Hi everybody, this is Dave Vellante of theCUBE. This is day two of Fal.Con 2022, CrowdStrike's big customer event. Over 2,000 people here, 100 sessions, a lot of deep security talk. Amol Kulkarni is here. He's the Chief Product and Engineering Officer at CrowdStrike, and we're going to get into it, Amol. Thanks for coming to theCUBE.
It's great to be here.
Enjoyed your keynote today. It was very informative. First of all, how's the show going for you?
It's going fantastic. First and foremost, to be having everyone here in person after three years, that's just out of the world, right? So great to meet and a lot of great conversations across the board with customers, partners. It's been fantastic.
Yeah, so I want to start with cloud native. It's kind of your dogma this whole. The new acronym is CNAPP, Cloud Native Application Protection Platform. There's a mouthful. What is that? How does it relate to what you guys are doing?
Yeah, so CNAPP is what Gartner has coined as the term for covering entire cloud security, and they have identified various components in it. The first and foremost is the runtime protection, cloud workload protection, as we call it. Second is posture management, that's CSPM, cloud security posture management. Third is CIEM, which we announced today. And then the fourth is shift left kind of DevSecOps part of cloud security. And all together, Gartner coined that as a solution or a suite, if you will, to cover various aspects of cloud security.
Okay, so shift left, and then shield right. You still get a shield right, right? So that's where network security comes in, right? Which is not your main focus, but okay. So now I'll explain it. Now that Gartner's acronym, now I get it. But the CIEM announcement, cloud infrastructure entitlement management. So you're managing identities, is that right? Let's explain that in more detail.
So yeah, I mean, as in the on-premise world, but even more exacerbated in the cloud world, you have lots and lots of identities, both human identities and service accounts that are accessing cloud services. And a lot of the time, the rigor is not there in terms of what permissions those identities are provisioned with. So are they over-provisioned? Do they have lots of rights that they should not have? Are services able to connect to resources that they should not be able to connect to? All of that falls under the entitlement management, identity entitlement management part. And that's where CIEM comes in. So what we said is we have a great identity security story for on-premise, right? And now we are applying that to understand identities, the entitlements they have, secrets that are lying around, maybe leaked or just available for adversaries to exploit in the cloud security world. So taking all of that into account and giving customers a snapshot view, a one single view to say these are the identities, these are their permissions, this is where you can trim them down because these are the dependencies that are present across services. And you see something that's not right from a dependency perspective. You can say, okay, this connection doesn't make sense. There's something malicious going on here. So there's a lot that you can do by having that scope of identities be very narrowed down. It's a first step in the zero trust journey for the cloud infrastructure.
So I have to ask you, when you now extend this conversation to the edge and operations technology, traditionally the infrastructure has been air-gapped by brute force, air-gapped, don't worry about it. And maybe hasn't had to worry so much about the hygiene. So now as you, as the business drives and forces essentially digital transformation and connectivity, I mean, wow, that's a playground for the hackers.
You absolutely nailed it.
So most of this infrastructure was not designed with security in mind, unfortunately, right? As you said, most of it was air-gapped, disconnected and now everything is getting to be connected because the updates are being pushed rapidly, changes are happening. And that really, in some sense, has changed the environment in which these devices are operating, the operational technology, industrial control. We had the Colonial Pipeline breach last year and that really opened people's eyes, like, hey, nation-state adversaries are going to come after critical infrastructure and that is going to cause impact directly to the end users, to the citizens. So we have to protect this infrastructure and that's why we announced Discover for IoT as a new module that looks at and understands all the IoT and industrial control systems assets.
So that didn't require an architectural change, though, right? That was a capability that you introduced with partners, right? Am I right about that? They don't have to re-architect anything. It's just your architecture fits perfectly into those scenarios, right?
Yeah, yeah, actually, while the pace of change is there, architectural change is almost very difficult because these are very large systems, they are built up over time. You take an industrial control system, the iteration speed is very different from a laptop. So yeah, you can't impose any architectural change. It has to be seamless from what the customers have.
