Good afternoon everyone, welcome back to theCUBE's day one coverage of CrowdStrike Fal.Con 23, live from Caesars Palace in sunny, warm Las Vegas. I'm Lisa Martin here with Dave Vellante. We're going to have a very cool conversation next. We're going to be talking about the FBI. We're also going to be talking about that breach you may have heard about that happened here very recently. Please welcome Mark Bowling, Chief Information Security and Risk Officer at ExtraHop. Mark, great to have you, thank you for joining us.

Thank you very much, it's a pleasure to be here. So speak with both of you and to speak to your customers.

Yeah, you worked with the FBI for what, 20 years?

That's correct.

Tell us a little bit about that history.

I was an FBI special agent. I started in Washington DC, which was a really cool place to start. I actually worked with other agencies doing some of the technical things here in the United States that, statutorily, they're not allowed to do, and that's all I'm going to say about it. I can't tell you what I did, can't tell you the tools I used, can't tell you how I did it. After about four years, I went to Wisconsin, and that was when we started setting up cyber programs nationwide. While I was in DC, I worked very closely with the National Computer Crime Squad. It was C-17 at the time in Tysons Corner, but then when I went to Wisconsin, they started pushing cyber squads out to each of the states because of the growth of cyber crime. So I was the cyber crime coordinator there in Wisconsin. I had a brief interlude right after 9/11 where I went back to headquarters and I worked on Director Mueller's staff. I was a subject matter expert for both cyber and counterterrorism. I worked on a technical project out of his office, and then I became a supervisor in Detroit where I had a cyber task force that reported to me, a cyber crime task force, and did a lot of great Internet Crimes Against Children work. ICAC is a wonderful program.
And then following that, I went to Arkansas in 2010 as a field executive. It's called an assistant special agent in charge. So I was the number two, I was the assistant. Means I got all the nasty jobs that the boss didn't want to do. You know how those executives are. And I spent my last five years with the FBI there in that capacity. And then I went to another agency, the Department of Education, Office of the Inspector General, where I was in charge nationwide of their technology crimes. So it was a great federal career, as you're both a law enforcement officer and an intelligence officer. And it was a privilege to serve the American people and it was a privilege to serve in that capacity.

Fascinating. Well, thank you for your service. Talk a little bit about, maybe compare and contrast, your current role with ExtraHop to what you were doing back in, what you can say, with what you were doing with the FBI.

So it's really cool when you're in the federal government: you have all these well documented rules that you have to follow. So like when we built the system that we designed, IDW, Investigative Data Warehouse, it was the first federated data warehouse that the FBI built. And this was right after 9/11. When we did that we had very specific what we called certification and accreditation. There were rules. And so we had a NIST standard, 800-53. Now we're on revision five. It was revision three at the time. But NIST 800-53 gave us all of the controls we needed to implement in that system. So sometimes it's different because the control frameworks are different. If you're in healthcare, you generally start with HIPAA. If you are in financial services and you're a bank, it's Gramm-Leach-Bliley. If you are doing any kind of equities or stock trading, it's FINRA or FFIEC. Those are all, well, the stock trading is all governed or regulated by the SEC. So we had very specific, so it's different in that the frameworks that you implement are different.
And I would say the maturity of the business practices is much higher in the federal government, particularly in the FBI, which is part of the intelligence community. But on the other hand, you still have to do the right things. So you always want to start out with the technology framework that you're using. Are you going to use the Center for Internet Security's top 18 Critical Security Controls, or are you going to use the NIST Cybersecurity Framework? They tell you what to use in the government and you have to implement those controls. But in the commercial world, it depends on the industry largely. But you still have to have a framework, you still have to have a roadmap that you need to implement. So your choices may be different, but you still have the same process.

Many government agencies, some anyway, take the IRS for instance, they're behind on technology relative to, say, their commercial counterparts. My sense has always been that the intelligence community is not behind when it comes to things like cyber and threat intelligence. I wonder if you could discuss the role of public and private partnerships, specifically as it pertains to cybersecurity. What's the state of that? Where are we? How mature is it? Are we doing enough? What can be done?

Well, so you need to understand that there are multiple critical infrastructures. I think DHS, Department of Homeland Security, has identified 17 individual critical infrastructures. Some of those are very mature. Like the electrical power industry under NERC, North American Energy Reliability Corporation, they are very mature. They have that locked down. On the other hand, you have maybe the pipeline operators like Colonial Pipeline on the East Coast, and they weren't that mature.
So they literally had to shut down their entire operational technology environment because their enterprise IT environment was hacked, and they weren't able to demonstrate that you couldn't transition, you couldn't move laterally, from the enterprise IT environment to the operational technology environment. So the level of maturity is dependent on the infrastructure. Healthcare, they're all over the map. You have small, in many cases rural, hospitals that don't have the money. They're not as mature. I was talking to an amazing hospital that uses our tool on the East Coast in the Carolinas, and they're very mature. So even in a specific infrastructure like healthcare, you have a wide variety, or wide variation, or a wide spectrum of maturity and capability.

Very situational.

Yes, absolutely.

