Hi guys and gals, welcome back to theCUBE's day two coverage of CrowdStrike Fal.Con 23, live from Caesars Palace in Las Vegas. Lisa Martin with Dave Vellante. We're going to be talking with Dell and Intel next about their partnership with CrowdStrike. We're going to be breaking down hardware and system security, what it means, why it's so important. Please welcome our two guests here. JRB is here, Director of Product Security Manageability and Serviceability at the Client Solutions Group at Dell Technologies, and Rick Echevarria, VP, Security Center of Excellence. It's great to have both of you on the program.

It's great to be here with you.

Share with us. JRB, we're going to start with you and then, Rick, we'll go to you. Talk about the three-way partnership, Dell, Intel, CrowdStrike. When was it founded? What's going on there? What's exciting?

Absolutely. I always say that cybersecurity is a team sport. As the attackers have gotten more and more sophisticated, the industry has recognized that it's not one company, one product, one platform that just solves everything. It's the coming together of the best silicon out there, Intel, the best hardware service provider, the most secure PC in the industry, Dell, the best security company out there, CrowdStrike, bringing us together and see what we can do and how we can collaborate on areas where we each specialize in and bringing that together and really reducing and shrinking the attack surface. That's what excites us the most. We started our partnership with CrowdStrike earlier this year. Though we have integrations into some of their solutions but we also have their products sold through Dell channel. You can buy a Dell PC and buy a CrowdStrike license with that and that's also pretty exciting for us.

Definitely. Rick, talk a little bit about the CrowdStrike partnership with Intel. It goes back farther, I understand, yes?
Yes, it goes back at least five years and it got started out of the idea of delivering defense in depth, which is a big philosophy and what brings us together, and we've always been a big believer in platforms and partnering with platform companies, and that's what CrowdStrike really is. And years ago we thought, if you think about where the silicon sits within a compute stack, it is the foundation. It is the foundation of the computing stack. How can the silicon play a more active role in helping the defenders deliver the right security outcomes? And so we have been working together on this whole concept of, there's a lot that the CPU and the silicon sees above the stack. Can we start harnessing that intelligence to again do a better job of identifying threats as quickly as possible that are not visible through any other means? So the collaboration goes deep and wide in a number of different capabilities. We have been working with Dell for a long time, but specifically in the manageability and security space for over 16 years through a lot of our collaborations with our vPro platform, and so over the last year the CrowdStrike collaboration, the Dell collaboration, all those converge as JRB described.

You know Rick, I asked Pat Gelsinger on theCUBE one time, is security a do-over, and he said yes, it was his answer definitively, and Pat so articulate. And in one of the latter VMware or VMworlds in his tenure he made the statement, my mission is to fix security. Now little did I know he was going to do that at Intel. So I wonder if you could talk about the evolution of what's happening at the silicon level, what's changed, maybe even some of the threats and that you've learned over the years, the exposures, you know, whether it's memory leaks or the hypervisor being able to get certain silicon components, and how Intel has evolved, and then we can move up the stack.

Yeah, okay.
I'll try to give you a short answer because that is a question that we can speak to forever, but over the decades that we've been in the industry, and even dating to when Pat was originally at Intel, we have been looking at trying to protect every little bit of surface area of attack on the platform. You know, in the early days it was about the PC and protecting the operating system, and then we started looking at how do you protect both below and above. Things that you wouldn't think about like page tables, okay, and protecting page tables. I mean, all those things were part of the early evolution of security, was again, there's a surface area, how can it be attacked? Can you go protect it? Fast forward to where we are today with a much broader portfolio of technologies. The client, the edge, the cloud, they all represent different challenges for us. So the way we approach security at the silicon level is, first you have to deliver very strong foundation through a lot of the work we do with security, development practices and product assurance, right? And as you move up the stack you start identifying what are some of those newer threats that we can solve with silicon. So I'll give you three examples and then we'll move up.

