 Live from New York City, it's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technologies. Okay, welcome back everyone. This is a live CUBE coverage here in New York City at the Grand Hyatt Ballroom. I'm John Furrier with my co-host Dave Vellante. This is CyberConnect 2017, the inaugural conference of a new kind of conference bringing industry and government practitioners together to solve the crisis of this generation, according to General Keith Alexander, who's on stage earlier. Our next guest is the CEO of the company that's underwriting this event, Tom Kemp, co-founder and CEO of Centrify. Congratulations, Tom, we met, we saw you last week, came in the studio in Palo Alto. Day one is coming to a close. Great thing. Yeah, it's been amazing. We've had over 500 people here. We've had, we've been webcasting this. We have 1000 people and of course we got your audience as well, so that clearly over 2000 people participating in this event. So we're really pleased with the initial first day turnout. So obviously this is like a new kind of event, a little bit different than most events in the business. Responses have been very well received, sold out, packed house, getting room only. I couldn't get a chair, strolled in a little, not late, but I mean, towards the end of your keynote, this is the dynamic, this demand for this. Why is this so popular? You guys had a good hunch here. What was been the feedback? Well, it's been, well the feedback's been great, first of all, but the reality is, is that organizations are spending 10% more per year on security, but the reality is the breaches are growing 40 to 70% per year. So no matter how much money they're throwing at it, the problem's getting worse. And so people are, for the most part, kind of throwing up their hands and saying, how can we rethink security as well? 
So I think there's just a complete hunger to hear best practices from some of the top CISOs, from, you know, we had US Bank CISO, we had Aetna, Blue Cross, Blue Shield, et cetera. What are these guys doing to keep their data secure and make sure that they don't make headlines? So I want to ask you a question on the business front. Obviously we saw last week, Alphabet, aka Google, Twitter and Facebook, in front of the Senate committee, around this influence thing going on with the media. It's still an exploit, but a little bit different than, you know, payload-based stuff that normally is seen with security hacks. Still relevant, caused some problems. You guys have been very successful in Washington. I'm not saying you're lobbying, but as a startup, you ingratiated yourself into the community there, took a different approach. A lot of people are saying that the tech companies could do a better job in D.C. and a lot of times, Google and these guys are treacherous with data. They're trying to figure it out. You took a different approach and the feedback we heard on theCUBE is working. You guys are well-received in there. Obviously the product's good timing to have an identity solution and zero trust philosophy you have. But you did something different. What was the strategy? Why so much success in D.C. for Centrify? Well, we actually partnered with the IT folks and the security people. I mean, we actually spent a lot of time on-site talking with them and actually we built a lot of capabilities for what the government was looking to address from an identity access security perspective. That's just the reality of the situation. And so we took the long haul view. We've done very great in the, two of our largest customers are intelligence agencies, but we actually have over 20% of our sales that goes to the federal government, state and local as well. So you really can't just go in there, spend a lot of money and do a lot of hype. 
You actually have to roll up your sleeves and help them solve the mission. They call it the mission, right? They have mission and you got to be focused on how you can address them and work with the technologists out there to make sure. So it was just really just blocking and tackling the ground game that got us. The common sense sounds like just do the work. Yeah, do the work, really listen and think about it as a multi-year investment, right? I mean, in a lot of startups that just like, oh, can't get the sale move on, right? But you actually have to realize, especially in security, that most tech companies that have a big security presence, they should get 15, 20% of their business from the U.S. government. That's a big bet for you guys. Were you nervous at first? We obviously have confidence now looking back. I mean, it must have been pretty nerve wracking because it's a big bet. It's a big bet because you also have to meet certain government standards and requirements. You got to get FIPS certification. You got to get Common Criteria. In the cloud, you got to get FedRAMP and that means you also have to have customers in the federal government approve you and bring you in and then you have to go through the lengthy audit process and we're actually about to get our FedRAMP certification just past the audit and that's going to be coming out pretty soon as well. So yeah, to go get Common Criteria to get FedRAMP, you have to spend a million dollars for those types of certifications. At the same time, working with the large federal agencies. So Tom, you gave us the numbers, 10% more spending every year on security, but breaches are up 40 to 70%. You said in your talk, it's $2 trillion in lost dollars, productivity, IP, et cetera. So obviously it's not working. You've mentioned another number of folks in here talking today. What's their mindset? Is their mindset, this is a do-over or is it just we got to do a better job? 