So I wonder if we could talk about what's in the news. The MGM hack and the Caesars hack. I was out here last week and I was delayed. We pulled in, MGM is big, green, the lion all lit up. It was dark, no neon lights. There were probably, of the thousands of rooms, there were maybe 50 to 100 lights on in the hotel. Now we were at the Aria across the street and they had part of that hack and they had to manually write down the credit cards. I'm like, what are you doing with that data?

Exactly.

Now it was interesting, as this week, coming into Caesars, no problem. So quite different. But what do you and your colleagues in the SecOps world know about this? What can you share with us?

So I think we know the same thing most people know. I've read some very, very, very insightful hot washes or lessons learned about the MGM hack specifically. That was done almost exclusively by social engineering. People went on LinkedIn, they identified information, they picked up the phone and they called people until they found a soft nut to crack. And it just, it's almost ridiculous. It borders on absurd. I find it shocking that enterprises that have the kind of money going through them, okay?
So it's all about the money. They have a lot of money going through Caesars Palace. They have a lot of money going through MGM Grand. That they wouldn't have more mature processes to train or to create awareness in their personnel. Now, I'm sure, and I'm not trying to be an apologist for them, I'm sure that both MGM Grand and Caesars occasionally have job retention issues and may have trouble hiring and meeting all of their staffing requirements. And so that can impact your ability to ensure that your people are as aware as they need to be. But if you're somebody who can answer the phone and give out information that can cause the entire enterprise to be compromised, they should at least be trained up and they should have the level of awareness and the level of operational maturity that they can see this type of activity coming and take the appropriate action.

It's a classic case of bad user behavior beats good security every time.

Absolutely.

The awareness piece is so critical because the weakest link is always the human, and we saw it yet again with this one.

Absolutely.

Was it MGM or Caesars that paid 15 million of the demand of 30 million?

I believe it was MGM.

I think so too.

I was looking more at how it happened and then, once it happened, how they responded. I didn't pay that much attention to any payments that were made.

What does a business do? I mean, the guidance is don't pay the ransom because then you're just enabling these criminals. But your business is down, you're negotiating with these people. Instead of 15, can I pay five, because that's the cash? And of course, if you pay a ransom to a rogue state, that's illegal.

Absolutely. You can't pay money to North Korea, you can't do that.

So it's a really difficult situation. What do you advise customers who ask you, should I pay the ransom?

Well, from a national security and a law enforcement perspective, I'm going to repeat what the FBI says.
You don't pay the ransom because all you're doing is encouraging bad behavior. I have five adult children, okay? Three of them were at one time high school boys between 15 and 18. And so I learned that you don't encourage bad behavior. You don't reward bad behavior, because that just encourages more bad behavior. And so when you pay the ransom, you're encouraging bad behavior. And so I think as much as possible, don't pay the ransom, but here's the way I say it: why don't you pay the ransom up front? And when you pay the ransom up front, why don't you have effective backups? And why don't you have effective security? You can buy a lot of security. I guarantee for $15 million, I could have secured MGM Grand. That's not that heavy a lift without much money, okay? So why don't we pay the ransoms ahead of time and implement the type of effective security and get the effective training for the personnel so that you reduce your surface attack area and you reduce your human failure factor?

Yeah, so that was going to be my next question: what is your role at ExtraHop? Talk about both the internal and the external, and how you protect ExtraHop customers and maybe advise them.

Okay, so I do three things. First of all, I'm our chief risk, security and information security officer. So I have risk management, and I like that because if you're going to do security, you want to start with risk management. You don't just do physical security and cybersecurity out of the box. No, you take a look at what are your risk factors? What can you afford to lose? What can't you afford to lose? We have a lot of proprietary information, critical business information, we cannot afford to lose that. So we have a very, very strong risk management program: enterprise risk identification, quantification and then effective management. We treat our risk. I'm responsible for physical and facility and, most of all, personnel security. Remember those people who answered the phone and gave out the passwords?
That's poor personnel security. So I'm responsible for personnel security, which means I also protect our people here, okay? I'm concerned deeply about every ExtraHop employee here at Fal.Con. And then third, I have the standard CISO type roles where it's identity management, access management and the whole range of technology controls and administrative controls that we implement to protect our cyber assets. So those are the three things I do. Now, inside those roles, I'm also customer facing. I've met with several customers here. I'm part of our CISO, we call it a CAB, customer advisory board, but I interact with our CISOs there. So I do have some customer facing roles internally. My job is to implement controls to protect our people and our assets. And as part of that, I also protect our customers' information that we have in our tool, our product, okay? So I protect our customers' data probably more assiduously than even I protect our own data. So those are the things I do.

But the sales guys must be trying to drag you out all the time.

They are, and I was actually going to go up to an FS-ISAC meeting, Financial Services ISAC meeting, in New York and I said, well, how many customers are we going to meet? And they said, well, 10 of them. I said, I'm not sure I could travel for 10. But I would love, you know, I was with Goldman Sachs right before I came to ExtraHop. So I love the financial services sector. I love the FS-ISAC. I love New York City. I don't want to live there, but I love visiting the city. And so it was like, but I have to make a choice. I have a full-time job I have to do as well as meeting our customers.

