From San Francisco, it's theCUBE, covering RSA Conference 2019, brought to you by Forescout.

Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in the Forescout booth at RSA in Moscone Center. 40,000 people walking around and talking about security. It's by far the biggest security event in the world. We're excited to be here, and welcome back a CUBE alumni who's been playing in the security space for a very long time. He's Brad Medairy, the EVP from Booz Allen Hamilton. Brad, great to see you.

Hey, thanks for having me here today.

Absolutely.

Yeah, I've already walked about seven miles today, and I'm just glad to be here to have a conversation.

Yeah, the Fitbit and the walking trackers love this place, right? You fill your circles in a very short period of time.

I feel very fit after today, so thank you.

But it's pretty interesting, right? So you're in a position where you're advising companies, both government and commercial companies, you know, to come into an environment like this and just be overwhelmed by so many options, right? And you can't buy everything here and you shouldn't buy everything here. So how do you help your clients kind of navigate this crazy landscape?

Yeah, it's interesting. So you mentioned 40,000 people. As you can see on the showroom floor behind us, thousands of product companies. And frankly, our clients are confused. There's a lot of tools, a lot of technologies. There's no silver bullet. And our clients are asking a couple of fundamental questions. One, how effective am I? And then once I'm effective, how can I be more efficient with my cybersecurity spend?

So it's funny, effective. So how are they measuring effective, right? Because that's kind of a changing, amorphous thing to target as well.

That's the key question in cybersecurity, is how effective am I? There's lots of tools and technologies. We do a lot of incident response, both commercially and federally. And in general, when looking at past breaches, it's not a tool problem. In most cases, everyone has the best of the best in tools and technologies, but either they're drowning in data and/or the tools aren't configured properly. So we're spending a lot of time helping our clients baseline their current environment, helping them look at their tool configurations, helping them look at their security operations center, helping them figure out: can they detect the most recent threats, and how quickly can they respond?

Right, and then how do they prioritize? That's the thing that always amazes me, because again, you can't do everything.

Right.

And it's fascinating with the recent elections and kind of the state-funded threats, is that what the bad guys are going after, excuse me, isn't necessarily your personal identifiable information or your bank account, but all kinds of things that you may not have thought were that valuable yesterday.

Right, I mean, you know, it's funny, we talk a lot about these black swan events. And so you look at NotPetya, and with NotPetya, there were some companies that were really hit in a very significant way. And everyone is surprised, right? And we see it time after time, folks caught off guard by these unanticipated attack vectors. It's a big problem, but I think our clients are getting better. They're starting to be more proactive, they're starting to become more integrated communities where they're taking intelligence and using that to better tune and tailor security operations programs. And they're starting to also take the tools and technologies in their environment, better tie them and integrate them with their operational processes, and getting better.

Right, so another big change in the landscape, you said you've been coming here for years, is IoT, right? And Cisco called it Industrial IoT, or G, you call it. Yeah, and other things. A lot more devices should or should not be connected, well, they're all going to be connected, they weren't necessarily designed to be connected. And you also work on the military side as well, right? I mean, these have significant implications. These things do things, whether it's a turbine, whether it's something in a hospital that's monitoring your heart, or whether it's something in a military scenario. So how are you seeing the adoption of that? Obviously the benefits far outweigh the potential downfalls, but you've got to protect for the downfalls.

Yeah, you know, IoT, we view IoT as one of the most pressing cybersecurity challenges that our clients face today. And it's funny, when we first started engaging in the IoT space, there was a big vocabulary mismatch. You had the CISO organizations that were talking threat actors and attack vectors, and then you had heads of manufacturing that were talking uptime, availability and reliability, and they were talking past each other. I think now we're at a turning point where both communities are coming together to recognize that this is a real and imminent threat to the survival of their organization, and that they've got to protect their OT environment. They're starting by making sure that they have segmentation in place, but that's not enough. And it's interesting, when we look into a lot of the OT environments, I call it the Smithsonian of IT. And so I was looking at one of our client environments and they had a lot of Windows NT devices. I'm like, that's great, I'm a Windows NT expert. I was using that between 1994 and 1996, and I mean, I mean.

That's everybody's favorite vulnerability, right? I'm not even a hacker.

I'm your guy. And so one of the challenges that we're facing is, how do you go into these legacy environments that have very mission-critical operations and integrate cybersecurity to protect and ensure their mission? And so we're working with companies like Forescout that provide agentless capabilities that allow us to better, one, understand what's in the environment, and then be able to apply policies to better protect and defend them. But certainly it's a major issue that everyone's facing. We spend a lot of time talking about issues in manufacturing, but think about the utilities. Think about the power grid. Think about building control systems, HVAC. I was talking to a client that has a very critical mission and I asked them, I'm like, what's your biggest challenge that you face today? And I was thinking they were going to be talking about their mission control system or some of the real critical assets they have. But he said, my biggest challenge is my HVAC. And I'm like, really? He's like, if my HVAC goes down, my operation's going to be disrupted. I'm going to have to COOP halfway across the country, and that could result in loss of life. It's a big issue.

Yeah, it's wild. Triggered all kinds of, I think Mike earlier today said that a lot of the devices, you don't even know you're running NT. It's like a little tiny version of NT that's running underneath the operating system that's running this device. So you don't even know it. And it's funny, you talk about the HVAC, there was a keynote earlier today where they talked about if a data center's HVAC goes down for, I think she said 60 seconds, stuff starts turning off. So depending on what that thing is powering, that's a pretty significant data point.

