Live from the MGM Grand Convention Center in Las Vegas, Nevada, it's theCUBE at Splunk .conf2014. Brought to you by headline sponsor Splunk. Here are your hosts, John Furrier and Jeff Kelly.

Thank you very much. Good to be here.

So we just got back from the keynote, but obviously security, what a great story you have, we're here using big data, looking at patterns, preventative, but also taking actions out of the inside. So what are you guys doing with security, and what's your general view of security evolution or transformation?

Sure. Well, what you see now is just so many different threat vectors that people are coming in, and you've got a multitude of tools that allow you to look at this problem or this threat or what's going on here. And when you look at the different threat vectors and how these all tie together, you need a tool like Splunk where you can bring it all together and understand what's going on.

Jeff, what's your take on this thing?

Clearly, we've heard today from a few of the CUBE guests that security threats are evolving. It's a never-ending challenge, as soon as you figure out one way to stop a particular threat, security, vulnerability, the hackers, the perpetrators figure out a new way to get into your system.

Exactly.

So talk a little bit about that evolving landscape and how Splunk's helping you kind of keep up.

Sure. So one of the things that we find is, well, a single point tool can tell you a piece of the story. It's not until you know everything that you can really figure out whether an incident is over. So I'll give you an example. We have an acquired division, so we have two different divisions, both of which got hit by a piece of malware. And in the first company that we dealt with, we didn't have Splunk. And so what you find is you're constantly searching for data. So you're going to one group and saying, hey, I need mail logs. Another group you're saying, I need proxy logs.
You're going to a different group to get network information. And so when we reacted to that piece of malware, it took us three days. And each day, my boss would come to me and says, what's the chance of we're going to deal with this tomorrow? And I said, pretty hot. Now when we brought that same problem that we had the same problem on a different network that was all fully under Splunk, my security team was able to fully diagnose and get to root cause within three hours. So not only knowing who was infected, what happened, but where did it come from and how did it enter the organization? We were able to close that off and then also go back to every individual who also had that same email. So it came in through an email. We found everybody who had that email, we were able to delete it and talk to those people and make sure that they understood not to click it, et cetera.

So why is, let's drill into that a little bit. So why was Splunk able to do that? Whereas the previous method was not. Because Splunk has a systems-wide view or explain.

Because it brings everything into that single pane of glass. So for us, we need to look at proxy logs, mail logs, network logs, and some of our application logs and bring those all together. So when we looked at it in Splunk, you could just go from one query to the next. So you could look at an IP address and put that into a search criteria and see everything that affects that IP address. Or you could look at a mail subject and say, show me everybody who's seen this mail. Or show me everyone who's, of these five people, what's similar. So we have five people that got infected. We didn't know exactly where it came from. So we said, we were able to go into Splunk very quickly and say, look across these five people and what mail did they receive that was similar. And so we found one that you look at and you're like, this doesn't make sense. And it turned out to be a phishing slash attack vector.
So we were very quickly to say, okay, that's the email. Now, go search all the emails, find everyone that same subject or that same sender and pull those people out. And then also go look at the links and look at those in the proxy logs. So maybe someone received it through their Gmail or through some other vector. We were able to target that too. And then put it into all of our blocking mechanisms so that nobody could get to it after we found it. But in that case, three hours, the incident's completely over. My boss says, what's the chance of this happening tomorrow? And I said, it's not going to happen.

Well, right, so three hours versus three days is pretty dramatic.

Yes, absolutely.

And so translate that into the business benefit.

Simply, you stop the attack, you stop whatever damage is being done by the attack. In certain systems, we had to take offline during the attack. So we had to have our shared drive offline. So we didn't take any risk of infection until we knew we had found the root cause. So for three days, we had limited access to important data, right? Versus the other case, it was three hours. And even then it was only an hour and a half because we had known where we came from the other hour and a half was clean up. So having all that, and that was probably one of the best kind of in the field trenches view where everyone saw the difference. Because the other thing is everyone gets involved on the first day, right? So every group had to drop everything they were doing. So everyone in the infrastructure team was dropping everything and being pulled in and out versus when we had it in Splunk. The security team could do all the research in the forensics and then only when we had to take remediation actions involve other teams. So it even kept our velocity and our infrastructure moving forward.

Now, looking ahead, so we heard more from Splunk about adding kind of out-of-the-box pattern detection capabilities.
And talk to a few guests today who talked about from a security perspective, that's going to be huge. What is your take on that? Being able to proactively identify potentially threatening or security threatening trends out of the box, will that make your job easier? And what benefit will that provide?

Right, absolutely. So we offer both software as a service as well as normal network operations to run. But being a service company, everything has online operations to it itself. So every way that we can notice attacks. So we listened to the keynote here today and we heard it only gets worse, right? The attacks only get stronger, they only come faster. When you can deploy something very quickly for a Heartbleed or a Shellshock, that you can very quickly detect the signatures or look for what are the attack vectors and very quickly understand what's not patched, what is and what's coming together. You bring those things together, right? So the more information I have in one single pane of glass, the quicker I can put it in front of everybody's face and understand here's what we're trying to do, right?

