Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.
Live on, welcome back to theCUBE's live coverage in Boston, Massachusetts. Here for two days, AWS, Amazon Web Services, re:Inforce, their inaugural conference around security. I'm John Furrier, Dave Vellante. Our next guest, Andy Miller, Senior Director, Global Public Cloud at Sophos, based out of the UK and here in Burlington, Massachusetts. Welcome to theCUBE.
Thank you.
Looking good, love that jacket, nice color on you. They got the memo? They got the memo jacket.
Thanks for having me, it's great to be here, it's great to be a part of AWS's first security event, security-focused event. Not by coincidence, you know, happening right here where our US headquarters is, we're very excited to be a part of it. Wanted to share with you guys, I brought you a little gift.
That's awesome, definitely a part of our socks. Okay, I'll wear them tomorrow, so we'll do a little close-up on that. Thank you very much. Stu Miniman will love this, he loves socks. He'll have to replace his Star Wars socks for those. Thank you, Andy. Andy, thanks.
So I want to get your impression of the show, obviously an inaugural event, and it's interesting, you look at Amazon, we've been covering Amazon for eight years with theCUBE prior to that, just as a company. Love the company, we've obviously success of Clouds, no brainer, but re:Invent is the name of their global conference on the commercial side for all their customers, and everything else they call summits. This is not a summit, this is not an Amazon, what's a summit, this is a branded event with the word re:Invent, but re:Inforce, so it kind of gives that a call out. Good call from on their front, is it needed? Why is this show so important? What's your opinion on that?
I think it absolutely is, it's very helpful to customers to help them to understand their responsibilities when it comes to security in the cloud, and just like re:Invent was essentially reinventing the network into a digital environment, this is reinforcing their environment, understanding what their responsibilities are, where the cloud provider's very secure infrastructure ends and where their responsibilities with applications and data that resides in the cloud starts.
What does your data show in terms of the evolving threat landscape? I mean, there's one school of thought, there's, okay, security in the cloud actually, well, it was a concern early on, people say, oh, it's better. That maybe raises the bar, and it lowers the ROI for the bad guys, but what are you seeing? But at the same time, it's more global and distributed, which sort of opens up holes. What do you guys need?
So what we're seeing is, is that, the cloud's interesting in that there's not necessarily anything that is new or unique from an attack perspective, it's more of an attack surface perspective. And what I mean by that is, is that with an on-premise environment, sometimes controls are very easy to place around new instances, new workloads being stood up, a change control process that is very controlled, key-carded data centers and so forth. Cloud accounts will operate very differently, and one of the things that makes the cloud great is the speed at which you can go to market and stand up new resources. That also creates challenges for customers when it comes to visibility and securing those assets.
Yeah, I mean, the guy from Liberty Mutual today in the keynote said his number one challenge is just keeping up with Amazon, the pace of change. I mean, you're seeing that in your client base and how are they dealing with it?
Absolutely, one of the conversations that I frequently have with customers when it comes to the visibility and keeping up with Engle is I frequently will say to customers, pull out your cloud bill. If you are aware of and know everything that is on that bill and where it came from, frankly, I'd be very surprised. A lot of them struggle with that, with being able to keep up with that. And it's a, again, a double-edged sword. It's great as far as a business standpoint and being able to extend your business globally within minutes, but it's also a challenge for them from the security standpoint.
And you talk about the challenges that businesses are up against when it comes to cloud security because on-premises has decades of experiences dealing with security, the old days of perimeter-based security, some still do that. Now the perimeter's pretty much gone away with cloud. Cloud native has a different approach. So there seems to be a lot of questions around what to do, what are those challenges and cloud security specifically that businesses face?
So you hit the first one, right? The first one is this concept of I build a castle and put a big wall around it and a moat around it, no longer exists, right? The perimeter is a memory. Another one is, as I mentioned before, the speed at which resources are added to the cloud, that's difficult for customers because you can't see it, you can't secure it, right? If you don't know it exists. And then the third thing is really being able to understand how you make security happen within the cloud because those tools that you used on-premise and in your own perimeter don't necessarily exactly translate to the cloud. And it's important to have solutions that are designed for that and that not only work and operate well within the cloud but also don't take away the benefits of the cloud.
If you have a solution that's going to slow you down or make it where you can't innovate at the speed of the cloud, you might as well keep it on-prem, you're taking away all the benefit of the cloud.
