John Walls: Well, hello everybody. I'm John Walls here with theCUBE and we're very happy to continue our coverage here of Splunk .conf21. And today we're going to talk about cybersecurity. Obviously, everybody is well aware of a number of breaches that have happened around the globe, but you might say there's been a surge in trying to prevent those from happening down the road. And I'm going to let our guest explain that. Ryan Kovar, who's a security strategist at Splunk. Ryan, good to see you with us here on theCUBE. Glad you could join us today.

Ryan Kovar: Thank you very much. I wish we could have been doing this in person, but such is the time of life we live.

John Walls: Yeah, we have learned to live on Zoom. That's for sure. And it's the next best thing to being there. So again, thanks for that. Well, let's talk about SURGe, if you will. I know obviously Splunk and data security go hand in hand. That is a high priority with the company, but now you have a new initiative that you're just now rolling out to take that to an even higher level. Tell us about that.

Ryan Kovar: Yeah, it's something I'm extremely excited to announce. The first time we're really talking about it is at .conf21, which is wonderful. And it's kind of the culmination of my seven years here at Splunk. Before I came to Splunk, I did about 20 years of cybersecurity research and defense and nation-state hunting and threat intelligence and policy and compliance and just about everything, public sector in the US and the UK, private sector, a couple of different places. So I've kind of been around the block. One of the things I found that I'm really passionate about is just being a network defender or a blue teamer. And a lot of my time here at Splunk has been around that. It's been speaking at conferences, doing research, coming up with ways to basically defend organizations with the tools they have at hand. And something that we say a lot is we work on the problems of today and tomorrow, not the distant future, right? The really practical things.

And there's a little bit of a thing called SolarWinds, you might have heard of it, that happened earlier in December. And we were able to stand up kind of an ad hoc, rag-tag group of Splunkers around the world in a matter of hours. And we worked about 24 hours through, handing over to Australia, into EMEA, and then back over to America, and were able to publish really helpful work for our customers to detect or defend or mitigate against what we knew at the time around SolarWinds, the attack. And then as time went on, we were continuing to write and create material, but we didn't have a group that was focused on it. We were all kind of chipping in after hours or deprecating other bits of work. And I said, you know, we really need to focus on this. This is a big deal. And how can we actually surge up to meet these needs, if you will, the play on the pun there. So we created an idea of a small team dedicated to current events and also doing security research around the problems that people are facing around the world in security who use Splunk and maybe even those who don't. And that's where the idea of this team was formed, and we've been working all summer. We're releasing our first research project, excuse me, at .conf, which is around supply chain compromise using JA3 and Splunk, authored by myself and primarily Marcus LaFerrera. And we have other research projects coming out every quarter, along with doing this work around just helping people with any sort of immediate cybersecurity threat that we're able to assist with.

John Walls: So what are you hoping that security teams can get out of this work? Obviously you're investing a lot of resources and doing the research, I assume diversifying, you know, the areas into which you're exploring. Ultimately, what would be the takeaway if I was on the other end, if I was on the client end? What would you hope that I would be extracting from this work?

Ryan Kovar: Sure. We want to get you promoted. I mean, that's kind of the joke of it, but we talk a lot. I want to make everyone in the world who uses Splunk or cybersecurity look good to their bosses and defend their company as fast and quickly as possible. So one of the big mandates for my team is creating consumable, actionable work and research. So we joke a lot that, you know, I have a pretty thick beard here, one I even call a neck beard. And a lot of people in our community, we create things for what I would call wizards, cybersecurity wizards. And we go to conferences and we talk from wizard to wizard and we kind of sit on our ivory tower on stage and kind of proclaim out how to do things. And I've sat on the other side, and sometimes they sound great, but they're not actually helping people with their job today. And so the takeaway for me, what I hope people are able to take away, is we're here for you, we're here for the little guys, the network defenders. We're creating things that we're hoping you can immediately take home and implement and do and make better detections and really find the things that are immediate threats to your network, and not necessarily having to, you know, create a whole new environment or apply magic.

John Walls: So is there a difference then in terms of, say, enterprise threats, as opposed to if I'm a small business or a medium-sized business? Maybe I have four or 500 employees as opposed to four or 5,000 or 40,000. What about, you know, finding that ground where you can address both of those levels of business and of concern?

Ryan Kovar: You know, 20 years ago or 10 years ago, I would have answered that question very differently. And I fully acknowledge I have a bias in nation-state threats. That's what I'm primarily trained in. However, in the last five years, thanks or no thanks to ransomware, what we're seeing is the same threats that are affecting and impacting Fortune 100, Fortune 10 companies, the entire federal government of the United States, are the exact same threats that are actually impacting and causing havoc on smaller organizations and businesses. So the reality is, in today's threat landscape, I do believe actually the threat is the same to each, but it is not the same level of capabilities for a 100-person or 500-person company compared to a company the size of Splunk or a Fortune 100 company. And that's something that we are actually focusing on: how do we create things that help every size of that business?

John Walls: Right, yeah, I mean, giving me the tools, right?

Ryan Kovar: Exactly. Which is giving you the power to fight that battle yourself as much as possible. You may never be able to have the headcount of a Fortune 100 company, but thanks to the power of software and tools and things like the cloud, you might have some force multipliers that we're hoping to create for you in a much more packaged, consumable method.

John Walls: Yeah, let's go back to the research that you mentioned. How did you pick the first topic? I mean, because this is your splash, and I'm sure there was a lot of thought put into where do we want to dive in first?

