Live from the Walt Disney World Swan and Dolphin Resort in Orlando, Florida, it's theCUBE. Covering Splunk .conf 2016, brought to you by Splunk. Now, here are your hosts, John Furrier and John Walsh.

And welcome back here on theCUBE. We are live in Orlando, Florida here at .conf 2016 with Splunk, with its community, with its users, customers, vendors. Just a huge congregation of Splunk energy that we've been bringing you here over the past couple of days, along with John Furrier. I'm John Walsh, and it's time for us to go back to school, John. You know, we're going on campus at Rice University and Indiana University, respectively. Albert Balt, who's a security analyst at Rice. Albert, thank you for joining us here.

Thank you for having us.

Good to have you. And Alan Tucker, who's the manager of the Help Net Central Systems at IU. And a CUBE alum.

A CUBE alum. Right? You're here. Last year, yeah. Yeah, yeah.

First off, you know, a couple of universities. What are you guys doing here? How does Splunk interface with what you're doing at Rice and then IU? Why don't you, Albert, if you would lead off.

We're doing, what brought us here this year is we were able to have an offering to talk about what we've been able to use Splunk for. And it was intelligent driven, dynamic block list. So that gave us an opportunity to come here. And Splunk has actually replaced some older ways of doing things like our log correlation processes for other aspects of it. And also replaced our SIEM product, essentially. So we're maturing through that process right now.

That's right. And Alan?

Yeah, so both members of my team are speaking today and actually both went fantastically. So we're just spending the time trying to soak in new ideas as well as really focus on trying to develop what we've already put out there.
And so when you say new ideas, I mean, is there something like the near horizon set an area in which that you're really looking at for you, whether it's improvement or whether it's speed, efficiency, whatever it is, you said, okay, yeah, we can tweak this a little bit as far as your operation back in Bloomington's concerned.

Yeah, so probably one of the biggest things is behavior analytics and machine learning. So we have an offering right now that's basically just an app that allows our users to look at a dashboard and see user logins and file logins and things like that and being able to identify those and somewhat predict outliers and things like that. That's incredibly important for us because it will save our users more time every single day.

Right, it's all about time too, right?

Yeah, absolutely.

How do you guys deal with the whole university because they're very hardcore about the data? Different departments in cloud, multi-tenancies, a huge challenge.

Correct.

What is the strategy with Splunk? How do you guys make that happen?

Yeah, so we actually, one of my team members, that's exactly what they talked about, multi-tenant environment and how to get it done. There are a lot of different layers. There's app layer security. There's index layer security. User access controls. So that, it's a hard nut to crack, but there is a great way to do it. So if you can't go and download that, you know, the talk.

But Splunk support that?

Yeah, absolutely.

And the Muslim being use case, as universities look at what you said Arizona stayed on, he's taken a different strategy, come in, well, differentiate the most corporations, where he's to a safe zone, doesn't really touch corporate security or the security groups, and then he just ingrates sheets into other groups. How do you guys roll out and deploy Splunk in your universities?

So we always start siloed.
We have siloed data because we're very privacy conscious, and to bring someone, a new group in, the assumption there is that most likely they don't want their data shared with everybody in that environment, especially when you talk about the security team and things like that. But once it's in there, and we can start to have discussions from unit to unit about cross-pollination of data and correlation of data, then we've broached that subject.

Well, you've built that architecture later. So your strategy is let's go serve the units or groups individually.

Yes, yeah.

I'm siloed. I'm siloed. But that's what you mean, individually, have their own Splunk. Because people get jealous, right? I want my own Splunk. Don't want their Splunk either. Jealous or paranoid or whatever you call it.

Yeah, we're definitely not in the, everybody has their own instance scenario. So we're trying to share costs and trying to share the infrastructure.

But you carve them out, though.

Yeah, absolutely.

And Rice?

We've worked with different departments right now within IT to actually leverage our top 20 goals that we're trying to do. One of them's like inventory. So we've worked with another department right now and helped mature the relationship there on what they expect from the Splunk instance and what we would like to gain from it. Because it's ultimately a good idea to have an inventory of what's out there. And with that, it gets around the privacy part because it is their data. They are controlling their data, but we're also able to show them different ways to see their data because the tool that they might be using with it might not be flexible enough to show them what they need to see, or the reporting mechanism going into a trouble-ticket system, the glue where there isn't working, and Splunk is providing that mechanism to glue between the two.

You guys got to be proactive going in to security.
Can you just expand on these security layers that Splunk offers and some of the best practices that you guys use around data isolation?

