People have the right to know what others are doing with their data
Government Shutdowns, Bug Bounties, and Ethics - what do these have in common? Our first live panel of security experts in 2019.
Ben:Welcome to the Masters of Data podcast, the podcast that brings a human to data, and I’m your host, Ben Newton. This podcast episode is a first: our first live panel episode, and our first three-person panel. With George Gerchow’s help, we recruited two great personalities from the security world to talk with him on a live panel. George, you probably know from a previous episode, and he’s also the chief security officer at Sumo Logic and a good friend of mine. Tricia Howard is a multi-talented Texan living in New York City. She brings an artistic sensibility to the crazy world of security and is a client manager at Optiv. Davi Ottenheimer is the president of Flying Penguin, a multi-book author, a top-rated public speaker, and he works in security at MongoDB and, it turns out, as you’ll find in this podcast, he is a deep thinker and a historian. So I think you guys are gonna really enjoy this. Without any further ado, let’s dig in.
Welcome everybody to our first live panel for the Masters of Data podcast. I was thinking for such a momentous occasion we had to have the best. You mean you’ll be able to determine for yourself, we’ll take your comments afterwards. But we needed a clash of titans. We needed a GOAT rodeo of discussions. We needed an uncontainable maelstrom of opinions. I think because you’re obviously the most interesting person here, Trish. We’re gonna start with you. You’re a Texan which is mostly a plus in your category. You’re an artist who somehow got into security and now you’re doing great things at Optiv, singing, painting. You’re an interesting personality Trish, I’m glad to have you on here. Welcome.
Tricia:Thanks. Thanks for having me.
Ben:Of course. We’ve got Mr. George Gerchow the chief security officer over here at Sumo Logic. He’s a well known speaker. He’s a ski glove model, runner up for the world’s shiniest bald head. We decided on gleaming was the right word, right? International man of mystery. You’re the only person I know that actually … I’ve seen having vacation pictures on the beach and the snow in the same week.
George:Same day dude, that was literally the same day. Welcome back, David.
That’s awesome. Pleasure to be here Ben, always a pleasure to work with you and these two psychopaths as well too.
Ben:And we have Davi back in, welcome Davi. And, Davi Ottenheimer, and he is a president of Flying Penguin. He’s over at MongoDB. He has written books. He speaks, he’s done security at bar … You’ve done everything, man. You’re apparently a humanitarian, you do poetry, you teach kids InfoSec. The kids actually listen when you teach them InfoSec?
Davi:Some do. [inaudible 00:02:54]
Ben:I don’t think my kids would. What we usually do on the podcast here is we usually try to get to know you guys and get a little bit more of your background because we’ve got three people here. We thought it’d be fun to do a question that would kind of dig a little bit under the surface. What I ask these guys to think about this week is I asked them to think about, if you had to have one song be the soundtrack of your life, what would it be and why? Again, starting with you Trish because you’re the most interesting person, what would yours be?
Tricia:One hundred percent “White and Nerdy” by “Weird Al” Yankovic.
Tricia:It’s too good. It’s got parody, which I’m a huge comedy fan. It got that. And then you know, I’m white and nerdy. Enough said.
Ben:You’re comfortable with yourself. I like that. How about you Davi what did you pick?
Davi:I’m gonna say Fatoumata Diawara has a song called “Nterini”
Ben:That’s like super sophisticated.
Davi:It’s really about loss and longing in the human migration problem. About a billion people on the planet are migrants and it really speaks to that.
Ben:Wow. You just took us on a serious turn.
Ben:That’s not …
Davi:That’s why you invited me.
Tricia:He’s here to up it a little bit.
Ben:The adult in the room. Okay. I see where we’re at. George, what about you?
George:So for me, without a doubt is Kid Cudi ‘Soundtrack of Your Life’ for multiple reasons. Number one, we kind of look alike, sound alike, but the song tells a tale of just coming in and out of despair and then sometimes rising to the top, which life is a rollercoaster, mine certainly has been. With every good time there’s some bad times too. And you got to try to just keep it in the middle somewhere.
Ben:I like that.
Davi:Well that’s deep.
George:We’ll talk about bacon then I’ll get to go back.
Ben:Okay, we’ll save that for a little later. We got to build up to that, man. I was thinking about this as well, for me at least today, it’s a competition between “Overkill” by Men at Work or “Sweet Dreams” by The Eurythmics.
Tricia:What a great song.
George:Great Song. Great haircut T.
Ben:Oh, thank you.
George:Not you, Annie Lennox, man.
Tricia:You just killed his soul. He was so excited. Did you see how taken aback he was.
Ben:Uh, we’re done here. How do we kick George off? Alright, well and welcome everybody that has been able to join. We’re really excited to have you here. And again, sorry, it looked like the time got changed in the Zoom webinars. For those of you who got a little confused about that, thank you for your patience with us. So what we’re going to do is I asked these guys to come up with a couple of topics, they’re going to be watching for the rest of this year and we’re just going to start talking there. We’re going to, I’m sure there’s going to be some name calling, I’ve told George to keep it PG-13. We’ll see how that goes.
Ben:But, okay good start. But one thing, just because Trish is watching the breaking news here, one of the topics was going to be about the government shutdown and apparently there was just an agreement coming through that Trump has agreed to something with the Democrats about that. But George, you brought that up as one of your topics. I’m going to give you the floor. What was on your mind?
George:I did. And that’s good news. I mean, the best news source in the world besides this podcast is Twitter. Without a doubt, but it’s just had such a dramatic effect, not only on my professional life but also work life as well too. And then all the people out there currently today that are struggling with this. I mean if I think about just professional life first because I mentioned that we’re currently going through our FedRAMP certification and the entire PMO shut down. The government can’t process anything. Sponsors can’t reach out to potential companies, software companies that they want to endorse. And so it’s really had a dramatic effect on us that way. And then just personally like travel. Tricia and I were just commenting that, I mean I travel all the time, I know Davi does too and seems like Tricia does too. I mean with TSA employees calling in sick and I don’t blame them. Right? They’re not getting paid. Having to show up to work.
