HORSEMAN and HANLEY Fixed
(upbeat music)
>> Hello everyone, welcome to this special Cube conversation. I'm John Furrier, host of theCube. We're here in Palo Alto. We've got some remote guests. Going to break down the Fortinet vulnerability, which was confirmed last week as a critical vulnerability that exposed a zero-day flaw for some of their key products, obviously, FortiOS and FortiProxy for remote attacks. So we're going to break this down. It's a real-time vulnerability that happened is discovered in the industry. Horizon3.ai is one of the companies that was key in identifying this. And they have a product that helps companies detect and remediate and a bunch of other cool things you've heard on theCube here. We've got James Horseman, an exploit developer. Love the title. Got to say, I'm not going to lie. I like that one. And Zach Hanley, who's the chief attack engineer at Horizon3.ai. Gentlemen, first, thank you for joining the Cube conversation.
>> Thank you. It's good to be here.
>> Yeah, thank you so much for having us.
>> So before we get into the whole Fortinet, this vulnerability that was exposed and how you guys are playing into this, I just got to say I love the titles. Exploit developer, Chief Attack Engineers, you don't see that every day. Explain the titles. Zach, let's start with you. Chief Attack Engineer, what do you do?
>> Yeah, sure. So the gist of it is, is that there is a lot to do in the cybersecurity world. And we made up a new engineering title called Attack Engineer because there's so many different things an attacker will actually do over the course of attack. So we just named them an engineer. And I lead that team that helps develop the offensive capabilities for our product.
>> Got it. James, you're the Exploit Developer, exploiting. What are you exploiting? What's going on there?
>> So what I'll do in a day to day is we'll take N-days, which are vulnerabilities that have been disclosed to a vendor, but not yet publicly patched necessarily or a POC exists for them. And I'll try to reverse engineer and find them, so we can integrate them into our product and our customers can use them to make sure that they're actually secure. And then if there's no interesting N-days to go after, we'll sometimes search for zero-days, which are vulnerabilities in products that the vendor doesn't yet know about.
>> Yeah, and those are most critical. Those things can be really exploited and cause a lot of damage. Well James, thanks for coming on. We're here to talk about the vulnerability that happened with Fortinet and their products zero-day vulnerability. But first with the folks, for context, Horizon3.ai is a new startup rapidly growing. They've been on theCube. The CEOs, Snehal and team have described their product as an autonomous pen testing. But as part of that, they also have more of a different approach to testing environment. So they're constantly putting companies under pressure. Let's get into it. Let's get into this hack. So you guys are kind of like, I call it the early warning detection system. You're seeing things early because your product's constantly testing infrastructure. Okay? Over time, all the time, always on. How did this come about? How did you guys see this? What happened? Take us through.
>> Yeah, sure. I'll start off. So on Friday, we saw on Twitter, which is actually a really good source of threat intelligence these days, we saw a person released details that Fortinet sent advanced warning email that a critical vulnerability had been discovered and that an emergency patch was released. And the details that we saw, we saw that was an authentication bypass and we saw that it affected the FortiOS, FortiProxy and the FortiSwitchManager. And we knew right off the bat those are some of their most heavily used products.
And for us to understand how this vulnerability worked and for us to actually help our clients and other people around the world understand it, we needed to get after it. So after that, James and I got on it, and then James can tell you what we did after we first heard.
>> Yeah. Take us through play by play.
>> Sure. So we saw it was a 9.8 CVSS, which means it's easy to exploit and low complexity and also kind of gives you the keys to the kingdom. So we like to see those because they're easy to find, easy to go after. They're big wins. So as soon as we saw this come out, we downloaded some firmware for FortiOS. And the first few hours were really about unpacking the firmware, seeing if we could even get it to run. We got it running a VMware VMDK file. And then we started to unpack the firmware to see what we could find inside. And that was probably at least half of the time. There seemed to be maybe a little bit of obfuscation in the firmware. We were able to analyze the VMDK files and get them mounted and we saw that they were, their operating system was compressed. And when we went to decompress them we were getting some strange decompression errors, corruption errors. And we were kind of scratching our heads a little bit, like you know, "What's going on here?" "These look like they're legitimately compressed files." And after a while we noticed they had what seemed to be a different decompression tool than what we had on our systems also in that VMDK. And so we were able to get that running and decompress the firmware. And from there we were off to the races to dive deeper into the differences between the vulnerable firmware and the patched firmware.
>> So the compressed files were hidden. They basically hid the compressed files.
>> Yeah, we're not so sure if they were intentionally obfuscated or maybe it was just a really old version of that compression algorithm. It was the XZ compression tool.
>> Got it. So what happens next? So take us through.
So you discovered, you guys tested. What do you guys do next? How did this thing... I mean, I saw the news, it hit heavily. You know, they updated, everyone updated their catalog for patching. So this kind of hangs out there. There's a time lag out there. What's the state of the security at that time? Say Friday, it breaks over the weekend, potentially a lot of attacks might have happened.
>> Yeah, so they chose to release this emergency pre-warning on Friday, which is a terrible day because most people are probably already swamped with work or checking out for the weekend. And by Sunday, James and I had actually figured out the vulnerability. Well, to make the timeline a little shorter. But generally what we do between when we discover or hear news of the CVE and when we actually POC it is there's a lot of what we call patch diffing. And that's when we take the patched version and the unpatched version and we run it through a tool that kind of shows us the differences. And those differences are really key insight into, "Hey, what was actually going on?" "How did this vulnerability happen?" So between Friday and Sunday, we were kind of scratching our heads and had some inspiration Sunday night and we actually figured it out. So Sunday night, we released news on Twitter that we had replicated the exploit. And the next day, Monday morning, finally, Fortinet actually released their PSIRT notice, where they actually announced to the world publicly that there was a vulnerability and here are the mitigation steps that you can take to mitigate the vulnerability if you cannot patch. And they also released some indicators of compromise but their indicators of compromise were very limited. And what we saw was a lot of people on social media, hey, asking like, "These indicators of compromise aren't sufficient." "We can't tell if we've been compromised." "Can you please give us more information?"
So because we already had the exploit, what we did was we exploited our test Fortinet devices in our lab and we collected our own indicators of compromise and we wrote those up and then released them on Tuesday, so that people would have a better indication to judge their environments if they've been already exploited in the wild by this issue. Which they also announced in their PSIRT that it was a zero-day being exploited in the wild. It wasn't a security researcher that originally found the issue.
>> So unpack the difference for the folks that don't know the difference between a zero-day versus a research note.
>> Yeah, so a zero-day is essentially a vulnerability that is exploited and taken advantage of before it's made public. An N-day, where a security researcher may find something and report it, that and then once they announce the CVE, that's considered an N-day. So once it's known, it's an N-day and once if it's exploited before that, it's a zero-day.
>> Yeah. And the difference is zero-day people can get in there and get into it. You guys saw it Friday on Twitter, you move into action, Fortinet goes public on Monday. The lag between those days is critical time. What was going on? Why are you guys doing this? Is this part of the autonomous pen testing product? Is this part of what you guys do? Why Horizon3.ai? Is this part of your business model? Or was this one of those things where you guys just jumped on it? Take us through Friday to Monday.
>> James, you want to take this one?
>> Sure. So we want to hop on it because we want to be able to be the first to have a tool that we can use to exploit our customer system in a safe manner to prove that they're vulnerable, so then they can go and fix it. So the earlier that we have these tools to exploit, the quicker our customers can patch and verify that they are no longer vulnerable. So that's the drive for us to go after these breaking exploits.
So like I said, Friday we were able to get the firmware, get it decompressed. We actually got a test system up and running, familiarized ourselves with the system a little bit. And we just started going through the patch. And one of the first things we noticed was in their API server, they had a diff where they started including some extra HTTP headers when they proxied a connection to one of their backend servers. And there were, I believe, three headers. There was a HTTP forwarded header, a Vdom header, and a Cert header. And so we took those strings and we put them into our de-compiled version of the firmware to kind of start to pinpoint an area for us to look because this firmware is gigantic. There's tons of files to look at. And so having that patch is really critical to being able to quickly reverse engineer what they did to find the original exploit. So after we put those strings into our firmware, we found some interesting parts centered around authorization and authentication for these devices. And what we found was when you set a specific forwarded header, the system, for lack of better term, thought that you were on the inside. So a lot of these systems they'll have kind of, two methods of entry. One is through the front door, where if you come in you have to provide some credentials. They don't really trust you. You have to provide a cookie or some kind of session ID in order to be allowed to make requests. And the other side is kind of through the back door, where it looks like you are part of the system itself. So if you want to ask for a particular resource, if you look like you're part of the system they're not going to scrutinize you too much. They'll just let you do whatever you want to do. So really the nature of this exploit was we were able to manipulate some of those HTTP headers to trick the system into thinking that we were coming in through the back door when we were really coming in through the front.
>> So take me through that impact.
That means remote execution. I can come in remotely and anonymous and act like I'm on the inside system.
>> Yeah.
>> And that's the keys to the kingdom as you said earlier, right?
>> Yeah. So the crux of the vulnerability is it allows you to make any kind of request you want to this system as if you were an administrator. So it lets you control the interfaces, set them up or down, lets you create packet captures, lets you add and remove users. And what we tried to do, which surprisingly the exploit didn't let us do was to create a new admin user. So there was some kind of extra code in there to stop somebody that did get that extra access to create an admin user. And so that kind of bummed us out. And so after we discovered the exploit we were kind of poking around to see what we could do with it, couldn't create an admin user. We were like, "Oh no, what are we going to do?" And eventually we came up with the idea to modify the existing administrator user. And that the exploit did allow us to do. So our initial POC, took some SSH keys adding them to an existing administrative user and then we were able to SSH in through the system.
>> Awesome. Great description. All right, so Zach, let's get to you for a second. So how does this happen? What does this... How did we get here? What was the motivation? If you're the chief attacker and you want to make this exploit happen, take me through what the other guy's thinking and what he did or she.
>> Sure. So you mean from like the attacker's perspective, why are they doing this?
>> Yeah. How'd this exploit happen?
>> Yeah.
>> And what was it motivated by? Was it a mistake? Was it intentional?
>> Yeah, ultimately, like, I don't think any vendor purposefully creates vulnerabilities, but as you create a system and it builds and builds, it gets more complex and naturally logic bugs happen. And this was a logic bug. So there's no blame Fortinet for like, having this vulnerability and like, saying it's like, a back door.
It just happens. You saw throughout this last year, F5 had a very similar vulnerability, VMware had a very similar vulnerability, all introducing authentication bypasses. So from the attacker's mindset, why they're actually going after this is a lot of these devices that Fortinet has, are on the edge of corporate networks and ransomware and whatever else. If you're an APT, you want to get into organizations. You want to get from the outside to the inside. So these edge devices are super important and they're going to get a lot of eyes from attackers trying to figure out different ways to get into the system. And as you saw, this was in the wild exploited and that's how Fortinet became aware of it. So obviously there are some attackers out there doing this right now.
>> Well, this highlights your guys' business model. I love what you guys do. I think it's a unique and needed approach. You take on the role of, I guess white hacker as... white hat hacker as a service. I don't know what to call it. You guys are constantly penetrating, testing, creating value for the customers to avoid in this case a product that's popular that just had the situation and needed to be resolved. And the hard part is how do you do it, right? So again, there's all these things are going on. This is the future of security where you need to have these, I won't say simulations, but constant kind of testing at scale.
>> Yeah.
>> I mean, you got the edge, it takes one little entry point to get into the network. It could be anywhere.
>> Yeah, it definitely security, it has to be continuous these days. Because if you're only doing a pen test once a year or twice a year you have a year to six months of risk just building and building. And there's countless vulnerabilities and countless misconfigurations that can be introduced into your network as the time goes on.
>> Well, autonomous pen testing-
>> Just because you're-
>> ... is great. That's awesome stuff.
I think it just frees up the talent in the organization to do other things and again, get on the real important stuff.
>> Just because your network was secure yesterday doesn't mean it's going to be secure today. So in addition to your defense in depth and making sure that you have all the right configurations, you want to be continuously testing the security of your network to make sure that no new vulnerabilities have been introduced.
>> And with the cloud native modern application environment we have now, hardware's got to keep up. More logic potential vulnerability could emerge. You just never know when that one N-vulnerability is going to be there. And so constantly looking out for is a really big deal.
>> Definitely. Yeah, the switch to cloud and moving into hybrid cloud has introduced a lot more complexity in environments. And it's definitely another hole attackers are going after.
>> All right. Well I got you guys here. I really appreciate the commentary on this vulnerability and this exploit opportunity that Fortinet had to move fast and you guys helped them and the customers. In general, as you guys see the security business now and the practitioners out there, there's a lot of pain points. What are the most powerful acute pain points that the security ops guys (laughing) are dealing with right now? Is it just the constant barrage of attacks? What's the real pain right now?
>> I think it really matters on the organization. I think if you're looking at it from an in-the-news level, where you're constantly seeing all these security products being offered. The reality is, is that the majority of companies in the US actually don't have a security staff. They maybe have an IT guy, just one and he's not a security guy. So he's having to manage helping his company have the resources he needs, but also then he's overwhelmed with all the security things that are happening in the world. So I think really time and resources are the pain points right now.
>> Awesome.
James, any comment?
>> Yeah, just to add to what Zach said, these IT guys they're put under pressure. These Fortinet devices, they could be used in a company that just recently transitioned to a lot of work from home because of COVID and whatnot. And they put these devices online and now they're under pressure to keep them up to date, keep them configured and keep them patched. But anytime you make a change to a system, there's a risk that it goes down. And if the employees can't VPN or log in from home anymore, then they can't work. The company can't make money. So it's really a balancing act for that IT guy to make sure that his environment is up to date, while also making sure it's not taken down for any reason. So it's a challenging position to be in and prioritizing what you need to fix and when is definitely a difficult problem.
>> Well, this is a great example, this news article and this Fortinet news highlights the Horizon3.ai advantage and what you guys do. I think this is going to be the table stakes for security in the industry as people have to build their own, I call it the militia. You got to have your own testing. (laughing) You got to have your own way to help protect yourself. And one of them is to know what's going on all the time every day, today and tomorrow. So congratulations and thanks for sharing the exploit here on this zero-day flaw that was exposed. Thanks for coming on.
>> Yeah, thanks for having us.
>> Thank you.
>> Okay. This is theCube here in Palo Alto, California. I'm John Furrier. You're watching security update, security news, breaking down the exploit, the zero-day flaw that was exploited, at least one attack that was documented. Fortinet devices now identified and patched. This is theCube. Thanks for watching.
(upbeat music)
Thomas Bienkowski, Netscout |Netscout Advanced NPR Panel 7 22
>>EDR, NDR, what are the differences? Which one's better? Are they better together? Today's security stack contains a lot of different tools and types of data and unfortunately, as you know, this creates data silos, which leads to visibility gaps. EDR is endpoint detection and response. It's designed to monitor and mitigate endpoint attacks, which are typically focused on computers and servers. NDR, network detection and response, on the other hand, monitors network traffic to gain visibility into potential or active cyber threats, delivering real-time visibility across the broader network. One of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily. Network data, on the other hand, much harder to manipulate. Because attackers and malware can avoid detection at the endpoint, NDR, as you're gonna hear, is the only real source for reliable, accurate, and comprehensive data.
>>All endpoints use the network to communicate, which makes your network data the ultimate source of truth. My name is Lisa Martin, and today on the special Cube presentation, Tom Bienkowski, senior director of product marketing at Netscout, and I are gonna explore the trends and the vital reasons why relying upon EDR is not quite enough. We're also gonna share with you the growing importance of advanced NDR. Welcome to the series, The Growing Importance of Advanced NDR. In the first segment, Tom's gonna talk with me about the trends that are driving enterprise security teams to implement multiple cyber security solutions that enable greater visibility, greater protection. We're also gonna explore Gartner's concept of the security operations center, SOC visibility triad, and the three main data sources for visibility: SIEM, EDR and NDR. In segment two, Tom and I will talk about the role of NDR and how it overcomes the challenges of EDR. As Tom's gonna discuss, as you'll hear, EDR is absolutely needed, but as he will explain, it can't be solely relied upon for comprehensive cybersecurity. And then finally, we'll come back for a third and final segment to discuss why not all NDR is created equal. Tom's gonna unpack the features and the capabilities that are most important when choosing an NDR solution. Let's do this. Here comes our first segment.
>>Hey, everyone, kicking things off. This is segment one. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome to The Growing Importance of Advanced NDR. Tom, great to have you on the program.
>>Glad to be here.
>>So we're gonna be talking about the trends that are driving enterprise security teams to implement multiple cyber security solutions that really enable greater visibility and protection. And there are a number of factors that continue to expand the attack surface for enterprise networks. I always like to think of them as kind of spreading amorphously. You had shared some stats with me previously, Tom, some cloud adoption stats for 2022: 94% of all enterprises today use a cloud service and more than 60% of all corporate data is stored in the cloud. So, Tom, what are some of the key trends that Netscout is seeing in the market with respect to this?
>>Yeah, so just to continue that, you know, those stats that, that migration of workloads to the cloud is a major trend that we're seeing in that was exasperated by the pandemic, right along with working from home. Those two things are probably the most dramatic changes that we see out there today. But along with that is also this growing sophistication of the network, you know, today, you know, your network environment, isn't a simple hub and spoke or something like that.
It is a very sophisticated combination of, you know, high speed backbones, potentially up to a hundred gigabits combination with partner networks. You have, like we said, workloads up in, in private clouds, public clouds. So you have this hybrid cloud environment. So, and then you have applications that are multi-tiered, there are pieces and parts. And in all of that, some on your premise, some up in a private cloud, some on a public cloud, some actually pulling data off, you know, a customer network or potentially even a, a partner network. So really, really sophisticated environment today. And that's requiring this need for very comprehensive network visibility, not only for, for cybersecurity purposes, but also just to make sure that those applications and networks are performing as you have designed them.
>>So when it comes to gaining visibility into cyber threats, I, you talked about the, the sophistication and it sounds like even the complexity of these networks, Gartner introduced the concept of the security operations visibility triad, or the SOC visibility triad. Break that down for us. It consists of three main data sources, but to break those three main data sources down for us.
>>Sure. So Gartner came out a few years ago where they were trying to, you know, summarize where do security operations team get visibility into threats and they put together a triad and the three sides of the triad consists of one, the SIEM, security information event manager, two, the endpoint or, or data that you get from EDR systems, endpoint detection, response systems. And the third side is the network or the data you get from network detection, response systems. And, you know, they didn't necessarily say one is better than the other. They basically said that you need all three in order to have comprehensive visibility for cybersecurity purposes.
>>So talk, so all, all three perspectives are needed.
Talk about what each provides, what are the different perspectives on threat detection and remediation?
>>Yeah. So let's start with the SIEM, you know, that is a device that is gathering alerts or logs from all kinds of different devices all over your network. Be it routers, servers, you know, firewalls, IDS, or even from endpoint detection and network detection devices too. So it is, it is the aggregator or consumer of all those alerts. The SIEM is trying to correlate those alerts across all those different data sources and, and trying to the best it can to bubble up potentially the highest priority alerts or drawing correlations and, and, and, and giving you some guidance on, Hey, here's something that we think is, is really of importance or high priority. Here's some information that we have across these disparate data sources. Now go investigate. The disadvantage of the SIEM is that's all it gives you is just these logs or, or, or information. It doesn't give you any further context.