So 10X that and I'll get in the point.

Yeah, if you get me 40 or 50, yeah, I'll hop on a plane. And part of it is it's a monster of my own making. I live in Central Arkansas. So to get anywhere from Central Arkansas can be difficult.

Yeah. Not so easy. You mentioned working for Goldman Sachs.
We talked about your tenure at the FBI and your service there. So you've worked as a CISO in different industries. How is it different in your role for a cybersecurity company?

That's what's interesting is, the cybersecurity company, we're not publicly traded. We're privately held right now. So we don't have to worry about what's called SOX, Sarbanes-Oxley 404. So we don't have to worry about SOX 404, but we're going to get there. That's one of my priorities. We're going to get there with SOX 404. But what we have to worry about is our reputation. I'm not worried about the Office for Civil Rights for Health and Human Services coming in and doing a HIPAA failure investigation. We're not going to have any HIPAA breaches. We don't run the electrical power grid, so I'm not worried about NERC coming in, having, you know, hitting us with compliance failures. So everything is about the reputation and everything is about our customer. And there are bad guys out there. There are criminal enterprises who are headhunting for cybersecurity companies. We had, I don't remember it right off the top of my head, but there was a cybersecurity company about three months ago that was hacked. And the first thing I did is send out an email to everybody and said, there are scalp hunters, they're out there, they're taking scalps, and we are the kind of scalp they want to take. So we have to elevate our game. And so instead of saying, okay, did I meet an arbitrary set, not arbitrary, but a defined set of compliance requirements such as HIPAA or NERC or FFIEC, no, I have to make sure that all of our controls are buttoned down because we have to protect our proprietary data as well as our customers' operational data. You can't just check the boxes. I am not about checking boxes.

How do you work with CrowdStrike? What's your relationship with them?

That is just such an amazing relationship. CrowdStrike's an amazing company, okay?
So CrowdStrike has, and I want you to think of what I'm going to call the SOC triad. And so you have SIEM, which is a SOAR, or a SIEM would be a tool such as, well, it's Humio, or LogScale now, for CrowdStrike. It could be another tool such as Splunk or LogRhythm, okay? And then you have NDR and EDR. Now, what I want you to think about is whenever you have a computer intrusion, you have three things. You have one host here, you have one host here, and then you have transactions between those two hosts. And what CrowdStrike Falcon does is it locks down these two hosts. What we do is we observe these transactions between the two hosts, okay? So we have EDR at the endpoints. We have NDR, Network Detection and Response, at the network, and then CrowdStrike, because they purchased Humio, now have LogScale, they have the SIEM built in. So what we do is we complete that triangle, all right? So CrowdStrike has LogScale as a SIEM, they have their Falcon as EDR, they have XDR, their Managed Detection and Response service, Falcon Complete. And so what we do is we fill that one thing that they don't have, and we do it at scale and we do it for enterprises, okay? So let's talk about the three ways we work together. Tom Etheridge is in charge of their security or their global managed services, okay? They do incident response. Whenever they go into an existing ExtraHop customer, they know to pick up the phone and say, we found ExtraHop in this environment, and then we have trained up their incident responders on how to use ExtraHop when they're doing an incident response in an environment where ExtraHop may be. So we're integrated from a managed services perspective for incident response. We're also integrated directly with the Falcon tool, okay? So we have APIs, application programming interfaces, that connect ExtraHop to those endpoints.
So if ExtraHop sees something, we can send an alert to the endpoint, the EDR, endpoint detection and response, and then that endpoint can either shut down or can deny that connection. And then finally we now have that connection directly to LogScale. And so we've signed an agreement and we're working on the technology to integrate LogScale as our backend data store. So right now for our typical enterprise customers, we use Google BigQuery. That's our record store for 360 in the cloud. But now if you are an existing CrowdStrike customer, now LogScale, you have the option as a customer, you can select LogScale to become your enterprise record data store. And so that just makes the integration between ExtraHop and CrowdStrike that much better. And I'm going to throw a, you know, I love working with Tom Etheridge and his staff. They're great guys. And you know, I remember Shawn Henry, who's the Chief Security Officer at CrowdStrike, from the FBI, you know? And so it's great to have these relationships that we're able to capitalize on, and it makes working together that much easier and that much more effective for the customer. It's not all about convenience for us. It's about making it as effective as possible for the customer. And that's really what the CrowdStrike ExtraHop relationship brings.

It sounds like a great, deeply integrated partnership. Mark, thank you so much for coming on, talking about your history with the FBI, your service there. Again, thank you for that. What ExtraHop and CrowdStrike are doing and what you're enabling customers to achieve, as the threat is no longer, is it going to happen? It's a matter of when. We really appreciate your insights and your time. This was fascinating. Thank you.

Oh, it's my pleasure. Thank you both very much. I appreciate it.

For our guest and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE Live, day one of our coverage of CrowdStrike Fal.Con 23. We're going to be back after a short break. We'll see you soon.