From the SiliconANGLE Media Office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante.

Hi everybody, this is Dave Vellante, and welcome to this special CUBE conversation on a very important topic, cyber security and cyber resiliency. With me today is Stefan Voss, who's the Senior Director of Product Management for Data Protection Software and Cybersecurity and Compliance at Dell EMC. Stefan, thanks for coming on helping us understand this very important topic ahead of RSA World.

Yeah, my pleasure, thanks Dave for having me.

You're welcome, so let's talk about the environment today. We have for years seen, you know, backup, we're seeing backup evolve into data protection. Obviously disaster recovery is there, certainly long-term retention, but increasingly cyber resilience is part of the conversation. What are you seeing from customers?

Yeah, definitely, we're seeing that evolution as well. It's definitely a changing market and what a perfect fit, right? We have to worry about right of breach, what happens when I get attacked, how can I recover? And the technologies we have, right, that we have for business resiliency, backup, they all apply, they all apply more than ever, but sometimes they have to be architected in a different way. So folks are very sensitive to that and they realize that they have great technologies.

I'm glad you mentioned the focus on recovery because we have a lot of conversations in theCUBE about the CIO and how he or she should be communicating to the board or the CISO, how they should be communicating to the board. That conversation has changed quite dramatically over the last 10 years.
Cyber is a board level issue; when you talk to certainly large companies, every quarter they're talking about cyber and not just in terms of what they're doing to keep the bad guys out, but really what the processes are to respond, what the right regime is. Cybersecurity is obviously a team sport, it's not just the responsibility of the CISO or the SecOps team or the IT team, everybody has to be involved and be aware of it. Are you seeing that awareness at board levels within your customer base and maybe even at smaller companies?

100%, I think the company's size almost doesn't matter, everybody can lose their business fairly quickly. And there's one thing that NotPetya, that very bad sort of attack, told us, is that it can be very devastating. And so if we don't have a process and if we don't treat it as a team sport, we'll be uncoordinated. So first of all, we learned that recovery is real and we need to have a recovery strategy. Doesn't mean we don't do detection, so the NIST continuum applies. But the CISOs are much more interested in the actual data recovery than they ever were before, which is very interesting. And then you learn that the process is as important as the technology. So in other words, Bob Bender, fabulous quote from Founders Federal, the notion of sweating before the game, being prepared, having a notion of a cyber recovery runbook, right? Because the nature of the disasters are changing. So therefore we have to think about using the same technologies in a different way.

And I said that at the open, things are shifting from just a pure backup and recovery spectrum to much broader. The ROI is changing. People are trying to get more out of their data protection infrastructure than just insurance. And certainly risk management and cyber resiliency and response is part of that. How is the ROI equation changing?

Yeah, I mean, it's a very valid question. We do have, people are asking for the ROI. We have to take a risk based approach, right?
We are mitigating risk. It's never fun to have any data protection or business resilience topology because it's incremental cost, right? But we do that for a reason. We need to be able to have an operational recovery strategy, a recovery strategy from a geographic disaster and of course now more so than ever a recovery strategy from a cyber attack, right? And so therefore we have to think about, not so much the ROI, but what is my risk reduction, right? By having sort of that process in place but also the confidence that I can get to the data that I need to recover.

And we're going to get into that a little bit later when we talk about the business impact analysis but I want to talk about data isolation. Obviously ransomware is a hot topic today and this notion of creating an air gap. What is data isolation from your perspective? What are customers doing there?

Yeah, I mean, I think almost every customer has a variant of data isolation. It's clear that it works. We've seen this from the NotPetya attack again where we were at a large logistics company, right? Found data of the domain controller on a system that went maintenance in Nigeria. So a system that was offline but we don't want to operate that way. So we want to get the principles of isolation because we know it kind of reduces the attack surface, right? From the internal actor, from ransomware variants, you name it, right? All of these are, when you have stuff on the network it's theoretically fair game for the attacker.

So that Nigeria example was basically by luck there was a system offline under maintenance that happened to be isolated and so they were able to recover from that system.

Absolutely, and another example was, of course critical data, that domain controller because that's what this attack happened to go after was on tape. And so this just shows and proves that isolation works.
The challenge we were running into with every customer we worked with was the recovery time. Especially when you have to do selective recovery more often, we want to be able to get the benefits of online media but also get sort of the benefits of isolation.

Yeah, I mean, you don't want to recover from tape. Tape is there as a last resort and hopefully you never have to go to it. How are customers sort of adopting this data isolation strategy and policy? Who's involved? What are some of the prerequisites that they need to think about?

Yeah, so the good thing, first things first, right? We have technology we know and love so our data protection appliances where we started architecting this workflow that we can use. So in other words, you don't have to learn a new technology, buy something else. There's an incremental investment, yes. And then we have to think about who's involved. So that earlier point, the security folks are almost always involved and they should be involved. Sometimes they fund the project. Sometimes it comes out of IT, right? So this is the collaborative effort and then to the extent it's necessary, of course you want to have GRC so the risk people involved to make sure that we really focus on the most important critical assets, right?

