Cisco, extracting the signal from the noise. It's theCUBE, covering VMworld 2015. Brought to you by VMworld and its ecosystem sponsors. Now your hosts, Stu Miniman and Brian Gracely.

Welcome back to SiliconANGLE TV's live coverage of VMworld 2015. I'm Stu Miniman and my co-host for this segment is Brian Gracely and we've been digging into the networking discussion. Excited to have somebody that's both a customer and a partner, been working with VMworld on the networking side. Actually, been working with Nicira before that either. So it is Chris Drake, who is the CEO of what is now called Armor, until yesterday was known as Firehost. Chris, thank you for joining us. And can you tell us a little bit about kind of your background and about Armor?

Absolutely. Well, first off, I'm a military background, third generation paratrooper. Used to jump out of airplanes for the 82nd Airborne Division. And a lot of security people kind of start from the military in their earlier days. And I started building some of the world's first websites for the world's largest organizations. And quickly learned that the security problem was happening on the application layer. And realized that it was growing immensely fast. And so I sought out to build the world's most secure cloud. And we did that, which was the company name was Firehost. And then over time, a lot of organizations kept asking us, can you secure my cloud or my enterprise IT environment? And so we did, we launched a product called Armor. And we fell in love with the name so much that we actually rebranded our company as Armor.

All right, so my understanding now, you're helping to secure other clouds. Are you still doing your own cloud?

Absolutely.
So when organizations have a workload that's solving for the most paranoid of data, whether it's payments information, healthcare information, intellectual IP, things like that, then we have the proper environment for them, all sitting on VMware, all leveraging the NSX stack, global 1400 customers in 42 countries. And, but yes, we can extend our security into their enterprise IT environment, vCloud Air and other locations.

So the most secure cloud in the world is a pretty bold statement. It puts a big target, a bull's-eye, on you guys. Why do you need network virtualization? Security historically has been very demarcation point separation of resources. What does network virtualization do to drive that security?

So there's a thing called humans that creates some complications in the network stack, right? So when you have a cloud environment, they have DevOps and sysadmins have real time control over the network interfaces and all sorts of activities. And so you have to be able to secure at scale and be agile to the business. And so that's where software defined networking, NSX, makes sense for us because we can manage those security policies in a dynamic environment. We have 1400 customers. We managed almost 10,000 virtual machines and every one of them was a snowflake, right? Every one of them has different security policies that have to be around every VM and we need to manage that at scale. And so that's our approach to market, is to not have these generic security policies where you have DMZs and that's 2005 networking topologies, right? But every single virtual machine has their own fingerprint on what the security posture should be.

Yeah, you made a great point, Chris. I mean, you know, being in the network space, I remember even the best security tools out there, if there's incompetence or malevolence out there, you know, the people can kind of screw it up. Can you give us, you know, what's your take on just security in the cloud?
You know, we've often said that, I mean, security is given as, you know, often the number one inhibitor to people thinking about cloud or using cloud.

So, well, there's some problems in the security space from a vendor perspective because the security vendors, if you know the space, which you do, is all been solving security to the enterprise, right? So they have not been friendly with multi-tenancy. And so, yes, they have great rules engines and processing that can take a couple IP addresses and have line rate speed inspection. But when you have 1500 customers, like I said, we're all snowflakes in the back end, all independent, those rules break down. The processing can't happen fast enough. And so that's where the breakdown is on cloud, is the multi-tenancy aspect.

Secondly, people are having, they're not having security conversations right now. We are going to have security conversations soon. They are having compliance conversations. And I absolutely can't stand compliance. This is my little soapbox that, you know, if you look at all the breaches over the last 12, 24 months, over half of them were PCI compliant or HIPAA compliant or just certified for compliance. And so the problem with compliance is that it's an annual audit. That's, you know, just like an accounting organization goes through a financial audit. You're doing security audits annually. And then you have DevOps the next day that does something, opens the environment up. And either you find out in 12 more months when the audit comes back or you find out when a hacker breaches you, right? So the problem with security in the cloud is we're not having that conversation right now of true security. We're having a compliance conversation which is not, does not equal security.

