All right, we're back. We're wrapping up day two at Falcon 22 from the Aria in Las Vegas. CrowdStrike, CrowdStrike, the action is crazy. Second day of keynotes. Shawn Henry is back, he's the Chief Security Officer at CrowdStrike, he did a keynote today. Shawn, good to see you, thanks for coming back on.

Good to see you, Dave, thanks for having me.

So unfortunately I wasn't able to see your keynote because I had to come do CUBE interviews. You interviewed Kemba Walden from the White House, right? I mean, she is a major player, we're going to talk about that. We're going to talk about OverWatch, your threat hunting report, I want to share the results with our audience, but start with your, well, actually start with the event. We're now in day two, you've had a good chance to talk to customers and partners, what are your observations?

Yeah, first of all, it's been an amazing event, over 2,200 attendees here. It's really taking the top three floors at the Aria Hotel and we've got partners and customers, employees, and to see the excitement and the level of collaboration here is absolutely phenomenal. All these different organizations that each have a piece of cybersecurity, to see them coming together all in support of how do you stop breaches, how do you work together to do it? It's really been absolutely phenomenal.

They're going to love the collaboration. We kind of talked about this in our earlier segment, the industry has to do a better job and has been doing a better job. I think you and Kevin laid that out pretty well. So tell me about the interview, the fireside chat with Kemba. What was that like? What topics came up?

Yeah, Kemba is the principal deputy national cybersecurity advisor. She's been there for just four months. She spent over 10 years at DHS, but she most recently came from the private sector in cybersecurity. So she's got that experience as a private sector expert, as well as a public sector expert, to see her come together in that position.
It was great. We talked a lot about some of the strategies the White House is looking to put forth in their new cybersecurity strategy. There was recently an executive order that the president put forth that talks about a lot of the things that we're doing here. So for example, the executive order talks about a lot of the legacy type of capabilities being put to pasture and about the government embracing cloud, embracing threat hunting, embracing EDR, embracing zero trust and identity protection. Those are all the things that the private sector has been moving towards over the last year or two. That's what this is all about here. But to see the White House put that out, that all government agencies will now be embracing that, I think it puts them on much surer footing and it allows the government to be able to identify vulnerabilities before they get exploited. It allows them to much more quickly identify, have visibility and respond to threats. So the government infrastructure will be safer, and it was really nice to hear her talk about that and about how the private sector can work with the government.

So you know how this works, having been in the Bureau, but these executive orders, a lot of times people think, oh, it's just symbolic. And there are a couple of aspects of it. One is President Biden really impressed upon the private sector to amp it up, to really focus and do a better job. But also, as you pointed out, that executive order can adjudicate what government agencies must do, must prioritize. So it's more than symbolic, it's actually taking action. Isn't it?

I think it's both. I think it's important for the government to lead in this area. Because while a large portion of infrastructure, major companies, they understand this, there are still a whole section of private sector organizations that don't understand this. And to see the White House roll it out, I think that's good leadership and that is symbolic.
But then to your second point, to mandate that government agencies do this, it really pushes those that might be a bit reluctant, it pushes them forward. And I think this is the type of action that, as it starts to roll out and people become more comfortable and they start to see the successes, they understand that they're becoming safer, that they're reducing risk. It really is kind of a self-fulfilling prophecy and we see things become much safer.

Did you guys talk about Ukraine? Was that off limits, or did that come up at all?

It wasn't off limits, but we didn't talk about it because there were so many other things we were discussing. We were talking about the cybersecurity workforce, for example, and the huge gap in the number of people who have the expertise, the capability, and the opportunities for them to come into cybersecurity, technology broadly, but then cybersecurity as a subcomponent of that. And some of the programs, they just had a big cyber workforce strategy, they invited a lot of people from the private sector to have this conversation about how do you focus on STEM? How do you get younger people? How do you get women involved? So getting, perhaps, to the untapped individuals that would step forward and be an important stopgap and an important component to this dearth of talent. And it's absolutely needed. So that was one thing, there were a number of other things.

