Hi everybody, welcome back to theCUBE's coverage of RSA 2023, we're here at Moscone West. All the action is going on, keynote action is here. South and North is insane. I mean it's just vendor booths and the traffic of the practitioners and the vendors and the technologists and the consultants and the analysts, it's just out of control. Raj Rajamani is here, he's the chief product officer of DICE, which is CrowdStrike. And I want to learn more about what you guys have going on. Data, Identity, Cloud and Endpoint is what DICE stands for. Raj, welcome to theCUBE, good to see you.

Thanks Dave, thank you for having me.

Yeah, our pleasure. So you're telling me off camera, you're relatively new to the company.

Yes.

Why did you join CrowdStrike?

I think CrowdStrike over the years has tackled some of the most relevant and deep cybersecurity challenges and proven that they can scale it and protect most of the brands that we all use every day. So when I had the opportunity to join this winning team, it was a no-brainer for me to bring my craft to a company that will allow me to paint on a much broader canvas than I had earlier.

So you guys talk about cloud native application protection, CNAP, we're going to talk about that. But before we get into it, it's like, why is protecting apps so difficult?

I think there's a tremendous amount of diversity in apps, as well as, when they get deployed into the cloud, how companies are approaching the cloud. Many of them are taking a multi-cloud strategy in order to have some level of pricing control and leverage, as well as making sure that they don't have all their eggs in the same basket. So when you add all of these components together, Dave, the complexity just explodes to the point where you cannot really be managing security with a few simple solutions. And that has led to a proliferation of point products and solutions like CSPM, like CIEM.
And that's where I think things have kind of gone a little too far, and I suspect in the next few years we expect things to kind of come together and consolidate a little bit in an effort to solve the cloud security challenges.

Well, the other thing too is customers, they want different tooling that might exist on different clouds. Somebody might say, yeah, I really like BigQuery, so I want to do some stuff with Google and I want to use their AI, or now, hey, I want to go to Azure because they got GPT now. And so that, as much as we think that that might stop, it's probably not going to stop. So that's probably good news for you guys. But what's your CNAP strategy, kind of vision and your story?

Okay, in one single sentence, we stop breaches. And this is something that CrowdStrike coined, this particular phrase or tagline, well over a decade ago. And it is very timeless and it's very elegant, so appropriate to what we are actually doing. And this is also the reason why we've been so successful in cloud security, right? So I mentioned, Dave, that because of the complexity, it has given rise to a number of point products like CSPM products like Wiz, Orca, Ermetic and so on. And a number of them have solved a very, very important subset of problems like identifying misconfigurations and exposures and vulnerabilities. But they have also in the very recent past, in the last three months, essentially kind of said, hey, there is more to cloud security than just misconfigurations, than exposures and vulnerabilities. You need runtime protection. So what are these vendors who excel at a one-trick product doing? They're all partnering with different vendors like SentinelOne to try bolting together or bringing together a more comprehensive CNAP product or solution to the market. And that's where I think CrowdStrike has played the long game over the years. We have always focused on stopping breaches.
And we are also one of the preeminent incident response vendors or service providers for anyone that is compromised, that has a breach. So when we go in, we actually do a lot of analysis, and the metrics are very compelling. We have seen a dramatic increase in the number of adversaries that are trying to recon or understand your cloud assets and topology. There's been a 95% increase in the number of cloud-based exploits year over year. They're also using a lot of identity-based attacks. So if you look at the most common reasons why cloud security gets compromised, Dave, the number one reason is misplaced or lost credentials. Number two are various misconfigurations. I'm sure you've read about some company that put their customer data into an S3 bucket that someone else was able to read. I've seen some data protection companies actually do that. And number three is classic exploit of the vulnerabilities. So you need to cover the entire spectrum. And of course, over the last few years, there's also been an increasing concern around supply chain attacks, right? So there are very, very few solutions that are able to cover the spectrum, the entire spectrum, starting from scanning the code to make sure that they do not have any back doors, any malware, any hidden secrets before they get deployed into the workloads. Products that can also protect you in runtime against runtime attacks, protect you against credential theft and lateral movement of these attacks, as well as the classic misconfigurations and runtime and the exposures and vulnerabilities. And that's where we come in, by pulling all of these things together into a single platform, which is our Falcon platform. And the beauty of this whole solution, Dave, is that every piece of data that we collect essentially goes into three different places. If it's threat-related, it goes into a threat graph. If it's asset-related, it goes into an asset graph.
And if it's an activity log, it goes into our XDR backplane or data plane, right? And using these three, we are able to kind of stitch together, correlate attacks across multiple different vectors. So if there was a misconfiguration or a vulnerability which got exploited by an attacker, we are able to actually string those together and provide you fewer alerts that actually lead to better results for the customer.

