Live from Barcelona, Spain. It's theCUBE! Covering Cisco Live Europe. Brought to you by Cisco and its ecosystem partners. Welcome back to sunny Barcelona, everybody. You're watching theCUBE, the leader in live tech coverage. We go out to the events. We extract the signal from the noise. We're here. This is our third day of coverage at Cisco Live Barcelona. I'm Dave Vellante. John Furrier is here. Stu Miniman, all week, John. We've been covering this show wall-to-wall. TK Keanini is here. He's a distinguished engineer and product line CTO for Cisco Analytics. Welcome to theCUBE. Good to see you again. Welcome back to theCUBE, I should say. Thank you very much. So, tell us about your role. You're focused right now on malware, encryption. We want to get into that, but set it up with your role first. Well, I'm trying to raise the costs to the bad guys hiding in your network. I mean, basically, it's an economics thing because, one, there's a lot of places for them to hide and they are innovating just as much as we are. And so, if I can make it more expensive for them to hide and operate, then I'm doing my job. And that means not only using techniques of the past, but developing new techniques. You know, like I said, it's really, unlike a regular IT job, I'm not waiting for a hard drive to fail or a power supply to fail. I have an active adversary that's smart and well-funded. So, if I ship some innovation, I force them to innovate and vice versa. So, you're trying to reduce their ROI incentives? I want to make it too expensive for them to do business. So, what's the strategy there? Because it's an arms race, obviously, you want to use one white hat over a black hat. So, kind of continue to do that. Is it to decentralize, to create more segments? What are the current strategies that you see to make it more complex or less economically viable to just throw resource at a port or whatever? There's sort of two dimensions that are driving change. 
One, you know, they're trying to make a buck, okay? And, you know, we saw the ransomware stuff. We saw, you know, things that they did to extract money from a victim. Their latest thing now is they've realized that ransomware wasn't a recurring revenue stream for them. Right? And so, what's called cryptojacking is. So, they essentially have taken the cost structure out of doing crypto mining. You know, when you do crypto mining, you'll make a nickel, maybe 10 cents, maybe even 20 cents a day. Just doing this mathematical mining, solving these puzzles. And if you had to do that on your own computer, you'd suck up all this electricity and things, you'd have some cost structure, right? And less of a margin. But if you go and, you know, breach a thousand computers, maybe 10,000, maybe 100,000, guess what, right? One, you're hiding. So, guess what, today you make a nickel, tomorrow you make another nickel. And so, you know, if you go to the threat wall here, you'd be surprised, there's crypto mining activity taking place here. And nobody knows about it. We have it up on the threat wall because we can detect its behavior. We can't see the actual payloads, because it's all encrypted. But we have techniques now, advanced analytics by which we can now call out its unique behavior, very distinctly. Okay, so you're attacking this problem with data and analytics, is that right? What are the ingredients of your defense? Yeah, I mean, there's sort of a three-layer cake there. First you have, you know, I always say, all telemetry is data, but not all data is telemetry, all right? So, when you go about looking at an observational domain, you know, and in humans we have sight, we have hearing, these are just like the network or the endpoint. And there's telemetry coming out of that, hopefully from the network itself, okay? Because it's the most pervasive. And so, you have this telemetry telling you something about the good guys and the bad guys. 
And you perform synthesis and analytics, and then you have an analytical outcome. So that's sort of the three-layer cake, is telemetry, analytics, analytical outcome. And what matters to you and me is really the outcome, right? In this case, detecting malicious activity without doing decryption. You mentioned observation, I love this. We've been talking on theCUBE in the past about observation space. Having an observation space is critical because, you know, people don't write bomb on a manifest and ship it, they hide it. It's hidden in the network, even they're high, but also the metadata is hidden. You have to kind of extract that out. That's kind of where you get into the analytics. How does that observation space get set up? How can someone create an observation space? Are they sharing these spaces? Are they public, private? This becomes kind of almost internet infrastructure. Sounds familiar, network opportunity. Yeah, and you know, the other driver of change is just infrastructure's changing, okay? I mean, in the past, go back 20 years, you had to rent some real estate, you got to put up some racks, some air conditioning, and you were running on raw iron. Then the hypervisors came, okay? Oh, well, I need another observational, you know, I need eyes and ears on this hypervisor. You got Kubernetes now, you got hybrid cloud, you have even serverless computing, right? These are all things, I need eyes and ears now there, that traditional methods don't get me there. So again, being able to respect the fact that there are multiple environments that my digital business thrives on, and it's not just the traditional stuff, you know, there's the new stuff that we need to invent ways by which to get the telemetry and get the analytical outcome. 
