 from Orlando, Florida. It's theCUBE, covering ServiceNow, Knowledge 17. Brought to you by ServiceNow. Welcome back to Orlando, everybody. This is theCUBE, the leader in live tech coverage. We go out to the events. We extract the signal from the noise, and we're here for our fifth year at Knowledge. This is Knowledge 17. Sean Convery is here as the general manager of the security business unit at ServiceNow, an area that I'm very excited about, Sean. Welcome back to theCUBE. It's good to see you again. It's great to be here. Thanks for having me. Let's say you guys launched last year at RSA. We talked in depth at ServiceNow Knowledge about what you guys were doing. You quoted a stat the other day, which was, I thought, pretty substantial at the financial analyst meeting, 1.1 million job shortfall in cyber. That is huge. That's the problem that you're trying to address. Well, it's unbelievable. I was, you know, we're just doing the keynote earlier this morning, and I was recounting that, you know, most people in security get into it because they have some desire to save the world, right? They watched a movie, they read a book, they're really excited and motivated to come in. What was yours? Was it a comic book? It was War Games with Matthew Broderick. I was 10 years old, which totally dates me. Movie came out in 83, so nobody has to look it up. And, you know, I was just blown away by this idea of using technology and being able to change things. And the trouble is, analysts show up to work and they don't have that experience. And nobody would expect it, but they're not even close, right? They wind up being told, okay, here's all this potential phishing email. We'd like you to spend 20 minutes on each one trying to figure out if it actually is phishing. And there's 600 messages. So tell me when you're done and I'll give you the next 600 messages. And so it's not motivating. It's sexy as War Games. It's not as sexy as War Games, exactly. 
And then the CISOs say, well, you know, I can't even afford the people who are well trained. So I hire people right out of school. It takes me six months to train them. They're productive for six months and then they leave for double their salary. So you wind up with a sort of a 50% productivity rate out of your new hires. And it's just a recipe for the past, right? You know, we need to think more about how we change things. So let's sort of remind our audience in terms of security. You're not building firewalls. You're not competing with a lot of the brand name security companies like McAfee or FireEye or Palo Alto Networks. You're complementing them. Talk about where you fit in the security ecosystem. Sure, so if you boil down the entire security market, you can really think about protection and detection as the main two areas. So protection, think of a firewall and antivirus, something that stops something bad. And then think of detection as I'm going to flag potentially bad things that I think are bad, but I'm not so certain that I want to absolutely stop them. And so what that does is it creates a queue of behavior that needs to be analyzed today by a human, right? So this is where the entire SIEM market and everything else was created to aggregate all of those alerts. So once you've got the alerts, you know, awesome, but you've got to sort of walk through them and process them. So what ServiceNow has focused on is the response category. You know, visualization, aggregation is nice, but what would be much better is to provide folks a mechanism to actually respond to what's happening, both from a vulnerability standpoint and from an incident standpoint. And this is really where ServiceNow's expertise shines because we know workflow. We know automation. We know about system of action, right? So that's our pedigree. And IT, frankly, is several years ahead of where the security industry is right now. 
And so we can leverage that body of expertise, not just within ServiceNow, but within all of our partners to help accelerate this transformation for security teams. So I got to cut right to the chase. So last year we talked about, and of course every time we get a briefing, for instance, from a security vendor, we're given the stat that on average it takes 200. Sometimes you've seen them as high as 300, but let's say 200 days to detect an incident. And then the answer is so by our prevention or our detection solution. I asked you last year, and I tweeted out a couple of days ago: has ServiceNow affected that? I asked you last year, can you affect that? Can you compress that timeframe? You said, we think so. What kind of progress have you made? Sure, so you have to remember about that 200 day stat, that that is an industry average across all incidents, right? So the Ponemon Institute pulls this data together once a year, they survey over 300 companies, and they found it, I think it's 206 days, is the average right now. And so to identify a breach, and then another 70 days to contain it. So together it's nine months, which is a frighteningly long period of time. And so what we wanted to do is measure across all of our production security operations customers, what is their average time to identify and time to contain? So it turns out it's so small, we have to convert it to hours. It's 29 hours to identify, 33 hours to contain, which actually is a 160X improvement in identification, and a 50X improvement in containment. And so we're really excited about that. But frankly, I'm not satisfied. We're still, I'm still measuring in hours. Granted, we've moved from months to hours, but I want to go from hours to minutes to seconds. And really, we can show how we can do that in minutes today with certain types of attacks, but there's still the long breaches. That's a dramatic reduction. 
