Good morning everyone, welcome back to theCUBE's coverage of VMware Explore 23 from the hub at Venetian Expo, Lisa Martin and Dave Vellante. This is our third day of coverage. We've been having great conversations with VMware executives, customers, partners, its ecosystem. We're going to have a great conversation and we're going to talk about cybersecurity, one of my favorite topics. We've got Jason Rolleston in here, VP and GM of Carbon Black. Jason, welcome to the program.
Hey, thanks for having me.
Give us a little bit of the picture of the snapshot of Carbon Black since the acquisition in 2019. What's going on?
Yeah, it's been a pretty interesting ride, I think for the whole company. So look, I think the first couple of years really aligned to the strategy that Pat Gelsinger and Sanjay Poonen were driving, intrinsic security, really building in, investing in the business, helping us grow and build our development expertise overseas. We built up sites in Bulgaria, we built up sites in India too, something that being part of VMware has been super helpful for. Did a lot of work on integration into the VMware tools, so end user computing, Horizon, work we've done in integrating with vSphere and then kind of evolving our offerings, a bit more focus on workloads and workload security. And then here recently, we kind of announced our cloud native detection response. So it's been an evolution, I think through that period of time and it's been a ride, but a lot of fun.
I mean, broadly speaking in the security space, I mean, obviously got Microsoft doing its thing, kind of, I hate to say narrow, but narrowly in Microsoft, there's nothing narrow about Microsoft, but you know what I mean, we're within their sort of captive base. And then another big theme seems to be consolidating the myriad tools that are out there. I'm inferring that in a lot of ways, you're kind of focusing on the VMware stack and that is adding value in that sense.
Are you participating in that consolidation theme anyway, or is it really more integrating to things like you were talking about, vSphere and Horizon, et cetera?
So it's a complicated story. I think the consolidation story is a big one for everybody, especially as the economic turn kind of changes, budgets are getting pressurized and people start saying, hey, wait a minute, do we really need to pay for this? Are we getting the value out of it? We've got multiple solutions, teams, are we getting most out of all those solutions that we really need them? So I think that's a pressure and it becomes more so when economic times turn. The flip side of it, cyber's very complicated and you start finding is that there aren't, it's not like there's one single user in cyber that would use all the tools. There are firewall teams and networking teams. There are kind of the security operation center that's looking at detection and response of incidents. You have teams that are kind of managing a lot of the times endpoint security that are separate. You have a cloud, all these teams, the DevSecOps teams, like these are actually five, six, seven different teams in many cases, all operating from different viewpoints. So I think the nuance of that consolidation story is a question of what are you consolidating for you? The people who really try to do pure budget consolidation, you can save money, but then you start putting yourself into situations where you're not working with the right tools or you have to give up on capabilities in some areas. So I think we've tried to be somewhere in the middle. We try to offer places where you absolutely can get some consolidation. Our focus at Carbon Black is on detection and response from the endpoint through the workload and now more recently into the cloud native environments and also incorporating networking in kind of NDR, network detection response, as part of that offering under our XDR label.
So that's kind of where we've been. At the same time we're absolutely integrated, as I said, with end user compute as part of that whole zero trust. So if you're thinking about, I'm logging into an application, is the Carbon Black agent there? Is the system safe? Yeah, we're there and we can kind of provide that information so that that decision can be made safely. Integrating with vSphere, VCDR ransomware recovery is another great example of where Carbon Black is helping to make recovery from ransomware more effective, but that's all happening kind of fully in the background and customers don't even need to know that Carbon Black's a part of that solution. So I'd say it's a mix. The industry is still, I think, a balance between that drive for budget and consolidation and ease of use. At the same time, within those domains, people still want best of breed tools. Like, cyber's hard. It's complex. It's difficult. You need the tools that are best suited for your individual purpose and professionals aren't really willing to trade on quality just for budget and those fights rage on between the proprietor, the practitioners and the folks upstairs.
That's kind of a counterpoised trend. When you think about consolidation versus best of breed, when you talk to the guys who are really doing well with consolidation and you ask them, well, can you do both? Can you be a consolidator and best of breed? And then of course the answer is, oh yes. Yeah. Okay, what do they got to say? What would you say to that? It's got to be very difficult to be even within a sector to be kind of all things to all people within that sector. Let's say for instance, I'm not worried about identity, but I'm going to try to do XDR and bring all that together. Hard to be best of breed and a consolidated play.
