from San Diego, California. It's theCUBE, covering Cisco Live US 2019. Brought to you by Cisco and its ecosystem partners.

Welcome back to theCUBE's coverage of Cisco Live day two from sunny San Diego. I'm Lisa Martin, joined by Dave Vellante. Dave and I have an alumni, a CUBE alumni, back with us, Jeff Moncreef, consulting systems engineer from Cisco. Jeff, welcome back.

Thank you very much, great to be back.

Yeah, so we're in the DevNet Zone. Lots going on behind us. This community is nearly 600,000 strong. We want to talk with you about StealthWatch. You did a very interesting talk yesterday. You said it had a couple hundred folks in there. War stories from real networks. War stories, strong descriptor. Talk to us about what that means, what some of those war stories are, and how StealthWatch can help customers learn from that and eradicate those.

Yeah, so it's called Saved by StealthWatch. It was a really good session. This is the third Cisco Live that I've presented that session at. And it's really just stories from actual customer networks where I've actually deployed StealthWatch into. I've been selling StealthWatch for about five years now and I've compiled quite a list of stories, right? And it really, if you think about advanced threats and insider threats and those kinds of exciting things, the presentation was really about getting back to fundamentals. Getting back to the fact that in all these years that I've been working with customers and using StealthWatch, a lot of the scary things that I've found have nothing to do with the advanced type threat stuff. It really has to do with the fact that they're forgetting the basics, okay? Their firewalls are wide open. Their networks are flat. Their segmentation boundaries aren't being adhered to. So it's allowed us to come in and expose a lot of scary things that were going on and they were just completely oblivious to it.

Why are those gaps there? Is it because of a change management issue?
Are technologies moving so quickly? Lack of automation?

Yeah, I think it's a couple of reasons that I've seen. It's a recurring theme really. Limited resources, number one. Number two, limited budget, so your priorities have to shift. But I think a big one that I've seen a lot is turnover and attrition, okay? A lot of times we'll go in with StealthWatch and we'll kick off an evaluation and whatnot and the customer will say, I just don't know what's there, okay? I don't know if I have a hundred machines that need visibility or a thousand. And I'm a StealthWatch Cloud consulting systems engineer, so the cloud world is really where I spend a lot of my time now. And what I'm seeing as it relates to the cloud realm is that it's exponentially worse now because now you've got things like DevOps and shadow IT that are all playing in the customer's public cloud environment, deploying workloads, deploying instances and building things that the security team has no awareness of. So there's a lot of things that are living and breathing on the network that they just don't know about.

And so the tribal knowledge leaves the building. How do you guys help solve that problem?

Yeah, so we come in and, the last time that you and I spoke, you used the term cockroaches, I think, which I love. I actually have used that a lot since then. So thank you for that.

Yeah, you're welcome.

Yeah, but we come in and we actually turn the customer's network infrastructure, okay, whether it's on-prem or in the public cloud, into a giant security sensor grid. And we leverage something called NetFlow, which you've probably heard of. And it's essentially allowing us to account for every conversation throughout the entire infrastructure, whether or not it's on-prem or in the public cloud or maybe even in a private cloud. We've got you covered in that area and it allows us to expose every one of those living, breathing things, and then we can just query the system.
So think of us like a giant network DVR on steroids. We see everything, you can't hide from us because we're using the network to look at everything. And then we can just set little tripwires up. And that's kind of what I go into in my presentation also, is how you can set these tripwires ahead of time to find things that are going on that you just didn't know about and, frankly, they're probably going to scare you.

One of the stories that you shared in your talk yesterday, talking about people really forgetting the basics, a university that had a vending machine breached. You just think, a vending machine in a cafeteria?

That's right, yeah.

Really? Tell us about that. What kind of data was exposed from a vending machine?

Yeah, so that's one of my favorite stories to tell. We'd gone in and we'd installed StealthWatch at a small university in the U.S. And they had a very small team, okay? You can see that recurring theme, limited staff, and they really just had a firewall. Okay, that was what they were doing for security. And so we came in, we enabled NetFlow. We kind of let StealthWatch do its thing for a couple of days. And I just queried the system, okay? It's not rocket science, it's not AI a lot of times. It's really the fundamentals. And I just said, tell me anything talking on remote desktop protocols inside the network, out to the internet. And lo and behold, there was one IP address that had communication from it to every bad country you can imagine. Okay, actively. And I said to them, I said, you know, what is this IP address? What's it doing? And I was in the conference room in the university with their staff and the guy looked it up in the asset inventory system. And he looked at me and he goes, that's a vending machine. And I said, a vending machine? He said, yeah. And then I was like, okay, well that's a first. I've never heard of that before. And he goes, wait a minute. It's a dirty tray return machine. You ever heard of one of those? I hadn't even.
So for loss prevention, I guess universities and other public institutions will buy these unique vending machines that are designed for loss prevention, so that the college students don't go around and steal or throw away the trays from the cafeteria. You have to return the tray to get a coin. Okay, there's a common supermarket chain that does the same thing with their shopping carts. And it's for loss prevention. So I said, okay, that's pretty strange. Even stranger than just a vending machine. And I said, well, did you realize that it was talking to remote desktop all over the world? And he said, no. And I said, so can you tell me what it has access to? So he looked it up in the firewall manager right there and he said, it has access to the entire network. Flat network, no segmentation, no telling how long this had been going on, and we exposed it.

