Live from Santa Clara, in the heart of Silicon Valley. It's theCUBE, covering Juniper NXTWORK 2016. Brought to you by Juniper. Now, here are your hosts, John Furrier and Stu Miniman.

Hello everyone, welcome to theCUBE. This is SiliconANGLE Media's flagship program. We go out to the events and extract the signal from the noise. We are here in Silicon Valley, live at the Juniper user conference, NXTWORK, hashtag #NXTWORK16. I'm John Furrier, with my co-host Stu Miniman, analyst at Wikibon Research. Our next guest is Kevin Mandia, founder of Mandiant and CEO of FireEye, who was just on stage. Welcome to theCUBE, good to see you.

Thank you, it's great to be here guys, appreciate it.

FireEye, great successful company. Obviously went public, been doing a lot of security. Your firm that you founded, Mandiant, inside the Beltway, getting down and dirty on cyber. Now you see it in the presidential debates, it's on every board conversation. It is the top line issue in every single company around the world, and certainly the big corporations have either been hacked, are currently hacked and don't know it, or are being hacked. The perimeter is dead, IoT increases the surface area. This is the new reality. How are you guys handling that? Did I get that right? I mean, how chaotic is the market right now?

So, well, the market itself is very chaotic in that, well, it depends on how you approach the market. When you look at just the volume of vendors, it's chaotic. I mean, I think cyberspace became, or cybersecurity became, a marketplace a few years ago, where people on the investment side recognized, wait a minute, there's a real market here. There's a big problem here. And I think that we have more cybersecurity companies today probably than ever in history. But how many ideas do these thousands of companies have? Maybe it's 12.
So, you've got chaos from that standpoint, where if you're an enterprise and you're buying security, wow, there's more options today than ever before, more promises being given today than ever before, and how many are really going to pan out or not? Who knows? From the threat side, and see, that side, I didn't know how to take your question there, John, was it from the threat side or the market side? Market side is chaotic. There's a lot of optionality in what you buy and there's a lot of vendors promising a lot of things. Coming to the threat side, I think it's chaotic because there's anonymity on the internet and there's safe harbors to launch attacks with impunity. You don't have to worry about it. There are no risks or repercussions to hacking the United States from certain countries. So, if you can just fire and forget as a bad guy and monetize the results of that, why not do it? And you can't have a deterrence when there's a safe harbor for certain activities. So, I think the chaos is here to stay until maybe one day we'll have world peace and kumbaya and everybody's going to be together. So, cybersecurity's going to be a challenge for the foreseeable future.

And great way to break it down too. On the market side, there's the scene from Star Trek where Captain Kirk says, fire everything, and that's been the mentality of a lot of the companies. They don't really know what to do. They're just, anything that comes in the door, they just fire it away. That bloom is coming off the rose and we're starting to see some narrowing down to techniques. Can you share the buyer's perspective out there, because they're the ones who have to pick some tools and pick some techniques?

Right. Well, when I look at the buyer's perspective, I kind of represent large enterprises, multinationals. That's where I spend my time, talking to their chief information security officers. And a lot of them have a little bit of a fatigue. They're like, you know, we've bought a lot of products.
We've got a lot of people. Are we using 50% of what we bought, yes or no? And of the 50% we are using, are we using 50% of its capability, 90% of its capability, 10% of its capability? And how do I get all this stuff to work together? What's my total cost of ownership here, for real? And so I think that's kind of the, we had the threat environment from 2004 to 2014. All these major breaches we're reading about. We're still reading about them today, but over the last 10 years, people have made significant investments in security and now they're trying to maximize those investments, get performance out of them, get integration out of them, openness. So I think that's basically it. It's a little bit of a fatigue. You know, some of them are questioning, what do I need to buy? But how do I get more out of what I've already invested in is a big thing.

Kevin, you made some interesting comments up on stage there. It's great to hear it. You know, when your company gets engaged, the breach happened typically 200 days beforehand. And I think you said every single time you went in, they had antivirus and it was fully up to date, but the malware, you know, got through that. So, you know, security is definitely top of mind for everybody, but it seems like most of what companies are doing isn't working. So, you know, how do you help?

Well, it's tough to get it to work. Right now, the way bad guys are breaking in is they really are exploiting human trust and then they're exploiting features in software. So if you click on that link or you open a document, you may be compromised. We're doing a good job at enterprise security, defending the network, the machines that face the internet. We have a health and welfare system for those. We defend our perimeter as well, but we have a tougher time preventing attacks hitting you sitting here on your Mac, because there's that communication channel to you, John. I could Skype you, I can email you.
And I dupe you into opening a document or dupe you into clicking on a malicious link, and not everyone's going to be a cybersecurity expert. And it's easy to masquerade as somebody else in cyberspace. So if I can just get to your machine with anything, any communication, I have an opportunity to hack you. Hard to patch a human. And that's what makes this a problem, right? You've got this exploiting of human trust occurring in cyberspace right now. And that's the majority of the attacks that we respond to.