So I won't say that I'm the guy. So I don't know. I hope you want to expand on that.

So we've been able, at least from different layer perspectives, we've been able to do certain niche cases right now because our model, our Splunk instance right now is about two years of age. It's going on three. So I would say ours is just above immaturity stage, but as we go through it, we're able to do certain things like blocking attackers, dynamically, repeat offenders approaches. We're able to also take care of our DMCA violations almost without even touching the email now anymore, which is a big offloading right there because it happens. You have people that make claims and you have to chase down if the person exists or not. However, whatever university policy dictates on how that needs to be done.

What are some of the things about this show, this year that gets you guys excited? You see the keynotes, you have the keynote tomorrow. It's going to be much more of a fuzzy art of the possible, which really taps the creative side of how Splunk, what you can do with Splunk. So I get that's on the last day, but first two days, core updates, today's IT operations, big walk aways for you guys, big thoughts to this weird show.

Specific to Indiana, the licensing changes are going to be pretty big for us to be able to spin up tests and dev environments under what was it, 50 gig. Yeah, so that's really big. For us, that means that we don't have to go against our production license if someone just wants to try something out and we can actually pull them into test and dev and even develop a full app, but know exactly how much data they're going to ingest and then once we know that true number, then we can roll them into production.

That'll accelerate more use, right?

Yeah, absolutely. Probably most likely. Absolutely.

Right, because there's some buffer.
Some buffer. Yeah, because we don't have to do work on that production side. We can throw that in a VM and just play with it in a VM and destroy it and then move the programming from there to actually the online.

Get a feel for what's going on, then spark it out, understand the scope.

Yes, sir.

And Alan, I mean, Help Net, I mean, maybe I didn't set the stage quite right. Why don't you tell us a little bit about what's involved within Help Net? I mean, what your slices are. So we understand exactly who your clients are, who you're serving and how you're serving them.

Yeah, so Help Net within the overall IT organization within IU is in the support division and what we do is we actually provide end user support, systems administration and web development to over 60 different departments throughout IU. So one of those pieces is that we spin up services that are helpful to the IU community. And so we implemented Splunk to basically start to help people with IT compliance. And that's really the crux of where we started and why we started.

And then there was a discussion on in the first day keynote yesterday's keynote about licensing and about the test dev environment, having free or at least some latitude, little more latitude on that. I mean, how attractive, you're starting to touch on that a little bit. How attractive is that to you all that first off there's training available and then there's also kind of this green space or green field area to experiment a little bit and play around and get an idea of what those controls are like.

Yeah, I think that all of those models help us. And especially in a university scenario where procurement of new licensing is a long process. So being able to have a little, once again, wiggle room there is really beneficial to us.

Something the company does, which is really nice is bring out people to do Splunk search parties.
And that has actually been really helpful to bring out new ideas, exposed Splunk to different departments to see what it can do. And that's actually starting to foster more conversations with different pieces of my university that we're able to take advantage of and it starts bringing in the growth of the product but also the capabilities of it and how we're going to interact with that part of it. But with the offering with the test case, we're able to, I see us probably using that for other departments for their testing part. But not only that, we'll wind up actually being able to try out some things that we weren't able to. Different apps, possibly, or different pieces of like the security offering, user analytics. We could probably throw that in there, give it a try, and then show management exactly what could be done there on that side of it.

And the future that you guys need, talk about what you guys are looking for. As you guys set this foundation, you're getting down in the trenches, obviously the test dev thing, we can imagine the hassles just procuring licenses, productions, nightmare, and federal government and or EDUs, always hard, right? It's like, it's a foundation. So that's cool. As this progresses, how do you see it unfolding in the education? Because there's a ton of data, there's a lot of work being done, you get a lot of faculty, you get some network stuff, and everything's going on. You're like a full-on networking yourself so it's not like it's a trivial backbone of any kind. It's like you have all the needs of an enterprise.

Yeah, I think that you would find that a lot of universities and maybe, I don't want to speak for you, Albert, but a lot of universities, IT, is distributed and siloed. And that even goes for generally the enterprise IT organization, the umbrella organization, and being able to take all of those and start pushing data into a single consolidated front-end or dashboard or whatever it is, that's a new thing.
That really has changed the game in a higher ed landscape.

How about sharing data? Is there a trend on sharing data? And you mentioned that you're also, I get that, makes sense, given the environment. Is there movement on sharing or is it still parochial? I got my data.

I think there's movement on sharing. I think it's more not out of the box. We don't want to share it right away or by default, but if we decide that it's a strategic movement.

