Zero Trust in the Supercloud | Supercloud 3
Welcome back to Supercloud 3, everybody. We're digging into all things cloud, multi-cloud, supercloud, AI and security. We're pleased to welcome into our studio Jay Chaudhry, the CEO of Zscaler, along with the CSO of Zscaler, Deepen Desai. Gentlemen, thanks so much for coming in live to the studio, really appreciate it.

Well, thank you for the opportunity. I have often enjoyed our conversations.

Yeah, and so, ditto. We want to get into the state of security, but before we do: John and I were talking, because, "Dave, you know, this zero trust thing, it's still a little fuzzy to me, can you explain it?" I said, you know what, why don't we have Jay and Deepen explain it.

Of course. Here, zero trust is a big departure from 30 years of old network security architecture, and it's like going from a traditional car to electric cars, very different. The traditional architecture said, let's put people on the network so you can move around and find applications, and life is wonderful. But it's wonderful for bad guys too. Zero trust says: I won't trust you, I will only connect you to a given application or service, period. You never own the network. So you had to build a different architecture. That's why firewalls and VPN-based architecture doesn't work. Unfortunately, the legacy network security vendors are scared of getting disrupted, so they want to co-opt the zero trust terminology to confuse their customers and claim that they are zero trust too. That's the root of all this confusion.

So Deepen, as a CISO: every CSO I talked to is now on a zero trust journey. They weren't so much before the pandemic, but now they're leaning in in a big, big way. There are some challenges. So what are the challenges that you see, and how are your colleagues overcoming them?

Yeah, so, um, I do speak to a lot of CISOs, global CISOs around the world, and I'll share a funny comment that I heard at RSA a couple months back: "Hey, we have implemented zero trust for all our remote employees." Right? There is no, there's no concept of implementing zero
trust at one place and then having the traditional network at the other, right? A simple thing that I always call out is: if you have a true zero trust architecture implemented, it should satisfy the three basic principles, which is never trust, always verify; number two is least-privilege access; and number three is assume breach. With those concepts in mind, the way you should look at your strategy is, number one: is my zero trust security solution allowing me to reduce my external attack surface? Number two is: am I able to enforce consistent security no matter where my users are, whether they are at home, whether they're traveling, whether they're in the office? It should be consistent, with full TLS inspection. The third piece, and this goes with the assume-breach scenario, where if one of my users were to make a mistake and his machine is compromised, I want to contain that blast radius. This is where the lateral propagation, reducing that with proper user-to-app segmentation, deception, things like that, that will prevent that attack from becoming a breach. And then finally, everyone is after your data, so your zero trust security solution has to help you consistently inspect anything that leaves your assets, whether it's endpoint, workload, server environment, and allow you to prevent any kind of data exfiltration.

I have to ask you, a very cogent speaker and quite eloquent: do you spend most of your time internally as a security scale or sales guys out in the field?

Okay, so let me share this: I am the internal CISO. We do have a beautiful version of me: there are 12 field-facing CSOs. I am usually called in when they want to go down in the weeds on how to implement certain things, so my conversations are more tactical, on how to do it, rather than big pitch yourself.

You know, Jay, I want to get into, um, your point about zero trust and supercloud. Security plus AI is the topic. Um, the market growth still in security is well outpacing other parts in tech. Some companies have a
tailwind with this new network architecture and AI, some have a headwind. What's the difference between the winners and, and I won't say losers yet, but people who are winning, doing the right things from a customer standpoint? What are they doing differently with security and now data? And AI is obviously new, but not new, been around for a while, but certainly it's data, right? It's scaling, yep, there's observability out there. What's your vision of the winners?

