From London, England, it's theCUBE. Covering Discover 2016 London, brought to you by Hewlett Packard Enterprise. Now, here are your hosts, Dave Vellante and Paul Gillin.

Welcome back to ExCeL London. It is still bloody cold, it's 27 degrees outside. Beautiful day here, but it feels like we're back in Boston. Paul Gillin and I are pleased to have Vinay Anand here. He's the Vice President and General Manager of Aruba ClearPass. Welcome to theCUBE.

Nice to be here.

Good to see you. So, Aruba now has been integrated, reverse integrated, I guess, I would say, into HPE. What's the vibe?

It's very positive, we're doing extremely well. I think the assets, when you combine what we have from Aruba and with HPE, it makes a very, very potent combination.

So tell us more about ClearPass. We heard a lot about it yesterday on theCUBE, but set it up for our audience.

So ClearPass is a network admission control solution. So it essentially is a policy platform for enterprises. Every time you connect a device to an enterprise network, ClearPass intercepts the connection and is able to profile the device and ensure that the device has the right access. And if the device doesn't have the right credentials or is not connecting from the right place, then we can prevent access. So not only does it ensure that the right device and user has access to the right assets in the enterprise, if during that connection, something goes wrong, ClearPass can go and shut down the device. It can go and quarantine it, put it in a separate zone, give you access only to the internet, or even kick you off the network. So it's a very comprehensive platform that allows administrators to define access policies in the network and enforce that.

And this is something you know a little bit about. You hold a patent, I believe, on network access related to maybe home.

Yeah, yeah, yeah, right. Right, home gateways. Oh, you did your research.

We try here on theCUBE. LinkedIn is a wonderful place.
Okay, so Paul and I were talking yesterday about, you know, the kiddie script that took down the network, the Twitter network, and so forth. Basically attacked, my understanding is that it attacked IP cameras and DVRs. And the factory settings were, devices supposedly made in China, and when the user changed the password, the factory setting remained, and they tunneled in and were able to, would you be able to have thwarted that kind of DDoS attack?

Perfect instance, this is exactly what we can prevent. So a digital camera, right? First of all, what we do is when we discover a device, the first thing we do in ClearPass is do network discovery. So we provide visibility of every device that's connected to the network. So when we discover a device, we are able to profile it and say this is a Linux-based camera and this is its behavior. So that is step one. And then we know, because a policy is defined on ClearPass, that says this camera is allowed to connect only to its controller and nowhere else. So when it gets hacked and the camera starts doing other things, connecting to something else, or sending traffic that's not normal, we can detect that and we can actually enforce a policy that kicks the camera off the network. So if we were deployed and if we had the right configuration, we could have prevented this.

Now I assume that the IoT is a big opportunity for you in this context because of the security. The big DDoS attack that Dave referred to has got a lot of people spooked about IoT. What specific value do you bring to that equation?

Yeah, so IoT, right, given, so let me step back a little. The challenge with IoT is within enterprises. We're talking of corporate and enterprise IoT, not the wristbands you wear at home and other things. The challenge, the first and foremost challenge, is that there is no visibility. Different groups are bringing on their own devices. The building maintenance guys bring on sensors and other things.
Business groups are bringing on different devices. The centralized IT team doesn't have visibility to all the devices that are coming on. So first and foremost, the biggest problem is just visibility. For the IT guy to sit there and say, I know what's on my network. If you turn the dial back about seven, eight years ago, when BYOD started, when we all started using these, this was the same conversation we were having.

That's right.

I don't know what's on my network. People are bringing all their phones and connecting. So we sorted that out and think of this as just another more extreme instance of the same use case. So first and foremost, we had to find out and discover everything that's on the network. And then we are able to enforce policies and behavior. So in this instance with these botnets, and yesterday there was a bigger attack bringing on a bunch of home routers, hundreds of thousands, similar one. The challenge here is all these devices are getting compromised and they're made to do things they're not normally meant to do. And this is where ClearPass comes in. When a device misbehaves, when this device goes into the network and does things that are not supposed to be normal, the policy defined in the platform instantly identifies that the behavior of the device has changed and this is outside of the parameters defined for it. And then we can take enforcement action. Enforcement could be any number of things.