And StealthWatch exposes those gaps with just kind of old school knocking on the door. I mean, it really is. I mean, we're talking about fundamental network telemetry that we're gathering off the route switch infrastructure itself. Obviously we're at Cisco Live, we work really well with Cisco gear. Cisco actually invented NetFlow about 20 years ago. And we leverage that to give a visibility footprint that allows us to expose things like the vending machine. I've found hospital X-ray machines that were scanning all the US military, for instance. I find things in the cloud that are just completely wide open from a security ACL standpoint. So we've got that fundamental level of visibility with StealthWatch. And then we kick in some really cool machine learning and statistical analytics and machine learning analytics. And that allows us to look for anomalies that would be indicators of compromise. So we're taking that visibility footprint and we're taking it to that next level, looking for threats that might be in the customer's environment.
So before we get to the machine intelligence, I presume that cloud and containers only make this problem worse. What are you seeing in the field? How are you dealing with that?

We're in a landscape today where we've got a lot of customers that might be cloud-averse, but we've also got a lot of customers that are on the wide other side of that spectrum. And they're very cloud progressive. And a lot of them are doing things like serverless, microservices, containers. And when you think of containers, you think of container orchestration, Kubernetes. So StealthWatch Cloud is actually in that realm right now today, able to protect and illuminate those environments. That's really the wild west right now, is trying to protect those very abstract serverless and containerized environments. But yeah, we come in, we are able to deploy inside Kubernetes clusters or AWS or Azure or GCP and tell the StealthWatch story in those environments, find segmentation violations, find firewall holes, just like we do on premise, and then look for anomalies that would be interesting.

The security paradigm for those three you mentioned, those three cloud vendors and your on-prem and maybe even some of your partners, there's a lot of variability there. How should customers deal with maintaining the edicts of the organization and sort of busting down those silos?

Yeah, so you think about StealthWatch Cloud, which is the product that I'm the CSE for. We're really focusing on automation, high efficacy and accuracy. We're not going to be triggering hundreds or thousands of alerts whenever you plug us in that's going to further bog down a limited team. They've got limited time and they have to change their priorities constantly. This solution is designed to work immediately out of the box, quickly deploy within a matter of hours.
It's all SaaS based, so it actually lives in the cloud and it really takes that burden off of the organization of having to go and set a bunch of policies and tripwires and alerts. It does it automatically. It's going to let you know when you need to take a look at it so that you can focus on your other priorities.

So I'm curious where your conversations are within an organization, whether it's a hospital or a university. What you're finding is, in this multi-cloud world that we live in where there's attrition and all of these other factors contributing to organizations that don't know what they have, with multi-cloud edge comes this very amorphous perimeter, right? Where are those conversations? Because if data is the lifeblood of an organization, if it's not secure and protected, if it's exposed, there's a waterfall of problems that can come with that. So are you, is this being elevated into the C-suite of an organization? How do you start those conversations?

Yeah, so it's not just the C-suite and the executive type structure that we're having to talk to now. Traditionally, we would go in with a StealthWatch opportunity and talk to the teams in the organization. It's going to be the infosec team, right? As we move to the cloud, though, we're talking about a whole bunch of different teams. You've got the infosec team, you've got the network operations team now that are deploying those workloads. The big one, though, that we've really got to think about and that we've got to educate our customers on is the DevOps teams. Because the DevOps teams, they're really the ones that are deploying those cloud workloads now, okay? You've got to think about, they've got API access, they've got direct console login access. So you've got multiple different entry points now into all these different heterogeneous environments, right?
And a lot of times, we'll go in and we'll turn on StealthWatch and we show the organization, yeah, you knew that DevOps was in the VPCs deploying things, but you didn't know the extent that they were deploying them.

Lights up like a Christmas tree?

Yeah, lights up like a Christmas tree, and like a conversation I had last week with a customer, I asked them. I said, all right, so you're in AWS. Are we talking, do you have 50 instances or do you have 500? He said, I have no idea because I'm not the one deploying these instances. I'm just lucky enough to get permission and have access to them to let you plug your stuff in to show me what's going on in that environment. But yeah, they're in charge of securing that data. So it's quite frightening, yeah.

