Live from the MGM Grand Hotel in Las Vegas. Extracting the signal from the noise. It's theCUBE, covering Splunk .conf2015. Brought to you by Splunk. Now, here are your hosts, John Furrier and Jeff Frick.

Okay, welcome back everyone. We are here live in Las Vegas for Splunk .conf2015. This is theCUBE, our flagship program. We go out to the events and extract the signal from the noise, from siliconangle.com and wikibon.com. Go to siliconangle.tv to check out all the videos. And we're here live. I'm John Furrier, the founder of SiliconANGLE, with my co-host Jeff Frick, GM of theCUBE. Our next guest is Myron Davis from APV, Alaska.gov. Project you're working on, welcome to theCUBE.

I handle Splunk as well as Puppet and other intrusion detection and IDS, reverse engineering of malware, and phone records.

You're the hammer. He's the guy that splunks things, right? You're the splunker, but you're also the hammer. You've got to watch things, make sure, from a security standpoint, everything's provisioned. Everything's running operationally.

Most everything is. We have outsourced a lot of stuff, but when stuff comes down to it, I have to be... someone's got to say whether or not it's to move on or not. So I'm one of those guys.

Tell me about the project and where Splunk fits in.

Well, Splunk, which project?

Yeah, the infrastructure, the apps that you're running.

Because Splunk actually is applied to several different targets. We're doing not just security, but it's doing our phone record requests for all of our phone records. We've got about 200... let's see, I think we're at 100 to 200 million maybe phone records, as well as it does all of our IDS systems. We have multiple IDS and firewall systems, and we run it all into the SIEM model, so everything is managed in Splunk Enterprise Security, and so no matter what device it is, it all shows up in the same place.
So talk about the flexibility of this tool, because you're like the classic case where you brought in Splunk, but you just see opportunities to really point it at all different types of problems. How does that kind of work? Do you see any kind of limits, or do you just see all kinds of things that you can, quote unquote, Splunk, which is what we hear always in the halls walking up and down: "We want to Splunk that."

Well, the way that we deployed it is we have a system which we wanted other people to have access to. So we have all the IDS logs and firewall logs and a bunch of other data. And instead of us being the primary owner, we actually have 15 different organizations, sub-agencies below us, which need access to the data. But we need to find out... they have access to the same... we're running a shared infrastructure. So there's the same firewall for all of them and everything. So we needed a way to spread it out so they can get just what they need and what they want to see. And that's what Splunk is doing for us right now.

Talk about the performance issues. We heard 6.3 showed some great numbers; it got basically a big round of applause during the keynote yesterday. What are you seeing for performance? How's the speed?

Good. So we're not running 6.3 yet, but the speed is pretty quick. And the way that we solved it was throwing hardware at it. So we have four different search heads, each with about 100 gigs and 40 cores. And that seems to do the job.

Yeah, when in doubt, throw hardware at it. I love that. Because that's what... look at Facebook. We were at the Facebook conference two weeks ago, and all the underlying stuff is still the same: servers, storage. There really hasn't been a lot of... they're throwing hardware at it now. Now, granted, they make their own, so they're Facebook. But that brings the next question up: in a DevOps kind of environment, you mentioned Puppet and provisioning.

Oh yeah.
What are you guys doing on the DevOps side, and how does that help you guys from an ops standpoint? How is the DevOps working?

Well, we're running Puppet to manage all of our boxes. And that's a lot of different machines. And that saves a massive amount of time, because you can ensure the same configuration, the same rule sets. And if somebody changes things they're not supposed to, Puppet overwrites it. So you've got to do it through the Puppet control center. And now I've also deployed... Splunk actually is deployed by Puppet as well. And I've got classes set up for Splunk. So whenever a new box comes in, you just add it in that regular expression. So if the hostname matches the Splunk regular expression, it gets put in as an indexer or a search head or whatever, and the configuration just gets dumped right onto it.

