Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Welcome back everyone. Live coverage of AWS re:Inforce, their first conference, with theCUBE here in Boston, Massachusetts. I'm John Furrier. I'm with my co-host Dave Vellante. Our next guest is Jesse Rothstein, CTO and co-founder of ExtraHop, CUBE alumni. Great to see you again, VMworld, re:Invent. Now the new conference re:Inforce, not AWS Summit, re:Inforce, a branded event around cloud security. This is in your wheelhouse. Thank you for having me. Yeah, it's a spectacular event. Unbelievable turnout. I think there's 8,000 people here, maybe more. I know that's what they were expecting. For an event that was conceived of or at least announced barely six months ago, the turnout's just unbelievable. We've had many conversations in the past on theCUBE and others. Cloud security now having its own conference. So it's not like a security conference like Black Hat or DEF CON, which is like a broader security. This is really focused on cloud security and the nuances involved for on-premise and cloud as it's evolving, it's certainly a lot more change coming on. This kind of spins into your direction. You've been talking to this year on the front end of this. What's your impression? It absolutely does. First it speaks to market demand. Clearly there was demand for a cloud security focused conference and that's why this exists. Every survey that I've seen lists security extremely high on the list of anxieties or even causes for delay for shifting workloads to the cloud. So Amazon takes security extremely seriously. And then my own personal view is that cloud security has been somewhat nascent and immature and we're seeing hopefully kind of a somewhat rapid evolution in that market. Certainly a lot of motivated people want to see it go faster and they're participating and building that out. So I got to ask you, what is... 
Before you get off the show, I want to actually say something if I may. I mean, this has been a long time coming. Yes. To your point, Jesse, there was a real need for it. And I think Amazon deserves a lot of credit for that. But at the same time, I think Amazon, there's a little criticism there. I mean, I think that the message at re:Invent has always been we got the best security, we got the most features. And it's like, come on in. And the whole theme here of the shared responsibility model, which I'd love to get into, I think was somewhat misunderstood by some of those high level messaging. So I just want to put that out there as a topic that we might touch on. Great, let's talk about it. Okay, so I do think it was misunderstood, the shared responsibility model. I think the messaging was, hey, the cloud is more secure than your existing data centers, come on in. And I think a lot of people naively entered the waters and then realized, oh, wait a minute, there's a lot that we still have to secure. We can't just set it and forget it. I mean, do you agree with that? Oh, I think that's a controversial topic. I do agree with it. I think it continues to be misunderstood. The shared responsibility model in some ways is Amazon saying, we're going to do the security infrastructure and we're going to give you the tools, but organizations are still expected to follow best practices, certainly implement their own, hopefully best in class security operations. I mean, it's highly nuanced. I mean, you can say sharing data obviously increases visibility into threats and also making quality alerts. But I think it's a little bit biased, Dave, for Amazon to say shared responsibility because they essentially want to share in the security posture because they're saying, we'll do this, you do that, as inherently shared. So why wouldn't they say that? What are they going to say? We want to own everything? 
Well, I guess my takeaway though of this show is that I really like their focus on that. I think they've shone a light on it and for the goodness of the industry and the community. They have, but it is a bit nuanced and they've said some controversial, perhaps even contradictory statements. In the keynote yesterday, I was amused to hear that security is everyone's job, which is something I wholeheartedly believe in. But at the same time, David said that he didn't believe, or Stephen rather said that he didn't believe in DevSecOps. And that seemed a little bit at odds because I think they're probably wasting all those things. Stephen Schmidt. Stephen Schmidt. CISO of AWS. But at the same time, there was a narrative around security as code. So yes, there were some contradictions in messaging. So there's small ones. There were small ones and they were nuanced, but there remains some confusion. And that's why people look to the ecosystem to help try to clear some of that up. And this goes back to my earlier point. I believe that cloud security is really quite nascent. When we look at the landscape of vendors, we see a number of vendors that really are kind of on-prem security solutions that are trying to shoehorn into the cloud. We see a lot of essentially vulnerability scanning and static image scanning, but we don't see, in my opinion, that many really best in class security solutions. And I think until relatively recently, it was very hard to enable some of them. And that's why I'd love to talk about the VPC traffic mirroring announcement because I think that was actually the most impactful announcement of this show. Yeah, that's what I wanted to get to. So this is a new one. By the way, the other feedback we've had on theCUBE is the sessions here have been so good because you can dig deeper than what you can get at re:Invent given the size. This is a good example. Explain that story because this has been one of the most important stories, the traffic mirroring. 
