Live from Las Vegas, Nevada, it's theCUBE at IBM Interconnect 2015. Brought to you by headline sponsor, IBM. Okay, welcome back everyone. We are broadcasting live in Las Vegas for IBM Interconnect. This is theCUBE's special presentation from SiliconANGLE. We're on the ground. We're extracting the signal from the noise and sharing that data with you. I'm John Furrier. My co-host is Dave Vellante. Our next guest is Mitch Free, worldwide I2 national security and defense lead at IBM. Welcome to theCUBE. What's I2 for the folks who don't know, explain what I2 is. And we're going to talk security. You got the black hat and got the symbol. I mean, let's get into this. Okay, so I2 is one of IBM's premier products in the Safer Planet organization, which is part of IBM Analytics. And I2 has been around for about 25 years. It's an intelligence analysis tool that's been used by 4,500 customers around the world. Anyone from national security, police organizations, the Securities and Exchange Commission. Anyone that's going after people who are black hats or either on black lists. So any of those nefarious characters that are causing problems on our planet, this is what Safer Planet's all about. We love security. Dave and I, we would probably spend the next whole day just talking about this topic, but let's just start with some basic stuff going on in the industry. Perimeterless security is now normal in the cloud. The old ways, you know, put the far the door, moat, protect, perimeter. All changing so that we see a lot of new technology like APIs and notifications and mobile apps opening up lots of doors. There's traditional holes. You have all kinds of stuff. You know, last week, the whole thing was going on with Lenovo. Oh, I've got them. Didn't look for those, these back doors. So there's a lot of stuff going on from back doors, Trojans to now new ways that apps are accessing databases. So comment on that trend.
And we're our customers and all this, because they're like, run, run, run, build maps, top line revenue. You know, it's mobile apps. It's all great for the business, but then all of a sudden, wait a minute, there's also a back side to this. What about that? Yeah, absolutely. So if you look at kind of the customers and they do exactly how you're saying. So in this mandatory, you have to have the moat. You have to have the defenses. You have to have some of the security solutions that are in place now. And as you know, IBM security systems has world-class solutions that do that. But what we're seeing in the industry is that now organizations, let's take, for instance, commercial organizations, they're looking more at who's doing the attacks. Why are they doing the attacks? Whereas before it was simply, there was a breach. I need to do damage control. I need to close the hole. I need to fix this. And then I'll do some remediation after the fact to actually prevent that from the next time. So there was not a lot of focus on attribution, meaning who is actually attacking me? Why are they attacking me? Are they connected to a wider organization? So if you take, let's say, public safety or government organizations, that's always been their focus. Now the commercial organizations are saying, how do I find out who's attacking me? Well, why? Because they want to start to get ahead. They want to find out their modus operandi. They want to take that and plug it back into their remediation techniques so they can perhaps pick them up faster. So if you look across the board, most of the time when there's a breach, that breach has been taking place for about eight months. So explain breach and incident. There's two different, like a breach is like bad. Incident is like less bad than a breach. Well, I think certainly a breach would be a form of an incident. So there's a lot of incidents that go on. So there's a lot of false positives. 
I mean, the number of alerts that these security operations centers see every day are just absolutely through the roof and they don't have time to check all of those. So an incident could be something as, someone trying to do a denial-of-service attack. A breach, as you said, is more serious when they actually get in the door and they're going around in the background, attempting to exfiltrate some sort of data or do some sort of malicious damage inside. And you said on average, that's eight months before an organization realizes that there's a breach. On average, we're seeing eight months and each one of these attacks from a commercial perspective is upwards around 11 million dollars. The classic quote is, well, sorry, Dave, go ahead. Go ahead, I'd love to hear this quote. The classic quote we heard on theCUBE, we recorded is from the government. There's two types of companies. Those that have been hacked by China and those that don't know they've been hacked by China. So in news today, China's dropping Cisco and some big news out there. So there's a hacking war going on and so a company can be out there, not even know that there's a Superfish going on and there's Superfish being a latest exploit going on. So like, okay, I know I'm hacking, I got to deal with that. Now I'm like, wait a minute, do I have something going on? You can't solve all the, you can't plug all the holes. What do they do? What do customers do with this? So you can't plug all the holes and I won't necessarily comment on any particular country but I would say the quote is in fact correct, meaning there are those that have been and those that will be hacked. And it's a question of what's going to happen once they're inside. So what companies are starting to lean towards, as I mentioned earlier, is they're starting to look at attribution.
