Hello, and welcome back to theCUBE's coverage of AWS Reinforce here in Boston, Massachusetts. I'm John Furrier. We're here for a great interview on the next generation topic of State of Industrial Security. We have two great guests, Tim Jefferson, Senior Vice President, Data Network and Application Security at Barracuda and Sinan Eren, Vice President of Zero Trust Engineering at Barracuda. Gentlemen, thanks for coming on theCUBE. Talk about industrial security. Yeah, thanks for having us. So one of the big things that's going on, is you've got zero trust. You've got trusted software supply chain challenges. You've got hardware mattering more than ever. You've got software driving everything. And all this is talking about industrial. Critical infrastructure. We saw the oil pipeline had a hack and ransomware attack and that's this constant barrage of threats in the industrial area. And all the data's pointing to that this area is going to be fast growth. Machine learning's kicking in, automation's coming in. This is a huge topic, huge growth trend. What is the big story going on here? Yeah, I think at a high level, we did a survey and saw that over 95% of the organizations are experiencing security challenges in this space. So the blast radius of the interface that this creates so many different devices and things and objects that are getting network connected now, create a huge challenge for security teams to kind of get their arms around that, you know? Yeah, and I can add that, you know, majority of these incidents that these organizations suffered lead to significant downtime, right? And we're talking about operational technology here. You know, lives depend on these technologies, right? Our well-being, everyday well-being depend on those. So that is a key driver of initiatives and projects to secure industrial IoT and operational technologies in these businesses. Well, it's great to have both of you guys on.
Tim, you know, you had a background at AWS and sitting on your startup founder, soldier coming to Barracuda, both very experienced, seen the ways before in this industry. And I like that, if you don't mind, talk about three areas, remote access, which we've seen in huge demand with the pandemic and now coming out with the hybrid and certainly industrial, that's a big part of it. And then secondly, the trend of clear commitment from enterprises to have a public cloud component. And then finally, the secure access edge, you know, with SaaS business models, securing these things, these are the three hot areas. But let's go into the first one, remote access. Why is this important? It seems that this is the top priority for have immediate attention on, what's the big challenge here? Is it the most unsecure? Is it the most important? What, why is this relevant? So now I'll let you jump in there. Yeah, sure, happy to. I mean, if you think about it, especially now we've been through a pandemic shelter in place cycle for almost two years, it becomes essentially a business continuity matter, right? You do need remote access. We've also seen a tremendous shift in hiring the best talent wherever they are, right? Onboarding them and bringing the talent into businesses that have maybe a lot more distributed environments than traditionally. So you have to account for remote access in every part of everyday life, including industrial technologies. You need remote support, right? You need vendors that might be overseas, providing you guidance and support for these technologies. So remote support is every part of life, whether you work from home, you work on your own to go, or you are getting support from a vendor that happens to be in Germany, teleporting into your environment in Hawaii. All these things are essentially critical parts of everyday life now. Talk about ZTNA, Zero Trust Network Access. This is a major component for companies.
Obviously, you know, it's a position taking trust and verifies one other approach. Zero Trust is saying, hey, I don't trust you. Take us through why that's important. Why is Zero Trust Network Access important in this area? Yeah, I mean, I can say that traditionally remote access, if you think about the infancy of the internet in the 90s, right? It was all about encryption in transit, right? You were all about, internet was vastly clear text, right? We didn't have even SSL/TLS widely distributed and available. So when VPNs first came out, it was more about preventing sniffing clear text information from the network, right? It was more about securing the transport. But now that kind of created a big security control gap which implicitly trusted users, once they are teleported into a remote network, right? That's the essence of having a remote access session. You're brought from wherever you are into an internal network, they implicitly trust you. That simply broke down over time because you were able to compromise endpoints relatively easily using browser exploits, you know, software supply chain issues, watering hole attacks and leverage the existing VPN tunnels to laterally move into the organization from within the network, you literally move in further and further and further down the network, right? So VPN needed a significant innovation. It was meant to be securing packets in transit. It was all about an encryption layer but it had an implicit trust problem. With zero trust, we turn it into an explicit trust problem, right? Explicit trust concept ideally, right? So you are who you say you are and you're authorized to access only to things that you need to access to get the work done. So you're talking about granular levels versus the one-time database lookup you're in. That's right. Tim, talk about the OT, IT side of this equation of industrial because IT is IP-based networking. OT have been purpose-built, you know, maybe some proprietary technology.