Well, unlike re:Invent, I think this show is more about education than it is about announcements. You know, Amazon announced a few new services going into GA, but these were services for the most part that we already knew were coming, you know, like Watchtower and AWS Security Hub. But the VPC traffic mirroring was really the announcement of this show. And gosh, it's been a long time in coming. One closely held belief I've had for a long time is that in the fullness of time, there's really nothing of value that you can do on-prem that you wouldn't eventually be able to do in the cloud. And it's just been a head-scratcher for me why for so many years we've been unable to get any sort of mirror or tap of the traffic for diagnostic or analytic purposes. Something you can do on-prem so easily with a SPAN port or a network tap. And in the cloud, we've been having to do kind of backflips and workarounds and software taps and things like that. But with this announcement, it's finally here. It's native. Explain the VPC traffic mirroring. What is it, for the folks watching who might not know it? Why, what is it and why is it important? So VPC traffic mirroring is a network tap that is built into EC2 networking. What it means is that you can configure a VPC traffic mirror for, you know, individual EC2 instances, actually down to the ENI level. You can configure filters and you can send that to a target for analysis purposes. And this analysis could be for diagnostics, but I think much more important is for security. ExtraHop really began as a network analytics platform. We do network detection and response. So this type of, this ability to analyze the traffic in real time, to run predictive models against it, to detect, you know, in real time suspicious behaviors and potential threats, I think is absolutely game changing for someone's security posture. And you guys have been on the doorstep of this day in and day out. So this is like a great benefit to you guys as a company. 
I can see that and I see that's a great thing for you guys. What's the impact of the customers? Because what is the goodness that comes out of the traffic mirroring for them? What's the impact of their environment? Well, it's all about friction. First, I want to clarify that we've been running in AWS for over six years, you know, six or seven years. So we've had that solution, but it's required some, you know, friction in the deployment process because our customers had to install some sort of software tap, which was usually an agent that was, you know, analyzing that there was really gathering the packets in some sort of promiscuous mode and then sending them to us in a tunnel. Whereas now, this is built into the service, into the infrastructure. There's no performance penalty at all. You can configure it, you have IAM roles and policies to secure it, all of the friction goes away. I think for kind of the first time in cloud history, you can now get extremely high quality network security analytics with practically the flip of a switch. So it's not another thing to manage. It's like you say, inherent to the network. John and I have heard this week at this event from practitioners that they want to see less just incremental security products and more step function. And what they mean by that is we want products that actually take action or give us a script that we can implement or actually fix the problem for us. Will this announcement and others that you guys are involved in take that next step? More proactive security that these guys want. So a couple of thoughts on that. First, the answer is yes, it can. And you're absolutely right. Remediation is extremely important, especially for attacks that are fast and destructive. You know, when you think about kind of the, when you think about attack patterns, there are attacks that are low and slow. There are attacks that are advanced and persistent. 