You were talking, I want to go back to CNAPP. You were talking about protecting the runtime. You could really do that with an agent. You had said agent in your keynote, agentless solutions don't give you runtime security protection.
Yeah.
Can you double click on that and just elaborate?
Yeah, absolutely. So what the agentless solutions today are doing, they are essentially tapping into APIs from AWS or Azure, CloudTrail, for example, and looking at misconfigurations. So that is indeed a challenge.
So that is one part of the story, but that only gives you a partial view. Let's say that an attacker attacks and uses an existing credential, a legitimate credential to access one of the cloud services. And from there, they escalate the privileges and then now start branching off. The CSPM, the agentless only solutions will not catch that. So what you need is, you need this agentless part, but you have to couple that with seeing the activity that's actually happening. The living off the land attacks that cannot be caught by the CSPM piece. So you need a combination of agentless and agent runtime to give that overall protection.
What's the indicator of attack for a hacker that's living off the land, meaning using your own tools against you?
That's right. So the indicators of attack are saying, accessing services, for example, that are not normally accessed, or escalating privileges. So you come in as a normal user, but then suddenly you have admin privileges because you have escalated those privileges. Or you are moving laterally very rapidly from one place to another, or spraying across a lot of services in order to do reconnaissance and understand what is out there. So it's almost like looking for what is an abnormal attack path, abnormal behavior compared to what is normal. And the good part is, cloud there is a lot that is normal. It's fairly constrained. It's not like an end user who is downloading stuff from the internet and doing all sorts of things. Cloud services are fairly constrained. So you can profile and you can figure out where there is a drift from the normal. And that's really the indicator of attack in some sense from cloud services.
In a previous life, I saw the change subjects on you. In a previous life I spent a lot of time with CIOs, helping them look at their application portfolio, understanding what to rationalize, what to get rid of, what to invest in, bringing in new projects. Because you never throw stuff away in IT. But so. Right, so.
There is no obsolescence. It's so right. But they wanted to, anytime you go through these rationalization exercises, change management is everything. And one of the hardest things to do was to map and understand the business impact of all the dependencies.
Absolutely.
Across the portfolio. Because application A needs this data set.
That's right.
If you retire it, it has ripple effects. And you talked about that in a security context today when you were talking about the asset graph and the threat graphs giving you the ability to understand those dependencies. Can you add some color to that?
Absolutely, absolutely. So what we've done with the asset graph, it's a fundamental piece of technology that we've been building now for some time that complements the threat graph. And the asset graph looks at assets, identities, applications and configuration. All of those aspects. And the interconnections between them. So if a user is accessing an application on a server, all those, and in what role, all of that relationship is tied together in the asset graph. So what that does now is it gives you an ability to say this application connects to this application. And that's the dependency on that port, for example. So you can now build up a dependency map. And then the threat graph, what it does is it looks at the continuous activity that's happening. So if you now take the events that are coming into the threat graph and the graphical representation of those, combine it with the asset graph, you get that full dependency map. And now you can start doing that impact analysis that you talked about. It's an unsolved problem, right? And that's why security, as I said in my keynote, is most people do not have their security tools enabled to their highest level or they don't have full coverage. Just because the pace of change is so rapid, they cannot keep up with it.
So we want to enable change management at a rapid pace where businesses and customers can say we are confident about the change management, about the change we are going to implement because we know what the potential impact would be. We can validate, test it in a smaller subset and then roll it out quickly. And that's the journey we are on. Sort of, the theme of my talk was to make IT and security friends again.
Right, you talked about that gap and bringing those two together. You all said a great quote on there, the pace of change and security is insane.
Yes, yes.
And so this assets graph capability dependencies and the threat graph help you manage that accelerating pace of change.
Absolutely.
Before I forget, I want to ask you about your interview with Girls Who Code. What was that like? Who did you interview? I unfortunately couldn't see it, I apologize.
