Hi everybody, this is Dave Vellante and we're back at RSA-C 2023, the RSA conference. This is really the, we're back to 2019 levels, at least it feels that way. Remember 2020, this was the last conference, it was March of 2020, just right before the lockdown. People were kind of not really sure if they should even be here. Is this a, you know, what's going to happen? And then of course the world shut down for the better part of two years. But we're back and theCUBE is here. We're really excited, myself, John Furrier. We're here all week, Monday, Tuesday, Wednesday, Thursday, live broadcasting here from Moscone West, so stop by and see us. Mohit Tiwari is here, he's the CEO and co-founder of Symmetry Systems. Mohit, thanks for coming on theCUBE. Thanks for having me, really appreciate it. So Symmetry Systems, by the way, you're also a professor at UT Austin, very cool, great school. Our mutual colleague, Bob Metcalf is there as well, but so congratulations on the work that you're doing there. Tell us about Symmetry Systems. Let me ask you the question, I'd love to ask founders. Why did you start the company? Well, so there are two things. One is we care deeply about privacy. I would like me and like other people to have agency over their data. So that was sort of the founding reason, but then it's also about competence. We love building infrastructure. We love doing security work. So we just wanted data and privacy control over data, visibility into data to be built into infrastructure. And when we came out, we just realized, talking to companies, everyone has good intentions, but they just don't have the tooling. So when you say like, oh, Facebook didn't have visibility into where data went, or if you look at Okta's, like, hey, contractors, what data was being, it's not that they mean harm, it's just that there's no good tooling for them to have visibility into this data. So that's why we started.
When we were prepping for RSA, we had, you know, our little editorial meetings and you put forth key issues. And one of the issues that came up was, one of the criticisms of the security industry is they're building essentially a massive surveillance system. And one of our guys said, you know, yeah, maybe, but it's really the social media companies that are perpetrating that. And you just pointed out, they don't have the tooling. I mean, despite the fact that they have all these resources. So is that what Symmetry does? Do you provide infrastructure and tooling to ensure privacy and provenance and lineage? Exactly, exactly, exactly. Our precept is very, very simple. If you're an organization, you've deployed things on the cloud, you will want to understand what data do you have? Where is it? How's it protected? How's it being used? How's it flowing through the environment so that table stakes, compliance is easy, but really you can get a lot of heavy duty security lift done. You can protect the data itself rather than, you know, if you just have a simple question, did contractors touch customer data in the clear, right? You can't answer it. You have to look through hundreds of logs of different tools and such. Whereas if you followed the data, you could just answer that question directly. So your solution simplifies, it allows you to follow the data and makes it simple. Because you can't do it otherwise. Yes. And it's a software platform that does this? Yes, exactly. It's a service that deploys into the customer's cloud. So that's a big decision we made upfront. We don't want to be a regular SaaS where we now become the single point of failure and we host everyone's data. We're providing a service, deploy the service into the customer's cloud environments and wherever the data is, wherever the cloud is, the service just kind of like a flight data recorder. It watches what data do you have like a crawler. It figures out how it's moving.
And now you can build workflows on top. You can ask questions that, hey, did data production customer data flow into a dev or a staging environment, right? So all of these are essentially questions around data flows. And you can just ask the question directly. Data type, identity type, and that something happened to it. Okay, so it's not a managed service? Or is it a managed service? Oh, good, good. So managed service is slanted. It's not a SaaS in the classic sense of Symmetry. Symmetry's cloud does not need to pull in the customer's data into our cloud. We bundle up everything we do into a virtual machine, into a Kubernetes deployment, and you can ship it into anywhere. Anywhere, any availability zone. I could put it on-prem if I wanted to. Absolutely. In fact, we have customers who have FedRAMP environments and they are deploying Symmetry in a FedRAMP environment as well. Where Symmetry, I have no access to anything. So it's almost like the deployment model is very similar to classic infrastructure. You kind of push things into the customer's environment. But the software delivery mechanism is all SaaS. Like, you know, CNCF cloud-native tooling kind of lets you be cloud agnostic. You know, push code, push everything into the customer's environment. And they get latest updates. They can control everything. They have visibility into everything. But, yeah. What's your secret, what's your secret sauce? Is it your ability to surveil? Is it an agent technology? Yeah, so that's really good. So agent is a very loaded word in the sense that, right? But a lot of people don't like agents. But I mean, CrowdStrike's got a powerful agent and they make a big deal out of it as an example. So they turn it into a positive, lightweight. But okay, so maybe not in the classic sense of an agent that needs to be managed, but explain. So I think, yeah, exactly. I think to me, there are three layers that are good to consider independently. One is the plumbing.