But the attacks that are fast and destructive move at a speed that is really beyond the ability for humans to respond. And for those sorts of attacks, I think you absolutely need some sort of automated remediation. The most common solutions are some form of blocking the traffic, quarantining the traffic, or maybe locking the accounts. So you're kind of blocking, quarantining, and locking are my top three. And then various forms of auditing and forensics go along the way. Amazon actually has a very good toolbox for that already. And there are security orchestration products that can help. And for products like ExtraHop, the ability to feed a detection into an action is actually a trivial form of integration that we offer out of the box. So the answer is yes, but let me go back to kind of the incrementalist approach as well that you mentioned. I kind of think about the space in really broad strokes, and organizations for the last 10 years or so have really highly invested in prevention and protection. So a lot of this is perimeter defense and endpoint protection. And the technologies have gotten better. Firewalls have turned into next generation firewalls and antivirus agents have turned into next generation antivirus or endpoint detection and response. But I strongly believe that network security has, in some ways, just kind of lagged behind and it's really ripe for innovation, and that's what we've really spent the last decade building. And that's why you're excited about the VPC traffic mirroring, because it allows for parallel analytics and so more real time. More real time, but the network has great properties that nothing else has. When you think about network security with the network itself, it is as close to ground truth as you can get. It's very hard to tamper with and it's impossible to turn off. Those are great properties for cybersecurity and you can't say that about something like audit logs, which are from time to time disabled and scrubbed. 
And you certainly can't say that about endpoint agents, which are often worked around and in some cases even used as a vector for attack. I'm going to ask you, okay, on that point, okay, I get that. So the next question that would come to my mind is, okay, with the surface area with IoT expanding and with cloud, you have a sprawling surface area. So the surface area is growing just by default and it's by natural evolution. Connecting to the cloud, people are backhauling their data into the cloud. All this is good stuff. Absolutely, we call it the attack surface and it is absolutely growing, perhaps in an exponential way. Talk about that dynamic, one, the sprawling attack area, because that's just the environment now, and what's the best practice to kind of figure out security posture, whatnot. Great question. Well, people talk a lot about the dissolution of the perimeter and I think that's a bit of a debate, and regardless of your views on that, we can all believe that the perimeter is changing and that workloads are moving around and that users are becoming more mobile, but I think an extremely important point is that every enterprise just about is hybrid. So we actually need protection for a hybrid attack surface, and that's an area where I believe ExtraHop offers a great solution because we have a solution that runs on-premises in physical data centers or on campuses, which no matter how much workload you move to the cloud, you still have some sort of user on some sort of laptop or some sort of workstation in some sort of campus environment. We work in private cloud environments that are virtualized and then of course we work in public cloud environments, and another announcement that we just made at this show which I also think is game-changing is our Reveal(x) Cloud offering. 
So this is a SaaS-based network detection and response solution, which means that I talked about removing friction by mirroring the traffic, but in this case, all you have to do is mirror the traffic, point it to our SaaS and we'll do all of the management and maintenance of hosting that service for you. That is in the marketplace, we launched it yesterday. So that's a great integration point for you guys to get on board more customers. And I think solutions like ours are absolutely best practices and required to secure this hybrid attack surface. Into the marketplace, what was that experience like? You know, Amazon was actually great to work with and I don't mean to say that with disbelief, but sometimes when you work with, oh it sounds surprising. Sometimes when you work with such a large company you kind of have certain expectations and they exceeded all of my expectations in terms of their responsiveness. They worked with us extremely closely to get into the marketplace. They made recommendations with partners who could help accelerate our efforts. But in addition to the marketplace we actually worked with them closely on the VPC traffic mirroring feature. It was something we began talking with them about as far back as I think last December, even before re:Invent. They were extremely responsive to our feedback. They moved very, very quickly. They've actually just been a delight to work with. Can I ask you a question about, you were talking about the non-immutability of logs and they go offline sometimes. And yet at the same time there's been tens of billions of dollars of value creation from that industry. Are there things that are magic there or things that you can learn from the analytics of analyzing logs that you can bring over to sort of what you're positioning as a more modern and cloud-like approach? Or is there some kind of barrier to entry doing that? Can you shed some light on that, Jesse? That's a great question. 