Yeah, fantastic. So Reshma Saujani, she heads Girls Who Code and she first off had a very, very powerful talk just from her own experiences. And essentially like what do we need to do to get more women into computer science first but then within that into cyber security and what all have they done with Girls Who Code? So very, very, I mean, we were very touched. The audience was like super, super into her talk. And then I had a chance to chat with her for a few minutes, ask her a few questions. Just my view was more like, okay, what can we do together? What can CrowdStrike do in our position in to attract more women? We've done a lot in terms of tailoring our job descriptions to make sure it's more, it removed the biases. Tuning the interview processes to be more welcoming and Reshma gave an example saying, hey, many of these interviews, they start with a baseball discussion. And I mean, some women may be interested in it but not all maybe. And so is that the right, is it a gender kind of affirming or gender neutral kind of discussion or do you want to have other topics?
So a lot of that is about training the interviewers because most of the interviewers are men, unfortunately. That's the mix we have. And it was a great discussion. I mean, just like very practical. She's very much focused on increasing the number of people and increasing the pipeline, which is honestly the biggest problem. Because if we have a lot of candidates, we would definitely hire them and essentially improve the diversity. And we've done a great job with our intern program, for example, which has helped significantly improve the diversity on our workforce. But the gap keeps getting bigger in terms of unfulfilled jobs.
That leads me to developers as a constituency because you guys are building the security cloud. You're on a mission to do that. And to me, if you have a security cloud, it's got to be programmable. You're going to have developers there. You don't, from what I can tell, you have a specific developer platform but it's organic. It's sort of happening out there. What's the strategy around, I mean, the developer today is so critical in terms of implementing a lot of security strategy and putting it into action. They've got to secure the runtime. They got to worry about the APIs. They got to secure the paths. They got to secure the containers. And so what's your developer strategy?
Yeah, yeah. So within cloud security, enabling developers to implement DevSecOps as a philosophy, as a strategy is critical. And so we have a lot of offerings there on the shift left side. For example, you talked about securing containers. So we have container image assessment where we plug in into the container repositories to check for vulnerabilities and bad configuration in the container images. We then complement that with the runtime side where our agent can protect the container from runtime violations, from breakouts, for example. So it's a combination. It's a full spectrum, right, from the developer building an application all the way to the end.
Second, I'll say is we are very much an API first company. So all of the things that you can do from a user interface perspective, you can do from APIs, what has enabled that is a bunch of partners, a rich partner ecosystem, that is building, using those APIs. So the developers within our partners are leveraging those APIs to build very cool applications. And the manifestation of that is CrowdStrike Store where essentially we have, as Josh mentioned in his keynote, we have agent cloud architecture that is very rich. And we said, okay, why can't we open that up for partners to enable them to leverage that architecture for their scenarios. So we have a lot of applications that are built on the CrowdStrike Store leveraging our platform, right? Areas that we are not in, for example.
And here, describe it, is there a PaaS layer that's purpose built for CrowdStrike so that developers can build applications?
That's a great question. So I'll say that we have beginnings of a PaaS layer. We definitely talked about CrowdStrike Store as being PaaS for cybersecurity, but there's a lot more to do. And we are in the process of building up an application platform so that customers can build the applications for their SOC workflow or IT workflow. And Falcon Fusion is a key part of that. So Falcon Fusion is our automation platform built right into the security cloud. And what that enables customers to do is to define, encode their business process, the way they want, and leverage the platform the way they want.
It seems like a logical next step because you're going to enable a consistent experience across the board, and fulfill your promise, your brand promise, and the capabilities that you bring. And this ecosystem will explode once you announce that. And that's the notion we talk about of being the Salesforce of security. Right, right, yeah. That's the next step.
Amol, thank you so much. I got to run and wrap. We really appreciate you coming on theCUBE.
And congratulations on your keynote and all the success and great event.
I appreciate it. Thank you very much for the time and great chatting with you.
You're very welcome. All right, keep it right there. We'll be back very shortly to wrap up from Fal.Con, Fal.Con 2022. This is Dave Vellante for theCUBE.