Live from Las Vegas, it's theCUBE! Covering AWS re:Invent 2019. Brought to you by Amazon Web Services and Intel, along with its ecosystem partners. Welcome back, this is theCUBE's seventh year of coverage of the mega AWS re:Invent show here in Las Vegas, somewhere between 60 and 65,000 up and down the street. We are here in the Sands Convention Center. I am Stu Miniman, and my co-host for this segment is Justin Warren, and happy to welcome back to the program one of our CUBE alumni, Jesse Rothstein, who is the co-founder and CTO of ExtraHop. Jesse, great to see you. Thank you for having me again. Ah, so we caught up with you at AWS re:Inforce, not that long ago, in Boston, where it rains more often in Boston than it does in Vegas, and it's raining here in Vegas, which is a little odd. Strangely, it is raining here in Vegas, but re:Inforce at the end of June in Boston was the first AWS security conference, great energy, great size. We had a lot of fun at that show. Yeah, so Dave Vellante was one of the ones at re:Inforce, and he actually came out of the three-hour keynote yesterday with Andy Jassy and said, I'm a little surprised there wasn't as much security talk. You know, it's not like we can remove security from the discussion of cloud. It is one of the top issues here. So I want to get your viewpoint. Were we missing something? Is it just there? I know this does well. I think perhaps they're saving some announcements for re:Inforce, coming again in June in Houston this year. There was at least one announcement around IAM Access Analyzer, as I recall, but generally the announcements seemed to focus in some other areas, you know, some big announcements around data warehousing, you know, for federated Redshift queries, I think, and some big announcements around machine learning tooling, like SageMaker Studio, but I noticed that as well, not as many security announcements. Yeah, you never know.
Werner still has his keynote tomorrow, so we're sure there'll still be another 50 or 100 announcements before the week is done. ExtraHop also has something new this week, so why don't we make sure? Well, first I can assure you that cloud security is not solved. It's not a solved problem. In fact, unfortunately, despite record spend year after year after year, we still continue to see record numbers of compromises and data breaches that are published. I think cloud security in particular remains a challenge. There's a lot of energy there, and I think a lot of attention. People recognize it's a problem, but we're dealing with massive cybersecurity skills shortages. It's very hard to find people with the expertise needed to really secure these workloads. We're dealing with more sophisticated attackers. I think in many cases, attackers with nation-state sponsorship, which is scary, you know, five or 10 years ago, we didn't see that quite as much. More cyber criminals, fewer nation-states, and of course we're seeing an ever-increasing attack surface. So ExtraHop's right in the mix here, and we focus on network detection and response. I'm a huge believer in the power of network security, and I'll talk more about that. At re:Inforce last June, we announced ExtraHop Reveal(x) Cloud, which is a SaaS offering using AWS's recent VPC traffic mirroring capability. So the idea is all you do is you mirror a copy of the traffic using VPC traffic mirroring to our SaaS, and then we provide all of the sophisticated detection, investigation, and response capabilities as a product, so that's hosted. You still do the work of investigating it, but you know, we provide the entire offering around that: very low TCO, very turnkey capabilities. And of course, it wouldn't be a modern-day security offering if we didn't leverage very sophisticated machine learning to detect suspicious behaviors and potential threats, but this is something I think we do better than anybody else in the world.
So walk us through some of what the machine learning actually does, because I feel that machine learning and AI are kind of hitting peak hype cycle, maybe. You know, I almost can't say it with a straight face because it's so overused, but it is absolutely real, that's where the state of the art is. Machine learning allows us to recognize behaviors, and behaviors are very important because we're looking for post-breach behaviors and indicators of compromise. So there are a million ways that you can be breached. So the attack surface is absolutely enormous, but there's actually a relatively small number and a relatively tractable set of post-breach behaviors that attackers will do once you're compromised, and I think more and more organizations are realizing that it's a matter of when and not if. So what we've done is we've built the machine learning behavioral models so that we can detect these suspicious behaviors. In some cases, we have an entire team of threat researchers that are simulating attacks, simulating pen testing tools, lateral movement, exfiltration, so we can train our models on these behaviors. In some cases, we're looking for very specific indicators of compromise, but in just about all cases, this results in very high quality detections, and because detections alone are completely insufficient, ExtraHop is built on top of an entire analytics platform so that you're always one or two clicks away from being able to determine, is this something that requires immediate attention and requires kind of an incident response scenario? One of the capabilities that we announced here at this show is automated response, so we integrate with the AWS API so that we can automatically isolate and quarantine a workload that's behaving suspiciously.
