 Live from Washington D.C., it's theCUBE, covering AWS Public Sector Summit 2018. Brought to you by Amazon Web Services and its ecosystem partners. Hey, welcome back everyone. This is theCUBE's exclusive coverage live in Washington D.C. of Amazon Web Services. AWS Public Sector Summit, I mean, it's so jam-packed. You can't even move. This is like the reinvent for Public Sector, even though it's a summit for Amazon Web Services. I'm here with Dave Vellante, my co-host. Our next guest is John Wood, chairman and CEO of Telos and Rick Tracy, chief security officer and the co-inventor of EXACTA, the top technology. John, great to see you. Welcome to theCUBE. Thanks, guys. Love to get the brain trust here. John, you're like probably one of the most experienced cyber security gurus in the D.C. area, still standing. As we said last time on theCUBE. Okay. And you've got some patents here with some core technology. So first of all, before we get into some of the cool features of the product, talk about the dynamic of Public Sector because Amazon has these summits and they're kind of like a recycled reinvent, small scale, still packed. Talk about what Public Sector Summit is because this is a completely different ball game in this world. Sure. It's a perfect age for the cloud and what this summit does is it provides a great venue for people to come, learn about what works, get best practices, find use cases and just see what the ecosystem is all about in terms of how to make it work with the cloud. Rick, so what's your take? Well, if there's any doubt about it, but it's a double the size of last year, I think there were 7,000 people here last year and Theresa said today, 14.5. So yeah, I mean, it suits us perfectly because this is our sweet spot. So Dave and I are always amazed by Amazon in general, the slew of announcements. Theresa Carlson, you know, picking the reins up where Andy Jassy does that Amazon reinvent, which is just tons of content, so many new announcements. What's your guys take on the hot news for you guys because you guys are a major sponsor and you're in the ecosystem. You've been doing a lot of business with Amazon. Sure. What's going on in the business? What's happening with Telos? Why is it so booming right now for you guys? Well, I think people realize that there is a way to use automation where security can help drive cloud adoption. So Rick and I co-authored an article back in 2011 that talked about why the cloud was more secure and it went over kind of like a lead balloon. And then back in 2014 the agency made the decision, the CIA made the decision, arguably the most security conscious organization in the world to go to the cloud. And so that was a big, big, big deal. But what we do is we help drive the security automation orchestration stuff so you can reduce the time it takes to get what's called your authority to operate. And so I think that's a big deal now. The use of automation is being used to enhance the mission so that the mission owners can get to their mission using the cloud much more quickly. And we heard from the most powerful sentence in the keynote this morning was the cloud on its weakest day is more secure than client service solutions. This is a practitioner saying that, a leader of an agency saying that, not Amazon or not Telos. Absolutely. And it's because of that automation, right? I mean, that's really a key factor. It's because the automation, it's also because the cloud providers are making sure that they lock down their physical infrastructure, guards, gates, guns, all the physical infrastructure and the virtual infrastructure, they do a really good job of that. You think about it, the US government unfortunately, 80% of their spend is around maintaining old systems. Well, the cloud providers are keeping modern. Those old systems have a lot of weaknesses from a standpoint of cybersecurity flaws. So with a modern technology like the cloud, there's a lot more you can do around automation to lock down much more quickly. And the standardization that you get with a cloud makes it easier as well because there's not so many variations of things that you have to figure out how to protect. So the standardized services that everything's built on really helps. Yeah, and people are adopting cloud in kind of different ways, which makes it harder too. But you get the benefits of scale and speed, certainly. But I got to just pick up on some big news that's happened just last night and today. Microsoft Azure suffered an 11 hour downtime across Europe. 11 hours, Azure's down, Microsoft Azure. This is huge concern. Downtime, security. These are, I mean, this is just like, so what's going on with this? So the truth of the matter is, if you think about where Amazon is today, Amazon is light years ahead of the rest of the cloud guys. The reason for that is, they made the decision early on to make the risk around cloud. As a result of that, they have so many lessons learned that are beyond all the other cloud providers that that wouldn't happen to Amazon today because of all of the backup replication and duplication that they have and their environments. How big do you think that lead is? You know, there's a lot of debate in the industry that other guys are catching up. The other side of the coin is, no, actually the flywheel effect is like Secretariat and the stretch run of the Belmont that we're talking about racing before. What's your sense of that lead, even subjectively? I think it's between five and 10 years. There was crickets in this world, in the public sector world for cloud, up until literally the agency decided to adopt. So when the CIA made that decision, that was sort of the shot her in rounder world as it relates to cloud adoption, not just for public sector, but for commercial as well. Because if you look at Amazon's ramp up, right after that decision was made, their ramp up's been amazing. That was a watershed event for sure. It was, and it was very well documented. I mean, I read the judges ruling on that when IBM tried to stop them and the judge eviscerated IBM. And of course, IBM had no cloud at the time. They had to go out and spend $2 billion on software. John has lots of opinions on that. But it's okay, so that's- I'm on the right side of