The RSA conference is happening next week at Moscone in San Francisco, and we're super excited to be on site at Broadcast Row in Moscone West. One of our supporters that makes theCUBE coverage possible is Palo Alto Networks. And here with me to talk about the state of the market and what we can expect at RSA 2023 is Ankur Shah. He's the Senior Vice President and General Manager of Prisma Cloud at Palo Alto Networks. Ankur, good to see you again. Thanks for coming on.

Likewise, good to see you, Dave.

All right, let's talk about the state of cloud security. We're going to dig into some new data from the latest cloud threat report from Unit 42. It's like 35 pages. It's packed. It's not just survey data. It's sensor data. Although there is a survey as well, about 2,500 SecOps pros, that focuses on the state of cloud native security that Palo Alto just also released. So a lot to unpack here. Ankur, the new cloud threat report, it's got some staggering findings about how long it takes to detect and respond, multi-factor authentication, who is and who isn't using it. You've got some really interesting examples of a SIM hack that should scare people. What stands out to you? Anything surprising?

Yeah, for sure. Look, this is our seventh installment of the report and I've been overseeing all seven of them. And every year it surprises me, the content of it. And I'm eagerly waiting to read the report. So look, this time around, just like last time, thematically, one of the things that stood out was a lot of the supply chain attacks. The SIM swap is a cute name, but ultimately it was a supply chain attack. Started with a mobile phone, but ultimately led to breaches in public cloud. So that consistently remains a story. And the reason why a lot of these attacks with the supply chain, talk about crypto mining attacks in the report as well, is really a few buckets of things. One is sort of just misconfigured stuff.
We talk about MFA, but a big thing that the report highlights is exposure, internet-exposed instances, things of that nature. Another big area is vulnerabilities in open source code. There were literally thousands of malicious open source libraries detected. And ultimately with the modern supply chain, these open source components ultimately make their way through the CI/CD pipeline into your cloud. And that's a big threat vector. And with open source libraries, one of the problems is also just a lot of dependencies. So the report talks about that dependency analysis, but those are the big challenges we've seen this threat report, but you're gonna see a rise of supply chain attacks. Again, because the modern software supply chain is complex and with AI and a lot of open source tooling around AI and ChatGPT, we're going to see more and more open source components. So it'll be interesting next few months and years.

Yeah, there was a really interesting sort of example of a SIM swap scam, which if people aren't familiar with that, you should be. Think about MFA and it's not enough. Also the percent of organizations that have hard-coded credentials inside virtual machines, user data. I mean, so many things in there. Where are organizations and SecOps teams, in your view, getting it right and maybe not so right as they approach specifically cloud security?

Yeah, before I answer that question, just double-clicking on secrets and credentials in your code repo. Secret scanning is a capability we launched late last year. And just in the last few months since our launch, I've been amazed by the number of secrets we've found across our customers. Over 28,000 secrets across 200 customers. So it's happening. It's always been there. We are shining a bright light on that. So that's definitely one area that customers are focused on. Now, typically the customers that we talk to want to start with visibility and control because they just don't know what's happening in the cloud.
So that's just sort of the basic and the bare minimum. The customers who are really getting it right are the ones who are taking the risk-prevention-first approach. Detecting secrets early on in the code. Detecting open source packages and vulnerabilities. Detecting infrastructure as code mistakes. All of the customers who are moving, shifting left, taking care of the problem early on in the application lifecycle are getting it right. Look, at the end of the day, cloud and modern supply chain, everything is complicated. At the end of the day, there are two primary things you need to do. Risk reduction and breach prevention. And risk reduction as far to the left as possible. And in terms of breach prevention, what could go wrong does often go wrong. So customers who do have compensating controls running in cloud, have active protection, runtime protection. Those tend to be the ones who really get this right.

Okay, so Palo Alto Networks, as well as others, often talk about, you just did some of this, shift left. We're going to talk about that a little bit, but there's also a shift toward consolidated platforms as organizations look to try to reduce the number of security tools in their environment. And my question is that this, I mean, this always sounds good, Ankur, but we never seem to get rid of stuff in IT, we just add. So is this really a trend of customers' buying habits changed? Do you have any examples that sort of underscore that?