So if you take attribution, I want to find out who's actually behind the attack because if I can find out who's behind the attack, it's just like tradecraft in a national security organization. I want to know the enemy, I want to know what they're doing, what their weaknesses, what their strong suits are then I can start to take some preventative action. So we want to move from being reactive to proactive. So how do we do that? And the challenge is that a lot of people are focused on, as you mentioned, the moat and the defenses. We need to start taking in data other than just the cyber data. So the traditional IT data. So vendors, including IBM, they're extremely well positioned to take advantage of all of this flow data, all of this data. The bad actors are, there's not that many of them, it's not like a small amount, but there are known targets, groups of people that work together. We learned that on theCUBE as well. Is that true? It is true, but let's not forget about the 16 year old sitting in their basement that's trying to hack in. Now why is that important? From a breach perspective, it may not be that important. But the problem is, once that 16 year old is in the door and they're actually running amok inside of your system, you don't know that it's a 16 year old that's just messing about in his garage or his basement. At that point, then companies start to take damage control. They see that some breaches happen, some credit card information has been exfiltrated, and now they go into damage control and they start to notify all of their customers, hey, I've had a breach, when really in fact nothing's happening with the 16 year old. So the challenge is, who is your attacker? Is it a 16 year old, or is it actually organized crime? Is it some anti-money laundering group? Is it someone trying to fund a terrorist organization? That's the challenge, and that's why you're seeing the focus move towards attribution. Who's in there? 
That's going to help me decide what are my next steps in terms of damage control, and it's also going to help me on remediation. Mitch, can you talk about the investment, the funding, the spending? It used to all go toward keeping people out of the castle. Given that it's eight months on average that people don't realize they've gotten a breach. How is that investment? How is that spending changing from a customer perspective, and how is it changing from IBM's resource allocation? From protecting the queen and her castle with a moat to trying to detect. So I think if you look at that spending now, the decision makers, and as you've probably heard on theCUBE before, the decision makers, it's not only the IT department these days. Obviously they have a great influence on what's taking place, but it's actually moving up to the boardroom. So the boardrooms are starting to look at this and say, okay, 11 million dollars on average, I need to start dedicating some funding to see how we can start to enforce our current security systems, meaning who's attacking us. So we're starting to see that funding shifting. Obviously it's like anything else, you have to have the moat in place. After that though, how much are we going to start to dedicate towards the attribution and who's behind the attacks? From the IBM perspective, you can see we've got a lot of investment in IBM security systems, but if you look at Safer Planet and IBM Analytics group, lots of investment that's going into actually helping take this tradecraft from our security policing into the cyber threat intelligence space to actually track down who's doing the attacks. So I realize I'm simplifying it, but if you had $100 to spend as an organization, you know, what's the profile look like in terms of just protecting the perimeter versus trying to use things like analytics or other techniques or maybe even internal training to try to remediate some of those problems. Is it 50-50?
No, I think you're going to see it move towards 50-50, but it's a long ways from that, but the scale is sliding very quickly now. So I'd say at the moment, you're probably talking 75 on traditional security and 25 maybe on the attribution part. I think you're going to see that shift. And it really needs to go outside. I think you're going to see that shift towards, let's do some cyber threat intelligence because that is really providing me the ability to be proactive. So I think you're going to see that shift. Look, the traditional cybersecurity measures, they always have to invest. I don't think you're going to see that shift more than 50-50. Yeah, that's not going away. So you're probably going to see a little more movement on that. So that's the ideal balance, let's say. And I know we're really simplifying things here, but my question is, what's the headwind for organizations in making that shift? They obviously have the baseline to keep in place the perimeter pieces, the traditional pieces. What's slowing them down? I'd say it's more cultural than it is technical. Like many of these things, when you start to see a shift, people are, you know, they kind of hang on to the traditional methods. And as they start to see more breaches and they start to see more methodologies come out to help them be proactive, then they start to adopt it. So if you look at the forward leaning, let's say boardrooms and also the security operation centers, you'll start to see them shift. In fact, we're hearing this new term quite a bit the next generation security operation center. And in those discussions, you're starting to see this discussion about cyber threat intelligence. I mean, if you look at IBM's X-Force, that's exactly what they provide to our customers. They provide that intelligence on who's out there, what are they doing and why are they doing it to help them with the remediation. So next generation security operation centers, you're going to see that activity. 
