 Live from Las Vegas, it's theCUBE. Covering Discover 2016, Las Vegas. Brought to you by Hewlett Packard Enterprise. Now, here are your hosts, John Furrier and Dave Vellante. Okay, welcome back everyone. We are here live in Las Vegas for HPE, HPE Enterprise. Discover 2016, this is SiliconANGLE Media's theCUBE. Our flagship program, we go out to the events and extract the signal from the noise. I'm John Furrier, my co-host is Dave Vellante. Next guest is Sue Barsamian, Senior Vice President and General Manager of HPE Security Products, welcome back to theCUBE. Great to see you. Thank you, John. Thank you, Dave. It's great to be back. So a lot of stuff's happened since we last talked. I'll see in London for HPE Discover in Europe. But security is front and center, obviously it has to be. But one of the things I like about HPE Discover this year is besides the theme being front and center, is that you have the hacker den. And it says keep out, it's dark and it looks like a hackathon. And it's with the bad guys, the guys who protect against the bad guys are in there. A lot of experts, we strolled in there and it was fascinating the data that they have on the breaches and the attacks. And what's so fascinating about it is that how prevalent it really, really is. Share your thoughts on the status of current landscape around the breaches, the hacks. What's called that? Yeah, absolutely. Well, first of all, I agree with you, the bad guy lair, the fact that it's dark, the fact that you have Red Bull and potato chips in there somehow just creates the whole environment, which is really fun. But it really brings to life the threat landscape. And we just came out not too long ago with our latest threat report. There are a myriad of these reports, whether it's Verizon, whether it's Forcepoint. And the reality is not surprising, breaches are going up, the attacks are getting more sophisticated. And this is the new world we live in and that we need to protect. 
Talk about the style of hacking is one of the things that's coming up in the data that you guys are sharing here. And also in the industry is a hybrid kind of approach kind of old school tactics. I'll see insider threats to new techniques that are going. Can you explain kind of how you guys came to that and what the data you have and what that means? Absolutely. We say it's an and not an or. Sometimes we're all guilty of running to the shiny new thing. And in security, that's the advanced persistent threats. Those are new categories of sophisticated threats because the adversaries are getting more sophisticated where you really need machine learning and behavioral analytics in order to identify suspicious behavior. And you need to do that because the threats are getting more sophisticated. But at the same time, you need to be aware that the top exploits of 2015 were the top exploits of 2014 and many of them were the top exploits of 2013. And so you need to continue to do the basic blocking and tackling. You need to patch your applications. And so it's a combination of do the basics well and make sure that you're prepared for some of these newer, more sophisticated attacks. So there's a metric out there. You guys have yours and you mentioned there's all different methods, but it's a scary one, which is after penetration that takes anywhere between 200 to 300, depending on whose metrics you're looking at days to identify. And we're talking a little bit about our CXO research. And the premise that we put forth that I want to test with you is that the conversation with the boards has shifted from one of, we have to thwart penetration to one of, we have to respond. So is that a valid premise? And how is HP shifting its business and helping its customers support that? Absolutely a valid premise. We say you have to assume compromise. And there is not a customer that I meet today that doesn't assume compromise. 
And if you think about that, that's a massive fundamental shift from two years ago, even one year ago. And when you assume compromise, you need to pay more attention to detection and response. You also need to pay more attention to is what they're after secure? And I would argue that in 99% of the cases, the adversary's after your data, either for financial gain or corporate espionage reasons, it's your data. 85% of the time they get to your data through an application. So we see a huge increase in focus on let's harden the data and let's harden the application because if they're in, at least we know that the target's safe. There's some scuttlebutt out there and I've been hearing in the hallways, certainly in our research, and we're not holding a full security practice research, but in talking to some of the CXOs and IT guys is that China, for instance, there's a huge R&D theft going on outside of certain countries. So intellectual property is a big deal. And so you're seeing how the industry, some of these industries are built with no R&D, all kind of stolen theft. So we see that business model emerging. And I wanted you to talk about this because this is now coming up in mainstream boardrooms, is that there's a business model around hacks and that from everywhere from team formations, black markets selling of certain roles is like, it's like a football team. You got a running back, you got a quarterback, someone's on the inside, that's their roles to sprawl and expand. Can you talk about this dynamic and then what that means to the customer? Because that takes it out from an IT sort of point solution execution to a much more holistic view. It's people, it's process, it's technology. We call this the business of hacking. And like any adversary or a corporate competitor, you make it your job to understand everything there is to know about your competitor's business and their business model in order to determine how to disrupt it. That's normal course of business. 