So at the end of the day, customers want their business to be agile, competitive, secure, and cost-effective solutions. Every new technology comes to help in those areas, but over time those technologies kind of lose their benefits and values. Then the new technology, new innovations have to be invented. We're seeing mobility hubs are IoT, OT, cloud has been helping. Every year technology incrementally gets better all the time, but disruptive changes come every 20 to 30 years. So AI is a disruptive change, even though it built over time. Cloud was disruptive. Similarly, security and network is being disrupted for the first time in 30 years. The architecture we use today for securing, with firewalls and castle-and-moat, goes to early 90s. So companies like Zscaler, who built a clean architecture for the new world, are winning. Companies who are based on firewalls and boxes is like, I like to call them like DVD players: they're bound to lose. But they're trying to put their DVD players in the cloud and call themselves Netflix. You don't become Netflix.

VHS tape, it would be a better version. Yeah, but I mean, the perimeter is dead. Okay, so the perimeter is dead, right? That's key. Now you have a surface area, yep, that's expanding. You got hybrid, which is going to go edge, multiple clouds, that's supercloud. Huge surface area.

Yeah, so yes, it's huge surface area. If you look at the old world: in the old world every branch office would have a firewall that says, "I am here, come and attack me," or "I'm here, connect with me." In the world of Zscaler, with zero trust, your
surface area literally disappears, because your assets, your employees, your services are hidden behind our cloud or switchboard. You only get connected to the right party. Maybe I'll give a metaphor. If you want to talk to, if you want that your five hundred friends should be able to reach you, you can publish your phone number. They'll find you, they'll call you. But a million other people who you don't want to talk to will also call you. It's spam, we all hate it. And that's how things work today: you publish your application on the internet, people can find them, connect with them, but many people can either or stem. Your attack surface keeps on growing. And in the new world, suppose you hired a switchboard service. You say, I will only take phone calls from these 500 people and no one. So the right party gets connected to you, all others are dropped. In the same way, we hide customers' applications, branches and all from the bad guys. The old model: every branch has a firewall. The new model: your branches should go dark. There's no listening port to the internet. They're all hidden behind us. So attack surface almost zero is what we advocate.

It's unlimited surface area, but hidden to the bad guys.

Exactly.

It's the best defense.

Yep. Even hidden to the good guys. The good guy only gets connected to the party without divulging where you are, what your IP address is and all.

Yeah, so you have to protect yourself from everybody, not just the bad guys.

Exactly.

Let's talk about AI a little bit, Deepen. And everybody says, every company, whether the buyer, seller, says, "Well, we've been using AI before ChatGPT." Of course. But how are you using it? And what has the, what I sometimes call the AI heard around the world, how has that affected how you think about AI and deploying it?

Right, so we've been using AI/ML for several years now. Our product has several use cases addressed where we identify new polymorphic malware payloads, we identify previously unknown attacker control server destination, we also leverage it for
flagging phishing attacks. Now, with the generative AI aspect coming in, we have also started investing heavily over the past six months in the customized large language models. So the goal over here is: generative AI solves certain use cases very well, where you can ask a question, it converts it into code, and it will simplify the overall product experience for customers. But if we are able to merge that with the predictive AI, then there are several different use cases that you will be able to address. One of them that I'm personally driving is where we're trying to predict breach scenarios even before they happen by using the telemetry that our product provides.

I was going to ask that question. I mean, everyone's hoarding telemetry, observation data, observability up and down the stack. Sometimes I don't even get to it, right? I mean, how much of that is actually used is the question that always comes up, and when people are off camera they say about 15 percent of it. Quantity of data, that matters too.

