Jesse Rothstein, ExtraHop | AWS re:Invent 2019


 

>> Announcer: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2019, brought to you by Amazon Web Services, and Intel, along with its ecosystem partners. >> Welcome back, this is theCUBE's seventh year of coverage of the mega AWS re:Invent show, here in Las Vegas. Somewhere between 60 and 65,000, up and down the street. We are here in the Sands Convention Center. I am Stu Miniman, my cohost for this segment is Justin Warren. And happy to welcome back to the program, one of our CUBE alumni Jesse Rothstein, who is the co-founder and CTO of ExtraHop, Jesse, great to see you. >> Thank you for having me again. >> So, we caught up with you at AWS re:Inforce-- >> We did. >> Not that long ago, in Boston. Where, it rains more often in Boston than it does in Vegas and it's raining here in Vegas, which is a little odd. >> Strangely it is raining here in Vegas, but re:Inforce at the end of June in Boston was the first AWS security conference. Great energy, great size, we had a lot of fun at that show. >> Yeah, so Dave Vellante, who was one of the ones at re:Inforce, and he actually came out of the three-hour keynote yesterday with Andy Jassy and said, "I'm a little surprised there wasn't as much security talk." You know, it's not like we can remove security from the discussion of cloud, it is you know one of the top issues here. So I want to get your viewpoint, were we missing something? Is it just there, what grabbed you? >> I know this thing as well. I think, perhaps, they're saving some announcements for, you know, re:Inforce coming again in June in Houston this year. There was at least one announcement around IAM Access Analyzer as I recall. But generally the announcements seem to focus in some other areas. You know some big announcements around data warehousing, you know for federated Redshift queries I think. And some big announcements around machine learning tooling, like the SageMaker Studio. But I noticed that as well, not as many security announcements.
>> You never know, Werner still has his keynote tomorrow. So we're sure there'll still be another 50 or 100 announcements before the week is done. ExtraHop also has something new this week, so why don't we make sure-- >> Well first I can assure you that cloud security is not solved. It's not a solved problem, in fact, unfortunately despite record spend year after year after year, we still continue to see record numbers of compromises and data breaches that are published. I think cloud security in particular remains a challenge. There's a lot of energy there and I think a lot of attention, people recognize it's a problem. But we're dealing with massive cyber security skill shortages. It's very hard to find people with the expertise needed to really secure these workloads. We're dealing with more sophisticated attackers. I think in many cases, attackers with nation state sponsorship. Which is scary, you know five or 10 years ago we didn't see that quite as much. More cyber criminals, fewer nation states. And of course, we're seeing an ever increasing attack surface. So ExtraHop's right in the mix here, and we focus on network detection and response. I'm a huge believer in the power of network security, and I'll talk more about that. At re:Inforce last June, we announced ExtraHop Reveal(x) Cloud, which is a SaaS offering using AWS's recent VPC Traffic Mirroring capability. So the idea is, all you do is you mirror a copy of the traffic, using VPC Traffic Mirroring, to our SaaS, and then we provide all of the sophisticated detection, investigation and response capabilities, as a product. So that's hosted, you still do the work of investigating it, but you know we provide the entire offering around that. Very low TCO, very turnkey capabilities. And of course, it wouldn't be a modern day security offering if we didn't leverage very sophisticated machine learning, to detect suspicious behaviors and potential threats. 
But this is something I think we do better than anybody else in the world. >> So walk us through some of what the machine learning actually does. 'Cause I feel that the machine learning and AI is kind of hitting peak hype cycle maybe. >> You know I almost can't say it with a straight face because it's so overused. But, it is absolutely real, that's where the state of the art is. Machine learning allows us to recognize behaviors, and behaviors are very important because we're looking for post-breach behaviors and indicators of compromise. So there are a million ways that you can be breached. The attack surface is absolutely enormous. But there's actually a relatively small number, and a relatively tractable set of post-breach behaviors that attackers will do once you're compromised. And I think more and more organizations are realizing that it's a matter of when and not if. So what we've done is we've built the machine learning behavioral model so that we can detect these suspicious behaviors. In some cases we have an entire team of threat researchers that are simulating attacks, simulating pen testing tools, lateral movement, exfiltration so we can train our models on these behaviors. In some cases, we're looking for very specific indicators of compromise. But in just about all cases, this results in very high quality detections. And because just detections alone are completely insufficient, ExtraHop is built on top of an entire analytics platform, so that you're always one or two clicks away from being able to determine, is this something that requires immediate attention and requires kind of an incident response scenario? One of the capabilities that we announced here at this show, is automated response. So we integrate with the AWS API, so that we can automatically isolate and quarantine a workload that's behaving suspiciously. You know in cyber security, some attacks are low and slow but some are very fast and destructive. 
And for the fast and destructive ones, you move faster than a human's ability to respond, so we need that automated response. And we also announced a continuous packet capture capability for forensics, because sometimes you need the packets. >> That's a response, a lot of different things that we'd actually like to bring the capability a little bit earlier than that so that we don't actually get breached. It's great that we can detect it and say, great we've got the indication of compromise and we can react very, very quickly to that. Are you able to help us get one step ahead of the cyber crimes? >> So I'll actually be a little contrarian on that. I'm going to say that organizations have really been investing in protection and prevention, for the last decade or two. You know this strategy's called defense in depth, and you should do it, everybody should, that's a best practice. But, you know, with defense in depth, you have lots of layers of defense at the perimeters. You know keep the attackers out of the perimeter, gateways, firewalls, proxies. Lots of layers of defense at the endpoint, you know keep attackers off of my workstations, my instances, my laptops, things like that. But, you know, I think again, organizations have learned that attackers can fire, you know, 1,000 arrows, or 100,000 arrows, or 100 million arrows and only one needs to land. So the pendulum has really swung toward detection response. How do I know if I'm breached right now? How can I detect it quickly? The industry average dwell time is over three months, which is unacceptably long, and we always hear about cases in the news that are three years or more. And what I like to say is if it were three weeks, that would be too long. If it were three days, that would be too long, if it were three hours, I think you could do a lot of damage in three hours. If you can start getting this down to three minutes, well maybe, you know, we can limit the blast radius in three minutes.
>> So Jesse, you brought up the ever growing surface area of attack and one of the big themes we've seen at the show is AWS is pushing the boundaries of where they touch customers. You know I said if Amazon is the everything store, AWS is becoming the everywhere cloud. Outposts, from Amazon's perspective, they said Outposts just extends their security models. I see and hear a lot of the ecosystem talking about how they're leveraging that and integrating with that. Does Outposts or any of their other Edge solutions impact what your customers and your solutions are doing? >> So it's funny you say that, I was wondering that myself. My expectation is that Outposts are a good thing because they have the same security controls that we expect to see in any AWS kind of VPC enabled environment. Where I haven't gotten full clarification is do we have the full capabilities that we expect with VPCs? In particular, you know VPC Traffic Mirroring, which is the capability that was announced at re:Inforce, that I'm so excited about, because it allows us to actually analyze and inspect that traffic. Another capability that I think slipped in under the radar but it was announced yesterday is VPC Ingress Routing. This doesn't really affect ExtraHop that much, but as a network head, I like seeing Amazon enable organizations to kind of make their own choices around how they want to inspect and control traffic. And with VPC Ingress Routing, it actually allows you to run in-line devices between your VPCs, which previously you were unable to do. So I think that one slipped in under the radar, maybe you have to be a network head like me to really appreciate it. But I'm seeing more flexibility and not less and that's something that I'm really pleased with. >> That one thing that we definitely see with cloud is that explosion of customer choice, and all of these different methods that are available. And Amazon just keeps pushing the boundaries on how quickly they can release new features.
What does that mean for ExtraHop in being able to keep up with the pace of change that customers are using all of these different features? >> That's a good question, I think that's just the reality, so I don't think about what it means or doesn't mean, that's just the way it is. In general though, I've seen this trend toward more flexibility. You know VPC Traffic Mirroring, to use that example again, was one of the few examples I could point to a year ago as something really useful and valuable that I could do on-premises, you know for diagnostic purposes, for forensics purposes, that for some reason wasn't available in public cloud, at least not easily. And, you know, with this announcement six months ago, and going to general availability, Amazon finally ticked that one off. And we're starting to see the rest of the public cloud ecosystem move that way as well. So I'm seeing more flexibility, and more control. Maybe that comes with a pace of innovation, but I think that's just the world we live in. >> You do mention that the customers are having to adopt this new regime, of look we need to look at compromise, can we detect if we've been compromised, and can we do it quickly. We have a lot of tools that are now being made available, like Igress Routing, but, sorry Ingress Routing. But what does that mean for customers in changing their mindset? One of the themes that we had from the keynote yesterday was transformation, so do customers need to just transform the way they think about security? >> Yes and no. You know certainly customers who are used to a certain set of on-prem tool set, tool chain can't necessarily just shoehorn that into their public cloud workloads. But on the other hand, I think that public cloud workloads have really suffered from an opacity problem, it's very difficult to see what's going on, you know it's hard to sift through all those logs, it's hard to get the visibility that you expect.
And I think that the cyber security tool set, tool chain, has been pretty fragmented. There are a lot of vulnerability scanners, there are a lot of kind of like API inspectors and recommendation engines. But I think the industry is still really trying to figure out what this means. So I'm seeing a lot of innovation, and I'm seeing kind of a rapid maturing of that kind of cloud security ecosystem. And for products like ExtraHop, I'm just a huge believer in the power of the network for security, because it's got these great properties that other sources of data don't have. It's as close to ground truth as you could possibly get, very hard to tamper with and impossible to turn off. With VPC Traffic Mirroring, we get the full power of network security and it's really designed with the controls and kind of the IAM roles and such that you would expect for these security use cases, which, I just, great, great advance. >> So along the discussion of transformation, one of the things Andy Jassy talked about is the you know, the senior leadership, the CEOs need to be involved. Something we've been saying in the security industry for years. Not only CEOs, the board is you know, talking about this and it's there, so you know, what are you seeing? You stated before that we haven't solved security yet, but so, bring us inside the mindset of your customers today, and what's the angst and you know, where are we making progress? >> That's a very interesting question. I'll probably be a little contrarian here as well, maybe not but I think we see a lot of pressure is regulatory pressure. You know we're seeing a lot of new regulations come out around data privacy and security, GDPR was you know pretty transformative in terms of how organizations thought about that. I also think it's important that there are consequences. I was worried that for a few years data breaches were becoming so commonplace that people were getting kind of desensitized to it.
Like, there was once a time that if, when there was a massive data breach kind of heads would roll. And there was a sense of consequences all the way up into the C-suite. But a few years ago I was starting to get concerned that people were getting a little lackadaisical like, "Oh just another data breach." My perception is that the pendulum's swinging back again. I think for truly massive data breaches, there really is a sense of brand. And I'm seeing the industry starting to demand better privacy. The consumer industry is perhaps leading the way. I think Apple's doing a very good job of actually selling privacy. So when you see the economics, I mean we're, it's a capitalist system. And when you see kind of the market economics align with the incentives, then that's when you actually see change. So I'm very encouraged by the alignment of kind of the market economics for paying greater attention to privacy and security. >> All right, want to give you a final word here, you said you'd like to have some contrarian viewpoints. So you know, the last question is just you know, what would you like to kind of just educate the marketplace on that maybe goes against the common perception when it comes to security in general, maybe network security specifically? >> Well, I'll probably just reiterate what I said earlier. Network security is a fundamental capability, and a fundamental source of data. I think organizations pay a lot of attention to their log files. I think organizations do invest in protection and prevention. But I think the ability to observe all of the network communications, and then the ability to detect suspicious behaviors and potential threats, bring it to your attention, take you through an investigative workflow, make sure that you're one click away from determining you know, whether this requires an actual incident response, and in some cases take an automated response. 
I think that is a very powerful solution and one that drastically increases an organization's cyber security posture. So I would always encourage organizations to invest there regardless of whether it's our solution or somebody else's. I'm a huge believer in the space. >> All right so, Jesse, thank you so much for sharing. We know that the security industry still has lots of work to do. So we look forward to catching ExtraHop soon at another event. And we have lots of work to do to cover all of the angles of this sprawling ecosystem here at AWS re:Invent. For Justin Warren, I'm Stu Miniman, be back with lots more right after this, and thank you for watching theCUBE. (bouncy electronic music)

