Hey, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase. I'm your host, Lisa Martin. This is season two, episode four of our ongoing series that's covering exciting startups from the AWS ecosystem. This episode, we're talking about cybersecurity, detect and protect against threats. I've got two guests with me here from Sunry Security. Please welcome Eric Kedroski, its chief information security officer, and Denise Heyman, its chief revenue officer. Guys, welcome to the program.

Wow, thank you.

And I should say, welcome back to Denise. You were on at Reinforce, which was just about a month or so ago. And from Reinforce, Denise, we heard a lot about security challenges, expansion of risks. What do you think, and I want to get Eric's perspective as well, what do you think are the biggest challenges that CISOs are currently facing, regardless of industry?

Hmm. Well, I'm going to narrow that question down to public cloud and cloud security, right? Because that's what the conference was about, and that's where we're focused. So I get to do that. But from that perspective, right, the CISOs that I speak with on the regular, it is, it's, it's so, there's so much chaos out there, right, about what they're trying to deal with. They're, they're trying to take a look at all of the operational policies and pieces that they've put together in their on-prem world and trying to figure out how do those same things apply in the cloud. So that gets down to things like, how do I, how do I operationalize it? How do I make this work in a new environment? What tools do I need? What processes do I need? What types of people do I need? Right? It just, it threw up everything in the air and said, let's start over, right? Just chaos. And many of them are doing a really awesome job at getting their arms around it by really hiring in the right people and looking at the way that development has run, right?
To figure out what's important to these people in their clouds, right? Because it depends on what their own missions are.

And Eric, adding on to that, from your seat as a CISO, what are some of the biggest challenges that your peers across industries are tackling? Obviously, there's a, the environment is chaotic and that's probably going to persist.

Yeah. I mean, Denise mentioned a few things. You know, the biggest thing I talked to CISOs about, and it's nice when you can have that CISO to CISO discussion because they tend to open up a little bit more and you can tell the stories and show the scars. And one of the things I hear a lot of is that, you know, the scale and the speed at which the cloud operates and how to operationalize security within that context is a big challenge that they're struggling with. And, you know, not to mention the new paradigms and how they've sort of shifted from the data center into the, into the cloud world. And, you know, sometimes a lift and shift of your process or of your way that you did something before in the data center just doesn't work in the cloud. So helping them understand that. And then the big thing is it's almost like focus, you know, it's, there's a huge scale. It moves very quickly, but you really need to focus on what's most important. And that's really by putting like data security and identity security at the center of your cloud security strategy. That's one of the biggest things that I've talked to a lot of CISOs about.

So then Eric, how do you advise the CISOs to think about cloud risks or to really be able to stack rank and adjust their security priorities as the environment is so dynamic?

Well, it comes back to this, you know, CISOs are looking to protect or minimize risk to their organizations with their most valuable assets in this day and age. That's data.
And that starts with understanding not only where all of the data is in your cloud, but more importantly, understanding where the sensitive data is in your cloud, because you could spend a lot of time resource money, which nobody has an infinite supply of, doing the wrong thing. So it's really targeting on where is my most sensitive data and then start wrapping security around that. And I talk about it as like the dual side of the coin, the other side of the coin is the identities. You know, in the data center days, we built networks and those became our security boundaries and we put our tools at those boundaries and we watched what went in and out and we put our controls there. That doesn't really exist in the cloud. So identities really have become those security boundaries. And so that's when I say, put identity and data security at the heart of your strategy. That's what I'm talking about. You know, find your data, classify your data and then determine what has access to it. And then what are they doing with it? And if you start there, you've got a very focused view, but in a very important way.

Denise, what are you hearing from customers as Eric was saying, you know, he says, put data and identity at the center of your strategy. What are you hearing from customers in terms of their concerns? Where are they in terms of actually being able to make that happen?

