hack in they log in so another infrastructure pen test a typical technique attackers will take is man in the middle uh attacks that will collect hashes so in this case what an attacker will do is leverage a tool or technique called responder to collect ntlm hashes that are being passed around the network and there's a variety of reasons why these hashes are passed around and it's a pretty common misconfiguration but as an attacker collects those hashes then they start to apply techniques to crack those hashes so they'll pass the hash and from there they will use open source intelligence common password structures and patterns and other types of techniques to try to crack those hashes into clear text passwords so here node 0 automatically collected hashes it automatically passed the hashes to crack those credentials and then from there it starts to take the domain user user ID passwords that it's collected and tries to access different services and systems in your Enterprise in this case node 0 is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured so now what happens is node 0 has a placement and access in the business email system which sets up the conditions for fraud lateral phishing and other techniques but what's especially insightful here is that 80 of the hashes that were collected in this pen test were cracked in 15 minutes or less 80 percent 26 of the user accounts had a password that followed a pretty obvious pattern first initial last initial and four random digits the other thing that was interesting is 10 percent of service accounts had their user ID the same as their password so VMware admin VMware admin web sphere admin web Square admin so on and so forth and so attackers don't have to hack in they just log in with credentials that they've collected the next story here is becoming WS AWS admin so in this example once again internal pen test node zero gets initial access it discovers 2 000 hosts are network reachable from that environment if fingerprints and organizes all of that data into a cyber Terrain map from there it it fingerprints that hpilo the integrated lights out service was running on a subset of hosts hpilo is a service that is often not instrumented or observed by security teams nor is it easy to patch as a result attackers know this and immediately go after those types of services so in this case that ILO service was exploitable and were able to get code execution on it ILO stores all the user IDs and passwords in clear text in a particular set of processes so once we gain code execution we were able to dump all of the credentials and then from there laterally maneuver to log in to the windows box next door as admin and then on that admin box we're able to gain access to the share drives and we found a credentials file saved on a share Drive from there it turned out that credentials file was the AWS admin credentials file giving us full admin authority to their AWS accounts not a single security alert was triggered in this attack because the customer wasn't observing the ILO service and every step thereafter was a valid login in the environment and so what do you do step one patch the server step two delete the credentials file from the share drive and then step three is get better instrumentation on privileged access users and login the final story I'll tell is a typical pattern that we see across the board with that combines the various techniques I've described together where an attacker is going to go off and use open source intelligence to find all of the employees that work at your company from there they're going to look up those employees on dark web breach databases and other forms of information and then use that as a starting point to password spray to compromise a domain user all it takes is one employee to reuse a breached password for their Corporate email or all it takes is a single employee to have a weak password that's easily guessable all it takes is one and once the attacker is able to gain domain user access in most shops domain user is also the local admin on their laptop and once your local admin you can dump Sam and get local admin until M hashes you can use that to reuse credentials again local admin on neighboring machines and attackers will start to rinse and repeat then eventually they're able to get to a point where they can dump lsas or by unhooking the anti-virus defeating the EDR or finding a misconfigured EDR as we've talked about earlier to compromise the domain and what's consistent is that the fundamentals are broken at these shops they have poor password policies they don't have least access privilege implemented active directory groups are too permissive where domain admin or domain user is also the local admin uh AV or EDR Solutions are misconfigured or easily unhooked and so on and what we found in 10 000 pen tests is that user Behavior analytics tools never caught us in that lateral movement in part because those tools require pristine logging data in order to work and also it becomes very difficult to find that Baseline of normal usage versus abnormal usage of credential login another interesting Insight is there were several Marquee brand name mssps that were defending our customers environment and for them it took seven hours to detect and respond to the pen test seven hours the pen test was over in less than two hours and so what you had was an egregious violation of the service level agreements that that mssp had in place and the customer was able to use us to get service credit and drive accountability of their sock and of their provider the third interesting thing is in one case it took us seven minutes to become domain admin in a bank that bank had every Gucci security tool you could buy yet in 7 minutes and 19 seconds node zero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations in lateral movement and so on to become domain admin if it's seven minutes today we should assume it'll be less than a minute a year or two from now making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack so that's in the find it's not just about finding problems though the bulk of the effort should be what to do about it the fix and the verify so as you find those problems back to kubernetes as an example we will show you the path here is the kill chain we took to compromise that environment we'll show you the impact here is the impact or here's the the proof of exploitation that we were able to use to be able to compromise it and there's the actual command that we executed so you could copy and paste that command and compromise that cubelet yourself if you want and then the impact is we got code execution and we'll actually show you here is the impact this is a critical here's why it enabled perimeter breach affected applications will tell you the specific IPS where you've got the problem how it maps to the miter attack framework and then we'll tell you exactly how to fix it we'll also show you what this problem enabled so you can accurately prioritize why this is important or why it's not important the next part is accurate prioritization the hardest part of my job as a CIO was deciding what not to fix so if you take SMB signing not required as an example by default that CVSs score is a one out of 10. but this misconfiguration is not a cve it's a misconfig enable an attacker to gain access to 19 credentials including one domain admin two local admins and access to a ton of data because of that context this is really a 10 out of 10. you better fix this as soon as possible however of the seven occurrences that we found it's only a critical in three out of the seven and these are the three specific machines and we'll tell you the exact way to fix it and you better fix these as soon as possible for these four machines over here these didn't allow us to do anything of consequence so that because the hardest part is deciding what not to fix you can justifiably choose not to fix these four issues right now and just add them to your backlog and surge your team to fix these three as quickly as possible and then once you fix these three you don't have to re-run the entire pen test you can select these three and then one click verify and run a very narrowly scoped pen test that is only testing this specific issue and what that creates is a much faster cycle of finding and fixing problems the other part of fixing is verifying that you don't have sensitive data at risk so once we become a domain user we're able to use those domain user credentials and try to gain access to databases file shares S3 buckets git repos and so on and help you understand what sensitive data you have at risk so in this example a green checkbox means we logged in as a valid domain user we're able to get read write access on the database this is how many records we could have accessed and we don't actually look at the values in the database but we'll show you the schema so you can quickly characterize that pii data was at risk here and we'll do that for your file shares and other sources of data so now you can accurately articulate the data you have at risk and prioritize cleaning that data up especially data that will lead to a fine or a big news issue so that's the find that's the fix now we're going to talk about the verify the key part in verify is embracing and integrating with detection engineering practices so when you think about your layers of security tools you've got lots of tools in place on average 130 tools at any given customer but these tools were not designed to work together so when you run a pen test what you want to do is say did you detect us did you log us did you alert on us did you stop us and from there what you want to see is okay what are the techniques that are commonly used to defeat an environment to actually compromise if you look at the top 10 techniques we use and there's far more than just these 10 but these are the most often executed nine out of ten have nothing to do with cves it has to do with misconfigurations dangerous product defaults bad credential policies and it's how we chain those together to become a domain admin or compromise a host so what what customers will do is every single attacker command we executed is provided to you as an attackivity log so you can actually see every single attacker command we ran the time stamp it was executed the hosts it executed on and how it Maps the minor attack tactics so our customers will have are these attacker logs on one screen and then they'll go look into Splunk or exabeam or Sentinel one or crowdstrike and say did you detect us did you log us did you alert on us or not and to make that even easier if you take this example hey Splunk what logs did you see at this time on the VMware host because that's when node 0 is able to dump credentials and that allows you to identify and fix your logging blind spots to make that easier we've got app integration so this is an actual Splunk app in the Splunk App Store and what you can come is inside the Splunk console itself you can fire up the Horizon 3 node 0 app all of the pen test results are here so that you can see all of the results in one place and you don't have to jump out of the tool and what you'll show you as I skip forward is hey there's a pen test here are the critical issues that we've identified for that weaker default issue here are the exact commands we executed and then we will automatically query into Splunk all all terms on between these times on that endpoint that relate to this attack so you can now quickly within the Splunk environment itself figure out that you're missing logs or that you're appropriately catching this issue and that becomes incredibly important in that detection engineering cycle that I mentioned earlier so how do our customers end up using us they shift from running one pen test a year to 30 40 pen tests a month oftentimes wiring us into their deployment automation to automatically run pen tests the other part that they'll do is as they run more pen tests they find more issues but eventually they hit this inflection point where they're able to rapidly clean up their environment and that inflection point is because the red and the blue teams start working together in a purple team culture and now they're working together to proactively harden their environment the other thing our customers will do is run us from different perspectives they'll first start running an RFC 1918 scope to see once the attacker gained initial access in a part of the network that had wide access what could they do and then from there they'll run us within a specific Network segment okay from within that segment could the attacker break out and gain access to another segment then they'll run us from their work from home environment could they Traverse the VPN and do something damaging and once they're in could they Traverse the VPN and get into my cloud then they'll break in from the outside all of these perspectives are available to you in Horizon 3 and node zero as a single SKU and you can run as many pen tests as you want if you run a phishing campaign and find that an intern in the finance department had the worst phishing behavior you can then inject their credentials and actually show the end-to-end story of how an attacker fished gained credentials of an intern and use that to gain access to sensitive financial data so what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time I'll leave you two things one is what is the AI in Horizon 3 AI those knowledge graphs are the heart and soul of everything that we do and we use machine learning reinforcement techniques reinforcement learning techniques Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs we also use context-based scoring to prioritize weaknesses and we're also able to drive collective intelligence across all of the operations so the more pen tests we run the smarter we get and all of that is based on our knowledge graph analytics infrastructure that we have finally I'll leave you with this was my decision criteria when I was a buyer for my security testing strategy what I cared about was coverage I wanted to be able to assess my on-prem cloud perimeter and work from home and be safe to run in production I want to be able to do that as often as I wanted I want to be able to run pen tests in hours or days not weeks or months so I could accelerate that fine fix verify loop I wanted my it admins and network Engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agent and not have to write custom scripts and finally I didn't want to get nickeled and dimed on having to buy different types of attack modules or different types of attacks I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted so I could look at my Trends in directions over time so I hope you found this talk valuable uh we're easy to find and I look forward to seeing seeing you use a product and letting our results do the talking when you look at uh you know kind of the way no our pen testing algorithms work is we dynamically select uh how to compromise an environment based on what we've discovered and the goal is to become a domain admin compromise a host compromise domain users find ways to encrypt data steal sensitive data and so on but when you look at the the top 10 techniques that we ended up uh using to compromise environments the first nine have nothing to do with cves and that's the reality cves are yes a vector but less than two percent of cves are actually used in a compromise oftentimes it's some sort of credential collection credential cracking uh credential pivoting and using that to become an admin and then uh compromising environments from that point on so I'll leave this up for you to kind of read through and you'll have the slides available for you but I found it very insightful that organizations and ourselves when I was a GE included invested heavily in just standard vulnerability Management Programs when I was at DOD that's all disa cared about asking us about was our our kind of our cve posture but the attackers have adapted to not rely on cves to get in because they know that organizations are actively looking at and patching those cves and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment a concrete example is by default vcenter backups are not encrypted and so as if an attacker finds vcenter what they'll do is find the backup location and there are specific V sender MTD files where the admin credentials are parsippled in the binaries so you can actually as an attacker find the right MTD file parse out the binary and now you've got the admin credentials for the vcenter environment and now start to log in as admin there's a bad habit by signal officers and Signal practitioners in the in the Army and elsewhere where the the VM notes section of a virtual image has the password for the VM well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMS that are unencrypted find the note section and pull out the passwords for those images and then reuse those credentials across the board so I'll pause here and uh you know Patrick love you get some some commentary on on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is uh is rolled through a little bit more on what do you do about it yeah yeah no I love it I think um I think this is pretty exhaustive what I like about what you've done here is uh you know we've seen we've seen double-digit increases in the number of organizations that are reporting actual breaches year over year for the last um for the last three years and it's often we kind of in the Zeitgeist we pegged that on ransomware which of course is like incredibly important and very top of mind um but what I like about what you have here is you know we're reminding the audience that the the attack surface area the vectors the matter um you know has to be more comprehensive than just thinking about ransomware scenarios yeah right on um so let's build on this when you think about your defense in depth you've got multiple security controls that you've purchased and integrated and you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together so when you run a pen test what you want to ask yourself is did you detect node zero did you log node zero did you alert on node zero and did you stop node zero and when you think about how to do that every single attacker command executed by node zero is available in an attacker log so you can now see you know at the bottom here vcenter um exploit at that time on that IP how it aligns to minor attack what you want to be able to do is go figure out did your security tools catch this or not and that becomes very important in using the attacker's perspective to improve your defensive security controls and so the way we've tried to make this easier back to like my my my the you know I bleed Green in many ways still from my smoke background is you want to be able to and what our customers do is hey we'll look at the attacker logs on one screen and they'll look at what did Splunk see or Miss in another screen and then they'll use that to figure out what their logging blind spots are and what that where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunk base and you'll get all of the pen test results right there in the Splunk console and from that Splunk console you're gonna be able to see these are all the pen tests that were run these are the issues that were found um so you can look at that particular pen test here are all of the weaknesses that were identified for that particular pen test and how they categorize out for each of those weaknesses you can click on any one of them that are critical in this case and then we'll tell you for that weakness and this is where where the the punch line comes in so I'll pause the video here for that weakness these are the commands that were executed on these endpoints at this time and then we'll actually query Splunk for that um for that IP address or containing that IP and these are the source types that surface any sort of activity so what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective so as this video kind of plays through you can see it Patrick I'd love to get your thoughts um just seeing so many Splunk deployments and the effectiveness of those deployments and and how this is going to help really Elevate the effectiveness of all of your Splunk customers yeah I'm super excited about this I mean I think this these kinds of purpose-built integration snail really move the needle for our customers I mean at the end of the day when I think about the power of Splunk I think about a product I was first introduced to 12 years ago that was an on-prem piece of software you know and at the time it sold on sort of Perpetual and term licenses but one made it special was that it could it could it could eat data at a speed that nothing else that I'd have ever seen you can ingest massively scalable amounts of data uh did cool things like schema on read which facilitated that there was this language called SPL that you could nerd out about uh and you went to a conference once a year and you talked about all the cool things you were splunking right but now as we think about the next phase of our growth um we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding and as you look at the as you look at the role of the ciso it's mind-blowing to me the amount of sources Services apps that are coming into the ciso span of let's just call it a span of influence in the last three years uh you know we're seeing things like infrastructure service level visibility application performance monitoring stuff that just never made sense for the security team to have visibility into you um at least not at the size and scale which we're demanding today um and and that's different and this isn't this is why it's so important that we have these joint purpose-built Integrations that um really provide more prescription to our customers about how do they walk on that Journey towards maturity what does zero to one look like what does one to two look like whereas you know 10 years ago customers were happy with platforms today they want integration they want Solutions and they want to drive outcomes and I think this is a great example of how together we are stepping to the evolving nature of the market and also the ever-evolving nature of the threat landscape and what I would say is the maturing needs of the customer in that environment yeah for sure I think especially if if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere while the security budgets are not going to ever I don't think they're going to get cut they're not going to grow as fast and there's a lot more pressure on organizations to extract more value from their existing Investments as well as extracting more value and more impact from their existing teams and so security Effectiveness Fierce prioritization and automation I think become the three key themes of security uh over the next 18 months so I'll do very quickly is run through a few other use cases um every host that we identified in the pen test were able to score and say this host allowed us to do something significant therefore it's it's really critical you should be increasing your logging here hey these hosts down here we couldn't really do anything as an attacker so if you do have to make trade-offs you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end so you've got that level of of um justification for where to increase or or adjust your logging resolution another example is every host we've discovered as an attacker we Expose and you can export and we want to make sure is every host we found as an attacker is being ingested from a Splunk standpoint a big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were Rogue Raspberry Pi's on the network or if a new box was installed and whether Splunk was installed on it or not so now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from uh finally or second to last use case here on the Splunk integration side is for every single problem we've found we give multiple options for how to fix it this becomes a great way to prioritize what fixed actions to automate in your soar platform and what we want to get to eventually is being able to automatically trigger soar actions to fix well-known problems like automatically invalidating passwords for for poor poor passwords in our credentials amongst a whole bunch of other things we could go off and do and then finally if there is a well-known kill chain or attack path one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise and now you've got a great starting point for glass tables and iocs for actual kill chains that we know are exploitable in your environment and that becomes some super cool Integrations that we've got on the roadmap between us and the Splunk security side of the house so what I'll leave with actually Patrick before I do that you know um love to get your comments and then I'll I'll kind of leave with one last slide on this wartime security mindset uh pending you know assuming there's no other questions no I love it I mean I think this kind of um it's kind of glass table's approach to how do you how do you sort of visualize these workflows and then use things like sore and orchestration and automation to operationalize them is exactly where we see all of our customers going and getting away from I think an over engineered approach to soar with where it has to be super technical heavy with you know python programmers and getting more to this visual view of workflow creation um that really demystifies the power of Automation and also democratizes it so you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation policy enforcement and ultimately driving automation coverage across more and more of the workflows that your team is seeing yeah I think that between us being able to visualize the actual kill chain or attack path with you know think of a of uh the soar Market I think going towards this no code low code um you know configurable sore versus coded sore that's going to really be a game changer in improve or giving security teams a force multiplier so what I'll leave you with is this peacetime mindset of security no longer is sustainable we really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are are working or not and the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past uh nine months due to the Ukrainian War there you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint and this is no longer about financial extortion that is ransomware this is about punishing and destroying companies and you can punish any one of these companies by going after them directly or by going after their suppliers and their Distributors so suddenly your attack surface is no more no longer just your own Enterprise it's how you bring your goods to Market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit if I can get those trucks stuck at the border I can increase spoilage and have the same effect and what we should expect to see is this idea of cyber-enabled economic Warfare where if we issue a sanction like Banning the Russians from traveling there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database that is below the threshold of War that's not going to trigger the 82nd Airborne to be mobilized but it's going to achieve the right effect ban the sale of luxury goods disrupt the supply chain and create shortages banned Russian oil and gas attack refineries to call a 10x spike in gas prices three days before the election this is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture verify it see yourself Through The Eyes of the attacker build that incident response muscle memory and drive better collaboration between the red and the blue teams your suppliers and Distributors and your information uh sharing organization they have in place and what's really valuable for me as a Splunk customer was when a router crashes at that moment you don't know if it's due to an I.T Administration problem or an attacker and what you want to have are different people asking different questions of the same data and you want to have that integrated triage process of an I.T lens to that problem a security lens to that problem and then from there figuring out is is this an IT workflow to execute or a security incident to execute and you want to have all of that as an integrated team integrated process integrated technology stack and this is something that I very care I cared very deeply about as both a Splunk customer and a Splunk CTO that I see time and time again across the board so Patrick I'll leave you with the last word the final three minutes here and I don't see any open questions so please take us home oh man see how you think we spent hours and hours prepping for this together that that last uh uh 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now uh and I think nist has done some really interesting work here around building cyber resilient organizations that have that has really I think helped help the industry see that um incidents can come from adverse conditions you know stress is uh uh performance taxations in the infrastructure service or app layer and they can come from malicious compromises uh Insider threats external threat actors and the more that we look at this from the perspective of of a broader cyber resilience Mission uh in a wartime mindset uh I I think we're going to be much better off and and will you talk about with operationally minded ice hacks information sharing intelligence sharing becomes so important in these wartime uh um situations and you know we know not all ice acts are created equal but we're also seeing a lot of um more ad hoc information sharing groups popping up so look I think I think you framed it really really well I love the concept of wartime mindset and um I I like the idea of applying a cyber resilience lens like if you have one more layer on top of that bottom right cake you know I think the it lens and the security lens they roll up to this concept of cyber resilience and I think this has done some great work there for us yeah you're you're spot on and that that is app and that's gonna I think be the the next um terrain that that uh that you're gonna see vendors try to get after but that I think Splunk is best position to win okay that's a wrap for this special Cube presentation you heard all about the global expansion of horizon 3.ai's partner program for their Partners have a unique opportunity to take advantage of their node zero product uh International go to Market expansion North America channel Partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cyber security world we live in and hope you enjoyed this program all the videos are available on thecube.net as well as check out Horizon 3 dot AI for their pen test Automation and ultimately their defense system that they use for testing always the environment that you're in great Innovative product and I hope you enjoyed the program again I'm John Furrier host of the cube thanks for watching

