Thomas Bienkowski, Netscout | Netscout Advanced NPR Panel 7 22
>>EDR, NDR: what are the differences? Which one's better? Are they better together? Today's security stack contains a lot of different tools and types of data and, unfortunately, as you know, this creates data silos, which leads to visibility gaps. EDR is endpoint detection and response. It's designed to monitor and mitigate endpoint attacks, which are typically focused on computers and servers. NDR, network detection and response, on the other hand, monitors network traffic to gain visibility into potential or active cyber threats, delivering real-time visibility across the broader network. One of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily. Network data, on the other hand, much harder to manipulate. Because attackers and malware can avoid detection at the endpoint, NDR, as you're gonna hear, is the only real source for reliable, accurate, and comprehensive data.
>>All endpoints use the network to communicate, which makes your network data the ultimate source of truth. My name is Lisa Martin, and today on the special CUBE presentation, Tom Bienkowski, senior director of product marketing at Netscout, and I are gonna explore the trends and the vital reasons why relying upon EDR is not quite enough. We're also gonna share with you the growing importance of advanced NDR. Welcome to the series, the growing importance of advanced NDR. In the first segment, Tom's gonna talk with me about the trends that are driving enterprise security teams to implement multiple cyber security solutions that enable greater visibility, greater protection. We're also gonna explore Gartner's concept of the security operations center, SOC, visibility triad, and the three main data sources for visibility: SIEM, EDR and NDR. In segment two, Tom.
And I will talk about the role of NDR and how it overcomes the challenges of EDR. As Tom's gonna discuss, as you'll hear, EDR is absolutely needed, but as he will explain, it can't be solely relied upon for comprehensive cybersecurity. And then finally, we'll come back for a third and final segment to discuss why not all NDR is created equal. Tom's gonna unpack the features and the capabilities that are most important when choosing an NDR solution. Let's do this. Here comes our first segment.
>>Hey, everyone, kicking things off. This is segment one. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome to the growing importance of advanced NDR. Tom, great to have you on the program.
>>Glad to be here.
>>So we're gonna be talking about the trends that are driving enterprise security teams to implement multiple cyber security solutions that really enable greater visibility and protection. And there are a number of factors that continue to expand the attack surface for enterprise networks. I always like to think of them as kind of the spreading amorphously. You shared, had shared some stats with me previously, Tom, some cloud adoption stats for 2022: 94% of all enterprises today use a cloud service and more than 60% of all corporate data is stored in the cloud. So, Tom, what are some of the key trends that Netscout is seeing in the market with respect to this?
>>Yeah, so just to continue that, you know, those stats, that, that migration of workloads to the cloud is a major trend that we're seeing, and that was exasperated by the pandemic, right, along with working from home. Those two things are probably the most dramatic changes that we, we see out there today. But along with that is also this growing sophistication of the network. You know, today, you know, your network environment isn't a simple hub and spoke or something like that.
It is a very sophisticated combination of, you know, high-speed backbones, potentially up to a hundred gigabits, combination with partner networks. You have, like we said, workloads up in, in private clouds, public clouds. So you have this hybrid cloud environment. So, and then you have applications that are multi-tiered, there are pieces and parts. And in all of that, some on your premise, some up in a private cloud, some on a public cloud, some actually pulling data off when you a customer network or potentially even a, a partner network. So really, really sophisticated environment today. And that's requiring this need for very comprehensive network visibility, not only for, for cybersecurity purposes, but also just to make sure that those applications and networks are performing as you have designed them.
>>So when it comes to gaining visibility into cyber threats, I, you talked about the, the sophistication and it sounds like even the complexity of these networks. Gartner introduced the concept of the security operations visibility triad, or the SOC visibility triad. Break that down for us. It consists of three main data sources, but to break those three main data sources down for us.
>>Sure. So Gartner came out a few years ago where they were trying to, you know, summarize where do security operations teams get visibility into threats, and they put together a triad, and the three sides of the triad consist of: one, the SIEM, security information event manager; two, the endpoint, or, or data that you get from EDR systems, endpoint detection response systems. And the third side is the network, or the data you get from network detection response systems. And, you know, they didn't necessarily say one is better than the other. They basically said that you need all three in order to have comprehensive visibility for cybersecurity purposes.
>>So talk, so all, all three perspectives are needed.
Talk about what each provides. What are the different perspectives on threat detection and remediation?
>>Yeah. So let's start with the SIEM. You know, that is a device that is gathering alerts or logs from all kinds of different devices all over your network, be it routers, servers, you know, firewalls, IDS, or even from endpoint detection and network detection devices too. So it is, it is the aggregator or consumer of all those alerts. The SIEM is trying to correlate those alerts across all those different data sources and, and trying to the best it can to bubble up potentially the highest priority alerts or drawing correlations and, and, and, and giving you some guidance on, hey, here's something that we think is, is really of importance or high priority. Here's some information that we have across these disparate data sources. Now go investigate. The disadvantage of the SIEM is that's all it gives you, is just these logs or, or, or information. It doesn't give you any further context.
>>Like what happened, what is really happening at the endpoint? Can I get visibility into the, into the files that were potentially manipulated or the, the registry setting or what, what happened on the network? And I get visibility into the packet data or things like that. It, that's, so that's where it ends. And, and that's where the, so the other two sides of the equation come in. The endpoint will give you that deeper visibility, endpoint detection response. It will look for known and or unknown threats, you know, at that endpoint. It'll give you all kinds of additional information that is occurring in endpoint, whether it be a registry setting, in memory, on the file, et cetera. But you know, one of, some of its disadvantages, it's really difficult because really difficult to deploy pervasive because it requires an agent and, you know, not all devices can accept an agent. But what it miss, what is lacking is the context on the network.
>>So if I was an analyst and I started pursuing from my SIEM, I went down to the endpoint and, and said, I wanna investigate this further. And I hit a, I hit a dead end from some sort, or I realize that the device that's potentially I should be alerted to, or should be concerned about, is an IoT device that doesn't even have an agent on it. My next source of visibility is on the network and that's where NDR comes in. It, it sees what's traversing the entire network, provides you visibility into that from both a metadata and even a, ultimately a packet perspective. And maybe, you know, could be deployed a little bit more strategically, but you know, it doesn't have the perspective of the endpoint. So you can see how each of these sort of complements each other. And that's why, you know, Gartner said that, that you need 'em all, then they all play a role. They all have their pros and cons or advantage and disadvantages, but, you know, bringing them and using 'em together is, is the key.
>>I wanna kinda dig into some of the, the EDR gaps and challenges, as you talked about, as, as the things evolve and change, the network environment's becoming far more sophisticated and as well as threat actors are, and malware is. So can you crack that open more on some of the challenges that EDR is presenting? What are some of those gaps and how can organizations use other, other, other data sources to solve them?
>>Yeah, sure. So, you know, again, just be clear that EDR is absolutely required, right?
We, we need that, but as sort of these network environments get more complex, are you getting all kinds of new devices being put on the network, that devices being brought into the network that maybe you didn't know of, BYOD devices. You have IoT devices, you know, popping up potentially by the thousands in, in, in some cases, when new applications or world that maybe can't accept an endpoint detection or an EDR agent. You may have environments like ICS and SCADA environments that just, you can't put an endpoint agent there. However, those devices can be compromised, right? You have different environments up in the cloud or SaaS environments, again, where you may not be able to deploy an endpoint agent, and all that together leaves visibility gaps or gaps in, in, in the security operation triad. Right. And that is basically open door for exploitation.
>>Open door. Go ahead. Sorry.
>>Yeah. And then, then you just have the malware and the, and the attackers getting more sophisticated. They, they have malware that can detect an EDR agent running or some anti-malware agent running on device. And they'll simply avoid that and move on to the next one, or they know how to hide their tracks, you know, whether it be deleting files, registry settings, things like that. You know, so it's, that's another challenge that, that, that just an agent faces. Another one is there are certain applications like MySQL that are, you know, have administrative rights into certain parts of the Windows operating system that EDR doesn't have visibility into. Another area that maybe EDR may not have visibility is, is, is in, you know, malware that tries to compromise, you know, hardware, especially like BIOS or something like that. So there's a number of challenges as sort of the whole network environment and sophistication of bad actors and malware increases.
>>Ultimately, I think one of the things that, that we've learned, and, and we've heard from you in this segment, is that doing business in, in today's digital economy demands agility. Table stakes, right? Absolutely essential. Corporate digital infrastructures have changed a lot in response to the dynamic environment, but its businesses are racing to the clouds. Dave Vellante likes to call it the forced march to the cloud, expanding activities across this globally distributed digital ecosystem. They also, sounds like, need to reinvent cybersecurity to defend this continuously expanding threat surface. And for that, comprehensive network visibility is, as I think you were saying, is really, really fundamental, and more advanced network detection is, and response is required. Is that right?
>>That's correct. You know, you know, we, we at Netscout, this is, this is where we come from. Our perspective is the network. It has been over for over 30 years. And, and we, as well as others, believe that that network visibility, comprehensive network visibility, is fundamental for cyber security as well as network performance and application analysis. So it, it, it's sort of a core competency or need for, for modern businesses today.
>>Excellent. And hold that thought, Tom, 'cause in a moment, you and I are gonna be back to talk about the role of NDR and how it overcomes the challenges of EDR. You're watching theCUBE, the leader in enterprise tech coverage. Hey everyone, welcome back. This is segment two. Kicking things off, I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Tom, great to have you back on the program.
>>Good to be here.
>>We're gonna be talking about the growing importance of advanced NDR in this series. In this segment specifically, Tom's gonna be talking about the role of NDR and how it overcomes the challenges of EDR.
So Tom, one of the things that we talked about previously is one of the biggest advantages that NDR has over EDR is that bad actors can hide or manipulate endpoint data pretty easily, whereas network data, much harder to manipulate. So my question, Tom, for you is, is NDR the only real source for reliable, accurate, comprehensive data?
>>I'm sure that's arguable, right? Depending on who you are as a vendor, but you know, it's, it's our, our answer is yes. NDR solutions also bring an analyst down to the packet level. And there's a saying, you know, the, the packet is the ultimate source or source of truth. A bad actor cannot manipulate a packet once it's on the wire. They could certainly manipulate it from their endpoint and then blast it out. But once it hits the wire, that's it, they've lost control of it. And once it's captured by a network detection or, or network monitoring device, they can't manipulate it. They can't go into that packet store and, and manipulate those packets. So the ultimate source of truth is, is lies within that packet somewhere.
>>Got you. Okay. So as you said in segment one, EDR absolutely necessary, right? But you did point out it can't, organizations can't solely rely on it for comprehensive cybersecurity. So Tom, talk about the benefits of, of this complementing, this combination of EDR and NDR and, and how can that deliver more comprehensive cybersecurity for organizations?
>>Yeah, so, so one of the things we talked about in the prior segment was where EDR maybe can't be deployed, and it's either on different types of devices like IoT devices, or even different environments. They have a tough time maybe in some of these public cloud environments, but that's where NDR can, can step in, especially in these public cloud environments. So I think there's a misconception out there that's difficult to get packet level or network visibility in public clouds like AWS or Azure or Google and so on. And that's absolutely not true.
They have all kinds of virtual tapping capabilities that an NDR solution or network-based monitoring solution could take advantage of. And one of the things that we know we spoke about before, some of that growing trends of migrating workloads to the cloud, that's what's driving that. Those virtual networks or virtual taps is providing visibility into the performance and security of those workloads.
>>As they're migrated to public clouds, NDR can also be deployed more strategically. You know, prior segment, talking about how the, in order to gain pervasive visibility with EDR, you have to deploy an agent everywhere. Agents can't be deployed everywhere. So what you can do with NDR is there's a lot fewer places in a network where you can strategically deploy a network-based monitoring device to give you visibility into not only that north-south traffic, so what's coming in and out of your network, but also the, the, the, the east-west traffic too, what's traversing, you know, within your network environment between different points of your op, your, your multi-tiered application, things like that. So that's where, you know, NDR has a, a, a little bit more advantage. So fewer points of, points in the network, if you will, than everywhere on every single endpoint. And then, you know, NDR is out there continuously gathering network data. It's both either before, during, and even after a threat or an attack is, is detected. And it provides you with this network context of, of, you know, what's happening on the wire. And it does that through providing you access to, you know, layer two through layer seven metadata, or even ultimately packets. You know, the bottom line is simply that, you know, NDR is providing, as we said before, that, that network context that is potentially missing or is missing in EDR.
>>Can you talk a little bit about XDR? That kind of sounds like a superhero name to me, but this is extended detection and response, and this is an evolution of EDR. Talk to us about XDR and maybe EDR, NDR, XDR is really delivering that comprehensive cybersecurity strategy for organizations.
>>Yeah. So, you know, it's, it's interesting. I think there's a lot of confusion out there in the industry. What is, what is XDR, what is XDR versus an advanced SIEM, et cetera. So in some cases, there are some folks that don't think it's just an evolution of EDR. You know, to me, XDR is taking, look at these, all these disparate data sources. So going back to our, when our first segment, we talked about the, the, the security operations center triad, and it has data from different perspectives, as we were saying, right? And XDR, to me, is the, is, is trying to bring them all together. All these disparate data source sets or sources, bring them together, conduct some level of analysis on that data for the analyst and potentially, you know, float to the top the most, you know, important events or events that we, that you know, that the system deems high priority or most risky and so on. But as I, as I'm describing this, I know there are many advanced SIEMs out there trying to do this today too. Or they do do this today. So this, there's this little area of confusion around, you know, what exactly is XDR, but really it is just trying to pull together these different sources of information and trying to help that analyst figure out, you know, what, where's the high priority event that's they should be looking at.
>>Right? Getting those high priority events elevated to the top as soon as possible. One of the things that I wanted to ask you about was something that occurred in March of this year, just a couple of months ago, when the White House released a statement from President Biden regarding the nation's cyber security. It included recommendations for private companies.
I think a lot of you are familiar with this, but the first set of recommendations were best practices that all organizations should already be following, right? Multifactor authentication, patching against known vulnerabilities, educating employees on the phishing attempts, on how to be effective against them. And the next statement in the president's release focused on data safety practices, also stuff that probably a lot of corporations doing: encryption, maintaining offline backups. But where the statement focused on proactive measures companies should take to modernize and improve their cybersecurity posture, it was vague. It was: deploy modern security tools on your computers and devices to continuously look for and mitigate threats. So my question to you is how do, how do you advise organizations do that? Deploy modern security tools, look for and mitigate threats, and where do the data sources, the SOC triad that we talked about, NDR, XDR, EDR, where did they help fit into helping organizations take something that's a bit nebulous and really figure out how to become much more secure?
>>Yeah, it was, it was definitely a little vague there with that, with that sentence. And also if you, if you, I think if, if you look at the sentence, deploy modern security tools on your computers and devices, right, it's missing the network, as we've been talking about. There, there's, there's a key, key point of, of reference that's missing from that, from that sentence. Right. But I think what they mean by deploying modern security tools is, is really taking advantage of all these, these ways to gain visibility into, you know, the threats like we've been talking about. You're deploying advanced SIEMs that are pulling logs from all kinds of different security devices or, and, or servers, et cetera. You're, you're deploying advanced endpoint detection systems, advanced NDR systems.
And so on. You're trying to use, you're trying to utilize XDR, new technology, to pull data from all those different sources and analyze it further. And then, you know, the other one we, we haven't even mentioned yet. It was the SOAR, the security operation and automation, right, response. It's now, now what do we do? We've detected something, but now help me automate the response to that. And so I think that's what they mean by leveraging modern, you know, security tools and so on.
>>When you're in customer conversations, I imagine they're coming to, to Netscout looking for advice like what we just talked through, the vagueness in that statement and the different tools that organizations can use. So when you're talking to customers and they're talking about, we need to gain visibility across our entire network, across all of our devices, from your perspective, from Netscout's perspective, what does that visibility actually look like and deliver across an organization that does it well?
>>Yeah, we, I mean, I think the simple way to put it is you need visibility that is both broad and deep. And what I mean by broad is that you need visibility across your network, no matter where that network may reside, no matter what protocols it's running, what, you know, technologies. Is it, is it virtualized or, or legacy, running in a hundred gigabits? Is it in a private cloud, a public cloud, a combination of both? So that broadness, meaning wherever that network is or whatever it's running, that's, that's what you need visibility into. It has to be able to support that environment. Absolutely. And the, the, absolutely when I, we talk about being deep, it's, it has to get down to a packet level. It can't be, you know, as high as, say, just looking at NetFlow records or something like that, that they are valuable, they have their role.
However, you know, when we talk about getting deep, it has to ultimately get down to the packet level and that's, and we've said this in this time, that it's ultimately that source of truth. So that, that's what that's, I think that's what we need.
>>Got it. That, that depth is incredibly important. Thanks so much, Tom, for talking about this. In a moment, you and I are gonna be back, we're gonna be talking about why not all NDR is created equally, and Tom's gonna actually share with you some of the features and capabilities that you should be looking for when you're choosing an NDR solution. You're watching theCUBE, the leader in enterprise tech coverage.
>>And we're clear.
>>All right.
>>10 45. Perfect. You guys are
>>Okay. Good
>>Cruising. Well,
>>Welcome back everyone. This is segment three. I'm Lisa Martin with Tom Bienkowski, senior director of product marketing at Netscout. Welcome back to the growing importance of advanced NDR. In this segment, Tom and I are gonna be talking about the fact that not all NDR is created equally. He's gonna unpack the features, the capabilities that are most important when organizations are choosing an NDR solution. Tom, it's great to have you back on the program.
>>Great, great to be here.
>>So we've, we've covered a lot of content in the first two segments, but as we, as we see enterprises expanding their IT infrastructure, enabling the remote workforce, which is here to stay, leveraging the cloud, driving innovation, the need for cybersecurity approaches and strategies that are far more robust and deep is really essential. But in response to those challenges, more and more enterprises are relying on NDR solutions that fill some of the gaps that we talked about with some of the existing tool sets. In the last segment, we talked about some of the gaps in EDR solutions, how NDR resolves those. But we also know that not all NDR tools are created equally.
So what, in your perspective, Tom, are some of the absolutely fundamental components of NDR tools that organizations need to have for those tools to really be robust?
>>Yeah. So we, we, we touched upon this a little bit in the previous segment when we talked about, first and foremost, your NDR solution is providing you comprehensive network visibility that must support whatever your network environment is. And it should be in a single tool. It shouldn't have a, one vendor per, providing you, you know, network visibility in the cloud and another vendor providing network visibility in a local network. It should be a single NDR solution that provides you visibility across your entire network. So we also talked about it, not only does it need to be broadened like that, but also has to be deep too, eventually down to a packet level. So those are, those are sort of fundamental table stakes, but the NDR solution also must give you the ability to access a robust source of layer two or layer three metadata, and then ultimately give you access to, to packets. And then last but not least, that solution must integrate into your existing cybersecurity stack. So in the prior segments, we talked a lot about, you know, the, the SIEM, so that, that, that NDR solution must have the ability to integrate into that SIEM or into your XDR system or even into your SOAR system.
>>Let's kind of double click on, now, the evolution of NDR. Can explain some of the differences between the previous generations and advanced NDR?
>>Yeah. So let's, let's start with what we consider the most fundamental difference. And that is, solution must be packet-based. There are other ways to get network visibility. One is using NetFlow, and there are some NDR solutions that rely upon NetFlow for their source of, of, of visibility. But that's too shallow. You ultimately, you need to get deeper.
You need to get down to a packet level and that's again where some, so, you know, you, you want to make sure that your NDR or advanced NDR solution is packet-based. Number two, you wanna make sure that when you're pulling packets off the wire, you can do it at scale, at full line rate and in any environment, as we, as we spoke about previously, whether it be your local environment or a public cloud environment. Number three, you wanna be able to do this when your traffic is encrypted. As we know, a lot of, lot of not of network traffic is encrypted today. So you have the ability to have to have the ability to decrypt that traffic and then analyze it with your NDR system.
>>Another, another, another one, number four, is, okay, I'm not just pulling packets off the wire, throwing full packets into a data storage someplace. That's gonna, you know, fill up a disk in a matter of seconds, right? You want the ability to extract a meaningful set of metadata from layer two to layer seven, the OSI model, look at key metrics and conducting initial set of analysis, have the ability to index and compress that data, that metadata as well as packets, on these local storage devices, on, you know, so having the ability to do this packet capture at scale is really important, storing that packets and metadata locally versus up in a cloud to, you know, help with some compliance and, and confidentiality issues. And then, you know, last final least, when we talk about integration into that security stack, it's multiple levels of integration. Sure, we wanna send alerts up into that SIEM, but we also want the ability to, you know, work with that XDR system to, or that, that SOAR system, to drill back down into that metadata, packets, for further analysis.
And then last but not least, that piece of integration should be that there's a robust set of information that these NDR systems are pulling off the wire. Many times in more advanced, mature organizations, you know, security teams, data scientists, et cetera, they just want access to that raw data. Let them do their own analysis outside, say, the user interface, with the boundaries of a, of a vendor's user interface. Right? So have the ability to export that data too is really important in advanced NDR systems.
>>Got it. So, so essentially that the, the, the breadth, the visibility across the entire infrastructure, the depth you mentioned going down to a packet level, the scale, the metadata, encryption, is that what Netscout means when you talk about visibility without borders?
>>Yeah, exactly. You know, we, we have been doing this for over 30 years, pulling packets off of wire, converting them using patented technology to a robust set of metadata, you know, at, at full line rates up to a hundred, in any network environment, any protocols, et cetera. So that, that's what we mean by that breadth and depth of visibility.
>>Can you talk a little bit about smart detection? If we say, okay, advanced NDR needs to deliver this threat intelligence, but it also needs to enable smart detection. What does Netscout mean by that?
>>So what you wanna make sure you have multiple methods of detection, not just a methods. So, you know, not just doing behavioral analysis or not just detecting threats based on known indicators of compromise. What you wanna, wanna have multiple ways of detecting threats. It could be using statistical behavioral analysis. It could be using curated threat intelligence. It could be using, you know, open source signature engine, like from Suricata, or other threat analytics, but to, but you also wanna make sure that you're doing this both in real time and have the ability to do it historically.
So after a, a threat has been detected, for example, with another, with another product, say an EDR device, you now want the ability to drill into the data from the network that had occurred in, in, you know, prior to this. So historically you want the ability to comb through a historical set of metadata or packets with new threat intelligence that you've, you've gathered today. I wanna be able to go back in time and look through with a whole new perspective, looking for something that I didn't know about, but you know, 30 days ago. So that's, that's what we, what we mean by smart detection.
>>So really what organizations need is these tools that deliver a far more comprehensive approach. I wanna get into a little bit more on in integration. You talked about that in previous segments, but can you, can you give us an example of, of what you guys mean by smart integration? Is that, what does that deliver for organizations specifically?
>>Yeah, we, really it's three things. One will say the integration to the SIEM, to the security operations center and so on. So when, when an ed, when an NDR device detects something, have it send an alert to the SIEM using, you know, open standards or, or, or like syslog standards, et cetera. The other direction is from the SIEM or from the SOAR. So one, you know, that SIEM, that SOAR is receiving information from many different devices that are, or detecting threats. The analyst now wants the ability to, one, determine if that's a true threat or not, a false positive. If it is a true threat, you know, what, help me with the remediation effort. So, you know, an example could be an alert comes into a SIEM slash SOAR, and part of the playbook is to go out and grab the metadata, packets associated with this alert, sometime before and sometime after when that alert came in.
>>So that could be part of the automation coming from the SIEM slash SOAR.
And then last one, not least, is, we alluded to this before, is having the ability to export that robust set of layer two through layer seven metadata and or packets to a third-party data lake, if you will, and where analysts, more sophisticated analysts, data scientists, and so on, can do their own correlation, enrich it with their own data, combine it with other data sets and so on, do their own analysis. So it's that three layers of, of integration, if you will, that really what should be an advanced NDR system.
>>All right, Tom, take this home for me. How does Netscout deliver advanced NDRs for organizations?
>>We do that via solution we call Omnis Security. This is Netscout's portfolio of, of multiple different cyber security products. It all starts with the packets. You know, our core competency for the last 30 years has been to pull packets off the wire at scale, using patented technologies, for example, Adaptive Service Intelligence technologies, to convert those broad packets into robust set of layer seven, layer two through seven metadata. We refer to that data as smart data. With that data in hand, you now have the ability to conduct multiple types of threat detection using statistical behavioral, you know, curated threat intelligence, or even open source. So rules engine, you have the ability to detect threats both in real time, as well as historically. But then a solution goes beyond just detecting threats or investigating threats, has the ability to influence the blocking of threats too. So we have integrations with different firewall vendors like Palo Alto, for example, where they could take the results of our investigation and then, you know, create policies, blocking policies, into firewall.
>>In addition to that, we have our own Omnis AED product, or our Arbor Edge Defense. That's, that's a product that sits in front of the firewall and protects the firewall from different types of attacks.
We have integration where you can also influence policies being blocked in the AED. And last but not least, our solution integrates this sort of three methods of integration, as we mentioned before, with an existing security system: sending alerts to it, allowing for automation and investigation from it, and having the ability to export our data for, you know, custom analysis. You know, all of this makes that security stack that we've been talking about better, all those different tools that we have. That operations triad that we talked about, or visibility triad we talked about, you know, our data makes that entire triad just better, and makes the overall security stack better, and makes overall security just better too. So that's our solution, Omnis Security. >>Got it. Omnis Security. And what you've talked about, you did a great job the last three segments talking about the differences between the different technologies, data sources, why the complementary and collaborative nature of them working together is so important for that comprehensive cybersecurity. So Tom, thank you so much for sharing such great and thoughtful information and insight for the audience. >>Oh, you're welcome. Thank you. >>My pleasure. We wanna thank you for watching the program today. Remember that all these videos are available at thecube.net, and you can check out today's news on siliconangle.com and of course, netscout.com. We also wanna thank NETSCOUT for making this program possible and sponsoring theCUBE. I'm Lisa Martin for Tom Bienkowski. Thanks for watching and bye for now.
Tom Bienkowski, NETSCOUT | CUBE Conversation, September 2020