>>Like what happened, what is really happening at the end point? Can I get visibility into the, into the files that were potentially manipulated or the, the registry setting or what, what happened on the network? Can I get visibility into the packet data or things like that? It that's, so that's where it ends. And, and that's where the, so the other two sides of the equation come in, the endpoint will give you that deeper visibility, endpoint detection response. It will look for known and or unknown threats, you know, at that endpoint, it'll give you all kinds of additional information that is occurring in endpoint, whether it be a registry setting in memory on the file, et cetera. But you know, one of, some of its disadvantages, it's really difficult to deploy pervasively because it requires an agent and, you know, not all devices can accept an agent, but what it misses, what is lacking is the context on the network.
>>So if I was an analyst and I started pursuing from my SIEM, I went down to the end point and, and said, I wanna investigate this further. And I hit a, I hit a dead end from some sort, or I realize that the device that's potentially I should be alerted to, or should be concerned about is an IoT device that doesn't even have an agent on it. My next source of visibility is on the network and that's where NDR comes in. It, it sees what's traversing the entire network, provides you visibility into that from both a metadata and even ultimately a packet perspective. And maybe, you know, could be deployed a little bit more strategically, but you know, it doesn't have the perspective of the endpoint. So you can see how each of these sort of complements each other. And that's why, you know, Gartner said that, that you need 'em all, then they all play a role. They all have their pros and cons or advantage and disadvantages, but, you know, bringing them and using 'em together is, is the key.
>>I wanna kinda dig into some of the, the EDR gaps and challenges, as you talked about as, as the things evolve and change the network, environment's becoming far more sophisticated and as well as threat actors are, and malware is. So can you crack that open more on some of the challenges that EDR is presenting? What are some of those gaps and how can organizations use other, other, other data sources to solve them?
>>Yeah, sure. So, you know, again, just be clear that EDR is absolutely required, right?
We, we need that, but as sort of these network environments get more complex, are you getting all kinds of new devices being put on the network that devices being brought into the network that maybe you didn't know of, BYOD devices. You have IoT devices, you know, popping up potentially by the thousands in, in, in some cases when new applications or world that maybe can't accept an endpoint detection or an EDR agent, you may have environments like ICS and SCADA environments that just, you can't put an endpoint agent there. However, those devices can be compromised, right? You have different environments up in the cloud or SaaS environments again, where you may not be able to deploy an endpoint agent and all that together leaves visibility gaps or gaps in, in, in the security operation triad. Right. And that is basically open door for exploitation
>>Open door. Go ahead. Sorry.
>>Yeah. And then, then you just have the malware and the, and the attackers getting more sophisticated. They, they have malware that can detect an EDR agent running or some anti malware agent running on device. And they'll simply avoid that and move on to the next one, or they know how to hide their tracks, you know, whether it be deleting files, registry, settings, things like that. You know, so it's, that's another challenge that, that, that just an agent faces. Another one is there are certain applications like MySQL that are, you know, have administrative rights into certain parts of the Windows operating system that EDR doesn't have visibility into. Another area that maybe EDR may not have visibility is, is, is in, you know, malware that tries to compromise, you know, hardware, especially like BIOS or something like that. So there's a number of challenges as sort of the whole network environment and sophistication of bad actors and malware increases.
>>Ultimately, I think one of the things that, that we've learned, and, and we've heard from you in this segment, is that doing business in, in today's digital economy, demands, agility, table stakes, right? Absolutely essential corporate digital infrastructures have changed a lot in response to the dynamic environment, but its businesses are racing to the clouds. Dave Vellante likes to call it the forced march to the cloud, expanding activities across this globally distributed digital ecosystem. They also sounds like need to reinvent cybersecurity to defend this continuously expanding threat surface. And for that comprehensive network, visibility is, as I think you were saying is really, really fundamental and more advanced network detection is, and responses required. Is that right? >>That's correct. You know, you know, we, we at Netscout, this is, this is where we come from. Our perspective is the network. It has been over for over 30 years. And, and we, as well as others believe that that network visibility, comprehensive network visibility is fundamental for cyber security as well as network performance and application analysis. So it, it, it's sort of a core competency or need for, for modern businesses today. >>Excellent. And hold that thought, Tom, cause in a moment, you and I are gonna be back to talk about the role of NDR and how it overcomes the challenges of EDR. You're watching theCube, the leader in enterprise tech coverage. Hey everyone, welcome back. This is segment two kicking things off I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout, Tom, great to have you back on the program. >>Good to be here. >>We're gonna be talking about the growing importance of advanced NDR in this series. In this segment specifically, Tom's gonna be talking about the role of NDR and how it overcomes the challenges of EDR.
So Tom, one of the things that we talked about previously is one of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily, whereas network data, much harder to manipulate. So my question, Tom, for you is, is NDR the only real source for reliable, accurate, comprehensive data. >>I'm sure that's arguable, right? Depending on who you are as a vendor, but you know, it's, it's our, our answer is yes, NDR solutions also bring an analyst down to the packet level. And there's a saying, you know, the, the packet is the ultimate source or source of truth. A bad actor cannot manipulate a packet. Once it's on the wire, they could certainly manipulate it from their end point and then blast it out. But once it hits the wire, that's it they've lost control of it. And once it's captured by a network detection or, or network monitoring device, they can't manipulate it. They can't go into that packet store and, and manipulate those packets. So the ultimate source of truth is, is lies within that packet somewhere. >>Got you. Okay. So as you said in segment one EDR absolutely necessary, right. But you did point out it can't organizations can't solely rely on it for comprehensive cybersecurity. So Tom, talk about the benefits of, of this complementing, this combination of EDR and NDR and, and how can that deliver more comprehensive cybersecurity for organizations? >>Yeah, so, so one of the things we talked about in the prior segment was where EDR, maybe can't be deployed and it's either on different types of devices like IoT devices, or even different environments. They have a tough time maybe in some of these public cloud environments, but that's where NDR can, can step in, especially in these public cloud environments. So I think there's a misconception out there that's difficult to get packet level or network visibility and public clouds like AWS or Azure or Google and so on. And that's absolutely not true.
They have all kinds of virtual tapping capabilities that an NDR solution or network based monitoring solution could take advantage of. And one of the things that we know we spoke about before some of that growing trends of migrating workloads to the cloud, that's what's driving that those virtual networks or virtual taps is providing visibility into the performance and security of those workloads. >>As they're migrated to public clouds, NDR can also be deployed more strategically, you know, prior segment talking about how the, in order to gain pervasive visibility with EDR, you have to deploy an agent everywhere agents can't be deployed everywhere. So what you can do with NDR is there's a lot fewer places in a network where you can strategically deploy a network based monitoring device to give you visibility into not only that north south traffic. So what's coming in and out of your network, but also the, the, the, the east west traffic too, what's traversing, you know, within your network environment between different points of your op your, your multi-tiered application, things like that. So that's where, you know, NDR has a, a, a little bit more advantage. So fewer points of points in the network, if you will, than everywhere on every single endpoint. And then, you know, NDR is out there continuously gathering network data. It's both either before, during, and even after a threat or an attack is, is detected. And it provides you with this network context of, of, you know, what's happening on the wire. And it does that through providing you access to, you know, layer two through layer seven metadata, or even ultimately packets, you know, the bottom line is simply that, you know, NDR is providing, as we said before, that that network context that is potentially missing or is missing in EDR.
>>Can you talk a little bit about XDR that kind of sounds like a superhero name to me, but this is extended detection and response, and this is an evolution of EDR talk to us about XDR and maybe EDR NDR XDR is really delivering that comprehensive cybersecurity strategy for organizations. >>Yeah. So, you know, it's, it's interesting. I think there's a lot of confusion out there in the industry. What is, what is XDR, what is XDR versus an advanced SIEM, et cetera. So in some cases, there are some folks that don't think it's just an evolution of EDR. You know, to me, XDR is taking, look at these, all these disparate data sources. So going back to our, when our first segment, we talked about the, the, the security operations center triad, and it has data from different perspectives, as we were saying, right? And XDR, to me is the, is, is trying to bring them all together. All these disparate data source sets or sources bring them together, conduct some level of analysis on that data for the analyst and potentially, you know, float to the top. The most, you know, important events are events that we, that you know, that the system deems high priority or most risky and so on. But as I, as I'm describing this, I know there are many advanced SIEMs out there trying to do this today too. Or they do do this today. So this there's this little area of confusion around, you know, what exactly is XDR, but really it is just trying to pull together these different sources of information and trying to help that analyst figure out, you know, what, where's the high priority event that's they should be looking at, >>Right? Getting those high priority events elevated to the top as soon as possible. One of the things that I wanted to ask you about was something that occurred in March of this year, just a couple of months ago, when the White House released a statement from President Biden regarding the nation's cyber security, it included recommendations for private companies.
I think a lot of you are familiar with this, but the first set of recommendations were best practices that all organizations should already be following, right? Multifactor authentication, patching against known vulnerabilities, educating employees on the phishing attempts on how to be effective against them. And the next statement in the president's release, focus on data safety practices, also stuff that probably a lot of corporations doing encryption maintaining offline backups, but where the statement focused on proactive measures companies should take to modernize and improve their cybersecurity posture. It was vague. It was deploy modern security tools on your computers and devices to continuously look for and mitigate threats. So my question to you is how do, how do you advise organizations do that? Deploy modern security tools look for and mitigate threats, and where do the data sources, the SOC triad that we talked about NDR XDR EDR, where did they help fit into helping organizations take something that's a bit nebulous and really figure out how to become much more secure? >>Yeah, it was, it was definitely a little vague there with that, with that sentence. And also if you, if you, I think if, if you look at the sentence, deploy modern security tools on your computers and devices, right. It's missing the network as we've been talking about there, there's, there's a key, key point of, of reference that's missing from that, from that sentence. Right. But I think what they mean by deploying modern security tools is, is really taking advantage of all these, these ways to gain visibility into, you know, the threats like we've been talking about, you're deploying advanced SIEMs that are pulling logs from all kinds of different security devices or, and, or servers, et cetera. You're, you're deploying advanced endpoint detection systems, advanced NDR systems.
And so on, you're trying to use, you're trying to utilize XDR new technology to pull data from all those different sources and analyze it further. And then, you know, the other one we, we haven't even mentioned yet. It was the, SOAR, the security operation and automation, right. Response it's now, now what do we do? We've detected something, but now help me automate the response to that. And so I think that's what they mean by leveraging modern, you know, security tools and so on >>When you're in customer conversations, I imagine they're coming to, to Netscout looking for advice like what we just talked through the vagueness in that statement and the different tools that organizations can use. So when you're talking to customers and they're talking about, we need to gain visibility across our entire network, across all of our devices, from your perspective from Netscout's perspective, what does that visibility actually look like and deliver across an organization that does it well? >>Yeah, we, I mean, I think the simple way to put it is you need visibility. That is both broad and deep. And what I mean by broad is that you need visibility across your network, no matter where that network may reside, no matter what protocols it's running, what, you know, technologies is it, is it virtualized or, or legacy running in a hundred gigabits? Is it in a private cloud, a public cloud, a combination of both. So that broadness, meaning wherever that network is or whatever it's running, that's, that's what you need visibility into. It has to be able to support that environment. Absolutely. And the, the, absolutely when I, we talk about being deep it's, it has to get down to a packet level. It can't be, you know, as high as say, just looking at NetFlow records or something like that, that they are valuable, they have their role.
However, you know, when we talk about getting deep, it has to ultimately get down to the packet level and that's, and we've said this in this time that it's ultimately that source of truth. So that, that's what that's, I think that's what we need. >>Got it. That that depth is incredibly important. Thanks so much, Tom, for talking about this in a moment, you and I are gonna be back, we're gonna be talking about why not all NDR is created equally, and Tom's gonna actually share with you some of the features and capabilities that you should be looking for when you're choosing an NDR solution. You're watching theCube, the leader in enterprise tech coverage, >>And we're clear. >>All right. >>10 45. Perfect. You guys are >>Okay. Good >>Cruising. Well, >>Welcome back everyone. This is segment three. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome back to the growing importance of advanced NDR in this segment, Tom and I are gonna be talking about the fact that not all NDR is created equally. He's gonna unpack the features, the capabilities that are most important when organizations are choosing an NDR solution. Tom, it's great to have you back on the program. >>Great, great to be here. >>So we've, we've covered a lot of content in the first two segments, but as we, as we see enterprises expanding their IT infrastructure, enabling the remote workforce, which is here to stay leveraging the cloud, driving innovation, the need for cybersecurity approaches and strategies that are far more robust and deep is really essential. But in response to those challenges, more and more enterprises are relying on NDR solutions that fill some of the gaps that we talked about with some of the existing tool sets in the last segment, we talked about some of the gaps in EDR solutions, how NDR resolves those. But we also know that not all NDR tools are created equally.
So what, in your perspective, Tom are some of the absolutely fundamental components of NDR tools that organizations need to have for those tools to really be robust. >>Yeah. So we, we, we touched upon this a little bit in the previous segment when we talked about first and foremost, your NDR solution is providing you comprehensive network visibility that must support whatever your network environment is. And it should be in a single tool. It shouldn't have a one vendor per providing you, you know, network visibility in the cloud and another vendor providing network visibility in a local network. It should be a single NDR solution that provides you visibility across your entire network. So we also talked about it, not only does it need to be broad like that, but also has to be deep too, eventually down to a packet level. So those are, those are sort of fundamental table stakes, but the NDR solution also must give you the ability to access a robust source of layer two or layer three metadata, and then ultimately give you access to, to packets. And then last but not least that solution must integrate into your existing cybersecurity stack. So in the prior segments, we talked a lot about, you know, the, the SIEM, so that, that, that NDR solution must have the ability to integrate into that SIEM or into your XDR system or even into your SOAR system. >>Let's kind of double click on. Now, the evolution of NDR can explain some of the differences between the previous generations and advanced NDR. >>Yeah. So let's, let's start with what we consider the most fundamental difference. And that is solution must be packet based. There are other ways to get network visibility. One is using NetFlow and there are some NDR solutions that rely upon NetFlow for their source of, of, of visibility. But that's too shallow. You ultimately, you need to get deeper.
You need to get down to a packet level and that's again where some, so, you know, you, you want to make sure that your NDR or advanced NDR solution is packet based. Number two, you wanna make sure that when you're pulling packets off the wire, you can do it at scale, that full line rate and in any environment, as we, as we spoke about previously, whether it be your local environment or a public cloud environment, number three, you wanna be able to do this when your traffic is encrypted. As we know a lot of, lot of not of network traffic is encrypted today. So you have the ability to have to have the ability to decrypt that traffic and then analyze it with your NDR system. >>Another, another, another one number four is, okay, I'm not just pulling packets off the wire, throwing full packets into a data storage someplace. That's gonna, you know, fill up a disc in a matter of seconds, right? You want the ability to extract a meaningful set of metadata from layer two to layer seven, the OSI model look at key metrics and conducting initial set of analysis, have the ability to index and compress that data, that metadata as well as packets on these local storage devices on, you know, so having the ability to do this packet capture at scale is really important, storing that packets and metadata locally versus up in a cloud to, you know, help with some compliance and, and confidentiality issues. And then, you know, last final least when we talk about integration into that security stack, it's multiple levels of integration. Sure. We wanna send alerts up into that SIEM, but we also want the ability to, you know, work with that XDR system to, or that, that SOAR system to drill back down into that metadata packets for further analysis.
And then last but not least that piece of integration should be that there's a robust set of information that these NDR systems are pulling off the wire many times in more advanced mature organizations, you know, security teams, data scientists, et cetera. They just want access to that raw data, let them do their own analysis outside, say the user interface with the boundaries of a, of a vendor's user interface. Right? So have the ability to export that data too is really important in advanced NDR systems. >>Got it. So, so essentially that the, the, the breadth, the visibility across the entire infrastructure, the depth you mentioned going down to a packet level, the scale, the metadata encryption, is that what Netscout means when you talk about visibility without borders? >>Yeah, exactly. You know, we, we have been doing this for over 30 years, pulling packets off of wire, converting them using patented technology to a robust set of metadata, you know, at, at full line rates up to a hundred in any network environment, any protocols, et cetera. So that, that's what we mean by that breadth. And in depth of visibility, >>Can you talk a little bit about smart detection if we say, okay, advanced NDR needs to deliver this threat intelligence, but it also needs to enable smart detection. What does Netscout mean by that? >>So what you wanna make sure you have multiple methods of detection, not just a methods. So, you know, not just doing behavioral analysis or not just detecting threats based on known indicators of compromise, what you wanna wanna have multiple ways of detecting threats. It could be using statistical behavioral analysis. It could be using curated threat intelligence. It could be using, you know, open source signature engine, like from Suricata or other threat analytics, but to, but you also wanna make sure that you're doing this both in real time and have the ability to do it historically.
So after a, a threat has been detected, for example, with another, with another product, say an EDR device, you now want the ability to drill into the data from the network that had occurred in, in, you know, prior to this. So historically you want the ability to comb through a historical set of metadata or packets with new threat intelligence that you've you've gathered today. I wanna be able to go back in time and look through with a whole new perspective, looking for something that I didn't know about, but you know, 30 days ago. So that's, that's what we, what we mean by smart detection. >>So really what organizations need is these tools that deliver a far more comprehensive approach. I wanna get into a little bit more on in integration. You talked about that in previous segments, but can you, can you give us an example of, of what you guys mean by smart integration? Is that, what does that deliver for organizations specifically? >>Yeah, we really it's three things. One will say the integration to the SIEM to the security operations center and so on. So when, when an ed, when an NDR device detects something, have it send an alert to the SIEM using, you know, open standards or, or, or like syslog standards, et cetera, the other direction is from the SIEM or from the SOAR. So one, you know, that SIEM, that SOAR is receiving information from many different devices that are, or detecting threats. The analyst now wants the ability to one determine if that's a true threat or not a false positive, if it is a true threat, you know, what help me with the remediation effort. So, you know, an example could be an alert comes into a SIEM/SOAR, and part of the playbook is to go out and grab the metadata packets associated with this alert sometime before and sometime after when that alert came in. >>So that could be part of the automation coming from the SIEM/SOAR.
And then last one, not least is we alluded to this before is having the ability to export that robust set of layer two through layer seven metadata and or packets to a third party data lake, if you will, and where analysts more sophisticated analysts, data scientists, and so on, can do their own correlation, enrich it with their own data, combined it with other data sets and so on, do their own analysis. So it's that three layers of, of integration, if you will, that really what should be an advanced NDR system? >>All right, Tom, take this home for me. How does Netscout deliver advanced NDRs for organizations? >>We do that via solution. We call Omnis Security. This is Netscout's portfolio of, of multiple different cyber security products. It all starts with the packets. You know, our core competency for the last 30 years has been to pull packets off the wire at scale, using patented technologies, for example, Adaptive Service Intelligence technologies to convert those broad packets into robust set of layer seven layer two through seven metadata. We refer to that data as smart data with that data in hand, you now have the ability to conduct multiple types of threat detection using statistical behavioral, you know, curated threat intelligence, or even open source. So rules engine, you have the ability to detect threats both in real time, as well as historically, but then a solution goes beyond just detecting threats or investigating threats has the ability to influence the blocking of threats too. So we have integrations with different firewall vendors like Palo Alto, for example, where they could take the results of our investigation and then, you know, create policies, blocking policies into firewall. >>In addition to that, we have our own Omnis AED product or our Arbor Edge Defense. That's, that's a product that sits in front of the firewall and protects the firewall from different types of attacks.