(upbeat music) >> Hi, everyone, welcome to this program sponsored by HPE. I'm your host, Lisa Martin. We're here talking about being confident and trusting your server security with HPE. I have two guests here with me to talk about this important topic. Cole Humphreys joins us, global server security product manager at HPE, and Ann Potten, trusted supply chain program lead at HPE. Guys, it's great to have you on the program, welcome. >> Hi, thanks. >> Thank you. It's nice to be here. >> Ann let's talk about really what's going on there. Some of the trends, some of the threats, there's so much change going on. What is HPE seeing? >> Yes, good question, thank you. Yeah, you know, cybersecurity threats are increasing everywhere and it's causing disruption to businesses and governments alike worldwide. You know, the global pandemic has caused limited employee availability originally, this has led to material shortages, and these things opens the door perhaps even wider for more counterfeit parts and products to enter the market, and these are challenges for consumers everywhere. In addition to this, we're seeing the geopolitical environment has changed. We're seeing rogue nation states using cybersecurity warfare tactics to immobilize an entity's ability to operate, and perhaps even use their tactics for revenue generation. The Russian invasion of Ukraine is one example. But businesses are also under attack, you know, for example, we saw SolarWinds' software supply chain was attacked two years ago, which unfortunately went unnoticed for several months. And then, this was followed by the Colonial Pipeline attack and numerous others. You know, it just seems like it's almost a daily occurrence that we hear of a cyberattack on the evening news. And, in fact, it's estimated that the cyber crime cost will reach over $10.5 trillion by 2025, and will be even more profitable than the global transfer of all major illegal drugs combined. This is crazy. You know, the macro environment in which companies operate in has changed over the years. And, you know, all of these things together and coming from multiple directions presents a cybersecurity challenge for an organization and, in particular, its supply chain. And this is why HPE is taking proactive steps to mitigate supply chain risk, so that we can provide our customers with the most secure products and services. >> So, Cole, let's bring you into the conversation. Ann did a great job of summarizing the major threats that are going on, the tumultuous landscape. Talk to us, Cole, about the security gap. What is it, what is HPE seeing, and why are organizations in this situation? >> Hi, thanks, Lisa. You know, what we're seeing is as this threat landscape increases to, you know, disrupt or attempt to disrupt our customers, and our partners, and ourselves, it's a kind of a double edge, if you will, because you're seeing the increase in attacks, but what you're not seeing is an equal to growth of the skills and the experiences required to address the scale. So it really puts the pressure on companies, because you have a skill gap, a talent gap, if you will, you know, for example, there are projected to be 3 1/2 million cyber roles open in the next few years, right? So all this scale is growing, and people are just trying to keep up, but the gap is growing, just literally the people to stop the bad actors from attacking the data. And to complicate matters, you're also seeing a dynamic change of the who and the how the attacks are happening, right? The classic attacks that you've seen, you know, in the espionage in all the, you know, the history books, those are not the standard plays anymore. You'll have, you know, nation states going after commercial entities and, you know, criminal syndicates, as Ann alluded to, that there's more money in it than the international drug trade, so you can imagine the amount of criminal interest in getting this money. So you put all that together and the increasing of attacks it just is really pressing down as literally, I mean, the reports we're reading over half of everyone. Obviously, the most critical infrastructure cares, but even just mainstream computing requirements need to have their data protected, "Help me protect my workloads," and they don't have the people in-house, right? So that's where partnership is needed, right? And that's where we believe, you know, our approach with our partner ecosystem this is not HPE delivering everything ourself, but all of us in this together is really what we believe the only way we're going to be able to get this done. >> So, Cole, let's double-click on that, HPE and its partner ecosystem can provide expertise that companies in every industry are lacking. You're delivering HPE as a 360-degree approach to security. Talk about what that 360-degree approach encompasses. >> Thank you, it is an approach, right? Because I feel that security it is a thread that will go through the entire construct of a technical solution, right? There isn't a, "Oh, if you just buy this one server with this one feature, you don't have to worry about anything else." It's really it's everywhere, at least the way we believe it, it's everywhere. And in a 360-degree approach, the way we like to frame it, is it's this beginning with our supply chain, right? We take a lot of pride in the designs, you know, the really smart engineering teams, the designer, technology, our awesome, world-class global operations team working in concert to deliver some of these technologies into the market, that is, you know, a great capability, but also a huge risk to customers. 'Cause that is the most vulnerable place that if you inject some sort of malware or tampering at that point, you know, the rest of the story really becomes mute, because you've already defeated, right? And then, you move in to you physically deployed that through our global operations, now you're in an operating environment. That's where automation becomes key, right? We have software innovations in, you know, our iLO product of management inside those single servers, and we have really cool new GreenLake for compute operations management services out there that give customers more control back and more information to deal with this scaling problem. And then, lastly, as you begin to wrap up, you know, the natural life cycle, and you need to move to new platforms and new technologies, we think about the exit of that life cycle, and how do we make sure we dispose of the data and move those products into a secondary life cycle, so that we can move back into this kind of circular 360-degree approach. We don't want to leave our customers hanging anywhere in this entire journey. >> That 360-degree approach is so critical, especially given, as we've talked about already in this segment, the changes, the dynamics in the environment. Ann, as Cole said, this 360-degree approach that HPE is delivering is beginning in the manufacturing supply chain, seems like the first line of defense against cyberattackers. Talk to us about why that's important and where did the impetus come from? Was that COVID, was that customer demand? >> Yep, yep. Yeah, the supply chain is critical, thank you. So in 2018, we could see all of these cybersecurity issues starting to emerge and predicted that this would be a significant challenge for our industry. So we formed a strategic initiative called the Trusted Supply Chain Program designed to mitigate cybersecurity risk in the supply chain, and really starting with the product life cycle, starting at the product design phase and moving through sourcing and manufacturing, how we deliver products to our customers and, ultimately, a product's end of life that Cole mentioned. So in doing this, we're able to provide our customers with the most secure products and services, whether they're buying their servers for their data center or using our own GreenLake services. So just to give you some examples, something that is foundational to our Trusted Supply Chain Program we've built a very robust cybersecurity supply chain risk management program that includes assessing our risk at all factories and our suppliers, okay? We're also looking at strengthening our software supply chain by developing mechanisms to identify software vulnerabilities and hardening our own software build environments. To protect against counterfeit parts, that I mentioned in the beginning, from entering our supply chain, we've recently started a blockchain program so that we can identify component provenance and trace parts back to their original manufacturers. So our security efforts, you know, continue even after product manufacturing. We offer three different levels of secured delivery services for our customers, including, you know, a dedicated truck and driver, or perhaps even an exclusive use vehicle. We can tailor our delivery services to whatever the customer needs. And then, when a product is at its end of life, products are either recycled or disposed using our approved vendors. So our servers are also equipped with the One-Button Secure Erase that erases every byte of data, including firmware data. And talking about products, we've taken additional steps to provide additional security features for our products. Number one, we can provide platform certificates that allow the user to cryptographically verify that their server hasn't been tampered with from the time it left the manufacturing facility to the time that it arrives at the customer's facility. In addition to that, we've launched a dedicated line of trusted supply chain servers with additional security features, including Secure Configuration Lock, Chassis Intrusion Detection, and these are assembled at our U.S. factory by U.S. vetted employees. So lots of exciting things happening within the supply chain not just to shore up our own supply chain risk, but also to provide our customers with the most secure product. And so with that, Cole, do you want to make our big announcement? >> All right, thank you. You know, what a great setup though, because I think you got to really appreciate the whole effort that we're putting into, you know, bringing these online. But one of the, just transparently, the gaps we had as we proved this out was, as you heard, this initial proof was delivered with assembly in the U.S. factory employees. You know, fantastic program, really successful in all our target industries and even expanding to places we didn't really expect it to. But it's kind of going to the point of security isn't just for one industry or one set of customers, right? We're seeing it in our partners, we're seeing it in different industries than we have in the past. But the challenge was we couldn't get this global right out the gate, right? This has been a really heavy, transparently, a U.S. federal activated focus, right? If you've been tracking what's going on since May of last year, there's been a call to action to improve the nation's cybersecurity. So we've been all in on that, and we have an opinion and we're working hard on that, but we're a global company, right? How can we get this out to the rest of the world? Well, guess what? This month we figured it out and, well, it's take a lot more than this month, we did a lot of work, but we figured it out. And we have launched a comparable service globally called Server Security Optimization Service, right? HPE Server Security Optimization Service for ProLiant. I like to call it, you know, SSOS Sauce, right? Do you want to be clever? HPE Sauce that we can now deploy globally. We get that product hardened in the supply chain, right? Because if you take the best of your supply chain and you take your technical innovations that you've innovated into the server, you can deliver a better experience for your customers, right? So the supply chain equals server technology and our awesome, you know, services teams deliver supply chain security at that last mile, and we can deliver it in the European markets and now in the Asia Pacific markets, right? We could ship it from the U.S. to other markets, so we could always fulfill this promise, but I think it's just having that local access into your partner ecosystem and stuff just makes more sense. But it is a big deal for us because now we have activated a meaningful supply chain security benefit for our entire global network of partners and customers and we're excited about it, and we hope our customers are too. >> That's huge, Cole and Ann, in terms of the significance of the impact that HPE is delivering through its partner ecosystem globally as the supply chain continues to be one of the terms on everyone's lips here. I'm curious, Cole, we just couple months ago, we're at Discover, can you talk about what HPE is doing here from a security perspective, this global approach that it's taking as it relates to what HPE was talking about at Discover in terms of we want to secure the enterprise to deliver these experiences from edge to cloud. >> You know, I feel like for me, and I think you look at the shared-responsibility models and, you know, other frameworks out there, the way I believe it to be is it's a solution, right? There's not one thing, you know, if you use HPE supply chain, the end, or if you buy an HPE ProLiant, the end, right? It is an integrated connectedness with our as-a-service platform, our service and support commitments, you know, our extensive partner ecosystem, our alliances, all of that comes together to ultimately offer that assurance to a customer, and I think these are specific meaningful proof points in that chain of custody, right? That chain of trust, if you will. Because as the world becomes more zero trust, we are going to have to prove ourselves more, right? And these are those kind of technical credentials, and identities and, you know, capabilities that a modern approach to security need. >> Excellent, great work there. Ann, let's go ahead and take us home. Take the audience through what you think, ultimately, what HPE is doing really infusing security at that 360-degree approach level that we talked about. What are some of the key takeaways that you want the audience that's watching here today to walk away with? >> Right, right, thank you. Yeah, you know, with the increase in cybersecurity threats everywhere affecting all businesses globally, it's going to require everyone in our industry to continue to evolve in our supply chain security and our product security in order to protect our customers and our business continuity. Protecting our supply chain is something that HPE is very committed to and takes very seriously. So, you know, I think regardless of whether our customers are looking for an on-prem solution or a GreenLake service, you know, HPE is proactively looking for and mitigating any security risk in the supply chain so that we can provide our customers with the most secure products and services. >> Awesome, Anne and Cole, thank you so much for joining me today talking about what HPE is doing here and why it's important, as our program is called, to be confident and trust your server security with HPE, and how HPE is doing that. Appreciate your insights and your time. >> Thank you so much for having us. >> Thank you, Lisa. >> For Cole Humphreys and Anne Potten, I'm Lisa Martin, we want to thank you for watching this segment in our series, Be Confident and Trust Your Server Security with HPE. We'll see you soon. (gentle upbeat music)

(upbeat music) >> Welcome to theCUBE. I'm Dave Nicholson, and this is part of the continuing conversation about Managing Risk in the Digital Supply Chain. I have with me today Vincent Danen, vice president of product security from Red Hat and Luke Hines security engineering lead from the office of the CTO at Red Hat. Gentlemen, welcome to theCUBE. >> Thank you. >> Great to be here. >> So let's just start out and dive right into this, Vincent, what is the software or digital supply chain? What are we talking about? Yeah, that's a good question. Software supply chain is basically the software that an end user would get from a vendor or in our case, we're talking about open source, so upstream. It is the software that comes in that is part of your package, operating system, applications. It could be something that you get from one vendor, multiple vendors. So we look at in the example of Red Hat, we are one part of the customer's software supply chain. >> So it's interesting that it's coming in from different areas. Do we have a sense for the ratio of kind of commercial software versus open source software that makes up an enterprise today? >> I think that's a really hard thing to answer and I think every enterprise or every company would have a little bit different. Depends if you have an open source vendor that you choose, you may get a significant amount of software from them. Certainly you're not going to get it all. As an example, Red Hat provides thousands of open source packages. We certainly can't provide all of them. There are millions that are out there. So when you're looking at a specific application that you're building, chances are, you could be running that on a managed platform or an enterprise supply platform, but there are going to be packages that you're going to be obtaining from other sources in other communities as well in order to power your applications. >> So, Luke, that sounds like a kind of a vague situation we're looking at in terms of where all of our software is coming from. So what do we need to know about our software supply chain in that context? What do we need to understand? Before we even get anywhere near the idea of securing it, what are some of the issues that arise from that? >> Yeah, so Vincent's touchpoint is a very wide range in ecosystem, multiple sources when we're talking about open source. So essentially awareness is key really. I think a lot of people are really not aware of the sources that they're drawing from to create their own supply chain. So there's multiple supply chains. You can be somebody like Red Hat that the provide software, and then people will leverage Red Hats for their own supply chain. And then you have the cloud provider and they have their own source of software. So I think that the key thing is the awareness of how much you rely upon that ecosystem before we look at the security of the supply chain. It's really understanding your supply chain. >> And just to follow up on that. So can you... I'm sort of checking my own level of understanding on this subject. When you talk about open source code, you're talking about a code base that is often maintained essentially by volunteers, isn't that correct? >> A mix of volunteers and paid professionals where a company has an interest in the open source project, but predominantly I would say it's... Well, I'm not entirely sure, but volunteers make up a substantial part of the ecosystem that is for sure. So it's a mix really. Some people do it because they enjoy writing software. They want to share software. Other people also enjoy working software, but they're in the position that a company pays for them to work on that software. So it's a mix of both. >> Vincent, give us a reminder of reminder of why this is important from a little bit of a higher level. Step back from the data center view of things, from the IT view of things, just from a societal perspective, Vincent, what happens when we don't secure our digital supply chain? What are the things that are put at risk? >> Okay, well, there's a significant number of things that are placed at risk, the security of the enterprise itself. So your own customer data, your own internal corporate data is place at risk if there were a supply chain breach. But further to that for a software provider, and I think that in a lot of cases, most companies today are software providers or software developers. You actually put your own customers at risk as well, not just their data, but their actual... The things that they're working on, any workloads that they may have, an order that they might place as an example. So there's a number of areas where you want to have the security of that supply chain and the software components that you have figured out. You want to be on top of that because there is that risk that trickles down when it comes to an event. I mean, we've seen that with breaches earlier this year, one company is breached multiple companies end up being breached as a result of that. So it's really important. I think we all have a part to play in that I always view it as it's not just about the company itself. So I mean, speaking from a Red Hat perspective, I don't look at it as we're just securing Red Hat, we're securing our customers, and then we're also doing that for their customers as well, because they're writing software that's running on the software that we're providing to them. So there is this trickle down effect that comes, and so I think that every link in that chain, I mean, it's wonderful that it's called a supply chain. It's only as strong as its weakest link. So our view is how do we strengthen every link in that chain? And we're one part of it, but we're kind of looking a little broader, what can we do upstream and how can we help our customers to ensure the security of their part in that supply chain? >> Yeah, I want to talk about that in a broad sense, but let's see if we can get a little bit more specific in terms of what some of the chains look like because it's not just really one chain when you think about it, there's the idea of inherent flaws that can be caught and then there are the things that bad actors might be doing to leverage those flaws. So you've got all of these different things that are converging. So first and Vincent, if you want to toss this to Luke back and forth, it's up to you guys. What about this issue of inherent flaws in code? We referenced this idea of the maintainer community. What are best practices for locking that down to make sure that there aren't inherent flaws or security risks? >> I'll take a stab at it, and then I'll let Luke follow up with maybe some of the technologies that Red Hat provides. And again, speaking to Red Hat as part of that chain. When we're talking about inherent risk, there's a vulnerability that's present upstream. We pull that software to Red Hat. We package it as a component of one of the pieces of software that we provide to our customers. It's our responsibility to pay attention to those upstream potential vulnerabilities, potential risks, and correct them in our code. So that might be taking a patch from upstream, applying it to our software, might be grabbing the latest version from upstream, whatever the case might be, but it's our responsibility to provide that protection for that software to actually remediate that risk, and then our customers can then install the update and apply the mitigation themselves. If we take a look at it from, when we're looking at multiple suppliers where you'd asked earlier about, what part of it is Red Hat and what part of it is self-service open source? When you look at that, the work that Red Hat's doing there as a commercial provider of open source and end user for that little bit that they're going to grab themselves, that Red Hat doesn't provide, it's going to have to do all of those things as well. They're going to have to pay attention to that risk from upstream. They're going to have to pay attention to any potential vulnerabilities and pull that in to figure out, do I need to patch? Where do I need to patch it? And that's something we didn't really touch on was an inventory of the software that you have in place. I mean, you don't know that you need to fix something. You don't even know that it's running. So, I mean, there's a lot of considerations there where you have to pay attention to a lot of sources. Certainly there's metadata, automation, all of these things that make it easier, but it doesn't absolve us of the responsibility across the board to pay attention to these things, whether you're grabbing it from upstream directly or from the vendor. And it's the vendor's responsibility to then be paying attention to things upstream. >> Yeah, so Luke, I want you to kind of riff on that from the perspective that let's just assume that Vincent was just primarily talking about the idea that, okay, we've established that this code is solid and we've got gold copy of it and we know it's okay. There aren't inherent problems in the code as far as we can tell. Well, that's fine. I'm a developer. I go out to pull code and to use. How do I know if it's not been tampered with? How do I know if it's in fact the code that was validated during this process before? What do you do about that? >> So there's several methods there, but I just like to loop back to that point, because I think this is really interesting around, so if you look at a software supply chain, this is a mix of humans and machines, and both have flaws, probably humans a bit more. And a supply chain, you have developers. You have code reviewers, you have your systems administrators that set up the systems, and then you have your machine actors. So you've got your build systems, the various machines that are part of that supply chain. Now the humans, there's a as an attack factor there 'cause typically they will have some sort of identity, which they leverage for access to the supply chain. So quite often a developer's identity can be compromised. So a lot of the time people will have a corporate account that gives them some sort of single sign on access to multiple systems. So the developers are coming and this could be somebody in the community as well. Their account is compromised, then they're able to easily backdoor systems. So that's one aspect. And then there is machines as well. There's the whole premise of machines software not being up to date. So when the latest nasty vulnerability is released, machines are updated, then the machines have their flaws. They can be exploited. So I would say it's not just a technical problem. There is a humanistic element to this as well around protecting your supply chain. And I would say a really good perspective to carry when you're looking to, how do I secure my