>>From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >>Hi, I'm Stu Miniman, and welcome to another CUBE Conversation. I'm here in our Boston area studio. And of course, the intersection of networking and security has always been a hot topic, even more if you look at it in 2020: everybody working from home, there are stresses and strains and a lot more changes than usual for what corporate IT has to deal with. Happy to welcome to the program Tom Bienkowski. He is the director of product marketing with NETSCOUT. We're gonna get into some of those topics and more. Tom, thanks so much for joining us. Welcome. All right. So you came to NETSCOUT by way of the Arbor Networks acquisition a few years ago, and I want to give our audience just a little bit about your background, what your team works on, and we're gonna be talking about the edge defense solution set. >>Sure. Yes, I've been with Arbor Networks for over 10 years. I've been the director of product marketing for the DDoS line of products during that time, and when we came over to NETSCOUT I still have kind of continued that role. So I'm basically responsible for anything that, you know, has to do with the Arbor DDoS solutions. We have solutions for the service providers of the world, large enterprises in the world. >>Yeah, maybe it would help if you just refresh our audience. So, you know, generally out in the marketplace, you know, DDoS, it's, you know, attacks on the internet. If I was, you know, a big provider of technology, it's like, hey, why can't I get to that website? Oh, they had a DDoS attack that hit them. But you know, when it comes to the enterprise, you talked about service providers also, you know, when is this hitting them? You know, who are the ones causing this kind of thing? Just kind of give our audience a little bit of a level set, if you would, in 2020. >>Oh, yeah.
I mean, you know, DDoS attacks have been around for over 20 years. This isn't anything new, as you know, but the reality is that these attacks have been getting bigger, they're getting more frequent, they're getting more complex. And like I said before, I've been here for over 10 years, and I feel like I say that every single year, but it is absolutely true. And you know, the service providers of the world bear the brunt of this problem. They're the ones taking on these large attacks. They're the ones trying to stop it, not only to protect their own infrastructure, but also potentially the target, which could or could not be one of their customers. There's a lot of collateral damage associated with DDoS attacks, especially from a service provider's perspective, because it impacts everything running on their backbone or in whatever facility that this attack is flowing through. And then, obviously, you have potentially the target of these attacks, which could be any enterprise, any large government, whatever. It's very indiscriminate; anyone could be a potential target. >>All right. And for the enterprises themselves, you know, how are they making sure that they are protecting their perimeter? Where does NETSCOUT, you know, fit in to helping protect them against this sort of malicious attack? >>Yeah. So when it comes to protecting your perimeter in particular, let's talk about where we are today in this whole COVID-19 pandemic. As we all know, this caused a massive work-slash, you know, learn-from-home scenario never seen before. And, you know, the, quote, new perimeter is everyone who was once inside the organization now home coming back in, right? And, you know, the inbound Internet circuit, the firewall, the VPN gateway, the load master, all now coming from the opposite direction than maybe they were utilized in the past.
It is really the new perimeter, and it has become very crucial to maintain business continuity, especially in this time. But as we'll talk about, it also has become very vulnerable to DDoS attacks in particular. And, you know, one of the areas that we'll talk about is how one particular piece of that infrastructure, the VPN gateway, has actually become not only one of the most critical pieces in that chain of communication, but also one of the most vulnerable pieces too, simply because it was never anticipated that this many users would utilize that VPN gateway, and it was never designed for that. Therefore, it's running at, you know, high or near capacity or at capacity, and it could be toppled over pretty easily with fairly small DDoS attacks. We'll get into that a little bit later. >>Yeah, absolutely, Tom. So I've had so many conversations over the last few months about, you know, the ripple effects of work from home. Or, you know, if we think about however things play out in the next few months, it really will be almost work from anywhere, is what will happen. And while everyone is working at home, that doesn't mean that some of those bad actors out there have gone away. In fact, you know, every company I talked to that's involved with security has seen we need to raise our capabilities, and often are getting more attacks out there. What have you been seeing out there in the marketplace? You know, how have things been so far in 2020 when it comes to your space? >>Yeah, I know, the same thing. So I'm gonna put up a chart here. And this is a chart which shows DDoS attacks during the first six months of 2020, and this data comes from what we call our Cyber Threat Horizon. This is a free online portal that anyone could access and see this information if they wish, but it's fueled by the deployment of our products all over the world.
So our DDoS protection products are utilized by a majority of the world's Internet service providers. And from that deployment, they send this information about DDoS attack activity like, you know, the size of attack, who was being attacked, where is it coming from, the protocols or vectors being used, et cetera. So we gather this information on a daily basis, presented in this portal. So what this represents is the first six months of 2020, and as you can see, there's been over 4.8 million attacks thus far in 2020. That's about 15% higher than last year at the same exact time period. But if you look at the chart a little bit closer, we snapped the line at February, sort of the start of the global pandemic and the lockdown periods, if you will, and what you can see in February, March, April, May is an uptick in the number of DDoS attacks, almost up to 36% in May. So all this is happening during the time of this lockdown, right? All this is happening where organizations are struggling to maintain a new normal, if you will, business continuity, right? So what you said before, that organizations are still struggling with cyber attacks, in fact probably more, is exactly what's happened too in the DDoS realm. And then finally, if you look at June, you see this little drop-off there, and you know, here everyone's talking about the new normal. The new normal is not the new normal, possibly. It's still too soon to tell. I think we'll wait for another couple of months here. But the bottom line is that during the midst of all this, as organizations try to maintain some level of business continuity, they're also being faced with cyber threats like DDoS attacks like they've never seen before. So an amazing challenge that folks have faced out there. >>Yeah, Tom, there's a few spaces in the marketplace that were already very important, you know, really top of mind from the business.
I think about automation and security being the two that come up most often. And when I talk to the participants in the space, they're like, I thought I was busy in 2019 and had a lot planned for 2020, and oh my gosh, I had no idea what 2020 was really going to bring. So that data that you showed, you know, you're talking about millions of attacks, and you know, that increase, they're putting a focus on it even more here. So a lot of work for people to be done. So bring us inside a little bit. You know, NETSCOUT, how are you helping customers? What advice do you have for them? You know, how do we make sure that we can curb, you know, the impact of these attacks, which are in the millions? >>Sure. So let's go back to that inbound infrastructure now, right? Where everyone's working from home, coming into the inbound router, hitting a firewall, but more likely hitting a VPN gateway of some sort. That's what's allowing them to get access into these internal resources. That VPN gateway, as I mentioned before, has been crucial during this time, but it also has been very susceptible to DDoS attacks. That VPN gateway, as well as that firewall, these are, you know, what are referred to as stateful devices. They have to track TCP state in order to work properly. Well, there are three types of DDoS attacks, if you will, to make things simple. One is the volumetric attack, which people normally think of as a DDoS attack. It is designed to saturate that inbound circuit, that Internet-facing router interface, right? And then there are application layer attacks. These are very small, stealthy attacks. They're going after specific application servers. They're trying to bleed off resources there. And then there's an attack called state exhaustion attacks. These are specifically designed to go after stateful devices like firewalls or, in today's world, the VPN gateway, and it doesn't take much.
It takes a small 100 megabit per second attack lasting for 5, 10 minutes to potentially fill the state tables in some of these VPN gateways, especially in light of the fact that they weren't prepared or designed to take on all the legitimate users, right, that are coming in as a result of the pandemic. So the key to stopping these sorts of attacks, the stateful attacks, and protecting that VPN gateway is to put something on premise that is stateless, meaning it has the ability to inspect packets using stateless packet processing technology. And we have such a product. Our product, which we call the Arbor Edge Defense, is designed to stop all types of attacks. But in this particular environment, it excels at stopping state exhaustion attacks, and you deploy it just inside the Internet router and in front of the VPN gateway or that firewall. There, it could pick off short-lived state exhaustion attacks and protect the availability of the VPN gateway and firewall. Now, if you're relying upon, which many organizations do, relying upon a cloud-based DDoS protection service, which we have too, we have something called Arbor Cloud, it may not be able to stop those attacks in time. So you're running a little risk by relying on more traditional cloud-based protection services. That's why you need this product, Arbor Edge Defense, on premise, because it will react instantaneously and protect that VPN gateway from going down and maintain that business continuity for you. >>You know, Tom, when I think about that footprint that you have in a customer's environment, you know, in addition to the DDoS services, it would seem like a prime opportunity, that there's other services and applications that could be run there. Is that the case with your solution too? >>Well, if I understand what you mean by the services, well, we have the ability to conduct fully managed services. Is that where you're going with that?
>>Yeah, I think that's one of, right. Understand how that service works. Yes. >>So the Arbor Edge Defense is a system that once you have it configured, you design it for protecting sort of the interior services, like to protect the VPN gateway, firewalls, any other application running internally. In the event of a large attack that we've been talking about that will fill that Internet pipe, it has a feature called Cloud Signaling, where it will intelligently call for help upstream to either an Arbor Cloud service, this is a fully managed DDoS protection service, we have global scrubbing centers, and/or call your ISP, who you may be getting your DDoS protection service from already. So it has the ability to link the on-premise with the cloud-based protection. And this hybrid approach to protection is absolutely industry best practice. This is how you protect yourself from the multi-vector DDoS attacks, as we mentioned previously. Now, if you're an organization that maybe doesn't have enough experience, doesn't want to deal with the on-prem Arbor Edge Defense, you know, we have you covered there too. We have the ability to manage that scenario or that device for you. We have the ability to manage not only the Arbor Edge Defense, but also the integration in the Arbor Cloud. So that whole hybrid scenario that we're talking about could be fully managed by, you know, our folks who do this every single day, 24/7. >>Yeah, is there any breakdown with your customers as to, you know, when they choose that fully managed solution versus on-prem? The recommendation we've had for a long time is you wanna have your IT focused on things that have differentiation in your environment, and it seems like a natural thing that, you know, your team has the expertise. So what is that decision point as to whether they do it themselves or go with the managed solution?
>>I think it really just has to do with the culture and the experience of the company. Really, what we're seeing is some of the smaller organizations that, you know, have smaller teams, right, that wear multiple hats, they just cannot stay abreast of the latest threats in DDoS. As I mentioned before, these things are getting more and more complex. So I think they're coming to the conclusion that, all right, this is something that I can't do by myself anyway. For the large attacks, I need a cloud-based service of some sort. I need someone to help me there anyway. So why don't they just handle the whole thing? Why don't they just handle the on-premise component and the cloud-based component of this and make sure that it's running as efficiently as possible. But you know, even that said, it's not just the smaller orgs. We're seeing larger orgs do it too, just to push things off their plates. Let's leave DDoS to the experts, again, because I can't do it by myself anyway. >>Tom, I saw a video, I think it was you that did it, actually talking about how Arbor Edge Defense is the first and last defense when it comes to DDoS. Maybe explain that a little bit for our audience. >>Yeah. So our tagline for the product is first and last line of defense. The first line, which we've been talking about all along here, is the ability to stop the inbound DDoS attacks. Now it also acts as the last line of defense too. So, as we were alluding to before, you know, all you hear during this time of the pandemic is watch out for, you know, COVID-19 related ransomware and things like that, right? Because the Arbor Edge Defense sits just inside the router and outside that firewall, it is literally the last component in that cybersecurity chain. Let's look from the outbound perspective, packets leaving the enterprise and going out to the Internet: it is the last piece of product in that security chain, right, before it leaves for the Internet.
The Arbor Edge Defense has the ability to consume threat intelligence not only from our own ATLAS system, which we spoke about earlier, but third parties too via STIX and TAXII. It has the ability to consume threat intelligence. And sitting on that last piece of, you know, the security pipe, if you will, or chain, it has the ability to intercept indicators of compromise that have come from internal compromised devices that have made it through the entire security chain, outgoing, reaching outside the firewall. Now it's one last line of defense, if you will, that has the ability to recognize and stop that internal indicator of compromise. And this is going to help stop the proliferation of malware and ultimately avoid that data breach that everyone is fearful of. So it has a dual role. It could protect you from inbound DDoS attacks, and it's also going to act as this last line of defense, stopping the proliferation of this malware we're talking about. >>Yeah. Great, Tom. That's actually what I was curious about, you know, what other things your device did. And you know, there's the intelligence baked into there to have kind of a multipurpose when you're in that environment. All right, Tom, I want to give you the last word here. You know, companies today often need to react very fast to be able to deal with, you know, the changing dynamics of their business, you know, spinning up resources, everybody, you know, working from home and the like. So, you know, what final advice do you have for them? And, you know, give us the final word. >>Yeah. You know, during these unprecedented times, you know, we all unfortunately have to remain very vigilant when it comes to protecting our organization from cyberattacks. One of the areas that seems to get overlooked is DDoS protection, right? Everyone is focused on malware and things like that, but don't overlook DDoS attacks.
These things are happening on a daily basis, as I showed you, over almost five million so far this year. It is an absolute part of maintaining the availability of your organization. It's part of the security triad, as we know. And, you know, it's really there to, you know, disrupt your business continuity if you are getting hit. So don't overlook and don't underestimate your DDoS protection. >>All right, well, Tom Bienkowski, thank you so much for the update, and appreciate everything you shared. >>Welcome. >>All right. Be sure to check out thecube.net for lots more coverage from theCUBE. I'm Stu Miniman. Thanks for watching.
Hardik Modi, NETSCOUT | RSAC USA 2020
>>Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco. Brought to you by SiliconANGLE Media. >>Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco. It is an absolutely spectacular day outside. I'm not sure why we're inside Moscone. That's where we are. It's the RSA Conference, I think 50,000 people, the biggest security conference in the world, here in Moscone this week. We've been here, wall-to-wall coverage. We'll be here all the way till Thursday. So thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's Hardik Modi. He's a VP, engineering, threat and mitigation products, for NETSCOUT. Hardik, great to meet you. >>Thank you. Good to be here. >>So for people who aren't familiar with NETSCOUT, give 'em kind of the basic overview. What are you guys all about? >>Yes, and so we consider ourselves the guardians of the connected world. And so our job is to protect, like, you know, companies, enterprises, service providers, anybody who is on the Internet, and help keep their services running, your applications and things that you deliver to your customers, make sure that it's up there performing, like, you know, the way you want them to, but also kind of give you visibility and protect you against DDoS attacks and other kinds of security threats. That's basically, in a nutshell, what we do as a company. And, yeah, we're the guardians of the connected world. >>So just from a vendor point of view, I always feel so sorry for buyers in this environment, because you walk around, I don't know how many vendors are in here. A lot of big booths, little booths. So how do you kind of help separate, you know, NETSCOUT from the noise? What's your guys' secret sauce? What's your kind of special things?
>>Really, it's like 30 years of investment in, like, network-based visibility, and we truly believe in the network. Our CEO, he says, like, you know, the network, actually, when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really how you find out, like, you know, if something's right or wrong. I mean, I actually, from my background too, like network monitoring. There's a lot of what we think of as, like, the endpoint is actually contested territory. That's where the adversary is. When you're on the network and you're monitoring all activity, it really gives you a vantage point, you know, that's really special. So we really focus on the network. Our heritage in the network is one of our key strengths. And then, you know, as part of us as a company, like Arbor, Arbor Networks, which NETSCOUT acquired some years ago, we're very much part of NETSCOUT with our brand of products. Part of that, you know, the Arbor legacy includes huge visibility into what's happening across the Internet, and visibility like nobody else, in terms of the number of service providers and large enterprises who work with us, help us understand what's happening across the landscape. That's like nobody else out here. And that is what we consider a key differentiator. >>Okay, great. So one of the things you guys do a couple times a year, I understand, is publish a report to give people some information as to what's going on. So we've got the version over four here, right? NETSCOUT Threat Intelligence Report. So you said this comes out twice a year. >>Twice a year. >>So what is the latest, give us some scoop here. >>Hot off the presses, we published last week. Okay, so it's really just a few days old, and, you know, our focus here is what happened in the last six months of last year. And then what we do is we compare it against data that we've collected a year prior.
>>So really a few things >>that we want you to remember if you're on the right, you know, the first number is 8.4 million. That's the number of DDoS attacks that >>we saw. This doesn't mean that >>we've seen every attack, you know, in the world, but that's, like, you know, just how many DDoS attacks we saw through the eyes of our customers. That's >>in this, in six months? The 8.4 number is >>actually for the entire year here, an entire year of 2019. There's a little bit of seasonality to it. So if you think of it like a 4.4, maybe something that, that was the second half of the year. But that's where I want to start. That's just how many DDoS attacks we observed. And so, in the >>course of the report, what we can do is >>slice and dice that number, talk about, like, different sizes, like, what are we seeing? Between zero and 100 gigabits per second, 102 104 100 above, and >>kind of give you a sense of just what kind of separation there is, who is being targeted, >>like, at a very broad level, like, in some of the verticals and geographies. We kind of lay out this number and give you, like, a lot of context. So if you're in finance and you're in the UK, you want to know, like, hey, what happened? What happened in Europe, for example, in the past 66 months? We have that data, right, and we've got to give you that awareness of what's happening now. The second number I want you to remember is seven. Seven are the number of new attack vectors, reflection amplification attack vectors, that we observed being used widely in the second half. >>Seven new 17 new ones. So that now kind of brings our tally >>up to 31, like that. We have those listed out in here. We talk about >>just how much... Uh huh. Really? Just how many of these vectors, how they're used. Also, each of these vectors >>leverages vulnerabilities in devices that are deployed across the Internet. So we kind of laid out, like, you know, just how many of them are out there.
But that's, like, you know, that to us, seven is reflecting how the adversary is innovating. They're looking for new ways to attack us. They've found 71 last year. They're going to war, right? Right. And that's kind of what we focus on. >>Let's go back to the 8.4. So of those 8.4 million, how many would you declare >>successful from the attacker's point of view? >>Yeah, you know, something that, this is always, >>like, you know, you know, it's difficult to go estimate precisely or kind of get within some level of >>precision. I think that, you know, the adversary's always trying to, >>of course, they love to deliver a knockout blow and, like, take all your services down, but even, like, every attack inflicts a cost, right? And the cost is whether it's, you know, it's made its way all the way through to the end target, and now, you know, they're using more network and computing resources just to kind of keep their services going while they're under attack. The attack is low, you're still kind of, you're still paying that cost, or, you know, the cost is paid upstream by maybe the service provider, somebody who was defending your network for you. So that way, like, you know, there's, like, there's a cost to every one of these, right? In >>terms of, like, outages, I should also point out that the attacks that you might think >>that this attack is, like, you know, hey, you know, there was a specific victim and that victim suffered as a result of it, but >>in many cases, the adversary's going after people who are providing services to others. So I mean, if a Turkish bank >>goes down, right, like, you know, or cannot, like, service customers for a month, or maybe even a few hours, right, and you know, the number of victims in this case is fairly broad. It might be one attack, there might be one target, however, like, the impact is fairly, >>is very large. What's interesting is, it begs a question. Kind of,
how do you >>define success or failure from both the attacker's point of view as well as the defender's? >>Yeah, I mean, I mean, and again, like, there's a lot of conversation in the industry about, for every attack, right, any kind of attack, what, when do I say that, you know what, I was ready for it, and, you know, I was, I was fine. I mean, I don't care about, you know, ultimately, there's a cost to each of these things. I'd say that everybody kind of comes at it with their, you know, if you're a bank, then you might go, okay, you know what, if I'm paying a little bit extra to keep the service up and running while the attacker's coming at me, no problem. If my customers aren't able to log in, some subset of my customers aren't able to log in, maybe I can live through that. A large number of my customers can't log in, that's actually a really big problem. And if it's sustained, then you make your way into the media, or you're forced to report to the government by, like, outages, or, like, you know, maybe, you know, you have to go to your board and go, like, sorry, right? Something just happened. >>But are the escalation procedures >>in the definition of consistency? Right? Getting banged all the time, right? And there's something, like you said, there's some disruption at some level before it fires off triggers and remediation. So, so is there some level of, okay, that's kind of a cost of doing business, versus, you know, we caught it at this? Are there kind of, like, escalation points that define kind of very short of a full line? >>I think when we talk to our service provider customers, when we talk to the very large kind of critical enterprises, they tend to be more methodical about how they think of, like, okay, you know, degradation of the service right now, relative to the attack. I think, I think for a lot of people, it's, like, in the eyes of the beholder. Here's, here's something, here's an SLA that I missed as a result of the attack. At that point,
like, you know, I have, I certainly have a failure, but, you know, it's, it's up until there is kind of like, okay, you're right. >>In the eyes of the attacker, to delay service >>at the, at the Turkish bank, because now their teams operate twice, twice the duration per transaction. Is it just holding for ransom? What benefit? It raises... >>A range of motivations. It's basically the full range of human nature. There's, there are certainly, like, we still see attacks that are straight vandalism. I just, I just, 'cause I could, I just wanted, I wanted to, right, I wanted to show my friend, like, you know, that I could do this. There's, there's definitely a lot of attacks that are, like, you know, hey, I'm a gamer and I'm, like, you know, there's, I know that person I'm competing with is coming from this IP address. Let me, let me bombard them with >>an attack. And you know, there's a huge kind of, there could be >>a lot of collateral damage along the way, because, you know, you think you're going after this one person in their house, but actually, if you're taking out the network upstream and there's a lot of other people that are on that network, like, you know, there's a certain competitive element to it. There are definitely, from time to time, there are extortion campaigns: pay up or we'll do this again. Right, in some parts of the world, like, in the way we think of it, it's, like, cost of doing business. You are almost like a business dispute resolution. You better be, you know, you better settle my invoice, or, like, I'm about, maybe, maybe I'll try and uses take you out. Crazy. Yeah, >>it, Jeff. I mean, things >>like, you know, the way we talked about this in previous reports, and it's still true. There's, especially with DDoS, there's what we think of as, like, a democratization of the, of the attack tools, where you don't have to be technical, right? You don't have to have a lot of knowledge. You know, there are services available.
You know, like, here's who I'm going to the market by the booth, so I'd like to go after, and, you know, here's my $50, or, like, a Bitcoin equivalent. >>All right, let's jump to >>the seven. We talked about 8.4 and the seven new attack vectors, and you outline, you know, I think, uh, the top-level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hotspots, targeting compromised endpoints. >>About the endpoints, IoT is, >>like, all the rage people have, and 5G's just rolling out, which is going to see this huge IoT expansion, especially in industrial, and all these connected devices and factories. How are people protecting those differently now, as we're getting to this kind of exponential curve of the deployment of all these devices? >>I mean, there are a lot of serious people thinking about how to protect individual devices, but infrastructure at large. So I'm not gonna go, like, hey, it's all bad, right? Is plenty back on it all to be the next number, like, 17, and 17 is the number of architectures for which Mirai, I mean, Mirai was really popular, like, a botnet from a few years ago. That still exists. But over time, what's happened is people have ported Mirai to different architectures, so that, you know, think of it like, you know, if you have your, your refrigerator connected to the Internet, it comes, it's coming with a little board, has a CPU on it, like, >>running a little OS. >>Runs, and runs an OS on it. Well, there's a Mirai variant ready for that. Essentially, as new devices are getting deployed, like, you know, there's, you know, that's kind of our observation, that even as new CPUs are introduced, or new chips, or even OSes are introduced, there's somebody out there ready to port it to that very now. Like, you know, the next-level challenge is that these devices, you know, they don't often get upgraded. There's no real,
in many cases, they're not, like, you know, there's very little thought given to really kind of security around it, right? There are back doors and, like, default passwords used on a lot of them. And so you take this combination, I have a whole, you know, we talk about, you know, large deployments of devices every year. So you have these large deployments, and now, you know, a bot is just waiting, ready for it. Now again, I will say that it's not, it's not all bad. There are serious people who are thinking about this, and there are devices that are deployed on private networks. From the get-go, there was a VPN tunnel back to a particular control point that the commercial vendor operates. I mean, there are things like that, like, hardening that people have done, right? So not every device is gonna find its way into a botnet. However, like, you know, you feel like you're getting a toy, like, Christmas, and against $20, you know, and it can connect to the Internet. The odds are nobody's >>thinking, no. Well, the thing we've heard, too, about kind of down the IT and kind of bringing of operations technology and IT is, a lot of those devices weren't developed for upgrades and patches, and Lord knows what OS is running underneath the covers. It was a single kind of use device. It wasn't really ever going to be connected to the outside world. But now you're connecting with the IT, suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place. For sure, for sure, it's crazy. Alright, so that's that. Carpet bombing tactics, increased sector attack, availability. What is, there's carpet bomb and carpet bombing generally? What's going on in this space? >>Well, so carpet bombing is a term that we applied a few years ago to a kind of a variation of attack which, like, >>traditionally, you know, we see an attack >>against a specific IP address or a specific domain, right? That's, that's where, that's what I'm targeting.
Carpet bombing is taking a range of IPs and going, like, you know, hey, almost like cycling through every single one of them. So if your filters, if your defense is based on, hey, if my one server sees a spike, let me, let me block traffic, well, now you're actually not seeing enough of a spike on an individual IP, but across a range there's a huge, you know, there's a lot of traffic that you're gonna be... >>So this is kind of, like, trips people >>up from time to time. Like, we certainly have defenses built for it. But >>now what we're, you know, it's, it's really, like, what we're seeing is the use >>of Muehr, our other known vectors. We're not, like, okay, CLDAP is a protocol that we see, we see attacks, CLDAP attacks, all the time. Now what we're >>seeing is, like, >>CLDAP with carpet bombing. Now we're seeing, like, even other, other reflection amplification protocols, which, the attack isn't, like, an individual system, but instead the range. And so that's, that's what has changed. We saw a lot of, like, you know, TCP kind of reflection attacks, TCP reflection attacks, last year. And then, and then the novelty was that now, like, okay, alongside that is the technique, right? Carpet bombing technique. That's, that's a pipe >>amounts never stops, right? Right, Hardik, we're out of time. I give you the final word. One, where can people go get the information in this report? And more importantly, for people that aren't part of our is a matter that, you know, kind of observers, or they want to be more spark, how should they be thinking about security when this thing is such a rapidly evolving space? >>So let me give you two resources really quickly. There's this, this >>report available. Dub dub dub dub dot com slash threat report. That's, that's, that's where this report is available, or Google "NETSCOUT threat report" and you'll find your way there.
We've also, you know, we made another platform available that gives you more continuous visibility into the landscape. So if you read this and go, like, okay, what's happening now? Then you would go to what we call NETSCOUT Cyber Threat Horizon. So that's >>kind of to tell you >>what's happening over the horizon. It's not just, like, you know, hey, what's, what am I seeing? What are people like me seeing, maybe other people elsewhere in the world seeing? So that's, like, netscout dot com slash horizon. Okay, to find >>that. And I think, like, between those two resources, you get >>access to all of our visibility, and then, you know, really, in terms of, like, our focus is not just to drive awareness, but all of this knowledge is being built into our products. So the NETSCOUT, like, Arbor line of products, we're continually innovating and evolving and driving, like, more intelligence into them, right? That's, that's really how we help protect our customers. Right. >>Hardik, thanks for taking a few minutes >>and sharing the story. Thank you. 18 Scary. But I'm glad you said it's not all bad. So that's good. >>Alright, he's Hardik, I'm Jeff. You're watching the Cube. We're at the RSA Conference 2020, >>Moscone. Thanks for watching. We'll see you next time. >>Yeah, yeah, yeah.
Michael Segal AWS Interview
From our studios in the heart of Silicon Valley, Palo Alto, California, this is a Cube Conversation.