So pre-pandemic, I thought the number was 350,000 open cybersecurity jobs. I heard a number yesterday, just in the US, you might have even told me, it's 750. So it's doubled in just, pre- to post-isolation economy.

I don't know what the stats are, but too big.

Well, as a CSO, how much can automation do to close that gap? You know, we were talking earlier on theCUBE about, you've got to keep the humans in the loop. The nirvana of the machines will just take care of everything.
It's just probably not going to happen anytime in the near term, even midterm or long term, but how can automation play and help close that gap?

So the automation piece is what allows this to scale. You know, if we had one company with 100 endpoints and we had a couple of folks there, you could do it with humans, a lot of it. When you're talking about hundreds of millions of endpoints spread around the globe, you're talking about literally trillions of events every week that are being identified, evaluated, and determined whether they're malicious or not. You have to have automation. And to have, using the cloud, using AI, using machine learning, to sort through and really look for the malicious needle in a stack of needles. So you've got to get that fidelity, that fine-tuned review, and you can only do that with automation. What you've got to remember, Dave, is that there's a human being at the end of every one of these attacks. So we've got, the bad guys have humans there. They're using the technology to scale. We're using the technology to scale, to detect them, but then when you get down to the really malicious activity, having human beings involved is going to take it to another level and allow you to eradicate the adversaries from the environment.

Okay, so they'll use machines to knock on the door. When that door gets opened, then they're in, and they're saying, okay, where do we go from here? And they're directing strategy.

Absolutely.

I think somebody gave me a stat. I wonder if I wrote it down correctly. Two trillion events per day that you guys see. Did I write that down right?

You did. It changes, just like the number of jobs. It changes. When I started talking about this just a year and a half ago, it was a billion a day. And when you look at how it's multiplied exponentially, and that will continue because of the number of applications, because of the number of devices. As that gets bigger, the number of events gets bigger.
And that's one of the problems that we have here, is the spread of the network, the vulnerability, the environment is getting bigger and bigger and bigger. As it gets bigger, more opportunities for bad guys to exploit vulnerabilities.

Yeah, and we were talking earlier about IoT and extending that threat surface as well. Talk about the OverWatch threat hunting report. What is that? How often have you run it? And I'd love to get into some of the results.

Yeah, so OverWatch is a service that we offer where we have 24 by 7 threat hunters that are operating in our customer environments. They're hunting, looking for malicious activity, malicious behavior. And to the point you just made earlier, where we use automation to sort out and filter what is clearly bad. When an adversary does get what we call fingers on the keyboard, so they're in the box and now a human being, they get a hit on their automated attack. They get a hit that, hey, we're in. It's kind of the equivalent of looking at the bobber while you're fishing. When you see the bobber move, then the fisherman jumps up from his nap and starts to reel it in. Similar. They jump on the keyboard, fingers on the keyboard, our OverWatch team is detecting them very, very quickly. So we found 77,000 potential intrusions this past year, in 2021 up to the end of June. One every seven minutes. From those detections, when we saw these detections, we were able to identify unusual adversary behavior that we'd not necessarily seen before. We call it indicators of attack. What does that mean? It means we're seeing an adversary taking a new action, using a new tactic. Our OverWatch team can take that from watching it to human beings. They take it, they give it to our engineering team, and they can write detections, which now become automated, right?
So you have all the automation that filters out all the bad stuff, one gets through, a bad guy jumps up, he's on the keyboard, and now he's starting to execute commands on the system. Our team sees that, pulls those commands out, they're unusual, we've not seen them before, we give it to our engineering team, they write detections that now all become automated. So because of that, we stopped over, with the 77,000 attacks that we identified, we stopped over a million new attacks that would have come in and exploited a network. So it really is kind of a big circle where you've got human beings and intelligence and technology all working together to make the system smarter, to make the people smarter, and make the customers safer.

And you're seeing new IOAs pop up all the time, and you're able to identify those and codify them. Now you've announced, at re:Inforce in July in Boston, you announced the threat hunting service, which is also, I think, part of your president as well, of that services division, right? So how's that going, what's happening there?

