Live from Las Vegas, it's theCUBE! Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with its ecosystem partners.

Good afternoon. Welcome back to theCUBE's coverage of AWS re:Invent 19 from Las Vegas. I'm Lisa Martin; my co-host is Justin Warren, the founder and chief analyst at PivotNine. Justin, great to have you.

Great to be here. Thanks to be in the hosting chair today. Yeah, yeah, always fun. Let's have a great conversation next, shall we? Shall we, well.

All right, please meet a couple of our guests that have joined Justin and me. I've got Dan Hubbard, to my left, CEO of Lacework, and Ilan Rabinovich, the VP of Product at Datadog. Guys, welcome.

Thanks for having us. For having us. Our pleasure. Good to be here.

Love, anytime we can talk about dogs, even if there's no relation to the actual technology, two thumbs up from me. So, but let's go ahead, I know that you guys have both been on or your companies have, but give our audience, Dan, we'll start with you, a refresher, an overview, Lacework. What do you guys, what do you do?

Yeah, Lacework, we wake up every morning with a goal of trying to help our customers secure their public cloud infrastructure and/or any type of cloud native technologies, such as Kubernetes or containers or any microservices. So, a security company for the cloud and cloud native technologies.

Awesome, and Ilan, give us a refresher about Datadog.

Datadog's a monitoring and analytics platform for your modern infrastructure and applications. So, microservices, containers, cloud providers like AWS; we're here at re:Invent. Our goal is to help teams collaborate and to understand the health of their business and their applications and their infrastructure.

So, how do you guys work together?

So, we recently announced a partnership and an integration of the intelligence and the data of all the risks and the threats that Lacework is identifying, sending those automatically inside of the Datadog platform.
So, we're putting the data from our platform directly into obviously the monitoring, the metrics platform of Datadog's.

Yep, and so, we're pulling that intelligence from Lacework into our platform for our new security monitoring platform in addition to enriching it with metrics from our infrastructure and application monitoring. We find that a lot of times the first signs that something's going wrong might be a change in how your infrastructure or your applications are performing or a request that came in. And so, if we're able to marry the two together, it's a better together story, give people much clearer insights into what's going on.

So, security's been a really tricky thing to solve for as long as I've been in computing, which is longer than I care to remember. But walk us through, what does this extra visibility actually provide to customers? One of the big issues, it seems to be that security's just too hard. So, how does this make security easier for customers?

So, one of the big trends that we're seeing is that security and infrastructure were, in the past, very separate groups. Silos that, many times, didn't know each other or talk to each other. But DevOps is becoming a unifying force of data, intelligence, and infrastructure. You know, it's infrastructure as code, it's a little bit different, like AWS for example, but it still is infrastructure. So, the combination of security and infrastructure comes together when you get DevOps. Some people call it secure DevOps, DevSecOps, SecDevOps, whatever you want to call it. But really bringing those two together is finally the first time really where there's a meaningful connection at the data level that allows you to actually combine both.

Exactly, and so as all of these teams are taking advantage of infrastructure as code and other DevOps best practices, the security teams are looking at this and saying, how do I get earlier in the cycle? How do I make sure that code is enforcing this?
So, I'm scaling with automation, scaling with code rather than with people. And then, as they start to do that, they realize that the data that's in the security silo and that's in the application or infrastructure silo is actually very relevant to one another, right? If a crypto miner shows up on your systems, the first thing it's going to do is spike your CPU. Something like Lacework will detect that as well. If we both look at both those signals, we'll detect it faster.

Go ahead, Justin.

This is a bit of, that's the reactive side of security, which is there's a threat happens and you react to that, but part of DevSecOps or whichever term you want to actually use, part of that is to actually shift left and try to get rid of these security flaws before they even happen in the code, which is a lot of software development. I like to say that the first 80% of software development is putting the bugs in and the second 80% is taking them out again. So, how do you help developers actually remove all of the security vulnerabilities before they even make it into production code?

So, just like metrics and monitoring allow you to look at the quality of your infrastructure very early in the pipeline, security needs to go there also. And it's really, there is no time. It's just a continuous cycle. Early, what we allow you to do is to look at your configuration and check to see if your configuration is changing in a way that is leaving you at risk or an exposure. What's particularly interesting about this partnership is that quite often security people don't know enough about the application or the infrastructure to know if it's a risk. It's actually the DevOps people that know. So, security people, when we send an alert many times to a security person, they scratch their heads and go, I don't know if this is good, bad, or indifferent. The DevOps people look at it and go, oh yeah, this is definitely okay. That's the way our infrastructure should work.
This is the way our application should work. Or they say, oh no, this is a big problem. Let's get security involved. So, doing that early is really critical.

And again, it's all about breaking down. I mean, if DevOps was all about breaking down silos between Dev and operations and other parts of the business, DevSecOps or SecureDevOps or whatever we want to call it is just bringing more people into the fold and helping security join that party and get at things earlier in the cycle so we can catch it before, you know, before there's a breach that's in the news.

