John Furrier: Hello everyone, welcome to the AWS Startup Showcase. This is season two, episode four, the ongoing series covering exciting startups from the AWS ecosystem to talk about cybersecurity. I'm your host, John Furrier. And today I'm excited for this keynote presentation and I'm joined by John Ramsey, vice president of AWS security. John, welcome to theCUBE's coverage of the startup community within AWS and thanks for this keynote presentation.

John Ramsey: Happy to be here.

John Furrier: So John, what do you guys, what do you do at AWS? Take a minute to explain your role because it's very comprehensive. We saw at the AWS re:Inforce event recently in Boston a broad coverage of topics from Stephen Schmidt, CJ, a variety of the executives. What's your role in particular at AWS?

John Ramsey: If you look at AWS, there is a shared security responsibility model, and CJ, the CISO for AWS, is responsible for securing the AWS portion of the shared security responsibility model. Our customers are responsible for securing their part of the shared security responsibility model. For me, I provide services to those customers to help them secure their part of that model, and those services come in different categories. The first category is threat detection with GuardDuty, that does real-time detection and alerting, and Detective is then used to investigate those alerts to determine if there is an incident. Vulnerability management, which is Inspector, which looks for third-party vulnerabilities, and Security Hub, which looks for configuration vulnerabilities, and then Macie, which does sensitive data discovery. So I have those sets of services underneath me to help customers secure their part of the shared security responsibility model.

John Furrier: Thanks for the call out there. I want to get that out there because I think it's important to note that, you know, everyone talks inside out, outside in, customer focus. AWS has always been customer focused.
We've been covering you guys for a long time, but you do have to secure the core cloud that you provide, and you've got great infrastructure, tools, technology down to the chip levels. That's cool. You're on the customer side, and right now we're seeing from these startups that are serving them, we had interviewed here at the showcase, there's a huge security transformation going on within the security market. It's the plane at 35,000 feet that's having its engines pulled out and changed, as they say. This is huge, and what does it take for your customers or the enterprises out there that are trying to be more cyber resilient from threats but also at the same time protect what they've also got? They can't just do a wholesale change overnight. They've got to be reactive but proactive. How does it, what do they need to do to be resilient? That's the question.

John Ramsey: So I think it's important to focus on spending your resources. Everyone has constrained security resources, and you have to focus those resources in the areas and the ways that reduce the greatest amount of risk. So risk really can be summed up as assets that are most valuable and have a vulnerability that a threat is going to attack. In that world, then, you want to mitigate the threat or mitigate the vulnerability to protect the asset. If you have an asset that's vulnerable but a threat isn't going to attack, that's less risky, but that changes over time. The threat and vulnerability windows are continuously evolving as threats develop tradecraft, as vulnerabilities are being discovered, as new software is being released. So it's a continuous picture and it's an adaptive picture where you have to continuously monitor what's happening. If you use the NIST framework, the cybersecurity framework, you identify what you have to protect. That's the asset part. Then you have to protect it. That's putting controls in place so that you don't have an incident.
Then you, from a threat perspective, then you have to detect an incident or a breach or a compromise, and then you respond and then you remediate. You have to continuously do that cycle to be in a position to have cyber resiliency. And one of the powers of the cloud is, if you're building your application in a cloud-native form, your ability to respond can be very surgical, which is very important because then you don't introduce risk when you're responding. And by design, the cloud is architected to be more resilient. So being able to stay cyber resilient in a cloud-native architecture is an important characteristic.

John Furrier: Yeah, I think that's, I mean, it sounds so easy. You just identify what's to be protected. You monitor it, you protect it, you remediate. Sounds easy, but there's a lot of change going on and you've got the cloud scale. And so you've got security, you've got cloud, you guys, there's a lot of things going on there. How do you think about security and how does the cloud help customers? Because again, there's two things going on. There's a shared responsibility model, and at the end of the day, the customer is responsible on their side, right? So cloud has some tools. How do you think about going about security and where does the cloud help specifically?

John Ramsey: Yeah, so really it's about, there's a model called Observe, Orient, Decide, and Act, or the OODA loop, and it was created by John Boyd. I mean, he was a fighter pilot in the Korean War and he knew that if I could observe what the opponent is doing, orient myself to my goals and their goals, make a decision on what the next best action is and then act, and then follow that OODA loop, or also sense, sensemaking, deciding and acting. If I can do that faster than the enemy, then I will win every fight.
So in the cyber world, being in a position where you are observing, and that's where cloud can really help you, because you can interrogate the infrastructure, you can look at what's happening, you can build baselines from it and then you can look at deviations from the norm; it's just one way to observe. Then you orient yourself around, does this represent something that increases risk? If it does, then what's the next best action that I need to take? Make that decision and then act. And that's also where the cloud is really powerful, because there's this huge control plane that lets you enable or disable resources or reconfigure resources. And if you're in the situation where you can continuously do that very, very rapidly, you can outpace and outmaneuver the adversary.

