>> live from Boston, Massachusetts. It's the Cube covering A W s reinforce 2019 brought to you by Amazon Web service is and its ecosystem partners. >> Okay, welcome back. Everyone keeps live coverage here in Boston. Messages of AWS reinforce That's Amazon. Webster's his first inaugural commerce around cloud security on John Kerry with David Lantz. One of the top stories here, the announced being announced here reinforced is the VPC traffic nearing and we wanted to bring in alumni and friend Mike Banner was the VP of marketing at a Vectra who specializes in networking. Welcome to the Q. We go way back. HP networking got a hot start up here so wanted to really bring you in to help unpack this VPC traffic mirroring product is probably medias announcement of everything on stage. That other stuff was general availability of security have which is great great product, Absolutely. And guard guard duty. Well, all this other stuff have it. But the VPC traffic nearing is a killer feature for a lot of reasons, absolutely. But it brings some challenges and some opportunities that might be downstream. I don't get the thoughts on what is your take on the BBC traffic nearing >> a tte. The highest level brings a lot of value because it allows you get visibility and something that's really opaque, which is the traffic within the cloud. And in the past, the way people were solving this was they had to put an agent on the workload, and nobody wants that one. It's hard to manage. You don't want dozens to hundreds or thousands of agents, and also it's going to slow things down. On third, it could be subverted. You get the advanced attacker in there. He knows how to get below that level and operated on in a way where he can hide his communication and and his behavior isn't seen. With traffic nearing that, we're getting a copy of the packet from below. The hyper visor cannot be subverted, and so we're seeing everything, and we're also not slowing down the traffic in the virtual private cloud. So it allows us to extract just the right data for a security application, which is our case, metadata and enrich it with information that's necessary for detecting threats and also of performing an investigation. >> Yeah, it was definitely the announcement that everybody has been talking about has the buzz. So from a from a partner perspective, how do you guys tie into that? What do you do? Was the value that you bring to the customer, >> So the value that we're bringing really stems from what you can do with our platform. There's two things everybody is looking to do with him at the highest level, which is detect threats and respond to threats. On the detection side, we could take the metadata that we've extracted and we've enriched. We're running through machine learning algorithms, and from there we not only get a detection, but we can correlated to the workers we're seeing it on. And so we could present much more of an incident report rather than just a security alert, saying, Hey, something bad happened over there. It's not just something bad happened, but these four bad things happen and they happen in this time sequence over this period of time, and it involved these other work looks. We can give you a sense of what the attack campaign looks like. So you get a sense of like with cancer, such as you have bad cells in your liver, but they've metastasized to these other places. Way also will keep that metadata in something we call cognito recall, which is in AWS. And it has pre built analytics and save searches so that once you get that early warning signal from cognito detect, you know exactly where to start looking for. You can peel back all the unrelated metadata, and you can look specifically at what's happened during the time of that incident. In order, perform your threat investigation and respond rapidly to that threat. >> So you guys do have a lot of machine intelligence. OK, ay, ay chops. How close are we to be able to use that guy to really identify? Detect, but begin to automate responses? We there yet eyes. It's something that people want don't want. >> We're getting close to being there. It's answer your first question, and people are sure that they want it yet. And here's some of the rationale behind it. You know, like we generally say that Aria is pretty smart, but security operations people are still the brains of the operation. There's so much human intelligence, so much contextual knowledge that a security operations person can apply to the threats that we detect. They can look at something and say, Oh, yeah, I see the user account. The service is being turned on from, you know, this particular workload. I know exactly what's happening with that. They add so much value. So we look at what we're doing is augmenting the security operations team. We're reducing their workload by taking all the mundane work and automating that and putting the right details at their fingertips so they could take action. Now there's some things that are highly repeatable that they do like to use playbooks for So we partner with companies like Phantom, which got bought by spunk, and to Mr which Palazzo Networks acquired. They've built some really good playbooks for some of