If you look at endpoint with this collaboration with Dell and CrowdStrike, a large number of attacks today are fileless attacks, okay? They really require visibility in memory in a persistent way. So we developed a technology that allows CrowdStrike to have visibility into memory. That's a very expensive process. You heard George yesterday talking about, complaining about performance, but what if we offloaded that visibility from memory to the integrated GPU that's already in the PC? That allows you to look at memory four to seven times more without having that impact in performance. So we kind of thread the needle there with performance and security. So that's one example of the role that silicon is playing, okay?
Now take that telemetry and that insight that CrowdStrike has at the silicon level and now make it part of what they do at the edge with Zscaler and the trust exchange. Well, now that silicon and that posture becomes visible as they're doing conditional access. And then if you go look at the cloud, where people are concerned over data, privacy, managing access to data, that's where our trusted execution environments in silicon, technologies like SGX and TDX, come into play. So that's just an example of how we've evolved, and sort of three distinct areas where we're increasing our focus is endpoint security, it's zero trust and it's confidential computing, and the Dell collaboration across all of them is just a natural for us.

Okay, now JR, describe where you guys come in in the value chain and take us up the stack and maybe even out to the supply chain as well, where I know you guys-

Absolutely, and you said it right. I mean, if I take a step back, and as Rick alluded to this, cybersecurity has evolved so much that it's like a cat and mouse game. So the adversaries are constantly finding new attack vectors while the cybersecurity community is trying to keep closing the gaps, and it's like a constant catch-up game. The way we think about that is, if you look at, as Rick alluded to that, you have different levels of stack. Up until very recently, the below the operating system and supply chain were largely unaddressed part of the ecosystem of security that attackers were just beginning to exploit, and it's always about staying ahead of the attackers and not constantly playing catch-up as it is. It is pretty dire, right? Given all of, the way we think about that is we take all of the technology that Intel has to offer, build it into our ecosystem, then we look at what else we can do. Dell creates its own BIOS. We validate and publish all of our firmware. We have developed capabilities where we can verify the BIOS integrity of a device.
We can verify the integrity of the Intel management engine firmware. We can also look at supply chain. I always say that the security of a PC begins even before it's assembled. We go even backwards in terms of the process, from the time we identify vendors, procure components, the controls we put in place in our fulfillment centers, implementing least privilege and all those things, and what we call broadly as secure design lifecycle that we implement. And then we assemble the device, and when we ship it to the device, we now have capabilities where customers can, through certificates, attest and make sure that what they ordered, the key components, is exactly what they got, through an offer we have called secure component verification. Now, all of that is, some people will look at, okay, you got more widgets. Yes, they are widgets, but more than widgets, for me they are sources of telemetry into areas that you never had visibility to before. Now that you have visibility to that part of the telemetry, you can take the telemetry and pipe it into platforms like Falcon. Now, the SOC analysts and others have much enriched dataset to work with and visibility into areas, which is essential. You cannot have zero trust without a hardened and observable endpoint. These are all defenses and layers that we build in that gives them that visibility.

We were having an interesting discussion yesterday with Adam Meyers of CrowdStrike, and it used to be we talked a lot about dwell time. People would be, even the SolarWinds hack, they were inside for whatever, 300 days. And so the industry was focused on compressing that time, which I'm sure in part still is, but so much emphasis here has been on breakout time. So Adam's point was, dwell time doesn't even matter anymore if they're in and out and they've taken all your data and encrypted. It doesn't matter how long they've been there. You got to stop the breach.
And that seems to be sort of the new philosophy, I mean not new for CrowdStrike, but what I'm hearing is you guys sort of adhere to that philosophy as well. I wonder if you could add some color to that sort of premise.

Yeah, I would say that, you know, yeah, you're right. Now dwell time was also getting reduced, right? Because they were dwelling in the accounts for less time than, let's say, five years ago. And now we're calling it breakout time. I think it's right now 79 minutes versus 118 minutes five years ago.