Some places agents make sense. If you have a laptop or a device out there, agent's not the only way. It's just great. You should have that. For us, what really made sense is where's the most of your data? It's in these giant data stores. You have S3, you have RDS, you have DynamoDB, you have Snowflake, Databricks. You want visibility and control over this stuff first. Stuff that goes out into an endpoint. That's kind of like the nerve endings. You want control over your spinal system first and then you sort of figure out what happens on the edge. So that's where we are starting from where your hybrid cloud environment could be AWS, GCP, could even be on-prem, Azure. Understand what's going on there. And it's a service that drops into every availability zone. And all it needs is sort of like a crawler, read-only access to different types of data stores. And we want to be very systematic. Our superpower really is, A, the deployment model into the customer's cloud. We call it SaaS in your cloud, where it's kind of like beamed in like a SaaS, but it's in the customer's environment. That's the stage zero. It allowed us as a startup to get into incredibly regulated customers, which if we were a regular SaaS, we would never even make it. And is it a send it and forget it type of thing or is it me constantly interacting with it? Yeah, so the way I think about it is that it has to land well and give you wins immediately. That's not negotiable. So once that happens, over time, it's learning from every action that you're doing. So a key part of all this is that your data flow policies, like you observed earlier, they become really compact. They become really simple. And we are helping our customers sort of build out. Here's a set of data flow policies that for any AWS environment makes sense. What's production, what's not? What are contractors who are not? What are external, what's internal, right? This sort of stuff and data flows across them.
But then as time goes on, you can get really deliberate about, look, you can really customize it for your own. Like I have very specific, I have a project Baby Yoda coming up. I'm Mattel, right? And I want to keep this super secret even from our own infra people, like how would I do it, right? So you can sort of start building your org-specific custom stove pipes, right? And the system has to be super extensible for this. So these, yeah. And how do you price it? Is it capacity pricing? So the pricing model, we are still kind of iterating over it. Our first goal was we don't want to have our customers get nasty surprises. So we picked a very simple sort of infrastructure-centric model where it's, hey, small, medium, large deployment of Symmetry, right? And a small environment can watch a pretty big customer environment. And before you run out of capacity, you'll see it coming. So you know, I need to add more small clusters or add a medium cluster and so on. It keeps your blood pressure pretty low. It's just because you have a data lake, you downloaded a bunch of data, all of a sudden your bills won't spike. So that was really important for us. So almost like T-shirt sizes, you know? Like small, medium, large sizes. Exactly. Exactly. It's not for pricing, no matter what you do. It won't be perfect. Exactly. But then we have a pretty rich partner ecosystem. We have customers who are, use it for, we have partners who use it for compliance. We have partners who use it for zero trust assessments. We have partners who use it for incident response. And I think for these deployment scenarios where the use case is very similar and it's kind of like small, you know, bins of time, you know, we are iterating on different pricing models. It's three use cases. Compliance, zero trust and incident response. Right, right. Take zero trust. Yes. You know, hot topic right now. Yes, absolutely. Where do you fit in a zero trust architecture? Absolutely.