those well defying situations. And there was a couple presentations on the floor that talked about those use >> cases. Fan of fan was pretty good. Solid product was built in the security hub. Suit helps nice product, but I'll get back to the VPC traffic, not smearing. It makes so much sense. It's about time. Yes, Finally they got it done. This make any sense? It wasn't done before, but I gotta ask first with the analytics, you and you said on the Q. Before network doesn't lie, >> the network is no line >> they were doesn't lie with subversion pieces of key piece. It's better be the lowest level possible. That's a great spot for the data. So totally agree. Where do you guys create Valley? Because now that everyone's got available BBC traffic mirroring How do you guys take advantage of that? What's next for you guys is that Where's the differentiation come from? Where's the value go next? >> Yeah, there's really three things that I tend to focus on. One is we enrich the metadata that we're extracting with a lot of important data that makes it. It really accelerates the threat investigation. So things like directionality, things like building a notion of what's the identity of the workload or when you're running us on prem. The device, because I P addresses changed. There's dynamic things in there, so having a sense of of consistency over a period of time is extremely valuable for performing a threat investigation so that information gets put in tow. Recall for the metadata store. If people have a data leak that they wanna have ascended to, whether it's elastic or spawn, Kafka then that is included in what we send to them and Zeke formatting use. Others eat tooling so they're not wasting any money there. And in the second piece is around the way that we build analytics. There's always, ah, a pairing of somebody from security research with the data scientist. This is the security researcher explains the tools, the tactics, the techniques of the attacker. So that way, the data scientist isn't being completely random about what features do they want to find in the network traffic. They're being really specific to what features are gonna actually pair to that tool, tactic and technique. So that way, the efficacy of the algorithm is better. We've been doing this for five plus years, and history speaks for something because some of the learning we've had is all right. In the beginning, there were maybe a couple different supervised techniques to apply. Well, now we're applying those supervised techniques with some deep learning techniques. So that way, the performance of the algorithm is actually 90% more effective than it was five years ago. >> Appreciating with software. Get the data extract the data, which the metadata, Yes, you're doing. Anyway. Now, It's more efficient, correct, low speed, No, no problems with informants in the agents you mentioned earlier. Now it's better data impact the customers. What's the What's the revelation here For the end of the day, your customer and Amazons customers through you? What do they get out of it? What's the benefit to them? >> So it's all about reducing the time to detect in the time to respond. Way had one of our fortune to 50 customers present last week at the Gardener Security Summit. Still on stage. Gentlemen from Parker Hannifin talked about how they had an incident that they got an urgent alert from from Cognito. It told him about an attack campaign. He was immediately alerted the 45 different machines that were sending data to the cloud. He automatically knew about what were the patterns of data, the volume of data. They immediately know exactly what the service is that were being used with in the cloud. They were able to respond to this and get it all under control. Listen 24 hours, but it's because they had the right data at their fingertips to make rapid decisions before there was any risk. You know what they ended up finding was it was actually a new application, but somebody had actually not followed the procedures of the organization that keeps them compliant with so many of their end users. In the end, it's saved tremendous time and money, and if that was a real breach, it would have actually prevented them from losing proprietary information. >> Well, historically, it would take 250 days to even find out that there was a breach, right? And then by then who knows what What's been exfiltrate ID? >> Yeah, we had a couple. We had a couple of firms that run Red team exercises for a living come by and they said, I said to them, Do you know who we are? And they said, Of course we know where you are. There's one tool out there, then finds us. It's victory. That's >> a That's a kind of historical on Prem. So what do you do for on Pramuk? This is all running any ws. Is it cloud only? >> It's actually both, so we know that there's a lot of companies that come here that have never owned a server, and everything's been in AWS from day one and for I t. Exactly. And for them waken run everything. We have the sensor attached to the VPC traffic nearing in AWS. We could have the brain of the cognitive platform in eight of us, you know. So for them they don't need anything on prime. There's a lot of people