Hello, everyone from Palo Alto, Lisa Martin here. This is theCUBE's coverage of Cloud Native SecurityCon, the inaugural event. I'm here with John Furrier in studio in Boston. Dave Vellante joined us and our guest Liz Rice, one of our alumni, is joining us from Seattle. Great to have everyone here. Liz is the Chief Open Source Officer at Isovalent. She's also the Emeritus Chair, Technical Oversight Committee at CNCF and a co-chair of this new event. Everyone, welcome, Liz. Great to have you back on theCUBE. Thanks so much for joining us today.

Thanks so much for having me, pleasure.

So, Cloud Native SecurityCon, this is the inaugural event, Liz. This used to be part of KubeCon. It's now its own event in its first year. Talk to us about the importance of having it as its own event from a security perspective. What's going on? Give us your opinions there.

Yeah, I think security was becoming so, such an important part of the conversation at KubeCon CloudNativeCon. And the TAG Security, who are organizing the co-located Cloud Native Security Day, which then turned into a two-day event. They were doing this amazing job and there was so much content and so much activity and so much interest that it made sense to say, actually, this could stand alone as a dedicated event and really dedicate all the time and resources of running a full conference just thinking about Cloud Native Security. And I think that's proven to be true. There's plenty of really interesting talks that we're going to see. Things like a capture the flag. There's all sorts of really good things going on this week.

Liz, great to see you. And Dave, great to see you in Boston. Lisa, great, great intro. Liz, you've been a CUBE alumni. You've been a great contributor to our program and being part of our team, kind of extracting that signal from the CNCF Cloud Native World KubeCon.
This event really kind of to me is a watershed moment because it highlights, not only security as a standalone discussion event, but it's also synergistic with KubeCon. And as co-chair, take us through the thought process on the sessions, the experts. It's got a practitioner vibe there. So we heard from Priyanka early on, bottoms up, developer first. And KubeCon, shift left was big momentum. This seems to be a breakout of a very focused security. Can you share the rationale and the thoughts behind how this is emerging and how you see this developing? I know it's kind of a small event, kind of test on the waters it seems, but this is really a directional shift. Can you share your thoughts?

Yeah, there's just so many different angles that you can consider security. You know, we're seeing a lot of conversations about supply chain security, but there's also runtime security. I'm really excited about eBPF tooling. There's also this opportunity to talk about how do we educate people about security and how do security practitioners get involved in cloud native and how do cloud native folks learn about the security concepts that they need to keep their deployments secure. So there's lots of different groups of people who I think maybe at a KubeCon is so wide, it's such a diverse range of topics. If you really just want to focus in, drill down on what do I need to do to run Kubernetes and cloud native applications securely? Let's have a really focused event and just drill down into all the different aspects of that. And I think that's great. It brings the right people together, the practitioners, the experts, the vendors too. Everyone can be here and we can find each other at a smaller event. We're not spread out amongst the thousands of people that would attend a KubeCon.

It's interesting, Dave, when we were talking, I'm going to bring you in real quick because AWS, which I think is the bellwether for cloud computing, has now two main shows. AWS re:Invent and re:Inforce.
Security again, broken out there. You see the classic security events, RSA, Black Hat, those are the industry, kind of mainstream security, very wide. But you start to see the cloud native developer first with both security and cloud native, kind of really growing so fast. This is a major trend for a lot of the ecosystem.

You know, and you hear, when you mentioned those other conferences, John, you hear a lot about shift left. There's a little bit of lip service there. And we heard today way more than lip service. I mean, deep practitioner level conversations. And of course, the runtime as well. Liz, you spent a lot of time obviously in your keynote on eBPF. And I wonder if you could share with the audience, why are you so excited about that? What makes it a more effective tool compared to other traditional methods? I mean, it sounds like it simplified things. You talked about instrumenting nodes versus workloads. Can you explain that in a little bit more detail?

