 Live from Boston, Massachusetts, it's theCUBE. Covering AWS Reinforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Hey, welcome back everyone. It's theCUBE's live coverage here in Boston, Massachusetts for AWS Reinforce. This is Amazon Web Services inaugural security conference around cloud security. I'm John Furrier. I'm host Dave Vellante. Got special guests. We've got another CISO, Dan Meacham, VP of security and operations at Legendary Entertainment. Great to see you. Thanks for coming on theCUBE. Oh, thank you. It was a great pleasure to be here. We had some fun time watching the Red Sox game the other night. It was the best night to watch baseball. They did win. Always good to go to Fenway Park, but we were talking when we were socializing, watching the Red Sox game at Fenway Park about a lot of your experience. You've seen a lot of waves of technology you've been involved in. Yes, yes. Getting dirty with your hands and getting coding and then, but now running VP of security, you've seen a lot of stuff. You've seen the good, bad and the ugly in a fun business. You guys did hangover, right? Dark night, some really cool videos. Good stuff there. Yeah, and it's just amazing because how much technology has changed over the years and starting back out in the mid 80s and early 90s, sometimes I'm just like, oh, if I can all go back to the IPX, SPX days and just give her a botnets and things like that, that'd be so much easier, right? The big conversation we're having here, obviously, is Amazon security commerce. What's your take on it? Again, security is not new, but they're trying to bring this vibe of shared responsibility. Makes sense because you got to have the security equation. But you're seeing a lot of people really focusing on security. What's your take of so far as an attendee? Well, as we look and, because I like to go to these different things, one, first to thank everybody for coming because it's a huge investment of time and money to be at these different shows. But I go to every single booth to kind of take a look to see where they are because sometimes when we look at some of the different technology, they may have this idea of what they want the company to be and they may be only a couple years old, but we may see it as a totally different application and like to take those ideas and innovate them and steer them in another direction that kind of best suits our needs. But a lot of times you see a lot of replay of the same things over and over again. A lot of folks just kind of miss some of the general ideas and this particular floor that we have, there's some interesting components that are out there. There's a lot of folks that are all about configuration management and autocorrection misconfigured environments and things like that, which is good, but I think when we look at the shared responsibility model and so forth, there's some components that a lot of folks don't really understand, they really have to embrace in their environment. They think, oh, it's just a configuration management, it's just a particular checklist or some other things that may fix something, but we really got to talk about the roots of some of the other things because if it's not in your data center and now somewhere else, it doesn't mean you transferred the liability. You still have the ownership, you still have some practice you got to focus on. Take us through the cloud journey with Legendary. You guys were, put some exchange servers out there that would continue. Yes, and so as we started bringing these other different SaaS models because we didn't want to have the risk of if something went down, we lost everything, but as we did that and started embracing Shadow IT because of this work for this particular department, we realized that there wasn't necessarily an applicable way to manage all of those environments simultaneously. When we mean that from the standpoint, like we had mentioned before, the MFA for each of these different components of the cloud applications. So that naturally led us into something like single sign-on that we can work with that. But as we started looking at the single sign-on and the device management, it wasn't so much that I can't trust your devices, it's how do I trust your device? And so that's when we created this idea of a user-centric security architecture. So it's not necessarily a zero trust, it's more of how can I build a trust around you? So if your phone trusts you based off of IA metrics, let me create a whole world around that trust circle and build some pieces there. Okay, so let me just interrupt, make sure we understand. So you decided to go cloud first, you had some stuff in Colo and then said, okay, we need to really rethink how we secure our operations, right? So you came up with kind of a new approach. Cloud approach. Absolutely, and it's cloud. And so by doing that then, trying to focus in on how we can build that trust, but also better manage the applications, because say for example, if I have a collaboration tool where all my files are, I may want to have some sort of protection on data loss prevention. Well, that cloud application may have its own piece that I can orchestrate with, but then so is this one that's over here and this one over here. And so now I've got to manage multiple policies in multiple locations. So as we were going down that piece, we had to say, how do we lasso the security around all of these applications? And so in that particular piece, we went ahead and we look forward at where is the technology is? So early on, all we had were like very advanced Sims, where if I get reporting on user activity or anomalies, then I had limited actions and activities, which is fine, but then the Canisby world ended up changing. Before they were talking about shallow IT, now they actually do policy enforcement. So then that allowed us to then create a lasso around our cloud applications and say, I want to have a data loss prevention policy that says if you download 5,000 files within one minute, take this