 Hello everyone, welcome to this special CUBE conversation here in Palo Alto, California. I'm John Furrier, host of the CUBE. We have two special guests, Karim Toubba, CEO of Kenna Security, and Caroline Japic, CMO of Kenna Security. Great to see you guys. Thanks for coming on. Appreciate you taking the time, appreciate it. Thanks for having us. So RSA is coming up, big show. Security's at the top of the list of all companies. You guys have a very interesting company. Risk-based vulnerability management is like the core secret sauce. But there's a lot going on. Take a minute to talk about your company. What do you guys do? Why do you exist? Yeah, sure. Thanks for having us. You know, the security landscape, as you very well know, pretty crowded space, a lot of different vendors, a lot of technologies that enterprises and organizations have to deal with. What we do has a lot of complexity behind it, but in practicality for enterprises is actually quite simple. They have many, many data sources that are finding problems for them mapping to their attack surface. What are misconfigurations? Where are there vulnerabilities in your network or your host? Where are there vulnerabilities in your applications? We take in all of that data, specifically from 48 different data sources. We map it to what attackers are doing in the wild, run it through a lens of risk, and then enable the collaboration between IT and security on what to focus on at the tip of the spear with a high degree of fidelity and efficacy so that they know that they can't fix everything, but prioritize the things that matter and are going to move the meter the most. So you guys have emerged as one of those kind of new models, the new guard of security. It's interesting. It's been around for 10 years, but yet a lot's changed in 10 years, but a lot's evolving. Risk-based vulnerability management is the buzzword. RBVM, okay? Really comes from the founder of the company. 
Why is this becoming an important theme? Because you've got endpoints, you've got all kinds of predictive stuff with data, you've got surface areas growing, but what specifically about this approach, makes it unique and popular? Yeah, I think what's happening is if you, to really answer that question, you have to look at two different ends of the spectrum in terms of the business, the security side and the IT DevOps and application development side. And at the core of that is what was largely traditional tension. If you think about security teams, operations teams, incident response teams, you sit down with them and understand what they do on a day-to-day basis beyond the incident response and reaction side. They have a myriad of tools and technologies that discover problems, typically millions of issues. Then you go to the IT side and the application and DevOps side and they care about building the next application, making sure the systems are up and running. And what happens is we've gotten to the point where they can't possibly fix everything security is asking them to fix. And that's created a lot of tension. People have woken up, started to realize that that tension has to give way to collaboration. And the only way you can do that is enable security to detect all the problems, but then very quickly focus and prioritize on the things that matter. And then go to IT and then tell them specifically what to fix so that they have a high degree of precision and understanding that the needle will be moved relative to what they're asking them to do. So is it the timing of the marketplace and the evolution of the business where it used to be IT that handled it and now security's gotten broader in its scope that there's now too many cooks in the kitchen so to speak? 
Yeah, it's gotten broader in its scope and there's also been a realization that if you think about the security problem statement, they find all the problems, but if you peel back the layers, you quickly realize they own very little of the remediation path. Who fixes it? They being IT? They being security. You think, okay. Yeah, so it's actually quite fascinating. If you think about who fixes a vulnerability on an operating system like Windows or Linux, it's the IT team. If you think about who fixes or upgrades a Java library or rewrites an application that's DevOps or the application developers. But security's finding all the problems. So they're realizing as they deploy more tools, find more issues and increase the amount of data, they've got to get very precise and really enable an entirely new way of collaborating with IT so that they can get them to focus on the things that matter the most. Karim, I want to dig into some of the complexity but first I want to get to Caroline on the brand and the marketing challenge because it's almost an easy job in the sense because there's a lot of security problems out there to solve, but it's also hard on the other side is that where's the differentiation of so many vendors out there's a lot of noise. How are you looking at the marketplace? Because you guys are emerging in with nice lift on the value proposition, you won some recent awards. How do you view the marketplace? RSA is going to be packed with vendors, it's going to be wall to wall. We got put in the corner, we're going to have a small space with the cube, but there's a lot there and customers are being bombarded. How are you marketing the value proposition? You are right. There's so much noise out there, but we are very clear and precise on the value we bring to our customers. We also let our customers tell the story. 
