Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners.

Hey, welcome back everyone. Live here in Las Vegas, AWS re:Invent 2018. Live coverage from theCUBE. I'm John Furrier, Dave Vellante, my co-host. Wall-to-wall coverage day, six years covering Amazon, watching it grow, watching it just an unstoppable force of new services. Web Services being realized from the original vision years and many, many years ago, over a decade. Jesse Rothstein, CTO and co-founder of ExtraHop, our next guest, welcome back to theCUBE. Good to see you.

Thanks for having me.

Good to see you. So first of all, before we get into the conversation, what's your take on this madness here?

It's pretty crazy. You know, this is, I think this is my sixth year as well, and this show must double in size every year. It's enormous, spread across so many venues, so much going on, it's almost overwhelming.

We remember six years ago, we used to be on theCUBE, and I think we just kept the stream open. Hey, come on up, we had an opening. Now it's like theCUBE, people are trying to get on, no more room, we're dying, we go as hard as we can, 16 interviews, hundreds of interviews, lots of change. So I got to ask you, what is your view of the ecosystem? Because back then, a handful of players in there, you guys were one of them, a lot of opportunities around the rising tide here. What's your thoughts on the ecosystem evolution?

Well, of course the ecosystem has grown. This show has really become recognized as the preeminent cloud show, but I see some themes that I think have certainly solidified. For example, I've spent a bunch of time on the security track. That's the largest track by far, I'm told. They're actually breaking it out into a separate add-on conference coming up in the summer. So clearly there's a great deal of interest around cloud security as organizations.

So did they actually announce that security conference?

They did.

So it was in Boston in June, I think it is, right?

Correct, they announced that. I think, I don't want to mess up the dates. June, late June.

I think June 26th, breaking news here, that's new information. That's a really good signal for Amazon. They're taking security seriously. When I interviewed Andy Jassy last week, he said to me, security used to be a blocker. Oh, the cloud's not secure. It was just a couple of short years ago. Now it's actually a competitive advantage, but still a lot more work to get done. Network layer all the way up. What's your take?

Never done.

Well, so that's what Andy says, and I think that I would rephrase that slightly differently. Security used to be a blocker and it used to be an area of anxiety and organizations would have huge debates around whether the cloud is less secure or not inherently. I think today there's a lot more acceptance that the cloud can be just as secure as on-prem or just as insecure. From my view, it relies on the same people, processes, and technologies that are inherently insecure as we have on-prem and therefore it's just as insecure. There are some advantages. The cloud has great API logging, building blocks like CloudTrail, new services like GuardDuty, but at the same time, it's hard to hire for cloud security expertise and there isn't an inherent opacity in public cloud that I think is a real challenge for security.

And bad human behavior always trumps good security.

Of course.

Talk about ExtraHop, how you guys are navigating. You guys have been in the ecosystem for a while. Always an opportunity to grow. I love this. TAM is expanding, huge expansion in the addressable market. New use cases. What's up with you guys? Give us an update. Where's the value proposition resonating? What's the focus?

Well, you can probably tell from my interest that we see a lot of market pull and opportunity around cloud security. ExtraHop is an analytics product for IT ops and security. So there's a certain segment of what we do for IT operations use cases. Delivering essentially a better level of service. We attach to use cases like cloud migrations and new application rollouts. But we also have a cybersecurity offering that's a very advanced offering around network behavioral analytics, where we actually can detect suspicious behaviors and potential threats, bring them to your attention, and then since we leverage our broader analytics platform, you're a click away from being able to investigate or disposition these detections and see, hey, is this something I really need to be careful about?

Give an example of some of the network behavior, because I think this is a real critical one, because with no perimeter, you got a surface area, you got APIs. This is the preferred architecture, but you got to watch the traffic. How are you guys, be specific and give an example.

So some of my favorite examples have to do with detecting when you've already been breached. Organizations have been investing in defense in depth for decades, you know, keep the attackers out at the perimeter, keep the attackers away from the endpoint, but how would you know if you've already been breached? And it turns out, Verizon does a great data breach investigation report annually, and they determined that there are only nine or so behaviors that account for 90% of what all breaches do, what they look like. So you look for things like parts of the cybersecurity attack chain. You look for reconnaissance. You look for lateral movement. You look for some form of exfiltration. Where ExtraHop has taken this further is that we've built sophisticated behavioral models. We're able to understand privilege. We're able to understand what are the most important systems in your environment, the most important instances. Who has administrative control over them? And then when that changes, you want to know about it, because maybe this thing, this instance, you know, in an on-prem environment, it could be like a contractor laptop or an HVAC system. It now exercises some administrative control over a critical system, and it's never done that before. We bring that to your attention. Maybe you want to take some automated action and quarantine it right away. Maybe you want to go through some sort of approval process and bring it to someone's attention, but either way, you want to know about it.

