Live from the MGM Grand Convention Center in Las Vegas, Nevada, it's theCUBE at Splunk .conf2014. Brought to you by headline sponsor Splunk. Here are your hosts, John Furrier and Jeff Kelly.

Okay, welcome back everyone. We are live here in Las Vegas with theCUBE, our flagship program where we go out to the events and extract the signal from the noise. I'm John Furrier, co-founder of SiliconANGLE Media, with the number one big data analyst at Wikibon, Jeff Kelly. Splunk's conference is going on here, .conf2014: happy customers, a lot of new product stuff, a lot of amazing talk about security. Our next guest is Andrew Worcester, network consulting engineer with Cisco's Cyber Range project, product. Welcome to theCUBE.

Thank you.

So what are you seeing out here right now? Honestly, the vibe is pretty hot right now. In the break, everyone's coming in and out. And usually I can tell the conference is good by the tweet volume. If the tweet volume is a little bit light but heavy on content, you know it's pretty damn good. So there's not a lot of pimping going on, a lot of action. What's your take on the show? What's the vibe? Share with the folks what's going on.

Well, it's pretty fun so far. I see a good mix of attendees like myself. I'm sort of a part-time attendee, also speaking as well tomorrow, and just enjoying it. I've got some colleagues here in the partner area doing some demos and things like that, stuff we've been working on. So it's a little bit of a mix all around.

So share with the folks out there your vision and the work you're doing around security. The role of Splunk, the role of big data, really around what we've heard in the keynote. I mean, cybersecurity is huge. You know, you've got attacks coming from foreign countries into America, you have all kinds of other security threats. One, what's your take and what's the general sentiment in the security industry? And then, what are you working on?

Oh, great, yeah.
So what I do is I'm basically in professional services, and so I go and help customers implement Cisco gear and also give them consulting and advice on how to best use it. And traditionally we left off at dropping the gear in and leaving it there, but now people are asking us, well, can you help us integrate with this? Can you help us learn how to use it? And that's sort of where the cyber range concept came up: people were not comfortable using the equipment to the best of their ability. You have lots of incidents where even people who have security technology that's detecting events and incidents, whether it's something easy or something long and drawn out over time, really just need every bit of help they can get. And so one of the big shifts that we're seeing in the market is going towards big data, collecting as much as possible and storing it in a nice organized fashion and then giving people like myself and the customers we work with the tools to easily search into it.

That's interesting. So the hardware business is definitely being impacted by this big data trend. So tell us a little bit more about cyber range specifically. I think you mentioned earlier you're based out in Australia, so you moved out there specifically for this project. Tell us a little bit more about what you're doing.

Yeah, so I originally am from the East Coast here, and then I joined Cisco's Advanced Services in San Francisco, and so I was traveling around doing lots of US-based companies, and then a big project came up, a systems integration style project, and it needed a little bit more mental flexibility than the average Cisco box installation. And so we went out there and we did that, and I was working with Splunk, and that's sort of how I got started. And so I did a little bit of Splunk on the side and I continued to get better and better at it, but then I come here every year and I realize I don't know anything, and so I have to start over again.
And then also I do all the Cisco gear installations and tuning and making sure it's all plugged in the right way.

So making sure the gear is working properly, making sure that you're responding to customer concerns or issues: a very data-driven challenge. So what role is Splunk playing in helping you do that and be more, I guess, responsive to customers and what's impacting them in the real world?

So Splunk is meeting a sort of gap, honestly, in our product, and in every product that you'll see out here on the floor; we've got some competitors of ours, some people we work together with in joint solutions as well. The problem is that there are always going to be attacks and other incidents that make it past all the scanners, or maybe you can't afford to have a scanner in every part of your network, or maybe your scanner is misconfigured or something like that. And so Splunk is taking all the bits of information from disparate systems and trying to glue it together or join it together. And it's also giving you the statistical capabilities to look for patterns that maybe even the scanners themselves or the sensors themselves can't figure out just from one source of truth. So it's sort of a glue and, at the same time, an analysis tool as well.