In cybersecurity, some attacks are low and slow, but some are very fast and destructive, and for the fast and destructive ones, you move faster than a human's ability to respond, so we need that automated response, and we also announced a continuous packet capture capability for forensics, because sometimes you need the packets. Yeah. So that's a response. A lot of different things that we would actually like to bring the capability a little bit earlier than that so that we don't actually get breached. It's great that we can detect it and say, great, we've got the indication of compromise and we can react very, very quickly to that. Are you able to help us get one step ahead of the cyber crooks? So I'll actually be a little contrarian on that. I'm going to say that organizations have really been investing in protection and prevention for the last decade or two. This strategy is called defense in depth, and you should do it, everybody should, that's the best practice, but with defense in depth, you have lots of layers of defense at the perimeter, keep the attackers out of the perimeter, gateways, firewalls, proxies, lots of layers of defense at the endpoint, keep attackers off of my workstations, my instances, my laptops, things like that. But I think, again, organizations have learned that attackers can fire a thousand arrows or a hundred thousand arrows or a hundred million arrows and only one needs to land. So the pendulum has really swung toward detection and response. How do I know if I'm breached right now? How can I detect it quickly? The industry average dwell time is over three months, which is unacceptably long, and we always hear about cases in the news that are three years or more, and what I like to say is if it were three weeks, that would be too long, if it were three days, that would be too long, if it were three hours, I think you could do a lot of damage in three hours.
If you can start getting this down to three minutes, well, maybe we can limit the blast radius in three minutes. Jesse, you brought up the ever-growing surface area of attack, and one of the big themes that we've seen at the show is AWS is pushing the boundaries of where they touch customers. I said if Amazon is the everything store, AWS is becoming the everywhere cloud. Outposts, from Amazon's perspective, they said Outposts just extends their security models. I hear a lot of the ecosystem talking about how they're leveraging that and integrating with that. Does Outposts or any of their other edge solutions impact what your customers and your solutions are doing? So it's funny you say that, I was wondering that myself. My expectation is that Outposts are a good thing because they have the same security controls that we expect to see in any AWS kind of VPC-enabled environment. Where I haven't gotten full clarification is, do we have the full capabilities that we expect with VPCs? In particular, VPC traffic mirroring, which is the capability that was announced at re:Inforce that I'm so excited about because it allows us to actually analyze and inspect that traffic. Another capability that I think slipped in under the radar, but it was announced yesterday, is VPC ingress routing. This doesn't really affect ExtraHop that much, but as a network head, I like seeing Amazon enable organizations to kind of make their own choices around how they want to inspect and control traffic, and with VPC ingress routing it actually allows you to run inline devices between your VPCs, which previously you weren't able to do. So I think that one slipped in under the radar. Maybe you have to be a network head like me to really appreciate it. But I'm seeing more flexibility and not less, and that's something that I'm really pleased with.
That's one thing that we definitely see with cloud is that explosion of customer choice and all of these different methods that are available, and Amazon just keeps pushing the boundaries on how quickly they can release new features. What does that mean for ExtraHop and being able to keep up with the pace of change that customers are using all of these different features? That's a good question. I think that's just the reality, so I don't think about what it means or doesn't mean; that's just the way it is. In general though, I've seen this trend toward more flexibility. VPC traffic mirroring, to use that example again, was one of the few examples I could point to a year ago as something really useful and valuable that I could do on premises for diagnostic purposes, for forensics purposes, that for some reason wasn't available in public cloud, at least not easily. And with this announcement six months ago and going to general availability, Amazon finally ticked that one off, and we're starting to see the rest of the public cloud ecosystem move that way as well. So I'm seeing more flexibility and more control. Maybe that comes with a pace of innovation, but I think that's just the world we live in. You did mention that customers are having to adapt to this new regime of, look, we need to look at compromise. Can we detect if we've been compromised? Can we do it quickly? We have a lot of tools that are now being made available, like egress routing, but sorry, ingress routing. But what does that mean for customers in changing their mindset? One of the themes that we had from the keynote yesterday was transformation. So do customers need to just transform the way they think about security? Yes and no. Certainly customers who are used to a certain set of on-prem tool set, tool chain can't necessarily just shoehorn that into their public cloud workloads. But on the other hand, I think that public cloud workloads have really suffered from an opacity problem.