So whether it's HSBC or SunTrust or Levi, we work with them very closely with those CSOs with their head of IT to understand their challenges and then to bring those stories to life so we can help other companies because our biggest challenge is that people just don't know that there's a better solution to this problem. This problem's been around a long time, it's getting worse every day, we're reading about the vulnerabilities that are happening on a regular basis. And we're here to let people know we can fix it and we can do it in a pretty quick and painless way. You mentioned before we came on camera that when you're getting known as the brand gets out there, but when you're in the deals, you win. Can you guys share some commentary on why that's the case, why are you winning? Yeah, but by the way, just to piggyback off that a little bit, there is a really interesting paradigm happening within the security space. If you look at the latest publications, there are 1400 of us all buzzing around with the same words. I think what Caroline and the team have done an exceptional job on, particularly in relative to the positioning, is we don't want to scare people into looking at Kenna. We want to be more ethereal than that and make them understand that we're ushering in a new way away from tension to an era of collaboration with IT DevOps and application teams. That's very different than telling somebody in your messaging, hey, did you hear the latest attack that happened at XYZ? That sort of fear and marketing through FUD is creating a lot of challenges for organizations and candidly is making CISOs and other people in security close the door. I've definitely heard that. Do you think that's happening a lot around here? I think that's happening a lot. 
I think we're sort of, you know, I like to think that Caroline and the team are sort of at the forefront of leading that initiative and you can, and we're doing it in every way possible to really sort of tell a much more positive story about how security can be smarter and spin in a positive light. In fact, the technology's enabling that, so it's consistent. We live in dark times, unfortunately, a lot of people like if it bleeds, it leads and that's the really kind of bad way to look at it. But back to your point about tension and collaboration because I think that's an interesting thread. There's a ton of tension out there. That's real from the CISOs perspective because there's too many teams. You got Blue Team, Red Team, IT, Governance, Compliance, Full Stack Developers. So you have now too many teams, too many tools that have been bought and it's like people have these platforms, they're drowning in this. How do you guys solve that problem? Yeah, back to that point of collaboration and what we've really found that's been interesting in solving that problem because what we're doing if you step back is we're bringing in all these data sources and where that tension comes in, if you unpack it a little bit, is from different people coming in with different data sources. So IT comes to the table about what to fix with their own point of view. Security comes with their own point of view. Application teams come with their own point of view. Governance and compliance comes with their point of view. What we do is we come in and even though we're technology, we're really aligning people in process. We're saying, look, we're gonna amass all that data. We're gonna very quickly use machine learning and a bunch of algorithms to sift through millions of pieces of data and divine what actually matters. 
It's empirical, it's evidence-based and we align all the organizations around that filter through risk so that there's agreement on how to measure that, what to prioritize, what to action and what the results look like. And when it turns out that when you get a bunch of people across an organization to get aligned around data that they all agree with as the source of truth, it gets much easier to get them to really focus on the things that ultimately matter. Well, it's a single version of the truth, right? It's a single version that they all can work from. Security isn't telling IT, this should be your priority today when they say, you don't know what my priorities are. It's actually the data that's telling them what their priorities are by role. And that's really important and really gets past all the friction and the fighting in between the teams. Yeah, and that's a great point. Back to my other question, I want to get back to you, Caroline, is what is the success formula look like for you guys? Why are you winning? What are the feedback you're hearing from your customers? Because at the end of the day, references are important but also success is a tell sign. So what's the reasons for the behind the success? Yeah, I'll let Karim talk about being face-to-face with customers because he does that all the time. But what we're seeing is that the customers are resonating with the story that we're telling. They understand they have the problem, we're laying out in a very simple way to be able to solve their solution and that's working. You know, we've redone our positioning, our messaging, we've trained our sales team, people understand the value we can bring and that's what we're communicating and that's what's working. Karim, please add on that, I want to get more into this. Yeah, and on the customer side, what we see, and I'll give you a pretty classic example for us with a very large bank that's a customer of ours, we actually started on the security side, right? 
We sold to their deputy CISO to deploy and then eventually they doubled down and then deployed globally across 64 countries and that happened sponsored by the CIO. Now we're a security company, so you ask the question, well, why did that get driven in that structure and why did that deal go down ultimately in that way and what was the real value? The value to the security person was clear, I want to aggregate 10 to 12 different data sources, I want to prioritize, I want to collaborate with IT. The value to the CIO was the CIO happens to own all the application developers and all the IT people and the security people on a global basis and so what they wanted to do is they wanted to understand what the risk was for each of the lines of businesses they had within the organization so that they can hold the business users accountable to paying a small tax for security, not just developing the next billion dollar high net worth application which is extremely important to those businesses but at the same time ensuring that they're secure and so that leverage when you start with security and then branch out in other organizations especially in large multinational organizations is really where the real value comes into the platform. So if I hear you correctly, you come in for security, okay, we can get rid of the noise, help you out, check, win and then the rest of the organization doesn't have security teams per se. Correct. Needs security to be built in from day one. Correct. You're providing a cross connect of value to the other teams. That's right. It's almost like security is code if you will. That's right and nowhere is that more evident in our utilization statistics. So we're a SaaS platform, so of course we like many other SaaS companies do a bunch of analytics on utilization of our customers. 
