From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019. Brought to you by Qualys.

Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. They've been doing this for 19 years. They've been in this business for a long time, seen a lot of changes. So we're happy to be here. Our next guest works for Caterpillar. He is Brian Rossi, the Senior Security Manager of Vulnerability Management. Brian, great to see you.

Thanks for having me.

So I was so psyched. I had to interview a gentleman from Caterpillar a few years ago, and it was fascinating to me how far along kind of the autonomous vehicle route Caterpillar is. And I don't think most people understand, right? They see the Waymo cars driving around and they read about all the stuff. But Caterpillar's been doing autonomous vehicles for a super long time.

Really long time, a really long time. 25 plus years kind of pioneering a lot of the autonomous vehicle stuff that's out there. And we've actually, it's been cool. Had an opportunity to do some security testing on some of the stuff that we're doing. So even making it safer for the mines and the places that are using it today.

Yeah. You don't want one of those big giant dump truck things to go rogue. Off a cliff. Yeah, no, bad idea. Or into a bunch of people.

All right, so let's jump into it. So vulnerability management, what do you kind of focus on? What does that mean exactly?

So for me, more on the traditional vulnerability management side. So I stay out of the application space, but my group is focused on identifying vulnerabilities for servers, workstations, endpoints that are out there, working with those IT operational teams to make sure they get those patched and reduce as many vulnerabilities as we can over the course of a year.

So we've done some stuff with Forescout and they're the kings of vulnerability sniffing out. In fact, I think they have an integration with Qualys as well. So is it always amazing as to how much stuff that gets attached to the network that you weren't really sure was there in the first place?

Yes, absolutely. And it's fun to be on the side that gets to see it all and then tell people that it's there. I think with Qualys and with some of the other tools that we use, right, we're seeing these things before anybody else is seeing them and we're seeing the vulnerabilities that are associated with them before anybody else sees them. So it's an interesting job to tell people what's out there when they didn't even know.

Right, so another really important integration is with ServiceNow and you're giving a talk I believe tomorrow on how you use both Qualys and ServiceNow together. Give us kind of the overview of what you're going to be talking about.

Absolutely. So the overview is really what our motto has been all year, right, is put work where people work. So what we found was that with our vulnerability management program, we're doing scanning, we're running reports, we're trying to communicate with these IT operational teams to fix what's out there. But that's difficult when you're just sending spreadsheets around and you're trying to email people, there's organizational changes, people are moving around, they might not be responsible for those platforms anymore. And keeping track of all that is incredibly difficult on a global scale with hundreds of thousands of assets that people are managing. And so we turned to ServiceNow and Qualys to really find a way to easily communicate, not just easily, but also timely communicate those vulnerabilities to the teams that are responsible for doing it.

Right, so you guys already had the ServiceNow implementation obviously, it was something that was heavily used you. So kind of implying that that was the screen that a lot of people had open on their desktop all the time.

We lucked out that we were early in the implementation with ServiceNow. So Caterpillar was moving from a previous IT service management solution to ServiceNow. So we got in on the ground floor with the teams that were building out the configuration management database. We got in with the ground floor with the teams who were operationalizing using ServiceNow to drive their work. We had the opportunities to just build relationships with them, take those relationships, ask them how they want that to work and then go build it for them.

Right, it's so funny because everyone loves to talk about single pane of glass and to own that real estate that's on our screens that we sit and look at kind of all day long on our right day. It used to be email, it's not so much email anymore and ServiceNow is one of those types of apps that when you're in it, you're working it, that is your thing. And it's one thing to sniff out vulnerabilities and find vulnerabilities, but you got to close the loop. You got...

Absolutely. And that's really where the ServiceNow piece fits. And it's been great. We've seen a dramatic reduction in the number of vulnerabilities that are getting fixed over the course of the 30-day period. And I think it simply is because the visibility is finally there and it's real-time visibility for these groups. They're not receiving data 50 days after we found it. We're getting them that data as soon as we find it and they're able to operationalize it immediately.

Right, and what are some of the actions that are kind of the higher frequency that you found that you're triggering that this process is helping you mitigate?