Okay, lots unpacked there. Start with We Stop Breaches. I hear George on the radio all the time. George Kurtz is the CEO of CrowdStrike, talking about it. That's kind of, I like when the CEO gets on and says, you know, I'm going to stand behind my product. So that's a good thing. Let's go back to sort of cloud security in general. So people, I think, have this perception that, well, it's in the cloud, so it's secure. But as you're pointing out, there's a lot of misconfigurations. There's certainly a number of hard-coded secrets in code. It's a lot of the same sort of alerts that are causing most of the problems, as we know. So when you think about the fundamental principles or the first principles of cloud security, how do you guys think about that?

So one of the core principles is you stop and try to identify and discover problems as early in the chain as possible. Because that is the best way for you to keep your costs low. And hence, I mentioned that we have one of the best code repository scanning technologies in the market today. We integrate with 16 different repositories, whether it be Docker Hub, GitHub, you know, Amazon's ECR, the Google and Azure versions of it, or even Mirantis, JFrog. Even before the code gets deployed, we can actually scan the code to make sure that there are no vulnerabilities, no malware, no backdoors. And if you can prevent something that has a known backdoor from even getting deployed, that is the best time to stop the attack, right? Because, you know, attackers have one less easy way to kind of get in the door.
However, we also believe in defense in depth or defense in layers, because no one solution is going to stop all kinds of attacks, right? And I think this is what the CSPM vendors are starting to realize, that, hey, while it's great to identify all the misconfigurations and vulnerabilities, that by itself is not enough to prevent breaches. A lot of the incident response services or activity that we get pulled into, Dave, are the same companies that are using one of these CSPM products. So for us to be able to go in and see this, you know, tells us that, hey, there are no silver bullets. You need to kind of layer your security and you need to try stopping attacks as early in the chain as possible.

You know, I always say, if I said it once, I said it a hundred times, that bad security practices will trump good security every time, right? So, but that notwithstanding, what are you seeing in terms of the greatest, the biggest vulnerabilities specifically in cloud security? Where should we be paying attention? Where are those gaps?

I would say the biggest gap right now when I talk to my customers is having the identity pieces tied to your runtime protection, right? There are very, very few products that are actually bringing together aspects of credential theft, securing the credentials. This goes back to my earlier observation, Dave, that the number one reason for exploits and attacks and compromises in the cloud is due to stolen or misplaced credentials, right? Because that's the easiest way for anyone to get in, and there are very, very few products that are able to kind of string together and correlate the information, the activity of users, their service accounts, to the different types of changes that are happening in the environment, to the runtime attacks that they may be observing, and also to some of the vulnerabilities that may be out in the open.

So, do you get there that, Rohit Ghai had a keynote, you know, identity crisis, which I thought was very clever.
In fact, I stole it, but I gave him credit in a couple of posts that I wrote. But so, but how do you do that? You partner with, you know, identity players, like an Okta, to achieve that, or others? How do you, you know, where are the seams and where are the gaps? And how do you solve them?

So let's actually talk about one of the best kept secrets of cloud security. So over the last few years, we've organically built a lot of these capabilities. There were one or two acquisitions that we also made, the most notable one being Preempt Security, which is now fully integrated into our Falcon platform. And what Preempt does is it really helps us understand attacker activity. If they get a foothold on your network, they're performing recon, if there are, you know, certain risks and even misconfigurations of your Active Directory. For instance, are there users with SPNs, service principal names, right? Are there certain inactive accounts? Because a lot of times customers do not have the clean hygiene that is required to make sure that when someone leaves the organization, their accounts are disabled, deleted, whatever, right? And we are able to assess the risk of Active Directory. We are able to monitor the activity of the users. If someone uses a password that we know has been stolen, we can actually, you know, we have a list of all the compromised passwords and we can tell you that that is a weak password while that is happening. When we detect certain types of malicious activity, we can immediately jump in and either block it or ask the user for a multi-factor authentication. Thereby preventing a lot of the interactive intrusion attempts that are happening, which we definitely have reported about in our global threat report; there's been a significant increase in those types of attacks by our adversaries.