Yeah, look, like you, Dave, and you've been doing this for a long time. And so have I, last 15 years, I've been hearing about market consolidations and platforms, et cetera, hasn't happened yet. Because there hasn't been a company like Palo Alto Networks who has painted a big broad vision. We're starting to see the early signs of that just yesterday. Actually a couple of days ago, there was an API security company that was acquired by Akamai.
And you're going to see more and more small vendors and startups get folded into large security vendors like Palo Alto Networks simply because customers just don't have the appetite to use four, 10, 15 tools, which one of our cloud native security reports illustrated. So it's happening. It's not going to happen overnight. We got to be patient. Customers don't want the whole platform to start off. Like I said, they start with their journey with visibility and control. Tell me what I've got first. Then they take the shift-left risk prevention approach and then runtime protection approach. So we'll get there. And we're seeing early signs like, look, more than 50% of our customers are using more than four of our modules and capabilities. So it's getting there, consolidation is happening. We had a couple of years and I fully expect there to be further consolidation in the space as we build out our portfolio and help our customers really provide a single platform.

The last week at our Breaking Analysis, we actually put up a map of potential acquisition targets. We circled API security as one that was going to happen. We didn't have Akamai as the acquirer, but it was pretty timely. Another finding in the report, go ahead, say it again.

What's the next thing you circled?

So, there were so many on that map. There's a lot of identity that needs to consolidate as well. That was, I think, the second area that we focused on. So thank you for asking.

Identity players now.

Yes, right, exactly. So another finding in the study was the developer to security pro ratio keeps widening. Can you explain why that's important and how it impacts security and an organization's approach to security?

Yeah, for sure. Look, you and I have talked about it before, but just for the audience, there are over 33 million developers right now and less than three million security professionals. Out of that, the folks who actually understand cloud security is a small percent.
So as I talk to customers, there's a real severe shortage of people, security professionals in general, but folks who understand cloud, very, very few, right? And this is happening because, you know, developers are building and shipping applications, public cloud vendors, modern CI/CD pipeline. It's making it so drop-dead simple for people to write software. I mean, I don't know if you've been, you know, keeping up with this whole ChatGPT and AI mania. I mean, now it is the core point itself, right? I mean, so developers are just co-piloting it. So, you know, over the next couple of years, you're going to see more and more software being built. And I don't know if our enterprises are spending enough money on security. They got to amp up the investment in security to keep up with auto-generated code. I mean, they can barely keep up with the stuff that developers generate. Can you imagine the AI generating code and security teams keeping up with it? So it's going to be fascinating. The only way to solve, like I said, is we got to get more security, professional security spends got to grow, no other way to solve.

Yeah, thank you for that. All right, let's shift gears a little bit and talk about Prisma Cloud. So a two-part question. Why has visibility become such a hot topic and a big area of focus for cloud? And second, you also, you talk about prevention. Why does this need to be, you know, emphasized? I mean, isn't it obvious?

Yeah, great question. So look, the customers that we talked to, the cloud security practitioners under, you know, the CISO, you know, their first job is to just understand what's going on, right? So when we say visibility and control, it's all about, you know, what cloud services am I using? Do I have vulnerabilities? Can you prioritize what's most important for me so that I can go to the DevOps teams and say, hey, fix these top 10 problems? And this is what we mean by visibility, right? Like, tell me what's going on in the cloud.
Tell me the top problems and help me fix it, right? And it turns out that that journey itself takes a while, not because of the software and the product itself, just because it requires the centralized security team to work with a whole bunch of lines of business and DevOps and applications teams. Once they do that, once the security team earns the trust of the developers by highlighting the most important thing, then they can start having a conversation with the development team and say, hey, do you want us to help you prevent the risk to begin with? If so, let me bring security where you are, which is building a plug-in in your IDE or your source code control system or your CI/CD pipeline because that's where the developers are. So it's a two-step process. It takes a while. There's a lot of friction, right? And a core part of Prisma Cloud's mission has been to build the bridge between the security teams and the applications team or the DevOps teams.

Yeah, so security is such a complicated matter for a lot of people. There's so many acronyms. So I want to pick your brain on something. I hear people talk about code to cloud security.

Yeah.

What does that mean? And if you have an example of how a customer would take advantage of that sort of full platform versus single module approach, I'd be interested in that.

Absolutely. So the threat vector in the code phase is you have infrastructure as code that's misconfigured. You have open source code that has vulnerabilities. You have your own code with known vulnerabilities. You've got secrets. These are the types of problems, or you have a misconfigured version control system. These are the five problems in the code phase that customers ought to think about. It sounds simple, but there's a lot of work that happens in this application security practice that customers have to worry about. That's the code phase.
Once the code is built, it turns into an image, a software image, which looks like an application but not yet because it's not deployed in production. At that stage, there could be image poisoning or vulnerable images because there are literally like hundreds of thousands of vulnerable images out there and developers can just download that. So there's a lot of security risks there. Somebody can introduce a piece of malware. And the last phase is the runtime. This is where when the, if all your attempts at fixing problems early on in the pipeline didn't work, now you've got problems that you've got to deal with in production, hundreds and thousands of containers with vulnerabilities, misconfigurations, secrets, and publicly exposed instances, sensitive data leakage, all kinds of problems. So this is what we mean by code to cloud, checking, doing security checks, every stage of the application pipeline, and ensuring that you minimize the risk and then obviously continuously monitoring your cloud footprint so that if there is an attacker who is trying to gain access to your crown jewels, customers can prevent that.