More often than not in our large scale enterprises we actually have more IT and non-security users logging into Kenna in a self-service model because they're the ones back to the point you made earlier that are actually driving the remediation path. Take us through how that works. So say I'm interested, okay, you sold me on it. Great, I need the pain relief on the security side. I need the enablement and the empowerment on the collaboration side. What do I do? Do I just plug my databases into you? Is it API driven? Are you on Amazon? Are you on Azure? What's cloud doing? What am I dealing with? Take me through the engagement. Yeah, so we're 100% cloud based platform, we're multi-cloud. So we can deploy in AWS, we can deploy in Google, et cetera. And then what we do is we effectively through a bunch of APIs called connectors that are transparent to the customers, we enable them to bring in their data. So this is everything from traditional scanning data like Qualys, Rapid7, Tenable, more newer data like CrowdStrike, Tanium, DAST, SAST, software composition analysis tools, WhiteHat, Veracode, Black Duck, Sonatype, you name it. The list goes on, specifically there's about 48 of them. All of that basically helps us understand what the totality of the attack surface is. That's very useful for security because they're using multiple tools. We then overlay what we call exploit intel. This is the data that tells us about what attackers are doing in the wild. Specifically we have five billion pieces of data that tell us about what vulnerabilities are being popped, what's the rate of change, what malware are they being embedded in. That information is used through machine learning to help us prioritize and risk score each of the findings we get from the customer tools. And then where it pivots over to IT is we then allow them to take all of that data and that metadata and asset criticality into what we call risk meters. So they're basically aligned with how IT operates. 
So for example, if you own all the Linux infrastructure in the cloud, you log in, you'll only see the risk across the infrastructure you own. Whereas if Caroline owns all the endpoint real estate across Windows, she logs in and understands what her risk is across Windows. And then we of course integrate in the ticketing systems to drive the remediation and report up to executives and then over to security about what the workflow is. So you guys really focus in not so much on the security NOC or the SOC. It's more on indexing, if you will, lack of a better description, the surface area. Correct. And getting that prepared from a visibility standpoint to acquire the data. That's right. And then leveraging that across. Across the organizations, yeah. To get that right. It's exactly right. And if you ask, if you, again, double click deeper on that, what's fascinating to watch. So we have an annual or bi-annual report that we do called Prioritization to Prediction, or P2P. And this is all of our customer data completely anonymized in a warehouse and then we run a bunch of reports. And a lot of the analytics we ran initially were around security. Now we're starting to pivot into IT. If you look at our latest report, one of the most interesting things I found in my time here is that the average large scale enterprise has actually no more than 10% remediation capacity. So what does that tell you? That tells you that 90% of the problems are going to go unsolved, which pinpoints why it's even more important to have specific prioritization on the things that matter. They solved the right 10%. At the right time too. At the right time. 10% capacity, operating capacity, assuming it's some automation that might take care of some of the low hanging fruit. Exactly. True dev ops or automation. You can focus on those 10% at that right time. Which, by the way, if you use that capacity for the wrong problems at the wrong time, it's wasted capacity. That's right. 
That's what you guys are trying to get at. That's exactly right. Work smarter, not harder. So Kenna Security, what's the vision? What's the next step? Why should someone care about working with you guys? Why is it important to engage you guys? What's the big deal? Is it the risk-based vulnerability kind of origination invention, which is the core of the DNA? Or is it something bigger? What's the vision? What's the why? Yeah. Well, look, for us, we started. Our company was actually founded by a gentleman by the name Ed Bellis, who's the ex-chief security officer at Orbitz. And he founded the company out of a need. We started very early in the traditional peer vulnerability space. This was like classic Qualys, Rapid7, Tenable. We then expanded into the application world. So this is starting to take in moving up stack, if you will, full stack. As the environment moves to cloud, as the environment moves to containers, as the environment moves to configuration management, as the environment moves to a much more ephemeral state, that will drive an entirely new set of data sources, that will drive an entirely different new set of priorities, all aligned with the same model of risk. So our view of the future is that we are the platform that enables the organization to understand the totality of the attack surface, that enables collaboration across all the groups that deal with technology within enterprises, and allows them to really prioritize and understand risk in a way that not only fosters the collaboration, but gives you that return on investment that candidly, ultimately, CIOs are looking for. Caroline, the story from a marketing perspective, what's the story you're trying to tell? You know, we started this space. Our founder, Ed Bellis, is the father of risk-based vulnerability management, and he loves it when I say that, but it's 100% true. We are continuing down this path. 