Yeah, that connects to the internet but it's mainly been secure. Those have come together over the years and now with no perimeter security, how is this world evolving? Because there's going to be more cloud, I mean, more machine learning, more hybrid on-premises going on, almost a reset if you will. I mean, is it a reset? What's the situation? Yeah, I think, you know, in typical human behavior, you know, there's a lot of over-rotation going on, you know, historically, a lot of security controls are all concentrated in a data center, you know, a lot of enterprises had very large, sophisticated, well-established security stacks in a data center. And as those applications kind of broke down and got re-architected for the cloud, they got more modular, they got more distributed, that centralized security stack became an anti-pattern. So now there's kind of over-rotation, hey, let's take this stack and put it up in the cloud. You know, so there's lots of names for this, secure access service edge, you know, secure service edge. But in the end, you know, you're taking your controls and migrating them into the cloud. And, you know, I think ultimately this creates a great opportunity to embrace some of the security best practices that were difficult to do in some of the legacy architectures, which is being able to push your controls as far out to the edge as possible. And the interesting thing about OT and IoT now is just how far out the edge is, right? So instead of being, you know, historically as the branch or user edge, remote access edge, you know, Sinan mentioned that you have technologies that can VPN or bring those identities into those networks. But now you have all these things, you know, partners, devices, so it's the thing edge, device edge, the user edge. So a lot more fidelity and awareness around who users are, because in parallel, a lot of the IDP and IDM platforms have really matured.
So mirroring those concepts of this, this lot of maturity around identity management with device and behavior management into a common security framework is really exciting. But of course it's very nascent, so people are, it's a difficult time getting your arms around that. It's funny, we were joking about the edge, we're just watching the Webb telescope photos come in and they're made deep space, the deep edge. So the edges continue to be pushed out, totally see that. And in fact, you know, one of the things we're gonna, we're going to talk about this survey that you guys had done by an independent firm has a lot of great data, I want to unpack that. But one of the things that was mentioned in there, and I want to get your both reaction to this, is that virtually all organizations are committing to the public cloud. Okay, I think it was like 96% or so was the stat. And if you combine in that the fact that the edge is expanding, the cloud model is evolving at the edge. So for instance, a building, there's a lot behind it. You know, how far does it go? So we don't, and what's the topology because the topology seemed to change too. So there's this growth and change where we need cloud operations, DevOps at the edge and the security, but it's changing. It's not pure cloud, but it's cloud has to be compatible. What's your reaction to that, Tim? I mean, this is a big part of the growth of industrial. Yeah, I think, you know, if you think about, there's kind of two exciting developments that I think of, you know, obviously there's this increase to the surface area. The attack surface area as people realize, you know, it's not just laptops and devices and people that you're trying to secure, but now there are refrigerators and, you know, robots and manufacturing floors that, you know, could be compromised have their firmware updated or, you know, be ransomware. So this is huge kind of increase in surface area.
But a lot of those, you know, industrial devices weren't built around the concept with network security. So kind of bolting on, I'm thinking through how can you secure who and what ultimately has access to those devices and things and where's the control framework? So to your point, the control framework now is typically migrated now into public cloud. These are custom applications, highly distributed, highly available, very modular. And then, you know, so how do you, you know, collect the telemetry or control information from these things and then, you know, it creates secure connections back into these control applications, which again are now migrated to public cloud. So you have this challenge, you know, how do you secure? We were talking about this last time we discussed, right? So how do you secure the infrastructure that I've built in deploying now this control application in public cloud and then connect in with this physical presence that I have with these, you know, industrial devices and taking telemetry and control information from those devices and bringing it back into the management. And this kind of marries again, back into the remote access that Sinan was mentioning. Now with this increased awareness around the efficacy of ransomware, we're, you know, we're definitely seeing attackers going after the management frameworks, which become very vulnerable, you know, and they're typically just unprotected web applications. So once you get control of the management framework, regardless of where it's hosted, start moving laterally and causing some damage. Yeah, that seems to be the common thread. Sinan, talk about what's your reaction on that because, you know, zero trust, if it's evolving and changing, you got to have zero trust. You didn't even know it's out there. And then it gets connected. How do you solve that problem? Because, you know, there's a lot of surface area that's evolving, old OT stuff and the new IT.
What's the perspective and posture that the clients, your clients are having and customers. I think they're having this conversation about further mobilizing identity, right? We did start with, you know, user identity that become kind of the first foundation of building block for any kind of zero trust implementation. You work with, you know, some sort of an SSO identity provider. You get your, you sync with your user directories. You have a single source of truth for all your users. You authenticate them through an identity provider. However, that didn't quite cut it for industrial IoT and OT environments. So we see that we have the concept of hardware machines machine identities now become an important construct, right? The legacy notion of being able to put controls and rules based on network constructs doesn't really scale anymore, right? So you need to have this concept of another abstraction layer of identity that belongs to a service, that belongs to an application that belongs to a user that belongs to a piece of hardware, right? And then you can, yeah. Yeah, and then you can build a lot more of course scalable controls that basically understand the trust relation between these identities and enforce that rather than trying to say this internal network and talk to this other internal network to a network circuit. No, those things are really are not scalable in this new distributed landscape that we live in today. So identity is basically going to operationalize zero trust and a lot more secure access going forward. And that's why we're seeing the SASE growth, right? That's a main piece of it. Is that what you're seeing too? I mean, that seems to be the approach.