So first of all, every company will use AI, otherwise they'll go out of business. So there's no such thing as "are you an AI company or not." It's like 10 years ago you used to say Zscaler is a cloud company. Now every company is trying to be a cloud company, but the one who had the right architecture will succeed, the one with the wrong architecture will wither away. Now, the most important thing for AI is the data. Now data, combined with domain expertise and data scientists, will make it happen. What's unique about Zscaler, right? Why are we so excited about it? Think of the breaches. Before any breach happens, there is a reconnaissance activity that goes on. They go, 9/11: before 9/11 happened, there's so much reconnaissance going on. If they really acted on it, these guys were getting pilot trainings with certain kind of stuff, you could figure it out if they really could make sense out of it. We are like a switchboard. We sit between all communication, for every user to every application, an application to
the application. So what do bad guys want to do? Reconnaissance. They want to ping you, they want to send certain things. All of that communication goes through us. So being able to leverage 300 billion transactions a day that give us logs, and over 500 trillion signals, we now can leverage this AI/ML combination of predictive and generative AI to predict breach and actually tell our customers ahead of time so they can take steps. I'm excited, because this couldn't be done before, and with all the data, we're going to put it to use.

It's interesting. I mean, I love your company because you guys are ahead of the curve. Um, in security you got to be where the puck is going to be in the future. Where is that puck going to be? What's your vision now? Because again, you're leveraging your data, yep, you probably were before, but now it's even more valuable, yep, that you got synthesized that data, you train it, you infer from it. That's the new context and behavior. It's inference and training. What's the next move for you guys?

We are looking at where things are headed. There's a cyber side of it, there's a non-cyber side of it. I'll give you one example of each. In cyber, it's getting easier for bad guys to do bad things. If I want to know your attack surface for internet, which means all the branches, all of your IP addresses, firewalls, VPNs and all, it could take a few hours before, or maybe a few days. Now you ask a question about "give me all attack surface for this company," it shows up in minutes. So the job gets easier. So AI is going to help bad guys, but companies like Zscaler also have smart people who can figure out the defenses against it. So we are building defenses ahead of them. The other part is, the bad guys may have open source public data about attack surface; they do not really have any of the internal data that belongs to a company. We combine external data with the inside internal communication data to come up with better defenses. I think that's our key. That's why a forward-looking progressive customer the
jump on us. That's why over some 45 percent of Fortune 500 companies, they trust system put the magnitude.

One more question for the CISO. To get ahead of the defenders of the offense, you got to be better than them, you think like them and think smarter than them. How do you do that? How does a company do that? And that's the CSO opportunity, for you to be better at defense. How do you beat the bad guys?

So being a CISO at a cyber security vendor, I have a lot of advantages with this. Number one, Jay kind of called out, it's the visibility that our platform provides. We have visibility across the full kill chain, so we're able to see phishing attacks, we're able to see exploitation, we're able to see malware payload and post-infection activity. We're able to spot where these threat actors are changing and evolving their TTPs, tools, tactics and procedures, including leveraging machine learning models in many of the cases. Leveraging that visibility, combined with the telemetry that we're collecting, and then I have a global team of security experts across seven different countries, so it's a round-the-clock model. We're leveraging this intel to then learn, train our models, and then deliver high-efficacy security control.

I wonder if I could ask you: I felt as though prior to the whole ChatGPT announcement that technology vendors like yourselves had an advantage because you had access to that technology. Ultimately, do you think that attackers or defenders will benefit the most from AI?

No, tell you why: because we got smart people figuring things out. Now, hackers are smart and passionate too. I think that big challenge is inertia in large companies. I'll tell you an interesting dialogue I had with the board of directors of a very large bank out of Asia, and one board member said: Jay, you're sitting in the U.S. leading this to the number one company, but some of the largest American Fortune 100 companies are getting breached. They got technology, they got money, they got all the know-how. Why are they
getting breached? If they are, what hope do I have? What's the question. I had to think about it for 30 seconds. Then I said, all that is true. The biggest thing that's holding large corporations back is inertia. Think of inertia, it's a very powerful thing. People are comfortable, keep on doing what they're doing. The biggest thing we face is lots of people saying, "I have done my firewall and network for 30 years." Sometimes job security comes in, sometimes lack of comfort comes in. And I think part of the thing is to really educate our customers, to make sure they start embracing, they start taking benefit of it. Otherwise the best technology doesn't get properly used. That's the biggest risk.

