
Mike Banic, Vectra | CUBEConversation, Feb 2018


(bright upbeat music)

>> Hello, everyone, welcome to this special CUBE Conversation. I'm John Furrier here in the Palo Alto studio, a Cube Conversation with Mike Banic, who's the VP of Marketing at Vectra Networks. Big news coming for you guys, you just had a good year, we love security and I want to drive a good conversation with you because you're in the front lines, you're seeing all the trends. You guys have been doing very well with AI for cyber, you're also impacting IT operations because security is certainly forcing modernization in the IT world, using data, just really interesting stuff. But hacking is the number one threat problem. What's the security trends, Mike, what are you seeing and what's happening? There's a ton of stuff happening, we're seeing ransomware, a bunch of stuff going on across the board, spear phishing to you name it. It's at a rampant pace; no perimeter anymore, a whole new ballgame. You know networking, you know the perimeter, now you're in the cloud, what are the trends?

>> I think one of the things that a lot of people aren't paying enough attention to is the fact that all the systems they have in place are looking for exploits. They're looking for the use of malware, and there's a lot of attacks that actually don't use malware. There may be malware that's used for a specific exploit in the beginning to start it, but the smart attacker now, they sit and they lay low. They watch how your enterprise operates. They look at the tools that you use, and they steal credentials, and then they start to use those tools against the business to steal information or to do damage. And that's something you won't catch if you're using tools that are specifically looking for malware. And that's where using AI to look for explicit attacker behaviors becomes so useful. The other thing is that attackers are on the inside for much longer than people think. We look at M-Trends data from last year that says that the average amount of time that an attacker has gone unmitigated before it's discovered is 99 days. It's actually much longer than that. Those are just the attacks that are reported and those are just the attacks that we have data on. We've seen it actually run much longer than that. And we also know that an attacker can get admin credentials in three days or less. As soon as they get those, they have the keys to the kingdom.

>> Yeah, and you mention hacker groups involved. It's lucrative, it's a whole business, we've seen that.

>> Mike: It's a supply chain.

>> It's a really big racket. Now, networking is interesting because footprints can be left on the network. So you've got encryption, oh, it's encrypted, but you can still get around the encryption. Talk about how you guys do it. How do you guys see the patterns? With encryption out there, you guys have the network footprints, what's the secret sauce, what's the formula?

>> So what we're doing to detect this is we're looking at network metadata. We're not performing deep packet inspection. Deep packet inspection is the approach that a firewall uses or traditional intrusion detection and prevention platforms use. So what we're doing, we're collecting metadata, we're collecting log information, we're collecting cloud events, and we're using all that in our mix of analytics. What we're looking for are the behavioral patterns. So, I'll give you a really tangible example. Let's say you're the attacker, John, and you've got control of my computer, and you've got fingers on the keyboard. So you're using a RAT, a Remote Access Trojan. The way that I'm going to use advanced analytics or AI to detect that is I'm going to look at, first, the fact that my machine's opened a connection to an external IP address. That's your machine. I'm going to look for random silences, those are the pauses in the conversation. If I'm just web browsing, then my machine's going to interrupt all those random pauses 'cause I'm moving from page to page, site to site. If your IP address is always interrupting them, then you're in control of the conversation. Anybody in IT should care when an internal host is being controlled by an external host. I didn't have to read any of the web browsing traffic, any of the email traffic, the app traffic, in order to do that. I did that principally by analyzing network metadata.

>> So this is unspoofable, either, because the network doesn't lie.

>> That's correct.

>> Because the packets have to move around.

>> That's correct. The attacker has to perform certain things. There's no way for them to erase them. And there's a group of companies that tried to apply analytics to logs, and here's the problem they have. If the smart attacker knows that logs are sent in batches, it's like when somebody breaks into your house. They know they have about 45 seconds to get the alarm code right. They know that they have a certain amount of time before the batch of logs is sent up. So if they have admin access, they'll erase the footprint of what they've done on your machine, and there's no logs. If there's no body, there's no murder.

>> Yeah, I've done a few ventures in my day that have been first movers and usually the first movers take the arrows in the back. One of my relatives says, if this is such a great idea, why hasn't someone else done it? So, the question for you guys is it's so obvious that now that you explain it that way that it's a great way to do it. Why hasn't someone else done it? Is it the timing, is it the founding team, is it the approach? I mean a lot of people are in network; you've got Cisco, you've got a zillion networking people. Why hasn't anyone else done this?

>> There's a couple of things that come to mind right away. The first is that people who are in this business already, that want to take advantage of AI, it's really difficult to add it to an existing platform. You really have to start from scratch. And then the second is what you said about the approach. The approach that we've taken is very different than others. So there are people in this business that claim they're doing AI and they fall into one end of the spectrum or the other. They either have this big group of security researchers and they've hired a couple of data science guys and they're trying to solve this problem. Or they have a big data science team and they've got a couple of security researchers. We've taken an approach that's in the middle. Whenever we develop an algorithm, we take a security researcher who has a really strong experience or background in the attacker behavior we're trying to detect. And we pair them with somebody in data science who has expertise in the techniques that are going to be best used to detect that. We pair them up; the data scientist looks at the features that they can find in the network. The features I mentioned before, internal IP to external random silences, they determine what those are, they build the algorithm, and then they run it. Then we put it into precursor mode, just like Hitesh's Tesla has precursor stuff running as he's driving up and down the freeway, we do the same thing with our customers. And then once we see that the efficacy is really high, we release that into production.