Ryan Kovar: You know, I'd love to say there was a lot of thought put into it because it would make me sound smarter, but it was something we all just immediately knew was a gap. You know, SolarWinds, which was a supply chain compromise attack, really revealed to many of us something that reporters had been talking about for years that we never really saw come to fruition as a real actionable threat. And when we started looking at our library of offerings and what we could actually help customers with, I talked to over 175 federal and private sector companies around the world in a month and a half after SolarWinds. And a lot of times the answer was, yeah, we can't really help you with this specific part of the problem. We can help you around all sorts of other places, but like, gosh, how do you actually detect this? And there's not a great answer. And that really bothered me. And to be perfectly honest, that was part of the reason that we founded the team. So it was a very obvious next step: well, this is why we're creating the team, then our first product should probably be around this problem. And then you say, okay, supply chain, that's really big. That's a huge chunk of work. So the first question is like, well, what can we actually effect change on without talking about things like quantum computing, right? Blockchain, quantum computing, these are all solutions that are actually possible to solve or mitigate supply chain compromise, but it's not happening today. And it sure as heck isn't even happening tomorrow. So how do we create something that's digestible today? And so what Marcus did, and one of his true skill sets, is really refining the problem down, down, down, down. And where can we get to the point of, hey, this is data that we think most organizations have a chance of collecting. These are methodologies that we think people can do, and how can they actually implement them with success in their network. And then we test that. And then we kind of keep doing a, I'm a huge fan of the concept of the OODA loop, Observe, Orient, Decide and Act. And we do that through our hypothesizing. We kind of keep looking at that and iterating over and over and over again until we're able to come up with a solution that seems to be applicable for the personas that we're trying to help. And that's where we got to with this research of, hey, collect network data, use a tool like Splunk and some of our built-in statistical analysis functions, and come out the other side. And I'll be honest, we're not solving the problem. We're helping you with the problem.

And I think that's a key differentiator of what we're saying: there is no silver bullet. And frankly, anyone who tells you they can solve supply chain, let me know, because I wanna join that hot new startup. The reality is we can help you go from a field of haystacks to a single haystack. And inside that single haystack, there's a needle, right? And there's actually a lot of value in that because before, the problem was unapproachable. And now we've gotten it down to saying like, hey, use your traditional tools, use your traditional analytic craft on a much smaller set of data where we've pretty much verified that there's something here, but look right here. And that's where we kind of focused.

John Walls: You talked about, and we all know about, the importance and really the emphasis that's put on data protection, right? At the same time, can you use data to help you protect? I mean, is there information or insight that could be gleaned from data, whether it's behavioral or whatever the case might be, that not only is something that you can operationalize and it's a good thing for your business, but you could also put it into practice in terms of your security practices too?

Ryan Kovar: 100%. The undervalued aspect of cybersecurity, in my opinion, is elbow grease. You can buy a lot of tools, but the reality is, to get value immediately, usually the easiest place to start is just doing the hard, detail-oriented work. And so when you ask, is there data that can help you immediately, data analytics, actually I go to knowing what you have in your network, knowing what you have that you're actually trying to protect, asset and inventory, CMDB, things like this, which it's not attractive, it's not something people wanna talk about, but it's actually the basis of all good security. How do you possibly defend something if you don't know what you're defending and where it is? And something that we found in our research was, in order to detect and find anomalous behavior of systems communicating outbound, it's too much. So what you have to do is limit the scope down to those critical assets that you're most concerned about. And a perfect example of a critical asset, and there's no shame or victim blaming here put on SolarWinds, it's just that that is an example of an appliance server that has massive impact on an organization, as we saw in 2020. And how can you actually find that if you don't know where it is? So really that first step is taking the data that you already have and saying let's find all the systems that we're trying to protect, in what's often known as a crown jewels approach, and then applying these advanced analytics on top of those crown jewels to limit the data scope and really get it to just what you're trying to protect. And once you're positive that you have that fairly well defended, then you go out to the next tier and the next tier and the next tier. And that's a great approach to take things you're already doing today and applying them and getting better results tomorrow.

John Walls: Well, before I let you go, I'd like to just have you put a bow on SURGe, if you will, on that package. Why is this a big deal to you? It's been a long time in the making. I know you're very happy about the rollout this week. What's the impact you wanna have? Why is it important?

Ryan Kovar: We did a lot of literature review. I have a very analytical background. My time working at DARPA taught me a lot about doing research and development and, oddly enough, the value of failure, and how much sometimes even failing, as long as you talk about it and talk about your approach and methodology and share that, is important. And the other part of this is I see a lot of work done by many other wonderful organizations, but they're really solving for a problem further down the road, or they're creating solutions that not everyone can implement. And so what I think is so important and what's different about our team is we're not only thinking differently, we're hiring differently. We have people who have a threat intelligence background from the White House. We have another researcher who did 10 years at DARPA in security research and development. We've recently hired a former journalist who has made a career pivot into cybersecurity, and she's helping us really review the data and what people are facing and come up with a real connection to make sure we are tackling the right problems. And so to me, what I'm most excited about is we're not only trying to solve different problems than I think what most of the world is looking at for cybersecurity research, we've staffed it to be different, think different and come up with things that are probably a little less normal than everyone's seen before. And I'm excited about that.

John Walls: Well, and rightly so. Ryan, thanks for the time. Pleasure to have you here on theCUBE, and the information again, the initiative is SURGe. Check it out. Splunk very much active in the cybersecurity protection business, and so we certainly appreciate that effort. Thank you, Ryan.

Ryan Kovar: Wonderful. Thank you very much, John.

John Walls: You bet. Ryan Kovar joining us here on our CUBE coverage. We continue our coverage of .conf21.