And you mentioned the perimeter is well, well defended. Certainly that's been a best practice for years, but now that perimeter model, everyone's recognizing, is gone with APIs and all those unsafe harbors, attack areas, launching missiles of viruses, is that the data center in these areas have been unsupervised in what you're inside. So that brings up the whole machine learning, AI piece. So can you share some color around some of the technology, because it's not a brute force, humans against humans. We're hearing CISOs saying, hey, I've got to leverage technology, machine learning, unsupervised machine learning or whatever algorithms. Thoughts on that trend and where that progress bar is?

So there's only so much cybersecurity expertise. And the analogy I used on stage today is, when you need brain surgery, you need a brain surgeon, not 20 people. And cybersecurity can be complex. You need to understand routers, understand the Windows operating system, understand the Macs, understand Linux and the UNIX derivatives. You have to know so much. And there's not one expert on any of this stuff. So it's kind of hard to get that done. And then you're inundated with events. If you're in a security operations center today, you're getting billions of events and you're trying to figure out, how do I climb out of the noise and find the two or three things that might be real here that I have to worry about?
So we've got to scale that expertise and we've got to minimize the noise. And those are two different challenges. In minimizing the noise, there's a few tools we can use. Virtualization is one; being able to inspect something from a virtual container is a good thing, and to be able to dynamically inspect things rather than what antivirus did, which was static, signature-based. Processors are faster now. We can do a lot more. Let's use virtualization, machine learning, analytics, threat data. These are all tools at our disposal to minimize from four billion, five billion events to the five to 10 that matter. And that's what we have to do. But we're still learning how to do better.

That's a big data problem in reality.

It is. And what's sad is that even after you filter the data, you're still getting billions of events, you know? So on the compliance side, it's kind of funny. If you want to be compliant, you kind of capture everything and store it in a big bucket. But then when you want to operationalize security, you realize, wow, the bucket's too big here. I can't even massage it. So you almost end up with a different bucket with more security-oriented events in it, so that you can start with a minimized data set.

We'd love to use military analogies as well as football, to try to weave in some football. We know you're a big football fan. But let's stay with the military analogy. A lot of CSOs want to know who the enemy is. And a lot of times they don't know. You mentioned these safe harbors. But there's not only safe harbors, there's economies and teams out there. So how does a CSO get some color into that environment of the bad guy? What do they look like, metaphorically speaking, in terms of the teamwork? Obviously they're orchestrating their maneuvers. They're planning, there's actually monetization, you mentioned, behind it. There's an underground going on here.

Yeah, so I have a different purview than maybe others.
The breaches that we respond to at FireEye are generally the ones done by maybe the 5% of the groups out there that are successful against very security-mature operations. So they do break into organizations that take security very seriously. So I can't opine about what I call the drive-by shootings. But here's one thing in cyberspace. At a bare minimum, if you can be hacked, you will be hacked. So if you have servers on the internet, you have to patch them. You have to do assessments. You have to do the best you can. And if you have end users, you want to do some kind of safeguards there. I liken that to back in the late 90s, maybe it was 2000. There was the Honeynet Project and it was started by a guy named Lance out of Chicago, Lance Spitzner. And it was an interesting thing. We just put machines online, unarmed and unprepared, and they would get compromised in 15 minutes. That just shows you there's a spray and pray of attacks automated by computers every day. So take that off the table. Everybody has to deal with that. That's your bare minimum. So now what happens if you're in certain industries that are targeted? You make something that's of tremendous value and other nations want to have it. Or maybe you're in social media, where a lot of nations can't get to the information that maybe our government can get to, based on piercing anonymity behind who's saying what online or who's posting videos online. There's certain industries that are going to be targeted and it is very complex to stop those breaches. And I think the balance you have, when you have no real deterrence in cyberspace, maybe a deterrent for those activities is outside of cyberspace, is trying to set what is the benchmark? How good do we have to be in security? Do we expect certain industries to prevent attacks from military units? We've got to sort that part out, but I think that threat is real for people. We've done a good job as a nation over the last few years negotiating with China.
I think that we published a report from FireEye that the threat has abated from China, and I believe it has, based on all the data points we have: 4,000 customers, the breaches we respond to, whether it's presidential dialogue, the indictment coming from the FBI against Chinese soldiers, all the publications about what the Chinese were doing in cyber espionage. We're seeing what used to be 80-plus attacks a month against Western companies abate down to 10 or less. And we still don't know what's fair game, but clearly there's a lower volume.