We have integration that where you can, you can also influence policies being blocked in the AED and in last but not least, our, our solution integrates this sort of three methods of integration. As we mentioned before, with an existing security system, sending alerts to it, allowing for automation and investigation from it, and having the ability to export our data for, you know, custom analysis, you know, all of this makes that security stack that we've been talking about better, all those different tools that we have. That's that operations triads that we talked about or visibility triad, we talked about, you know, our data makes that entire triad just better and makes the overall security staff better and makes overall security just, just better too. So that, that that's our solution Omnis Security. >>Got it. Omnis Security. And what you've talked about did a great job. The last three segments talking about the differences between the different technologies, data sources, why the complementary and collaborative nature of them working together is so important for that comprehensive cybersecurity. So Tom, thank you so much for sharing such great and thoughtful information and insight for the audience. >>Oh, you're welcome. Thank you. >>My pleasure. We wanna thank you for watching the program today. Remember that all these videos are available at thecube.net, and you can check out today's news on siliconangle.com and of course, netscout.com. We also wanna thank Netscout for making this program possible and sponsoring theCube. I'm Lisa Martin for Tom Bienkowski. Thanks for watching and bye for now.
3 3 Administering Analytics v4 TRT 20m 23s
>>Yeah. >>All right. Welcome back to our third session, which is all about administering analytics at Global Scale. We're gonna be discussing how you can implement security, data compliance and governance across the globe for large numbers of users to ensure ThoughtSpot is open for everyone across your organization. So coming right up is Cheryl Zang, who is a senior director of product management at ThoughtSpot, and Kendrick. He threw the sports sports director of Systems Engineering. So, Cheryl and Kendrick, the floor is yours. >>Thank you, Tina, for the introduction. So let's talk about analytics scale on. Let's understand what that is. It's really three components. It's the access to not only data but its technology, and we start looking at the intersection of that is the value that you get as an organization. When you start thinking about analytics scale, a lot of times we think of analytics at scale and we look at the cloud as the A seven m for it, and that's a That's an accurate statement because people are moving towards the cloud for a variety of reasons. And if you think about what's been driving, it has been the applications like Salesforce, Forcados, MongoDB, among others. And it's actually part of where we're seeing our market go where 64% of the companies are planning to move their analytics to the cloud. And if you think of ThoughtSpot specifically, we see that vast majority of our customers are already in the cloud with one of the Big Four Cloud Data warehouses, or they're evaluated. And what we found, though, is that even though companies are moving their analytics to the cloud, we have not solved. The problem of accessing the data is a matter of fact. Our customers. They're telling us that 10 to 25% of that data warehouse that they're leveraging, they've moved and I'm utilizing.
And if you look at in General, Forrester says that 60 to 73% of data that you have is not being leveraged, and if we think about why you go through, you have this process of taking enterprise data, moving it into these cubes and aggregates and building these reports dashboards. And there's this bottleneck typically of that BI team, and at the end of the day, the people that are getting that data on the right hand side are only anywhere from 20 to 30% of the population when companies want to be data driven is 20 to 30% of the population. Really what you're looking for now it's something north of that. And if you think of Cloud data warehouses being the the process and you bring Cloud Data Warehouse and it's still within the same framework. You know? Why invest? Why invest and truly not fix the problem? And if you take that out and your leverage okay, you don't necessarily have the You could go directly against the warehouse, but you're still not solving the reports and dashboards. Why investing truly not scale? It's the three pillars. It's technology, it's data, and it's a accessibility. So if we look at analytics at scale, it truly is being able to get to that north of the 20 to 30% have that BI team become enablers, often organization. Have them be able to work with the data in the Cloud Data warehouse and allow the sales, marketing, finance, supplies and then HR get direct access to that. Ask their own questions to be able to leverage that to be able to do that. You really have to look at your modern data architecture and figure out where you are in this maturity, and then they'll be able to build that out. So you look at this from the left to right and sources. It's ingestion transformation. It's the storage that the technology brains e. It's the data from a historical predictive perspective. And then it's the accessibility. So it's technology. It's data accessibility. And how do you build that?
Well, if you look at it from a ThoughtSpot perspective, it truly is taking and driving and leveraging the cloud data warehouse architectures, interrogated, essay behind it. And then the accessibility is the search, answers, pinboards and embedded analytics. If you take that and extend it where you want to augment it, it's adding our partners from an ETL or ELT perspective like Alteryx, Talend, Matillion, streaming data from Databricks, or if you wanna leverage your cloud data warehouse as a data lake and then leverage the Martin capability of your cloud data warehouse. The augmentation, leveraging Alteryx, Databricks and DataRobot. And that's where your data side of that pillar gets stronger, the technologies are enabling it. And then the accessibility from the output is ThoughtSpot. Now, if you look at ThoughtSpot's why, and how do we make this technology accessible? What's the user experience? We allow an organization to go from 20 to 30% of the population having access to data to what it means to be truly data driven by our users. That user experience is enabled by our ability to lead a person through the search process. There are search index and rankings. This is built for search for corporate data on top of the cloud data warehouse, on top of the data that you need, to be able to allow a person who doesn't understand analytics to get access to the data and the questions they need to answer. Our query engine makes it simple for customers to ask those questions, and what you might think are not complex business questions, but they turn into complex queries in the back end that someone typically, that power user, needs to know. Our query engine isolates that from an end user and allows them to ask that question and drive that query. And it's built on an architecture that allows us to change and adapt to the types of things.
It's a microservices architecture, that we've not only gone from an on-prem system to our cloud offering, in a matter of really true these 23 years. And it's amazing. The reason why we can do that and, in a sense, future-proof your investment, it's because of the way we've developed this. It's cloud first, it's microservices. It's able to drive. So with this architecture that we've talked about, we've seen in different conversations at Beyond, it's ThoughtSpot Everywhere, which allows us to take ThoughtSpot One, our ability to search, for search data, for auto analyze, the Monitor, with that governed security in the background, and being able to leverage that not only internally but externally, and then being able to take ThoughtSpot Modeling Language for that analyst and that person who's just really good at creating, and let them create these models that could be deployed anywhere very, very quickly, and then taking advantage of the cloud data warehouse or the technology that you have and really give you accessibility, the technology that you need, as well as the data that you need. That's what you need to be able to administer, uh, to take analytics at scale. So what I'm gonna do now is I'm gonna turn it over to Cheryl and she's gonna talk about administration in ThoughtSpot. Cheryl, >>Thank you very much, Kendrick. Today I'm going to show you how you can administer and manage ThoughtSpot for your organization >>covering >>three main topics: the user management, >>data management and >>also user adoption and performance monitoring. Let's jump into the demo. >>In the ThoughtSpot application, the Admin Console provides all the core functions needed for system level administration. Let's start with user management and authentication. With the Users tab, you can add or delete a user, or you can modify the settings for an existing user, for example, user name, password, email. Or you can add the user to a different group with the Groups tab.
You can add or delete a group, or you can manage the group settings, for example, privileges associated with all the group members: for example, can administer ThoughtSpot, can share data with all users, or can manage data. This can manage data privilege is very important. It grants a user the privileges to add a data source, add tables and worksheets, and manage data for different organizations or use cases without being an admin. There is also a field called Default Pinboard. You can select a set of pinboards that will be shown to all of the users in that group on their homepage. In terms of authentication, currently we support three different methods: local, Active Directory and SAML. By default, local authentication is enabled, and you can also choose to have SAML integration with an external identity provider. Currently, we support Okta, Ping Identity, SiteMinder or ADFS. The third method is integration with Active Directory. You can configure integration with LDAP through Active Directory, allowing you to authenticate users against an LDAP server. Once the users and groups are added to the system, we can share pinboards with them or they can search to ask and answer their own questions. To create searchable data, we first need to connect to our data warehouses with Embrace. You can directly query the data as it exists in the data warehouse without having to move or transfer the data. In this page, you can add a connection to any of the six supported data warehouses. Today we will be focusing on the administrative aspect of the data management. So I will close the tab here and we will be using the connections that are already set up. Under the Data Objects tab, we can see all of the tables from the connections. Sometimes there are a lot of tables, and it may be overwhelming for the administrator to manage the data. As a best practice, we recommend using stickers to organize your data sets. Here, we're going to select the Salesforce sticker.
This will refine the list of tables to those coming from Salesforce only. This helps with data lineage and traceability, because worksheets are curated data that's based on those tables. Let's take a look at this worksheet. Here we can see the joins between tables that created a schema. Once the data analyst has created the tables and worksheets, the data is searchable by end users. Let's go to search. First, let's select the data source. Here, we can see all of the data that we have been granted access to see. Let's choose the Salesforce sticker and we will see all of the tables and worksheets that are available to us as a data source. Let's choose this worksheet as a data source. Now we're ready to search. The search insight can be saved either into a pinboard or an answer. Okay, it's important to know that the sticker actually persists with pinboards and answers. So when the users log in, they will be able to see all of the content that's available to them. Let's go to the Admin Console and check out the User Adoption pinboard. The User Adoption pinboard contains essential information about your ThoughtSpot users and their adoption of the platform. Here, you can see daily active user, weekly active user and monthly active user counts in the last 30 days. You can also see the total count of the pinboards and answers that are saved in the system. Here, you can see the unique count of users. Now, you can also find out the top 10 users in the last 30 days, the top 10 pinboard consumers and top 10 ad hoc searchers. Here, you can see the trending of weekly active users, daily active users and hourly active users over time. You can also get information about popular pinboards and user actions in the last one month. Now let's zoom in into this chart. With this chart, you can see weekly active users and how they're using ThoughtSpot. In this example, you can see 60% of the time people are doing ad hoc search.
If you would like to see what people are searching, you can do a simple drill down on query text. Here we can find out the most popular query text that's being used is number of the opportunities. At last, I would like to show you a system performance tracking pinboard that's available to the admins. This pinboard contains essential information about your ThoughtSpot instance performance. Use this pinboard to understand the query latency, user traffic, how users are interacting with ThoughtSpot, most frequently loaded tables and so on. The last component to scaling hundreds of users is a great onboarding experience. A new feature we call Search Assist helps automate onboarding while ensuring new users have the foundation they need to be successful on day one. When new users log in for the first time, they're presented with personalized sample searches that are specific to their data set. In this example, someone in a sales organization would see questions like: What were sales by product type in 2020? From there, a guided step by step process helps introduce new users to search, ensuring a successful onboarding experience. The Search Assist Coach is a customized in-product walkthrough that uses your own data and your own business vocabulary to take your business users from unfamiliar to near fluent in minutes. Instead of showing the entire end user experience today, I will focus on the setup and administration side of Search Assist. Search Assist is easy to set up at worksheet level with flexible options for multiple guided lessons. Using a preview template, we help you create multiple learning paths based on department or based on your business users' needs. To set up a learning path, you're simply filling the template with relevant search examples while previewing what the end user will see, and then increase the complexity with each additional question to help your users progress. >>In summary.
It is easy to administer user management, data management and the user adoption at scale using the ThoughtSpot Admin Console. Back to you, Kendrick. >>Thank you, Cheryl. That was great. Appreciate the demo there. It's awesome. It's real life data, real life software. You know what? In closing here, I want to talk a little bit about what we've seen out in the marketplace and some of them, when we're talking to prospects and customers, what they talk a little bit about. Well, I'm not quite ready: either my data is not ready or I don't have a cloud data warehouse. That's this process and this thinking. And we have examples, three different examples. We have a company that actually hadn't even thought about analytics at scale. We come in, we talked to them; in less than a week, they're able to move their data to ThoughtSpot and ask questions of a billion rows in less than a week. Now, we've also had customers that are early adopters. They're sticking their toes in the water around the technology, so they have a cloud data warehouse and they put some data in it, and within 11 minutes, we were able to search on a billion rows of their data. Now they're adding more data to combine, to be able to work with. And then we have customers that are more mature in their process. Uh, they put in large volumes of data; within nine minutes, we're asking questions of their data, their business users are understanding what's going on. A second question we get sometimes is: my data is not clean. Well, ThoughtSpot is very, very good at finding that type of data. If you take, you start moving and it becomes an iterative process, and we can help with that. Again, within a week, we could take data, get it into your system, start asking business questions of that and be ready to go. You know, I'm gonna turn it back to you and thank you for your time.
>>Kendrick and Carol, thank you for joining us today and bringing all of that amazing insight for our audience at home. Let's do a couple of stretches and then join us in a few minutes for our last session of the track, Insights for All, about how Canadian Tire is delivering Korean making business outcomes would certainly not in a I. So you're there
Hard Problems on Isogeny Graphs over RSA Moduli and Groups with Infeasible Inversion
>>Hi, everyone. This is Yilei from Visa Research. Today I would like to tell you about my work with Salim Ali Altuğ from Boston University about how to construct a group with infeasible inversion from hard problems on isogeny graphs over RSA moduli. So let me start this talk by telling you, uh, what is a group with infeasible inversion? A group with infeasible inversion was defined by Hohenberger and Molnar in 2003. It says a representation of a group should satisfy two properties. The first is, literally, that inversion is hard, namely that given an encoding of a group element x, computing, uh, the encoding of its inverse is hard. The second is that the composition is still easy, namely given the encoding of x and y, computing the encoding of x plus y is easy. Here we're saying plus is the group operation. So let me explain this definition by going through our favorite example where discrete log is hard, namely in the multiplicative group of a finite field. We encode a group element a as g to the a, namely, put it into the exponent and mod, uh, q. So given g and g to the a, finding a is hard. So this group representation at least satisfies one-wayness, assuming discrete log is hard. So let's look at whether this group satisfies group with infeasible inversion. So it turns out it does not, because given g to the a, finding g to the minus a is still easy. So if we say this is the representation of the inverse, then computing this representation is simple. So this is a non-example of a group with infeasible inversion. So the work of Hohenberger and Molnar started by looking at: how can we find a group with infeasible inversion? And what are the applications of such a group representation? >>It turns out, in their theses, they did not find any group representation that satisfies this property.
But instead they find out that if you can find such a group, then they have >>cryptographic applications, namely building directed transitive signatures. A year later, in the work of Irrer et al., they also find that if you can have this kind of group with infeasible inversion, then you can also construct broadcast encryption with a small overhead, and this is before we know how to construct the broadcast encryption with small overhead over Terry's elliptic curve pairings. So let's look at another attempt at constructing a group with infeasible inversion. So instead of defining. Still, let's look at a group where we put >>the encoding in the exponent, and instead of defining g to the minus a as the inversion, let's define g to the one over a as the inverse of g to the a. So it turns out you can also define that. And it happens that in many groups, namely, if you mod, uh, some special value q, then given g and g to the a, then computing g to the one over a is also conjectured to be hard. But if you define the group element in the exponent in that way, then multiplication in >>the group exponents is also hard, and so we cannot compose. So this is another non-example where group inversion is actually difficult to compute, but composition is difficult to compute, uh, either. So for this kind of group, they cannot use this to build directed transitive signatures or broadcast encryption. So now let's make this attempt, uh, feasible by allowing, so, to have the ability to compute composition. Namely, we represent the encoding of a as follows. So first we have g to the a >>and then we also give an obfuscated circuit which contains a and N such that I take a group element x, and it can output due to the to a mod N.
So it turns out, given this circuit, you have a feasibility of doing composition, and in the work of Yamakawa et al., they show that if the underlying obfuscation is iO, and assuming N is an RSA modulus, then this >>is actually a good construction of group with infeasible inversion. So technically, assuming iO, we already know candidates for group with infeasible inversion. Uh, but that work still leaves the open problem of constructing group with infeasible inversion without using general purpose obfuscation. And in this talk, I would like to tell you about a group with infeasible inversion candidate from some new isogeny problems. And the brief logic of this talk is the following. So elliptic curve isogenies can be represented by graphs, uh, and the graphs have the shape of volcanoes. For example, this one: imagine you're looking at a volcano from top down, and this is the crater, and this is like the direction of going down the volcano. And arguably this is the reason which attracts me to looking into isogeny problems. And also isogeny graphs can be, an isogeny can be used to represent a group called the ideal class group >>and then eventually we will find some group >>problems on this graph, which we conjecture to be hard. And we map this hardness to the hardness of inverting group elements in the ideal class group. So this will be the high level overview of this talk. >>So what are elliptic curve isogenies? So to talk about elliptic curve isogeny, we can spend the whole day talking about its mathematical definition and the many backgrounds of elliptic curves. But today we only have 15 minutes. So instead, let me just give you a high-level overview of what an isogeny is. An isogeny is a mapping from one elliptic curve to another, and isogeny is an interesting equivalence relation between elliptic curves.
It's interesting in its mathematical theory. Over a finite field, an elliptic curve can be identified by its j-invariant. And later, >>when we talk about elliptic curves, we'll think about them as represented by their j-invariant, which is a number in the finite field >>and given two elliptic curves, namely, given their j-invariants, we can efficiently decide whether these two curves are isogenous, namely in polynomial time. And given these backgrounds, let me now jump to the exciting volcanoes. So it turns out >>the relation among isogenous curves can be represented by the isogeny graphs, which look like volcanoes. So let's first look at the graph on the left and let's fix a degree for the isogeny. So isogenies have different degrees. So let's, for simplicity, think about them as primes. So let's fix a degree ℓ, say, equals 23 >>and we will let each of the nodes in the graph represent a different elliptic curve, namely a different j-invariant, and each edge represents an ℓ-degree isogeny. So if you fix the degree ℓ and isogeny as the relation, uh, they just look like what I said, like a volcano going from top to bottom, and if, let's say, we fix all the >>elliptic curves on the crater or, in general, all the elliptic curves on the same layer of the volcano, then you're allowed to have different degrees. So this is degree ℓ and this is degree m, et cetera, et cetera. And then the graph actually looks like it's almost fully connected. So imagine all of them are connected by different degrees. And the graph structure was actually described not too long ago in the PhD thesis of David Kohel in 1996, and later it got popularized in a paper in 2002 because they say, hey, this looks like a volcano. So now the isogeny volcano is the name used in many references for calling the graph. >>So let me tell you a little bit more about the relation of isogeny and the ideal class group.
So the short story is, if you fix a layer on the isogeny graph, say the crater, then actually all the nodes have a 1 to 1 mapping to the group elements in an ideal >>class group. The formal theory is the ideal class group acts on the, uh, set of isogenies which have the same endomorphism ring. But we will not go into that, uh, in the talk today. So let me give you a simple example. So this is a concrete representation of an ideal class group of seven group elements. And if we fix a j-zero, the j-invariant of one of the crater curves, let's say this guy represents the identity in the ideal class group. And then we let j-one represent one of the class group elements. Then its inverse is just going one step back from the origin in the opposite direction. So this is a very important picture. We will use exactly the j-invariants to represent the ideal class group elements. So this is exactly the representation we're gonna take, except we're gonna work over the RSA modulus. So after giving some mathematical background of elliptic curve isogeny and isogeny graphs, now let's talk about computational problems >>and before jumping into RSA moduli, let me start from the, uh, more traditionally studied isogeny problems over the finite field. The first problem is if I fix a degree ℓ and I give you a j-invariant of an elliptic curve as one of the nodes. Let's first take an easy question. Is it easy to find all of >>its isogeny neighbors of degree ℓ, say ℓ is a polynomial? >>The answer is yes. And technically there are two different ways. Uh, I will not go into the details of what they are, but what we need to know is they require solving, uh, a polynomial of degree ℓ or ℓ squared. Let's look at another problem. So imagine I select two random >>curves from an isogeny graph. So think about this isogeny graph as defined over a large field, and they are super polynomial limited graphs of them.
