
Search Results for Jesse Rothstein:

Jesse Rothstein, ExtraHop | AWS re:Invent 2019


 

>> Announcer: Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2019, brought to you by Amazon Web Services, and Intel, along with its ecosystem partners.
>> Welcome back, this is theCUBE's seventh year of coverage of the mega AWS re:Invent show, here in Las Vegas. Somewhere between 60 and 65,000, up and down the street. We are here in the Sands Convention Center. I am Stu Miniman, my cohost for this segment is Justin Warren. And happy to welcome back to the program, one of our CUBE alumni, Jesse Rothstein, who is the co-founder and CTO of ExtraHop. Jesse, great to see you.
>> Thank you for having me again.
>> So, we caught up with you at AWS re:Inforce--
>> We did.
>> Not that long ago, in Boston. Where, it rains more often in Boston than it does in Vegas and it's raining here in Vegas, which is a little odd.
>> Strangely it is raining here in Vegas, but re:Inforce at the end of June in Boston was the first AWS security conference. Great energy, great size, we had a lot of fun at that show.
>> Yeah, so Dave Vellante, who was one of the ones at re:Inforce, and he actually came out of the three-hour keynote yesterday with Andy Jassy and said, "I'm a little surprised there wasn't as much security talk." You know, it's not like we can remove security from the discussion of cloud, it is you know one of the top issues here. So I want to get your viewpoint, were we missing something? Is it just there, what grabbed you?
>> I know this thing as well. I think, perhaps, they're saving some announcements for, you know, re:Inforce coming again in June in Houston this year. There was at least one announcement around IAM Access Analyzer as I recall. But generally the announcements seem to focus in some other areas. You know some big announcements around data warehousing, you know for federated Redshift queries I think. And some big announcements around machine learning tooling, like the SageMaker Studio. But I noticed that as well, not as many security announcements.
>> You never know, Werner still has his keynote tomorrow. So we're sure there'll still be another 50 or 100 announcements before the week is done. ExtraHop also has something new this week, so why don't we make sure--
>> Well first I can assure you that cloud security is not solved. It's not a solved problem, in fact, unfortunately despite record spend year after year after year, we still continue to see record numbers of compromises and data breaches that are published. I think cloud security in particular remains a challenge. There's a lot of energy there and I think a lot of attention, people recognize it's a problem. But we're dealing with massive cyber security skill shortages. It's very hard to find people with the expertise needed to really secure these workloads. We're dealing with more sophisticated attackers. I think in many cases, attackers with nation state sponsorship. Which is scary, you know five or 10 years ago we didn't see that quite as much. More cyber criminals, fewer nation states. And of course, we're seeing an ever increasing attack surface. So ExtraHop's right in the mix here, and we focus on network detection and response. I'm a huge believer in the power of network security, and I'll talk more about that. At re:Inforce last June, we announced ExtraHop Reveal(x) Cloud, which is a SaaS offering using AWS's recent VPC Traffic Mirroring capability. So the idea is, all you do is you mirror a copy of the traffic, using VPC Traffic Mirroring, to our SaaS, and then we provide all of the sophisticated detection, investigation and response capabilities, as a product. So that's hosted, you still do the work of investigating it, but you know we provide the entire offering around that. Very low TCO, very turnkey capabilities. And of course, it wouldn't be a modern day security offering if we didn't leverage very sophisticated machine learning, to detect suspicious behaviors and potential threats.
But this is something I think we do better than anybody else in the world.
>> So walk us through some of what the machine learning actually does. 'Cause I feel that the machine learning and AI is kind of hitting peak hype cycle maybe.
>> You know I almost can't say it with a straight face because it's so overused. But, it is absolutely real, that's where the state of the art is. Machine learning allows us to recognize behaviors, and behaviors are very important because we're looking for post-breach behaviors and indicators of compromise. So there are a million ways that you can be breached. The attack surface is absolutely enormous. But there's actually a relatively small number, and a relatively tractable set of post-breach behaviors that attackers will do once you're compromised. And I think more and more organizations are realizing that it's a matter of when and not if. So what we've done is we've built the machine learning behavioral model so that we can detect these suspicious behaviors. In some cases we have an entire team of threat researchers that are simulating attacks, simulating pen testing tools, lateral movement, exfiltration so we can train our models on these behaviors. In some cases, we're looking for very specific indicators of compromise. But in just about all cases, this results in very high quality detections. And because just detections alone are completely insufficient, ExtraHop is built on top of an entire analytics platform, so that you're always one or two clicks away from being able to determine, is this something that requires immediate attention and requires kind of an incident response scenario? One of the capabilities that we announced here at this show, is automated response. So we integrate with the AWS API, so that we can automatically isolate and quarantine a workload that's behaving suspiciously. You know in cyber security, some attacks are low and slow but some are very fast and destructive.
And for the fast and destructive ones, you move faster than a human's ability to respond, so we need that automated response. And we also announced a continuous packet capture capability for forensics, because sometimes you need the packets.
>> That's a response, a lot of different things that we'd actually like to bring the capability a little bit earlier than that so that we don't actually get breached. It's great that we can detect it and say, great we've got the indication of compromise and we can react very, very quickly to that. Are you able to help us get one step ahead of the cyber crimes?
>> So I'll actually be a little contrarian on that. I'm going to say that organizations have really been investing in protection and prevention, for the last decade or two. You know this strategy's called defense in depth, and you should do it, everybody should, that's a best practice. But, you know, with defense in depth, you have lots of layers of defense at the perimeters. You know keep the attackers out of the perimeter, gateways, firewalls, proxies. Lots of layers of defense at the endpoint, you know keep attackers off of my workstations, my instances, my laptops, things like that. But, you know, I think again, organizations have learned that attackers can fire, you know, 1,000 arrows, or 100,000 arrows, or 100 million arrows and only one needs to land. So the pendulum has really swung toward detection and response. How do I know if I'm breached right now? How can I detect it quickly? The industry average dwell time is over three months, which is unacceptably long, and we always hear about cases in the news that are three years or more. And what I like to say is if it were three weeks, that would be too long. If it were three days, that would be too long, if it were three hours, I think you could do a lot of damage in three hours. If you can start getting this down to three minutes, well maybe, you know, we can limit the blast radius in three minutes.