We talk about this dynamic, because we're seeing this, and we were just talking before we came on camera, we all got our kind of CS degrees in the 80s, but if you look at the decomposition of building blocks with APIs and clouds, there's not a lot of moving disparate parts for good reasons, but also now to your point about having eyes and ears on these components, they're all from different vendors, different clouds, multi-cloud creates more opportunities, but yet more complexity. Software abstraction is going to help manage that. Now you have almost like an operating system concept around it. How are you guys looking at this? Obviously the intent-based networking and HyperFlex anywhere, you're seeing that vision of data being critical, observation space, et cetera, but if you think about holistically, the network is the computer, as Scott McNealy once said. I mean, here we are. This is actually happening, so it's not just cloud A or cloud B, on-premise and edge, it's the totality of the system. This is what's happening. It is, it's absolutely a reality, and the sooner you embrace that, the better, because when the bad guys embrace it first, you have problems, right? And you look at even how they scale techniques, they use their cloud first, okay? They're an innovative bunch, and when you look at cloud, we mentioned the eyes and ears, right? In the past, you had eyes and ears on a body you owned. You're trying to put eyes and ears on a body you don't own anymore. This is public cloud, right? So again, the reality is somebody, these businesses are somewhere on the journey, right? And the journey goes traditional, hypervisor, you have then ultimately hybrid, multi-cloud. So the cost issue comes back to play here. If everything's SaaS and cloud, it's just as easy to start a company on the cloud versus standing up your own infrastructure. Jack, we see the startup wave, but if I'm a state-sponsored terrorist organization, it's easier for me to start a threat. 
So this lowers the cost to actually threaten. So that lowers the IQ needed to be a hacker. So making it harder also helps that. This is kind of where you're going. Explain this dynamic, because it's easy to start threats, throw some code at something. I could be in a bedroom anywhere in the world, or I could be a group that gets free open source tools sent to me by a state and act on behalf of China or Russia. Of course, of course. You know, software is software, infrastructure is infrastructure, right? It's the same for the bad guys as the good guys. That's sort of the good news and the bad news. And you look at the way they scale. Techniques they use to stay private. All of these things are valid no matter what side of the line you sit on, right? Math is still math. And again, I just have maybe a fascination for how quickly they innovate, how quickly they ship code, how quickly they scale. You know, these botnets are massive, right? If you look at a botnet, you're looking at a very cloud infrastructure system that expands and contracts. So let's talk a little bit more about scale. You've got way more good guys on the network than bad guys, because first of all, most people are trying to do good and you need more good guys to fight the bad guys. Do things, there's things like infrastructure as code, DevOps, does that help the good guys scale and how so? It, you know, it does. There is a, are you familiar with a concept called the OODA Loop? No. OODA Loop. It was invented by a gentleman, Colonel John Boyd. And he was a jet fighter pilot. And he taught other jet fighter pilots tactics. And he invented this thing called the OODA Loop. And it's O-O-D-A, observe, orient, decide, and act. All right? And the quicker you can spin your OODA Loop, the more disoriented your adversary is. And so speed, speed matters, okay? And so if you can observe, orient, decide, and act faster than your adversary, you create almost a knowledge margin by which they're disoriented. 
