Live from Barcelona, Spain, it's theCUBE! Covering Cisco Live 2020, brought to you by Cisco and its ecosystem partners.

Welcome back, over 17,000 in attendance here for Cisco Live 2020 in Barcelona. I'm Stu Miniman and my co-host is Dave Vellante, and to help us dig into, of course, one of the most important topics of the day, security, we're thrilled to have back a distinguished engineer from Cisco, one of our CUBE alumni, TK Keanini. TK, thanks so much for joining us. How you doing, man?

Good, good, good, thanks for having me.

All right, so TK, it's 2020, it's a new decade. We know the bad actors are still out there. The question always is, it used to be, how do you keep ahead of them? Then I've heard Dave say many times, well, it's not if, it's when, you probably already have been compromised before. So give us the latest, what you're seeing out there, what you're talking to customers about in this important space.

Yeah, it's kind of an innovation spiral. We innovate, we make it harder for them, and then they innovate, they make it harder for us, and round and round we go. That's been going on for many years. I think the most significant changes that have happened recently have to deal not essentially with their objectives, but how they go about their objectives, and defenders' topologies have changed greatly. Instead of just your standard enterprise, you now have hybrid multi-cloud, and all these new technologies. So while all that innovation happens, they get a little clever and they find weaknesses, and round and round we go.

So we talked a lot about the sort of changing profile of the threat actors, gone from hacktivists to criminals now, it's a huge business, and nation-states even. What's that profile look like today, and how has that changed over the last decade or so?

You know, that's pretty much stayed the same. You know, bad guys are bad guys at some point in time. You know, just how they go about their business, their techniques, they're having to, like I said, innovate around, you know, we make it harder for them. They, you know, on Monday we're safe, on Tuesday we're not, you know, and then on Wednesday it switches again, so.

So we talked about kind of this multi-cloud environment. When we talk to customers, it's like, well, I want the developer to be able to build their application and not really have to think too much underneath it. That has to have some unique challenges. We know security, we knew long ago, well, I just go to the cloud, it doesn't mean they take care of it. Some things are there, some things they're going to remind you now, you need to make sure you set certain things, otherwise you could be there. But how do we make sure that security's baked in everywhere and as a practice that everybody's doing?

Well, I mean, again, some of the practices hold true, no matter what the environment. I think the big thing with cloud native is, back in the day when you looked at an old legacy data center, you were part sort of administrator, you were part detective. Most people don't even know what's running on there. That's not true in cloud native environments. Some YAML file, some declaration, it says exactly what production should look like, right? And then the machines instantiate production. So, you know, doing things at machine scale forces the human scale people to be explicit. And for me, I mean, that's a breath of fresh air because once you're explicit, then you take the mystery out of what you're protecting.

How about in terms of how you detect threats, right? Phishing for credentials has become a huge deal. They're not just, you know, kicking down the door or smashing a window, they're using your own credentials to get inside your network. So how has that affected the way in which you detect?

Yeah, it's a big deal. You know, a lot of great technology has a dual use. And what I mean by that is network cryptology. You know, that whole crypto on the network has made it safer for us to compute over insecure networks. And unfortunately, it works just as well for the bad guys. So, you know, all of their malicious activity is now private too. So, you know, for us, we just have to invent new ways of detecting. Direct inspection, for instance, I think is a thing of the past. I mean, we just can't depend on it anymore. We have to have tools of inference. And not only that, but it's given rise to a lot of innovation on behavioral science. And as you say, you know, it's not that the attacker is breaking into your network anymore, they're logging in. Okay, what do you do then, right? Alice's account, it's not going to set off the triggers. So you have to say, you know, when did Alice start to behave differently? You know, if she's working in accounting, why is she playing around with the source code repository? That's a different thing, right?

Yeah, automation is such a big trend, you know, how do we make sure that automation doesn't leave us more vulnerable, security-wise?

That's right.

Because we need to be able to automate, we've gone beyond human scale for most of these configurations.