supply chain is treat it like you would a production system. So what do I mean by that? When we put something into production and we've got this very long legacy of treating it with a very strict security context around who can access that people, okay. How much it's upgraded and it's patched? And we seem to not have this same perception around our supply chain and our build systems, the integrity of those, the access of those, the policy around the access and so forth. So that's one giveaway that I would say is a real key focus that you should have is treat it like a production system. Be very mindful about what you're bringing in, who can access it because it is the keys to the kingdom, because if somebody compromises your supply chain, your build systems and so forth, they can compromise the whole chain because the chain is only as strong as the weakest link. So that's what I draw upon it. And around the verifications, there is multiple technologies that you can leverage. So Red Hat, we've got a very robust sign in system that we use so that you can be sure that the packages that we get you have non-repudiation that they've been produced by Red Hat. When you update your system, that's automatically looked after. And there are other systems as well, there's other new technologies that are starting to get a foothold around the provenance of aspects of your build system. So when you're pulling in from these multiple sources of open source communities, you can have some provenance around what you're putting in as well. And yeah, I don't want to bite share too much on the technologies, but there's some exciting stuff starting to happen there as well. >> So let's look at an example of something, because I think it's important to understand all of these different aspects. Recently, I think actually still in the news, we found that some logging software distributed by Apache that's widely used in people's websites to gather information about... To help from a security perspective and to help developers improve things that are going on in websites. A vulnerability was discovered. I guess, first Alibaba, some folks were reported it directly to some folks at Apache and the Apache Organization. And then of all people, some folks from Minecraft mentioned it in a blog. That seems like a crazy way to find out about something that's a critical flaw. Now we're looking at this right now with hindsight. So with hindsight, what could we have done to not be in the circumstances that we're in right now? Vincent, I'll toss that to you first, but again, if Luke is more appropriate, let us know. >> No, it's a great question, and it's a hard question. >> How did you let this happen, Vincent? How did you let this happen? >> It wasn't me, I promise. (Dave laughs) >> What I mean, it's a challenging question I mean, and there's a number of areas where we focused on a lot of what we perceived as critical software. So it comes to web server applications, DNS, a number of the kind of the critical infrastructure that powers the internet. Right or wrong. Do we look at logging software as a critical piece of that? Well, maybe, maybe we should, right? Logging is definitely important as part of an incident response or just an awareness of what's going on. So, I mean, yeah, it probably should have been considered critical software, but I mean, it's open source, right? So there's a number of different logging applications. I imagine now we're scrutinizing those a little bit more, but looking beforehand, how do you determine what's critical until an event like this happens, and it's unfortunate that it happens. And I like to think of these as learning opportunities, and certainly not just for Red Hat, but for this (talking over each other) >> Certainly this is not... Yeah, this is not an indictment of our entire industry. We are all in this together and learning every day. It just highlights how complex the situation is that we're dealing with, right? >> It really is. And I mean, a lot of what we're looking at now is how do we get tools into the hands of developers who can catch some of these things earlier. And there's a lot of commercial offerings, there's a lot of open source tools that are available and being produced that are going to help with these sorts of situations moving forward. But I mean, all the tools on the planet aren't going to help if they're not being used. So, I mean, there has to be an education and an incentive for these developers, particularly, maybe in some upstream communities where they are labors of love and they're passionate projects they're not sponsored or backed by a corporation who's paying for these tools, to be able to use some of them and move that forward. I think that looking at things now, there is work to be done. Obviously there's always going to be work to be done. Not all of these tools, and we have to recognize this, they're not all perfect. They're not going to catch everything. These tools could have been... I mean, I don't know if they were running these tools or not, they could have been, and the tool simply could not have picked them up. So part of it is the proactive part. We talk a lot about shift left and moving these things earlier into the development process and that's great, and we should do it. It certainly should never be seen as a silver bullet or a replacement for a good response. And I think the really important thing to highlight with respect to this, and I mean, this touches on the supply chain issue as well, companies, especially those who never maybe saw themselves as a software development company really have to figure out and understand how to do appropriate response. Part of that is awareness, what do you have installed? Part of it is sources of information. Like how do I find out about a new vulnerability or a potential vulnerability? And then it's just the speed to respond. We know that a number of companies they have, maybe it's a Patch Tuesday, maybe it's a patch 26th of the month, maybe it's patch day of the quarter, we have to learn how to respond to these things quickly so that we can apply these mitigations and these fixes as quickly as possible to them protect ourselves and protect the end users or customers that we have, or to keep the kids from using some backdoors in Minecraft is the word. >> (laughs) Yeah. Look, this is an immensely important subject. To wrap us up on this, Luke, I'd like you to pretend that you just got into an elevator in a moderately tall building, and you have 60 seconds to share with me someone who already trusts you, you don't have to convince me of your credentials or anything. I trust you. What tools specifically do you need me to be running, tools and processes. You've got 60 seconds to say, Dave, if you're not doing these things right now, you're unnecessarily vulnerable. So ready, and go, Luke. >> So automatically update all packages. Always stay up-to-date so that when an issue does hit, you're not having to go back 10 versions and work your way forward. That's the key thing. Ensure that everything you pull in, you're not going to have 100%, but have a very strict requirement that there is non-repudiation, is signed content, so you can verify that it's not being tampered with. For your developers that are producing code, run static, dynamic analysis, API fuzzes, all of these sorts of tools. They will find some vulnerabilities for you. Be part of communities. Be part of communities, help chop the wood and carry the water because the log for Jay, the thing is that was found because it was in the open. If it wasn't any open, it wouldn't have been found. And I've been in this business for a long time. Software developers will always write bugs. I do. Some of them will be security bugs. That's never going to change. So it's not about stopping something that's inevitable. It's about being prepared to react accordingly in our right and correct manner when it does happen so that you can mitigate against those risks. >> Well, we're here on the 35th floor. That was amazing. Thank you, Luke. Vincent, you were in the elevator also listening in on this conversation. Did we miss anything? >> No, I mean, the only thing I'll say is that it's really helpful to partner with an enterprise open source provider, be it Red Hat or anybody else. I don't want to toot our own horn. They do a lot of that work on your behalf that you don't have to do. A lot of the things that Luke was talking about, those providers do, so you don't have to. And that's where you.. I liked that you talked about, hey, you don't have to convince me that I'm trusted, or that I trust you. Trust those vendors. They're literally here to do a lot of that heavy lifting for you and trust the process. Yeah, it's a very, very good point. And I know that sometimes it's hard to get to that point where you are the trusted advisor. Both of you certainly are. And with that, I would like to thank you very much for an interesting conversation. Gentlemen, let's keep in touch. You're always welcome on theCUBE. Luke, second time, getting a chance to talk to you on theCUBE personally. Fantastic. With that, I would like to thank everyone for joining this very special series on theCUBE. Managing risk in the digital supply chain is a critical topic to keep on top of. Thanks for tuning into theCUBE. We'll be back soon. I'm Dave Nicholson saying, thanks again. (upbeat music)

(upbeat music) >> Welcome to theCUBE. I'm Dave Nicholson, and this is part of the continuing conversation about Managing Risk in the Digital Supply Chain. I have with me today Vincent Danen, vice president of product security from Red Hat and Luke Hines security engineering lead from the office of the CTO at Red Hat. Gentlemen, welcome to theCUBE. >> Thank you. >> Great to be here. >> So let's just start out and dive right into this, Vincent, what is the software or digital supply chain? What are we talking about? Yeah, that's a good question. Software supply chain is basically the software that an end user would get from a vendor or in our case, we're talking about open source, so upstream. It is the software that comes in that is part of your package, operating system, applications. It could be something that you get from one vendor, multiple vendors. So we look at in the example of Red Hat, we are one part of the customer's software supply chain. >> So it's interesting that it's coming in from different areas. Do we have a sense for the ratio of kind of commercial software versus open source software that makes up an enterprise today? >> I think that's a really hard thing to answer and I think every enterprise or every company would have a little bit different. Depends if you have an open source vendor that you choose, you may get a significant amount of software from them. Certainly you're not going to get it all. As an example, Red Hat provides thousands of open source packages. We certainly can't provide all of them. There are millions that are out there. So when you're looking at a specific application that you're building, chances are, you could be running that on a managed platform or an enterprise supply platform, but there are going to be packages that you're going to be obtaining from other sources in other communities as well in order to power your applications. >> So, Luke, that sounds like a kind of a vague situation we're looking at in terms of where all of our software is coming from. So what do we need to know about our software supply chain in that context? What do we need to understand? Before we even get anywhere near the idea of securing it, what are some of the issues that arise from that? >> Yeah, so Vincent's touchpoint is a very wide range in ecosystem, multiple sources when we're talking about open source. So essentially awareness is key really. I think a lot of people are really not aware of the sources that they're drawing from to create their own supply chain. So there's multiple supply chains. You can be somebody like Red Hat that the provide software, and then people will leverage Red Hats for their own supply chain. And then you have the cloud provider and they have their own source of software. So I think that the key thing is the awareness of how much you rely upon that ecosystem before we look at the security of the supply chain. It's really understanding your supply chain. >> And just to follow up on that. So can you... I'm sort of checking my own level of understanding on this subject. When you talk about open source code, you're talking about a code base that is often maintained essentially by volunteers, isn't that correct? >> A mix of volunteers and paid professionals where a company has an interest in the open source project, but predominantly I would say it's... Well, I'm not entirely sure, but volunteers make up a substantial part of the ecosystem that is for sure. So it's a mix really. Some people do it because they enjoy writing software. They want to share software. Other people also enjoy working software, but they're in the position that a company pays for them to work on that software. So it's a mix of both. >> Vincent, give us a reminder of reminder of why this is important from a little bit of a higher level. Step back from the data center view of things, from the IT view of things, just from a societal perspective, Vincent, what happens when we don't secure our digital supply chain? What are the things that are put at risk? >> Okay, well, there's a significant number of things that are placed at risk, the security of the enterprise itself. So your own customer data, your own internal corporate data is place at risk if there were a supply chain breach. But further to that for a software provider, and I think that in a lot of cases, most companies today are software providers or software developers. You actually put your own customers at risk as well, not just their data, but their actual... The things that they're working on, any workloads that they may have, an order that they might place as an example. So there's a number of areas where you want to have the security of that supply chain and the software components that you have figured out. You want to be on top of that because there is that risk that trickles down when it comes to an event. I mean, we've seen that with breaches earlier this year, one company is breached multiple companies end up being breached as a result of that. So it's really important. I think we all have a part to play in that I always view it as it's not just about the company itself. So I mean, speaking from a Red Hat perspective, I don't look at it as we're just securing Red Hat, we're securing our customers, and then we're also doing that for their customers as well, because they're writing software that's running on the software that we're providing to them. So there is this trickle down effect that comes, and so I think that every link in that chain, I mean, it's wonderful that it's called a supply chain. It's only as strong as its weakest link. So our view is how do we strengthen every link in that chain? And we're one part of it, but we're kind of looking a little broader, what can we do upstream and how can we help our customers to ensure the security of their part in that supply chain? >> Yeah, I want to talk about that in a broad sense, but let's see if we can get a little bit more specific in terms of what some of the chains look like because it's not just really one chain when you think about it, there's the idea of inherent flaws that can be caught and then there are the things that bad actors might be doing to leverage those flaws. So you've got all of these different things that are converging. So first and Vincent, if you want to toss this to Luke back and forth, it's up to you guys. What about this issue of inherent flaws in code? We referenced this idea of the maintainer community. What are best practices for locking that down to make sure that there aren't inherent flaws or security risks? >> I'll take a stab at it, and then I'll let Luke follow up with maybe some of the technologies that Red Hat provides. And again, speaking to Red Hat as part of that chain. When we're talking about inherent risk, there's a vulnerability that's present upstream. We pull that software to Red Hat. We package it as a component of one of the pieces of software that we provide to our customers. It's our responsibility to pay attention to those upstream potential vulnerabilities, potential risks, and correct them in our code. So that might be taking a patch from upstream, applying it to our software, might be grabbing the latest version from upstream, whatever the case might be, but it's our responsibility to provide that protection for that software to actually remediate that risk, and then our customers can then install the update and apply the mitigation themselves. If we take a look at it from, when we're looking at multiple suppliers where you'd asked earlier about, what part of it is Red Hat and what part of it is self-service open source? When you look at that, the work that Red Hat's doing there as a commercial provider of open source and end user for that little bit that they're going to grab themselves, that Red Hat doesn't provide, it's going to have to do all of those things as well. They're going to have to pay attention to that risk from upstream. They're going to have to pay attention to any potential vulnerabilities and pull that in to figure out, do I need to patch? Where do I need to patch it? And that's something we didn't really touch on was an inventory of the software that you have in place. I mean, you don't know that you need to fix something. You don't even know that it's running. So, I mean, there's a lot of considerations there where you have to pay attention to a lot of sources. Certainly there's a metadata automation, all of these things that make it easier, but it doesn't absolve us of the responsibility across the board to pay attention to these things, whether you're grabbing it from upstream directly or from the vendor. And it's the vendor's responsibility to then be paying attention to things upstream. >> Yeah, so Luke, I want you to kind of riff on that from the perspective that let's just assume that Vincent was just primarily talking about the idea that, okay, we've established that this code is solid and we've got gold copy of it and we know it's okay. There aren't inherent problems in the code as far as we can tell. Well, that's fine. I'm a developer. I go out to pull code and to use. How do I know if it's not been tampered with? How do I know if it's in fact the code that was validated during this process before? What do you do about that? >> So there's several methods there, but I just like to loop back to that point, because I think this is really interesting around, so if you look at a software supply chain, this is a mix of humans and machines, and both have flaws, probably humans a bit more. And a supply chain, you have developers. You have code reviewers, you have your systems administrators that set up the systems, and then you have your machine actors. So you've got your build systems, the various machines that are part of that supply chain. Now the humans, there's a as an attack factor there 'cause typically they will have some sort of identity, which they leverage for access to the supply chain. So quite often a developer's identity can be compromised. So a lot of the time people will have a corporate account that gives them some sort of single sign on access to multiple systems. So the developers are coming and this could be somebody in the community as well. Their account is compromised, then they're able to easily backdoor systems. So that's one aspect. And then there is machines as well. There's the whole premise of machines software not being up to date. So when the latest nasty vulnerability is released, machines are updated, then the machines have their flaws. They can be exploited. So I would say it's not just a technical problem. There is a humanistic element to this as well around protecting your supply chain. And I would say a really good perspective to carry when you're looking to, how do I secure my supply chain is treat it like you would a production system. So what do I mean by that? When we put something into production and we've got this very long legacy of treating it with a very strict security context around who can access that people, okay. How much it's upgraded and it's patched? And we seem to not have this same perception around our supply chain and our build systems, the integrity of those, the access of those, the policy around the access and so forth. So that's one giveaway that I would say is a real key focus that you should have is treat it like a production system. Be very mindful about what you're bringing in, who can access it because it is the keys to the kingdom, because if somebody compromises your supply chain, your build systems and so forth, they can compromise the whole chain because the chain is only as strong as the weakest link. So that's what I draw upon it. And around the verifications, there is multiple technologies that you can leverage. So Red Hat, we've got a very robust sign in system that we use so that you can be sure that the packages that we get you have non-repudiation that they've been produced by Red Hat. When you update your system, that's automatically looked after. And there are other systems as well, there's other new technologies that are starting to get a foothold around the provenance of aspects of your build system. So when you're pulling in from these multiple sources of open source communities, you can have some provenance around what you're putting in as well. And yeah, I don't want to bite share too much on the technologies, but there's some exciting stuff starting to happen there as well. >> So let's look at an example of something, because I think it's important to understand all of these different aspects. Recently, I think actually still in the news, we found that some logging software distributed by Apache that's widely used in people's websites to gather information about... To help from a security perspective and to help developers improve things that are going on in websites. A vulnerability was discovered. I guess, first Alibaba, some folks were reported it directly to some folks at Apache and the Apache Organization. And then of all people, some folks from Minecraft mentioned it in a blog. That seems like a crazy way to find out about something that's a critical flaw. Now we're looking at this right now with hindsight. So with hindsight, what could we have done to not be in the circumstances that we're in right now? Vincent, I'll toss that to you first, but again, if Luke is more appropriate, let us know. >> No, it's a great question, and it's a hard question. >> How did you let this happen, Vincent? How did you let this happen? >> It wasn't me, I promise. (Dave laughs) >> What I mean, it's a challenging question I mean, and there's a number of areas where we focused on a lot of what we perceived as critical software. So it comes to web server applications, DNS, a number of the kind of the critical infrastructure that powers the internet. Right or wrong. Do we look at logging software as a critical piece of that? Well, maybe, maybe we should, right? Logging is definitely important as part of an incident response or just an awareness of what's going on. So, I mean, yeah, it probably should have been considered critical software, but I mean, it's open source, right? So there's a number of different logging applications. I imagine now we're scrutinizing those a little bit more, but looking beforehand, how do you determine what's critical until an event like this happens, and it's unfortunate that it happens. And I like to think of these as learning opportunities, and certainly not just for Red Hat, but for this (talking over each other) >> Certainly this is not... Yeah, this is not an indictment of our entire industry. We are all in this together and learning every day. It just highlights how complex the situation is that we're dealing with, right? >> It really is. And I mean, a lot of what we're looking at now is how do we get tools into the hands of developers who can catch some of these things earlier. And there's a lot of commercial offerings, there's a lot of open source tools that are available and being produced that are going to help with these sorts of situations moving forward. But I mean, all the tools on the planet aren't going to help if they're not being used. So, I mean, there has to be an education and an incentive for these developers, particularly, maybe in some upstream communities where they are labors of love and they're passionate projects they're not sponsored or backed by a corporation who's paying for these tools, to be able to use some of them and move that forward. I think that looking at things now, there is work to be done. Obviously there's always going to be work to be done. Not all of these tools, and we have to recognize this, they're not all perfect. They're not going to catch everything. These tools could have been... I mean, I don't know if they were running these tools or not, they could have been, and the tool simply could not have picked them up. So part of it is the proactive part. We talk a lot about shift left and moving these things earlier into the development process and that's great, and we should do it. It certainly should never be seen as a silver bullet or a replacement for a good response. And I think the really important thing to highlight with respect to this, and I mean, this touches on the supply chain issue as well, companies, especially those who never maybe saw themselves as a software development company really have to figure out and understand how to do appropriate response. Part of that is awareness, what do you have installed? Part of it is sources of information. Like how do I find out about a new vulnerability or a potential vulnerability? And then it's just the speed to respond. We know that a number of companies they have, maybe it's a Patch Tuesday, maybe it's a patch 26th of the month, maybe it's patch day of the quarter, we have to learn how to respond to these things quickly so that we can apply these mitigations and these fixes as quickly as possible to them protect ourselves and protect the end users or customers that we have, or to keep the kids from using some backdoors in Minecraft is the word. >> (laughs) Yeah. Look, this is an immensely important subject. To wrap us up on this, Luke, I'd like you to pretend that you just got into an elevator in a moderately tall building, and you have 60 seconds to share with me someone who already trusts you, you don't have to convince me of your credentials or anything. I trust you. What tools specifically do you need me to be running, tools and processes. You've got 60 seconds to say, Dave, if you're not doing these things right now, you're unnecessarily vulnerable. So ready, and go, Luke. >> So automatically update all packages. Always stay up-to-date so that when an issue does hit, you're not having to go back 10 versions and work your way forward. That's the key thing. Ensure that everything you pull in, you're not going to have 100%, but have a very strict requirement that there is non-repudiation, is signed content, so you can verify that it's not being tampered with. For your developers that are producing code, run static, dynamic analysis, API fuzzes, all of these sorts of tools. They will find some vulnerabilities for you. Be part of communities. Be part of communities, help chop the wood and carry the water because the log for Jay, the thing is that was found because it was in the open. If it wasn't any open, it wouldn't have been found. And I've been in this business for a long time. Software developers will always write bugs. I do. Some of them will be security bugs. That's never going to change. So it's not about stopping something that's inevitable. It's about being prepared to react accordingly in our right and correct manner when it does happen so that you can mitigate against those risks. >> Well, we're here on the 35th floor. That was amazing. Thank you, Luke. Vincent, you were in the elevator also listening in on this conversation. Did we miss anything? >> No, I mean, the only thing I'll say is that it's really helpful to partner with an enterprise open source provider, be it Red Hat or anybody else. I don't want to toot our own horn. They do a lot of that work on your behalf that you don't have to do. A lot of the things that Luke was talking about, those providers do, so you don't have to. And that's where you.. I liked that you talked about, hey, you don't have to convince me that I'm trusted, or that I trust you. Trust those vendors. They're literally here to do a lot of that heavy lifting for you and trust the process. Yeah, it's a very, very good point. And I know that sometimes it's hard to get to that point where you are the trusted advisor. Both of you certainly are. And with that, I would like to thank you very much for an interesting conversation. Gentlemen, let's keep in touch. You're always welcome on theCUBE. Luke, second time, getting a chance to talk to you on theCUBE personally. Fantastic. With that, I would like to thank everyone for joining this very special series on theCUBE. Managing risk in the digital supply chain is a critical topic to keep on top of. Thanks for tuning into theCUBE. We'll be back soon. I'm Dave Nicholson saying, thanks again. (upbeat music)

