theCUBE presents Ignite 22, brought to you by Palo Alto Networks. Hey, welcome back to Las Vegas. Lisa Martin here with Dave Vellante. This is day two of theCUBE's coverage of Palo Alto Ignite 2022. Dave, we're just talking about how many times we're in Vegas and we were here two weeks ago with our guest who's back, an alumni, and it's a blur, right? It's true, I lost count. Luckily I don't have a flying red eye tonight so that's good. I'm impressed. I'm excited about that. I enjoyed the nightlife here for a period of time. And we were at re:Invent and what a difference. This is nice and relaxed. You have time. You're not getting bumped in the hallway. A lot of time for learning. So it's been a great show. It's been great. And one of the things that we've been talking about is the supply chain, securing the modern software supply chain is really complicated. We've got an alumni back with us to talk about what Palo Alto is doing in that respect. Ankur Shah joins us, the SVP and GM of Cloud Security at Palo Alto Networks. Welcome back. Yeah, happy to be back. Good to see you again, Dave and Lisa. It's been two long weeks. I know, it's been two weeks, yeah. It's kind of crazy. I mean, re:Invent really was a blur and it's like you had everything coming at you and there was obviously a big chunk of security but it was just so much to absorb, right? Yeah, and I couldn't get into any of the sessions versus at Ignite. I mean, you could learn a lot to your point Dave and 70,000 people versus 3,000 and change, big difference. Huge difference, huge difference. So we touched on the Cider acquisition which was announced at the intent to acquire last month. Let's dig into a little bit more of that and then some of the great things that have been announced in the last couple of days. Well, absolutely. So this is something that we have been marinating for last nine months thinking about how best to secure supply chain and this is software supply chain. 
The modern application software is fairly complex. Back in the days when I was a developer, it was a simple three tiered application, shipped the code once a year, et cetera. But now with microservices, new architectures, Kubernetes, public cloud, we talked about this. It's getting super complicated and the customers are really worried about securing their entire supply chain which is nothing but the software pipeline. And so we started looking at a whole bunch of companies and Cider really stood out. I mean, they were the innovators in this space very early days. We've seen supply chain attack but there hasn't been a really good and strong solution in that space and Cider just delivered that incredible team, great technology, super excited about what that integration will look like in the coming quarters. What do we need to know about them? I mean, I've been honest with you, I wasn't familiar with Cider until I saw you guys made the announcement of the intent to acquire them. What should we know about them? Why Cider, what was it that attracted you to them? Yeah, so we have a history of technology acquisitions as you know over the last four years, just in the public cloud we acquired over half a dozen companies, small and large. And typically we are always looking for companies who have the next gen technology available. Technology that is more in tune with how application software is going to look like in future, so we're not always going after companies that are making tens of hundreds of millions of dollars in ARR, we're looking for the right tech, the future. And that's what we found in Cider, like they have a really strong application security background and AppSec just broadly speaking, supply chain is part of it, but application security just broadly speaking is ripe for disruption. You've got a lot of vendors who have been around for like last two decades, old school stuff, lots and lots of false positives. 
So we've been bolstering beefing up our portfolio in the application security space and Cider really fits right nicely into it because it can, like I said, secure a lot of technology and tooling that software developers use as part of their software supply chain. So great founding team, great technology, it was a perfect fit. Talk about integration, we spoke with Nikesh yesterday with Nir, with a whole bunch of folks, Lee this morning, BJ yesterday as well, and one of the things that seems to stick out at me after, with all the shows that we do is the focus that Palo Alto has on ensuring that it's making the right acquisitions but that it's the integration is really seems to be like leading part of the strategy. That seems to be a little bit of a differentiator to me. Yeah, it absolutely is. There are two ways to integrate a technology into an existing platform. And Prisma Cloud is a platform as you know, Code to Cloud CNAPP platform as we call it. One is just kind of slotted in, put the whole thing in a box. And that's basically making one plus one equal to two. We're looking for high leverage in integrations whereby once that integration comes along, it makes the rest of the platform even better and superior. It makes that technology look even better. So that's why there's a lot of focus on ensuring that we're delivering the right type of integration that delivers instant customer value. And that makes the overall platform even superior so customers don't feel like, hey, like there's just one more add-on on top of the other thing. Right, not a bolt-on. So that's why there's a lot of focus on that, getting the strategy nailed because the founding teams generally have a preconceived notion about how the world looks like, then they understand how Prisma Cloud and Palo Alto Networks think about it. And then we sort of merge the two ideas and build something that's incredible. 
