Welcome back to the Aria in Las Vegas, Dave Vellante with Dave Nicholson, Falcon 22, theCUBE's continuous coverage. Shawn Henry is here, he's the president of the services division, and he's the chief security officer at CrowdStrike, and he's joined by Kevin Mandia, CEO of Mandiant, now part of Google. Gents, welcome to theCUBE. Thank you. Congrats on closing the Google deal. Thank you. That's great, new chapter. New chapter. Coming fresh off the keynote, you and George, I really enjoyed that. Let's start there. One of the things you talked about was the changes. You've been in this business for a while. I think you were talking about, you know, doing some of the early stuff in the 90s. Wow, things have changed a lot. The Queen, right? You used to put the perimeter around the Queen, build the moat, the Queen's left her castle, new ball game, but you were talking about the board level knowledge of security in the organization. Talk about that change that's occurred in the last decade. You know, boards are all about governance, right? Making sure everybody's doing the right things. And they've kind of had a hall pass on cybersecurity for a long time. Like, we expect them to be great at financial diligence. They understand the financials of an organization. You're going to see a maturity, I think, in cybersecurity where I think board members all know, hey, there's risk out there. And we're on our own to kind of defend ourselves from it, but they don't know how to quantify it and they don't know how to express it. So bottom line, boards are interested in cyber and we just have to mature as an industry to give them the tools they need to measure it appropriately. Shawn, one of the things I wanted to ask you. So Steven Schmidt, I noticed, changed his title from CISO, Chief Information Security Officer to Chief Security Officer. Your title is Chief Security Officer. Is that a nuance that has meaning to you or is it just less acronym?
It depends on the organization that you're in. In our organization, the Chief Security Officer owns all risks. So I have a CISO that comes underneath me and I've got security folks that are handling our facilities, our personnel, those sorts of things, all of our offices around the globe. So it's all things security. One of the things that we've found, and Kevin and I were actually talking about this earlier, is this intersection between the physical world and the virtual world. And if you've got adversaries that want to gain access to your organization, they might do it remotely by trying to hack into your network, but they also might try to get one of your employees to take an action on their behalf or they might try to get somebody hired into your company to take some nefarious acts. So from a security perspective, it's about building an envelope around all things valuable and then working it in a collaborative way. So there's a lot of interface, a lot of interaction and a lot of value in putting those things together. And you're also president of the services division. Is that a P&L role? It is. We have a P&L and we have an entire organization that's doing incident response and it's a lot of the work that we're doing with Kevin's folks now. So I've got both of those hats today. Okay, so you're self-funded, so in a way. Okay, where are companies most at risk today? You want to go on that one first, Shawn? You talk faster than me, so it's bigger bang for the buck if you talk. You know, when I think about companies in terms of their risk, it's a lot of it has to do with the expansion of the network. Companies are adding new applications, new devices, they're expanding into new areas, there are new technologies that are being developed every day and that are being embraced every day. And all of those technologies, all of those applications, all of that hardware is susceptible to attack. Adversaries are looking for the vulnerabilities they can exploit.
And I think just kind of that sprawl is something that is disconcerting to me from a security perspective. We need to know where our assets are, where the vulnerabilities lie, how do we plug the holes. And having that visibility is really critical to ensure that you're involved in mitigating that new architecture. Anything you'd add? Yeah, I would, like when I, so I can just tell you what I'm hearing from CISOs out there. The word about identity, the lateral movement that's been kind of part of every impactful breach. So identity is kind of top three of mind. I would say zero trust, whatever that means. We all have our own definitions of migration to zero trust and supply chain risk. You know, whether they're the supplier, they want to make sure they can prove to their customers they have great security practices. Or if they're a consumer of a supply chain they need to understand who's in their supply chain, what are their dependencies, how secure are they? Those are just three topics that come up all the time. As we extend, you know, talking about XDR, the X being extend, do you see physical security as something that's being extended into or is it already kind of readily accepted that physical security goes hand in hand with information security? I don't think a lot of people think that way. There certainly are some, and Dave mentions Amazon and Steve Schmidt as a CSO. There's a CSO that works for him as well. There's clear integration, there's an intelligence component to that. And I think that there are certain organizations that are starting to recognize and understand that when we say there's no real perimeter, it expands, the network expands into the physical space. And if you're not protecting that, you know, if you don't protect the server room and somebody can actually walk in, the door's unlocked, you've got a vulnerability that might be exploited. 