I think like, yeah, I think like, you know, SASE to me is really about, you know, migrating and moving your security infrastructure to the cloud edge, you know, as we talk to the cloud, you know, and then, you know, do you funnel all ingress and egress traffic through this, you know, which is potentially an anti-pattern, right? You don't want to create, you know, some brittle constraint around who and what has access. So again, a security best practices, instead of doing all your enforcement in one place, you can distribute and push your controls out as far to the edge. So a lot of SASE now is really around centralizing policy management, right? Just the big bet, one of the big benefits is instead of having all these separate management planes which are always difficult to be very federated policy, right? You can consolidate your policy and then decide mechanism-wise how you're going to instrument those controls at the edge. So I think that's the real promise of the SASE movement. And I think the other big piece, which you kind of touched on earlier, is around analytics, right? So it creates an opportunity to collect a whole bunch of telemetry from devices and things, behavior consumption, which is a big common best practice around once you have SaaS-based tools that you can instrument and a lot of visibility in how users and devices are behaving and being operated. It's just an honest point, you can marry that in with their identity, right? And then you can start building models around what normal behavior is. And, you know, in very fine-grained control, you can, you know, these types of analytics can discover things that humans just can't discover. You know, anomalous behavior, any kind of indicators of compromise. And those can be, you know, dynamic policy blockers. But it's pretty interesting. I think Sinan's point about, what he was talking about, talks about that the perimeter's no longer secure, so you got to go to the new way to do that.
Totally relevant, I love that point. Let me ask you guys a question on the macro, if you don't mind, how concerned are you guys on the current threat landscape and the geopolitical situation in terms of the impact on industrial IoT in this area? So I'll let you go first. Yeah, I mean, it's definitely significantly concerning, especially if now with the new sanctions, there's at least two more countries being, you know, let's say restricted to participate in the global economic, you know, marketplace, right? So if you look at North Korea as a pattern, since they've been isolated, they've been sanctioned for a long time, they actually doubled down on ransomware to even fund state operations, right? So now that you have Belarus and Russia being heavily sanctioned due to their activities, we can envision more increase in ransomware and sponsoring state activities through illegal gains, through compromising pipelines and industrial operations and seeking large payouts. So I think the more they will, they're balkanized, they're pushed out from the marketplace, there will be a lot more aggression towards critical infrastructure. Oh yeah, I think it's going to ignite more action off the books, so to speak, as we've seen. Yeah, we've seen, you know, another point there is, you know, Barracuda also runs a backup, you know, product, we do a purpose-built backup appliance and a cloud-to-cloud backup. And, you know, we've been running this service for over a decade, and historically, the amount of ransomware escalations that we got were very slow, you know, as whenever we had a significant one helping our customers recover from them, you know, once a month, but over the last 18 months, this is routine now for us.
This is something we deal with on a daily basis, and it's becoming very common, you know, it's been a well-established, you know, easily monetized route to market for the bad guys, and it's being very common now for people to compromise management planes, you know, they use account takeover, and the first thing you're doing is breaking into management planes, looking at control frameworks, and then first thing they'll do is delete, you know, of course, the backups, which just sort of highlights the vulnerability that we try to talk to our customers about, you know, and this affects industrial too, is the first thing you have to do is, among other things, is protect your management planes, and putting really fine-grained mechanisms like zero trust is a great- Yeah, how good is backup, Tim, if you get deleted first, it's like no backup, there it is, so- Yeah, yeah, yeah. I mean, obviously that's kind of a best practice when you're bad guys, like go in and delete all the backups, so- And all the air gaps, they get in control of everything. Let me ask you about the survey pointed out that there's a lot of security incidents happening, you guys point that out and just discussed a little bit of it. We also talked about, in the survey, you know, the threat vectors in the threat landscape, the common ones, like ransomware was one of them. The area that I liked that was interesting was the area that talks about how organizations are investing in security, and particularly around this, can you guys share your thoughts on how you see the market, your customers, and the industry investing? What are they investing in? What stage are they in when it comes to IoT and OT, industrial IoT and OT security? Do they do audits? Are they too busy? I mean, what's the state of their investment thesis, progress of how they're investing in industrial IoT?