Hello, and welcome to the Cube studios in Palo Alto, California, for another Cube Conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Michael Segal is the product manager, or area vice president, strategic alliances, at NETSCOUT Systems. Michael, we are sitting here in the Cube studios in Palo Alto in November of 2019. re:Invent 2019's right around the corner. NETSCOUT and AWS are looking to do some interesting things. Why don't you give us an update of what's happening?

Yeah, just a very brief introduction of what NETSCOUT actually does. So NETSCOUT assures service performance and security for the largest enterprises and service providers in the world. We do it through something we refer to as visibility without borders, by providing actionable intelligence necessary to very quickly identify the root cause of either performance or security issues. So with that, NETSCOUT is partnering very closely with AWS. We are an advanced technology partner, which is the highest tier for ISVs of partnership. This enables us to partner with AWS on a wide range of activities, including technology alignment with roadmap and participating in different launch activities of new functionality from AWS. It enables us to have go-to-market activities together, focusing on key campaigns that are relevant for both AWS and NETSCOUT, and it enables us also to collaborate on sales initiatives. So with this wide range of activities, what we can offer is a win-win-win situation for our customers, for AWS and for NETSCOUT. So from the customers' perspective, beyond the fact that the NETSCOUT offering is available in AWS Marketplace, now this visibility without borders that I mentioned helps our customers to navigate through their digital transformation journey and migrate to AWS more effectively. From AWS's perspective, the win is their resources are now consumed by the largest enterprises in the world, so it accelerates the consumption of compute, storage, networking and database resources in AWS. And for NETSCOUT, this is strategically important, because now NETSCOUT is becoming a strategic partner to our large enterprise customers as they navigate their digital transformation journey. So that's why it's really important for us to collaborate very, very efficiently with AWS. It's important to our customers, and it's important to AWS.

