Live from the Mandalay Convention Center in Las Vegas, Nevada, it's theCUBE at IBM Insight 2014. Here are your hosts, John Furrier and Dave Vellante. Okay, welcome back everyone. We are here live in Las Vegas for IBM Insight. This is theCUBE where we go out to the events, extract the signal from the noise. I'm John Furrier, with my co-host Dave Vellante. Our next guest is Chris Poulin, research strategist at IBM X-Force, welcome to theCUBE. Oh thank you, it's a pleasure to be here. So you guys have a security group. Obviously this is not a security conference, IBM Insight's all about big data, big data analytics and some of the software behind it, but security is the killer app right now for big data because of a lot of the pattern recognition things that go on with security breaches and the fact that no one knows how they're being hacked or if they're being hacked and if they were hacked, they don't know how they got hacked. So this creates a massive opportunity for data scientists and businesses to really use some of the latest technologies. So give us an update on what you guys are doing at X-Force and some of the things that you're doing around security with big data. Sure, actually, so one of the things we do at X-Force is we try to gather data from just about everywhere. So we're doing things like crawling websites, looking for websites that have malicious software on them. We're gathering spam and looking for phishing emails, finding out what the links are in those emails. We're also collaborating with third parties and pulling in their data. So effectively, we just amass a whole bunch of data and then we're trying to figure out who the bad guys are or what their tactics are and then we put them in our products and we also provide them to customers and we educate customers as a result of it. You know, the reality is that what we're trying to do is to get ahead of the hackers, right?
So it turns out for the last 10 years, 15 years, we've been playing defense pretty much predominantly. So if you think about football, for example, the best you can ever have is a draw if you stay on your side of the field. And so we can't really go to their side of the field, you know, unless you're law enforcement, but the goal is to try to at least get enough intelligence so that we're armed before they actually invade our side of the field and that we're all prepared for it. And you're putting sort of, it's like Bill Belichick when he had Spygate with the Jets, you know. So we love football now, just by the way. So feel free to use it. And I'm from New England, by the way, so you're hitting me right where I live. Does defense win championships though? Well it does, but the best is a draw though, right? If your defense sucks, Dave, you're going to have a bad secondary. The best defense is a good offense. So let's talk about some of the things out there around this, because it is one of those things where the security paradigms are changing with multi-cloud and now with apps out there, API economy, you have so many holes and that kills this notion of perimeters, perimeter-based security. So it's a perimeter-less IT environment. And how does that impact what you guys see? And do you agree that we're moving to a perimeter-less IT? And what are some of the things that you prescribe for customers? Absolutely, you know, so you think about things like mobile and cloud, and now the internet of things, right? So that's one of the things that we're trying to get our hands around. Effectively, the perimeter is now the data. It's no longer about the perimeter itself. Even things like segmenting different parts of your network are somewhat effective, but they're not perfectly effective because you still need to be able to control the data, assess the data. I mean, where does it come from? Who owns it? What value does it have?
And organizations aren't doing a very good job of that in the first place. So we have two problems. One is that there's a perimeter, this perimeter legacy, and the second one is that we've got this data future. And unless we actually understand what the data is, there's no real way to protect it because we don't know who owns it, where it's going, who's supposed to have access to it. It's the whole notion of if you put something on the internet, it's gone forever. It can be copied as many times as you want. So how do we solve that problem? So that's part of the issue that we're dealing with, but so how do you protect the data, but how do you also figure out who's actually trying to steal the data itself? So so much of information security, it seems, is shifting. And I wonder if you could just comment on this from sort of inside out to outside in. When I think about identity management payments, authentication, digital trust, and as well, we seem to be sharing a lot more across society, whether it's firewalls, identity, payments, on and on and on. So how is the security industry, first of all, is that valid? And how is the security industry generally adjusting to that in IBM specifically? Well, so it's interesting because with all new technology, security tends to be a bolt-on at the end of the cycle. So if you look at what businesses are trying to do, they adopt technology because it's either going to increase revenue or reduce costs. I mean, that is the fundamental business model. And then after the fact, they start worrying about what security needs to be wrapped around it. So what we're trying to do is get ahead of this bolt-on after the fact and be part of the conversation up front. 