And this is where I'll say it's a genius of the and situation. Not a tyranny of the or. So I'm not telling people don't collect your logs or analyze them. Of course you should do that. That's a best practice. But chances are that that space, the log analysis and the SIEM market, has become so mature, chances are you're already doing that. And I'm not going to tell organizations that they shouldn't have some sort of endpoint protection. Of course you should. But what I am saying is that the network itself is a very fundamental data source that has all of those properties that are really good for cybersecurity, and the ability to analyze what's going on in your environment in real time, understand which users are involved, which resources are accessed, and are these behavioral patterns suspicious and do they represent potential threats? I think that's very powerful. I have a whole threat research team that we've built that just runs attack simulations, and they run attack tools so that we can take behavioral profiles and understand what these look like in the environment. We build predictive models around how we expect resources and users and endpoints to behave, and when they deviate from those models that's how we know something suspicious is going on. So this is definitely a genius of the and situation. So John, it reminds me of your, you're very fond of saying, hey, what got you here is not likely to move you forward, and that's kind of the takeaway for practitioners. Yeah, I mean you got to build on your success. I mean having economies of scale is about not having diseconomies of scale, meaning if you're always constantly reinventing your product, not building on the success, then you're going to have more success if you can have that trajectory, if it's just basic competitive strategy, product strategy. But the thing that's interesting here is that as you get more successful and you continue to raise the bar, which is an Amazon term, they work with you better. 
So if you're raising the bar and you did your own network security product, they're like, okay now we got parallel traffic mirroring. So that's true but I think we've also heard that Amazon is, I think they call it maniacally customer focused, right? And so I think that this traffic mirroring capability really is due to customer demand. In fact, if you were at the keynote when they made the announcement, that was the announcement where I feel like every phone in the whole auditorium went up. That's the announcement where I think there's a lot of excitement. And for security practitioners in particular and SecOps teams, I think this really reduces some anxiety they have because cloud workloads really tend to be quite opaque. You have logs, you have audit logs but it's very difficult to know what's actually going on there and who is actually accessing that environment and even more important, where is my data going? This is where we can have all sorts of everything from a supply chain attack to a data exfiltration and it's extremely important to be able to have that visibility into these cloud workloads. And we totally agree, we've been saying on theCUBE many, many years now that the network is the last bottleneck really where that script gets flipped upside down where workloads are dictating DevOps now, the network piece is here. So I think this is going to create a lot of innovation that's our belief, love to follow up more in Palo Alto when we get back on this hybrid cloud. I think that's a huge opportunity. I think this creates a blind spot for companies because that's where the attackers will go because they'll know that the hybrid's rolling out and that'll be a vulnerability area. And one last thought, it's an arms race. Network security is not new, it's been around for decades, but the attackers and the attacks have become more sophisticated and as a result the defenders need to raise their game as well. 
This is why on the one hand there's so much hype, and I think machine learning in some ways is oversold, but in other ways it is a great tool in our arsenal. Machine learning, the predictive models, the behavioral models, they really do work and it really is the next evolution for defensive capabilities. Thanks for coming on, great insight. Oh wait, one last question. The beer, ExtraHop. You guys have a beer, I heard. You know, we did in the past, it's been a while since we've done that, but it comes from early days when I founded the company. People would ask you the name ExtraHop, are you guys an online brewery? And we were joking, we said no, that was extra hops, but we embraced it and we actually worked with a local brewer that has since been acquired by a major beverage brand, sorry. I didn't know that, I just heard the other guy ask about it. We built our own label and it was the ExtraHop Wired APA, it was extremely well received. Every time we'd visit a customer they'd ask us to bring beer, it's pretty pretty. Yeah, I think you got to go back to the proven formula. Thanks for the insights, let's follow up when we get back in Palo Alto in our studio on some of this hybrid, I think it's a compelling conversation. Network security, network analytics, innovation areas, where all the action's happening here in Boston. AWS re:Inforce theCUBE coverage, we'll be right back.