
Mike Banic, Vectra | AWS re:Inforce 2019


 

>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.

>> Okay, welcome back, everyone. theCUBE's live coverage here in Boston, Massachusetts, of AWS re:Inforce. That's Amazon Web Services' first inaugural conference around cloud security. I'm John Kerry with David Lantz. One of the top stories here, the announcement being announced here at re:Inforce, is the VPC traffic mirroring, and we wanted to bring in alumni and friend Mike Banic, who's the VP of marketing at Vectra, who specializes in networking. Welcome to theCUBE. We go way back. HP networking, got a hot startup here, so wanted to really bring you in to help unpack this VPC traffic mirroring product. It's probably the meatiest announcement of everything on stage. The other stuff was general availability of Security Hub, which is a great, great product, absolutely. And GuardDuty. Well, all this other stuff have it. But the VPC traffic mirroring is a killer feature for a lot of reasons, absolutely. But it brings some challenges and some opportunities that might be downstream. I want to get your thoughts. What is your take on the VPC traffic mirroring?

>> At the highest level, it brings a lot of value because it allows you to get visibility into something that's really opaque, which is the traffic within the cloud. And in the past, the way people were solving this was they had to put an agent on the workload, and nobody wants that. One, it's hard to manage. You don't want dozens to hundreds or thousands of agents. And also, it's going to slow things down. And third, it could be subverted. You get the advanced attacker in there. He knows how to get below that level and operate in a way where he can hide his communication, and his behavior isn't seen. With traffic mirroring, we're getting a copy of the packet from below.
The hypervisor cannot be subverted, and so we're seeing everything, and we're also not slowing down the traffic in the virtual private cloud. So it allows us to extract just the right data for a security application, which is, in our case, metadata, and enrich it with information that's necessary for detecting threats and also for performing an investigation.

>> Yeah, it was definitely the announcement that everybody has been talking about, has the buzz. So from a partner perspective, how do you guys tie into that? What do you do? What's the value that you bring to the customer?

>> So the value that we're bringing really stems from what you can do with our platform. There's two things everybody is looking to do with it at the highest level, which is detect threats and respond to threats. On the detection side, we could take the metadata that we've extracted and we've enriched. We're running it through machine learning algorithms, and from there we not only get a detection, but we can correlate it to the workloads we're seeing it on. And so we could present much more of an incident report rather than just a security alert saying, "Hey, something bad happened over there." It's not just something bad happened, but these four bad things happened, and they happened in this time sequence over this period of time, and it involved these other workloads. We can give you a sense of what the attack campaign looks like. So you get a sense of, like with cancer, such as you have bad cells in your liver, but they've metastasized to these other places. We also will keep that metadata in something we call Cognito Recall, which is in AWS. And it has pre-built analytics and saved searches, so that once you get that early warning signal from Cognito Detect, you know exactly where to start looking. You can peel back all the unrelated metadata, and you can look specifically at what's happened during the time of that incident.
In order to perform your threat investigation and respond rapidly to that threat.

>> So you guys do have a lot of machine intelligence. OK, AI chops. How close are we to being able to use that AI to really identify, detect, but begin to automate responses? Are we there yet? Is it something that people want, don't want?

>> We're getting close to being there, to answer your first question, and people aren't sure that they want it yet. And here's some of the rationale behind it. You know, we generally say that AI is pretty smart, but security operations people are still the brains of the operation. There's so much human intelligence, so much contextual knowledge that a security operations person can apply to the threats that we detect. They can look at something and say, "Oh, yeah, I see the user account. The service is being turned on from, you know, this particular workload. I know exactly what's happening with that." They add so much value. So we look at what we're doing as augmenting the security operations team. We're reducing their workload by taking all the mundane work and automating that and putting the right details at their fingertips so they could take action. Now, there's some things that are highly repeatable that they do like to use playbooks for. So we partner with companies like Phantom, which got bought by Splunk, and Demisto, which Palo Alto Networks acquired. They've built some really good playbooks for some of those well-defined situations. And there were a couple of presentations on the floor that talked about those use cases.

>> Phantom was pretty good. Solid product, was built into Security Hub. Security Hub's a nice product, but I'll get back to the VPC traffic mirroring. It makes so much sense. It's about time. Yes, finally they got it done. Doesn't make any sense it wasn't done before. But I gotta ask, first, with the analytics, you said on theCUBE
before, network doesn't lie.

>> The network does not lie.

>> The network doesn't lie. The subversion piece is a key piece. It's better to be at the lowest level possible. That's a great spot for the data. So totally agree. Where do you guys create value? Because now that everyone's got available VPC traffic mirroring, how do you guys take advantage of that? What's next for you guys? Where's the differentiation come from? Where's the value go next?