>> So Jesse, you brought up the ever growing surface area of attack and one of the big themes we've seen at the show is AWS is pushing the boundaries of where they touch customers. You know I said if Amazon is the everything store, AWS is becoming the everywhere cloud. Outposts, from Amazon's perspective, they said Outposts just extends their security models. I see and hear a lot of the ecosystem talking about how they're leveraging that and integrating with that. Does Outposts or any of their other Edge solutions impact what your customers and your solutions are doing?
>> So it's funny you say that, I was wondering that myself. My expectation is that Outposts are a good thing because they have the same security controls that we expect to see in any AWS kind of VPC enabled environment. Where I haven't gotten full clarification is do we have the full capabilities that we expect with VPCs? In particular, you know VPC Traffic Mirroring, which is the capability that was announced at re:Inforce, that I'm so excited about, because it allows us to actually analyze and inspect that traffic. Another capability that I think slipped in under the radar but it was announced yesterday is VPC Ingress Routing. This doesn't really affect ExtraHop that much, but as a network head, I like seeing Amazon enable organizations to kind of make their own choices around how they want to inspect and control traffic. And with VPC Ingress Routing, it actually allows you to run in-line devices between your VPCs, which previously you were unable to do. So I think that one slipped in under the radar, maybe you have to be a network head like me to really appreciate it. But I'm seeing more flexibility and not less and that's something that I'm really pleased with.
>> That one thing that we definitely see with cloud is that explosion of customer choice, and all of these different methods that are available. And Amazon just keeps pushing the boundaries on how quickly they can release new features.
What does that mean for ExtraHop in being able to keep up with the pace of change that customers are using all of these different features?
>> That's a good question, I think that's just the reality, so I don't think about what it means or doesn't mean, that's just the way it is. In general though, I've seen this trend toward more flexibility. You know VPC Traffic Mirroring, to use that example again, was one of the few examples I could point to a year ago as something really useful and valuable that I could do on-premises, you know for diagnostic purposes, for forensics purposes, that for some reason wasn't available in public cloud, at least not easily. And, you know, with this announcement six months ago, and going to general availability, Amazon finally ticked that one off. And we're starting to see the rest of the public cloud ecosystem move that way as well. So I'm seeing more flexibility, and more control. Maybe that comes with a pace of innovation, but I think that's just the world we live in.
>> You do mention that the customers are having to adopt this new regime, of look we need to look at compromise, can we detect if we've been compromised, and can we do it quickly. We have a lot of tools that are now being made available, like Igress Routing, but, sorry Ingress Routing. But what does that mean for customers in changing their mindset? One of the themes that we had from the keynote yesterday was transformation, so do customers need to just transform the way they think about security?
>> Yes and no. You know certainly customers who are used to a certain set of on-prem tool set, tool chain can't necessarily just shoehorn that into their public cloud workloads. But on the other hand, I think that public cloud workloads have really suffered from an opacity problem, it's very difficult to see what's going on, you know it's hard to sift through all those logs, it's hard to get the visibility that you expect.
And I think that the cyber security tool set, tool chain, has been pretty fragmented. There are a lot of vulnerability scanners, there are a lot of kind of like API inspectors and recommendation engines. But I think the industry is still really trying to figure out what this means. So I'm seeing a lot of innovation, and I'm seeing kind of a rapid maturing of that kind of cloud security ecosystem. And for products like ExtraHop, I'm just a huge believer in the power of the network for security, because it's got these great properties that other sources of data don't have. It's as close to ground truth as you could possibly get, very hard to tamper with and impossible to turn off. With VPC Traffic Mirroring, we get the full power of network security and it's really designed with the controls and kind of the IAM roles and such that you would expect for these security use cases, which, I just, great, great advance.
>> So along the discussion of transformation, one of the things Andy Jassy talked about is the you know, the senior leadership, the CEOs need to be involved. Something we've been saying in the security industry for years. Not only CEOs, the board is you know, talking about this and it's there, so you know, what are you seeing? You stated before that we haven't solved security yet, but so, bring us inside the mindset of your customers today, and what's the angst and you know, where are we making progress?
>> That's a very interesting question. I'll probably be a little contrarian here as well, maybe not but I think we see a lot of pressure is regulatory pressure. You know we're seeing a lot of new regulations come out around data privacy and security, GDPR was you know pretty transformative in terms of how organizations thought about that. I also think it's important that there are consequences. I was worried that for a few years data breaches were becoming so commonplace that people were getting kind of desensitized to it.
Like, there was once a time that if, when there was a massive data breach kind of heads would roll. And there was a sense of consequences all the way up into the C-suite. But a few years ago I was starting to get concerned that people were getting a little lackadaisical like, "Oh just another data breach." My perception is that the pendulum's swinging back again. I think for truly massive data breaches, there really is a sense of brand. And I'm seeing the industry starting to demand better privacy. The consumer industry is perhaps leading the way. I think Apple's doing a very good job of actually selling privacy. So when you see the economics, I mean we're, it's a capitalist system. And when you see kind of the market economics align with the incentives, then that's when you actually see change. So I'm very encouraged by the alignment of kind of the market economics for paying greater attention to privacy and security.
>> All right, want to give you a final word here, you said you'd like to have some contrarian viewpoints. So you know, the last question is just you know, what would you like to kind of just educate the marketplace on that maybe goes against the common perception when it comes to security in general, maybe network security specifically?
>> Well, I'll probably just reiterate what I said earlier. Network security is a fundamental capability, and a fundamental source of data. I think organizations pay a lot of attention to their log files. I think organizations do invest in protection and prevention. But I think the ability to observe all of the network communications, and then the ability to detect suspicious behaviors and potential threats, bring it to your attention, take you through an investigative workflow, make sure that you're one click away from determining you know, whether this requires an actual incident response, and in some cases take an automated response.
I think that is a very powerful solution and one that drastically increases an organization's cyber security posture. So I would always encourage organizations to invest there regardless of whether it's our solution or somebody else's. I'm a huge believer in the space.
>> All right so, Jesse, thank you so much for sharing. We know that the security industry still has lots of work to do. So we look forward to catching ExtraHop soon at another event. And we have lots of work to do to cover all of the angles of this sprawling ecosystem here at AWS re:Invent. For Justin Warren, I'm Stu Miniman, be back with lots more right after this, and thank you for watching theCUBE.
(bouncy electronic music)