Published Date : Dec 5 2019

Jesse Rothstein, ExtraHop | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019, brought to you by Amazon Web Services and its ecosystem partners. >> Welcome back, everyone, live coverage of AWS re:Inforce, their first conference, theCUBE here in Boston, Massachusetts. I'm John Furrier, my co-host Dave Vellante. Our guest is Jesse Rothstein, CTO and co-founder of ExtraHop, CUBE alumni. Great to see you again. VMworld, re:Invent, now the new conference, re:Inforce, not a team. A summit, re:Inforce, a branded event around cloud security. This is in your wheelhouse. >> Thank you for having me. Yeah, it's a spectacular event. Unbelievable turnout. I think there's 8000 people here. Maybe more. I know that's what they were expecting for an event that was conceived of, or at least announced barely six months ago. The turnout's just >> wait. Many conversations in the past on theCUBE and others, cloud security now having its own conference. It's not like a security conference like Black Hat or DEF CON, which is like a broader security. This is really focused on cloud security and the nuances involved for on premises and cloud as it's evolving. It's certainly a lot more change coming on this kind of spins into your direction you would talking this year in the front end. >> It absolutely does. First, it speaks to market demand. Clearly, there was demand for a cloud security focused conference, and that's why this exists. Every survey that I've seen lists security extremely high on the list of anxieties or even causes for delay for shifting workloads to the cloud. So Amazon takes security extremely seriously. >> And then my own personal view is that cloud security has been somewhat nascent and immature. And we're seeing, you know, hopefully kind of, ah, somewhere rapid, a >> lot of motivation in that market. Certainly a lot of motivated people want to see it go faster and there spitting in building that out. So I gotta ask >> you before you get off the show, I actually say something if I may.
I mean, it's been a long time coming. Yeah, this to your point, Jesse. There was a real need for it, and I think Amazon deserves a lot of credit for that. But at the same time, I think Amazon. There's a little criticism there. I mean, I think that the message at re:Invent that's always been we got the best security. We got the most features as I come on in, and the whole theme here of the shared responsibility model, which I'd love to get into, I think was somewhat misunderstood by some of those high level messaging. So I didn't want to put that out there as a topic that we might touch on. Great. Let's talk about it. Okay, so I do think it was misunderstood. The shared responsibility model. I think the messaging was Hey, the cloud is more secure than your existing data centers. Come on in. And I think a lot of people naively entered waters and then realized, Oh, wait a minute. There's a lot that we still have to secure. We can't just set it and forget it. I mean, you agree with that? >> I think that's a controversial topic. I do agree with it. I think it continues to be misunderstood. Shared responsibility model in some ways is Amazon saying We're going the security infrastructure and we're going to give you the tools. But organizations are still expected to follow best practices, certainly, and implement their own, hopefully best in class security operations. >> It's highly nuanced. You can say sharing data see increases visibility into threats and also of making quality alerts. But I think it's a little bit biased, Dave, for Amazon to say shared responsibility because they're essentially want to share in the security posture because they're saying we'll do this. You do that as inherently shared. So why wouldn't they say that? >> Well, I guess we're gonna say we want to own everything? Well, I guess my weight So this show is that I really like their focus on that.
I think they shone a light on it and for the goodness of the industry in the community they have. But it is a bit >> nuanced, and they've said some controversial, perhaps even contradictory statements. In the keynote yesterday, I was amused to hear that security is everybody everyone's job, which is something I wholeheartedly believe in. But at the same time, you know, David said that he didn't believe, Stephen, rather, said that he didn't believe in DevSecOps, and that seemed a little bit at odds because I but I think they're probably really Steven Schmidt. Steven >> so eight of us. But at the same time, there was a narrative around. Security is code. So, yes, there were some contradictions in messaging, so this smaller remains small ones. They were nuanced but remains some confusion. And that's why people look to the ecosystem to help acorns. And this goes back to >> my earlier point. I believe that cloud security is really quite nascent. When we look at the way we look at the landscape of vendors, we see a number of vendors that really are kind of on-prem security solutions. They're trying to shoehorn into the cloud. We see a lot of essentially vulnerability scanning and static image scanning. But we don't see, in my opinion, that much really best in class security solutions. And I think until relatively recently it was very hard to enable some of them. And that's why I'd love to talk about the VPC traffic mirroring announcement, because I think that was actually the most impactful announcement >> that I want to get to it. So this is a new on the way. By the way, the other feedback up ahead on theCUBE is the sessions here have been so good because you can dig deeper than what you can get at re:Invent given tries. This is a good example. Explained that the that story because this has been one of the most important stories, the traffic mirroring >> well, unlike >> re:Invent.
I think this show is more about education than it is about announcements. Now, Amazon announced a few new services going into GA, but these were services, for the most part, that we already knew you were coming here like God Watchtower in Security Hub. But the VPC traffic mirroring was really the announcement of this show. And, gosh, it's been a long time in coming. One closely held belief I've had for a long time is that in the fullness of time, there's really nothing of value that you can do on-prem that you wouldn't eventually be able to do in the cloud. And it's just been a head scratcher for me why, for so many years, we've been unable to get any sort of view, mirror or tap of the traffic for diagnostic or analytic purposes, something you could do on-prem so easily, with a SPAN port or a network tap, and in the cloud we've been having to do kind of back flips and workarounds and software taps and things like that. But with this announcement, it's finally here. It's native >> explain VPC Chapman. What is it for? The folks watching might not know it. Why it's wife. What is it and why is it important? >> So VPC traffic mirroring is a network tap that is built into EC2 networking. What it means is that you can configure a VPC traffic mirror for individual EC2 instances, actually down to the ENI level. You can configure filters and you can send that to a target for analysis purposes. And this analysis could be for diagnostics. But I think much more important is for security. ExtraHop really began as a network analytics platform, we do network detection and response. So this type of this ability to analyze the traffic in real time to run predictive models against it to detect in real time suspicious behaviors and potential threats, I think is absolutely game changing for someone's security posture. >> And you guys have been on the doorstep of this day in day out. So this is like a great benefit to you guys.
As a company, I can see that. I see that's a great thing for you guys. What's the impact of the customers? Because what is the good news that comes out of the traffic mirroring for them? What's the impact of their environment? >> Well, it's all about friction. First, I want to clarify that we've been running in AWS for over six years, six or seven years, so we've had that solution. But it's required some friction in the deployment process because our customers had to install some sort of software tap, which was usually an agent, that was analyzing that there was really gathering the packets in some sort of promiscuous mode and then sending them to us in a tunnel. Whereas now, this is built into the service, into the infrastructure. There's no performance penalty at all. You can configure it. You have IAM roles and policies to secure it. All of the friction goes away. I think, for the kind of the first time in cloud history, you can now get extremely high quality network security analytics with practically the flip of a switch. >> So it's not another thing to manage. It's like you say, inherent to the network. John and I have heard this this week at this event from practitioners that they want to see less just incremental security products and more step function and what they mean by that is we want products that actually take action or give us a script that we can implement, or actually fix the problem for us. Will this announcement on others that you guys were involved in take that next step more proactive security that these guys so a couple of thoughts >> on that first, the answer is yes, it can, and you're absolutely right. Remediation is extremely important, especially for attacks that are fast and destructive. When you think about kind of the when you think about attack patterns, there are attacks that are low and slow.