So I think to recognize the value of that integration from a security perspective to be holistic and for organizations to adopt a security first philosophy that all the employees recognize, they're the first line of defense oftentimes, not just from a phish, but by somebody catching up with them and handing them a thumb drive. Hey, can you take a look at this document for me? That's a potential vulnerability as well. So those things need to be integrated. I thought the most interesting part of the keynote this morning is when George asked you about election security, and you immediately went to the election infrastructure, I was like, yeah, okay, but then I was so happy to hear you went to the disinformation. I learned something there about your monitoring the network effects and actually there's a career stream around that. The reason I had, so years ago I interviewed, I was like, it was 2016, Robert Gates, former defender. And I said, yeah, but don't we have the best cyber? Can't we go on the offensive? He said, wait a minute, we have the most to lose. But you gave an example where you can identify the bots, like let's say there's disinformation out there, you could actually use bots in a positive way to disseminate the truth in theory. Is that something that's actually happening out there? I think we're all still learning. You're going to have deep fakes, both audible files or visual files and images. And there's no question the next generation, you do have to professionalize the news that you consume. And we're probably going to have to professionalize the other side, critical thinking, because we are a marketplace of ideas in an open society. And it's hard to tell where's the line between someone's opinion and intentional deception. And sometimes it could be to source a foreign threat trying to influence the hearts and minds of citizens.
But there's going to be an internal threat or domestic threat as well, to people that have certain ideas and concepts that they're zealots about. Is it enough to simply expose where the information is coming from? Because look, I could make the case that the Red Sox are a horrible baseball team and you should never go to Fenway. And your Yankees jersey. Right, so is that disinformation, is that misinformation? He'd say yes, someone else would say no, but it would be good to know that 1,000 bots from some troll farm are behind this. There's, it's helpful to know if something can be tied to identity or is totally anonymous. Start just there, you can still protect the identity. Over time, I think all of us, if you're going to trust the source, you actually know the source, right? So I do believe, and by the way, much longer conversation about anonymity versus privacy and then trust, all right? All three, you could spend this whole interview on. But we have to have a trustworthy internet as well. And that's not just in the tech and the security of it, but over time it could very well be how we're being manipulated as citizens and people. When you guys talk to customers and peers, when somebody gets breached, what's the number one thing that you hear that they wished they'd done that they didn't? I think we talked about this early and I think identity is something that we're talking about here. How are you protecting your assets? How do you know who's authorized to have access? How do you contain the access that they have? And the area we see with these malware-free attacks where adversaries are using the existing capabilities of the operating system to move laterally through the network. I mean, Kevin's folks, my folks, when we respond to an incident, it's about looking at that lateral movement to try and get a full understanding of where the adversary's been, where they're going, what they're doing, and to try to find a root cause analysis.
And it really is a critical part. So part of the reason I was asking you about it was at a P&L, because you wear two hats, right? You've got revenue generation on one side and then you've got, you protect the company and you've got peer relationships. So the reason I bring this up is I felt like when Stuxnet occurred, there was a lot of lip service around, hey, we as an industry are going to work together. And then what you saw was a lot of attempts to monetize private data, sell private reports and things of that nature. You were referencing today, Kevin, that you think the industry's doing a much better job of collaboration. Is it, can you talk about that and maybe give some examples? Absolutely, I mean, I lived through it as a victim of a breach a couple years ago. If you see something new and novel, I just can't imagine you getting away with keeping it a secret. I mean, I would even go, what are you doing harboring that? If you have it, that doesn't mean you tell the whole world. You don't come on your show and say, hey, we got something new and novel, everybody panic. You start contacting the people that are most germane to fixing the problem before you tell the world. So if I see something that's new and novel, certainly, call Shawn and the team at CrowdStrike saying, hey, there's, because they protect so many endpoints and they defend nations. And you got to get to Microsoft. You have to talk to Pan. You have to get to the companies that have a large capability to do shields up. And I think you do that immediately. You can't sit on new and novel. You get to the vendor where the vulnerability is. All these things have to happen at a great rate of speed. So you guys probably won't comment, but I'm betting dollars to donuts, this Uber Lapsus$ hack you guys knew about. I turn to you. No comment. I'm guessing, I'm guessing that that wasn't novel. My point being, let me ask it in a more generic fashion that you could maybe comment.
You, I think my inference is where the industry is compressing the time between a zero day and a fix. Like dramatically. Yes. Awareness of it and a fix. Yes. Yeah, okay. And a lot of the hacks that we see as laypeople in the media, you've known about for quite some time. Is that fair or no? Not necessarily. It's, you know, it's harder to handle an intrusion quietly and discreetly these days, especially with what you're up against. And most CEOs, by the way, their intent isn't let's handle it quietly and discreetly. It's what do we do about it and what's the right way to handle it. And they want to inform their customers and they want to inform people that might be impacted. I wouldn't say we know it all that far ahead of time. And pens. And I think companies don't know it. Companies don't know they've been breached for weeks or months or years in some cases, which talks about a couple of things. First of all, some of the sophistication of the adversaries, but it also talks about the inability of companies to often detect this type of activity. When we're brought in, it's typically very quickly after the company finds out because they recognize they've got to take action, they've got liability, they've got brand protection, that whole sort of things they need to take care of and we're brought in. It may or may not become public. But CrowdStrike was founded on the premise that the unstoppable breach is a myth. Now, that's a bold sort of vision. We're not there yet, obviously. And CISO can't accept that, right? You've got to always be vigilant. But is that something that we're going to actually see manifest anytime in the near term? I mean, thinking about the Falcon platform, you guys are users of that. I don't know if that is part of the answer, but part of its technology, but without the cultural aspects, the people side of things, you're never going to get there. 
