TK Keanini, Cisco | AWS Summit NYC 2018


 

>> Live from New York, it's theCUBE, covering AWS Summit New York 2018. Brought to you by Amazon Web Services and its ecosystem partners.
>> Hello, welcome back everyone. This is theCUBE live in New York City for AWS Amazon Web Services Summit 2018. I'm John Furrier with Jeff Frick here for wall-to-wall coverage here for the one-day event. Our next guest is TK Keanini, distinguished engineer at Cisco. Great to have you on theCUBE. Thanks for joining us today.
>> Thanks, great to be here.
>> We had some chat on before they came on camera about protocols, deep-packet inspection, networking. I see Cisco now, moving up the stack. I'm sure, back in the day when you were there and recently, that's been the big debate for Cisco of the stack but the cloud has created a whole new stack, right, so a lot of action. Seems like the same movie from a couple generations ago happening out in real time at a much more accelerated rate, welcome to theCUBE, what's your thoughts?
>> Thank you so much, yeah, you know, anybody who's been in this business for the last 20-25 years, I always joke and say, you know, same circus, different clowns. You know, it's the same thing again and it's exciting because I mean, you saw the keynote, the people here, everybody's excited about doing develop on this new thing. It's got new economics, new scale, it's definitely got more security, I think, and yeah, we're just really moving aggressively with our customers towards the future.
>> You know, TK, I want to get your thoughts 'cause one of the things we've been saying on theCUBE, we've been covering Amazon re:Invent since 2012, 2013 timeframe and so we've seen the growth but it's always been a developer haven, you know, cloud native, you were born in the cloud, like most startups were back in the day, you had great goodness and then you could become a Dropbox and be so big you had to do your own data so I get that but for the most part developers check small, medium sized businesses, check now large enterprises, great developers. Now, you're getting clear visibility on operators. So the confluence between operators of networks and infrastructure and IT operations merging together and having some synergy and cohesiveness with developers for applications, new work loads. What's your thoughts on that because this is really becoming the big ah-ha moment where I can now operate now at a level and have a developer haven going on, your thoughts?
>> Yeah, no, so I think you heard it in the keynote today, security is everybody's problem, right? And it certainly is the developer's problem, it maybe even starts with the developer. You know, threat actors are clever, you could say that threat actors were the first to go cloud first and they're not ashamed of what they use, they're going to get what they want and so you know, the idea of providing security as a service to those developers is a new thing I will say. Usually I'm building product and service for the security expert. Now, it's this web app developer, right? And their first question to me is "where's the API?", right? "Where's my libraries", right? How can I treat you like I treat storage, like I treat networking? They don't want to grow up and become a networking expert, they just want to have their application scale and so that's the real focus is, understanding the customer and building that service at the highest quality.
Much of the expertise, I have to mechanize inside of my algorithms and my machine learning but again, delivering them a service so that they can protect and become incredibly expensive for those threat actors to pursue.
>> And the alternative in the old days was provision a lot of hardware, do a lot of configuration management, security audits, meeting, put up a perimeter, now you can create sets of services.
>> Yeah, and a lot of automation, right? That's key. Like, you don't have enough people to test. You have to automate your tests. You don't have enough people to read over documents, you have to automate that acquisition. Everything's about augmentation and automation. Security, all aspects of security are following suit.
>> Yeah.
>> TK, I wonder, you talk a lot about the threat-act revolution, through some other interviews and that's really a recurring theme because it's kind of your way of saying how you have this kind of have this arms race but the other big thing that's happened in the threat act is that it's gone the hacker, maybe trying to cause a disruption to nation states and much more organized. Is that as evolved in the amount of resources that they now have to deploy versus just some standalone hacker? Have you seen that evolve, what are some of the responses?
>> Yeah, I still get goosebumps thinking about it. 'Cause back when we started it was more like, you know, we were just sharing a craft, you know. It was a lot like amateur radio, you know? You broke into something, you shared that skill, not anymore. I mean these are real, a nation state, threat actors, criminals and they're running a real business, okay?
>> Right. And if you do really good security, you're essentially adding to their cost of operation and they don't like that. So it is really a business against a business. And they think like a business.