There are attacks that are advanced and persistent, but the attacks that are fast and destructive move at a speed that is really beyond the ability for humans to respond. And for those sorts of attacks, I think you absolutely need some sort of automated remediation. The most common solutions are some form of blocking the traffic, quarantining the traffic or maybe locking the accounts, and you're kind of blocking. Quarantining and locking are my top three, and then various forms of auditing and forensics go along the way. Amazon actually has a very good tool box for that already. And there are security orchestration products that can help. And for products like ExtraHop, the ability to feed a detection into an action is actually a trivial form of integration that we offer out of the box. So the answer is yes. >> But let me go back to kind of the incrementalist approach as well that you mentioned. I kind of think about the space in really, really broad strokes, and organizations for the last 10 years or so have really highly invested in prevention and protection. So a lot of this is your perimeter defense and endpoint protection, and the technologies have gotten better. Firewalls have turned into next generation firewalls and antivirus agents have turned into next generation antivirus or endpoint detection and response. But I strongly believe that network security has in some ways just kind of lagged behind, and it's really ripe for innovation. And that's why that's what we've really spent the last decade >> building. And that's why you're excited about the VPC traffic mirroring because it allows for parallel analytics and so more real time, >> more real time. But the network has great properties that nothing else has. When you think about network security, the network itself is as close to ground truth as you can get, it's very hard to tamper with, and it's impossible to turn off. Those are great properties for cyber security.
And you can't say that about something like logs, which are from time to time disabled and scrubbed. You certainly can't say that about endpoint agents, which are often worked around and in some cases even used as a vector for attack. >> I'm gonna ask you. Okay, on that point, I get that. So the next question would come to my mind is okay with the surface here. With IoT expanding and with cloud, you have a sprawling surface area. So the surface area is growing just by default by natural evolution, connecting to the cloud, people are backhauling their data into the cloud. All this is good stuff. >> Absolutely. Call it the attack surface, and it is absolutely growing perhaps in an exponential >> about that dynamic, one sprawling attack area. Because that's just the environment now. And what's the best practice to kind of figure out security posture? Great, great >> question. People talk a lot about the dissolution of the perimeter, and I think that's a bit of the debate. And regardless of your views on that, we can all believe that the perimeter is changing and that workloads are moving around and that users are becoming more mobile. But I think an extremely important point is that every enterprise just about is hybrid. So we actually need protection for a hybrid attack surface. And that's an area where I believe ExtraHop offers a great solution because we have a solution that runs on premises in physical data centers or on campuses, which, no matter how much work, would you move to the cloud. You still have some sort of user on some sort of laptop or some sort of work station in some sort of campus environment. We work in private cloud environments that are virtualized. And then, of course, we work in public cloud environments, and another announcement that we just made at this show, which I also think is game changing, is our Reveal(x) Cloud offering. So this is a SaaS.
This is a SaaS-based network detection and response solution, which means that I talked about removing friction by mirroring the traffic. But in this case, all >> you have to >> do is mirror the traffic, point it to our SaaS, and we'll do all of the management mean that So is that in the streets for you that is in the marketplace. We launched it yesterday, >> So it's great integration point for you guys. Get it, get on board more customers. >> And I think I think solutions like ours are absolutely best practices and required to secure this hybrid attacks in the >> marketplace. What was that experience like, you know, Amazon >> was actually great to work with. I don't mean to say that with disbelief. You work with you work with such a large company. You kind of have certain expectations, and they exceeded all of my expectations in terms of their responsiveness. They worked with us extremely closely to get into the marketplace. They made recommendations with partners who could help accelerate our efforts. But >> in addition to the >> marketplace, we actually worked with them closely on the VPC traffic mirroring feature. There was something we began talking with them about as far back as, I think, last December, even before re:Invent, they were extremely responsive to our feedback. They move very, very quickly. They've actually just >> been a delight to work. There's a question about you talking about the nana mutability of logs, and they go offline sometimes. And yet at the same time there's been tens of billions of dollars of value creation from that industry. Are there things that are magic there or things that you can learn from the analytics of analyzing logs that you could bring over to sort of what you're positioning as a more modern and cloud-like approach? Or is there some kind of barrier to entry doing that? Can you shed some light on Jesse?
That's >> a great question, and this is where I'll say it's a genius of the "and" situation, not a tyranny of the "or". So I'm not telling people, don't collect your logs or analyze them. Of course you should do that, you know that's the best practice. But chances are that that space, you know, the log analysis and the, you know, the SIEM market has become so mature. Chances are you're already doing that. And I'm not gonna tell organizations that they shouldn't have some sort of endpoint protection. Of course you should. But what I am saying is that the network itself is a very fundamental data source that has all of those properties that are really good for cybersecurity and the ability to analyze what's going on in your environment in real time. Understand which users are involved, which resources are accessed, and are these behavioral patterns suspicious and do they represent potential threats? I think that's very powerful. I have a I have a whole threat research team that we've built that just runs attack simulations and they run attack tools so that we can take behavioral profiles and understand what these look like in the environment. We build predictive models around how we expect your resources and users and endpoints to behave. And when they deviate from those models, that's how we know something suspicious is going on. So this is definitely a a genius of the "and" situation. John >> reminds me of your you like you're very fond of saying, Hey, what got you here is not likely to move you forward. And that's kind of the takeaway for practitioners is >> yeah. I mean, you gotta build on your success. I mean, having economies of scale is about not having diseconomies of scale, meaning you're always constantly reinventing your product, not building on the success. And then you're gonna have more success if you can't trajectory if you it's just basic competitive strategy product strategy.
But the thing that's interesting here is is that as you get more successful and you continue to raise the bar, which is an Amazon term, they work with you better. So if you're raising the bar and you did your own network security probably like OK, now we get parallel traffic mirroring so that >> that's true. But I think we've also heard that Amazon is, I think they call it, maniacally customer focused, right? And so I think that this traffic mirroring capability really is due to customer demand. In fact, when you when you were if you were at the keynote when they made the announcement, that was the announcement where I feel like every phone in the in the whole auditorium went up. That's the announcement where I think there's a lot of excitement and for security practitioners in particular, and SecOps teams I think this. I think this really reduces some anxiety they have, because cloud workloads really tend to be quite opaque. You have logs, you have audit logs, but it's very difficult to know what's actually going on there and who is actually accessing that environment. And, even more important, where is my data going? This is where we can have all sorts of everything from a supply chain attack to a data exfiltration, and it's extremely important to be able to have that visibility into these clouds >> We agree. We've been saying on theCUBE many, many years now that the network is the last bottleneck, really, where that script gets flipped upside down where workloads are dictating DevOps. Now the network piece is here, so I think this is going to create a lot of innovation. That's our belief. Love to follow up more in Palo Alto. When we get back on this hybrid cloud, I think that's a huge opportunity. I think there's a create a blind spot for companies because that's where the the attackers will go, because they'll know that the hybrid's rolling out and that'll be a vulnerability area >> one that's, you know, it's an arms race. Network security is not new.
It's been around for decades. But the attackers and the attacks have become more sophisticated, and as a result, you know the defenders need to raise their game as well. This is why, on the one hand, there's there's so much hype and I think machine learning in some ways is oversold. But in other ways, it is a great tool in our arsenal. You know, the machine learning, the predictive models, the behavioral models, they really do work. And it really is the next evolution for defensive >> capabilities. Thanks for coming on. Great insight. >> One last question. The beer. Extra guys have been here way did in the past. It's been a while since >> we've done that, but it comes from early days when when I founded the company, people would ask you in the name ExtraHop, "Oh, are you guys an online brewery?" And we were joking. We said no, that that was ExtraHops. We embraced it, and we actually worked with a local brewer that has since been acquired by a major beverage brand. I >> don't know that. I just heard we built our own >> label, and it was the ex Rob Wired P. A. It was it was extremely well received. Every time we visit a customer they'd ask us to bring beer. >> That's pretty. You gotta go back to proven formula. Thanks for the insights. Let's follow up when we get back in Palo Alto in our studio on this hybrid thing, it's a compelling conversation. Network security, network analytics, innovation areas where all the action's happening here in Boston, AWS re:Inforce. CUBE coverage. We'll be right back.