I mean, there are so many companies that have this problem that don't know that there's a better way to solve it. And so for now, our mission is to make sure that we're educating those people, they understand what's possible to do today, and then continuing from there, so. Well, I really appreciate you guys coming in and introducing and sharing more about Kenna Security. We've been seeing successes. I'm going to ask you about what you guys think about RSA. I'd love to get both of you guys to weigh in. But before we get to the RSA kind of what's coming, take a quick minute to plug the company. What are you guys looking to do? You're hiring, you just got some funding. Give the quick pitches. Yeah, sure, we did. We just closed a $48 million Series D round. We had all of our investors and a new investor, Sorenson Ventures, come in. We also had two strategic investors, Citi and HSBC, because we do quite well, very good validation. And we're also quite prominent in the financial services vertical, it helps that. And so for us, it's really about scaling, right? Scaling people, scaling the technology, scaling capabilities. Across the board, and you went to the Department of Engineering, obviously, sales. Engineering sales geographies, it's really about getting the word out there and then being able to follow that up with, with the feet on the street that matter. We're definitely hiring, but we're also growing through OEMs. So we have a relationship with VMware, they're embedding us into their AppDefense products. And so if you buy AppDefense from VMware, you are buying Kenna, whether you know it or not. So you can be an ingredient in other products. That's right. And or direct or indirect, probably some channel ecosystem opportunities. That's right. So we're growing on the technology partner OEM front. We're definitely interested in talking to companies that are interested on that front. 
We should do a whole segment on my fascination with what I call tier two or tier one B clouds, specialty clouds, security clouds. So maybe do that another time. Okay, final question for you guys. RSA is coming this year, 2020. And then a series of other events. Cloud security has been a hot topic since re:Inforce last year was launched, we were there kicking off the cube in security. What do you guys expect this year at RSA? What do you think the big themes are going to be? The hype, the meat on the bone. What's the real deal? What's the hype? What do you guys think is going to happen? I'll let you start. Yeah, I can tell you, our theme is the right fight club because we are focused on the right fight that you need to have every day inside your enterprise. It's not focused on all the vulnerabilities that are hitting you because there are hundreds of thousands of them, millions of them, and there's going to be more every single day. It's about fighting the right fight. So if you come by our booth, you'll see that it's going to be very exciting. Of course, don't talk about the fight club vulnerabilities. You know the rules of the fight club. The first rule is to talk to Kenna about the right fight club. That is the first rule. That's cool. Yeah, I mean, it's interesting. You know, as you very well know, every year when people walk away from RSA, there's a few blogs that are written about what was the theme this year. I suspect this year's in security specifically is going to be about AI-driven security. You know, we've been starting to see that for a while. It started to bleed into last year's event. I think for us in particular, we have a very particular point of view. And our point of view is that it doesn't matter if it's ML, if it's AI, or what type of algorithms you're running. The question is what's the value? What is the value? 
When you have 1,400 people all screaming to get in the door of an organization, everybody really has to begin to answer that question fundamentally. And I think the people that have that position in the market are the people that are going to be able to stand out. It's interesting. There's always the hype with AI, but it's interesting. I was just trying to figure out when the term "there is no perimeter" was kind of first coined in theCUBE. I'm thinking probably about five years ago, it really became a narrative. And then more recently with the cloud, the perimeter is dead as we go, the new edge is out there. So this is, what's the gestation period of real scalable security post perimeter is dead? It's interesting. Years, it seems to be hitting this year. It seems to be the point where, okay, I tried everything. Now I got to be data driven or figure out a way to map the surface area. That's right. That's right. Well, thanks to Kenna Security coming in, a solution for figuring out the vulnerabilities with a real invention. We're going to be covering security at RSA with Kenna Security and others. Thanks for watching. This is theCUBE.