So walk us through a little bit, from your perspective, the evolution of some of these network security approaches. So intrusion detection, perimeter security, these things have been topics for a while. How has that market evolved? And now we're at Splunk's conference. Now Splunk doesn't necessarily market themselves as a security company, but obviously that's one of the killer apps for Splunk. How has this market developed to the point where Splunk, who is not a security specialist, which is not necessarily what they set out to do, is really one of the leading security providers? Godfrey told us this earlier: they're a leader in the Gartner Magic Quadrant in the space. So how did we get here?
So again, people recognize that you can't get one perfect source of truth from one box, right? And I think for a long time even Cisco itself might have thought that it had the best that could block just about anything, but as attackers evolve they're doing techniques such as lateral movement or pivoting, so they're getting into one system and then moving to another. So in some cases they're evading even the best-in-class sensors. So you need something like Splunk to take information from all these different points and pull it together and then make sense of it somehow. And also assist the humans, assist the users, in making sense of that and reacting to it.

Now from Cisco's perspective, did it make, apparently it made sense to look to a provider like Splunk rather than develop that software internally, or those capabilities internally?

Well, we used to have a product that we end-of-lifed that was a SIEM, and it was taking logs and stuff like that, and it was tough to maintain and it didn't sell very well, right? So they, you know, end-of-lifed that, and now it's kind of coming back up that we need this SIEM technology to compete, for our customers to succeed and not get hacked and not get exploited and things like that. And so now things like Splunk and honestly other companies are starting to come up to the top again, and now this big data concept is coming back: it's simply so much information and it's not well organized and, you know, not many people understand it. You know, logs that have been around for years and years; people, you know, get their CCIEs and they study for months and months and they still don't know what these messages mean, so.

So yeah, expand on that a little bit around the big data component. So you've got Splunk and you've got other tools that are, you know, other approaches, tools, frameworks, whatever you want to call them, Hadoop and all the related technologies and the ecosystem that's developed around there.
Talk a little bit about how the larger big data movement is impacting essentially hardware manufacturers, in your case, you know, networking equipment. How is that impacting the core hardware markets?

Right, so I think the hardware market's still strong, but we've got, you know, other folks within the company working to make our boxes better, right? Give off better intelligence, that's a big drive, so that we can play more evenly with the big data movement, right? As opposed to big data sucking information, or, you know, things like Splunk sucking the information off these boxes, more readily give it off in an organized fashion.

So when you're designing the product, thinking about the types of data you want to come off of these boxes and potentially even running some level of analytics on the box itself.

Right, and so we've got, even in the partner area here, we've got some folks from our Sourcefire team, from our Identity Services, TrustSec team, and they're developing these APIs or these partner ecosystems so that they can play nicely with Splunk, and, you know, we pony up our developer resources, we engage with their developer resources, make sure that their products understand what they're looking at and make sure the visualizations make sense to the ultimate users, which might be more familiar with the platform than the developers of the tool.

So it very much requires deep integration among the different providers.

That's where the movement's going: instead of just a subscription model where you just look at all the information I'm giving you, it's more of a back and forth, you know, maybe we can push some mitigations out to systems, refresh some analytics from one box to another and things like that. That's where things are going.

So what is your take on customers and enterprises in terms of their understanding and appreciation of the security situation that we're dealing with today?
When you hear about a new threat, a new attack pretty much every day in the press, do they understand, do you feel like, or is the understanding of the enterprise, your customers, up to date with the reality of what's really happening out there, or is it over-hyped at all? And how do you see customers and their reaction to what's going on in the security arena?

That's a great point. Customers are actually scared, and you would have seen the security keynote today. The reality is that we see it on the news now, you know, the Target incident, the Home Depot incident, what have you. We were talking about Stuxnet in the keynote. That stuff is reality and it's well known in the industry, even outside of the industry. Like, you know, our parents can understand these concepts now because they have their actual credit cards being stolen and personal information being stolen. So as more information goes into a company's, you know, bottom line, it becomes more valuable. So people understand that. But the problem is that budgets are always hindering what people can do with their software and hardware solutions to keep up to date and hire the right people, analysts, to find these incidents. And so people are woefully underprepared.

So they're really concerned, scared, but they're not ready.

Exactly, exactly. So that's the problem. That's something that Splunk will have to solve, other vendors will have to solve, Cisco has to solve. And so that's the problem of our time.