That's exactly right. And how do we, I always say, just with security automation in particular, just because you can automate something doesn't mean you should. And you really have to go back and have practices, you know. You could argue that this thing is just, you know, machine scale automation. You could do math on a legal pad or you can use a computer to do it, right? So apply that to production. If you mechanize something like order entry or whatever you're automating, part of your business, use threat modeling, you know, use the standard threat modeling like you would for your code. The network is code now, right? And storage is code and everything is code. So, you know, test, automate your testing, do your threat modeling, do all that stuff. Please do not automate for your attacker. The matrix is here.

I want to go back to the Alice problem because you were talking about before, you have to use inference. So Alice is in the network and you're observing her moves every day. And then, okay, something anomalous occurs, maybe she's doing something that normally she wouldn't do. So you've got to have her profile and her actions sort of observed, documented, stored, the data's got to be there. And at the same time, you want to make sure, it's always that balance of putting handcuffs on people versus allowing them to do their job and be productive. At the same time as well, you don't want to let the bad guys know that you know that Alice is doing something that she shouldn't be doing. This is actually not Alice. So all that complexity, how are you dealing with it? And what's the data model look like?

Doing it, machines help, let's say that. Machines can help us, you know, you and I, we have only so many sense organs and the cognitive brain can only store so much state. Machines really help us extend that. And so, you know, looking at not three dimensions of change, but 7,000 dimensions of change, right? Something in the machine is going to say, there's an outlier here, that's interesting. And you can get another machine to say, that's interesting, maybe I should focus on that. And you build these analytical pipelines so that at the end of it, you know, they may argue with each other all the way to the end, but at the end you have a very high fidelity indicator that might be at the protocol level, it might be at the behavior level, it might be seven days back or 30 days back. All these temporal and spatial dimensions, it's really cheap to do it with a machine.

Yeah, and if we could stay on that for a second. So I've tried to understand, I know that's a high level example, but is it best practice to have the machine take action, or is it an augmentation? And I know it depends on the use case, but how is that sort of playing out?

Again, you have to do all of this safely, okay? A lot of things that machines do don't return back to human scale. And it's the stuff that returns back to human scale that humans understand that is useful. So for instance, if machines, you know, find out all these types of assertions, even in medical, you know, right now if you've got so much telemetry going into the medical field, say the machine tells you you have three weeks to live. I mean, you better explain what the heck, how you came about that assertion. It's the same with security, you know, if I'm going to say, look, we're going to quarantine your machine, or we're going to re-image this machine, it's not, I'm not like picking movies for you, or the next song you might want to listen to, this is high stakes. And so when you do things like that, your analytics needs to have what is called entailment. You have to explain what it is, how you got to that assertion. That's become incredibly important in how we measure our effectiveness in doing analytics.

That's interesting because you're using a lot of machine intelligence to do this, and a lot of AI is black box. You're saying you cannot endure that black box problem in security.

Yeah, that black box is very dangerous. You know, I personally, I feel that things that should be open sourced, this type of technology, it's so advanced that the developer needs to understand it, the tester needs to understand it, certainly the customer needs to understand it. You need to publish papers and be very, very transparent with this domain because if it is in fact, you know, black box, and it's given the authority to automate something, like shut down the power or do things like that, that's when things really start to get dangerous.

So, TK, give us the latest on StealthWatch there, Cisco's positioning when it comes to everything we've been talking about here.

StealthWatch, again, has been in market for quite some time. It's actually been in market since 2001. And when I look back and see how much has changed, how we've had to keep up with the market. And again, it's not just the algorithms we write for detection, it's the environments that have changed, right? When did multi-cloud happen? So, operating again, it's not that StealthWatch wants to go there, customers are going there, and they want the StealthWatch function across their digital business. And so, you know, we've had to make advancements on the changing topology. We've had to make advancements because of things like dark data, you know, the network's opaque now, right? We have to have a lot of inference. So we've just, you know, kept up and stayed ahead of it.

You know, we've been spending a lot of time talking to developer communities, and there's a lot of open source tooling out there that's helping enable developers, specifically in the security space. You were talking about open source earlier. How does what you've been doing with StealthWatch intersect with that?