It's very difficult to see what's going on. It's hard to sift through all those logs. It's hard to get the visibility that you expect, and I think that the cybersecurity tool set, tool chain has been pretty fragmented. There are a lot of vulnerability scanners. There are a lot of kind of like API inspectors and recommendation engines, but I think the industry is still really trying to figure out what this means. So I'm seeing a lot of innovation, and I'm seeing kind of a rapid maturing of that kind of cloud security ecosystem. And for products like ExtraHop, I'm just a huge believer in the power of the network for security because it's got these great properties that other sources of data don't have. It's as close to ground truth as you can possibly get. Very hard to tamper with and impossible to turn off. With VPC traffic mirroring, we get the full power of network security, and it's really designed with the controls and kind of the IAM roles and such that you would expect for these security use cases, which is just a great, great, great advance. So along the discussion on transformation, one of the things Andy Jassy talked about is the senior leadership, the CEOs need to be involved. Something we've been saying in this security industry for years. It's not only CEOs, the board is talking about this, and it's there. So what are you seeing? You stated before that we haven't solved security yet. So bring us inside kind of the mindset of your customers today. And what's the angst, and where are we making progress? That's a very interesting question. I'll probably be a little contrarian here as well, maybe not, but I think a lot of the pressure we see is regulatory pressure. We're seeing a lot of new regulations come out around data privacy and security. GDPR was pretty transformative in terms of how organizations thought about that. I also think it's important that there are consequences.
I was worried that for a few years, data breaches were becoming so commonplace that people were getting kind of desensitized to it. There was once a time when there was a massive data breach, kind of heads would roll, and there was a sense of consequences all the way up into the C-suite. But a few years ago, I was starting to get concerned that people were getting a little lackadaisical, like, oh, just another data breach. My perception is that the pendulum's swinging back again. I think for truly massive data breaches, there really is a sense of brand. And I'm seeing the industry starting to demand better privacy. The consumer industry's perhaps leading the way. I think Apple's doing a very good job of actually selling privacy. So when you see the economics, I mean, it's a capitalist system, and when you see kind of the market economics align with the incentives, then that's when you actually see change. So I'm very encouraged by the alignment of kind of the market economics for paying greater attention to privacy and security. All right. I want to give you a final word here. You said you'd like to have some contrarian viewpoint, so the last question is just, what would you like to kind of just educate the marketplace on that maybe goes against the common perception when it comes to security in general, maybe network security specifically? Well, I'll probably just reiterate what I said earlier. Network security is a fundamental capability and a fundamental source of data. I think organizations pay a lot of attention to their log files. I think organizations do invest in protection and prevention, but I think the ability to observe all of the network communications and then the ability to detect suspicious behaviors and potential threats, bring it to your attention and take you through an investigative workflow, make sure that you're one click away from determining whether this requires an actual incident response, and in some cases take an automated response.
I think that is a very powerful solution and one that drastically increases an organization's cybersecurity posture. So I would always encourage organizations to invest there, regardless of whether it's our solution or somebody else's. I'm a huge believer in the space. All right, so Jesse, thank you so much for sharing. We know that the security industry still has lots of work to do, so we look forward to catching ExtraHop soon at another event, and we have lots of work to do to cover all the angles of this sprawling ecosystem here at AWS re:Invent. For Justin Warren, I'm Stu Miniman. Be back with lots more right after this, and thank you for watching theCUBE.