Hello everyone, welcome to theCUBE's special presentation of the AWS Startup Showcase on cybersecurity. This is season three, episode three in the ongoing series covering a certain range of startups on the Amazon ecosystem. I'm your host, John Furrier. I tell you we're excited to have Clint Sharp here, back on theCUBE, co-founder and CEO of Cribl, and Ryan Orsi, worldwide head of cloud foundations partners of AWS, here to talk about the rise of security data lakes. Gents, thanks for joining us today.

Hey, thanks John, great to be back.

Ryan, first question to you is, Amazon's got the security data lake all in the news, I've always been talking about you guys doing shows on there on security live, on AWS, on this. What is Amazon Security Lake and what problem does it solve? Give us a quick overview of the security lake.

Sure, sure, and thanks for having us John. Yeah, Amazon Security Lake, it's a purpose-built data lake specifically for cybersecurity style logging and telemetry. It can accept sources from within your AWS accounts or other environments outside AWS, on premises, and it standardizes it into a single sort of logging format on the OCSF, or the Open Cybersecurity Schema Framework. So it's really streamlining and making that process very easy for people to collect all of their security logging information wherever it may be and put it into Amazon Security Lake in a standardized format.

Clint, you've been on theCUBE many times, your company's doing extremely well, from the old days of streaming data. Now data is the center of all the AI that are powering everything. The security data lake is a beautiful resource to add value for the practitioners and also solve a lot of the automation problems and also scale with AI. What's your role? What's Cribl's role with the Amazon Security Lake?

Yeah, for sure. So Cribl's the data engine for IT and security, and our Stream product helps AWS customers get data into their security data lake from outside.
So almost all of the enterprises that we're talking to today live in a complex world full of on-premises infrastructure that they're marrying with the cloud, that they're marrying with their network data sources like firewalls and their EDR type of data that's all coming from different places. And security lake is a fantastic way for them to unify all of this data in one central place for analysis. Future data mining and AI potential in there as well. And our Stream product helps them integrate all those data sources that are not AWS native data sources and get that data into security data lake in an OCSF-compliant way so that they can use it along with all their other data.

Everyone's talking about security obviously in the role of data. I mentioned AI earlier. Security is a big hot area. Also the infrastructure, getting all this together, all this data together in real time and also previous data as being a big discussion, how do you lay out the architecture? Guys, cloud architecture is huge when you talk about security specifically around this new paradigm coming. You know, we foundations partners, I love that title, Ryan, in your title, because cloud security is actually not only viable but it's actually a preferred method for enterprises to start thinking about the future as they start thinking about planning for the AI wave that's here, and everyone wants to be well positioned for that. So what's been the response from customers obviously on the security data center to this, where are they using it today and how do they see that roadmap going forward?

Sure, yeah, I mean, I'd say, you know, the use cases we're seeing emerge right now for Amazon Security Lake specifically are pretty exciting to watch, and it's happening as, you know, even beyond what we imagined of providing this service to the market segment out there. Customers are definitely aggregating their AWS logs, they're definitely pulling from other clouds and on-premise sources.
I'm really excited that Cribl's here today because I will say, you know, making that process easier to ingest whatever kind of log you have out there for a holistic picture for, again, for not just threat hunting but maybe even incident response and investigation, to figure out, for example, a user or an identity maybe has suffered a stolen credential situation and the investigator, the hunter, is trying to figure out what other resources in what environment did that credential access? That's where it's really, really important from a customer perspective, and we're starting to see this emerge, stitching together a holistic picture of what other resources that particular role or user accounts, or even if it's a machine account, had access to. So we're definitely seeing visibility and correlation amongst multiple different data sources become a lot easier for customers to do, and we're seeing partners like Cribl step up and really make that ingestion process, no matter where the logs are coming from, a whole lot easier. And I think that's really going to help accelerate even more innovative ideas to getting into predictive response for predictive remediation when you have so much of that visible data in one spot. Previously it had to be stitched together, it had to be moved, it was in proprietary storage locations and proprietary logging formats.