The pandemic was somewhat of an awakening there. I mean, we have a data partner called ETR, and we look at a couple of dimensions: momentum, spending momentum on a platform, and the penetration in the market. And we would take companies that had high spending momentum and high penetration in the market that showed up in the data, and we give them four stars. And Zscaler, when we first started to do this, it was, and it's still, Zscaler, Okta, CrowdStrike, Palo Alto and Microsoft were always consistently the four stars. So I have a competitive question for you. Last week I was in the studio all week, dude, preparing for Supercloud, doing some pre-records. I came out and my guys, it was like quarter of four East Coast time, market's just about to close, and they yelled to me, "Security's getting hammered. Microsoft made some announcements." And so I looked at what they announced and I kind of shrugged. I'm like, Microsoft, they've always been in security and they're sort of ubiquitous. And so I called up a bunch of my friends on Wall Street and said, this is a buying opportunity. I mean, I'm not going to trade, but you should think about it. And of course, you know, the market settled down, yep. What do you think about that competitive threat? How did, did you get calls on that? How did you respond to the market?

Yeah, we
did get calls from many investors. Investors get nervous sometimes. But if you, and part of the logic they said was, well, Microsoft went after endpoint, has gone after identity, they can go ahead as well. I think that the big difference is the following: Microsoft leveraged Windows for Windows Defender, they leveraged AD for directory. To do network security, to do zero trust, you must sit in the traffic path for all traffic, inline. It's more of a network analysis play rather than identity play. Sitting inline around the globe, inspecting traffic at speed, detecting threats and all, without introducing latency, is a very different core competency than being an application company and the like. So I think it's a very different play, and I think for anybody to really do this requires a little different kind of skill set or mindset.

So that brings us to a sort of multi-cloud, cross-cloud, supercloud. What's your vision for what we call supercloud?

So the world will be in this supercloud model where the multiple cloud providers, there are edge clouds out there, so data center, and there'll be plants and factories with lots of workloads and so on. These things need to access information from each other. In the old world you would have said, I'm going to have a network that connects everything, like a U.S. highway system: once I get on I-80 in San Francisco, I could reach New York, Miami or Dallas without hitting a single light. So can bad guys. So I think this communication among these supercloud entities needs to be through zero trust exchange, where this exchange says, based on a policy, this party can access this application. That party may be a user, it may be a workload, or it may be a device. I think zero trust is ideal, and AI will play a more role, because zero trust architecture is collecting data. The data needs to be processed and applied to the policies in more dynamic fashion, where we are seeing some strange behavior and saying, huh, this party is
connecting this party, but there are some unusual things going on, stop it. Those are the kind of things we are doing, which is very natural to Zscaler.

Is that data open, or is that going to be proprietary data? How do you look at the data sharing?

So, very good question. Companies that offer free services, their data is for sale, often ads and all that stuff. Whether Zscaler or ServiceNow or Salesforce, we charge for our services. The data is only meant for our customer. We don't sell it. Now, for security, our customers want us to anonymize it and use it to detect all these bad things, because all of them benefit from it. But the data is private. There's no ChatGPT access to the kind of data we are talking.

Data's, data is a value. My final question, and I know time's tight, but I want to ask it, it comes up a lot in my conversations: a lot of companies that we talk to want to partner with you. How is your posture with partnering with people up and down the stack? You got a good position, you're doing extremely well on the business side. Love that traffic flow, that's the footprints, people are moving around, getting that flow, you can see the packets, so root of trust.

Absolutely. So we believe that the world of 100 security products, uh, CSOs hated it. They called them appliance overload, fatigue with security boxes. But on the other extreme, there's no such thing as God's security cloud that does everything. We think the market will settle around the best-of-breed platforms, that each platform does its best. So we have focused on being the best switchboard, the best exchange, and we partner with vendors such as vendors in the identity space: Okta has been a partner for a long, long time with identity; with endpoint vendors, with networking vendors and the like. So we have over 100 partners we have certified, they work with these.