You'll do that in real time.

Yes.

We've all experienced that. So, I can't get in, or it's going to validate me with an MFA.

Okay, that's right. It's okay.
How about this issue of agent versus agentless? You guys have a, I think you call it a lightweight but powerful agent. I think that's the terminology that you use. People hear agent. They go, oh no, something else that has to be managed. At the same time, if you're agentless, you have some deficiencies. So maybe explain that.

I think, you know, we embrace both agent and agentless approaches, and there are different times when an agent-based approach is superior to an agentless one, and there are times when an agentless one is probably the best or the only available option. Let's take the classic example of looking for vulnerabilities. A lot of times, at least earlier, we used to scan for vulnerabilities from the network. There was also an option to put an agent, or as we call it the sensor, to discover the vulnerabilities, and that gives you the most high-fidelity as well as real-time information about vulnerability. So let's say you have a version of an application. You upgrade to a newer version. We know that that vulnerability no longer exists, and we know that in real time without you having to perform a scan. But then, when many of these concepts moved to the cloud, Dave, customers were struggling with both these concepts. They were struggling to put the agent. They were also struggling to scan, which is where the CSPM vendors came in and had a very innovative solution called side-scanning or agentless scanning. Fundamentally, they were mounting the devices or the virtual machine images and scanning for it in a different place, not necessarily in the production environment. That reduced the load or any kind of imperfections that you may have when you're scanning or probing a live production workload, but gave the same level of information or insights that customers were looking for. And that, I thought, was a very cool, innovative way of identifying vulnerabilities.
However, in our case, because we have a sensor that also offers runtime protection, which is absolutely critical to preventing breaches, we do recommend, we make it very, very simple for our customers to deploy the sensor wherever it is supported. However, there are many, many instances where the sensor is just not supported. Let's take a couple of examples, right? If you look at functions, you know, Lambda or Google Functions or Azure Functions, those do not have a sensor concept. There is no place to deploy an agent to. So what do you do in those situations? We effectively would use an agentless approach, and we are totally good with it, right? We want to use the right tools, not because they are an agent or an agentless approach, but because we want to stop the breach, and we will use any number of those techniques. We have no religion here other than to stop breaches.

But if I understand it correctly, Raj, if you can use the agent, you will. Because it's going to give you better protection. That's going to be a higher probability that you'll stop the breach. If you can't, then you'll use a scanning technique, and that's yours or the cloud's or whosoever.

It's a combination. So in some cases, there are APIs that are available. In some cases, we would do a side-scanning. So it is absolutely the right horse for the right course.

So when you come in as the new Chief Product Officer, what are you looking for? What's the doctor that took the patient? What's the diagnosis say? Annual checkup, healthy, but you need to lose a little weight. If you want to gain, you got to do some bench presses. What was your diagnosis, Dr. Raj?

So the diagnosis is that the patient is ready to check out and actually go win a race, right? And there are a couple of people who've been running this race for a long time, and one of them is Nikesh from Palo Alto and the other is Wiz.
And they've been running this game where they've been talking about a lot of the compliance and things that are doing a lot of things. They're definitely solving a lot of interesting problems. But in terms of outcome, I think customers are still struggling, and that's exactly what I've been hearing the last 48 hours as I've been meeting customers, Dave. And I believe this patient is now ready to check out and go run a race, and you'll start seeing us being far more vocal about our cloud security capabilities in the coming weeks and months.

Tell me more about what customers are saying. What are those conversations like?