I want to get your reaction to a comment I saw yesterday morning at a keynote on Teresa Carlson's breakfast, the public sector breakfast. Christine Halvorsen from the FBI said, we're in a data crisis. And she talked about that they can't react to some of these bad events and a lot of it's post-event. That's the basic stuff they need now. And she said, I can't put the puzzle pieces fast enough, together fast enough. So you're actually taking that from a network ops standpoint, IT ops. How do you get the puzzle pieces together fast? What's the secret?

Well, so the first secret is that we're very focused on real-time network data and network telemetry. I often describe ExtraHop as like Splunk for the network. The idea requires completely different technology, but the idea is the same. Extract value and insight of data you already have. But the advantage of the network for security, and what I love about it, is that it's extremely real-time. It's as close to ground truth as you can get. It's very hard to hide from and you can never turn it off. So with all of those properties, network analytics makes for, just tremendous implications for security.

I mean, you're visibly excited. I'm a data geek myself, but you made a good point I want to double down on is that moving packets from A to B is movement. And movement is part of how you detect it, right?

It is, but so packets itself, that's data in motion, but if you're only looking at the packets, you're barely scratching the surface. Companies have tried to build security analytics based on flow data for a long time. And flow data, flow records, it's like a phone bill. It tells you who's talking to whom and how long they spoke, but there's no notion of what was said in the conversation. In order to do really high-quality security analytics, you need to go much deeper. So we understand resources, we understand users, we understand what's normal, and we're not using statistical baselines. We're actually building predictive models around how we expect endpoints and instances to behave, and then when they deviate from their model, that's when we say, hey, that's the key point for you guys.

And that means you can help me prioritize.

Absolutely.

Because that's the biggest challenge these guys have, right? They oftentimes don't know where to go, they don't know how to weight the different.

So that's one challenge, and I think another really big challenge, and we see this even with offerings that have been publicized recently, is that detection itself isn't good enough. That's just an alert cannon. And there was a session that actually talked about alarm deafness that occurs, it occurs in hospitals and other environments where all you get are these common alarms, and people stop paying attention to them. So in addition to the ability to perform high-quality detections, you need a very streamlined investigative workflow. One click away so you can see, okay, what's going on here, is this something that requires additional investigation?

Well, I think you guys are on the right track, and I think what's different about the cloud is that they call this show re:Invent, but rethinking existing stuff for cloud scale is a different mindset. It's a holistic, like you're taking more of a holistic view thing. I'm not going to focus on a, quote, packet path or silo that I'm comfortable with. You kind of got to look at the bigger picture and then have a data strategy or some competitive, unique IP.

I think that's an excellent summary. What I would add is that organizations, as they kind of follow their cloud journey, we're seeing a lot of interest from security teams in particular that don't want to do swivel chair kind of integration, where I have something on-prem and I have something in the cloud. They want something much more holistic, much more unified, much more seamless, much more automated. You know, I sat in about five different security track sessions and every single one of them kind of ended with the, so we automated it with a Lambda function. Clearly a lot of capability for automation in public cloud.

Jesse, great to have you on theCUBE. CTO co-founder of ExtraHop. What's next for you? What's going on? What's next?

Well, we continue to make really big investments on security. I wish I could say that cybersecurity would be done at some point, but it will never be done. It's an arms race. Right now I think we're seeing some really great advancements on the defense side that will translate into big success. Always focusing on the data problem. As data goes from 10 gigabits to 100 gigabits, you know, Amazon just announced their C5 accelerated 100 gigabit network adapter. Always looking at how can we extract more value from that data in real time.

Well, we got to get you back on the program. We're going to increase our cybersecurity coverage. We certainly will be at the security event. I didn't know it was announced publicly June, I think 26th and 27th in Boston. Give or take a day on either side. Could be the 27th, 28th, 26th, 27th. This is a big move for Amazon. We'll be there.

I think it is.

Great job. Live coverage here from the floor on the Expo floor at Amazon re:Invent 2018. We'll be right back. Cube coverage after this short break. Two sets, we'll be right back.