John Furrier: Yeah, you know, I remember I interviewed Stephen Schmidt in 2014 and at that time, everybody was poo-pooing: oh my, the cloud is so unsecure. He made a statement to me and we wrote about this. The cloud is more secure and will be more secure because it can be complicated to the hacker but also easy for provisioning. So he kind of brought up this discussion around how cloud would be more secure. Turns out he's right, he was right. Now people say, oh, the cloud's more secure than standalone. What's different, John, now than, I'm not even going back to 2014, just go back a few years. Cloud is helpful, there's more interrogation you mentioned, this is important. What's changed in the cloud per se in AWS that enables customers and, say, third parties who are trying to comply and manage risk as well? So you have this shared back and forth. What's different in the cloud now than just a few years ago that's helping security?

John Ramsey: Yeah, so if you look at the parts of the shared responsibility model, the further up the stack you go from just infrastructure to platform, say containers, up to serverless, we at AWS are taking more of the responsibility of that stack.
And in the process, we are investing resources and capabilities. For example, GuardDuty takes an EKS audit feed for containers to be able to monitor what's happening from a container perspective. And then in serverless, really the majority of what needs to be defended is part of our responsibility model. So that's an important shift, because in that world, we have a very large team, in our world, we have a very large team who knows the infrastructure, who knows the threat and who knows how to protect customers all the way up to the boundary. And so that's a really important consideration when you think about how you design your applications: you want the developers to focus on the business logic, the business value, but still also the security of the code that they're writing, but let us take over the rest of it so that you don't have to worry about it.

John Furrier: Great, good insight there. I want to get your thoughts too on another trend. Here at the showcase, one of the things that's emerging, besides the normal threat landscape and compliance and whatnot, is API protection. I mean, APIs, that's what made the cloud great, right? So, and it's not going away, it's only going to get better because we live in an interconnected digital world. So, APIs are going to be the lingua franca, as they say. Here, companies just can't sit back and expect third parties to comply with cyber regulations and best practices. So how do security and organizations be proactive, not just on API, it's just a signal in my mind of more connections. So you've got shared responsibility, AWS, your customers, and your customers' partners and customers have connection points. So we live in an interconnected world. How do security teams and organizations be proactive on the cyber risk management piece?

John Ramsey: Yeah, so when it comes to APIs, the thing you look for is the trust boundaries. Where are the trust boundaries in the system, between the user and the machine, the machine and another machine on the network?
The API is a trust boundary. And it is a place where you need to facilitate some form of control, because what could happen on the trust boundaries, it could be used to attack. Like, I trust that someone's going to give me something that is legitimate, but you don't know that that actually is true. You should assume that the one side of the trust boundary is malicious and you have to validate it, and by default make sure that you know that what you're getting is actually trustworthy and valid. So think of an API as just a trust boundary, and that whatever you're going to receive at that boundary is not going to be legitimate and that you need to validate the contents of whatever you receive.

John Furrier: You know, I was noticing online, I saw Mai-Lan, who runs S3, commenting about the 10 years anniversary, 10 year birthday of S3, Amazon Simple Storage Service. A lot of the customers are using all their applications with S3, I mean it's the file repository for their application workflow, ingesting literally thousands and trillions of objects from S3 today. You guys have about, I mean, trillions of objects on S3. This is a big part of the application workflow. Data security has come up as a big discussion item. You've got S3, I mean, forget about the misconfiguration about S3 buckets that's kind of been reported on. Beyond that, as application workflows tap into S3 and data becomes the conversation around securing data, how do you talk to customers about that? Because that's also now part of the scaling of the modern cloud native applications. Managing data on prem, across, in flight, at rest, in motion. What's your view on data security, John?

John Ramsey: Yeah, data security is also a trust boundary. The thing that's going to access the data there, you have to validate it. The challenge with data security is that customers don't really know where all their data is, or even where their sensitive data is. And that continues to be a large problem.
That's why we have services like Macie, whose job is to find in S3 the data that you need to protect the most because it's sensitive. Getting to least privilege has always been the goal when it comes to data security. The problem is that least privilege is really, really hard to achieve, because there are so many different combinations of roles and accounts and orgs, and so there's also another technology called Access Analyzer that we have that helps customers figure out, like, is this the right, are my intended authorizations, the authorizations I have, are they the ones that are intended for that user? And you have to continuously review that as a means to make sure that you're getting as close to least privilege as you possibly can.