With smartphones you had the market obviously consolidate around iOS and Android devices. And I presume that helped, but maybe not. Is the diversity of IoT devices a challenge or are there similar standards for all the things that are out there?

It is a challenge. There's a lot of similarity. When you go beyond the application layer and look at the foundation, the hardware and the operating system, there are only so many. And then of course you do different apps. But we are constantly discovering new IoT devices. This is still new, right?
This space is emerging. So that is a challenge that the number of devices and the types of devices are much more than what we had with Android and iOS.

I hear increasingly from security experts that perimeter security is just a lost cause now. You can't keep the bad guys out; what you have to do is isolate, contain, minimize the damage. What you're doing is essentially perimeter security though, isn't it?

Well, not exactly. So I spent my whole life doing perimeter security. I know a little bit of the history there. It's not a completely lost cause. You can still stop 99.5% of the attacks, maybe even more. The challenge is that little percentage that you miss, that's becoming more frequent. The attackers are getting smarter. So whenever there's a new attack perimeter security doesn't know of, then they are not able to stop. Most known attacks, they figure out very well. They are very efficient in stopping most of the attacks. So it's still very valuable and a required component of your security infrastructure. But for those that are slipping through and those are becoming more common and more frequent, this is where you need other capabilities that look at post-breach detection. So the premise here is you will be breached or you are breached. The joke in the security industry is, everyone has been hacked. Some of you know that you've been hacked, others don't know. So what do you do when you are compromised? And that's where we come in. We don't stop the bad things coming in. If this is going to get compromised, ClearPass will not stop it. But once it's compromised and starts misbehaving, this is where we come in and we immediately identify where the behavior is off.

I think it was about three years ago, the big Target credit card theft, as I recall, was caused by an unprotected WiFi router in a Target store. Is that the type of problem you could have prevented?

Yes. In that specific instance, there was an HVAC controller.
There was a building AC system controller that got compromised.

Oh, it was an AC system?

Yeah, it was an HVAC controller that a contractor had access to, the HVAC contractor, to do maintenance. And their credentials got compromised. So someone else was able to come into that controller and use that as a base to go and infect all the point of sale terminals. So then every time you swipe your credit card, your credit card number was stolen and exfiltrated out. We could have prevented that because we would have profiled the HVAC controller and its connections and its behavior. And when it started connecting to point of sale, we would have immediately identified that this is not normal. And this violates the policy defined and we would have stopped that.

Now this assumes that the IT organization has its policy act together, right?

Of course.

They're good at setting policies, which is probably not always the case. What do you do to help them to do the device?

That's a very good point because as the number of devices and the number of things you do in your network becomes more complex, the policy infrastructure becomes more and more difficult. So we provide a very granular and scalable policy framework where you can define policies. For instance, a simple example. If I'm connecting from within the Aruba office, there's one policy that can be assigned to me based on my credentials and my access rights. If I'm connecting from outside, there's a different policy. They could very easily say, when I connect from an unknown location, enforce a second factor of authentication. So instead of my password and everything, it could ask for biometrics. It could say, we don't know if it's you. We need your thumbprint or we need to see your picture. So there's granularity where you can enforce a lot of these, but fundamentally the enterprise needs to know what their access policy is. We provide templates and we provide defaults, but they have to customize it.
And your point about sort of not knowing, if those have been infiltrated know it and those that don't, every time you're right, every time you see a survey, X percent say they've been infiltrated and Y percent don't know they have. So at the board level, the discussion is we know we're going to get infiltrated. It's how we respond to that. So you can dig them out. You still should dig them out is what you're saying. You're doing something differently, especially useful for internet of things. I feel like Stuxnet was a milestone in the bad guy world where they just, it created this sort of new level of threat and became much more insidious. And so the stat, and I first heard it from somebody at HP and I think it varies, but it's after you get penetrated, it takes on average, whatever, 200, 300, 365 days. It varies by whose source you use, but it's hundreds of days before you realize that. So there's a whole nother branch of security that is emerging around analytics and response. What are your thoughts on that? Where do you see yourselves fitting in? You have a lot of data?