>>Hello, and welcome back to the cubes coverage of coop con cloud native con 2021. We're here in person at a real event. I'm John farrier host of the cube, but Dave Nicholson, Michael has got great guests here. Two founders of brand new startup, one week old cable on ASCII and Dave Lawrence, uh, with chain guard, former Google employees, open source community members decided to start a company with five other people on total five total. Congratulations. Welcome to the cube. >>Thank you. Thank you for >>Having us. So tell us like a product, you know, we know you don't have a price. So take us through the story because this is one of those rare moments. We got great chance to chat with you guys just a week into the new forms company and the team. What's the focus, what's the vision. >>How far back do you want to go with this story >>And why you left Google? So, you know, we're a gin and tonics. We get a couple of beers I can do that. We can do that. Let's just take over the world. >>Yeah. So we both been at Google, uh, for awhile. Um, the last couple of years we've been really worried about and focused on open-source security risk and supply chain security in general and software. Um, it's been a really interesting time as you probably noticed, uh, to be in that space, but it wasn't that interesting two years ago or even a year and a half ago. Um, so we were doing a bunch of this work at Google and the open source. Nobody really understood it. People kind of looked at us funny at talks and conferences. Um, and then beginning of this year, a bunch of attacks started happening, uh, things in the headlines like solar winds, solar winds attack, like you say, it attack all these different ransomware things happening. Uh, companies and governments are getting hit with supply chain attacks. So overnight people kind of started caring and being really worried about the stuff that we've been doing for a while. So it was a pretty cool thing to be a part of. And it seemed like a good time to start a company and keep your >>Reaction to this startup. How do you honestly feel, I suppose, feeling super excited. Yeah. >>I am really excited. I was in stars before Google. So then I went to Google where there for seven, I guess, Dan, a little bit longer, but I was there for seven years on the product side. And then yeah, we, we, the open source stuff, we were really there for protecting Google and we both came from cloud before that working on enterprise product. So then sorta just saw the opportunity, you know, while these companies trying to scramble and then sort of figure out how to better secure themselves. So it seemed like a perfect, >>The start-up bug and you back in the start up, but it's the timing's perfect. I got to say, this is a big conversation supply chain from whether it's components and software now, huge attack vector, people are taking advantage of it super important. So I'm really glad you're doing it. But first explain to the folks watching what is supply chain software? What's the challenge? What is the, what is the supply chain security challenge or problem? >>Sure. Yeah, it's the metaphor of software supply chain. It's just like physical supply chain. That's where the name came from. And it, it really comes down to how the code gets from your team's keyboard, your team's fingers on those keyboards into your production environment. Um, and that's just the first level of it. Uh, cause nobody writes all of the code. They use themselves. We're here at cloud native con it's hundreds of open source vendors, hundreds of open libraries that people are reusing. So your, your trust, uh, radius and your attack radius extends to not just your own companies, your own developers, but to everyone at this conference. And then everyone that they rely on all the way out. Uh, it's quite terrifying. It's a surface, the surface area explode pretty quickly >>And people are going and the, and the targeting to, because everyone's touching the code, it's open. It's a lot of action going on. How do you solve the problem? What is the approach? What's the mindset? What's the vision on the problems solving solutions? >>Yeah, that's a great question. I mean, I think like you said, the first step is awareness. Like Dan's been laughing, he's been, he felt like a crazy guy in the corner saying, you know, stop building software underneath your desk and you know, getting companies, >>Hey, we didn't do, why don't you tell them? I was telling him for five years. >>Yeah. But, but I think one of his go-to lines was like, would you pick up a thumb drive off the side of the street and plug it into your computer? Probably not. But when you download, you know, an open source package or something, that's actually can give you more privileges and production environments and it's so it's pretty scary. Um, so I think, you know, for the last few years we've been working on a number of open source projects in this space. And so I think that's where we're going to start is we're going to look at those and then try to grow out the community. And we're, we're watching companies, even like solar winds, trying to piece these parts together, um, and really come up with a better solution for themselves. >>Are there existing community initiatives or open source efforts that are underway that you plan to participate in or you chart? Are you thinking of charting a new >>Path? >>Oh, it's that looks like, uh, Thomas. Yeah, the, the SIG store project we kicked off back in March, if you've covered that or familiar with that at all. But we kicked that off back in March of 2021 kind of officially we'd look at code for awhile before then the idea there was to kind of do what let's encrypted, uh, for browsers and Webster, um, security, but for code signing and open source security. So we've always been able to get code signing certificates, but nobody's really using them because they're expensive. They're complicated, just like less encrypted for CAS. They made a free one that was automated and easy to use for developers. And now people do without thinking about it in six stores, we tried to do the same thing for open source and just because of the headlines that were happening and all of the attacks, the momentum has just been incredible. >>Is it a problem that people just have to just get on board with a certain platform or tool or people have too many tools, they abandoned them there, their focus shifts is there. Why what's the, what's the main problem right now? >>Well, I think, you know, part of the problem is just having the tools easy enough for developers are going to want to use them and it's not going to get in our way. I think that's going to be a core piece of our company is really nailing down the developer experience and these toolings and like the co-sign part of SIG store that he was explaining, like it's literally one command line to sign, um, a package, assign a container and then one line to verify on the other side. And then these organizations can put together sort of policies around who they trust and their system like today it's completely black box. They have no idea what they're running and takes a re >>You have to vape to rethink and redo everything pretty much if they want to do it right. If they just kind of fixing the old Europe's sold next solar with basically. >>Yeah. And that's why we're here at cloud native con when people are, you know, the timing is perfect because people are already rethinking how their software gets built as they move it into containers and as they move it into Kubernetes. So it's a perfect opportunity to not just shift to Kubernetes, but to fix the way you build software from this, >>What'd you say is the most prevalent change mindset change of developers. Now, if you had to kind of, kind of look at it and say, okay, current state-of-the-art mindset of a developer versus say a few years ago, is it just that they're doing things modularly with more people? Or is it more new approaches? Is there a, is there a, >>I think it's just paying attention to your building release process and taking it seriously. This has been a theme for, since I've been in software, but you have these very fancy production data centers with physical security and all these levels of, uh, Preston prevention and making sure you can't get in there, but then you've got a Jenkins machine that's three years old under somebody's desk building the code that goes into there. >>It gets socially engineered. It gets at exactly. >>Yeah. It's like the, it's like the movies where they, uh, instead of breaking into jail, they hide in the food delivery truck. And it's, it's that, that's the metaphor that I like perfectly. The fence doesn't work. If your truck, if you open the door once a week, it doesn't matter how big defenses. Yeah. So that's >>Good Dallas funny. >>And I, I think too, like when I used to be an engineer before I joined Google, just like how easy it is to bring in a third party package or something, you know, you need like an image editing software, like just go find one off the internet. And I think, you know, developers are slowly doing a mind shift. They're like, Hey, if I introduce a new dependency, you know, there's going to be, I'm going to have to maintain this thing and understand >>It's a little bit of a decentralized view too. Also, you got a little bit of that. Hey, if you sign it, you own it. If it tracks back to you, okay, you are, your fingerprints are, if you will, or on that chain of >>Custody and custody. >>Exactly. I was going to say, when I saw chain guard at first of course, I thought that my pant leg riding a bike, but then of course the supply chain things coming in, like on a conveyor belt, conveyor, conveyor belt. But that, that whole question of chain of custody, it isn't, it isn't as simple as a process where someone grabs some code, embeds it in, what's going on, pushes it out somewhere else. That's not the final step typically. Yeah. >>So somebody else grabs that one. And does it again, 35 more times, >>The one, how do you verify that? That's yeah, it seems like an obvious issue that needs to be addressed. And yet, apparently from what you're telling us for quite a while, people thought you were a little bit in that, >>And it's not just me. I mean, not so Ken Thompson of bell labs and he wrote the book >>He wrote, yeah, it was a seatbelt that I grew >>Up on in the eighties. He gave a famous lecture called uh, reflections on trusting trust, where he pranked all of his colleagues at bell labs by putting a back door in a compiler. And that put back doors into every program that compiled. And he was so clever. He even put it in, he made that compiler put a backdoor into the disassembler to hide the back door. So he spent weeks and, you know, people just kind of gave up. And I think at that point they were just like, oh, we can't trust any software ever. And just forgot about it and kept going on and living their lives. So this is a 40 year old problem. We only care about it now. >>It's totally true. A lot of these old sacred cows. So I would have done life cycles, not really that relevant anymore because the workflows are changing. These new Bev changes. It's complete dev ops is taken over. Let's just admit it. Right. So if we have ops is taken over now, cloud native apps are hitting the scene. This is where I think there's a structural industry change, not just the community. So with that in mind, how do you guys vector into that in terms of a market entry? What's just thinking around product. Obviously you got a higher, did you guys raise some capital in process? A little bit of a capital raise five, no problem. Todd market, but product wise, you've got to come in, get the beachhead. >>I mean, we're, we're, we're casting a wide net right now and talking to as many customers like we've met a lot of these, these customer potential customers through the communities, you know, that we've been building and we did a supply chain security con helped with that event, this, this Monday to negative one event and solar winds and Citibank were there and talking about their solutions. Um, and so I think, you know, and then we'll narrow it down to like people that would make good partners to work with and figure out how they think they're solving the problem today. And really >>How do you guys feel good? You feel good? Well, we got Jerry Chen coming off from gray lock next round. He would get a term sheet, Jerry, this guy's got some action on it in >>There. Probably didn't reply to him on LinkedIn. >>He's coming out with Kronos for him. He just invested 200 million at CrossFit. So you guys should have a great time. Congratulations on the leap. I know it's comfortable to beat Google, a lot of things to work on. Um, and student startups are super fun too, but not easy. None of the female or, you know, he has done it before, so. Right. Cool. What do you think about today? Did the event here a little bit smaller, more VIP event? What's your takeaway on this? >>It's good to be back in person. Obviously we're meeting, we've been associating with folks over zoom and Google meets for a while now and meeting them in person as I go, Hey, no hard to recognize behind the mask, but yeah, we're just glad to sort of be back out in a little bit of normalization. >>Yeah. How's everything in Austin, everyone everyone's safe and good over there. >>Yeah. It's been a long, long pandemic. Lots of ups and downs, but yeah. >>Got to get the music scene back. Most of these are comes back in the house. Everything's all back to normal. >>Yeah. My hair doesn't normally look like this. I just haven't gotten a haircut since this also >>You're going to do well in this market. You got a term sheet like that. Keep the hair, just to get the money. I think I saw your LinkedIn profile and I was wondering it's like, which version are we going to get? Well, super relevant. Super great topic. Congratulations. Thanks for coming on. Sharing the story. You're in the queue. Great jumper. Dave Nicholson here on the cube date, one of three days we're back in person of course, hybrid event. Cause the cube.net for all more footage and highlights and remote interviews. So stay tuned more coverage after this short break.

>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 Special coverage sponsored by AWS Global Partner Network. Right. Welcome back to the cubes. Live coverage of AWS reinvent 2020 were virtual this year. We're not in person. We have to do it remote but the Cuba's virtual And I'm John for your host here with Cube Virtual next guest, Sarah Cooper, who is the general manager of the i o T Solutions with a W s. Sarah. Great to see you. Eso you last year in person. In real life, now we're remote. But thanks for coming on. Thank you. >>Thanks, John. Always good to be on the Cube and great to see you again. I don't know how many years it's been from our initial meeting, but it's been a few. >>Well, we gotta we gotta cube search engine. You were on in 2016, but we saw each other last year on when we're riffing on the i o t. News. A lot of great stuff. I mean, from Speed Racer all the way down through all the industrial stuff. Even more this year. But two things that jumped out at me this year. War is the carrier keynote and also the BlackBerry kind of automotive thing again speaks to kind of two megatrends. Obviously, automotive will get to a second, but the carrier announcement was really interesting. You guys did this thing and I was so impressed with the cold chain, uh, product. It was the connected cold chain. It was called, Um, this is where the carrier, which is known for air conditioning This is critical I o t devices that stays with the vaccines involved. Take a minute to explain what the cold chain connected cold chain project waas. >>Yeah, absolutely. So. So we worked closely and are working closely with Carrier on on a product called Links Now Cold chain. Um, as Dave Gitlin, the CEO of Carrier, described in Andy's keynote eyes about moving perishable goods, things that need certain temperature ranges from point A to point B and that usually it sounds simple. Uh, that's not quite so simple. It's usually you know, least you know, 5 to 25 hops, sometimes as much as 40. Andi zehr these air partial goods This is food. This is medicines. This is vaccines. Very hot topic at the moment. And today you know you're moving between ships and those big tractor trailers, and you've got warehouses with refrigeration units and you've got retail grocery stores with refrigeration units thes air, all different data sources that are owned by different. You know, members of that supply chain that value chain and to end. And so what links does is it pulls the data from all of the curier equipment and then pulls that data and looks across all of this information, using things like machine learning to draw inference and relationship and then be allows us to be able to make smart recommendations on things like routes. Or, if you know, a particular produce might need to stop before its original event to make sure it's got long shelf life. It allows us basically to provide that transparency and toe end, which is so difficult because of the number of players. And it's in part due to curious breath of products. And then, you know, with AWS, we're bringing the digital technology side. We got the i o t. The M l. A lot of big data processing pieces, eh? So we're really excited about that. I have to say It's one of the easiest projects to hire for when you talk about making sure that we're able to reduce food waste from the current 30 to 40% or that we're working on making sure that vaccines are efficacious by the time that they get a vaccination site, engineers sign up pretty quickly. >>You know the cliche. You know, mission driven companies. They're always kind of like people love the work for mission driven companies. In this case, you have a project and group that literally is changing the world. If you think about just the life savings on the on the on the vaccine side, that's obvious. We all can relate to that now with covert on full display. But just in terms of energy consumption, on food, ways to perishables if you get the costs involved to society, hunger around the world. Uh, just >>food is >>just wasted, and there are people starving, right? So when you start looking at this as an instrumentation problem, right, it gets really interesting. So you mentioned supply chain value chain. This is I o t potentially, even Blockchain again. This is a key change. The world area. You guys have a multi year deal with Carrier, So validation. What does that mean? Specifically, you guys gonna provide cloud services? Um, what's that all mean? >>Yeah. So we were bringing our engineering talent as this carrier. This is a code development, so we're actually jointly developing together. They bring a lot of the domain expertise they bring, you know, years and years of experience in refrigeration, Um, and in, you know, track and trace of these products. And we bring engineers who have vast experience at scale in these kinds of inference, challenges and and data management and data quality. And so it's really kind of bringing the best of both worlds. And you see this happening more and more. I think in general, where you've got a company like AWS that has strong digital expertise and a history of product innovation, working with customers that are very innovative themselves, but typically have been innovative in in, you know, traditional hardware products and the two worlds coming together to make sure that we can really solve some of the big challenges that are facing our society today. And, um, again, you know, it's great to wake up in the morning and get to work on a project that has that kind of impact. >>Well, before we move on to the whole BlackBerry automotive thing, which is another whole fascinating thing share something that people might not know about this carrier project. That's important. Um, whether it's something anecdotal, something that you know, Um, that's important. What, what what's what's What else is there that's game changing that you think is important to point out? >>Yeah, you know, I don't know that when we first started working with Carrier on on scoping this project that I had really thought through all the different players that are touched by cold chain. Um, certainly we've got a number of them within Amazon with our our fulfillment technologies and our grocery stores. That that's logical. Um, you think about the shippers and people who are out, you know, um, farming. And you know, I mean, crabmeat is something that moves in these big refrigerated containers, but actually there's there are transportation companies. There's drivers of these big rigs that need to make sure that they're being that they have fuel consumption management. You've got customers, you know, really kind of throughout that piece, freight forwarders. And so really the breath of the people that are touched, not just you and I is consumers of of perishable goods and fruits and produce on DNA medicines, but also really, that full end to end ecosystem on that's That's both the exciting part from A from a business standpoint, but also the exciting part from the technology stand. >>Well, it's great work, and I applaud you for it's one of those things where foodways isn't just a supply chain impacts the rest of the world because you're more efficient. You could distribute food, toe other places where people are hungry and just its overall impact is huge trickle effect. So impact is huge. Okay, now let's talk about the automotive peace. Because last year we had on the Cube folks from BlackBerry and remember them came on like BlackBerry. Isn't that the phone that went extinct by the iPhone? No, no. There's a whole nother io ti automotive thing around. Ivy Ivy? Why intelligent vehicle data platform? You guys just announced a multiyear agreement with them to develop that product combined with some of the I O. T and machine learning. Could you take him in to explain what this relationship is. What does it mean? What does it mean for the industry? >>Yeah, it's It's similar to the carrier relationship. You know we are. We're engineering together. Um, in this instance Q and X, which is a division of BlackBerry, is in 175 million vehicles. I mean, just think about that. They're running under the covers, and they are. They are a safety security layer and a real time operating system. So you know, when you think about all of the products, really end end in Q and X isn't just in automotives. It's in nuclear power plants. It's in manufacturing automation. It's one of those products that that you probably benefit from, but you didn't know it. Um, and in the automotive space, it's the piece that manages the safety certified layers of data coming off of sensors in the car. And so, fundamentally, what we're doing with Ivy is we're up leveling that information today. If you think about a car, you've got 1500 suppliers that are all providing parts into that far, which means that different makes and models have different seats. Sensors to give you wait in the back, you know, seat as an example. And so if do you want to write an application that tries to determine if that weight in the back seat is your dog or not, my dog happens to be bothering me at the moment. Z. >>That's one of the benefits of working at home. You know? >>Absolutely. So we'll use him as an excuse here. But if you want to know if that's a dog on the back seat, um, being able Thio, then figure out the PC electric measurements and the algorithms, um means you have to know what sensors air in that back seat, which means you got to write essentially an application Pir sensor manufacturer for vehicle make and model That doesn't work so fundamentally What Ivy does, is it? It abstracts away the differences between the vendors and then it up levels information by using machine learning and analytics running in the car. To be able to allow a developer to say, you know, a P I. Is there a dog in the car like How simple is that? I don't have to figure out what the weight measurement is. I don't know. I have to know if there's cameras in the car or if there's some other way to know. If the dog I just need to ask, Is there dog in the car? And the A P. I, for my view, will tell you yes, No, or I don't know, you know, because sometimes there isn't the technology to know that. And then the application developer can then use that information to build delightful experiences, things that make your dog behave, hopefully, things that might help protect them on a hot day. Um, you know, in things where you know that if there's a child in the car, you don't play explicit lyrics. If they're fighting in the back seat, you make sure that the cartoons go off until they behave themselves and cartoons come back on. There are lots of in vehicle experiences that can be enabled by this as well as vehicle operations. So, you know, being able to do >>yeah and all that stuff. >>Yeah, Selective recalls making sure that Onley cars that are actually affected need to come in and making sure that that you know, that's that's quantified and that, you know, it is actually safe to drive to the point of recall. All of that could be done on a vehicle by vehicle basis. >>So are you competing with car companies now? >>No, fundamentally, the oe EMS are the Are the companies that that the car manufacturers are those that end up delivering this capability and they own the data. You know, this isn't something where BlackBerry or A W S owns the data the auto manufacturers dio so it's there platforms to make a delightful experience out of, um, we're just helping to make sure that that's as easy as possible and opening up. You know, the potential innovation so that it's, you know, it's certainly their developers internally. But if they want take advantage of the millions of AWS developers now, they could do that. >>Sarah, Great to have you on one of the things. I just want a final questions or final point. Let's get your reaction to Is that it seems to me with the cloud in this post covert scale error when you start to get into edge, um, you know, industrial I o t. You hear things like instrumentation supply chain, these air buzzwords, these air kind of characteristics all kind of in play. But the other observation is partnerships, arm or co engineering. Co development vibe. Is that just unique? Thio what you're doing? Or do you see this as kind of as a template for partnering? Because when you start to get these abstraction layers, the heavy lifting can be under the covers. You have this enablement model. What's your quick take on this? >>Yeah, I think we talk about undifferentiated heavy lifting, a lot of Amazon on defunding mentally. That's different for each industry. And he talked about that. His keynote. And so I think you know you'll see more and more co development and co engineering coming from from companies across when we have big technical challenges and these air complex problems to solve it takes a village >>awesome. Sarah Cooper Thanks for coming on GM of Iot. TIF Solutions A. The best to great success stories. The carrier and Blackberry, one Automotive with Black Braids operating system that powers the safety and for cars and, hopefully, future of application, development and carrier, with the cold connected chain delivering perishable goods, vaccines and food. Changing the game. That's a game changer. Thanks for coming on. >>Thanks, John appreciate. Always good to see you. >>Okay. Cube coverage. Jump shot for your host. Stay with us from or coverage throughout the day and all next couple weeks. Thanks for watching. Yeah. Mhm.