Yeah, now you just threw out the word DevOps. DevOps is about agility, about moving fast, about continuous integration. How do you justify that?
How do you rationalize that with the security posture which, you know, traditionally tends to be don't make as many changes, don't do, but what does DevOps plus security mean for you guys?

So DevOps plus security means you must state what is a known good environment, right? And then you need to manage drift from that environment. The things that DevOps do that modifies the cloud infrastructure are things that they may need to do, right? But the problem is that there's no visibility into the changes that they make, whether those are okay changes and it doesn't create more risk in my enterprise or those are horrible changes. And as a CISO, I won't find out until my auditor comes back or till I get breached. And so it's really about managing the configurations, knowing what's good and then managing drift from there.

And how does NSX help you with that?

It's, well, first off is we can have flexible configurations. We were, before NSX, we were having to lock down configurations where the DevOps had no control, right? And they would have to provide a rationale and they need this port opened or this service exposed or whatnot. And we would have to go through an audit process and a validation process, making it not agile. And until NSX were able to expose controls to DevOps and also expose the configurations to our own virtual CISO, if you will, we have a platform that manages policies. We were not able to provide them agile tools. So it's not until our NSX environment that we're actually able to expose functionality to the DevOps to make security not so inconvenient.

So Chris, I'm curious, your solutions, do you have to use a vSphere as that? Because NSX does support more than just vSphere. What's your experience and the hypervisor? How important is that as it ties into the NSX?

So we are 100% VMware based on the vSphere side. And the importance for us as a security provider is that we don't have to worry about it, right? Is that it's a very solid foundation.
And I could focus on having our organization think about security rather than the plumbing, which is the virtualization layer. Also, when I go into large enterprises and they ask, what's your network stack or topology look like across your virtualization layer? When I say the word VMware, I can get through that conversation easily. If I say other words, that open source technologies or whatnot, that I'm having to defend why open source is secure and those kind of things.

So when you're selling your product into other clouds though, did you find the same thing or what was your experience?

So the thing that I've seen when I go into other clouds, well, our security only sits inside the virtual machine in other clouds at the moment. So we're only securing the operating system and the underlying things like anti-malware, FIM, logging, all those kinds of activities. The things that I'm excited to hear about in the near future from VMware is how NSX can go across the other clouds. Because what's bothering organizations is the IP space isn't consistent. Is that when you think about multicloud strategy right now, the clouds are their own IP space. And so they can't truly move assets from one cloud to the other because IPs are a pain to change. I don't know if you don't know how that works, but changing DNS record, BGP, things like that, creates downtime.

Been a lot of high profile credit card driven hacks, retail, some other stuff on the web. A lot of customers want to know when they're using an external cloud provider, how do I manage that relationship in terms of things like repudiation, in terms of who should be responsible for that? Like how do you guys think about this sort of shared responsibility of security and what's evolving in the cloud space for who should maybe pay liabilities and stuff like that?

Yeah, that's a question we get all the time, is indemnification, right? What is the SLA and the responsibility that if I get breached?
Well, first off, it is a shared responsibility. Armor takes on more responsibility than anybody in the space. So if you were to look at all the security requirements for PCI or whatnot, we have 85% coverage for those controls and the 15% the customer has to worry about because we can't simply do it for them. And then a second one is, it's all around the metrics in which you provide the customers. We actually tell the customers what our security KPIs are. And a lot of people don't think about a security KPI. So we think about security KPIs as we guarantee our customers that one of our KPIs is for every two million true positive attacks that come to our network, we get one infection. For every one infection into our network, we average dwell time of one day, right? So that's, and by the way, the industry average on dwell time, which is dwell time is the time of that hacker once they infect the machine until when that infection is taken off and that machine is considered clean. The industry average is 205 days.

Wow.

Right? And so we are averaging around one day. So we actually deliver KPIs to a customer and we'll wrap an SLA around it as well as we also provide cyber insurance. So we are the only secure cloud that's backed by AIG. So every customer that comes into our environment immediately gets $100,000 with the cyber insurance because we know we're a safe driver, right? If you think about the car insurance model, you know, we're a very safe driver. And so AIG can underwrite us on a cyber insurance policy. At the end of the day, this world is going to become an insurance game. You know, you have big organizations spending half a billion dollars a year in cybersecurity and they're still getting breached. They spend half a billion dollars a year in compliance. They still get breached. What do they do? They eventually have to kind of say, we got to buy insurance for it. It's going to happen no matter how much I spend, right?
And so, and you can't be, you can't have great insurance rates until you're determined to be a safe environment. And that's what we are.