Published Date : Jun 26 2019

Jesse Rothstein, ExtraHop | AWS re:Invent 2018


 

>> Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> Hey, welcome back. And we're live here at Las Vegas AWS re:Invent 2018 live coverage from theCUBE. I'm John Furrier. Dave Vellante, my co-host, wall to wall coverage. Dave, six years covering Amazon, watching it grow. Watching it just an unstoppable force of new services. Web services being realized from the original vision years and many, many years ago, over a decade. Jesse Rothstein, CTO and co-founder of ExtraHop, our next guest, welcome back to theCUBE, good to see you. >> Thanks for having me. >> So first of all before we get into the conversation, what's your take on this madness, here? It's pretty crazy. >> You know this is, I think this is my sixth year, as well, and this show must double in size every year. It's enormous, spread across so many venues, so much going on, it's almost overwhelming. >> I remember six years ago, we used to be on theCUBE, and I think we just kept the stream open, "Hey, come on up! We have an opening!" Now it's like two cubes, people tryin' to get on, no more room, we're dyin', we go as hard as we can, 16 interviews, hundreds of interviews, lots of change. So I got to ask you, what is your view of the ecosystem? Because back then, handful of players in there. You guys were one of 'em. Lot of opportunities around the rising tide here. What's your thought on the ecosystem evolution? >> Well, of course the ecosystem has grown, this show has really become recognized as the pre-eminent Cloud show, but I see some themes that I think have certainly solidified, for example I spent a bunch of time on the security track. That's the largest track by far, I'm told. They're actually breaking it out into a separate add-on conference coming up in the summer. So clearly there's a great deal of interest around Cloud security as organizations follow their...
>> Did they actually announce for that security conference? >> They did, they did. >> Okay, so Boston in June, I think right? >> June, that's correct. They announced, I think, I don't want to mess up the dates, June, late June. >> I think June 26. Breaking News here, that's new information. That's a really good signal for Amazon. They're taking security serious. When I interviewed Andy Jassy last week, he said to me, "Security used to be a blocker. Oh the Cloud's not secure!" Couple short years ago, now it's actually competitive advantage, but still a lot more work to get done. Network layer all the way up, what's your take? Never done. >> Well, so that's what Andy says, and I think that I would rephrase that slightly differently. Security used to be a blocker and it used to be an area of anxiety and organizations would have huge debates around, you know, whether the Cloud is less secure, or not, inherently. I think, today, there's a lot more acceptance that the Cloud can be just as secure as on-prem or just as insecure. You know, for my view, it relies on the same people, processes, and technologies, that are inherently insecure as we have on-prem, and therefore it's just as insecure. There are some advantages, the Cloud has great API logging, building blocks like CloudTrail. New services like GuardDuty, but at the same time it's hard to hire Cloud security expertise, and there is an inherent opacity in public Cloud that I think is a real challenge for security. >> Well, and bad human behavior always trumps good security. >> Well, of course. >> Talk about ExtraHop, how you guys are navigating, you guys have been in the ecosystem for a while. Always an opportunity to grow, I love this TAM's expanding, huge expansion in the adjustable market, new use cases. What's up with you guys? Give us an update. Where's the value proposition resonating? What's the focus? 
>> Well you can probably tell from my interests that we see a lot of market pull and opportunity around Cloud security. ExtraHop is an analytics product for IT ops and security, so there's a certain segment of what we do for IT operations use cases. Delivering essentially a better level of service, we attach to use cases like Cloud migrations, and new application roll-outs. But we also have a cyber security offering, that's a very advanced offering, around network behavioral analytics, where we actually can detect suspicious behaviors and potential threats, bring them to your attention. And then since we leverage our broader analytics platform, you're a click away from being able to investigate or disposition these detections and see, hey is this something I really need to be concerned about. >> Give an example of some of the network behavior, because I think this is a real critical one, because with no perimeter, you got no surface area, you got API's, this is the preferred architecture but, you got to watch the traffic. How will you guys be specific and give an example. >> So, some of my favorite examples have to do with detecting when you've already been breached. Organizations have been investing in defense in depth for decades, you know, keep the attackers out at the perimeter, keep the attackers away from the endpoint, but how would you know if you've already been breached. And it turns out, your Verizon does a great data breach investigation report annually. And they determine that there are only nine or so behaviors that account for 90% of what all breaches do, what they look like. So, you look for things like, parts of the cyber security attack chain. You look for reconnaissance, you look for lateral movement, you look for some form of exfiltration. Where ExtraHop is taking this further, is that we've built sophisticated behavioral models. We're able to understand privilege.
We're able to understand what are the most important systems in your environment, the most important instances. Who has administrative control over them, and then when that changes, you want to know about it, because maybe this thing, this instance, in an on-prem environment, could be like a contractor laptop, or an HVAC system. It now exercises some administrative control over a critical system, and it's never done that before. We bring that to your attention, maybe you want to take some automated action, and quarantine it right away, maybe you want to go through some sort of approval process and bring it to someone's attention. But either way, you want to know about it. >> I'm going to get your reaction to a comment I saw yesterday morning at a keynote on Teresa Carlson's breakfast, her public sector breakfast, Christine Halvorsen, FBI. Said, we're in a data crisis. And she talked about that they can't react to some of these bad events, and a lot of it's post event, That's the basic stuff they need now, and she said, I can't put the puzzle pieces together fast enough. So you're actually taking that from a network Ops standpoint, IT Ops. How do you get the puzzle pieces together fast? What's the secret? >> Well so, the first secret is that we're very focused on real time network data, and network telemetry. I often describe ExtraHop as like Splunk for the network. The idea requires completely different technology, but the idea's the same. Extract value and insight out of data you already have, but the advantage of the network for security, and what I love about it, is that, it's extremely real-time, it's as close to ground truth as you can get, It's very hard to hide from, and you can never turn it off. >> Yeah. >> So with all of those properties, network analytics, makes for, has just tremendous implications for cyber security. 
>> I mean honestly, you're visibly excited, I'm a data geek myself, but you made a good point, I want to double down on, is that, moving packets from A to B is movement. And movement is part of how you detect it right, so? >> It is, so packets itself, that's data in motion, but if you're only looking at the packets you're barely scratching the surface. Companies have tried to build security analytics based on flow data for a long time. And flow data, flow records, it's like a phone bill. It tells you who's talking to whom and how long they spoke, but there's no notion of what was said in the conversation. In order to do really high quality security analytics, you need to go much deeper. So we understand resources, we understand users, we understand what's normal, and we're not using statistical baselines, we're actually building predictive models around how we expect end points and instances to behave. And then when they deviate from their model, that's when we say, "Hey, there's something strange going on." >> That's the key point for you guys. >> And that means you can help me prioritize... >> Absolutely. >> Because that's the biggest challenge these guys have. They oftentimes don't know where to go, they don't know how to weight the different... >> So that's one challenge and I think another really big challenge, and we see this even with offerings that have been publicized recently, is that detection itself isn't good enough, that's just an alert cannon, and there was a session that actually talked about alarm deafness that occurs, it occurs in hospitals, and other environments, where all you get is these common alarms, and people stopped paying attention to them. So, in addition to the ability to perform high quality detections, you need a very streamlined investigative workflow. You know, one click away so you can say, "Okay, what's going on here?" Is this something that requires additional investigation.
>> Well, I think you guys are on the right track, and I think what's different about the Cloud is that, you know, they call the show re:Invent, but rethinking, existing stuff for Cloud scale, is a different mindset, it's a holistic. Like, you're taking more of a holistic view saying, "I'm not going to focus on a quote packet path, or silo that I'm comfortable with," you kind of got to look at the bigger picture, and then have a data strategy, or a some competitive unique IP. >> I think that's an excellent summary. What I would add is that organizations, as they kind of follow their Cloud journey, we're seeing a lot of interest from security teams in particular, that don't want to do swivel chair integration. Where I have something on-prem and I have something in the Cloud. They want something much more holistic, much more unified. >> Seamless, automated. >> Much more seamless, much more automated. (laughing) You know, I sat in about five different security track sessions, and every single one of them kind of ended with the, "So we automated it with a Lambda Function." (laughing) Clearly a lot of capability for automation, in public Cloud. >> Jesse great to have you on theCube, CTO, Co-founder of ExtraHop. What's next for you? What's goin' on? What's next? >> Well, we continue to make really big investments on security, I wish I could say that cyber security would be done at some point, but it will never be done. It's an arms race. Right now I think we're seeing some really great advancements on the defense side, that will translate into big success. Always focusing on the data problem, as data goes from 10 gigabits to 100 gigabits. You know Amazon just announced their C5 accelerated 100 gigabit network adapter. Always looking at how can we extract more value from that data at scale. >> Leverage to power, leverage to power. Well, we got to get you back on the program.
We're going to increase our cyber security coverage, we certainly will be at the security event, I didn't know it was announced publicly, June 26th and 27th, in Boston. Give or take a day on either side, could be 27th, 28th, 26th, 27th. This is a big move for Amazon, we'll be there. >> I think it is. >> Great job, live coverage here, from the floor, on the Expo floor at Amazon re:Invent in 2018, will be right back more Cube coverage, after this short break, two sets. We'll be right back. (soft electronic music)

Published Date : Nov 29 2018

Jesse Rothstein, ExtraHop | VMworld 2018


 

