John Furrier: Welcome back everyone to theCUBE and horizon3.ai, special presentation. I'm John Furrier, host of theCUBE. We're with Chris Hill, sector head for strategic accounts and federal at horizon3.ai. Great innovative company. Chris, great to see you. Thanks for coming on theCUBE.

Chris Hill: Yeah, like I said, great to meet you, John. Long time listener, first time caller. So excited to be here with you guys.

John Furrier: Yeah, we were talking before camera. You had Splunk back in 2013 and I think 2012 was our first Splunk.com and boy man, you know, talk about being in the right place at the right time. Now we're at another inflection point and Splunk continues to be relevant and continuing to have that data driving security and that interplay, and your CEO, former CTO of Splunk as well at horizon3.ai, who's been on before. Really innovative product you guys have. But you know, yeah, don't wait for a breach to find out if you're logging the right data. This is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. Tell us, what are some of the challenges that you see where this is relevant for Splunk and Horizon3.ai as you guys expand Node Zero out internationally?

Chris Hill: Yeah, across so, you know, my role within Splunk was working with our most strategic accounts. And so I look back to 2013 and I think about the sales process, like working with our Splunk customers. It was still very siloed back then. Like I was selling to an IT team that was either using us for IT operations. We generally would always even say, yeah, although we do security, we weren't really designed for it. We're a log management tool. And I'm sure you remember back then, John, we were like sort of stepping into the security space and in the public sector domain that I was in, security was 70% of what we did.

When I look back to sort of the transformation that I was witnessing in that digital transformation, when you look at like 2019 to today, you look at how the IT team and the security teams have been forced to break down those barriers that they used to sort of be siloed away behind and would not communicate. You know, the security guys would be like, oh, this is my box, IT, you're not allowed in. Today you can't get away with that. And I think that the value that we bring to, you know, and of course Splunk has been a huge leader in that space and continues to do innovation across the board. But I think what we're seeing in the space, and I was talking with Patrick Coughlin, the SVP of security markets, about this is that, you know, what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data. So Splunk itself, as you well know, is an ingest engine, right? The great reason people bought it was you could build these really fast dashboards and grab intelligence out of it. But without data, it doesn't do anything, right? How do you drive and how do you bring more data in? And most importantly, from a customer perspective, how do you bring the right data in? And so if you think about what Node Zero and what we're doing at Horizon3 is that, sure, we do pen testing, but because we're an autonomous pen testing tool, we do it continuously. So this whole thought of being like, oh, crud, like my customers, oh yeah, we got a pen test coming up. It's gonna be six weeks away. Oh yeah, you know, and everyone's gonna sit on their hands. Call me back in two months, Chris. We'll talk to you then, right? Not a real efficient way to test your environment. And shoot, we saw that with Uber this week, right? You know, and that's a case where we could have helped.

John Furrier: Well, just real quick, explain the Uber thing, because it was a contractor. Just give a quick highlight of what happened so you can connect the dots.

Chris Hill: Yeah, no problem. So it was, I think it was one of those, you know, games where they would try and test an environment. And what the pen tester did was he kept on calling the MFA guys, being like, I need to reset my password. We need to reset my password. And eventually the customer service guy said, okay, I'm resetting it. Once he had reset and bypassed the multi-factor authentication, he then was able to get in and get access to the domain area that he was in, or not the domain, but he was able to gain access to a partial part of the network. He then paralleled over to what I would assume is like a VMware or some virtual machine that had notes that had all of the credentials for logging into various domains. And so within minutes, they had access. And that's the sort of stuff that we do. You know, a lot of these tools, like, you think about the cacophony of tools that are out there in a ZTA architecture, right? I'm gonna get like a Zscaler or I'm gonna have Okta and I have a Splunk. I'm gonna use a source system. I mean, I don't need to name names. You're gonna have CrowdStrike or SentinelOne in there. It's just, it's a cacophony of things that don't work together. They weren't designed to work together. And so we have seen so many times in our business through our customer support and just working with customers when we do their pentests that there will be 5,000 servers out there, three are misconfigured. Those three misconfigurations will create the open door. Cause remember, the hacker only needs to be right once. The defender needs to be right all the time. And that's the challenge. And so that's why I'm really passionate about what we're doing here at Horizon 3. I see this, my digital transformation, migration and security going on, which we're at the tip of the spear. It's why I joined Snehal coming on this journey and just super excited about where the path's going and super excited about the relationship with Splunk. I can get into more details on some of the specifics of that, but, you know, great.

