Live from New York, it's theCUBE. Covering AWS Summit New York 2018. Brought to you by Amazon Web Services and its ecosystem partners.

Hello, welcome back everyone. This is theCUBE live in New York City for AWS Amazon Web Services Summit 2018. I'm John Furrier, Jeff Frick here for wall-to-wall coverage here for the one-day event. Our next guest is TK Keanini, distinguished engineer at Cisco. Great to have you on theCUBE. Thanks for joining us today.

Thanks, great to be here.

We have some chat on before they came on camera about protocols, deep packet inspection, networking, I'll see Cisco now moving up the stack. I'm sure back in the day when you were there and now recently, that's been the big debate for Cisco moving up the stack, but the cloud has created a whole new stack, right? So a lot of action. Seems like the same movie from a couple generations ago happening out in real time at a much more accelerated rate. Welcome to theCUBE.

Thank you so much. Yeah, you know, anybody who's been in this business for the last 20, 25 years, I always joke and say, you know, same circus, different clowns. You know, it's the same thing again. And it's exciting because you know, I mean, you saw the keynote, the people here, everybody's excited about doing develop on this new thing. It's got new economics, new scale. It's definitely got more security, I think. And yeah, you know, we're just really moving aggressively with our customers towards the future.

You know, TK, I want to get your thoughts because one of the things we've been saying on theCUBE, we've been covering Amazon re:Invent since 2012, 2013 timeframe. It's really, we've seen the growth, but it's always been a developer haven. You know, cloud native, if you were born on the cloud, like most startups were back in the day, you had great goodness. And then you could become a drop-off and be so big you got to do your own data. So I get that.
But the most part, developers check, small, medium-sized business, check now large enterprises, great, developers. Now you're getting clear visibility on operators. So the confluence between operators of networks and infrastructure and IT operations merging together and having some synergy and cohesiveness with developers for applications, new workloads. What's your thoughts on that? Because this is really becoming the big aha moment where I can now operate now at a level and have a developer haven going on. Your thoughts?

Yeah, no. So I think you heard it in the keynote today. Security's everybody's problem, right? And it certainly is the developer's problem. It maybe even starts with the developer. You know, threat actors are clever. They were, you could say that threat actors were the first to go cloud first. They're not ashamed of what they use. They're going to get what they want. And so, you know, the idea of providing security as a service to those developers is a new thing, I will say. Usually I'm building products and service for the security expert. Now it's this web app developer, right? And their first question to me is, where's the API? Right, where's my libraries, right? How can I treat you like I treat storage, like I treat networking? They don't want to grow up and become a networking expert. They just want to have their application scale. And so that's the real focus is understanding the customer and building that service at the highest quality. Much of the expertise, I have to mechanize inside of my algorithms and my machine learning. But again, delivering them a service so that they can protect and become incredibly expensive for those threat actors to pursue.

And the alternative, the old days, was provision a lot of hardware, do a lot of configuration management, security audits, meeting, put up a perimeter. Now you can create sets of services.

Yeah, and a lot of automation, right? That's key, like you don't have enough people to test.
You have to automate your test. You don't have enough people to read over documents. You have to automate that acquisition. Everything's about augmentation and automation. Security, all aspects of security are following suit.

Yeah. TK, I wonder, you talk a lot about the threat actor evolution. She needs some other interviews and that's really in recurring theme because it's kind of your way you're saying how you have this kind of arms race. But the other big thing that's happened in the threat act is it's gone from the hacker, maybe trying to cause a disruption to nation-state and much more organized. If they, as that has evolved and the amount of resources that they now have to deploy versus just some standalone hacker, how have you seen that evolve? What are some of the responses?

That is a, you know, I still get goosebumps thinking about it because back when we started, it was more like, you know, we were just sharing a craft. You know, it was a lot like amateur radio, you know? You broke into something, you shared that scale, not anymore. I mean, these are real nation-state threat actors criminals. They're running a real business, okay?

Right.