And we need to think of the hackers and the adversaries that way. They're running businesses. They're running businesses for financial gain and profit. And they have a complete structure. They have R&D teams, they have marketplaces and routes to market where they sell their services. They have HR forums where they recruit, train and retain staff. And the more you understand how they build their organization and what their profit pool and business model looks like, the more you're then able to disrupt it. I mean, it's happening in the shadows but now it's apparent. So what do you guys look at? What conversations do you have with customers? Let's go down that route because that must be very difficult. And can you share some of the anecdotal conversations you have with customers? Do they scratch their head and like, what do I do? Are they face-palming? I mean, what's happening with the customers? Because it is a dynamic, it's a landscape. It's Chris Hsu who's got a military background and he says, the enemy's complexity in his view but in security, you have now teams. What's the conversations like? Well, I would tie it back to the conversation we just had which is that if you assume compromise and again, you look at the very sophisticated adversary, you look at the fact that they've got sophisticated and complicated business models of themselves. If you assume compromise and you say, okay, what do I need to be prepared for in the event that they get in and in the event that they actually get what they're after. Well, there's no reason these days if they're after your intellectual property, whether that's structured data or unstructured data, you can render it valueless even if they get it and you can do that with technologies that we have today around encryption, around tokenization so that even if they capture your data, it has no value for them because it's completely encrypted. 
These password vaults are becoming prevalent too for man-in-the-middle attacks and we've seen a lot of the basics as an old school technique. Yeah, absolutely. There's, I mean, the whole category, back to the earlier conversation, the whole category of data security, I think in the context of I'm assuming compromise is becoming increasingly more important. Okay, so given that not everybody encrypts everything, response is also an important part of the whole remediation process. So specifically, what is HP doing to sort of shift its business toward that response mechanism? Is it more analytics, different tooling? Have you obviously delevered some security assets that maybe weren't a fit? But talk about that a little bit. Yeah, since we were together last, divested of the TippingPoint portfolio in order to double down on analytics and detection and response. So we shifted that investment directly into intelligence security operations, which is around the things we were already doing to detect known threats at scale, increasing our capacity to detect the unknown with both analytics and machine learning. So for example, one of the things we've announced and have shipped in the last year is the use of analytics and machine learning to detect malware-infected hosts by analyzing DNS traffic and DNS streams. We actually developed and tuned those algorithms over a two-year period with HP Labs and our own in-house cyber defense center, the team that protects HPE. And that is a great example of the use of analytics and machine learning to analyze a stream like DNS for behavioral anomalies that would indicate exfiltration is going on. DNS is a signal that you're looking at as one data point, but it can be telling, right? Yeah, yeah, and there are many data points. And so the important thing is, analytics is not one size fits all, but it is what are the use cases that you need to look at? 
And for that particular use case, what's the data science that will help you identify the anomaly and what are the sources of data that you need to analyze in order to do so? So assuming compromise, assuming somebody's inside, how are analytics allowing you to identify, for instance, activities inside and surfacing them more quickly? Can you compress that 200 days or 300 days or whatever metric it is? Yeah, absolutely. First of all, you should understand that part of the 218 we say days is the fact that part of a sophisticated attack is waiting, right? Because you may rise above the threshold or above the radar, but then you go back below the radar before you prosecute the next step. So the Bank of Bangladesh heist is a great example, which got a lot of publicity. Well, the adversaries were in and they specifically waited until just before the start of the weekend to prosecute the attack because they knew that the staffing levels in the SOC would be lower at that period of time. So waiting is actually part of the game these days. How about visualization? How does that play into maybe compressing the time in which it takes to discover, seeing people trying to traverse or the bad guys traversing different servers or different answers? You're triaging a lot of information if you're an analyst. We'll surface something that is suspicious. The question is, is it malicious and how do you compress the time between suspicious to malicious? And when you're looking at complex data sets and triaging data points, like, okay, that looks like suspicious behavior around an IP address. What is that IP? Is it a user? Is it a host? What was happening at that time? What was happening in the previous 24 to 48 hours? And visualization techniques are really valuable in terms of being able to get your arms around correlations. And we give a variety of options. Do you want to visualize it in a pie chart, a bar chart, a spider graph? 