What we announced, the OverWatch team has been involved working in customer environments and working on the back end in our cloud for many years. What we've announced is this cloud hunting, where because of the adoption of the cloud and the movement to the cloud of so many organizations, they're pushing data to the cloud, but we're seeing adversaries really ramp up their attacks against the cloud. So we're hunting in Google Cloud, in Microsoft Azure, in AWS, looking for anomalous behavior, very similar to what we do in customer environments, looking for anomalous behavior, looking for credential exploitation, looking for lateral movement, and we are having great success there because as that target space increases, there's a much greater need for customers to ensure that it's protected.

So the cloud, obviously, is very secure. You've got some of the best experts on the planet inside of hyperscale companies.
So, whether it's physical security or logical security, they're obviously doing a good job. Is the weakness the seams between where the cloud provider leaves off and the customer has to take over, that shared responsibility model? Misconfiguring an S3 bucket is the common one, but I'm sure there are like a zillion others. Where's that weakness?

Yeah, that's exactly right. We see oftentimes the IT piece enabling the cloud piece, and there's a connectivity there, and there is a seam there sometimes. We also see misconfiguration, and these are some of the things that our cloud hunters will find. They'll identify, again, the equivalent of walking down the hallway and seeing a door that's unlocked, making sure it's locked before it gets exploited. So they may see active exploitation, which they're negating, but they also are able to help identify vulnerabilities prior to them getting exploited. And the ability for organizations to successfully manage their infrastructure is a really critical part of this. It's not always malicious actors. It's identifying where the infrastructure can be shored up, make it more resilient so that you can prevent some of these attacks from happening.

I heard this week, earlier, something I hadn't heard before, but it makes a lot of sense. Patch Tuesday means Hack Wednesday. And so I presume that the companies releasing patches is like a signal to the bad guys that, hey, free-for-all, go, because people aren't necessarily going to patch. And then SolarWinds, customers are now circumspect about patches. The very patches that are supposed to protect us, with the SolarWinds hack, were the cause of the malware getting in and reforming, et cetera. So that's a complicated equation.

Yeah, it certainly is. A couple parts there to unwind. First, when you think about Patch Tuesday, there are adversaries often, not always, that are already exploiting some of those vulnerabilities in the wild. So it's a zero-day. It's not yet been patched.
In some cases it hasn't yet been identified. So you've got people who are actively exploiting it. We've found zero-days in the course of our threat hunting. We report them in a responsible way. We've gone to Microsoft. We've told them a couple of times in the last few months that we found a zero-day and given them an opportunity to patch that before anybody goes public with it. Because, absolutely right, when it does go public, those that didn't know about it before recognize that there will be millions of devices, depending on the vulnerability, that are out there and exploitable. And they will absolutely, it will tell everybody that you can now go to this particular place and there's an opportunity to gain access, to escalate privileges, depending on the criticality of the patch.

I don't, I'm sorry to generalize, but I want to ask you about the hacker mindset. Let's say that, what you just described, a narrow set of hackers knows that there's an unpatched vulnerability. And they're making money off of that. Will they keep that to themselves? Will they share that with other folks in the net? Will they sell that information? Or is it one of those, it depends?

I was just going to say it depends. You beat me to it. It absolutely depends. All of the above would be the answer. We certainly see now a nation state, for example, would absolutely keep that to themselves. Their goal is very different from an organized crime group, which might sell access. And we see them all the time in the underground selling access, that's how they make money. Nation states, they want to keep a zero-day to themselves. It's something they're able to exploit, in some cases for months or years that vulnerability goes undetected, but a nation state is aware of it and exploiting it. It's a dangerous game, and it just, I think, exemplifies the importance of ensuring that you're doing everything you can to patch in a timely manner.
Well, Shawn, we appreciate the work that you've done in your previous role and continuing to advance education, knowledge and protection in our industry. Thank you for coming on theCUBE.

Thank you for having me. This is a fantastic event.

Really appreciate you being here and helping to educate folks.

Yeah, you guys do a great job. Awesome set that you built, and look forward to future events with you guys.

All right, my friend.

Thanks so much, Dave. Bye now. I appreciate it.

All right, keep it right there. We're going to wrap up in a moment. Live from Falcon 22, you're watching theCUBE.