And that's a lot of times we talk about things like DevOps, which effectively is the way that you can integrate development and operations so that the two go hand in hand and it sort of becomes, instead of development handing off to operations, and then operations having to figure out how to secure the data, you impose security at the development stage of things. So that's number one. And number two is that all these new technologies, internet of things, mobile, cloud, are creating huge amounts of data, as we all know. All of that stuff is an overpowering, a crushing amount of data. And it can be used against the users, right? So there's a privacy concern. If I can steal data from your phone or if in the connected car, I can steal information about your habits, I can do bad things to you. I can invade your home, I can steal the data from your phone, through your car, or whatever it is. But the flip side of that is all this extra data or all this weight of data can also be used to do analysis and find out what kind of security can we impose on this stuff? So who's actually accessing the mobile phone? What kind of, how is it phoning home to different places? What are the apps actually doing from a behavioral perspective? So now we can take that stuff, profile it and say, what's normal behavior and then look for anomalous behavior? And that's effectively what security does. It looks for anomalies among the data that's supposed to be valid in the value space. So how do you do that? So you're sort of trolling through just petabytes of log data and you've got systems to do this. Is it, is it, is it applying Watson to this problem? Can you describe in more detail? Well, it's really interesting because IBM is a big data company fundamentally. When I came here three years ago from Q1 Labs, I thought the opportunity was we have huge analytics capabilities and that's beautiful for security.
It turns out that a lot of what we do, the security organization is just like normal products where it feels like a bolt-on to a lot of things. So now we're finally integrating with things like i2, with SPSS, BigInsights and using that to pore through the data. And so we actually have this initiative going on now with Q1 Labs, which is our SIEM, our big data security analytics platform that we're integrating with BigInsights. So now we can take all that data, we collect it from all the instruments in the organization. So the firewalls, the intrusion prevention systems, antivirus, network behavior anomaly, and we put it in the hands of the data scientists and let them create queries, ad hoc queries and try to find interesting things. So that's where we are effectively in the security model right now is what kind of data do we have? What can we look for? What becomes an interesting analytics capability? And then we can feed that into the other things like SPSS because now that we know what we're looking for, we can do predictive modeling and feed it back into our analytics solutions like QRadar which now we're going to look for those same things. So it's a big circle, it's gathering the data, putting it to the data scientist, visualizing it, feeding it into predictive modeling and then updating the rules, the analytic rules at the security side. Have you seen some customers doing some things that you could share with the folks out there and you don't have to go specific in some sensitive areas, to start protecting because we would quote the FBI director, who said there's two types of companies. Those that have been hacked by China and those who have been hacked by China that don't know they've been hacked by China. So this is a huge cybersecurity threat certainly in America for companies but also there's a really real sense of information being breached and incidents are increasing all over the place and if you can describe the difference between an incident and a breach.
Well that's actually, that is a phenomenal insight actually because I was just going to say when I hear hyperbole like the FBI saying there's two types of people, effectively it's good for, we're the media, we love the drama, it's better sales for us but there's a nuance there, right? Well I think you hit it, right? So there's an incident versus a breach, right? And so yes, everybody has some malware in their organization, everybody's been breached to some extent but the question is how severe is it and what's the consequence, right? So are we stealing really important state secrets or the intellectual property that's going to force your business out of business or is it just some nuisance malware that's in there trying to steal credentials and effectively what they're really going to do with that is go and hijack the bank accounts of your employees and not actually affect your business. So there's all these degrees and the unfortunate part of security right now is that we are treating all breaches as if they're, as if they're- The equivalent impact. Right and we also- Because you don't know, they could be looking for credentials to backdoor in from an air conditioning HVAC system. Right, well actually that's a brilliant point because there is no direct evidence that that was how that particular attack occurred by the way, so that's an inference and we love it because we're media companies, right? Well this is where big data could provide value, right? Exactly, so the thing that we get concerned about is, and we track breaches across different years so we actually have a nice little bubble chart, I wish I had it with me right now and you can see the breaches growing but one of the things that concerns me is when you look at how the breaches occurred, a lot of those bubbles are gray which is they haven't been disclosed. How did the company get compromised in the first place?