I mean, is there a way for us to get to the point where organizations are being more proactive around security threats versus reactive to, okay, here's a new security threat, we've got to act to stop it? Is there a way, do tools like Splunk or other tools or other approaches going to enable us to get to that point where you're being more proactive? Or is it always going to be, we just got to wait for the next attack? And then hopefully the tools will get better, we can deal with them faster. But really we just have to wait for the next attack to come.

Right, I think you have that mix, right? So there's certain things that happen to you or that are the zero day attacks that you have to react to, right? There are things that have just never been known, there are vulnerabilities in software that have been detected and you have to react.
From a proactive standpoint though, it's how are you patching, right? Can you tell that you've patched everything, right? So I think from a proactive standpoint, it's getting the reporting that shows me exactly where Landscape is as opposed to, yeah, where we run all the servers should be patched, the operative word being should, which is putting on a dashboard where you can look at it every day and say, we've got a problem, 10% of the machines are not seeing patches, right? That's when you go into full reactive mode and you find out that, oh, it's only the unpatched machines that are threat.

So help me put this whole big data movement in perspective. So obviously security is a huge use case and you're having significant success using Splunk and I'm guessing some other tools associated with it. But let's take a step back. We've seen this market evolve when we saw on the keynote this morning, I think it was Godfrey who compared the old BI and Data Warehouse stack to this new approach, which allows for more iterative schema-on-read type analytics. How is that playing out in your organization? Do you see, is there a tension between the two approaches? I'm sure you've got a robust Data Warehouse program in place in the half or years, I'm guessing. How is that being impacted by these new approaches, not just Splunk but other things like Hadoop and other more flexible, agile data management approaches?

I think they're very complementary. So our traditional Data Warehouse is great for financial reporting and information that's very structured. But then when you start to look at the amount of data flowing through the organization and how you can use it, a business intelligence group and a business intelligence, again, understanding all the data before you bring it in, just can't react fast enough. So you start to look at just the complete volume of data. So in our case, a great example was our ability to look at customer performance.
So if we look at performance data on what we're seeing, we get a huge amount of data from our web logs and our servers that if we waited to put them into a traditional Data Warehouse and report them, we'd have to know exactly what we wanted to know before we even started asking questions. What we're able to do with Splunk is look at it and say, well, what are our customers seeing? Well, what's this over here? Why is this happening? How do we drill it down? So that information, we didn't even know the question until we started looking at it. So I think that's where you see it's played out for us very well is our product management. So we can look at and be very proactive. So one of the things that I find, and I've talked about before in Splunk sessions is the ability to be proactive for your customers. So Corporation Service Company, service is our middle name. And so things happen, people write reports that take a very long time, et cetera. And service is whether you can be proactive to those people and help them get better. And so one of the things that we put together is a Splunk dashboard that shows us kind of what we call the pain points of our system through the day. And we can see what pages are running slow and we can see which customers are most affected. So using some of the DB Connect technology, so we're using old school database technology combined with our Splunk technology, we can very quickly go and say, here's all our users, who do they work for and what companies are they with? We can very quickly see which companies are having the worst performance on our systems that day. We can then call them up and say, I see you're having problems. And the customers are like, wow, that's great. And a lot of times it's just coaching. Maybe if we don't write reports from 1899 to 2014, we can help your performance increase, right? And so what we found is that we don't even need to drop into software and write systems to get better performance.
Okay, so to your point about bringing in some of the older technology you've got, it sounds like a key part of this is the integration between the system. So if people talk about big data, it's going to replace the old. Really it's an integration challenge.

I think the structured data is there, it's running so many of our systems, right? And so it's bringing that into and being able to join it with all this big data. So you're getting all this intelligence and all this information, but how do I now put that back together with my structured data so that I can report in ways that everybody understands, right? That pulls in the information that I need to get.

Scott, I want to get your perspective on from an industry standpoint, cyber security. Obviously the keynote here was talking about that. Obviously big data helps big time. We mentioned that earlier. Well, what's the general sentiment right there? Obviously we had a quote earlier on theCUBE that someone called the FBI head that said, there's two types of companies, ones that know they've been hacked by China and two, the ones that don't know they've been hacked by China. So it highlights this whole cyber warfare, cyber security issue. So what's your take on it? And what's the general sentiment inside the security industry? Like people pound on the tables and obviously red alert, what's the general sentiment?