It's an industry-wide problem. It's not, no one vendor or group of vendors is going to solve it.

Exactly, it's not 100% automated yet, not even close.

So this is the whole, we were at the Cisco booth last week at Oracle OpenWorld. And the unified server thing, UCS systems, which is getting a lot of traction, where it's not just a server anymore, which really speaks to where DevOps is in the cloud, and you know about security. There's no more perimeter anymore.
The cloud and mobile infrastructure kills the perimeter. So what's your take on this? I mean, obviously, not Cisco, I don't want to get the Cisco commercial, but they have proven that unifying stuff together as a unit, kind of an operating model, if you will, versus a siloed approach is working. Amazon with an integrated stack is working for developers. But it brings up the security issues of, okay, no perimeter, that changes the game. APIs, notification economy, whatever you want to call it, whatever the hyped-up term is, means there are doors to open. A ton, ton more doors. What's the impact on security?

The impact on security is it's more permeable, permeated, and everything's just looser, right? And so the DevOps culture is just go as quickly as possible, build as quickly as possible. And the security culture is like, no, slow down a bit. And so the push is going to be, how do we steer to the right cloud services and how do we control how our users or how our employees or our developers communicate with that cloud, and how do our customers communicate back with us? And so it's really about controlling that, whether you're using a file service like Dropbox or Google or something like that, or whether you're using a SaaS like Salesforce or something like that, or even Splunk has its own cloud solution. It's all about making sure that those clouds are communicating information about usage back to the intelligence people back within the company. So your security operations center needs to understand what exactly is happening.

So it's all about trade-offs. We had the banking guy on earlier and it's pretty clear: bank, money, protect the money, protect the credit cards. I see highlights there, worriness or fear, as you mentioned. But what is the trade-off? What are you seeing successful today where, hey, I still want to move the ball down the field on security, I mean on being, having cool apps and a good user experience, and at the same time having awesome security.
What are those trade-offs? What has been a good mix and success that you've seen?

A good mix that I'm seeing in mobility, for instance, is sandboxing applications, giving the companies a kill switch to wipe a mobile device or to wipe a laptop if they think it's been compromised. Giving people the power to mitigate, because Splunk's all about giving the-

And developers, specifically developers, to the sandbox, the play-in.

Yeah, exactly. So you have to be smarter about where the data's living and where it's resting and what exactly is the data. So if you have your mobile app with email, that potentially has confidential attachments in the email app. So it's like, what happens if that's stolen or compromised? How can you remotely wipe that? And developers don't always think about that stuff.

Yeah, and this is where the DevOps angle comes in good. We were talking about it last week, and at all the shows we go to, the impact of virtualization really changes the game. So what kind of new software do the inner-circle security industry guys talk about as, we need to do more of that? Is it more virtualization? Is it more, I want just better flash memory in devices? Or what are the elite tastemakers' conversations around?

So the thing-

More of blank.

The thing Cisco's pushing for in the virtual space, because everyone's virtualizing, right? That's happened already and it will continue to happen almost to the end, right? Until it's 100%.

Virtualize the compiler inside the compiler inside the compiler.

Exactly. So the push now is how do you lock down those tenancy issues? How do you prevent your customer environments from contacting each other? So Cisco's building virtual firewalls. We've got Sourcefire doing host-side stuff, analyzing the actual virtual machines, looking at the processes being launched between them and connections being launched between them, because traditionally we could put a sensor in between the physical network, right?
Just put a tap in there and block stuff in line. If it's in the virtual network, you don't have your hands in so deep. So we've got to collaborate with the virtual vendors to put our software and our solutions inside the virtual network to get better visibility and better control.

And this is just natural evolution. This is like, soon we'll be walking erect and being human again. I mean, because that's where we're at right now. We're in a bad, distressed state with security. I mean, the China attacks, stuff going on, is pretty dangerous. It feels calm, but there's a lot of worrying going on. So given that perspective, what is the craziest thing that you've seen in security? Just kind of like, could be anything, like the weirdest, the craziest, most awesome, or crazy bad, good?