So if you just go back to the NIST classic diagram, there's a subject, there's an identity, there's the pipe, the network pipe, and then there's a resource, right? In the NIST document, the resource really that matters is data. So there's zero trust for identity, sure you have, you know, authentication, you have continuous authentication, there's the pipe, that's zero trust network access, all this stuff. It's kind of interesting to me that people started with the pipe as opposed to what are we protecting? So we sort of are the zero trust for data where you understand what data do you have. The NIST documents, the CISA documents now really list this out like, you have to have visibility into what is your crown jewel? What are you protecting? What should the policy be? And then sort of, you know, figure out the identity and the pipe is almost, we're doing it first, but to me logically it sort of fits like, it should be the third thing, right? Because there are many ways to construct pipes, you know, some are network, some are just. What are you learning? When was the company founded? 2019, Q4. 2019, so yeah, three years to be young. Okay, so that's interesting. You started just right before COVID. Yes, so RSA 2020 was, we were all in person and then it shut down. So what have you learned in terms of customers' cloud, any cloud, including on-prem clouds? What have you learned in terms of deployment? We always hear, everybody has multiple clouds. Are they using your product in multiple clouds? Absolutely. Absolutely. So what's the dynamic like? What are you seeing in terms of cloud adoption? It continues, people talk about how it's slowing down, but it's still much, much faster than the overall market. What are the trends that you're seeing inside of cloud? So one big theme to me is every, even our small startup customers have multiple cloud deployments.
It's because someone got a contract with GCP or with a large customer on GCP, they were primarily on AWS, but now they have to go to GCP, right? A lot of big companies are getting deals from Azure, so they'll have something there. Or a lot of times we see data lakes, BigQuery is a huge gravitational pull for data lakes and for product workloads, S3, RDS, like the classic AWS environment is very popular. So the same company will have a data lake team here and a product team there. So for us, the big theme that I feel that we are able to deliver to customers is what you referred to earlier. I want my policies, my questions are very simple. I want to be able to say like, hey, I do not want external identities accessing my production data in the clear. Now it doesn't matter if it's in BigQuery or upstream, it's in a product environment like AWS, I want the policies to be monitored and enforced consistently. So the analogy that I like is just like TensorFlow or PyTorch, they do this for your machine learning models. I don't care if it's a CPU, GPU, or FPGA, right? I found simple policies, domain experts writing these policies, like compliance experts or security experts. They're not necessarily cloud permissioning experts or exact data store S3 corner case experts, right? So we want to separate out sort of the implementation from the policy and I think that's the biggest way. And the experience with your solution is identical no matter whether I'm on-prem or Google or Azure or AWS or GCP. By and large for 80% of your questions, it's identical. That there's a kind of like a long tail 20% use cases where these are corner cases that are unique to your organization and how your organization kind of used AWS of, you know, vintage 2016. AWS was pushing like, hey, service control policies and cross account like this. And now they're like ABAC or attribute-based access control like that. And now there's something else that comes up. CDK-based deployments, right?
So every sort of like archeology, right? Like you can sort of see different stacks that were all deployed. And sometimes those are corner case things that only make sense. Those questions only make sense for AWS. So barring those edge cases by and large it has to be a consistent kind of view into every cloud, right? Like where is my genomic data across my environment? Just tell me where it is, right? And who should I call to fix the non-compliant or not secure genomic data? These are the two questions that security teams or governance teams most care about, right? Is there a ton of buildup of dormant data around? Thanks for that. So that was the other use case I was going to ask you about was compliance. How bad is it when you go and investigate how severe and acute are the compliance problems that are out there? So I think the saving grace is that auditors as your attacker are a much lower bar than attackers as your attacker. So even though the problems are pretty severe, right? The auditors sort of work with the customers to be like, look, I understand why you don't have full visibility. Of course you can't deploy data classification at the scale of billions of objects. We all understand no one has it. So let's just mark this as accepted risk. But you don't need to if you have more modern machine-learning-based tooling, right? Similarly for permissions, they sort of just export cloud permissions to the auditor and the auditor is a CPA and says, I guess it looks good, you know? So I think compliance, sort of we have to move, we as security professionals, we have the responsibility, I think, to simplify every big advance in security. We have to simplify it, teach the community, teach both the auditors who are trying their best, teach the customers who are also trying their best like, hey, here's a new tool, here's what this means for you. Now both of you all come meet, look, we all did something great.
