From San Francisco, it's theCUBE. Covering RSA Conference 2019. Brought to you by Forescout. Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA North American Conference in Moscone. They finally finished the remodel. We're excited to be here. We're in the Forescout booth and our next guest is here. He's Scott Stevens, the SVP Global Systems Engineering for Palo Alto Networks. How you doing? I'm doing well, how you doing? Good, so first impressions of the show. I mean, it always amazes me when we come to RSA. We go to a lot of shows, but just the size and the scale and the buzz and the activity here is second to none. It's incredibly crowded. I mean, trying to walk the halls here is a bit of a mess. So, yes. Well, plus nobody can find their way through the new Moscone. Small detail. They're connected differently now, so it's pretty confusing. Right. All right, so let's jump into it. I look over your shoulder, I see zero trust. I see zero trust. Everybody's about zero trust. We had Chase on from Forrester last year who was talking about zero trust. You guys are talking about zero trust. What exactly is zero trust and how should people be thinking about zero trust? Yeah, it's kind of, it's become buzzword bingo along the way, hasn't it? Right, it has. Yeah, so yeah, we've been working with Forrester for about six years now, looking at zero trust architectures. The way, I think the fundamental way you look at zero trust is it's an architectural approach to how do you secure your network, focused on what's most important. And so you focus on the data that's most, that's key to your business and you build your security framework from the data out. And so there's all kinds of buzzword bingo we can play about what zero trust means, but what it allows us to do is to create the right segmentation strategy starting in the data center or the cloud and moving back towards those accessing the data and how do you segment and control that traffic? 
Because fundamentally what we're dealing with in security is two basic problems that we have to, there's many problems, but two big problems that we have to deal with. First is credential-based attacks. And so do we have somebody with stolen credentials in the network stealing our data, or do we have an insider who has credentials but they're malicious? They're actually stealing content from the company. The second big problem is software-based attacks, malware, exploits, scripts, right? And so how do we segment the network where we can enforce user behavior and we can watch for malicious software so we can prevent both of those occurrences through one architectural framework and I think zero trust gives us that template building block absent of the buzzword on how we build out those networks because everybody's enterprise network is a little bit different. So it really goes back to kind of roles and access and those types of things because the first one you describe, a credentialed one, if it's somebody in there that they have every right to be there but they're doing behavior that's not necessarily what you expect them to do, what you want them to do, it's atypical, right? So it's kind of identity and rights management. Is this a different approach or a little bit more sophisticated approach or how has it been different before? No, that's a great question and we have to build those things together. So on the Palo Alto Networks side, what we do is we do enforcement, layer seven enforcement based on identity. So based on who the user is and what their rights are we are able to control what they're allowed access to or what they're not allowed access to and of course if you've got a malicious insider or somebody that's logged in with stolen credentials we can prevent them from doing what they're not allowed to do. And working here with Forescout, we've done a lot of really good integration with them on that identity mapping construct. 
So how do they help us understand all the identities and all the devices in the network so we can then map that to that user posture and control at layer seven what they're allowed to do or not allowed to do. Right, then on the micro segmentation it's always how far do you segment? You can segment to one but that doesn't really do you much good, right? That's just one. So what are some of the things people should think about in their segmentation strategy? Well again, I think you need to start with what's most important. And so if I take a cloud or a data center, clouds and data centers as a starting point are generically the same. Well and how we segment is actually the same. And so we have this, sometimes we think that clouds are more difficult to secure than data centers, but they are the same. Basically we've got north-south traffic, we've got east-west traffic. How do we inspect and how do we segment that? But if you start with what's most important and work your way, if you tell somebody you need to micro segment their network they're going to be done in 14 years, right? So how do we focus on what's the most important critical data to their business? And if we stratify their data sets and their applications that access that data and then move down, we may have 50% of the applications in their cloud or data center that we don't micro segment at all because they're not critical to the business. They're useful to the employees but if something goes wrong there, no big deal. No impact to the business. And so micro segmentation isn't just a conversation of where we have to do things but it's a conversation contextually in terms of what's relevant and where is it important to do that? And then where do we, you know, where do you do a much less robust job? You always have to have inspection and visibility but there are parts of your network where you're going to be somewhat passive about it. 