So Chris, you've been speaking at VMworld. I'm curious what kind of questions you're getting from your peers out there. What maybe misperceptions you're clearing up about NSX or some of the key things that you're helping to deliver?

So a couple of things that we've been, one of the topics that I had discussed this week at VMworld was the idea that give up protecting the endpoints, right? That is an unwinnable battle. You know, if we talk about endpoint security, you know, I'll just leave the room. And the reason why is that you have to assume your endpoints are compromised. Also, you have to assume that your network's contested. You have to assume that all your partners and all the integration points that connect into your environment, whatever they told you about their security is not true, right? So first off, have that base assumption and then we can have a good security conversation.

And then what we've been talking about is have a data-focused model. And the reason why I say that is what is the data? Don't care about the app, right? I can give you a story about an app that was hacked that no one would think it'd be high security and it wound up being high security requirement, is focus on the most sensitive data in your enterprise, whether it's the payments, whether it's healthcare, whether it's intellectual IP and things like that, and secure that. And when you get the KPIs around the things that I described about dwell time and attack to infection ratio where you feel comfortable as a business, then you can move across the enterprise. The thing that I really preach is that if you're focused on the entire landscape, you'll be ineffective and nauseated.
This is where people that are spending half a billion dollars and still losing the battle because they're focused on the endpoints, they're focused on BYOD, they're focused on the network, the corp IT, screw that. Focus on the endpoints on the data where the valuable data lives and you'll have successful security operation.

And NSX, this is what's great about the NSX environment, is that you can create snowflake-like postures. So you can say, instead of having a non-secure zone and a secure zone within a traditional networking architecture, is that you can focus security postures around every single virtual machine because you may have three web servers in a web farm, but one web server has to run a process at night that has to open up SFTP, for example, and send out something. And you put those web servers in the same posture and now your entire web farm is the same posture of your lowest common security factor, which is SFTP. So we're trying to have data-centric models and a snowflake policy management, which NSX kind of enables.

You've been obviously working with NSX for a while. You talked about having worked with Nicira prior to the acquisition. As you talk to your peers, what can they expect in terms of a transition? I mean, Stu and I both have a lot of networking background. We've been through some of those things. The technology is one piece, the people and processing. What kind of changes did you guys have to go through to make virtualized networking, virtualized security part of what you do?

So the biggest change we had to do, well, it was a positive change, was pre-NSX we were very manual. Like we said, at any time a certain firewall or a certain sort of network topology adjustment had to happen in real time, we had to go to engineers and have that be executed. And the change that we have was exposing NSX's platform and the capabilities to the customer.
And so we worked really hard to integrate with their API set and make it very intuitive for them to add IP groups, service groups, firewall rules and things like that. And another thing that we are enabled to do now is expose those policies into the customer in real time and then map it across a compliance framework or a security framework to say, these are the things that are exposed when the auditor last came in to validate your security requirements or your compliance requirements, how has drift changed? And we can do that in real time now rather than doing it every year.

Yeah, so Chris, my friends in the security industry say one of the biggest challenges that we have is that when I deploy something, I need to keep it up to date, and networking traditionally has been something, let's put it in there, let's get it all done and then don't breathe on it. I mean, especially Cisco specifically, it's firmware upgrades, no, I don't want to do that. So can you kind of round that for us and how do we think about upgrades and moving things forward to keep them secure?

That's another KPI that we manage and the industry calls it points of risk per device, right? So from a security perspective, there's an international financial institution that spends half a billion dollars a year, strives for what is called a point of risk per device of less than 10, they said around nine. And what a point of risk per device is, is for every device connected to the network, how many vulnerabilities are in that device? Could be firmware, could be patch level, all those kind of, it could be firewall rules, all those kinds of things. And but the problem with points of risk per device is you have to have a great patch and vulnerability management process because if you don't, you get downtime. It is the, you know, because if Super Patch Tuesday comes out or whatever, right? And you hit apply to everything, things break.
So to get to a very low points of risk per device and have great uptime is a constant struggle, and at Armor we have points of risk per device, our average of the last six months has been two. You know, and the best in class has been about nine or 10.