Published Date : Dec 5 2019


Jesse Rothstein, ExtraHop | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019, brought to you by Amazon Web Services and its ecosystem partners.
>> Welcome back, everyone. Live coverage of AWS re:Inforce, their first conference. theCUBE here in Boston. Messages some jumper. MacOS David Lattin escapes Jesse Rothstein, CTO and co-founder of ExtraHop, CUBE alumni. Great to see you again. VMworld, re:Invent, now the new conference, re:Inforce, not a team. A summit reinforced a branded event around cloud security. This is in your wheelhouse.
>> Thank you for having me. Yeah, it's a spectacular event. Unbelievable turnout. I think there's 8000 people here. Maybe more. I know that's what they were expecting for an event that was conceived of, or at least announced, barely six months ago. The turnout's just
>> Wait. Many conversations in the past on theCUBE and others, cloud security now having its own conference. It's not like a security conference like Black Hat or Def Con, which is like a broader security. This is really focused on cloud security and the nuances involved for on premises and cloud as it's evolving. It's certainly a lot more change coming on this kind of spins into your direction you would talking this year in the front end.
>> It absolutely does. First, it speaks to market demand. Clearly, there was demand for a cloud security focused conference, and that's why this exists. Every survey that I've seen lists security extremely high on the list of anxieties or even causes for delay for shifting workloads to the cloud. So Amazon takes security extremely seriously. And then my own personal view is that cloud security has been somewhat nascent and immature. And we're seeing, you know, hopefully kind of, ah, somewhere rapid, a
>> lot of motivation in that market. Certainly a lot of motivated people want to see it go faster and there spitting in building that out. So I gotta ask
>> you before you get off the show, I actually say something if I may.
I mean, it's been a long time coming. Yeah, this to your point, Jesse. There was a real need for it, and I think Amazon deserves a lot of credit for that. But at the same time, I think Amazon. There's a little criticism there. I mean, I think that the message that re:Invent that's always been we got the best security. We got the most features as I come on in, and the whole theme here of the shared responsibility model, which I'd love to get into, I think was somewhat misunderstood by some of those high-level messaging. So I didn't want to put that out there as a topic that we might touch on. Great. Let's talk about it. Okay, so I do think it was misunderstood. The shared responsibility model. I think the messaging was, hey, the cloud is more secure than your existing data centers. Come on in. And I think a lot of people naively entered waters and then realized, oh, wait a minute. There's a lot that we still have to secure. We can't just set it and forget it. I mean, you agree with that?
>> I think that's a controversial topic. I do agree with it. I think it continues to be misunderstood. Shared responsibility model in some ways is Amazon saying We're going the security infrastructure and we're going to give you the tools. But organizations are still expected to follow best practices, certainly, and implement their own, hopefully best in class security operations.
>> It's highly nuanced. You can say sharing data see increases visibility into threats and also of making quality alerts. But I think it's a little bit biased, Dave, for Amazon to satiate responsibility because they essentially want to share in the security posture because they're saying we'll do this. You do that as inherently shared. So why wouldn't they say that?
>> Well, I guess we're gonna say we want to own everything? Well, I guess my weight So this show is that I really like their focus on that.
I think they shone a light on it and for the goodness of the industry in the community they have. But it is a bit
>> nuanced, and they've said some controversial, perhaps even contradictory statements. In the keynote yesterday, I was amused to hear that security is everyone's job, which is something I wholeheartedly believe in. But at the same time, you know, David said that he didn't believe Stephen Step Rather said that he didn't believe in DevSecOps, and that seemed a little bit at odds because I but I think they're probably really Steven Schmidt. Steven
>> so eight of us. But at the same time, there was a narrative around. Security is code. So, yes, there were some contradictions in messaging, so this smaller remains small ones. They were nuanced but remains some confusion. And that's why people look to the ecosystem to help acorns. And this goes back to
>> my earlier point. I believe that cloud security is really quite nascent. When we look at the landscape of vendors, we see a number of vendors that really are kind of on-prem security solutions they're trying to shoehorn into the cloud. We see a lot of essentially vulnerability scanning and static image scanning. But we don't see, in my opinion, that much really best in class security solutions. And I think until relatively recently it was very hard to enable some of them. And that's why I'd love to talk about the VPC traffic mirroring announcement, because I think that was actually the most impactful announcement
>> that I want to get to it. So this is ah, a new on the way. By the way, the other feedback up ahead on theCUBE is the sessions here have been so good because you can dig deeper than what you can get it re:Invent given tries. This is a good example. Explain that story, because this has been one of the most important stories, the traffic mirroring
>> Well, unlike re:Invent,
I think this show is more about education than it is about announcements. Now, Amazon announced a few new services going into GA, but these were services, for the most part, that we already knew you were coming here like God Watchtower and Security Hub. But the VPC traffic mirroring was really the announcement of this show. And, gosh, it's been a long time in coming. One closely held belief I've had for a long time is that in the fullness of time, there's really nothing of value that you can do on-prem that you wouldn't eventually be able to do in the cloud. And it's just been a head scratcher for me why, for so many years, we've been unable to get any sort of view, mirror or tap of the traffic for diagnostic or analytic purposes, something you could do on-prem so easily, with a SPAN port or a network tap, and in the cloud we've been having to do kind of back flips and workarounds and software taps and things like that. But with this announcement, it's finally here. It's native
>> Explain VPC Chapman. What is it for? The folks watching might not know it. Why it's wife. What is it and why is it important?
