Downtown San Francisco, it's theCUBE, covering RSA North America 2018.
Welcome back everybody, Jeff Frick here with theCUBE. We're at RSA-C, the RSA conference, the North American in San Francisco 2018. 40,000 people, it's an amazingly huge and growing conference, because security is obviously at the forefront of everything, especially as everything moves to devices and services and cloud, we can't forget security. And we're excited to have somebody who's kind of got a third party validation kind of point of view on the marketplace to get their perspective. It's Jason Brvenik, and he is the Chief Technology Officer for NSS Labs, so Jason, great to meet you.
Great to meet you.
So for people that aren't familiar with NSS Labs, give us kind of the overview of what you guys are all about.
We work with enterprises to understand their needs and security, and then build and create test environments that create world conditions to assess whether or not a product is a good fit, create comparable environments, so that we can understand fundamentally whether or not the products are delivering around their claims.
Right, and recently you've done some work around data center intrusion prevention systems group test. So, mouthful, what is that all about?
Well, that's all about the recognition that data centers are the keys to the assets for most organizations, and appropriately protecting them is not as easy as deploying a firewall. You need to have much greater inspections on the interactions with systems, whether or not security is being provided, whether the application layer is being properly secured, and so latency and performance and effectiveness against attacks are all measured and then presented in a set of group test reports.
Right, so must be getting increasingly complex as there's all these different components now that build up a solution, right?
It's not just one set of applications that you're pulling, maybe public data sources, you've got, bring your own devices, you've got this huge string of things that are all built, pulled together. How do you incorporate that into your testing? How do you figure out how these things work together? Because ultimately, that increases your attack surface area, vulnerabilities, I would imagine.
Certainly, and we create an environment, an architecture that we propose that based on our interactions with the enterprise is fairly representative of what an enterprise would have, and then we create or simulate the types of interactions you would have with the different systems, generate attacks against them and measure whether or not the products are able to sustain concerted attack from an adversary, all the way into creating evasive techniques so that an attack that is known to be blocked by the technology, we would apply different techniques to make it evasive and see if we can evade the security controls and measure those.
So how accurate are people, not to call anybody out, but how accurate are people in assessing the effectiveness of their own products and solutions?
That's an interesting mixed bag, you know?
I'm sure it must run the gamut, right?
It does, it does.
Well, you don't want to call out any, beat anybody up, but I would imagine, you know, there's some that are just, are they just like looking at the wrong thing, or how do you sort that all out?
It's interesting to see the different perspectives that exist in the security space. Everything from just make the pain stop, where, you know, they want to do simple signature blocking to we really want to understand what's happening and dig deep into the protocols and interactions and understand what's an appropriate interaction beyond whether or not there's an attack there. The fundamental premise we have in our space is there's an absolute shortage of talent in the security space that understands that just because a standard says something should be, doesn't mean an attacker has to adhere to it. And so there's a ton of breaks in that.
And what are some of the things that people just miss as the attack surfaces change? And I just think of, you know, fully automated systems like we've seen in ad tech and advanced, you know, financial trading systems that are now moving more and more into an increasing group of applications that are going to be IoT enabled. They're all going to be connected with 5G, moving very quickly. So the potential for problems becomes pretty significant if, you know, there's a bad actor that gets inserted into that process.
Certainly. And it's interesting that the attackers seem to have automation down pretty well. They can get it to move laterally pretty quickly on their own. And ferreting out attacker behavior from just bad user behavior can be very difficult. The presumptions that a lot of technologies, because the standard says something should be, it will be, create these situations where people aren't effectively looking for the ambiguities and standards. And those are abused all the time. When you look at embedded devices, they get deployed and they stay for 10 years. That's 10 years of technical debt that's just deployed and waiting to be exercised and exploited. And having a good general hygiene on operational environments to understand where these risks are, is probably the biggest gap in the enterprise world. On the security side, the reliance on standards and the reliance on assumptions of what should be tend to continue to come back and bite vendors, right?
It's funny, so you say just general hygiene. And we talked about that in one of the prior interviews where often we'll hear say there's an Amazon breach or something, then you get to the second paragraph and it's because somebody forgot to set a configuration in the right way.
So it's not necessarily the technology or the infrastructure or the safeguards that are put up. It's just somebody forgot to turn the switch on. So why do you think general hygiene is still such a problem? Is it just because it's so complex, things are moving so fast, people are just too busy, is it a symptom of DevOps? I mean...
We're human.
Yeah, we're human. There we go.