I'm choosing two random curves. >>The question is, can you find an explicit isogeny between them, namely a path from one to the other? It turns out this >>problem is conjectured to be hard even for quantum computers, and this is exactly what was used in the post-quantum key exchange proposals. In those works, they have different structures, called SIDH and CSIDH. They're just different types of endomorphism ring, but the question is of the same nature: finding a path from one curve to the other. So these are not relevant to our work. But I would like to introduce them for some background of the history of isogeny problems. >>So in our work we need to >>study isogeny problems over an RSA modulus. And so the first question is even how to define an isogeny, uh, or an isogeny graph over a ring like, uh, over an RSA modulus, say N. So >>there is a general way of defining it, and the special case. So in this talk, I will just talk about the special case because this is easier to understand. So think about: I have the ability of picking two isogeny volcanoes over mod p and mod q that have exactly the same structure. And then I just use a CRT composition to stick them together. So namely, j >>zero, the value is the CRT of the j-zeros over the small fields p and q, and N equals p times q. And by the way, these j-invariants will be exactly the way to represent an ideal class group of such a size. In this example, it is the ideal class group, uh, with discriminant minus 251. Okay, so now let's look at what is magical over this representation. So let's look back at the problem we started from, namely, finding all the isogenous neighbors, this time over an RSA modulus. So I give you the j-invariant of E zero and ask you to find one of its neighbors, finding the j-invariant of one of its neighbors.
So it turns out, even this problem is hard. And actually, we can prove this problem is as hard as factoring N. A naive way of explaining what's going on is that the two methods that work over the finite field don't work anymore, since they both require solving high degree polynomials mod N, and this is hard when N is an RSA modulus. So to be useful for constructing a group with infeasible inversion, we actually need to look at this so-called joint neighbor search problem, namely, if I give you a curve E zero, which represents the identity, then another curve, which represents a group element, your task is to find its inverse, namely one of the E two candidate beneath zero. Yeah, so it turns out this problem, we also conjecture it to be hard, and we don't know how to base it on the hardness of factoring. Uh, again, the naive reason is the way to solve it over the finite field doesn't work, because they both require solving polynomials of degree higher than one over RSA moduli. And this is exactly the reason that we believe the group inversion is hard over this representation. Now, finally, we also would like to remind the readers that according to the definition of group with infeasible inversion, we would also like the group elements to be easy to compose. Now let's make another observation. If you're finding the joint neighbor of isogenies of different degree, say, if I give you the j-invariant of E one and the j-invariant of E two and ask you to find the j-invariant of E three, and they happen to be of coprime degree isogenies, then there is a way to find their joint neighbor because they're coprime. And there's only one solution to solving the modular polynomial that I haven't defined out. But this is the way we make sure that composition is easy.
Namely, we output encodings that are coprime so that they can be composed. To summarize, we propose a candidate group with infeasible inversion from elliptic curve isogenies. It requires a chapter because you need to know the prime factors of the RSA modulus to set up the whole system and generate the encodings, and our main assumption is that a certain joint neighbor search problem on the isogeny graphs defined over an RSA modulus is hard. Again, group with infeasible inversion has the application of constructing broadcast encryption and directed transitive signatures, and it's a very interesting problem to explore
Rachel Tobac, SocialProof Security | CUBE Conversation, April 2020
>> Narrator: From theCUBE studios in Palo Alto and Boston connecting with thought leaders all around the world. This is theCUBE conversation. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We are here in our Palo Alto studios today. We got through March, this is some really crazy time. So we're taking advantage of the opportunity to reach out to some of the community leaders that we have in our community to get some good tips and tricks as to know how to kind of deal with this current situation. All the working from home, school from home. And we're really excited to have one of the experts. One of my favorite CUBE guests. We haven't had her around since October 2017, which I find crazy. And we'd love to welcome into theCUBE via the remote dial-in, Rachel Tobac. She is the CEO of SocialProof Security. Rachel, great to see you and I cannot believe that we have not sat down since 2017. >> I know, I can't believe it, it's been so much time. Thanks for having me back. >> Absolutely, but we are good Twitter friends. >> Oh yeah >> Exchanging stuff all the time. So, first off, great to see you. Just a kind of introduction, tell us a little bit about SocialProof Security and your very unique specialty. >> Yes. SocialProof Security is all about social engineering and protecting you from those types of attackers. So, basically we help you understand how folks manipulate you and try and gain access to your information. I am an attacker myself so I basically go out, try it, learn what we can learn about how we do our attacks and then go on and train you to protect your organization. So, training and testing. >> Alright. Well, I am going to toot your horn a little bit louder than that because I think it's amazing. I think that you are basically 100% undefeated in hacking people during contests at conventions, live. And it's fascinating to me and why I think it's so important it's not a technical hack at all. It's a human hack, and your success is amazing.
And I've seen you do it. There's tons of videos out there with you doing it. So, what are kind of just the quick and dirty takeaways that people need to think about knowing that there are social hackers, not necessarily machine hackers out there, trying to take advantage of them. What are some of these inherent weaknesses that we just have built into the system? >> Yeah, thanks for your kind words too, I appreciate that. The challenge with social engineering is that it leverages your principles of persuasion. The parts of you that you cannot switch off. And so, I might pretend to be similar to you so that I can build rapport with you. And it's really hard for you to switch that off because you want to be a kind person, you want to be nice and trusting. But it's hard, it's a tough world out there and unfortunately criminals will leverage elements of your personality and your preferences against you. So, for instance if I know you have a dog, then I might play a YouTube video of a dog barking and try and gain access to information about your systems and your data, while pretending to be IT support, for example. And that's really tough because, you know, three minutes into the conversation we are already talking about our dog breeds and now you want to trust me more. But unfortunately just because we have something in common, it doesn't mean that I am who I say I am. And so, I always recommend people are politely paranoid. It just basically means that you use two methods of communication to confirm that people are who they say they are. And if they are trying to get you to divulge sensitive information or go through with a wire transfer, for instance, you want to make sure that you check that first. We just saw an example of this with Barbara Corcoran. Famously on Shark Tank. Where she has many investments in real estate. 
And unfortunately a cyber criminal was able to take advantage and get almost $400,000 wired over to them and they did lose that money because they were able to take advantage of the bookkeeper, the accountant and the assistant and folks just were not checking back and forth that people are who they say they were with multiple methods of communication. >> It's crazy. A friend of mine actually is in the real estate business. And we were talking earlier this year and he got a note from his banker. Looked like his banker's email. It was the guy's name that he works with all the time. Was talking about a transfer. It didn't have a bunch of weird misspelling and bad grammar. And all kind of the old school things that kind of would expose it as a hack. And he picked up the phone and called the guy, and said "we don't have a transaction happening right now. Why did you send this to me?" So it gets really really really good. But let's dive into just a little vocabulary 101. When people talk about "phishing" and "spearphishing" what does that exactly mean for people that aren't really familiar with those terms? >> Sure. Most likely you are going to see it happen over email. In fact, with COVID-19 right now we've seen through Google's Transparency Report on phishing that there's been a 350% increase in phishing attacks. And I believe Brisk had this huge research that said that there were 300,000 plus suspicious COVID 19 phishing websites that were just spun up in the past couple of weeks. It's pretty scary but basically what they are trying to do is get you to input your credentials. They are trying to get access to your machine or your credentials so that they can use them on other high value sites, gain access to your information, your data, points, your sensitive data basically. And use that against you. It's really tough. Unfortunately, criminals don't take a break even in crisis. 
>> Yeah they are not self-isolating unfortunately, I guess they are sitting there with their computers. So that's interesting. So, I was going to ask you, kind of what is the change in the landscape now. So you answered a little bit there but then the other huge thing that's happening now is everybody is working from home. They are all on Zoom, they are all on Skype, WebEx. And you've actually had some really timely posts just recently about little things that people should think about in terms of just settings on Zoom to avoid some of the really unfortunate things that are popping in kind of randomly on Zoom meetings. So, I wonder if you could share some of those tips and tricks with the audience. >> Yeah, absolutely. Some of the big issues that we are seeing recently is what people have coined as Zoombombing. It's all over the news. So you've probably heard about it before but in case you are wondering exactly what that is. It's whenever an attacker either guesses your Zoom ID code and you don't have a password on your Zoom call that you are in the middle of. Or they might gain access to your Zoom ID code because maybe you took a screenshot of your Zoom and posted that to social media. And now if you don't have password protection or your waiting room is on they can just join your call and sometimes you might not notice that they are on the call, which could lead to privacy issues, data breach for instance or just a sensitive data leak. If they join via the phone you might not even notice that they are on the call. And so it's really important to make sure that you have password protection on for your Zoom and you have waiting rooms enabled. And you don't want to take pictures of your workstation. I know that's really tough for folks, because they want to showcase how connected they are during these difficult times. I do understand that. 
But realize that when you take those screenshots of your workstation, this is something that we just saw in the news with Boris Johnson just a few days ago. He posted an image of his Zoom call and it included some of the software they used. And so, you just mentioned spearphishing, right? I can look at some of that software, get an idea for maybe the version of his operating system, the version of some of the software he may be using on his machine and craft a very specific spearphish just for him that I know will likely work on his machine, with his software installed because I understand the version and the known vulnerabilities in that software. So, there's a lot of problems with posting those types of pictures. As a blanket rule you are not going to want to take pictures of your workstation. Especially not now. >> Okay, so, I remember that lesson that you taught me when we're in Houston at Grace Hopper. Do not take selfies in front of your pics, in front of your work laptop. 'Cause as you said, you can identify all types of OS information. Information that gives you incredible advantage when you are trying to hack into my machine. >> Yeah, that's true. And I think a lot of people don't realize they are like, "everybody uses the browser, everybody uses PowerPoint", for example. But sometimes, the icons and logos that you have on your machine, really give me good information about the exact version and potentially the versions that might be out of date in your machine. When I can look up those known vulnerabilities pretty easily that's a pretty big risk. The other things that we see is people take screenshots and I can see their desktop and when I can see your desktop, I might know the naming convention that you use for your files which I can name drop with you or talk about on the phone or over email to convince you that I really do have access to your machine like I am IT support or something. >> Yeah, it's great stuff. 
So for people who want more of this great stuff go to Rachel's Twitter handle. I'm sure we have it here on the lower third. You've got the great piece with. Last week with John Oliver hacking the voting machines like a week before the elections last year which was phenomenal. Now I just saw you in this new HBO piece where you actually just sit down at the desk with the guy running the show and hacker disciplines systems. Really good stuff. Really simple stuff. Let's shift gears one more time, really in terms of what you are doing now. You said you are doing some help in the community to directly help those in need as we go through this crisis. People are trying to find a way to help. Tell us a little bit more about what you are doing. >> Yeah, as soon as I started noticing how intense COVID-19 was wreaking havoc on the hospital and healthcare systems in the world I decided to just make my services available for free. And so I put out a call on my social medias and let folks know "Hey, if you need training, if you need support, if you just want to walk through some of your protocols and how I might gain access to your systems or your sensitive data through those protocols, let me know and I'll chat with you." And, I've had an amazing response. Being able to work with hospitals all over the world for free to make sure that they have the support that they need during COVID-19, it really does mean a lot to me because it's tough. I feel kind of powerless in this situation, there's not a lot that I can personally do, there are many brave folks who are out there risking it all every single day to be able to do the work to keep folks safe. So, just trying to do something to help support the healthcare industry as they save lives. >> Well, that's great. 
I mean, it is great 'cause if you are helping the people that are helping, you know, you are helping maybe not directly with patients but that's really important work and there's a lot of stuff now that's coming out in terms of, kind of this tunnel vision on COVID-19 and letting everything else kind of fall by the wayside including other medical procedures and there is going to be a lot of collateral damage that we don't necessarily see because the COVID situation has kind of displaced everything out and kind of blown it out. Anything that you can do to help people get more out of the resources, protect their vulnerability is nothing but goodness. So, thank you for doing that. So, I will give you a last word. What's your favorite, kind of closing line when you are at Black Hat or RSA to these people to give them the last little bit "Come on, don't do stupid things. There are some simple steps you can take to be a little bit less vulnerable" >> Yeah, I think something that we hear a lot is that people kind of give a blanket piece of advice. Like, don't click links. And, that's not really actionable advice. Because a lot of times you are required to click links or download that PDF attachment from HR. And, many times it is legitimate for work. And so, that type of advice isn't really the type of advice I like to give. Instead, I like to say just be politely paranoid and use two methods of communication to confirm if it is legitimate before you go ahead and do that. And, it will take a little bit of time, I'm not going to lie, it'll take you an extra 30 seconds to 60 seconds to just chat somebody and say "Hey quick question about that thing you sent over" But it can start to change the security consciousness of your culture. And maybe they'll put out a chat while they send out an email from HR to let you know that it is legitimate and then you are kind of starting this cycle at the beginning. 
Not every single person has to ask individually, you can start getting that security consciousness going where people are politely paranoid and they know that you are going to be too so they are going to preempt it and make sure that you understand something is legitimate with a second form of communication. >> Great tip, I am a little taken aback, everybody now wants to get their score so high, their customer satisfaction score, so after like every transaction you get these silly surveys "How was your time at SafeWay? Or Bank of America?" All these things Survey Monkey. I don't really know how those businesses stay in anymore. I am not clicking on any Bank of America customer satisfaction or Safeway customer satisfaction link. But I will be politely paranoid and look for the right ones to click on. (giggle) >> That's good and use two methods of communication to confirm they are real. >> That's right, two-factor authentication. Alright, well Rachel, thank you for taking a few minutes of your time. Thank you for your good work with hospitals in the community and really enjoyed catching up. As always, love your work and I'm sure we'll be talking to you more on Twitter. >> Thanks for having me on again and I'll see you on the Internet. >> All right, be safe. >> Rachel: Thank you. >> All right, that was Rachel. I am Jeff. You are watching theCUBE. We are coming to you from our Palo Alto Studios. Thanks for watching. Stay safe and we'll see you next time. (instrumental music)
UNLIST TILL 4/2 - End-to-End Security
>> Paige: Hello everybody and thank you for joining us today for the virtual Vertica BDC 2020. Today's breakout session is entitled End-to-End Security in Vertica. I'm Paige Roberts, Open Source Relations Manager at Vertica. I'll be your host for this session. Joining me are Vertica Software Engineers, Fenic Fawkes and Chris Morris. Before we begin, I encourage you to submit your questions or comments during the virtual session. You don't have to wait until the end. Just type your question or comment in the question box below the slide as it occurs to you and click submit. There will be a Q&A session at the end of the presentation and we'll answer as many questions as we're able to during that time. Any questions that we don't address, we'll do our best to answer offline. Also, you can visit Vertica forums to post your questions there after the session. Our team is planning to join the forums to keep the conversation going, so it'll be just like being at a conference and talking to the engineers after the presentation. Also, a reminder that you can maximize your screen by clicking the double arrow button in the lower right corner of the slide. And before you ask, yes, this whole session is being recorded and it will be available to view on-demand this week. We'll send you a notification as soon as it's ready. I think we're ready to get started. Over to you, Fen. >> Fenic: Hi, welcome everyone. My name is Fen. My pronouns are fae/faer and Chris will be presenting the second half, and his pronouns are he/him. So to get started, let's kind of go over what the goals of this presentation are. First off, no deployment is the same. So we can't give you an exact, like, here's the right way to secure Vertica because how it is to set up a deployment is a factor. But the biggest one is, what is your threat model? So, if you don't know what a threat model is, let's take an example. We're all working from home because of the coronavirus and that introduces certain new risks. 
Our source code is on our laptops at home, that kind of thing. But really our threat model isn't that people will read our code and copy it, like, over our shoulders. So we've encrypted our hard disks and that kind of thing to make sure that no one can get them. So basically, what we're going to give you are building blocks and you can pick and choose the pieces that you need to secure your Vertica deployment. We hope that this gives you a good foundation for how to secure Vertica. And now, what we're going to talk about. So we're going to start off by going over encryption, just how to secure your data from attackers. And then authentication, which is kind of how to log in. Identity, which is who are you? Authorization, which is now that we know who you are, what can you do? Delegation is about how Vertica talks to other systems. And then auditing and monitoring. So, how do you protect your data in transit? Vertica makes a lot of network connections. Here are the important ones basically. There are clients talk to Vertica cluster. Vertica cluster talks to itself. And it can also talk to other Vertica clusters and it can make connections to a bunch of external services. So first off, let's talk about client-server TLS. Securing data between, this is how you secure data between Vertica and clients. It prevents an attacker from sniffing network traffic and say, picking out sensitive data. Clients have a way to configure how strict the authentication is of the server cert. It's called the Client SSLMode and we'll talk about this more in a bit but authentication methods can disable non-TLS connections, which is a pretty cool feature. Okay, so Vertica also makes a lot of network connections within itself. So if Vertica is running behind a strict firewall, you have really good network, both physical and software security, then it's probably not super important that you encrypt all traffic between nodes. 
But if you're on a public cloud, you can set up AWS' firewall to prevent connections, but if there's a vulnerability in that, then your data's all totally vulnerable. So it's a good idea to set up inter-node encryption in less secure situations. Next, import/export is a good way to move data between clusters. So for instance, say you have an on-premises cluster and you're looking to move to AWS. Import/Export is a great way to move your data from your on-prem cluster to AWS, but that means that the data is going over the open internet. And that is another case where an attacker could try to sniff network traffic and pull out credit card numbers or whatever you have stored in Vertica that's sensitive. So it's a good idea to secure data in that case. And then we also connect to a lot of external services. Kafka, Hadoop, S3 are three of them. Voltage SecureData, which we'll talk about more in a sec, is another. And because of how each service deals with authentication, how to configure your authentication to them differs. So, see our docs. And then I'd like to talk a little bit about where we're going next. Our main goal at this point is making Vertica easier to use. Our first objective was security, was to make sure everything could be secure, so we built relatively low-level building blocks. Now that we've done that, we can identify common use cases and automate them. And that's where our attention is going. Okay, so we've talked about how to secure your data over the network, but what about when it's on disk? There are several different encryption approaches, each depends on kind of what your use case is. RAID controllers and disk encryption are mostly for on-prem clusters and they protect against media theft. They're invisible to Vertica. S3 and GCP are kind of the equivalent in the cloud. They're also invisible to Vertica. And then there's field-level encryption, which we accomplish using Voltage SecureData, which is format-preserving encryption. 
So how does Voltage work? Well, it, the, yeah. It encrypts values to things that look like the same format. So for instance, you can see date of birth encrypted to something that looks like a date of birth but it is not in fact the same thing. You could do cool stuff like with a credit card number, you can encrypt only the first 12 digits, allowing the user to, you know, validate the last four. The benefits of format-preserving encryption are that it doesn't increase database size, you don't need to alter your schema or anything. And because of referential integrity, it means that you can do analytics without unencrypting the data. So again, a little diagram of how you could work Voltage into your use case. And you could even work with Vertica's row and column access policies, which Chris will talk about a bit later, for even more customized access control. Depending on your use case and your Voltage integration. We are enhancing our Voltage integration in several ways in 10.0 and if you're interested in Voltage, you can go see their virtual BDC talk. And then again, talking about roadmap a little, we're working on in-database encryption at rest. What this means is kind of a Vertica solution to encryption at rest that doesn't depend on the platform that you're running on. Encryption at rest is hard. (laughs) Encrypting, say, 10 petabytes of data is a lot of work. And once again, the theme of this talk is everyone has a different key management strategy, a different threat model, so we're working on designing a solution that fits everyone. If you're interested, we'd love to hear from you. Contact us on the Vertica forums. All right, next up we're going to talk a little bit about access control. So first off is how do I prove who I am? How do I log in? So, Vertica has several authentication methods. Which one is best depends on your deployment size/use case. Again, theme of this talk is what you should use depends on your use case. 