>> So VPC traffic mirroring is a network tap that is built into EC2 networking. What it means is that you can configure a VPC traffic mirror for individual EC2 instances, actually down to the ENI level. You can configure filters and you can send that to a target for analysis purposes. And this analysis could be for diagnostics. But I think much more important is for security. ExtraHop really began as a network analytics platform. We do network detection and response. So this type of, this ability to analyze the traffic in real time, to run predictive models against it, to detect in real time suspicious behaviors and potential threats, I think is absolutely game changing for someone's security posture.
>> And you guys have been on the doorstep of this day in day out. So this is like a great benefit to you guys.
As a company, I can see that. I see that's a great thing for you guys. What's the impact of the customers? Because what is the good news that comes out of the traffic mirroring for them? What's the impact of their environment?
>> Well, it's all about friction. First, I want to clarify that we've been running in AWS for over six years, six or seven years, so we've had that solution. But it's required some friction in the deployment process because our customers had to install some sort of software tap, which was usually an agent, that was analyzing that there was really gathering the packets in some sort of promiscuous mode and then sending them to us in a tunnel. Whereas now, this is built into the service, into the infrastructure. There's no performance penalty at all. You can configure it. You have IAM roles and policies to secure it. All of the friction goes away. I think, for kind of the first time in cloud history, you can now get extremely high quality network security analytics with practically the flip of a switch.
>> So it's not another thing to manage. It's, like you say, inherent to the network. John and I have heard this this week at this event from practitioners that they want to see less just incremental security products and more step function, and what they mean by that is we want products that actually take action or give us a script that we can implement, or actually fix the problem for us. Will this announcement on others that you guys were involved in take that next step more proactive security that these guys
>> So a couple of thoughts on that. First, the answer is yes, it can, and you're absolutely right. Remediation is extremely important, especially for attacks that are fast and destructive. When you think about kind of the, when you think about attack patterns, there are attacks that are low and slow.
There are attacks that are advanced and persistent, but the attacks that are fast and destructive move at a speed that is really beyond the ability for humans to respond. And for those sorts of attacks, I think you absolutely need some sort of automated remediation. The most common solutions are some form of blocking the traffic, quarantining the traffic or maybe locking the accounts, and, you know, kind of blocking, quarantining and locking are my top three, and then various forms of auditing and forensics go along the way. Amazon actually has a very good tool box for that already. And there are security orchestration products that can help. And for products like ExtraHop, the ability to feed a detection into an action is actually a trivial form of integration that we offer out of the box. So the answer is yes. But let me go back to kind of the incrementalist approach as well that you mentioned. I kind of think about the space in really, really broad strokes, and organizations for the last 10 years or so have really highly invested in prevention and protection. So a lot of this is your perimeter defense and endpoint protection, and the technologies have gotten better. Firewalls have turned into next generation firewalls and antivirus agents have turned into next generation antivirus or endpoint detection and response. But I strongly believe that network security has in some ways just kind of lagged behind, and it's really ripe for innovation. And that's why that's what we've really spent the last decade building.
>> And that's why you're excited about the traffic, VPC traffic mirroring, because it allows for parallel analytics and so more real time,
>> More real time. But the network has great properties that nothing else has. When you think about network security, the network itself is as close to ground truth as you can get, it's very hard to tamper with, and it's impossible to turn off. Those are great properties for cyber security.
And you can't say that about something like logs, which are from time to time disabled and scrubbed. And you certainly can't say that about endpoint agents, which are often worked around and in some cases even used as a vector for attack.
>> I'm gonna ask you, okay, on that point, I get that. So the next question would come to my mind is okay with the surface here. With IoT expanding and with cloud, you have a sprawling surface area. So the surface area is growing just by default by natural evolution, connecting to the cloud, people are backhauling their data into the cloud. All this is good stuff.
>> Absolutely. Call it the attack surface, and it is absolutely growing perhaps in an exponential
>> about that dynamic, one sprawling attack area. Because that's just the environment now. And what's the best practice to kind of figure out security posture?
>> Great, great question. People talk a lot about the dissolution of the perimeter, and I think that's a bit of the debate. And regardless of your views on that, we can all believe that the perimeter is changing and that workloads are moving around and that users are becoming more mobile. But I think an extremely important point is that every enterprise just about is hybrid. So we actually need protection for a hybrid attack surface. And that's an area where I believe ExtraHop offers a great solution because we have a solution that runs on premises in physical data centers or on campuses, which, no matter how much workload you move to the cloud, you still have some sort of user on some sort of laptop or some sort of workstation in some sort of campus environment. We work in private cloud environments that are virtualized. And then, of course, we work in public cloud environments, and another announcement that we just made at this show, which I also think is game changing, is our Reveal(x) Cloud offering. So this is a SaaS.