action. So before in our Sim, we would get alert and there were some things we could do and some things we couldn't, but now in the CASB, I can now take that as a piece. So more refined policy. Now, did you guys write that code or did you build it out or did you use cloud? We worked with a partner on help developing all this. So when you think about where the CASBs were five years ago or so, it was all about, can we find shadow IT? Can we find where social security numbers are? Not necessarily, can I manage the environment? So if you were to take a step back to, back in the old days when you had disparate network architecture equipment, right? And you wanted to manage all your switches and firewalls. You had to do a console into each and every one. Over time as it progressed, we now had players out there that can give you a single console that can get in and manage the entire network infrastructure even if it's disparate systems. This is kind of what we're seeing right now within the cloud. We're on a cusp of it. Some of them are doing really good and some of them still have a lot of things to catch up to do. But we're totally stoked about how this is working in this particular space. So talk about where you are now and the landscape that you see in front of you. Obviously you have services. I know we met through McAfee, you have other defenders. You have a lot of people knocking on you and you're selling you stuff. You want to be efficient with your team. You want to leverage the cloud. As you look at the landscape and the future scape as well, what are you thinking about? What's on your mind? What's your priorities? How are you going to navigate that? What are some of the things that's driving you? There's, it's a cornucopia stuff that's out there depending on how you want to look at it. And you can specialize in any particular division. But the biggest things that we really want to focus on is we have to protect our data. We have to protect our devices and we have to protect our users. And so that's kind of the mindset that we're really focused on, on how we integrate. The biggest challenges that we have right now is not so much the capability of the technology because that is continually to evolve and it's going to keep changing. The different challenges that we have when we look in some of these different spaces is the accountability and the incorporation and cooperation because an incident's going to happen. How are you going to engage in that particular incident? How are you going to take action? So just because we put something in the cloud doesn't necessarily mean it was a set and forget kind of thing. Because if it's in my data center then I know I have to put a permit around it. I know I got to do backups. I know I got to do patch management. But if I put it in the cloud I don't have to worry about it. That is not the case. So what we're finding a lot is some of these different vendors are trying to couch that as hey, we'll take care of that for you. But in fact, reality is is you got to stay on top of it. Yeah. And then you got to make sure all the same security practices are in there. So the question I have for you is what's the security view of the cloud versus on-premise as you mentioned in the data center in the perimeter? Okay, that's kind of an older concept. But as you think about security in cloud that cloud security versus on-premise what's the difference? What's the distinction? What's the nuances? Well, if we go old school versus new school. Old school would say I can protect everything in a cloud that's on-prem. That's not necessarily the case that we see today because you have all this smart technology that's actually coming in and it's eliminating your perimeter. I mean, back in the day, you could say, hey, look, we're not going to allow any connections inbound or outbound to only outside the United States because we're just a US based company. Well, that's a great focus. But now when you have mobile devices and smart technology, that's not what's happening. So in my view, there's a lot of different things that you may actually be more secure in the cloud than you are with things that are on-prem based off of the architectural design and the different components you can put in there. So if you think about, if I were to get a crypto locker in-house, I'm kind of, you know, my recovery time objective, recovery point objective is really what was my last backup? Where if I look at it in the cloud perspective, it's where was my last snapshot or where was my overlying, you know, I may have some compliance piece on there that records the revision of a file up to 40 times or 120 times. So if I hit that crypto locker, I have a really high probability to be able to roll back in the cloud faster than I could if I lost something that was in-prem. So I believe there's a lot more advantages in going with the cloud than on-prem, but again, you know, we are a cloud-first company. And is bad user behavior still your biggest challenge? Is it ever? I mean, I get just some crazy stupid things that just- So the cloud doesn't change that, right? No, no, you can't change that with technology, but a lot of it has to be with education and awareness. And so we do have a lot of very restrictive policies in our workforce today, but we talk to our users about that so they understand. And so when we have things that are being blocked for a particular reason, you know, the users know to call us to understand what had happened. And in many cases, you know, they clicked on a link and it was trying to do a binary that was found inside of a picture file of all things on a web browser, or they decided that they wanted to have the latest shareware file to move mass files and then only find out that they downloaded from an inappropriate site that had binaries in it that were bad and coached them to say, no, this is a trusted source, this is the repository where we want you to get these files. But my favorite though is again, you know, again, being cloud first, there's no