But that's still a threat to everybody. There are two, competition, policy, and...

Yeah, just getting a better understanding of what's tolerable or intolerable. And you may be seeing that with Russia even today, where it's been alleged the Russians have hacked the Democratic National Committee. There are groups operating out of Russia that people that work with me have responded to for many years, and whoever they are, they do this every single day, so they must make some money doing this, right? And maybe all these activities are a way to get discussions between nation states to kind of work out the rules of engagement. I don't know if documents will ever exist, but you see sovereign nations are concerned about cybersecurity as well. The private sector inside those nations is concerned about it. And maybe there's policy things we can do to get better deterrence. Anyway, that didn't even answer your question. I went straight off on it.

Yeah, but Kevin, that's a great topic there. And I mean, we've looked at this and obviously there's so much going on kind of in the international space. If you pull in just cloud computing itself, one of the top questions is, do I need to have sovereignty in my own government? Heck, there's even talk about, should we be splintering? Should the US government own it? Are we going to end up with every nation having their own internet?
And you talk about things like Russians and the DNC hacking. The international situation here seems just very fragmented.

Well, I think we see this in an abundance of issues. It's hard to be a multinational and say, well, you know, we're going to take the norms and expectations of US citizens' privacy and apply it to our whole company at large. Every country may have different societal norms as to what's the expectation of privacy. So I think you're going to see this issue for a long time, because with the internet and the connectedness it provides, we're dealing with issues we've never had to deal with before. So as a multinational organization, this data protection issue and this privacy issue pervades the discussions.

So just one other thing I wanted to get your viewpoint on is, in many countries, industry and government work closely together. And sometimes, especially with hacking, that's something that's concerning. How is the US doing? Is government working with business? I saw today it was like, you know, it looked like Yahoo was giving the government access to be able to look at emails, looking for spies.

You know, I think at the highest level of abstraction, nobody wants bad things to happen to good people. Right, you just don't. So every country has a private sector-government relationship and I think that's what drives it. If I'm a CEO of a public company, if the government came to me asking for things, you always look at, is it saving lives, is it protecting people? And quite frankly, you have to abide by the laws of the sovereign nations that host you. So I think every country imposes things on the companies that operate within the region and you just have to abide by their laws, abide by what you're asked to do. So I can't speak to each specific one, but I think in general, that's how CEOs think. Like, am I helping somebody? Am I helping society? When I help the government, first you have the legal issues.
Second is you want to be helpful. You want to make it a better planet, and people operate a lot in that capacity.

Do we know who the DNC hackers were?

You know, I don't know if somebody does or doesn't. Obviously people know who they are. I could only tell you what I know or what the folks around me know, but there's a lot of consistency that whoever hacked the DNC operates out of Russia, that they operate on a consistent basis, that they've been doing it for a long time and they make a living out of doing it.

Talk about the threat detection. You mentioned the drive-by shootings, which is kind of like what everyone needs to work out. But FireEye works for some of the top enterprises, ones that are hardened with security, who have full teams, CISOs, everyone who's a chief information security officer. What can the market learn from some of the advanced techniques? Can you share some insight into what people are doing? I mean, the old days was the old honeypot you mentioned, putting servers out there and people doing port scans. Now with virtualization, you've got big data, you've got almost unlimited cloud computing, new forms of deception, new forms of things are happening. What's the current state of the art, if you will?

I think first things first, you look at how people are breaking in today, and some of this is a little tactical. I'm not going out five years, but today what I would make sure, FireEye or CISOs, first you've got to have the moat. You can't let anything that's on the internet get hacked by publicly available exploits. So you protect the perimeter. Moving past that to the attacks that are successful, you want great spear phishing capability. You want to detect spear phishing. You just have to. Second, you want to advance past antivirus on your endpoint. You've got to do that. Third, you want to make sure you do what I call good credential management. You don't want one account that works everywhere all the time and you're not monitoring its use.
You want to kind of limit the exposure if somebody gets your domain admin credentials. Fourth, two-factor authentication goes a huge way for some of that lateral movement. When a bad guy breaks in, what really hurts is when they get the credentials to move around freely in a network, and most people have hardened their ability to detect the first inning of a breach, but they're less capable in innings two through nine. The first inning is that exploit and getting in. We all harden against that, but the minute they get in and they get those valid credentials, they're pretty surreptitious on the network. So you want to eliminate that, and two-factor authentication.

And spear phishing, just for the folks watching, is when you open up a document and you think it's trusted. That's what you mean. Okay, so that's the key one. Okay, now the ones that are modernizing their infrastructure, because again, I think your customers are clearly like the big banks and whatnot, have big assets, which is another discussion, but the ones that are modernizing their infrastructure, changing their data center, going into the cloud, have an opportunity to essentially recast security. What's the do-over strategy? If I'm going to basically wipe the slate clean and start over, what is the tactical playbook? What's your advice?