Clint, you guys are well positioned both in the IT, the new IT I call it, as well as the cloud and now security data lake. You're bridging that. What's your customers see here? Give us a quick insight into how their use cases are, what they're thinking, and how are they preparing for the future with security lake?
Yeah, so I think the core problem that our customers are seeing is around data growth. Their data is growing at a 25% CAGR, their budget is not, and ultimately how do I retain all the data I need for the potential years back I need to go back to do a breach investigation? How do I do that cost effectively? And one of the things that we think security data lake is so exciting is because it's open: the formats are open, the data is owned by the customers, and there are multiple things that can go in and get value out of that data, including our Search product, which we're very excited about, because the use case for security data lake is I need to go back six months, a year, and go investigate this threat that I've just discovered. How do I do that without having to move all the data? And our Search product is an amazing opportunity for customers to go search that data in place and go really do the deep dive into the data lake. That's the reason why we're retaining all this data, is so that if something bad happens we have the ability to go back in time and really tell the enterprise with some assurance what actually happened with that particular threat. And so this is really where customers are getting really excited, is about the really long retention and the ability to keep massive volumes of data that's required to secure their enterprises.

What's the alternative, Clint, for not having that search? You mentioned that's a key use case. What's the old way, what was the previous alternative?
Yeah, so I think that it kind of goes against what security lake stands for, which is to centralize all the data, but most of the people in the market today are then lifting that data back up, making a copy and moving it into some other engine. And that's fine if it solves the problem. I mean, ultimately users are already familiar with these tools, they know how to work with them. Our Stream product can help with that, we can help lift the data out of security data lake and move it into other repositories. But being able to search that in place, especially since a lot of this data is completely worthless until suddenly it's the most valuable data set in the enterprise, and so having multiple copies of it everywhere really starts to add the cost up very quickly.

Yeah, data movement is huge. So on the search piece in cybersecurity and the data lake, what's the main headroom that people are going to grow into as data comes in? You mentioned data is growing massive rate, budgets aren't. Is this an operational benefit, is it more insights, what's the, or is it prevention, or is it all the above? What's the benefits that come out of the security data and your search in particular?
Yeah, so I think it's retention and the ability to have kind of all this data centralized, and really you can't ask questions of data you don't have and if you can't cost effectively store it. And I think this is where AWS is leading the market, is offering customers open alternatives to be able to keep all this data cost effectively, because compliance is driving a lot of this. For a lot of our customers, they have retention needs that may go up to like seven years plus, and the idea of just wheeling hard drives into data centers to store all of this data is just not cost effective. And we're seeing even a lot of our on-prem, you know, staunchly on-premises customers looking at security data lake as the place where they're going to go to put all this data because it's the only way that they can afford to meet their compliance requirements.

Ryan, what's the large trend that's powering and driving this data lake for cybersecurity? Obviously a no-brainer, you see the value. Is it just pressure? Is it more enabling now? Is it good timing? What's the driver for the movement towards the data lake for cybersecurity?

Yeah, it's been a tough problem for the entire site and I'm speaking from personal experience of the cybersecurity industry for many, many years. This is a tough problem. I don't like personally to hear that people have to make trade-offs of what logging and telemetry sources to turn on or off or how long to store those logs, and they're up against regulatory compliance pressures, retention periods like Clint mentioned. Those have all been traditional challenges or, I should say, undesirable trade-offs in cybersecurity as an industry. You know, we at AWS, very customer obsessed, with doing a lot of research and investigations and just listening to our field teams that are connected to some of the largest enterprises in the world. How could we possibly solve or help alleviate that issue a little bit for those people out there that have these trade-offs?
So really I'd say timing is something we could discuss about, like why now? I would say it was always eventually, it was always eventually going to happen with AWS because we're constantly focused on where are those big pain points, and in cybersecurity, centralized logging in a cost-effective way with a standardized logging format. You know, that's kind of industry shaping, I would say. It's really a reinvention moment for the industry. So it always was going to happen. I think now the technology supports it and we're really happy to see that these use cases are starting to unlock with different partners around the world.