(pulsing music) >> Live from Las Vegas, it's theCUBE, covering VMworld 2018. Brought to you by VMware and its ecosystem partners. >> Good morning from day three of theCUBE's coverage of VMworld 2018 from the Mandalay Bay, Las Vegas. I'm Lisa Martin, and I'm joined by my co-host, Justin Warren. Good morning, Justin. >> Good morning, Lisa. >> We're excited to welcome to the first time to theCUBE Jesse Rothstein, co-founder and CTO of ExtraHop. Jesse, it's nice to meet you. >> Nice to meet you, Lisa. Thank you for having me. >> Absolutely, so ExtraHop, you guys are up in Seattle. You are one of Seattle's-- >> Sunny Seattle (Jesse chuckles). >> Sunny Seattle. So, one of the best companies up there to work for. Tell us about ExtraHop. What do you guys do in the software space? >> Great. Well, ExtraHop does network traffic analysis, and that can be applied to both performance, performance optimization, as well as cybersecurity. Now, I'm not unbiased, but what I would tell you is that ExtraHop extracts value from the wire data better than anybody else in the world, and that's our fundamental belief. We believe that if you can extract value from that wire data and insights and apply in real-time analytics and machine-learning, then this can be applied to a variety of use cases, as I said. >> That's quite interesting. Some of the use cases we were talking about off camera, some of the things around micro-segmentation, particularly for security, as you mentioned, is really important, and also in software-defined networking, the fact that you are software, and software-defined networking we've had a few guests on theCUBE so far over the last couple of days, that's something which is really experiencing a lot of growth. We have VMware who's talking about their NSX software-defined networking. Maybe you could give us a bit of detail on how ExtraHop helps in those situations.
>> Well, I'm paying a lot of attention to VMware's vision and kind of the journey of NSX and software, really software-defined everything, as well as, and within NSX, you see a lot of applications towards security, kind of a zero-trust, least-privileged model, which I think is very exciting, and there's some great trends around that, but as we've also seen, it's difficult to execute. It's difficult to execute to build the policies such that they maybe don't break. From my perspective, a product like ExtraHop, a solution like ExtraHop, we work great with software-defined environments. First, because they have enabled the type of visibility that we offer in that you can tap traffic from a variety of locations for the purposes of analysis. If left to its own devices, I think these increased layers of abstraction and increased kind of policy frameworks have the potential to introduce complexity and to limit visibility, and this is where solutions like ExtraHop can provide a great deal of value. We apply to both your traditional on-prem environment as well as these hybrid and even public cloud environments. The ability to get visibility across a wide range of environments, really pervasively, in the hybrid enterprise is I think a big value that we offer. >> We are at VMworld and on day one, on Monday, Pat Gelsinger talked about the average enterprise has eight or nine clouds. I heard somebody the other day say that they had four and a half clouds. I didn't know you could have a half a cloud, but you can. Multi-cloud, a big theme here, that's more the vision and direction that VMware's going to go into, but to your point, customers are living in this world, it's not about embracing it, they're in it, but that also I think by default that can create silos that enterprises need to understand or to wrap their heads around.
To your point, they have to have visibility, because the data is the power and the currency only if you can have visibility into it and actually extract insights and take action. >> Absolutely. ExtraHop customers are primarily large enterprises and carriers, and every single one of them is somewhere on their own cloud journey. You know, maybe they're just beginning it, maybe they're quite mature, maybe they're doing a lot of data center consolidation or some amount of workload migration to public cloud. No matter where they are in that journey, they require visibility into those environments, and I think it's extremely important that they have the same level of visibility that they're accustomed to in their on-prem environment, with their traditional workloads, as well as in these sort of born-in-the-cloud workloads. But, I want to stress visibility for its own sake isn't very useful. Organizations are drowning in data, you can drown in visibility. For us, the real trick is to extract insights and bring them to your attention, and that's where we've been investing in data science and machine-learning for about four and a half to five years. This is before it became trendy as it is today. >> Superpower, like Pat called it. >> There's so much ML watching, when you walk in the show floor, almost every vendor talks about their AI and machine-learning. A lot of it's exaggerated, but what I'll say for ExtraHop, of course, ours is real, and we've been investing in this for years. Our vision was that we had this unbelievable amount of data, and when you're looking at the wire data, you're not just drinking from the firehose, you're drinking from Niagara Falls. You have all of this data, and then with machine-learning, you need to perform feature extraction on the data, that's essentially what data science teams are very good at, and then, build the ML models.
Our vision was that we don't want to just give you a big pile of data or a bunch of charts and graphs, we actually want to bring things to your attention so that we can say, "Hey, Lisa, look over here, there's something unusual happening here", or in many cases there's a potential threat or there's suspicious behavior, an indicator of compromise. That's where that sort of machine-learning I believe is the, kind of the-- well, certainly the current horizon or the state of the art for cybersecurity, and it's extremely important. >> Jesse, can you give us an example of one of your enterprise customers and how they've used ExtraHop to manage that complexity that Lisa was talking about, that visibility that they need to get through all the different layers of abstraction, and maybe, if there's one, an example of how they've done some cybersecurity thing, particularly around that machine-learning of detecting an anomaly that they need to deal with? >> Sure, I can think of a lot. One customer of mine, that unfortunately, I can't actually name them, is a very large retail customer, and what I love about them is they actually have ExtraHop deployed at thousands of retail sites, as well as their data centers and distribution centers. Not only does ExtraHop give them visibility into the logistics operations, and they've used ExtraHop to detect performance degradation and things like that, that were preventing them from, literally preventing the trucks from rolling out. But they're also starting to use ExtraHop more and more to monitor what's going on at the retail sites, in particular, looking for potential compromises in the point-of-sale systems. 
We've another customer that's a large, telco carrier, and they used ExtraHop at one point to actually monitor phone activations, because this is something that can be frustrating if you buy a new phone, and maybe it's an iPhone, and you go to activate it, it has to communicate to all these different servers, it has to perform some sort of activation, and if that process is somehow slow or could take a long time, that's very frustrating to your users and your customers. They needed the ability to see what was happening, and certainly, if it was taking longer than it usually does. That's a very important use case. And then we have a number of customers on the cybersecurity side who are looking for both the ability to detect potential breaches and maybe ransomware infections, but also the ability to investigate them rapidly. This is extremely important, because in cybersecurity, you have a lot of products that are essentially alert cannons, a product that just says, "Hey, hey, look at this, look at this, look at this. I think we found something." That just creates noise. That just creates work for cybersecurity teams. The ability to actually surface high-quality anomaly and threats and streamline and even automate the workflows for investigation is super important. It's not just, "Hey, I think I found something", but let's take a click or two and investigate what it is so we can make a decision, does this require immediate action or not. Now, for certain sort of detections, we can actually take an automated response, but there are a variety of detections where you probably want to investigate a little more. >> Yeah. >> I also noticed the Purdue Pharma case study on your website, and looking at some of the bottom line impacts that your technology is making where they saved, reduced their data center footprint by 70% and increased app response times by 70%. We're talking about pharmaceutical data. 
You guys are also very big in the healthcare space, so we're talking about literally potentially life-saving situations that need to be acted on immediately. >> Certainly that can be true. Healthcare, there can be life-and-death situations, and timely access to medical records, to medical data, whether it's a workstation inside an exam room or an iPad or something like that can be absolutely critical. You often see a lot of desktop and application virtualization in the healthcare environment, primarily due to the protection of PHI, personal health information, and HIPAA constraints, so very common deployments in those environments. If the logins are slow or if there's an inability to access these records, it can be devastating. We have a large number of customers who are essentially care providers, hospital chains, and such that use ExtraHop to ensure that they have timely access to these records. That's more on the performance side. We also have healthcare customers that have used our ability to detect ransomware infections. Ransomware is just a bit of a plague within healthcare. Unfortunately, that industry vertical's been hit quite hard with those infections. The ability to detect a ransomware infection and perform some sort of immediate quarantining is extremely important. This is where I think micro-segmentation comes into play, because as these environments are more and more virtualized, natural micro-segmentation can help limit damage to ransomware, but, more often than not, these systems and workstations do have access to something like a network drive or a share. What I like about micro-segmentation is the flexibility to configure the policies, so when a ransomware infection is detected, we have the ability to quarantine it and shut it down. Keep in mind that there's defense in depth, it's kind of a security strategy that we've been employing for decades. 
You know, literally multiple layers of protection, so there are always protections at your gateway, and your firewall, at the perimeter, your NGFW, and there are protections at the endpoint, but if these were 100% effective, we wouldn't have ransomware infections. Unfortunately, they're not, and we always require that last, and maybe a last line of defense where we examine what's going on in the east-west corridor, and we look for those potential threats and that sort of suspicious activity or even known behaviors that are known to be bad. >> Well, Jesse, thanks so much for stopping by theCUBE and sharing with us what ExtraHop is doing, and what differentiates you in the market. We appreciate your time. >> My pleasure, Lisa, Justin. Thank you so much for having me. >> And we want to thank you for watching theCUBE. I'm Lisa Martin with Justin Warren. Stick around, we'll be back. Day three of the VMworld 2018 coverage in just a moment. (pulsing music)

Published Date : Aug 29 2018


Barbara Kay, ExtraHop | CUBEConversation, July 2018


 