And the speed of DevOps has really brought this to defenders. They can essentially push code and reorient themselves in a cycle that's, frankly, too small of a window for the adversary to even get their bearings, right? And so speed does matter. And this- So changing the conditions of the test, if you will. Of course. For the environment. Of course. On a rabbit is a strategy, whether it's segmenting networks, making things harder to get at. So in a way, complexity is better for security. Because if it's more complex, it costs more to penetrate. Complex to whom? To the adversary. That's exactly- To the machine. Exactly. It's very- For the central database, I can just hack in, get all the jewels, leave. That's right. That's right. And again, you know, I think that all of this new technology, and as you mentioned, new processes around these technologies, I think it's really a changing game. The things that are very deterministic, very static, very slow moving, those things just become easy targets. Low cost targets, if you will. TK, talk about the innovation that you guys are doing around the encryption, detecting malware over encrypted traffic. Yeah. The average person, oh, encrypted traffic. It's totally secure, but you guys have a method to figure out malware behavior over encrypted. Which means the payload can't be penetrated or it's not penetrated. Full, we don't know what's in there, but through network traffic, explain what you're working on. Yeah, well, the paradox begins with the fact that everybody's using networks now. Everything, even your thermostat, probably your tea kettle, is crossing a network somewhere. And in that reality, that transmission should be secure. So the good news is, I no longer have to complain as much about looking at somebody's business and saying, why would you operate in the clear, okay? Now I say, oh my God, your business is about 90% dark, okay? 
When I talked about technology working well for everyone, it works just as well for the bad guys. So I'm not going to tell this business to start operating in the clear anymore so I can inspect for malicious activity. No, we have to now infer malicious activity from behavior because the inspection, the direct inspection is no longer available. So we came up with a technique called encrypted traffic analytics. And again, we could have done it just in a product, but what we did that was clever was we went to the enterprise networking group and said, if I could get some new telemetry, I can give you this analytical outcome, okay? That'll allow us to detect malicious activity without doing decryption. And so the network as a sensor, the routers, the switches, all of those things are sending me this rich, rich telemetry by which I can infer this malicious activity without doing any decryption. So payload and network are two separate things contextually because you don't need to look at the payload, the network. Yeah, I mean, if you want to think about it this way, all encrypted traffic starts out unencrypted, okay? It's a very small percentage, but everything in that startup is visible. So we have the routers and switches are sending us that metadata. And then we do something clever. I call it, instead of having direct observation, I need an observational derivative, okay? I need to see its shape and size over time. So at minute five, minute 15, minute 30, I can see its timing and I can model on that timing. And this is where machine learning comes in because it's a science that's just, its day has come for behavioral science. So I can train on all this data and say, if this malware looks like this at minute five, minute 10, minute 15, then if I see that exact behavior, mathematically precise behavior, on your network, I can infer that's the same malware. Okay, and your ability, you mentioned, just you don't have to decrypt. 
That gives you more protection, obviously, because you're not exposed, but also presumably better performance. Is that right or is that not a factor? A lot, a lot better performance. The cryptographic protocols themselves are becoming more and more opaque. TLS, which is one of the protocols used to encrypt all of the web traffic, for instance. They just went through a massive revision from 1.2 to version 1.3. It is faster, it is stronger, it's just better. But there are fewer visible fields now in the header. So, you know, there's a term being thrown around called dark data, and it's getting darker for everyone. So looking at the envelope, looking at the network effect, this is the key thing. The value of the network is now more important than ever. Explain why. Well, it connects everything, right? And there's more things getting connected. And so, as you build, you can reach more customers, you can operate more efficiently, you can bring down your operational costs. There's so many benefits. APIs also add more connection points as well. Integration services. And it's Metcalfe's law with a third dimension, and that dimension is data value. Connectivity. I mean, the mesh itself is growing exponentially, right? So, that's just incredibly exciting. Super awesome topic. Looking forward to continuing this conversation. Great conversation, super important, cool and relevant, and more impactful, a lot more action happening. TK, thanks for sharing. Yeah, great to have you on. Hey, keep it right there, everybody. We'll be back to wrap day three from Cisco Live Barcelona. You're watching theCUBE. Stay right there.