One of the technologies I work a lot with is the web security appliance, basically a proxy that's scanning for, like, virus outbreaks, malware outbreaks, and also controlling, you know, employees going to certain sites. And without fail, once you install that in a company, there's always stuff that goes off. And so that's sort of my look into the real world to see what exactly happens, because the customers will always say, well, we kind of know we have a problem, but we're pretty good, right? And then as soon as you flick it on, you know, same with Sourcefire as well, as soon as you flick it on, you see alerts going off. You're like, I've been compromised. That's the reality. I've already been compromised. So no crazy horror stories or anything like that. But it's more of an awakening.

It's an awakening.

It's an awakening.

Hey, we've been breached.

Yeah, correct.

So long, no one knows.

Correct. And one of the things we're working on with our project, cyber range, is that we're using some of our pen testers and some of our colleagues on the research side who actually go in and help us write sort of zero-day-modeling attacks that actually bypass all our sensors.
And then we're using things like Splunk to make sense of all the different information sources to piece it all together.

Yeah, I mean, I think one of the things that comes up is machine learning meets human curation, right? So the role of the human is key. So you've got to program the machine learning. It's got to learn from someone. So what's your take on that? I mean, share with us things that you've observed and best practices, or just observations around the role of the humans with the machine learning and some of the, I won't say, quote, AI, it's not really AI, but machine learning is very good. But it could be looking for the wrong patterns. So the humans are critical in this.

Correct, correct. One of the best ways I think of being prepared for this is being organized, right? Same with, like, cleaning your room or what have you. If you start out organized and you are orderly in everything on a day-to-day basis, most life tasks become easier. So all these legacy applications, and even Cisco stuff, it just puts out messy information and it's not well documented. It's poorly formatted, things like that. So we look to Splunk to-

It can be noisy.

Correct, correct. And Splunk actually publishes standards and recommended best practices: how should you format your information? And so I look at that as a sort of Splunk developer and I say, well, this is information I should be feeding back to my guys that I work with at Cisco to make their products better and easier to understand.

Well, Guido, who runs the product group at Splunk, and I were talking with Jeff, and the thing that he's most excited about is the field extractor and how that can come in and actually munch the data and at least get some sense out of that unstructured noise.

Exactly. Or structured noise; in some cases, structured.
The hardest part of our job is that there's a lot of legwork that goes into organizing all the information and classifying it before Splunk can even do anything with it, right? So that's why people look to me as a Cisco expert to go in and configure the routers and switches to do it the right way, because without the right level of information you can't make any decisions.

It's like Cisco has its own dialect.

Correct, yeah.

The machine language or the exhaust.

There are at least a few dialects.

Well, we hear all about the data science world. You hear all about 80% of the time spent getting the data ready for analysis. Is that kind of similar to what you're talking about?

Yeah, I would say 80% definitely, yeah, at least. And that's the challenge.

I have a question, being related, but not quite on topic, but I'm just curious if you have an opinion on, so when companies are getting breached, there's security breaches at Home Depot, Target and others, and a lot of them are getting criticized for waiting too long to inform the public, to inform regulators, et cetera. What are your thoughts on that? Should companies be, as soon as they get attacked, should they make it public? Or is there benefit to waiting, and where's that line?

I think it's generally best to share. That's sort of my personality, maybe not my professional stance, but I think that waiting a certain amount of time to be safe, if it will prevent something from happening to other organizations that's similar, I think we have a responsibility sort of as a society to share that information. Same as we have a sort of ethical code among pen testers and white hats and even black hats to share vulnerability information with the vendor before going public, so we have time to patch and time to inform our customers of something that's coming.

You never bet against open and open source. That's one thing that we've definitely validated on theCUBE.
It's always better to just trust in crowds and trust in the open. As it opens things up, good things normally happen. That's what we've seen. So, Andrew, we really appreciate it. We've got to wrap it right there. Got our next segment. Getting the hook here from Greg, the producer. Thanks for coming on. I really appreciate it. Great insight, and you're a tech athlete out there. I love the, I mean, security's fun. If I was going to be a computer science guy again, I was, but in the old days, but now if I was a young kid, I'd definitely be in security. It's fun. It's serious fun.

Certainly awesome.

Well, we'll open a req for you.

No, no, no, I haven't coded in 15 years.

We'll be right back live in Las Vegas. We are here at Splunk .conf2014. This is theCUBE. John Furrier with Jeff Kelly. We'll be right back.