And you do really good, if you do really good security, you're essentially adding to their cost of operation. They don't like that. So it is really a business against a business and they think like a business. They're well-resourced like a business. They're patient. And sometimes, you know, they sometimes in certain cases, they're going after the weak. In some cases, they're incredibly targeted. They're coming after you because you are a center of excellence for that sector. And it doesn't matter, you know, how high you build the wall, they're going to find a way to go under it or go around it or find a way to declare no wall.
But yeah, it's fun because like I said, you know, instead of waiting for something to fail, like a hard drive or you're just building IT systems for resiliency, in my world, these threat actors are talented, right? So every day, if I innovate, I force them to innovate. If they innovate, they force me to innovate.

That's funny, you say they're running a business. So is that part of your defense is just increasing their cost of goods sold in a major, major way?

It really is. You know, we've seen a lot of trends shift. For instance, you know, ransomware a little while ago, that was a big deal because, you know, they'd hold your machine hostage, cost you maybe $200, $300 to get out of it, okay? The problem with that is tomorrow, their gig's up, okay? Now the shift has been to crypto mining or crypto jacking. If they compromise your machine and can get a quarter out of that machine just by doing Bitcoin mining, they essentially will make 25 cents tomorrow. So they've shifted to a recurring revenue stream. This is important, okay? Because tomorrow and the next day and the next day, they're still undetected, okay? And when I say about raising their cost of operations, if you can find that crypto mining on your network, no matter where your network is, and shut them down, you've just taken a little bit away from their recurring revenue stream, right? And that's the dynamics we face daily. Disruption is key, making it complex and keeping disruption. Having more visibility than they do, having more detection than they do, and basically knowing yourself better than they do is absolutely critical.

I want to give you thoughts, TK, on a couple of things. A couple, one observation is, during the Snowden era, the mainstream population in the world, whether it's capital markets or IT, didn't talk much about metadata, that we have to Snowden metadata became a big thing. We now know what metadata is.
And now, obviously, with the Russian involvement in the election, spear phishing is now, I mean, it's been out there, but you're seeing specifically what was done there with spear phishing, so easy to pull off. How are we getting better at detecting and preventing against the humans who just think, oh, hey, a job offer for you or a real elegant bait, and certainly with mobile, doesn't have that DNS visibility. Mobile makes it easier to do some spear phishing. Spear phishing is a big deal. Your thoughts on that.

Yeah, yeah, and that's, again, that big trend and shift is, a long time ago, we built security systems to watch for people breaking into networks. Today, the threat actors are logging into your network because they've already gotten your credential through some means, okay? So how do you detect somebody who's actually impersonating you on the network? The same sort of security bells are not going to ring. And this applies for cloud or on-prem or anything. It's the same game, and really, being able to do that detection from the telemetry that comes native from the environment is critical.

And so really just more analytics, more telemetry, more instrumentation?

It is, it's not about the data. It really is about the analytics. I mean, yes, the telemetry has to be necessary and sufficient, but the analytical outcome has to be pointed at exactly that. You are trying to detect fraud. You are trying to detect, you know, it's like in the old days, if I gave you my general ledger, right, and you were an accountant, you would just be looking for errors. Okay, that's fine for operation. But say you're trying to catch a crook. I hand you that same general ledger. You're going to come at it with a pair of different eyes, a different mental model. You're trying to find the crook who's actively hiding from you. That's the type of analytics we're focused on.

So this is interesting. You talk about machine learning and AI could be an assistant, you mentioned automation.
Stealthwatch Cloud is something that you've mentioned. What is that? What's going on around there? Well, how do you get that lens to be turned on quickly in context? Because real time is about contextual relevance. At any given moment, you got to be ready alert and looking for things.

So the beauty of AWS is they can deploy in any one way. You can have your virtual servers. You can have the containerized or you can be serverless. That's the cool thing that cool kids are doing, serverless. You have to provide the same level of threat analytics for all three, no matter what. The good news is it's not about not having the data. AWS gives you a rich set of telemetry from many, many sources. What we do is first synthesize all that together, run our analytics on it, and point out where you may be exposed or there are threat activities that's either maybe even from the inside, not necessarily from the outside in your Snowden account. But there's anomalous activity that requires attention. All of those things, all that developer wants to do is make sure that they deliver to their customers business continuity. They're not interested in security.