>> From theCUBE Studios in Palo Alto, in Boston connecting with alt leaders all around the world, This is a CUBE conversation. >> Hello everybody, this is Dave Vellante and welcome to this Breaking Analysis. I'm here with Erik Bradley, who's the managing director of ETR and runs their VEN program. Erik good to see you. >> Very nice to see you too Dave. Hope you're doing well. >> Yeah, I'm doing okay hanging in there. You know, you guys in New York are fighting the battle. Looks like we're making some progress here so, you know, all the best, you and your family and the wider community. I'm really excited to have you on today because I had the pleasure of sitting in on a CIO/ CISO panel last week. And we're going to explain sort of what that's all about, but one of the things ETR does that I really like is they go deeper with anecdotal information and it's almost like in-depth interviews in these round tables. So they compliment their quarterly surveys, and their other drill down surveys, with other anecdotal information for people in their community. So it's a tried and true survey practice that adds some color to the dataset. So guys if you bring up the agenda, I want to share with the audience what we're going to talk about today. So, we'll talk a little bit about, you know we just did intros, I want to ask Erik, what ETR VENN is and then we'll go through some of the guests, but if we go back to Erik, explain a little bit about VENN and the whole process and how you guys do that. >> Yeah sure, we should hire you for marketing. You just did a great job, actually, describing that, but about three years ago what we decided was, ETR does an amazing job collecting the data. It can tell you what's happening, who it's happening to and when it's happening. But it can't always tell you why it's happened. So leveraging a lot of my background in twenty-plus years in journalism and institutional Wall Street research, we decided to take the ETR community, the people that actually take the surveys, and start doing interviews with them and start doing events with them. And enable to doing that, we're basically just trying to compliment the survey findings and the data. So what we always say is that ETR will always give you the quantitative answer and VENN will give you the qualitative answer. >> Now guys, let's bring up the agenda slide again, let's take a look at the folks that participated in the round table. Now, for ETR's clients, they actually know the names and the titles and well the company that these guys work for. We've anonymized it for the public. But you had a CIO of a Global Auto Supplier, a CISO of a Diversified Holdings Firm, who actually had some hospitality exposure but also some government contract manufacturing exposure. Chief Architect of a Software ISV and a VP and CISO of a Global Hospitality Resort Chain. So you had three out of the for, Erik, were really in industries that are getting hit hard. Obviously the software company maybe a little bit better. But maybe you can add some color to that. >> Well actually the software company, unfortunately, was getting hit hard as well because they're a software ISV that actually plays into the manufacturing space as well. So, this particular panel of CIOs and CISOs were actually in a very hard hit industries. And are going to make sure we do two more follow-ups with different industry verticals to make sure we're getting a little bit of a wider berth and collect all of that information in a better way. But coming back to this particular call, the whole reason we did this, and as you know, you spoke to my colleague and friend, Sagar Kadakia, who is the Director of Research for ETR, and we were nimble enough to actually change our survey while it was in the field, to start collecting data on what the real-time impact was on the COVID-19 pandemic. We were able to take that information, extrapolate it, and then say okay let's start reading out to these people and dig deeper. Find out why it's happening and even more so, is it permanent? And which vendors are going to win and which vendors might lose from it. So that was the whole reason we set up the series of calls. We've only conducted on so far. We have another one this coming Tuesday as well with four entirely new panelists that are going to be from different industry verticals because, as you astutely pointed out, these verticals were very hard hit and not all of them are as hard as others. So it's important to get a wider cross-section. >> So, guys let's take a look at some of the budget impacts the anecdotal evidence that we gathered here. So let me just scan through it and then Erik, I'll ask you to comment. So, you know, like Erik said, some hard hit industries. All major projects, anything sort of next-generation, have been essentially shelved. That was the ISV. And then another one, we cut at least 70% of the big projects moving forward. He mentioned ServiceNow actually calls them out, but the ServiceNow is a SaaS company they'll probably, you know, weather the storm here. But he did say we've put that on hold. The best comment, you know, "As-a-service has Saved our SaaS." (Erik laughs) That one's great. And then we're going to get into some of the networking commentary. Some really interesting things about how to support the work from home. You know, kind of shifting from a hardened top into remote workers. And then a lot of commentary on security. So, you know, that's sort of a high level scan and there's just so much information here Erik, but maybe you could sort of summarize on some of that commentary. >> Yeah, we should definitely dig into each of those sectors a little more, but to summarize what we're seeing here was the real winners and losers are clear. Not everyone was prepared to have a work from home strategy. Not everyone was prepared to send their workers out. Their VPN wasn't, they didn't have enough bandwidth. So there was a real quick uptick in spending, but longer term we're starting to see that these changes will become more permanent. So the real winners and losers right now, we're going to see on the loser's side traditional networking. The MPLS networking is in a lot of trouble according to all the data and the commentary that we're seeing. It's expensive, it's difficult to ramp to up bandwidth as quickly as you need and it doesn't support remote. So we're seeing that lose out and the winners there are in the SD-WAN space. It's going to be impossible to ignore that going forward and some of our CIO and CISO panelists said that change will be permanent. Also, we're seeing, at the same time, what they were calling a "SaaS and Cloud". Now, we know these trends obviously were already happening but they're being exacerbated. They're happening even more quickly and more strong. And I don't see that changing any time soon. That, of course, is at the expense of network, I'm sorry, data centers. Whether it be your own or hosted. Which has huge ramifications on on-prem hardware. Even the firewall providers. So what we're seeing here is obviously we know things are going to be impacted by this situation. We didn't necessarily expect all of our community members and IT decision-makers to talk about them being possibly permanent. So that on a high level was something that was extremely interesting. And the last one that I would bring up is that as we make this shift towards working from home, towards remote access, you also have to align yourself with the security that can support that. And one of the things that we're seeing in our data side on ETR, is a widening bifurcation between the next-generation security vendors and the more traditional security or the legacy security players. That bifurcation just keeps getting wider and wider and this situation could be the last straw. >> So I want to follow up on a couple of those things. You're talking about sort of the network shift you know, towards the SD-WAN. What people have described to me is that they got a, you know, a hardened top. It's a hierarchical network. It's very well understood and it's safe, right? And now all of a sudden you got all those remote workers and so you've got to completely soft of rethink your whole network architecture. The other thing I want to drill into is your Cloud commentary. There's a comment that I saw, Erik, that really stood out. One of the folks said, "I would like to see the data centers "be completely deleted, if you will, or closed down." I think we're going to see, you know, a lot more of this obviously. Not only from the standpoint of, and you heard this a lot, the kind of paid by the drink. But just generally getting rid of all that sort of so-called non-differentiated heavy-lifting as we often hear about. >> That is a extreme comment. I don't think everyone feels that way. But, yes, the comment was made and we've heard the comment from other people. As you and I both know, the larger the enterprise the harder that is to go completely SaaS. But yeah, when a situation like this has and see the inflexibility of their on-prem infrastructure, yes it becomes something that really has to be addressed and it can become a permanent change. I was also shocked about that comment. That gentleman also stated that his executives outside of the ITs area, the CEO, the CFO, had never ever, ever wanted to discuss Cloud. They did not want to discuss work from home. They did not want to discuss remote access. He said that conversation has changed immediately and to the credit of the actual IT companies out there, the technology companies, they're doing everything they can with this opportunity to make that happen. >> Yeah, and so you're right the whole work from home conversation. To your point earlier, Erik, big chunks of COVID, the post-COVID world are going to remain permanent. Guys bring up the SaaS slide if you will. The SaaS commentary, "As-a-Service Saved our SaaS." "The wittiest quip award" going to the ETR. You know, but you had, what's very interesting to hear folks, in fact I think somebody even called out, "Hey," you know, "we expected Oracle to," you know, "be auditing us but they're actually being supportive "as is IBM." Salesforce was an interesting common, Erik. One of the folks said they would share accounts on-prem, but when they all do the work from home they had to actually buy some more. You also got Cisco with big props. Microsoft was called out. A lot of organizations actually allowing them to defer payments. So the SaaS vendors actually got very high marks didn't they? >> They really did and even I wrote that summary and it was difficult to write that about Oracle because we all know that they're infamous for auditing their own customers in 2009 right after we came out of financial crisis. They have notoriously been a-- I don't know if they found religion and they decided to be nice to their customers, but every-single person mentioned them as one of the vendors that was actually helping. That was very shocking. And we all know that when bad situations happen people become opportunistic. And right now it's really seeming that the SaaS vendors understand that they need a longterm relationship with these customers and they're being altruistic instead. Which is really nice. >> Yeah I think that anybody with a Cloud realizes that hey, we have an opportunity here that the lifetime value of that customer, whereas maybe in 2009 when Oracle didn't have a Cloud, they had to get people in a headlock to try to persevere their, you know, income statement. Let's go to the networking drill down guys, that next slide because Fortinet, some of the things we've been reporting on is the sort of divergence in evaluations between Fortinet and Palo Alto before this whole thing hit, Fortinet has done a really good job with its Cloud offerings. Palo Alto struggles a little bit with trying to figure out the sales compensation, is maybe a little bit behind. Although both companies got strong props and I've talked to a number of customers, Palo Alto is going to be in the mix. Fortinet, from a Cloud standpoint, seems to be doing quite well? Obviously networking, Cisco is the big gorilla there. But we also got call outs from guys like Trend Micro which was interesting, from some of the folks. So, your thoughts on this Erik. >> Yeah, I'll start on the networking side because this is something that I've really, I've dug into quite amount, in not only this panel, but a lot of interviews and it really seems as if as networking refresh starts to come up, and it's coming up with a lot of large enterprises, when your network refresh comes up people are going to do an RFP for SD-WAN. They are sick and tired of paying MPLS network vendors and they really want to look at something else. That was even prior to this situation. Now what we're hearing is this is a permanent change. I particularly had one person say, I wanted to find this quote real quickly if I can, but basically they basically saying that, "From a permanency perspective, the freedom from MTLS "will reduce our networks spend by over half "while more than doubling or tripling our bandwidth." You can't ignore that. You're going to save me money and triple my bandwidth, and hey by the way, my refresh is due. It's something that's coming and it's going to happen. And yes, you mentioned the few right? There's Viptela, there's Velocloud, there's some big players like Cisco. The Palo Alto just acquired CloudGenix in the midst of all of this. They just went and got an SD-WAN player themselves. And they just keep acquiring a portfolio to shift from their on-prem to next-generation. It's going to take some time, because 70% plus of their revenues is still on-prem hardware, but I do believe that their portfolio that they're creating is the way the world is moving. And that's just one comment on the traditional networking versus the next-generation SD-WAN. >> And the customers have indicated, you know it's not easy just to get off of their MPLS network. I mean it takes time, it's like slowly pulling of the bandaid. But, like many things, COVID-19 is sort of accelerating that. We haven't talked about digital transformation. That came up as a maybe more strategic initiative. But one that very clearly has legs. >> You know, David, it's very simple. You just said it. People, when things are going well and they're comfortable, they don't change. And that's the same for an enterpriser company. Hey, everything's great, our revenue's fine. Why would we do this? We'll worry about that next year. Then something like this happens and you realize wow, we've been dragging our feet. That digital transformation that we've been talking about, and we've been a little bit slow to accept, we need to accept it, we need to move now. And yes, it was another one of the major themes and it sounds silly for researchers like you and I because we know this is a theme. We know Clouded option is there, we know digital transformation is there. But, there are still a lot of people that haven't moved as quickly as they should and this is going to be that final catalyst to get them there, without a doubt. Quickly on your point of Fortinet, I was actually very impressed with the commentary that came from that because Fortinet is sometimes one of those names that you think of that maybe plays in a smaller pool or isn't as big as some of the 800 pound gorillas out there. But in other other interviews besides this I've heard the phrase coined of "Forti-everything". So through RND and through acquisition, Fortinet has really expanded the portfolio and right now is their time to shine because when you have smaller satellite, you know, offices and branches that you need to connect, they're really, really good at it. And you don't always want to call a Palo Alto and pay that price when you have smaller branch offices. And I actually, I was glad you brought up Fortinet because it's not a name that we get to herald that often and it was deserving from this panel. >> Yeah and, you know, companies that can secure gateways, secure endpoints, obviously going to have momentum. Zscaler came up, you know I think that, and I'll tell ya, looking at, I've done a couple of breaking analysis on security and Fortinet has been strong in two dimensions. You know ETR is, as our audience is I think getting to know. We really look at two key metrics. One is net score, which is a measure of spending momentum, and the other is market share, which is a measure of pervasiveness. And companies like Fortinet, in security, show up on both of those dimensions so it's notable. >> Yes, it certainly is, it is. And I'm glad you brought up Zscaler too. Very recently by client request, we did a very in-depth research on Zscaler versus Palo Alto Prisma Access and they were very interested. This was before all this happened, you know. Does Palo Alto have a chance of catching up, taking share from Zscaler. And I've had the pleasure, myself, personally hosting Jay the CEO of Zscaler at an event in New York City. And I have nothing but incredible respect for the company. But what we found out through this research is Zscaler, at the moment, their technology is still ahead, according to their answers. There's no doubt. However, there doesn't seem to be any real secret sauce that will stop Palo Alto from catching up. So we do believe the parody of feature set will shrink over time. And then it will come down to Palo Alto obviously has a wider and user base. Now, what's happening today might change that. Because if I had to make a decision right now, for my company on secure web gateway, I'm still probably going to go to Zscaler. It's the name. If I had to choose that in a year from now, Palo Alto might have had a better chance. So in this panel, as you brought up, Zscaler was mentioned numerous times as just the wave of the future. Along with CASB brokers right? Whether you're talking about a Netskoper or Forcepointer. All those people that also play in CASB space to secure your access. Zero trust is no longer a marketing-hype term. It is real and it is becoming more real by the week. >> And so, I want to kind of end on one of the other comments that really struck me because we're constantly talking about okay, do you go with a portfolio of a suite of services or do you go with best of breed? What about startups? Are startups more risky in a crisis like this? And one of your panelists, I just love this comment, he said, "One of things that I've always done," he said, "You always hear about the guy, "oh we're going to go to the gardener, we're going to "check out the magic water, we'll pick out three guys "in the upper right hand corner and test them out." He says, "One of the things I always like to do, "I'll pick two from the upper right "and I'll take one from the lower left." One of the emerging, text, "And I'll give em a shot." It won't win every time, but then he called out FireEye as one of the organizations that he found early that gave them competitive advantage. >> Right. >> Love that comment. >> It's a great comment. And honestly if you're in charge of procurement you'd be stupid not to do that. Not only just to see what the technology is, but now I can play you off the big guys because I have negotiating leverage and I can say oh, well I could always just take their contract. So it's silly not to do it from a business perspective. But from technology perspective, what we kept hearing from these people with the smaller vendors. My partner Peter Steube, my colleague and I, we did the host together, we asked this question really believing that the financial insecurity of the moment and the times would make smaller vendors not viable. We heard the exact opposite. What our panelists said was, "No, I'd be happy "to work with a smaller vendor right now "because they're going to give me pricing flexibility, "they're going to work with me right now. "I don't need to pay them upfront "because we're seeing a permanent shift from CapEx to OpEX, "and the smaller vendors are willing to work with me and I can pay them later." So we were actually surprised to hear that and glad to hear it because, to connect to your other point, the other person who was talking about security and the platform approach versus best of breed, he said "Listen, platform approaches you're already "with the vendor, you can bundle a little bit. "But the problem is, if you're just going to acquire "a new technology every time there's a new threat, "the bad guys are just going to switch the threat. "And you can't acquire indefinitely. "So therefore, best of breed with security "will always beat platform." And that's kind of a message to Palo Alto and Cisco, in my opinion, because they seem to be the ones fighting that out. Even Microsoft now, trying to say they're a platform approach in security. >> Well and this says to me the security business, as we predicted, is going to stay fragmented because you're still going to get that best of breed. You know, just like Cloud is going to be fragmented and it's, you know, multiple vendors. Ever since I've been in this business people are trying to consolidate the number of vendors, but technology moves so quickly, it gives competitive advantage. Erik, awesome! Thank you so much for joining us. I'm looking forward to next Tuesday with the next vendor and love to have you back and talk about it anytime. You're a great guest, thanks so much. >> Certainly, I'll do my best to get a better AV connection the next time guys, I apologize for that. But it was great talking to you tonight. >> Hey we're all learning, you know so, thank you everybody for watching, this is Dave Vellante for theCUBE and we'll see you next time. (upbeat music)

>> Announcer: From San Francisco, it's theCUBE, covering GitLab Commit 2020. Brought to you by GitLab. >> Hi and welcome to CUBE's coverage of GitLab Commit 2020. We're here in San Francisco, actually, the first CUBE event of the year, and I'm Stu Miniman here with John Furrier, the founder of SiliconANGLE, one of our main CUBE hosts. John, always great to kick off the year with you, and of course, we're digging in on the developer world, cloud native. Nothing better than, you know, the opening keynote talks about, you know, there's a line we've been talking for years, software's eating the world and what are the ripples that are happening on. So, Tom, great to see you, and how come it's so cold here in San Francisco? I mean, I could be back in Boston. >> Coldest winter. I've spent summers here years ago, but it's not summer anymore. But Stu, it's football playoffs. Patriots aren't in, so sorry to hear that our Pats didn't make it. But great to see you. I think one of the things this year in 2020, a new decade, 10 years of theCUBE, looking back, we have been on all the major developer waves since 2010. We jumped on the Hadoop wave with Cloudera. We saw the beginning of that wave of OpenStack to cloud, Kubernetes, containers, the whole nine yards. We've been in the developer community. But this year, cloud native not only is going to continue that expansion of developer CUBE action, but the cross-connect with mainstream, and this is to me the biggest trend of the next 20 years is going to be the open systems model of cloud, just like the open systems interconnect in the '80s created a whole new computer industry, changed the landscape, changed the value proposition, this year, I think we're going to start to see real visibility of value creation where the developers are not just the cliche of the value proposition. That's the cliche. Oh yeah, developers (mumbles). No, no, this is a whole nother game change. With CloudScale, with data, with AI, you're seeing again the importance of this. I think cloud native represents to me that next generation, because with multicloud, there are new criterias out there for success, new requirements. Same game, writing software. Whole new dynamic. Networking, Stu. >> Yeah. >> Compute. >> Yeah, John, and I love actually, I think this was a great show to help us kick it off because you talked about those mega waves out there. We've been watching the growth of some of the huge platforms. AWS was on the keynote stage this morning, Google is doing the closing keynote, and of course one of the major acquisitions, you know, in the relatively recent past was Microsoft buying GitHub. And so we know that developers are so important, but the message we heard from GitLab is it's not about silos anymore. They said not only the dev, the sec, and the ops, but finance and marketing. Everyone needs to get on the same page. GitLab's vision, of course, is that everyone should be using the same tools. That was something that I heard, that we both heard last year at AnsibleFest, that if you're in the same tools, sharing the same information, in the same communication channels, you're going to be able to move fast, and that is what companies need to do. They need to be able to react fast. The business should be able to move. Those software cycles need to be shortened. And that's the mission and the big goal that GitLab has, and I think it's representative of the wave we've been seeing. >> Let's get into the keynote analysis, but before we get to that, I want to, you brought up a point about GitHub. I think there's a real dynamic of GitHub being acquired by Microsoft for many reasons. One is Microsoft's got this cloud called Azure, and not the only cloud in town. Amazon has AWS. And so multicloud is going to be a theme we're going to see more and more of. And so this idea of open and transparent community in open source is interesting in a world where everyone's siloing. I mean, let's face it, GitHub is owned by Microsoft. LinkedIn was acquired by Microsoft. You're starting to see the walled garden world come back again where data is really valuable. And so what's interesting to see is you're seeing a company with GitLab, really one of the first ones to say, "Hey, you know what? "We're going to be anti-walled garden. "We're going to be open. "We're going to be transparent." And again, integrated platform. The cloud is demanding companies have integration requirements that are well above what we saw years ago, and this is now a new table stake. This to me is the real walkaway. What's your thoughts on the GitLab keynote and those industry dynamics? >> Yeah, some great points there, John. Right, first of all, open, fully open. You know, the CEO and the