Yeah, that's always interesting too, because there's been sort of a shift in, let's call them the cool kids, right? The cool kids, they want everything as code, right? So it's not about what's on glass, or you know, a single pane of glass anymore. It's what's StealthWatch as code, right? What's your router as code? Look at DevNet, right? DevNet is basically Cisco as code, and it's beautiful because that is infrastructure as code. I mean, that is the future, and so all the products, not just StealthWatch, have beautiful APIs, and that's really exciting.

Well, I've been saying for a while now, and I think you agree, that that is a big differentiator for Cisco. I think you're one of the few, if not the only, large established player in the enterprise that has figured out that sort of infrastructure as code play. Others have tried and are sort of getting there, but you know, start, stop. You use a term that is really cool, it's like living off the land, you know, Bear Grylls, like the guy who lives off the land. So, and threat actors are doing that now. They're using your own installed software and tooling to hack you and steal from you. How are you dealing with that problem?

Yeah, it's a tough one. And like I said, you know, much respect. The adversary is talented, and they're patient, they're well funded. Okay, that's where it starts. And so, you know, why bring an interpreter to a host when there's already one there, right? Why write all this complicated software distribution when I can just use yours? And so, that's where the game starts. And the most advanced threats aren't leaving footprints, because the footprints are already there. You know, they'll get on a machine, behaviorally, they'll check the cache to see what's hot. And what's hot in the cache means that behaviorally, it's a path they can go. They're not cutting a new trail most of the time, right? So, living off the land is not only the tools that they're using, the automation, your automation, they're using against you, but it's also behavioral. And so, that makes it, you know, it makes it harder. Is it impossible? No. Can we make it harder for them? Yes. So, yeah, look, I'm having fun, and I've been doing this for over 25 years. Every week, it's something new.

Well, it's a hard problem you're attacking. And, you know, Robert Herjavec, who came on theCUBE, sort of opened my eyes. When you think about what are we securing? We're securing everything. I mean, critical infrastructure. We're essentially securing the entire global economy. And he said something that really struck me, he said, there's an $86 trillion economy. We spend 0.014% on securing that economy. And it's nothing. Now, of course, he's an entrepreneur and he's pimping for his business, but it's true. We are barely scratching the surface of this problem.

Yeah, and it's changing. I mean, it's changing. Could it be better? Yes. It is changing. It's board awareness. Well, you know, 20 years ago, they invited me to a dinner party. What does your husband do? I'd say cyber security or something. They'd roll their eyes and change the subject. Now, they ask me the same question. It's like, oh, you know what? My computer's running really slow, right? These are not, this is everyone now. Well, I'm worried about a life hack. How do I protect myself? Or what about these companies? I trust the bank. I mean, those are the kinds of dinner table conversations. Every party. So now, I just make something up. I don't do cyber security. I just, you know, tour agent or something.

You've been in this business forever. I can't remember. Have I ever asked you the superhero question?

What is that?

Who's your favorite superhero?

Ooh, that's a tough one. There's all the security guys I know. They, like, always dreamed about saving the world, so.

Is that right?

Yeah, right. I don't know. The lifer is right. I just like-

You're not a superhero guy.

No, no. In case of video game, yeah, that's-

You're my superhero, man. I love what you do. I think you're a great asset for Cisco and Cisco's customers. I really appreciate you coming on.

Thanks, thanks.

TK, give us a final word. If people want to, you know, find out more about what Cisco's doing, read more of what you're working on, what are some of the best resources for them to go to?

You know, just drop by the webpages. I mean, everything's published out there. Like I said, even for the super nerdy, you know, we publish all our security analytics papers. I think we're over 50 papers published in the last 12 years.

Yeah. TK, thank you so much. Always a pleasure to catch up with you and safe travels.

Thank you so much.

For Dave Vellante, I'm Stu Miniman. John Furrier is also in the house. We will be back with lots more coverage here from Cisco Live 2020 in Barcelona. Thanks for watching theCUBE.