So are you finding, I mean, a lot of times, the early cloud days were a lot of so-called crapplications just going to the cloud, okay, so maybe not as much credit card information so maybe it's not as valuable, but are you seeing people hitting the cloud sort of more today than say certain on-prem environments, is it escalating? What does your data show?
So there was a study done not too long ago that showed past and projected cloud growth from 2017 to 2022. And what was interesting was the cloud services revenue growth was expected to grow by double. The cloud security spend was expected to grow by more than three times. And we think that was in large part of customers understanding their responsibilities in the shared security model but also a product of exactly what you say, crapplications, right? One of our first customers that I think of was a convenience store chain. The very first things they moved, store locator and nutritional information applications. If something went wrong with those, yes, it's not great for your business that they can't find your store but it's not credit card data, it's not personal information, so on and so forth. As businesses start moving, really key to the business applications, ERP systems, things like that with real data that's at risk, that's where their focus on security is real strong.
So there's a lot of confusion out there. And as I walk around the show floor here, I see, we secure the cloud, we secure the cloud. No, we secure the cloud. And then hear from Amazon, we have a shared responsibility model. We secure the infrastructure. A lot of customers think, hey, Amazon has great security, so does Google, so does Microsoft, I'll put it in the cloud, I'll be good to go. Help us clear up some of that confusion.
What's your point of view on that?
Yeah, I think that when you look at it, customers were at one point extremely afraid of the cloud. And the cloud providers themselves did a great job of talking about why you could trust their infrastructure. In the process, I think customers have a difficult time understanding where their responsibility begins. And what we always like to say is, is the cloud provider's responsible for the security of the cloud, you, Mr. Customer, are responsible for the security in the cloud. And the reason that's important is, the fact is the cloud providers could potentially provide the security in the cloud, but the measure of control that they would have over the applications that you build, the applications that you deploy, who you give access to, and what you allow them to do would be so great. I don't think it would be a really positive experience.
Too many permutations. Because the criticism early on in cloud security wasn't that the security was bad, it was that I couldn't enforce the edicts of my organization. There weren't enough features. And now today it's like, you're drinking from this fire hose of features. So is that really the issue? It's up to you to figure out what works for your organization and then apply it. We heard today you got to opt in for things like encryption. You make sure you opt into each availability zone. So that's an individual customer choice. Amazon provides the tools. Okay, but then where do you pick up? Where does Sophos pick up?
That's a great segue. So as an example, our new Sophos Cloud Optix product does a great job with that. For instance, uses the AWS CIS benchmarks. And that is a heavy, heavy document that may be difficult for a customer to ingest, but we can run against all of your workloads, your S3 buckets, and see that you're in compliance with that CIS benchmark policy. That's a great place to start.
Maybe you have some compliance regulations that you have to follow that have a security component to it, such as PCI, for example. And they would lead you towards things like identity and access management. They would lead you towards, am I following a good password policy, a good updating policy? Am I sure that my S3 buckets are encrypted and not accessible to the internet without some sort of protection in place? All the same.
The evolving cloud security landscape is changing on the threat side. We've got now detection, alerts, all these things are going on. You guys have some data on the cyber criminal activity. Up, down, is it more complex, harder to crack? Is it people cracking it? Certainly we know people who are always trying. You can attack anything. We've seen foreign states enabling these groups out there. You see all kinds of cyber criminals. What's the data, sir?
So the data shows, I think the most compelling thing. We did a study that we commissioned earlier this year where we placed workloads in 10 of AWS's most popular data centers around the world. And what we saw was the first attempt to compromise one of those assets took all of 52 seconds. 52 seconds after we launched it, there was an attempt to compromise it. More compelling was the fact that on average, it took some total of 40 minutes was the average time before an attempt to compromise took place. And on top of that, once the asset was discovered, on average, 13 times every single minute of every single hour of every single day over a 30-day period, someone was attempting to compromise this. We ended up totaling over 5 million attempts to compromise this in a 30-day period on 10 assets. So I think the biggest thing is not so much the techniques, but the level of automation that the bad guys have going on. They know that there are assets out there that are not in a state that they necessarily should be and they are doing their level best to find them as absolute.
What makes the cloud so attractive to the cyber criminals?
