Okay, we're back in Boston, everybody. This is Dave Vellante for theCUBE, the leader in enterprise tech coverage. This is re:Inforce 2022, AWS's big security conference. We're here in Boston, at the convention center where theCUBE started in 2010. Haiyan Song is here. She's head of security and distributed cloud services at F5, and she's joined by Dan Woods, who's the global head of intelligence at F5. Great to see you again. Thanks for coming to theCUBE. Dan, first time, I believe.

Yeah, happy to be here.

All right, good to see you guys. How's the event going for you all?

It's been just fascinating to see all those new players coming in and taking security in a very holistic way. Very encouraged.

Yeah, Boston in July is good. A lot of action at the Seaport. When I was a kid, there was nothing here. A couple of mob restaurants and that's about it, and now it's just booming.

I'm just happy to see people in person, finally.

Is this your first event since?

It's maybe my second or third.

Okay, great.

Since everything opened up. And I tell you, I am done with Zoom.

Yeah, I mean, it's very clear. People want to get back face to face. It's a whole different dynamic. I think the digital piece will continue as a complement, but nothing beats belly to belly, as I like to say. All right, Haiyan, let's start with you. So you guys do a security report every year. I think this is your eighth year, the app security report. I think you noted in this report the growing complexity of apps and integrations. What were your big takeaways this year?

And so, like you said, this is our eighth year, and we interview and talk to about 1,500 companies and IT digital makers. One of the things that's so prevalent coming out of the survey is that the complexity they have to deal with continues to increase. It's still one of the biggest headaches for all the security professionals and IT professionals.
And that's explainable in a way if you look at how much digital transformation has happened in the last two years, right? It's an explosion of apps and APIs that's powering all of our digital way of working in the last two years. So it's certainly natural to see the complexity has doubled and tripled, and we need to do something about it.

And the number of tools keeps growing, the number of players keeps growing. I mean, some of them are really interesting. They're really not startups anymore but well-funded new entrants into the marketplace. Were there any big surprises to you? You're a security practitioner, you know the space really well. Anything jump out like, whoa, that's surprising?

Yeah, it's been an interesting discussion when we look at the results, right? Some of us would say, gosh, this is such a big surprise. How come people are still willing to turn off security for the benefit of performance? And as a security professional, I reflect on that. I said, is it a surprise, or is it just a mandate for all of us in security that we've got to do better? Because security shouldn't be the one that prevents or adds friction to what the business wants to do, right? So it's a surprise because, after all the breaches and the security incidents, people are still, you know, three quarters of the interviewees said, well, if we were given a choice, we would turn off security for performance. And I think that's a call to action for all of us in security. How do we make security done in a way that's frictionless, so they don't have to worry about it? They don't have to do a trade-off. And I think that's one of the things, you know, Dan, in working on our entire anti-automation solution: one is to protect, and the other thing is to enable.

Yeah, you think about, Dan, I would say that the adversary is extremely capable. The ROI of cyber attacks just keeps getting better and better, and your job really is to lower the ROI, right?
Decrease the value, increase the cost. But, I mean, phishing continues to be prevalent. You're seeing relatively new techniques, island hopping, self-forming malware. I mean, it's just mind-boggling. But how are you seeing, you know, the attacks change? What's the adversary doing differently over the last, you know, several years? Maybe pre- and post-pandemic. We've got a different attack surface. What do you see?

Well, we're seeing a lot higher volume attacks, a lot higher volume and velocity. It is not uncommon at all for us to go inline and deploy our client-side signals and see the upper 90 percent is automated, unwanted automation hitting the application. So the fact that the security teams continue to underestimate the size of the problem, that is something I see every time we go into an enterprise, that they underestimate the size of the problem, largely because they're relying on capabilities like CAPTCHA, or maybe they're relying on 2FA. And while 2FA has a very important role in security, it doesn't stop automated attacks, and CAPTCHA certainly doesn't stop automated attacks.

So, okay, so you said 90% now, as high as 90% are automated, up from where? Maybe dial back to give us a marker as to where it used to be.