I know that 206, whatever it is, is an average of averages, but the delta between what you're seeing in your customer base is not explainable by, oh, well, the ServiceNow customers just happen to be better at it or luckier. It's clearly an impact that you're having. Well, sure, let's be as honest as we can be here. The people who are adopting security operations are forward-thinking security customers, so you would expect that they're better. Leading edge, yeah. And so their program should be already more mature than the average program. And if you look across those statistics, like 200 and some days, that includes four-year-long breaches, and it also includes companies that frankly don't pay as much attention to security as they should. But even if you factor all of that out, it's still a massive, massive difference. So if I looked at the bell curve of your customers versus sort of the average in that survey, you'd see the shift, the lump would shift way to the left. Correct, correct. And we actually have a customer, Ron Wakeley from AMP Financial Services out of Australia, who was just up on stage talking about a 60% improvement in his vulnerability response time. So from identifying the vulnerabilities via Qualys, Rapid7, Tenable, whoever their scanning vendor is, all the way through IT patching, 60% faster. And given that, I think it's something like 80% of attacks come from existing vulnerabilities, that's a big change. So you got to love when you're measuring things and you change the variable that you're measuring as opposed to the number, right? That means you're doing good things. So to go from hours to minutes, is it continuous improvement, or are there some big potential challenges that you can see that if you overcome those challenges, those are going to give you some of these monumental shifts in the performance? I think we're ready. I think when we come back next year, the numbers will be even better, and this is why. 
So many of our customers started by saying, I have no process at all. I have manual, you know, I'm using spreadsheets and emails and notebooks, you know, to try to manage the security incident when it happens. So let me just get to a system of action. Let me get to a common place where I can do all of this investigation, and that's where most of our production customers are. So if you look across the ones who gave us the 29 hour and the 33 hour stat, they're really just getting that benefit from having a place for everybody to work together. Where we're going, but this is already shipping in our product, is the ability to automate the investigation. So back to the, you know, the poor 10 year old who was disappointed that he didn't get to save the world, you know, now he gets to say, this entire investigation stage is entirely automated. So if I hand an analyst, for example, an infected server, there's 10 steps they need to do before they even make a decision about anything, right? They have to get the network connections, get the running processes, compare them to the processes that should be on the system, look up on a reputation site, all the ones that are wrong, like all these manual steps, we can automate that entire process so that the analyst gets to make the decision. He sort of presented the data, here's the report, now decide. The analogy I always use is the doctor who's sort of rushing down in an ER show and somebody hands an MRI or an X-ray and he's looking at it, you know, through the fluorescent lights as he's walking, he's like, oh, you know, five milliliters of whatever and do this, right? Like, that's the way an analyst wants to work, right? They want the data so they can decide. It's just the classic way that machines help people do better work, right? Which we hear about over and over and over. Let the machines do the machine part, collecting all the shitty, boring data, and then present, you know, the data to the person to make the decision. 
Absolutely. Probably with recommendations as well, right? With some weighted average recommendations. Yeah, and this is where it gets really exciting because the more we start automating these tasks, you know, the human still wants to make the decision, but as we grow and grow this industry, one of the benefits of us being in the cloud is we can start to measure what's happening across all of our customers. So when attack X occurs, this is the behavior that most of our customers follow. So now if you're a new customer, we can just say in your industry, customers like you tend to do this, right? And really excited by what our engineering team is starting to put together. Do you have a formal, or at some point, maybe down the road, a formal process where customers can opt into an aggregation of, you know, we're all in this together, we are publicly going to share our breach data with one another so that we can start to apply a lot more data across properties to come to better resolution quicker. Well, we actually announced today something called Trusted Security Circles. So this is a capability to allow all of our customers to share indicators. So when you're investigating an issue, the indicators of something bad are called an indicator of compromise or an IOC. So we can share those indicators between customers, but we can do that in an anonymous way, right? And so, you know, analogy I'd give you is, what do you do when you lose power in your house, right? You grab the flashlight, you check the breakers, and then when you look out the window, because what are you trying to find out? Is anybody else out? Is anybody else out? Exactly. So you can't do that in security. You're all alone, right? Because if you disclose anything, you risk putting your company further in a bad spot, right? Because now it's reputation damage, somebody discloses the information. So now we've been able to allow people to do this anonymously, right? So it's automatic. 
