Dave Frampton, SumoLogic | RSA North America 2018
>> Narrator: From downtown San Francisco, it's theCUBE, covering RSA North America 2018.
>> And welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA Conference in San Francisco, it's 40 thousand plus people talking security, really one of the biggest conferences in San Francisco, and security continues to be an ever increasing and important topic, and more and more complex and complicated and multifaceted. We're excited to have really an innovator who just recently sold his company to Sumo Logic, he's Dave Frampton, VP of security solutions now at Sumo Logic. Dave, great to see you.
>> Dave: Good to be here.
>> So you guys were a relatively small team working on a very specific piece of this giant pie. So, tell us a little bit about what you're doing and what attracted Sumo Logic to you.
>> FactorChain, acquired by Sumo Logic in Q4 of last year, was focused on building an investigation platform to really help security analysts very quickly and completely identify, for an individual threat or alert, of which they get an avalanche every day, what happened, where did it spread, and then what should be done about it, more importantly.
>> It's funny 'cause we talk often, at all these conferences, right, everybody in the keynote will talk about it, "six months before you know you've been breached", or two years, or whatever the average, it changes all the time. But nobody ever really talks about once you've figured it out, then what? So that's really what you guys are about, the "then what?" So what are some of the things that people do wrongly, and what are some of the immediate triage and best practices that people should be aware of if they're not already?
>> It's a great question, there's really a difficult workflow that exists when you start digging into one of these indicators of compromise or alerts, typically an analyst is trying to connect the dots across huge numbers of systems and huge data sets. They may have to go to five to ten different systems, run queries which take a long time to run and then take a long time to interpret, kind of stitch together the clues across all of them, and this process can often take 30 minutes, an hour, or even two hours against an inflow rate of hundreds of these per day. So there's sort of this expanding backlog of uninvestigated urgent threats. In many cases, people only get to about 10% of the most urgent threats or alerts that come in to their security operation center, or SOC. And FactorChain's innovation was to develop some new techniques to help human analysts quickly connect the dots across these huge data sets. Integrate a lot of those different systems, so you can go to one place, see huge, deep connections between data sets, and then kind of put it all together in a very concise workflow that helps you get through this process just a lot faster, a lot more skilled.
>> So are you identifying patterns of past behavior, 'cause you have a database of how these things work, are you looking for consistency of behavior within one system in others, I mean, what are some of the, obviously you're not going to tell us your secret sauce, but what are some of the tricks and tips that enable you to speed up that process? It's scary to hear that they have hundreds of high priority that they can't get to.
>> There are two main components of trying to accelerate this whole workflow. The first one is trying to help analysts very quickly get insight into how variables change in an environment. This investigation process is a little bit like a game of whack-a-mole, you're following a particular user or particular machine, but then the name will change, and then there'll be another variable introduced but it will change four times, and you're left to try to figure out which one of these changes maps to the original. This process just repeats over and over again. So part of our insight was to try to figure out how to chain, hence the name FactorChain, all of these variable changes together in a very, very concise way, so you can help the analyst find the right path through the data and ignore all the false trails, get back on the trail when they lose the trail. So it's really sort of a data navigation and insight, sort of the key core of FactorChain's innovation.
>> So a big factor, shouldn't use that word again, but we'll use it again, factor happening today in the industry is everything going to cloud, right? A huge percentage of business going to cloud. AWS is up to 20 billion dollar run rate and Sumo is a big partner, and Microsoft and Google are trying to catch up from behind, and IBM's got a cloud. So cloud's a big thing and there's more and more cloud. Also, we're in this API economy now, so whether I want to use public data sets and inject those into my processes, or I've got partners that I'm, I'm connecting all these things via APIs and I still have my on-prem stuff, or the stuff that just can't go to cloud or legacy for whatever reason. So the environment is becoming way more complex, the number of third party people that you're playing nice with is becoming much, much larger, and a lot of these connections are completely automated, right, when you look at ad tech and some of the financial trading systems. So how does that increasing complexity play into what you guys are doing?