I think we're getting to the point where it's going to be a do-over and I think first of all, people realize that the legacy technology that they have have historically focused on premises, but the world's rapidly moving to the cloud, right? And so you need to have cloud-based scale, a cloud-based architecture to deliver security nowadays because the perimeter is completely going away. That's the first thing. And I think there's also realization that there needs to be big data, machine learning applied to this. And you guys talk about this all the time, the whole rise of big data, but security is probably the best vertical. Big data application. Exactly, it's probably the best vertical because you need real-time instantaneous, should I let this person come into the system or not? Or over time, does this represent malicious activity as well? So I think people are realizing that what they've been doing is not working. They realize they're moving to the cloud. They need to adopt cloud, to not only secure cloud, but have the technology be based in the cloud and they need to apply machine learning to the problem as well. And so you talked about a paradigm shift which I inferred as a mindset shift and how security practices and technologies should be applied. You got a lot of content in there, but can you summarize for our audience sort of the fundamentals? Well, the first fundamental is that the attack vector has completely changed. Before it was all as about vulnerabilities that someone hadn't patched this latest version of Windows, et cetera. Those problems are really solved for the most part. Occasionally it kind of pops in now and then, but for the most part enterprises and governments are good about patching systems, et cetera. You don't hear it about SQL injections anymore. So a lot of those problems have been resolved. But where the attackers are going, they're going after the actual users. And so I know you had the Verizon folks here on theCUBE. 
And if you look at the latest Verizon data breach report, eight out of 10 breaches involve stolen and compromised credentials, right? And that has grown over the last few years from 50% to 60% now to over 80%. Look at the election, right? You're talking about all this Twitter stuff and Facebook and all that stuff. It's John Podesta's emails getting stolen. It's the Democrats' emails getting stolen. And now that people have the Equifax data, they got even more information to help figure out what your passwords are. The social engineering is a big theme here. Absolutely. They have this data out in the dark web. There's methodologies and there's also, you know, we talk with the Institute for Critical Infrastructure guys that you're partnering with about all the terrorism activity. So there's influence campaigns going on that are influencing through social engineering. But that data is being cross connected for, you know, radicalizing people to kill people in the United States. Well, there's that. And then there's nation states. There's insiders. So the reality is, is that it turns out from a security perspective that we, the humans, we're the weakest link in this. And so yes, there needs to be process. There needs to be technology. There needs to be education here as well. But the reality is that the vast majority of spend on security is for the old stuff. It's like we're trying to fight a land war in Asia. And that's how we're investing. We're still investing in M1 tanks in security. But the reality is that 80% of the breaches are occurring because they're attacking the individuals. They're either fooling them or stealing it by some means or mechanisms. And so the attack vector is now the user. And that's this, and people are probably spending less than 10% securing the users, but it represents 80% of the actual attack vector. Talk about the general. You've had some one-on-one times of them giving a keynote here, gave a keynote this morning. Very inspiring. 
I mean, I basically heard him pounding on the table. If we don't fix this mess, we're going to be in trouble. It's going to be worse than it is. Think differently, almost reimagining. His vibe was almost about, let's reimagine, let's partner, let's be a community. What else can you share with your interaction with him? I know he's very rare to get to speak. But running the cyber command for the NSA, great on offense, we need work on defense. What have you learned from him that industry could take away? Yeah, I think you hit it, which is, and I didn't realize that there's a bigger opportunity here, which is that in real time, there needs to be more sharing among like constituents. And so, for example, in the energy industry, these organizations, they need to come together and they need to share, not only in terms of roundtables, but they actually need to share data. And it probably needs to happen in the cloud where there's the threats, the attacks that are happening in real time need to be shared with their peers in the industry as well. And so, and I think government needs to also play a part in that as well. Because each of us, we're trying to fight the Russians, and the Chinese and the North Koreans, et cetera, and an enterprise just can't deal with that alone. And so, they need to band together, share information, not only from an educational like we have today, but actually real time information. And then again, leverage that machine learning, that artificial intelligence to say, wait a minute, we've detected this at other of our peers. And so, we should apply some preventative control to stop it. And check us at the center of the government transformation, more than ever, and we're seeing, I mean, again, I just Twitter, Facebook, and Alphabet in front of the Senate, watching the senators kind of fumbling with the marbles, you know, what's Facebook again? 