reason to VPN into our offices for anything because everything is out there and how we coordinate, right? But we do have VPN set up for when we travel to different countries with regards to, as a media company, you have to stream a lot of different things. And so if we're trying to pitch different pieces that we may have on another streaming video on demand service, you know, some of those services and some of those programings may not be accessible in other countries or regions of the world. So doing that allows us to share that. So then a lot of times what we find is we have offices and users that are in different parts of the world that will download a free VPN because they want to be able to get to certain types of content. And then when you're looking at that VPN and that connection, you're realizing that that VPN that they got for free is actually being routed through a country that is not necessarily friendly to the way we do business. And, you know, they're like, okay, so you're pushing all of our data through that, but we have to work through that and there's some coaching. But fortunately enough, by being cloud-first and being how things are architected, we see all of that activity where if it was all in-prem, we wouldn't necessarily know that that's what they were doing. But because of how the user-centric piece is set up, we have full visibility and we can do some coaching. And that's a big of an issue, guys. Big time, right? Visibility. What's a good day for a security practitioner? A good day for security. Well, you know, it's still having people grumpy at you because if they're grumpy at you, then you know you're doing your job, right? Because if everybody loves a security guy, then somebody's slipping something somewhere and you're just like, hey, wait a minute, are you really supposed to be doing that? No, not necessarily. A good day is when your users come forward and say, hey, this invoice came in and we know that this is in our invoice. We want to make sure that we have it flagged and then we can collaborate and work with other studios and say, hey, we're seeing this type of vector of attack. So a good day is really having our users really be a champion of the security and then sharing that security in a community perspective with the other users inside and also communicating back with IT. So that's the kind of culture we want to have within our organization is we're not necessarily trying to be big brother. We want to make you be able to run faster because if it's not easy to do business with us, then you're not going to do business with us. And you guys got to leave a lot of suppliers here at the Reinforced Commerce, obviously Amazon, Cloud. What other companies are you working with that are here? That are here today. Well, CrowdStrike is an excellent partner on a lot of things. We'll talk on them a little bit. McAfee, it's with their InVision, which was originally sky-high, has just been phenomenal in our security architecture as we've gone through some of the other different pieces. We do have alert logic and also Splunk, they're here as well, so some great folks. McAfee, that was a sky-high acquisition. That is correct, and now it's InVision. And that's the cloud group within McAfee. What do they do that you like? They brought forth the Cloud Access Security Broker, the CASB product. And the one of the things that has just been a fascinating phenomenon working with them is when we were in evaluation mode a couple of years ago and we're using the product, we're like, hey, this is good, but we really like to use it in this capacity, or we want to have these artifacts, or this intelligence, come out from the analytics. And I kid you not, two weeks later, the developers would put it out there to the next update and release. And it was like that for a couple of months, and we're like, they're letting us use this product for a same period of time, they're listening to what we're asking for, we haven't even bought it, but they're very forward thinking, very aggressive and addressing the specific needs from the practitioner's view that they integrated into the product. It was a no-brainer to move forward with them, and they continue to still do that with us today. So that's a good experience. I always like to ask practitioners, what if some things that vendors are doing that either drive you crazy or they shouldn't be doing, talk to them and say, hey, don't do this or do this better? Well, when you look at your stop doing your start doing list and how do you work through that, what really needs to be happening is you need your vendor and your account manager to come out on site once a quarter to visit with you. You're paying for a support on an annual basis or however it is, but if I have this cloud application and that application gets breached in some way, how do I escalate that? I know who my account manager is, and I know the support line, but there needs to be an understanding and an integration into my incident response plan is when I pick up the phone, what's the number I dial and how do I engage quickly? Because now where we are today, if I were to have a breach, a compromised system administrator account, even just for 20 minutes, you can lose a lot of data in 20 minutes. And you think about reputation, you think about privacy, you think about databases, credit cards, financials, it can be catastrophic in 20 minutes today with the high speed of rates that we can move data. So my challenge back to the vendors is once a quarter, come out and visit me, make sure that I have that one sheet about what that incident response integration is. Also, take a look at how you've implemented. Am I still on track with the architecture? Am I using the product I bought from you effectively and efficiently? Or is there something new that I need to be more aware of? Because a lot of times what we see is somebody bought something, but they never leveraged the training, never leveraged the support, and they're only using 10% of the capability of the product