What about the security aspect? What are you seeing for attacks? I mean, everyone we talk to... it started out in the old days doing some port scans. Now you've got all kinds of spoofing, malware. You've got phishing attacks. You've got DDoS.

What I find interesting, what I've seen in the last six months, is more of a target towards the actual person itself. So someone's going to... we've had these people call up, and they're either a job interview or they pretend to be somebody that the person already has a relationship with. And then they're using that as a connection in. And that's pretty scary, because...

What are they looking for? Passwords? Just access?

You know, the malware they have actually been installing has been CryptoWall. And that's really nasty if you've ever run across that.

No, we have not. What's it like?

CryptoWall runs and it encrypts all the local machine hardware, and then it decides to crawl over the network and encrypt everything on the network. And then once that happens, it throws up a little dialog box saying, hey, you want your data? You're going to pay some Bitcoin.

That's ransomware.
We heard that earlier. We had a guest on earlier today saying...

And the return. This is a huge problem. So what I think is happening is they realize there's a return on some of these people who are worth the effort of actually doing a little social engineering to get their malware on the system. Because there are certain organizations which will pay. And it's a lot. If you look at some of the news articles, you'll see that people are paying some money, a significant amount, to get their data back.

So how do you... that's just best practices. That's just training. I mean, it's not much technology. Or is there?

Well, it's hard, for one, because how do you train an organization and people who live in a small town of a hundred people? How do you train the people at that level not to trust people? Because generally people are trustworthy; they really trust people. You're calling up on the phone. I kind of trust you a little bit. You're going to send me an interview. You're going to send me a resume for a job you're applying for locally here. Okay, I'll read that resume. Oh, so then the next comment says, oh, it's being stopped by your spam system. Well, how about you just send it to my personal Gmail account? And so then it goes to the Gmail account, and then it's SSL, then it goes right past all the security software and gets in.

That's the hacking, that's the culture. I mean, all kinds of weird malware, the spoofing. How about any DDoS attacks?

We haven't had... the only ones we've seen are as far as people attempting to use us as relays sometimes.
And we had one instance a while back where, if you're familiar with DNSSEC, unfortunately DNSSEC has some flaws where it decides to send large packets over UDP, which is pretty much... I don't know why the government decided to go with that, because it's a pretty bad idea, because if you can do a small request for a DNS packet and get a large response and you don't have to authenticate the sender, well, every person who tries to secure their system ends up being yet one more vector for bringing down another person's network. So...

So, good. As you say, you're giving a talk later today, right?

Tomorrow.

Tomorrow. So for the folks that aren't here, give a little plug. What are you going to be talking about? Why should they come and attend if they're here? And then for the people that aren't going to make it, give a little overview of what you're going to cover.

So my talk is basically about applying regular expressions to ACLs. So in Splunk, you don't have the controls to do complex regular expressions on access control lists. And if you did, it would use a lot of CPU power. So my talk is about how to pre-munge your data so that it's ready for search filters in Splunk by using complex regular expressions. So we run about 400 different regular expressions, but there's a way, if you organize your regular expressions right and you're smart about it, you can effectively share equipment amongst agencies.

So what's the vibe of the show? Share with the folks out there what your take on the show is. For the folks that aren't here watching, what's it like here?

It's a lot of nerds walking around with Splunk shirts. That's the one thing I've noticed. And people you can talk to, as far as like the lunch or the breakfast. You just sit down and talk to people, and everyone you talk to is pretty much interested in the same thing you're interested in, which is pretty neat. And the conversations are broad. You can talk about Alaska.gov to some other thing over here.
It'll be different industries. A banking guy next to me, and then there's somebody else on the other side, and it's interesting enough. There are a lot of commonalities between industries as far as the software people are running.

Myron, thanks for taking the time to come by theCUBE. Really appreciate it. Thanks for sharing the data with us. We really appreciate it. Enjoy the rest of the show, and thanks for taking the time. This is theCUBE. We'll be back with more live coverage after this short break.