>> Yeah, there's really three things that I tend to focus on. One is we enrich the metadata that we're extracting with a lot of important data that really accelerates the threat investigation. So things like directionality, things like building a notion of what's the identity of the workload or, when you're running us on-prem, the device, because IP addresses change. There's dynamic things in there, so having a sense of consistency over a period of time is extremely valuable for performing a threat investigation. So that information gets put into Recall for the metadata store. If people have a data lake that they want to have it sent to, whether it's Elastic or Splunk, Kafka, then that is included in what we send to them, and it's in Zeek format, so they can use other Zeek tooling, so they're not wasting any money there. And the second piece is around the way that we build analytics. There's always a pairing of somebody from security research with the data scientist. The security researcher explains the tools, the tactics, the techniques of the attacker. So that way, the data scientist isn't being completely random about what features they want to find in the network traffic. They're being really specific to what features are gonna actually pair to that tool, tactic and technique. So that way, the efficacy of the algorithm is better. We've been doing this for five plus years, and history speaks for something, because some of the learning we've had is, all right.
In the beginning, there were maybe a couple different supervised techniques to apply. Well, now we're applying those supervised techniques with some deep learning techniques. So that way, the performance of the algorithm is actually 90% more effective than it was five years ago.

>> Appreciating with software. Get the data, extract the data, which is the metadata, yes, you're doing anyway. Now it's more efficient, correct? Low speed. No problems with performance and the agents you mentioned earlier. Now it's better data. Impact to the customers: what's the revelation here? At the end of the day, your customer and Amazon's customers through you, what do they get out of it? What's the benefit to them?

>> So it's all about reducing the time to detect and the time to respond. We had one of our Fortune 250 customers present last week at the Gartner Security Summit. Still on stage. A gentleman from Parker Hannifin talked about how they had an incident, that they got an urgent alert from Cognito. It told him about an attack campaign. He was immediately alerted to the 45 different machines that were sending data to the cloud. He automatically knew about what were the patterns of data, the volume of data. They immediately knew exactly what the services were that were being used within the cloud. They were able to respond to this and get it all under control in less than 24 hours, but it's because they had the right data at their fingertips to make rapid decisions before there was any risk. You know, what they ended up finding was it was actually a new application, but somebody had actually not followed the procedures of the organization that keeps them compliant with so many of their end users. In the end, it saved tremendous time and money, and if that was a real breach, it would have actually prevented them from losing proprietary information.

>> Well, historically, it would take 250 days to even find out that there was a breach, right?
And then by then, who knows what's been exfiltrated?

>> Yeah, we had a couple. We had a couple of firms that run red team exercises for a living come by, and I said to them, "Do you know who we are?" And they said, "Of course we know who you are. There's one tool out there that finds us. It's Vectra." That's

>> That's kind of historical on-prem. So what do you do for on-prem? This is all running in AWS. Is it cloud only?

>> It's actually both. So we know that there's a lot of companies that come here that have never owned a server, and everything's been in AWS from day one, and for IT. Exactly. And for them, we can run everything. We have the sensor attached to the VPC traffic mirroring in AWS. We could have the brain of the Cognito platform in AWS, you know. So for them, they don't need anything on-prem. There's a lot of people that are in the lift-and-shift mode. It can be on-prem and in AWS, so they can choose where they want the brain. And they could have sensors in both places. And we have people that are coming to this event that are hybrid cloud. They've got IT infrastructure in Azure, but they have production in AWS and they have stuff that's on-prem. And we could meet that need too, because we work with the vTAP from Azure, and so we're not religious about that. It's all about giving the right data, right place, reducing the time to detect and respond.

>> Mike, thanks for coming and sharing the insights on the VPC, your perspective on the VPC traffic mirroring. Appreciated. Give a quick plug for the company. What are you guys working on? What's the key focus? You're hiring. Just got some big funding news. Take a minute to get the plug in for Vectra.

>> Yeah, so we've gone through several years of consecutive more than doubling in annual recurring revenue. I've been really fortunate to be earning a lot of customer business from the largest enterprises in the world.
Recently had funding, $100,000,000, led by TCV out of Menlo Park. Total capitalization is over 222 right now, on the path to continue that doubling. But, you know, we've been really focusing on already being where the puck is going to by working with Amazon in advance on the traffic mirroring. And, you know, we know that today people are using containers in the VM environment. We know that where they want to go is more serverless and, you know, leveraging containers more. You know, we're already going in that direction. So

>> Great to see. Congratulations. We've known each other for many, many years. It's our 10th anniversary of theCUBE. You were on year one. Great to know you. And congratulations on the success of Vectra, and great announcement. Amazon gives you a tailwind.

>> Thanks a lot. It's great to see your growth as well. Congratulations.

>> Thanks, Mike. Mike Banic unpacking the relevance of the VPC traffic mirroring feature. This is the kind of conversation we're having here. Deep conversation around stuff that matters around security and cloud security. Of course, theCUBE's bringing you coverage from the inaugural event, re:Inforce, from AWS. We'll be right back after this short break.

Published Date : Jun 26 2019