So Dave's question is a good one. I want to just double down on that for a second, Dave. Customers sitting there, okay, they got the investment pie, they're going to be shifting. What do they do? I mean, how do you get, is there like a getting started kit? Obviously call IBM, you guys will help them along. But how do I get started? How do I train people? I want to hire young guns to be like my Navy SEALs of security, I got the Air Force, I got the Navy SEALs, the Marines. I mean, is it a discipline thing? Is it how does a company build the culture, hire people and then like engage you guys? That's a very good question. So in the last week, I've probably had eight conversations on that. And it's really companies asking exactly those questions. I want the next generation security operation center, but it's certainly it's about the technology and the solutions, but it's more about how do I set up these security operations centers? What are the best practices? Where do I need to invest in terms of that training? So you mentioned the SEALs, you mentioned all of these, kind of these other disciplines in the military. So obviously you got to have your young guns. I mean, let's face it, a lot of the younger generation out there, they grew up on this stuff, they're very good at it. But let's not forget the old crows as we would call them in the military. The gentlemen or ladies that have been around that have been doing this for years. So now you're seeing a blending of, let's say older generations of the young guns and the old crows. And that's really what we see as optimum mix of that. The old crows are really awesome mentors because they've seen some of the tricks back in the old days, not at the scale. Correct. But as architecturally as an operating environment. Yes, so as an example. I mean, do you see that? It's like, Well, let me just give you one example. Kung Fu's example, Jeff Frick and I were together. Let me give you one example of one customer.
So we have a customer that has quite a bit of analysts and they have a lot, a lot of younger generation people in there in the ages, you know, from probably 23 up to 30 years old, but they also have a lot of senior analysts. So one of their requirements was, I need to be able to take my senior analysts who develop a lot of very complex analytics that uncovers insight very quickly. I need to capture that knowledge and put it back into solution. So that is one of the areas that we've done in the Safer Planet organization with our Enterprise Insight Analysis is we give that customer the opportunity to develop their own analytics for their specific use case and then they get to use it across the enterprise. So there's a case where the old crows are able to actually take their expertise and give it, put it in the hands of the younger analysts. Jeff Jonas has done theCUBE many times and Dave and I always love to interview him. And one of his comments is, you know, no one writes bomb on a manifest. So it's easy to use an edited to look at stuff, but you got to know with the observation space is that's his word that he uses in the IBM. So big data analytics certainly is a huge driver in this area, right? So, you know, no one writes, I'm hacking you now or there's Superfish embedded in your machines. What are you guys doing from a tech standpoint? What do you, what does IBM bring to the table? Because to do that observation space to expand out the attribution and to build that next generation security operations center, you had the tooling. You absolutely have to have the tooling. So I'm glad you mentioned Jeff Jonas because Jeff Jonas has been one of our executive sponsors on this particular program and he's brought a lot of that expertise. In fact, some of his technology is embedded into this solution for exactly that. And you've probably heard Jeff talk about low signals. So we want to pick up the low signals in this massive amount of data.
But if you apply this to the cyber threat intelligence space. So typically the cyber solutions are focused on the IT data. We want to bring in additional data from outside. So we want to bring in your HR records. We want to bring in your physical security. So when I swipe a badge and I go on a door. So now I've got location data, any type of telephone data that is not collected in the typical system. So we want to merge all of this data together. That presents a problem. How do I get all of that data in? And I want to do that. Fast enough in real time. Absolutely. One of the requirements from our customers was I want to continuously ingest. And while I'm ingesting, I don't want to do a batch process. I want to be able to do analysis on the data as it's coming in. Enter Jeff Jonas, his technology is absolutely superb at doing that. New data comes in and it automatically does the identity resolution. Immediately on the fly 24/7, you don't have to wait for some sort of batch process. So the key out of that is I need to run analytics across the entire dataset. A lot of the other vendors, they will do certain parts at a time or they'll do it in disparate data. You're not going to see these signals or the low signals across individual pieces. You put them together, now you start to see insight. So that's what we're doing to tackle this big data problem. And this, the market is just, it's infinite. Every year, you know, Art Coviello writes his Warren Buffett letter and every year I email Art, I say Art, I'm looking back, I spent more, I worked harder, I'm less secure. And when I talk to customers, I say listen, the calculus is pretty straightforward. It's the probability of a breach and the expected loss of that breach. Both are going up. I feel like there's no end in sight to the threat, which makes it a great business. Oftentimes you don't like to talk about the business opportunity, but there's a huge business opportunity for security. Spending keeps increasing.