Now ahead of RSA, let's talk a little bit about what's going on in that world. There are security frameworks, NIST in particular, is one that's relatively new. I mean, it's kind of 2014, it came out, it's been revised, really focusing on kind of prevent, detect and very importantly respond, something we've talked about a lot. Are people using that framework? Are they doing the kind of self-assessments that NIST prescribes? What's your take?

Yeah, I think they are, right?
So first of all, they are realizing that leaning too much left of breach, in other words, hoping that we can always catch everything, sort of the eggshell perimeter, everybody understands that that's not enough so we have to go in depth and we also have to have a recovery strategy. And so the way I always like to break it down pragmatically is one, what do I prioritize on, right? So we can always spend money on everything but doing a business impact analysis and then maybe governing that in a tool like RSA Archer can help me be a little bit more strategic. And then on the other end, if I can do a better job coordinating the data recovery along with the incident response, that'll go a long way. You know, and of course that doesn't forego any investment sort of in the detection but it is widely adopted.

One of the key parts about the NIST framework is understanding exposure in the supply chain where you may not have total control over one of your suppliers' policies but yet they're embedded into your workflow. How are people handling that? Is there a high degree of awareness there? What are you saying?

It is absolutely, that's why product security is such an important element and it's the number one priority for Dell security even above and beyond the internal sort of security of our data center, as crazy as that sounds, because we can do a lot of damage right in the market. So certainly supply chain, making sure we have robust products all along the way is something that every customer asks about all the time and it's very important.

Let's come back to business impact analysis. We've mentioned it a couple of times now. What is a business impact analysis and how do you guys go about helping your customers conduct one?

Yeah, I mean, let's maybe keep it to that example. Let's say I go through this analysis and I find that I'm a little bit fuzzy on the recovery and that's an area I want to invest.
You know, and then I buy off on the concept that I have an isolated or a cyber recovery vault and an isolated enclave onto which I can then copy data and make sure that I can get to it when I have to recover. The question then becomes, well, what does business critical mean? And then that's where the business impact analysis will help to say, what is your business critical process? Number one, number two, what are the associated applications, assets? Because so when you have that dependency map it makes it a lot easier to start prioritizing what applications do I put in the vault in other words, right, in this specific example. And then how can I put it into financial terms to justify the investment?

Well, we were talking about ROI before. I mean, really we've done actually quite a few studies looking at Global 2000 and the cost of downtime. I mean, these are real tangible metrics that if you can reduce the amount of downtime or you can reduce the security threat, you're talking about putting money back in your pocket because Global 2000 organizations are losing millions and millions of dollars every year. So it is actually hard ROI even though some people might look at it as softer. I want to talk about isolated data vaults, this notion of air gaps. What are you guys specifically doing there? Do you have solutions in that area?

Yeah, we do. So we are using luckily, so the concepts that we know from business resiliency, disaster recovery, right? So our data protection storage, which is very robust, it's very secure, it has very secure replication. So we have the mechanisms to get data into the vault. We have the mechanisms to create a read-only copy, so an immutable copy that I can then go back into. So all of this is there, right? But the problem is how do I automate that workflow? So that's a software that we wrote that goes along with the data protection appliance sale.
And what it does, it's all about ingesting that business critical data that I talked about into the secure enclave, and then rendering it into an immutable copy that I can get to when I have nowhere else to go.

Okay, so you've got that gap, that air gap. Now, the bad guys will say, hey, I can get through an air gap, I can dress somebody up as a worker and put a stick in. And so how much awareness is there of that exposure? And I know it's maybe, we're hitting the tip of the pyramid here, but it's still important. Can you guys help address that through whether it's processes or product or experience?

100%. So we have, of course, our consulting services that will then work with you on elements of physical security. Or how do I lock down that remaining replication link? It's just about raising the bar for the attacker to make it more likely we'll catch them before they can get to really the prized assets. We're just raising the bar, but yes, those are things we do. So consulting, physical security. How do I do secure reporting out? How do I secure management going in? How do I secure that replication or synchronization link into the vault? All of these are topics that we then discuss if they kind of deviate from the best practices and we have very good answers through our many customer engagements.

Stefan, let's talk about some of the specific offerings. RSA is a portfolio company in the Dell Technologies Group. It's a sister company of Dell EMC. What are you guys doing with RSA? Are you integrating with any of their specific products? Maybe you could talk about that a little bit.

Yeah, I think so. When you think about recovery and incident response being so important, there's an obvious, right? So what RSA has found, I thought this was very interesting, is that there's lack of coordination between typically the security teams and the data professionals, data restoration professionals.
So the more we can bridge that gap through technology, reporting, the better it is, right? So there's a logical affinity between an incident response retainer, activity, and the data recovery solutions that we provide. That's one example, right? So because every day counts, that example that I talked about, NotPetya, the specific customer was losing 25 euros every day. If I can shave off one day, it's money in the bank or money not out of the bank. The other area is how do I make sure that I'm strategic about what data I protect in this way? That's the BIA Archer. And then there's some integrations we are looking at from an analytics perspective.

Archer being the sort of governance, risk and compliance, workflow, that's sort of one of the flagship products of RSA. So you integrate to that framework. And what about analytics? Things like IOC, RSA NetWitness, are those products that you're sort of integrating to or with or leveraging in any way?