Yeah, so with eBPF programs, we can load programs dynamically into the kernel and we can attach them to all kinds of different events that could be happening anywhere on that virtual machine. And if you have the right knowledge about where to hook into, you can observe network events. You can observe file access events. You can observe pretty much anything that's interesting from a security perspective. And because eBPF programs are living in the kernel, there's only one kernel shared amongst all of the applications that are running on that particular machine. So you no longer have to instrument each individual application or each individual pod. There's no more need to inject sidecars. We can apply eBPF based tooling on a per node basis, which just makes things operationally more straightforward. But it's also extremely performant.
We can hook these programs into events that typically very lightweight small programs, kind of emitting an event, making a decision about whether to drop a packet, making a decision about whether to allow file access, things of that nature. They're super fast. There's no need to transition between kernel space and user space, which is usually quite a costly operation from a performance perspective. So eBPF makes it really, it's taking the security tooling and other forms of tooling, networking and observability. We can take these tools into the kernel and it's really efficient there.

So, if I may, one just quick follow-up. You gave kind of a space age example in your keynote. When do you think a year from now we'll be able to see some real world examples in action? How far away are we?

Well, some of that is already pretty widely deployed. I mean, in my keynote I was talking about Cilium. Cilium is adopted by hundreds of really big scale deployments. The users file is full of household names who have been using Cilium. And as part of that, they will be using network policies. And I showed some visualizations this morning of a network policy. But again, network policy has been around pretty much since the early days of Kubernetes. It can be quite fiddly to get it right, but there are plenty of people who are using it at scale today. Then we were also looking at some runtime security detection, seeing things like, in my example, exfiltrating the plans to the desktop, looking for suspicious executables. And again, that's a little bit, it's a bit newer, but we do have people running that in production today proving that it really does work and that eBPF is a scalable technology. I've been fascinated by eBPF for years and it's really amazing to see it being used in the real world now.

So Liz, you're a maintainer on the Cilium project. Talk about the use of eBPF in the Cilium project.
How is it contributing to cloud native security and really helping to change the dials on that from an efficiency, from a performance perspective, as well as what's in it for me as a business perspective?

Mm-hmm. So Cilium is probably best known as a networking plug-in for Kubernetes. When you're running Kubernetes, you have to make a decision about some networking plug-in that you're going to use. And Cilium is an incubating project in the CNCF. It's the most mature of the different CNIs that's in the CNCF at the moment. As I say, very widely deployed. And right from day one, it was based on eBPF. And in fact, some of the people who contribute to the eBPF platform within the kernel are also working on the Cilium project. They've been kind of developed hand in hand for the last six, seven years. So really being able to bring some of that networking capability, it required changes in the kernel that have been put in place several years ago so that now we can build these amazing tools for Kubernetes operators. So we're using eBPF to make the networking stack for Kubernetes and cloud native really efficient. We can bypass some of the parts of the network stack that aren't necessarily required in a cloud native deployment. We can use it to make these incredibly fast decisions about network policy. And we also have a sub-project called Tetragon, which is a newer part of the Cilium family, which uses eBPF to observe these runtime events, the things like people opening a file or changing the permissions on a file or making a socket connection. All of these things that as a security engineer you're interested in: who is running executables, who is making network connections, who is accessing files. All of these operations are things that we can observe with Cilium Tetragon.

I mean, it's exciting. We've chatted in the past about that eBPF, extended Berkeley packet filtering, which is about the Linux kernel.
And I bring that up, Liz, because I think this is the trend I'm trying to understand with this event. It's, I hear bottoms up developer, developer first. It feels like it's an under the hood infrastructure security geek fest for practitioners because Brian in his keynote mentioned BIND and referenced the late Dan Kaminsky, who actually found that error in BIND, in DNS. He mentioned DNS. There's a lot of things that's evolving at the silicon, kernel, kind of root levels of our infrastructure. This seems to be a major shift in focus and rightfully so. Is that something that you guys talk about or is that coincidence or am I just overthinking this point in terms of how nerdy it's getting in terms of the importance of, you know, getting down to the low level aspects of protecting everything? And as we heard also, the quote was no software is secure. So that's up and down the stack of the kind of the old model. What's your thoughts and reaction to that?