that are in the lift and shift mode. It can be on Prem and in eight of us, eh? So they can choose where they want the brain. And they could have sensors in both places. And we have people that are coming to this event that their hybrid cloud, they've got I t infrastructure in Azure. But they have production in eight of us and they have stuff that's on Prem. And we could meet that need to because we work with the V Top from Azure and so that we're not religious about that. It's all about giving the right data right place, reducing the time to detective respond, >> Mike, Thanks for coming and sharing the insights on the VP. Your perspective on the vpc traffic mirror appreciated. Give a quick plug for the company. What you guys working on? What's the key focus? You hiring. Just got some big funding news. Take a minute to get the plug in for electric. >> Yeah, So we've gone through several years of consecutive more than doubling in. Not in a recurring revenue. I've been really fortunate to have to be earning a lot of customer business from the largest enterprises in the world. Recently had funding $100,000,000 led by T C V out of Menlo Park. Total capitalization is over to 22 right now on the path to continue that doubling. But, you know, we've been really focusing on moving where the you know already being where the puck is going to by working with Amazon. Advance on the traffic nearing. And, you know, we know that today people are using containers in the V M environment. We know that you know where they want to go. Is more serverless on, you know, leveraging containers more. You know, we're already going in that direction. So >> great to see congratulates we've known each other for many, many years is our 10th anniversary of the Q. You were on year one. Great to know you. And congratulations. Successive victor and great announcement. Amazon gives you a tailwind. >> Thanks a lot. It's great to see your growth as well. Congratulations. >> Thanks, Mike. Mike Banning unpacking the relevance of the VPC traffic mirroring feature. >> This is kind >> of conversation we're having here. Deep conversation around stuff that matters around security and cloud security. Of course, the cubes bring any coverage from the inaugural event it reinforced for me. Ws will be right back after this short break.

(bright upbeat music) >> Hello, everyone, welcome to this special CUBE Conversation. I'm John Furrier here in the Palo Alto studio, a Cube Conversation with Mike Banic, who's the VP of Marketing at Vectra Networks. Big news coming for you guys, you just had a good year, we love security and I want to drive a good conversation with you because you're in the front lines, you're seeing all the trends. You guys have been doing very well with AI for cyber, you're also impacting IT operations because security is certainly forcing modernization in the IT world, using data, just really interesting stuff. But hacking is the number one threat problem. What's the security trends, Mike, what are you seeing and what's happening? There's a ton of stuff happening, we're seeing ransomware, a bunch of stuff going on across the board, spearfishing to you name it. It's at a rampant pace; no perimeter anymore, a whole new ballgame. You know networking, you know the perimeter, now you're in the cloud, what are the trends? >> I think one of the things that a lot of people aren't paying enough attention to is the fact that all the systems they have in place are looking for exploits. They're looking for the use of malware, and there's a lot of attacks that actually don't use malware. There may be malware that's used for a specific exploit in the beginning to start it, but the smart attacker now, they sit and they lay low. They watch how your enterprise operates. They look at the tools that you use, and they steal credentials, and then they start to use those tools against the business to steal information or to do damage. And that's something you won't catch if you're using tools that are specifically looking for malware. And that's where using AI to look for explicit attacker behaviors becomes so useful. The other thing is that attackers are on the inside for much longer than people think. We look at M-Trends data from last year that says that the average amount of time that an attacker has gone unmitigated before it's discovered is 99 days. It's actually much longer than that. Those are just the attacks that are reported and those are just the attacks that we have data on. We've seen it actually run much longer than that. And we also know that an attacker can get admin credentials in three days or less. As soon as they get those, they have the keys to the kingdom. >> Yeah, and you mention hacker groups involved. It's lucrative, it's a whole business, we've seen that. >> Mike: It's a supply chain. >> It's a really big racket. Now, networking is interesting because footprints can be left on the network. So you've got encryption, oh, it's encrypted, but you can still get around the encryption. Talk about how you guys do it. How do you guys see the patterns? With encryption out there, you guys have the network footprints, what's the secret sauce, what's the formula? >> So what we're