RSA Conference 2023, you know, 2020, this was the last conference actually before COVID and it's back, it's back in full swing. I'd say 50,000 plus people there, the exhibit hall is packed. I mean, it is wall to wall. Even when you're walking between North and South, it's just lined with smaller booths and a lot of startups, it's just amazing. Anand Oswald is here, Senior Vice President for Network Security at Palo Alto Networks. Anand, good to see you again. We had a great year end last year. We finished with Palo Alto Ignite, it was a great event. We had you guys on and, you know, just before, we're just right after AWS, so we had a really strong ending through the year and now we're starting out strong again this year. And security is an even hotter topic. You know, we've talked about the whole OT and IT and that's what we're going to get into, but what is the state of the state? I mean, we've got plants and reservoirs and dams and pipelines and it's just a different world out there. What's the state of the state?

Yeah, if you think about operational technology, OT networks, right? If you rewind the clock, they were air-gapped long, long ago, there was no connectivity. It was within its own self. That's just the way it was, right? And now it's getting more and more connected. And you've seen this with the Colonial Pipeline attack that happened a while back, 2.5 million barrels of oil that were flowing every day were stopped. Eventually they paid a ransom. The White House issued a directive that any pipeline that has signatures should notify CISA within 12 hours. That's really what's happening. Critical infrastructure is embedded in everything that we do. Think of manufacturing, think of chemical plants, think of energy, utility, oil and gas. Securing those assets is extremely important, but you've got to go about it thoughtfully, right?
I think we talked about it in the past that when you think of connected things or digitization, it's affected almost every single industry, for the positive, I would say, right? It's made things easier, lowering the operational cost for all of the firms using them. But if you don't go about it the right way, it leads to security breaches, because you've got to think about it day one and how you want to secure your infrastructure.

So is the way in which you secure the OT infrastructure, how is it different than the traditional IT infrastructure?

So if you think about security, you can only secure something when you know what it is, right? So it starts with visibility. The most important aspect of OT is that you want to have true visibility into all your connected devices. And this cannot be done through just the traditional approach of a database, a signature, et cetera. There are more and more devices coming online every single day. So you have to use the power of AI and machine learning to identify these connected devices. And that's important. It should be automated and it should scale. You want to understand the device, the make, the model, et cetera. So that requires a lot of work. Now you may say, that's good. And a lot of people in the industry say that we have an OT solution with visibility. So let me give you an analogy. I tell you that you have a leak in your house and I walk away. I don't tell you where the leak is. I don't tell you who's the plumber.

You'll find out eventually.

You'll find out eventually. I don't tell you anything about home warranty, home insurance information. And if the plumber does come to your house, he can access things he wants to access securely. So that's the state of only having visibility. It's good, but it's not good enough. The next step we do is around what I call segmentation or policy control. Who should be talking to whom? Should this device be talking to this device? We need to talk to the device. What's your policy?
You start with the whole principle of least privilege access. You set those automatically. Third, as these devices talk outside, you want to watch continuously for threats. For malware, for command and control connections, for software exploits on an ongoing basis. And the fourth step, which is not really security, I would say, but it's more on operational simplicity. You know, when I talk to a customer, they say, I don't want yet another point product solution. Give me a solution that integrates into my infrastructure. Reduces my operational costs. Tell me about the asset utilization of my devices. How long has this machine been used? Right? I'm getting asked to add more machines on my manufacturing floor. What's my utilization? How is the efficiency of this machine compared to the efficiency of the other machine? How is this plant operating compared to my plant in Beijing or India or some other place? So you want to incorporate all of those things into your solution.

If I talk to, let's say, a server manufacturer like a Dell or an HPE or a storage manufacturer like a Pure Storage, they'll talk about security. They'll talk about their supply chains, their software bill of materials. They'll talk about silicon root of trust. They're very in tune with security. And they take their responsibility very seriously. When I think about things like devices, factory devices, machines, cameras, are those manufacturers as astute, have they gotten better in terms of just being more aware of the security issues?

