Buu Lam (00:00)
I'll let you lead the way. We can edit out the swear words. Awesome. Okay. It's recording, so whenever you're ready.
Jon Scheele (00:09)
Okay. So in earlier conversations about DevOps, we touched on automation and API security. Had a great conversation with Chuck Herron, the F5's field chief information security officer. And we're continuing the theme on observability.
So I'm really pleased to welcome Buu Lam, who's come all the way from Vancouver just to see us in Singapore. Welcome, Buu.
Buu Lam (00:33)
Yeah, thank you. I'm glad to be here. And yeah, this is something that I looked forward to once I heard that we were doing this. So really excited to see you again after two years.
Jon Scheele (00:42)
Yeah. And so we're here at Govware in Singapore. And I guess there are a number of themes that come through, particularly about cybersecurity here at Govware.
But I guess from what I see in the environment here is a lot of companies are continuing their move to the cloud, but they've recognized that some of their infrastructure should remain on premise. They're in the middle of this move to the cloud, but they don't want to be restricted to one cloud, so they're a multi-cloud environment. I'd be keen to hear your perspective on how companies can manage that shift and have all the flexibility that entails, but also manage that complexity.
Buu Lam (01:28)
I think F5 has always had a unique position here, and others might disagree, but we've always kind of seen the world in that way because F5 can't do what we do without our partners. And so from very early on, needing to partner with the hyperscalers, but still needing to partner, I shouldn't say still needing to partner, but always having partnered with on-prem virtualization solutions, and then as workloads turn into containers as well, partnering with folks like Red Hat for OpenShift, folks like Rancher in different ways as well, and folks like the container offerings inside of the hyperscalers as well.
When you ask that question, for us, it's always been like that. We've always had to look at the world in terms of multi-cloud and in terms of being able to manage things holistically wherever things are. Early days for us was when everything was homogeneous and you just had multiple data centers that you owned. But then workloads moved elsewhere and it just didn't really change for us. Does it still have an IP address? Great. Do we still have connectivity? Great.
At end of the day, that's where we're trying to move things to and we'll just help make decisions based on security and what you're trying to get after.
Jon Scheele (02:40)
I think your point about partners is really relevant because for anyone looking for one solution, it's not the only solution that they're going to have. And whenever they assess something, they're always going to wonder, does it play well with others? And a really complex CI/CD pipeline and containerization of workloads and then where you deploy those. It's a challenge for organizations to make sure that the mix of technologies that they have already invested in doesn't have to be refactored, replaced when they seek to bring in a new tool or a new practice to help to manage that. So the automation of that is is a challenge if things don't play well with others. But what do you see as how tool vendors need to be thinking when they recognize that they specialize in one part of that whole pipeline?
Buu Lam (03:39)
That's such a good point. How often do we see technologies that are amazing at what they do, but they can't quite figure out how to build an ecosystem, don't know how to really do business development, they don't take it seriously. So you have this wonderful product that is the very best thing at one thing, but it just doesn't work with anything other than their narrow opinionated focus, and then it doesn't go anywhere, or it needs to be acquired and somebody else has to handle that. I think a great example is Red Hat, not to be very specific about vendors, but when you look at Red Hat, at how they have evolved from, we have a certain set of products that do a certain set of things, and then once they opened up their ecosystem to everybody, including F5, even though they have their own things that can do many of those functions, they've opened up this entire world of people where, and right now, without naming any specific situations, people really looking into that platform, it won't go anywhere until we have that ecosystem laid.
I think the hyperscalers saw that as well. The hyperscalers thought that, we can do everything. It's all software. We'll just write it all ourselves and carry all that load. And then they realized, people aren't going to use all of this. And we're not going to be able to bring those workloads over into the hyperscaler until we provide the ecosystem so that that customer who has built out a DevOps pipeline can actually make us a significant piece of it, but all the other pieces that provide their security and opening up that lens to everything else allows people to come over.
Maybe that's the whole thing is opening up that lens. You're very narrow focused. You have blinders on because you've built the best thing in the world, but then you don't realize that in a real ops scenario, if you're running this stuff, you have to be able to do all the things. I'm just thinking of govware, like compliance.
Like if you're government or you're financial and you have to attest that you can do certain things and you don't have the proper recording for it or you don't have all the things that prove that you can do what you say you're going to do, you can't do business. So we'll stop there. So I think some of those people are going to realize if they haven't already that that needs to be built up early. You need to look at who the main players are because at the end of the day that's going to increase your total addressable market. Then you can hopefully thrive from there.