Yeah, I mean, every single one of them is struggling with this, right? They are, there's just a staggering amount of things and data and processes that they need to figure out. Many of them in multi-cloud environments, sorry, AWS, but like not everyone is just AWS anymore. And they have to protect, you know, workloads and services and people identities and non-people identities, right, which is why we talk about it from the standpoint of like, you can look at it from the outside in, or you look, you can look at it from the inside out, right?
So looking and our belief is that starting with the data and the identity pieces is the most important because, you know, I heard an analogy, now this is maybe an old analogy a while ago, right? But back in the day when there were bank robbers, you know, the bank robbers targeted those banks that had money that had lots of money in the coffers, right? They weren't going after regular apartment buildings or, you know, 7-Elevens at the time, right? They were going after where there was the most to lose, right? So if you take that same analogy and say, out of all of this chaos that there is out there and trying to figure out where to start, start by protecting the most sensitive pieces of your information, whether it's personal data, whether it's things that are critical to, you know, your crown jewels of your company, but starting there and then working outwards is the way that we address and advise all of our customers to start.

Do you have a magic list of best practices? This is actually a question for both of you. When you're in customer conversations that say, obviously protecting the most sensitive data, start making those important points kind of stacked right, but do you have any best practices that you share in terms of how they can actually make identity and data core to a cloud strategy in a timely fashion? Eric, we'll start with you.

Yeah, I mean, this is one that really hits home to me and it goes like this. I'd like to break it down really simply. Number one, you need to understand where all of the data is in your cloud and it might sound easy, but it is not because data is everywhere and there's so many fingers in the pie these days. Number two is classify your data, classify and tag your data. Again, it comes back to, there could be lots of data, but you need to find the stuff that's really, really important to you. So classify it, identify it, tag it so you know where it is.
Number three is understand who or what can potentially access your data and what they can do with your data. So now we start to tie in the identities. And then number four is you need to be continuously monitoring to understand what they're doing with that access. Lisa might have the ability to access a piece of really sensitive data, but she might not even know that through a hop and a step and a lateral movement and this and that, but what happens if she does? Someone's got to be watching for that as well. And then again, it's that double sided coin. When you flip that over and look at the identity perspective, you need to understand what the identities are in your cloud and not just your users, which is your typical way of looking at it. You really have to understand your users, but your non people identities as well. And interesting fact is your non people identities and in all of the customers that I see large and small, you know, Fortune 5 to a startup in the cloud, their non people identities outnumber their people identities by 10, 20, 30 times the number. But guess what? Not everybody's looking at those. So identify them, again, calculate their, their permissions, what they can do, understand what data they can access. And then it comes right back to where they kind of merge together. What are they doing with that access? And those are the, you know, the four steps on either side of the coin that we recommend to all of our customers and, and focusing into, to protect their data in their cloud.

And the only thing that I would add, the only thing I would add to that is we talk a lot about automation with our customers, right? Especially around remediation, right? Anything that you can automate from a remediation perspective or a discovery perspective, or a monitoring perspective, absolutely do it because the, you know, the clouds and privileges, right? What did we estimate?
There are I think 35,000 privileges out there across the three clouds right now, and they're growing somewhere between 20 and 40 a day. So if you're not automated, right, you're trying to keep it up on your whiteboard or in a spreadsheet, like you're behind the moment that you put it in there. So we recommend automating and especially around remediation. Anything that you can automate is absolutely the way to go.

Let's talk about now the benefits in it for me for, if I'm an AWS customer, we mentioned at the beginning of the segment, Denise, you were on theCUBE at Reinforce, which was just last month or so. Its Chief Security Officer Stephen Schmitt says, and he said this at Reinforce, we're stronger together from an ecosystem perspective. Talk to me, Denise. We'll get your perspective first, then Eric, yours, Sunry, AWS, better together. What does that mean? What's in it for customers?

Oh gosh. So first of all, we love our partnership with AWS. And that's not just because we're on here because we are engaged with all different layers within AWS. And we love their culture, their drive on customers, like everything that they do to make sure that their customers are satisfied. It's just, it's an amazing place to follow along, right? And the thing that we love about working on customers together is that they, their mission, right, is to make the cloud accessible to everybody, right, and do it in an easy way. And our mission is to make sure that it's secure. So it's very compatible in terms of how we work together. And they, because of their depth and from a technical perspective, they totally understand what we do and how important it is, right? And they, again, they're customer obsessed. So they make sure that their customers get the best things available to them, which is why they bring us to the table. So we, you know, we love that about them. It's a, it's a, just a fantastic partnership.