history on that call. I think you are, it's a pretty good call. What should be practitioners be thinking about? You talked about the standardization. Where should they be focused? Is it on response? Is it on analytics? Is it on training? What should it be? Well, from our perspective, it is a lot of it, a lot of the focus is on analytics. So a lot of the data that we've helped our customers collect over time for this ATO process that John previously mentioned. Our goal with IO is to help, exact IO is to help organizations leverage that data to do more through analytics. So there's this dashboard with ad hoc reporting and analytic capability that's going to allow them to blend asset data with risk and threat data with other sorts of data that they're collecting specifically for the ATO process that they can use now for more robust cyber risk management. So for me, analytics is huge moving forward. And that's a prioritization tool so they can focus on the things that matter or maybe double click on that. It could be a prioritization tool, but it could also be a tool that you use to anticipate what might happen, right? So some analytics will help you determine this asset is vulnerable for these variety of reasons. Therefore it has to go to the top of the stack for remediation but also using that data over time might help you understand that this plus this plus this is an indication that this bad thing is going to happen. And so analytics I think falls into both categories. Probably it's more, the forecasting and predictive is something that's going to come later but as you amass more data and understand how to apply rules to that data, it will naturally come. So Rick and I have worked together for many, many years and over a quarter of a century. So the way I would say it is like this, Exacto360 helps you to accelerate your authority to operate, but that's a point in time. The Holy Grail for us as security practitioners is all around continuous monitoring of your underlying risk. So the data analytics that he's talking about is where we come about in looking at ExactoIO. So ExactoIO helps fulfill that mission of continuous compliance, which means that the ATO is no longer just relevant at that moment in time. Because we can do continuous monitoring now at scale in hybrid environments in the cloud on-prem because our clients are huge. So they're going to be a combination of environments that they're sitting in and they need to understand their underlying risk posture. They need to have, they're going to have all kinds of scanners so we don't really care. We can ingest any kind of scanner that you have with ExactoIO as a result of that, the security professional can spend their time on the analysis and not the pedestrian stuff that's just kind of wasting time like documentation and all that stuff. For us data is a means to an end, right? It's either to get an ATO or it's to help you understand where you need to be focusing your resources to remediate issues. So for us, leveraging the data that's produced by many companies that are at this show is that their data is a means to help us get our job done. Are you able to have one follow-up, if I may? Are you able to have an impact? I mean, even again, subjectively on that number, whatever that number is, we get infiltrated, the customer gets infiltrated, it's 300 days before they even realize it. Are you seeing an impact on that as a result of analytics or is it two early days? I would say it's still early, but it's reasonable to expect that there will be benefits in terms of faster detection and maybe it's not even detection. At some point, hopefully it's anticipating so that you're not detecting something bad already happened. It's avoiding it before it happens. Yeah, and let me say it this way too. You know, if you listen to John Edwards, the CIO from the CIA, he talks about how the reason he loves the cloud is because it used to take the agency about a year to provision a server and now it's a few minutes, right? Well, that's great, but if you can't get your authority to operate because that could take another 18 months, you're not going to get the benefit of the cloud, right? So what we do is we help accelerate how fast you can get to that ATO so that guys like the agency and anybody else that wants to use the cloud can use it much more quickly, right? And the continuous integration and monitoring spray and the security, but I got to ask you the question, analytics are super important. We all know data now is in the center of the value proposition across the board, horizontally, not just data warehousing. Analytics that are used as instrumentation and variables into critical things like security. So with that being said, if you believe that, the question is how does that shape the architecture if I'm in an agency or I'm a customer, I want to build a cloud architecture that's going to scale and do all those things, be up, not go down and have security. How does the architecture change with the cloud formula for the decision maker? Because right now they're like, oh, should I do multi-cloud, should I just Amazon? So the data is a critical architectural decision point. How do you guys see that shaping? What's your advice to practitioners around designing the cloud architecture for data in mind? Just use Amazon? Yes, just use Amazon. I mean, all the tools that you need exist here, right? And so, all the tools you need in the cloud exist here. All right, so let me phrase it another way. But John, the issue is you're not going to have all your stuff in the cloud if you're the Air Force or if you're the Army, because you have 75 years of data that you've got to push in. So over the next 10 years, there's going to be this, quote, hybrid environment where you'll have some stuff in the clouds, some stuff in a hybrid world, some stuff on-prem, right? All right, how do I secure that? So that's a great point, so data's everywhere. So that means you need to collect it and then measure certain things. What's the best way to secure it? And then, does that work exactly what fits in? Or I'm trying to put that together if I'm like going to design my architecture and then go to procurement, whether it's on-premise or multi-cloud. Well, there are lots of