You could order authentication methods by priority and origin. So for instance, you can only allow connections from within your internal network or you can enforce TLS on connections from external networks but relax that for connections from your internal network. That kind of thing. So we have a bunch of built-in authentication methods. They're all password-based. User profiles allow you to set complexity requirements of passwords and you can even reject non-TLS connections, say, or reject certain kinds of connections. Should only be used by small deployments because you probably have an LDAP server, where you manage users if you're a larger deployment and rather than duplicating passwords and users all in LDAP, you should use LDAP Auth, where Vertica still has to keep track of users, but each user can then use LDAP authentication. So Vertica doesn't store the password at all. The client gives Vertica a username and password and Vertica then asks the LDAP server is this a correct username or password. And the benefits of this are, well, manyfold, but if, say, you delete a user from LDAP, you don't need to remember to also delete their Vertica credentials. You can just, they won't be able to log in anymore because they're not in LDAP anymore. If you like LDAP but you want something a little bit more secure, Kerberos is a good idea. So similar to LDAP, Vertica doesn't keep track of who's allowed to log in, it just keeps track of the Kerberos credentials and it even, Vertica never touches the user's password. Users log in to Kerberos and then they pass Vertica a ticket that says "I can log in." It is more complex to set up, so if you're just getting started with security, LDAP is probably a better option. But Kerberos is, again, a little bit more secure. If you're looking for something that, you know, works well for applications, certificate auth is probably what you want. 
Rather than hardcoding a password, or storing a password in a script that you use to run an application, you can instead use a certificate. So, if you ever need to change it, you can just replace the certificate on disk and the next time the application starts, it just picks that up and logs in. Yeah. And then, multi-factor auth is a feature request we've gotten in the past and it's not built-in to Vertica but you can do it using Kerberos. So, security is a whole application concern and fitting MFA into your workflow is all about fitting it in at the right layer. And we believe that that layer is above Vertica. If you're interested in more about how MFA works and how to set it up, we wrote a blog on how to do it. And now, over to Chris, for more on identity and authorization. >> Chris: Thanks, Fen. Hi everyone, I'm Chris. So, we're a Vertica user and we've connected to Vertica but once we're in the database, who are we? What are we? So in Vertica, the answer to that question is principals. Users and roles, which are like groups in other systems. Since roles can be enabled and disabled at will and multiple roles can be active, they're a flexible way to use only the privileges you need in the moment. For example here, you've got Alice who has Dbadmin as a role and those are some elevated privileges. She probably doesn't want them active all the time, so she can set the role and add them to her identity set. All of this information is stored in the catalog, which is basically Vertica's metadata storage. How do we manage these principals? Well, depends on your use case, right? So, if you're a small organization or maybe only some people or services need Vertica access, the solution is just to manage it with Vertica. You can see some commands here that will let you do that. But what if we're a big organization and we want Vertica to reflect what's in our centralized user management system? Sort of a similar motivating use case for LDAP authentication, right? 
We want to avoid duplication hassles, we just want to centralize our management. In that case, we can use Vertica's LDAPLink feature. So with LDAPLink, principals are mirrored from LDAP. They're synced in a configurable fashion from the LDAP into Vertica's catalog. What this does is it manages creating and dropping users and roles for you and then mapping the users to the roles. Once that's done, you can do any Vertica-specific configuration on the Vertica side. It's important to note that principals created in Vertica this way, support multiple forms of authentication, not just LDAP. This is a separate feature from LDAP authentication and if you created a user via LDAPLink, you could have them use a different form of authentication, Kerberos, for example. Up to you. Now of course this kind of system is pretty mission-critical, right? You want to make sure you get the right roles and the right users and the right mappings in Vertica. So you probably want to test it. And for that, we've got new and improved dry run functionality, from 9.3.1. And what this feature offers you is new metafunctions that let you test various parameters without breaking your real LDAPLink configuration. So you can mess around with parameters and the configuration as much as you want and you can be sure that all of that is strictly isolated from the live system. Everything's separated. And when you use this, you get some really nice output through a Data Collector table. You can see some example output here. It runs the same logic as the real LDAPLink and provides detailed information about what would happen. You can check the documentation for specifics. All right, so we've connected to the database, we know who we are, but now, what can we do? So for any given action, you want to control who can do that, right? So what's the question you have to ask? Sometimes the question is just who are you? It's a simple yes or no question. 
For example, if I want to upgrade a user, the question I have to ask is, am I the superuser? If I'm the superuser, I can do it, if I'm not, I can't. But sometimes the actions are more complex and the question you have to ask is more complex. Does the principal have the required privileges? If you're familiar with SQL privileges, there are things like SELECT, INSERT, and Vertica has a few of their own, but the key thing here is that an action can require specific and maybe even multiple privileges on multiple objects. So for example, when selecting from a table, you need USAGE on the schema and SELECT on the table. And there's some other examples here. So where do these privileges come from? Well, if the action requires a privilege, these are the only places privileges can come from. The first source is implicit privileges, which could come from owning the object or from special roles, which we'll talk about in a sec. Explicit privileges, it's basically a SQL standard GRANT system. So you can grant privileges to users or roles and optionally, those users and roles could grant them downstream. Discretionary access control. So those are explicit and they come from the user and the active roles. So the whole identity set. And then we've got Vertica-specific inherited privileges and those come from the schema, and we'll talk about that in a sec as well. So these are the special roles in Vertica. First role, DBADMIN. This isn't the Dbadmin user, it's a role. And it has specific elevated privileges. You can check the documentation for those exact privileges but it's less than the superuser. The PSEUDOSUPERUSER can do anything the real superuser can do and you can grant this role to whomever. The DBDUSER is actually a role, can run Database Designer functions. SYSMONITOR gives you some elevated auditing permissions and we'll talk about that later as well. 
And finally, PUBLIC is a role that everyone has all the time so anything you want to be allowed for everyone, attach to PUBLIC. Imagine this scenario. I've got a really big schema with lots of relations. Those relations might be changing all the time. But for each principal that uses this schema, I want the privileges for all the tables and views there to be roughly the same. Even though the tables and views come and go, for example, an analyst might need full access to all of them no matter how many there are or what there are at any given time. So to manage this, my first approach I could use is remember to run grants every time a new table or view is created. And not just you but everyone using this schema. Not only is it a pain, it's hard to enforce. The second approach is to use schema-inherited privileges. So in Vertica, schema grants can include relational privileges. For example, SELECT or INSERT, which normally don't mean anything for a schema, but they do for a table. If a relation's marked as inheriting, then the schema grants to a principal, for example, salespeople, also apply to the relation. And you can see on the diagram here how the usage applies to the schema and the SELECT technically but in Sales.foo table, SELECT also applies. So now, instead of lots of GRANT statements for multiple object owners, we only have to run one ALTER SCHEMA statement and three GRANT statements and from then on, any time that you grant some privileges or revoke privileges to or on the schema, to or from a principal, all your new tables and views will get them automatically. So it's dynamically calculated. Now of course, setting it up securely, is that you want to know what's happened here and what's going on. So to monitor the privileges, there are three system tables which you want to look at. The first is grants, which will show you privileges that are active for you. That is your user and active roles and theirs and so on down the chain. 
Grants will show you the explicit privileges and inherited_privileges will show you the inherited ones. And then there's one more inheriting_objects which will show all tables and views which inherit privileges so that's useful more for not seeing privileges themselves but managing inherited privileges in general. And finally, how do you see all privileges from all these sources, right? In one go, you want to see them together? Well, there's a metafunction added in 9.3.1. Get_privileges_description which will, given an object, it will sum up all the privileges for a current user on that object. I'll refer you to the documentation for usage and supported types. Now, the problem with SELECT. SELECT lets you see everything or nothing. You can either read the table or you can't. But what if you want some principals to see subset or a transformed version of the data. So for example, I have a table with personnel data and different principals, as you can see here, need different access levels to sensitive information. Social security numbers. Well, one thing I could do is I could make a view for each principal. But I could also use access policies and access policies can do this without introducing any new objects or dependencies. It centralizes your restriction logic and makes it easier to manage. So what do access policies do? Well, we've got row and column access policies. Rows will hide and column access policies will transform data in the row or column, depending on who's doing the SELECTing. So it transforms the data, as we saw on the previous slide, to look as requested. Now, if access policies let you see the raw data, you can still modify the data. And the implication of this is that when you're crafting access policies, you should only use them to refine access for principals that need read-only access. That is, if you want a principal to be able to modify it, the access policies you craft should let through the raw data for that principal. 
So in our previous example, the loader service should be able to see every row and it should be able to see untransformed data in every column. And as long as that's true, then they can continue to load into this table. All of this is of course monitorable by a system table, in this case access_policy. Check the docs for more information on how to implement these. All right, that's it for access control. Now on to delegation and impersonation. So what's the question here? Well, the question is who is Vertica? And that might seem like a silly question, but here's what I mean by that. When Vertica's connecting to a downstream service, for example, cloud storage, how should Vertica identify itself? Well, most of the time, we do the permissions check ourselves and then we connect as Vertica, like in this diagram here. But sometimes we can do better. And instead of connecting as Vertica, we connect with some kind of upstream user identity. And when we do that, we let the service decide who can do what, so Vertica isn't the only line of defense. And in addition to the defense in depth benefit, there are also benefits for auditing because the external system can see who is really doing something. It's no longer just Vertica showing up in that external service's logs, it's somebody like Alice or Bob, trying to do something. One system where this comes into play is with Voltage SecureData. So, let's look at a couple use cases. The first one, I'm just encrypting for compliance or anti-theft reasons. In this case, I'll just use one global identity to encrypt or decrypt with Voltage. But imagine another use case, I want to control which users can decrypt which data. Now I'm using Voltage for access control. So in this case, we want to delegate. The solution here is on the Voltage side, give Voltage users access to appropriate identities and these identities control encryption for sets of data. A Voltage user can access multiple identities like groups. 
Then on the Vertica side, a Vertica user can set their Voltage username and password in a session and Vertica will talk to Voltage as that Voltage user. So in the diagram here, you can see an example of how this is leveraged so that Alice could decrypt something but Bob cannot. Another place the delegation paradigm shows up is with storage. So Vertica can store and interact with data on non-local file systems. For example, HDFS or S3. Sometimes Vertica's storing Vertica-managed data there. For example, in Eon mode, you might store your projections in communal storage in S3. But sometimes, Vertica is interacting with external data. For example, this usually maps to a user storage location in the Vertica side and it might, on the external storage side, be something like Parquet files on Hadoop. And in that case, it's not really Vertica's data and we don't want to give Vertica more power than it needs, so let's request the data on behalf of who needs it. Let's say I'm an analyst and I want to copy from or export to Parquet, using my own bucket. It's not Vertica's bucket, it's my data. But I want Vertica to manipulate data in it. So the first option I have is to give Vertica as a whole access to the bucket and that's problematic because in that case, Vertica becomes kind of an AWS god. It can see any bucket, any Vertica user might want to push or pull data to or from any time Vertica wants. So it's not good for the principles of least access and zero trust. And we can do better than that. So in the second option, use an ID and secret key pair for an AWS, IAM, if you're familiar, principal that does have access to the bucket. So I might use my, the analyst, credentials, or I might use credentials for an AWS role that has even fewer privileges than I do. Sort of a restricted subset of my privileges. And then I use that. I set it in Vertica at the session level and Vertica will use those credentials for the copy export commands. And it gives more isolation. 
Something that's in the works is support for keyless delegation, using assumable IAM roles. So similar benefits to option two here, but also not having to manage keys at the user level. We can do basically the same thing with Hadoop and HDFS with three different methods. So first option is Kerberos delegation. I think it's the most secure. It definitely, if access control is your primary concern here, this will give you the tightest access control. The downside is it requires the most configuration outside of Vertica with Kerberos and HDFS but with this, you can really determine which Vertica users can talk to which HDFS locations. Then, you've got secure impersonation. If you've got a highly trusted Vertica userbase, or at least some subset of it is, and you're not worried about them doing things wrong but you want to know about auditing on the HDFS side, that's your primary concern, you can use this option. This diagram here gives you a visual overview of how that works. But I'll refer you to the docs for details. And then finally, option three, this is bringing your own delegation token. It's similar to what we do with AWS. We set something in the session level, so it's very flexible. The user can do it at an ad hoc basis, but it is manual, so that's the third option. Now on to auditing and monitoring. So of course, we want to know, what's happening in our database? It's important in general and important for incident response, of course. So your first stop, to answer this question, should be system tables. And they're a collection of information about events, system state, performance, et cetera. They're SELECT-only tables, but they work in queries as usual. The data is just loaded differently. So there are two types generally. There's the metadata table, which stores persistent information or rather reflects persistent information stored in the catalog, for example, users or schemata. 
Then there are monitoring tables, which reflect more transient information, like events, system resources. Here you can see an example of output from the resource pool's storage table which, these are actually, despite that it looks like system statistics, they're actually configurable parameters for using that. If you're interested in resource pools, a way to handle users' resource allocation and various principals' resource allocation, again, check that out on the docs. Then of course, there's the followup question, who can see all of this? Well, some system information is sensitive and we should only show it to those who need it. Principle of least privilege, right? So of course the superuser can see everything, but what about non-superusers? How do we give access to people that might need additional information about the system without giving them too much power? One option's SYSMONITOR, as I mentioned before, it's a special role. And this role can always read system tables but not change things like a superuser would be able to. Just reading. And another option is the RESTRICT and RELEASE metafunctions. Those grant and revoke access to a certain system table set, to and from the PUBLIC role. But the downside of those approaches is that they're inflexible. So they only give you, they're all or nothing. For a specific preset of tables. And you can't really configure it per table. So if you're willing to do a little more setup, then I'd recommend using your own grants and roles. System tables support GRANT and REVOKE statements just like any regular relations. And in that case, I wouldn't even bother with SYSMONITOR or the metafunctions. So to do this, just grant whatever privileges you see fit to roles that you create. Then go ahead and grant those roles to the users that you want. And revoke access to the system tables of your choice from PUBLIC. If you need even finer-grained access than this, you can create views on top of system tables. 
For example, you can create a view on top of the user system table which only shows the current user's information, uses a built-in function that you can use as part of the view definition. And then, you can actually grant this to PUBLIC, so that each user in Vertica could see their own user's information and never give access to the user system table as a whole, just that view. Now if you're a superuser or if you have direct access to nodes in the cluster, filesystem/OS, et cetera, then you have more ways to see events. Vertica supports various methods of logging. You can see a few methods here which are generally outside of running Vertica, you'd interact with them in a different way, with the exception of active events which is a system table. We've also got the data collector. And that sorts events by subjects. So what the data collector does, it extends the logging and system table functionality, by the component, is what it's called in the documentation. And it logs these events and information to rotating files. For example, AnalyzeStatistics is a function that could be of use by users and as a database administrator, you might want to monitor that so you can use the data collector for AnalyzeStatistics. And the files that these create can be exported into a monitoring database. One example of that is with the Management Console Extended Monitoring. So check out their virtual BDC talk. The one on the management console. And that's it for the key points of security in Vertica. Well, many of these slides could spawn a talk on their own, so we encourage you to check out our blog, check out the documentation and the forum for further investigation and collaboration. Hopefully the information we provided today will inform your choices in securing your deployment of Vertica. Thanks for your time today. That concludes our presentation. Now, we're ready for Q&A.
UNLIST TILL 4/2 - Optimizing Query Performance and Resource Pool Tuning
>> Jeff: Hello, everybody and thank you for Joining us today for the virtual "Vertica VBC" 2020. Today's breakout session has been titled "Optimizing Query Performance and Resource Pool Tuning" I'm Jeff Ealing, I lead Vertica marketing. I'll be your host for this breakout session. Joining me today are Rakesh Banula, and Abhi Thakur, Vertica product technology engineers and key members of the Vertica customer success team. But before we begin, I encourage you to submit questions or comments during the virtual session. You don't have to wait. Just type your question or comment in the question box below the slides and click Submit. There will be a Q&A session at the end of the presentation. We'll answer as many questions we're able to during that time. Any questions we don't address, we'll do our best to answer them offline. Alternatively, visit Vertica forums at forum.vertica.com to post your questions there after the session. Our engineering team is planning to Join the forums to keep the conversation going. Also a reminder that you can maximize your screen by clicking the double arrow button in the lower right corner of your slides. And yes, this virtual session is being recorded, will be available to view on demand this week. We'll send you a notification as soon as it's ready. Now let's get started. Over to you Rakesh. >> Rakesh: Thank you, Jeff. Hello, everyone. My name is Rakesh Bankula. Along with me, we have Bir Abhimanu Thakur. We both are going to cover the present session on "Optimizing Query Performance and Resource Pool Tuning" In this session, we are going to discuss query optimization, how to review the query plans and how to get the best query plans with proper production design. Then discuss on resource allocations and how to find resource contention. And we will continue the discussion on important use cases. In general, to successfully complete any activity or any project, the main things it requires are the plan. 
Plan for that activity on what to do first, what to do next, what are things you can do in parallel? The next thing you need, the best people to work on that project as per the plan. So, first thing is a plan and next is the people or resources. If you overload the same set of people, our resources by involving them in multiple projects or activities or if any person or resource is sick in a given project is going to impact on the overall completion of that project. The same analogy we can apply through query performance too. For a query to perform well, it needs two main things. One is the best query plan and other is the best resources to execute the plan. Of course, in some cases, resource contention, whether it can be from system side or within the database may slow down the query even when we have best query plan and best resource allocations. We are going to discuss each of these three items a little more in depth. Let us start with query plan. User submits the query to database and Vertica Optimizer generates the query plan. In generating query plans, optimizer uses the statistics information available on the tables. So, statistics plays a very important role in generating good query plans. As a best practice, always maintain up-to-date statistics. If you want to see how query plan looks like, add explain keyword in front of your query and run that query. It displays the query plan on the screen. Other option is BC explained plans. It saves all the explained plans of the queries run on the database. So, once you have a query plan, once you're checking it to make sure plan is good. The first thing I would look for, no statistics are predicted out of range. If you see any of these, means table involved in the query, have no up to date statistics. It is now the time to update the statistics. Next thing to explain plans are broadcast, three segments around the Join operator, global re segments around a group by operators. 
These indicate during the runtime of the query, data flow between the nodes over the network and will slow down the query execution. As far as possible, prevent such operations. How to prevent this, we will discuss in the projection design topic. Regarding the Join order, check on inner side and outer side, which tables are used, how many rows each side processing. In (mumbles) picking a table, having smaller number of rows is good in case of as shown as, as Join built in memory, smaller the number of rows, faster it is to build the hash table and also helps in consuming less memory. Then check if the plan is picking query specific projection or default projections. If optimizer ignoring any query specific projection, but picking the default super projection will show you how to use query specific hints to follow the plant to pick query specific projections which helps in improving the performance. Okay, here is one example query plan of a query trying to find number of products sold from a store in a given state. This query is having Joins between store table, product table and group by operation to find the count. So, first look for no statistics particularly around storage access path. This plan is not reporting any no statistics. This means statistics are up to date and plan is good so far. Then check what projections are used. This is also around the storage access part. For Join orders check, we have Hash Join in path ID 4 having it In Path ID 6 processing 60,000 rows and outer is in Path ID 7 processing 20 million rows. Inner side processing last record is good. This helps in building hash table quicker by using less memory. Check if any broadcast re segments, Joins in Path ID 4 and also Path ID 3. Both are having inner broadcast, Inners are having 60,000 records are broadcasted to all nodes in the cluster. This could impact the query performance negatively. These are some of the main things which we normally check in the explained plans. 