It's still meeting, huddle up, collaboration.

Absolutely, and if it's valuable to both teams, I think that it absolutely makes sense to go that direction.

One of the ways that we're looking at sharing the least data is through that inventory process. Once we find out who the owner is of the device, being able to take flow data, some other security metric data from either the firewalls or the IPSs and actually being able to give at least the system administrator a view of what that particular box is looking at. We're also taking in our scan data for our vulnerability assessments. So we're looking at being able to have that system administrator having one-stop shopping, at least seeing what's happening to that host from an external view and at least give them something to work with where they need to shore up the system.

Yeah, we had a big use case probably about six months ago about PCI compliance and that was a prime example that prior to Splunk, there really was no place that networking data, all of the firewalling and switching as well as the server active directory, there was nowhere that they could push all those logs into a consolidated format where to meet that compliance need. So that was a really, really, actually fairly quick win for us.

Low-hanging fruit.

Yeah, pretty much, there's all of it's right there.

Well, that also gets people trained on the fact that you start storing the data, then it gets people kind of ginned up on the idea, hey, why don't we just do this more often? Not just for compliance reasons.
Right, I think that there's, just getting the name out is part of the job. I always feel like I'm trying to sell Splunk to my own university, but.

I know you guys are the best Splunk salespeople. That's why they have you on theCUBE because the customer should be talking. Albert, I want to get your take because I asked in the question last year, there's BS and then there's, that's BS is before Splunk. Okay, before Splunk. Not BS.

For a Bachelor of Science. Right, yeah. For a few BSs out there. For a few BSs out there. For a few BSing out there. All right, all right. We're shooting the BS thing right here. For orders.

Okay, so let's talk about before Splunk and after Splunk. So BS AS. Before Splunk, that's a great example of how a lot of manual stuff going on, compliance, low hanging fruit, quick win. That's like a single, knock that down. You get some momentum. Can you share what was before Splunk and what you brought Splunk in? What was it like? Can you give us some anecdotal examples?

So before Splunk.

But don't BS me.

I'm not. Before Splunk was a whole lot of Perl scripts and a whole lot of grepping. After Splunk, we've actually been able to automate a lot of reporting mechanisms, controls moving within certain systems, and also the response time on that particular search, searching engines that we're actually been working with. Before, a Perl script would have to log into five different computers. It would have to run the script. It would have to find the data. And maybe, maybe in two and a half hours, you had your answer. Maybe.

Maybe. Yeah, and a lot of sweat too. A lot of sweat equity in there. Hit it, go back, go grab a cup of coffee, go work on something else.

And now it's automated. So you just look up your dashboard, you see it there and you've got your answer already.

Cool. Now, the future of cloud. Is that part of your equation at all? Cloud, on-premise. Can you share how Splunk fits into that? Are you guys using Splunk in the cloud capacity?
On-prem only?

Yeah, so right now I use only on-prem. I'm starting to look at cloud as an option. I think, so higher ed, I have a very strong opinion about cloud and higher ed.

You told us last year.

Yeah, I think that higher ed is the slowest adopter to cloud that you will ever see. But I think the strategy there is put things in cloud, where it makes sense, and what is sort of a safe-

Test and dev would be great for cloud, wouldn't it?

What's that?

Test and dev?

Yeah, absolutely, absolutely would be. Even sort of small sets of data, whatever it is. But making those decisions and actually saying, this might make sense to move there. Put it on-prem first and then start to think, okay, what makes sense to move or not?

All right, so you're back to Indiana. You're back to Texas. Briefly, your takeaways. What are you going to take back with you to your respective communities? You first? Oh, not you first.

You know, I think a lot of what I'm going to take back is actually just contact with other people. Being able to network with everyone has been fantastic this year. The higher ed community is a close-knit one, obviously. So that's probably been the most valuable thing, being able to see people like Albert once a year and touch base with them, see what their pitfalls have been within the last year and what they've had really good success with.

You guys do a lot of sharing here with other higher eds.

Yeah, we're not selling anything.

The kinship spirits, you're growing right now. It's going to be growing right now.

Sometimes he'll have the same problem, I will, or I might have already gone through the problem and then we exchange the information and lessons learned. And it's just part of how the process is.

Oh, it's good to be in the same boat.

It is. It is. Yeah, it's nice to not have to worry about the bottom line of holding trade secrets and not sharing anything.

Thanks for sharing with us about BS, too. We appreciate that.

Absolutely. Before Splunk. Before Splunk.
Before Splunk. Back with more after this break from .conf 2016.