I even heard today that it's seven minutes. That was the fastest one they've seen, right?

Well, I think it's going to be, which is why I think there's this conundrum in cybersecurity for a long time. Is it prevention or is it detection and response? Some companies took a prevention first approach. Some said, no matter what you do, you're going to get somebody in, detect and respond. I think there are two essential sides of the coin. Many of the solutions that we have partnered with Intel and built into are things that are sort of in the prevention. I said a little bit because if you can have these defenses built in, one of the things we have is root of trust, which is the very first time you press the boot button. The very first process that tells the machine to boot has to be first verified that it's clean. And then the subsequent activities all verify the previous activity to make sure they're clean. It's like a chain of events that we have instituted. And if there is something wrong there, the machine shouldn't boot. So building defenses like that also helps reduce the amount of things that the SOC analysts will have to deal with, right? So that you reduce the blast radius. You reduce the chances of these kinds of things happening. So they're only looking at then what more sophisticated things that adversaries are up to and how to prevent that or detect and respond to that.

Totally aligned with that.
I think in terms of sort of reducing that time to understand that the posture and the situation dealing with, it's a big part of our motivation. We want to give the defenders as much context as we can give them as quickly as possible on the state of these devices and the state of this platform, right? So they can apply the right controls. We like to call the three Cs: capabilities on the platform to deliver the right context to apply the right controls as quickly as you can get there. And that's really what the collaboration is. I do want to point out, as JRB was describing the work that Dell has done, the importance of understanding that the surface area of attack and where attacks are happening continues to expand. And the work that Dell has done on BIOS and firmware protections, really important. You would be surprised, and maybe JRB can comment on this, how many attacks at the firmware level we're starting to see more and more happen, right?

Yeah, we did a study a couple of years ago and we found that about 44% of the organizations have seen some kind of a cyber incident, either a breach or an attempt, leveraging something around a hardware level.

That they know about.

Yeah, that they know about, yes.

This number is probably 100%.

And it doesn't surprise me in some ways. Some people think it's a surprising thing, but it doesn't surprise me because much of the work happens on the endpoints. It's your weakest link in the chain. And if you look at some of the biggest attack techniques like credential thefts or phishing, it all starts by tricking somebody who is on an endpoint, right? So, so having these mechanisms in place is super important.

Okay, and so, but you were talking about firmware attacks. Do you have any data on that? So 44% had faced an attack. And then is a large percentage of those sort of firmware attacks or was that 44%?

It's leveraging any kind of vulnerability on the device, which often happens to be BIOS firmware level.

Yeah, okay.
Kind of attack. Okay, so that was sort of related to that number. What does a customer have to do to take advantage of sort of hardware assisted security? Are there prerequisites, or do they just, you guys take care of all that, or what would you advise customers?

Yeah, short answer, we take care of all of that. So we have, we don't distinguish, like we have a commercial suite of devices, OptiPlex, Latitudes and Precisions. And we don't say a particular series gets the best security and some others don't. For us, security is essential for everybody. So we build these capabilities uniformly on all of our commercial devices. That, any new, of course, we are building new capabilities and adding to their list all the time. But any current shipping Dell commercial device pretty much carries most of these capabilities with it. And then like I said, we also have the ability to offer, so on all of them, of course, we have the option to buy with the vPro chipset. And then with any of those machines, we have the ability to work and add the CrowdStrike license on top of that for our customers.

Rick, you talked about the threat landscape. You know, it's growing constantly. Here we are in Las Vegas. Two big attacks just happened that hit the news. How can hardware assisted security help customers to start reining in that attack surface that just seems to be just going like this?