Still now, We have seen that how to get good query plans. To get good query plans, we need to maintain up to date statistics and also discussed how to review query plans. Projection design is the next important thing in getting good query plans, particularly in preventing broadcasts re segments. Broadcast re segments happens during Join operation, random existing segmentation class of the projections involved in the Join not matching with the Join columns in the query. These operations causes data flow over the network and negatively impacts the query performance particularly when it transfers millions or billions of rows. These operations also causes query acquire more memory particularly in network send and receive operations. One can avoid these broadcast re segments with proper projection segmentation, say, Join involved between two fact tables, T1, T2 on column I then segment the projections on these T1, T2 tables on column I. This is also called identically segmenting projections. In other cases, Join involved between a fact table and a dimension table then replicate or create an unsegmented projection on dimension table will help avoiding broadcast re segments during Join operation. During group by operation, global re segment groups causes data flow over the network. This can also slow down the query performance. To avoid these global re segment groups, create segmentation class of the projection to match with the group by columns in the query. In previous slides, we have seen the importance of projection segmentation plus in preventing the broadcast re segments during the Join operation. The order by class of production design plays important role in picking the Join method. We have two important Join methods, Merge Join and Hash Join. Merge Join is faster and consumes less memory than hash Join. Query plan uses Merge Join when both projections involved in the Join operation are segmented and ordered on the Join keys. 
In all other cases, Hash Join method will be used. In case of group by operation too, we have two methods. Group by pipeline and group by Hash. Group by pipeline is faster and consumes less memory compared to group by Hash. The requirements for group by pipeline is, projection must be segmented and ordered by on grouping columns. In all other cases, group by hash method will be used. After all, we have seen importance of stats and projection design in getting good query plans. As statistics are based on estimates over sample of data, it is possible in a very rare cases, default query plan may not be as good as you expected, even after maintaining up-to-date stats and good projection design. To work around this, Vertica providing you some query hints to force optimizer to generate even better query plans. Here are some example Join hints which helps in picking Join method and how to distribute the data, that is broadcast or re segment on inner or outer side and also which group by method to pick. The table level hints helps to force pick query specific projection or skipping any particular projection in a given query. These all hints are available in Vertica documentation. Here are a few general hints useful in controlling how to load data with the class materialization et cetera. We are going to discuss some examples on how to use these query hints. Here is an example on how to force query plan to pick Hash Join. The hint used here is JTYPE, which takes arguments, H for HashJoin, M for MergeJoin. How to place this hint, just after the Join keyword in the query as shown in the example here. Another important Join in this, JFMT, Join For My Type hint. This hint is useful in case when Join columns are lost workers. By default Vertica allocates memory based on column data type definition, not by looking at the actual data length in those columns. 
Say for example, Join column defined as (mumbles) 1000, 5000 or more, but actual length of the data in this column is, say, less than 50 characters. Vertica going to use more memory to process such columns in Join and also slow down the Join processing. JSMP hint is useful in this particular case. JSMP parameter uses the actual length of the Join column. As shown in the example, using JFMP of V hint helps in reducing the memory requirement for this query and executes faster too. Distrib hint helps in how to force inner or outer side of the Join operator to be distributed using broadcast or re segment. Distrib takes two parameters. First is the outer site and second is the inner site. As shown in the example, DISTRIB(A,R) after Join keyword in the query helps to force re segment the inner side of the Join, outer side, leaving it to optimizer to choose that distribution method. GroupBy Hint helps in forcing query plan to pick Group by Hash or Group by Pipeline. As shown in the example, GB type or hash, used just after group by class in the query helps to force this query to pick Group by Hashtag. See now, we discussed the first part of query performance, which is query plans. Now, we are moving on to discuss next part of query performance, which is resource allocation. Resource Manager allocates resources to queries based on the settings on resource pools. The main resources which resource pools controls are memory, CPU, query concurrency. The important resource pool parameters, which we have to tune according to the workload are memory size, plan concurrency, mass concurrency and execution parallelism. Query budget plays an important role in query performance. Based on the query budget, query planner allocate worker threads to process the query request. If budget is very low, query gets less number of threads, and if that query requires to process huge data, then query takes longer time to execute because of less threads or less parallelism. 
In other case, if the budget is very high and query executed on the pool is a simple one which results in a waste of resources, that is, query which acquires the resources holds it till it complete the execution, and that resource is not available to other queries. Every resource pool has its own query budget. This query budget is calculated based on the memory size and client and currency settings on that pool. Resource pool status table has a column called Query Budget KB, which shows the budget value of a given resource pool. The general recommendation for query budget is to be in the range of one GB to 10 GB. We can do a few checks to validate if the existing resource pool settings are good or not. First thing we can check to see if query is getting resource allocations quickly, or waiting in the resource queues longer. You can check this in resource queues table on a live system multiple times, particularly during your peak workload hours. If large number of queries are waiting in resource queues, indicates the existing resource pool settings not matching with your workload requirements. Might be, memory allocated is not enough, or max concurrency settings are not proper. If query's not spending much time in resource queues indicates resources are allocated to meet your peak workload, but not sure if you have over or under allocated the resources. For this, check the budget in resource pool status table to find any pool having way larger than eight GB or much smaller than one GB. Both over allocation and under allocation of budget is not good for query performance. Also check in DC resource acquisitions table to find any transaction acquire additional memory during the query execution. This indicates the original given budget is not sufficient for the transaction. Having too many resource pools is also not good. How to create resource pools or even existing resource pools. Resource pool settings should match to the present workload. 
You can categorize the workload into well known workload and ad-hoc workload. In case of well-known workload, where you will be running same queries regularly like daily reports having same set of queries processing similar size of data or daily ETL jobs et cetera. In this case, queries are fixed. Depending on the complexity of the queries, you can further divide it into low, medium, high resource required pools. Then try setting the budget to 1 GB, 4 GB, 8 GB on these pools by allocating the memory and setting the plan concurrency as per your requirement. Then run the query and measure the execution time. Try couple UP iterations by increasing and then decreasing the budget to find the best settings for your resource pools. For category of ad-hoc workload where there is no control over the number of users going to run the queries concurrently, or complexity of queries user going to submit. For this category, we cannot estimate, in advance, the optimum query budget. So for this category of workload, we have to use cascading resource pool settings where query starts on the pool based on the runtime they have set, then query resources moves to a secondary pool. This helps in preventing smaller queries waiting for resources, longer time when a big query consuming all resources and rendering for a longer time. Some important resource pool monitoring tables, analyze system, you can query resource cues table to find any transaction waiting for resources. You will also find on which resource pool transaction is waiting, how long it is waiting, how many queries are waiting on the pool. Resource pool status gives info on how many queries are in execution on each resource pool, how much memory in use and additional info. For resource consumption of a transaction which was already completed, you can play DC resource acquisitions to find how much memory a given transaction used per node. 
DC resource pool move table shows info on what our transactions moved from primary to secondary pool in case of cascading resource pools. DC resource rejections gives info on which node, which resource a given transaction failed or rejected. Query consumptions table gives info on how much CPU disk network resources a given transaction utilized. Till now, we discussed query plans and how to allocate resources for better query performance. It is possible for queries to perform slower when there is any resource contention. This contention can be within database or from system side. Here are some important system tables and queries which helps in finding resource contention. Table DC query execution gives the information on transaction level, how much time it took for each execution step. Like how much time it took for planning, resource allocation, actual execution etc. If the time taken is more in planning, which is mostly due to catalog contentions, you can play DC lock releases table as shown here to see how long transactions are waiting to acquire global catalog lock, how long transaction holding GCL x. Normally, GCL x acquire and release should be done within a couple of milliseconds. If the transactions are waiting for a few seconds to acquire GCL x or holding GCL x longer indicates some catalog contention, which may be due to too many concurrent queries or due to long running queries, or system services holding catalog mutexes and causing other transactions to queue up. A query is given here, particularly the system tables will help you further narrow down the contention. You can vary sessions table to find any long-running user queries. You can query system services table to find any service like analyze row counts, move out, merge operation and running for a long time. DC all evens table gives info on what are slower events happening. 
You can also query system resource usage table to find any particular system resource like CPU memory, disk IO or network throughput, saturating on any node. It is possible once slow node in the cluster could impact overall performance of queries negatively. To identify any slow node in the cluster, we use queries. Select one, and (mumbles) Clearly key one query just executes on initiative node. On a good node, kV one query returns within 50 milliseconds. As shown here, you can use a script to run this, select kV one query on all nodes in the cluster. You can repeat this test multiple times, say five to 10 times then reveal the time taken by this query on all nodes in all tech (mumbles) . If there is any one node taking more than a few seconds compared to other notes taking just milliseconds, then something is wrong with that node. To find what is going on with the node, which took more time for kV one query, run perf top. Perf top gives info on stopped only lister functions in which system spending most of the time. These functions can be counter functions or Vertica functions, as shown here. Based on their systemic spending most of the time we'll get some clue on what is going on with that code. Abhi will continue with the remaining part of the session. Over to you Abhi. >> Bir: Hey, thanks, Rakesh. My name is Abhimanu Thakur and today I will cover some performance cases which we had addressed recently in our customer clusters which we will be applying the best practices just showed by Rakesh. Now, to find where the performance problem is, it is always easy if we know where the problem is. And to understand that, like Rakesh just explained, the life of a query has different phases. The phases are pre execution, which is the planning, execution and post execution which is releasing all the required resources. This is something very similar to a plane taking a flight path where it prepares itself, gets onto the runway, takes off and lands back onto the runway. 
So, let's prepare our flight to take off. So, this is a use case which is from a dashboard application where the dashboard fails to refresh once in a while, and there is a batch of queries which are sent by the dashboard to the Vertica database. And let's see how we can be able to see where the failure is or where the slowness is. To reveal the dashboard application, these are very shortly queries, we need to see what were the historical executions and from the historical executions, we basically try to find where is the exact amount of time spent, whether it is in the planning phase, execution phase or in the post execution and if they are pretty consistent all the time, which means the plan has not changed in the execution which will also help us determine what is the memory used and if the memory budget is ideal. As just showed by Rakesh, the budget plays a very important role. So DC query executions, one-stop place to go and find your timings, whether it is a timing extra or is it execute plan or is it an abandoned plan. So, looking at the queries which we received and the times from the scrutinize, we find most of the time average execution, the execution is pretty consistent and there is some time, extra time spent in the planning phase which users of (mumbles) resource contention. This is a very simple matrix which you can follow to find if you have issues. So the system resource contention, catalog contention and resource contention, all of these contribute mostly because of the concurrency. And let's see if we can drill down further to find the issue in these dashboard application queries. So, to get the concurrency, we pull out the number of queries issued, what is the max concurrency achieved, what are the number of threads, what is the overall percentage of query duration and all this data is available in the V advisor report. So, as soon as you provide scrutinize, we generate the V advisor report which helps us get complete insight of this data. 
So, based on this we definitely see there is very high concurrency and most of the queries finish in less than a second which is good. There are queries which go beyond 10 seconds and over a minute, but so definitely, the cluster had concurrency. What is more interesting is to find from this graph is... I'm sorry if this is not very readable, but the topmost line what you see is the Select and the bottom two or three lines are the create, drop and alters. So definitely this cluster is having a lot of DDL and DMLs being issued and what do they contribute is if there is a large DDL and DMLs, they cause catalog contention. So, we need to make sure that the batch, what we're sending is not causing too many catalog contention into the cluster which delays the complete plan phase as the system resources are busy. And the same time, what we also analyze is the analyze statistics running every hour which is very aggressive, I would say. It should be scheduled to be need only so if a table has not changed drastically that's not scheduled analyze statistics for the table. A couple more settings as shared by Rakesh is, it definitely plays an important role in the modeled and mode operations. So now, let's look at the budget of the query. The budget of the resource pool is currently at about two GB and it is the 75 percentile memory. Queries are definitely executing at that same budget, which is good and bad because these are dashboard queries, they don't need such a large amount of memory. The max memory as shown here from the capture data is about 20 GB which is pretty high. So what we did is, we found that there are some queries run by different user who are running in the same dashboard pool which should not be happening as dashboard pool is something like a premium pool or kind of a private runway to run your own private jet. And why I made that statement is as you see, resource pools are like runways. 
You have different resource pools, different runways to cater different types of plane, different types of flights which... So, as you can manage your resource pools differently, your flights can take off and land easily. So, from this we did remind that the budget is something which could be well done. Now let's look... As we saw in the previous numbers that there were some resource waits and like I said, because resource pools are like your runways. So if you have everything ready, your plane is waiting just to get onto the runway to take off, you would definitely not want to be in that situation. So in this case, what we found is the coolest... There're quite a bit number of queries which have been waited in the pool and they waited almost a second and which can be avoided by modifying the amount of resources allocated to the resource pool. So in this case, we increase the resource pool to provide more memory which is 80 GB and reduce the budget from two GB to one GB. Also making sure that the plan concurrency is increased to match the memory budget and also we moved the user who was running into the dashboard query pool. So, this is something which we have gone, which we found also in the resource pool is the execution parallelism and how this affects and what number changes. So, execution parallelism is something which allocates the plan, allocates the number of threads, network buffers and all the data around it before even the query executes. And in this case, this pool had auto, which defaults to the core count. And so, dashboard queries not being too high on resources, they need to just get what they want. So we reduced the execution parallelism to eight and this drastically brought down the amount of threads which were needed without changing the time of execution. So, this is all what we saw how we could tune before the query takes off. Now, let's see what path we followed. This is the exact path what we followed. 
Hope this diagram helps and these are the things which we took care of. So, tune your resource pool, adjust your execution parallelism based on the type of the queries the resource pool is catering to and match your memory sizes and don't be too aggressive on your resource budget. And see if you could replace your staging tables with temporary tables as they help a lot in reducing the DDLs and DMLs, reducing the catalog contention and the places where you cannot replace them with the truncate tables, reduce your analyze statistics duration and if possible, follow the best practices for a couple more operations. So moving on, let's let our query take a flight and see what best practices can be applied here. So this is another, I would say, very classic example of query where the query has been running and suddenly stops to fail. And if there is... I think most of the other seniors in a Join did not fit in memory. What does this mean? It basically means the inner table is trying to build a large Hash table, and it needs a lot of memory to fit. There are only two reasons why it could fail. One, your statistics are outdated and your resource pool is not letting you grab all the memory needed. So in this particular case, the resource pool is not allowing all the memory it needs. As you see, the query acquire 180 GB of memory, and it failed. When looking at the... In most cases, you should be able to figure out the issue looking at the explained plan of the query as shared by Rakesh earlier. But in this case if you see, the explained plan looks awesome. There's no other operator like in a broadcast or outer V segment or something like that, it's just Join hash. So looking further we find into the projection. So inner is on segmented projection, the outer is segmented. Excellent. This is what is needed. So in this case, what we would recommend is go find further what is the cost. The cost to scan this row seems to be pretty high. 
There's the table DC query execution in their profiles in Vertica, which helps you drill down to every smallest amount of time, memory and what were the number of rows used by individual operators per pack. So, while looking into the execution engine profile details for this query, we found the amount of time spent is on the Join operator and it's the Join inner Hash table build time, which is taking huge amount of time. It's just waiting basically for the lower operators can and storage union to pass the data. So, how can we avoid this? Clearly, we can avoid it by creating a segmented projection instead of unsegmented projection on such a large table with one billion rows. Following the practice to create the projection... So this is a projection which was created and it was segmented on the column which is part of the select clause over here. Now, that plan looks nice and clean still, and the execution of this query now executes in 22 minutes 15 seconds and the most important you see is the memory. It executes in just 15 GB of memory. So, basically to what was done is the unsegmented projection which acquires a lot of memory per node is now not taking that much of memory and executing faster as it has been divided by the number of nodes per node to execute only a small share of data. But, the customer was still not happy as 22 minutes is still high. And let's see if we can tune it further to make the cost go down and execution time go down. So, looking at the explained plan again, like I said, most of the time, you could see the plan and say, "What's going on?" In this case, there is an inner re segment. So, how could we avoid the inner re segments? We can avoid the inner re segment... Most of the times, all the re segments just by creating the projection which are identically segmented which means your inner and outer both have the same amount, same segmentation clause. 
The same was done over here, as you see, there's now segment on sales ID and also ordered by sales ID which helps us execute the query drop from 22 minutes to eight minutes, and now the memory acquired is just equals to the pool budget which is 8 GB. And if you see, the most what is needed is the hash Join is converted into a merge Join being the ordered by the segmented clause and also the Join clause. So, what this gives us is, it has the new global data distribution and by changing the projection design, we have improved the query performance. But there are times when you could not have changed the projection design and there's nothing much which can be done. In all those cases, as even in the first case of Vertica after fail of the inner Join, the second Vertica replan (mumbles) spill to this operator. You could let the system degrade by acquiring 180 GB for whatever duration of minutes the query had. You could simply use this hint to replace and run the query in the very first go. Let the system have all the resources it needs. So, use hints wherever possible and filter disk is definitely your option where there're no other options for you to change your projection design. Now, there are times when you find that you have gone through your query plan, you have gone through every other thing and there's not much you see anywhere, but you definitely look at the query and you feel that, "Now, I think I can rewrite this query." And how what makes you decide that is you look at the query and you see that the same table has been accessed several times in my query plan, how can I rewrite this query to access my table just once? And in this particular use case, a very simple use case where a table is scanned three times for several different filters and then a union in Vertica union is kind of costly operator I would say, because union does not know what's the amount of data which should be coming from the underlying query. 
So we allocate a lot of resources to keep the union running. Now, we could simply replace all these unions by simple "Or" clause. So, simple "Or" clause changes the complete plan of the query and the cost drops down drastically. And now the optimizer almost knows the exact amount of rows it has to process. So change, look at your query plans and see if you could make the execution in the profile or the optimizer do better job just by doing some small rewrites. Like if there are some tables frequently accessed you could even use a "With" clause which will do an early materialization and make use the better performance or for the union which I just shared and replace your left Joins with right Joins, use your (mumbles) like shared earlier for you changing your hash table types. This is the exact part what we have followed in this presentation. Hope this presentation was helpful in addressing, at least finding some performance issues in your queries or in your class test. So, thank you for listening to our presentation. Now we are ready for Q&A.
Donovan Brown, Microsoft | Microsoft Ignite 2019
>> Announcer: Live from Orlando Florida, it's theCUBE, covering Microsoft Ignite. Brought to you by Cohesity. >> Good morning everyone. You are watching theCUBE's live coverage of Microsoft Ignite 2019 here in Orlando, Florida. I'm your host Rebecca Knight, co-hosting alongside of Stu Miniman. We are joined by Donovan Brown. He is the Principal Cloud Advocate Manager of Methods and Practices Organizations at Microsoft. (laughing) A mouthful of a title. >> Yes. >> Rebecca: We are thrilled to welcome you on. >> Thank you so much. >> You are the man in the black shirt. >> I have been dubbed the man in the black shirt. >> So tell us what that's all about. You're absolutely famous. Whenever we were saying Donovan Brown's going to be here. "The man in the black shirt?" >> Yes. >> So what's that about? >> So it was interesting. The first time I ever got to keynote in an event was in New York in 2015 for Scott Guthrie, the guy who only wears a red shirt. And I remember, I was literally, and this is no exaggeration, wearing this exact black shirt, right, because I bring it with me and I can tell because the tag in the back is worn more than the other black shirts I have just like this one. And I bring this one out for big events because I was in a keynote yesterday and I knew I was going to be on your show today. And I wore it and it looked good on camera. I felt really good. I'm an ex-athlete. We're very superstitious. I'm like I have to wear that shirt in every keynote that I do from now on because if you look further back, you'll see me in blue shirts and all other colored shirts. But from that day forward, it's going to be hard pressed for you to find me on camera on stage without this black shirt on or a black shirt of some type. And there's a really cool story about the black shirt that was. This is when I knew it was a thing. So I pack about six or seven black shirts in every luggage. 
