Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.

Okay, welcome back everyone. theCUBE's live coverage here in Boston, Massachusetts, of AWS re:Inforce, Amazon Web Services' inaugural conference around cloud security. I'm John Furrier with Dave Vellante. One of the top stories being announced here at re:Inforce is VPC traffic mirroring, and we wanted to bring in CUBE alumnus and friend Mike Banic, VP of marketing at Vectra, who specializes in networking. Welcome to theCUBE. We go way back, to HP networking. You've got a hot startup here, so I wanted to bring you in to help unpack this VPC traffic mirroring product. It's probably the meatiest announcement of everything on stage. Other stuff was the general availability of Security Hub, which is a great product.

Absolutely.

And GuardDuty as well, all this other stuff happening. But VPC traffic mirroring is a killer feature for a lot of reasons.

Absolutely.

But it brings some challenges and some opportunities that might be downstream. What's your take on VPC traffic mirroring?

So at the highest level, it brings a lot of value because it allows you to get visibility into something that's really opaque, which is the traffic within the cloud. In the past, the way people were solving this was they had to put an agent on the workload, and nobody wants that. One, it's hard to manage; you don't want dozens to hundreds or thousands of agents. Two, it's going to slow things down. And third, it can be subverted: you get the advanced attacker in there, he knows how to get below that level and operate in a way where he can hide his communication and his behavior isn't seen. With traffic mirroring, we're getting a copy of the packet from below the hypervisor. It cannot be subverted.
And so we're seeing everything, and we're also not slowing down the traffic in the virtual private cloud. It allows us to extract just the right data for a security application, which in our case is metadata, and enrich it with information that's necessary for detecting threats and also for performing an investigation.

Yeah, it was definitely the announcement everybody has been talking about; it has the buzz. So from a partner perspective, how do you tie into that? What do you do? What's the value that you bring to the customer?

So the value that we're bringing really stems from what you can do with our platform. There are two things everybody's looking to do at the highest level: detect threats and respond to threats. On the detection side, we take the metadata that we've extracted and enriched, and we run it through machine learning algorithms. From there, we not only get a detection, but we can correlate it to the workloads we're seeing it on. So we can present much more of an incident report rather than just a security alert saying, hey, something bad happened over there. It's not just that something bad happened, but that these four bad things happened, and they happened in this time sequence over this period of time, and they involved these other workloads. So we can give you a sense of what the attack campaign looks like. It's like with cancer: it's not just that you have bad cells in your liver, but that they've metastasized to these other places. We also keep that metadata in something we call Cognito Recall, which is in AWS, and it has pre-built analytics and saved searches. So once you get that early warning signal from Cognito Detect, you know exactly where to start looking. You can peel back all the unrelated metadata and look specifically at what happened during the time of that incident in order to perform your threat investigation and respond rapidly to that threat.
So you guys do have a lot of machine intelligence, AKA AI chops. How close are we to being able to use that AI to not only detect, but to begin to automate responses? Are we there yet? Is it something that people want, or don't want?

We're getting close to being there, to answer your first question, and people aren't sure that they want it yet. Here's some of the rationale behind it. We generally say that our AI is pretty smart, but security operations people are still the brains of the operation. There's so much human intelligence, so much contextual knowledge, that a security operations person can apply to the threats that we detect. They can look at something and say, oh yeah, I see the user account, the service that's being turned on from this particular workload, I know exactly what's happening with that. They add so much value. So we look at what we're doing as augmenting the security operations team. We're reducing their workload by taking all the mundane work and automating that, and putting the right details at their fingertips so they can take action. Now, there are some things that are highly repeatable that they do like to use playbooks for. So we partner with companies like Phantom, which got bought by Splunk, and Demisto, which Palo Alto Networks acquired. They've built some really good playbooks for some of those well-defined situations, and there were a couple of presentations on the floor that talked about those use cases.

Yeah, Phantom was a pretty solid product. It's built into Security Hub. Security Hub's a nice product. But to get back to VPC traffic mirroring, it makes so much sense. I mean, it's about time.

Yes.

Finally they got it done. It didn't make any sense that it wasn't done before. But I've got to ask, first of all, about the analytics. You said on theCUBE before, the network doesn't lie.

The network doesn't lie.

Network doesn't lie. And the subversion piece is a key piece.
It had better be at the lowest level possible. That's a great spot for the data.

Totally agree.

So where do you create value? Because now that everyone's got VPC traffic mirroring available, how do you take advantage of that? What's next for you? Where does the differentiation come from? Where does the value go next?