100%, I mean, I think in the range of which some people are trying to consolidate is enormous, right, it's well beyond that, right?
So look, our take here is Carbon Black really invented endpoint detection response back in 2012. Like that was something that the company brought to bear. And we've always been associated with that user, the SOC user, security operations, the incident responders, the people who are in detecting these advanced breaches, figuring out what's going on, responding and getting it resolved, right? And we started focused on endpoints. Again, that started to bleed into workloads a lot of times. And so for us, the natural expansion we've always been known for is depth of telemetry. It's like, look, how do we do more? How do we do more for that user? And there are two big obvious answers. One was network. So network has always been close to this space. Every EDR has some visibility into the network itself, but it's very light. It's just kind of this thing connects to this, this connects to this, right? So generally people are doing integration with the network, separate tool, bring the data in and try to make it work. It's really hard though. It's hard to connect this network connection to this specific system, this specific process, whatever it is. So we borrowed a page out of actually the NSX playbook, the massively distributed security, massively distributed inspection playbook and said, look, let's embed network capability in every endpoint, right? So this is something we launched back in March and it provides us network visibility from the view of the endpoint, every endpoint, every workload that's managed and we're able to see what's going on, identify anomalous traffic, tie that back to the endpoint and what's going on inside of it. So really interesting innovation that for our core users is like, great, that's better. That makes my job easier. It helps me track lateral movement. It helps me look at these more advanced threats, right?
And then more recently, cloud native detection response was us doing that same and extending it to modern application environments and saying, hey, you've got to look at those environments. You got to pay attention to Kubernetes and you got to pay attention to containers. We can do that within a tool and we can do that for a user that's used to using our tool. It's a very simple expansion for us and it's something they all need to step into. They want this visibility in the network. And if they're dealing with modern applications, they need that visibility there. So that consolidation story for us is actually quite natural because it's just an extension expansion story and it's staying focused on a user. I think where people get a little bit more trouble is when they start bridging users. You start saying, hey, we're going to do this but we're also going to nail the DevSecOps user and we're also going to nail this one and that one and then it gets really diffuse, right? It's very hard to deliver for that user. And so I think that's where we've tried to balance. Stay focused on one user, one domain.
So to that end, I mean, you definitely hear people talking about the network and security coming to you. Obviously Cisco talks about that but that's obviously self-serving. But there is that trend. So you talk about NSX, how do you see, I mean NSX has a lot of security tooling inside of it. How are you bringing those together? You sort of referenced that. You're not inside of the NSX group, right? There's sort of set of group. But how do you manage that?
So when I joined in about two years ago, we were actually combined with the NSBU for about a year and a half into something called the Networking and Advanced Security Business Group. So we did a lot of collaboration which is really what led to this XDR work. Technically, we're separate. So I should say that everything we do, we don't require NSX to be present.
We are using some of the code and specifically some of the code that came from a company called Lastline that was acquired in 2020. So we kind of use some of that code and I think we use the approach. Massively distribute how we look at networking, which I think is a really smart way to do it. This is what NSX is, like I can't look at everything if I try to put that on a device, that would be an enormous device in the data center. Just doesn't work. But if I massively distribute it at every host, it's a manageable thing. We've just taken that further. I said, look, why don't we do that at the endpoint regardless of whether it's virtualized or not. Could be a laptop, could be an EC2 workload, could be running on bare metal. We don't really care. We run everywhere. As Carbon Black, we have to protect all of those systems in sharing an approach. Now, we do integrate with NSX. And a great example of that is if we have a workload system that we detect that there's some problem on, we can actually pass a tag through for that system into NSX, which can tell NSX, hey, I've got a system, I need to shut it down. I need to segment it from the network, but I'm still gonna allow admin access to go in and investigate, a remote desktop to go in and see what's going on. So, or to just change where it's, what its permissioning is. So there are ways we play together. But I should say we're fully independent in terms of our tech.
Can you run everywhere, because you can put your agent anywhere?