I was in Minneapolis, unfortunately, no offense to my Minneapolis friends, but a couple of weeks ago, and the air traffic controllers were out in front educating people on how they’re not getting paid and they’ve actually been getting food supplied to them and donations by GoFundMe from other traffic controllers all around the world. So it’s just had a tremendous effect on our economy and it’s the first time that we’ve actually seen something like this happen. And then last thing on this before I hand it over, I live in Colorado Springs, Colorado, amazing Colorado and we’re a military town, but it went through, I mean Davi’s been there, it’s got the Air Force Academy at Fort Carson, you got Homeland Defense which is at Cheyenne Mountain and all these people are affected by that. And so when you see them out there just struggling to pay rent or pay their mortgage or pay their bills, because of something that I just believe is absolute nonsense. I mean, I don’t want to talk bad about the President. I wouldn’t do that, but it’s just has a dramatic effect on your life.
Ben:Bringing it over to you Davi, you actually had, one of the things you were thinking about was kind of in this line, but I mean, have you seen anything from your preview that’s kind of affecting. I mean, what effects are you seeing this from your vantage point?
Davi:I’m seeing effects all over the place. I mean, one of the things that happened today was people are missing meetings because they’re trying to travel and it’s taking them days, literally days to take a trip that normally would take two hours. They’re spending 24 hours and missing important business meetings. We’re pushing back and scheduling around the fact that people have to move a short distance in the United States, but that’s just even the tip of the iceberg. I’m meeting with the federal employees and they’re telling me that they’re not allowed to take vacations, are not allowed to take sick leave, but they still have to work and they’re not getting paid. It’s just changing the whole dynamic of the meetings we’re having with them, whether we should even be working with them because they need to be going out and taking care of their families.
It’s treated like a national disaster the way a hurricane or a tornado might be … You need to go take care of your situation, not be here talking to us about business. It’s just, I have so much empathy for people who have to go through this and when it’s a manufactured crisis. But as a historian, I also want to make the point, the Maginot Line lesson, everyone makes fun of the Maginot Line, which is a wall that failed when the Nazis invaded France. The lesson was that they spent all that money on the line and had no money when things went real. From a national security perspective, I want to make this very clear. If we spend money on the wall, the way the French spent money on the Maginot Line, and we don’t spend money on airport security, which we’ve effectively shut down in this government shutdown, we are literally repeating the worst mistakes of history.
We are weakening the places where people do come into the United States, 40,000 people who have been apparently in the airport flow, considered threats to this country and we are defunding that and making it highly risky. At the same time, we’re shutting down the government to fund something which is effectively not even necessarily going to be useful. You’re going to redirect even more threats if the wall even worked, you would redirect more threats to the things which are being weakened at this moment. It’s just absolutely nonsensical from a national security perspective. It’s hurting the country in the worst possible way. It’s such a diabolical plan. I can’t even put words to it.
Ben:You get a gold star for bringing up the Maginot Line and the discussion. I like you, Davi. And I think most people wouldn’t know what the Maginot Line means, much less make fun of it, but I get your point. Absolutely.
George:Yeah explain it Davi.
Davi:Maginot was a guy, he was a guy who fought in World War I and for the French and his idea was build such a good resistance line of concrete, build a concrete wall on the border with Germany that they would stop the imminent threat of German invasion and they ended up doing that and funding it and by funding it at such an absurd cost. I believe it was $7 billion, very close to what we’re talking about today in relative terms. They did not fund airplanes, innovation airplanes. They did not fund mobile tanks that could move faster, redistribute faster, and so what the Germans effectively did was they went through neutral countries, Belgium, that don’t have a wall because France didn’t want to build a wall on borders where they had trade and neutrality. And so the problem wasn’t that the wall didn’t work. In fact, it did stop them from coming through that direction, it’s that it was such an opportunity cost and everyone in security knows what I’m talking about.
If you spend all your money on antivirus and it gives you 10 percent effectiveness, you are dead in the water when people actually come around the antivirus. Maginot is just a reference to a huge catastrophe in cost planning and that’s what we’re doing right now. But shutting down the government to reduce the security of airports is just the dumbest thing I can possibly think of to fund the thing that wouldn’t help.
Ben:I think that’s, that makes a lot of sense and in … And I think it’s focusing on something that’s symbolic instead of really trying to think about this in a balanced, holistic way I think. I think what you’re saying is making a lot of sense. Yeah. You’re getting some praise from the audience here.
Davi:Well thanks. I try.
Ben:I think you nailed it with the word marginalized. That’s good. Okay, he’s starting it. Clearly he’s a historian in the room. Okay, what do you bring to the table George?
George:Me, go to Tricia. You’ve already talked to me, man.
Ben:She’s the most interesting. We’ve already established she’s the most interesting person.
Tricia:Some of us.
Davi:Let’s go Tricia, let ’em have it.
Tricia:I mean obviously amazing points brought up. The one thing from a cyber and InfoSec perspective that concerns me, is that we’re going to be discouraging talent from going into our national security. And that’s scary. It’s already hard enough to find people. That’s not a fake thing. That’s not market architecture. There is actually a deficit of talent. You start talking about that and then there’s the whole private sector that’s going to pay way more and now we’re on top of that. That’s already a problem and now you’re going to bring this on where they’re working and not considered necessary employees. It’s a skeleton crew. They’re absolutely necessary employees. It’s the new warfare. We need to have more people there and we need to have great talent. We need to be able to show that not just in the private sector but also in the government sector, that we need them. We need smart people there who are going to be wanting to work and getting paid work for their immense talent.
It’s just really scary to me. I am very happy that right before this call we came up that he is bringing it back for three weeks, so we’ll hopefully, we’ll be able to be able to have a much happier conversation about it at that time.
George:It depends at what cost, but you bring up a good point. Ben, I didn’t tell you this, this week, but you know our guy John Visneski from Pokémon, he’s effectively the CSO there. He was working out of the academy with a bunch of other guys and they were talking about the exact problem you just brought up, Tricia, which is trying to recruit talent into the military from a cybersecurity perspective and so he was doing talks going by directionally, one on how to bring talent into the military and retain it. But then also people who are in the military right now who are frustrated because they’re not getting growth not getting paid or anything else. How can they start seamlessly entering the commercial world, the software world? I had those guys over for dinner on Wednesday night and their opinions on that were just crazy, like how this has made it even more difficult to do so.
Ben:Yeah. I was actually reading some article, which lines up because I worked in DC for over a decade and I remember is that a lot of these kind of high skilled, particularly information workers aren’t getting calls from recruiters and they’re saying, “Hey, is this painful? Why don’t you come work for us as a contractor come work in this other company.” I mean it’s good that they have those opportunities in there, but it’s going to leech out talent. Absolutely. And I think that’s a serious issue. I mean it’s basically, our government is basically saying we don’t really value that much. You’re less important than these other issues. And that’s a serious thing, particularly when the kind of people that are going to drive us forward on these really important issues, particularly around cyber. I mean, they’re highly, highly skilled people who can find other jobs.