So let's stay on code to cloud for a minute. We did it before, we threw on the term shift left. Why is it important to bring security to developers? Don't they have enough to do already? Well, that's the relationship that you want to have with developers. I mean, obviously I'm kidding, but they've become a critical part of securing an enterprise, but they're not SecOps pros necessarily. So I wonder if you could add some color there.

Yeah, look, it is important because the only way to secure this is to train the developers to secure by design. Look, ultimately the Nirvana is, every developer understands the security risk, it's part of the pipeline, they always do the right thing. That's not going to happen automatically, right?
Because the default setting for the developer is to ship as quickly as possible because somebody's breathing down their neck to ship the code as fast as possible, right? Engineers always want to get stuff out there. So by bringing that security and training and making sure that the security is not intrusive, there are not a lot of false positives where developers can take corrective action, that is the role of the centralized security team to train, to educate, to have the right tooling in place. Because look, I'm yet to, I mean, I run a large R&D organization, I'm yet to talk to a developer who says, I don't care about security, everybody cares about security. It's just that the security traditionally, the way it's done, it's too intrusive, it's too complicated, and it just simply does not work in the modern CI/CD pipeline. Within a second, the code's got to move to the next phase. And if your security tool is taking hours, and it's not real-time, it simply just won't work.

Great, thank you, Ankur. Let's talk about RSA. It's going to be a big show. What are you looking forward to next week? I presume you're going to, I know Palo Alto's there in force, I presume you're going to be there. What should we look for?

Yeah, it's going to be, we're going to have a big presence. Palo Alto wide, we have a big CISO event on the Tuesday evening. We're going to have Jerry Seinfeld and Lenny Kravitz share some security jokes and poems or music notes. I'm going to be there obviously, lots of customer meetings. And look, I love all the industry events, a rainforest ignite, you name it, but RSA is my favorite. It got taken away in the middle of COVID. Last year I was there, but it was quiet. But this time, this is going to be one of the busiest out of say, I think people are hungry to network, to understand what's happening in the cloud and security in general. So it's going to be exciting. It's going to be crazy.
It's going to feel like 2019 and that's the feeling I've been missing for a while.

You know, it's interesting because you're right. 2020, I think RSA was one of the last physical shows. What? I wasn't there last year, but you're saying it was quiet. It's not going to be quiet this year. I wonder if you could comment, it's like pre and post isolation economy. I wonder if you can comment on some of the big changes that we're likely to hear about. You talk about foundation models like GPT, you know, they're definitely going to be part of the conversation. Any thoughts on other things that have changed that you expect that you want to highlight?

Yeah, for sure. Look, I was there at the RSA just before it got shut down in 2020 after COVID. And I was like, I hope nothing serious happened. Nothing did. You know, look, this year, I am looking forward to figuring out what the sandbox nominees that that's my go-to place usually to understand what are the top companies. There is going to be a lot of conversation around AI for sure. I expect plenty of conversation on cloud. I think it's been a theme for the last many years. You know, we're disrupting the, you know, SIEM space with our XSIAM. So there's going to be plenty of discussion on SOC transformation. I fully expect that. So I think, you know, some things will remain the same, but I fully expect there to be a lot of conversations around AI. And I'm really looking forward to hearing from customers. You know, is this top of mind for them? Just in terms of securing AI.

Yeah, they got so much on their plate. It's, it's yet another trend. Let's, let's wrap. Do a tease for me on the code to cloud summit. You guys got this coming up in June. What's that all about?

Yeah, you know, we are just having a whole bunch of customers as part of this event. Look, there's not enough knowledge and training that we can share with the world on the DevSecOps and DevOps practices.
So, you know, I'm going to take your role at the event and interviewing some of my top product people and have the whole world hear about how to secure by design and how to do code to cloud security. So looking forward to it, it's going to be exciting.

All right, Ankur Shah. Thanks so much for helping us preview RSA. We'll see you next week.

Yeah, likewise. Thanks, Dave. Good to catch up again.

Yeah, cool. Okay, yes. Next week, theCUBE's going to be live on Broadcast Row in Moscone West all week. Stop by and see us if you're in town. And if not, you can catch all the action on thecube.net. Thank you for watching.