Yes and no. Look, we have over a billion new devices coming online in the next couple of years. They're made by a plethora of different manufacturers and there are a variety of different cost points and capabilities. In many cases, you have the plant owner or, in the case of a medical facility, the biomedical engineer responsible for their equipment.
It's very hard for them to understand how do you patch this equipment, which software I need to update for all of these things. They want to do what they're best at, their job. We want to make sure that it's simplified for them to understand the capability of all these devices. Automate all the things that they want from a compliance perspective. All of these industries have heavy compliance. So how do you make sure that you can get audit ready? What are all the connected devices? Which of them have unpatched vulnerabilities? What do you need to do to patch these vulnerabilities? Who's talking to which device? Are you monitoring all the transactions? Are you doing this on a continuous basis? We want to do this across the entire life cycle.

Who does that in the OT world? Is it the SecOps team? Are they now sort of bleeding into the OT world? Is there an analog to the IT SecOps team?

Look, they have security engineers, right? But if you look at IT and OT networks, they're still run separately with common DMZ networks. But more and more you see organizations bring IT and OT networks together. Now, as these networks get connected, you can imagine the threat landscape will increase. I'll take another example. You've seen many of these OT networks during the pandemic, they started opening up connectivity using 5G because you can't have somebody physically always go for servicing, updating things. Now, as you open up connectivity to your equipment, how do you ensure it's secure? How do you ensure that you don't move laterally and spread these threats and malware? So, think about this very, very holistically and end to end.

It reminds me of, and I'm just listening to you talk, it reminds me of the FBI and the CIA before 9/11, right? I mean, they had different agendas, right? And they were different DNA. And it just, that can't be an easy thing to bring together. So it was, are firms like Palo Alto Networks sort of a glue to bring them together?
And what specifically can you do to help?

If you see many of the customers in these industries of infrastructure, manufacturing, utilities, oil and gas, they use Palo Alto on their IT side and also on the DMZ side, right? They also use our firewalls in the OT network. Now we're helping bridge that gap between IT and OT networks. As they're connecting more and more devices on the OT networks to the outside world, we're ensuring that they are connected with the principles of zero trust, least privilege access and secure connectivity on a continuous basis.

It's the same principles, but is it different solutions, different products, purpose built for OT?

It's a purpose built product for OT networks because you want to provide, like I said, the four things: visibility. Then you want to do segmentation and automate your policy control. You want to monitor all the transactions and ensure that you're completely secure and then provide all of the operational simplicity and the visibility that they need from an asset utilization perspective.

What's the number one question, or maybe one and two, that you get from the OT pros?

How do I understand all the devices that I have on my network with all the details I want? Type of device, model, make, manufacturer, how do I ensure which of these devices have unpatched vulnerabilities? I want that whole inventory map. That is their first problem because, like I said, you can only secure something once you know what it is.

Okay, so that's a problem. So is that metadata all available? How do you find that data?

We do all that through a combination of our machine learning. So if you put our sensor, which is our firewalls, within 24 to 48 hours, I will be able to identify more than 95% of all devices. This is work that we've done for the last many years in terms of how do we understand the protocols, the makes, the models, et cetera. But there's a small percentage where we understand these devices but don't know exactly what they are.
And that's something that we work with the owners or plant owners, manufacturers, et cetera, to understand. And over time we keep getting better.

As these devices in the factory or the plant, et cetera, as they become more programmable, you've essentially now got an analog to developers, right? Infrastructure as code. Infrastructure in the plant as code. In IT, the developer has a critical role in the whole shift left thing. Even though it may not be their wheelhouse, they're being forced essentially and asked to help secure the network. Is the same thing happening in the OT world?