They're well resourced like a business, they're patient and sometimes you know, in certain cases going after the weak, in some cases they're incredibly targeted, they're coming after you because you are a center of excellence for that sector and it doesn't matter, you know, how high you build the wall. They're going to find a way to go under it (laughs) or go around it or find a way to declare no wall but yeah, it's fun because like I said, instead of waiting for something to fail, like a hard drive or you're just building IT systems for resiliency, in my world, these threat actors are talented.
>> Right. Right? So every day, if I intervene, I force them to intervene. If they intervene, they force me to intervene. That's funny you say they're running a business, so is that part of your defense is just increasing their cost of goods to hold in a major, major way?
>> It really is, you know, we've seen a lot of trends shift. For instance, you know, ransomware a little while ago, that was a big deal because you know, they'd hold your machine hostage, it'd cost you $200 maybe $300 to get out of it, okay? The problem with that is tomorrow their gig's up, okay? Now the shift has been to cryptomining or cryptojacking. If they compromise your machine and can get a quarter out of that machine just by doing Bitcoin mining, they will essentially make 25 cents tomorrow, so they've shifted to a recurring revenue stream, okay? This is important, okay?
>> Right, right.
>> Because tomorrow and the next day and the next day, they're still undetected, okay? And when I say about raising their cost of operations if you can find that cryptomining on your network, no matter where your network is and shut them down, you've just taken a little bit away from their recurring revenue stream, right? And that's the dynamics we're facing daily.
>> Disruption is key. Making it complex and keeping disruption.
>> Having more visibility than they do, having more detection than they do and basically knowing yourself better than they do.
>> Right.
>> Is absolutely critical.
>> I want to hear your thoughts, TK, on a couple things. One observation is you know, during the Snowden era, you know, the mainstream population and world whether it's capital markets or IT, didn't talk much about "metadata", but then after Snowden, "metadata" became a big thing and we now know what metadata is and now obviously with the Russian involvement in the election, spear phishing is now, I mean it's been out there, but you're seeing specifically what was done there with spear phishing, so easy to pull off.
>> Yeah.
>> How are we getting better at detecting, preventing, against the humans who just think oh hey, a job offer for you, or a real elegant bait and certainly with mobile, doesn't have that DNS visibility, mobile makes it easier to do some spear phishing. Spear phishing is a big deal.
>> Yeah.
>> Your thoughts on it?
>> Yeah, and that's again, that big trend in shift is a long time ago, you know, we built security systems to watch for people breaking into networks. Today, the threat actors are logging into your network 'cause they've already gotten your credentials through some means, okay? So how do you detect somebody who's actually impersonating you on the network? The same sort of security bells are not going to ring. And this applies for a cloud or on-prem, or anything.
>> Right, right.
>> It's the same game and really, you know, being able to do that detection from the telemetry that comes native from the environment is critical.
>> And so really just more analytics, more telemetry, more instrumentation?
>> It's not about the data, it really is about the analytics. I mean, yes the telemetry has to be necessary and sufficient but the analytical outcome has to be pointed at exactly that, you are trying to detect fraud, you are trying to detect.
You know, it's like in the old days, if I gave you my general ledger, right, and you were an accountant, you would just be looking for errors. Okay, that's fine for operation but say you're trying to catch a crook. I hand you that same general ledger, you're going to come at it with a different pair of eyes.
>> Right.
>> A different mental model. You're trying to find the crook.
>> Right.
>> Who is actively hiding from you. That's the type of analytics we're focused on.
>> So this is interesting, talk about machine learning, and AI could be assist you mention, automation, Stealthwatch Cloud is something that you've mentioned. What is that, what's going on around there, how do you get that lens to be turned on quickly in context? 'Cause real time is about contextual relevance.
>> That's right.
>> At any given moment you've got to be ready alert and looking for things.
>> So the beauty of AWS is they can deploy in any one way. You can have your virtual servers, you can have the containerized, or you can be serverless. That's the thing, the cool kids are doing serverless, okay?
>> Right, right.
>> You have to provide the same level of threat analytics for all three, no matter what. The good news is, it's not about not having the data. AWS gives you a rich set of telemetry from many, many sources. What we do is first synthesize all that together, run our analytics on it and point out where you may be exposed or there are threat activities that's either, maybe even from the inside, not necessarily from the outside, you know, in your Snowden account but there's anonymous activity that requires attention. All of those things, all that developer wants to do is make sure that they you know, delivered to their customers. Business continuity.
>> Right, right, yeah.
>> They're not interested in security.