So we're spending a lot of time in integration that honeymoon phase of like, let's high five acquisitions done, that's over. Now it's the grindy work of actually getting this right and getting hundreds and thousands of customers. Well, I like how you don't have the private equity mentality, it's not about EBITDA and cash flow. We'll take care of that. It's about getting that integration, getting that flywheel effect inside the platform. So one plus one equals maybe even more than two. Can you explain Prisma Cloud Secrets Security? What is that all about? What do we need to know about that? Absolutely. So the developers generally store some stuff in the code repo for their automation work to build applications. And that thing, the API keys or secrets are stored in code repo. It shouldn't be, or even if they are, they should be encrypted or locked down and things of that nature. But the need for speed trumps everything else. Developers want to go fast and sometimes they're like, okay, well, I guess my application needs this particular API access token or secret, I'm just going to stick it in the code. Now the challenge with that is that if somebody gets hold of your code repo, now not only is your code repo, which has all your sensitive data, your code is the life and blood of a technology company, that's in trouble. But also those secrets and API access keys can be used to log into your cloud accounts. And there you may have sensitive customer data, everything that you have as a technology company stored in that public cloud accounts. So that's the worry. It's usually the initial access for the kill chain because that's where the attacks start. Let me get the secret, let me get the API access key and let me see what I can do in public cloud. So we are now giving customers the visibility into where the secrets are stored. More importantly, it's just right there on developer's face in the code repo as they're checking in the code. 
They say, hey, there's a secret here. Are you sure? Do you want to keep it like this? No? Okay, well, then you can either encrypt it or just get rid of it. So we're bringing security where the developers are in their code repo, et cetera. So I can see a lot of developers saying, yeah, go ahead and encrypt it. So I don't have to do anything extra. It's almost analogy is a very small version of this. It's like, use a password manager, you store all your passwords in your contacts on your phone, right? I mean, somebody gets a hold of your contacts, you're screwed. That's exactly right. And so, but I could still see a lot of developers checking the box. Yeah, just encrypt it, leave it there. But you're saying best practice is not to do that, right? Yeah, usually you're not supposed to store all your secrets, et cetera, in code repo to begin with. But if you do, you use a key-vault-like technology to really encrypt it and store it in a secret manner, yeah. There's an old saying, bad user behavior trumps great security every time. Every time. But this is an example where we know you're going to have bad behavior. So we're going to protect the bad behavior. Yeah, and actually, sorry Lisa, just to that point, the bad user behavior trumps good security. The classic example, this happened three weeks ago, three, four weeks ago, where Dropbox, one of the file sharing companies there, 120 plus code repos were exposed. And the way the attack started was a simple social engineering attack, bad user behavior. There was an email, hey, like your passwords that are updated for your, you know, this code plugin, can you enter the password? And boom, now you have access to the code repo. And now if you have secrets inside of it, now, you know, all bets are off. Are there hard coded secrets versus like, I mean like I think like you were saying, like user names and passwords and tokens versus like soft coded secrets? 
I think this is more, so the two forms of it, you know, the most primary one is what we call the API access keys. And these keys are used to access cloud accounts, workloads and things of that nature. But there are actually secret secrets. Could be database, login passwords, et cetera. The application is using it to spin up databases. Now, you know, you have access to the data stores. Any other application, there's a login password, all of that stuff. So it's less about the user password, but more about the application and databases and things of that nature. So again, everybody should be using password managers. But when you use a password manager, it's going to give you a long list of passwords that have either been compromised or are weak and you just go, ugh, okay. So can you help, how do you help customers identify what the high risk, you know, API access are versus those ones that they may not have to worry about? Look, you know, secrets aside, risk prioritization is one of the biggest topics that our customers have across the board in cloud security. All the security vendors are really, really good at one thing, generating alerts. Everybody does it, they generate an alert. You know, your ring camera, if you've got one, I mean, this pop up every day, like every minute rather, like, can you prioritize it for me? What should I really look at it? So that's the number one thing. What Prisma Cloud does is, you know, contextualize it what the real risk is. They can tell you like, hey, here's the kill chain. If this thing, you know, goes to public internet, these are the potential exposures that you have. So we provide a prioritized risk of critical alerts that customers have to take care of before they can start taking care of more hygiene type of stuff, right? So that's how we do it. Like we leverage a lot of technology. We apply a lot of context. We tell you like, hey, this code repo is not protected by multi-factor authentication. 
And then there's a secret inside. Are you sure, you know, you don't want to fix it? So that's what we do. But it's a great question, top of mind for all our customers and that's how we think about it across the board versus generating just alerts all the time. Is the strategy, because we all know phishing is the sort of most obvious way, it's the top way in which people get hacked, is your strategy essentially to say, okay, we know that's going to happen. So we're going to try to protect it at the back end. How much of the, maybe it's an industry question more so than just Palo Alto specifically, but how much emphasis do you think the industry is taking or should be taking on stopping that, you know, that those phishing attacks because if that's the number one problem, you know, maybe that's where we should be starting. It's a great question. It's typically the initial vector for a lot of attacks to your point. But there is one thing that technology and AI cannot solve which is the user behavior to your point. Like we can't get into the heads of the user. I mean, you can train them, you can do everything, can't prevent somebody from clicking a button. Of course, there's technology out there for email security that does that, but your point is right, it's going to happen. Now what do you do? How do you protect your applications, your crown jewel? You know, whether it's in the cloud or it's in the code repo. So a lot of what we're trying to do in code security or cloud security or in general at Palo Alto Networks is to protect those crown jewel because we can't prevent somebody from doing something. User behavior is hard to change. So it's almost like, okay, you left your front door open, somebody's going to walk in, but oh, they walk into a vault and they don't know where to go and there's nowhere they can, you know, nothing they can take. They can't get to the silverware or the jewelry. I think that's it, yeah. 