There's parts of your network where you're going to be very aggressive, multi-factor authentication, tight user identity mapping, you know, all of the different aspects. How do we watch for malware? How do we watch for exploits? I'm curious on doing that segmentation on the value of the data set because there's some obvious ones that jump to the top of the list but I'm just curious if customers get into a situation where they really haven't thought about it once you get 10 steps down the list from the top ones or, you know, if you do a forced priority and then the other thing I just think is really interesting in the time we live today is that a lot of the hackers are not necessarily motivated by personal information or trying to suck a little bit of money out of your bank account but other types of data that they want to use for other types of actions like we saw in the election and some of these other, you know, kind of, I want to say softer, kind of softer uses of softer data for different types of activity than the traditional ransomware or malware and how does that map back to, well, I didn't necessarily think that was an important piece of data but, you know, kind of, you know, that's a shifting landscape in that part of this. Certainly, you need to take a look at what's most important and you can stratify into a couple tiers. So you're going to have the top 10 applications and data sets that are critical to the business and we know if something happens there we have to publicly announce, okay, you're going to do a really nice segmentation strategy and implement a full zero trust where we're controlling user access, doing full malware inspection, everything there. 
You're going to have a second tier of data which kind of gets into your soft target conversation where maybe we're a little less robust with some of the user segmentation and the application controls but we're as aggressively robust on the malware and software-based threats and frankly, being able to inspect and control, find malware, find command and control, find exploits going in or out of those parts of the network, that is very simple to do and zero trust helps us define where are those locations on the data center cloud side but also throughout the enterprise and where should we have those sensors that are enforcing that behavior, right? Just, traffic's exploding, right? Everything's connected, billions of billions of devices, et cetera, et cetera. We don't need to go through the numbers, it's big. So clearly automation is more and more important as we go forward. A lot of buzz about machine learning and artificial intelligence, applying it, but the bad guys have it and the good guys have it. A lot of interesting kind of subtopics in terms of training models and how do you train models and do you have the right type of data but as you kind of sit where you're sitting and net net is just a lot more traffic going through the network whether it's good, bad or otherwise. How do you guys kind of look at automation? How are you kind of looking forward for using artificial intelligence and some of these newer techniques to help just basically get through, get through the mass, if you will. So I think there's two ways to think about artificial intelligence, machine learning, big data analytics, all those good ones. Now we're in another buzzword bingo world now. But the first is, if we're looking at how are we dealing with malware and finding unknown malware and blocking it, we've been doing that for years. 
And so the platform we have uses big data analytics and machine learning in the cloud to process and find all of the unknown malware and make it known and be able to block it. So we find 20 to 30,000 brand new pieces of malware every day and within five minutes we find 30,000 every day. So we're analyzing millions and millions of files every day to figure out which ones are malicious. And once we know, within five minutes, we're updating the security posture for all of our connected security devices globally. So whether it's endpoint software or it's our inline next-gen firewalls, we're updating all of our signatures so that the unknown is now known and the known can be blocked. And that's whether we're watching to block the malware coming in or the command and control it's using via DNS and URL to communicate and start whatever it's going to do. And you mentioned crypto lockers and there's all kinds of things that can happen. So that's one vector of using ML, AI and ML to prevent the ability for these attacks to succeed. Now, the other side of it I think you were alluding to a little bit more is how do we then take some of the knowledge and the lessons we've learned for what we've been doing now for many years in discovering malware and apply that same AI and ML locally to that customer so that they can detect very creative attacks, very evasive attacks. Or that insider threat, that employee who's behaving inappropriately but quietly. And so we've announced over the last week what we call the Cortex XDR set of offerings that involves allowing the customer to build an aggregated data lake which uses the zero trust framework which tells us how to segment, also put sensors in all the places of the network both network sensors and endpoint as we look at how do you secure the endpoint as well as how do you secure the network links. 