(upbeat music) >> Hi, I'm Peter Burris and welcome to another Cube Conversation from our studios here in beautiful Palo Alto, California. Once again, another great conversation today with Barbara Kay, who is a Senior Director of Security at ExtraHop. Barbara, welcome to theCUBE. >> I'm delighted to be here, thanks for inviting us. >> Well, this is your first time on theCUBE, let's start with the obvious question, how's ExtraHop doing, what's going on? >> ExtraHop is doing incredibly well. I joined the company, actually, in January, so I just had six months here, and I came in as part of a transition from a very network performance centric company, to a really strong drive into the cyber security space. You know, we'd been selling very well, and successfully for security use cases, for more than four years. But, we knew how important it was to help the people in the Security Operations Group be more effective, be more successful, get to the chase, get to the root cause, and get on with life more quickly. So, we've done a good job, in fact, we just shipped our second major release. Bringing the right investigative work flows, and automation and insights to the Security Operations Center front lines. >> So, you mentioned cyber security, why is this whole notion of network traffic analysis so hot in the security world right now? >> Well you know, it's kind of amazing, I've been in the security space for a few too long, too many years, but we keep seeing breaches, right? You keep seeing so and so just lost another such and such, and ransom we thought that was last year's problem, it's still an ongoing issue. So there are things like that where once someone gets inside your network, or if they start inside your network, as a privileged user, they are free to roam, because generally we are not instrumenting, we are not taking telemetry off of the things that are within our infrastructure, right? 
If we do get any sort of visibility into east-west network traffic, it's typically in the form of logs, and we may not have everything talking to us, right? So we call it the dark space, it's this place inside the network where nobody's able to see anything, and therefore you're not monitoring it. And what that means to the attacker, is that once he gets inside, he has free rein, he can run around, do whatever he wants, and that's lateral movement, reconnaissance, command and control, and database exfiltration, you know he can go find the good stuff and shut it down, or disrupt it. You know, we've seen the kind of scorched earth attacks, all that stuff has people really worried, and the network traffic zone is an area that has been underserved, if you will, in terms of security interest, and has the strength that pretty much anything you do, as an employee or for your business, uses the network, it runs across the network, and so by taking your visibility, and your source of truth from network traffic, you're ahead of the curve, and one thing that's interesting about this space, this network traffic analytic zone, is that we're coming in at a different part of the history of computing really, you know, I've seen us go from workstations to servers, to data centers, from Unix to Windows, to on and on, and we're seeing an analytics first capability, an ability to process data in real time, in memory, that we didn't have 10 years ago, and we certainly couldn't harness that, for the power and the capability for the average systems. Right, it used to be, oh that was a big data problem, much too hard, much too slow, much too historical, well now you've got a lot of resources ready and able and accessible, that's what network traffic analytics is doing, taking that rich data and putting it to work, and making it interesting and insightful, for now, for real problems in terms of east-west attacks, and late stage attack activities. 
>> Well, any company's network is valuable, in and of itself, but it becomes increasingly valuable as you said, as it's connected to other networks. >> Yeah. >> And so, it's all part of this effort to move away from a perimeter orientation. >> Exactly. >> To an approach to understand the value that's actually being transmitted on the network, and ensuring that you can both do that while, at the same time, better protect how data and users, and other agents are engaging your company, right? >> Yeah, absolutely and that critical assets lens, is what I think of it as, you want to protect the things that matter the most to you, right? And those may be repositories of data, right? Your employee database, your customer database, that's obvious, but actually think about it as a system, or a service, you need the web server, the data store, the app server everything to work together and stay working, in order for your mission critical, business critical, fill in the blank service, to be functional, right? And, that set of things is in fact your critical asset, that's the thing that will allow you to make money, we had a meeting a couple weeks ago, and you know, this customer, if their primary online application, isn't online, they're losing $10 million an hour, that's real money, right? >> No, no question. >> And so, we've always thought about that from a performance perspective, but security, CIA, that A is availability, it's about making things work and having them be there when you need them. >> Well, going back to what we were talking about, it used to be the security largely focus on restricting access to things. >> Right. >> But, as we move to a digital business, where the actual data and services associated with the data, become increasingly the business, now you're not talking about how to restrict access, you're talking about how to appropriately share access. >> Right. 
>> And, that's where a lot of the advanced analytics comes in because you can't predict with any certainty, who's going to want it, where they're going to want it, how they're going to want it, and you want to be able to open it up so your customers, your partners, your markets, can generate additional value, out of what you have. >> Right, and I think that that's an important thing that's changing now, is we think about, it used to be that the model for protection was you loaded up your end point with a bunch of defenses, and you were good, right? Well so few devices now are ready to be managed with an agent, right? They are sensors, they are tags, they are whatever, they will be interacting with your systems, and you can't control those endpoints the same way we used to. So we really have to think differently about the problem, and again, for those devices to interact with things, and for either good things or bad things to happen, they have to use the network to achieve that. >> Yeah, and what company doesn't want potentially millions of customers utilizing their assets, leads to the next question, this is often associated with, network security's often associated with big companies who have their own networks, but we're talking about a circumstance where small companies are going to have to play as well, is this a company size specific issues, or is this all companies have to worry about this. >> So, there are two ways to think about that, I mean everybody has to worry about cyber security, to some degree, I think that what we feel is that the bigger that you are, the more likely you are to have a mature cyber security presence, you might have a security operation center, a physical place, or a set of people who together represent your SOC? 
But if you have intellectual property, if you have something that you care deeply about, and would hurt you to have disappear, get in the wrong hands, or be offline, then you may pay more attention to this, so it isn't necessarily about size, it's about your perspective on security, how important is security, if your services went down, or your database were stolen, how crippling would that be for your business, so generally companies that are more leaning in, a little more mature in terms of their approach to operations across the board, will be more interested in protecting and being more active and proactive about how they go about securing and designing response around cyber events. >> Oh well, we've also seen examples of big companies being penetrated because partners. >> Yeah. >> Sometimes smaller companies got penetrated, and that was the route into the big company through that partnership, so this is, again, all of these networks are being connected, >> Yeah. >> As part of the natural process, by which businesses are evolving, and so everybody has to, you don't want to be the small company. >> Right. >> Who is, becomes known as the company who made it possible to take down Target. >> Right. Well and I think that, interdependency of entities and networks has made life even more difficult for the guy with the security on his job title, right? He's got to deal with all these things, at the end of the day, it doesn't really matter who caused the problem, he's got to figure it out and make it stop, then you go back and try to figure out what happened, and how you clean it up, but initially it's stop the bleeding, and we see a lot of finger pointing and my lights are all green, I don't know about you, right. And trying to find a source of truth that lets you tear that apart and say what's actually going on, right? 
And the faster you can do that and feel good about the conclusion you got to, the more successful, the more confident, and the more able you are to move forward, and my personal prediction is that we're going to see a backlash against all of these disclosure events where we see the regulatory windows pushing to have a 72 hour to disclose window, which is fine except 72 hours is just not that much time when something really complicated has gone on, right. So that's why we see these serial disclosure events, where they come back and say it was this, then they come back and say well it was this actually, then actually, well actually it was this, right. And then every time you have to re-report your experience, you degrade what little credibility you had, and I think that's the kind of event that's really going to be the next wave of experiences we're seeing out there that will damage our industry. >> So you've talked about how old practices, like secure devices, secure perimeters, 72 hour disclosures, only work with people who you know who they are, those practices are failing, clearly utilizing new approaches, new technologies, AI, where the system increasingly is participating, actively participating in the process, of securing itself, is the way to go. What is ExtraHop bringing to the table? 
>> So, machine learning and AI, are sort of tools really, they are technologies and approaches for solving a problem, and the reason I think that they are helpful, in the security space, we've got zero percent unemployment, we just don't have enough people, so you can give them machines, tasks that are repeatable, boring, predictable, or really hard, right, you know, sort of finding the pattern in the data set, those are good problems for machine learning kinds of applications, and what ExtraHop is doing is taking the rich data, that we collect off of the network, and we are extracting from it, meaningful metrics, the metadata, thousands and thousands of points of information, that are beneficial and useful from a security perspective, we send that to the cloud, and the cloud then uses models that are designed, purpose built for security to extract behavioral implications, you know, and some things are always bad, right, you know, that should never happen, and so it happened, right, but some things can be derived over time based on baselining your behavior, and it could be device behavior, user behavior, application behavior, it's behavior and one thing that's interesting to me, about security is, you know you get all these tactics, or specifics rules and signatures and things, well they're only as good for the point of light when people were using that very specific thing, but we've been doing polymorphic everything for a long time, right. What that means is that you have to be thinking about the nature of the interaction rather than the explicit and only data point, right. 
Machine learning is a great way to extrapolate and understand the bigger landscape of things, and ExtraHop is hitching that machine learning engine to this great rich source of contextual data, and translating that into investigative insight, and a workflow instead of visualizations that help you go from a huge pile of data to a few compelling insights that you can act on quickly and with confidence. >> So identify the problems faster, when they're identified, to shorten the time that they're open, and to take rapid actions to remediate the problem. >> You got it, perfect. >> Barbara Kay, director of security at ExtraHop, thank you very much for being on theCUBE. >> Thank you it was my pleasure. (upbeat music)

Published Date : Jul 26 2018

Matt Cauthorn, ExtraHop | RSA North America 2018


 