Michael Segal, NETSCOUT Systems, thanks very much for being on the Cube. Thank you for having me. And once again, we'd like to thank you for joining us for another Cube Conversation. Until next time.
Thor Wallace, NETSCOUT | CUBEConversation, January 2020
Hi, I'm Peter Burris, and welcome to another Cube Conversation, where we go in depth with thought leaders from around the industry to bring you the best ideas and insights about how to improve your business with technology. One of the many things that CIOs and business leaders have to think about is how are they going to execute digital transformations, what will be the priorities. We all know the relationship between digital transformation and the use of data differently, but different technologies assert themselves a different way, and, very important, different relationships, especially with cloud vendors, assert themselves in different ways. And that's one of the many challenges that CIOs have to deal with today: serve the business better, attend to those relationships, and drive the company forward to achieve its ultimate outcomes and objectives. So to have that conversation today, we've got a great guest. Thor Wallace is the senior vice president and CIO at NETSCOUT. Thor, welcome to the Cube.

Thank you.

So tell us a little bit about what the CIO at NETSCOUT does.

Sure. So let me start by telling you a little bit about NETSCOUT. So NETSCOUT is a network monitoring and service assurance company. As the CIO, I'm obviously responsible for providing the tools and the environment for running the company. I'm also heavily involved in, for example, understanding the applications and the business direction that we're taking. We're also working on improving our customer relationships and experiences. For example, we have a customer portal that we're sort of re-evaluating and sort of improving, and we're also obviously trying to drive user productivity worldwide. We have, very briefly, about 33 locations worldwide. We're headquartered outside of Boston and have large offices both in Texas and California.

So you're a traditional supplier of technology services that's trying to make a transition to this new world, and as part of that, NETSCOUT itself is going through digital transformation so that it can better support its customers' digital transformations. I got that right?

Exactly. So let me tell you a little bit about sort of what we're trying to achieve, what some of the whys are, and sort of show where we are at this moment. Yeah, so we're, you know, we as a company are being challenged by the same sort of environment that everyone else is being challenged with, which is to be able to move as quickly as we can and provide as much of an impact for our customers as possible. So how I've read that sort of mandate and that remit is to really focus on improving our customer experience, as I said, you know, working with a new sort of platform, and we're re-platforming and refactoring our application, our customer service application, but also really focusing on how best to improve user productivity. So those are the areas that we've been focusing on. Direct driving IT productivity is important to me, so that's a fairly substantial argument for moving operations to the cloud. And we're also, part of that is transforming sort of a hardware-based environment to much more of a virtualized and software-based environment. So that includes cloud, that includes virtualization, which we've obviously taken a lot of ground on. And for example, what we've already done is virtualized all of our operations in the data center over the years. We've also moved a lot of workloads to cloud. We're, you know, cloud agnostic, but, you know, we have a fairly large environment with salesforce.com, we use Office 365, which are obviously major applications on the cloud. So we have a workload that's quite mixed. So today we maintain on-prem data centers, we have a large engineering footprint as well, so we kind of live in all of the worlds. So we live obviously on-prem, we have cloud, and one of the things that I think we've learned over the years is that in order to continue the journey to cloud, we need to really worry about a couple things. One is we want to make sure that we keep our operations in an excellent place, and I can talk more about that in a few minutes. And as I said, we want to continue to maintain our ability to execute and really what I call velocity, to be able to add value. And so cloud actually presents some of those opportunities for us, but it also obviously makes things quite complicated, in that we have multiple environments. We have to make sure that people still get the services and the applications they need to do their job, and provide those, you know, in a very productive way, in a cost-effective way, so that we can maintain that as an IT organization.

So you've got salesforce.com, you've got Office 365, you've got some other objectives moving some other applications up into the cloud. Each of those applications, though, has been historically associated with a general-purpose network that you get to control, so that you can give different quality of service to different classes of workload or applications. How is that changing, and what pressures is that putting on your network as you move to more cloud-based operations?

Well, I think that's a huge challenge for us, and I think, frankly, for most people. I think you have to rethink how your network is designed fundamentally, from the ground up. And if you think about networks in the past, you know, in mainly an on-prem world, you basically had to backhaul a lot of traffic, in our case 33 locations worldwide, a lot of backhauling of services and transactions back to wherever that application exists. So for example, historically we've had Office, excuse me, the Microsoft mail system, or Exchange, on-prem. We have, you know, other services that are on-prem, for example Oracle and our ERP system, etc. And the challenge was to move all that traffic back to basically our core data center. And as you move to the cloud, you have an opportunity to actually, really, to rethink that. So what we've been in the process of doing over the last, say, year has been to redesign our network from the ground up, and moving away from sort of the central monolithic network to more of a cloud slash edge-based network. So with that, we've also moved from hardware, basically a fairly heavy investment in hardware in each of the offices, for example, and we're now, or we're actually in the process, very far along in the process, of converting all that hardware into a software-defined network that allows us to do some things that we have never been able to do operationally. For example, we can make deployments sort of from one central location worldwide, both for security and patching, etc. And so what we've also done is we've moved, as I said, we have a lot of our workloads already in the cloud, and we continue to put more on the cloud. One of the things that's become important is we've got to maintain and create, actually, a low-latency environment. So for example, ultimately putting our, you know, unified communication systems and technologies in the cloud, to me where is me without having a low-latency environment and a low-latency network, so that we can actually provide dial tone worldwide without worrying about performance. So what we've already done is we've transitioned from the centralized network into an edge-based network. We've actually happened now a partner that we now are putting in services into a local presence idea have worldwide into firm into three locations for equinox, and with that comes the software-based network, and it allows us to move traffic directly to the edge, and therefore once we're at the edge we can go very quickly, at sort of backbone speeds, into whatever cloud service we need, whether it's Azure, AWS or Salesforce or any other provider, Office 365. We can get that sort of speed and low latency. That has created a new environment for us, which is now virtual, software-based, and gives us a tremendous amount of flexibility moving what I consider fairly heavy and significant workloads that remain on-prem. It gives us the option of moving that to the cloud. And with that, one of the key things that comes with that is making sure that we can hold our vendors very accountable for performance. So for example, if we experience an issue with Office 365 performance, whether it's in Pune or Westford or wherever it is, we want to be able to make sure that we have the information and the data that says to Microsoft, in this case, hey, you know, actually the performance isn't great from wherever those users are, wherever that office is. So we want to provide them information to basically prove that our network, or our internal capabilities and network, are performing very well, but maybe that there's an issue with something in performance on their side. So without this sort of fact-based information, it's really hard to have those discussions with vendors. So one of the things I think is important for everyone to consider when you move more to a cloud is you've got to have the ability to troubleshoot and make sure that you can actually maintain a very complicated environment. So one of the things we have done, and we continue to do, is use our own products, actually, to give greater visibility than we've ever had before in this new sort of multi, this multi sort of cloud, multi-prem environment, which is a very powerful thing for us. And the team that is using this technology is sort of seeing visibility into things that they've never really been able to see before. So that's been quite exciting, but I think that's sort of, frankly, table stakes moving forward into, you know, deeper, more cloud, or the sort of workload-independent model that we're seeking.

