Hello, and welcome to this special CUBE Conversation. I'm John Furrier in the Palo Alto studio. CUBE Conversation with Mike Banic, who's the VP of marketing at Vectra Networks. Big news coming for you guys. You guys had a good year, we love cybersecurity. I want to drive a good conversation with you because you're on the front lines, you're seeing all the trends. You guys have been doing very well with AI for cyber, also impacting IT operations, because security is certainly forcing modernization in the IT world, using data. Just really interesting stuff, but hacking is the number one threat problem. What are the security trends, Mike? What are you seeing? What's happening? There's a ton of stuff happening. We've seen ransomware, a bunch of stuff going on across the board, spear phishing too. You name it, it's at a rampant pace. No perimeter anymore, holding the ball game. You know networking, you know the perimeter, now you're in the cloud. What are the trends?

I think one of the things that a lot of people aren't paying enough attention to is the fact that all the systems they have in place are looking for exploits, they're looking for the use of malware, and there's a lot of attacks that actually don't use malware. Once, there may be malware that's used for a specific exploit in the beginning to start it, but the smart attacker now, they sit and they lay low, they watch how your enterprise operates. They look at the tools that you use and they steal credentials, and then they start to use those tools against the business to steal information or to do damage. And that's something you won't catch if you're using tools that are specifically looking for malware, and that's where using AI to look for explicit attacker behaviors becomes so useful. The other thing is that attackers are on the inside for much longer than people think. I mean, we look at M-Trends data from last year that says the average amount of time that an attacker has gone unmitigated before it's discovered is 99 days. It's actually much longer than that. Those are just the attacks that are reported and those are just the attacks that we have data on. We've seen it actually run much longer than that. And we also know that an attacker can get admin credentials in like three days or less. As soon as they get those, they have the keys to the kingdom.

Yeah, and then you mentioned hackers, hackers as groups involved. It's lucrative, it's a whole business. We've seen that.

It's a supply chain even.

It is a really big racket. Now, networking is interesting because footprints can be left on the network. Sure, you've got encryption. You know, that's, oh, it's encrypted, but you can still get around the encryption. Talk about how you guys do it. How do you guys see the patterns with encryption out there? You guys have the network footprints. What's the secret sauce and what's the formula?

So what we're doing to detect this is we're looking at network metadata. We're not performing deep packet inspection. Deep packet inspection is the approach that a firewall uses or traditional intrusion detection and prevention platforms use. So what we're doing, we're collecting metadata, we're collecting log information, we're collecting cloud events, and we're using all that in our mix of analytics. And what we're looking for are the behavioral patterns. So I'll give you a really tangible example. Let's say you're the attacker, John, and you've got control of my computer and you've got fingers on the keyboard. So you're using a RAT, a remote access trojan. The way that I'm going to use advanced analytics or AI to detect that is I'm going to look at, first, the fact that my machine's opened a connection to an external IP address. That's your machine. I'm going to look for random silences. Those are the pauses in the conversation. If I'm just web browsing, then my machine's going to interrupt all those random pauses because I'm moving from page to page, site to site. If your IP address is always interrupting them, then you're in control of the conversation. Anybody in IT should care when an internal host is being controlled by an external host. I didn't have to read any of the web browsing traffic or any of the email traffic, the app traffic, in order to do that. I did that principally by analyzing network metadata.

So this is unspoofable either, because the network doesn't lie.

That's correct.

Because the packets have to move around.

That's correct. The attacker has to perform certain things. There's no way for them to erase them. And there's a group of companies that try to apply analytics to logs, and here's the problem they have. The smart attacker knows that logs are sent in batches, and it's like when somebody breaks into your house, they know they have about 45 seconds to get the alarm code right. They know that they have a certain amount of time before the batch of logs is sent up. So if they have admin access, they'll erase the footprint of what they've done on your machine and there's no logs. If there's no body, there's no murder.

I've done a few ventures in my day that have been first movers, and usually the first movers take the arrows in the back. One of my relics is like, if that's such a great idea, why hasn't someone else done it? So the question for you guys is, it's so obvious now that you explain it that way that this is a great way to do it. Why hasn't someone else done it? Is it timing? Is it the founding team? Is it the approach? I mean, a lot of people are in there, you've got Cisco, you've got a zillion networking people. Why hasn't anyone else done this?

There's a couple of things that come to mind right away. The first is that for people who are in this business already that want to take advantage of AI, it's really difficult to add it to an existing platform. You really have to start from scratch. And then the second is what you said about the approach. The approach that we've taken is very different than others. So there are people in this business that claim they're doing AI, and they've fallen into one end of the spectrum or the other. They either have this big group of security researchers and they've hired a couple of data science guys and they're trying to solve this problem. Or they have a big data science team and they've got a couple of security researchers. We've taken an approach that's in the middle. Whenever we develop an algorithm, we take a security researcher who has really strong experience or background in the attacker behavior we're trying to detect. And we pair them with somebody in data science who has expertise in the techniques that are going to be best used to detect that. We pair them up. The data scientist looks at the features that they can find in the network. The features I mentioned before, internal IP to external, random silences. They determine what those are. They build the algorithm and then they run it. Then we put it into precursor mode. Just like Hitesh's Tesla has got precursor stuff running as he's driving up and down the freeway, we do the same thing with our customers. And then once we see that the efficacy is really high, we release that into production.

