Jesse Rothstein, ExtraHop | AWS re:Invent 2018
>> Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners.
>> Hey, welcome back. And we're live here at Las Vegas AWS re:Invent 2018 live coverage from theCUBE. I'm John Furrier. Dave Vellante, my co-host, wall to wall coverage. Dave, six years covering Amazon, watching it grow. Watching it just an unstoppable force of new services. Web services being realized from the original vision years and many, many years ago, over a decade. Jesse Rothstein, CTO and co-founder of ExtraHop, our next guest, welcome back to theCUBE, good to see you.
>> Thanks for having me.
>> So first of all before we get into the conversation, what's your take on this madness, here? It's pretty crazy.
>> You know this is, I think this is my sixth year, as well, and this show must double in size every year. It's enormous, spread across so many venues, so much going on, it's almost overwhelming.
>> I remember six years ago, we used to be on theCUBE, and I think we just kept the stream open, "Hey, come on up! We have an opening!" Now it's like two cubes, people tryin' to get on, no more room, we're dyin', we go as hard as we can, 16 interviews, hundreds of interviews, lots of change. So I got to ask you, what is your view of the ecosystem? Because back then, handful of players in there. You guys were one of 'em. Lot of opportunities around the rising tide here. What's your thought on the ecosystem evolution?
>> Well, of course the ecosystem has grown, this show has really become recognized as the pre-eminent Cloud show, but I see some themes that I think have certainly solidified, for example I spent a bunch of time on the security track. That's the largest track by far, I'm told. They're actually breaking it out into a separate add-on conference coming up in the summer. So clearly there's a great deal of interest around Cloud security as organizations follow their...
>> Did they actually announce for that security conference?
>> They did, they did.
>> Okay, so Boston in June, I think right?
>> June, that's correct. They announced, I think, I don't want to mess up the dates, June, late June.
>> I think June 26. Breaking News here, that's new information. That's a really good signal for Amazon. They're taking security serious. When I interviewed Andy Jassy last week, he said to me, "Security used to be a blocker. Oh the Cloud's not secure!" Couple short years ago, now it's actually competitive advantage, but still a lot more work to get done. Network layer all the way up, what's your take? Never done.
>> Well, so that's what Andy says, and I think that I would rephrase that slightly differently. Security used to be a blocker and it used to be an area of anxiety and organizations would have huge debates around, you know, whether the Cloud is less secure, or not, inherently. I think, today, there's a lot more acceptance that the Cloud can be just as secure as on-prem or just as insecure. You know, for my view, it relies on the same people, processes, and technologies, that are inherently insecure as we have on-prem, and therefore it's just as insecure. There are some advantages, the Cloud has great API logging, building blocks like CloudTrail. New services like GuardDuty, but at the same time it's hard to hire Cloud security expertise, and there is an inherent opacity in public Cloud that I think is a real challenge for security.
>> Well, and bad human behavior always trumps good security.
>> Well, of course.
>> Talk about ExtraHop, how you guys are navigating, you guys have been in the ecosystem for a while. Always an opportunity to grow, I love this TAM's expanding, huge expansion in the addressable market, new use cases. What's up with you guys? Give us an update. Where's the value proposition resonating? What's the focus?
>> Well you can probably tell from my interests that we see a lot of market pull and opportunity around Cloud security. ExtraHop is an analytics product for IT ops and security, so there's a certain segment of what we do for IT operations use cases. Delivering essentially a better level of service, we attach to use cases like Cloud migrations, and new application roll-outs. But we also have a cyber security offering, that's a very advanced offering, around network behavioral analytics, where we actually can detect suspicious behaviors and potential threats, bring them to your attention. And then since we leverage our broader analytics platform, you're a click away from being able to investigate or disposition these detections and see, hey is this something I really need to be concerned about.
>> Give an example of some of the network behavior, because I think this is a real critical one, because with no perimeter, you got no surface area, you got APIs, this is the preferred architecture but, you got to watch the traffic. How will you guys be specific and give an example.
>> So, some of my favorite examples have to do with detecting when you've already been breached. Organizations have been investing in defense in depth for decades, you know, keep the attackers out at the perimeter, keep the attackers away from the endpoint, but how would you know if you've already been breached? And it turns out, your Verizon does a great data breach investigation report annually. And they determine that there are only nine or so behaviors that count for 90% of what all breaches do, what they look like. So, you look for things like, parts of the cyber security attack chain. You look for reconnaissance, you look for lateral movement, you look for some form of exfiltration. Where ExtraHop is taking this further, is that we've built sophisticated behavioral models. We're able to understand privilege.