Well, so one of the government building this, because I have conversations like this all the time, and I don't think people realize the degree to which some of these changes are really going to change the way that they actually get worked on. When there's a problem, you have control of the network and the application and the endpoints. If there is an issue, you can turn to someone who works for you and say, here's the deal, fix this, or I'll find somebody else that can fix it. So you have an employment-based, almost, model of coercion. You can get people to do what you want to do. But when you move into the cloud, you find yourself having to use a contracting approach to actually get crucial things done. And problems crop up either way. It doesn't matter if you own it all or somebody else owns it all, you're going to encounter problems. And so you have to accelerate and diminish the amount of back-and-forth haggling that goes on, and as you said, the best way to do that is to have fact-based, evidence-based visibility into what's actually happening, so that you can pinpoint and avoid the back-and-forth about whose issue it really is.

Exactly. I mean, there's so much, you know, at the end of the day, IT is still responsible for user productivity. So whether somebody's having, you know, an application issue in terms of availability, or, frankly, if it's not performing up to what it should be, you're still accountable as an organization. And regardless of where the workloads are, it could be, as you point out, you know, back in the day you could always go to your data center and do a lot of investigation and really do a lot of troubleshooting within the four walls. Today you just don't have that visit, you don't have that luxury, call it. And so it's a whole new world, and, you know, we all are relying increasingly on vendors, which reads a contracting star, which is, you know, presents an issue. And, you know, sort of having these conversations with a vendor or contractor, regardless of your relationship with them, you're still, again, you're on the hook for doing this. So you've got to have some facts, you've got to have some story, you have to show, in terms of, hey, you know, we're good on this side, you know, the issue really is on you. And we've actually had situations, whether it was performance issues or service interruptions or bugs from different vendors, where
they've impacted our you know the net Scout organization and without you know deep understanding of what's going on you really don't have anywhere to go you you really have to have this sort of greater visibility and this is one of the things that you know is a is a is a lesson learned from at least from the journey that we're taking and so I think that's part of the story of the cloud and sort of migration and virtualization story is you really have to have this newfound visibility so I think that's been you know really important for us so I'm gonna I'm gonna see if I can't generalize that a little bit because I think it's great point as you go into a network redesign to support go to operations excellent operations in a cloud you have to also go into a sourcing and information redesign so that you can be assured that you're getting the information you need to sustain the degree of control or approximate the control that you had before otherwise you've got great technology but no way to deal with problems when they arise right exactly and you know as I said we've seen this movie and Minoo without having what we have I think we would have struggle as an organization actually to resolve the issue and that's not good for the company because you know IT part of the minute the mandate and their the remit for us is to make sure that people are as productive as it can be and so not having the ability to provide that environment is actually a huge problem for I think a lot of people and one of the ways we are working with it is to you know have that sort of visibility it also means upgrading the team skills which we've done a lot of work on so you take folks that were in IT that you know may have had a certain set of skills sort of in the on-prem environment call it those skills are quite different in in that in the sort of cloud or the mix exposure environment so I think upskilling you know having more information better information is really as part of the story that 
we're learning and that part of it at the end of the day it's not about upgrading the network it's about upgrading the network capability exactly yeah and you can't do that if especially the new world if you don't upgrade your ability to get information about how the whole thing is working together exactly all right Thor Wallis senior vice president and CIO at net Scout thanks very much for being on the queue thank you and once again I want to thank you participating in today's conversation until next time
Darren Anstee, NETSCOUT | CUBEConversation, November 2019
From the SiliconANGLE media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante.

>> Hello everyone, and welcome to this CUBE Conversation. Today we're gonna dig into the challenges of defending distributed denial of service, or DDoS, attacks. We're gonna look at what DDoS attacks are, why they occur, and how defense techniques have evolved over time. And with me to discuss these issues is Darren Anstee. He's the CTO of security at NETSCOUT. Darren, good to see you again. Can you tell me about your role? You're CTO of security, so you've got CTOs specific to the different areas of your business?

>> Yeah, so I work within the broader CTO office at NETSCOUT, and we really act as a bridge between customers, engineering teams, our product management and the broader market. And we're all about making sure that our strategy aligns with that of our customers, that we're delivering what they need and when they need it. And we're really about thought leadership, so looking at the unique technologies and capabilities that NETSCOUT has and how we can pull those things together to deliver new value propositions, new capabilities that can move our customers' businesses forward, and obviously taking us with them.

>> Great. So let's get into it. I mean, everybody hears of DDoS attacks, but specifically, you know, what are they? Why do they occur? What's the motivation behind the bad guys hitting us?

>> So a distributed denial of service attack is simply when an attacker is looking to consume some or all of the resources that are assigned to a network, service or application, so that a genuine user can't get through: so that you can't get to that website, so that your network is full of traffic, so that firewall is no longer forwarding packets. That's fundamentally what a DDoS attack is all about. In terms of the motivations behind them, they are many and varied. There's a wide, wide range of motivations behind the DDoS activity that we see going on out there today: everything from cybercrime, where people are holding people to ransom, so I will take your website down unless you pay me, you know, X Bitcoin; from ideological disputes through to nation-state attacks. And then of course you get the, you know, things like students in higher educational establishments targeting online coursework submission and testing systems because they simply, you know, don't want to do the work. Fundamentally, the issue you have around the motivations today is that it's so easy for anyone to get access to fairly sophisticated attack capabilities that anyone can launch an attack for pretty much any reason, and that means that pretty much anyone can be targeted.

>> Okay, so you gotta be ready. So are there different types of attacks? I guess so, right? It used to be denial of service, now it's distributed denial of service. But what are the different types of attacks?

>> So the three main categories of distributed denial of service attack are what we call volumetric attacks, state exhaustion attacks and application-layer attacks. And you can kind of think of them around the different aspects of our infrastructure, or the infrastructure of an organization, that gets targeted. So volumetric attacks are all about saturating Internet connectivity, filling up the pipe, as it were. State exhaustion attacks are all about exhausting the state tables in specific pieces of infrastructure. So if you think about load balancers and firewalls, they maintain state on the traffic that they're forwarding. If you can fill those tables up, they stop doing their job and you can't get through them. And then you have the application-layer attacks, which, as their name would suggest, is simply an attacker targeting a service at the application layer, so for example flooding a website with requests for a download, something like that, so that a genuine user can't get through.

>> Presumably some of those attacks, for the infiltrators, some of them are probably easier, have a lower bar than others. Is that right? Or are they pretty much all the same level of sophistication?

>> In terms of the attacks themselves, there's big differences in the sophistication of the attack. In terms of launching the attack, it's really easy now. So a lot of the attack tools that are out there today are fully weaponized, so you click a button, it launches multiple attack vectors at a target. Some of them will even rotate those attack vectors to make it harder for you to deal with the attack. And then you have the DDoS-for-hire services that will do all of this for you as effectively a managed service. So there's a whole economy around this stuff.

>> So, common challenge in security, very low barriers to entry. How have these attacks changed over time?

>> So DDoS is nothing new. It's been around for over 20 years, and it has changed significantly over that time period, as you would expect with anything in technology. If you go back 20 years, a DDoS attack of a couple of gigabits a second would be considered very, very large. Last year we obviously saw DDoS attacks break the terabit barrier, so, you know, that's an awful lot of traffic. If we look in a more focused way at what's changed over the last 18 months, I think there's a couple of things that are worth highlighting. Firstly, we've seen the numbers of what we would consider to be mid-sized attacks really grow very quickly over the last 12 months. Mid-sized to us is between 100 and 400 gigabits per second, so we're still talking about very significant traffic volumes that can do a lot of damage, you know, saturate the internet connectivity of pretty much any enterprise out there. Between 2018 and 2019, looking at the two first halves respectively, you're looking at about seven hundred and seventy-six percent growth. So there are literally thousands of these attacks going on out there now in that hundred to four hundred gig band, and that's changing the way that network operators are thinking about dealing with them. Second thing that's changed is in the complexity of attacks. Now, I've already mentioned this a little bit, but there are now a lot of attack tools out there that completely automate the rotation of attack vectors during an attack, so changing the way the attack works periodically, every few minutes or every few seconds. And they do that because it makes it harder to mitigate; it makes it more likely that they'll succeed in their goal. And then the third thing that I suppose has changed is simply the breadth of devices and protocols that are being used to launch attacks. So we all remember in 2016 when Dyn was attacked and we started hearing about IoT and Mirai and things like that, that CCTV and DVR devices were being used there. Since then, a much broader range of device types being targeted, compromised, subsumed into botnets and used to generate DDoS attacks. And we're also seeing them use a much wider range of protocols within those DDoS attacks. So there's a technique called reflection amplification, which has been behind many of the largest DDoS attacks over the last 15 years or so. Traditionally it used a fairly narrow band of protocols. Over the last year or so we've seen attackers researching and then weaponizing a new range of protocols, expanding their capability, getting around existing defenses. So there's a lot changing out there.

>> So you're talking about mitigation. How do you mitigate? How do you defend against these attacks?

>> So that's changing, actually. So if you look at the way that the service provider world used to deal with DDoS, predominantly what you would find is they would be investing in intelligent DDoS mitigation systems, such as the Arbor TMS, and they'd be deploying those solutions into their primary peering locations, potentially into centralized data centers. And then when they detected an attack using our Sightline platform, they would identify where it was coming in, they'd identify the target of the attack, and they'd divert the traffic across their network to those TMS locations, inspect the traffic, clean away the bad, forward on the good, protect the customer, protect the infrastructure, protect the service. What's happening now is that the shape of service provider networks is changing. So if we look at the way the content used to be distributed in service providers, they'd pull it in centrally, push it out to their customers. If we look at the way that value-added service infrastructure used to be deployed, it was very similar: they'd deploy it centrally and then serve the customer. All of that is starting to push out to the edge now. Content's coming in in many more locations, nearer to where it's delivered. Value-added service infrastructure is being pushed into virtual network functions at the edge of the network. And that means that operators are not engineering the core of their networks in the same way, they want to move DDoS attack traffic across their network so that they can then inspect and discard it. They want to be doing things right at the edge, and they want to be doing things at the edge combining together the capabilities of their router and switch infrastructure, which they've already invested in, with the intelligent DDoS mitigation capabilities of something like an Arbor TMS. And they're looking for solutions that really orchestrate those combinations of mitigation mechanisms to deal with attacks as efficiently and effectively as possible. And that's very much where we're going with the Sightline with Sentinel products.

>> Okay, and we're gonna get into that. You'd mentioned service providers. Do enterprises approach it the same way, and what's different?

>> So some enterprises are approaching it in exactly the same way. So your larger-scale enterprises that have networks that look a bit like those of service providers are very much looking to use their router and switch infrastructure, very much looking for a fully automated, orchestrated attack response that leverages all capabilities within a given network, with full reporting, all of those kinds of things. For other enterprises, hybrid DDoS defense has always been seen as the best practice, which is really this combination of a service provider or cloud-based service to deal with high-volume attacks that would simply saturate connectivity, with an on-prem or virtually on-prem capability that has a much more focused view of that enterprise's traffic, that can look at what's going on around the applications, potentially decrypt traffic for those applications, so that you can find those more stealthy, more sophisticated attacks and deal with them very proactively.

>> Do you, you know, a lot of times companies don't want to collaborate because they're competitors, but security is somewhat different. Are you finding that service providers, or maybe even large organizations but not financial services, are they collaborating and sharing information?

>> They're starting to. So with the scale of DDoS now, especially in terms of the size of the attacks and the frequency of the attacks, we are starting to see, I suppose, two areas where there's collaboration. Firstly, you're seeing groups of organizations who are looking to offer services in a unified way to a customer outside of their normal reach. So, you know, service provider A has reach in region A, service provider B in region B, C in region C. They're looking to offer a unified service to a customer that has offices in all of those regions, so they need to collaborate in order to offer that unified service. So that's one driver for collaboration. Another one is where you see large service providers who have multiple kind of satellite operating companies. So, you know, you think of some of the big brands that are out there in the service provider world: they have networks in lots of parts of the world, then they have other networks that join those networks together, and they would very much like to share information kind of within that. The challenge has always been, well, there are really two challenges to sharing information to deal with DDoS. Firstly, there's a trust challenge. So if I'm going to tell you about a DDoS attack, are you simply going to start doing something with that information that might potentially drop traffic for a customer, that might impact your network in some way? That's one challenge. The second challenge is in visibility: if I tell you about something, how do you tell me what you actually did? How do I find out what actually happened? How do I tell my customer that I might be defending what happened overall? So one of the things that we're doing in Sightline is we're building in a new smart signaling mechanism where our customers will be able to cooperate with each other. They'll be able to share information safely between one another, and they'll be able to get feedback from one another on what actually happened, what traffic was forwarded, what traffic was dropped.

>> That's critical, because you've mentioned the first challenge is you've got the balance of, okay, business disruption versus protecting, and the second is, hey, something's going wrong, I don't really know what it is. Well, that's not really very helpful. Well, let's get more into the Arbor platform and talk about how you guys are helping solve this problem.

>> Okay. So Sightline, the Arbor Sightline platform, has been the market-leading DDoS detection and mitigation solution for network operators for well over the last decade. Obviously we were acquired by NETSCOUT back in 2015, and what we've really been looking at is how we can integrate the two sets of technologies to deliver a real step change in capability to the market. And that's really what we're doing with the Sightline with Sentinel product. Sightline with Sentinel integrates NETSCOUT and Arbor technology. So Arbor has traditionally provided our customers, our Sightline customers, with visibility of what's happening across their networks at layer 3 and 4, so very much a network focus. NETSCOUT has Smart Data technology. Smart Data technology is effectively about acquiring packet data in pretty much any environment, whether we're talking physical, virtual, container, public or private cloud, and turning those packets into metadata, into what we call Smart Data. What we're doing in Sightline with Sentinel is combining packet and flow data together. So you can think of it as kind of like colorizing a black and white photo. So if you think about the picture we used to have in Sightline as being black and white, we add this Smart Data, suddenly we've colorized it. When you look at that picture, you can see more, you can engage with it more, you understand more about what was going on. We're moving our visibility from the network layer up to the service layer, and that will allow our customers to optimize the way that they deliver content across their networks. It will allow them to understand what kinds of services their customers are accessing across their network, so that they can optimize their value-added service portfolios, drive additional revenue. They'll be able to detect a broader range of threats, things like botnet monitoring, that kind of thing. And they'll also be able to report on distributed denial of service attacks in a very different way. If you look at the way in which much of the reporting that happens out there today is designed, it's very much network layer: how many bits are forwarded, how many packets are dropped. When you're trying to explain to an end customer the value of the service that you offer, that's a bit kind of vague. What they want to know is, how did my service perform, how is my service protected? And by bringing in that service-layer visibility, we can do that. And that whole smarter visibility angle will drive a new intelligent automation engine, which will really look at any attack and then provide a fully automated, orchestrated attack response using all of the capabilities within a given network, even outside a given network using the smarter signaling mechanism, whilst delivering a full suite of reporting on what's going on, so that you're relying on the solution to deal with the attack for you to some degree, but you're also being told exactly what's happening, why it's happening and where it's happening.