John Furrier: Well, one of the luxuries of having you here on theCUBE keynote for this showcase is that you also have the internal view at AWS but also you have the external view with customers. So I have to ask you, as you talk to customers, obviously there's a lot of trends we're seeing, more managed services and areas with skill gaps, but teams are also overloaded too. We're hearing stories about security teams overwhelmed by the solutions that they have to deploy quickly and scale up quickly, cost effectively. The need for instrumentation, sometimes it's intrusive, sometimes it's agentless, sensors, IoT. I mean, it's getting crazy; at re:MARS you saw a bunch of stuff there. This is a reality, the teams aspect of it. Can you share your experiences and observations on how companies are organizing, how they're thinking about team formation, how they're thinking about all these new things coming at them, new environments, new scale choices? What are you seeing on the customer side relative to the security team and their role and relationship to the cloud and the technologies?

John Ramsey: Yeah, absolutely. And we have to remember, at the end of the day, on one end of the wire is a black hat, on the other end of the wire is a white hat.
And so you need people, and people are a critical component of being able to defend. In the context of security operations, alert fatigue is absolutely a problem. The alerts, the number of alerts, the volume of alerts is overwhelming. And so you have to have a means to effectively triage them and get the ones into investigation that you think will be the most significant, going back to the risk equation. You find those alerts and events that are the ones that could harm you the most. You also, one common theme is threat hunting. And the concept behind threat hunting is, I don't actually wait for an alert. I lean in and I'm proactive instead of reactive. So I find the system that I least want the hacker in. I go to that system and I look for any anomalies. I look for anything that might make me think that there is a hacker there or a compromise or some unintended consequence. And the reason you do that is because it reduces your dwell time, the time between when you get compromised and the time you detect something, which might be months because there wasn't an alert triggered. So that's also a very important aspect. For AWS and our security services, we have a strategy across all of the security services that we call end to end, or how do we move from APIs? Because they're all API driven, and security buyers generally, not most, do not have like a development team; they're security operators and they want a solution. And so we're moving more from APIs to outcomes. So how do we stitch all the services together in a way so that the time that an analyst, the SOC analyst, spends, or someone doing investigation or someone doing incident response, is the most important time, the most valuable time? And in the process of stitching this all together and helping our customers with alert fatigue, we'll be doing things that will use sort of inference and machine learning to help prioritize the greatest risk for our customers.

John Furrier: That's a great call out.
And that brings up the point of, you get the front line, so to speak, in back office, front office kind of approach here, the threats are out there. There's a lot of leaning in, which is a great point. I think that's a good comment and insight there. The question I have for you is that everyone kind of always talks about that, but there's the, I won't say boring, but the important compliance aspect of things. This has become huge, right? So there's a lot of blocking and tackling that's needed behind the scenes on the compliance side as well as prevention, right? So can you take us through, in your mind, how customers are looking at the best strategies for compliance and security? Because there's a lot of work you've got to get done and you've got to lay out everything, as you mentioned, but compliance specifically, to report, is also a big part of this.

John Ramsey: Yeah, compliance is interesting. I suggest taking a security approach to compliance instead of a compliance approach to security. If you're compliant, you may not be secure, but if you're secure, you'll be compliant. And the really interesting thing about compliance also is that as soon as something like a category of control is required in some form of compliance regime, the effectiveness of that control is reduced, because the threats go, well, I'm gonna presume that they have this control. I'm gonna presume, because they're compliant. And so now I'm gonna change my tactic to evade the control. So if you only are ever following compliance, you're gonna miss a whole set of tactics that threats have developed because they presume you're compliant and you have those controls in place. So you wanna make sure you have something that's outside of the realm of compliance, because that's the thing that will trip them up. That's the thing that they're not expecting, the threat's not expecting, and that's how we'll be able to detect them.

John Furrier: And it almost becomes one of those things where it's his fault, right?
So, you know, finger-pointing with compliance, you get complacent, I can see that. Can you give an example? Because I think that's probably something that people are really gonna want to know more about, because it's common sense, but can you give an example of security driving compliance? Is there...

John Ramsey: Yeah, sure. So there is, there are, just as an example, like multi-factor authentication was used everywhere for banks in high-risk transactions, in real high-risk transactions. And then that was a security approach to compliance. Like we said, that's a high net worth individual. We're gonna give them a token and that's how they're gonna authenticate. And there was no, the FFIEC didn't say at the time that there needed to be multi-factor authentication. And then after a period of time, when account takeover was on the rise, the FFIEC, the Federally Financial Institute Examiners Council, something like that, said we need to do multi-factor authentication. Multi-factor authentication was now on every account. And then the threat went down to, okay, we're gonna do man-in-the-browser attacks after the user authenticates, which now is a new tactic, and that tactic for those high net worth individuals that had multi-factor didn't exist before it became commonplace. And so that's an example of sort of the full life cycle. And the important lesson there is that security controls have a diminishing half-life of effectiveness. They need to be continuous and adaptive, or else the value of them is going to decrease over time.