I would say actually what it's really finding is some of our oldest vulnerabilities. A lot of stuff that people have just kind of let fall off the plate and they're isolated, right? They may have run patching for a specific vulnerability six months ago, but there was no view to tell them whether or not they got everything. Or maybe it was an asset that was off the network when they were patching and now it's back on the network, right? So we're getting them the real-time visibility of stuff that they may have missed that they would have never seen before without this integration.

So I'd love to get your take. One of the top topics that came in in the keynote this morning, both with Dick Clarke as well as Philippe, was kind of IoT, 5G and the increasing surface area, attack surface area, right? Vulnerability surface area. You guys, Caterpillar is obviously well into Internet of Things. You've got a lot of connected devices. I'm sure you're excited about 5G and I'm sure like in a mining environment or those types of environments are just prime kind of 5G opportunities. Bad news is your attack surface just grew exponentially. So you're in charge of keeping track of vulnerabilities. How do you kind of balance the opportunity and what you see that's coming with 5G and connected devices and even another rash of sensors compared to the threat that you have to manage?

Certainly in the IoT space it's unique. We can't do the things to those devices that we would do with normal laptops, assets, right? So I think figuring out unique ways to actually deal with them is going to be the hardest part. Finding vulnerabilities is always the easiest thing to do but dealing with them is going to be the hard part. 5G is going to bring a whole new ball game to a lot of the technology that we use. Our engineering groups are looking at those and we're going to be partnering with them all the way through their journey on how to use 5G, how to use IoT to drive better services for our customers and hopefully security will be with them the whole way.

The other piece that didn't get as much talk today but it's a hot topic everywhere else we go is edge. And this whole concept of do you move the data, do you move the data to the compute, do you move the compute to the data? I'm sure you guys are going to be leveraging edge in a big way when you're getting more of that horsepower closer to the sites. There's a lot of challenges with edge, it's not a pristine data center, there's nasty environmental conditions and you're limited in power and connectivity, some of these other things. So when you think about edge in your world and maybe you're not thinking of it but I bet you are, how are you seeing that again as an opportunity to bring more compute power closer to where you need it, closer to these vehicles.

So I think, I wish I had our other security division here with me to talk about it there, we're piloting a lot of those things but that's been a big piece of our digital transformation at Caterpillar is really leveraging data from those connected devices that are out in the field and we actually, our edge has to be brought closer to home. Our engineers pack so much into the little space they have on the devices that are out there that they don't have room to actually calculate on that data that's out in the field. So we are actually bringing the edge a little closer to home in order for us to provide the best service for our customers.

So another take, kind of on digital transformation, you talked about Caterpillar's digital transformation, you've been there for five years now, before that you were at State Farm, checking on your LinkedIn. State Farm is the business of actuarial numbers. Caterpillar has got big heavy metal things and yet you talk about digital transformation. How did you guys, how are you thinking about digital transformation in this heavy equipment industry that's in construction, probably not what most people think of as a digital enterprise but in fact you guys are super aggressively moving that direction.

Yeah and for us from a security perspective it's been all about shift left. We have to get embedded with these groups when they're designing these things, we have to be doing threat models, we have to be doing pen testing, we have to be doing that secure life cycle the entire way through the product because with our product line, unlike State Farm where we could easily just make a change to an application so that it was more secure, once we produce these vehicles and once we roll them out and start selling them they're out there and we build our equipment to last, right? So there's not an expectation that a customer is going to come back and say I'm ready to buy a new truck two years from now because there's a security vulnerability. So yeah, it's a big thing for us to get as early into development life cycle as possible and partner with those groups.

I'm curious in terms of kind of the role of the software, kind of the embedded software systems in these things now compared to what it was five years ago, 10 years ago because you do need to upgrade it and we've seen with Teslas, right? You get patches and upgrades and all types of things. So I would imagine you're probably a lot more Tesla-like than the Caterpillar of 20 years ago.

Moving that direction, right? And that is the goal, right? We want to be able to get the best services and the most quality services to our customers as soon as possible.

Right, very cool. Well, Brian, next time we talk I want to do it on a big truck. A big yellow truck. I do want to do it here at the Bellagio. Let's do it. All right, excellent. Well, thanks for taking a few minutes. Really appreciate it. Absolutely.

All right, he's Brian. I'm Jeff, you're watching theCUBE. We're at the Bellagio in Las Vegas, not on a big yellow truck out in the middle of nowhere digging up holes and moving big dirt around. Thanks for watching. We'll see you next time.