>> So it's a combination of timing and the management team's unique problem space that they addressed, and combined with people and data and software.

>> Yes.

>> You're kind of blending them all together, so it's a new approach.

>> It is very much a new approach, and one following the approach that people have taken before. They go in one of those other two directions.

>> I mean if you're a hammer, everything looks like a nail. So Cisco sees everything they do their way, maybe an application developer might take a different approach. So, I buy that, so timing's good. What makes you guys different, what makes you guys think you could be successful? Because, you know, I hear this all the time. Amazon's out there, Amazon could just copy it, you always hear those arguments. How do you guys answer that question; manageability, what's the protection?

>> I think first we've taken an approach that gives us a unique capability that is succeeding against others who are really explicitly trying to solve the cyber security problem. I think the other is that we've been very open-minded about not taking just one approach in a field like data science. We don't just use supervised machine learning, unsupervised. We don't just use neural networks. We use whatever tool is best to solve the problem. The other is, we're not religious about where the product gets deployed. We look at protecting cloud workloads, enterprise private cloud workloads. We look at traditional data centers, users, IoT devices, so we're looking at the threat landscape in a very holistic way. Many of the others out there have a very specific focus as they start, and I think our breadth and our approach is serving us well.

>> The whole value proposition in business models tends to change in these new value utilities, if you will, like the clouds create. I mean Amazon's successful because they never look in the rear view mirror, they just continue to push forward. Sounds like you guys have that same approach, just keep moving the needle with more people, more data, more software.

>> Yeah, relentless, it's day one. It's always day one, just like Jeff says.

>> Alright so you guys are doing good, where do you guys do well, and specifically talk about this malware that was hacking computers and doing money on Bitcoin. Big story that's been in the news lately, a couple of weeks ago, but still it's important. Malware being used for not only hacking your cash, using your machine to generate Bitcoin.

>> That's correct. So we have a set of algorithms that look for things we call botnet monetization behaviors. And Bitcoin mining is one of them. So, if somebody is mining Bitcoin on your computer they're not really stealing from you, they're just stealing compute cycles to mine Bitcoin. Finding this stuff is actually really important because the attack landscape can quickly pivot on you. I mentioned before that cyber attackers, it's a supply chain. If your machine is latched to a botnet and it's performing Bitcoin mining and the price of Bitcoin falls, the person who owns that botnet might say, screw Bitcoin mining, I'm going to sell all my bot machines to whoever the highest bidder is. Somebody finds out you work for a really interesting company and they want to steal data from you, they're going to buy that IP address, they're going to buy your machine, and they're going to start to launch a direct attack. We've actually seen that scenario in enterprises, and been able to alert the team in real time so they can stop it. And it's the AI that's doing this, it's not a human that has to take an action. And that's the thing that's really cool in terms of helping us win. We see a lot of customers run red team exercises in parallel with an evaluation, and that red team is designed to explicitly challenge the blue team. It's not a pen test. A pen test is all about trying to see whether the hacker can break in. A red team, they actually give the attackers access to a computer on the inside and then they say, "You've got to steal this trophy." They give them a flag to steal.

>> Capture the flag.

>> Capture the flag! And the goal of the blue team is to defend it. What we've seen over and over again in these evals is that AI is able to detect those behaviors of the red team in real time fast enough for them to stop them, so the data isn't stolen. It becomes evidence that if we had this tool every day then we're a lot better off than we were before.

>> So you guys aren't just looking for known patterns and mapping policy to some script. You guys are losing data in real time, inferring network behavior to look for anomalies.

>> Exactly. I'll give you a great example. Last year when there was ransomware, the NotPetya attack. The thing that was interesting about that is it spread like a worm. We hadn't seen a worm since Conficker and that was 10 years ago. The interesting thing is we built an algorithm to detect worm-like behavior based on what we had seen 10 years ago with Conficker. It detected the spread of NotPetya. It's because we're looking for behavior and not the...

>> The payload.

>> The malware, not the payload, we're able to find it, even if it's a brand new attack vector like NotPetya. And that's the cool thing, 'cause the old style was, let me look for the precise definition of the malware or the exploit or the reputation list.

>> And I personally believe we've reported on theCUBE that the cloud computing and distributed computing and even decentralized computing, for that matter, encourages more packet movement. More packet movement gives you more data.

>> That's correct.

>> So it's a great approach. Congratulations, Mike, on your success. Looking forward to seeing what you guys do this year. Keep in touch. Security, obviously, is top of mind. We care about that at theCUBE. Cyber warfare is the number one problem in America. It's the number one problem for enterprises, government, and users. Spear phishing, malware, you name it, it's out there, we've all been hacked and we probably don't even know it. It's theCUBE hackin' the data here inside the studio, I'm John Furrier and thanks for watching. (bright music)

Published Date : Feb 22 2018