This is a SaaS-based network detection and response solution, which means that I talked about removing friction by mirroring the traffic. But in this case, all >> you have to >> do is mirror the traffic, point it to our SaaS, and we'll do all of the management mean that So is that in the streets for you that is in the marketplace. We launched it yesterday. >> So it's a great integration point for you guys. Get it, get on board more customers. >> And I think, I think solutions like ours are absolutely best practices and required to secure this hybrid attacks in the >> marketplace. What was that experience like, you know, Amazon >> was actually great to work with. I don't mean to say that with disbelief. You work with, you work with such a large company, you kind of have certain expectations, and they exceeded all of my expectations in terms of their responsiveness. They worked with us extremely closely to get into the marketplace. They made recommendations with partners who could help accelerate our efforts. But >> in addition to the >> marketplace, we actually worked with them closely on the VPC traffic mirroring feature. There was something we began talking with them about as far back as, I think, last December, even before re:Invent. They were extremely responsive to our feedback. They move very, very quickly. They've actually just >> been a delight to work. There's a question about you talking about the nana mutability of logs, and they go offline sometimes. And yet at the same time there's been tens of $1,000,000,000 of value creation from that industry. Are there things that are magic there, or things that you can learn from the analytics of analyzing logs that you could bring over to sort of what you're positioning as a more modern and cloud-like approach? Or is there some kind of barrier to entry doing that? Can you shed some light on Jesse?
That's >> a great question, and this is where I'll say it's a genius of the "and" situation, not a tyranny of the "or". So I'm not telling people, don't collect your logs or analyze them. Of course you should do that, you know, that's the best practice. But chances are that that space, you know, the log analysis and the, you know, the SIEM market has become so mature, chances are you're already doing that. And I'm not gonna tell organizations that they shouldn't have some sort of endpoint protection. Of course you should. But what I am saying is that the network itself is a very fundamental data source that has all of those properties that are really good for cyber security, and the ability to analyze what's going on in your environment in real time. Understand which users are involved, which resources are accessed, and are these behavioral patterns suspicious and do they represent potential threats? I think that's very powerful. I have a, I have a whole threat research team that we've built that just runs attack simulations, and they run attack tools so that we can take behavioral profiles and understand what these look like in the environment. We build predictive models around how we expect resources and users and endpoints to behave. And when they deviate from those models, that's how we know something suspicious is going on. So this is definitely a genius of the "and" situation. John >> reminds me of your, you like, you're very fond of saying, hey, what got you here is not likely to move you forward. And that's kind of the takeaway for practitioners is >> yeah. I mean, you gotta build on your success. I mean, having economies of scale is about not having diseconomies of scale, meaning you always constantly reinventing your product, not building on the success. And then you're gonna have more success if you can't trajectory if you it's just basic competitive strategy, product strategy.
But the thing that's interesting here is that as you get more successful and you continue to raise the bar, which is an Amazon term, they work with you better. So if you're raising the bar and you did your own network security probably like OK, now we get parallel traffic mirroring so that >> that's true. But I think we've also heard that Amazon is, I think they call it maniacally customer focused, right? And so I think that this traffic mirroring capability really is due to customer demand. In fact, when you, if you were at the keynote when they made the announcement, that was the announcement where I feel like every phone in the whole auditorium went up. That's the announcement where I think there's a lot of excitement, and for security practitioners in particular, and SecOps teams, I think this, I think this really reduces some anxiety they have, because cloud workloads really tend to be quite opaque. You have logs, you have audit logs, but it's very difficult to know what's actually going on there and who is actually accessing that environment. And, even more important, where is my data going? This is where we can have all sorts of, everything from a supply chain attack to a data exfiltration, and it's extremely important to be able to have that visibility into these clouds. >> We agree. We've been saying on theCUBE many, many years now that the network is the last bottleneck, really, where that script gets flipped upside down, where workloads are dictating DevOps. Now the network piece is here, so I think this is going to create a lot of innovation. That's our belief. Love to follow up more in Palo Alto when we get back on this hybrid cloud, I think that's a huge opportunity. I think there's a create a blind spot for companies, because that's where the attackers will go, because they'll know that the hybrid's rolling out and that'll be a vulnerability area. >> One that's, you know, it's an arms race. Network security is not new.
It's been around for decades. But the attackers and the attacks have become more sophisticated, and as a result, you know, the defenders need to raise their game as well. This is why, on the one hand, there's so much hype, and I think machine learning in some ways is oversold. But in other ways, it is a great tool in our arsenal. You know, the machine learning, the predictive models, the behavioral models, they really do work. And it really is the next evolution for defensive >> capabilities. Thanks for coming on. Great insight. >> One last question. The beer. Extra guys have been here. We did in the past. It's been a while since >> we've done that, but it comes from early days when, when I founded the company, people would ask you in the name extra hoppy, oh, are you guys an online brewery? And we were joking. We said no, that that was extra hops. We embraced it, and we actually worked with a local brewer that has since been acquired by a major beverage brand. I >> don't know that. I just heard. We built our own >> label, and it was the ex Rob Wired P. A. It was, it was extremely well received. Every time we visit a customer they'd ask us to bring beer. >> That's pretty. You gotta go back to the proven formula. Thanks for the insights. Let's follow up when we get back in Palo Alto in our studio on his high breathing's a compelling conversation. Network security, network analytics, innovation areas where all the action's happening here in Boston, AWS re:Inforce. CUBE coverage. We'll be right back.