TK, I got to ask you the question around security around clean sheet of papers. So Pat Gelsinger, CUBE alumni, now CEO of VMware, said on theCUBE, Dave Vellante, co-host of theCUBE, asked him years ago, is security a do-over with the cloud? This is back when the cloud was being poo-pooed as a security model. I was not secure in the cloud. Now it's looking pretty damn good, right? So-

Now it's more secure, I think.

Now it's more secure. And that's pretty clear. So, there's a chance for people to get a mulligan, get it redo, to rethink security. How do you engage conversations and how do you advise friends, colleagues, customers around if there's a chance to do security over with a no perimeter model, with a API microservices centric view? What's the strategy? What's the architecture? What's the approach?
Yeah, you know, I don't know. There's a couple of cases. It's not a one-size-fits-all. You have a lot of successful businesses transitioning and they really can't turn their back on yesterday. You know, they have to bring that transition forward. So there's that one crowd and they're going to have a different playbook because they have a set of skills and a set of things that are different. On the other end of the extreme, you have businesses that don't know on-prem. I mean, honestly, they were born in the cloud and they are cloud-native, right? And then you have most of everybody who's in between. You know, hybrid, multi-cloud, they're just doing, but functionally, they're all trying to achieve the same thing, which is they're trying to get the elastic economics. They're trying to get parts of their business that are elastic to that elastic compute, right? And then they're trying to, but all in all, you know, the threat actor doesn't care whether they come in through your mobile device or through that cloud workload. They're after something very specific, which is there's something in your organization, in your digital business that they want. They want.

So a couple of things on the phone. One is kind of the changing role of identity and security, because as the firewalls and the walls have got to come down, they've got a lot of holes in them. You know, so much more focus on who are you, but to your point, oftentimes they're coming in as you. So the identity maybe not necessarily is a great way. Then you've got this other thing, which is basically pattern detection, right? Anomaly detection. We hear over and over and over that the average time to know that you've been breached is months and many, many days. So how are you kind of factoring in those two things to do a better job?

Yeah, so and it is a creative, meaning there are net new ways of establishing identity.
For instance, you know, if this thing is acting like a printer and it's acted like a printer for the last 10 years, and one day that device gets up and starts checking out source code. That's a problem, right? Okay, so there's all these sort of things around novelty and around the dimensions of novelty. It may be a volumetric novelty. It might be a protocol novelty in serverless. I'll give you an example with serverless. We treat serverless as a first class object as if it actually was persistent. And if it makes a very novel, you know, API call that it never did before, I think you probably should know about that, right? If it starts to, you know, exfiltrate 20 gigs of data and never did that before, you probably should take a look at that, right? And these are all things, you know, from a DevOps standpoint, they want to know first, certainly, you know, there really is no excuse in cloud for you to be like, oh, I wouldn't have been able to know that. No, you can, because it's all there.

And microservices and containers provide great value here.

Incredible value, incredible value. And just again, that dynamic nature of that orchestration, you know, that orchestration brought us to basically a way where, you know, me as a developer, I used to know exactly where I was going to run and how long I was going to run. I have no idea where my code runs anymore, right? And that's the case here. And so security takes a completely different turn there because a lot of things that in your analytics were things that you needed to persist. Those things are gone. Everything's ephemeral now. So what, you know, what if I wanted to run a report for 10 years? Like, what in that 10 years stayed the same? Probably nothing. So you actually have to use a lot of algorithms to say that here's a composite, you know, type of set of data features. And if these things persist over time, you know, it's kind of like the way humans work.

Right, right. TK, great to have you on theCUBE.
Thanks for joining us. Thanks for sharing your insight real quick. You're giving a talk with Francisco here, what's your role doing here? We're going to the hallway.

Come join me at five o'clock, I think. It's going to be on Stealthwatch Cloud. So it'll be a great talk.

Stealthwatch Cloud. Again, thanks for coming on. Cisco Systems, of course, we're covering all the Cisco action at DevNet and the Cisco Live just recently and DevNet Create the cloud-native portion of the Cisco. We have the stack TK here in theCUBE. Breaking it down, I'm John Furrier with Jeff Frick. Stay with us. We'll be right back.