Yeah, sensor runs wherever it needs to run. Again, bare metal, virtualized, now containers, wherever your kind of most important workloads and the endpoints that kind of support your business run, that's where we're there for.
So all of this work and from an integration perspective done during the pandemic, I'm curious what, how did the pandemic kind of catalyze the strategic direction of Carbon Black as the workforce became remote overnight and we're still, now we're in this hybrid environment.
Look, I think the move to home accelerated something that a lot of endpoint companies had been seeing for a while. There's a lot of talk now, the zero trust talk. It's all very much about how the perimeter to the network has become very porous. It used to be, I'm inside my castle. If I'm inside the castle, I'm fine. It's build the walls and I'm fine. And now we know that's not really true. You have to-
Green, left or castle?
Well, it's a combination. A, the walls are much more porous. And B, a lot of times you're outside. A lot of times like you guys, your laptop's here. There's no network here to defend you, right? The only thing that's here is what's present on your system. The endpoint has to be more standalone. I think that's been true for a long time, but companies may or may not have realized that they didn't have as many workers who were taking systems outside the home and all of a sudden, wait a minute. We had some basic protection. We needed a much more advanced capability. And I think that drove a lot in the industry. Oh, look, I think we were poised in the right place because we've been pitching and driving to that all along.
How are you using AI specifically inside?
Yeah, so a couple of big places. One, we've been using AI and ML for a long time for detection of threats. Like that's, I'd say, common and expected in cybersecurity. One of the more recent things we've done is actually applied machine learning to alert triage. So as you generate alerts, one of the biggest challenges you have is false positives. How do you get those kind of honed in? Well, look, we're learning from users. So as users interact with the system and say, oh, that's not real and don't investigate it.
We go, oh, okay, great. We'll take that into account. And so we actually change the way alerts show up. And that's all using AI and ML to kind of make decisions about what comes in. And look, there's a lot more that's kind of in investigation. I think we're trying not to be hasty and just jump on the ChatGPT and throw out some feature that is name, cool, whatever. We want to make sure what we're offering is kind of offering real value to the customers. And so we'll see. There's a lot of projects going on.
You mentioned some of the personas before are trying to service them. You look at what the cloud has done is it's created this first line of defense. And then you've got the app dev team is being asked to your point to shift left and secure things. And it's really not their thing, but they have to do it now. And you've got the DevSecOps team, which always cares. You've got audit is sort of the last line of defense. So you have all these different personas. And now you've got multiple clouds. So you've got multiple shared responsibility models across clouds. You've got different development environments across clouds, different security policies across clouds. So you end up with this another mosaic and another nightmare. How do you see that playing out? And I guess VMware's strategy is to help consolidate all that with your cross cloud strategy.
Yeah, I mean, look, I think as with all things, you go through this phase of innovation and experimentation and it's just the blow. It's the expansive, we try everything. And at some point like, well, wait a minute, we got to figure some level of standardization, right? Some way to approach this in a more consistent fashion, right? So absolutely, I mean, VMware is offering a whole set of capabilities aligned around that. From our side, it's kind of back to that core thought.
Like, look, you need to be able to do detection or response for your entire environment, regardless of whether it's on-prem laptops at home, laptops in the office, workstations, workspaces running on VMware, in the cloud, modern apps. You need to be able to do that same thing consistently across that base. And that's what we're offering from a security tool. So look, we don't really care. I can say it that way. We absolutely have capabilities that align if you're in AWS or Azure or GCP, we show you inventory, we're able to do some things on deployment, et cetera. Modern apps I talked about already. So we're providing the capabilities you need to do that, but you can do it consistently. Your process workflow doesn't change because you've added modern apps or a new cloud. You just have that flowing into the same console. So I think finding those opportunities become really big. Finding tools that allow you to operate across all that because the knee-jerk reaction, especially in cyber, is something new. I need a new tool. Who's got the new tool? And there's like 15, if not 20 startups going, oh yeah, you totally need this new tool. Those guys are off. You need this. And then you end up with too many tools and you're going from one to the next to the next. And then your process is complicated. You're training people. These people are turning over. It's impossible. So I think you have to find these opportunities to say, how can I do something in a consistent fashion as best I can across that and make this thing manageable? And that's where we've been put.