Davi:It reminds me of the old saying that, you go to work for the government because you always get a paycheck and I think a lot of people went there for stability and it’s not necessarily that they get paid the most, but they get paid reliably and they can hang on to a case forever. Like the secret service is fantastic at the work they do and they don’t get paid a lot, but they keep at it forever. If you have a breach 10 years ago, it’s an open case and they’re not gonna give up on it, commercial world doesn’t work like that. They let it go two, three years. There’s no money in it.
They’re done. They’re moving onto the next thing. And so when people ask me like, “What do you think of this role? It’s a $600,000 job for a hedge fund is going to be looking at money, making more money and on top of money.” I say, “Maybe you should pay your taxes and help fund some of the secret service better.” Who already do a fantastic job instead of trying to like raise huge amounts of money to hire somebody who’s 20 years old.
Ben:Huge. The thing that reminds me of Davi too is I’ve read and heard a couple of other things too where you have people that are not necessarily central employee still coming in, even when they don’t have to because they believe in what they’re doing and I think that’s super important.
George:It’s interesting too because at Sumo our team is pretty much almost all prior military and what we’ve noticed is, one of the things you said Ben is that they are highly skilled people but a lot of times they don’t know how to express themselves out of that world. It’s difficult for them to apply for jobs, especially in software. What they usually end up doing is becoming contractors. But I have found it really interesting that they have rigor like no one else. I mean, you know [Willem Palmer 00:16:19], you’ve seen him around the office, that guy brings rigor and that we have a former NSA red team on our squad as well too, in the SOC and they make tremendous, just tremendous collaboration type people that come into your team and deliver as well as they bring that rigor, which in software a lot of times you need.
Maybe we can all benefit from this in that way, I hate to say that, but maybe it’ll raise more eyebrows. The people who are currently doing those jobs that they want to step out and start talking to more commercial type companies instead of becoming contractors or staying within the military.
Ben:Yeah, absolutely, definitely some of the best people I worked with in the software industry for former military. I definitely agree on that. Well, I’m going to switch gears here a little bit. Another piece of news that we heard before we started this was about GDPR and so I think you guys all saw that, but it sounds like we have the first large fine with Google, BX are being fined $57 million dollars, particularly, I know you’ve mentioned this a couple of times in some of the comments you came back Davi that, is this the year that CSO goes to jail? But I mean this is kind of a start over. I mean we’re actually seeing fines now. From your perspective, I mean, what do you think this means? How do you see this playing out?
Davi:Well, I’ve written several blog posts about this. Let me condense into, for me what the main point is. I feel like the Facebook CSO was a tragedy after tragedy after tragedy and held very little personal responsibility. But GDPR is a manifestation of his arrogance in the European market. I feel like in 2016 we had a turning point where Facebook was trying to argue to the Belgian regulators directly that they don’t know security, American companies know security, and Facebook in particular as the CSO of Facebook, he would solve things that they couldn’t possibly understand and they came back, I believe that GDPR was passed almost directly as a reaction to that kind of hubris. And they gave a two year window where they said, “Okay, it’s 2016 now. If what you say is true, then in two years we’ll revisit this.” And Facebook got fined $50,000 I believe was the first.
To me is, regulators aren’t messing around. They’re trying to say, “Look, we want privacy to be a human right.” And it’s sort of a coin operated snake oil CSOs like the guy who was at Facebook who show up blathering about all the things they’re going to do to make people safer when in fact they’re not, they’re making the world less safe. And the regulators say, “Okay, if we call privacy a human right and you mess up, let’s see some accountability.” The fines are a start, but I think we really need to go further.
Tricia:Yeah. This is kind of a weird thing to say, but I was excited to see the fine come out. I know out in the field there was a little bit of a hesitation whenever we started talking about GDPR that is this actually going to matter? Is this something I really need to deal with? And you know, I’m here in New York. I’m dealing with businesses who have global presences. So GDPR affected a ton of people that I’ve talked to. Now that it’s heated up again, it’s nice to see that there is some follow through. I agree Davi, I’d love to see it go further than that because privacy is a human right. We should be fighting for that. But at the same time I think what it is doing is bringing it back into normal people’s mindset that, “Hey this is crazy.”
Now they’re taking time to learn what GDPR is, even if they’re not in the space. And you know, security awareness is the one thing that I talk about more than anything. I think there are going to be some nice takeaways from that. I think it’s a good start but I’m sure the U.S. is coming with their version of it too.
George:They already are. You have the California consumer regulation, Illinois actors, many more. But I’m gonna take a different perspective on this. When I saw that fine, I kind of laughed for two reasons. Number one, it’s 57 million to Google. That’s a slush fund, let’s face it, like that’s their happy hour. My question is this, was it a regulator who needs funding that put a number out there that said, because what’s that number based off of, right? I mean everything that we had read before was four percent of overall revenue or you know, $20 million euros, whatever it may be. That number just seems to be a weird number to me and I want to know how they’d arrived at that. Is it a number that Google might just go, “Screw it, we’ll just pay that.” And then move forward or is it a number that Google will look at it and go, “You know what, I’m not down with this. You’re coming after us just trying to get money for an infraction that you believe happened.” I’m not really sure where all that is coming from.
I do believe, I’m with you guys when it comes to privacy being a human right and all that. It’s all good. I understand that. I think a lot of the onus comes back on the humans though and how they share their information. Something that I always like to say is that like, again, I’ve got a couple of kids, and with my kids, they understand privacy way better than adults. It’s so funny, that’s why all kids are running to Snapchat instead of Facebook because your grandparents are on Facebook and every good meal there they have they’re like this. They can’t even sit and watch a concert, like I take my kid to a concert, half the parents have their phone out the entire concert instead of watching the show and they’re streaming it on Facebook or wherever else. Where Snapchat brings some more privacy of things, I don’t know, I’m with you Tricia, where I hope that we learn something from this. Like I want to know exactly what the infractions were.
I read everything about the androids and everything else I want to know how they derived at that number, but then most importantly I want to know like how I can protect our company Sumo Logic against something like this and learn because I believe we’ve been best level of effort. We have a DPO. We’ve been doing this for a couple of years, I just want to know if it’s bullshit or not.