doing to detect this is we're looking at network metadata. We're not performing deep packet inspection. Deep packet inspection is the approach that a firewall uses or traditional intrusion detection and prevention platforms use. So what we're doing, we're collecting metadata, we're collecting log information, we're collecting cloud events, and we're using all that in our mix of analytics. What we're looking for are the behavioral patterns. So, I'll give you a really tangible example. Let's say you're the attacker, John, and you've got control of my computer, and you've got fingers on the keyboard. So you're using a RAT, a Remote Access Trojan. The way that I'm going to use advanced analytics or AI to detect that is I'm going to look at, first, the fact that my machine's opened a connection to an external IP address. That's your machine. I'm going to look for random silences, those are the pauses in the conversation. If I'm just web browsing, then my machine's going to interrupt all those random pauses 'cause I'm moving from page to page, site to site. If your IP address is always interrupting them, then you're in control of the conversation. Anybody in IT should care when an internal host is being controlled by an external host. I didn't have to read any of the web browsing traffic, any of the email traffic, the app traffic, in order to do that. I did that principally by analyzing network metadata. >> So this is unspoofable, either, because the network doesn't lie. >> That's correct. >> Because the packets have to move around. >> That's correct. The attacker has to perform certain things. There's no way for them to erase them. And there's a group of companies that tried to apply analytics to logs, and here's the problem they have. If the smart attacker knows that logs are sent in batches, it's like when somebody breaks into your house. They know they have about 45 seconds to get the alarm code right. They know that they have a certain amount of time before the batch of logs is sent up. So if they have admin access, they'll erase the footprint of what they've done on your machine, and there's no logs. If there's no body, there's no murder. >> Yeah, I've done a few ventures in my day that have been first movers and usually the first movers take the arrows in the back. One of my relatives says, if this is such a great idea, why hasn't someone else done it? So, the question for you guys is it's so obvious that now that you explain it that way that it's a great way to do it. Why hasn't someone else done it? Is it the timing, is it the founding team, is it the approach? I mean a lot of people are in network; you've got Cisco, you've got a zillion networking people. Why hasn't anyone else done this? >> There's a couple of things that come to mind right away. The first is that people who are in this business already, that want to take advantage of AI, it's really difficult to add it to an existing platform. You really have to start from scratch. And then the second is what you said about the approach. The approach that we've taken is very different than others. So there are people in this business that claim they're doing AI and they fall into one end of the spectrum or the other. They either have this big group of security researchers and they've hired a couple of data science guys and they're trying to solve this problem. Or they have a big data science team and they've got a couple of security researchers. We've taken an approach that's in the middle. Whenever we develop an algorithm, we take a security researcher who has a really strong experience or background in the attacker behavior we're trying to detect. And we pair them with somebody in data science who has expertise in the techniques that are going to be best used to detect that. We pair them up; the data scientist looks at the features that they can find in the network. The features I mentioned before, internal IP to external random silences, they determine what those are, they build the algorithm, and then they run it. Then we put it into precursor mode, just like Hitesh's Tesla has precursor stuff running as he's driving up and down the freeway, we do the same thing with our customers. And then once we see that the efficacy is really high, we release that into production. >> So it's a combination of timing and the management team's unique problem space that they addressed, and combined with people and data and software. >> Yes. >> You're kind of blending them all together, so it's a new approach. >> It is very much a new approach, and one following the approach that people have taken before. They go in one of those other two directions. >> I mean if you're a hammer, everything looks like a nail. So Cisco sees everything they do their way, maybe an application developer might take a different approach. So, I buy that, so timing's good. What makes you guys different, what makes you guys think you could be successful? Because, you know, I hear this all the time. Amazon's out there, Amazon could just copy it, you always hear those arguments. How do you guys answer that question; manageability, what's the protection? >> I think first we've taken an approach that gives us a unique