I share something with both of you. You only see that I shared if it's relevant, meaning if the ServiceNow instance found it in your own environment, and then all three of us are in a trusted circle, when any one of us shares, we know it was one of the three, but we don't know which one, so the company's protected. So, just anecdotally, when I speak to customers, everybody still is spending more on prevention than on detection. And there's a recognition that that has to shift, and it's starting to. Now you're coming in and saying, invest in response, which you remember from our conversation last year, I think is right on. I'm super excited about that because I think the recognition must occur at the boardroom that you are going to get infiltrated. It's your response that is going to determine the quality of your security. And you still have to spend on prevention and detection. But as you go to the market, first of all, can you affirm or deny that you're seeing that shift from prevention to detection and spending, is it happening fast enough? And then as you go in and advise people to think about spending on responding, what's the reaction? What are you finding are the headwinds and what's the reception like? Sure, so to your first question about protection to detection, I would say that if you look at the matured protection technologies, they are continuing to innovate, but certainly what you would expect a firewall to do this year is somewhat similar to what you expected it to do last year. But the detection category really feels like where there's a lot of innovation. So you're seeing new capabilities on the endpoint side, network side, anomaly, you're seeing all sorts of different analytics. Absolutely, and so I do see more spend simply because more of these attacks are too, too nasty to stop, right? You sort of have to detect them and do some more analysis before you can make the decision. 
To your second question about what's the reception been when we start talking about response, I haven't had a single meeting with a customer where they haven't said, wow, we need that, right? I've never had anybody go, oh yeah, our program is mature, we're fine, we don't need this. The question is always just where do we start? And so we see vulnerability management as one great place to start, incident response is another great place to start. We introduced the third way to start just today as well. We started shipping this new capability called vendor risk management, which actually acknowledges the, we talked about the perimeterless network what, five years ago, something like that. We're saying, oh, the perimeter's gone, mobile devices, whatever. But there's another perimeter that's been eroding as well which is the distinction between a corporate network and your vendors and suppliers. And so your vendors and suppliers become massive sources of potential threat if they're not protected. And so the assessment process, there's telcos who have 50,000 vendors. And so you think about the exposure of that many companies and the process to figure out do they have a strong password policy, right? Do they follow the best practices around network security, those kinds of things. We're allowing you to manage that entire process now. So you're obviously hunting within the ServiceNow customer base, presumably, right? You want to have somebody to have the platform in order to take advantage of your product. Can you talk about that dynamic but also other products that you integrate with? What are you getting from the customers? Do I have this capability? This is who I use for firewall, who I use for detection. Do you integrate with them? I'm sure you're getting that a lot. Maybe talk to them. Sure, sure. So first off, it's important to share that the ServiceNow platform as a whole is very easy to integrate with, right? So there's APIs throughout the entire system. 
We can very easily parse even emails. We have a lot of customers that have an email generated from an alert system and we can parse out everything in the email and map it right into a structured workflow. So you kind of move from unstructured email immediately into now it's in ServiceNow. But we have 40 vendors that we directly integrate with today. And when I was here about a year ago, that number I think was three or maybe even two. And so we're up at 40 now. And that really encompasses a lot of the popular products. So we can, for example, a common use case, we talked about phishing a little bit, right? Let me process a potential phishing email, pull out the URL, the subject line, all the things that might indicate bad behavior. Let me look them up automatically on these public threat sources like VirusTotal or MetaDefender. And then if the answer is they don't think it's bad, I can just close the incident, right? But if they think it's bad, now I can ask the Palo Alto firewall, are you already blocking this particular URL? And if the Palo Alto firewall says, yeah, I was already blocking it, again, you can close the incident. Only the emails that were known to be bad and your existing perimeter capabilities didn't stop, do you need to involve people? I have to ask you, it goes back to the conversation we had with Robert Gates last year. But I felt like Stuxnet was this milestone where the game just got escalated big time and it went from sort of harmless, sometimes not harmless, but really up the level of risk because now others, the bad guys really dug into what they could do and it became pretty substantial. I was asking Gates generally about sort of the future of warfare and cyber and this is obviously before the whole Russian hacking but certainly Snowden and WikiLeaks and so forth was around. And he said the United States has to be very careful about how it responds. 