So the main conversation, especially when it comes to Wiz, is that, hey, they've solved one problem. They still do not offer any protection capabilities. Now they're partnering with some other vendor. It's still going to be disjoint. We don't even know when the joint solution will be available, and when it is available, what form it'll be available in. It definitely is not going to be as well integrated as when everything is coming together in this single platform, which is Falcon. With Prisma, customers absolutely love the breadth of capabilities that Prisma has put together. But remember that it actually has come on the heels of about 10 or 11 different acquisitions. Now, while they brought it all together under the Prisma umbrella, there are still some obvious and visible gaps. The most visible gap being that of protection. So their protection agent reports into a different console, the Cortex console, and not the Prisma console. That is their biggest weakness. So customers are like, I'm using two different consoles anyway, and that leads to a suboptimal performance. I would much rather get everything in a single platform and have the same level of breadth of coverage, and there is only one vendor that is providing it, and that is CrowdStrike.

Okay, so your platform, not product, we established that a long, long time ago.
Can you be both best of breed and at the same time an integrated platform? Two-part question, part B is, do you even have to be?

I think you have to be, because what I have observed over the years, Dave, and I've worked in a number of very iconic companies, starting with McAfee back in the day, later Cylance, and now more recently here at CrowdStrike. And I have observed that the best product almost always wins. It may take a while, it may take five years, it may take eight years, or 10 years, but eventually the best product absolutely wins. In terms of how do we become best of breed while remaining, while being a platform, I think we are playing to our strengths in a couple of ways. We are leveraging our investments in our graph technology, which is the threat graph and the asset graph, as well as the XDR platform, as well as we are really cultivating and effectively promoting a culture of entrepreneurial excellence. So our teams are operating independently to the extent that they can go, work with customers, make them really successful, operate in a very agile fashion to make sure that when we hear about any problem, any new requirements, we are able to jump on it and turn around, provide the response that they might expect only from a small startup. So it's a small division, small BU, small unit, whatever you want to call it, but they are working in a very entrepreneurial mode to go solve a set of customer problems, and they get the benefit of solving on top of the Falcon platform, which over the years has built planet-scale technologies in graph and XDR that absolutely help us stitch things together and deliver better outcomes.

Yeah, you guys talk about that a lot, your sort of graph capability. What does that get you from a product standpoint? Explain that.

A lot of times what ends up happening, Dave, is when you're collecting information, telemetry, you just effectively log them into a central place. Maybe it is a Splunk, maybe it's an Elastic, wherever, right?
And each one of those is an event which is kind of independent, and when you give this to some analyst, the analyst has to go through multiple events, figure out which is the latest, how are these events correlated to one another, how many of these events are part of one single attack chain? By bringing everything together in a single asset or a graph view, what we are able to do is, a threat has typically one set of graph visual representation. And we are able to bring together, stitch together all the related events into a single threat. And the nodes get updated, and you can also see a timeline view so that you can say, hey, what did this graph look like maybe two hours ago when the attack was just getting started, as well as what does it look like now? How many new nodes have happened? How many external network connections are happening? How many files or registries or services were modified? Those things are much easier for us to explain by bringing them together and encapsulating it in a pill that an analyst can quickly swallow, as opposed to just giving them a big, big list of events that they have to correlate.

So there's a purpose-built capability that you guys have, right? And it's a graph database underneath it, right? But how do you, or do you even need to? So the problem that you've always had with graph databases commercially, broadly, and I know you've got a very specific use case here, but I wonder how it applies. You want the expressiveness of graph, but you lose the, I'll call it the flexibility or query elegance, simplicity of relational.

Yes.

Does that, is that a problem for you?

It's not a problem because-

And why isn't it?

That's where the XDR platform comes in. So we collect the data, we store it both in the graph as well as in the raw telemetry, which is our XDR platform.
So if you wanted the raw telemetry, if you just wanted to go see a set of events, you can absolutely do that by going to our investigate page and running the search, looking for IOAs, IOCs, whatever IP addresses that you are looking for, that you're searching for. On the other hand, if you want a simple snapshot, a summary of all the alerts, you go into a different place where you say, hey, this is the graphical representation. How has it evolved over time? And what are the right next steps? Is this a true positive, in which case, what am I going to block? And how am I going to prevent this from happening again in the rest of my fleet?

Yeah, okay, great. Raj, thanks so much for coming on theCUBE. It was great, congratulations on the new role.

Thank you. Thank you for having me.

Welcome, yeah, our pleasure. All right, keep it right there. This is Dave Vellante. John Furrier is also in the house. Live coverage of RSA 2023, we'll be right back from Moscone West right after this short break.