>> The migration to the cloud is putting enormous disruptive pressure on some of these traditional security processes. You think about, the old world involved a security operations center and a small team of analysts just going through this list of alerts that were sent in by their infrastructure. The cloud really challenges that in two fundamental ways. I think one of them you hit really well in your description of it, which is just the sheer surface area of possible attack has increased so dramatically. You hit all the key points, there's automated processes, there's a lot of customer facing and production security that didn't exist in the old world, so you have so many more ways for the attackers to get in. But importantly, there are new sources of information which are critical to actually orchestrating the defense, to figuring out what to pay attention to and how to pay attention to it. Application layer information is much more relevant in a cloud context. And you have a lot of the infrastructures being standardized underneath, but a lot of the interesting insight might be from the application. Is this a customer or is it a partner? Is it a sensitive piece of information or application, or not? There's all sorts of context which needs to be brought in to the forensic process to help the investigators really get to the bottom of what happened and where did it spread. There's also a need to collaborate across security and other functions in IT in a much more seamless, horizontal way. A typical example would be an analyst in the SOC might understand an awful lot about security forensics but may not really understand some of this application context or even how to interpret some of the application logs at all. So you really need a horizontal collaboration involving IT operations, you hear a lot about DevOps and sort of DevSecOps, you need a much more collaborative workflow, not just a common data set, which I think everybody recognized a few years back, but also common analytics and a common workflow, common tooling that they can collaborate in the same system on the same investigation. And so those are the ways in which the traditional security industry and the boundaries around its processes and its tools are really being challenged and disrupted by the migration to the cloud, and at Sumo Logic, this is sort of at the center of where we live. We live in a world where people are rapidly migrating to the cloud, looking for monitoring and troubleshooting and security analytics functionality. As they do that, looking at modern applications and how their architectures are changing and what implications that has for security. So we have our sights squarely set on sort of creating that new model for that new cloud-oriented environment.
>> Right, and then how much do you work with other applications, which I guess in the past may have been thought of as competitive, but when you're in an environment with all these integrated systems at a customer, and there's probably tremendous benefit to sharing some level of information in terms of the signature of threats and when threats are coming in. I'm sure there's a ton of great data that, if shared across people on the good side of the fence, will probably be to the benefit of all. So has that been changing, is that evolving, how do you see kind of working with other apps within, let's just pick the AWS cloud for example, within a particular customer, whether it's AWS directly or other partners in the ecosystem?
>> Right, well first, you hit it, I mean, this function of security operations has to be agnostic, right? You have to be open to ingesting context from whichever system and whichever vendor and whatever source it might come from. And so these ecosystems are really important, and integration so that you can quickly, not only take in information from third parties, but then quickly get trending and visualization and really bring insight to that data. And so to that end, Sumo Logic's a leader in the AWS ecosystem, we've been built from the ground up on AWS, and we have rich partnerships with the vast majority of the ecosystem of tools that surround the AWS environment. So we can bring that in and very quickly deliver insight, make correlations, figure out what you need to pay attention to, and then do this investigation workflow that we were talking about earlier.
>> Alright, crazy times. So, 40 thousand people here, what are you looking forward to for the next couple of days here at RSAC?
>> I think a couple of things. One is, I think everyone is focused, right now, on the upcoming deadline for GDPR, and sort of data protection, data privacy, how do we identify within our data what might be subject to some of these regulations and new compliance requirements, and then how many of those overlap. Though with the best of intentions, it creates some dilemmas about how to approach problems, such as for example, right to be forgotten. And I think seeing the community come together and sort of in a live venue, which is really what the show is all about, and kind of discuss and debate those issues, I think that's one. Two is the center of what we've been talking about, is the impact of modern application architectures and cloud on some of these old, traditional security practices and models. And that's why we have a bigger presence this year at the show, because we think that's something that is going to change the way things have been done in the security industry, and we want to be a part of that conversation and obviously giving previews of our upcoming products that address some of those problems. Looking forward to a good week.
>> Should be a good week for you, be busy.
>> Dave: Absolutely.
>> Thanks for taking a few minutes, and again congratulations on the acquisition with Sumo, great marriage I'm sure, and look forward to following the story.
>> Thanks so much.
>> Alright, he's Dave Frampton, I'm Jeff Frick. You're watching theCUBE from RSAC 2018 San Francisco. Thanks for watching.