Well, to your point about the myriad security tools that organizations have, how is Carbon Black an accelerator or a catalyst in organizations condensing, consolidating, getting that single pane of glass view over their key endpoints, apps, cloud?
So again, I think you have to look at consolidation in domains. I don't think there will ever be one tool to rule them all. Thankfully for that.
I think they're always going to be, okay, who are the users? What does that exist in? Can we consolidate tools for them? How can we simplify and kind of reduce the number of things they're looking at? And you just have to do that kind of domain by domain and hopefully you're getting to a better place. In some sense, we're saying, hey, we can do that for the SOC, for detection and response. And we can make your life a lot better. We're collecting really great data. It's deep, it's detailed, it's connected to the network at the endpoint. You're getting both of those contexts, you're getting containers. That's a huge step. That's better than having five tools there.
And I think this is a problem. Like any big problem, how do you solve it? You break it into small chunks. So most companies are sitting on 60, 65, some are over 100 security tools. I mean, it's not like three. It's not like 10. It is an enormous amount. So if I can take that from 60 to 55 to 50, like still a pretty big reduction in complexity, especially if I'm focused on workflow and I'm focused on outcomes. So my job is necessarily to remove 10 tools from an environment. My job is to better achieve the outcome of detecting and responding to threats more effectively, cost effectively, time, you know, all those fronts. If I can do that and I can take some tools out of the environment that help pay for my cost. Fantastic, easy. Right, it's cost reduction for sure. But it's the mission immense is kind of where we try to stay oriented. We're not going into people and saying, you should save money on security. I hate to say you should and try to find ways to be optimized about it. But you got to be careful, right? I think you never want to be the one to say, hey, we saved a lot of money. It's like, yeah, but we got breached but we saved a lot of money. Maybe that trade-off wasn't quite right.
Well, and you know, you saw when the tech spending contracted, you saw cyber spending held up better and then it broke down. And then it sort of came back and then it sort of hanging in there. But still now you got AI and people are making trade-offs. The AI's popped back up and people are stealing. It's not like the budgets, you know, have grown, right? So you still see those macro headwinds or is it abated a little bit as we start entering the end of the year?
I think there's just pressure in their questions asked, which is why it comes back to value and what you're delivering in terms of outcomes. So I think the ultimate, if you're sitting on 60, 65 tools, so many like, I don't know that all of these are useless. I'm pretty sure some of them are not delivering to the max and maybe you're not returning the money we're spending on them. So you start asking questions about each of those. I think there's more pressure, there's more intensity and freer times in the sort of the pandemic is like, oh my God, we got to handle this new thing and we've never seen it before. Throw money at it, go do whatever you need to do because we're just trying to survive through this. And now like, wait a minute, does that, do we really need a tool for cloud and for this and for that? Does that really make sense? And so you see people asking questions. I think security always holds up well in these environments because the threats don't go away. If anything, they get worse. The war in Ukraine, socio-political stuff, they just get worse. They get more complicated. I spent a lot of time this week talking about ransomware and the extent to which ransomware is a much more sophisticated attack these days than it used to be. It's like a breach and they're doing double extortion. It's expensive. Like it's not just, they're going to take your data and then they're going to try to encrypt you at the end. Stopping the encryption doesn't protect you from ransomware.
You've already been hit by the time they get to that. So that doesn't stop, which is why people have to keep investing, but I think there is pressure to say, are we investing well? Are we getting a return on it? Is it actually working? Is there a way that it's actually causing us problems in a personnel front because we have people leaving because they can't operate effectively or it's a really awful job? So I think you have to have a, more of a business conversation, but the need's still there, the budgets are still there and it's just, maybe the diligence that we should have had all along, you could argue, but return to normal in some ways.
That sounds good. Jason, thank you so much for coming on, describing the evolution of Carbon Black, what's new, what customers can get their hands on and some of the trends that you're seeing in the security landscape, we know it's ever changing. We're definitely going to keep our eyes on this space.
Thank you so much for having us. We're super excited. We've been doing some great innovation. It's a crazy world out there, but we keep pushing forward and we're thrilled to see what's up next.
Excellent, we'll keep our eyes peeled. For our guest and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE. VMware Explore Day Three of our coverage continues next.