>> Announcer: From downtown San Francisco, it's theCUBE, covering RSA North America 2018. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco. Forty thousand plus security experts really trying to help us all out. Protect our borders not so much, but protect access to these machines, which is harder and harder and harder every day with bring your own devices and all these devices. So really, it's a different strategy. And we're really excited to have ExtraHop back, we had ExtraHop on last year for the first year, he's Matt Cauthorn, the VP of security at ExtraHop. So Matt, what do you think of the show? >> Oh, amazing. Absolutely amazing. Super packed, been walking like crazy. Got all my steps in, it's fantastic. >> Alright, so you guys have been in network security for a long time? >> Yeah so we've been, so we live in the East-West corridor, inside the enterprise, inside the perimeter doing wire data analytics, and network security analytics. Our source of data is the network itself. >> Okay. And the network is increasing exponentially with all the traffic that's going through, the data sources are increasing exponentially with all the traffic going through. >> That's right. >> So how are you guys keeping up with the scale, and what's really the security solution that you guys are implementing? >> So the point you make is really interesting. Yes, it is increasing exponentially, and as a data source the network is the only sort of observational point of truth in the entirety of IT. Everything else is sort of self-reported. Logs, end points, those are very valuable data sources, but as an empirical source of truth, of evidence, the network wins. That assumes you can scale. And that assumes you're fluent with the protocols that are traversing the network, and you're able to actually handle the traffic in the first place. 
And so for us just this week, we announced a 100gb per second capable appliance, which you know is an unprecedented amount of analytics from the network's perspective. So we're very proud about that. >> So what are you looking for? What are some of the telltale signs that you guys are sniffing for? >> So generally, we auto-classify and auto-discover all of the behaviors on the wire. From the devices themselves, to the services that those devices expose, as well as the transactions that those devices exchange. And so from a context perspective, we're able to go far deeper than almost anyone else in the space, that we know of at least. Far deeper and far more comprehensive sort of analysis as it relates to the network itself. >> And the context is really the key, right? Tag testing what, why, how. System behavior, that's what you're looking for? >> A great example is a user logging into a database, that might be part of a cluster of databases, and understanding what the user's behavior is with the database, which queries are being exchanged, what the database response is in the first place. Is it an error, is it an access denied? And does this behavior look like a denial of service, for example. And we can do all of that in real time, and we have a machine learning layer that sits over top and sort of does a lot of the analytics, and the sort of insights preemptively on your behalf. >> And it's only going to get crazier, right? With IoT and 5G. Just putting that much more data, that many more devices, that much more information on the network. >> Yeah, so IoT in particular is interesting, because IoT is challenging to instrument in traditional ways, and so you really do have to fall back to the network at some point for your analysis. And so that's where we're very, very strong in the IoT world and industrial controls, SCADA and beyond. Healthcare, HL7 for example. So we're able to actually give you a level of insight that's really, really difficult to get otherwise. 
>> And we've been hearing a lot of the keynotes and stuff, that those machines, those end points are often the easiest path in for the bad guys. >> Yes they are. >> An enormous security camera or whatever, because they don't have the same OS, they don't have all the ability to configure the protections that you would with say a laptop or a server. >> That's right. There's a surprising number of IOT devices out there that are running very, very old. And vulnerable operating systems are easy to exploit. >> Alright, so Matt I guess we're into Q2 already, hard to believe the years passing by. What's priorities for 2018 for you and ExtraHop? >> So we've announced a first class, purpose-built security solution this year, and really the plan is to continue the sort of momentum that we've accrued. Which is very encouraging, the amount of interest that we've had. It's hard to keep up, frankly. Which is fantastic. We want to continue to build on that, grow out the use cases, grow out the customer base and continue our success. >> Alright Matt, well we'll keep an eye on the story, and thanks for stopping by. >> Great, thank you. Appreciate it. >> Alrighties Matt, I'm Jeff, you're watching theCUBE from RSA Conference, San Francisco. Thanks for watching.

Published Date : Apr 18 2018

Eric Thomas, ExtraHop | AWS re:Invent 2017


 

>> Announcer: Live, from Las Vegas. It's the Cube, covering AWS re:Invent 2017, presented by AWS, Intel, and our ecosystem of partners. >> Oh, well welcome to the Cube. John Walsh, here, with Keith Townsend, talking about re:Invent, the big AWS show going on here at the Sands Expo Center and talking about 40,000 plus people. I don't know how many hundred thousand square feet of booth space we're talking about here, but this show has grown exponentially from last year to this year, and we're looking forward to being with you here for the next three days. Again, I'm John Walsh, with Keith Townsend. Keith, always a pleasure to see you sir, how ya been? >> I've been really well, I'm navigating the four hotels this conference is spanning. The last number I heard, almost 50,000 people. >> Is that right? >> Yeah, it's 48,000, 45,000, a huge conference. >> Well and quite often, for those of you who come out to Las Vegas a lot for shows, you realize that there are certain anchor centers, but as Keith pointed out, we're talking about four hotels, and even some spillover into a fifth as well. The sessions are packed, the exhibits are certainly dynamic, already attracting a lot of attention behind us and we're glad to be with you, here on the Cube. It's a pleasure now to introduce Eric Thomas, who's the Director of Cloud Products at ExtraHop and good to see you sir. Thanks for being with us. >> Thanks very much. >> Breaking your maiden on the Cube, is that correct? >> Absolutely, first time, hopefully not the last. >> We'll go easy on ya. >> Oh, thank you so much, appreciate that. >> ExtraHop, based out of Seattle. Tell us a little bit, first off, about core competencies, what you guys do, and then we'll drill down a little bit to just why you're here at AWS. >> Absolutely, so we're a platform for what we call wire data analytics. 
Essentially what we do is, we use the network as a data source for application intelligence, performance, security, forensics, you know whether that's sort of public or private Cloud, on-prem, hybrid set ups. We sort of sit on the network, virtual or physical network, listen to all the traffic, and then we analyze it, sort of at an application layer. So we speak web, and database, and storage, active directory, single signon, all these sort of services and protocols. Then we apply machine learning to that to surface insights to IT professionals and app developers. >> So I mean, are you looking for whether it's code issues, or maybe infiltration, or maybe performance, I mean, or everything? >> All of the above, all of the above. >> Oh, alright. >> So we sort of started off talking about IT operations, performance management, availability, downtime, and our customers then said to us, you know, once you have full visibility across the entire app delivery chain, there's real implications for security there, you know, finding intrusions, anomalies and things of that nature. And so, over the last few years, we've gotten more and more into that business. You know, as far as AWS is concerned, kind of the Cloud operations, we've been supporting AWS since 2013. That was our first product offering. And we allow our customers to maintain their visibility as they shift their workloads to AWS. And sort of the value prop here is kind of a shared responsibility model, whether you're talking about security or infrastructure. At the end of the day, the business and the customer still responsible for the application. >> So help us understand why are data in the Cloud? I mean, I'm used to taking a network analyzer and puttin' it on my wire in the data center and I can get the really smart people to look at that data and extrapolate and find really great patterns. Do I really get wire data in the Cloud? How do you guys work in AWS? 
>> Yeah, so the virtual wire is still a virtual network, still, you know, the same TCP connection, the same packets going across the virtual wire. So we capture that virtual network traffic, marry it with physical network traffic from the data center or on-prem, put it all together in one package. >> So across customers, you guys have to have a lot of great insights. Do you have a service where you anomolize that data and then provide that insight back to your customer base? >> Yeah, absolutely. So we sort of turn that you know, investigative workflow on its head, where we do analysis and find the interesting stuff up front so that you know, the smart people don't have to go digging through packets and network analyzers. We surface our machine learning insights by looking at behavioral anomalies. We can kinda separate those into operational versus security anomalies to kinda improve the signal to noise ratio for both IT Ops teams and security teams as well. >> But to deal with the security stuff, then, on that level then, interesting point, Keith, that you bring up. The fact that you can learn from the greater community, and apply it to specific examples. What are some of these high level findings? I don't want, don't get into specifics, or you know, too specific. But what are you finding out in terms of security concerns, and how people are best addressing and best practices to addressing this? >> So we just announced, yesterday, a new rev of ExtraHop for AWS, which enables a lot of new types of use cases or outcomes from those types of security anomalies. It's a great example. You know, you're still responsible for securing all of your storage, all of your web applications. It's easy to configure your AWS setup to let anybody in the front door of S3. >> We've see that a lot, yep. >> Right, pretty embarrassing when it happens. But ExtraHop and ExtraHop for AWS, that's an anomaly, it's a couple a clicks to find out where it's goin' on and to fix it. 
>> So is this more prescriptive or descriptive? Are we doin' this pre an event, or post discovery of some type of intrusion? >> So we're doing it as it happens. We talk about real time analytics and when we say real time, we mean within one second of it happening, we see it in ExtraHop. Some vendors say real time to mean 15 or 10 minutes. Not really enough, if you know, trying to find a ransomware infection and stop it, for example. With machine learning, we'll provide suggested root causes. We'll say, this looks like a security anomaly. It looks like you've opened your S3 bucket. Here's how you go fix it. >> Let's talk a little bit about ecosystem. Security, especially in the Cloud, is a really big topic. There's challenges with SSL, encryption, decryption. ExtraHop can't do it all by themselves. Are you guys partnering with other security firms to bring insights? >> Yeah, we partner with a lot of different firms. Splunk comes to mind as sort of you know, a log, analytics and aggregation vendor. A lot of sort of byte code instrumentation on the sort of performance analytics side. And if you think about it architecturally, you've got the inside out view from logs and byte code, which is great. Find out what's going on in the brains of the computer as it's self-reporting as a virtual machine or an application. We take the outside-in view. We're sort of looking at it from the outside to get more definitive about literally every single transaction and the impact of everything, from active, all the things you can't measure or instrument using classical agents and that sort of thing. So we've had those firms come to us and say, we'd like to partner with you on this ecosystem approach. >> So AWS, big conference. One of the things I've talked to a lot of folks in the community for the past coupla days. For me, this is a very different community. 
We have anywhere from infrastructure architects from the Big Fortune 500s, to people who've been more traditional AWS customers and are not used to going through IT and consuming these services. How does a, that latter customer surface up at ExtraHop? >> So having been at this show since 2013, I've seen more and more enterprise customers at these shows as these, you know, sort of Cloud strategies have finally come to pass. Been talking about public Cloud since 2008 or so from a strategic perspective in the enterprise. Now, it's becoming real. Those are our customers, full-stop. The CIOs, the CSOs, the VPs of App Dev, Product Management et cetera. It's great to see them moving their workloads to the Cloud. It's also great to see that they're, you know, modernizing some of the services, while choosing to leave some of their other legacy services for later. We can monitor all of that, sort of maintain visibility, performance assurance and security, as they're moving those workloads. >> So can you talk about how you ease the pain between those two worlds, the public Cloud which is a very different operating model than what we can do in a data center. We have complete control of the infrastructure in a data center. The Cloud is abstracted away. How do you get guys help even that out and make operations simple? >> So one thing that we're seeing, sort of from a megatrend perspective with CIOs. They really want to make as many options available to their app teams, their infrastructure teams, their dev teams as possible, because the CIO's saying, I don't know what's gonna stick from a technology perspective. I'm not the one to make those decisions, I'm the one to support them. And so, I'm gonna open the floodgates. You know, you're allowed to do whatever you want with public Cloud, virtual private Cloud, I'm gonna give you all these options. Meanwhile the CSO is saying, I really wish you'd standardize. 
It's gettin' hard to track all these assets, all these different, you know, middleware components that you're putting out there. They need a way to audit and assess what's really going on, you know, in both the public virtual private Cloud and on-prem and that's sort of where we come in. >> So just in general, Cloud migration, you were just saying how, '08, '09, this has been eight, nine years in the making. Is it finally been kinda demystified, do ya think, to a certain degree? Or people, there's been enough trial and error that there's more confidence for those who haven't made that leap yet that okay, there's a more defined path that I'm more comfortable with it now. >> I think it's gotten more realistic in terms of the assumptions around cost savings. When people started talking about this originally, it was like, oh, great, we're gonna completely map our consumption of resources to what we really need. We're gonna save all this money, and yeah, that's true, to a degree. I think those expectations have been tempered a little bit, as you figure out, you know, where you can track that sort of performance in your capacity, or you just wanna let people run wild. So that's a tempering of expectations. There have also been these unexpected benefits around next gen application architectures, microservices, continuous integration, even continuous delivery. The Cloud enables all of that, you know, it sort of inspires a level of agility in historically less agile businesses. >> And then, you mentioned the, kind of these microservices. How do you guys support microservices? We're used to the VM centric view of the Cloud, when you're talking about services that are abstracted away from the VM. How does ExtraHop play in those realms? >> So, you know, this is sort of the next iteration of the services oriented architecture, as people have realized, you know, that the sort of the best practices and sort of code patterns for developing these services. 
For us, you know, we auto discover systems and services running across virtual or physical networks, which means you don't have to configure things ahead of time and we can scale to elasticity very easily. We see services spin up, spin down, move from one place to another, move across availability zones, and we just track all that as it happens. >> Well Eric, we certainly appreciate the time. And we wanna know, how was the first Cube experience? You alright with it? >> So far, so good, what do you think, you tell me, you're the experts. >> We didn't beat him up enough. >> We didn't, I gotta come with tougher questions next time. >> Next time. >> There you go. >> Eric Thomas, ExtraHop, glad to have you with us here on the Cube. >> Thank you so much, 'preciate it. >> Back with more here from re:Invent. We're in Las Vegas, be here all week, back with more on the Cube, right after this. (electronic music)