It's a Y2K problem that never goes away. It's a Y2K problem that never goes away. From a money standpoint. I mean, this is like- It's an arms race, gentlemen. It really is. It's an arms race. And as we all know from the Cold War days, that was really an economic race. So how do you stay ahead of the adversary? And that's really what we're talking about. What's the bad-ass thing you've seen on security in terms of like threat, like that you can speak about? The Superfish is one that's been this week, that's pretty significant. That's snuckin' off. What's the heaviest thing that you've seen that you've ever seen? I think the heaviest thing that you see is things that may or may not make it to the press in terms of how the breach occurred. Stuff we don't see. So if you look at one that was recently in the news where you think that the attack came full-frontal right in through the front door, or right in through a very well-published back door, in fact, it happened from, let's say an ancillary type of website that was remotely connected with the organization that was therefore a charitable organization type of way for the company to give back to the community. Well, the infiltrators got in and they studied, for six months, they studied the security architecture of that kind of smaller website that really was not connected. It's the weak regabees out in the jungle and they just took it down and bit base camp in there. Well, so what they did is they studied the security architecture and then they discovered that the same person, so these are smart characters, they actually did their intelligence on their target, they determined that the person that set up security on that very small system set up the security on the large main system. So they reverse engineered the security to the main system based on the prototype that they saw the quote, I got to get this done over the weekend for the charitable organization.
So they took his, they basically went and read his mind. Exactly, they read his mind, they tested all of their techniques and then they moved it in for the big kill. That is the most dangerous. So you think something is quite benign, but really it's anything but benign. And the motivation there was dollars, it was money? Absolutely, in this particular case is exfiltration of customer data, dollars, and it was in the double digit bill. Double digit billions. Correct. It's an economics arms race is right on and the bad guys have a lot of resources. And then the other vector that I wanted, so I feel like Stuxnet just sort of created a whole new era of security and ideas on what's possible in the future of warfare. Is that a milestone in the security business? I know it's old news now, but I wonder what else is out there that Stuxnet like that we don't know about? It's got to be in this arms race. Sort of a, what era are we in here? Well, if you think about it, they only have to be lucky once. And they can do millions and millions of attacks and they only have to be lucky once. They have plenty of time. They're able to try out new techniques and they're always 24/7 working on those new techniques. So the question is to go after your question, how do we stay ahead of that? Cause it's constantly changing. Get a rethink, get a rethink, a new way to think through security to use their phrase or IBM. And that is exactly it. It's a one shot deal. It could be a zillion attempts and just one penetrates. But the question is, if it costs double digit billions, it's not a money issue because the sales, hey, what are some of the consequences? If you don't do this, there's no no, there's like billions. So the money on the table is there. So if that's the case, how does IBM write the software there? And what do you do with the customers? So they say, okay, just hand over money. Is it cryptography? Is it System z? I mean, System z has some serious cryptography. Is that the answer?
So like... Well, I mean, look, we can throw a smorgasbord of technology at this. So our approach is we want to be very systematic. So when people come to us, they want to know about next generation SOC. So we have a consulting practice that actually does this. We also had IBM security systems that has a whole host of tools that actually fits in with that consultancy. On the safer planet side of the house, where we use our I2 counter fraud and threat solutions, we're looking at being able to establish a platform that's very flexible and very agile. And that comes directly from our national security experience because the mission is changing. Think about that and carry it over to the commercial space. The mission is changing. I need to have a technical solution that gives me the agility to change as a threat changes and it gives me the flexibility to be able to add in those models as we need. So if you look at what we're doing, we tackled the big data, the identity resolution from Jeff Jonas. We tackled all of those first for an initial customer. Now we went to the next step. How do we use Watson Discovery Advisor? How do we use Watson X4 to do unstructured data? As you well know, the unstructured data is 78% of the data that's coming in. So the key to that is agility and flexibility and be able to do analytics at speed and scale across that entire data set. That's what we put in place. It gives them the most flexibility. And you talked about sort of the national defense trickling into the commercial world, but to me, that stakes of the national defense, I mean, it's, they're huge. And we're talking about, again, the future of warfare here. So are those two related? In other words, are we sort of learning from what we're doing in the governments? Does that actually trickle down into business? Does it trickle down fast enough? So I think what you're seeing is the nexus, let's say national security and even geopolitics with the commercial world. 