John Furrier: I think that's a great call-out, because agility and speed is a big factor with these emerging threats; it's not a stable, mature hacker market. They're evolving too. All right, great stuff. I know your time's very valuable, John. I really appreciate you coming on theCUBE. A couple more questions for you. We have 10 amazing startups here in the AWS ecosystem, all private, looking great performance-wise.
They've all got kind of the same vibe: they're kind of on something new, they're doing something new and clever and different than what was kind of done 10 years ago. And this is where the cloud advantage is coming in, cloud scale; you mentioned that some of those things you made up. So you start to see new things emerge. How would you talk to CISOs or CXOs that are watching about how to evaluate startups like these? They're somewhat still small relative to some of the bigger players, but they've got unique solutions and they're doing things a little bit differently. How should CISOs and CXOs evaluate them? How can startups work with the CISOs? What's your advice to both the buyer and the startup to bring their product to the market, and what's the best way to do that?

John Ramsey: Yeah, so the first thing is, when you talk to a CISO, be respectful of their time. They'll appreciate that. I remember when I was very, when I just started, I went to talk to one of the CISOs of one of the five major banks, and he sat me down and he said, and I tried to tell him what I had. And he was like, son, and he went through his book and he had 10 of every one thing that I had. And I realized that, and I was grateful for him giving me an explanation. And I said to him, I'm sorry I wasted your time. I will not do that again. I apologize. If I can't bring any value, I won't come back. But if I think I can bring you something of value, now that I know what I know, please will you take the meeting? He was like, of course. And so be respectful of their time. They know what the problem is. They know what the threat is. Be specific about how you're different. Right now there is so much confusion in the market about what you do. Like, if you really have something that's differentiated, be very, very specific about it and don't be afraid of it. Like, lean into it and explain the value of that. And that would save a lot of time and make the meeting more valuable for the CISO.
John Furrier: And the CISOs, how do they evaluate these startups? How should they look at them? What are some kind of markers that you would say would be good kind of things to look for: size of the team, reviews, technology, or does it not matter? It's more about everyone's environment is different. What would your...

John Ramsey: Yeah, and for me, I always look first to the security value, because if there isn't security value, nothing else matters. So there's got to be some security value. Then I tend to look at the management team, quite frankly: what are their experiences and what do they know that has led them to do something different that is driving security value? And then after that, for me, I tend to look to, is this someone that I can have a long-term relationship with? Is this someone that I can... If I have a problem and I call them, are they gonna do this, or are they gonna say, yes, we're in this together, we'll figure it out? And then finally, for AWS, scale is important. So we like to look at scale in terms of, is this a solution that I can get to the scale that I need it at?

John Furrier: Awesome. John Ramsey, Vice President of AWS Security, here on theCUBE's keynote. John, thank you for your time. I really appreciate it. I know how busy you are. With that, for the next minute or so, share a little bit of what you're up to. What's on your plate? What are you thinking about as you go out to the marketplace, talk to customers? What's on your agenda? What's your talk track? Put a plug in for what you're up to.

John Ramsey: Yeah, so for the services I have, we are absolutely moving, as I mentioned earlier, from APIs to outcomes. We're moving up the stack to be able to defend both containers as well as serverless. We're moving out in terms of, we wanna get visibility and signal not just from what we see in AWS but from other places, to inform how we defend AWS. And then also across the NIST cybersecurity framework, in terms of, we're doing a lot of, we have amazing detection capability.
And we have this infrastructure that we could respond with, do like micro responses to be able to interdict the threat. And so we'll be moving across the NIST cybersecurity framework from detection to respond.

John Furrier: All right, thanks for your insight and your time sharing in this keynote. We've got 10 great, amazing startups. Congratulations for all your success at AWS. You guys are doing a great job. Shared responsibility, the threats are out there. The landscape is changing. The scale is increasing. More data, tsunamis coming every day. More integration, more interconnected. It's getting more complex. So you guys are doing a lot of great work there. Thanks for your time. Really appreciate it.

John Ramsey: Thank you, John.

John Furrier: Okay, this is the AWS Startup Showcase season two, episode four of the ongoing series, covering the exciting startups coming out of the AWS ecosystem. This episode's about cybersecurity. I'm your host, John Furrier. Thanks for watching.