How does AWS view the rise of interoperability? Clint and Cribl, they talk about it all the time. Can you guys both talk about this interoperability aspect of it? Super important.

Absolutely. And actually in my team Cloud Foundations that run an organization here at AWS is in charge of working with partners like Cribl on a security, identity, application, observability side of the house. And so obviously people are running things in all sorts of environments. As a matter of fact, we've got a public website now for AWS hybrid and multi-cloud support. So you can look that up. That's actually my team helping create those concepts and solutions. So you'll always see us, again, lean into where customers say they need help. That's where we're going to be steering towards and delivering different native services to help them there. So a hundred percent, we definitely want to empower customers to run that full analysis, whether it's predictive, proactive or even reactive like post incidents. We want them to be able to see a full story from endpoints, private data center, cloud, multiple clouds. We want them to be able to see the holistic story and not have to make such a trade-off on that cost versus logging telemetry that's traditionally been an issue.

By the way, quick props for you guys at AWS for solution-oriented thinking.
Obviously tons of high level services. This is one of the benefits of the partner network. So nice call out there, Ryan, appreciate that and notable. Cribl has been an interoperability too, Clint. What's your take on interoperability? You're out in the front lines of your customers. Amazon's got solutions. You're putting it all together. IT, Security Lake, bridge that gap between the solution and the customer.

I think this has been one of the kind of travesties of the security industry for the last 10 to 20 years, is a lot of very verticalized solutions from vendors that are designed only to interoperate with their own. One of the things that I love about AWS that we share from a values perspective is truly being customers first. And going out and offering customers those options. And when you ask me like, what does Cribl sell? Often what I answer with is choice. Like we're giving our customers the ability to make choices and the ability to continue to make different choices no matter what other choices they've made in the past. And so for enterprises, they come with years of decisions that have been made about various technologies that they've acquired or built. And they need all that stuff to work together. And with a lot of vendors that are like, well, my stuff works with my stuff. And what I love about AWS and what I love about our products is they really are customers first, with the idea that we should be able to integrate anything and everything and make everything be able to talk to everything and truly give customers the ability to morph their technology solutions to fit the complex environments that they're dealing with today. And I think that that gives them the choice and the ability to continue to grow their enterprises and make new choices in the future that'll be right for them.

And I think that's a great segue to my next question, which is as you get all this security data lake in place, you got the interoperability.
AI is driving the automation aspect of the infrastructure. Here, that bridge is only going to get accelerated. You mentioned more data, not enough budget, but now capabilities with the data to be actionable. You get the context, you got actionability. This isn't kind of where the action is right now in the infrastructure and security, especially with the automation and AI coming where you can just get all the observable data, back it up, bring it on, and then just manage it with software.

So I think AI is going to really level the playing field, and especially in the security operations center where if you talk to a lot of CSOs, their biggest challenge is people. Like I can't hire enough tier one people or tier two or tier three people to come go manage all of these threats that are coming at me constantly. And so making a tier one SOC analyst, giving them the power of just even the next tier up in terms of being able to help them know what questions to ask of their data, help them take actions on behalf of the enterprise that historically would have been in runbooks, and AI automated agents, I think is going to be a sea change for the industry. Still very early days. I don't think we have a lot of customer success to stand on top of, but I think everybody sees the potential and everybody's racing to try to level up all of the personnel in the enterprise.

