Welcome in to theCUBE's presentation of AWS Startup Showcase, Open Cloud Innovations. This is season two, episode one of the ongoing series covering exciting hot startups from the AWS ecosystem. Today's episode one of season two theme is open source community and the Open Cloud Innovations. I'm your host, John Furrier of theCUBE. And today we're excited to be joined by Loris Degioanni, who is the CTO, Chief Technology Officer and founder of Sysdig, founded in his backyard with some wine and beer. Great to see you. We're here to talk about Falco, finding cloud threats in real time. Thank you for joining us, Loris. Thank you, good to see you. It's arriving me. Love that your company was founded in your backyard. Classic startup story, you've been growing very, very fast. And the key point of this showcase is to talk about the startups that are making a difference and that are winning and doing well. You guys have done extremely well with your business, congratulations. But the big theme is security. And as organizations have moved their business critical applications to the cloud, the attackers have followed. This is really important in the industry. You guys are in the middle of this. What's your view on this? What's your take? What's your reaction? Yeah, as we, as an ecosystem are moving to the cloud, as more and more we're developing cloud native applications. We're relying on CICD. We're relying on orchestrations and containers. Security is becoming more and more important. And I would say more and more complex. I mean, we're reading every day in the news about attacks, about data leaks and so on. There's rarely a day when there's nothing major happening and that we can see in the press from this point of view. And definitely things are evolving. Things are changing in the cloud. For example, Sysdig just released a cloud native security and usage report a few days ago.
And among the things that we found among our user bases, for example, 66% of containers are running as root. So still many organizations are adopting a relatively relaxed way to deploy their applications, not because they like doing that, but because it tends to be easier with a little bit less friction. We also found that 27% of users have unnecessary root access and 73% of the cloud accounts have public S3 buckets. This is all stuff that is all good, but can generate consequences when you make a mistake. Like typically, your data leaks not because of super sophisticated attacks, but because somebody in your organization forgets maybe some data on a public S3 bucket or because some credentials that are not restrictive enough maybe are leaked to another team member or on a GitHub repository or something like that. So as infrastructures and this software becomes, let's say more sophisticated and more automated, there's also at the same time more risks and opportunities for misconfigurations that then tend to be very often the source of issues in the cloud. Yeah, those self-inflicted wounds definitely have come up. We've seen people leaving S3 buckets open, it's user error, but those are small little things that get taken care of pretty quickly. That's just hygiene, that's just discipline. Most of those sophisticated enterprises are moving way past that, but now they're adopting more cloud native, right? And as they get into the critical apps, securing them has been challenging. We've talked to many CIOs and CISOs and they say that to us. Yep, it's very challenging, but we're on it. I have to ask you, what should people worry about when securing the cloud? Because they know it's challenging but they know the opportunity on the other side. What are they worried about? What do you see people scared of or addressing or what should I be worried about when securing the cloud? Yeah, definitely.
Sometimes when talking about security, I like to compare the old data center and the old monolithic applications to a castle, a Middle Ages castle. So what did you do to protect your castle? You used to build very thick walls around it and then a small entrance and be very careful about the entrance, protect the entrance very well. So what we used to do in the data center was protect everything, the whole perimeter in a very aggressive way with firewalls, making sure that there was only a very narrow entrance to our data center and as much as possible, like active security there, like firewalls, all of this kind of stuff. Now we're in the cloud. Now everything is much more diffuse, right? Our users, our customers are coming from all over the planet, every country, every geography, every time zone. But also our internal team is coming from everywhere because they're all accessing a cloud environment. Very often from home, from different offices, again, from every different geography, every different country. So in this configuration, the metaphor that I like to use is an amusement park, right? You have a big area with many important things inside and users and operators that are coming from different entrances that you cannot really block. You need to let everything come in and operate together. In this kind of environment, the traditional protection is not really effective. It's overwhelming and it doesn't really serve the purpose that we need. We cannot build a giant wall around our amusement park. We need people to come in. So what we're finding is understanding, getting visibility and doing it in real time is much more important. So it's more like we need to replace the big walls with a granular network of security cameras that allow us to see what's happening in the different areas of our amusement park.
And we need to be able to do that in a way that is in real time and allows us to react in a smart way as things happen because in the modern world of cloud, five minutes of delay in understanding that something is wrong means that you're already being attacked and your data is already being exfiltrated. Well, I also love the analogy of the amusement park. And of course, certain rides, we need to be a certain height to ride the roller coaster. I guess that's IT credentials or security credentials, as we say, but in all seriousness, the perimeter is dead, we all know that. Also, moats were relied upon as well in the old days. You secure the firewall, nothing comes in, goes out. And then once you're in, you don't know what's going on. Now that's flipped. There's no walls, there's no moats, everyone's in. And so you're saying this kind of security camera kind of model is key. So again, this topic here is securing real time. Yeah. How do you do that? Because it's happening so fast, it's moving. There's a lot of movement, it's not at rest. There's data moving around fast. What's the secret sauce to making real, identifying real-time threats in an enterprise? Yeah, and in our opinion, there are some key ingredients. One is granularity, right? You cannot really understand the threats in your amusement park if you're just watching these from a satellite picture. So you need to be there, you need to be granular, you need to be located in the areas where stuff happens. This means, for example, in security for the cloud and in runtime security, it's important to have your sensors that are distributed, that they are able to observe every single endpoint. Not only that, but you also need to look at the infrastructure. From this point of view, cloud providers like Amazon, for example, offer nice facilities. Like for example, there's CloudTrail in AWS that collects in a nice opinionated, consistent way the data that is coming from multiple cloud services.
So it's important from one point of view to go deep into the endpoint, into the processes, into what's executing, but also collect this information, like the CloudTrail information, and being able to correlate it too. There's no full security without covering all of the bases. So security is a matter of both granularity and being able to go deep and understanding what every single item does, but also being able to go broad and collect the right data sources and correlate it. And then the real time is really critical. So decisions need to be taken as the data comes in. So the streaming nature of security engines is becoming more and more important. So the step one of cloud security, especially cloud security posture management, was very much, let's poll once in a while. Let's invoke the APIs and see what's happening. This is still important, of course, you need to have the bases covered, but more and more the paradigm needs to change to, okay, the data is coming and second by second, instead of asking for the data manually once in a while, second by second, the moment it arrives, you need to be able to detect, correlate, take decisions. And so machine learning is very important, automation is very important, the rules that are coming from the community on a daily basis are very important. Let me ask you a question, because I love this topic, because it's a data problem at the same time, there's some network action going on. I love this idea of no perimeter, you're going to be monitoring or anything, but there's been trade-offs in the past, overhead involved, whether you're monitoring or putting probes in the network or different, there's all kinds of different approaches. How does the new technology with cloud and machine learning change the dynamics of the kinds of approaches? Because it's kind of not old tech, but it's the same similar concepts to network management and other things. What's going on now that's different and what makes this possible today?
Yeah, I think from the friction point of view, which is one very important topic here. So this needs to be deployed efficiently and easily and as transparently as possible, everywhere, to avoid blind spots and making sure that everything is captured. And from this point of view, it's very important to integrate with orchestration. It's very important to make use of all of the facilities that Amazon provides. And it's very important to have a system that is deployed automatically and not manually. That is in particular the only way to avoid blind spots because if manual deployment is employed, somebody will forget to deploy it somewhere where it's important. And then from the performance point of view, very much, for example, with Falco, our open source runtime security engine, we really took key design decisions at the beginning to make sure that the engine would be able to support and parse millions of events per second with minimal overhead, barely measurable overhead. When you want to design something like that, you know that you need to accept some kind of trade-offs. You need to know that you need to maybe limit a little bit the expressiveness of what can be done, but ease of deployment and performance were more important goals here. And it's not uncommon for Sysdig to have users of Falco or commercial customers that have tens of thousands, hundreds of thousands of machines, EC2 machines, and sometimes millions of containers. And in these environments, lightweight is key. You want depth, but you want overhead to be really minimal. Okay, so amusement park, a lot of diverse applications, so integration, I get that. Orchestration brings back the Kubernetes angle a little bit and Falco. And overhead and performance, cloud scale. So all these things are working in favor if I get that right. Is that, am I getting that right? You get the cloud scale, you get the integration and open source. Exactly, exactly. And it's like ingredients of a recipe, you know?
And with these ingredients, it's possible to bake a recipe to have a plate that can be more usable, more effective and more efficient than maybe the plates that we were doing in the previous generation. Okay, so I got to ask you about Falco because this came up a lot. We talked about it on our CUBE Conversations already on the internet. Check that out and great conversation there. You guys have close to 40 million plus downloads of this. You have also AWS Fargate integration. So some significant traction. What does this mean? I mean, what is it telling us? Why is this successful? What are people doing with Falco? I see this as a leading indicator and I know you guys were a sponsor in the project. So congratulations and propelled your business but there's something going on here. What is this as a leading indicator of? Yeah, and for the audience, Falco is the runtime security tool of the cloud native generation essentially. So when we did Falco, we were inspired by previous generation, for example, network intrusion detection system tools and host protection tools and so on. But we created essentially a unique tool that would really be designed for the modern paradigm of containers, cloud, CICD and so on. And Falco essentially is able to collect a bunch of granular information from your applications that are running in the cloud and is a rule engine that is based on policies that are driven by the community essentially that allow you to detect misconfigurations, attacks, anomalous conditions in your cloud applications. Recently, we announced the extension of Falco to support cloud infrastructure runtime security by parsing cloud logs like CloudTrail and so on. So now Falco can be used at the same time to protect the workloads that are running in virtual machines or containers and also the cloud infrastructure.
To give the audience a couple of examples, Falco is able to detect if somebody is running a shell in a Redis container or if somebody is downloading a sensitive file from an S3 bucket, all of these in real time. With Falco, we decided to go really, we started it at Sysdig, I was one of the team members that started it, but we decided to go to the community right away because this is one other ingredient, we were talking about the ingredients before and there's not a successful modern security tool without being able to leverage the community and empower the community to contribute to it, to use it, to validate it and so on. And that's also why we contributed Falco to the Cloud Native Computing Foundation so that Falco is a CNCF tool and is blessed by many organizations. We are also partnering with many companies including Amazon. Last year, we released the Fargate support for Falco and that was done as a project that was done in cooperation with Amazon so that we could have strong runtime security for the containers that are running in Fargate. Well, I got to say, first of all, congratulations and I think that's a bold move to donate or not donate, contribute to the open source community because you're enabling a lot of people to do great things and some people might be scared, they think they might be foreclosing a benefit in the future, but in reality, that is the new business model of open source. So I think that's worth calling out and congratulations. This is the new commercial open source paradigm and it kind of leads into my last question which is why is security well positioned to benefit from open source besides the fact that the new model of getting people enabled and getting scale and getting standards like you're doing makes everybody win. And again, that's a community model, that's not a proprietary approach. So again, open source, again, big part of this. Why would security benefit from open source? I'm a strong believer. I mean, that we are in a battle.
We could say we are in a war, right? The good guys versus the bad guys. The internet is full of bad guys and these bad guys are coordinated, are motivated, are sometimes well funded and well equipped. We win only if we fight this war as a community. So the old paradigm of vendors building their own ivory towers, in their own self-contained ecosystems and us as users, as customers, having many different environments that don't communicate with each other just doesn't take advantage of our capabilities, our strength as a community. So we are much stronger against the bad guys and we have a much better chance at doing this war if we adopt a paradigm that allows us to work together. Think only about, for example, I don't know, companies having to train their workforce on the security best practices, on the security tools. It's much better to standardize on something, build a stack that is accepted by everybody, and talent can focus on learning the stack and becoming a master of the stack rather than every single organization having a different tool. And then it's very hard to attract talent and to have the right people that can help you with your issues and with your goals. So the future of security is going to be open source. I'm a strong believer in that and we'll see more and more examples like Falco of initiatives that really start with the community and for the community. Like we always say in open, open wins always, turn the lights on, put the code out there. And I think the community model is winning. Congratulations, Loris Degioanni, CTO and founder of Sysdig, congratulations for your success. And thank you for coming on theCUBE for the AWS startup showcase open cloud innovations. Thanks for coming on. Thanks for having me. Okay, it's theCUBE. Stay with us all day long, every day with theCUBE, check us out theCUBE.net. I'm John Furrier, thanks for watching.
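The two detections Loris mentions in the interview, a shell spawned inside a Redis container and a sensitive object read from an S3 bucket, can be written as Falco rules. The rules file below is an added example for readers, not Falco's shipped ruleset and not code from the interview. It assumes a Falco deployment with the syscall event source for the first rule and the cloudtrail plugin loaded for the second, and it uses a placeholder bucket name (`sensitive-data`) and a placeholder Redis image match; the `spawned_process` and `container` macros are redefined here so the file stands on its own instead of depending on the default rules.

```yaml
# Added example, not part of Falco's default rules.
# Assumes: Falco with the syscall source (rule 1) and the cloudtrail
# plugin configured in falco.yaml (rule 2). The bucket name and the
# image match are placeholders to adapt to your environment.

# Fires once per successful exec, i.e. after the new program is running.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# True for any event that did not originate on the host itself.
- macro: container
  condition: container.id != host

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

- rule: Shell spawned in Redis container
  desc: >
    A shell binary was executed inside a container whose image name ends
    with "redis". A cache workload has no business starting a shell, so
    this is a strong signal of an interactive intrusion or a broken
    deployment that someone is poking at by hand.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and container.image.repository endswith "redis"
  output: >
    Shell spawned in Redis container
    (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, redis]

- rule: Object read from sensitive S3 bucket
  desc: >
    A CloudTrail GetObject record against the bucket that holds sensitive
    data. Requires S3 data events to be enabled on the trail, otherwise
    object-level reads never appear in CloudTrail at all.
  condition: >
    ct.name="GetObject" and ct.request.bucket="sensitive-data"
  output: >
    Object read from sensitive S3 bucket
    (user=%ct.user bucket=%ct.request.bucket key=%ct.request.key
    srcip=%ct.srcip)
  priority: WARNING
  source: aws_cloudtrail
  tags: [cloud, aws, s3]
```

Load it with `falco -r rules.yaml` (the syscall rule) or with the cloudtrail plugin listed under `plugins:` and `load_plugins:` in `falco.yaml` (the CloudTrail rule). Both rules evaluate on each event as it arrives rather than on a periodic poll, which is the streaming model described above, and the S3 rule only ever sees a `GetObject` if the trail records data events, so check that before relying on it.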