>> And your secret sauce, is this the way in which you handle the metadata, what you call Smart Data? Is that right?

>> Our secret sauce really is in, I think it's in a couple of different areas. So with Sightline with Sentinel, the Smart Data is really a key one. I think the other key one is our experience in the DDoS space. So we understand how our customers are looking to use their router and switch infrastructure, we understand the nature of the attacks that are going on out there, we have a unique set of visibility into the attack landscape through the NETSCOUT ATLAS platform. When you combine all of those things together, we can look at a given network and we can understand, for this attack, at this second, this is the best way of dealing with that attack using these different mechanisms. If the attack changes, we love to our strategy. And building that intelligent automation needs that smarter visibility. So all of those different bits of our secret sauce really come together in Sentinel.

>> So is that really your differentiator from, you know, your key competitors, that you've got the experience, you've got obviously the tech? Anything else you'd add to that?

>> I think the other thing that we've got is two people. So we've got a lot of research kind of capability in the DDoS space, so we are delivering a lot of intelligence into our products as well. Now, it's not just about what you detect locally anymore, and we look at the way that the attack landscape is changing. I mentioned that attackers are researching and weaponizing new protocols. You know, we're learning about that as it happens, by looking at our honeypots, by looking at our sinkholes, by looking at our ATLAS data. We're pushing that information down into Sightline with Sentinel as well, so that our customers are best prepared to deal with what's facing them.

>> When you talk to customers, can you kind of summarize for our audience the key business challenges? You talked about some of the technical; there may be some others that you can mention, but try to get to that business impact.

>> Yeah, so on the business side of it, there's a few different things. So a lot of it comes down to operational cost and complexity, and also obviously the cost of deploying infrastructure. And both of those things are changing because of the way that networks are changing and business models are changing. On the operational side, everyone is looking for their solutions to be more intelligent and more automated, but they don't want them simply to be a black box. If it's a black box, it either works or it doesn't, and if it doesn't, you've got big problems, especially if you've got service level agreements and things tied to services. So intelligent automation to reduce operational overhead is key, and we're very focused on that. Second thing is around deployment of capability into networks. So I mentioned that the traditional DDoS mitigation kind of strategy was to deploy intelligent DDoS mitigation capability into key peering locations and centralized data centers. As we push things out towards the edge, our customers are looking for those capabilities to be deployed more flexibly. They're looking for them to be deployed on common off-the-shelf hardware. They're looking for different kinds of software licensing models, which again is something that we've already addressed, to kind of allow our customers to move in that direction. And then the third thing, I think, is really half opportunity and half business challenge, and that's that when you look at service providers today, they're very, very focused on how they can generate additional revenue. So they're looking very much at how they can take a service that maybe they've offered in the past to their top hundred customers and offer it to their top thousand or five thousand customers. Part of that is intelligent automation, part of that is getting the visibility, but part of that again is partnering with an organization like NETSCOUT that can really help them to do that. And so it's kind of part challenge, part opportunity there, but that's again something we're very focused on.

>> I want to come back and double down on the point about automation. Seems to me one of the unique things about security is this huge skills gap, and people complain about that all the time. A lot of infrastructure businesses, you know, automation means that you can take people and put them on, you know, different tasks, more strategic, and I'm sure that's true also in security. But because of that skills gap, automation is the only way to solve these problems, right? I mean, you can't just keep throwing people at the problem, because you don't have the skilled people and you can't take that brute force approach. Does that make sense to you?

>> It's scale and speed when it comes to distributed denial of service. So given the attack vectors are changing very rapidly now, because the tools support that, you've got two choices as an operator. You either have somebody focused on watching what the attack is doing and changing your mitigation strategy dynamically, or you invest in a solution that has more intelligent art and more intelligent analytics, better visibility of what's going on, and that's Sightline with Sentinel, fundamentally. The other key thing is the scale aspect, which is, if you're looking to drive value-added services to a broader addressable market, you can't really do that, you know, by simply hiring more and more people, because the services don't cost in. So that's where the intelligent automation comes in. It's about scaling the capability that operators already have, and most of them have a lot of, you know, very clever, very good people in the security space. You know, it's about scaling the capability they already have to drive that additional revenue, to drive the additional value.

>> So if I had to boil it down, the business is obviously lower cost, it's, as mentioned, scale, more effective mitigation, which, you know, lowers your risk, and then for the service providers it's monetization as well.

>> Yeah, and the more effective mitigation is a key one as well. So, you know, leveraging that router and switch infrastructure to deal with the bulk of attack, so that you can then use the intelligent DDoS mitigation capability, the Arbor TMS, to deal with the more sophisticated components, combining those two things together.

>> All right, we'll give you the final word, Darren. You know, takeaways, and, you know, any key point that you want to drive home.

>> Yeah, I mean, Sightline has been a market-leading product for a number of years now. What we're really doing in NETSCOUT is investing in that. We're pulling together the different technologies that we have available within the business to deliver a real step change in capability to our customer base, so that they can have a fully automated and orchestrated attack response capability that allows them to defend themselves better and allows them to drive a new range of value-added services.

>> Well, Darren, thanks for coming on. You guys are doing great work. Really appreciate your insights.

>> Thanks, Dave.

