 from San Francisco, it's theCUBE. Covering RSA Conference 2019. Brought to you by Forescout. And welcome back everybody, Jefferyk here with theCUBE. We're at the RSA Conference in North America, the brand new reopened Moscone Center. They finally finished the remodel, which we're excited about in the Forescout booth and excited to have a returning CUBE along. I think we had them on last year at RSA, Dr. Chase Cunningham, the principal analyst security and risk for forester. Chase, great to see you again. Thanks for having me. So what's happened in the last year since we last saw you? I'm sure you've been keeping busy and running down lots of crazy risk. It's been really pushing the sort of strategy side around zero trust. I mean, if you look around the show floor, you can't go 75 feet without seeing somebody that's got zero trust on a booth or hear it from somebody. So it's been really pushing that narrative and trying to get people to understand what we're talking about with it. And it's really important because it's a very different way of kind of thinking about the world. And you guys have been talking about it for a while. Decade basically. Right. And then we've got all these new complexity that's thrown in that weren't there a decade ago. You've got IoT, you've got OT, and then you've got hybrid cloud, right? Cause everyone's, there's public cloud, but most big enterprises have some in the public cloud, some on their data center. So you've got these crazy hybrid environment. So how are you kind of adjusting the zero trust game based on some of these new complexities? So really we flipped the script a little bit and said, okay, well, if we were to try and fix this from the start, where would we start? And we'd obviously start around taking care of the largest swath and sort of compromise area, which would probably start with users followed closely by devices. Because if we can take care of those two pieces, we can actually gain some ground and work our way going forward. And if you've heard a lot of the stuff around micro segmentation, our sort of approach to micro segmentation means micro segment everything. We mean users, accounts, devices, IoT, OT, wired, unwired, whatever it is, if you can apply control to it and you can segment it away to gain ground, segment it. So how do you deal with the micro segmentation? Cause ultimately you could segment down to one and then you haven't really accomplished much, right? Right, the network of one is no good. Exactly. So when you think about kind of micro segmentation architectures, how are you creating buckets? What are kind of your logical buckets that you're putting things in? So really it should be based on the function that you're trying to allow to occur. If you look at the way we've architecting networks for the last 20-something years, it's been around sort of use writ large. What we're talking about micro segmentation is if I have micro segmenting devices, those devices should live in a micro segment where devices do device stuff and you can keep control of that and you can see what's coming and leaving. Users should be segmented that way, networks, all of it should be built around function rather than interoperability. Interoperability is a result of good micro segmentation, not the other way around. Right, and that's interesting to say that. We're obviously in the four-scal booth and a big piece of what they're talking about is identifying these devices but then basically restricting their behavior to what they should be doing. So really following along in kind of your zero trust philosophy. Well I say it last year, say the same thing again, like a key piece of this whole thing is knowing what's supposed to be occurring and being able to control it and then respond to it. It's not really that we've changed the evolution of this whole thing, we've just looked at it a little more pragmatically and applying fixes where you can actually start gaining ground. Right, and applying the fixes at all different points in the spectrum as opposed to just trying to create that big giant wall in a moment. Well yeah, moving away from the perimeter model, like the perimeter model has categorically failed and everyone around here seems to understand that that's a reality and we're not saying you shouldn't have your defenses up but your defenses should be much more granular and much more focused on the realities of what enables the business. Right, so I'm just curious to get your perspective, you've been doing this for a while, as you walk around the show floor here and see so many vendors and so many products and so many solutions and so many, you know, kind of bright, shiny objects. You know, how do you make sense of it? How do you help your customers make sense of it because it's not a simple space and I always just think of the poor CISOs sitting there like, how am I supposed to absorb, even just kind of the inbound information about knowing what's going on, much less get to the point of doing evaluation and making purchase decision and implementation decision. So one of the things that we've been really pushing forward with is using virtualization solutions to build architectures, not PowerPoints, not drawing stuff on a whiteboard, like actually using virtualization to build virtual architectures and test and design there. It's actually very similar to the way that we write applications, you iterate. You don't write an app and release it and think you got it right and then you're done. You write pieces of code, you build the app, you iterate, you move on. Because of virtualization, we can do the same thing with security tooling and with networks. So one of our major initiatives is pushing that capability set to our customers to say, this is how you get there and you design and then you build and then you deploy rather than deploy it and hope you got it right. And know that it's not going to be right the first time you buy it, right? You're just