CMO, some of the things they were talking about is sometimes the team doesn't know who's doing the contribution because they're getting regular contribution. They said, "Hey, I didn't see them in the group." Oh wait, that's a customer, that's a partner, someone from the outside doing it. Fully open and transparent and remote. They now have over 1100 employees. Four years ago there were nine of them. And it is fully remote. Actually, do a little compare and contrast. Talk about Amazon. John, how many people do we know that have joined Amazon, and the first thing you do is you move to Seattle, because that's just where they have. Now, of course they've got multiple locations. They've got thousands of employees down in DC, in Massachusetts, in New York City, all over the place, but the core decision-making, even though they are very distributed, Seattle is where everything happens. That's where most of the people live. So GitLab, not only is the company remote, but that's the tooling that they've built really is to enable people to work wherever they are. From GitLab's standpoint, they said hey, we have, one of our software people, she lives in New Zealand, and she has her own power. She's completely off the grid except for her internet. As long as she has internet, she can contribute to the team and participate in the building of GitLab. So it's fascinating. You know, we've talked for years ago the future of work and how that happens. So the tooling as enablement not only to allow everybody to work together, but work together wherever they are and that remote capability, and it is very challenging. You know, we watched Zoom IPO last year, and they're trying to help with that whole wave, but we know that there's a challenging dynamic of being able to work wherever you are. >> So they brought up some stats, interesting. Scale and integration are a big theme. Looks like GitLab's getting it. They made some good calls. Have integration, very friendly integration, very open. And they're essentially consolidating a lot of the different tool chains out there. You look at Jenkins and other things out there, from continuous integration and variety through now mainstream. They got 1100 employees, okay. They got a valuation of $2 billion. They just raised $436 million. They have cash on hand of 350 million and they're going to do revenue. So you have essentially scale in GitLab with an integration story which the cloud guys are being forced. That's my opinion. Do you agree with that and do you think that GitLab can continue the pace of growth given where they're at? >> Well, John, they have something that everybody wants. It's that recurring revenue. So in February 2020, they will have passed the 100 million of ARR, and they've announced that they're going to IPO later this year. We're going to have the CEO on later. I'm a little surprised how fast they are looking to IPO, John. We've seen so many companies that not only do they do big raises, but it's not $100 million, it's two or $300 million. You know, when do you have profitability? When do you go public? So I'm a little curious why there's almost a race for GitLab to go IPO. But absolutely they are catching a lot of these waves. When GitHub was taken off the table, boy did I see Google moving fast to work closer with them. It's no coincidence that Amazon is here, because there's been a little bit of concern from GitHub as to, oh, if I'm doing GitHub, does that mean that I'm kind of being pushed closer to Microsoft Azure, as you said, that cloud. I've read recently GitHub's trying to make sure that they stay independent. We know the GitHub team. And the other big thing we saw is GitLab, about three years ago, they really differentiated themself. They are not just a GitHub alternative. You talked about Jenkins. The CICD is a huge piece of what they're doing. The source code management and CICD, putting those together are the core of what they're doing, but they're trying to be a single tool chain. Boy, when I look at the, you know, the mesh of tooling that GitLab kind of is poking at a little bit, we know a lot of these companies. Some of them are public. Some of them are unicorns. You know, to say that, oh, well, we're going to all of your security chaining. We know how deep and gnarly the security world is. But GitLab, being open, they're going to partner with all of these environments. It's not that you can only use the GitLab pieces. But the audacious goal to say that they are going to be kind of the one tool chain to rule them all is a good goal. I'm hugely supportive my entire career of trying to get rid of silos. But we know that you're still going to have corner cases and use cases that I'm going to need to go deeper. I'm still going to use those best of breeds. And that's one of the things that we're going to look at this year, John, that platform, just like I could go all in on AWS, but I'm still going to use lots of tools on Amazon and I'm going to use other clouds. >> What's your take on, great analysis, by the way. What's your take on as cloud native becomes multicloud where you got edge developing, we got outposts. You're seeing Azure with their stuff. Outposts is Amazon. You now have more pressure on speed and agility than ever before. How does GitLab's story play well into that, and as enterprises have to be faster. Not just enterprises, service providers. There's other new companies doing more cloud and on-premises and edge, AKA multicloud, too. >> Yeah, so I actually, I loved the problem statement that they nailed with talking about the tool chain that's out there is they said more than 50% of devops time is wasted on logistics and repetitive tasks. And John, if you talk about multicloud, it's not just simple to say, "Oh, hey, I threw in a Kubernetes layer "and therefore I can move from my Auzre "to my GCP to my AWS." That's not how it works. I have all the underlying things. I have the interface. That tool and user interface knowledge is challenging to overcome. There are some tools like GitLab, of course, that help me span across those environments. HashiCorp is here at the show, a partner of GitLab. I was just meeting with them recently. And of course, they're going to spread across the multiple cloud environments. But that is really where the meat on the bone is, John, if you talk about multicloud and cloud native. Where are these pieces that can help customers make sure that I'm not too deeply locked into one environment and still being able to leverage the various services that I might want to use across multiple clouds. >> Yeah, I mean, to me, the big takeaway, Stu, on the keynote I made in my notes here is that what I was impressed with is, obviously the transparency that they have is, I love the openness. You know, I mean, this whole silo thing's definitely real. You're seeing more and more. So open and transparent's key. But when you look at what they really have here is the integration story, and cloud is forcing that, in my opinion. But they announced what they call a complete devops platform delivered as a single application, from manage, plan, create, verify, package, secure, release, configure, monitor, and defend. The spectrum of a devops platform. So that to me, I think, is the step that needs to be taken. The question I have is how real is it, in your opinion? Is that what a lot of other people are saying that they have? What's your analysis of that story, reality, legit, and what's their prospects? >> Yeah, well, definitely GitLab has great adoption. The two pieces is the SCM and the CI are the core of what they're doing, and they know that's where people usually kind of walk in the door. Then they kind of land and they look to expand from that. GitLab's made a number of acquisitions, and from 2020, they are going to really double down on making sure that they dig deeper into some of those environments, especially security, planning, and ops were the three priorities that they had there. So, you know, John, we know when you talk about you're trying to be all things to all people, there are going to be things that you will do well and things that you can do great, but, so it is an audacious goal, and with a broad community supporting it. >> Well, we know, you've reported on this and we've told stories about it is that if there's too many tools in an enterprise, you have this tool shed effect where there's no real platform around it, and I call it a tool shed, but if you have too many tools laying around, they're not cohesively integrated, that's a problem that becomes tool sprawl. So this has become an issue. We saw it in the big data world. We saw unification as a strategy for that. Databricks, for example, is a great example of one company that's taken advantage of that trend. Is there a tool problem in the dev space that GitLab's taken advantage of? >> Absolutely, John. And I think something we're going to dig in deep today, we've got a couple of practitioners on, we've got the partners, we've got the executive team from GitLab. John, thank you so much for helping me kick off GitLab Commit 2020 and a massive schedule of theCUBE coverage throughout the entire cloud native multicloud ecosystem. All right, be sure to check out thecube.net for all of the shows that we will be out in 2020 as well as a tremendous back catalog that you can search. For John Furrier, I'm Stu Miniman. Thank you for watching theCUBE. (electronic music)

>> From Cambridge, Massachusetts, it's theCUBE covering MIT Chief Data Officer and Information Quality Symposium 2019 brought to you by SiliconANGLE Media. (upbeat techno music) >> Hi everybody, welcome back to Cambridge, Massachusetts. You're watching theCUBE, the leader in tech coverage. We go out to the events. We extract the signal from the noise, and we're here at the MIT CDOIQ Conference, Chief Data Officer Information Quality Conference. It is the 13th year here at the Tang building. We've outgrown this building and have to move next year. It's fire marshal full. Gokula Mishra is here. He is the Senior Director of Global Data and Analytics and Supply Chain-- >> Formerly. Former, former Senior Director. >> Former! I'm sorry. It's former Senior Director of Global Data Analytics and Supply Chain at McDonald's. Oh, I didn't know that. I apologize my friend. Well, welcome back to theCUBE. We met when you were at Oracle doing data. So you've left that, you're on to your next big thing. >> Yes, thinking through it. >> Fantastic, now let's start with your career. You've had, so you just recently left McDonald's. I met you when you were at Oracle, so you cut over to the dark side for a while, and then before that, I mean, you've been a practitioner all your life, so take us through sort of your background. >> Yeah, I mean my beginning was really with a company called Tata Burroughs. Those days we did not have a lot of work getting done in India. We used to send people to U.S. so I was one of the pioneers of the whole industry, coming here and working on very interesting projects. But I was lucky to be working on mostly data analytics related work, joined a great company called CS Associates. I did my Master's at Northwestern. In fact, my thesis was intelligent databases. So, building AI into the databases and from there on I have been with Booz Allen, Oracle, HP, TransUnion, I also run my own company, and Sierra Atlantic, which is part of Hitachi, and McDonald's. >> Awesome, so let's talk about use of data. It's evolved dramatically as we know. One of the themes in this conference over the years has been sort of, I said yesterday, the Chief Data Officer role emerged from the ashes of sort of governance, kind of back office information quality compliance, and then ascended with the tailwind of the Big Data meme, and it's kind of come full circle. People are realizing actually to get value out of data, you have to have information quality. So those two worlds have collided together, and you've also seen the ascendancy of the Chief Digital Officer who has really taken a front and center role in some of the more strategic and revenue generating initiatives, and in some ways the Chief Data Officer has been a supporting role to that, providing the quality, providing the compliance, the governance, and the data modeling and analytics, and a component of it. First of all, is that a fair assessment? How do you see the way in which the use of data has evolved over the last 10 years? >> So to me, primarily, the use of data was, in my mind, mostly around financial reporting. So, anything that companies needed to run their company, any metrics they needed, any data they needed. So, if you look at all the reporting that used to happen it's primarily around metrics that are financials, whether it's around finances around operations, finances around marketing effort, finances around reporting if it's a public company reporting to the market. That's where the focus was, and so therefore a lot of the data that was not needed for financial reporting was what we call nowadays dark data. This is data we collect but don't do anything with it. Then, as the capability of the computing, and the storage, and new technologies, and new techniques evolve, and are able to handle more variety and more volume of data, then people quickly realize how much potential they have in the other data outside of the financial reporting data that they can utilize too. So, some of the pioneers leverage that and actually improved a lot in their efficiency of operations, came out with innovation. You know, GE comes to mind as one of the companies that actually leverage data early on, and number of other companies. Obviously, you look at today data has been, it's defining some of the multi-billion dollar company and all they have is data. >> Well, Facebook, Google, Amazon, Microsoft. >> Exactly. >> Apple, I mean Apple obviously makes stuff, but those other companies, they're data companies. I mean largely, and those five companies have the highest market value on the U.S. stock exchange. They've surpassed all the other big leaders, even Berkshire Hathaway. >> So now, what is happening is because the market changes, the forces that are changing the behavior of our consumers and customers, which I talked about which is everyone now is digitally engaging with each other. What that does is all the experiences now are being captured digitally, all the services are being captured digitally, all the products are creating a lot of digital exhaust of data and so now companies have to pay attention to engage with their customers and partners digitally. Therefore, they have to make sure that they're leveraging data and analytics in doing so. The other thing that has changed is the time to decision to the time to act on the data inside that you get is shrinking, and shrinking, and shrinking, so a lot more decision-making is now going real time. Therefore, you have a situation now, you have the capability, you have the technology, you have the data now, you have to make sure that you convert that in what I call programmatic kind of data decision-making. Obviously, there are people involved in more strategic decision-making. So, that's more manual, but at the operational level, it's going more programmatic decision-making. >> Okay, I want to talk, By the way, I've seen a stat, I don't know if you can confirm this, that 80% of the data that's out there today is dark data or it's data that's behind a firewall or not searchable, not open to Google's crawlers. So, there's a lot of value there-- >> So, I would say that percent is declining over time as companies have realized the value of data. So, more and more companies are removing the silos, bringing those dark data out. I think the key to that is companies being able to value their data, and as soon as they are able to value their data, they are able to leverage a lot of the data. I still believe there's a large percent still not used or accessed in companies. >> Well, and of course you talked a lot about data monetization. Doug Laney, who's an expert in that topic, we had Doug on a couple years ago when he, just after, he wrote Infonomics. He was on yesterday. He's got a very detailed prescription as to, he makes strong cases as to why data should be valued like an asset. I don't think anybody really disagrees with that, but then he gave kind of a how-to-do-it, which will, somewhat, make your eyes bleed, but it was really well thought out, as you know. But you talked a lot about data monetization, you talked about a number of ways in which data can contribute to monetization. Revenue, cost reduction, efficiency, risk, and innovation. Revenue and cost is obvious. I mean, that's where the starting point is. Efficiency is interesting. I look at efficiency as kind of a doing more with less but it's sort of a cost reduction, but explain why it's not in the cost bucket, it's different. >> So, it is first starts with doing what we do today cheaper, better, faster, and doing more comes after that because if you don't understand, and data is the way to understand how your current processes work, you will not take the first step. So, to take the first step is to understand how can I do this process faster, and then you focus on cheaper, and then you focus on better. Of course, faster is because of some of the market forces and customer behavior that's driving you to do that process faster. >> Okay, and then the other one was risk reduction. I think that makes a lot of sense here. Actually, let me go back. So, one of the key pieces of it, of efficiency is time to value. So, if you can compress the time, or accelerate the time and you get the value that means more cash in house faster, whether it's cost reduction or-- >> And the other aspect you look at is, can you automate more of the processes, and in that way it can be faster. >> And that hits the income statement as well because you're reducing headcount cost of your, maybe not reducing headcount cost, but you're getting more out of different, out ahead you're reallocating them to more strategic initiatives. Everybody says that but the reality is you hire less people because you just automated. And then, risk reduction, so the degree to which you can lower your expected loss. That's just instead thinking in insurance terms, that's tangible value so certainly to large corporations, but even midsize and small corporations. Innovation, I thought was a good one, but maybe you could use an example of, give us an example of how in your career you've seen data contribute to innovation. >> So, I'll give an example of oil and gas industry. If you look at speed of innovation in the oil and gas industry, they were all paper-based. I don't know how much you know about drilling. A lot of the assets that goes into figuring out where to drill, how to drill, and actually drilling and then taking the oil or gas out, and of course selling it to make money. All of those processes were paper based. So, if you can imagine trying to optimize a paper-based innovation, it's very hard. Not only that, it's very, very by itself because it's on paper, it's in someone's drawer or file. So, it's siloed by design and so one thing that the industry has gone through, they recognize that they have to optimize the processes to be better, to innovate, to find, for example, shale gas was a result output of digitizing the processes because otherwise you can't drill faster, cheaper, better to leverage the shale gas drilling that they did. So, the industry went through actually digitizing a lot of the paper assets. So, they went from not having data to knowingly creating the data that they can use to optimize the process and then in the process they're innovating new ways to drill the oil well cheaper, better, faster. >> In the early days of oil exploration in the U.S. go back to the Osage Indian tribe in northern Oklahoma, and they brilliantly, when they got shuttled around, they pushed him out of Kansas and they negotiated with the U.S. government that they maintain the mineral rights and so they became very, very wealthy. In fact, at one point they were the wealthiest per capita individuals in the entire world, and they used to hold auctions for various drilling rights. So, it was all gut feel, all the oil barons would train in, and they would have an auction, and it was, again, it was gut feel as to which areas were the best, and then of course they evolved, you remember it used to be you drill a little hole, no oil, drill a hole, no oil, drill a hole. >> You know how much that cost? >> Yeah, the expense is enormous right? >> It can vary from 10 to 20 million dollars. >> Just a giant expense. So, now today fast-forward to this century, and you're seeing much more sophisticated-- >> Yeah, I can give you another example in pharmaceutical. They develop new drugs, it's a long process. So, one of the initial process is to figure out what molecules this would be exploring in the next step, and you could have thousand different combination of molecules that could treat a particular condition, and now they with digitization and data analytics, they're able to do this in a virtual world, kind of creating a virtual lab where they can test out thousands of molecules. And then, once they can bring it down to a fewer, then the physical aspect of that starts. Think about innovation really shrinking their processes. >> All right, well I want to say this about clouds. You made the statement in your keynote that how many people out there think cloud is cheaper, or maybe you even said cheap, but cheaper I inferred cheaper than an on-prem, and so it was a loaded question so nobody put their hand up they're afraid, but I put my hand up because we don't have any IT. We used to have IT. It was a nightmare. So, for us it's better but in your experience, I think I'm inferring correctly that you had meant cheaper than on-prem, and certainly we talked to many practitioners who have large systems that when they lift and shift to the cloud, they don't change their operating model, they don't really change anything, they get a bill at the end of the month, and they go "What did this really do for us?" And I think that's what you mean-- >> So what I mean, let me make it clear, is that there are certain use cases that cloud is and, as you saw, that people did raise their hand saying "Yeah, I have use cases where cloud is cheaper." I think you need to look at the whole thing. Cost is one aspect. The flexibility and agility of being able to do things is another aspect. For example, if you have a situation where your stakeholder want to do something for three weeks, and they need five times the computing power, and the data that they are buying from outside to do that experiment. Now, imagine doing that in a physical war. It's going to take a long time just to procure and get the physical boxes, and then you'll be able to do it. In cloud, you can enable that, you can get GPUs depending on what problem we are trying to solve. That's another benefit. You can get the fit for purpose computing environment to that and so there are a lot of flexibility, agility all of that. It's a new way of managing it so people need to pay attention to the cost because it will add to the cost. The other thing I will point out is that if you go to the public cloud, because they make it cheaper, because they have hundreds and thousands of this canned CPU. This much computing power, this much memory, this much disk, this much connectivity, and they build thousands of them, and that's why it's cheaper. Well, if your need is something that's very unique and they don't have it, that's when it becomes a problem. Either you need more of those and the cost will be higher. So, now we are getting to the IOT war. The volume of data is growing so much, and the type of processing that you need to do is becoming more real-time, and you can't just move all this bulk of data, and then bring it back, and move the data back and forth. You need a special type of computing, which is at the, what Amazon calls it, adds computing. And the industry is kind of trying to design it. So, that is an example of hybrid computing evolving out of a cloud or out of the necessity that you need special purpose computing environment to deal with new situations, and all of it can't be in the cloud. >> I mean, I would argue, well I guess Microsoft with Azure Stack was kind of the first, although not really. Now, they're there but I would say Oracle, your former company, was the first one to say "Okay, we're going to put the exact same infrastructure on prem as we have in the public cloud." Oracle, I would say, was the first to truly do that-- >> They were doing hybrid computing. >> You now see Amazon with outposts has done the same, Google kind of has similar approach as Azure, and so it's clear that hybrid is here to stay, at least for some period of time. I think the cloud guys probably believe that ultimately it's all going to go to the cloud. We'll see it's going to be a long, long time before that happens. Okay! I'll give you last thoughts on this conference. You've been here before? Or is this your first one? >> This is my first one. >> Okay, so your takeaways, your thoughts, things you might-- >> I am very impressed. I'm a practitioner and finding so many practitioners coming from so many different backgrounds and industries. It's very, very enlightening to listen to their journey, their story, their learnings in terms of what works and what doesn't work. It is really invaluable. >> Yeah, I tell you this, it's always a highlight of our season and Gokula, thank you very much for coming on theCUBE. It was great to see you. >> Thank you. >> You're welcome. All right, keep it right there everybody. We'll be back with our next guest, Dave Vellante. Paul Gillin is in the house. You're watching theCUBE from MIT. Be right back! (upbeat techno music)