Well, less than 1% is typically what all of our customers across the F5 network enjoy. Less than 1% of all traffic hitting origin is unwanted. But when we first go inline, it is upper 90. We've seen 99% of all traffic being unwanted automation.

But Dan, if I dial back to, say, 2015, was it that high that was automated back then?

You know, I don't know if it was that high then, because credential stuffing was just starting to kind of take off. But as credential stuffing became better and better known among the criminal elements, that's when it really took off. It pays.

You're right, crime pays.

Yeah, it's unfortunate, but it's true.

Explain the CAPTCHA thing, because sometimes, as a user, like, it's impossible to do the CAPTCHA.
It's like a Twister, you know. I got that one wrong. And I presume it's because CAPTCHA can be solved by bots.

Well, actually, the bots use an API into a human click farm. So there are humans that sit around solving CAPTCHAs all day long. I actually became a human CAPTCHA solver for a short time just to see what the experience was like. And they put me through the training, teaching me how to solve CAPTCHAs more effectively, which was fascinating, because I needed that training, frankly. And then they tested to make sure I solved CAPTCHAs quickly enough. And then I had solved maybe 30 or 40 CAPTCHAs and I hadn't earned one penny U.S. yet. So this is how bots are getting around CAPTCHAs. They just have humans solve them.

Oh, okay. Now, we hear a lot at this event, you've got to turn on multi-factor authentication. And obviously you don't want to use just SMS-based MFA. But, Dan, you're saying not good enough. Why? Explain that.

Well, most implementations of 2FA are, you know, you enter in username and password, and if you enter in the correct username and password, you get a text message, and you enter in the code. If you enter in the incorrect username and password, you're not sent the code. So the purpose of a credential stuffing attack is to verify whether the credentials are correct. That's the purpose. And so if it's a 2FA-protected login, I've done that. Admittedly, I haven't taken over the account yet, but now that I have a list of known good credentials, I could partner with somebody on the dark web who specializes in defeating 2FA through social engineering or port-outs or SIM swaps, SS7 compromises, insiders at telcos, lots of different ways to get at the 2FA text message.

So wow, this is a really interesting, scary discussion. So what's the answer to that problem? How does F5 approach it?

Haiyan touched on it. We want to improve security without introducing a lot of friction. And the solution is collecting client-side signals.
You interrogate the user's interactions, the browser, the device, the network, the environment, and you find things that are unique, that can't be spoofed, like how it does floating-point math or how it renders emojis. This way, you're able to increase security without imposing friction on the customer. And honestly, if I ever have to solve another CAPTCHA again, my blood is boiling over CAPTCHA. I wish everyone would rip it out.

As a user, I second that request. Haiyan, technology got us into this problem. Can technology help us get out of the problem?

It has to. I think when you think about the world that is powering all the digital experiences, there are two things that come to mind: apps and APIs are at the center of them. And in order to solve the problem, we need to really zero in on where the epicenter of the attack can be and have the max amount of impact. So that's part of the reason, from an F5 perspective, we think of application and API security together, with multi-tiered defense, from DDoS to bots, from the simple bots to the most sophisticated ones. And it has to be a continuum. You don't just say, hey, I'm going to solve this problem in this silo. You have to really think about apps and APIs. Think about the infrastructure. Think about, you know, we're here at AWS, and cloud-native solutions and API services are all over. You can't just say, I only worry about one cloud. You cannot say, I only worry about VMs. You really need to think of the entire app stack. And that's part of the reason, when we build our portfolio, there is a web application firewall, there's API security, there's the bot solution, and we added application infrastructure protection coming from our acquisition of Threat Stack. They're actually based in Boston. So it's really important to think holistically of telemetry, visibility, so you can make better decisions for detection and response.

So that leads me to a number of questions.
First, I want to stay within the AWS silo for a minute. What's the relationship with AWS? How are you integrating, partnering with AWS? Let's start there.