And the answer will be yes, yes, and yes, depending upon the use case. So analyzing log files has been sort of, five years, three years ago, was sort of the big thing. What's next? What's sort of beyond analyzing log files? What are we seeing there? IoT, we did a big announcement here. So seas of sensors getting input from the edge. We did the Edgeline announcement this year. We did the GE partnership here at Discover. So as you look at, I was just at John Deere a couple of months ago. A modern tractor has 330 sensors on it already. Well, you want to protect that environment as well as use it for predictive analytics and security analytics. So the definition of what you stream in to a security operations center now goes far beyond security devices, infrastructure logs. And it goes all the way up to the cloud and all the way out to the edge. And your portfolio is expanding presumably to accommodate those changes. Is that it's a combination of organic, R&D. You've made some investments in companies, presumably M&A. If you want to share anything with us, it'd be great. Surprisingly not. Can you talk about who you're going to buy next? How are you evolving the portfolio? So we're evolving the portfolio very aggressively, organically. And we continue to look at M&A opportunities. I can tell you obviously can't share that with you this morning. And you mentioned the fact that we're very actively making venture investments through our HPE Pathfinder program. Hexadite was one that we've done in the last six months. They're here at Discover. And they essentially, in the security world, they automate the runbook, which means that once you get an alert and an analyst would go prosecute a series of steps to determine if suspicious is malicious, Hexadite can automate that process. That's huge because that's something that just takes so much time. Nobody really wants to do it, but they have to do it. And skills shortage is the number one problem. 
Right, and partnerships as well. I mean is it sort of, are there partnerships involved in solving this problem? I mean you mentioned Hexadite, of course that's an investment there, but other partnerships that you can talk about the ecosystem. Depending upon the category in security operations partnerships with almost every flavor of security analytics, in data security partnerships with people like our own NonStop team, that's a very good, highly secure hardware environment, is very synergistic with highly secure data. And then people like Teradata. Teradata is a very important industry partnership for us on the data security side for obvious reasons. On the application security side, partnerships like Microsoft, you saw on stage on day one, Microsoft's global CISO Bret Arsenault. And he uses our application security portfolio to protect and secure their entire repertoire of internal applications at Microsoft, but we integrate in with their development tool sets because that's a very important partnership. What about regulation? Regulation is a big deal. Do you attack regulation? Is there more regulation needed or less? We debate this all the time on theCUBE, open source. Some say open it up and then let the marketplace fill in the holes with security. So there's always been that balance. What's your thoughts on the regulation environment? Yeah, so ultimately I think in this space regulation is necessary. What we would like to see is compliance equaling security. And what you see in many cases is compliance adds complexity and cost, but doesn't actually translate into a secure environment. And I think the more we can make those synonymous, the better off we are. The more we can make complying with the regulation easier, which is part of our job, the better off we are. How would you describe the way in which CXO, CIO, CISOs should be, even best practice, are communicating to boards of directors about security, about cybersecurity. What should they know? 
Well, they should know that there's not a one size fits all approach to that conversation because the first thing the CXO needs to agree with the board is what's our risk posture? And every company will have a different risk posture based on the industry that they're in, based on the sensitivity of the data that they have within their environment, and based on what risks they're willing to take in exchange for how much they're willing to spend. And level setting that playing field is probably the first job of a CXO and a CISO. So it's great to have you on theCUBE. Thanks for sharing the great insights. Always a pleasure to get the insight that's going on security. I guess my final question may be more of a personal one for you. We were talking before we came on camera about our daughters, our daughters pre-med, and you have daughters of math degrees in science. What advice would you have for young people, women, young girls and ladies in tech that they could learn from the current environment that you see out here now to navigate if they have a real passion for science or math or anything in the STEM field? What, I'm sure you get this question all the time. Yeah, it's a great question. Yeah, in fact, I'll say we did a women's forum with Meg yesterday and Meg often gets the question what would you do differently? What would you advise your 17-year-old self? And her comment is I would go into STEM. And to me, it is the future and I would advise every young woman to go into STEM and put yourself in the path of a high-growth category and cyber is a perfect example. We just launched a fellowship with the GroundTruth called TechTruth. It's a women in tech fellowship where we're funding two fellows that are going to cover the Grace Hopper Conference. Oh, excellent. Yeah, in Houston. That's really exciting about that. And we have a 45-stage here with NPR, PRIs. We have a big presence there. Excellent, it's a great cause, nice job on that. 
Thank you so much, Sue, great insight. The security hackers are out there. It's a business model. You got to understand the competition. They're out there and that's a great board conversation. Certainly, Dave, your work is very relevant. I think this is one of those things that's evolving rapidly and it's critical. So thanks so much for sharing. Great, thanks so much. We are here live in Las Vegas for HPE for Enterprise with Sue, the head of the security group here within HPE. This is theCUBE. I'm John Furrier with Dave Vellante. We'll be right back.