Sounds like, Denise, that Sunry and AWS share this passion for customer obsession.

I would say so. Yes.

Eric, from your seat as the CISO, Sunry plus AWS, better together, how does that enable you to do your job and, and take the steps that you said would advise other CISOs to do?

I think there's a number of ways to do this. If I put on the sort of my business hat here for a second, you know, the way that they talk about security as a risk as part of the business, they really are trying to bring it to the forefront that it's not just some IT technical thing off in the corner that you have to think about, that it is a business risk. So they're really big at promoting that and talking about that. They're also really big at helping CISOs and security leaders get there. You know, a lot of security leaders and CISOs came up through the technical ranks and, but getting that seat at the table and we're hearing about how CISOs should be on boards and all these other things and, and they're, they're big at that. And then of course, from the technology perspective, I think I've, you know, I've said it already is that speed and scale, you know, what is AWS brought to the world at the speed and the scale of releasing solutions to the market to customers and then delivering them faster and better and better every single day, every single week and what have you. And so it's also about doing security at speed and scale. And they're enabling organizations like Sunry to do that. So Denise talked about using automations and workflows. That's critical to solving the security challenges in the cloud. And Amazon really provides a platform on which, you know, tools like ourselves or individuals can go out and do that. And again, solve their security challenges at speed and scale to be able to keep up with the pace of the cloud.

Absolutely critical to solve those security challenges at speed and scale. Of course, it's so much more challenging and it sounds easier said than done.
But Denise, I'd love for you to share a customer story that you think really demonstrates the value that Sunry and AWS are delivering to customers. And then maybe comment on maybe from a target market perspective, what are some particular organizations that could benefit from the partnership with AWS, the integrations? What are your thoughts?

Yeah, sure. So, gosh, lots of customers that are in the midst of this transition, right? We see a lot of customers who are, Eric and I were talking about this actually right before we started because every single customer seems to have a different use case, right? Everyone is going about it, you know, from a different place or a different scenario. But lots of them moving from data center to cloud, as you might imagine, right? That is a key use case. The other thing that we're seeing in a lot of financial customers is that they, you know, when cloud first became available, a lot of them went private cloud, right? And they went about it from the standpoint of like, let's just take the same controls, right? Get our arms around it from a private perspective. And now via acquisitions or via workloads that they need in the cloud, they are actually moving to the public cloud in many, many cases. So, where we have the strong partnership around financials especially, right? Because they know that if those customers don't see security on the way in to the cloud, that they will never expand, right? Because it's just, it's a part of their DNA, right? That they have to make sure that their sensitive information is taken care of. So, we have a little, I mean, just a breadth of customers across manufacturing and airlines and financials and insurance. Like, if you're moving to the cloud, you need to make sure that you're protecting it in the right way.

Across industries, this is a pan-industry problem every customer, regardless of location, has to address this.
Have you seen, Denise, sticking with you, the acceleration of the cloud adoption and migration we've seen the last couple of years? Have you seen any industries in particular you mentioned, financial services, I think of healthcare, manufacturing, some industries that really are prime for coming to San Francisco? Help us figure this out. We're losing time.

You know, I can't limit myself to any industry because, I mean, seriously, I know that sounds like a silly answer, but from the standpoint of what's going on out there that, I mean, every industry that is moving to the public cloud needs to be looking at this. The ones that, you know, again, I mentioned those ones that are going through transitions. We also see obviously software companies or companies that were built in the cloud, right? They're just at this point now where they're understanding, gosh, you know, we need to be, well, like, you know, we've kind of got this hardened environment. We've got our policies and procedures down. Now they're worried about things like exfiltration of the cloud or they're worried about lateral movement, right, where, you know, somebody could get access to a role or a privilege and then move within the organization. So they're looking at it at a deeper, more advanced level, which we love working with them on that. Like I said, the financial is kind of moving from private to public now is the perfect time to build it in alongside us. Healthcare, we've seen a recent increase of healthcare, which sort of surprised me. I've not seen healthcare spending a lot of money in this particular area. We've seen, actually just in the last month or so, a big uptick there, which is just interesting. We'll see if it continues. You know, like I said, we see it across industries, not so much at the very, very low end, but we're seeing kind of mid-level enterprises and large enterprises.