Yeah. So we work with AWS really closely. A lot of our solutions actually run on the AWS platform. Part of our Shape services uses AWS capabilities, and Threat Stack is purely running on AWS. We actually just had an integration, maybe I'm pre-announcing something, of our bot solutions with CloudFront. So we can be adding another layer of protection for customers who are using CloudFront as the WAF on AWS.

Okay, so you integrate, you worry about APIs, AWS APIs and primitives, but you have business on-prem, you have business with other cloud providers. How do you simplify those disparities for your customers? Do you kind of abstract all that complexity away? What's F5's philosophy with regard to that, and creating that continuous experience across the estate irrespective of physical location?

Yeah, I think you're spot on in terms of we have to abstract the complexity away. The technology complexity is not going to go away, because there are always going to be new things coming in. The world becomes more disaggregated and there are going to be best-of-breed solutions coming out. And I think it's our job to say, how do we think about policies for web applications? And you're on-prem, you're in AWS, you're in another cloud, you're in your private data center, and we can certainly abstract out the policies, the rules, to make sure it's easier for a customer to say, I want this particular use case, and they push a button and it goes to all the properties, whether it's their own edge or their own data center, and whether it's using AWS CloudFront or using our WAF. So that is part of our adaptive, we call it adaptive application vision, is to think delivery, think security, think optimizing the entire experience together.
Using data. I come from a company that was very much around data can power so many things, and we believe in that too.

We use a term called supercloud, which implies a layer that floats above the hyperscale infrastructure, hides the underlying complexity of the primitives, adds value on top, creates a continuous experience across clouds, maybe out to the edge, even someday on-prem. Does that sound like, it sounds like that's your strategy and approach, and, you know, where are you today, and is that technically feasible today? Is it a journey? Maybe you could describe that.

Yeah, so in my title, right, you talked about security and distributed cloud services, and the distributed cloud services came from a really important acquisition we did last year, and it's called Volterra. What they brought to F5 is the ability, not only having a lot of the SaaS capabilities and delivery capabilities with a very strong infrastructure, they also have capabilities like multi-cloud networking. And, you know, people can really just take our solution and say, I don't have to go learn about all the, like, I think using supercloud is exactly that concept: we'll do all the hard work behind the scenes, you just need to decide what application, what user experience, and we'll take care of the rest. So that solution is already in the market, and of course there are always more things we can do, collect more telemetry and integrate with more solutions, so there are more insertion points and customers can have their own choice of whatever other security solution they want to put on top of that. But we already provide the entire service around web application and API services, and the bot solution is a big piece of that.

So I could look at analytics across those clouds and on-prem, and actually you don't have to go to four different stovepipes to find them, is that right?
Yeah, and I think you'd be surprised at what you would see. Like, you know, typically you're going to see large amounts of unwanted automation hitting your applications. I think the reason so many security teams are underestimating the size of the problem is because these attacks are coming from tens of thousands, hundreds of thousands, even millions of IP addresses. So, you know, for years, security teams have been blocking by IP, and it's forced the attackers to become highly, highly distributed. So the security teams will typically identify the attack coming from the top 100 or 1,500 noisiest IPs, but they miss the long tail of tens of thousands, hundreds of thousands of IPs that are only used one or two times. Because, you know, over time we've forced the attackers to do this.

They're scaling.

Yeah, they are. And they're coming from residential IPs now, not just hosting IPs. They're coming from everywhere.

Wow. I mean, we know that the pandemic changed the way that organizations, they had to think more about network security, rethinking network security, obviously endpoint, cloud security. But it sounds like the attackers as well, not only did they exploit that exposure, but they were working from home.

The human click farms, they're now distributed. They're all working from home now. They said we could take advantage of that. When I was solving CAPTCHAs, you could do it on your cell phone, just by walking around solving CAPTCHAs for money.

Wow, scary world that we live in. Thank you for helping make it a little bit safer, guys. Really appreciate you coming to theCUBE.

We'll continue to work on that, and our motto is bring a better digital world to life. That's what we're going to set out to do.

I love it. All right, great having you guys.

Thank you.

And thank you for watching. Keep it right there. This is Dave Vellante from re:Inforce 2022. You're watching theCUBE, right back after this short break.