Yeah, so that's a very good point. What happens is once you're compromised and you have this piece of code sitting on your system, it's watching the network. It's learning about the network. This is what takes those weeks, months, maybe several months, where it's just sitting and watching, collecting all intel on the network and figuring out what is the right time for me to attack. And on the back end, there's probably communication back to its command and control, getting more instructions, right? So that's what takes that time. Where we can help. So analytics is important. This whole area is called lateral movement or insider attacks. So connecting more and more analytics and behavior of this, let's say this is compromised and the malicious code is sitting here waiting for months together. But during those months, it's probing the network.
So if you are tracking every byte coming out of this system, you can see that there's a pattern of behavior where the probes are going out. It's scanning the systems. It's trying to collect information. So that itself is very valuable for you to figure out that there is something abnormal going on. So this category of solutions we're talking about, they are very, very important. We partner, we have a very tight alignment with them. We do a little bit of this, but this is not core to us. Core to us is policy enforcement.

But one of the things you could help with, I would think, is helping me understand the value of that device. Because if it's the CEO's device, that's one thing now. I don't know if there's an analog in the internet of things; there must be. I don't know, if it's a centrifuge of a nuclear power plant, that's probably a higher value.

The way you define that is your behavior definition is tighter. If there's a very important device, then you define what it can and cannot do with more absolute terms.

And you can define the response, presumably, as well.

You can define the response. One thing we do on our platform is we have very rich APIs. We integrate with about a hundred different technology partners. So you can orchestrate an entire workflow to happen in an automated fashion and something like this. So these analytics companies, they're all our partners. So what we do is we take input from them so when an analytic solution detects some malicious behavior or something unusual coming out of your laptop, for instance, and it raises a flag and says, I've been seeing this laptop for days, weeks, and suddenly the behavior is different and here are the things it's doing which it's not supposed to do. It can send us a signal and we can immediately quarantine this laptop. All automated, right? And we can restrict access or if necessary, we can kick it off the network. We can shut down the port, the switch port you're connected to.
We can raise a trouble ticket on ServiceNow or something else and that can go back to the IT help desk and they can come and tap you on your shoulder and say, what are you doing? All this can be automated. So we automate with the firewalls, with the endpoint security systems, the AV systems, with the MDMs. So any time any of these guys see interesting incidents, that comes to us and we can do the enforcement.

By most accounts, the security market is an unholy mess. There are more than 1,000 vendors. I think Ponemon estimates the average enterprise has 35 different security products. Do you see any end to this chaos?

Well, I think the way it's going to work out is you'll see more and more of these platforms emerge and you'll see more easy integration. So the move now, depending on which corporation you talk to or which enterprise you talk to is, how do I connect these dots? That's the most important thing. The fact that there are 500 or 1,000 companies doing different things just shows you how promising this market is for an entrepreneur and also shows you how much risk there is and the threats that are emerging and they keep getting worse. So you can't stop technology evolution. You can't stop people from coming in with solutions. What you can do is make it easier for enterprises to absorb this. So the more you build these extensible platforms that integrate and connect, the easier it is for the IT guys to deploy multiple solutions from different vendors and make them work in coordination. The market is not mature enough to say everything gets consolidated into two or three vendors or four vendors. We are not even close. And I don't think we'll get there anytime soon.

Yeah, chaos is lucrative and great opportunities. I've been a very important topic and great segment. Thank you very much for coming to theCUBE. Appreciate it.

Thank you very much.

Right there, everybody. We'll be back with our next guest. We're live from ExCeL London, the docks of London.
This is theCUBE, right back.