So realistically, when can we expect to see the Armor set of services deployed as a functionality in vCloud Air and into this sort of one cloud message that Pat's talking about?

Well, I have a breakfast with Bill Fathers tomorrow morning, so we'll work on that. But, you know, but it's deployable now, to be honest, the difference between what's available now because we built this product called Armor Anywhere. So you take Armor and bring us anywhere, right? Real creative name. And so, but that's deployable at any environment across the world. The difference between the vCloud Air relationship that we want to have and that we're working to execute on is the marketplace integration, right? Is that let's embed ourselves in the marketplace. So when you go into vCloud Air's marketplace, you simply add a VM that already has us in there or VMs that already exist, you add us in there and you get billed through your same billing model that you would. And so the technology platform tying into our security team is all there. It's just how efficient is it in the marketplace.

Excellent. So Chris, you work pretty closely with the NSX team. Where's the white space? What are you asking for going forward? You know, where do you see this whole space maturing going forward?

So the white space is actually, they're working towards solving that, but it's actually based off of real time reporting and on the fly decision making. Because what we are seeing is the world's not turning, the world's moving away from signatures. So all the security that's been written in the past is all signature based and we're now going towards algorithms. We're looking for behavior, right? And so we've got to look for behavior in real time.
Because if the hacker is able to access information for even a microsecond, it's too late, right? I don't know if you know how memory scraping works and things like that. So they are not even relying on data actually getting to spindles or getting to SSD. They're catching things in flight, in memory, right? And so the white space is to provide people like us that have the security professionals and the algorithms to actually see what's happening in real time and make decisions and block things in real time. So the first request, we see what's going on. The second request, we deny. And that's where we see the space because it's moving that fast. And what's amazing is that's where our focus is, is trying to get things in the second packet. And the industry is trying to get things in 205 days. So the industry is pretty behind.

All right, so I guess the last question I have for you is, unfortunately, I feel like security has always been the top of mind, but often the bottom of budget when it comes through. Seeing a lot of startups in this space. Some of the other solutions that are helping to simplify the environments, take hyper-converged, for example. I hear the people saying, I'm finally getting to do the security initiatives. And when people look at cloud environments and security, as you said, they tackle the governance first, but security comes up. Why is this an important time for the whole security conversation?

It's an important time because people are getting tired of their CEOs getting fired and their shareholders getting sued, right? I mean, and the boards are now creating a 30 minute block in every board meeting to talk about risk, right? Because this is now starting to impact people besides the security professionals. And the problem and the opportunity that exists in the space and the problem that exists in the space all at the same time is that you have great security technologies that are being released out there.
And the reason why that people are reticent from going to the cloud and security is number one issue is they don't know what to do with it. Because the security technologies, I use this analogy, but I think about them as blacksmiths, right? All the security companies are nothing but blacksmiths. They provide swords and shields to organizations. And the organizations don't know how to fight with them. No one's the knights and that's our role, right? We actually wield the weapons to go fight the battles. And so these security organizations, like I want to leverage the cloud and I look at the marketplace and I look at all these swords and shields that are available in the marketplace. I don't know how to operationalize them. I don't have the threat intel team to add the intelligence within the framework to do IP or URL blacklisting. And I don't have the operations team to manage the events that come out of it and to jump on bad threats that fall from those events that I see. This is why you have people like Target that get breached. They spent tons of money. They had FireEye and all these kinds of incredible security technologies. But there was so much noise because they didn't have the intel to siphon down the noise into a needle point to inspect, then they didn't have a security team to jump on the few events that they were able to see. And so until we solve the blacksmiths versus the knights equation, people are still going to be scared to go into the cloud because they don't know what to do with the tools that are available to them.

All right, well, Chris Drake, really appreciate you coming on to talk to this critical issue as we look at cloud and what's going on in networking. Thanks so much for joining us and thank you for watching. We'll be right back with some of our wrap up here on day two here from theCUBE at VMworld 2015.