I think the biggest thing is that as customers go from the application into some real applications, they know that there is a lot of data there. They also know that customers are, well, this is a newer platform for them and they may be struggling with understanding exactly what they need to do differently than they did on-prem in order to secure it.
So follow up on that. How do you approach cloud security and how is it different than on-prem?
So the biggest difference is, can it work within the fabric of the cloud? Is there tight integration with the things that the cloud providers offer? And do you not in any way hamper the great things about the cloud? Scalability, the option to be available in a matter of seconds. If you are hampering that, then that's not security that's really going to work well.
It's the whole benefit of the cloud in the first place. So talking about your cloud solution, what's the big problem that you guys solve?
So we have several different solutions that are available from a next generation firewall to our host protection. Our newest offering, Sophos Cloud Optix, is really about helping them to gain that visibility, to understand exactly what they have running in the cloud, prevent it, or present a topology map that shows them how it connects, how it communicates both internally and to the outside world, and then to constantly and continuously evaluate where they are in a security posture.
So that's visibility into threats, help look at quality alerts.
Yep.
Okay, so what's the customer orientation right now? Red, yellow, green. It seems to me it's always red, but so we asked someone earlier, what's a good day in security? It's like when we're still in business, you know. It's a lot of pressure. Again, the hacking just shows you that it's easy to attack, certainly seconds to minutes, things are being compromised. It's going to happen on premise as well.
What's the state of the union in your view on?
I think for customers there is a feeling sometimes, and I think we as security vendors need to be careful about this, of not presenting the world as impossible to secure, because I believe that it is absolutely possible to secure the world. I think there are some things that customers need to do. I think it's difficult for them sometimes to cut through some of the misinformation, the marketing spend and so on and so forth that's out there, but it's really incumbent upon them to look and read through the materials that are provided by the cloud providers to understand where their responsibilities begin and end, and then find the solutions that they've always used on-prem and been successful with that are ported to the cloud, and if they're not ported to the cloud to look for a different vendor.
So why Sophos?
So Sophos has been around for 30 years. We have a long history. We've been a security company, always a security company, and we have, frankly, what is a rather long track record in the cloud. We first ported our firewall to the cloud six years ago. We've continued to innovate in the cloud. We are able to do things that other vendors are not to support things that customers want to do, auto-scaling, outbound, gateway, things like that, and we continue to innovate that platform as well as add key pieces to our platform, such as our Cloud Optix, which interestingly enough came to us as we were shopping for it as a customer to support our own central infrastructure that runs in AWS. Our security guys thought, hey, we need a product that will help us with visibility and posture management, and then they turned to the organization and said, hey, this is a great product. We ought to look at buying this company, and that's how that acquisition came about.
And so what's new with the company? What's going on? What are you guys doing? You've got a lot of it here at Amazon.
What are the things you're working on that's important to tell?
Yeah, we're basically, at this point, with that acquisition of Optix happened, it was a company called Avid Secure. That just went down in January of this year. We released in the first week of April our own-skinned Sophos version of the product, and we're really looking to continue that innovation. Our theme this year for our company was evolve. We feel that as the world evolves, security evolves, and we have to evolve as well. And so there's a real focus on constantly evolving our products, innovating and trying to stay one step ahead of the bad guys, unfortunately.
Andy, you've been around, we've been around, we've seen all waves come and go. Client server mainframe all the back of those days to now. What do you think the most important story in the security industry is these days? What is that needs to be told that either is being told or needs to be amplified or isn't being told? What do you think is the high-order bit in terms of the most important story?
I think there's two fronts to that. One is, as I mentioned, evolve was a big point of discussion in our internal meetings, as well as our partner conferences, and helping customers to understand that their world has to evolve as well. The idea of a perimeter, for instance. There are a lot of companies that still try to stick to that idea of I can build a wall around my business. And the reality is, is between mobile devices, between every employee practically has a laptop now, the idea of keeping that castle wall around your business is just unrealistic. And so customers have to understand that. They also have to understand that migration to the cloud is inevitable and the sooner that they embrace that, the sooner they'll get the benefits of it and the sooner that they can begin the journey to the cloud that we feel it's inevitable.
Andy, great insight.
The evolving security threat landscape here on theCUBE, live coverage covering AWS re:Inforce. We'll be right back with more after this short break. I'm John Furrier with Dave Vellante. We'll be right back.