And there's definite commonalities there, I'm sure, across the folks that you speak to in terms of the challenges that they have, what they're looking to Sunry to help them resolve. Eric, I do want to ask you a question about, we talk about the cybersecurity skills gap. It's huge. It's not going to go away overnight. A lot of organizations have different initiatives aimed at helping to reduce it. But talk to me about Sunry from a technology perspective. How will it help organizations to mitigate some of the risks that they face because of that skills gap?

Yeah, absolutely. I mean, first and foremost, I got to reiterate your point. It's not going away and it's not going to be solved anytime soon. And then you talk about we get right back to speed and scale. The cloud moves very quickly and the scale increases over time and that's not going to stop as well. So it creates this perfect storm. And I'm going to say a word again that some people are probably going to cringe at, but it comes back to automations and workflows. I know in the security industry, especially in rather large enterprises, sometimes they're a little bit hesitant to implement these tools because they're worried about what's going to happen. But the question I ask CISOs all the time is, are you keeping up with it today? And the answer is no. So then I say, well, what's going to happen if you don't do it? And that's what it comes down to. You're never going to be able to find enough staff, enough people in this area. So invest in automations and workflows in the areas that you're comfortable with so that, guess what, somebody in your organization doesn't have to do that job anymore. And then that person can be trained and grow into the roles where you need them in these more specific roles. And so that's how you need to do it.
It's almost like investing in automation and workflows just isn't making you more secure, which is your goal, but it's also helping to get your employees to where they need to be, to be more knowledgeable in the cloud. Because if they're only ever looking at very basic things and basically whacking it out and playing whack-a-mole to solve basic problems, they are never going to up their skills. And you can't just give your employees six months off to go become a cloud expert. So again, it comes back to just stay with the speed and the scale of security in the cloud. It's automations and workflows. And you just have to get comfortable doing it. And if you're not, you really need to think about your strategy because my opinion is you're doing it wrong.

Wow. Those are some important words there. Denise, last question for you. With respect to what Eric just said about what companies need to be doing, the need to embrace automation, what are you hearing from customers, especially after they've deployed Sunry? What are they coming to you saying, we had these challenges and thanks to Sunry, we are on our way to reducing a lot of the risks that were in our environment.

Yeah. So not only are they reducing the risks, but they're able to do it with less people or put it this way, not adding additional people, which is the worry, right? Whenever you bring on a new solution, the question is always, gosh, we're going to need to hire a team to manage this or can we utilize the team that we have? So there's a huge ROI around bringing the Sunry solution in where they are able to take advantage of resources that they currently have and just making them more productive. Again, we keep saying the same words, but remediation, automation, operationalizing it by creating these workflows is the key and it's a key piece of what Sunry offers to them to make sure that they can take advantage of this.
And I think that's a really, really, really big statement because the way that I see this is the vision and the promise of what Sunry brings to the table is that security teams need us for an oversight perspective, but they're actually able to leverage their development teams to be able to do the fixes and the workflows and the operational pieces that we've been talking about. So you don't have to hire new people. You can take advantage of the resources that you have. Again, that's the promise of Sunry.

A lot of efficiencies, operational, et cetera, that can be gained from what Sunry is able to deliver to customers. Thank you both so much for joining me today, talking about what it is that you're delivering, the challenges that you're helping CISOs and security operations folks meet and mitigate with the solutions. We appreciate your insights and your time.

Thank you, Lisa.

Thanks, Lisa.

My pleasure. For Eric Kedroski and Denise Heyman, who we want to thank for partnering with theCUBE for this season. We want to thank you for watching season two, episode four of our ongoing series of the AWS Startup Showcase. Don't go away. Keep it right here for more action on theCUBE, your leader in tech coverage.