So you've got discovery, you've got ways to expose the gaps and then you're obviously advising on remediation activity. And then you're also bringing in machine intelligence. So what's the end game there? Is it automation? Is it systems of agency where the machine is actually taking action? Can you explain that?

Right, so when the statistical analysis comes in and the anomaly detection comes in, it's really that network DVR, all right? So we've got the data. So now let's do some really cool things with it. And that's where we're at actually, for every single one of these entities, and I do stress entities because the days of operating systems and IP addresses are going away. Face it, it's happening. Things are becoming more and more abstract. API keys, user accounts, lambdas and runtime compute. We have to think about those. So what we do for all these different entities is we build a model for each one of these. And that model, that's where all the math and the AI comes in. We're going to learn known good for it. Who do they talk to? How much data is sent or received? And then we start looking for activity in that infrastructure, as it relates to that entity, that's outside of that known good model.
So that would be the anomaly detection. And our anomaly detection, it really can be attributed to two different major categories. Number one is going to be, we're looking for things that cross the cyber kill chain. So those different IOCs as a threat actually manifests. That's what the anomaly detection's doing. And then we're also looking for just straight compliance and configuration violations in the customer's cloud infrastructure, for instance. That would just be a flat out security risk today, day one. Forget baselining and anomaly detection. It just should not be configured that way.

Let's see, roughly 25% of Cisco's revenue is in services. What role does the customer service team play in all this? Do you interact with, how do the product guys and the service guys work together?

Yeah, so we've got a great customer experience team, customer services team for StealthWatch. And it doesn't matter if we're talking StealthWatch on-premise or StealthWatch Cloud, they cover both. And what will happen is we'll come in from a pre-sale standpoint, we'll do the evaluation, show good value. And then we've got a good relationship with the CX team where we'll hand that off to them and then we'll work with the CX team to make sure that customer is good to go. They're taken care of, and that's not a we've-sold-this-and-we're-just-going-to-forget-you type scenario. They do a good job of coming in, they make sure that the customer's needs are met, any feature requests that they'd like are taken care of, they have routine touch points with the customers and they make sure that the product, for all intents and purposes, doesn't lose interest or visibility in the customer's environment, that they're using it, they're getting good value out of it, and they're just going to build a relationship. You know, I call it cradle to grave. We're going to be with that customer cradle to grave.
You know, Jeff, one of the things I didn't talk to you about at Google Next was, well, first I've got to ask you, have you, you're a security guy, right? Have you always been a security guy?

Yeah, security for about 20 years now, dating back to Internet Security Systems, actually.

The question I often ask security guys is, who's your favorite superhero?

My favorite superhero, let's say Batman.

Batman, I like Batman. So the reason I ask is that somebody told me one time that true security guys, they love superheroes because they grew up kind of wanting to save the world and protect the innocent, so I just had to ask.

Yeah, there you go, Batman.

I'm sensing a tattoo coming. Last question for you, Jeff, is in terms of time-to-business impact, the vending machine story is just so polarizing because it's such a shocking, massive exposure point. Did they ever discover how long it had been open, and in terms of being able to remedy that, how quickly can StealthWatch come in and identify these?

Very quick to operationalize. So like the vending machine story, that's something that if you turn on flow and you send it to StealthWatch right now, we can pick that up in 10 minutes. That quick to visibility and value. Now, how long has it been going on? A lot of times they can't answer that question because they've never had anything to illuminate that to begin with. But moving forward, now they've got a forensic incident response audit trail capability with StealthWatch, which is actually a pretty common use case, especially if you think about things like PCI that have got audit requirements and whatnot. A lot of organizations, if they're not using a flow-based security analytics tool, they can't always meet those audit and forensic requirements. So at least from the point of installing StealthWatch, they'll be good to go from that point forward.

So if they can find an anomaly that needs to be rectified in 10 minutes, what's the next step for them to actually completely close that gap?
Yeah, so like with Cisco Identity Services Engine, we've got a great integration there, we can actually take action, shut off that machine instantly. Okay, we can shut off a switch port, we can isolate that machine to an isolated sandbox VLAN, get it off the network. And then in the cloud, we can do things like automated remediation. We can use things like Amazon Lambda to actually shut off an instance that might be compromised. We can actually use lambdas to insert firewall rules. So if we find a hole, we can plug it. Very easily automated for the customer.

Ship a function to it and plug the hole.

That's correct, yeah.

Batman slash detective, I think you need a tattoo and a badge.

I can work on that.

I like it. Jeff, thank you so much for joining Dave and me on theCUBE this afternoon.

It's my pleasure.

Really interesting stuff, we appreciate your time.

Absolutely.

For Dave Vellante, I'm Lisa Martin. You're watching theCUBE's second day of coverage of Cisco Live from San Diego. Thanks for watching.