I'm Peter Burris and welcome to another CUBE Conversation from our studios here in beautiful Palo Alto, California. Once again, another great conversation today with Barbara Kay, who is a senior director of security at ExtraHop. Barbara, welcome to theCUBE.

I'm delighted to be here. Thanks for inviting us.

Well, this is your first time on theCUBE, but let's start with the obvious question. How is ExtraHop doing? What's going on?

ExtraHop is doing incredibly well. I joined the company actually in January, so I just had six months here, and I came in as part of a transition from a very network performance-centric company to a really strong drive into the cybersecurity space. We've been selling very well and successfully for security use cases for more than four years, but we knew how important it was to help the people in the security operations group be more effective, be more successful, get to the chase, get to the root cause, and get on with life more quickly. So we've done a good job. We, in fact, we just shipped our second major release, bringing the right investigative workflows and automation and insights to the Security Operations Center front lines.

So you mentioned cybersecurity. Why is this whole notion of network traffic analysis so hot in the security world right now?

Well, you know, it's kind of amazing. I've been in the security space for a few too long, too many years, but we keep seeing breaches, right? You keep seeing so-and-so just lost another such-and-such, and ransomware, we thought that was last year's problem. It's still an ongoing issue. So there are things like that where once someone gets inside your network, or if they start inside your network as a privileged user, they are free to roam, because generally we are not instrumenting, we're not taking telemetry off of the things that are within our infrastructure, right?
If we do get any sort of visibility into East-West network traffic, it's typically in the form of logs, and we may not have everything talking to us, right? So we call it the dark space. It's this place inside the network where nobody's able to see anything, and therefore you're not monitoring it, and what that means to the attacker is that once he gets inside, he has free rein. He can run around, do whatever he wants, and that's lateral movement, reconnaissance, command and control, and database exfiltration. He can go find the good stuff and shut it down or disrupt it. We've seen the kind of scorched earth attacks, and all that stuff has people really worried, and the network traffic zone is an area that has been underserved, if you will, in terms of security interest, and has the strength that pretty much anything you do as an employee or for your business uses the network. It runs across the network, and so by taking your visibility and your source of truth from network traffic, you are ahead of the curve. And one thing that's interesting about this space, this network traffic analytic zone, is that we're coming in at a different part of the history of computing really. I've seen us go from workstations to servers, to data centers, from Unix to Windows to on and on, and we're seeing an analytics-first capability, an ability to process data in real time, in memory, that we didn't have 10 years ago, and we certainly couldn't harness that for the power and the capability of the average systems, right? It used to be, oh, that was a big data problem, oh, much too hard, much too slow, much too historical. Well, now you've got a lot of resources ready and able and accessible. That's what network traffic analytics is doing is taking that rich data and putting it to work and making it interesting and insightful for now, for real problems in terms of East-West attacks and late-stage attack activities.

Well, any company's network is valuable in and of itself, but it becomes increasingly valued, as you said, as it's connected to other networks. And so it's all part of this effort to move away from a perimeter orientation to an approach to understand the value that's actually being transmitted on the network, and ensuring that you can both do that, while at the same time, better protect how data and users and other agents are engaging your company, right?

Yeah, absolutely, and that critical, the critical asset lens is what I think of it as, you know, you want to protect the things that matter the most to you, right? And those may be repositories of data, right? Your, you know, your employee database, your customer database, that's obvious. But actually, think about it as a system or a service, you need the web server, the data store, you know, the app server, everything to work together and stay working in order for your mission-critical, business-critical fill-in-the-blank service to be functional, right? And that set of things is, in fact, your critical asset. That's the thing that will allow you to make money. We had a meeting a couple weeks ago and, you know, this customer, if their primary online application isn't online, they're losing $10 million an hour. That's real money, right? And so, we've always thought about that from a performance perspective, but security, right? CIA, that A is availability. It's about making things work and having them be there when you need them.

Well, going back to what we were talking about, it used to be that security largely focused on restricting access to things. But as we moved to a digital business where the actual data and the services associated with the data have become increasingly to the business, now you're not talking about how to restrict access, you're talking about how to appropriately share access.
And that's where a lot of the advanced analytics comes in because you can't predict with any certainty who's going to want it, where they're going to want it, how they're going to want it, and you want to be able to open it up so that your customers, your partners, your markets can generate additional value out of what you have.

Right, and I think that that's an important thing that's changing now is we think about, you know, it used to be that the model for protection was you loaded up your endpoint with a bunch of defenses and you were good, right? Well, so few devices now are ready to be managed with an agent, right? They are sensors, they are tags, they are whatever. They will be interacting with your systems and you can't control those endpoints the same way we used to. So we really have to think differently about the problem. And again, you know, for those devices to interact with things and for either good things or bad things to happen, they have to use the network to achieve that.