So as you know, there are state actors that are attacking some of the commercial organizations around the world. So it's no longer the 16 year old or let's say an anti-money laundering organization. Of course, they're a threat as well, but now the state actors start to come into place. So the nexus of those entities and it's an asymmetrical threat. If you think about a commercial organization compared to a state actor, there's a lot at stake there and it's a very difficult situation. Now, what comes to the table is not only IBM solutions, but you see in the commercial organizations start to cooperate with the government defense. It's a partnership. So now you're going to start to see a lot of sharing of cyber threat intelligence data. And that's why we think that going to, being able to determine who's the threat and why are they there, that's going to become more of a factor in defenses for commercial organizations. And how about the way IBM works with competitors? I mean, yeah, you compete, guys compete head to head, but you're the good guys. HP's the good guys. RSH is the good guys. Symantec's the good guys. How much collaboration is going on at the, within the competitive? So I think you see from the professional organizations, IBM does a lot of work in these professional organizations. The X-Force reports that go out are consumed by people around the world. I mean, some of our competitors and they actually collaborate on that. So on the professional organization side, IBM participates in quite a bit of those on the national defense side, as well as on the commercial side. So I think at that level, you're seeing quite a bit of cooperation, but I mean, again, let's face it, this is business and we want to promote our business. So talk about developer community. Obviously, this is a big developer kind of show. It's not filled as a developer show. What's your take on developers? Are there great resources out now? Is Watson a good thing to play with? 
And our security developers, nuanced on certain things? And did I like certain tools? What's your view of how a developer building out the next generation security operations center will look like? What tooling? So that's a good question. And I don't think we're seeing a comprehensive approach across your entire question, but what we are seeing is quite a bit of interest on the developer side and the, shall we say the open source. So if you're familiar with GitHub, how you do open source development. So the Safer Planet organization actually has a GitHub site where we, we place things out in open source like connectors because the key to all of this is getting the data in. So we have developers on the open source site around the world that are actually developing plugins to our tool and they're also developing connectors and they're all made available on GitHub. So we are a strong supporter, IBM in general is a strong supporter on open source as you know, but also Safer Planet organization is directly contributing to the open source. And it's mainly around the I2 intelligence analysis that can be applied across the spectrum. Obviously that can be applied to cyber threat intelligence as well. I mean, if I was a young kid, I was a computer science major, I would love to go to the security. I think it's one of the most intoxicating, technical, fun. I mean, if you're a gamer, you got to love security. Absolutely. I mean, you must get a lot of gamers who come in saying, I mean, cause it's like first person shooter is security. You have to go at, look at the landscape, look at the targets, understand some of the attributable things. You seeing that, I mean, is that kind of the profile developers? If you look at kind of our profile of the people that are on our team. You play Call of Duty or you could work with security.
If you look at the profile, we have quite a bit of the younger generation, but if you look at the people that are on our team, we have former military analysts. We have former security operations center, cyber threat analysts. We have police officers, former police officers. And I think they think that they're in the most exciting part of IBM because of exactly what you said. The other point I might add to that is when we get up and come to work, we know that we're trying to make a safer planet. So that's, you know, that's, maybe that's a little bit of a lofty idea, but when you come to work and you know that you're going after bad guys and you're helping customers and governments go out to bad guys, that's pretty fulfilling. Yeah, that's interesting. I mentioned on the intro, and I'll just end the segment with this kid to comment on it. It's like, they have two ends of the spectrum. There's good guys and bad guys. And the startup that we know from California a whole minute ago started by a bunch of big data math guys in Israel and they did all the intelligence to find the bad guys. So I asked them, why did you start this social sales company? He goes, well, we were sitting at a cafe one time. We said, we're so good at finding the bad guys. Why don't we find the good guys? And so essentially, you know, if you look at IBM Watson, you know, the top here is, oh, you know, social business, you know, it's the reverse on the other side. Find the good guys, find the target customers. You know, that's a big data problem. We actually have a couple of Good guys, bad guys. A couple of customers that are looking for good guys. One of them is from executive security. And another one is if you're trying to lobby, let's say something in Congress or whatever, who are the people that's on your side and how can I leverage them? So it's exactly the same tradecraft. How to serve customers, the good guys, how to serve the good guys and get the bad guys. Exactly. Awesome.
Well, good guys and bad guys are out there. Big data, cloud scale, new ways, new architectural security centers, super fun area. You must love your job. I do, absolutely. Thank you very much. We are here live at IBM. We'll be right back after this short break. Just talking security, having some fun. We'll be right back. Day three of theCUBE. We'll be right back.