We're able to understand what are the most important systems in your environment, the most important instances. Who has administrative control over them, and then when that changes, you want to know about it, because maybe this thing, this instance, in an on-prem environment, could be like a contractor laptop, or an HVAC system. It now exercises some administrative control over a critical system, and it's never done that before. We bring that to your attention, maybe you want to take some automated action, and quarantine it right away, maybe you want to go through some sort of approval process and bring it to someone's attention. But either way, you want to know about it.
>> I'm going to get your reaction to a comment I saw yesterday morning at a keynote on Teresa Carlson's breakfast, her public sector breakfast, Christine Halvorsen, FBI. Said, we're in a data crisis. And she talked about that they can't react to some of these bad events, and a lot of it's post event. That's the basic stuff they need now, and she said, I can't put the puzzle pieces together fast enough. So you're actually taking that from a network Ops standpoint, IT Ops. How do you get the puzzle pieces together fast? What's the secret?
>> Well so, the first secret is that we're very focused on real time network data, and network telemetry. I often describe ExtraHop as like Splunk for the network. The idea requires completely different technology, but the idea's the same. Extract value and insight out of data you already have, but the advantage of the network for security, and what I love about it, is that, it's extremely real-time, it's as close to ground truth as you can get, it's very hard to hide from, and you can never turn it off.
>> Yeah.
>> So with all of those properties, network analytics, makes for, has just tremendous implications for cyber security.
>> I mean honestly, you're visibly excited, I'm a data geek myself, but you made a good point, I want to double down on, is that, moving packets from A to B is movement. And movement is part of how you detect it right, so?
>> It is, so packets itself, that's data in motion, but if you're only looking at the packets you're barely scratching the surface. Companies have tried to build security analytics based on flow data for a long time. And flow data, flow records, it's like a phone bill. It tells you who's talking to whom and how long they spoke, but there's no notion of what was said in the conversation. In order to do really high quality security analytics, you need to go much deeper. So we understand resources, we understand users, we understand what's normal, and we're not using statistical baselines, we're actually building predictive models around how we expect end points and instances to behave. And then when they deviate from their model, that's when we say, "Hey, there's something strange going on."
>> That's the key point for you guys.
>> And that means you can help me prioritize...
>> Absolutely.
>> Because that's the biggest challenge these guys have. They oftentimes don't know where to go, they don't know how to weight the different...
>> So that's one challenge and I think another really big challenge, and we see this even with offerings that have been publicized recently, is that detection itself isn't good enough, that's just an alert cannon, and there was a session that actually talked about alarm deafness that occurs, it occurs in hospitals, and other environments, where all you get is these common alarms, and people stopped paying attention to them. So, in addition to the ability to perform high quality detections, you need a very streamlined investigative workflow. You know, one click away so you can say, "Okay, what's going on here?" Is this something that requires additional investigation.
>> Well, I think you guys are on the right track, and I think what's different about the Cloud is that, you know, they call the show re:Invent, but rethinking, existing stuff for Cloud scale, is a different mindset, it's a holistic. Like, you're taking more of a holistic view saying, "I'm not going to focus on a quote packet path, or silo that I'm comfortable with, you kind of got to look at the bigger picture, and then have a data strategy, or a some competitive unique IP."
>> I think that's an excellent summary. What I would add is that organizations, as they kind of follow their Cloud journey, we're seeing a lot of interest from security teams in particular, that don't want to do swivel chair integration. Where I have something on-prem and I have something in the Cloud. They want something much more holistic, much more unified.
>> Seamless, automated.
>> Much more seamless, much more automated. (laughing) You know, I sat in about five different security track sessions, and every single one of them kind of ended with the, "So we automated it with a Lambda Function." (laughing) Clearly a lot of capability for automation, in public Cloud.
>> Jesse great to have you on theCUBE, CTO, Co-founder of ExtraHop. What's next for you? What's goin' on? What's next?
>> Well, we continue to make really big investments on security, I wish I could say that cyber security would be done at some point, but it will never be done. It's an arms race. Right now I think we're seeing some really great advancements on the defense side, that will translate into big success. Always focusing on the data problem, as data goes from 10 gigabits to 100 gigabits. You know Amazon just announced their C5 accelerated 100 gigabit network adapter. Always looking at how can we extract more value from that data at scale.
>> Leverage to power, leverage to power. Well, we got to get you back on the program.
We're going to increase our cyber security coverage, we certainly will be at the security event, I didn't know it was announced publicly, June 26th and 27th, in Boston. Give or take a day on either side, could be 27th, 28th, 26th, 27th. This is a big move for Amazon, we'll be there.
>> I think it is.
>> Great job, live coverage here, from the floor, on the Expo floor at Amazon re:Invent in 2018, will be right back more Cube coverage, after this short break, two sets. We'll be right back. (soft electronic music)