And what company doesn't want potentially millions of customers utilizing their assets? So that leads to the next question, is this is often associated with, network security is often associated with big companies who have their own networks. But we're talking about a circumstance where small companies are going to have to play as well. Is this a company-size-specific issue or is this like all companies have to worry about this?

So there are two ways to think about that. I mean, everybody has to worry about cybersecurity to some degree. I think that what we feel is that the bigger that you are, the more likely you are to have a more mature cybersecurity presence, right? And you might have a security operations center, a physical place or a set of people who together represent your SOC.
But if you have intellectual property, if you have something that you care deeply about and would hurt you to have disappear, get in the wrong hands or be offline, then you may pay more attention to this. So it isn't necessarily about size, it's about your perspective on security. How important is security? If your services went down or your database were stolen, how crippling would that be for your business? So generally, companies that are more leaning in, a little more mature in terms of their approach to operations across the board will be more interested in protecting and being more active and proactive about how they go about securing and designing response around cyber events.

Although we've also seen examples of big companies being penetrated because partners, sometimes smaller companies, got penetrated and that was the route into the big company through that partnership. So this is, again, all of these networks are being connected as part of the natural process by which businesses are evolving. And so everybody has to think, you don't want to be the small company who becomes known as the company who made it possible to take down Tardi.

Right. Well, and I think that interdependency of entities and networks has made life even more difficult for the guy with the security on his job title, right? He's got to deal with all these things and at the end of the day, it doesn't really matter who caused the problem, he's got to figure it out and make it stop, right? Then you go back and you try to figure out what happened and how you cleaned it up, but initially it's stop the bleeding, right? And we see a lot of finger pointing and sort of my lights are all green, I don't know about you, right? And trying to find a source of truth that lets you tear that apart and say, what's actually going on, right? And the faster you can do that and feel good about the conclusion you got to, the more successful and more confident and the more able you are to move forward.
And my personal prediction is that we're going to see a backlash against all of these disclosure events where we see the regulatory window is pushing to have a 72-hour-to-disclose window, which is fine, except 72 hours is just not that much time when something really complicated has gone up, right? And so that's why we see these serial disclosure events where they come back and they say, it was this. And then they come back and say, well, it was this, actually, and then, well, actually it was this, right? And then every time that you have to re-report your experience, you degrade what little credibility you had. And I think that's the kind of event that's really going to be the next wave of experiences we're seeing out there that will damage our industry.

So you've talked about how old practices like secure devices, secure perimeters, 72-hour disclosures, only work with people who you know who they are, those practices are failing. Clearly utilizing new approaches, new technologies, AI, where the system increasingly is participating, actively participating in the process of securing itself is the way to go. What is ExtraHop bringing to the table?

So machine learning and AI are sort of tools, really. They are technologies and approaches for solving a problem. And the reason I think that they are helpful in the security space is we've got 0% unemployment. We just don't have enough people. So you can give the machines tasks that are repeatable, boring, predictable, or really hard, right? Sort of finding the pattern in the data set. Those are good problems for machine learning kinds of applications. And what ExtraHop is doing is taking the rich data that we collect off of the network and we are extracting from it meaningful metrics, the metadata, thousands and thousands of points of information that are beneficial and useful from a security perspective.
We send that to the cloud and the cloud then uses models that are designed purpose-built for security to extract behavioral implications. And some things are always bad, right? That should never happen and so it happened, right? But some things can be derived over time based on baselining your behavior. And it could be device behavior, user behavior, application behavior, it's behavior, right? And one thing that's interesting to me about security is you get all these tactics, right? Or specific rules and signatures and things. Well, they're only as good for the point of light when people were using that very specific thing. But we've been doing polymorphic everything for a long time, right? What that means is that you have to be thinking about the nature of the interaction rather than the explicit and only data point, right? Machine learning is a great way to extrapolate and understand the bigger landscape of things. And ExtraHop is hitching that machine learning engine to this great rich source of contextual data and translating that into investigative insights and a workflow and a set of visualizations that help you go from a huge pile of data to a few compelling insights that you can act on quickly and with confidence.

So to identify the problems faster, when they're identified to shorten the time that they're open, and to take rapid actions to remediate the problem.

You got it, perfect.

Barbara Kay, Director of Security at ExtraHop. Thank you very much for being on theCUBE.

Thank you, it was my pleasure.