From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hi, and welcome to the CUBE Studios for another CUBE Conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. One of the banes of every enterprise is complexity, especially in the security world. The more devices, the more things, the greater the surface attack areas. One of the biggest or best approaches to reducing the challenges of security is to try to increase the overall simplicity of what it is you're trying to secure and the practices that you use. Now, today, to talk about that, we're here with Ken Athanasiu, who's a VP and CISO of AutoNation. Ken, welcome to the CUBE.

Thanks, thanks for having me.

So I said upfront that challenges of complexity and simplicity are very real. We're going to get into that, but let's start with AutoNation. Tell us a little bit about AutoNation. Tell us a little bit about yourself.

Sure, so AutoNation is the nation's largest new car dealership. We have about 300 dealerships across the country. We're all North American based. We sell thousands of cars a year and we're about a $22 billion a year business.

Well, that's pretty sizable. And as a company that has to actually deliver something physical, it means you have a pretty broad network of locations where AutoNation has to operate. Have I got that right?

Yeah, that's correct. We have, as I said, about 300 different locations across the country. We also have about seven parts distribution centers. We have collision centers where we actually repair vehicles that have been involved in accidents as well. So it's an extensive network.

So AutoNation is a company that requires a fair amount of security. You're taking a lot of personal and private information from your customers. You're enacting or affecting pretty significant transactions at least in their lives.
Tell us a little bit about some of the challenges that AutoNation was facing and what you had to do to reduce the complexity of your overall security stance.

Sure, so I've been with the organization about not quite five years now. I'm actually the first CISO that the organization has had. And I was brought in because they had a small breach at a third party company that was handling some of their customer information. That obviously is enough to raise the awareness of the executives, the general counsel, et cetera. So the focus was to ensure that they were being as diligent as necessary. So they, at the recommendation of an outside party, hired me to build a cybersecurity program. One of the first things I noticed when I got here was that each of the independent locations, the store locations, had an internet point of presence as well as a circuit back to our data centers. Those internet points of presence were protected with fairly antiquated software and techniques. So that was kind of exposing some significant risk to the organization. That was one of the main problems that I had to solve in the first few months.

So you had internet in, you had points of presence, and then you had connections back to the data center, which meant that someone could, if they breached one of those PoPs, one of those dealerships, could actually affect a fair amount of chaos within your overall corporate network and application infrastructure. Have I got that right?

Yeah, absolutely. And obviously as a car dealership, we take credit applications from folks on a daily basis. Those applications contain pretty significant privacy information and basically have most everything you need to be able to compromise someone's identity, steal their identity, and/or commit all sorts of different fraud activities. So we take that very seriously.
And while we do treat our stores' environment, you know, not as untrusted, but we do segment our stores' environment from our backend systems, that lack of perimeter protections or adequate perimeter protections in the stores was a significant risk.

So you come in, you look at the situation, a fair amount of locations where problems could arise, a fair amount of personal data that, if compromised, would affect your brand. Ken, how'd you think through the way forward?

Sure, so, you know, the traditional approach to an internet point of presence is to put a firewall in place. And then of course you put a web proxy in place and then you put an SSL interceptor in place and then you put some, you know, network-based malware detection engine in place and then you layer on it, you layer on these controls until you get to the point where A, you think we're okay. The costs associated with doing that sort of thing at 300 different locations, not just the cost of purchasing and implementing a small stack of iron at every one of those locations, but then the ongoing costs of trying to manage it and most of these devices are not, you're not intended to actually run 300 of these devices across the country. So managing them, replacing them when they fail, just it was something that was a pretty significant challenge. So we decided it was time to think outside the box and look for something that was cloud-based that we could leverage across the entire enterprise with much less investment of resources.

So what you looked at was these large numbers of devices, the inability to put talent close to them, which would have led to both a lot of cost in the actual devices and a lot of uncertainty in their operation. You looked at using the internet as a way of securing the points of presence themselves. What direction did you take?

So we started looking at cloud-based services.
We looked at, I'd been in discussions with a couple of these folks while I was at my previous engagement, I was at American Eagle Outfitters as their CISO for about seven years. But that organization was very much a hub and spoke environment and we were backhauling all of the traffic from the stores to the data center and then out to the internet. So the environment at AutoNation was significantly different. And I think much more of a modern approach of having local breakouts at the stores, taking advantage of the capacity of the internet, that sort of thing. But to do that, it obviously requires that you still control those. So we started looking at cloud-based services. We looked at Zscaler, we looked at Blue Coat, we looked at Websense, we looked at Cisco stuff. And we also looked at some of the hardware-based solutions, such as like SonicWalls and some of the Palo Alto devices. So we didn't immediately discount the idea that, hey, maybe hardware in each of these stores like a SOHO, small office home office device, wouldn't work for us, but it became quickly apparent that an internet-based cloud solution was the right way to go.

And you chose Zscaler.

We did, we did. When we were going through the evaluation and looking at the various products, Zscaler definitely had the most complete solution. Most of the other products were not truly a full protocol, next-generation firewall in the cloud solution. Some of the solutions were quote-unquote cloud-based, but they basically were talking about putting a virtual instance or multiple virtual instances of a firewall in the cloud, right? Which was actually just somebody else's data center and then pumping that traffic through those virtual instances. That would have reduced the number of instances that we would have had to manage significantly, but it would still be a traditional hardware-based firewall approach just stuck into someone else's data center as a quote-unquote cloud solution.
So Zscaler really had the most comprehensive of all the solutions that we looked at. And we started to pilot it and roll things out and it was working very, very well.

So right now you've got Zscaler to handle your endpoint security from a cloud-based solution. How has that changed your security posture? Let's start there.

Yeah, so as soon as we started rolling Zscaler out, as a prophylactic around the environment, it gave us some pretty excellent visibility. We were running McAfee antivirus at the time. We were using Microsoft SCCM to do patching. We were doing a number of other things in the environment but as soon as we rolled Zscaler out, we started getting the visibility into the traffic. We started really seeing what was actually happening in our environment. It was very clear that those solutions were significantly deficient. We were seeing commodity malware infections happen on a fairly regular basis. We were seeing bot traffic originating from our systems. It was obvious that our internal controls were not where they needed to be and that actually generated, using that as empirical evidence and taking that to my executives and my risk committee, it was very easy to justify additional investments and other security tools to really clean up the environment. We deployed a brand new endpoint protection solution. We deployed a brand new solution for management and patching of the endpoints. We made a lot of very significant changes in the environment and all of that was generated out of the visibility we got from pumping all that client traffic through Zscaler.

Well, it sounds like Zscaler's had a significant impact on the overall security posture of AutoNation. How has it made your CISO feel?

Yeah, well, I can sleep at night for the most part. Whenever you get into a new organization and you get a perspective on the level of risk that you're subjected to, your reaction is along a spectrum and it's either a complete panic to, oh, okay, this isn't so bad.
I will say that I wasn't in complete panic when I got down here and fully understood the situation, but I will say that I wasn't on the "oh, it's not too bad" side of the spectrum either. There was a significant amount of work that needed to be done and, again, I can't stress how much that visibility actually helped us drive new controls into the environment.

Ken, I thought I'd see you talking about the impact of Zscaler and how it simplified the security posture of AutoNation. Thanks very much for being on theCUBE.

Thanks very much for having me.

Once again, I'm Peter Burris. This has been another CUBE Conversation. See you next time.