There's a thousand things demanding our attention all the time. And without solid processes and procedures, it's easy to miss something. And it's easy in the moment when you've got a big project that needs to launch to say that can wait until next week. And then the next big project comes along and next week is here and it waits until the week after. Next thing, you know, it's forgotten and you've got an old piece of architecture, infrastructure or security out there that just isn't being maintained anymore. It's one of the reasons we created an environment that strives to do what we call continuous security validation. So even if you had the best security technologies in the world, it's indistinguishable from no security at all until a breach occurs, right? And so continuous security validation allows us to look at live attacks that you're reasonably gonna face, measure whether or not your security is deployed, is delivering on protections against them and highlights there's a gap. Simply because you're human. The best technology in the world isn't gonna work and managing it well.
Right, so are you creating kind of like a digital twin of the key components of my environment back in your lab or are you putting things in my system so that you can do this kind of continual monitoring?
We create effectively a virtual remote office and then deploy your security controls and then we attack that remote office for you and measure whether or not your security controls are being effective and whether or not your people with those controls are able to respond effectively, yeah.
So what's been the impact of public cloud with the rise of public cloud? Both, obviously, for those applications that are sitting in the public cloud from the enterprise perspective, but now it's creating this kind of hybrid situation where they've still got stuff in the data center, they've got stuff in the public cloud, there's probably some stuff that's migrating in between, maybe it's test dev in the public cloud and it gets deployed internally or maybe they're trying to do a lift and shift out of the data center. So how has the rise of public cloud and with that hybrid cloud and multi-cloud environments impacted your guys' world?
The biggest shift there I think has been the proliferation of what otherwise would have been well-controlled development environments into production environments. It's so easy to move what evolved in developing a technology into a production world without going and paying attention whether or not all of the right elements are in place. It used to be you developed it, then you moved it into QA and then from QA you got moved into production, now it can go right from dev to production and QA kind of happens in the background.
Right, right, and we talked in an earlier conversation too which is before then the security would be layered on after the test dev, right? Once it was moving into production, now let's slap some security on it but now it's got to be incorporated in from day one. So another huge opportunity, I guess to miss that as you roll that into production.
It seems like nobody ever thinks about security first. It just isn't the function. No developer ever wakes up in the morning and thinks I need to do secure and then develop features. Their life is all around delivering the value to the customers they're looking for and security prevents them creating the feature velocity they want to deliver.
There's always a push and pull there to get the right balance and it's easy when you're not under sustained attack to believe that security isn't important.
So how do people adjust their thinking around security or is it just below the surface where it's presumed or how does it become more of kind of an ongoing part of the conversation and a feature that's always baked in during the development versus kind of an afterthought or "oh my gosh, my neighbor just got hacked" or there's a big story in the Wall Street Journal?
I think what we're seeing now in the evolution of software and development is the supply chain involved. It used to be you created systems from scratch and you built it from scratch and you had the opportunity to layer security and as you were going, you would find a weakness, you would design around it, you would overcome it. Now it's more of an assemblage of components to produce an outcome and if security wasn't built in when the component was built, you pretty much lost that opportunity; it's hard to go retrofit that. I think we're going to soon see the next phase where these components are going to start building security assumptions in the front but it's going to be a long time much like IoT where things are deployed forever or we start seeing that supply chain evolve on its own and you can assemble secure software from the start.
Yeah, it's amazing that it's still kind of an afterthought when these things are in the newspaper every day and it's almost an assumption maybe we're getting a little numb to the thing that you're going to be breached and you're going to have an issue and it's really more kind of how do you react to it, how quickly can you find it, how do you limit the damage because it seems like everybody's getting breached every day.
Especially when you consider we have decades of technical debt. There are companies that still run their businesses on mainframes that haven't been produced in 20 years.
I didn't even think of that part of it. All right, last question before I let Jason let you go. Big week this week at RSA, what are you looking forward to?
Oh, I'm looking forward to really the evolution of advanced endpoint technologies, the delivery of visibility to the enterprise so they can do new response actions based on new knowledge. I'm looking forward to the growth of automation. Automation as it relates to security elements so that we can reduce the human element in the mistakes that are made, right?
Yeah, because we certainly need it because it is easy to make mistakes when you go to 1,000 little tasks, right? All right, Jason, well thank you for taking a few minutes of your day and stopping by.
Thanks for having me.
All right, he's Jason, I'm Jeff. You're watching theCUBE. We're at RSA-C 2018 North America in San Francisco. Thanks for watching.