We have maybe many more capabilities but if we show our hand, others are going to see those weapons and have access to those weapons because it's digital. I wonder as a security expert if you could sort of comment on the state of security, the future of that threat generically or generally where you see that going? Well there's a couple things that come to mind as you're talking. One is you're right, Stuxnet was an eye-opener I think for a lot of people in the industry that these kinds of vulnerabilities are being used for nation-state purposes rather than just sort of random bad behavior. So I would go back to what I said earlier and say that we have to take the noise, the mundane off the table. We have to automate that because you're absolutely right. These sort of nation-state attackers, if you're at a Global 2000 organization, your intellectual property is valuable, the data you have about your employees is valuable. All this information is going to be sought by competitors, by nation-states and you have to be able to focus on those kinds of attacks which back to my kind of War Games analogy, like that's what these people wanted to do. They wanted to find the needle in the haystack and instead they're focusing on something more basic. And so I think if we can up the game, that changes things. The second really interesting thing for me is this challenge around vulnerabilities. So you talked about Gates saying that he has to be careful sort of how much he tips his hand. I think it was recently disclosed that the NSA had a stockpile of vulnerabilities that they were not disclosing to weaponize themselves. And that's a really paradoxical question. Do you share it so that everybody can be protected, including your own people? Imagine Acrobat, you find some problem in Acrobat. Like, well, do you use it to exploit the enemy or do you use it to protect your own environment? 
So you're kind of, it's a huge dilemma because you're assuming either they have it or they don't have the same vulnerability. And so I'm fascinated by how that whole plays out. It's a little frightening. And you know, in the land of defense, you think, okay, United States has the biggest defense, spends the most money, has the most amazing machines, whatever, but in cyber, you know, you presume that's the case, but you don't really know, I think, of high-frequency trading. You know, it was a lot of Russian mathematicians that actually developed that. So, you know, clearly other states have, you know, smart people that can, you know, create, you know, dangerous threats. And it's- Plus they only have to win once, too. That's kind of the defense game. You got to defend them all. You have to bat a thousand on the defense side or, you know, get it and react. But from the other guy's side, he can just pound, pound, pound, pound, pound. You just got to get through once. And so this is why- Tough math. Your strategy of response is such a winner. Well, this is where it comes back to risk as well, right? I mean, at the end of the day, you're right. You know, a determined adversary, you know, sorry to break it to everybody, you know, at some point is going to be able to find some way to do some damage. The question is, how do you quantify the various risks within your organization? How do you focus your energy from a technology perspective, from a people standpoint, on the things that have the most potential to do your organization harm? And then, you know, there's just no way people can stop everything unless you, you know, unplug. And then there's a business, then there's the business part of it, too, right? Because it's like insurance. When do you stop buying more insurance, you know? You could always invest more at a one point, at what point does the investment no longer justify the cost? Because there's no simple answer. 
Well, this is where, you know, we talk to chief information security officers all the time who are struggling with the board of directors' conversation. How do I actually have an emotional conversation that's not mired in data around how things are going? And today, they often have to fall back on stats, like, you know, we process five million alerts per day, or we have, you know, X number of vulnerabilities. But with security operations, what they can do is say things like, well, my mean time to identify, you know, was 42 hours and this quarter, it's 14 hours. And so the dollars you gave me, here's the impact. You know, I had 50 critical vulnerabilities last quarter. This quarter, I have 70, but only on my mission critical systems. So that indicates future need to fund or reprioritize, right? So suddenly now you've got data where you can actually have a meaningful conversation about where things are from a posture perspective. And these are the assets that we've, you know, quantified the value of. These are the ones that we're prioritizing the protection on. And here's why we came up with that priority. Let's look at that and, you know, agree. Exactly. You know, large organizations, I was talking to the CISO of a Fortune 50, I guess. And he was sharing that it takes that 40%, 40% of their time in incident response is spent tracking down who owns the IP address. 40%. So imagine you spend 40% of a, you know, 25 hour response time investigating who owns the asset. And then you find out it's a lab system or it's a spare. You just wasted 40% of your time. But if you can instead know, oh, this is your financial reporting infrastructure. Okay, super high priority. Let's focus in on that. So this is where the business service mapping, the CMDB becomes such a differentiator when it's in the hands of our customers. Super important topic, Sean Convery. Thanks very much for coming back in theCUBE and great work, love it. It's great to be here. Thanks for having me. 
You're welcome all day. All right, keep it right there, everybody. We'll be back with our next guest. This is theCUBE. We're live from ServiceNow Knowledge 17 in Orlando. We'll be right back.