Jesse Rothstein, ExtraHop | AWS re:Invent 2018
Jesse Rothstein, ExtraHop, sits down with John Furrier & Dave Vellante at AWS re:Invent 2018 in Las Vegas, NV.

https://siliconangle.com/2018/12/21/machine-learning-network-analytics-could-be-toughest-security-cop-on-the-block-startupoftheweek/

Machine learning analytics could be toughest security on the block

What is breach-detection technology good for? Does a police report help if the thief is already out the back door with the sofa, TV and grandfather clock? Getting closer to real-time analysis is essential to putting out fires before they seriously injure an organization. Cybersecurity officers need not only to detect threats, but also to investigate and act on them immediately. The computing network is emerging as a plane on which they can see and deal with suspicious activity as it happens.

If companies want real-time, always-on security, the network level is the place to be, according to Jesse Rothstein, co-founder and chief technology officer of ExtraHop Networks Inc. “It’s as close to ground truth as you can get, it’s very hard to hide from, and you can never turn it off,” he said.

Security tools that merely examine packets of data in motion may be seen as a superficial form of network security. “If you’re only looking at the packets, you’re barely scratching the surface,” Rothstein stated. Security analytics based on flow data offer a very sparse picture, he added. “It’s like a phone bill. It tells you who’s talking to whom and how long they spoke, but there’s no notion of what was said in the conversation. In order to do really high-quality security analytics, you need to go much deeper,” Rothstein said. Applying more sophisticated analytics to real-time network telemetry results in immediate, actionable detection.
“Network analytics has tremendous implications for security,” he added.

Rothstein spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during AWS re:Invent in Las Vegas. They discussed the role of the network in real-time threat response and the great cloud-versus-on-premises security debate. (* Disclosure below.)

This week, theCUBE spotlights ExtraHop Networks in our Startup of the Week feature.

Splunk for the network

Organizations have been investing in defense in depth for decades. This type of security shuts out attackers at the perimeter and at endpoints, but it does not do a good job of alerting users to breaches happening in real time, according to Rothstein.

Are breaches terribly difficult to spot? Actually, there are not many different behaviors that signal a breach is under way. Verizon Communications Inc.’s “2018 Data Breach Investigations Report” gives statistics on security breaches. According to the report, “there are only nine or so behaviors that account for 90 percent of all breaches … what they look like,” Rothstein said. “You look for reconnaissance; you look for lateral movement; you look for some form of exfiltration.”

ExtraHop monitors the network for activities like these with behavioral models and analytics. “I often describe ExtraHop as Splunk for the network,” Rothstein stated. Splunk Inc. makes a widely used software platform for searching, monitoring and analyzing machine-generated data. ExtraHop uses very different technology, but the idea is the same, according to Rothstein. The company offers analytics products for IT operations and security. Its targeted cybersecurity offering, Reveal(x), uses machine learning to analyze network security threats in depth. Its network behavioral analytics allow it to “detect suspicious behaviors and potential threats, bring them to your attention,” Rothstein added.
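The three behaviors Rothstein names (reconnaissance, lateral movement, exfiltration) are what a network-telemetry detector is actually looking for. The Python below is an added example, not ExtraHop's code and not anything shown in the interview: it runs simple rule-based detectors over a handful of constructed flow records (who talked to whom, on which port, how many bytes; the "phone bill" level of data) and compares each host's outbound volume against a per-host baseline. The 10.0.0.0/8 internal range, the admin-port list, every threshold and all of the sample flows are assumptions chosen for illustration.

```python
"""Rule-based detection of reconnaissance, lateral movement and
exfiltration over flow records. Added example; the internal address range,
thresholds and all sample data are assumptions, not ExtraHop's logic."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the monitored site uses 10.0.0.0/8; anything else is "outside".
INTERNAL = ip_network("10.0.0.0/8")
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}   # remote-admin services
SCAN_PORT_THRESHOLD = 20     # distinct ports on one target -> port scan
SWEEP_HOST_THRESHOLD = 10    # distinct targets on one port -> host sweep
LATERAL_HOST_THRESHOLD = 3   # new internal admin-port peers -> lateral movement
EXFIL_MULTIPLIER = 10        # outbound bytes vs. the host's own baseline


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst in this flow


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def detect_reconnaissance(flows):
    ports_per_target = defaultdict(set)   # (src, dst) -> ports touched
    targets_per_port = defaultdict(set)   # (src, dport) -> hosts touched
    for f in flows:
        ports_per_target[(f.src, f.dst)].add(f.dport)
        targets_per_port[(f.src, f.dport)].add(f.dst)
    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in targets_per_port.items():
        if len(hosts) >= SWEEP_HOST_THRESHOLD:
            findings.append(("host_sweep", src, dport, len(hosts)))
    return findings


def detect_lateral_movement(flows, known_peers):
    """known_peers: src -> internal hosts it has contacted historically."""
    new_admin_peers = defaultdict(set)
    for f in flows:
        if (is_internal(f.src) and is_internal(f.dst)
                and f.dport in ADMIN_PORTS
                and f.dst not in known_peers.get(f.src, set())):
            new_admin_peers[f.src].add(f.dst)
    return [("lateral_movement", src, sorted(peers))
            for src, peers in new_admin_peers.items()
            if len(peers) >= LATERAL_HOST_THRESHOLD]


def detect_exfiltration(flows, baseline_out):
    """baseline_out: src -> typical bytes sent outside per window."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out_bytes[f.src] += f.bytes_out
    findings = []
    for src, total in out_bytes.items():
        base = baseline_out.get(src, 0)
        if total > EXFIL_MULTIPLIER * max(base, 1):
            findings.append(("exfiltration", src, total, base))
    return findings


def analyze(flows, known_peers, baseline_out):
    return (detect_reconnaissance(flows)
            + detect_lateral_movement(flows, known_peers)
            + detect_exfiltration(flows, baseline_out))


# Constructed sample window (not real traffic).
SAMPLE_FLOWS = (
    # 10.0.0.5 walks 25 ports on one host: reconnaissance
    [Flow("10.0.0.5", "10.0.0.20", p, 60) for p in range(1, 26)]
    # 10.0.0.7 opens SMB to three internal hosts it never spoke to before
    + [Flow("10.0.0.7", d, 445, 4_000) for d in ("10.0.0.30", "10.0.0.31", "10.0.0.32")]
    # ... and then pushes 5 MB out to an external address
    + [Flow("10.0.0.7", "203.0.113.9", 443, 5_000_000)]
    # benign: 10.0.0.8 talks SMB to a known file server and browses normally
    + [Flow("10.0.0.8", "10.0.0.40", 445, 8_000),
       Flow("10.0.0.8", "203.0.113.50", 443, 50_000)]
)
KNOWN_PEERS = {"10.0.0.8": {"10.0.0.40"}}
BASELINE_OUT = {"10.0.0.7": 100_000, "10.0.0.8": 60_000}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS, KNOWN_PEERS, BASELINE_OUT):
        print(finding)
```

Running it yields three findings: a port scan from 10.0.0.5, lateral movement from 10.0.0.7 and exfiltration from 10.0.0.7, while the benign host 10.0.0.8 produces none. Note that every signal here comes from flow-level fields alone, which is exactly the "phone bill" data Rothstein describes as sparse: it can say that 10.0.0.7 sent 5 MB outside, not what the 5 MB contained or whether the SMB sessions carried credentials, and the exfiltration check is a plain statistical baseline rather than the predictive per-endpoint model described later in the article.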
Reveal(x) connects to ExtraHop’s broader analytics platform, which gives users the ability to investigate threats on the fly. “You’re a click away from being able to investigate or disposition these detections and see, ‘Hey, is this something I really need to be concerned about?’” Rothstein stated.

Importantly, it doesn’t rely solely on statistical baselines, but is actually predictive. “We’re actually building predictive models around how we expect endpoints and instances to behave, and then when they deviate from their model, that’s when we say, ‘Hey, there’s something strange going on,’” he said.

...

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of AWS re:Invent.

(* Disclosure: ExtraHop Networks Inc. sponsored this segment of theCUBE. Neither ExtraHop nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)