So it's a combination of timing, management teams, the unique problem space that they addressed, combined with people and data and software. You're kind of blending them all together. So it's a new approach.

It is very much a new approach. And one that's different from just following the approach that people have taken before, where they go in one of those other two directions. I mean, if you're hammering everything with a nail.

So Cisco sees everything they do, to me, their way. Maybe an application developer might take a different approach. So I buy that. So timing's good. What makes you guys different? What makes you guys think you could be successful? Because I hear this all the time. Amazon's out there. Amazon can just copy it. You always hear those arguments. How do you guys answer that question? Minability, what's the protection?

Yeah, so I think first we've taken an approach that gives us a unique capability that is succeeding against others who are really explicitly trying to solve the cybersecurity problem. I think the other is that we've been very open-minded about not taking just one approach in a field like data science. We don't just use supervised machine learning, or unsupervised. We don't just use neural networks. We use whatever tool is best to solve the problem. The other is we're not religious about where the product gets deployed. We look at protecting cloud workloads, enterprise private cloud workloads. We look at traditional data centers, users, IoT devices. So we're looking at the threat landscape in a very holistic way. Many of the others out there have a very specific focus as they start. And I think our breadth and our approach is serving us well.

It's interesting, the whole value proposition and business models tend to change with these new value utilities, if you will, because with cloud, it's great. I mean, Amazon's successful because they just never look in the rear view mirror. They just continue to push forward. Sounds like you guys have that same approach. Just keep moving the needle with more people, more data, more software.

Yeah, relentless. It's day one. It's always day one, just like Jeff said.

All right, so you guys are doing good. Where do you guys do well? And specifically, talk about this malware that was hacking computers and doing mining on Bitcoin. Big story that's been in the news lately, a couple of weeks ago. But still, it's important, malware being used for not only hacking your cash, but using your machine to generate Bitcoin.

That's correct. We have a set of algorithms that look for things that we call botnet monetization behaviors. And Bitcoin mining is one of them. So if somebody's mining Bitcoin on your computer, they're not really stealing from you, they're just stealing compute cycles to mine Bitcoin. Finding this stuff is actually really important because the attack landscape can quickly pivot on you. I mentioned before that for cyber attackers, it's a supply chain. If your machine is lashed to a botnet and it's performing Bitcoin mining, let's say the price of Bitcoin falls. The person who owns that botnet might say, screw Bitcoin mining. I'm going to sell all my bot machines to whoever the highest bidder is. Somebody finds out you work for a really interesting company and they want to steal data from you. Ah, they're going to buy that IP address. They're going to buy your machine and they're going to start to launch a direct attack. We've actually seen that scenario in enterprises and been able to alert the team in real time so they can stop it. And it's the AI that's doing it. It's not a human that has to take an action. And that's the thing that's really cool in terms of helping us win. We see a lot of customers run red team exercises in parallel with an evaluation. And that red team is designed to explicitly challenge the blue team. It's not a pen test. A pen test is all about trying to see whether the hacker can break in. In a red team, they actually give the attackers access to a computer on the inside. And then they say, you know, you've got to steal this trophy. They give them a flag.

Capture the flag.

Capture the flag. And the goal of the blue team is to defend it. What we've seen over and over again in these evals is the AI is able to detect those behaviors of the red team in real time, fast enough for them to stop them. So the data isn't stolen. It becomes evidence that if we had this tool every day, then we're a lot better off than we were before.

So you guys aren't just looking for known patterns and mapping policy to some script. You guys are using data in real time, inferring network behavior, to look for anomalies.

Exactly. I'll give you a great example. Last year when there was ransomware, like the NotPetya attack, the thing that was interesting about that is it spread like a worm. We hadn't seen a worm since Conficker, and that was 10 years ago. The interesting thing is we built an algorithm to detect worm-like behavior based on what we had seen 10 years ago with Conficker. It detected the spread of NotPetya. It's because we're looking for the behavior and not the malware, not the payload, that we're able to find it even if it's a brand new attack vector like NotPetya.

And that's the cool thing, because the old style was, let me look for the precise definition of the malware or the exploit or the reputation list. And I personally believe, we've reported on theCUBE, that cloud computing and distributed computing and even decentralized computing, for that matter, encourages more packet movement. More packet movement gives you more data.

That's correct.

It's a great approach. Congratulations, Mike, on your success. Looking forward to seeing what you guys do this year and keeping in touch. Security is obviously at the top of mind. We care about that at theCUBE. Cyber warfare is the number one problem in America. It's the number one problem for enterprises, government and users: spear phishing, malware. You name it, it's out there. We've all been hacked. Probably don't even know it. It's theCUBE. Hacking the data here inside the studio. I'm John Furrier. Thanks for watching.