going to write a check and the problem goes away. And it's much easier if you screw something up virtually to just nuke it and start over than if you try and do it with a bunch of hardware that you can't actually rip and replace. That's interesting, right? Because the digital twin concept has been around in the OT space for a long time. We talk to GE all the time in digital twin in terms of modeling behavior and a turbine engine, something they've been talking about forever. At a healthcare conference, they're talking about digital twinning people, which I thought was pretty interesting. So kind of creepy, but then you think, okay, so I can test medications, I can do these things. And to your point, if I screw it up, I'm screwing up the twin. I'm not necessarily screwing up the real thing. And you talked about it in your last blog post, starting to create some of these environments and architectures to help people do some of this exploration. Yeah, we launched our first one here at RSA on Tuesday night. We actually put out our own Forrester, branded virtual reference architecture. And the good thing is, is the way that we're approaching it, we can actually have our clients build their own semblance of this, because something everybody forgets is there is, this is one of the places where there are snowflakes, right, everyone has their own individual build. So being able to have yours that you build may be different from mine, even though we both line with a strategic concept like zero trust. Right. And we're building a library of those. So is the, is the go to market on that, that you've got kind of an innovation space and people do it within there, or are you giving them the tools to build it on prem? Kind of how's the execution of it? So really it's about, we've published a lot of research that says this is the way to do it. Now we've got this platform and the capability to say this is where you can do it. And then allowing them to go in there and follow that research to actually design and build it and see that it's actually doable. Right, right. So as you're looking forward 2019, I can't believe the calendar's flipped already to March. Crazy. What are your top priorities? What are you working on as you go forward this calendar year? It's mostly about ground truth sort of use cases on this adoption of zero trust across the industry and really getting people to understand that this is something that can be done. So we have write ups going on customers that have deployed zero trust solutions and sort of how they did it, why they did it, where they got benefit from, where they're going with it because we remind people all the time that this is a journey. This is not something I wake up in the morning, build a zero trust network and walk away. This is multi-year in some cases. Well, it's gonna multi-year forever, right? Because the threats keep changing. And the thing I find really fascinating is that the value of what they're attacking is changing dramatically, right? It used to be maybe I just wanted to do some crazy little hacks that change a grade, maybe steal some money from your bank account. But now with some of the political stuff and the state sponsored stuff, there's a lot more complex and softer nuance information that they want to get for much softer nuanced objective. So you're going to have to continue to kind of reevaluate what needs to be locked in tighter and what needs to be less locked up because you can't lock it all up to the same degree. Right, and it's really something that we remind our customers a lot on is that security is being done by the majority of organizations, not because they actually want to do security, it's because security makes the customers have more faith and trust in you, they buy more stuff, your revenue goes up and everyone benefits. Some of these large organizations, they don't have socks and do security operations because they want to be a security company, they're a company that has to do security to get more customers. Right, so they figured that out yet? I mean the trust thing is such a big deal and kind of the big tech backlash that we're seeing what's going on. I had thought that they would have figured it out but it comes up all the time and you have to really wrap people's head around that you're not doing security because you think security is cool or you have to, you know, you need to do it, it's to get more customers to grow the business. This is a business enabler, not a tangential business thing. Right, it's such a high percentage of the interaction between a company and its customers or a company and its suppliers is electronic now anyway, whether it's via web browser or an API call or I mean it's such an important piece because that is the way people interact with companies now, they're not going to the bank branch too often. Well, I mean with the growth of GDPR and privacy and things like that, companies are being mandated by their clients, by their customers to be able to say, how do you secure me? And the business had better be able to answer that. Right, right. But hopefully they're not just to your point, I thought you were going to say they're doing it for the compliance but it's a lot more than just compliance, you shouldn't be doing it just for the compliance. Yeah, I mean I stand on that compliance as kind of a failed approach. If you chase compliance, you will just be compliant. If you actually do security with a strategy in place, you will achieve compliance and that's the difference most people have to wrap their head around but compliance is something you do, not something you strive to be. Love it. Well Chase, thanks for stopping by and sharing your insight and a lot of good work, love keeping track of it, keeping an eye on the blog. Great, thanks for having me. All right, he's Chase, I'm Jeff, you're watching theCUBE, we're at the RSA conference at the Fourscale booth. Thanks for watching, we'll see you next time.