>> Announcer: Live from San Diego California, it's The Cube. Covering Cisco Live US 2019. Brought to you by Cisco, and it's ecosystem partners. >> Welcome back to The Cube. Lisa Martin with Stu Miniman. Day three of our coverage of Cisco Live. We're pleased to welcome to TheCube, Keith Griffin, Principal Engineer Collaboration from Cisco. Keith, good morning Welcome. >> Morning. Thanks for having me. >> So, lots of announcements this morning, or this week with respect to collaboration, cognitive collaboration. Webex intelligence a lot of Webex users out there. Walk us through Webex intelligence. >> Keith Griffin: Sure well Webex Intelligence and Cognitive Collaboration, it brings together a set of underlying AI and machine learning, that technologies, we loosely break them down into four areas. Relationship intelligence, which is were people insights would sit. Computer vision, where we would see our face recognition and name labels for meetings. Multi-modal bots and assistance where we would have our Webex assistant offer, and audio and speech technologies where we've got some interesting features like noise detection in meetings when you've got those like annoying dogs barking in the background when your having your meeting, and also something that we were just about to release meeting transcription, so that you can no longer have to take meeting notes and our intelligence platform will take the notes for you. >> Stu Miniman: - All right, so Keith Lisa and I did enterprise connect earlier and it's amazing some of the things that are happening. You talk about you know cloud and AI coming into meetings. Part of me is a little worried. I worked in telcom back in the 90's and it feels like in may ways in the last 20 years, we haven't got beyond the, Okay in the first 10 minutes of the meeting, let's make sure everybody's in are the right people talking, are the right people muted, I mean the machines are going to make this really easy for us so that we can stop the human people messing it up right? >> Exactly, exactly and one of the things that's interesting about that, well actually one thing I'll say is that I also can from telecom's in the 90's, I've seen that journey all the way through, and I'm still six to eight minutes late for meetings when I start them and I'd love to blame the technology and lots of people do but let's face it, hands up we're factors in this as well. We have the most amazing non cognitive features like one button to push. A single green button I just have to push that to start the meeting, but guess what I have to don't do? I don't push the button 'cause I'm setting up my laptop, or I'm taking my coat off or I'm generally getting settled in. So the technology assistance at this stage is really good. And what we wanted to do was look at, how can we take the friction out of joining a meeting even when we've got such a simple experience, and we found out things like Webex Assistance where I can just speak to the system definitely does that. It speeds the access to the meeting, but one of the things we tried out with Webex Assistance which were just about the release was call proactive mode. Now proactive mode was where I don't even have to say okay Webex join the meeting. It says to me, "Hey Keith looks like your ready to start your meeting, will I get it started for you." I simply say "yes", and while I'm setting up my laptop and taking off my coat, where were right in on getting the meeting going, and that was something we came across during our early field trials and we saw a huge adoption for customers so we go right on developing that it's going to be available soon. >> One of the things that Stu mentioned we were at Enterprise Connect a couple of months ago, Amy Chain, one of my favorite key notes, she's so animated. I know she was on stage yesterday. She announced people insights a couple of months ago. Let's kind of dig into that as the relationship intelligence. What does that mean, what does that enable, and how is that an enabler of reducing friction? >> Yeah, it's really, it's really on multiple levels I think, there's the before the meeting experience and then during the meeting. So one of the things that we found through a survey that we just recently completed was that, I don't was to misquote it but there was healthy percentage of people I'm going to guess at about 40-45% that spend a significant amount of time before a meeting googling and figuring out who they are meeting with. To try and find out more to have that connection when they get to the meeting. So what if we could just dynamically do that, and there was no need to go search or spend time ahead of the meeting, so that's one area of friction reduced or removed, so you can go right in there and you've got that personalized briefing for the meeting itself. >> So what do I see, is this.., I'm logging into Webex, or is it before the meeting and it, what kind of information about the person I'm talking to does it populate for me? >> Yeah so in the meeting itself, on your roster, you can click on a new icon that's beside the participant, and you can find out public profile information about the user, that's on the meeting, as well as their corporate directory information, if you're in that organization, and also news about their company, so I would have the latest Cisco news and just a general description of what our company does, and if I'm meeting with somebody else, they see that about me, they see my education background, and anything else I choose to offer, and choice is important, the fact that me as an end user, I'm in control of that, I'm in control of that data, I can edit it, I can hide it, I can delete it, I think that's really critical, in this era of data privacy and machine learning eccentric solutions, so that's how it happens in the meeting itself, and we're looking more also at personalized briefings and looking at how we can bring that forward, and also looking at areas like, how we could bring that into the video experience, you don't want to clutter the video experience with all this information, but it would be nice to have something more than even a name label which is useful to have, maybe a title or role or something like that, so we're looking at bringing that across the entire portfolio. >> All right, so Keith, you brought up data privacy, I want you to talk a little bit about some of the other products outside of just, you know, the base Webex, when you talk about things like facial recognition, where is that today, we know is hot button topic, you know, what are seeing and what are the request you're getting from customers. >> Yeah, we're pretty close to be able to release face recognition for name labels and meetings, and the goal of the feature, as the name suggest, is just simply to put a name label on the user, so you have that more personal connection, in the meeting. We're taking our time with the feature, because we want to get the data privacy right from the beginning, it's not something I feel you can add afterwards, you have to have a strong data privacy posture, right from the beginning, so the types of steps that we've taken, are to make sure that this is a disabled feature, so an IT admin must op the organization in, and then individual users must also enroll, and that enrollment step does two things, one, it gives a picture so that we can calculate the mathematical representation of the user for that matching, but also it offers the user the opportunity to consent to their face being used in the system, and that's really critical again back to that point about users being in control of their data, and at any point, they can go back to that, and decide I want to add a new photo, maybe I want to something like a photo with no glasses or with glasses, or with a beard or without a beard to make the system more accurate, but they can go in their and have complete control over that, hide their labels, whatever it is they would want to do. >> Keith, just a follow-up on that, maybe give us, you know, what difference is Webex from some of the other solutions out there when it comes to security and data privacy, there's a lot of new players out there, you know, how does Cisco look at themselves, versus the rest of the floor. >> Yeah, there's a lot of differentiators, probably longer than we would have time for today, but if I take face recognition for example, a lot of those user controls are really critical and important, the way that we can leverage the devices as well as the cloud, I think is a really critical aspect of that, if I think about something like, or noise detection which we haven't talked about from a data privacy point of view, we do that in the device or on the Webex client, not streaming to the cloud, and the idea is to reduce that creep factor at every aspect that we possibly can, right, so addressing data privacy mitigation at every single point, there's no single solution, I think, for it, so when you combine the user controls, where you implement the feature, how you implement the feature, and you roll of that up, it becomes a fairly significant differentiator, I did a session here yesterday, where it was exclusively on data privacy, and I couldn't even present my slides, it turned into an interview, I just stood and answered questions for the hour because people are so interested in this, but the feedback that I got was our posture on data privacy is something that makes the solutions deployable for enterprise customers, and it was great to get that feedback, we've worked hard at it, and we've continued to do that, I think it's something that we actually need to lead with as much as the features themselves. >> So as we look at the Webex platform, and all of the expansions that Cisco has done, one of the biggest complaints with collaboration that we all have as workers is this overload of collaboration apps, and switching back and forth between, Webex and Slack and email and text and all these things, talk to us about what you guys have done to mitigate that, and make Webex a more broad portfolio that would be a greater facilitator of less friction in collaboration. >> Well, that's a really interesting area to talk about, because there's two ways that maybe I would look at that, one is that, from a platform point of view, I think it's no longer good enough to just have phenomenal video and phenomenal audio, and phenomenal share, we have to make sure that we got this intelligent and contextual experience that's woven across that, and then that would bring me to the second part, which is invisible AI, it's making sure that these experiences are, you know, the users don't have to do anything to access them, that they just show up, like meeting transcription, so if I go back and look at a meeting recording afterwards, and all of the notes are neatly organized on a panel on the right hand side, that's AI at work, invisibly for me, and when I go back to review that, I've got everything I need, but I didn't have to go do something to make that happen, so we're trying a lot to focus on these invisible, cognitive experiences throughout the platform. >> Keith, how about the ecosystem, I mean Cisco talks a lot about its partners here, I went through the show floor, collaboration's a big space there, talk a little bit about the expansive ecosystem that Webex has built. >> Yeah and one area in particular that has come up in the last month is that we were able to opensource our MindMeld platform, so we acquired the company MindMeld two years ago, and built Webex assistant using their phenomenal conversationally iPad form, and then took steps in Lorrissa Horton's group to opensource that and make it available to developers and I saw some examples of that yesterday on the show floor, really amazing what people have done, where they've taken Webex assistant and combined it with bots and assistant technology that they've built, on top of the MindMeld data science platform, so I was amazed because it wasn't so long ago when we did that and they have solutions already, so yeah, really interesting first step, but there's a lot more we can do there, I'd like to see us taking Webex assistant and offering extensibility beyond just the MindMeld opensource, I would like to see us look at a multi assistance strategy which we've got, where we could potentially integrate with some of the consumer systems that are out there, consumer assistance in particular, there's a lot that we've done but I think there's a lot more that can be done in bots and the systems phase. >> When we look all of this innovation, the way this innovation that we're riding with, you know, we're in the Devnet zone, Susie Weed talks about the ways of compute, mobile edge, AI everywhere, but also this demand for connectivity, the expansion of 5G that we're expecting, the adoption of wifi 6, how are some of those ways influencing how cognitive collaborations at Cisco is being developed. >> I have never thought about that, but what I would say is that it comes down to one thing, or maybe three things: data, data, data, right, that's, all of those systems produce lots of data, AI machine learning lives on data, it's data and algorithm ultimately, that's what it is, there's tons of algorithms out there, but those areas that you mentioned, those waves, they all produce lots of data and as long as we can act on those, with data privacy in mind, and provide compelling features to customers, I think that it opens up just way more opportunities, and what we've done up to this point cognitive, is really first step type stuff, as amazing as it is, a lot of it is based heavily on supervised machine learning, I think getting to unsupervised learning, reinforcement learning, and acting on those larger data sets is going to bring some really interesting solutions in the future. >> All right, so Keith, look forward a little bit for us, where you know all this machine learning and AI has caused a real growth in some of the breath of the portfolio, what's exciting you kind of in the next six to twelve months, what spaces should we be keeping an eye on in your world. >> One if the areas I've been working most closely on is meeting transcription, and again, it's a tip of the iceberg type solution were we've got the meeting notes and that's great, but I really want to imagine where we could bring that next, so notes are great, but if I didn't have time to go the meeting and I didn't have time to listen to the recording, probably not going to have time for thirty pages of notes, but what if I could get insights and actions, what if I could have Webex assistant help me with that, where I say, okay Webex, what actions did I get on the 10pm meeting yesterday that I missed, that to me is an area that I think it doesn't just personally excite me from a technology point of view, but I think has far reaching impacts for users, and its in approximately that time frame, this is not five years away or ten years away, we're getting there really quickly, so that is the one area that I would really pick out right now, because it gives us the baseline to integrate with a lot of the other cognitive offers we have and really go somewhere with that. >> I would love that, you're right, I mean who has time to listen to a recording let alone read a transcript >> Keith: Right. >> So that's something to look forward to in the future, as well as next time you'll have to come back and give us an example of a customer that has, whether it's a bank or any type of other organization with a lot of work force, you know, distributed work force and some of the big benefits, all the way up to the business, the top line that they're getting so we'll have to look for that for next time. >> Keith: Sure, I'd love to do that. >> Keith, thank you so much for joining Stu and me on theCube this morning, we appreciate it. >> Thanks for having me. >> All right, for Stu Miniman, I'm Lisa Martin, you're watching theCube live from Cisco live, day three, thanks for watching.

>> Narrator: From San Francisco, its theCUBE. Covering VMware Radio 2019. Brought to you by VMware. >> Welcome to theCUBE, from San Francisco at the VMware Radio 2019 Event. I am Lisa Martin with John Furrier, welcoming back one of our distinguished CUBE alumni, VMware CTO Ray O'Farrell. Ray, welcome back to theCUBE. >> Thank you, very happy to be here. >> This is the fifteenth annual Radio R and D. >> Yes >> Innovation offsite. >> Correct. >> Really competitive there's about eighteen-hundred engineers here, Over a thousand different projects submitted. >> Yes. >> Only about 15 to 20 percent may be selected to be featured here. >> Correct. >> This is the third day or so, talk to us about some of the projects that really caught your attention as really innovative, that really kind of embody the VMware culture of innovation. >> Okay, so the event is an internal event, and, so, but are treated very much in the same way as you would, you know, a more formal, people submitting papers, being peer reviewed and then as you say. A small number of them make it through to the poster sessions or the presentations here. If you look at the broad swat that come in initially, they are very broad, covering everything from technologies that VMware has a lot of focus on whether that's kubernetes virtualization and so on, but also some that are, you know, for the field like virtual reality, augmented reality. You also get quite a few projects which are, fall into how can we be better as a company, So better ways of, if we developed our software using this technology or this approach we'd see better efficiency or ways of testing in new and interesting ways. And I also, for the first time, I think saw a few projects which were more around, less around the technology and more around ways of working together. How can we build teams that work better globally. There's quite a few poster sessions around here about even how to manage and increase the inclusiveness of your team, right? So you're seeing it beyond the technology and instead, how do we as a company become more successful. >> I think that Virtual first is an interesting dynamic, we call it Virtual first because no one has actually built technology for fully virtual teams. >> Yes. >> It's always been kind of collaboration bolted onto pre-existing on premise activity. >> Yeah yeah its a, so our R&D teams, as most R&D teams you're going to see these days are going to be pretty distributed, you are going to have people working from home, you're going to have people in remote sites, you're going to have many project teams, where the actual project itself, right down to the smallest team of ten to fifteen people may well be distributed, so what you got is very core pieces of code being done by teams who are acting remotely. Now, when you think about it, as we work with more and more open source, you're seeing the exact same thing and like the open source community has worked very well in terms of how do you run those projects and so we get to learn from that and we've actually created an office for open source, open source program office, and a lot of what we're trying to figure is how do we make sure to be able to build and leverage that innovation across multiple teams. >> Well Ray, we want to thank you because I know Ray has been around for a while but this is the second year where presses select presses. >> Correct. >> To be invited to get access to some of the projects so we really appreciate that. >> Great idea. >> As CTO of VMware you got to look at the landscape and just look at the organic innovation inside, bring the acquisitions in, and then bring it through to the company architecture. What's, Where's the intersection point on the organic to the CTO, architecture map because you got a lot of great business model going on now, the cloud's looking good. Cloud foundation, yet the Telco business booming, where is the action on the business side, where is this come in, where's the action happening? on the technical business side. >> Yeah on the technical side, what we're seeing is well you've mentioned two questions in there, one is about the innovation and what we will do, how do we fit acquisitions and so on into that mix, we have a fairly formal, I guess, innovation program if I could put it that way. Which basically focuses on what do we do to make sure that we have a really strong culture of innovation as the company, and this event is one of those things. It's not just a few days event, that lead up to it, the lead off from it and so on, that really is focus on make sure we have a culture of innovation in the company. We can create new products, new features as needed, from that. But we also recognize that some of those innovations are going to come from partnerships and from acquisitions, either from partnerships with an Open-source community or in the case of, you saw yesterday, we made an acquisition of a company, Bitnami, which is part of the broader story of us being focused on cloud native applications, what is the best way to be able to, you know, manage that new type of development, container based, kubernetes based and so on. So we're open to wherever that innovation comes from, In fact, that's one of the things I really like about the company. You know, we will look at all the possibilities. And sometimes, you know, as you saw with even some of the partnerships we struck in the last year, you got to be creative. >> So I got to ask you about 5G, one of the things that we're seeing is a lot of hype around 5G, I mean, I was in Vegas, they said 5G LTAE. (laughs) >> Yes. >> E 5GE evolution it wasn't even real 5G. So there's some skepticism, but certainly it's a catalyst. How is 5G impacting your business opportunity in the industry? >> So the Telco industry in general was not particularly virtualized if you go back you know, about two years or three years ago. So one of the key things as people as Telco's are building out, you know, to deal with the 5G infrastructure, there're also saying okay what do I need to build, do I use the way I used to do it? And more and more are saying hey, I should be able to use virtualization, why can I not leverage that same technology which revolutionized Cloud in the data center. So we're seeing some very good business in that space, much of it is what you call the Telco Core, the you know, core infrastructure before you get to the radio networks themselves, but we're also beginning to see even some of that beginning to move out to the radio networks. >> John: Virtualization or software, or both? >> Well virtualization even in fact, that MobileWorld Congress in February I guess, we did some demos of some pretty advanced technologies around network slicing where you're essentially beginning to virtualize the network all the way from the radio network back into the data center itself. >> And the Telco's are certainly from a business that already have been struggling for decades, trying to figure out what that over the top, what their business model could be, will this help them? >> Yeah, well any time, our experience is that anytime you turn something into a flexible software model within that agility within that flexibility you get to do a whole ton of advantages, because you're able to update, you're able to modify, so it's all around flexibility. And everybody talks about you know, how agile you need to be, well, virtualization software, moving into a more software defined model really helps with that. >> Let's talk about, back to Radio 2019, the R and D innovation offsite Radio. Let's talk about customers, how do customer influence projects say from last year to what some of the engineers put together, are these engineers that are having a lot of interactions with customers, what is that influence that customers deliver to VMware's culture of innovation? >> Yeah, it's rather interesting, with more and more we have customers who come to us and actually are asking the question, not necessarily about products, but about the culture of innovation, a question around how do they repeat that or can they learn something from us, and we learn from them too, but it's interesting that the question that has begin to come up more and more as these customers realize we must be agile, we must innovate or else someone is going to get them, from a competitive point of view. They're trying to understand what we do in that space, so that's one aspect of it. In terms of the projects, and what you see here, we do have our professional services organization here, we do have our customer support organization, we do have a lot of our CTO's, a lot of these projects come from offices of the CTO, they all spend a ton of time with customers. We also do make sure for the most part that we get our senior engineers to have an opportunity to go out and visit customers or when customers come on site, that we will have those discussions. So there's a lot of customer input into the mix, where you actually see it showing out or where you should see it begin to appearing more and more, there's a lot of projects here that are deeply systems projects. You'll also find a lot though around pretty basic customer satisfaction things, like user interfaces, ease of licensing all those types of things. So there's a good balance between the two. >> You know one of the things you guys are really doing well in the market place, obviously with the cloud decision with AWS that was a great message to both your field, customer base, how cloud is going to evolve, then cloud foundation, now you got the edge of the network developing, but the software defined data center NSX is doing well. As you start to get into the networking side because the pitch we heard at Dell technologies world was, don't look down, look up the stack. That's where kubernetes is and where the action is on the abstraction layer. There's still a lot of work to do with the networking and security piece of it. >> Correct. >> Where's the innovation angle there, what are the dots to connect on the networking and security side. >> I think probably the biggest focus is on security, almost every customer as they're becoming completely dependent on digital infrastructure just to get there work done. You know like, everything from a farmer to a hospital, they're all digital now, right? Security pops up over and over again. The key products we have in that space are things like, obviously NSX has a large security component to it, but also app defense and some of the projects we do there. So I think security is probably one of the key areas we see that focus. In some ways, what we're seeing is customers coming to us and saying, I want to be able to worry about my applications, can you somehow figure out how to make the IS and the virtualized infrastructure and the security as policy-driven, as automated as possible. And that's where we're focusing. >> You