I'm flying overseas to Germany to go Kampf to do a keynote for, I think it was Azure Saturday. Flights were really messed up. They had to check my bag which makes me very uncomfortable because they lose stuff. I'm not too worried about it, it'll be okay. Check my bag, get to Europe. They've been advertising that the black shirt is coming for months and they lose my luggage. And I am now, heart's pounding out of my chest. (laughing) We go to the airport. I'm shopping in the airport because I don't even have luggage. I cannot find a black shirt and I am just thinking this is devastating. How am I going to go to a conference who's been promoting "the black shirt's coming" not wearing a black shirt? And my luggage does not show up. I show up at the event I'm thinking okay, maybe I'll get lucky and the actual conference shirt will be black and then we're all good. I walk in and all I see are white shirts. I'm like this could not be worse. And then now the speakers show up. They're wearing blue shirts, I'm like this cannot be happening. So I'm depressed, I'm walking to the back and everyone starts saying, "Donovan's here, Donovan's here." And I'm looking to find my polo, my blue polo I'm going to put on. They're like no, no, no, no Donovan. They printed one black shirt just for me. I was like oh my goodness, this is so awesome. So I put the black shirt on, then I put a jacket on over it and I go out and I tell the story of how hard it was to get here, that they lost my luggage, I'm not myself without a black shirt. But this team had my back. And when I unzipped my shirt, the whole place just starts clapping 'cause I'm wearing >> Oh, I love it. >> a black shirt. >> Exactly. So now to be seen without a black shirt is weird. Jessica Dean works for me. We were in Singapore together and it was an off day. So I just wore a normal shirt. She had to take a double take, "Oh no, is that Donovan, my manager "'cause he's not wearing a black shirt?" 
I don't wear them all the time but if I'm on camera, on stage you're going to see me in a black shirt. >> Rebecca: All right, I like it. >> Well, Donovan, great story. Your team, Methods and Practices makes up a broad spectrum of activities and was relatively recently rebranded. >> Yeah. >> We've talked to some of your team members on theCUBE before, so tell our audience a little bit about the bridges Microsoft's building to help the people. >> Great. No, so that's been great. Originally, I built a team called The League. Right, there's a really small group of just DevOps focused diehards. And we still exist. A matter of fact, we're doing a meet and greet tonight at 4:30 where you can come and meet all five of the original League members. Eventually, I got tasked with a much bigger team. I tell the story. I was in Norway, I went to sleep, I had four direct reports. I literally woke up and I had 20 people reporting to me and I'm like what just happened? And the team's spanned out a lot more than just DevOps. So having it branded as the DevOps Guy doesn't really yield very well for people who aren't diehard DevOps people. And what we feared was, "Donovan there's people who are afraid of DevOps "who now report to you." You can't be that DevOps guy anymore. You have to broaden what you do so that you can actually focus on the IT pros in the world, the modern operations people, the lift and shift with Jeremy, with what Jeramiah's doing for me right, with the lift and shift of workloads. And you still have to own DevOps. So what I did is I pulled back, reduced my direct reports to four and now I have teams underneath me. Abel Wang now runs DevOps. He's going to be the new DevOps guy for me. Jeramiah runs our lift and shift. Rick Klaus or you know the Hat, he runs all my IT Pro and then Emily who's just an amazing speaker for us, runs all of my modern operations. So we span those four big areas right. 
Modern operations which is sort of like the ops side of DevOps, IT pros which are the low level infrastructure, diehard Windows server admins and then we have DevOps run by Abel which is still, the majority of The League is over there. And then we have obviously the IT pros, modern ops, DevOps and then the lift and shift with Jeramiah. >> I'd like to speak a little bit as to why you've got these different groups? How do you share information across the teams but you know really meet customers where they are and help them along 'cause my background's infrastructure. >> Donovan: Sure. >> And that DevOps, was like that religion pounding at you, that absolutely, I mean, I've got a closet full of hoodies but I'm not a developer. Understand? >> Understood. (laughs) It's interesting because when you look at where our customers are today, getting into the cloud is not something you do overnight. It takes lots of steps. You might start with a lift and shift, right? You might start with just adding some Azure in a hybrid scenario to your on-prem scenario. So my IT pros are looking after that group of people that they're still on prem majority, they're trying to dip those toes into the cloud. They want to start using things like file shares or backups or something that they can have, disaster recovery offsite while they're still running the majority of what they're doing on-prem. So there's always an Azure pool to all four of the teams that I actually run. But I need them to take care of where our customers are today and it's not just force them to be where we want them tomorrow and they're not ready to go there. So it's kind of interesting that my teams kind of have every one of those stages of migration from I'm on-prem, do I need to lift and shift do I need to do modern operations, do I need to be doing full-blown DevOps pull all up? 
So, I think it's a nice group of people that kind of fit the spectrum of where our customers are going to be taking that journey from where they are to enter the cloud. So I love it. >> One of the things you said was getting to the cloud doesn't happen overnight. >> No, it does not. >> Well, you can say that again because there is still a lot of skepticism and reluctance and nervousness. How do you, we talked so much about this digital transformation and technology is not the hard part. It's the people that pose the biggest challenges to actually making it happen. >> Donovan: Right. >> So we're talking about meeting customers where they are in terms of the tools they need. But where do you meet them in terms of where they are just in their approach and their mindset, in terms of their cloud readiness? >> You listen. Believe it or not, you can't just go and tell people something. You need to listen to them, find out what hurts and then start with that one thing is what I tell people. Focus on what hurts the most first. Don't do a big bang change of any type. I think that's a recipe for disaster. There's too many variables that could go wrong. But when I sit down with a customer is like tell me where you are, tell me what hurts, like what are you afraid of? Is it a compliancies? Let me go get you in contact with someone who can tell you about all the comp. We have over 90 certifications on Azure. Let me. Whatever your fear is, I bet you I can get you in touch with someone that's going to help you get past that fear. But I don't say just lift, shift, move it all like stop wasting, like no. Let's focus on that one thing. And what you're going to do is you're going to start to build confidence and trust with that customer. And they know that I'm not there just trying to rip and replace you and get out high levels of ACR. I'm trying to succeed with you, right, empower every person in every organization on the planet to achieve more. 
You do that by teaching them first, by helping them first. You can sell them last, right? You shouldn't have to sell them at all once they trust that what we're trying to do together is partner with you. I look at every customer more as a partner than a customer, like how can I come with you and we do better things together than either one of us could have done apart. >> You're a cloud psychologist? >> Almost, right because I always put myself in their position. If I was a customer, what would I want that vendor to do for me? How would they make me feel comfortable and that's the way that I lead. Right, I don't want you going in there selling anything right. We're here to educate them and if we're doing our job on the product side, the answer is going to be obvious that you need to be coming with us to Azure. >> All right. So Donovan, you mentioned you used to be an athlete? >> Donovan: Yes. >> According to your bio, you're still a bit of an athlete. >> Donovan: A little bit, a little bit. >> So there's the professional air hockey thing which has a tie to something going on with the field. Give us a little bit of background. I've got an air hockey table in my basement. Any tips for those of us that aren't, you know? You were ranked 11th in the world. >> At one point, yeah, though I went to the World Championships. It was interesting because that World Championships I wasn't prepared. My wife plays as well. We were like we're just going to go, we're going to support the tournament. We had no expectations whatsoever. Next thing you know, I'm in the round playing for the top 10 in the world. And that's when it got too serious for me and I lost, because I started taking it too serious. I put too much pressure on myself. But professionally, air hockey's like professional foosball or pool. It's grown men taking this sport way too seriously. It's the way I'd describe it. It is not what you see at Chuck E. Cheese. 
And what was interesting is Damien Brady who works for me found that there is an AI operated air hockey table here on this floor. And my wife was like, oh my gosh, we have to find this machine. Someone tape Donovan playing it. Six seconds later, my first shot I scored it. And I just looked at the poor people who built it and I'm like yeah, I'm a professional air hockey player. This thing is so not ready for professional time but they took down all my information and said we'd love to consult with you. I said I'd love to consult with you too because this could be a lot of fun. Maybe also a great way for professionals to practice, right, because you don't always have someone who's willing to play hours and hours which it takes to get at the professional level. But to have an AI system that I could even teach up my attack, forcing me to play outside of my comfort zone, to try something other than a left wall under or right wall over but have to do more cuts because it knows to search for that. I can see a lot of great applications for the professionalized player with this type of AI. It would actually get a lot better. Literally, someone behind me started laughing. "That didn't take long" because in six seconds I had scored on it already. I'm like okay, I was hoping it was going to be harder than this. >> I'm thinking back to our Dave Cahill interview of AI for everyone, and this is AI for professional air hockey players. >> It is and in one of my demos, Kendra Havens showed AI inside of your IDE. And I remember I tell the story that I remember I started writing software back in the 90s. I remember driving to a software store. You remember we used to have to drive and you'd buy a box and the box would be really heavy because the manuals are in there, and not to mention a stack of floppy discs that you're going to spend hours putting in your computer. And I bought visual C++ 1.52 was my first compiler. I remember going home so excited. 
And it had like syntax highlighting and that was like this cool new thing and you had all these great breakpoints and line numbers. And now Kendra's on stage typing this repetitive task and then the editor stops her and says, "It looks like you need to do this a little bit more. "You want me to do this for you?" And I'm like what just happened? This is not syntax highlighting. This is literally watching what you do, identifying a repetitive task, seeing the pattern in your code and suggesting that I can finish writing this code for you. It's unbelievable. >> You bring up a great point. Back when I used to write, it was programming. >> Yes. >> And we said programming was you learn the structure, you learn the logic and you write all the lines of what's going to be there. Coding on the other hand usually is taking something that is there, pulling in the pieces, making the modification. >> Right. >> It sounds like we're talking about even the next generation where the intelligence is going to take over. >> It's built right inside of your IDE which is amazing. You were talking about artificial intelligence, not only for the air hockey. But I love the fact that in Azure, we have so many cognitive services and you just like pick these off the shelf. When I wanted to learn artificial intelligence when I was in the university, you had to go for another language called Lisp. That scared half of us away from artificial intelligence because you have to learn another language just to go do this cool thing that back then was very difficult to do and you could barely get it to play chess, let alone play air hockey. But today, cognitive services search, decision-making, chat bots, they're so easy. Anyone, even a non developer, can start adding the power of AI into their products thanks to the stuff that we're doing in Azure. And this is just lighting up all these new possibilities for us, air hockey, drones that are able to put out fires. 
I've just seen amazing stuff where they're able to use AI and they add it with as little as two lines of code. And all of a sudden, your app is so much more powerful than it was before. >> Donovan, one of the things that really struck me over the last couple years, looking at Microsoft, is it used to be, you'd think about the Microsoft stack. When I think about developers it's like, oh wait are you a .NET person? Well, you're going to be there. The keynote this morning, one of your team members was on stage with Scott Hanselman and was you know choose your language, choose your tools and you're going to have all of them out there. So talk to us a little bit about that transition inside Microsoft. >> Sure. One of the mantras that I've been saying for a while is "any language, any platform". No one believes me. So I had to start proving it. I'm like so I got on stage one year. It was interesting and this is a really rough year because I flew with three laptops. One had Mac OS on it, one of them had Linux on it and one of them had Windows. And what I did is I created a voting app and what I would do is I'd get on stage and say okay everyone that's in this session, go to this URL and start voting. They got to pick what computer I use, they got to pick what language I programmed in and they got to pick where in Azure I deployed it to. Was it to an app service, was it to Docker? I'm like I'm going to prove to you I can do any language in any platform. So I honestly did not know what demo I was going to do. 20 minutes later, after showing them some slides, I would go back to the app and say what did you pick? And I would move that computer in front of me and right there on stage completely create a complete CI/CD pipeline for the language that that audience chose to whatever resources that they wanted on whatever platform that they wanted me. Was like, have I proven this to you enough or not? And I did that demo for an entire year. 
Any language that you want me to program in and any platform you want me to target, I'm going to do that right now and I don't even know what it's going to be. You're going to choose it for me. I can't remember the last time I did a .NET demo on stage. I did Python this week when I was on stage with Jason Zander. I saw a lot of Python and Go and other demos this year. We love .NET. Don't get us wrong but everyone knows we can .NET. What we're trying to prove right now is that we can do a lot of other things. It does not matter what language you program in. It does not matter where you want to deploy. Microsoft is here to help you. It's a company created by developers and we're still obsessed with developers, not just .NET developers, all developers, even the citizen developer, which is a developer who doesn't have to see the code anymore but wants to be able to add that value to what they're doing in their organization. So if you're a developer, Microsoft is here to help full-stop. It's a powerful mission and a powerful message that you are really empowering everyone here. >> Donovan: Right. >> Excellent. >> And how many developers only program in one language now, right? I thought I remember I used to be a C++ programmer and I thought that was it, right. I knew the best language, I knew the fastest language. And then all of a sudden, I knew CSharp and I knew Java and I knew JavaScript and I brought a lot of PowerShell right now and I write it on and noticed like wow, no one knows one language. But I never leave Visual Studio code. I deploy all my workloads into Azure. I didn't have to change my infrastructure or my tools to switch languages. I just switched languages that fit whatever the problem was that I was trying to solve. So I live the mantra that we tell our customers. I don't just do .NET development. 
Although I love .NET and it's my go-to language if I'm starting from scratch but sometimes I'm going to go help in an open source project that's written in some other language and I want to be able to help them. With Visual Studio online, we made that extremely easy. I don't even have to set up my development machine anymore. I can only click a link in a GitHub repository and the environment I need will be provisioned for me. I'll use it, check in my commits and then throw it away when I'm done. It's the world of being a developer now and I always giggle 'cause I'm thinking I had to drive to a store and buy my first compiler and now I can have an entire environment in minutes that is ready to rock and roll. It's just I wish I would learn how to program now and not when I was on bulletin boards asking for help and waiting three days for someone to respond. I didn't have Stack Overflow or search engines and things like that. It's just an amazing time to be a developer. >> Yes, indeed. Indeed it is Donovan Brown, the man in the black shirt. Thank you so much for coming on theCUBE. >> My pleasure. Thank you for having me. >> It was really fun. Thank you. >> Take care. >> I'm Rebecca Knight for Stu Miniman. Stay tuned for more of theCUBE's live coverage of Microsoft Ignite. (upbeat music)
Josh Kahn, ServiceNow | ServiceNow Knowledge18
>> Announcer: Live from Las Vegas, it's theCUBE, covering ServiceNow Knowledge 2018. Brought to you by ServiceNow. >> Welcome back, everyone, to theCUBE's live coverage of ServiceNow Knowledge 18, here in Las Vegas. I'm your host, Rebecca Knight, along with my cohost, Dave Vellante. We're joined by Josh Kahn. He is the General Manager of Platforms, ServiceNow. Thanks so much for coming on theCUBE again. >> Yeah, really excited to be here. Thanks for being here and thanks for being part of our event. >> Thank you. >> You're welcome. >> It's been a lot of fun. >> Newly minted. >> Yeah that's right. (laughing) >> Yes, congrats on the recent promotion. So tell us about your new role. >> Yeah, so I run the Platform Business Unit. We use the word platform a lot of different ways at ServiceNow and I think we're trying to get a little bit more clear about that. On the one hand, our platform is the core foundation that all of our applications and all of our customers' applications are built on. It's also a way that independent software vendors and our customers can build their own applications. So what my group is trying to do is really be more thoughtful and structured about how we go about gathering those requirements from our customers and our independent software vendor partners and make sure we're bringing the products to market that meet their needs, and that we're doing all of the things across the board as a company we need to do to make them successful because there's a lot that goes into long-term customer success from the sales teams to the solutions consultants to professional services and the Customer Success Management Team. We're bringing all those things to make sure that, as our customers are building applications, we're helping them be successful. >> I remember we had Erik Brynjolfsson and Andy McAfee on and they were making a point. This was years ago when they wrote their, I think, most recent book. 
They were saying platforms beat products, I'm like, okay, what do you mean? Look, you can make a great living doing products, but we are entering a platform era. It reminds me of the old Scott McNealy, car dealers versus car makers. If you want to be a car maker in this day and age, unfortunately Sun Microsystems never became that car maker, but you've got to have a platform. What's your perspective on all that? >> I totally agree. I think that every customer I talk to is looking for fewer, more strategic vendors and partners, and they're really saying, hey, be a strategic partner to me. Digital transformation is everywhere. Disruption is everywhere, and they're saying, hey, we need a few people we can really count on to help us build a strategy and execute on that strategy to get to the next place. Isolated, independent pieces of software tend to have a hard time becoming one of those strategic vendors, and I think the more you can be thought of as a platform, the more different kinds of workloads run on the same common shared infrastructure that provide shared data services, that can provide simple ways to get work across each other, the more value that you can bring and the more you can be thought of in that strategic partner realm. >> So you guys are a platform of platforms, we use that terminology a lot, and I think there's no question that for a lot of the C-level executives, particularly the CIOs that I talk to, you are becoming, ServiceNow is becoming a strategic platform provider. Who else is in there? Let's throw some... IBM, because of its huge services in certain industries, for sure, SAP because of its massive ERP estate. I mean, I don't know, Oracle, maybe, but it feels different, but maybe in some cases. Who do you see as your peers? >> The category of players that are in this space are really people that are investing big in the Cloud and investing big in intelligence and automation. 
And, I think, a lot of times automation can have kind of a negative connotation to it, but we really believe that automation can be used to serve people in the workplace and to make the world work better for people, not just make the world of work work without people. So when you look around at the people that are moving into that strategic realm, it's Cloud players, people who are providing either Cloud infrastructure or Cloud functions, a wide set of microservices capabilities, and people providing applications software as a service that start to cover a broader and broader portfolio. Clearly, Workday is thought of oftentimes as a strategic partner to their customers, because they provide a human capital management capability that's broader than just being a data repository. Salesforce is clearly a strategic partner to the sales and marketing organizations. The reality, though, is a lot of work that happens in the Enterprise cuts across these things, and so there's an opportunity for us to work with the Salesforces and the Workdays and the Googles and the Amazon Web Services of the world to help bring all of those things together. I think that what customers want is not only strategic technology providers, but strategic technology providers that will work with each other to solve customers' problems. >> John Donahoe on, I guess it was Tuesday, was saying we're very comfortable being that horizontal layer. We don't have to be the top layer, although I would observe that the more applications you develop, the more interesting the whole landscape becomes. >> Yeah, well, I think that's absolutely true. We're in the early stages of this, right? If you look at the amount of money that's spent in IT in the enterprise sector and then you start adding up all of these areas that I just mentioned, Cloud and SaaS, it's still a very small amount of that overall spent. 
