Live from the MGM Grand Hotel in Las Vegas, extracting the signal from the noise. It's theCUBE, covering Splunk .conf 2015. Brought to you by Splunk. Now, here are your hosts, John Furrier and Jeff Frick.

Okay, welcome back everyone. We're live here in Las Vegas. This is SiliconANGLE's theCUBE, our flagship program, where we go out to the events and extract the signal from the noise. We are live at Splunk .conf 2015. I'm John Furrier, with my co-host, Jeff Frick. Today our next guest is David Monahan, Research Director, Security and Risk Management at EMA. Welcome to theCUBE.

Thank you, thank you.

Welcome. Let's analyze the marketplace. Security's hot. Give us the update. I mean, what's going on at a high level here? Splunk, obviously, good platform, use cases, security. We're seeing that they have a lens into their platform with security. How are they doing vis-a-vis the landscape? Who are the horses on the track? Let's discuss that, share with us your opinion.

That's a lot of questions all wrapped up into one there. So I think Splunk is doing very well from a general market perspective, especially, of course, since they're growing by leaps and bounds. They've got a lot of big-name customers. So from that perspective, they're doing very well in the marketplace. There are a number of other vendors that they're competing with. IBM has solutions out there, RSA, LogRhythm. When you start getting down to SIEM, you've got LogLogic and others out there as well. But I think from a growth perspective, they're doing very well against the competition. And I think a lot of it's because they do have a wide variety of support options from the community. And I mean that in terms of creating applications. So they have their own apps that they've built, like ES, which now has been upgraded from an app to its own module. But then you also have many, many other security-related applications created in the community that you can get for free or you can buy.
That has really propelled them forward in many aspects from a security standpoint.

So let's try to separate and squint through the details. Honestly, a vendor like Splunk is one that promotes their products and messages. Some vendors actually promote more than they actually have. Not in this case, I'm not saying Splunk's doing that. But they're a great company, good software. But where are the gaps? Where is the gap in Splunk? Where do they need to do the work? They're getting into the business analytics space. They're asking security. I mean, there are some table stakes that are pretty high bars to hurdle over. Are they making the grade? Where do they need to work? What's your critical analysis of Splunk?

Well, you know, I think the thing that I hear most from a customer perspective in terms of challenges is scoping and scale, right? How much do I need to get from an underlying hardware architecture perspective? How do I architect that? That seems to be the biggest issue because every environment's a little different. So even though they have a great baseline architecture document, some customers experience some issues in that. So I think that's probably the most difficult aspect from a customer perspective. In terms of the other aspects that you asked about, I think they're doing a great job from a machine learning and analytics perspective. I actually wrote a paper about their Caspida and Metafor acquisitions and how I kind of saw the products evolving, and have had a number of conversations with their executive leadership around that. They have a great vision in terms of integrating these capabilities with the core product, the Enterprise product, as well as creating additional modules that customers can purchase that will help them to drill down deeper into specific areas that they need to analyze. And so, for example, the machine logic aspect drills more into time series data.
So it's looking at events that happen over time and then aggregating, correlating, and then analyzing, which is the important part, because SIEMs can aggregate, they can normalize, things like that, your average SIEM. But adding the capability to analyze and determine what's out of range for this particular data set, that's very, very key. And in fact, I've done research recently, a data-driven security research report that asks a large set of the market, what are you using this for? How can you use it? And it's very, very popular. It's getting a lot of market share and it's really accelerating in terms of growth.

Have you done any TAM analysis of just the security portion? What's the TAM just in security? I mean, we were commenting yesterday on our opening segment on how tall Splunk can grow. I mean, they're growing up still, but they're one of the bigger vendors now and they're doing deals with Cisco, you've got Palo Alto Networks right here. So, but on the security side, is there a TAM? Is it billions? Is it limited to them? What's your take?

I really haven't had the opportunity to do that yet. I've got a lot on my plate and unfortunately I haven't been able to do that. I think there are a number of other research firms.

You say big.

Yeah, they're very big, right?

And he says, it's super big. Why even size it? It's just large.

There's definitely a very large market in this space, but I really couldn't quantify it from my own research.

Okay, so my next question is for the complementary aspect of Splunk, got to get your take on that. So Splunk's a good platform. We heard customers say, I want to throw hardware at that. So that's good, Splunk can take more hardware, make it go faster, 6.3 is faster than the last rev. What's the ecosystem play in the security realm for Splunk? Obviously, they have a partner network now, they have a growing ecosystem. Is there more headroom there, a lot more headroom? And where are the complementary components that bolt around Splunk?
We hear Cisco, UCS, we see health and networks.

Well, I think from my perspective, there's a, you know, Splunk is a data aggregator, data analytics tool, right? And it doesn't matter whether it's operations, security, whatever it is, right? And that's one of their strengths, the fact that they can work on data no matter where it comes from. So I think that from my perspective, the answer on that is their ecosystem is really driven by what the particular environment is willing to invest in from their security perspective. 'Cause they'll take endpoint data, they'll take firewall perimeter data, network data, IDS, they'll take packet data at this point. So really it comes down to, from my security strategy in my business, what tools do I want to buy to try and protect myself? And then I can leverage Splunk to give me an additional capability around that data. 'Cause each one of those tools is a silo, right? And that's the problem we have in security: we've got hundreds of tools that are data silos, but we have very few tools that take that data and will actually, you know, pull it across all those silos and then analyze it. We've mentioned SIEM before, and again, that's kind of where we started from a Splunk perspective, log aggregation, right? In the early days. But they've grown well beyond that. And they're one of the tools that has been able to take that data and utilize it to see what's going on from a multi-contextual perspective, right? The more points we have, it's like triangulation on cell phones, which is a great analogy. For trying to locate someone via cell phone, we need at least three points to make that triangulation happen.
While Splunk takes enough data that you don't necessarily just have triangulation, you might have whatever, you know, four, five, six, eight, 10 different data points, which significantly reduces our false positive rate, which is another thing that we find, from a research perspective, is the biggest concern that people have. I get information, but it's false positives, what I do. The next thing is uncorrelated data. That was another big aspect from the research. And so again, by being able to take all these silos of data, put them together at the top and analyze them, you get rid of those two major problems, which over 80% of our respondents, you know, voted for as their top two issues.