>> You're welcome. And thank you for watching, everybody. This is Dave Vellante. We'll see you next time.
Dr. Vikram Saksena, NETSCOUT | CUBEConversation, July 2019
>> From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now here's your host, Stu Miniman.
>> Hi, I'm Stu Miniman, and this is a CUBE Conversation from our Boston-area studio. Happy to welcome to the program a first-time guest on the program, but from NETSCOUT, who we've been digging into the concept of visibility without borders: Dr. Vikram Saksena, who's with the office of the CTO from the aforementioned NETSCOUT. Thank you so much for joining us.
>> Thanks, Stu. Thanks for having me.
>> All right, Dr. Saksena, before we get into kind of your role, why don't you go back, give us a little bit about, you know, your background. You and I have some shared background; we both worked for some of the arms of, you know, Ma Bell.
>> That's right.
>> Back in the day. Yeah, you were a little bit more senior, and, yeah, you know, probably a lot more patents than I have. My current count is still...
>> Sure, happy to do that. You're right, I started in '82, which was two years before the breakup of Ma Bell. So, you know, and then everything started happening right around that time. So yeah, I started in Bell Labs, you know, stayed there close to 20 years, did a lot of the early pioneering work on packet switching. Before the days of internet, frame relay, all of that happened. It was a pretty exciting time. I was there building up, we built up the AT&T business from scratch to a billion dollars in the IP space, you know, in a voice company. That was always challenging. So, and then I moved on to do startups in the broadband space, two of them, moved to the Boston area, and then moved on to play the CTO role in public companies, Sonus Networks, Tellabs, and then, you know, came to NETSCOUT about five years ago.
>> Yeah, you know, I love talking about, you know, some of those incubators of innovation. Though I, you know, historically speaking, just, you know, threw off so much technology.
>> That's right.
>> Been seeing so much in the media lately about, you know, the 50th anniversary of Apollo 11, that's so many things that came out of NASA. Bell Labs was one of those places that helped inspire me to study engineering; that's, you know, definitely got me on my career. But here we are, 2019, that's, you're still, you know, working with some of these telcos and how they're all, you know, dealing with this wave of cloud, and, yeah, I know the constant change there. So bring us inside, you know, what's your role inside NETSCOUT, that office of the CTO?
>> Yes. So NETSCOUT is in the business of, you know, mining network data, and what we excel at is extracting what we call actionable intelligence from network traffic, which we use the term smart data. But essentially my role is really to be the bridge between our technology group and the customers. You know, bring out, understand the problems, the challenges that our customers are facing, and then work with the teams to build the right product to, you know, fit into the current environment.
>> Okay. One of our favorite things on theCUBE is, you know, talking to customers, they're going through their transformation. That's what you talk about, the enterprise, you know, digital transformation; that's what we think, there's more than just the buzzword there. Yeah, I've talked to financial institutions, manufacturing, you know, you name it out there. If it's a company that's not necessarily born in the cloud, they are undergoing that digital transformation. Bring us inside, you know, your customer base, the telcos, the service providers. You know, most of them have a heavy tech component to what they're doing, but, you know, are they embracing digital transformation? What does it mean for them?
>> So, you know, as you said, it's a big term that catches a lot of things, but in one word, if I described it for the telcos, it's all about agility. If you look at the telco model, historically it has been on a path where services get rolled out every six months, year, multiple years, you know, not exactly what we call an agile environment compared to today. You know, but when the cloud happened, it changed the landscape, because cloud not only created a new way of delivering services but also changed expectations on how fast things can happen. And that created high expectations on the customer side, which in turn started putting pressure on the telcos and the service providers to become as agile as cloud providers. And as you know, the network, which is really the main asset of a service provider, was built around platforms that were not really designed to be programmable, you know, so they came in with hardwired services, and they would change at a very low timescale. And building around that is the whole software layer of OSS/BSS, which over time became very monolithic, very slow to change. So coupling the network and the software layer created a very slow-moving environment. So this is what's really causing the change to go to a model where the networks can be programmable, which essentially means moving from a hardware-centric model to a software-centric model, where services can be programmed on demand and created on the fly, and maybe sometimes even under the control of the customers, and layering on top of that, changing the OSS infrastructure to make it more predictive, make it more actionable, and driven by advances in machine learning and artificial intelligence, to make this entire environment extremely dynamic and agile. So that's kind of what we are seeing in the marketplace.
>> Yeah, I totally agree that that agility is usually the first thing put forward. I need to be faster. Yeah, it used to be, you know, faster, better, cheaper; now it's like faster, faster, faster, I can actually help compensate for some of those other pieces there. Of course, service providers are usually, you know, very conscious on the cost of things there, because if they can lower their cost, they can usually, of course, make them more competitive and pass that along to their ultimate consumers. You know, bring us inside that. You know, you mentioned this change to software that's going on. You know, there are so many waves of change going on there, everything from, you know, you talk about IoT and edge computing. Yeah, it's a big, you know, massive rollout of 5G that, yeah, even gets talked about in the general press these days and at government states there. So, you know, where are, you know, your customers today? What are some of the critical challenges they have? And, yeah, you know, where does that kind of monitoring, observability, that kind of piece fit in?
>> So, good. So let me give two backdrop points. First of all, you mentioned cost. So they are always very cost-conscious, trying to drive it down, and the reason for that is the traditional services have been heavily commoditized, you know: voice, texting, video, data, they've been commoditized. So the customers want the same stuff cheaper and cheaper and cheaper all the time, right? So that puts a pressure on margins and reducing cost. But now the industry is at a point where I think the telcos need to grow the top line. You know, that's a challenge, because you can always reduce cost, but at some point you get to a point of diminishing returns. So now I think the challenge is how do they grow their top line, you know, so they can become healthier again in that context. And that leads to the whole notion of what services they need to innovate on. So it's all about, once you have a programmable network and a software that is intelligent and smart, that becomes a platform for delivering new services. So this is where, you know, you see on the enterprise side SDN, enterprise IoT, all these services are coming now, using technologies of software-defined networking, network function virtualization. And 5G, as you mentioned, is the next generation of wireless technology that is coming on board right now, and that opens up the possibility for the first time for two new things, dimensions, to come into play. First, not only a consumer-centric focus, which was always there, but now opening it up to enterprises and businesses and IoT. And secondly, fixed broadband, right? The era where telcos used to either drive copper or fiber: slow, cumbersome, takes a lot of time, right? And the cable guys have already done that with coaxial cable. So they need to go faster, and faster means use wireless. And finally, with 5G, you have a technology that can deliver fixed broadband, which means all the high-definition video, voice, data and other services like AR/VR into the home. So it's opening up a new possibility: rather than having a separate fixed network and a separate wireless network, for the first time they can collapse that into one common platform and go after both fixed and mobile and both consumers and enterprise, of course.
>> Yeah, we said, one of the big topics of conversation at Cisco Live, was at San Diego just a short time ago, it was 5G and then, you know, Wi-Fi 6, the next generation of that, because I'm still going to need inside my building, you know, for the companies. But the 5G holds the promise to give me so much faster bandwidth, so much denser environment. I guess some of the concerns I hear out there, and maybe you can tell me kind of where we are and where the telcos fit in, is, you know, 5G from a technology standpoint, we understand where it is, but that rollout is going to take time. Yes, you know, it's great to say you're going to have this dense and highly available thing, but, you know, that's gonna start the same place all the previous generations, all right? It's the place where actually we don't have bad connectivity today. It's, you know, in the urban areas, it's where we have dense populations. You know, sometimes it's thrown out there, oh, 5G is gonna be great for edge and IoT, and it's like, well, you know, we don't have balloons and planes, you know, and, you know, the towers everywhere. So where are we with that rollout of 5G? What sort of timeframes are your customer base looking at as to where that goes to play?
>> So I think, from what I'm seeing in the marketplace, I think there is less of a focus on building out ubiquitous coverage, because, you know, when the focus is on consumers, you need coverage, because they're everywhere, right? But I think where they are focusing on, because they want to create new revenue, new top-line growth, they're focusing more on industry verticals, IoT. Now that allows you to build out networks in pockets of where your customers are, because enterprises are always focused in the top cities and, you know, top metro areas. So before you make it available for consumers, if you get an opportunity to build out, at least in the major metropolitan area, an infrastructure where you're getting paid as you're building it out, because you're signing up these enterprise customers who are willing to pay for these IoT services, you get paid, you get to build out the infrastructure, and then slowly, as new applications emerge, I think you can make it widely available for consumers. I think the challenge on the consumer side is the smartphones have been tapped out, you know, and people are not going to get that excited about 5G just to use the next-gen iPhone, right? So there it has to be about new applications and services, and things that people talk about, always on the horizon, are AR, VR and things like that. But they are out there, they're not there today, because a device has to come on board that becomes mass-consumable and exciting to customers. So while the industry is waiting for that to happen, I think there's a great opportunity right now to turn up services for enterprise verticals in the IoT space, because the devices are ready and everybody, because enterprises are going through their own digital transformation, they want to be in a connected world, right? So they're putting pressure on telcos to connect all their devices into the network, and there is a monetization opportunity there. So I think what the carriers are going to do is sign up verticals, whether it's transportation, health care. So if they sign up a bunch of hospitals, they're going to deploy infrastructure in that area to sign up hospitals. If they're going to sign up manufacturing, they're going to build their infrastructure in those areas where they are, right? So by that model, you can build out a 5G network that is concentrated on their customer base and then get to ubiquitous coverage later, when the consumer applications come.
>> Yeah, so I like that a lot, because, you know, when I think back, if we've learned from the sins of the past, it used to be, if we build it, they will come. Let's, you know, dig trenches across all the highways and with as much fiber as we can, and then the dot-com burst happens and we have all of this capacity that we can't give away. Yeah, what it sounds like you're describing is really a service-centric view.
>> Yes.
>> I've got customers and I've got applications, and I'm going to build to that, and then I can build off of that, yeah, piece there. Could talk a little bit about that focus and, you know, where your customers are going?
>> Yeah, so maybe just slightly before that, what I want to talk about is the distributed nature of the 5G network. So you mentioned edge, right? So one of the things that are happening: when you want to deliver low-latency services or high-bandwidth services, you need to push things closer to the edge. As you know, when cloud started, it's more in what we call the core, you know, the large data centers, the hyperscale data centers, where applications are being deployed now. But when you demand low latency, let's say sub-15-millisecond, 10-millisecond latency, that has to be pushed much closer to the customer. Now this is what's forcing the edge cloud deployment in 5G. And then what that does is it also forces you to distribute functionality. You know, everything is not centralized in the core, but it's distributed in the edge and the core. The control plane may be in the core, but the user plane moves to the edge. So that changes the entire flow of traffic and services in a 5G network. They are no longer centralized, which means it becomes more challenging to be able to manage and assure these services in a highly distributed telco cloud environment, which has this notion of edge and core. Now on top of that, if you say that, you know, this is all about top-line growth and customer satisfaction, then your focus on operationalizing these services has to change from a network-centric view to a service-centric view. Because in the past, as you know, when we were both in Bell Labs in AT&T, you know, we were pretty much, you know, focused on the network, you know, focused on the data from the network, the network elements, the switches and the routers and all of that, and making sure that the network is healthy. Now that is good, but it's not sufficient to guarantee that the services and the service level agreements for customers are being met. So what you need to do is focus at the service layer much more so than you were doing it in the past. So that changes the paradigm on what data you need to use, how you want to use it, and how do you stitch together this view in a highly distributed environment, and do it in real time and do it all very quickly, so the customers don't see the pain if anything breaks, and actually be more proactive, in a lot of cases be more predictive, and take corrective actions before they impact services. So this is the challenge, and clearly from a NETSCOUT point of view, I think we are right in the center of this hurricane, and, you know, given the history, we sort of have figured out on how to do this.
>> Yeah, you know, the networking has a long history of, we've got a lot of data, we've got all of these flows, and things change. But, right, exactly as you said, understanding what happened at that application, that is, we've been really trying to make sure it's just IT sitting on the side, but IT driving that business. That's my application, those data flows. So yeah, maybe expound a little bit more on NETSCOUT's fit there, and, you know, why it's so critical for what customers need today.
>> Yeah, happy to do that. So if you look at what are the sources of data that you actually can use and what you should use, basically they fall into three buckets, what I call. First is what I call infrastructure data, which is all about data you get from hypervisors, vSwitches. They're telling you more about how the infrastructure is behaving, where you need to add more horsepower, CPUs, memory, storage and so on. So that is very infrastructure-centric. The second one is from network elements, you know, what the DNS servers give you, DHCP servers, what your routers and switches are giving you, the firewalls are giving you, and they are also in a way telling you more about what the network elements are seeing. So there's a little bit of a hybrid between infrastructure and a service layer component. But the problem is that data is very vendor-dependent. It's highly fragmented across there, because there's no real standards how to create this data. So there is telemetry data, there are syslogs, and all vendors do it what they think is best for them. So the challenge then becomes, on the service provider side, how do you stitch together, because service is an end-to-end construct, or an application: it starts at a user and goes to a server, and you need to be able to get that holistic view end to end. So the most appropriate data that NETSCOUT feels is what we call the wire data, or the traffic data, is actually looking at packets themselves, because they give you the most direct knowledge about how the service is behaving, how it's performing, and not only that, you can actually predict problems as opposed to react to problems, because you can trend this data, you can apply machine learning to this data and be able to say what might go wrong and be able to take corrective action. So we feel that extracting the right contextual information, relevant implicit information, timely information, in a vendor-independent way, in a way that is universally available from edge to core, those are the attributes of wire data, and we excel in processing that at the source in real time and converting all of that into actionable intelligence that is very analytics- and automation-friendly. So this is our strength. What that allows us to do is, as they are going through this transition between 4G and 5G, between physical and virtual, across fixed and mobile networks, you know, you can go through this transition if you have a stitched-together end-to-end view that crosses these boundaries, or borders, as we call it, visibility without borders. And in this context, your operations people never lose insight into what's going on with their customer applications and behavior, so they can go through this migration with confidence that they will not negatively impact their user experience by using our technology.
>> Yeah, you know, we've thrown out these terms, intelligence and automation, for decades, yes, in our industry. But if you look at these hybrid environments and all of these changes come out, if an operator doesn't have tools like this, they can't keep up, they can go. So I need to have that machine learning, I have to have those tools that can help me intelligently attack these pieces; otherwise there's no way I can do it.
>> Yeah, and one point there is, you know, it's like garbage in, garbage out. If you don't get the right data, you can have the most sophisticated machine learning, but it's not going to predict the right answer. So the quality of data is very important, just as the quality of your analytics and your algorithms. So we feel that the combination of right data and the right analytics is how you're going to get advantage of, you know, accurate predictions and automation around that whole suite.
>> Okay, love that: right data, right information, right delusion why don't want to give you, right analytics. I want to give you the final word, final takeaways for your customers today.
>> So I think we are in a very exciting time in the industry. You know, 5G as a technology is probably the first-generation technology which is coming on board where there is so much focus on things like security and new applications and so on. And I think it's an exciting time for service providers to take advantage of this platform and then be able to use it to deliver new services and ultimately see their top lines grow, which we all want in the industry, because if they are successful, then we as suppliers, you know, do well. You know, so I think it's a pretty exciting time, and we as NETSCOUT are happy to be in this spot right now and to see and help our customers go through this transition.
>> All right, Dr. Vikram Saksena, thank you so much for joining us, sharing with us everything that's happening in your space, and glad to see the excitement still with the journey that you've been on.
>> Thank you, Stu. Happy to be here.
>> All right, and as always, check out thecube.net for all of our content. I'm Stu Miniman, and thanks as always for watching theCUBE.
Russ Currie, NETSCOUT | Cisco Live US 2019
>> Live from San Diego, California, it's theCUBE, covering Cisco Live US 2019. Brought to you by Cisco and its ecosystem partners.
>> Welcome back. Here in the San Diego Convention Center, I'm Stu Miniman, and my co-host, Dave Vellante, and you're watching theCUBE, the leader in worldwide tech coverage, and it's Cisco Live 2019. Happy to welcome back to the program one of our CUBE alums, Russ Currie, who is the vice president of enterprise strategy at NETSCOUT. It's great to see you. Thanks for joining us.
>> Thanks, guys. Thanks for having me.
>> All right, we always say, we got a bunch of Massachusetts guys that had to fly all the way across the country to talk to each other. Really well. So a couple hours for the beast hip, all everybody excited. But a lot of excitement here in the DevNet Zone specifically and Cisco Live overall, 28,000 in attendance. You've been to a lot of customer meetings; give us a little insight. What's been your takeaway from the show so far?
>> I think that there's a lot of energy towards the multi-cloud, cloud deployments in general, security. The whole introduction of Umbrella has got a lot of conversation started. It's amazing the amount of companies you see out there talking about just visibility in general, and that's being one of them as well. So it's been a lot of fun. Good show this year.
>> Russ, I've been looking for this conversation. We heard from Chuck Robbins in the keynote. He said the network sees a lot of things, and Cisco says they're going to give customers that visibility. Of course, that ties in a lot to what NETSCOUT does. You know, give us, you know, your thoughts on multi-cloud. How's Cisco doing in the space? And how does NETSCOUT fit into that whole picture?
>> Well, I think that one of the things, as Chuck talks about that, it's the cloud is the one thing, or the network is the one thing that's common for all. Coming along the devices, right? If I go into a different cloud, I have one set of performance metrics I might be able to gather about.
You look at what device or an operating system. It's all different. But all the communications on the network, TCP/IP, is common. That really provides that thread that you're able to provide that level of visibility. So it really becomes one of those things that the network is a unique place to gain perspective on both the performance and the security that we're delivering to our customers.
>> So can you just summarize the problem that NETSCOUT solves for our audience?
>> Sure. I think that primarily it's one of these situations where, in my on-prem environment, it was pretty easy. I had access to everything. I could see what was going on quite readily. I started to introduce virtualization, and now traffic started to move much more east-west, and it became a problem for folks. I think Cisco recently said 85% of the traffic they're seeing on the network is east-west traffic, right? And then we moved to the cloud, and it's even more obvious that I can't see anything in new ways of network traffic. There typically live in clover and desert starting to address that, but really being able to gain that level of visibility so you can understand exactly what's happening, just gaining that perspective.
>> So let's explain it. I'm going to stay with the east-west, north-south metaphor. Why is it easier to get visibility in a column than it is in a row?
>> I think because in a column everything is exploding north and south. So you've got everything right there, and usually you have a place where you can look into it. But when you're flat, it starts to become really different. You're looking at devices talking to other devices that don't necessarily have to traverse any part of the network. It can stay within a hypervisor, for example. So providing solutions to gain visibility into that environment is really important, and the protocols that we use there change a bit, so traditional tools don't necessarily fit well.
>> So what's the general solution to solving that problem? And then I want to understand the NETSCOUT secret sauce. But let's start at a high level. How does the industry solve that problem?
>> So the industry has been trying to solve that problem mostly by looking at the goodwill of third parties, looking at things like NetFlow, log events, and aggregating that, normalizing it. You've had solution sets that looked at network traffic, but it becomes very difficult for a lot of folks to make use of that network traffic, and what we've done is really provide the ability to look into that network traffic and gain, gather from really anywhere it's deployed, whether it's public cloud, private cloud. Our solution set, that's our secret sauce. Our solution set can go anywhere.
>> So add some color to that in terms of, you're able to inspect deeper through what? Just magic software you got? You got a probe you send in?
>> Well, actually, we have a device. It's called an ISNG, and in the virtual world we use something that we call vSTREAM. In the physical world, we have something that we call InfiniStream NG. And that leverages a technology that we've developed, called ASI, which is adaptive service intelligence. And what we'll also do is watch all that traffic and build metadata in real time, so we can surface key indicators of performance and security events, get that information up into a collection mechanism that doesn't have to normalize that data. It just looks at it as is. We build it into a service context. Service context allows us to see across a multi-cloud environment in a single pane of glass.
>> Okay, so one of the biggest challenges for customers is that they're changing these environments. It's what happens to their applications. You know, applications used to be rather self-contained. Even the VMs, they might have moved some, but now we're talking about, you know, microservices architecture, multi-cloud environment.
There's a lot going on there, you know? What's the impact on that for your world?
>> Right, that's been exactly it. A three-tier application was kind of pretty straightforward, even though at the point we started introducing it, we thought that was really tough stuff. Now what we're doing, as you say, is doing microservices architectures, and I might take my presentation layer and put it out in the cloud, and the public cloud in particular, so I'm closer to the end user and delivering better, high-performance capabilities to them, lower latency and the like. And I take my application server and I split that up all over the place, and I might put some in public cloud, I might put some in private cloud. I maintain some of it in the legacy. So all that interconnection, all that interdependency is really, really hard to get your hands around, and that complexity. We looked at the street study that said 94% of the 600 respondents said that the networks are as complex or more complex than they have been two years ago.
>> Yeah, that's not surprising, unfortunately, to hear that. But, you know, when we talk to customers out there, it used to be, you know, the network is something you set up. You turned all your knobs and then, don't breathe on this thing, because I've got it just where I want today. It can't be like that. You know, we know that it's very dynamic, has changed. The message from Cisco has been, we need to simplify things, and, you know, obviously everybody wants that. But how do you make sure you ensure that application performance and security, without having the poor admin have to constantly, you know, be getting tickets and dealing with things?
>> I think our solution really provides a common framework for visibility, and that's really what I think is really important. When you're starting to infer based upon different data sets, it becomes very difficult to put your finger on the problem and identify that's really a problem.
And it's trying to blend the organization. Let's sit this concept of the versatile list and trying to make sure that people are more capable in addressing problems in kind of a multi dimensional role that they have now in particular network and security. The organizations, they're trying to come together, God, they rely on different data sense, and that's where it kind of falls apart. If you have a common day to say, you're going to have a better perspective, Okay, >> I was just a front from that application standpoint. How much of this is just giving notification to invisibility? Intuit vs, you know? Is it giving recommendations or even taking actions along those lines? >> Yeah, I think it has. It has to give you recommendations and has to give you pinpoints. You really? You've got to be able to say there here's a problem. This is what you need to do to fix it right? I think what often when I'm talking to folks, I say it's about getting the right information to the right person at the right time to do the right thing If you're able to do that, you're going to be much more effective. Yes. OK, so you've got this early warning system, essentially, hopefully not a tulip. But that's what practitioners want. Tell me something. Tell me. Give me a a gap and tell me the action to take before something goes wrong. Ideally. And so you could do that. You could give them visibility on it, Kind of pinpoint it. And do you see the day, Russ, where you can use machine intelligence toe as Stuart suggesting start to maybe suggest remedial action or even take remedial action? Oh, absolutely. I mean, there are some things that you can really do and do quite well. Walking for security events, for example, is the primary one. We've always had the ideas in place in the early days, a lot of folks who are cautious because they wanted to have a negative impact on the business. 
But when we take a look at ex filtration and blocking outbound connections, if you know the bad actors and you know the bad addresses, you can stop that before it gets out of your network. So people aren't gonna have that X illustration of your information. >> All right. So, Russ, you've been meeting with a bunch of customers here at the show, What's top of mind for them And if some of the conversation I've been having this week, you know, security, you know, has been climbing that that list for many years now. But in your world, what are some of the top issues? >> Yeah, security, definitely. There's no question. I think it's one of those environments where you can almost never have enough. There is always hungry more and more and better and more accurate solutions. I I think I saw something recently. There was a top 125 security solutions that's like top 120 times really way. Doyle The Town 25 Exactly. And I think I D. C's taxonomy has 73 sub categories to the security. So security is, you know, more than a $500 word. You know, it might be a $5,000 word. It's crazy and same with club, right, because it's not like, you know, in fact, I was talking to someone recently, and it's with the club village Go. It's not a club village. A more This is everything we're doing is the cloud. So it's change in mindset. So it's It's interesting as a cloud universe. So what's next for Net Scout, you know, give us a little road map? What Khun observers expect coming from you guys more significant, pushing the security in particular. One of things we see is that our data set really has the ability to be leverage for both security and performance work. Load sport floats were integrating the products that we bought with the Harbour acquisition we bought over networks. And they have a highly curated threat intelligence feed that we're going to bring in and add to our infinite streams and have the ability to detect problems deep inside the network. 
You know, it's one of these things the bad actors kind of live off the land. They get in there and they know their way around slowly and methodically and drought dribble information. No. Well, the only way to catch that is like continually monitoring the network. So having that perspective so continuing to grow that out and provide again more of that, eh? I aml approach to understanding and be more predictive when we see things and be able to surf. It's that type of information. Security already used to be activists. And now it's become, you know, high crime even. Yeah, even, you know, nation states, right. And the job of ah of a security technology company is to raise the cost, lower the value right to the hacker, right to the infiltrator so that they go somewhere else. All right. Hey, make it really expensive for them. So either get through. But we ve what's like you get through, make it really hard for them to take stuff out. And that's really what you're doing. >> It was like you made sure to lock the front door now because it stopped them. But, you know, maybe I'll go somewhere else, right? It's a little bit >> different. Preventing you wanna minimize your risk, right? So if you're able to minimize the risk from performance and security problems, it's really all about understanding what you've got, what your assets are protecting them. And then when that someone's trying to look at them stopping it from happening, >> OK, last question I have for you, Russ, is being in this Cisco ecosystem out there. We're watching Cisco go through a transformation become more and more software company now, four years into the Chuckle Robin's era. So you know, how's that going in? What's it mean to partner Francisco today? >> It's going really well, and I think that we adopted a lot of way or adopted a lot of what the Sisko has done as well and really transform Nets go from what was primarily a hardware first company into a software first company. 
You know, it's kind of I was in a conference once and we were talking about software eating the world, right and but ultimately, its hardware. That's doing the chewing right. So I think it's one of those balancing acts. You know, it's Cisco's still of selling a ton of hardware, but it's a software solution sets so they deploy on their hardware. That makes it happen. And it's similar for us. You know, we're building out software solutions that really address the issues that people have building all these complex environments. All right, >> Russ Curie, congratulations on all the progress there and look forward to keeping up with how Netscape's moving forward in this multi cloud world. Thank you. All right, we'll be back with lots more coverage here from Cisco Live, San Diego for David Dante Obst Amendment. Lisa Martin's also here. Thanks, as always, for watching the Cube.
Sanjay Munshi, NETSCOUT | CUBEConversation, June 2019
>> From our studios in the heart of Silicon Valley, Palo Alto, California, it is a CUBE Conversation.