John Furrier: Well, you're nailing it. I mean, we've been doing a lot of things around super cloud and this next gen environment. We're calling it next gen. You're really seeing DevOps, obviously DevSecOps has already won. The IT role has moved to the developer. Shift left is an indicator of that. It's one of the many examples. Higher velocity code, software supply chain. You hear these things. That means that IT is now in the developer hands. IT is replaced by the new ops, data ops teams and security where there's a lot of horizontal thinking to your point about access. There's no more perimeter. There is no perimeter. Huge, 100% right is really right on. I don't think it's one time, you know, to get in there. Once you're in, then you can hang out, move around, move laterally, big problem. Okay, so we get that. Now the challenge is for these teams, as they are transitioning organizationally, how do they figure out what to do? Okay, this is the next step. They already have Splunk. So now they're kind of in transition while protecting for 100% ratio of success. So how would you look at that and describe the challenges? What do they do? What are the teams facing with their data? And what's next? What are they, what action do they take?

Chris Hill: So let's do some vernacular that folks will know. So if I think about DevSecOps, right? We both know what that means, that I'm going to build security into the app. But no one really talks about SecDevOps, right? How am I building security around the perimeter of what's going inside my ecosystem and what are they doing? And so if you think about what we're able to do with somebody like Splunk is we can test the entire environment from soup to nuts, right? So I'm going to test the endpoints through the ITs. I'm going to look for misconfigurations. I'm going to look for credentials, suppose credentials. You know, I'm going to look for anything I can in the environment. Again, I'm going to do it at light speed. And what we're doing for that SecDevOps space is to, you know, did you detect that we were in your environment? So did we alert Splunk or the SIEM that there's someone in the environment laterally moving around? Did they, more importantly, did they log us into their environment? And when do they detect that log to trigger that log? Did they alert on us? And then finally, most importantly, for every CISO out there is going to be, did they stop us? And so that's how we do this. And I think when speaking with Snehal before, you know, we've come up with this Boil Scooter Loop, but we call it Find, Fix, Verify. So what we do as we go in is we act as the attacker, right? We act in a production environment. So we're not going to be, we're a passive attacker, but we will go in, uncredentialed, unagented, but we have to assume, have an assumed breach model, which means we're going to put a docker container in your environment. And then we're going to fingerprint the environment. So we're going to go out and do an asset survey. Now that's something that's not, something that Splunk does super well, you know? So can Splunk see all the assets? Do the same assets marry up? We're going to log all that data and then put, load that into the Splunk SIEM or the Splunk logging tools, just to have it in enterprise, right? That's an immediate future ad that they've got. And then we've got the fix. So once we've completed our pen test, we are then going to generate a report. And we can talk about these in a little bit later, but the reports will show an executive summary, the assets that we found, which would be your asset discovery aspect of that, a fix report. And the fix report, I think, is probably the most important one. It will go down and identify what we did, how we did it, and then how to fix that. And then from that, the pen tester or the organization should fix those. Then they go back and run another test and then they validate, like a change detection environment, to see, hey, did those fixes take place? And you know, Snehal, when he was the CTO of JSOC, he shared with me a number of times about it. He's like, man, there would be 15 more items on next week's punch sheet that we didn't know about. And it has to do with how they were prioritizing the CVEs and whatnot because they would take all CVEs that were critical or non-critical. And it's like, we are able to create context in that environment that feeds better information into Splunk and whatnot. That brings up the efficiency for Splunk, specifically the teams out there.

John Furrier: By the way, the burnout thing is real. I mean, this whole, I just finished my list and I got 15 more or whatever, the list just keeps growing. How does Node Zero specifically help Splunk teams be more efficient? Like that's the question I want to get at because this seems like a very scalable way for Splunk customers and teams, service teams to be more efficient. So the question is, how does Node Zero help make Splunk, specifically their service teams, be more efficient?