Yeah, I think a lot of folks who get into security really are interested in these kind of details. You know, you see write-ups of exploits and they're quite often really involved and really require understanding these very deep detailed technical levels. So a lot of us can really geek out about the details of that. The flip side of that is that as an application developer, you know, as if you're working for a bank, working for a media company, you're writing applications, you shouldn't have to be worried about what's happening at the kernel level. This might be kind of geeky interesting stuff but really operationally it should be taken care of for you. You've got your work cut out building business value in applications.
So I think there's this interesting kind of dual track going on, almost, if you like, of the people who really want to get involved in those nitty gritty details and understand how the underlying, you know, the kernel level exploits maybe are working, but then how do we make that really easy for people who are running clusters to, like you said, nothing is ever secure, but trying to make things as secure as they can be easily and make things visual, make things accessible, make it easy to check whether or not you're compliant with whatever regulations you need to be compliant with. That kind of focus on making things usable for the platform team, for the application developers who deliver apps on the platform.

I noticed that the word expert was mentioned. I mentioned earlier with Priyanka, was there a rationale on the 72 sessions? Was there thinking around it? Or was it kind of like these are urgent areas, they're obvious low hanging fruit? Was there, take us through the selection process of, or is it just let's get 72 sessions going to get this thing right?
No, we did think quite carefully about how we wanted to, what the different focus areas we wanted to include. So we wanted to make sure that we were including things like governance and compliance and that we talk about not just supply chain, which is clearly a very hot topic at the moment, but also to talk about, you know, threat detection, runtime security. And also really importantly we wanted to have space to talk about education, to talk about how people can get involved, because maybe when we talk about all these details and we get really technical, maybe that's a bit scary for people who are new into the cloud native security space. We want to make sure that there are tracks and content that are accessible for newcomers to get involved, because given time they'll be just as excited about diving into those kind of kernel level details. But everybody needs a place to start and we wanted to make sure there were conversations about how to get started in security, how to educate other members of your team in your organization about security. So hopefully there's something for everyone.

That education- What's the- Oh, sorry, Dave.

What's the buzz on AI? We heard Dan talk about, you know, ChatGPT, using to automate spear phishing. There's always been this tension between security and speed to market, but CISOs are saying, hey, we're going to a zero trust architecture and that's helping us move faster. Will, is the talk on the floor of AI is going to slow us down a little bit until we figure it out, or is it actually going to be used as an offensive defensive tool, if I can use that angle?

Yeah, I think all of the above. I actually had an interesting chat this morning, was talking with Andy Martin from ControlPlane, and we were talking about the risk of AI generated code that attempts to replicate what open source libraries already do.
So rather than using an existing open source package, an organization might think, well, I'll just have my own version and I'll have an AI write it for me. And I don't, you know, I'm not a lawyer so I don't know what the intellectual property implications of this will be, but imagine companies are just going, well, you know, write me an SSL library. And that seems terrifying from a security perspective because there could be all sorts of very slightly different AI generated libraries that pick up the same vulnerabilities that exist in open source code. So I think we're going to go through a pretty interesting period of vulnerabilities being found in AI generated code that look familiar and we'll be thinking, haven't we seen these vulnerabilities before? Yeah, we did, but they were previously in handcrafted code and now we'll see the same things being generated by AI. I mean, in the same way that if you look at an AI generated picture and it's got, I don't know, extra fingers or, you know, extra ears or something, that AI does make mistakes.

So Liz, you talked about the education, the enablement of 72 sessions, the importance of Cloud Native SecurityCon being its own event this year. What are your hopes and dreams for the practitioners to be able to learn from this event? How do you see the event as really supporting the growth, the development of the Cloud Native Security community as a whole?

Yeah, I think it's really important that we think of it as a Cloud Native Security community. You know, there are lots of interesting sort of hacker community, security related community. Cloud Native has been very community focused for a long time. And we really saw, particularly through the TAG, the Security TAG, that there was this growing group of people who really wanted to work at that intersection between security and Cloud Native. And yeah, I think things are going really well this week so far. So I hope this is, you know, the first of many editions of this conference.
I think it will also be interesting to see how the balance between a smaller, more focused event compared to the giant KubeCon and CloudNativeCons. I, you know, I think there's space for both things, but whether or not there will be other smaller focus areas that want to stand alone and justify being able to stand alone as their own separate conferences, it speaks to the growth of Cloud Native in general that this is worthwhile doing.