Published Date : Jun 26 2019


Jesse Rothstein, ExtraHop | AWS re:Invent 2018


 

>> Live from Las Vegas, it's theCUBE. Covering AWS re:Invent 2018 Brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> Hey, welcome back. And we're live here at Las Vegas AWS re:Invent 2018 live coverage from theCUBE. I'm John Furrier. Dave Vellante, my co-host, wall to wall coverage. Dave, six years covering Amazon, watching it grow. Watching it just an unstoppable force of new services. Web services being realized from the original vision years and many, many years ago, over a decade. Jesse Rothstein, CTO and co-founder of ExtraHops our next guest, welcome back to theCUBE, good to see you. >> Thanks for having me. >> So first of all before we get into the conversation, what's your take on this madness, here? It's pretty crazy. >> You know this is, I think this is my sixth year, as well, and this show must double in size every year. It's enormous, spread across so many venues, so much going on, it's almost overwhelming. >> I remember six years ago, we used to be on theCUBE, and I think we just kept the stream open, "Hey, come on up! We have an opening!" Now it's like two cubes, people tryin' to get on, no more room, we're dyin', we go as hard as we can, 16 interviews, hundreds of interviews, lots of change. So I got to ask you, what is your view of the ecosystem? Because back then, handful of players in there. You guys were one of 'em. Lot of opportunities around the rising tide here. What's your thought on the ecosystem evolution? >> Well, of course the ecosystem has grown, this show has really become recognized as the pre-eminent Cloud show, but I see some themes that I think have certainly solidified, for example I spent a bunch of time on the security track. That's the largest track by far, I'm told. They're actually breaking it out into a separate add-on conference coming up in the summer. So clearly there's a great deal of interest around Cloud security as organizations follow their... 
>> Did they actually announce for that security conference? >> They did, they did. >> Okay, so Boston in June, I think right? >> June, that's correct. They announced, I think, I don't want to mess up the dates, June, late June. >> I think June 26. Breaking News here, that's new information. That's a really good signal for Amazon. They're taking security serious. When I interviewed Andy Jassy last week, he said to me, "Security used to be a blocker. Oh the Cloud's not secure!" Couple short years ago, now it's actually competitive advantage, but still a lot more work to get done. Network layer all the way up, what's your take? Never done. >> Well, so that's what Andy says, and I think that I would rephrase that slightly differently. Security used to be a blocker and it used to be an area of anxiety and organizations would have huge debates around, you know, whether the Cloud is less secure, or not, inherently. I think, today, there's a lot more acceptance that the Cloud can be just as secure as on-prem or just as insecure. You know, for my view, it relies on the same people, processes, and technologies, that are inherently insecure as we have on-prem, and therefore it's just as insecure. There are some advantages, the Cloud has great API logging, building blocks like CloudTrail. New services like GuardDuty, but at the same time it's hard to hire Cloud security expertise, and there is an inherent opacity in public Cloud that I think is a real challenge for security. >> Well, and bad human behavior always trumps good security. >> Well, of course. >> Talk about ExtraHop, how you guys are navigating, you guys have been in the ecosystem for a while. Always an opportunity to grow, I love this TAM's expanding, huge expansion in the adjustable market, new use cases. What's up with you guys? Give us an update. Where's the value proposition resonating? What's the focus? 
>> Well, you can probably tell from my interests that we see a lot of market pull and opportunity around Cloud security. ExtraHop is an analytics product for IT ops and security, so there's a certain segment of what we do for IT operations use cases. Delivering essentially a better level of service, we attach to use cases like Cloud migrations and new application roll-outs. But we also have a cyber security offering, that's a very advanced offering, around network behavioral analytics, where we actually can detect suspicious behaviors and potential threats, bring them to your attention. And then since we leverage our broader analytics platform, you're a click away from being able to investigate or disposition these detections and see, hey, is this something I really need to be concerned about. >> Give an example of some of the network behavior, because I think this is a real critical one, because with no perimeter, you got no surface area, you got APIs, this is the preferred architecture, but you got to watch the traffic. How will you guys be specific and give an example. >> So, some of my favorite examples have to do with detecting when you've already been breached. Organizations have been investing in defense in depth for decades, you know, keep the attackers out at the perimeter, keep the attackers away from the endpoint, but how would you know if you've already been breached. And it turns out, Verizon does a great data breach investigation report annually. And they determine that there are only nine or so behaviors that account for 90% of what all breaches do, what they look like. So, you look for things like parts of the cyber security attack chain. You look for reconnaissance, you look for lateral movement, you look for some form of exfiltration. Where ExtraHop is taking this further is that we've built sophisticated behavioral models. We're able to understand privilege.
We're able to understand what are the most important systems in your environment, the most important instances. Who has administrative control over them, and then when that changes, you want to know about it, because maybe this thing, this instance, in an on-prem environment, could be like a contractor laptop, or an HVAC system. It now exercises some administrative control over a critical system, and it's never done that before. We bring that to your attention, maybe you want to take some automated action, and quarantine it right away, maybe you want to go through some sort of approval process and bring it to someone's attention. But either way, you want to know about it. >> I'm going to get your reaction to a comment I saw yesterday morning at a keynote on Teresa Carlson's breakfast, her public sector breakfast, Christine Halvorsen, FBI. Said, we're in a data crisis. And she talked about that they can't react to some of these bad events, and a lot of it's post event, That's the basic stuff they need now, and she said, I can't put the puzzle pieces together fast enough. So you're actually taking that from a network Ops standpoint, IT Ops. How do you get the puzzle pieces together fast? What's the secret? >> Well so, the first secret is that we're very focused on real time network data, and network telemetry. I often describe ExtraHop as like Splunk for the network. The idea requires completely different technology, but the idea's the same. Extract value and insight out of data you already have, but the advantage of the network for security, and what I love about it, is that, it's extremely real-time, it's as close to ground truth as you can get, It's very hard to hide from, and you can never turn it off. >> Yeah. >> So with all of those properties, network analytics, makes for, has just tremendous implications for cyber security. 
>> I mean honestly, you're visibly excited, I'm a data geek myself, but you made a good point I want to double down on, is that moving packets from A to B is movement. And movement is part of how you detect it, right, so? >> It is, so packets itself, that's data in motion, but if you're only looking at the packets you're barely scratching the surface. Companies have tried to build security analytics based on flow data for a long time. And flow data, flow records, it's like a phone bill. It tells you who's talking to whom and how long they spoke, but there's no notion of what was said in the conversation. In order to do really high quality security analytics, you need to go much deeper. So we understand resources, we understand users, we understand what's normal, and we're not using statistical baselines, we're actually building predictive models around how we expect endpoints and instances to behave. And then when they deviate from their model, that's when we say, "Hey, there's something strange going on." >> That's the key point for you guys. >> And that means you can help me prioritize... >> Absolutely. >> Because that's the biggest challenge these guys have. They oftentimes don't know where to go, they don't know how to weight the different... >> So that's one challenge, and I think another really big challenge, and we see this even with offerings that have been publicized recently, is that detection itself isn't good enough, that's just an alert cannon, and there was a session that actually talked about alarm deafness that occurs, it occurs in hospitals and other environments, where all you get is these common alarms, and people stopped paying attention to them. So, in addition to the ability to perform high quality detections, you need a very streamlined investigative workflow. You know, one click away so you can say, "Okay, what's going on here?" Is this something that requires additional investigation.
>> Well, I think you guys are on the right track, and I think what's different about the Cloud is that, you know, they call the show re:Invent, but rethinking existing stuff for Cloud scale is a different mindset, it's a holistic. Like, you're taking more of a holistic view saying, "I'm not going to focus on a quote packet path, or silo that I'm comfortable with, you kind of got to look at the bigger picture, and then have a data strategy, or a some competitive unique IP." >> I think that's an excellent summary. What I would add is that organizations, as they kind of follow their Cloud journey, we're seeing a lot of interest from security teams in particular that don't want to do swivel chair integration. Where I have something on-prem and I have something in the Cloud. They want something much more holistic, much more unified. >> Seamless, automated. >> Much more seamless, much more automated. (laughing) You know, I sat in about five different securities track sections, and every single one of them kind of ended with the, "So we automated it with a Lambda Function." (laughing) Clearly a lot of capability for automation in public Cloud. >> Jesse, great to have you on theCube, CTO, Co-founder of ExtraHop. What's next for you? What's goin' on? What's next? >> Well, we continue to make really big investments on security. I wish I could say that cyber security would be done at some point, but it will never be done. It's an arms race. Right now I think we're seeing some really great advancements on the defense side that will translate into big success. Always focusing on the data problem, as data goes from 10 gigabits to 100 gigabits. You know, Amazon just announced their C5 accelerated 100 gigabit network adapter. Always looking at how can we extract more value from that data at scale. >> Leverage to power, leverage to power. Well, we got to get you back on the program.
We're going to increase our cyber security coverage, we certainly will be at the security event, I didn't know it was announced publicly, June 26th and 27th, in Boston. Give or take a day on either side, could be 27th, 28th, 26th, 27th. This is a big move for Amazon, we'll be there. >> I think it is. >> Great job, live coverage here, from the floor, on the Expo floor at Amazon re:Invent in 2018, will be right back more Cube coverage, after this short break, two sets. We'll be right back. (soft electronic music)