Ben:Actually I’d read a couple of places that they would start with the big guys to kind of make a point they were not going to go after smaller companies. I think they’ve already came after Davi. He just disappeared. There he is.
Davi:George that’s an excellent point, but I think two responses there, we would probably give away too much if we showed people how to calculate fines because then they start the reverse engineering so they can figure out how to get the exact fine they want. I think there’s a bit of secret sauce there and more to the point, I don’t think the fine really means anything to the regulators. They’re trying to make it mean something to the regulated. They’re testing the waters by, and we see this with the FTC for example, what is an unfair business practice. They tried to sort of see how big a fine is necessary and they start with small ones and they ratchet it up until they get the reactions they’re looking for. It’s kind of an art or a science. And on the flip side I would also say, I’ve gotten down to DC and I’ve been working on lobbying around a lot of these issues.
Just another thing I do and meeting with these lawyers, it’s such a conservative slant right now where I get like, I’m talking to like 50 to 100 lawyers in the room. We were talking about the GDPR and there, and actually people in government as well and they’re saying regulations are going to stifle innovation and GDPR is going to kill technology and I’m thinking as somebody who is inside making the sausage every day, they got it completely backwards. Like a GDPR regulation for me is helping me drive massive innovation projects. I’m working on encryption like never before. I’ve been building key management systems now like never before and GDPR is like a godsend to the security industry in terms of how we can innovate. It’s like get to the moon, to the rocket industry. Without that, without the regulation of getting to the moon, people are building rockets that barely get out of their backyard.
For me this is, the fines to me are sort of a game. You’re right they are low, but I think they’re sort of like a, an experimentation and we’ll see what happens. Maybe if jail comes out, that’ll be even more effective. I don’t think it’s about the money, but I really am glad that we have regulations that help us improve security.
Ben:Something that brings to mind Davi what you said. Go back to the history here. I just been reading his book called The Poison Squad and it’s about how they created the FDA and it’s, people were putting all sorts of crazy shit in food like formaldehyde and they called it, what did they …
Davi:For the German.
Ben:No. But they were putting all this stuff in food and what was happening was, which I thought was really interesting about it is that what the food manufacturers were saying is like, “Look, they’re putting this stuff in their food to keep it fresh for longer and so they can sell it for cheaper. And so to compete we have to do the same thing.” And so on one hand you had, Heinz went in there and was able to create a ketchup that wasn’t poisonous, crazy idea. And they were able to compete based on that, on quality, but in general they had to have these food regulations so you could set a baseline that everyone could operate from, because then when you have the bad actors coming in there and they were basically competing in some sense because they have that freedom. It seems to me like you’ve got a lot of the same thing here with the kind of data security data ethics lane is like if you don’t at least set a baseline.
Davi:I mean it’s so true, but I just have to point out that the FDA was created as a reaction to a 1906 book. That was The Jungle; and The Jungle was about working rights. It was a socialist manifesto essentially that said that people have unfair working practices such that they can be killed in the process of making meat, like they literally could fall into the grinders and then come out hamburger and people would eat it. And so it was talking about working conditions and regulation of working conditions to make workers safety. And the U.S. government translated that by 1930 into making food safer. And workers really didn’t get anything, so there’s an interesting twist to that story that they regulate the things that they are most self interested in.
George:Well see that’s part of the problem right though is like, by the way you brought images of the Golden Compass, Kingsman right my head for those of you who’ve seen it, of the big grinder scene or Fargo, which is insane, but let’s go back to some of the things that you were saying about the fines. Look, it matters. It matters what that sauce, it matters how you put it together and it matters what you’re doing because I’m with ya. Like GDPR helped fund some things for us internally as well to get better at what we do. We went back and refined a lot of our policies, not only from a perspective of, people always think when you go back and look at policies, it’s to make them tougher. It’s not. It’s actually remain agile and see if they make sense. Right?
You don’t want policies to be TPS reports, something that people just do over and over again, but at the same time, people have taken this out of control. Like half the people that send us their DPAs, DPAs are garbage, they don’t even know what they’re asking for, what they’re doing. They don’t know the difference between a sub processor and a processor and a controller. And so that’s why there’s also this perception that is stifling business and slowing things down. I think it’s lack of education out there and so it’s really irritating when you sit on the other side of the table and you get these things coming in and you find yourself slowing down because you do have to spend a lot of time trying to educate people who are a little bit more stubborn about what’s really happening and how you could come to a common agreement to be able to do business together and protect their data.
Because ultimately that’s what we all want to do. We want to make sure that all of our privacy is being protected and especially when you are a processor and you’re taking someone else’s data, you want to give them a level of comfort that you’re doing the right things.
Ben:I want to put something to you guys so particular on … One of the things I’ve been able to do on this podcast as I’ve talked to a lot of people about data ethics in particular had Cathy O’Neil and Virginia Eubanks who just got an award actually. There’s several people that came on and talking about, thinking about the implications of how you use data and algorithms and things like this. I’d definitely be interested to see how you guys think about it because there’s the two aspects of the, there’s multiple aspects. There is the regulatory aspect. There’s the securing your customer’s data because that’s the right thing to do, but there’s also this idea about data ethics about how you use the data, how you approach it. How do you guys come at that from kind of a security practitioner’s perspective?
Tricia:Oh man, I have so many thoughts here.
George: Come on Tricia, come on.
Tricia:From a data ethics perspective, I 100 percent believe that it needs to be clearly defined to everyone who was involved, what we’re going to be doing with our data. I think that was the problem with the large issue that we dealt with last year. People don’t understand, especially when you’re dealing with consumers, they don’t necessarily understand where their data is going. They don’t know that they’re clicking on this little quiz that they think is silly and really what they’re doing is people are mining their data. That’s a problem. We need to make that absolutely clear to people, and this is where the tech giants are going to have to step up, in my personal opinion. Some of them are already doing it, but it needs to be more. From a business perspective I think it’s the same thing. I mean the whole reason that Shadow IT and unstructured data and all of that is a problem is because we don’t make that as easy to understand for someone who doesn’t live in the bits and bytes world.
Does that make sense? Data ethics, this is a very hot topic for me if you couldn’t tell because we, it comes down to the awareness. We have to be able, I 100 percent believe that the people who are putting their data in have the right to understand what they’re doing with their data, if they decide they don’t want to use the service, that’s fine, but they need to be able to understand what that is before they sign up blindly.