And that means one of two things, it either means that the company knows about it and they just don't want to disclose it which is not really bright because we know from past history that in order to retain customer loyalty which is really what you care about, you would disclose it and you would say, mea culpa, we know how they got in and we put these remedial efforts in place but my suspicion based upon empirical evidence is that they just don't know. They don't, they've got the instrumentation in some cases but they don't actually know how to go through and do the analytics. So the problem is you get hacked, you don't know how you got hacked into, you buy some more technology and then you just hope that they don't hack in again. This is where, and Dave and I were just talking about this in the last segment, you've got Context, which is the context computing marketing that IBM puts out there, which is you set the table, you get the data, multiple entities and then the cognitive piece is what you're just referring to which is the human aspect. What's the decision? How do I act on it? What is it? How do I approach it? Is that kind of what you're referring to? Exactly, if you can't do root cause analysis how are you going to stop it from reoccurring? I mean that's effectively number one. Number two is PR. So for every incident you have to have a plan that's not just recovering the data or figuring out what the impact is. It's how do you have, how do you respond from a marketing perspective, retain your customer loyalty because from a business perspective that's the most important thing. And so if you don't have the analytics capability, and most customers actually instrument their environments to collect the data, they just don't know how to analyze it and make important decisions with it. So let's talk about the kind of attacks that are out there soon because it's kind of the fun side. Fun, not fun, but I mean. Well I mean think game. It is the movie.
It is the movie. It is though, right? I mean you guys are probably all gamers, right? I mean gamers love to shoot things down first person shooter but we, let's talk about the kinds of attacks. You got to throw the malware in there or try to sneak in and kind of be quiet and then there's the active penetration of brute force attacks whether it's DDoS or whatever, right? So I got to ask you about the pattern recognition and the personalities behind the attackers. So talk about the nuance because we've talked to other security experts here on theCUBE and they'd love to talk about we can recognize that guy or we know that pattern. Here he comes again. So pattern recognition is really effective with machine learning and some of these tools you've been mentioning. So talk about some of that stuff around patterns, personalities and whatnot. Well so I think you hit the nail on the head there, right? So one of the things that we try to do is get an attribution and figure out who it is that's attacking you for a number of reasons. You know, you can go to law enforcement number one. It tends to be an inter-country problem, right? So it's not necessarily, we can't necessarily take our FBI and go arrest some guy in Ukraine but we can work with Europol and things like that. You probably won't recover the- Go black ops and take them out that way. Well, yeah. There may be those folks out there. I'm not saying there are but it certainly isn't with us but so you can, you know, figuring out who that person is not necessarily because you can recover your financial losses but because now they can start watching this person and profile them. And so, but the hard part about attribution is usually what the bad guys do is they'll take over some university computer and they'll launch their attacks from there and maybe multiple hops between us and the attacker. 
So the only way that you can really go back because what you can't do is say, look, I got attacked and I'm going to go attack the university that attacked me, get a point of presence there and sort of follow the trail back. As you look at what software they put on your systems in order to compromise it in the first place, you know, so we're seeing a lot of point-of-sale RAM scrapers, for example. And we know that certain factions use something called BlackPOS, other ones use another variant of that. They may break in through third parties, you know, as you pointed out, HVAC contractor, they might do that through phishing schemes and use particular types of malware that are delivered through the phishing emails. And so when we can profile them that way and look at their MO, now we can go back and say, the attribution is definitely some cyber crime organization out of Ukraine or maybe it's a nation state action from, you know, wherever else, not to implicate anybody in particular. And now we can actually start to determine who it is that's attacking us. We know where to close it off. We know where to look when we're looking for impact, those kind of things. So it turns out we can't actually attack them back but we can actually work with law enforcement and close off our own vulnerabilities. So I feel like, I wonder if you could comment on, speaking of media sensations, but I feel like Stuxnet was sort of a new high watermark or low watermark in the security world. I mean, you had the smartest guys in the world figuring out how to, you know, perpetrate that attack and it just seemed to open Pandora's gate. Is that a fair assessment? Was Stuxnet sort of a new era that set off a renaissance in security, good or bad? Well, I think it's a lot like what we're seeing with governments looking at our communications, right? It's something that's been going on for a long time but that was just the one incident that made the public aware.