So clearly, big legacy technology vendors are incredibly relevant still today, but the challenge they'll have is making sure they stay relevant as this tide shifts to more Cloud, more intelligence, more automation in the workplace. >> I wonder if you could walk us through the process that you go through when you are working closely with customers, collaborating, trying to figure out what their problems are and solve them and then also solve the problems they don't even know they have, that you can provide solutions for. >> Actually, it's amazing, because in a lot of cases, the innovation, and this has been a phenomenal week, because I've gotten to meet with so many customers and see what they're doing. And what tends to happen with ServiceNow is the IT organization, oftentimes, it starts there. The IT organization brings it in for IT service management, and people start using that to request things that they need from IT, and they very quickly say, man, I have a process that would really benefit from exactly what you just did. Can you build my application on that? And so there starts to become this tidal wave of people asking the IT organization if they can start hosting applications on the platform. I'll give you one example from a company called Cox Automotive. Donna Woodruff, who's an innovation leader there and leads the ServiceNow platform team, found a process where they had a set of safety checks they do at all these remote sites as part of a car auctions, and it was a very spreadsheet-driven process that involved a lot of people doing manual checks, but it also had regulatory implications, insurance implications, and workplace happiness implications. And they were able to take this, put it on ServiceNow, and automate a lot of that process, make it faster, I should say digitize it, 'cause you still need the people going through and doing the checks, but were able to digitize it and make that person's job that much better. 
These applications are all over the place. They're in shared email inboxes, they're in Excel spreadsheets, they're in legacy applications. We don't actually have to go drive the innovation and the ideas. They end up coming to the ServiceNow platform owners and our customers. >> I'd like you to comment on some of the advantages of the platform and maybe some of the challenges that you face. When I think about enterprise software, I would generally characterize enterprise software as not a great user experience, oftentimes enterprise software products don't play well with other software products. They're highly complex. Oftentimes there's lots of customization required, which means it's really hard to go from one state to another. Those are things that you generally don't suffer from. Are there others that give you advantages? And what are maybe some of the challenges that you face? >> I think it's true. Enterprise software, you used to have to train yourself to it. It's like, hey, we're going to roll out the new system. How are we going to train all the users? But you don't do that with the software we use in the consumer world. You download it from the app store and you start using it. If you can't figure it out, it's not going to go. >> You ain't going to use it. >> Josh: Exactly right. So we put a lot of that thought process from the consumer world into our technology, but not just the technology we provide. We're trying to make it easier for our customers to then provide that onto their internal and external customers as well. Things like the Mobile Application Builder that we showed earlier today, that's coming in Madrid, it's an incredibly simple way to build a beautiful mobile application for almost anything in the workplace. And, again, as I was saying before, a lot of the ideas for applications come from people in the workplace. 
We've got to make it easy enough for them to not only to identify what the application potential is, but then build something that's amazing. What we're trying to do is put a lot of those design concepts, not just into the end products we sell, but into tools and technology that are part of the platform and the Platform Business Unit so that our customers can build something just like it in terms of experience, usability, simplicity, and power without having to have as many developers as we do. >> You and I have known each other for a number of years now, and just as we observed the other day, off camera, that you've been forced into a lot of challenges. I say forced, but welcomed a lot of challenges. >> I love it, I love it. >> All right, I mean, it's like, hey, I'll take that. No problem. You've had a variety of experiences at large companies. Things you've learned, opportunities ahead, maybe advice you'd give for others, like the hard stuff. >> I think one of the biggest things I've learned here, particularly at ServiceNow, is just the importance of staying focused on customers rather than competitors. I think a lot of times when you're in the business roles or strategy roles, you can really think a lot about who am I competing against, and you can forget that you really just need to solve the customer's problem as well as you possibly can. Be there for them when they need it. Have something that's compelling that addresses their needs, and stay laser-focused on what works for them, and at the end of the day you're going to be successful. So that's a strategy we've really tried to take to heart at ServiceNow, is put the customers at the center of everything we do. We don't worry that much about competitors. They're out there and we know they're there and we study them, but it's really the customer that gets us up every morning. 
>> You know, it's interesting, I've had this, as well as John Furrier has, had this conversation with Andy Jassy a lot, and they're insanely focused on the customer where he says, even though he'll say, we get into a competitive situation, we'll take on anybody, but his point was both methods can work. Your former company, I would put into the very competitive, Oracle, I think, is the same way. Microsoft maybe used to be, maybe that's changing, but to a great extent would rip your face off if you were a competitor. My question is this: Is the efficacy of the head-to-head, competitive drive as effective as it used to be, and are we seeing a change toward a customer-centric success model? >> I think there's two things going on. I think one is once a market really kind of reaches maturity, the competitive dynamic really heats up. >> Dave: 'Cause you got to gain share. >> Yeah, you got to gain share. And today, in the Cloud world, in the intelligence world, there's just so much opportunity that you could just keep going for a long time before you even bump into people. I think in mature markets it's different, so I think a lot of times, partly at EMC, that was one of the dynamics we had is a very, very mature market on on-premise storage, and so you had to go head-to-head every time. But I think there's also the changing tenor of the world. People have a lot less, they don't care for that kind of dialogue as much anymore. They don't like it when you come in and talk bad about anybody else. So I think there's both dynamics at once, and the markets we're in, they're so new, they're growing so fast that it's not as important, but also, people don't care for it. I don't think it helps, if anything, sometimes it makes people wonder if they ought to be, oh, I didn't think about talking to them, maybe we should go call the competitor you just mentioned. 
(laughing) So, all that said, when you get into a fight, you got to fight hard and you got to come with the best stuff, so I think that's the reality. >> Dave: Great answer. >> That's a good note to end on. Thanks so much, Josh, for coming on theCUBE again. It's been a real pleasure having you here. >> All right. Thank you, I really appreciate it. >> I'm Rebecca Knight for Dave Vellante. We will have more from ServiceNow Knowledge 18 just after this. (techy music)
Dave Shacochis, CenturyLink & Ajay Patel, VMware | VMworld 2017
[Narrator] Live from Las Vegas, it's theCUBE. Covering VMworld 2017. Brought to you by VMware, and its ecosystem partner. >> Hi, I'm Stu Miniman, here with my cohost Keith Townsend. You're watching theCUBE's coverage of VMworld 2017 here in Las Vegas. Happy to welcome to the program two guests who are going to dig into what's happening in the cloud space. A big, big hot topic of the show. Dave Shacochis, who is the vice president of product management at CenturyLink, Ajay Patel, SVP/GM of now Cloud Provider Software at VMware. Gentlemen, thanks so much for joining us. >> Thank you Stu. >> Nice to see you again Stu. >> Alright, so Dave. Here's a question we've asked coming into this week. VMware was doing this vCloud Air for a bunch of years. They're a competitor, no they're a partner with the vCloud network ... vCloud Air now went over to OVH, and I think they waited 48 hours before they made this big deal with AWS so, tell us how the relationship has been not just one of the 4,500 service providers, but you're sitting on panels with VMware, you're one of the larger partners. >> We were on a panel discussion and we were talking about this earlier today. I think when vCloud Air launched we had some of these same conversations, and there were probably cube discussions where almost the same question was asked. What I said back then, and what a lot of us in the service provider community said back then, and we say it again now, is that ... And this is true, not just of VMware, but this is true of any enterprise architect, you run a better system, you build better software when you're running it 24-7 as a live service. It's just better. The software is better. The user experience is better. You're thinking about integration angles, and availability issues. 
The software gets better when you run it operationally, and VMware's technology got better when they launched vCloud Air and figured out that their virtualization technology, what they had been working with the service provider community around for years, it improved when they went and launched it and lived the life of a service provider. So we're actually excited about that. We're aligning to the same architecture. What's nice is that what they're running in the cloud, in the VMware cloud foundation, is the same thing we're running in our cloud-neutral facilities inside of the CenturyLink data center footprint. So, it's very interoperable. >> Ajay please ... >> So my response would be there are a few things that I've changed. One is, there wasn't a Cloud provider software business unit. I am dedicated to making the likes of David successful. Taking that IP and commercializing that, that's fundamental to our strategy. Second one is, we rebranded this to VMware cloud providers. The idea is you can get VMware cloud in one of three ways. You can build it yourself, get it on VMware cloud or AWS, more importantly but get it through our partners. Your choice based on the best cloud that fits your needs. So it's that level playing field, both on go to market, in terms of Geoff Waters, now the cloud sales leader over all of the different programs, technology, IP being made available, compensation neutrality ... These are all the things we "learn" from our VCM experience, if you will to do this right. So that we continue driving multi-cloud strategy, and certainly about centered around customer choice. >> Can we talk about the basic difference between those three delivery methods? From a customer's perspective, what's the difference in the look and feel of those? >> I think at the end of the day it's about getting VMware value in an integrated fashion. But that's not just sufficient, so when you go to cloud it's no longer just say, "Give me a virtualized environment." 
That's the "hard bit" of packaging stuff infrastructure, but that's not enough value. On top of that is the application is really the value. Managing that application, and the life cycle of the value. This is where the likes of CenturyLink really come into play. So we believe we're kind of democratizing in terms of the consumption of a cloud stack in one of three ways. It's really customer preference, and really how much burden they want to take on. On the private cloud side they're building it instead of buying it as a service. They prefer to go on AWS for whatever reason for their cloud strategy. They now have a VMware choice. Or they can go to a partner like CenturyLink to help them manage the entire journey including managing multiple clouds. So it's really about the customer choice, what's right for them versus putting them in a silo. >> What's really been good for us especially around the VMware cloud foundation reference architecture is that it starts to make the private clouds react predictably. Our offer net has now been architected and based around VMware Cloud Foundation. It stands up with the software defined data center architecture at each layer of the stack. We don't have to orchestrate nearly as many technology sets in order to make a private cloud app. We've been running hosted private cloud for as long as there have been hosted private clouds. CenturyLink has been managing as part of the cloud service provider program and all its earlier naming variances. But what this latest architecture allows us to do is not only remove the number of things that we need to integrate against, the integration code we need to write and all the different vendor technologies we need to orchestrate against it, it pulls it all into one scale-out software-defined stack, which makes our customer experience better. It drives better self-service, more reliable self-service, into the hands of our customers so that they can move faster. 
It allows our private cloud to become more predictable so that we can start managing it with our multi-cloud cloud application manager product. So we launched that earlier this year. It was a combination of some of the managed hosting tools and capabilities that we've had back in the days. It combines in the abstraction software we got from a company called ElasticBox that we acquired last year. We weave that together into one multi-cloud layer, so it now looks at private clouds and other public clouds as just another deployment destination on that multi-cloud managing journey. >> Effectively competition moving above the SVC layer. We're kind of making SVC common. Let's compete on the value, and the solution that we both want. >> Ironically this was the promise of open source projects to make this common platform across private, public, and multi-clouds. You use the term that a lot of people may not be familiar with, cloud neutral facilities. What is that term? >> A cloud neutral facility is one that can basically get you connected to a number of different cloud deployment form factors. It's not a one note show, a one approach kind of model. It's really about a service provider that from... When you said the term facility, that can really just be a service provider environment that basically gets the particular workload to the best execution venue for that individual set of run time conditions. To us, being in more of a cloud neutral posture, certainly means we're bringing some parts of our hosted environment, whether it's private or We have a multi-tenant environment that we can provision to as well. We use that multi-tenant environment to actually speed up our own development of higher level services. And then we partner across the different cloud service providers like AWS and Microsoft Azure. We tie into that. 
It's really about looking at the data center as an extension of all the potential run time venues, both ones that you might build on your own, and then ones that are available to you. >> Dave, I want you to expand on that. One of the things I've been getting out of this week is that maturation of how we've been talking about clouds. A couple years ago I was critical of VMware. It was like, any device, any application, one cloud. I was like "Wrong". No. Amazon. Absolutely, 100 percent public cloud ... I think they understand, if not 100 percent, we'll see where Amazon goes in the future. You said you're tying into the likes of Amazon and Azure. I'm assuming that's direct connect, and those kinds of services. How do we think of CenturyLink? Where do you add value? How do you make money in these various pieces? I remember (old company name) was one of the vCloud era data centers, and boy margins were going to be real tight on something like that. >> Our multi-cloud posture and the direction we see things going is really one that starts and the largest anchor point for CenturyLink's strategy is the strength of our network. It's all the places that that network can take us. A lot of the investments that we've made in virtualization management, a lot of the investments we've made around managing workloads inside data centers we control has really been a precursor to how we need to evolve the core of our network, and how our networking is becoming more software defined. We built and we launched, as I said before, CenturyLink Cloud which is a multi-tenant hosting environment. That has been a huge IT accelerator for us. 
As we've started to advance and start to figure out how do we manage virtualization inside the core of our points of presence on the network, and as our network starts to expand, as most folks know, we're in the closing stages of the announced acquisition of Level 3, as that transaction completes and the whole network gets even stronger, and now we have more software assets to be able to drive even further into the core of that network. So it starts from the network and everything we do from either a cloud neutral or multi-cloud perspective is really around helping customers at the workload layer to really thicken that network value proposition. >> I'm also excited about the whole notion of competing on the edge. And once you have a network of this scale, and the ability to then distribute, compute, either on the edge, consult in the back, or even leverage third party probably clouds, seamlessly with a high bandwidth, low jitter network. I think that's a foundational infrastructure that's needed. These guys have really done a good job of kind of bringing that to bear. Pretty excited about that opportunity. >> Ajay, wondering if you can give us a little color on service providers. When I go to most service providers, most of them, networking key strength, obviously we know CenturyLink, Telco, all that kind of background. Management layer. Most service providers build their own. So there's a lot of pieces now, when I see the cloud foundation suite and they're embracing it. How did you work through some of those, "Hey, no, we've got our way of doing things. We know better." As opposed to embracing them. Where is that give and take? >> I think what's happening is, depending on the sophistication of the service provider, the larger ones have the ability to kind of create a bare metal service, kind of drive higher automation, have the infrastructure spend to drive that. As you go a little bit down the market, they're really looking for "a cloud in a box".
You and I spoke about this last year, right? They want an easy to type experience for the end customers without the cost and the complexity of building one. So my opportunity as a service provider business is, how do I give them that platform? That multi-tenant platform that can cover resources? But in the future, elastically leverage a VMware cloud on AWS, right, as an endpoint that they can start to use for geo distribution, DR, or simply new capacity. So we're going to see a world where they're going to start mixing and matching what they build, what they buy and how they drive that. And the management solution around that, around a high performance network, is going to be the future that I see together. >> So one of the buzzwords over the past few years in the industry has been the invisible infrastructure. This concept that infrastructure should be something that people use and don't see. How does CenturyLink help support, not necessarily making an invisible infrastructure, but this concept that this is something we use and don't see. From the network, to the software layer that we're now talking about. Where's the differentiating value that CenturyLink brings versus me rolling my own? >> Yeah, I think where we've been making most of our investments, and where we've been driving and focusing on success for our customers has been up at that managed services and application layer. The way we view the infrastructure layer of the stack ... When we think of stacks, we think of the network at the base level of the foundation, data center infrastructure at the next tier up and then workloads and applications. It's not a groundbreaking tiered model, but it's helped me kind of think and organize a lot of what's in our business.
When it comes to the infrastructure layer, as I said before, we're in a highly interoperable posture with a lot of the other partner clouds, because our network can link us there pretty seamlessly, and because we still know how to orchestrate enough at the infrastructure layer. But the investment has really been inside the core of the network, as we start driving that virtualization capabilities into the core, and then up at the workload layer, what we're really trying to work around is creating, as in all computer science problems, an abstraction layer. The trick about an abstraction layer in our part of the world, and in our part of the industry is not creating one that creates a new layer of lock in. That allows each of the individual underpinning infrastructure venues to do their thing, and do what they're good at. We build that abstraction layer with the idea of a best execution venue mindset that lets each of those individual underpinning infrastructure offerings, whether it's the VCF architecture or hosted up on AWS, or whether it's one of the other particular software platforms because of geography or performance, or service capabilities that they're good at. The trick of creating an abstraction layer is not locking anybody in or reducing those platforms to lowest common denominator. So what our cloud application manager offering being able to manage our private cloud based on VCF, as well as manage other environments down the road ... That's really where we try to make that infrastructure invisible is to sort of create a lightweight abstraction layer that they can think more at the workload layer than at the individual nuts and bolts layer. >> The great thing about creating an abstraction layer, when you own the underlying infrastructure, it makes it a lot easier to support. So I want to make sure that I understand this concept from the ground up.
You talked about the network as being the glue or the foundation that ties all this together, especially with the Level 3 acquisition. From an ILT perspective, if I need those far flung services I have the physical network capability to get it there. If I need to put (data terminology) in at the edge, we just had a guest on talking about (data terminology), and at the edge. And get that data into a CenturyLink data center using VCF to get it there and consistently have that same level of abstraction, and then I can build cloud native applications on Azure, Google Compute... (cross talking) and it's a consistent experience across that whole abstraction layer. >> Right. Right. Going back to that idea that, what we call the hybrid IT stack of network infrastructure and workloads, what we're trying to build is a platform that spans those layers, that doesn't try to own or be one or indifferentiate at one of those layers, is build a connective tissue that spans them, so a workload running on the right infrastructure venue connected to the right networks. We're investing in orchestration that crosses all of that, and it's really some of the great conversations we've been having this week with VMware about what they're thinking, we think PTS is interesting because container based deployment models are going to be what makes the most sense as you get further into the core of the network and out towards the edge. We think Pulse is interesting. As we start to do more things in our smart cities, and smart venue type of initiatives, that we're doing at the Internet Of Things solutions base as well. >> Ajay, last thing I want to get to is when you look at your partners, how do you see them? Both that similarity that they're going to have, but how do they differentiate, and also how will they participate in the VMware on AWS piece that we've been talking about? >> Yes, so I think I'll break it into two parts.
As I talk to customers, the consistent feedback I get is we made resource consumption ubiquitous. And we're hoping to standardize that with VMware Cloud Foundation and other approaches. What's hard is the experienced skillset and knowledge of how to use this technology. So increasingly we're constrained with the folks who know how to take this complexity, put an organized plan together, and drive the set of value in our own applications. So I believe the cloud provider program and the partnership is really about moving up from trying to build infrastructure, to build solutions, and offer value to our partners. And the differentiation is really moving up stack in terms that managed services value. The second part is- They themselves now have a choice. If I'm a regional player, or customer who, everyone's a multinational nowadays, you always have some customer who happens to reach beyond the boundaries ... How do I now go into a new market? How can I leverage VMware Cloud on AWS as another data center? So the management technology we're trying to provide is we will priority manage your endpoint, customer endpoint, or even VMware Cloud. You mix and match what makes business sense. Then abstract the complexity. As we talked about the cloud as a new hardware. How do we take that infrastructure and really make it easy? And the issues are on security, management, are going to be different ... So, application usage, value added services, being able to leverage resources, build or buy is really the basis of our strategy. >> Yep. So we're excited to ... As we know that that program starts to expand a little bit more in 2018 and we've had some early discussions with the VMware team around what that starts to look like, but at our most foundational level, because what we're already launching and what we launched here this week at VMware is just what we call our dedicated cloud compute product, which is now based on the VMware Cloud Foundation reference architecture.
It's going to look the exact same as the VMware Cloud Foundation architecture that runs in AWS. Our approach towards managing both is to let their own individual control panels do what they do best, but then manage over the top of it with our cloud application manager service. >> Dave and Ajay. Thank you so much for sharing with us all the updates. Look forward to watching the continued maturation and development of what's happening in the cloud environment. >> Great chat, thank you. >> Thank you. >> Keith Townsend and I will be back with lots more coverage here of VMworld 2017. You're watching theCUBE. (electronic music)