security products that people use to secure, whether you're on-prem or whether you're in the cloud. And our platform leverages that information to determine whether things are secure enough. So this is the distinction between cyber risk management and actually securing a database, right? So there's so many granular point products that exist for different points along the security chain, life cycle chain, if you will, that our objective is to ingest as much of that information and purpose it in a way that allows someone to understand whether they're actually secure or not. And so it's understanding your security posture, transforming that secure information to risk so that you can prioritize that we were talking about before. You're taking a platform mentality as opposed to a point product. We're taking enterprise view of risk. So the enterprise is, remember, it's on-prem and hybrid and cloud. If all your stuff is in the cloud, Amazon has the answer for you. None of our customers are in that situation. If you're a startup, Amazon's the way to go, period. But all of our customers have legacy. As a result of that, it's an enterprise view of risk. That's why companies like Telos partner so well with Amazon because they're all about being close to the customer. They're all about using automation. We are as well. All right, talk about the news you guys have. ExactoIO, you're the co-inventor of it. Jack, talk about this product. What's the keys? What does it do? Where's it applied to? You mentioned a little bit about getting past the authority and time point there. What's the product about? The product is about ingesting massive amounts of information to facilitate the ATO process as one, but managing cyber risk more generically because not everybody has an ATO requirement. So you asked a few seconds ago about, so you're taking a platform approach. Yes, we're blending three separate products that we currently have taking that functionality and putting it on a very, very robust platform that can exist on-prem. It can exist in the cloud to enable organizations to manage their cyber risk. And if they choose or if they have a requirement to deal with things like FedRAMP and risk management framework and cybersecurity framework and ISO certification and things of that nature, the point is not everyone has an ATO requirement, but everyone has a need to manage their risk posture. So we're using our ability to ingest lots and lots of data from lots and lots of different sources. We're organizing that data in ways that allow an organization to understand compliance and or risk and or security and visualize all that through some dashboard with ad hoc reporting that lets them blend that data across each other to get better insights about risk posture. And to visualize it in a way that makes sense to the user. Yes. So if you're the CEO, you're going to want to see it a certain way. If you're the IT manager, you're going to want to see it a certain way. If you're a risk assessor, you're going to want to see it a different way. So that's kind of what we're talking about. So I got to ask you one question. I know we got to go, but a hardcore security practitioner once said to me that hard core security practitioners like you guys, when they were kids, they used to dream about saving the world. So I want to know, who's your favorite superhero? Superman. Superman? Spider-Man. All right. Awesome. It's a basic question for you guys. That's the hardest question. They're fast. They know it. Star Trek or Star Wars? It depends on the generation. Okay. We'll go there. We'll keep 15 more minutes of debate. Okay. Final question. What's this going to do for your business? Obviously now you have new, open up new window with the new product integration. How's it going to change? Tell us what does it do for you guys from a capability standpoint? Well, a big thing I'd suggest your listeners and your watchers to consider is there's a new case study that just came out. It's published jointly by the CIA, Amazon and Telos, talking about why working together is really, really, really groundbreaking in terms of this movement to the cloud. Because your public sector listeners and viewers are going to want to know about that because this ATO thing is really a problem. So this addresses a massive issue inside of the public sector. And final question is while you're here is to get your thoughts. Obviously there's a big change of the guard, if you will, from old guard to new guard. That's an Amazon term, Andy Jassy uses. Also we all saw the DOD deal, Jedi's right there on the table. A lot of people jockeying, kind of old school policy, lobbying, sales is changing. How is the landscape from a vendor supplier to the agencies changed and or changing with this notion of how things were done in the past and the new school? So three points. Legislatively, there's top cover. They understand the need to modernize, which is great. The executive branch understands the need to modernize through the IT Modernization Act as well as the cybersecurity executive order. And then lastly, there are use cases now that can show the way forward. Here's the problem. The IT infrastructure out there, the IT guys out there that do business in the government, many of them are not paid to be efficient. They're paid cost plus, they're paid time material. That's no way to modernize. So fundamentally, I think our customers understand that and they're going to revolutionize and move forward. And the rules are changing big time, sole source, multi-source. I mean, Amazon's on record. I got Teresa on record saying, look at, we don't want a sole source requirement. Let everyone bid fairly. Let's see who wins. Who can bring a secret cloud to the table? I don't, no one else has it. In terms of past performance and customer use cases, they're pretty much in the head for sure. Great. Amazon kicking butt here. Tell us congratulations for a great event. Thanks for coming on. Thanks a lot guys. I'm the new product. Cube coverage here in DC, this is Cube. I'm John Furrier with Dave Vellante. Stay with us. We have more great interviews stacked up all day and all day tomorrow. Actually up half a day tomorrow up to two o'clock at Eastern. Stay with us for more. We'll be right back.