You know, and eventually, of course, the president came out and said, look, we're behind it. So it gave us a glimpse behind a door that not many people have a view behind. And frankly, I came from, I used to work for the NRO a long time ago. So I got a view into a lot of this stuff. And I will tell you that what we see in the public eye, a lot of stuff that comes from the media has been going on for a long time. And it's old news for the guys who were inside and know. Right, but then when they message it out to the public, they actually spin it in a construct that's not actually, it's not the truth of the matter behind the scenes. So it is a little bit of a facade anyway. So whenever I see things like Stuxnet, I really wonder what happened, you know, because it is the public view of what, of what the government wants us to know. And what the real motivation behind it was. Well, but as well, the technology breakthroughs that were made is that, I don't know that it's really a technology breakthrough as it was somebody coming up with a really creative idea. Because if you think about, this is the great thing about security, being a hacker is really fun. And I've done black hat penetration testing at one point in my life. Well, you mentioned games actually. I'm no longer a gamer, I'm 50 now. But you are a gamer. For the record. At one point in my life. The best email spammers were gamers and the best security guys are all gamers because it's like, come on, let's Call of Duty right there. That's right, although my games are a lot, a lot older than Call of Duty. But the, so the fun part about security is trying to figure out how to break in. If you're not thinking about these movie plot ideas, how would I break into XYZ corporation and then start poking around a little bit and see what they have? You know, you can go on social media and do some big data mining on your own, what we call open source intelligence gathering.
And sort of figure out what their profile is and try to come up with these movie plot ideas to break in. Then you simplify it a little bit because movie plots tend to be overly complicated. And then you start looking at what well-funded cyber crime organizations, nation states do, and that's where Stuxnet comes in. If you think about what they did is they created a piece of malware that they were able to install in a nuclear, in a facility that was enriching uranium, and they managed to overtake their SCADA system, send back messages back to the control operator saying everything's fine. Everything's good, right? While they spun the centrifuge out of control. And that's just like the movie plots where somebody comes up to the camera that's pointing down the hallway and manages to put up some film that makes the hallway look normal while they're walking down the hallway. You know what I mean. Right, so it was a function of creativity and coordination to actually make that happen, not necessarily technology breakthrough. I also wanted to ask your opinion on, because I always feel like privacy is the flip side of security. And the other media sensation, of course, is Snowden. A lot of customers certainly talk about it. When you really probe, well, it depends. I guess in Europe, maybe there's a little bit greater sensitivity. But I wonder if you could address that. Do you get that question a lot from customers? What happens when the U.S. government wants to access my data? What does IBM do? Do you tell me to encrypt? Will you fight? What do you do there? You know, we don't get it a lot from organizations, from enterprises. You know, we get it from individuals because it turns out that individuals are largely concerned about their own privacy. And in fact, a little confession, even though I don't game, I actually bought Google Glass about a year ago. And it's kind of an interesting social experiment to wear that around. Most organizations aren't overly concerned. 