>> TK, I've got to ask you the question around security around you know, can you see the papers, so you know, Pat Gelsinger, Cube alumni, now CEO of VMware, said on theCUBE, Dave Vellante co-host theCUBE, asked him years ago "is security a do-over with the cloud?". This was back when the cloud was being pooh-poohed as a security mod, oh it's not secure in the cloud, now it's looking damn good, right, so.
>> And now it's more secure, I think, yeah.
>> Now it's more secure, and yeah, that's pretty clear.
>> Yeah.
>> So there's a chance for people to get a mulligan, get a re-do, to rethink security. How do you engage conversations and how do you advise friends, colleagues, customers around if there's a chance to do security over, with a no-perimeter model, with an API microservices centric view. What's the strategy, what's the architecture, what's the approach?
>> Yeah, you know, I don't know, there's a couple of cases, it's not a one size fits all. We have a lot of successful businesses transitioning and they really can't turn their back on yesterday, you know, they have to bring that transition forward.
>> Right.
>> So there's that one crowd and they're going to have a different playbook because they have a set of skills and a set of things that are different. On the other end of the extreme, you have businesses that don't know on print, I mean, honestly, they were born in the cloud and their cloud made it.
>> Yeah.
>> And then you have most of everybody who is in between, you know, hybrid, multi-cloud, they're just doing, but functionally they're all trying to achieve the same thing which is, you're trying to get the elastic economics, you're trying to get parts of their business that elastic to that elastic compute, right?
But all-in-all, the threat actor doesn't care whether they come in through your mobile device or through that cloud workload, they're after something very specific, which is, there's something in your organization, in your digital business that they want.
>> So a couple of things I want to follow up with. One is kind of the changing world of identity and security because of firewalls and you know, the walls have got to come down, they've got a lot of holes in them. You know, so much more focus on who are you? But to your point, oftentimes they're coming in as you, so the identity maybe not necessarily is a great way.
>> That's right.
>> Then you've got this other thing which is basically pattern detection, right, and online detection, right and we hear over and over that the average time to know that you've been breached is months and many, many days. So, how are you kind of factoring in those two things to do a better job?
>> Yeah, and it is accretive, meaning there are net new ways of establishing identity. For instance, you know, if this thing is acting like a printer and it's acted like a printer for the last ten years and one day that device gets up and starts checking out source code, that's a problem, (laughs) right? Okay, so there's all these sort of things around novelty and around the dimensions of novelty. It may be a volumetric novelty, it might be a protocol novelty, in serverless, I'll give you an example with serverless. We treat serverless as a first-class object, as if it actually was persistent and if it makes a very novel API call that it never did before, I think you should probably know about that.
>> Yeah.
>> If it starts to exfiltrate 20 gigs of data and never did that before, you probably should take a look at that, right? And these are all things from a DevOps standpoint, they want to know first, certainly.
You know, there really is no excuse in cloud for you to be like "oh, I wouldn't have been able to know that", no, you can, 'cause it's all there.
>> Right, right.
>> And microservices in containers provide great value here.
>> Incredible value, incredible value. And just again, that dynamic nature of that orchestration, you know, that orchestration brought us to basically a way where, you know, me as a developer, I used to know exactly where I was going to run and how long I was going to run and everything. I have no idea where my code runs anymore, right? And that's the case here and so security takes a completely different turn there because a lot of things that in your analytics were things that you needed to persist, those things are gone, everything's ephemeral now. So what if I wanted to run a report for ten years? Like what in that ten years stayed the same? Probably nothing, okay? So you actually have to use a lot of algorithms to say that here's a composite type of set of data features and if these things persist over time, it's kind of like the way humans work.
>> Right, right.
>> TK, great to have you on theCUBE, thanks for joining us, thanks for sharing your insight. Real quick, you're giving a talk for Cisco here?
>> Yep.
>> Which you're doing in a, working the hallway, give an update.
>> Come join me at five o'clock, I think, it's going to be on self-launched clouds, so it will be a great talk.
>> Self-launched cloud, again, thanks for coming out to Cisco Systems.
>> Alright, thanks.
>> And of course we're covering all the Cisco action at DevNet and Cisco Live just recently and DevNet Create the cloud native portions of Cisco, and we're going to dissect TK here on theCUBE. Breaking it down, I'm John Furrier with Jeff Frick, stay with us, we'll be right back.

Published Date : Jul 17 2018