Chris Hill: So today in our early interactions with building Splunk customers, we've seen our five things. And I'll start with sort of identifying the blind spots, right? So kind of what I just talked about with you, did we detect, did we log, did we alert and did they stop Node Zero, right? And so I would put that in a more layman's third grade term and if I was gonna beat a fifth grader at this game, it would be, we can be the sparring partner for a Splunk Enterprise customer, a Splunk Essentials customer, someone using Splunk SOAR or even just an enterprise Splunk customer that may be a small shop with three people and just wants to know, where am I exposed? So by creating and generating these reports and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in and then where that then comes in as number two is how do we prioritize those logs, right? So how do we create visibility to logs that have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact and also not all are low, right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission critical CVE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it. That would be very bad. Then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at, and they'll admit themselves, they don't do asset discovery. So dude, what assets did we see and what are they logging from that? And then for every event that they are able to identify, one of the cool things that we can do is actually create this low code, no code environment. So they could let, you know, Splunk customers can use Splunk SOAR to actually triage events and prioritize those events or where they're being routed within it to optimize the SOC team's time to market or time to triage any given event, obviously reducing MTR. And then finally, I think one of the neatest things that you will be seeing us develop is our ability to build glass tables. So behind me, you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to the Splunk community. We're going to have the ability in the not too distant future to allow people to search, observe on those IOCs, and if people aren't familiar with an IOC, it's an incident of compromise. So that's a vector that we want to drill into. And of course, who's better at drilling into data than Splunk?

John Furrier: Yeah, this is a critter. This is an awesome synergy there. I mean, I can see a Splunk customer going, man, this just gives me so much more capability, action, actionability, and also real understanding. And I think this is what I want to dig into, if you don't mind, understanding that critical impact, okay, is kind of where I see this coming. We've got the data, data ingest, now data is data, but the question is what not to log, where are things misconfigured? These are critical questions. So can you talk about what it means to understand critical impact?

Chris Hill: Yeah, so I think, going back to the things that I just spoke about, there's a lot of those CVEs where you'll see low, low, low, and then you daisy chain them together and they're suddenly like, oh, this is high now. But then to your other impact of like, if you're a Splunk customer, and I had several of them, I had one customer that had terabytes of McAfee data being brought in and it was like, all right, there's a lot of other data that you probably also want to bring, but they could only afford one to do certain data sets because that's, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say, hey, these are the critical ones to bring in, but there's also the ones that you don't necessarily need to bring in because low CVE in this case really does mean low CVE. Like an iLO server would be one that's the print server where your admin credentials are on like a printer. And so there will be credentials on that. That's something that a hacker might go in to look at. So although the CVE on it is low, if you daisy chain it with something that's able to get into that, you might say, that's high. And we would then potentially rank it, given our AI logic, to say, that's a moderate. So put it on the scale and we prioritize low, versus a vulnerability scanner is just gonna give you a bunch of CVEs and good luck.

John Furrier: And translating that, if I can, and tell me if I'm wrong, that kind of speaks to that whole lateral movement challenge. Print server, great example. Looks stupid, low end, who's going to want to deal with the print server? Oh, but it's connected into a critical system. There's a path. Is that kind of what you're getting at?

Chris Hill: Yeah, I use daisy chain. I think that's from the community I came from, but it's just a lateral movement. It's exactly what they're doing. And those low level, low critical lateral movements is where the hackers are getting in, right? So that's the beauty thing about the Uber example is that who would have thought, I've got my multi-factor authentication going in, a human made a mistake. We can't not expect humans to make mistakes, we're fallible, right? The reality is, is once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials that would have stopped the breach. And they had not done that in their environment. I'm not poking.

John Furrier: Yeah, it's an interesting trend though. I mean, it's obvious if sometimes those low end items are also not protected well, so it's easy to get at from a hacker standpoint, but also the people in charge of them can be phished easily or spear phished because they're not paying attention because they don't have to. No one ever told them, hey, be careful of what you collect.

Chris Hill: Yeah, for the community that I came from, John, that's exactly how they would meet you at an international event, introduce themselves as a graduate student. These are national actor states. Would you mind reviewing my thesis on such and such? And I was at Adobe at the time when I was working on this and started off with the PDF. They opened the PDF and whoever that customer was launches, and I don't know if you remember back in 2008 timeframe, there was a lot of issues around IP being stolen from the United States by a nation state. And that's exactly how they get it. And John, that's...