I mean, there's a lot that we can do, but this is where a company needs to understand it is a team sport and it's going to take silicon. It's going to take great systems design. It's going to take partnerships with companies like CrowdStrike to be able to really help pull it all together. So, you know, one of the things that I really like about these types of collaborations is we have a lot of ideas, but we're learning a lot from the people, companies like CrowdStrike who are on the front lines. What really do you need in terms of visibility, transparency, capabilities, the same thing with Dell?
I remember years ago when Dell started doing the BIOS work, I happened to be responsible for that vPro business and we started doing collaborations to get that visibility and expose it to companies like CrowdStrike who can capitalize it. And I think one of the best things about this three way collaboration is how much work we've done already on the integration side. You literally are buying a Dell system with vPro capabilities and you're a CrowdStrike customer. You go to that console, it's really a couple of buttons that you turn on and the capabilities are there.

So this is part of the Zero Trust Mosaic. Zero Trust sometimes, it's kind of opaque, you know? And the other thing is, practitioners will say, oh that's good, but it's hard to operationalize, or I can operationalize pieces of it. You guys are operationalizing a piece of the Zero Trust Mosaic. So, bring it back to Zero Trust and how it fits into the puzzle.

Absolutely, right? So the first step in cybersecurity is visibility, right? So again, by doing the work we're doing, we are providing visibility to areas that never had visibility to before, right? So the fundamental premise of Zero Trust is what? Trust, but always verify. Now, how will you verify a machine has the right BIOS and it's not been tampered with? How will you verify that the supply chain was clean and nobody tampered or inserted a malicious component or inserted a malware into a hardware component? Whatever it is, right? How would you verify that the machine has booted to the most secure state? That's the foundation. And I call that a foundation as a building block of Zero Trust. You have to have that. So when customers buy into a hardware ecosystem, a PC ecosystem, or a server and storage ecosystem, they have to inherently buy it into that foundation.
If you have the state of art identity protection, network protection solutions at the top, but have a gaping hole and gaps in hardware that you don't even have visibility to, there is no Zero Trust site. So for us, building that foundation across hardware ecosystems, working with partners like Intel is the essential, right? Then on top of that, we also think about what we call as a control plane ecosystem, where we talk about three control planes. We talk about identity control plane, threat management control plane and policy management control plane. A very simple example could be, let's say if this is all implemented in an environment and customer, user boots machine, whatever reason, a firmware is compromised. Today, up until a few years ago, that was not visible, it was telly nobody knew. Now people know it, but then that telemetry flows into threat management control plane, which says, okay, I have one more actor variable to consider, I've seen a threat coming from a compromised firmware. Now I need to do an action, right? I need to either isolate the host or whatever it is. That's where the policy management comes in and says, okay, my policy states that in such and such instance, I'm going to either isolate the host or I'm going to do some forensics on it, whatever automation rules, you can do that. You can also have an identity play a role and says, okay, the first step I'm going to do even before policy kicks in is, I'm going to re-verify the user, step up authentication. Can you verify who you say you are? Right, so by working these control planes in conjunction with everything we build together is really how we bring to bear the full benefit of Zero Trust.

Wow, that's fascinating. Can I just summarize, I know we got a break, but I'm hearing four things. You're narrowing the attack surface, you're improving my threat detection, you're a part of the Zero Trust puzzle piece, and I'm leveraging my investment in CrowdStrike.
It's the sort of fourth piece of that. Is that the right sort of framework to think about the business case here?

You got it. That's the right way to look at it. And this is going to be an ongoing collaboration. Threats will continue to evolve, so will we evolve in the way we address them. So, great collaboration, looking forward to it.

Great stuff, guys. We'll have to have you back, because I think we're just like literally just scratching the surface of what you guys are doing in hardware-assisted security. Why it's so important, how organizations can take advantage of it, and really the dynamics and the power that these three partners are bringing together for customers. We really appreciate you taking the time to talk with us today.

Thank you. Thank you. Thank you.

All right, for our guests and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE's day two coverage of CrowdStrike Fal.Con 23. We're going to be back after a lunch break, so we'll see you soon.