know, one of the things I see as a trend, obviously a student would love, any man would love to be also talking about is the hyper-converged HDI (mumbles) infrastructure really was a tell sign to what customers want, they want to converge everything into an abstraction. >> Correct. >> Into software model, Cloud's hyper-converging. Cloud's is also another. >> Correct. >> Multi-cloud kind of objective. So this notion of consolidating. >> Yeah. >> And kind of creating abstraction is a trend. >> It is, I actually think its really a decision by most customers to say where do I need to focus all of my bandwidth to be successful, and they're saying I want to focus on the layer which is specific to my company. The applications, my customer relations, please somebody help me with all the other stuff. And that's cloud hyper-converge infrastructure VMware. >> John: Do you feel you got like VMware's positioned well in that area? >> I do, I think that in the end, I think we have an interesting blend of what I sometimes use the word agnost or enterprise pragmatic innovation, we know you want to leverage the latest technologies, we know you want to be able to advance in those spaces, but we also know in the end, you know, you are a bank or a hospital, and you need to manage that transition in a fashion which allows you to keep your business going, I think we've been very good at helping companies do that-- >> If I took you on a sales call and I was say, a VMware sales rep or a competitor, obviously the competitors will try to counter what you guys are doing, as we know, we see Cisco out there and others where there's competition, this industry is evolving but you guys have an advantage, what is that pitch to the customer, why VMware over the competition, because they're certainly saying that they can do things better than you guys (mumbles) and vice versa. >> Yeah, I think there's a few advantages, one of them is our enterprise history, our enterprise readiness, some of our competitors obviously have that as well, but you know we are very very strong across all the global, the worlds global enterprises. The other part that you are going to see of course is in some ways we've got the ability to be a little bit of a Switzerland in many cases, our job is effectively to say abstract virtualize your infrastructure, make it easy to manage and optimize and we don't necessarily care what that infrastructure is, is it a public cloud, is it a private cloud, is it a hyper converge infrastructure. So we're able to offer that unified or essential kind of digital infrastructure that goes across all of those things. And within that you're giving choice and flexibility. If you want to move that work load because you think you'll get a better deal on a different cloud, we will help you to do that, or at least make that easier to do. >> Along the spirit of competitive advantage, besides innovation, which we talked about, this very rich history, twenty plus years of innovation at VMware. What are some of the other elements in your opinion that companies like VMware need to have, to be disruptors, couple that come to mind when I think of VMware are partnerships and diversity, what are some of those core elements that really are essential to drive disruption. >> So I often use the phrase which sounds maybe a little bit opposite to disruption, which is resilience, right? Is your company in a position to be able to take either blows from an economy, from competition, and so on. And actually take advantage of those in some ways. And the other part of that is leveraging that innovation as you're trying to say I want to be able to grow and be successful can I do so in a way which that innovation is, I use that word again, pragmatic it fits well with everything you do. I think VMware in my view has a very strong culture, which leads to that, and sometimes we use the phrase of VMware, as a bit of a why culture, people ask why all the time, right? So if I say we're going to do something with project X, some senior engineer is going to say why, now what's even more important, is that often becomes a why not, so you look at some of the partnerships we've done, some of these, where we get into those conversations and you know, the natural thing, well we're not going to partner there, but then somebody says why not, we could partner there, and after that you get some very interesting-- >> We can integrate this into theCUBE Q and A, so right, why block chain? >> Right. (John laughs) Yeah so, the key area where we look at block chain is what actually part has, made some comments on block chain around it being this key almost like the IP story for the future of financial services, right, IP networking so from networking point of view. So what we see is that this is essentially a foundation layer for applications to be built on, not just for financial services, but we see it also showing up more and more in things like supply chain. That's a hard problem, its a distributed problem, its a problem where you get a bunch of customers saying we want to operate as some sort of a group together but one wants to go on prem, the other wants to go on cloud. And that's what, where we've got a unique-- >> The IP metaphor is interesting, I mean, if you look at what IP networking did. >> This is pre-web, this is internet. >> Correct yeah. >> I mean what happened after that was just an amazing shift in our world. So you guys see block chain as a similar paradigm? >> We do see that, well we see, its a layer for which it's be, kind of somewhat ubiquitous layer that then you build these trust applications on top of, right. And so its almost like a platform layer at that stage. That's why when we look at it, its almost becoming kind of a software infrastructure story. >> Well, you know we'd love block chain. We (mumbles) time We're going to talk more in depth. >> You do I saw some of your stuff on block chain online. >> Yeah, great Thanks. >> Yeah. >> So I saw a tweet from you the other day, that of all these poster presentations behind us you were really trying, with all these stickers and things. How is you sticker collection coming along? >> It's coming pretty well, its kind of funny, what you're, me seeing here is a bunch of engineers who are really passionate about the thing they are presenting. So when I find someone and built little LEGO characters, there's little stickers that they build and so on all trying to push to some degree their passion about what they're doing, right? So yesterday I come in here at 7a.m, thought the place would be empty but there was actually a bunch of engineers here. But I was getting all these stickers, right, it was just surprising to me, wow, people put a lot of even artwork into these projects as they try and describe them. >> Well, and what I think about that is it shows creativity and its one of those, you might call it a softer skill, which I don't know why its called softer skills, but thats essential is, is the ability to express that creativity. And also some of the other skills like collaboration and learning how to present even better, which are also elements that the folks that attend Radio get to work on. >> Correct, many of the engineers who present here, this will be their first maybe or their second time presenting to a large group, now they are presenting in front of two thousand people, and in many cases, two thousand of their peers, who know exactly what technology they're talking about, so you can't just give some high-level, oh it might be better kind of thing. Someone will say, where will it be better, how fast will I be, and so on. So, we make sure that if any engineers are looking for training, or want to get some help to do those presentations, we spend quite a bit of time making sure they can get that because that's part of growing them as engineers and as future professionals or business leaders. >> Absolutely, well Ray thank you so much for joining John and me on theCUBE at Radio 2019, great to talk to you, and excited to hear some exciting things to come out of VMworld 2019 which is just around the corner. >> That's right just coming up, Thank you. >> Absolutely. For John Furrier I am Lisa Martin, you're watching theCUBE from VMware Radio 2019 from San Francisco. Thanks for watching. (upbeat music)

(Upbeat music) >> From the Hard Rock hotel in Las Vegas, its theCUBE! Covering the Hosho Con 2018, brought to you by Hosho. >> Okay, welcome back every one, this is theCUBE's exclusive coverage here live in Las Vegas for Hosho Con, the first inaugural event where security and block chain conferences is happening, it's the first of its kind where practitioners and experts get together to talk about the future, and solve some of the problems in massive growth coming they got a lot of them. Its good new and bad news but I guess the most important thing is security again, the first time ever security conference has been dedicated to all the top shelf conversations that need to be had and the news here are covering. Our next guest Greg Pinn who's the head of strategy and products for iComply Investor Services. Great to have you thanks for joining us. >> Very nice to be here >> So, we were just talking before we came on camera about you know all the kind of new things that are emerging with compliance and all these kind of in between your toes details and nuances and trip wires that have been solved in the traditional commercial world, that have gotten quite boring if you will, boring's good, boring means it works. It's a system. But the new model with Block Chain and Token Economics is, whole new models. >> Yeah I think what's so exciting about this is that in the Fiat world, from the traditional financial market, everyone is so entrenched in what they've been doing for 20, 30, 40 years. And the costs are enormous. And Block Chain, Crypto coming in now is like we don't have to do it that way. We have to do compliance. Compliance matters, it's important and it's your legal obligation. But you don't have to do it in the same sort of very expensive, very human way that people have been doing it in the past. >> And Cloud Computing, DevOps model of software proved that automations a wonderful thing >> Right >> So now you have automation and you have potentially AI opportunities to automate things. >> And what we've seen is huge increases in technology, in around machine learning and clustering of data, to eliminate a lot of the human process of doing AML, KYC verification, and that's driving down costs significantly. We can take advantage of that in the Crypto Space because we don't have thousands of people and millions of millions of dollars of infrastructure that we've built up, we're starting fresh, we can learn from the past and throw away all the stuff that doesn't work, or isn't needed anymore. >> Alright let's talk about the emerging state of regulation in the Block Chain community and industry. Where are we? What's the current state of the union? If you had to describe the progress bar you know with zero meaning negative to ten being it's working, where are we? What is the state of >> I think if you'd asked me a year ago I think negative would've been the answer. A year ago there was still a big fight in Crypto about do we even want to be part of Compliance, we don't want to have any involvement in that. Because it was still that sort of, Crypto goes beyond global borders, it goes beyond any of that. What's happened now is people have realized, it doesn't matter if you're dealing in Crypto Currency or traditional currency, or donkeys or mules or computers or whatever, if you're trading goods for value, that falls under Regulatory Landscape and that's what we're hearing from the SCC, from FinCEN, from all the regulators. It's not the form it's the function. So if you've got a security token, that's a security, whether you want it to be or not. You can call it whatever you want, but you're still going to be regulated just like a security. >> And I think most entrepreneurs welcome clarity. People want clarity, they don't want to have to be zigging when they should be zagging. And this is where we see domicile problem. Today it's Malta, tomorrow it's Bermuda. Where is it? I mean no one knows it's a moving train, the big countries have to get this right. >> A hundred percent. And beyond that what we're seeing, what's very, very frustrating for a market as global as this is it's not just country-level jurisdiction, the US you've got State-level jurisdiction as well. Makes it very, very hard when you're running a global business if you're an exchange, if you're any sort of global, with a global client reach. Managing that regulation is very, very difficult. >> You know I interviewed Grant Fondo who's with Goodwin Law Firm, Goodwin Proctor they call it Goodwin now, he's a regulatory guy, and they've been very on the right side of this whole SCC thing in the US. But it points to the issue at hand which is there's a set of people in the communities, that are there to be service providers. Law Firms, Tax, Accounting, Compliance. Then you got technology regulation. Not just financial you have GDPR, it's a nightmare! So okay, do we even need GDPR with Block Chain? So again you have this framework of this growth of internet society, now overlaid to a technical shift. That's going to impact not only technology standards and regulations but the business side of it where you have these needed service providers. Which is automated? Which isn't automated? What's your take on all of this? >> I agree with you a hundred percent, and I think what's helpful is to take a step back and realize while compliance is expensive and a pain and a distraction for a lot of businesses. The end of the day it saves people's lives. And this is what, just like if someone was shooting a gun as you were running down the street, in your house, you're going to call the police, that is what financial institutions are doing to save these industries and individuals that are impacted by this. A lot of it from a Crypto Currency perspective, we have a responsibility because so much of what the average person perception is, is Ross Ulbricht and Silk Road. And we have to dig our way out of that sort of mentality of Crypto being used for negative things. And so that makes it even more important that we are ultra, ultra compliant and what's great about this is there's a lot great opportunities for new vendors to come into the space and harness what existed whether that's harnessing data, different data channels, different IDDent verification channels and creating integrated solutions that enable businesses to just pull this in as a service. It shouldn't be your business, if you're in exchange, compliance is something you have to do. It should not become your business. >> Yeah I totally agree, and it becomes table stakes not a differentiator. >> Exactly >> That's the big thing I learned this week it's people saying security's a differentiator, compliance is a, nah, nah, I have standards. Alright so I got to ask you about the, you know I always had been on the biased side of entrepreneurship which is when you hear regulations and you go whoa, that's going to really stunt the growth of organic innovation. >> Right. But in this case the regulatory peace has been a driver for innovation. Can you share some opinions and commentary on that because I think there's a big disconnect. And I used to be the one saying regulation sucks, let the entrepreneurs do their thing. But now more than ever there's a dynamic, can you just share your thoughts on this? >> Yeah, I mean regulators are not here to drive innovation. That's not what their job is. What's been so interesting about this is that because of regulations coming to Crypto along with these other things, it's allowing businesses to solve the problem of compliance in very exciting, interesting ways. And it's driving a lot of technologies around machine learning, what people like IBM Watson are doing around machine learning is becoming very, very powerful in compliance to reduce that cost. The cost is enormous. An average financial institution is spending 15 percent. Upwards of 15 percent of their revenue per year on compliance. So anything they can do to reduce that is huge. >> Huge numbers >> And we don't want Crypto to get to that point. >> Yeah and I would also love to get the percentage of how much fraud is being eaten into the equation too. I'm sure there's a big number there. Okay so on the compliance side, what are the hard problems that the industry is solving, trying to solve? Could you stack rank the >> I think number one: complexity. Complexity is the biggest. Because you're talking about verifying against sanctions, verifying against politically exposed persons, law enforcement lists, different geographical distributions, doing address verification, Block Chain forensics. The list just stacks and stacks and stacks on the complexity >> It's a huge list. >> It's a huge list >> And it's not easy either. These are hard problems. >> Right, these are very, very difficult problems and there's no one expert for all of these things. And so it's a matter of bringing those things together, and figuring out how can you combine the different levels of expertise into a single platform? And that's where we're going. We're going to that point where it's a single shop, you want to release an ICO? You're an exchange and you need to do compliance? All of that should be able to be handled as a single interface where it takes it off of your hands. The liability is still with the issuer. It's still with the exchange, they can't step away from their regulatory liability, but there's a lot that they can do to ease that burden. And to also just ignore and down-risk people that just don't matter. So many people are in Crypto, not the people here, but there's so many people in Crypto, you buy one tenth of a Bitcoin, you buy a couple of Ether, and you're like okay that was fine. Do we really need to focus our time on those people? Probably not. And a lot of the >> There's a lot big money moving from big players acting in concert. >> And that's where we need to be focused. Is the big money, we need to be focused on where terrorists are acting within Block Chain. That's not to say that Block Chain and Crypto is a terrorist vehicle. But we can't ignore the reality. >> And I think the other thing too is also the adversary side of it is interesting because if you look at what's happening with all these hacks, you're talking about billions of dollars in the hands now of these groups that are highly funded, highly coordinated, funded basically underbelly companies. They get their hands on a quantum computer, I was just talking to another guy earlier today he's like if you don't have a sixteen character password, you're toast. And now it's twenty four so, at what point do they have the resources as the fly wheel of profit rolls in on the hacks. >> You know, one of the interesting things we talk about a lot is we have to rely on the larger community. We can't, I can't, you can't solve all of the problems. Quantum computing's a great example. That's where we look for things like two-factor authentication and other technologies that are coming out to solve those problems. And we need to, as a community, acknowledge That these are real problems and we've identified potential solutions. Whether that's in academia, whether it's in something like a foundation like the Ethereum Foundation, or in the private sector. And it's a combination of those things that are really driving a lot of it's innovation. >> Alright so what's the agenda for the industry if you had to have a list this long, how do you see this playing out tactically over the next twelve months or so as people start to get clarity. Certainly SCC is really being proactive not trying to step on everybody at the same time put some guard rails down and bumpers to let people kind of bounce around within some frame work. >> I think the SCC has taken a very cautious approach. We've seen cease and desist letters, we've seen notifications we haven't seen enormous finds like we see in Fiat. Look at HSBC, look at Deutsche Bank, billions of dollars in fines from the SCC. We're not seeing that I think the SCC understands that we're all sort of moving together. At the same time their responsibility is to protect the investor. And to make sure that people aren't being >> Duped. >> Duped. I was trying to find an appropriate term. >> Suckered >> Suckered, duped. And we've seen that a lot in ICOs but we're not seeing it, the headlines are so often wrong. You see this is an ICO scam. Often it's not a scam, it's just the project failed. Like lots of businesses fail. That doesn't mean it's a scam, it means it was a business fail. >> Well if institutional investors have the maturity to handle they can deal with failures, but not the average individual investor. >> Right, which is why in the US we have the credit investor, where you have to be wealthy enough to be able to sustain the loss. They don't have that anywhere else. So globally the SCC care and the other financial intelligence units globally are monitoring this so we make that we're protecting the investor. To get back to your question, where do I see this going? I think we're going to need to fast track our way towards a more compliant regime. And this I see as being a step-wise approach. Starting with sanctions making sure everyone is screened against the sanction list. Then we're going to start getting more into politically exposed persons, more adverse media, more enhanced due diligence. Where we really have that suite of products and identify the risk based on the type of business and the type of relationship. And that's where we need to get fast. And I don't think the SCC is going to say yeah be there by 2024, it's going to be be there by next year. I was talking to Hartej, he was one of the co founders of Hosho and we were talking on TheCUBE about self-regulation and some self-policing. I think this was self-governed, certainly in the short term. And we were talking about the hallway conversations and this is one of the things that he's been hearing. So the question for you Greg is: What hallway conversations have you overheard, that you kind of wanted to jump into or you found interesting. And what hallway conversations that you've been involved in here. >> I think the most interesting, I mentioned this on a panel and got into a great conversation afterwards, about the importance of the Crypto community reaching out to the traditional financial services community. Because it's almost like looking across the aisle, and saying look we're trying to solve real business problems, we're trying to create great innovative things, you don't have to be scared. And I was speaking at a traditional financial conference last week and there it was all people like this Crypto is scary and it's I don't understand it. >> You see Warren Buffett and Bill Gates poopooing it and freak out. >> But we have an obligation then, we can't wait for them to realize what needs to be done. We need to go to them and say, look we're not scary, look let's sit down. If you can get a seat at a table with a head of compliance at a top tier bank, sit down with them and say let me explain what my Crypto ATM is doing and why it's not a vehicle for money laundering, and how it can be used safely. Those sorts of things are so critical and as a community for us to reach across the aisle, and bring those people over. >> Yeah bridge the cultures. >> Exactly. Because it's night and day cultures but I think there's a lot more in common. >> And both need each other. >> Exactly. >> Alright so great job, thanks for coming on and sharing your insights. >> Thank you so much. >> If you have a quick plug on what you're working on, give the plug for the company. >> Sure, so iComply Investor Services is here to help people who want to issue ICOs, do that in a very compliant way. Because you shouldn't have to worry about all of your compliance and KYC and Block Chain Forensics and all that, you should be worried about raising money for your company and building a product. >> Alright final question since I got you here 'cause this is on my mind. Security token, has got traction, people like it 'cause no problem being security. What are they putting against that these days, what trend are you seeing in the security token? Are they doing equity? I'm hearing from hedge funds and other investors they'll want a little bit of equity preferred and or common, plus the token. Or should the token be equity conversion? What is some of the strings you're seeing? >> You know I think it' really just a matter of do you want paper or do you want a token? Just like a stock certificate is worth nothing without the legal framework behind it. A security token is the same way. So we're seeing where some people are wanting to do equity, where some of their investors want the traditional certificate. And some are fine with the token. We're seeing people do hybrid tokens where it morphs from security to utility or back. Where they're doing very creative things. It's what's so great about the Ethereum Network and the Smart Contracts, is there are all of these great options. The hard part then is, how do you fit those options into regular framework. >> And defending that against being a security, and this is interesting because if it converts to a utility, isn't that what security is? >> So that's the question. >> Then an IPO is an, again this is new territory. >> Right, and very exciting territory. It's an exciting time to be involved in this industry. >> In fact I just had an AE3B Election on tokens, first time ever. >> Yeah it's an amazing state that we're in. Where serious investors are saying yeah token's great for me. Give me the RC20 I'll stick it in my MetaMask Wallet, it's unbelievable where we are. And only more exciting things to come. >> Greg Pinn, thanks for coming on and sharing your insights. TheCUBE covers live here in Las Vegas, Hoshocon, the first security conference in the industry of its kind where everyone's getting together talking about security. Not a big ICO thing, in fact it's all technical, all business all people shaping the industry, it's a community it's TheCUBE coverage here in Las Vegas. Stay with us for more after this short break. (Upbeat music)