I mean, the magnitude of the data and the impact of these new technologies, and with Centrify, the collision between government and industry is happening very rapidly, okay? So the question is, is that, you know, how are you guys seeing this going forward? Is it going to be, you know, the partnership has to come together faster, or will more mandates come in regulations, which could stifle innovation? So there's this dimension going on now where I see the formation of either faster partnership with industry and government, or, hey, industry, if you don't move fast enough, go regulations. That's also what the general brought up as well, is that if you guys don't do something on your own, if you don't fix your own problems, right, then the government's going to step in. Actually, that's what's already starting to happen right now, that if Facebook, Twitter, all these other social networks are not going to do something about foreign government's advertising on their platform, they're going to get regulated. So if they don't start doing something, so it's better to be in front of these things right here, the reality is that, yes, from a cybersecurity in terms of protecting users, protecting data, enterprise needs to do more. But you know what, regulations are starting to already occur, so there's a major regulation that came out of New York with the financial services that a lot of these financial firms are talking about, and then in Europe, you've got GDPR, right? And that goes into effect, I think, in May of next year, and there's some serious fines. That could be up to 4% of your revenue as well, while in the past, the kind of the hand slaps that have happened here. So if you do business in Europe, if you're a financial services firm doing business in New York. You're going to run from there, Europe. I mean, regulation, I'm not a big fan of more regulation, I like regulation at the right balance because innovation's key. What have you heard here from talk, shares? 
Because we didn't have a chance that we'd been broadcasting all day. Share some highlights from today's sessions after Jim from Aetna is on there. Which I'm sure you've got a kick out of his history comment. You're a history buff. I think, weren't you a history major? I was a history major and computer science, you got that right. You'd be a great data scientist by today's standards. But he had a good point, civilization crumbles when there's no trust. Yeah. That comment, he made that interesting comment. So it's interesting what Aetna has done from his presentation was they've invested heavily in models, they've modeled this. And I think that kind of goes back to the whole big data. So I think Aetna is ahead of the game and it's very impressive what he's put forth as well. And just think about the information that Aetna has about their customers, et cetera. That is not something that he wants. But he was also saying that he modeled, you don't model for model's sake because stuff's going on in real time. You know what I'm saying? So the data lake wasn't the answer. I think that was- Well, he said his mistake was, so they were operationalizing the real time, security, big data activity. And he didn't realize it. He said that was the real answer. Not just sort of analyzing the data swamp. Yeah, absolutely. That was the epiphany that he realized. He was, you know, that is where the opportunity was. And it was unconventional tactics too. So what can businesses expect, Tom? What's the business outcome they can expect if they sort of follow the prescription that you talked about and sort of, you know, understand that humans are the weakest link and take actions to remediate that. What kind of business impact can they have? Yeah, so we actually spent, we spent a lot of time on this and we partnered with Forrester, a well-known analyst group, and we did this study with them and they went out and they interviewed 120 large enterprises. 
And it was really interesting that one group, group A was getting breached left and right and group B, about half the number of breaches, right? It was, and we were like, what is group B doing versus group A? And it had to do with implementing a maturity model as it relates to identity, which is first and foremost, implementing identity assurance, getting, reducing the number of logins, delivering single sign-on multi-factor authentication, which we should all do as consumers as well. Turn on that MFA button for Twitter and your Gmail, et cetera. Then from there, the organizations that were able to limit lateral movement and break down, make sure that people don't have too much access to too many things as well. And there was an incident with Société Générale that there was a back-end IT guy, he became a trader. He started making some losses and so he tried to, he doubled down and he leveraged the credentials that he had as a former IT person to continue trading, even though he kind of turned off all the guardrails right there. And he should have been shut down. When he made that move into that new position, so there's just too much lateral movement allowed. And then from there, you got to implement the concept of least privilege and then finally you got to audit. And so if you can follow this maturity model, we have seen that organizations have seen significant reduction in the number of breaches out there as well. So that was another thing that I talked about at my keynote that I presented this study that Forrester did by talking to customers. And there turned out to be a significant difference between group A and group B in terms of the number of breaches as well. And that actually tied very well with what Jim was talking about as well, which was, I called it a maturity model, he called it just models as well. But there is a path forward that you can better be smarter about security. There's a playbook. There is a playbook. There's a playbook, absolutely. 
And it revolves around not having a lot of moving parts where human error, and this is where passwords and these directories of stuff out there are siloed. Is that right? Did I get that right? So you want to level. Yeah, that's the first step. I mean, the first step is that we're drowning in a sea of passwords, right? And we need what's known as identity assurance. We need to reduce the number of passwords. And with the fewer passwords we have, we need to better protect it by adding stronger authentication, multi-factor authentication, the new Face ID technology, which I've been hearing good reviews about coming from Apple as well. I mean, stuff like that and saying, look, before I log into that, yes, I need to do my thumbprint and then take, look at, you know, do the old Face ID, right? And multi-factor authentication, things are good point, and also known as MFA. Exactly. That's not two-factor, it's more than one, but two seems to be popular because you get your phone. Multi-factor, I mean, could be device, IoT device, card readers. Starts getting down into other mechanisms. Is that right? Yeah, absolutely. It's something you have and something you know, right? Answer five questions. Yeah, but you don't, but at the same time, you don't want to make it too, Too restrictive. Too restrictive, et cetera. But then here's where the machine learning comes in. Then you add the word adaptive in front of multi-factor authentication. If the access is coming from the corporate network, odds are that means that person was bad, got through. So maybe you don't ask as much for much information to actually allow the person on right there. But what if that person was, five minutes ago, was in New York and now he's trying to access from China? Well, wait a minute, right? Or what if it's a device that he or she's never accessed from before as well? 