Right, to be able to be predictive, which is, and then prescriptive, which is what a lot of businesses would love to be able to be. I'd like to get your opinion, Dan, on how cloud native, cloud, and the transformation of cloud technologies is changing the conversation within the customer base. One of the things Andy Jassy said yesterday is that transformation has got to be driven from the top down, like true business transformation so that a company isn't Uberized, for example. Are you seeing that, are these, for example, what you're talking about with enlightening the DevOps folks and SecureDevOps bringing them together so that they can be more collaborative? Are you seeing that come from more of a top down approach in terms of how do we leverage our data better, make sure that we have security and are able to securely extract insights from the data or is it still kind of from both ends?

It depends on the company, it's very diverse. What we see a lot is in large companies that are migrating to the cloud, that weren't born in the cloud, every company they're buying is a cloud native company. So they buy these new companies and everyone looks at the new company and goes, wow, that's amazing, they can move so fast, they are super forward thinking and they're pushing code and they're more efficient than us, we want to do that also.
So it just kind of breeds the innovation and the speed from an M&A perspective. In the cloud native side, what we see is it depends on your tenure as a company when you really want to take security seriously. Usually B2B companies take it more seriously than B2C for example, but it's usually, when your customers start asking you how secure are you, is when people start paying attention. We would like it to be before that, but it's not always before that.

Yep, I think it's from both directions. It depends on the size of the company and the culture, but you can't dictate culture, right? So, and a lot of these silos and a lot of these camps and fiefdoms that start to exist within organizations that have caused these groups to be separate, they weren't necessarily top down, it's just, it's human to human interactions and so you can't just walk in and say, you must now be collaborative. The executives have to beat that drum and help people understand why that's important to the business, but the folks on the ground have to actually want to be friends, want to talk, want to collaborate on projects, want to pull people in earlier and once they have that human connection, it's a lot more successful, so you have to do both.

I mean, what we're seeing is as IT becomes more distributed and security is more centralized, you run into problems. So, the people that are getting it right are distributing security as close to those teams, whether it's a scrum team, a weekly get together, you know, whatever it is, to get that human interaction together, because if you don't understand the application and what people are working on, how are you going to understand the risks and the threats and the models, so distributing it is really key.

And it's important those security teams understand the business requirements as well. Sometimes the most secure answer isn't necessarily the answer that actually serves their customers.
Sometimes, and sometimes app teams don't understand the trade-offs that security people may understand, so it has to be a partnership, yeah.

But you mentioned cultural change is probably harder than anything else, especially if there's a legacy organization and Dan, to your point, a lot of the acquisitions they're doing are of cloud native companies who are presumably much fresher, maybe have a younger workforce. That's hard to do. Ultimately, though, what a business needs to look at is the legacy business. There's probably somebody in my rearview mirror who is a lot closer than I might think, that is more agile, more nimble than we are, has great technology, and the aptitude and the culture to be able to move faster. How do you see some of these enterprises that you work with together? Let's put them in the context of they're an AWS customer. How are you seeing these enterprise organizations that are adapting and acquiring cloud native businesses, how are they able to pivot at the speed they need to use cloud technology, understand the security issues that they can remediate, and really take that data to what it should be, which is a business differentiator?

Yeah, I mean a lot of the times you run into the DevOps people say security slows us down, they're getting in our way, and security says developers are insecure, we're totally going to get breached. So one of our models is you got to move with speed and safety. As soon as you get in the way of anything, typically the developer and the application's going to win. So you got to figure out where to get involved in that. In really big companies what we've seen that are very acquisitive is they're moving this as security to a central governance role and maybe have tooling and some specialty teams, and then they're distributing security baked as deep into the development infrastructure as they can, and then they have groups which kind of work together broadly across that. So you can structurally set it up that way, I think.
And if you have the incentives right, nobody's looking to create a security breach or a vulnerability, they're going, well, I mean engineers and your employees have the company's best intentions at heart, otherwise they wouldn't work there. So they're looking to do the right thing. You just have to make it easy for them with, and some of that's tooling, some of that's culture, some of that's just starting the conversation, not the day of the release. Start it when the first line of code's being written, what would it take for us to solve this problem in a secure fashion, and then everybody's happy to work together. They just don't want to redo things the day before the launch and have to be slowed down.

Well that technical debt becomes a real problem if they have to do that.

I think one of the great things about our technical partnership and integration here is, security in the past has always been just very binary. Are we insecure or secure? That's it. There's all kinds of nuances around it, and that's what lends itself to metrics. What are our metrics? How are we doing? What's our risk? What's our exposures? Is it getting better over time? Is it worse over time? So there's always the doomsday scenario, but there's also the what's happening over time and are we getting better at what we do? And metrics really lends itself to that.