George:I agree. One of the things that I’ll say here too, and I think Davi, you and I have always kind of agreed on this. I’ve always looked at Davi as being one of the most ethical security leaders on the planet. It’s also what you do when you make a mistake with that data. Okay. And it happens, we recently had an incident ourselves where the data was, that belonged to someone was actually exposed to someone else because of a human. Okay. And it just happens. You can’t control it. But a few things that were positives out of this. Number one, the human who did it stepped up and said, “I did this.” Okay, number two. A lot of kudos to my team. We reached out to the person who got the data and said, “Listen, this isn’t the way that we typically do things. Walk us through how you delete that data, let us know what your process is.”
That was pretty quick, but then even I think even more powerful, we’ve got on the phone with the customer whose data was exposed and it was nothing big. I mean, so don’t start going crazy, I think it’s consumer logic that’s done all this stuff, it was like a couple of IP addresses and a couple other things. We got on the phone and said, “Look, this is what happened. This is what we did. This is what was involved.” And I think just ethics across the board when it comes to security, just general human behavior is one of the best things you could do. Because you’re going to make mistakes and nine times out of 10 it’s going to be the human that makes the mistake, but you step up and you’re transparent about that mistake. I mean, Davi, I don’t know what you think about all that, but that’s usually the right thing to do, right?
Davi:Transparency is everything. Science is based on the accumulation of knowledge and knowledge is transparency and I always try to encourage people to think of privacy in adverse to knowledge because it’s … Everybody sort of talks about privacy is like this sort of ultimate goal that we should all get to, but you have to understand that you’re losing knowledge the more privacy you have. It’s not easy. It’s a very complicated problem and ethics is naturally very complicated. We have a sliding scale. I just ran into this the other day. I meet with CSOs and sometimes CEOs all the time traveling around and I’ve inverted a funnel, for example, I said the best ethical model for security, as you say in a disclosure, is you start with a small team. You go through basically a hidden layer if you will of a lot of decisions being made, but ultimately you want to get out and make it public and that’s why we have CVSS. That’s why we have CVE.
20 years ago these were debates about whether we should talk at all, but those are settled and now even have bug bounties and we have stuff we’ll probably get to. But the issue here is you want to get to where you’re sharing because knowledge makes us safer and I just had a CEO the other day, I was talking to one of these very successful leaders and he was like, “But surely there are things you just never ever reveal.” And I was like, “Okay, I don’t wanna know anything else about your personal life. Honestly I just …”
George:That’s funny though. Tricia, I mean you obviously you’re on Twitter and things a lot. Then you guys have a bunch of customers as well too. When it comes to transparency, what are you seeing because I think the world that Davi and I came from, like I don’t want to divulge my age, but when we got started in this, I mean no one talked about anything. It was always like, “Oh, that guy, oh that company.” And it’s like, you know what? That’s going to be you one day. What are you seeing amongst your peers? Do you think there’s more transparency today, which is an ethical thing? Or are people still kind of keeping everything close to the vest?
Tricia:I think it definitely depends on the industry. Some industries are just by nature a little bit tighter to the vest because they have to, depending on the type of data that they’re housing, all that kind of stuff. I think there is definitely, since we have become. I’m trying to think of the term here, it’s all mainstream now. Breaches are mainstream, they’re getting air time, which is awesome because now it’s like I said before, it’s coming down into the normal user, there is a lot more transparency between companies and their customers. I think even with when we were talking about GDPR, I mean I got 8 million emails explaining why my data was going to be used for all these things that had been signed up for. I think-
George:-May 24th by the way, it was May 24, I think this needs to be cleared.
Tricia:Yeah. I think it depends on the industry. Some of them are more open than others, more collaborative and I think it also depends on the leadership. If the C-levels and the board understand security and understand what it means and understand how important it is, there’s way more collaboration. If it’s not that, then it is a little bit closer because the security team doesn’t necessarily know how to communicate that to the board, which tightens itself off.
Davi:There’s such a perfect example of this in Microsoft in that they were the biggest bullies in the marketplace going after people who leaked any kind of IP or had any kind of secrets about them. They wanted to keep it super, super secret in order to be successful. There’s even a question in the chat box about, is there a secrecy that makes people successful in a business sense, but today Microsoft is, Linux is our operating system and it’s open source and Azure runs on a transparent system that you yourself can validate and we have all kinds of third party validations. Everything is open. Microsoft has flipped completely in trying to say a better business model is transparency and to your point Tricia, Gates in 2001 said, “I screwed up by not listening to my security team and the worms and the pain that people are suffering is because I wasn’t really being open about the flaws we had and I wasn’t being a good listener to the people telling me to fix it.”
And that transparency, that openness, allows for a more scientific model of security where people can judge, if you will. You get better collective bargaining if people have the knowledge to know what’s going on.
Ben:It’s really interesting guys. I mean it’s, when you bring up Microsoft, I mean that transition they’ve gone through is absolutely amazing.
Ben:When I started in the software business in the mid two thousands, we just, Microsoft was the bogeyman and then I remember when they bought GitHub, it just hit me. I’m like, “Oh, Microsoft isn’t the bogeyman anymore.” You really can change that if your leaders at the top take it seriously.
Davi:You just got to get rid of Gates. That’s all it really is.
George:They got smart though, right? I mean like if you just look at their business model and everything over the years. First, to Davi’s point, I remember like you’d figured out all these buzzwords of Microsoft and then you’d get these KB articles left and right. And then they were the first ones that really started lining up for patch Tuesday and then they just grew over time. And then I also give them a lot of credit, because sitting at VMware way back in the day. Yeah. I’m going to blast on VMware a little bit right now. If VMware would have liked thought about things the same way Microsoft did, they could be number two in the market today as far as public cloud. It could have been VCR to VCR type workloads, but they didn’t. Microsoft is constantly reinventing themselves. Gates or not. It’s just what they do and they’re just really good at being the best number two on the planet.
Davi:That’s a good point. Well, I’ll make the transition that you guys were kind of hinting at. So one of the things that George you brought up is the importance of bug bounties. And I like to transition here because there’s some very practical things it seems like you can do to maintain the openness here and reach out to the community. Talk a little bit about that. What was on your mind when you wanted to talk about that?
George:Yeah. A few things. First one is again, we believe in transparency and I know like a lot of people had seen while playing cringe when they hear me talk about some of the, in public about some of the incidents that we’ve had. There’s a difference by the way, between incidents and events and so we were getting events quite often about two years ago and what an event was we get independent researchers who would send our team like an email or open up a support ticket saying, “Hey, we found the cross scripting vulnerability, give me a Bitcoin now.” That was pretty much the essence of it and that takes triage, I mean, you got to respect every one of those coming in. You’ve got to take a look at it and it takes time. And 99.9% of them were just untruths.