Published Date : Nov 28 2017


John Smith, ExtraHop Networks - RSA 2017 - #RSAC - #theCUBE


 

(upbeat music) >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco. We're live, it's 40,000 people all talking about security, and we're excited for a first-time attendee of RSA. We're joined by John Smith, a solutions architect from ExtraHop Networks. Welcome, John. >> Hey, thanks for having me. >> Absolutely. So you said it's your first time to the RSA Conference? I'm just curious, kind of first impressions of the show? >> Wow. Well, there's certainly a lot of people here. It's the biggest show I've ever been to. We've been to Synergy, HIMSS, a couple of them. I think HIMSS might have more people, but it certainly seems more crowded. People are more involved in the booths here, asking a lot of really good questions. A lot of ones and zeros people at the booth, so you really got to be on your toes (laughs) when you're talking to folks. (Jeff laughs) >> All right, for the people that aren't familiar with ExtraHop, give us kind of the overview, what you guys are all about. >> So we're a real-time IT analytics product that uses wire data to provide, at least in the security space, the biggest play we have is more around surveillance and invisibility. One of the first two controls that SANS recognizes as being, that you need to secure your environment, is asset inventory and the ability to see what applications are running on those assets. A lot of the tools in the security industry try to engineer down to that, to try to give you that. That's one of the, a lot of security people will kind of name that as one of the more difficult things to get. We start there. So we are a wire data analytics, that's kind of the core of what we do, so we don't require any IP addresses, we don't, or, I'm sorry, we don't require any agents, we don't require any SNMP, any ping sweeps or anything like that. If it has an IP address, it can't hide from us. 
So that means whether it's an IOT device or a medical device that's been compromised, if it's someone who wants to work in the dark and they've got a NACL that's blocking people, the minute they communicate with someone else, they're made and they can't hide from us. So what we've seen in our, with our customer base, is kind of a burgeoning security practice where people are actually using the appliance more in a security use case, and that's probably our fastest-growing use case right now. >> So what was the core of the business before? You said ExtraHop's been around for 10 years, but you're new here. What was kind of the core business before your security practice really grew? >> So the core of the business, and, you know, there's three kind of major areas. There's, we generally use the wire as a data source. So we position the customer to interact directly with the wire and the data that's coming across it. So that can be break, fix, and performance of your different web applications from layer two up to layer seven. A lot of that is business intelligence. We had an online retailer that wanted to know, you know, the average of income of people who filled out their credit app by ZIP code so that they could adjust pricing. That used to be a complicated OLAP job on the back end. We were able to give that to them in real time so that they could see, "Hey, people in this ZIP code make $300 a month more "than people in this ZIP code, we can raise prices here." So business intelligence and break, fix, and performance are big ones, and then of course in the security place, or the security space, where we're able to provide full accountability for every single IP address on the network, has been very powerful. >> Interesting. So you said you had some announcements that you guys are making here at the show? 
>> Yeah, so we have, are announcing our SaaS offering, which is another, it's basically a machine-learning, a cloud-based machine-learning platform that allows us to do some anomaly detection without the need to, you know, a lot of your cloud-based anomaly detection tools require you to forward terabytes of data so that then they can look at it, analyze it, and then maybe an hour later you get some information that you've been breached or that there's a problem-- >> That, or a day. >> Yeah, or, maybe, yeah. >> Months and months and months. >> Exactly. We're kind of unique in that we're able to, you know, what our Atlas program is able to essentially interrogate systems that are deployed around the world, currently around the U.S., it's a U.S. offering today, but basically we can interrogate those systems for any types of anomalies that happen. Actually, in the run up to the offering, we had a customer that was able to reroute some traffic because they were able to see the Mirai botnet was starting to meddle with some of the performance of different parts of their infrastructure. So having the ability to be able to provide customers visibility into what's going on on their networks without the burden of making them FTP data up to you so that then you can evaluate it, one, you don't have the infrastructure burden of sending the data to you and the delay with that, but in addition to that, you're able to provide some real-time visibility. One of the things we've noticed is that the people who have the ability to interpret the data and to kind of parse and tell you when there is an anomaly, they're very overworked and they're spread really thin in a lot of their organizations. We augment that capability by doing some of that heavy lifting for them so that we can say, "Hey, did you know you have 1,000% increase in, you know, "DNS traffic from this particular host?" >> Right. 
>> That type of visibility that you can do in real time, so that if you have multiple branches around the country, we can provide that visibility from one centralized location. >> Yeah, it's all about the real time, right? Real time is in time, hopefully. >> Real time, and really, the money is in the mash-up, right? We've had a lot of really, one of the things I've noticed over the years is threat intelligence has really matured, and I think that's great, but if you can't marry that with some of your own intelligence that's going on on your own networks, you know, the value is really a lot tougher to realize. If you can ad hoc or if you can engage in some ad hoc threat intelligence by leveraging a platform like ExtraHop that can do the evaluation and thread things like anomalous behavior, that makes your agility to deal with today's threats really, really, a lot more effective. Most threats, as you're probably aware, happen, I think 93% of them happen within a minute. Dealing with that with humans, dealing with that with logs, is, it's really, really tough to do. I love logs and I love humans, but if you can position yourself to engage in programmatically dealing with that, we see orchestration is becoming, you know, kind of an emerging technology, and we're uniquely positioned to be able to interact with any sort of orchestration engines, something like a phantom, you know, things like that, where we can observe some actionable data, and then we have an open platform that can then integrate with the orchestration they're after. >> All right. Well, John, that was a great summary. We're going to leave it there, thanks for stopping by. The money's in the mash-up, did I get it right? >> John and Jeff: The money's in the mash-up. >> Baby. >> All right. >> All right. >> He's John Smith, I'm Jeff Frick. You're watching theCUBE from RSA. >> Thank you. >> Thanks for watching. (upbeat music)

Published Date : Feb 15 2017