Sure. And I think we heard that in the keynote today, which is it's getting worse and it'll only get more worse, right? So it just continues to get worse because we've entered, and I thought it was interesting today when Mark discussed that the first salvo was launched in the cyber war, which is Stuxnet. And basically just kind of opened the gate for we're at war in a technology based way. And from a commercial sense, all of every commercial entity is just a part of America, right? And so we have to be, we have to get better at our defenses because it is just, that's where we are.
What's the general action item people look at? Is it government-led? Are we not doing enough there? Is it too slow? Is it just data technology? It's got to be refreshed. What's the general, I mean, remember the year 2000 bug was kind of like, oh yeah, nothing ever crashed, right? I mean, they did, but I mean, people moved over, but there's a lot of dough was spent on that energy. Are we in that same kind of inflection point with security, with cyber security?

I think one of the things that you'll find that you talk about government spend, but also is just finding people that are interested, right? So science and technology and engineering and math in the United States and everybody wants to go straight for a business degree, so we still have to continue to grow computer scientists and security engineers so that we've got the resources here that are interested and trained to help us defend.

And I got to ask you the Splunk question. What's the coolest thing you've seen that you say, oh, I'm jazzed? Because Splunk's an enabling technology platform. They have tooling, they have a platform, but they're doing some amazing things. What do you like the most about Splunk?

What I like about it is you're never quite sure how you're going to see it used. So I've sat through a couple of different sessions, so I love the way we use it and the new insights it's brought to our business, but I've listened to a company that has all their elevators are under Splunk, right? And so they can tell exactly what's going on in an elevator from the central headquarters throughout the world of all their elevators and just never thought of who would instrument their elevators. And another good conversation is Comcast, using Splunk to watch basically what you're watching on TV. And so there's certain analog elements that you can't really monitor, but I can watch your behavior.
So if you start and stop and start and stop a video on demand, there's probably something wrong with what you're seeing. So they can watch your key presses and figure out that there's something wrong with what you're seeing. So there's just two things that probably when Splunk was first written no one thought about.

Data is a use case, it's one of these use cases where it's in the eye of the beholder, right? I mean, everyone's got their own different business so you can't map on a use case.

And it's just this flexibility to, how do I look at this data and what does it mean to me? How do I look at data coming out of the internet of things and how do I use that to figure out something different about my environment that I've never had access to before?

What does cloud do for our industry? Help, hurt? They got news with Amazon, certainly speeds things up with Splunk, but does it open up more security holes or opportunities today?

And it depends. So that's a great, it depends kind of question because one of the things that the cloud opens up is now you've got a central focus of, you've got that central company that is worried about how to secure this and how to make it available. So I think in that one way it makes us more secure. And it allows us to focus more on security than let me stand up this piece of hardware, let me stand up 10 servers and make sure that they're the same image. I can now focus on making sure that my security practices are running well and I'm using the data that are coming out of those servers.

It's a function really in my mind of the security is getting worse and getting more worse because the old way was perimeter-based. Set up a perimeter, watch everything inside, hope nothing comes in, right? But now with API economy, you have all kinds of apps out there with mobile, maybe the cloud will be a nice reset.

And it's resetting to you, there's no perimeter, right?
So the kind of the thick and crunchy on the outside and the soft and gooey on the inside doesn't work anymore. So if you're talking cloud to cloud to cloud, it really has opened up that pretty much that soft and gooey inside. It has to be a hardened perimeter on every little piece.

Yeah, everything's a perimeter now. But that brings up a good point. That's great insight. And again, we came back from VMworld. That was clear from the enterprise that we talked to was a mobile infrastructure, perimeter-less IT. This is a whole new shift. And it really comes down to culture, people available to work on it. So you see those things as legitimate issues, culture and people.

Absolutely, absolutely.

Okay, for the young guys out there that are in high school, maybe even elementary school, if they're watching theCUBE, obviously, or for parents or teachers, what's the advice you give for the new generation? Because we're seeing, there's a general tech interest from these natives, right? They all have mobile devices. So there's a future crop of computer scientists and engineers out there. What's the advice to the parents and the teachers and potentially to the candidates that you would give to them and saying, to be a tech athlete or a tech soldier, if you will, what would they need to do?

I think it's to become more than just a user of the technology, but to understand it. So to be curious, and one of the things that we talked about today, you know, one of the people was speaking, he says, you know, what do you hire for a Splunk person to do Splunk? And it's a complete curiosity, right? So just never wanting to say, I have enough. And I think that's the same thing with anything with, you know, there's not just using my computer. It's how does it work? How does my phone work? What is the pieces below? So I think it's not just being a user, but really understanding.

So my kids, I shut down the wifi. That's how I get their attention.
And they figure out how to go past the net and go set IP address. Now they get the passwords. Now I'm locked out.

That's right, exactly.

So again, this new generation, again, great insight. Appreciate you taking the time. Come on inside theCUBE, inside theCUBE here. Appreciate it. This is theCUBE you're watching, SiliconANGLE's coverage of Splunk here, live in Las Vegas. We'll be right back with our next guest after this short break.