Yeah, there are really three things that I tend to focus on. One is we enrich the metadata that we're extracting with a lot of important data that really accelerates the threat investigation. So things like directionality. Things like building a notion of the identity of the workload, or when you're running us on-prem, the device, because IP addresses change. There are dynamic things in there. So having a sense of consistency over a period of time is extremely valuable for performing a threat investigation. That information gets put into Recall as the metadata store. If people have a data lake that they want us to send it to, whether it's Elastic or Splunk or Kafka, then that is included in what we send to them, in Zeek format. They use all their Zeek tooling, so they're not wasting any money there. The second piece is around the way that we build analytics. There's always a pairing of somebody from security research with a data scientist. The security researcher explains the tools, tactics and techniques of the attacker, so that the data scientist isn't being completely random about what features they want to find in the network traffic. They're being really specific about what features are actually going to map to that tool, tactic and technique, so that the efficacy of the algorithm is better. We've been doing this for five-plus years, and that history speaks for something, because some of the learning we've had is, all right, in the beginning there were maybe a couple of different supervised techniques to apply.
Well, now we're applying those supervised techniques with some deep learning techniques, so that the performance of the algorithm is actually 90% more effective than it was five years ago.

So you're differentiating with software: get the data, extract the data, which is the metadata, which you were doing anyway, but now it's more efficient. Low speed, no problems with performance or the agents you mentioned earlier. Now it's better data. Impact on the customers: what's the revelation here, at the end of the day, for your customer and Amazon's customers through you? What do they get out of it? What's the benefit to them?

So it's all about reducing the time to detect and the time to respond. We had one of our Fortune 250 customers present last week at the Gartner Security Summit. A gentleman from Parker Hannifin stood on stage and talked about how they had an incident where they got an urgent alert from Cognito. It told them about an attack campaign. He was immediately alerted to 45 different machines that were sending data to the cloud. He automatically knew what the patterns of data were, the volume of data. They immediately knew exactly what services were being used within the cloud. They were able to respond to this and get it all under control in less than 24 hours, because they had the right data at their fingertips to make rapid decisions before there was any risk. What they ended up finding was that it was actually a new application, but somebody had not followed the procedures of the organization that keep them compliant with so many of their end users. In the end, it saved tremendous time and money. And if that had been a real breach, it would have actually prevented them from losing proprietary information.

Well, historically it would take 250 days to even find out that there was a breach.

Right.

And by then, who knows what's been exfiltrated?
Yeah, we had a couple of firms that run red team exercises for a living come by, and I said to them, do you know who we are? And they said, of course we know who you are. There's one tool out there that finds us, and it's Vectra. I'm like, okay, let me tell you about the news. We didn't try to say that.

That's the kind of historical on-prem. So what do you do for on-prem? Is this all running in AWS? Is it cloud-only?

It's actually both. We know that there are a lot of companies that come here that have never owned a server. Everything's been in AWS from day one.

No IT.

Exactly. For them, we can run everything: we have the sensor attached to VPC traffic mirroring in AWS, and we can have the brain of the Cognito platform in AWS. So for them, they don't need anything on-prem. There are a lot of people that are in lift-and-shift mode who can be on-prem and in AWS, so they can choose where they want the brain, and they can have sensors in both places. And we have people coming to this event that are hybrid cloud. They've got IT infrastructure in Azure, but they have production in AWS, and they have stuff that's on-prem. We can meet that need too, because we work with the virtual network TAP (vTAP) from Azure. So we're not religious about this. It's all about getting the right data to the right place, reducing the time to detect and respond.

Mike, thanks for coming in and sharing your perspective on VPC traffic mirroring. Appreciate it. Give a quick plug for the company. What are you working on? What's the key focus? Are you hiring? You just got some big funding news. Take a minute to get the plug in for Vectra.

Yeah, so we've gone through several years of consecutive more-than-doubling in annual recurring revenue. We've been really fortunate to be earning a lot of customer business from the largest enterprises in the world. We recently had funding, $100 million led by TCV out of Menlo Park.
Total capitalization is over $222 million right now, on the path to continue that doubling. But we've been really focusing on being where the puck is going to be, by working with Amazon in advance on traffic mirroring. We know that today people are using containers in the VM environment. We know that where they want to go is more serverless and leveraging containers more. We're already going in that direction.

Well, great to see you. Congratulations. We've known each other for many, many years. It's our 10th anniversary of theCUBE; you were on in year one. Great to know you, and congratulations on the success of Vectra and the great announcement with Amazon. It gives you a tailwind.

Thanks a lot. It's great to see your growth as well. Congratulations.

Thanks, Mike. Mike Banic unpacking the relevance of the VPC traffic mirroring feature. These are the kinds of conversations we're having here: deep conversations around stuff that matters in security and cloud security. Of course, theCUBE is bringing you all the coverage from the inaugural re:Inforce event from AWS. We'll be right back after this short break.