I can tell you, I started at Mandiant in 2004 at the premise, security breaches are inevitable, they're far less marketable than stop breaches. I think you have to learn how to manage this, right? It's like healthcare. You're not going to stop every disease, but there's a lot of things that you can do to mitigate the consequences of those things, the same thing with network security. There's a lot of actions that organizations can take to help protect them in a way that allows them to live and operate in a strong position. If companies are lackadaisical, they're irresponsible, they don't care, those are companies that are going to suffer, but I think you can manage this if you're using the right technology, the right people, you've got the right philosophy, security first. And the culture? Well, I can tell you very quickly, the three reasons why people think why is there an intrusion? It should just go away. Well, wherever money goes, crime follows. We still have crime, so you're still going to have intrusions, whether it has to be someone on the inside or a faulty software and people being paid to write faulty software, you're going to have war. That's going to create war in the cyber domain, so information warriors are going to try to have intrusions to get to command and control. So wherever you have command and control, you'll have a warfighter, and then wherever you have information, you have espionage. So you're going to have people trying to break in at all times. And to tie that up, because everything Kevin said is absolutely right, and what he just said at the very end was people. There are human beings that are on the other side of every single attack. And think about this, until you physically get, physically get to the people that are doing it and stop them, this will go on forever because you can block them, but they're going to move. And you can block them again, they're going to move.
Their objectives don't change because the information you have, whether it's financial information, intellectual property, strategic, military information, that's still there, they will always come at it, which is where that physical component comes in. If you're able to block well enough and they can't get you remotely, they might send somebody in. Well, in the keynote, I'm not kidding, I'm looking around the room and I'm thinking, there's at least one person here that is here primarily to gather intelligence, to help them defeat what's being talked about here. Well, you said it. It's kind of creepy. You said the adversary is very well-equipped and motivated, why do you rob banks? Well, that's where the money is, but it's more than that now. With state-sponsored terrorism and exfiltration of state secrets, I mean, it's high stakes games, you guys are playing. This has become a tool of nation states in terms of, from a political perspective, from a military perspective, if you look at what happened with Ukraine and Russia, all the work that was done in advance by the Russians to soften up the Ukrainians, not just collection of intelligence, not just denial of services, but then disruptive attacks to change the entire complexity of the battlefield. This is an area that's never going away, it's becoming ingrained in our lives and it's going to be utilized for nefarious acts for many, many decades to come. I mean, you're right, Shawn, we're seeing the future of war right before us. There is going to be, there is a cyber component now in war. I think it signals, the cyber component signals the silent intention of nations period, the silent projection of power, probably before you see kinetics. And this is where Gates says we have a lot more to lose as a country, so it's hard for us to go on the, we have to be very careful about our offensive capabilities, because we have to protect.
One of the things that we do need to do though is we need to define what the red lines are to adversaries, because when you talk about human beings, you've got to put a deterrent in place so that if the adversaries know that if you cross this line, this is what the response is going to be. It's the way things were done during nuclear proliferation, right? During the Cold War. Here's what the actions are going to be. It's going to be mutual destruction. And you can't do it, and we didn't have a nuclear war. We're at a point now where adversaries are pushing the envelope constantly, where they're turning off the lights in certain countries, where they're taking actions that are quite detrimental to the host governments. And those red lines have to be very clear, very clearly defined and acted upon if they're crossed. As security experts, can you always tie that signature back to say a particular country or a particular group? Absolutely 100% no. Every time, no, yeah, no. It's a great question. You need to get attribution right to get deterrence, right? And without attribution, where do you proportionately respond to whatever act you're responding to? So attribution is critical. Both our companies work hard at doing it. And that's why I think you're not going to see too many false flag operations in cyberspace, but when you do, and they're well-crafted, where one nation masquerades as another, it's one of the last rules of the playground. I haven't seen broken yet. And that'll be an unfortunate day. Yeah, because that mutually assured destruction, a despot like Putin can say, well, it wasn't me. Right, and ironically, it's human intelligence and ultimately is going to be the only way to uncover that. Human intelligence is a big component, for sure. And David, like when you go back to your referring to Robert Gates, it's the asymmetry of cyberspace.
One person in one nation that's not a controllable asset could still do an act and it just adds to the complexity of we have attribution. It's from that nation, but was it an order? Was it done on behalf of that nation? Very complicated. So this is an industry of superheroes. Thank you guys for all you do. I appreciate you coming on theCUBE. I love your cape. Yeah. All right, keep it right there. Dave Nicholson and Dave Vellante, be right back from Falcon 22 from the Aria. You're watching theCUBE.