Are there new kinds of partners that may emerge in this preferred future as you skate to the next puck, where it's going to be in the future? You see a new kind of partner
emerging?

Yeah, so one new kind of partners that emerge, and I already see dialogue going on, is building applications on top of the 300 billion transactional logs we're doing. So different applications can be written. We will write some, partners write some. Together they're going to help our customers.

Are you suggesting, Jay, that the narrative of consolidation is maybe a little bit overplayed, that really best of breed is ultimately going, or best-of-breed platforms?

So probably a handful of platforms that do the best job, but trying to have one vendor be the best in each area won't help. So for example, take endpoint security: there's a different kind of expertise needed. That's where the CrowdStrikes of the world do very well. We are the best one to be inline. So that's why we work together. But a firewall company trying to say, "Oh, I bought this endpoint company, so I do it all": have you seen that kind of thing happen? Every firewall company has an endpoint offering. Never seen them out there. So I would rather be in a few areas and be the best, or partner with others.

So you can't be all things to all people and best of breed in each of those different sectors. Within a pretty broad sector you can be, but you can't. And from a CSO's perspective, that's how you want to buy?

It is extremely important to have that, these segments defined where there is consolidation happening. And I'll talk from threat perspective, especially in case of ransomware attacks, where these things move so quickly, they're able to encrypt, say, hundred thousand files in an organization within five minutes. So if you have best-of-breed point products and you're relying on a third product to correlate and generate a signal, or rely on your team to generate a signal, it's game over. So that's where having that platform in place that's able to feed the signal and take action at the time the attack is happening becomes very, very important.

You know what I find interesting but also challenging at the same time in the industry, love to get your
perspective, is security is like a pro sport, right? The speed of the game is fast, so entrepreneurship is harder. You can't just start a company and get in the game and be defending at scale. And certainly as the data starts coming in, where there's a value there at scale and speed, it's a speed game. The pace to defend is so fast, it's like pro ball.

Absolutely.

What's your reaction? What's that opportunity in Champion Square?

I think I see these good or best position. We have built a platform. We're still acting like a startup in many, many ways, and we do pick up some of the startups who bring some new ideas and integrate them in our platform the right way. That's the way I think about it.

And I want to just follow up before you end, is that the startups all want to know one thing: "Love Zscaler, where's the white space? Where can I win? Because I want to play pro ball, but I don't want to do all the heavy lifting to get to the acceleration."

So if you look at some of the example I'd give you: recently we bought a company in the SaaS supply chain space. While we have been really offering solutions that tell you if this SaaS company, like Salesforce, ServiceNow, configuration, misconfiguration alike, and then Salesforce connected 40 other SaaS companies out there, and probably 30 of them are small startups. Are they properly, do they take a risk and whatnot? So we bought a company that extends SaaS risk beyond, to the other party that connect. So it's adjacent space. The hardest thing to figure out is the new threats that are coming on new angles. We love to partner with companies who are in that.

So you say it's, so you would say that you enable startups?

We'd love to, yes, and we are investing in startups too.

And you mentioned some M&A. What's the climate out there like now? I mean, there must be some good opportunities, bargains everywhere for you guys.

Uh, lots of them. The number of calls, inbound calls, have kind of quadrupled or maybe higher than that. The key is finding out what's real, what's
not. In fact, lately there's so many calls coming out: "I am the AI company."

Okay, I got an LLM bias. Guys, it's such a pleasure having you in our Palo Alto studios. Thanks for your time and your insights, really appreciate it, gentlemen.

Thank you for the opportunity, and hope to see you again.

I hope so. Thank you, guys.

My pleasure.

Okay, keep it right there. Dave Vellante and John Furrier will be back. John had Kit Colbert in the studio last week, one of the original supercloud advocates. Stay tuned, watching theCUBE.
2023-08-24 04:31