John Furrier: Or LinkedIn, hey, I want to get a joke. We want to hire you, double the salary.

Chris Hill: Oh, I'm gonna click on that for sure.

John Furrier: Yeah, right, exactly.

Chris Hill: The one thing I would say to you is like, when we look at like sort of, because I think we did 10,000 pen tests last year, it's probably over that now. We have these sort of top 10 ways that we think and find people coming into the environment. The funniest thing is that only one of them is a CVE related vulnerability. Like, you guys know what they are, right? So it's like 2% of the attacks are occurring through a CVE. They have, there's all that attention spent to that. And very little attention spent to this pen testing side, which is sort of this continuous threat, you know, monitoring space and this vulnerability space where I think we play such an important role. And I'm so excited to be a part of the tip of the spear on this one.

John Furrier: Yeah, I'm old enough to know the movie Sneakers, which I love as a, you know, watching that movie, you know, professional hackers are testing, testing, always testing the environment. I love this. I got to ask you as we kind of wrap up here, Chris, if you don't mind, the benefits to professional services from this alliance, big news, Splunk, and you guys work well together. We see that clearly. What are, what other benefits do professional services teams see from the Splunk and Horizon 3.ai Alliance?

Chris Hill: So if you're, I think from our, from both of our partners as we bring these guys together and many of them already are the same partner, right? Is that first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the number of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in and we'll license as to MSPs and what that business model on MSPs looks like. But the unique thing that we do here is this C plus license. And so the consulting plus license allows like a, somebody a small to mid-sized to some very large, you know, Fortune 100 consulting firms use us by buying into a license called consulting plus where they can have unlimited access to as many IPs as they want, but you can only run one test at a time. And as you can imagine, when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. So, but for the right customer, it's a perfect tool. And so I'm so excited about our ability to go to market with our partners so that we understand how not to just sell to or not to just sell through, but we know how to sell with them as a good vendor partner. I think that that's one thing that we've done a really good job building, bringing it to market.

John Furrier: Yeah, I think also Splunk has had great success in how they've enabled partners and professional services.

Chris Hill: Absolutely.

John Furrier: You know, the services that layer on top of Splunk are multi-fold, tons of great benefits. So you guys vector right into that, ride that wave with friction.

Chris Hill: And the cool thing is that in, you know, in one of our reports, which could be totally customized with someone else's logo, we're going to generate, you know, so I used to work in another organization, it wasn't Splunk, but we did, you know, pentesting for customers. And my pentesters would come on site, they'd do the engagement and they would leave. And then another release, somebody would be, oh shoot, we got another sector that was breached and they'd call you back, you know, four weeks later. And so by August, our entire pentesting teams would be sold out. And it would be like, well, can you eat in March maybe? And they're like, no, no, no, I got a breach now. And then when they do go in, they go through, do the pentest and they hand over a PDF and they pat them on the back and say, there's where your problems are, you need to fix it. And the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations. And then once you've fixed everything, you just go back and run another pentest. It's, you know, for what people pay for one pentest, they can have a tool that does that every patch on Tuesday, pentest on Wednesday, you know, triage throughout the week.

John Furrier: Green, yellow, red, I wanted to see colors. Show me green. Green is good, right? Not red. And who doesn't want that dashboard, right?

Chris Hill: It's exactly it. We can help bring, I think that, you know, I'm really excited about helping drive this with the Splunk team because they get that. They understand that it's the green, yellow, red dashboard and how do we help them find more green so that the other guys are in red.

John Furrier: Yeah, and get in the data and do the right thing and be efficient with how you use the data. Know what to look at, do so many things to pay attention to, you know, the combination of both and then go to market strategy, real brilliant. Congratulations, Chris. Thanks for coming on and sharing this news with the detail around Splunk in action around the Alliance. Thanks for sharing.

Chris Hill: John, my pleasure. Thanks, look forward to seeing you soon.

John Furrier: All right, great. We'll follow up and do another segment on DevOps and IT and security teams as the new new ops and super cloud, a bunch of other stuff. So thanks for coming on. In our next segment, the CEO of Horizon3.ai will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage.