From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hi, and welcome to theCUBE Studios for another CUBE Conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host today, Peter Burris. One of the biggest challenges that every enterprise faces is how best to focus attention on the most important assets that are driving or facilitating that drive, the digital business and digital business transformation. There's been a lot of emphasis over the last 50 years in tech on the hardware assets, but increasingly, we need to look at the elements of IT that are actually creating net new value within a business, namely the people, the services, and the data that make digital business possible. And that requires that we rethink our approaches to how we actually manage, conceive of, and monitor those key assets, and is likely to lead to some very interesting unifications over the next few years, especially in SecOps and NetOps. Now, to have that conversation, we've got a great guest today. Sanjay Munshi is the Vice President of Product Management at NetScout Technologies. Sanjay, welcome to theCUBE.

Thank you, Peter, thank you.

So Sanjay, I said a lot upfront, but before we get into that, tell us a little bit about NetScout.

Thank you, Peter, for the introduction. NetScout is a smart data company. NetScout has three decades of leadership and innovation in troubleshooting, monitoring, and securing IP-based networks. We are deployed in 90% of the Fortune 500 companies and 90% of the top communication service providers worldwide. We have 50% market share in each of the three segments that we play in, whereas the next biggest competitor we have has less than 5%.
Those three areas are, number one, network and application performance monitoring for hybrid cloud infrastructure for enterprises; DDoS and security for enterprises and service providers; and service assurance for service providers, which includes mobile operators, cable providers, as well as ISPs. Today we operate in 50-plus countries worldwide. We have 2,500-plus employees and 500-plus patents to our credit.

Impressive story. Let's get right to the issue, though, and how NetScout is actually participating in some of these crucial transformations. I mentioned upfront that one of the biggest challenges that every enterprise has is to focus more of their attention on those digital assets that are actually driving change in new sources of value, namely the data, the services, and the devices and the people, the applications and people that use those. So one of the challenges that we've had is that a focus on devices leads to a focus on certain classes of data that are mainly improved, or focused on improving, the productivity of those devices. Give us a background on what that means.

Let me introduce the concept of smart data that's born out of NetScout right away. So with smart data, NetScout pioneered the leverage of wire data or packet data three decades back that drives our nGenius portfolio, that drives NetOps and CloudOps. ASI, or Adaptive Services Intelligence, is the smart data that comes out of packets. With ASI smart data, we uniquely converge application and network performance monitoring to give our customers thorough visibility across application tiers, end-to-end networks, and diverse data center locations.

So just to pick up on that, moving away from a log focus, which is, again, mainly "let's improve the productivity of the device," we're moving into ASI, which is focused on "let's improve the productivity of the connection and the application."

Absolutely, absolutely. And we'll talk a little bit more about log.
Let's talk about log and NetFlow, other sources of data that folks have gravitated towards, which are not authoritative by any means. Let's take log data, for example, syslog data. As soon as a threat actor, for example, gets access to your system, the first thing the threat actor will do is to turn off logging or, worse, change the log data, change the syslog messaging itself. Let's take a look at NetFlow data, for example. NetFlow data's number one problem is it doesn't have layer seven intelligence in it. Number two, it's not generated by all the devices in the network. For example, the IoT devices do not generate any kind of flow data. So the only data that is authoritative and that comes with high fidelity is packet or wire data. That's one element of smart data that we have. The other element of smart data comes from our Arbor portfolio. Arbor products are deployed in 400-plus tier one operators, mobile operators and service providers worldwide, and as such, we see one third of the internet traffic. Through our strategically located sensors in the service provider core, we are able to generate another type of smart data that we call ATLAS Intelligence Feed, or AIF in short. AIF, or ATLAS Intelligence Feed, essentially tracks cyber reputation across domains, across geolocations, and across user identities. The combination of the ASI smart data that is generated from the core of the hybrid cloud infrastructure, let's call it intranet, and AIF smart data that is generated from the internet core gives NetScout a unique data set combination that's unparalleled in the marketplace and makes us perhaps one of the few vendors who can drive a consolidated visibility architecture across NetOps, CloudOps, and SecOps.
Okay, so let's turn that into, again, some very practical things for folks, because what IT has historically done, by focusing on individual devices or classes of devices and the data that those devices generate, is end up with a panoply, a wide arrangement of security tools that are each good at optimizing those devices with data that, as you said, may not necessarily be authoritative, but it's difficult to weave that into a consolidated, unified SecOps, NetOps overall, not just architecture, but platform for performing the work, the crucial work of sustaining your digital business infrastructure. How does smart data translate into unified operations?

Very good point, Peter, thank you. That's a very good point. So let me give you an example and talk about the customers where we have deployed our ASI smart data, our hybrid cloud infrastructure. This is a typical Fortune 500, where NetScout is deployed as the hybrid cloud monitoring infrastructure on the NetOps and the CloudOps side. Typically, you will see this type of organization has one tool to cover the entire hybrid cloud monitoring infrastructure across their entire portfolio, whether it is on-prem, whether it's in the cloud, whether it's in the co-location facility. But when you look at the SecOps, on the security side, the story is completely different. The same organization, the same enterprise customer, has 25 to 30 different disparate tools. As a matter of fact, analysts are saying today that a typical Fortune 500 in the US has 70 disparate security tools. Why is that the case? Why is it that on the NetOps and CloudOps side, they need one tool, NetScout for example, but on the SecOps side, there are 70 different products? The reason is not only smart data, but also smart architecture. So what we have seen, what we have done over the past three decades, is we have designed this two-tier architecture that generates smart data.
The tier one is our distributed instrumentation or sensor framework, which we call InfiniStream or vSTREAM. This is the distributed sensor framework that is deployed in the hybrid cloud infrastructure that generates the ASI smart data. And then we have the centralized analytics layer, which is our nGenius platform, that essentially correlates data across the hybrid cloud infrastructure and provides customers complete visibility across the portfolio of their data centers. On the SecOps side, the security side, security is roughly 10 to 15 years old. Security tried to emulate this two-tier model as well, but the security industry failed in doing that. Nobody could design this distributed sensor instrumentation cost-effectively to make wire data feasible for analytics. With the result, they migrated to, as you said, these subpar sources of data, like syslog, like NetFlow. And today, they put all the emphasis on the analytics layer, and with the result, they need one tool per use case or one vendor per use case on the SecOps side, and that's why you see the tool proliferation: because they don't have this distributed sensor framework that will make wire data or packet data feasible for the analytics layer.

Yeah, I want to build on something you're saying, because it's a misperception that all resources and all work of digital business and technology are going to end up in a central cloud location. The cloud really is an architecture for a more broad distribution of data and work, which means ultimately that if we don't deal with this proliferation of security tools now, we're going to probably have an even greater explosion in the number of security tools, which will more radically diminish our ability to establish new classes of options in digital business.

Very good point. As a matter of fact, just a couple of years back, the average number of tools was 40 in a SecOps portfolio.
For enterprises in the US, today it's 70, and it could go to 100, but if you look at the risk profile, the risk profile has stayed the same. In many cases, deteriorated. What we found is the number of tools is going up, the cost of breach is going up, the number of breaches is going up, and at the same time, the number of analysts is always in depth. So in short, high investments on the security side fail to reduce risk. So the risk and investment vectors are both going northbound, both are going up. So how do you control that? How do you make them come down? The only way is smart data on a smart platform, on a smart analytics layer.

Yeah, again, let me emphasize this crucial point, because it's one of the things that we've seen in our conversations with clients: a proliferation of tools, a proliferation of data, leads to a proliferation of tasks and responsibilities within a business, and you end up with more human failure as a consequence. So by bringing all these things together, you end up with smarter data, a smarter platform, simpler operations, more unified operations, and you get greater leverage. So let's talk then about, ultimately, how should a business, what's the roadmap? What's the next two or three things that an enterprise needs to do to start bringing these, to start unifying these resources and generating the simplicity, so that you open up greater strategic options for how you configure your digital business?

That's a very good point. So two things we talked about already. One is smart data, relying on smart data which comes from wire data or packet data, and the second is smart architecture, which comprises this two-tier architecture with the distributed instrumentation and centralized analytics. What happens when you do that is, the first thing is early warning detection.
What we have realized, Peter, is that if you look at the traditional kill chain, Lockheed Martin's kill chain, or the MITRE model that people are using now, at traditional reconnaissance, weaponization, as well as exfiltration, we have seen that if you rely on, if you generate analytics based on packet data or smart data, which we do at NetScout, you can detect these phases much earlier than if you rely on device data, NetFlow, or syslog. So what I call day minus, not day zero, but day minus. So leveraging the smart data and smart architecture, we're able to detect these threats or compromises much earlier than a traditional kill chain model or a MITRE model.

But again, the reason why is because we're looking at patterns in the traffic. We're looking at behavioral patterns in the traffic.

That's correct. So let me go a little bit more technical, if you will. We're looking at transactions at the DNS level, transactions at the DHCP level, or at the Active Directory level. That happens much earlier than when a lateral movement or a reconnaissance is detected. This happens much earlier because we have the smart data, the wire data, that enables us to do this early warning detection.

You get more visibility at the source as opposed to the target.

That's correct, that's correct, Peter. The second thing that happens with this smart architecture, the two-tier architecture, is the consolidation of use cases. We talked about it a little bit. So today, in our hybrid cloud scenario that NetScout is deployed in at Fortune 500s, over the past two, three decades, our customers have moved from private cloud infrastructure. First, they had the core IT, then they moved to private cloud, VMware, Cisco, then they moved to co-location, Equinix, and others, and then they moved also to public cloud. All the workloads are migrating everywhere. We did not make any change to our instrumentation layer. Can you believe it? No changes.
The only changes we made were in the analytics layer to take care of the new use cases. So with the result, we could consolidate multiple use cases in the cloud monitoring into one platform, the smart platform with smart data. Now we are bringing that value into security with the smart platform and smart data that we talked about. So the consolidation of use cases on the security side is a second advantage, other than the early warning detection that we talked about.

So this has got to improve detection, it's got to improve management, it's got to improve forensics. Have I got that right?

Very good point. Forensics, we should talk about a little bit more perhaps. The second set of things that we are doing, or we have done, is consolidate, on the SecOps side, forensics and detection. So let me explain that a little bit more. If you look at a typical enterprise today, they use a SIEM, or Security Information and Event Management platform, to correlate data from multiple sources. So in the event of a SIEM alert, an alert generated by a SIEM platform, forensics teams need to determine what happened and what systems were impacted, essentially the what, when, how, where of the alert or the compromise that has been detected. Today, as we said, security teams are not using packet data at all, but forensics teams, in order to validate that alert, need to access sessions, they need to access packets belonging to that alert. But they cannot today, because none of the devices, none of the security platforms, is using wire data in the first place. So what the security teams are doing, the forensic analysts, is leveraging tools like Wireshark and tracking investigations with spreadsheets. This is delaying the investigation time. As you know today, it's well known that this causes alert fatigue, and 50% of the alerts that are going to the SIEM today are disregarded by the security analysts.
With the result, the real threats are going unabated, and enterprises come to know about a security breach from the media rather than from their own IT department.

Sanjay, so we've had a great conversation talking about how smart data, smart platform is going to lead to greater unification of tasks, people, and responsibilities in SecOps and NetOps, and some of the significant impacts on an enterprise's overall response stance, both from a detection, management, and forensic standpoint. So once again, I want to thank you very much for being on theCUBE. Sanjay Munshi.

Thank you. Thank you, Peter.

And thanks again for joining us for another CUBE Conversation. We've been with Sanjay Munshi of NetScout Technologies. I'm Peter Burris. See you next time.