And then plus our regular pen testing just didn’t really seem to be doing the job. It was like a compliance checkbox necessary but really not finding anything. And we were giving people extended rights and everything else to hit the platform. And so we started looking at the idea of bug bounty because we were like, “Look, if we get these threats.” Because that’s the way I took them, “From independent researchers saying that they found something, what we can do is put them into the bounty.” And that way it’ll make us better and will also raise eyes from a development standpoint as well too, because you can start tracking whenever certain developers or certain business units within development have more bugs than others. Now it’s not an easy thing. I can get into detail about some of the things that you should look out for. There’s definitely lessons learned, but I think that kind of transparency is great.
And then the last thing I’ll say on it before handing it over to the other panelists to get the discussion going is you’re transparent with that. We have a self service portal where we actually published our results and say, “Look, this is what they found.” And they find some interesting stuff because they want to get paid. They’re highly motivated. In fact, last quarter we had a virtual social engineering bug that was found and it was incredible. It was just really cool to see how they got to it. And so I think it just makes you better as a whole. You’re transparent with it. You let people know this is what you’re doing and hopefully it builds trust because, Tricia and Davi it will be great to get your take on this.
A lot of times, when we first started our bounty programs about a year and a half ago, people would be like, “Oh, you’re opening up the keys to the kingdom. You’re making yourself less secure.” And it’s like, “No dummy. We’re being transparent about what we’re doing and we’re bringing in professionals to actually hack our stuff, look at it the other way.” It makes your privacy, your data more secure.
Ben:Davi you want to take a shot at, what do you think?
Davi:Well, my first reaction is always like, I don’t like the idea of a bounty as a motivator. I mean we find a lot of researchers who want to just improve things for the good of it, it’s almost like the open source community. People are making commits because they want to fix bugs and actually have the power to make commits. It’s kind of funny when you look at the way that we position this as a bounty and people need to get money and we need to like protect their right to make, in a gig economy sense that makes them money on the side by throwing some stuff against the wall and seeing if it sticks. There’s the old concept of MEECES: money, ego, entertainment, cause, entrance to social groups and status. And MEECES was a play on-
George:That hurt, didn’t it? That hurt you, didn’t it?
Davi:Yeah. MICE is more, is easier, MICE is money, ideology, compromise and ego and MICE was the old FBI standard for what motivates people. Money is right front and center, is the M, but egos there and status and social entries, social groups, causes. Do we have bug bounties really for people who are on a cause, what are we rewarding them? I think my first reaction is always like I get the market argument, I get that some people are motivated by money and stuff, but I don’t think it represents really the way bugs should be triaged. And I also think it’s an odd way of trying to shift to a gig economy. If you don’t have control of the flow, there’s tons of noise that comes in. If you just open it up and aren’t clear in what people should be working on.
Ben:How would you change it? How would you do it differently that they wouldn’t?
Davi:I don’t have to do so much of that because of the bug bounty programs themselves have realized this and they’ve augmented their essentially automated flows of bugs with human operators, in the same way that Facebook had lots of damaging or Twitter for that matter. Lots of damaging information being used. Well, let me back up a step. Humans, like computers, have bugs and so people tweeting and often cases are trying to trigger reactions. Their [volume 00:40:14] testing in the human sphere, and so you’re monitoring that, filtering that and trying to figure out how to stop that. The way that it’s been changed as people put more intelligent humans in that process, in that flow to watch. As the bug flows come in, you start saying like, “Well this isn’t really relevant stuff, we’ll just throw it in the dumpster and say try again.” Or you’re on the wrong asset.
You’re not even hitting the right assets. We asked you to test this thing and you’re over here on this other thing that needs to be recategorized. We’ve added human thought back into it, which I think is a good step. I think we’ve also started to realize that a lot of people operate on not just monetary objectives like winning an election is, perhaps even more important because it has monetary impact later, but it’s not just about money. I’ve actually always said that there’s three categories we have to work through and money is the lowest threat always because you can get people, you can pick people off by just offering them more money, but when you get those social issues and when you get to issues that are embedded like race or color, creed, religion, stuff like that.
Then you get threats that are motivated by completely different things and bug bounties I feel like are just scratching the surface on how we should triage bugs in this space, but I’m all for them in the sense they legitimize the pursuit of knowledge and they allow people to safely communicate that they found things that need to be investigated. But beyond that I find that to be overly emphasizing money and quick gig hits.
Ben:Geez, instead of taking a long time to get to the fact that you agree that they’re a good thing, god. Tricia, but that was good, Davi, I get it. We’ll talk about the money side of it. But go ahead Tricia.
Tricia:No I’m a fan of bug bounties. I love following the big bug bounty people on Twitter and seeing what they, Katie Moussouris and all that. I love reading. What they’ve done, I think their work is really commendable. The only thing I will say is it takes a pretty mature organization to be able to deal with that. And so a lot of the people that I talked to may not necessarily have the people or the processes or the technology in place to be able to deal with the reverb of a bug bounty. That would be the only other thing, the only negative. But I do love the community aspect of it I think it’s really nice to see what everyone is working on so that we can, as Davi mentioned before, we can work together as a community and only move up, you know what I mean? If we’re working on similar … If similar companies have similar problems, then let’s fix it. Let’s fix it all now and then we can keep moving forward.
George:Yeah, I think, there are definitely negative aspects. One, like if you try to run it yourself, the triage can be crazy. Like Davi was alluding to that in that beautiful speech you gave for five minutes there, that it’s true. All of a sudden you’ll have, everyone is being driven by money, so they’re going to want to get paid. They’re going to score their shit way higher than it actually is because every organization’s different, their CVSS scoring may be way higher than an actual impact to your organization. The triage can be crazy; you’ve got to be –
Davi:Bug bounty people are motivated by money. That’s kind of my point. You’re attracting people who want money as opposed to attracting people who really want to help you fix the things.
George:Agreed and look, and I’m all open, all open for another way to do it, but right now this is the best way that we have found to do it is to get people who are highly motivated by dollars to hit our environment to make it more secure and little bit more transparent. I’m with you. I wish I didn’t have to pay for it. I wish I could just send you some swag, man, ’cause that’s what I used to do back in the day. Back in the day when someone found a vulnerability, it was usually a good independent researcher that said, “Hey listen, we’re not going to expose this to anyone. We just want you to know.” They’d show us the steps that it took to get to that. We would recreate it and we would send them some swag and they’d be so thankful, man, they’d be like, cool.