I wouldn't wear it through a casino here in Vegas just because it seems like somebody would get a little upset, what stays in Vegas. What happens in Vegas? They might break your arm. Right. But when you walk up to individuals, the first thing they say is, is that thing recording? And so it's kind of interesting. And so when you turn it around and you start talking to individuals, they're the ones who are concerned about their email being monitored, about somebody, I can't remember what that movie was about four or five years ago with Will Smith where you could see everything through every camera on the planet. If you're in a retail store, the NSA had access to that and they could follow you around. Enemy of the State. That's what it was. But that's not the reality of what happens now. If it is, then that would be the real technology sophistication. But so from a privacy perspective, where we really hear it from is things like hospitals who have HIPAA concerns. So they're trying to protect the individual's privacy and not necessarily the privacy of the organization. And the way that that works is through encryption. It's pretty much encryption because nobody's going to give up technology because the functionality is so great. So in other words, I think maybe in three or four years Google Glass will be, everybody's going to have something like Google Glass. It may not be Google Glass because it's a bizarre looking piece of equipment. But when they find out what the killer app is, everybody's going to want it. And then all of a sudden your privacy concerns are going to go away. So if I encrypt my data and take care of my keys and the US government goes to IBM and says I want Dave's data, okay, fine. If you had to give it to them, I'm covered. Would you fight them? Or would you put up a barrier? Would you say, well, why do you want Dave's data? Or would you say here's Dave's data? What's IBM's posture toward that?
Well, you know, I don't know what IBM's posture is, but I'll tell you what, my view on that is that your personal data, you can't treat it as if everything is equal. So it's back to that whole- Yeah, the whole threat- My email might contain my grandmother's chocolate chip cookie recipe, which is fine. If the NSA wants that, they can have it. You know, maybe not Nabisco, because I want to keep that, doesn't matter about that. But at the same time, if I'm doing something illicit, then that might be where I'm worried about privacy. So I think we really have to make a decision about where we fight for our privacy rights. At the same time, we just can't give them all up because they came for my neighbor, they came, eventually they came for me type of thing. So the reality is, I think we're at that inflection point right now where we're really worried about privacy. We see government as big brother, but we really need to make some smart decisions. And I don't think that conversation is happening because the general public doesn't think of it in those terms, in terms of risk management. They just think of it as an all or nothing problem. So companies like IBM talk about the hybrid cloud. One of the obvious things to check here is security. So is my security on-premises sort of the same model, the same framework, the same edicts when I go into the IBM public cloud or whatever you're calling it, the hybrid cloud, off-premises cloud? And that's a different story because as IBM, we have to protect the customer's data absolutely. So we can't, we as IBM don't know if I'm storing my grandmother's chocolate chip cookie recipe, or if I'm storing HIPAA privacy data, right? And so we have to protect that data as if it's the utmost, that needs the utmost protection to it. So that's the problem with being a service provider is that we don't have that context.
So, and I think that's the difference between enterprises and individuals and individuals can make that decision or at least customers of enterprises. So our customers may know what data they're putting in there. So it could be a HIPAA workload, it could be whatever, it could be anything. And they're the ones who have to decide where they put their data and where they don't put their data, right? So sometimes you may not want to put your data into a public cloud regardless. But we as IBM have to assume that it's all completely sensitive data and that we protect it out. Chris, thanks for coming on. We got a break here, but I want to give you the final words. Share with the folks out there. Just summarize, you know, the special forces. You guys have the special group, right? So X-Force, talk about the group and just what do they need to know about security in general and just summarize the whole mission into a quick sound bite. So from what we do at the X-Force, our entire goal is to make sure that there is never a patient zero. We want to be able to do analysis, collect the data, do analysis on it and arm our customers before there's actually, before the bad guys actually attack them. And so we're working towards that goal. Security isn't there yet in general. But as IBM, we have the best tools to do this. I think I mentioned that before. And we're confident that we're going to get there and just defeat the bad guys on the defensive side. Yeah, and certainly Steve Mills was talking about, it's no secret the huge R&D budget IBM has and access to massive amounts of computing and database stuff. Special forces, X-Force there, and IBM really protecting the customers. Thanks for coming on theCUBE. Great conversation. Again, security's hot. Security will be really, really a big focus for big data. Getting the insights, actionable insights, understanding how to understand root causes and really protecting us. Congratulations, great work. 
Love to have you on, thanks for all your time. This is theCUBE. We're here live, extracting the data, sharing that with you here in Las Vegas. At IBM Insight, I'm John Furrier with Dave Vellante. We'll be right back.