and then they just get frustrated and then they spend money and go to the next product down the road, which is good for the honeymoon period, but then you run into the same process again. So a lot of it really comes back to vendor management more so than it is about the technology and the relationship. My final question is what tech are you excited about these days and just in general in the industry, how security, you got the cloud, your cloud first, so you're on the cutting edge, you got some good stuff going on, you got a historical view. What's exciting you these days from a tech perspective? Well, over the last couple of years, there's been two different technologies that have really started to explode that I really am excited about. One was leveraging smart cameras and facial recognition and integrating physical stock with cybersecurity stock. So if you think about it from the perspective, cameras surveillance today is, we rewind to see something happen, maybe I can mark something and so somebody jumped over a fence I can see because it crossed the line. Now the smart cameras over the last three or four or five years have been like, if I lost a child at a museum, I could click on that child, tell me where it is. Great, take that great M piece and put it in with your cyber. So now if you show up on my set or you're at one of our studios, I want the camera to be able to look at your face, scrub social media, see if we can get a facial recognition to know who you are. And then from that particular piece say, okay, has he been talking trash about our movies? Is he stalking one of our talent, from those different perspectives? And then moreover, looking at the facial expression itself, are you starstruck, are you angry, are you mad? So then that way, I know instantly in a certain period of time what the risk is. And so I can dispatch appropriately to have security there or just know that this person's has been wandering around because they're a fan and they want to know something. So maybe one of those things where we can bring them in and give them a T-shirt and they'll move on on to their way and they're happy versus somebody that's going to show up with a weapon and we have some sort of cash drop event. Now the second technology that I'm really pretty excited about is what we can also talk a little bit about with the 5G technology. So when everybody talks about 5G, they're like, oh, hey, this is great. This is going to be faster. So why are we all stoked about things being super, super fast on cellular? That's the technical part. You got to look at the application or the faculty of things being faster. To put it into perspective, if you think about a few years ago when the first Apple TV came out, everybody was all excited that I could copy my movies on there and then watch it on my TV. Well, when internet and things got faster, that form factor went down to where it was just constantly streaming from iTunes. Same thing with the Google Chromecast or the Amazon Fire Stick. There's not a lot of meat to that, but it's a lot of streaming on how it works. And so when you think about the capability from that perspective, you're going to see technology change drastically. So your smartphone that holds a lot of data is actually probably going to get a lot smaller because it doesn't have to have all that weight to have all that stuff local because it's going to be real-time connection. But the fascinating thing about that, though, is with all that great opportunity also comes great risk. So think about it if we were to have a sphere. And if we had a sphere and you had the diameter of that sphere was basically to technology capability. As that diameter grows, the volume of the technology that leverages that grows. So all the new things that come in, he's building. But as that sphere continues to grow, what happens is the surface is your threat, is your threat vector. As it continues to grow, that's going to continue to grow. And there's a little bit of helpful of exponential components, but there's also a lot of mathematical things on how those things relate. And so with 5G, as we get this great technology inside of our sphere, that threatscape on the outside is also going to grow. More's law is in reverse. Basically, the surface area is just going to balloon to be huge. That's, I mean, just kills the perimeter argument right there. It does. Well, and then we heard from Steven Schmidt on the keynote that he said 90% of IoT data, thinking about cameras, is HTTP plain text. Exactly. And I was like, what are you talking about? Oh, more good news. Hey, at least you'll always have a job. Yeah, well, you know, some good day to be able to sleep. Well, encrypt everywhere. We don't have time to get into the encrypt everywhere, but quick comment on this notion of encrypting everything. What's your thoughts real quick? All right. Good bad, ugly, good idea, hard. Well, if we encrypt everything, then what does it really mean? What are really getting out? So remember when everybody was having email and you had, you know, back in the day, your door mail, your Netscape navigator and so forth. And I thought, oh, we need to have secure email. So then they created all these encryption things in the email. So then what happens? That's built into the application. So the email's no longer really encrypted. Yeah. Right? So I think we're going to see some things like that happening as well. Encryption is great, but then it also impedes progress when it comes to forensics. So it's only good until you need it. Yeah. Awesome. Dan, thanks so much for the insights. Great to have you on theCUBE. Great to get your insights and commentary. Well, thank you guys. I really appreciate it. Welcome. All right. Extracting the signal from the noise, talking to practitioners, CISOS here at Reinforced. Great crowd, great attendee list, all investing in the new cloud security paradigm, cloud-first securities, CUBE's coverage. I'm John Furrier, Dave Vellante. Stay tuned for more after this short break. Thank you.