In the OT world, it's around ensuring that when these devices get connected, or when we are connecting to these devices from the outside world, we're doing it securely. As these devices talk to each other or these devices talk to other interfaces, as we bring IT and OT networks together, they're done securely. That is the number one thing that the OT owners are worrying about.

Is there a, think about ransomware. You think about, you know, people talk about air gaps. I guess, like I say, it used to be that the whole OT infrastructure was air-gapped.

Yes.

Right, so that goes away. What are some of the best practices that you see with some of your top customers?

If you see our top customers, the best practice that they do is really to say, how do you get a zero trust approach to operational technology, right? And zero trust is a very abused word. Dave, you and I talked about this in the past.

Yeah, but you have the mindset, you're bringing that mindset into OT. But yes, it is an abused word.

But it's all around, how do you ensure that you give the least privilege access? So is the user or the machine authorized and authenticated? Does that device have malware itself? What is the, I'm trying to access. What application, what data, what other equipment, what server? Do you have the permission sets for that? What is my transaction?
Which means that as I'm having data flow, I want to watch for threats, the ransomware, the malware, et cetera. And do that on a continuous basis. Those are the principles of zero trust that our customers are involved in.

I was reading the Unit 42 threat intelligence report that came out last week, the week before, prior to RSA. It was just astounding to me, the one graph that really caught me was that 80% of the alerts come from 5% of the rules and it has for a long, long time. And then the other one was the propensity of secrets to be hard coded, you know, in the code base. And so, and that's in IT. Where there's, you know, very high awareness of security. OT, I would think their security, you know, maturity, on the maturity model, they're less mature than their IT brethren. Right?

And also on the OT side, and just like the IT side, the majority of the breaches happen because you have misconfigurations or you haven't configured your security equipment properly, your security service properly. That's the majority of the breaches that happen even in the OT world. Because OT networks are by nature flat, which means that you really want to ensure that you get full visibility and then really control, have granular control and policy. We start with, when you talk about zero trust, we say that no one can talk to anybody and then you allow each connection to go through. Versus the reverse motion of everybody can talk and I'm going to block, but I wouldn't want to block. It's just a mindset change.

So a flat network means, in theory, it's easier to traverse horizontally, right? And so you want to really put all those granular policy controls in thoughtfully and automate them because you can't do it manually again. You do it manually at one scale and you'll make errors.

What's the right regime? And we talked earlier about the OT and the IT worlds coming together. Who's involved in that? It's the engineers, the plant manager, the CIO, but again, who's really going to take responsibility?
Are organizations thinking about it as a holistic system or is it sort of still a stovepipe?

So I would say it's a journey. You talk to different customers and they're in different phases of their journey. The first step they're doing is, how do you bring IT and OT networks together? And they're already connected to a DMZ, but you want to ensure that you can now connect to these OT assets from the outside. So how do you make sure that you have zero trust network access to these devices? As these things come more together, I think it comes down to how organizations will also change their structures. How you have single entities managing their IT and OT networks versus what is done today. But that's a journey, as you know.

How big is this market? I mean, it's got to be enormous and a huge opportunity and it's very immature in terms of the security adoption, right?

If you read reports of just, say, manufacturing, OT security completely end to end, it's a multi-billion dollar market. And then you think of energy and utility and oil and gas and the food industry and beverage and chemical plants. And this is a massive opportunity. It's also important because it's critical infrastructure. The reports I read said that threats to critical infrastructure could lead to possible deaths. And I was first alarmed when I read the report. And it talked about an example of a chemical plant. If an attacker gets access to the chemical plant and changes the composition of how much you're mixing the chemicals, it can lead to catastrophic effects. And that's why thinking about this holistically on day zero, day one is very important as we build these networks.

Very interesting conversation. And thanks so much for coming back on theCUBE. It was good to see you again.

Good to see you, Dave.

All right, and keep it right there. This is Dave Vellante for John Furrier. The entire CUBE team from RSA 2023, we're live at Moscone West, right back.