Jon Scheele (06:01)
So for organizations that have already invested in, it's not just the infrastructure and the tools that they've invested in, they've also invested in the skill set of their people. And change management doesn't just mean changing the code, it means changing the way people do things. And when they've already built a dashboard, they don't necessarily want to have yet another dashboard over here, they want to incorporate whatever signals there are from another tool into their existing dashboard. what I've noticed is there's this separation between the data plane and the control plane and how solutions now need to be really thinking about not just I'm going to display everything that I know on this screen, but I'm going to make it accessible to others so that they can extend their existing tools.
What do you see? You live on the other side of the world, so what do you see with the organizations that you deal with?
Buu Lam (06:57)
Yeah. The exact same thing, right? I think it's Security Operations Centre (SOC) and all the processes that go along with it. Although you can't, well actually you can put a dollar amount on it, real value when it comes to those processes, even though it's like a soft cost at times, but it can be a hard cost if it needs to be, that is both a cost in terms of like time to mitigation or discovering what you don't know or being able to not even... the time to reaction if something bad happens.
So all of the processes, if somebody comes along and they can't have this, they can't build into your existing dashboard, as a salesperson, you can't discount your way out of that. Like there's no dollar amount that's gonna tell somebody that it's okay to buy this product and forfeit your ability to mitigate a solution within 30 minutes. Like that has implications that are well beyond the tier of the SOC at that point. That's a C level problem that you've just created because you wanted that thing that does something really well and has its own dashboard.
So yeah, I would say it's, you gotta look at all of the costs, not just the hard cost of that, not even just the soft cost of your time and your processes, but the downstream implications of your business not meeting your objectives of your software.
Jon Scheele (08:20)
So I notice you have a lot of discussion about resiliency. Part of resiliency is the machines being able to manage changes, but then there's also the human element, the observability of what's going on in the environment. So touch on where you see... What are some of the best practices that you see organizations being concerned about with the observability? What are the signals they really look for in order to achieve the performance and resiliency that they really want out of their stack?
Buu Lam (09:00)
You know, I think I've seen, and over the years too, I know we talk about APIs, but we have this heritage of web applications. And for the longest time, we've always used an indicator as far as a ramp up in response time on a web application to give us a signal that, something is starting to happen over here that we need to take a look at.
And so I think continuing to look for that type of behavior and moving on from, and we call it behavioral DDoS, but that might just be a signal like somebody is trying to DDoS you but there's maybe a red herring that they're throwing in the way so that they can execute something else. Those kind of signals are really important to resiliency, I'd say. And even if it's just a slowdown, you still have the ability to access something. Something's happening there that is a change in behavior and being able to observe that is another data point. And I don't think there's ever, I shouldn't say that; I hate, I hate, committing myself to one signal. Just to say that there are multiple data points that you need to look at in order to make decisions.
The work that I do isn't necessarily work in a SOC, but I have to make decisions and those decisions are based on data points and it's never one data point, it's multiple data points and being able to tie all that in together. When it comes to resiliency, that's something that if you have the right signals coming in and you can formulate that. And then maybe with the evolution of AI and being able to start to see some patterns or start to learn how those signals interact with each other, maybe some of that can be automated and maybe then we can also look at additional signals even beyond what we pick up in a SOC, things that we're observing in the environment, things that we're observing like geopolitically and start to tie in. There's some things that are happening, say in the US around November time and that's going to affect things that happen just on a network.
The more of that stuff you can tie in, more decision points and observability and then keeping your application up because you've avoided something that you can see.
Jon Scheele (11:10)
I guess you want to see signals in a logical form because there may be one or two markers that suggest that something is wrong but then you need to be able to drill down to where the actual problem it is so you can't rely on the one signal. In the troubleshooting process you have to take a logical approach to looking at the first thing and then seeing what that's connected to and what may be influencing that. So you need to collect a lot of data but if it's all presented at once to an operator then it becomes just overwhelming.
You can't attend to it all. So, I'm taking your point about the looking for some signals that suggest you should look over here because there's something going on here, but then you also need the detail of what they were drawn into.
Buu Lam (12:00)
And one thing that came up recently is the experience level of that operator, maybe a really well-seasoned operator does know that that one signal actually has a few different elements to it, but a very new operator, level one SOC analyst, might not have that experience and they need to be able to sift through it to pick up and learn from experience there but they won't always have the tier 3 right beside them to be able to mentor them.
Jon Scheele (12:28)
And the tier 3 rep, there aren't many of them and they're always really busy so being able to drive down assistance to that tier 1 level pays for itself quite a lot. Okay, well thanks very much for sharing that, I learned a lot and I hope you your time in Singapore.
Buu Lam (12:47)
Yeah, lovely to be here, thanks.