Downtown San Francisco. It's theCUBE, covering RSA North America 2018. And welcome back, everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in San Francisco. It's 40,000-plus people talking security, really one of the biggest conferences in San Francisco. Security continues to be an ever-increasing and important topic, and more and more complex and complicated and multifaceted. We're excited to have really an innovator who just recently sold his company to Sumo Logic. He's Dave Frampton, VP of security solutions now at Sumo Logic. Dave, great to see you.

Good to be here.

So you guys were a relatively small team working on a very specific piece of this giant pie. So tell us a little bit about what you're doing and what attracted Sumo Logic to you.

FactorChain, acquired by Sumo Logic in Q4 of last year, was focused on building an investigation platform to really help security analysts very quickly and completely identify, for an individual threat or alert, of which they get an avalanche every day: what happened, where did it spread, and then, more importantly, what should be done about it?

It's funny, because we talk often at all these conferences, right? Everybody in the keynote will talk about it: six months before you know you've been breached, or two years, or whatever the average is; it changes all the time. But nobody ever really talks about once you've figured it out, then what? So that's really what you guys are about, the "then what." What are some of the things that people do wrongly, and what are some of the immediate triage and best practices that people should be aware of if they're not already?

It's a great question. There's really a difficult workflow that exists when you start digging into one of these indicators of compromise or alerts. Typically an analyst is trying to connect the dots across huge numbers of systems and huge data sets. They may have to go to five to 10 different systems, run queries which take a long time to run and then take a long time to interpret, and kind of stitch together the clues across all of them. And this process can often take 30 minutes, an hour, even two hours, against an inflow rate of hundreds of these per day. So there's sort of this expanding backlog of uninvestigated urgent threats. In many cases people only get to about 10% of the most urgent threats or alerts that come into their security operations center, or SOC. And FactorChain's innovation was to develop some new techniques to help human analysts quickly connect the dots across these huge data sets, integrate a lot of those different systems so you can go to one place, see huge, deep connections between data sets, and then kind of put it all together in a very concise workflow that helps you get through this process just a lot faster, a lot more scalably.

So are you identifying patterns of past behavior because you have a database of how these things work? Are you looking for consistency of behavior within one system and others? I mean, what are some of the... obviously you can't tell us your secret sauce, but what are some of the tricks and tips that enable you to speed up that process? It's scary to hear that they have hundreds of high-priority ones that they can't get to.

There are two main components of trying to accelerate this whole workflow. The first one is trying to help analysts very quickly get insight into how variables change in an environment. This investigation process is a little bit like a game of whack-a-mole. You're following a particular user or a particular machine, but then the name will change, and then there'll be another variable introduced, but it will change four times, and you're left to try to figure out which one of these changes maps to the original. This process just repeats over and over again. So part of our insight was to try to figure out how to chain, hence the name FactorChain, all of these variable changes together in a very, very concise way, so you can help the analyst find the right path through the data and ignore all the false trails, get back on the trail when they lose the trail. So it's really sort of data navigation and insight. That's sort of the key core of FactorChain's innovation.

So, big factor... I shouldn't use that word again, but we'll use it again. The factor happening today in the industry is everything going to cloud, right? A huge percentage of business is going to cloud. AWS is up to a $20 billion run rate; Sumo is a big partner, and Microsoft and Google are trying to catch up from behind, and IBM's got a cloud. So cloud's a big thing, and there's more and more cloud. Also, we're in this API economy now, so whether I want to use public data sets and inject those into my processes, or I've got partners that I'm connecting all these things to via APIs, and I still have my on-prem stuff for the stuff that just can't go to cloud, or legacy, or for whatever reason. So the environment is becoming way more complex. The number of third-party people that you're playing nice with is becoming much, much larger, and a lot of these connections are completely automated, right, when you look at ad tech and some of the financial trading systems. So how does that increasing complexity play into what you guys are doing?