The key word is not yet. I mean, Ryan, this is where you guys doing a lot of work on the AWS side. You know, we talked to Cribl all the time. This is the future, but you got to set the foundation, you know, literally architecturally, because as automation comes in, you now can get the data, just bringing all the data in. It's more usable because you got cloud scale and you're going to have scale with software and AI coming. So again, perfect opportunity for the folks that were, you know, classic enterprises and big data. I mean, Clint, big data days in 2010, you know, it's finally here, right?
So now people got to put it in place. They got to put it into practice and start the operational shift. This is the big discussion. How do I set up my operations to make sure we don't get foreclosed the benefits of AI?

That's part of the thing I just wanted to mention real fast. Automation's been around for a while, but with Amazon Security Lake and increased visibility you have across all of your security flow and trade across your environment, this provides a finer resolution onto some of the factors that maybe led to some uncomfortable feelings from certain CSOs or security teams to automate remediation or automate response based off of certain information coming in. Now they have a more clear picture. So we see that confidence level in general of what people are willing to automate increasing as a result of just having better visibility over their security logs.

Clint, great time to be in security with data. You've been in the data business for a long time. We mentioned big data throwback there, but you know, as the, I mean, security is a tough industry, let's face it. The pace of play is high, it's fast. You got adversaries out there. You know, it's a great time to be in security. It's kind of an interesting comment, but with data now, there's so much more capabilities. What's your view as you look at this from a CEO perspective, founder, and you've seen the wave hitting, what's going through your mind?

Yeah, I think for me, it's always about meeting the challenges that we're hearing from, you know, our CSO customers, which is how do we deal with a complex threat landscape? How do we continue to, you know, like I mentioned earlier, scale the people inside of that operation? And ultimately, you can't ask questions of data you don't have. And so that's where I think, you know, a lot of the innovation around making this cost effective for enterprises and making it to where they can, the security budget, you know, it is a cost center, it's an insurance policy.
And while we like to think that security budgets are always, always increasing, the CSOs that I talked to say, look, you know, I'm constrained and every dollar you save me here is I can go deploy on people, on other new technologies that can really help, you know, give me confidence. Like Ryan said, that we're, you know, that we're going to be able to find these big threats that are coming at us constantly. And honestly, you know, it's fatiguing to think about the battle that they're facing every day, that the threats are coming every day, they'd never relent. And so, you know, how can we give them back, you know, the choice and control that give them the ability to go, make them as secure as possible?

Yeah, Ryan, this is exactly what we've been saying. Certainly last year at re:Invent; this year, I'm sure there's going to be a lot of Security Lake conversations going on. As your customers and partners look at the future, okay, what do you hope to see continue to progress in the coming months? And as this rolls out, what are some of the things that you expect to see happen from a product standpoint? Feel free to share some open information there if you have it, no need to release any of the news coming out from re:Invent probably, but as you guys look forward, you have a roadmap, you have a vision. What do you hope to see with the Security Lake?

Well, I would say, look, the trend in terms of what to expect with Security Lake, it's going to continue, we're going to double down with something common you've seen AWS do, like remove undifferentiated heavy lifting from the value chain through partners like Cribl, through our mutual end customers that are utilizing these services. So, you know, we want to save people on those valuable scarce resources. As Clint mentioned earlier, security resources and even cloud security expert resources are even more scarce these days. They're in very high demand.
So, we'd like to continue pulling undifferentiated heavy lifting, normalizing log files, moving things around, it should be a thing of the ancient past, I hope. That's my own personal vision. And you're going to continue to see this ecosystem of partners like Cribl that my team works with, creating and inventing new unique ways either to make ingesting of different log sources easier, or even the other half of this is once that data is there, the analytics, the predictive analytics, potentially, you know, different sort of levels of automation and even comparing analytic sources and analytic processes right next to each other, doing a side by side compare to see what works best for your organization. You know, imagine tailored analytics based off of the industry or vertical or similar companies of your size. Being able to see that is something I'm really hopeful for in the general partner community that's surrounding the Amazon Security Lake service.