Davi:We still do that and I think it still works, but it’s like it becomes a self licking ice cream cone as we used to say in the mainframe days. The bug bounty system creates a class of people who think they can make quick money by doing bug bounties and it’s almost like the quality goes down as more people come in just to make quick money. Whereas the swag pack folks are working on their PhD and they really care about this product they’re using and they’re like, “I just hate the way it’s doing this. I’m going to self invest two or three days of my own time to try to figure out this problem I’m having with this product and then I’m going to send it in and I don’t really need money. I just want it to work better.” We still see that, but you get those out of hackathons. You get those out of user group mediums. You get those out of dedicated religious followers. You don’t get those out of, “Hey everybody, I’ll pay a dollar if you find something.”
George:I don’t know, I’ve got a disagreement man because I think a lot of the people who actually work in full blown bug bounty programs, they care. Yeah, they’re getting paid, but who doesn’t want to get paid for their craft as well too. It’s a good argument, like if you want people who are ethically tied into what they’re doing and they’re trying to make things better, I’m all for it, but at the same time as well too, if someone is talented and can really help you step up your security posture in that way. I’m all for that too and I’m like really thrilled with the way that our bug bounty program’s gone over the last year and a half, ton of lessons learned. You guys both brought up a lot of stuff, the triage and everything else having to pay people money, but here’s something interesting that we did and for those of you who are listening as well too, we don’t do external pen testing anymore.
We do internal stuff because we’re not going to hand off the keys to the kingdom, but it’s all the external stuff, is now is about a bug bounty and so we replaced traditional pen testing with bug bounties. Here’s the other thing we do too, is like whenever marketing, no offense man, no offense to my marketing friends out there. Whenever they want the 15th product that we have to vet out, a new website or a web content site or whatever it may be. We just add that into the bounty. Then that way we have that taking place at the same time too, which alleviates pressure off of our team and external entities as well.
Ben:If you guys weren’t so slow George.
George:No that’s a fact. He should say that, he should because vendor management and vendor process sucks. Man. It’s tough on both sides because you want to do what’s right by the company and have oversight and governance, but at the same time you’re dealing with so much different stuff that it’s hard to vet it out early and sometimes this helps out tremendously. But what he said, Ben, thank you for that and it’s true. We shouldn’t be slow. We should find ways to make ourselves more agile and that’s what I feel bug bounties have brought to the table.
Ben:I mean, honestly, I haven’t been able to move past this self licking ice cream cone.
George:Look man, there was a funny comment about Davi just now in the chat. They called you a socialist, but you know what? And this is one of the things I love about this guy and I’ll go to war with Davi for Davi any day because he looks at things the right way. He tries to look at the human aspect first and sometimes it’s easy for us in this industry, and any industry to forget about that, so thanks for being you Davi. We’re not going to agree on everything. You are going to give long tangents about things, but we all get educated from it.
Ben:Davi you knew that The Jungle was a socialist manifesto …
George:Welcome to the jungle baby. I hear him talk about Guns N’ Roses that’s like the [inaudible 00:47:10]
Ben:This everything right there that says everything you need.
Tricia:It says everything right there man.
Davi:I’ve spent so much of my time trying to convince people I’m conservative and they just don’t believe it, but I come from a different line of conservative thinkers I think.
Ben:Can you be a conservative socialist?
Davi:Oh, for sure. There’s a spectrum of socialism. Karl Popper is a good example of that if you really want to dig into and how he had differences of opinion with the other socialists in Vienna. Yeah, and he really revolutionized philosophy and science as well, but they’re very different shades of socialists. Yeah, for sure. But I’m way more conservative than they are.
Ben:Oh, this is good. I am glad you guys finally disagreed, you were agreeing too damn much. That’s good.
Davi:George is just wrong about the bug bounties, but I don’t want to go too far into it.
George:When do I see you next?
Ben:At least his head is shiny, I’m sorry gleaming.
Davi:Let me give you an example from a slightly tangential issue, but it’s still the same idea. When we talk about active defense, and I used to do a lot of work in the sense of hack back and active defense as a bounty. In American history we had this period in which it’s called letters of marque and other things, but you basically get authorized to go out and attack. In the same way, you might be authorized to attest or break in or hack, there is this famous case in American history where there was a ship that was sort of letting out and it had a British flag or whatever. And so this American ship comes up and attacks it so it can take the bounty and deliver it basically for a reward and another American ship saw and instead of coming up and with two American flags, helping in and taking spoils as half and half. They flipped up a British flag and they fought off the other American boat and it disappeared, and then since it was already so damaged, they flipped up the American flag took the British boat for themselves and tried to claim it as entirely their own.
And so this is why I think if we focus too much on bounty systems and money systems as a motivator, we lose sight of the fact that they’re fundamentally flawed systems and how we get people to do things in a predictable and reliable way for good. It becomes highly fraudulent. Take for example, a government worker right now who could be basically taking all of the bugs that they’ve been working on which have been secret and they’re not allowed to disclose them. Creating a fake persona and using bug bounties to get enrichment because they’re basically desperate for food in America. Bug bounties have a dark side that we have to take into account and I think that they’re a good step. I think that they’re effective in some ways and we do get very, very good bug report, some research, but we also get the sort of long tail of fraud and garbage and noise and we have to be careful that we don’t over emphasize.
George:So again, he said he thinks they’re a good thing and now look, you gave me an idea, for those of you out there that are part of this government shut down, which is probably going to happen again in three weeks. Join bug bounty programs, get paid.
Davi:Okay. Let me put it this way. The reason that they can go for so long and they can actually get convictions is because they don’t have to disclose things on a short cycle for pay. They have a guaranteed paycheck and they’re working on it and if it takes them 10 years to finally get the bad guy it’s because they really spent the time and took the patience to not just rush out and get a bug. That’s another way of looking at it, if you really win something that isn’t just financially motivated on a short term, but on a long term scale, then you just get better outcomes. I’m not saying bounties are bad, I’m just saying the way you manage them can be very dangerous and I think over emphasizing them as your only tool can really ruin you, I’m not saying they’re bad at all. I’m just saying you’re wrong.