What are some of the things like as we look at we're wrapping up calendar year 22, heading into 23 that customers can look to Palo Alto Networks to help them achieve. One of the things that we talked about with Nikesh and Nir yesterday is consolidation. Like, and you guys just did a recent survey about the state of cyber and organizations on average have 366 apps in their environment, 31 security tools, 30 to 50 security tools. Consolidation is really key there. What are some of the things that you're excited about to deliver to customers where consolidation is concerned or software supply chain security is concerned in the next year? Yeah, absolutely. Look, there are over 3000 security vendors and this can be, I mean, you talked about average customer having 300, I was talking to a CISO, this is the last year for one of the largest financial institution, I got how many security tools do you have? He got 120, I said, why? He goes, we have a no vendor left behind policy. Wow. It's crazy. What? Obviously he was joking, but it's crazy, right? Like, that's how the CISOs are. I mean, he was kidding, but recognized that. Wow. Yeah, and this is the state the security industry is in and our mission has been and Lee and Nikesh and Nir talked about it is just platforms, we'll platforms, take moonshots, things long term and especially the macro headwinds that we're seeing. We're hearing more and more from the customers that look, we're not going to buy a point product, then we got to buy another product that stitches it all together. We need platforms, whether it's for zero trust, Prisma SASE, whether it's cloud, Prisma Cloud or for your SOC transformation, XSIAM and Cortex line of products. So I think you're going to see more and more of that in 2023, I'm confident of that. We heard from Lee today, the world record's 400. Yes. That's crazy. It's going for it. He's got a ways to go, 120. Maybe he wasn't, that guy wasn't kidding about his no vendor left behind policy. 
Do you have a favorite customer story that really articulates the value of what Palo Alto delivers and continues to deliver? Because one of the things that Nikesh said in his keynote was that security is a data problem. Well, every company these days in every industry has to be a data company. But really what they need to be able to be is a secure data company. How are you guys enabling that? Well, absolutely. Look, many customer examples come to mind, but speaking of data, some of our largest customers who are protecting their PCI workloads where they have sensitive data, they're using, for example, Prisma Cloud to ensure that malicious attacks don't happen. Then those workloads are used for credit card processing. They're processing tens of thousands of credit card transactions a second and make sure that nobody gets hold of that and that's why they have to make sure that nobody is, no attacker is trying to get hold of the sensitive data to your point. So we have customers across financial services, media and entertainment technology company where we're helping them go as fast as possible in public cloud, go through digital transformation by securing their applications. What's the t-shirt say? I see code. Oh yeah. Secure from code to cloud. Shift happened. Shift happened. Secure from code to cloud. I love that. I was looking at that, going back to that, what's next in Cyber Survey. That said 74% of respondents, and I believe there was 1,300 CIO CXOs that were surveyed globally, but they said security is slowing down DevOps. Can customers look to Palo Alto Networks to help them? Be enablers. Yes. 100%. Look, the conversation over the last few years have changed now. Security used to say like, oh, I don't know about these people who are building applications, but DevOps is like security slowing down. I think there's an opportunity for companies like Palo Alto Networks to build the bridge between the two. 
And the way we do it is make the security easy, simple, and not super intrusive, where developers have to do a natural thing. And one part of it, and I talked about it earlier, is bring security where the developers are in their code repo, in their IDE, make it super simple, don't make them do unnatural things. And it just, this is no different from changing the behavior of our kids, right? Like you make them do unnatural things, they're not going to do it. But if it is part of their regular day-to-day operating procedures, I think they're going to be more open to change. So I think it's possible, and Palo Alto has a huge responsibility to bridge the divide between the apps team or the DevOps and the security organization. Lots of great stuff to come. We thank you so much for coming back. Two weeks, only being on two weeks ago. We appreciate your insights, learning more information. It's great to see you at Palo Alto Ignite. And we'll have to have you back on, because we know that there's so much more to follow with respect to what you're doing and shifting left. Shift happens. Awesome. Lisa, Dave, thank you so much. It's been a pleasure. Thanks so much for Ankur Shah and Dave Vellante. I am Lisa Martin. You're watching theCUBE, the leader in live and emerging tech coverage.