Published Date : Nov 29 2018


Jesse Rothstein, ExtraHop | VMworld 2018


 

(pulsing music) >> Live from Las Vegas, it's theCUBE, covering VMworld 2018. Brought to you by VMware and its ecosystem partners. >> Good morning from day three of theCUBE's coverage of VMworld 2018 from the Mandalay Bay, Las Vegas. I'm Lisa Martin, and I'm joined by my co-host, Justin Warren. Good morning, Justin. >> Good morning, Lisa. >> We're excited to welcome for the first time to theCUBE Jesse Rothstein, co-founder and CTO of ExtraHop. Jesse, it's nice to meet you. >> Nice to meet you, Lisa. Thank you for having me. >> Absolutely, so ExtraHop, you guys are up in Seattle. You are one of Seattle's-- >> Sunny Seattle (Jesse chuckles). >> Sunny Seattle. So, one of the best companies up there to work for. Tell us about ExtraHop. What do you guys do in the software space? >> Great. Well, ExtraHop does network traffic analysis, and that can be applied to both performance, performance optimization, as well as cybersecurity. Now, I'm not unbiased, but what I would tell you is that ExtraHop extracts value from the wire data better than anybody else in the world, and that's our fundamental belief. We believe that if you can extract value from that wire data and insights and apply in real-time analytics and machine-learning, then this can be applied to a variety of use cases, as I said. >> That's quite interesting. Some of the use cases we were talking about off camera, some of the things around micro-segmentation, particularly for security, as you mentioned, is really important, and also in software-defined networking, the fact that you are software, and software-defined networking, we've had a few guests on theCUBE so far over the last couple of days, that's something which is really experiencing a lot of growth. We have VMware who's talking about their NSX software-defined networking. Maybe you could give us a bit of detail on how ExtraHop helps in those situations.
>> Well, I'm paying a lot of attention to VMware's vision and kind of the journey of NSX and software, really software-defined everything, as well as, and within NSX, you see a lot of applications towards security, kind of a zero-trust, least-privileged model, which I think is very exciting, and there's some great trends around that, but as we've also seen, it's difficult to execute. It's difficult to execute to build the policies such that they maybe don't break. From my perspective, a product like ExtraHop, as solution like ExtraHop, we work great with software-defined environments. First, because they have enabled the type of visibility that we offer in that you can tap traffic from a variety of locations for the purposes of analysis. If left to its own devices, I think these increased layers of abstraction and increased kind of policy frameworks have the potential to introduce complexity and to limit visibility, and this is where solutions like ExtraHop can provide a great deal of value. We apply to both your traditional on-prem environment as well as these hybrid and even public cloud environments. The ability to get visibility across a wide range of environments, really pervasively, in the hybrid enterprise is I think a big value that we offer. >> We are at VMworld and on day one, on Monday, Pat Gelsinger talked about the average enterprise has eight or nine clouds. I heard somebody the other day say that they had four and a half clouds. I didn't know you could have a half a cloud, but you can. Multi-cloud, a big theme here, that's more the vision and direction that VMware's going to go into, but to your point, customers are living in this world, it's not about embracing it, they're in it, but that also I think by default that can create silos that enterprises need to understand or to wrap their heads around. 
To your point, they have to have visibility, because the data is the power and the currency only if you can have visibility into it and actually extract insights and take action. >> Absolutely. ExtraHop customers are primarily large enterprises and carriers, and every single one of them is somewhere on their own cloud journey. You know, maybe they're just beginning it, maybe they're quite mature, maybe they're doing a lot of data center consolidation or some amount of workload migration to public cloud. No matter where they are in that journey, they require visibility into those environments, and I think it's extremely important that they have the same level of visibility that they're accustomed to in their on-prem environment, with their traditional workloads, as well as in these sort of born-in-the-cloud workloads. But, I want to stress visibility for its own sake isn't very useful. Organizations are drowning in data, you can drown in visibility. For us, the real trick is to extract insights and bring them to your attention, and that's where we've been investing in data science and machine-learning for about four and a half to five years. This is before it became trendy as it is today. >> Superpower, like Pat called it. >> There's so much ML watching, when you walk in the show floor, almost every vendor talks about their AI and machine-learning. A lot of it's exaggerated, but what I'll say for ExtraHop, of course, ours is real, and we've been investing in this for years. Our vision was that we had this unbelievable amount of data, and when you're looking at the wire data, you're not just drinking from the firehose, you're drinking from Niagara Falls. You have all of this data, and then with machine-learning, you need to perform feature extraction on the data, that's essentially what data science teams are very good at, and then, build the ML models.
Our vision was that we don't want to just give you a big pile of data or a bunch of charts and graphs, we actually want to bring things to your attention so that we can say, "Hey, Lisa, look over here, there's something unusual happening here", or in many cases there's a potential threat or there's suspicious behavior, an indicator of compromise. That's where that sort of machine-learning I believe is the, kind of the-- well, certainly the current horizon or the state of the art for cybersecurity, and it's extremely important. >> Jesse, can you give us an example of one of your enterprise customers and how they've used ExtraHop to manage that complexity that Lisa was talking about, that visibility that they need to get through all the different layers of abstraction, and maybe, if there's one, an example of how they've done some cybersecurity thing, particularly around that machine-learning of detecting an anomaly that they need to deal with? >> Sure, I can think of a lot. One customer of mine, that unfortunately, I can't actually name them, is a very large retail customer, and what I love about them is they actually have ExtraHop deployed at thousands of retail sites, as well as their data centers and distribution centers. Not only does ExtraHop give them visibility into the logistics operations, and they've used ExtraHop to detect performance degradation and things like that, that were preventing them from, literally preventing the trucks from rolling out. But they're also starting to use ExtraHop more and more to monitor what's going on at the retail sites, in particular, looking for potential compromises in the point-of-sale systems. 
We've another customer that's a large, telco carrier, and they used ExtraHop at one point to actually monitor phone activations, because this is something that can be frustrating if you buy a new phone, and maybe it's an iPhone, and you go to activate it, it has to communicate to all these different servers, it has to perform some sort of activation, and if that process is somehow slow or could take a long time, that's very frustrating to your users and your customers. They needed the ability to see what was happening, and certainly, if it was taking longer than it usually does. That's a very important use case. And then we have a number of customers on the cybersecurity side who are looking for both the ability to detect potential breaches and maybe ransomware infections, but also the ability to investigate them rapidly. This is extremely important, because in cybersecurity, you have a lot of products that are essentially alert cannons, a product that just says, "Hey, hey, look at this, look at this, look at this. I think we found something." That just creates noise. That just creates work for cybersecurity teams. The ability to actually surface high-quality anomalies and threats and streamline and even automate the workflows for investigation is super important. It's not just, "Hey, I think I found something", but let's take a click or two and investigate what it is so we can make a decision, does this require immediate action or not. Now, for certain sort of detections, we can actually take an automated response, but there are a variety of detections where you probably want to investigate a little more. >> Yeah. >> I also noticed the Purdue Pharma case study on your website, and looking at some of the bottom line impacts that your technology is making where they saved, reduced their data center footprint by 70% and increased app response times by 70%. We're talking about pharmaceutical data. 
You guys are also very big in the healthcare space, so we're talking about literally potentially life-saving situations that need to be acted on immediately. >> Certainly that can be true. Healthcare, there can be life-and-death situations, and timely access to medical records, to medical data, whether it's a workstation inside an exam room or an iPad or something like that can be absolutely critical. You often see a lot of desktop and application virtualization in the healthcare environment, primarily due to the protection of PHI, personal health information, and HIPAA constraints, so very common deployments in those environments. If the logins are slow or if there's an inability to access these records, it can be devastating. We have a large number of customers who are essentially care providers, hospital chains, and such that use ExtraHop to ensure that they have timely access to these records. That's more on the performance side. We also have healthcare customers that have used our ability to detect ransomware infections. Ransomware is just a bit of a plague within healthcare. Unfortunately, that industry vertical's been hit quite hard with those infections. The ability to detect a ransomware infection and perform some sort of immediate quarantining is extremely important. This is where I think micro-segmentation comes into play, because as these environments are more and more virtualized, natural micro-segmentation can help limit damage to ransomware, but, more often than not, these systems and workstations do have access to something like a network drive or a share. What I like about micro-segmentation is the flexibility to configure the policies, so when a ransomware infection is detected, we have the ability to quarantine it and shut it down. Keep in mind that there's defense in depth, it's kind of a security strategy that we've been employing for decades. 
You know, literally multiple layers of protection, so there are always protections at your gateway, and your firewall, at the perimeter, your NGFW, and there are protections at the endpoint, but if these were 100% effective, we wouldn't have ransomware infections. Unfortunately, they're not, and we always require that last, and maybe a last line of defense where we examine what's going on in the east-west corridor, and we look for those potential threats and that sort of suspicious activity or even known behaviors that are known to be bad. >> Well, Jesse, thanks so much for stopping by theCUBE and sharing with us what ExtraHop is doing, and what differentiates you in the market. We appreciate your time. >> My pleasure, Lisa, Justin. Thank you so much for having me. >> And we want to thank you for watching theCUBE. I'm Lisa Martin with Justin Warren. Stick around, we'll be back. Day three of the VMworld 2018 coverage in just a moment. (pulsing music)