The migration to the cloud is putting enormous disruptive pressure on some of these traditional security processes. You think about the old world: it involved a security operations center and a small team of analysts going through this list of alerts that were sent in by their infrastructure. The cloud really challenges that in two fundamental ways. I think one of them you hit really well in your description of it, which is just that the sheer surface area of a possible attack has increased so dramatically. You hit all the key points. There's automated processes. There's a lot of customer-facing and production security that didn't exist in the old world. So many more ways for the attackers to get in, but importantly, there are new sources of information which are critical to actually orchestrating the defense, to figuring out what to pay attention to and how to pay attention to it. Application-layer information is much more relevant in a cloud context. You have a lot of the infrastructure that's been standardized underneath, but a lot of the interesting insight might be from the application. Is this a customer or is it a partner? Is it a sensitive piece of information or application or not? There's all sorts of context which needs to be brought into the forensic process to help the investigators really get to the bottom of what happened and where did it spread. There's also a need to collaborate across security and other functions in IT in a much more seamless, horizontal way. A typical example would be an analyst in the SOC might understand an awful lot about security forensics but may not really understand some of this application context, or even how to interpret some of the application logs at all. So you really need a horizontal collaboration involving IT operations. You hear a lot about DevOps and sort of DevSecOps. You need a much more collaborative workflow: not just a common data set, which I think everybody recognized a few years back, but also common analytics and a common workflow, common tooling, so that they can collaborate in the same system on the same investigation. And so those are the ways in which the traditional security industry and the boundaries around its processes and its tools are really being challenged and disrupted by the migration to the cloud. And at Sumo Logic, this is sort of at the center of where we live. We live in a world where people are rapidly migrating to the cloud, looking for monitoring and troubleshooting and security analytics functionality as they do that, looking at modern applications and how their architectures are changing and what implications that has for security. So we have our sights squarely set on sort of creating that new model for that new cloud-oriented environment.

Right. And then how much do you work with other applications, which I guess in the past may have been thought of as competitive, but when you're in an environment with all these integrated systems at a customer, there's probably tremendous benefit to sharing some level of information in terms of the signature of threats and when threats are coming in. I'm sure there's a ton of great data that, if shared across people on the good side of the fence, will probably be to the benefit of all. So has that been changing? Is that evolving? How do you see kind of working with other apps within, let's just pick the AWS cloud for an environment, for example, within a particular customer, whether it's AWS directly or other partners in the ecosystem?

Well, first, you hit it. I mean, this function of security operations has to be agnostic, right? So you have to be open to ingesting context from whichever system and whichever vendor and whatever source it might come from. And so these ecosystems are really important, and integration, so that you can quickly not only take in information from third parties but then quickly get trending and visualization and really bring insight to that data. And so to that end, Sumo Logic's a leader in the AWS ecosystem. We've been built from the ground up on AWS, and we have rich partnerships with the vast majority of the ecosystem of tools that surround the AWS environment. So we can bring that in and very quickly deliver insight, make correlations, figure out what you need to pay attention to, and then do this investigation workflow that we were talking about earlier.

Right, crazy time. So, 40,000 people here. What are you looking forward to for the next couple of days here at RSAC?

I think a couple of things. One is, I think everyone is focused right now on the upcoming deadline for GDPR and sort of data protection, data privacy. How do we identify within our data what might be subject to some of these regulations and new compliance requirements, and then how many of those overlap? Through the best of intentions it creates some dilemmas about how to approach problems such as, for example, the right to be forgotten. And I think seeing the community come together, sort of in a live venue, which is really what the show is all about, and kind of discuss and debate those issues. I think that's one. Two is the center of what we've been talking about: the impact of modern application architectures and cloud on some of these old, traditional security practices and models. And that's why we have a bigger presence this year at the show, because we think that's something that is going to change the way things have been done in the security industry, and we want to be a part of that conversation, and obviously giving previews of our upcoming products that address some of those problems. Looking forward to a good week.

Should be a good week for you; be busy.

Absolutely.

Thanks for taking a few minutes, and again, congratulations on the acquisition with Sumo. Great marriage, I'm sure, and look forward to following the story.

Thanks so much.

All right, it's Dave Frampton, I'm Jeff Frick. You're watching theCUBE from RSAC 2018, San Francisco. Thanks for watching.