Yeah, first off, analytics in general, it's an interesting concept. Now we have data inside our secure enclave, right? So what if we could actually go in and give more confidence to the actual copies that we're storing there? So we have an ecosystem, from an analytics perspective, we work with one specific company. We have a REST API based integration where we then essentially use them to do a vote of confidence on the copy of the raw backup. Is it good? Are there signs that it was corrupted by malware and so forth? So what that helps us do is be more proactive around our recovery because if I knew, I think you're about to say something, but if I knew there's something suspicious, then I can start my analytics activity that much sooner.

Well, the light bulb went off in my head. That's what I was, because if I have an air gap, and I was saying before, it's necessary, but insufficient.
If I can run analytics on the corpus of the backup data and identify anomalies, I might be able to end run somebody trying to get through that air gap that I just mentioned before. Maybe it's a physical security breach and the analytics might inform me. Is that a reasonable scenario?

It is a reasonable scenario, although we do something slightly different. So first of all, detection mechanisms, left of breach stuff is what it is. We love it, we sell it, we use it. But when it comes to backup, there are not off-the-shelf tools we can just use and say, hey, why don't you scan this backup? It doesn't typically work. So what we do is in the vault, we have time, we have a workbench, so it's almost like sending a specimen to the lab, and then we take a look at it. Are there any signs that there was data corruption that's indicative of a ransomware attack? And when there is such a scenario, we say you might want to take a look at it and do some further investigation. That's when we then look at NetWitness or working with the security teams. But we can now be of service and say you might want to look at this copy over here. It's suspicious, there's an indicator of compromise and then take the next steps, other than hoping for the best.

You mentioned the ecosystem before, I want to double click on that. So talk about the ecosystem, as we said here, it's a team sport, you can't just do it alone. From a platform perspective, is it open? Is it API based? Maybe you could give some examples of how you're working with the ecosystem and how they're leveraging the platform.

Yeah, 100%. So like I said, so we have our data protection appliances and that's sort of our plumbing to get the data to where I want. We have the orchestration software. This is the part we're talking about. The orchestration software has a REST API. Everything's documented in Swagger.
And the reason we did that is that we can do these orchestrations with third party analytics vendors. That's one use case, right? So I'm here, I have a copy here. Please scan, tell me what you find and then give me an alert if you find something. The other example would be maybe doing a level of resiliency orchestration where you automate the recovery workflow beyond what we would have to offer. There are many examples, but that is how we are enabling the ecosystem essentially.

You mentioned Founders Federal earlier. Is that a customer, is that a reference customer? What can you tell me about them?

Yeah, it's a reference customer and they very much saw the need for sort of this type of protection. And if we've been working with them, there's a Dell World last year session that we did with them. And very much the same sort of like the quote said, focus on the process, not only the product and the set of technologies, right? So that's how we've been partnering with them.

The quote being sweat before the game, that came from Founders Federal, that's a great quote. All right, we've talked a lot about just sort of general terms about cyber recovery. What can you tell us, tell the audience what makes Dell EMC cyber recovery different in the marketplace and relative to your competition? How do you pitch me?

Yeah, I mean, I think it's a very unique capability because one, you need a large install base and sort of a proven platform to even build it on, right? So when you look at the Data Domain technology, we have a lot to work with and we have a lot of customers using it. So that's very hard to mimic. We have the orchestration software where we I believe are ahead of the game, right? So the orchestration software that I talked about that gets the data into the vault securely and then our ecosystem, right? So those are really the three things. And then of course we have the consulting services which is also hard to mimic to really design the process around this whole thing.
But I think the ecosystem sort of approach is also very powerful.

You have a big portfolio, you got the sister company that's sort of well known obviously in this business. Do you also have solutions? I mean, for instance, is there an appliance as part of the portfolio that fits in here? And what is that?

Yeah, so you can think of this as if I wanted to really boil it down the two things I would buy is a Data Domain. It could be the smallest one and a VxRail appliance that runs the software and then I stick that in the vault and then there's sort of that product. So you can think of it as an appliance that happens to go with the software that I talked about that does the orchestration.

Okay, so RSA, the premier conference on cyber coming up in a couple of weeks. What do you guys got going there? Give us a little tease.

Yeah, absolutely. So it's going to be an awesome show and we will have a booth and so we look forward to a lot of customer conversations and we do have a panel. It's going to be with MasterCard and RSA and myself and we're really going to take it from left of breach all the way to right of breach.

Awesome, do you know when that panel is yet?

It is, I think on the fifth, I have to check.

Which is, which day?

It's a day. I want to say it's Wednesday. So it starts on the Monday, right? So that'll be day three.

So check the conference schedule. I mean, things change in the last minute, but that's great. MasterCard is an awesome reference customer. We've worked with them in the past and so that's great. Stefan, thanks very much for coming to theCUBE and sharing some of your perspectives and what's coming up at RSA. It's good to have you.

Thanks so much, David. Appreciate it.

Okay, thanks for watching everybody. This is Dave Vellante from our East Coast headquarters. You're watching theCUBE.