Published Date : Aug 29 2018


SENTIMENT ANALYSIS :

ENTITIES

Entity | Category | Confidence
Justin Warren | PERSON | 0.99+
Jesse Rothstein | PERSON | 0.99+
eight | QUANTITY | 0.99+
Jesse | PERSON | 0.99+
Lisa Martin | PERSON | 0.99+
Pat Gelsinger | PERSON | 0.99+
Lisa | PERSON | 0.99+
100% | QUANTITY | 0.99+
Seattle | LOCATION | 0.99+
Justin | PERSON | 0.99+
Jessie | PERSON | 0.99+
70% | QUANTITY | 0.99+
Monday | DATE | 0.99+
Niagara Falls | LOCATION | 0.99+
iPad | COMMERCIAL_ITEM | 0.99+
Las Vegas | LOCATION | 0.99+
two | QUANTITY | 0.99+
iPhone | COMMERCIAL_ITEM | 0.99+
First | QUANTITY | 0.99+
VMware | ORGANIZATION | 0.99+
ExtraHop | ORGANIZATION | 0.99+
Pat | PERSON | 0.99+
One customer | QUANTITY | 0.99+
Mandalay Bay, Las Vegas | LOCATION | 0.99+
first time | QUANTITY | 0.98+
both | QUANTITY | 0.98+
four and a half clouds | QUANTITY | 0.98+
VMworld | ORGANIZATION | 0.98+
about four and a half | QUANTITY | 0.98+
VMworld 2018 | EVENT | 0.97+
theCUBE | ORGANIZATION | 0.97+
Day three | QUANTITY | 0.96+
today | DATE | 0.96+
nine clouds | QUANTITY | 0.96+
decades | QUANTITY | 0.96+
one point | QUANTITY | 0.95+
five years | QUANTITY | 0.94+
one | QUANTITY | 0.94+
a half a cloud | QUANTITY | 0.93+
day one | QUANTITY | 0.91+
ExtraHop | TITLE | 0.89+
single | QUANTITY | 0.88+
NSX | ORGANIZATION | 0.87+
day three | QUANTITY | 0.87+
Purdue Pharma | ORGANIZATION | 0.86+
thousands of retail sites | QUANTITY | 0.83+
zero | QUANTITY | 0.74+
Sunny | PERSON | 0.62+
HIPPA | TITLE | 0.57+
days | DATE | 0.53+
a click | QUANTITY | 0.53+
last | DATE | 0.51+