So you guys do surveys?

Yes.

And what kind of surveys have you guys done recently that you can share some highlights from?

So I mentioned Data-Driven Security Reloaded. That's one that I finished up a couple of months ago. And I looked at 18 different categories of technology including SIEM technologies, security analytics and security analytics. I have user behavior analysis, anomaly detection and predictive analytics. Those are really the three main categories. And the names flux a little bit between the different analytics vendors, if you will. Initially you had secure web gateways, data classification, data loss protection. We also had next generation firewalls, et cetera. So there's a wide variety of, and that's just 18 out of literally a hundred stacks that we have out there. And in this particular research, I mentioned false positives were a big issue. The ability to correlate data was huge. And so the analytics vendors came out at the top of the stack in terms of value based on total cost of ownership. The relatively small market share, there are not a lot of organizations that have it yet. But the good news is that there's a really high amount of visibility in the marketplace around analytics and what it can do.
And so if you're familiar-

Well, the price might be lower too, right? I mean ROI kicks in, and let's pack a season insight, they expand on that outlier.

Right, it's not a replacement technology, it's an augmentation technology, absolutely. So you don't have to rip and replace something you already have to gain additional value out of the security infrastructure that you already have. And we find that's another aspect that customers really like about that. It's not about coming in and taking something out. It's how, you know, I've spent millions of dollars on this infrastructure. How can I get more out of it without necessarily having to throw more people at it?

Okay, in our last couple of minutes here, we've got like two minutes left. I want to just get your thoughts on what enabling technologies you see out there, whether through your research, anecdotally, talking to customers and vendors, that will help enable this next generation security, I guess, perimeter-less security. Is there any new technology that will impact us? Like, for instance, virtualization's out there, we heard Docker containers. There's now stuff hitting the scene on a DevOps basis. Are you seeing anything out there? Any signals of new tech that looks promising?

Well, I think we've beat the dead horse, to some degree, with analytics, and there are multiple types. And we know that they've invested in both machine learning and analytics from a UBA perspective. Those aspects, I think, are one of the biggest growth areas. Absolutely, with containers coming out, we're looking at organizations or companies that can supply security for containers. Containers look to be a very big growth area, but now it's the question of how do I contain them? How do I segment them and how do I keep them together?
So the companies that can help secure not only virtual environments, but containerized environments, are going to be big as well, because that's going to be a growth area, and it's cheap for companies to create containers. So they're going to need ways to secure those, because there's going to be a similar aspect to what we saw with the growth of virtual machine environments, and the expansion around cloud and that kind of thing. You're going to see a similar expansion around containers, and so we're going to need ways to secure those containers well.

It's all open source, all the code's really agile, so software has leaks, right? So if there's bad software, we'll find a hole in it, right?

Absolutely.

Okay, so final question. What are the top three conversations that you're in every day? Let's do a little machine learning on our own here. Top three pattern-matching conversations. The ones that you seem to have the most of with practitioners and customers in the market today with respect to security.

You know, it's interesting, so I'll say how do I do more with less, but I don't think it's budgets right now, it's people, right? Budgets seem to be on the incline since all the issues in 2014. Our research shows that there's a lot of attention at the C-level, a lot of budgets, but it's how do I get more people? How do I improve the people? So we need technologies that are force multipliers that allow us to do more work with either less experienced people or fewer people in our shop, because unfortunately what's happening is that, especially in the SMB market and the lower mid-markets, they don't have as big pockets as the larger players do, so the guys with the big pockets are getting the big tech, the big personnel, the big talent, and the other folks are having to work on that talent and development, so that's one. Two is how do we enable ourselves to get better visibility across our silos?
A lot of folks bought point solutions so they could get better depth in the visibility, but now they're realizing once again, we have to look at how we can combine all that data and go back there and analyze it. The third one is probably how to detect threats earlier. We realize that technology is great and there are a lot of benefits to each technology, but with the dwell times we're seeing from both the Verizon report, for example, and the Mandiant reports, now FireEye, organizations are being compromised in a fairly short period of time, but there's a long dwell time, so they're trying to understand how they can identify those threats earlier to stop that, so they're not having a multi-million dollar forensics investigation.

Stop the bleeding, if you will.

Absolutely.

Okay, final question to end the segment. What does Splunk need to do within the next year or so in their business model, in their technology, in your opinion, as of now, to be successful?

I'm going to go back to that same dead horse. I think as they continue with the acquisitions of their analytics technologies of both types, they need to continue to integrate that into their core Enterprise modules so that people get additional value out of that, and that's one area they traditionally get beat up on: well, I have to know what I'm looking for. I have to be able to create this query to find something. Well, the whole idea behind analytics is, if you tell it to look at a specific data set, it will tell you what the problems are in that data set, so they'll have to continue to integrate that, and they'll want to integrate that into their applications and make them extensible from that perspective so that the other communities, as they continue to create these applications, can leverage those technologies, and exponentially increase the value of those applications.

I think that's one of the early detections, and then solve the problems.

Absolutely.
Really appreciate David Monahan here inside theCUBE, great analyst from EMA. Thanks for sharing your analyst perspective and analyzing the data, and the horses on the track, as we say here in theCUBE. We'll be back with more live coverage of Splunk .conf after the short break.