George:I never said they were our only tool, you’re a tool, aren’t you? I’m just a tool in a security world. That’s what I meant to say. This is part of an overall ecosystem. Look, a bug bounty is not going to be like the single bullet to success. It’s just a matter on how you put everything together and I’m sure Trish, you guys at Optiv see a lot of different things too, but it’s another layer of defense that I truly believe in. I think it makes everyone better.
Tricia:I do too. We see all kinds of stuff like that. I mean, we have a huge AMP practice here. We do the full blown customer engagements that someone could look at as a bug bounty program here that are decided upon with many customers before. But I do like the idea of a bug bounty program, as long as you have the agility and speed to fix what happens as it goes on. That’s it.
George:Thanks. See, I think Davi, we’re all in agreement here.
George:Eventually it’s a good thing. Sorry. Ben.
Ben:Okay. I gotta make one mistake just to keep the bar a little lower. I was going to give you props, Davi for actually bringing back to the first topic. That was well done. Bringing it back to the government shutdown.
Tricia:Nice call back there.
Ben:Okay. What are we going to do here. I’m gonna try to put a bow on this thing and give you guys a last word. What I want you to think about is what is the one thing that you’re thinking about this year that you don’t think other people are thinking about? Like what’s that one big security issue that you really don’t think enough people are thinking about, that maybe is not on other people’s radars, that you want more people to be thinking about. Who wants to go first?
Tricia:I’ll take this one. I think one of the biggest things that we’re going to see a lot of or hope that people are thinking of is definitely going to be around privileged account management. Identity is the new perimeter, right? It’s no secret there, but you know, at the end of the day if you get into a privileged account, you do have the keys to the kingdom and I think that this is … If there was one thing that you’re like, man I really should be working on this year. I really think it should be PAM or some for, like getting your identity practice up to where you can implement a PAM solution. But yeah, that’s it, identity for me.
Ben:Go ahead Davi.
Davi:Oh man. For seven years I’ve been working on this issue of learning systems being fundamentally flawed and I know more and more people are thinking about it, but I used to tell people Facebook sucks, Uber’s garbage. Tesla is going to crash and I got no support like I got executive [inaudible 00:52:59] …
Davi:You’ve got to shut up because we love Uber and everyone should use Uber. That’s changed fundamentally, I still think I’m thinking about things people aren’t, but I am telling you now that when they’re doing things wrong, they are killing people and the flaws and learning systems are so bad. The integrity issues are so bad that people are moving ahead too fast and we have to regulate better, but we don’t have anyone who understands how, including myself, seven years I’ve been working on this stupid problem and it’s really hard to figure out how to make data safe for learning systems that aren’t used by people who are such risk takers as like an Elon Musk is or [inaudible 00:53:33] that they just don’t care and they just don’t mind killing people if they can get a buck.
I’m thinking about ways to make integrity of data so safe that the AI and ML that we’re going to be putting on top of it isn’t going to go out and make horrible decisions that really cause civil rights issues and mass starvation or death. It’s a tough problem to solve and people I see working on it typically get it wrong. Mathematicians, they don’t understand the human condition well enough.
George:Yeah. And so I can back you up on that. You have been saying that for quite a long time. I remember like when we were both together at VMware and Uber first fully started getting launched. In fact, there was a VMworld in San Francisco where they were giving us free rides. Remember that in black cars you were like, “This is bad! This is bad!” And so a lot of props to that. For me I think there’s nothing that I’m thinking of that anyone else may not, because I think they’re all common problems, but I’ll tell you what’s on top of mind for me Ben, is this whole notion of AWS cannibalizing their partners. It’s bothering me. It didn’t bother me that much over the years. I’ve always been a fan of AWS. I’m still a fan of AWS, but the more that they cannibalize their partners and the more they start competing with just the entire planet and all of that data is going to AWS, the bigger of a problem that’s going to be.
And I don’t care how controversial that sounds, I’m just tired of it, this year may be my last re:Invent, just going there and you just look up and everything is a competitive product to someone else. It’s like when does it actually really stop with these guys, and how far are they willing to go and how far are we all willing to go? I am a user of Amazon prime. I love that. I think it’s a good competitive market. I think Wal-Mart’s done a good job and trying to catch up with them, but I got eyes on AWS coming up this year.
Davi:That’s an amazing point too. Because I think one of the things that came out about learning systems was Prime was deeply racist and Amazon fixed it, but they wouldn’t admit why it was racist or how they got there. It would not serve Black communities or colored communities and Prime is just exclusively for Whites and so that’s, as a tangent to that. But back to the main point, Amazon wasn’t really ethical in the sense that you would expect them to be as a pipe, right? They’re such an infrastructure play, but they’re not really ethical in the way that a pipe should just be neutral. They’re like going after people that are on their pipes and trying to surveil and take away their business and-
George:-Now that you …
Davi:Yeah. And that makes like your electric company your competitor. Do you want feed from the electric company if the electric company is basically going to take your business away when they figure out what you’re doing? I’ve had more and more people coming to me and say, “Microsoft has my trust. Get me out of Amazon.” I mean, cloud to me is like the last thing I’m trying to work on this artificial intelligence thing, but I get people come to me and say, “You know cloud, get us out into the Microsoft.” And that blows me away that Microsoft is so trusted, I’m like, “What?” And I want to get out of Amazon.
Ben:Well, I have a couple of conclusions out of this. I want to hang out more with you, Davi, you made me laugh.
George:We’re chopped liver, Tricia, you get to see me all the time, but I personally want to hang out with Tricia more, I’m gonna see you in two weeks. I’ll meet you in person in Denver. That’ll be cool. Yeah.
Ben:And thank all of you guys for coming out. I think this was a lot of fun. We can do this again. I’m still going to be thinking about the self licking ice cream cone for days.
Davi:The mainframe and that mainframe’s on.
Ben:And for all of those you listening, we’re going to take this bad boy and we’re going to mix it into a podcast and put that on mastersofdata.com. Go check that out. And we’ve got a lot of other good interviews on there, actually one with George already and Tricia and Davi you have an outstanding invitation to come on and do some one on one interviews. I’d love to do that with you. And thanks everybody for joining and have a great weekend.
George:Thanks guys. Take care, great job.
Speaker 5:Masters of Data is brought to you by Sumo Logic. Sumo Logic is a cloud native machine data analytics platform, delivering real time continuous intelligence as a service to build, run, and secure modern applications. Sumo Logic empowers the people who power modern business. For more information, go to sumologic.com. For more on Masters of Data, go to mastersofdata.com and subscribe and spread the word by writing us on iTunes or your favorite podcast app.