So you need to start using that machine learning and look at what is normal behavior and what deviates from that behavior and then factored into the multi-factor authentication. Wow, we've seen major advancements in the last couple of years even in fraud detection. In real time. And is that seeping in to the enterprise? Well, it should. I mean, that's the ironic thing is, is that with our credit card, I mean, we get blocked all the time, right? It is annoying sometimes. But you know, at the end of the day, you say, yeah, thank you for doing it. And so that's in effect, the multi-factor authentication is you calling up the credit card company. Ironically, my credit card, maybe I shouldn't reveal this too much information. Someone will hack me. But I use US Bank right there and we had Jason, the CISO of US Bank right there. But you know, calling in and actually saying, yes, I'm trying to do this transaction represents another form of authentication. Why aren't we doing similar things for people logging on to mission critical servers or applications? It's just, you know, it's just shocking. So I got to ask you a personal question. So you mentioned history and computer science. A lot of security folks that I talked to, when they were little kids, they used to sort of dream about saving the world. Did you do that? Well, I definitely want to do something that adds value to society. So, you know, is this not like the Steve Jobs telling, was it Sculley? Do you want to make, you know, sugar water and all that stuff? So I, you know, I- No, but like superhero stuff? You went to that as a kid? Well, I- DC or Marvel. Good versus evil, right? No, I- No, don't ask that question. Exactly. You like them both. But the nice thing about security is, you know, when you're a security vendor, you're actually, the value that you have is real. It's not like, you know, some app or whatever where you get a bunch of teenagers better to waste time and all that stuff. 
Yeah, the serious business. Yeah, you're in serious business. You're protecting individuals, their personal information, you're protecting corporations, their brand. Look at, look what happened to Equifax when there was announced the breach. Their stock went down 13, 14%. Chipotle went down by 400 million. The market cap went. I mean, so nowadays, if you have a, if there's a breach, you've got to short that stock. Yeah, and security is now part of the product because the brand image, not just whatever the value is in the brand and the product, the brand itself is the security. If you're a bank, security is the product. Absolutely. If you're known for being breached, who the heck's going to, who's going to bank with you? There's a whole number of strategy there. Okay, final question for me is this event, what are some of the hallway conversations? What's notable? What can you share for the folks watching? Some of the conversations, the interests, the kind of people here. What was the conversations? Yeah, I mean, the conference, we really did a great job in working with our partner, ICIT, of attracting C-level folks, right? So this was more of a business focus. This was not, you know, people gather around a laptop and try to hack into the guy sitting right next to them as well. And so I think what has come out of the conversations is a better awareness of, as I said before, it's like, you know what, we got to completely, we got to step back, completely rethink of what we're trying to do here as well. Because what we're doing now is not working, right? And so I think it's, in effect, we're kind of forcing some soul searching here as well. And having others present what's been working for them, what technologies, cloud, machine learning, the zero-trust concept, et cetera, where you only, you have to assume that your internal network is just as polluted as the outside. 
I know this might be early, but what's the current takeaway for you as you ruminate here on theCUBE, that you're going to take back to the ranch in Palo Alto or in Silicon Valley? What's the takeaway personally that you're now going to walk away with? Was there an epiphany? Was there a moment of validation? What can you share about what you're going to walk away with? And there's just a hunger. I mean, there's just a hunger to know more about the business of security, et cetera. I mean, we're just, we were amazed with the turnout here. We're pleased with working with you guys and the level of interest with your viewership. Our webcast, I mean, this is, for the first time event to have both in-person and online, well over 2,000 people participating. That says a lot that there's just a big hunger. So we're going to work with you guys. We're going to work with ICIT and we're going to figure out how we're going to make this bigger and even better because there's an untapped need for a conference such as this. And a whole new generation is coming up through the ranks. Our kids and the younger new millennials, whatever they're called, D or letters they're called, they're going to end up running the cyber. Yeah, absolutely. Absolutely. And so there just needs to be a new way of going about it. Tom, congratulations on a great event. You guys got a lot of credibility in DC. You've earned it. It shows the event, again, good timing, lightning in the bottle, the CyberConnect inaugural event. Cube exclusive coverage in Manhattan here, live in New York City at the Grand Hyatt Ballroom for the CyberConnect 2017, presented by Centrify. I'm here with the CEO and co-founder of Centrify, Tom Kemp, I'm John Furrier, Dave Vellante, more live coverage after this short break. Great.