I have to tell you, by the way, you can spend two days on how do I migrate to the cloud and include security in it. So let me just go to the highest level of abstraction and deal with that. If you're a company migrating to the cloud and you're a large multinational, usually the first thing you do is you say, let's go with email. It's high cost internally, maybe someone's better at it. Let's migrate email to the cloud, and let's do that. Then you have a few software-as-a-service cloud providers. Then you take your custom apps, your applications. You say, which ones am I willing to put in the cloud? Which ones am I not?
And then unfortunately you spend 80% of your time figuring out the hulking middle, which ones should go to the cloud, which ones shouldn't, and people argue about that. But you generally get that right. You get applications out in the cloud, and then once you do that and you go through that pain, you get tremendous advantages. And then third becomes, how do I get end user data to the cloud? People are worried about CryptoLocker. They're worried about someone breaking in and destroying data. Well, let's get that end user data stored somewhere. Is it Dropbox? Is it Box.com? In those places, and they try to figure out policies to govern that. So in general, that's how it works.

And CryptoLocker, is that ransomware?

Yeah, it's the stuff that, it encrypts your drive, your drive becomes useless, your data becomes lost, but they offer, for $500 or some amount of Bitcoin, they'll decrypt it for you.

Yeah, it's a great extortion from the security standpoint. All right, so now on the cloud, security practices, you're cool with that. You could advise clients what to look for in the cloud providers like AWS or Google or Oracle or whoever.

Great, you want great identity management when people use the cloud. You want to know who's accessing what. I mean, it's going back to the old days when I worked at the Pentagon and that's what we did. We'd look at who's accessing what. In the cloud, you get that opportunity, if the cat's out of the bag on your data, it's an opportunity, let's push it back in maybe and store it somewhere. Make sure you have better identity management than this distributed, decentralized storage that we're living with today. And then a great audit trail. I think that the cloud providers will always be pushed for that. Give me better visibility, better audit trail.

Kevin, final question for you. It's a philosophy question.
How do you balance the organic innovation that requires freeing the data up, because big data analytics with in-memory compute allows for really high precision in analytics, but you need metadata access to get signaling points. At the same time, freeing the data exposes potential security risks. How do companies rationalize that? Privacy versus big data kind of thing.

Well, I think it depends on the industry and what kind of data you need. Nobody, you know, big data can be a challenge as well. You know, it's annoying to look for a needle in a haystack, and that's what we were doing even before big data analytics was capable. So I think in different industries you look for, if I'm doing security, what are the security-relevant things I need to make decisions? Let's at least get those in one place and let's do the analytics on that. And try to separate it from maybe the compliance bucket, where some industries for compliance reasons have to store everything for a certain amount of time. So long story short, my answer is it depends.

Final, final question, since I just had one pop up in my head. All the action we saw at VMworld this year, the VMworld show, and then Oracle OpenWorld, you're starting to see security from the chip to the app, end to end, hypervisor going away on the Oracle side, VMware shrimp with the hypervisor and the never. It's all going to the network. The network is where the action is. Is that the last hope, last bastion that needs to be dominated? Is that where the action is? Is that where the most opportunities are? Is that the last mile of security?

So the answer is network and endpoint both matter, but you always get the network first, and I've lived through this throughout my career, where it's always cheaper and easier. Well, I don't know if it's easier, but it's definitely cheaper usually to get network visibility. Networks are managed, endpoints are hard to manage. You never have an exact number. Am I managing 80% of my endpoints at my company or 10%?
You never know what visibility you have. But on your network, you usually can get that. Here's where our offices are. Here's where our cloud providers are. Here's at least the cloud providers we're paying. Things move on the network so you can see it. You can, but there's also a thing called encryption and you have to decrypt it, but encryption's free. Any end user can grab encryption and you can't decrypt it, even as the person providing the bandwidth. So it's a tough challenge, and that's why you want both. Because another thing, when you take network-based countermeasures, the end users are sitting there going, why can't I print, or why can't I get to the web? It's the endpoint security aspect that allows you to flip up a message saying, hey, you currently may have a security problem and you've been blocked from the internet. So in concert is perfect. People have been chasing network and endpoint in concert for a long time now. It's just hard to do. So you kind of want both and you're always chasing both. But the network is the one where you should get 100% visibility, whether it's encrypted or not.

There's a lot of action on the network layer.

Absolutely, you've got to have it.

Yeah. All right, Kevin, thanks so much for spending the time here at the Juniper Networks user conference. This is theCUBE, bringing you all the live coverage from the event here in Silicon Valley. I'm John Furrier, with Stu Miniman. We'll be back with more after this short break.