Yeah, I think where we are in the journey in the OT is we started by creating the burning platform, making sure that there was awareness around, hey, there is a problem, there is a threat. I think we've moved beyond that. We then moved into segmenting the IT and the OT environment. A lot of the major nation-state attacks that we've seen started in the enterprise and moved laterally into the OT environment. So we're starting to get better segmentation in place. Now we're getting to a point where we're moving into the shop floors, the manufacturing facilities, the utilities, and we're starting to understand what's on the network, right? In the IT world, this is something they've probably been struggling with for years and they've started to overcome, but in the OT environment it's still a problem. So we're understanding what's connected to the network and then building strategies for how we can really protect and defend it. And the difference is, it's not just about protecting and defending, but it's ensuring continuity of mission. It's about being resilient.

Right, and being able to find if there's a problem, shut down the problem, because I mean, we're almost numb to the data breaches, right? They're in the paper every day. I mean, I think FICO was probably the last big one when everyone had a conniption fit. Now it's like, oh, okay, it's another data breach. So it's a big issue.

That's right.

So one of the things you talked about last time we had you on was continuous diagnostics and mitigation. I think it's a really interesting take that's pretty clear in the wording that it's not a buy something, put it in and go on vacation. This is a constant and ongoing process that you have to really be committed to.

Yeah, I think that our clients, both federally and commercially, are moving beyond compliance. And if you rewind the clock many years ago, everyone was looking at these compliance scores and saying, good to go. And in reality, if you're compliant, you're really looking in the rearview mirror. And it's really about putting in programs that are continually assessing risk, continuing to take a continuous look at your environment so that you can better understand what are the risks, what are the threats, and that you can prioritize activity and action. And I think the federal government is leading the way with some major programs, like out of DHS, Continuous Diagnostics and Mitigation, where they're really looking to up-armor .gov and really take a more proactive approach to securing critical infrastructure.

I'm just curious, because you kind of split the fence between the federal clients and the commercial clients. Everybody's kind of point of view impacts the way they see the world. What if you could share kind of maybe what's more of a federal-centric view that wasn't necessarily shared on the commercial side, that they prioritize, and then what's kind of the one on the commercial side that the feds are missing? I assume you want to get them both kind of thinking about the same thing, but there's got to be a different set of priorities.

Yeah, I think after some of the major commercial breaches, we saw the commercial entities go through a real focused effort to take the tools that they have in the infrastructure to make sure that they're better integrated, because in this mass product landscape, there's lots of seams that the adversaries live in, and then better tie the tooling in the infrastructure with security operations. And on the security operations side, take more of an intelligence-driven approach, meaning that you're looking at what's going on out in the wild, taking that information, being able to enrich it, and using that to be more proactive. Instead of waiting for an event to pop up on a screen, hunt for adversaries in your network. Now we're seeing the commercial market really refining that approach, and now we're seeing our government clients start to adopt and embrace commercial best practices.

So I'm curious, I love that line, adversaries live in the seams. We're going to an all-hybrid world, right? Public cloud is kicking tail. Most people have stuff in public cloud, they have stuff in their own cloud, they have, it's a very kind of hybrid ecosystem. That sounds like it's making a whole lot of seams.

Yeah, just when we think we're getting there, we're getting the enterprise under control, we've got asset management in place, we're modernizing security operations, we're being more hunt-driven, more proactive, now the attack surfaces are expanding. Earlier we talked about the OT environment, that's introducing a much broader and new attack surface, but now we're talking about cloud, and it's not just a single cloud, there's multiple cloud providers. And now we're talking about software as a service, and multiple software-as-a-service providers. So it's not just what's in your environment now, it's your extended enterprise that includes cloud, software as a service, IT, or excuse me, OT, IoT, and the problem's getting much more complex. And so it's going to keep us busy for the next couple years.

Yeah, I think job security's okay.

I think we're going to be busy.

All right, Brad, before I let you go, just kind of top trends that you're thinking about, what you guys are looking at as a company as we head into 2019.

Yeah, you know, a couple of things. Booz Allen being deeply rooted in defense and intelligence, we're working to unlock our tradecraft that we've gained through years of dealing with the adversary and working to figure out how to better apply that to cyber defense, things like advanced threat hunting, things like adversary red teaming, things like being able to do baselining to assess the effectiveness of an organization. And then last but not least, AI. AI is a big trend in the industry. It's probably become one of the most overused buzzwords, but we're looking at specific use cases around artificial intelligence. How do you better accelerate tier one, tier two event triaging in a SOC? How do you better detect adversary movement to enhance detection in your enterprise? And AI is a very major term that's being thrown out at this conference, but we're really looking at how to operationalize that over the next three to five years.

Right, right. And the bad guys have it too. And never forget Amara's Law, one of my favorite not-quoted-enough laws, right? We tend to overestimate in the short term and underestimate in the long term.

That's right.

So maybe today's buzzword, but three to five years, AI is going to be everywhere.

Absolutely.

All right. Well, Brad, thanks for taking a few minutes of your day and stopping by.

Thank you. Good to see you again.

All right, he's Brad, I'm Jeff. You're watching theCUBE. We're at RSA Conference in downtown San Francisco. Thanks for watching. We'll see you next time.