>> Hi, and welcome to theCUBE studios for another CUBE Conversation, where we go in depth with thought leaders driving innovation across the tech industry. I'm your host today, Peter Burris. One of the biggest challenges that every enterprise faces is how best to focus attention on the most important assets that are driving or facilitating that drive the digital business and digital business transformation. There's been a lot of emphasis over the last 50 years in tech on the hardware assets, but increasingly we need to look at the elements of IT that are actually creating net new value within a business, namely the people, the services and the data that make digital business possible. And that requires that we rethink our approaches to how we actually manage, conceive of and monitor those key assets, and is likely to lead to some very interesting unifications over the next few years, especially in SecOps and NetOps. Now, to have that conversation, we've got a great guest today. Sanjay Munshi is the vice president of product management at NETSCOUT Technologies. Sanjay, welcome to theCUBE.

>> Thank you, Peter. Thank you.

>> So, Sanjay, I said a lot up front. But before we get into that, tell us a little bit about NETSCOUT.

>> Thank you, Peter, for the introduction. NETSCOUT is a smart data company. NETSCOUT has three decades of leadership and innovation in troubleshooting, monitoring and securing IP-based networks. We are deployed in 90% of the Fortune 500 companies and 90% of the top communication service providers worldwide. We have 50% market share in each of the three segments that we play in, whereas the next biggest competitor we have has less than 5%. Those three areas are: number one, network and application performance monitoring for hybrid cloud infrastructure for enterprises; DDoS and security for enterprise and service providers; and service assurance for service providers, which includes mobile operators, cable providers as well as ISPs. Today we operate in 50-plus countries worldwide. We have 2,500-plus employees and 500-plus patents to our credit.

>> Impressive story. Let's get right to the issue, though, and how NETSCOUT is actually participating in some of these crucial transformations. I mentioned up front that one of the biggest challenges that every enterprise has is to focus more of their attention on those digital assets that are actually driving change and new sources of value, namely the data, the services and the devices and the people, the applications or people that use those. So one of the challenges that we've had is that a focus on devices leads to a focus on certain classes of data that are mainly improved or focus on improving the productivity of devices. Give us a background on what that means.

>> Let me introduce the concept of smart data that's born out of NETSCOUT, calibrated with smart data. NETSCOUT pioneered the leverage of wire data, or packet data, three decades back, that drives our nGenius portfolio that drives NetOps and CloudOps. ASI, or Adaptive Service Intelligence: this is the smart data that comes out of the packets. With ASI smart data, we uniquely converge application and network performance monitoring, giving our customers thorough visibility across application tiers, end-to-end networks and diverse data center locations.

>> So just to pick up on that: moving away from a log focus, which is again mainly, let's improve the productivity of the device, we're moving to ASI, which is focused on, let's improve the productivity of the connection and the application.

>> Absolutely, absolutely. And we'll talk a little bit more about logs. Let's talk about log and NetFlow, other sources of data that folks have gravitated towards, which are not authoritative by any means. Let's say log data, for example. This log data, you know, as soon as a threat actor, for example, gets access to your systems, the first thing the threat actor will do is to turn off logging or, worse, change the log data, change the syslog messaging itself. Let's take a look at NetFlow data, for example. NetFlow data: number one problem is, it doesn't have layer 7 intelligence in it. Number two, it's not generated by all the devices in the network. For example, the IoT devices do not generate any kind of flow data. So the only data that's authoritative and that comes with high fidelity is packet or wire data. That's one element of smart data that we have. The other element of smart data comes from our Arbor portfolio. Arbor products are deployed in 400-plus tier one operators, mobile operators and service providers worldwide. And as such, we see 1/3 of the Internet traffic through our strategically located sensors in the service provider core. We're able to generate another type of smart data that we call ATLAS Intelligence Feed, or AIF in short. ATLAS Intelligence Feed essentially tracks cyber reputation across domains, across geolocations and across user identities. The combination of the ASI smart data that is generated from the core of the hybrid cloud infrastructure, let's call it intranet, and AIF smart data that is generated from the Internet core gives NETSCOUT a unique data set combination that's unparalleled in the marketplace and makes us perhaps one of the few vendors who can drive a consolidated visibility architecture across NetOps, CloudOps and SecOps.

>> Okay, so let's turn that into very practical things for folks, because what IT has historically done is, by focusing on individual devices or classes of devices and the data that those devices generate, they end up with a panoply, a wide arrangement of security tools that are each good at optimizing those devices. With those, as you said, they may not necessarily be authoritative, but it's difficult to weave that into a consolidated, unified SecOps/NetOps overall, not just architecture, but platform for performing the crucial work of sustaining your digital business infrastructure. How does smart data translate into unified operations?

>> A good point, Peter. Thank you. That's a very good point. So let me give an example and talk about the customers where we have deployed our smart data, our hybrid cloud infrastructure. This is a typical Fortune 500 where we are deployed. NETSCOUT is deployed as the hybrid cloud monitoring infrastructure on the NetOps and the CloudOps side. Typically, you will see this type of organization has one tool to cover the entire hybrid cloud monitoring infrastructure across their entire portfolio, whether it is on-prem, whether it's in the cloud, whether it's in the colocation facility. But when you look at SecOps and the security side, the story is completely different. The same organization, the same enterprise customer, has 25 to 30 different disparate tools. As a matter of fact, analysts are saying today that a typical Fortune 500 in the US has 70 disparate security tools. Why is that the case? Why is it that on the NetOps and CloudOps side, they need one tool, NETSCOUT, for example, but in SecOps, there are 70 different products? The reason is not only smart data but also smart architecture. So what we have done over the past three decades: we have designed this two-tier architecture that generates smart data. Tier one is our distributed instrumentation or sensor framework, which we call InfiniStream or vSTREAM. This is the distributed sensor framework that is deployed in the hybrid cloud infrastructure that generates the smart data. And then we have the centralized analytics layer, which is our nGenius platform, that essentially correlates data across the hybrid cloud infrastructure and provides customers complete visibility across the portfolio of the data centers. On the SecOps side, the security side, security is roughly 10 to 15 years old. Security tried to emulate the two-tier model as well, but the security industry failed in doing that. Nobody could design this distributed sensor instrumentation cost-effectively to make wire data feasible for analytics, with the result they migrated to, as you said, these subpar sources of data like syslog, like NetFlow. And today they put all the emphasis on the analytics layer, with the result they need one tool per use case or one vendor per use case on the SecOps side. And that's why you see the tool proliferation, because they don't have this distributed sensor framework that will make wire data or packet data feasible for the analytics layer.

>> And I want to build on something you're saying, because it's a misperception that all resources and all work of digital business and technology is going to end up in a central cloud location. The cloud really is an architecture for more broad distribution of data and work, which means, ultimately, that if we don't deal with this proliferation of security tools now, we're going to probably have an even greater explosion in the number of security tools, which will more radically diminish our ability to establish new classes of options in digital business.

>> Very good point. As a matter of fact, just a couple of years back, the average number of tools was 40 in a SecOps portfolio an enterprise has in the U.S. Today it's 70; it could go to 200. But if you look at the risk profile, the risk profile has stayed the same, or in many cases deteriorated, right? What we found is the number of tools is going up, the cost of breaches is going up, the third, the number of breaches is going up, and at the same time, the number of analysts is always in dearth. So in short, high investments on the security side failed to reduce risk. So the risk and investment factor, both are going northbound, both are going up. So how do you control that? How do you make them come down? The only way: smart data on a smart platform, on a smart analytics layer.

>> Yeah. Again, let me emphasize this crucial point, because it's one of the things that we've seen in our conversations with clients: a proliferation of tools, a proliferation of data leads to a proliferation of tasks and responsibilities within a business, and you end up with more human failures of consequence. So by bringing all these things together, you end up with smarter data, smarter platform, simpler operations, more unified operations, and get greater leverage. So let's talk then about, ultimately, how should a business... What's the road map? What's the next two or three things that an enterprise needs to do to start unifying these resources and generating the simplicity so that you open up greater strategic options for how you configure your digital business?

>> That's a very good point. So two things we talked about already: one is smart data, relying on smart data, which comes from wire data or packet data. And the second is smart architecture, which comprises this two-tier architecture with distributed instrumentation and centralized analytics. What happens when you do that is the first thing is early warning detection. What we have realized, Peter, is that if you look at the traditional kill chain, Lockheed Martin's kill chain or the MITRE model that people are using now, traditional reconnaissance, weaponization as well as exfiltration, we have seen that if you generate analytics based on packet data or smart data, which we do at NETSCOUT, you can detect these phases much earlier than if you rely on device data, NetFlow, syslog. So what I call day minus, not day zero but day minus: leveraging the smart data and smart architecture, we're able to detect these threats or compromises much earlier than a traditional kill chain model or a lot of MITRE models.

>> But again, the reason why is because we're looking at patterns in the traffic.

>> We're looking at behavioral patterns in the traffic. That's correct. Let me go a little bit more technical, if you will. We're looking at transactions at the DNS level, transactions at the CP level or at the Active Directory level that happen much earlier than when a lateral movement or a reconnaissance is detected. This happens much earlier because we have the smart data, the wire data that enables us to do this early warning detection.

>> Get more visibility to the source as opposed to the target.

>> That's correct. The second thing that happens with our smart architecture, the two-tier architecture, is the consolidation of use cases. We talked about it a little bit. So today, in our hybrid cloud scenario where NETSCOUT is deployed in Fortune 500s, over the past two, three decades, our customers have moved from private cloud infrastructure. First they had the core righty. Then they moved to private cloud. You know, I am Francisco. Then they moved to colocation, Equinix and others. And then they moved also to public cloud. All the workloads are migrating, and everywhere we did not make any change to our instrumentation layer. Can you believe it? No changes. The only changes we made were in the analytics layer to take care of the new use cases. So with the result, we could consolidate multiple use cases in the cloud monitoring into one platform, the smart platform with smart data. Now we're building that value into security with the smart platform and smart data that we talked about. So the consolidation of use cases on the security side is the second advantage, other than the early warning detection that we talked about.

>> So this has got to improve detection, it's got to improve management, it's going to improve forensics, if I've got that right.

>> A good point. And forensics we should talk about a little bit more, perhaps. The second set of things that we have done is consolidate, on the SecOps side, forensics and detection. So let me explain that a little bit more. If you look at a typical enterprise today, they use SIEM, security information and event management platforms, to correlate data from multiple sources. So in the event of a SIEM alert, an alert generated by a SIEM platform, forensics teams need to determine what happened and what systems were impacted: essentially the what, when, how, where of the alert or the compromise that has been detected. Today, as we said, security teams are not using packet data at all. But for forensics, in order to validate that alert, they need to access sessions. They need to access packets belonging to that alert, but they cannot today, because none of the devices, none of the security platforms is using wire data in the first place. So what are the security teams doing? Forensic analysts, they're leveraging devices like Wireshark and tracking investigations with spreadsheets. This is delaying the investigation time. As you know today, it's well known that this causes alert fatigue, and 50% of the alerts that are going to the SIEM today are disregarded by the security analysts. With the result, the real threats are going unabated, and enterprises come to know about a security breach from the media rather than from their own IT department.

>> Sanjay, so we've had a great conversation talking about how smart data and a smart platform are going to lead to greater unification of tasks, people, responsibilities in SecOps and NetOps, and some of the impacts on an enterprise's overall response stance, both from a detection, management and forensic standpoint. So what's going on? Thank you very much for being on theCUBE, Sanjay Munshi.

>> Thank you. Thank you.

>> And thanks again for joining us for the CUBE Conversation. We've been with Sanjay Munshi of NETSCOUT Technologies. I'm Peter Burris. See you next time.
SENTIMENT ANALYSIS :
ENTITIES
Entity | Category | Confidence |
---|---|---|
Sanjay | PERSON | 0.99+ |
25 | QUANTITY | 0.99+ |
Peter Boris | PERSON | 0.99+ |
Sanjay Moon | PERSON | 0.99+ |
50% | QUANTITY | 0.99+ |
Sanjay Munshi | PERSON | 0.99+ |
June 2019 | DATE | 0.99+ |
Net Scout | ORGANIZATION | 0.99+ |
90% | QUANTITY | 0.99+ |
Silicon Valley | LOCATION | 0.99+ |
Peter | PERSON | 0.99+ |
Net Scout | ORGANIZATION | 0.99+ |
11 tool | QUANTITY | 0.99+ |
second advantage | QUANTITY | 0.99+ |
second set | QUANTITY | 0.99+ |
one tool | QUANTITY | 0.99+ |
40 | QUANTITY | 0.99+ |
two things | QUANTITY | 0.99+ |
50 plus countries | QUANTITY | 0.99+ |
Today | DATE | 0.99+ |
one | QUANTITY | 0.99+ |
One platform | QUANTITY | 0.99+ |
Internet Corps | ORGANIZATION | 0.99+ |
less than 5% | QUANTITY | 0.99+ |
both | QUANTITY | 0.99+ |
70 different products | QUANTITY | 0.99+ |
second | QUANTITY | 0.99+ |
70 disparate security tools | QUANTITY | 0.99+ |
SEC | ORGANIZATION | 0.99+ |
15 years | QUANTITY | 0.99+ |
two tier | QUANTITY | 0.99+ |
500 plus | QUANTITY | 0.99+ |
First | QUANTITY | 0.99+ |
Coyote | ORGANIZATION | 0.99+ |
one vendor | QUANTITY | 0.99+ |
today | DATE | 0.99+ |
Earth | LOCATION | 0.98+ |
second thing | QUANTITY | 0.98+ |
Peter Burke | PERSON | 0.98+ |
each | QUANTITY | 0.98+ |
three things | QUANTITY | 0.98+ |
200 | QUANTITY | 0.98+ |
U. S. | LOCATION | 0.98+ |
Lockheed Martin | ORGANIZATION | 0.98+ |
Atlas Intelligence | ORGANIZATION | 0.97+ |
third | QUANTITY | 0.97+ |
two | QUANTITY | 0.97+ |
25 100 plus employees | QUANTITY | 0.97+ |
One | QUANTITY | 0.97+ |
Fortune 500 | ORGANIZATION | 0.97+ |
three segments | QUANTITY | 0.97+ |
World White | ORGANIZATION | 0.97+ |
Lee | PERSON | 0.96+ |
US | LOCATION | 0.96+ |
Seymour | ORGANIZATION | 0.96+ |
first thing | QUANTITY | 0.95+ |
Seven | QUANTITY | 0.95+ |
Pioneer | ORGANIZATION | 0.94+ |
net scout Technologies | ORGANIZATION | 0.93+ |
three decades | QUANTITY | 0.93+ |
one element | QUANTITY | 0.93+ |
70 | QUANTITY | 0.91+ |
HOLLOWAY ALTO, California | LOCATION | 0.91+ |
Arbor | ORGANIZATION | 0.89+ |
day zero | QUANTITY | 0.89+ |
three decades back | DATE | 0.89+ |