And that comes right back to that, some of those DevOps philosophies of continuous improvement and continuous learning. Bringing that into the world of security is just as critical.

So you mentioned culture, you mentioned transformation, you mentioned metrics, three things, very close to my heart. We keep hearing that security is becoming a board level conversation. So a lot of this is very technical, and DevSecOps is down here with the technical people, but that structure of the organization that you referred to and changing that structure and setting the culture, that tends to come from the top level.
And we heard from Andy in the keynote yesterday that that is very, very important. So what are the sorts of conversations you're having with senior management and board level from what your products do together? What does that look like from the board's perspective? So learning to manage risk, looking at how are we doing, how much of what you do is actually available to the board for them to make their job easier.

I think one of the exciting trends is that compliance is cool again. Right. Compliance is never a cool thing, you know? Compliance is kind of a boring thing. The auditor's coming once a year, you know, you get stuck with it and away you go. But now compliance is continuous. It's always running. And it's more about risks and exposures. And am I adhering to compliance via the risks and exposures? Executives, it's very challenging to explain things like Kubernetes and pods and nodes and all these technical acronyms and mumbo jumbo that we live in every day, you know, in this world. But compliance is real. Are we PCI, SOC, are we applying best standards and best practices? So the ability to pull that in either via a metrics dashboard or through measurable things over time I think is really key as part of that.

And similarly, as folks are moving, you know, whether they're moving new applications, existing applications from, you know, a legacy or on-prem environment into the cloud or building something from scratch. It's, you know, visibility on compliance is important. We can bring that into our dashboards and sort of into the tooling that executives can look at over time. But also just understanding, am I done with the migration? Is my application there? Taking this nebulous thing that is a cloud and making it a tangible asset that you can look at and see the health and progress on over time in Datadog has significantly sped up many of our customers' cloud migrations. They often get stuck in a sort of analysis paralysis.
Are we performing the same as we did in the data center? I don't know. Are we as secure? Can we move this workload? And tooling like Datadog, like Lacework and the two together helps them put that into something concrete that they can say, actually, yes, we're ready to go or no, there's these three things we need to do first. Let's go do them.

It's really challenging for traditional security people in this new world order because it's very ephemeral. Things change all the time. It used to be like I got five racks, I got 22 hundred servers, these are the IPs, and that's it. Now it's like, what time is it? I don't know what I have, so visibility is key.

You used to be able to have a server that you might have monitored throughout your tenure at a company, now you probably can't monitor it through the tenure of your lunch, yeah.

How much, last question for you guys, how much do you see of a lift or an impact from something like the Capital One data breach that happened a few months ago? You talked about B2B being more on it in terms of B2C, but we see these breaches that, and many generations that are alive today, understand to some degree, is that, in terms of getting insight into where are all of our risks and vulnerabilities and needing to get that visibility on it, do you see some of these big breaches as catalysts for businesses to go, whoa, we have a lot at stake here. We don't really try to understand what the heck's going on and what we own.

I mean, security has a very bad reputation of fear, uncertainty, and doubt. I've been in the industry for a long time. That said, those moments do get up very high, especially somebody like Capital One, who's known to be one of the most sophisticated cloud security organizations on the planet. So it certainly piques people's interests.
I think people get carried away, maybe on the messaging side of things, but in order for a security market to get really big, you have to have a big IT transformative trend, you have to have a very diverse attack surface, and you have to have the beginnings of breach. If you don't have the beginnings of breach, you spend all your time convincing people there may be a problem, and because there are problems that are happening almost every week and are getting published, many of them are being acknowledged publicly, it does help, it definitely helps the conversation.

I don't think that, there are a lot more breaches in the news off to some extent because there's a lot more tech companies using, going through these digital transformations having tech news. I don't know that this is cloud versus not cloud. What cloud does, however, is introduce new concepts and new workflows that security teams need to understand and that application teams need to understand, and so this is where the new breed of tooling and education comes in, helping people be ready for that. And yeah, of course, anytime there's a headline on any of the big news shows, of course the first thing we're going to do is say, well clearly they're going to bring on Dan, one of our security experts of some of the industry to talk about how you prevent that in the future, and so it does bring some attention our way, but I think that's great, it's reminding people of what's important.

And one of the conversations we have with our prospects is have you ever had a breach before? They're always going to say no, of course, but then you ask, how do you know? How do you really know that? And then let's walk through how you would actually find that out if you did know, and that's a very different conversation than, oh my traditional data center, I would know this way. So it's just very different.

Interesting stuff, guys.
Thank you for sharing with us, and congratulations on the integration with Datadog and Lacework, we appreciate your time.

Thank you for having us.

Our pleasure. For Justin Warren, I'm Lisa Martin, and you're watching theCUBE live from AWS re:Invent 19 from Vegas. Thanks for watching.