It is, and it also speaks to, reminds me of our tagline here at theCUBE, being able to extract the signal from the noise. Having this event as a standalone, being able to extract the value in it from a security perspective, that those practitioners and the community at large is going to be able to glean from these conversations, is something that will be important that we'll be keeping our eyes on.

Absolutely makes sense to me, yes.

Yeah, and I think, you know, one of the things, Lisa, that I want to get in, and if you don't mind asking Dave his thoughts, because he just did a breaking analysis on the security landscape. And Dave, you know, as Liz is talking about some of these root level things, we talk about silicon advances, powering machine learning. We've been covering a lot of that. You've been covering the general security industry. We've got RSA coming up, re:Inforce with AWS. And as you see the Cloud Native developer first really driving the standards of the super cloud, the multi-cloud, you're starting to see a lot more application focus around latency and kind of controlling that, the abstraction layer, you're starting to see a lot more growth. What's your take, Dave, on what Liz is talking about? Because, you know, you're analyzing the horses on the track, and there's sometimes the old guard security folks, and you got open source continuing to kick butt. And even on the ML side, we've been covering some of these foundation models. You're seeing a real technical growth and open source at all levels.
And, you know, you've still got some proprietary machine learning stuff going on, but security's integrating all that. What's your take, what's your breaking analysis on the security piece here?

I mean, to me, the two biggest problems in cyber are just the lack of talent. I mean, it's really hard to find super deep expertise and get it quickly. I think the second is it's just so many tools to deal with. And so the architecture of security is just this mosaic and a mess. That's why I'm excited about initiatives like eBPF because it does simplify things and developers are being asked to do a lot. And I think one of the other things that's emerging is when you, when we talk about industry 4.0 and IIoT, I'm seeing a lot of tools that are dedicated just to that, you know, slice of the world. And I don't think that's the right approach. I think that there needs to be a more comprehensive view where we're seeing, you know, zero trust architectures come together and it's going to take some time. But I think that you're going to definitely see, you know, some rethinking of how to architect security. It's a game of whack-a-mole. But I think the industry is just, the technology industry is doing a really, really good job of, you know, working hard to solve these problems. And I think the answer is not just another bespoke tool. It's a broader thinking around architectures and consolidating some of those tools, you know, with an end game of really addressing the problem in a more comprehensive fashion.

Liz, in the last minute or so we have, your thoughts on how automation and scale are driving some of these forcing functions around, you know, taking away the toil and the muck around developers who just want stuff to be code, right? So infrastructure as code. Is that the dynamic here? Is this kind of like new or is it kind of the same game, different kind of thing? Because you're seeing a lot more machine learning, a lot more automation going on.
What's, what's, is that having an impact here? What's your thoughts?

Automation is one of the kind of fundamental underpinnings of cloud native. You know, we're expecting infrastructure to be written as code. We're expecting the platform to be defined in YAML essentially. You know, we're expecting the Kubernetes and surrounding tools to self-heal and to automatically scale and to do things like automated security. But if we think about supply chain, you know, automated dependency scanning, think about runtime, network policy is automated firewalling, if you like, for a cloud native era. So I think it's all about making that platform predictable. Automation gives us some level of predictability, even if the underlying hardware changes or the scale changes, so that the application developers have something consistent and standardized that they can write to. And, you know, at the end of the day, it's all about the business applications that run on top of this infrastructure.

Business applications and the business outcomes. Liz, we so appreciate your time talking to us about this inaugural event, Cloud Native SecurityCon 23. The value in it for those practitioners, all of the content that's going to be discussed and learned and the growth of the community. Thank you so much, Liz, for sharing your insights with us today.

Thanks for having me.

For Liz Rice, John Furrier and Dave Vellante, I'm Lisa Martin. You're watching theCUBE's coverage of Cloud Native SecurityCon 23.