Yeah, our view is, you know, we have a next generation product line we call, you know, our next, our CloudGen firewalls, and we have a form factor that supports industrial use cases, we call secure connectors. So it's interesting that if you, what we learned from that business is a tremendous amount of bespoke efforts at this point, which is sort of indicative of a nascent market still, which is related to another piece of information I thought was really interesting in the survey that I think it was 93% of the participants, the enterprises had a failed OT initiative, you know, that people tried to do these things and didn't get off the ground. And then once we see build, you know, strong momentum, you know, like we have a large luxury car manufacturer that uses our secure connectors on the robots on the floor. So well-established manufacturing environments, you know, building very sophisticated control frameworks and security controls in, but again, a very bespoke effort, you know, they have very specific set of controls and specific set of use cases around it. So it kind of reminds me of the late 90s, early 2000s of people trying to figure out, you know, networking and the blast radius of networking and customers are now, and a lot of SIs are invested in this building, you know, fast-scoring practices around helping their customers build more robust controls and helping them manage those environments. So yeah, I think that the market is still fairly nascent from what we're seeing. But there are some encouraging, you know, data that shows that at least helpful for the organizations are actively pursuing. There's an initiative in place for OT and industrial IoT security projects in place, right? They're dedicating time and resources and budget for this. And in regards to industries, verticals and geographies, oil and gas, you know, is ahead of the curve. 
More than 50% responded to have the project completed, which I guess Colonial Pipeline was the, you know, the call to arms that was the big, big, you know, industrial, I guess incident that triggered a lot of these projects to be accelerating and, you know, coming to the finish line. As far as geographies go, DACH, which is Germany, Austria, Switzerland, and of course, North America, which happens to be the industrial powerhouses of the world. Well, APAC, you know, also included, but they're a bit behind the curve, which is, you know, that part is a bit concerning, but encouragingly, you know, Western Europe and North America is ahead of these, you know, projects that a lot of them are near completion or they're in the middle of some sort of an industrial IoT security project right now. I'm glad you brought up the Colonial Pipeline one and oil and gas was the catalyst again. A lot of, hey, scared, better than me, kind of attitude, better invest. So I got to ask you that that supports Tim's point about the management plane. And I believe on that hack or ransomware, it wasn't actually control of the pipeline. It was control over the management billing. And then they shut down the pipeline because they were afraid it was going to move over. So it wasn't actually the critical infrastructure itself to your point, Tim. Yeah, it's hardly ever the critical infrastructure, by the way, you always go through management plane, right? It's such an easier line for it to compromise because it runs on an endpoint, it's standard endpoint, right? All control software will be easier to get to rather than the industrial hardware itself. Yeah, it's just, I just don't make the control software at the endpoint, put it, zero trust. Sit down, that was a great point. Oh, guys, so really appreciate the time and the insight and the white paper is called NetSec. It's on the Barracuda, NetSec's industrial security in 2022. It's on the Barracuda.com website, Barracuda networks.
Guys, so let's talk about the Reinforce event. Hasn't been around for a while because of the pandemic, we're back in person. What's changed in 2019? A ton. It's like security years is not dog years anymore. It's probably dog times too, right? So a lot's gone on. Where are we right now as an industry relative to the security, cyber security? Could you guys summarize kind of the high order bit on where we are today in 2022 versus 2019? Yeah, I think, if you look at the awareness around how to secure infrastructure in applications that are built in public cloud and AWS, it's exponentially better than it was. I think I remember when you and I met in 2018 at one of these conferences, there were still a lot of concerns whether IaaS was safe. And I think the amount of innovation that's gone on and the amount of education and awareness around how to consume public cloud resources is amazing. And I think that's facilitated a lot of the fast growth we've seen. The consistent fast growth that we've seen across all these platforms. What's your reaction to that? I think the shared responsibility model is well understood and we can see a lot more implementation around CSPM, continuously auditing the configurations in these cloud environments become a standard table stake investment from every stage of any business, right? Whether it's from early stage startups all the way to public companies. So I think it's very well understood and the investment has been steady and robust and when it comes to cloud security, we've been busy, helping our customers and AWS Azure environments and others. So I think it's well understood and we are on a very optimistic note actually in a good place when it comes to public cloud. Yeah, a lot of great momentum, a lot of scale and data out there, people sharing data, shared responsibility. Tim, thank you for sharing your insights here in this CUBE segment coverage of Reinforce here in Boston. Appreciate it. All right, thanks for having us. Thank you.
Okay everyone, thanks for watching theCUBE. We're here at the Reinforce conference, AWS Amazon Web Services Reinforce. It's a security focused conference. I'm John Furrier, host of theCUBE. We'll be right back with more coverage after this short break.