Because now you can give evidence to why, you know, segregation of duties is being followed. Or why, I mean, simplest question, right? Disaster recovery is a big theme in compliance. How do I show that everything that is business critical data, right, is backed up, is there a data flow to a backup environment? It's a big question, it's incredibly hard to show, but now we can show it. So we sort of want to move both sides of the game forward. It's pretty, you know, you can imagine it's really hard to get done now, but hopefully in a couple years it'll be. You mentioned partners before, maybe talk a little bit more about your partner ecosystem and your go-to-market strategy. Absolutely, so we think data and protecting data has to be done in concert with partners who understand the business side intimately. Because you can take people's permissions away from their printers or change the container underneath the developers and they don't really, really care, right? Unless you break some dependency. But if you take the head of data science's permissions away a week before Black Friday, it's not good. So you have to be really intimate with what's going on in the business. So we have, essentially for each NIST pillar, there are security advisory companies like Zero Trust strategy companies that we partner with. Accenture Zero Trust is a great partner for us. We have customers who sort of deploy data lakes and manage data lakes for them. So we have partners there. We also have incident response, detection response type companies that are partners or they're trying to provide cloud security services, right? So Trace3 is a kind of innovation forward partner. We partnered with them, TBC. We have kind of like really good local partners as well, regional partners, where we believe that teams that understand the business, they use our power tool responsibly. Like that's sort of the GTM strategy that we are following.
The last four months or so with all the generative AI hype and just amazing. What are your thoughts on all that? How are you experimenting, using foundation models like GPT, what's the fit? Yeah, so to me, there are two parts to it. One big part is just our customers getting a user interface that is incredibly natural, that is tailored to their organization and how the cloud is used. ChatGPT is incredibly good with us. If you ask an arcane AWS permissions question, it's even better than the AWS definitions, right? So customers can really get tailored answers to that. That's the pro. The tricky bit is a lot of these, even permissioning models, so what data do you have? All this stuff is super sort of private to each organization. So I think the future where like, you can sort of have a foundation model but train it locally to an organization, deploy it locally into the cloud, that's going to be amazing. Just for visibility and understanding proactively and then later on even for detection response kind of use cases. It's going to be interesting to see how that plays out, Mohit. I don't know if you remember, so you know Google search is the best, right? Everybody loves Google search. For a while, you could take Google search and put it on your own website. Remember that? And then they killed the product because they realized, well, let's bring them back to Google, we'll get the advertising revenue. You know, we're far, you know, decades beyond that now, but it's going to be interesting to see how that model plays out. Last question, I'm going to ask you, I know you have some announcements coming up in the future, but maybe you could tease us a little bit as to what's coming. Absolutely, so the one big thing that we're doing is Zero Trust, we believe should really be anchored around your crown jewel data. So in partnership with Accenture's Zero Trust team, we're launching this Data Guard Express.
Data Guard is the name of our product, Symmetry Data Guard Express, which is you can deploy it in your cloud and it'll come back and tell you evidence for, hey, here are the concrete things that you need to do and it takes order of days for you to have something really tangible ROI and not just least privilege kind of thing. So it should be exciting. I didn't ask you about a funding model, what, can you talk about your venture capital, how much money you've raised, where are you at? Yeah, so we raised our seed round in 2019, we have finished raising our Series B, our Series B announcement should also be in a month or two from now. We wanted to let the RSA hype sort of die down. So we are finished raising our Series B at this point. We are about 50 people and set to sort of get into the next. Is it public, how much you've raised? No, not yet. We have a couple of strategic partners who are still finalizing their rounds, their investments. So we're going to wait for another month or so. Great. Well, congratulations on getting the company off the ground and thanks for coming to theCUBE. Best of luck to you. Thank you so much, Dave. Pleasure to have you. All right, this is a wrap day one here. We're here all week RSA conference 2023. The keynotes are going on right now. I'm here with John Furrier. So come back tomorrow. theCUBE.net, siliconangle.com has all the news. Rob Hof is on the ground with his team. Mark Albertson's here, our newest journalist in the cybersecurity space, David Strom. So check it out, we'll see you tomorrow. Thanks for watching.