And using those together we're able to stitch those logs together in a data lake that machine learning can now be applied to on a customer by customer basis to find maybe somebody was able to evade because they were very creative or that insider threat again who isn't breaking security rules but they're being evasive, we can now find them through machine learning. And the cool thing about zero trust is the prevention architecture that we needed for zero trust becomes the sensor architecture for this machine learning engine. You get dual purpose use out of the architecture of zero trust to solve both the inline prevention and the response architecture that you need. Right. It's a long answer. I know. It's a crazy space. I mean, the numbers in the mass of just throughput in this area is just fascinating. And so we're here in the Forescout booth and they've got a unique take on all the objects and everything that is connected to the network. We've heard from people earlier today there's 50, 60, 70% more things connected than they ever even thought. Also, I'm not malicious, but just people plug it in at various remote offices and this and that. IoT, well, the next buzzword didn't go. Right, right, right. There you go. We're hitting them all. What are we missing? So how are you guys working with Forescout? How do the two solutions work together to get a one plus one makes three? And as we were talking a little bit about before getting that concept of what are all these connected devices? What is the device itself? And then who are the users attached to those devices? Forescout has that insight. So we don't do, I always look at that as identity assertion. Device or identity assertion. So how do we define what they are and who they are? What we do then is in working with Forescout we take that knowledge that they have and that turns into identity and device enforcement. 
And that's how we enforce those postures so that I know employee A isn't allowed to the intellectual property data sets. Employee B is. Well, in the old world of security you just have a rule for how do you get to that? In what we do now with user based and application controls I can on a user by user basis determine what they're allowed to do or not allowed to do. Forescout gives us that insight so that we are able to enforce. They handle making sure they know exactly who it is so we enforce it properly. Right, and for the devices, right? Because you basically assign almost like an identity and a rule to a device. Exactly. And then you don't end up with this weird spaghetti network topology where okay, we have to put all of our IoT devices on these 14 VLANs and we're going to extend them all across our enterprise and all that goes away. All right, so Scott, I'll give you the last word before we sign off. As we look forward to 2019, I can't believe it's March already, scary. What are some of your priorities? What are you working on? What's the rest of the year look like for you? I think you're back to buzzword bingo. We're spending a lot of time right now looking at how do we help our customers with generating that data lake so they can help figure out what's happening within their infrastructure. And as you pivot from the security posture, which of course is where we're always going to pay attention and you help them think about operationalizing that and how do we help the SecOps or the SOC figure out what's going on in their network. The data they're dealing with is massive. And so they're looking at haystacks and haystacks and haystacks. And part of the goal of what we're trying to do is help them burn down those haystacks and hand them needles. Because in the end, all they care about is the needles. The hay is getting in the way. 
And so there's a lot of work that we're doing around machine learning, around optimizing workloads and automation so that we can reduce that complexity. We've been doing it for the last 10 years for network security. How do we take the complexity of all the things we used to do separate and simplify them and automate, so we've automated the feedback loops for network security for the next gen firewall. We've simplified what you can do on the endpoint for Traps and how we protect that. We've done it with the integrations with Forescout. We're simplifying how you map that identity back and forth. And I think for the rest of the year it's really about simplifying operations and helping quickly determine when something is wrong in the network so you can fix it fast before you're dealing with an exfiltration problem. Not 150 days or whatever the crazy average stat is. How about four hours? What if we try for four hours? That's more better. More better, more better, I think. All right, Scott. Well, thanks for sharing the insight. Thanks for your time. Let's go burn some haystacks. He's Scott. I'm Jeff. You're watching theCUBE. We're at RSA 2019 in San Francisco. Thanks for watching. We'll be right back.