capability that is succeeding against others who are really explicitly trying to solve the cyber security problem. I think the other is that we've been very open-minded about not taking just one approach in a field like data science. We don't just use supervised machine learning, unsupervised. We don't just use neural networks. We use whatever tool is best to solve the problem. The other is, we're not religious about where the product gets deployed. We look at protecting cloud workloads, enterprise private cloud workloads. We look at traditional data centers, users, IoT devices, so we're looking at the threat landscape in a very holistic way. Many of the others out there have a very specific focus as they start, and I think our breadth and our approach is serving us well. >> The whole value proposition in business models tends to change in these new value utilities, if you will, like the clouds create. I mean Amazon's successful because they never look in the rear view mirror, they just continue to push forward. Sounds like you guys have that same approach, just keep moving the needle with more people, more data, more software. >> Yeah, relentless, it's day one. It's always day one, just like Jeff says. >> Alright so you guys are doing good, where do you guys do well, and specifically talk about this malware that was hacking computers and doing money on Bitcoin. Big story that's been in the news lately, a couple of weeks ago, but still it's important. Malware being used for not only hacking your cash, using your machine to generate Bitcoin. >> That's correct. So we have a set of algorithms that look for things we call botnet monetization behaviors. And Bitcoin mining is one of them. So, if somebody is mining Bitcoin on your computer they're not really stealing from you, they're just stealing compute cycles to mine Bitcoin. Finding this stuff is actually really important because the attack landscape can quickly pivot on you. I mentioned before that cyber attackers, it's a supply chain. If your machine is latched to a botnet and it's performing Bitcoin mining and the price of Bitcoin falls, the person who owns that botnet might say, screw Bitcoin mining, I'm going to sell all my bot machines to whoever the highest bidder is. Somebody finds out you work for a really interesting company and they want to steal data from you, they're going to buy that IP address, they're going to buy your machine, and they're going to start to launch a direct attack. We've actually seen that scenario in enterprises, and been able to alert the team in real time so they can stop it. And it's the AI that's doing this, it's a not a human that has to take an action. And that's the thing that's really cool in terms of helping us win. We see a lot of customers run red team exercises in parallel with an evaluation, and that red team is designed to explicitly challenge the blue team. It's not a pen test. A pen test is all about trying to see whether the hacker can break in. A red team, they actually give the attackers access to a computer on the inside and then they say, "You've got to steal this trophy." They give them a flag to steal. >> Capture the flag. >> Capture the flag! And the goal of the blue team is to defend it. What we've seen over and over again in these evals is that AI is able to detect those behaviors of the red team in real time fast enough for them to stop them, so the data isn't stolen. It becomes evidence that if we had this tool every day then we're a lot better off than we were before. >> So you guys aren't just looking for known patterns and mapping policy to some script. You guys are losing data in real time, inferring network behavior to look for anomalies. >> Exactly. I'll give you a great example. Last year when there was ransomware, the NotPetya attack. The thing that was interesting about that is it spread like a worm. We hadn't seen a worm since Confecker and that was 10 years ago. The interesting thing is we built an algorithm to detect worm-like behavior based on what we had seen 10 years ago with Confecker. It detected the spread of NotPetya. It's because we're looking for behavior and not the... >> The payload. >> The malware, not the payload, we're able to find it, even if it's a brand new attack vector like NotPetya. And that's the cool thing, 'cause the old style was, let me look for the precise definition of the malware or the exploit or the reputation list. >> And I personally believe we've reported on theCUBE that the cloud computing and distributed computing and even decentralized computing, for that matter, encourages more packet movement. More packet movement gives you more data. >> That's correct. >> So it's a great approach. Congratulations, Mike, on your success. Looking forward to seeing what you guys do this year. Keep in touch. Security, obviously, is top of mind. We care about that at theCUBE. Cyber warfare is number one problem in America. It's the number one problem for enterprises, government, and users. Spearfishing, malware, you name it, it's out there, we've all been hacked and we probably don't even know it. It's theCUBE hackin' the data here inside the studio, I'm John Furrier and thanks for watching. (bright music)