The game is still the same. It's data, you got to store it, you got to analyze it, they're in logs, they're everywhere. Cribl Search, Clint, is huge. You guys are talking about this as the first industry search-in-place query tool, okay? Let's get into it. What's the big thing about it? Why is it important? Why is it the first? Why hasn't anyone done it before?

So the problem that we're seeing, especially in the security operations center, is that ironically kind of a problem that we created with Stream, which is the customers want to put data in a lot of different places. And now the data is in a bunch of different places and each one of those different places requires users to be trained on each of those experiences. And so these are all great engines and they have great products that allow users to go deep dive and investigate. But now I need to be able to look across all of those all at once. I need to be able to look at the data in my existing tooling.
I need to be able to look at the data at the edge that hasn't even moved yet. And then one of the things that we love about Security Data Lake is, we believe Cribl Search is the first search-in-place solution, especially for security professionals that want familiar pipe-delimited query language and a search bar that they're used to. But then let's say that they have a data scientist that wants to go work at that data and they're much more familiar with writing Python or doing Spark jobs. That data is in open formats now so they can go run any analysis tool on there. So while we hope that we are the best, I think that these open formats and open data lakes really align vendor and customer incredibly well. And we only charge for when you're actually running queries. So it's like a light switch, turn it off, you're not using it, you're not getting value out of it, then we're only going to charge you for exactly what you're using. And I think that that also is a very, very fair way for vendors and customers to interact, just like AWS does with their customers. And so we're really excited for the open future that's going to give customers choice in how they analyze this data rather than be forced to analyze it with the tool that they chose five or 10 years ago. And that's the only thing that can go get value out of that data.

That's awesome. Clint Sharp, co-founder and CEO of Cribl, Ryan Orsi, Worldwide Head of Cloud Foundation, partners at AWS. Guys, this has been a great session, the folks watching in the industry and also customers and future prospects of Cribl being featured here. Guys, final word, I'll give you guys both the last take here. What should people be thinking about as they set the table for their organizations going forward? We kind of know what's coming. The big AI wave is, the hype cycle's epic proportions, but this value here on the setup, this hype matches the prospects. We all kind of agree. There's upside here in AI.
And also for the bad guys too. So like, you know, it's a whole nother game, but it's going to be fast and a little loose right now but it's going to be hunkered down. People are getting ready. What's your final take and advice to the practitioners watching? What should they, how should they prepare? How should we be thinking about rolling forward? Ryan, we'll start with you.

Sure, I'll start that one, John. So my general advice is don't go at it alone. We all know at the other end of the wire is an adversary. You need as much support as possible. So consider whether you're using a cloud like us, you're using a partner like Cribl. Consider using and surrounding yourself with that ecosystem of third party support for yourselves. There's a lot of great minds on this, all dedicated towards helping you get to the more elevated position in your security posture of whatever you're running, wherever you're running. So my general message, don't go at it alone. Build up your ecosystem of great minds like Cribl, like AWS security. And we can all work together to make things better for you in your environment.

Clint, take us home. The rise of the security data lakes is here. We're wrapping it up, get the final word, put the plug in, tell us what's up.

Yeah, I mean, customers need to think about their data management strategy. What got you to 2023 is not gonna get you to 2033. And so you need to be developing a portfolio of tools for the right place to manage this data. We can help with that in both moving the data and searching the data. And we think that AWS security data lake is the most customer friendly choice on the market today. It's open, it's gonna grow with you. And you own the data and we're really, really excited about a future open ecosystem where customers get to take back control of their data.

Clint, congratulations on all your success, been watching your journey, congratulations to the company and your team.
Keep at it, we'll see you around and keep plugging and great to have you on the showcase. And Ryan, thanks for coming on board with him as with AWS and partner there. So appreciate your time, gentlemen.

Thanks, Ray. Thanks, Sean.

Okay, this is the presentation of AWS Startup Showcase on cybersecurity. Season three, episode three of ongoing series covering exciting startups from AWS ecosystems. I'm John Furrier, your host. Thanks for watching.