Welcome back, here we are, welcome back to the Cosmopolitan Hotel in beautiful Las Vegas, actually it looks like it's a little stormy outside, it was very hot earlier. We want to welcome you back to Splunk 2012, .conf 2012, this is the place everybody involved with Big Data should be. If you're not here, we're happy to have you along via theCUBE, we want you to join in the conversation on Twitter, hashtag data journey. I'm Jeff Frick with SiliconANGLE, I'm joined here by my co-host Jeff Kelly, the preeminent Big Data analyst from wikibon.org, you probably all know him. Thank you very much for that lovely introduction, I appreciate it. And we're also joined here by Marquis Montgomery, welcome. So you are the security architect and team lead for corporate security at CedarCrestone. So tell us a little bit about CedarCrestone and your role there. So CedarCrestone's main business is Oracle PeopleSoft hosting, we actually do some consulting down the road, we help our clients do great things with PeopleSoft, we also have a managed services offering where we'll actually host it in our data center for you and take it from beginning to the end, we'll do everything for you, keep it up to date, add new modules, basically take a very complicated product and make it so you don't have to worry about it. We host over 700 environments of PeopleSoft in our data center. So we are the largest integrated services provider for Oracle PeopleSoft in the world right now. Wow. So you take away some of that complexity, let us deal with some of that hard work and you use the applications up front. Absolutely. And I can imagine that's some major security concerns when you're talking about all that data living off site and at a service provider like yourself. Exactly, if you look at an application like PeopleSoft, you might have upwards of half a million users using the same application. 
You've got multiple servers supporting, you've got web servers, you've got app servers, you've got many database clusters that you've got to deal with and of course if you're looking at something like a student administration system, that's protected information that you've got to make sure you have secure. So that's a very big focus for us on corporate security as well. Absolutely. So I guess following up on the keynote from earlier today, Mark Seward from Splunk said the key to good security is to think like a criminal. So hopefully you're thinking like a criminal, you haven't been down to the stores, there's a lot of tempting jewelry and things down there. So tell us a little bit about thinking like a criminal and what you do and how does Splunk help you with that? Thinking like a criminal, really it's a mantra that we use all over the security community. Basically what that means is that you're looking at the same stuff that the hackers are looking at because that's where you're going to find your weaknesses and a lot of times if you look at just a big picture of things, you're only looking at the perimeter or you're only looking at the high level stuff that everybody catches, you're missing the little details and it's the little details that can actually hurt you in a security environment. So one of the things that Splunk helps us do is aggregate all of our information from all of our different devices, all of our different servers. And then it'll help us do some statistical analysis, bring out those things that we would not have been able to catch otherwise because we have everything in one place that makes it very easy for us to search through and do things from a better holistic approach. Instead of having an app, let's say you're looking at the firewall data, well okay, pull your monitor, your perimeter, you see when people try to hack in, you see when people are knocking at your door essentially. 
But you may not be watching the people who are already in your web application, for instance. Trying SQL injection, and the firewall can't help you in that case. So pulling all that information together from all your different types of security controls and your network devices and your servers and your third-party apps, I mean it really kind of snowballs. And Splunk is actually really useful in that case because it allows us to basically take anything we want, put it in one place and report on it, etc., etc. So talk a little bit about kind of real-time or almost real-time or not quite real-time because there's a lot of conversation about what is real-time and of course at the end of the day if you take it down to the atomic level there's no such thing as real-time, right? You've got to break it down. And also the complexity relative to the value return as you get infinitely closer to zero time that becomes difficult. But you know, security obviously you want to know when the guy's breaking in the door. Right. And the key that you have to kind of understand with security, you can't win every battle. I mean we have to be perfect 100% of the time, which is impossible. And that hacker only has to be right once to get in and compromise. So knowing that you can't be perfect. You strive to be perfect, but knowing that you can't be perfect, what's the next best thing? Being able to respond effectively and quickly. So being able to respond effectively and quickly means that you need to have that operational intelligence to know something has happened. Notice that something has happened. And then be able to know where to go look to actually focus in and fix the problem. So incident response, we turn to Splunk almost anytime we have an incident because all of our information is there. We can pinpoint it down rather quickly. I mean, two, three searches in Splunk and you're pretty much done. 
You've got your culprit, you've got what servers were affected, you've got basically what's going on. And if there's something you don't know, the information to at least know where to go look next is always another search away. So what, before, well let me back up. So when did you guys start using Splunk? And I'm curious, because with all these data elements, it must have been, I imagine if you're trying to do this manually, it was a lot of code writing and a lot of scripts. And that must have been a difficult proposition, which I'm guessing is probably what led you to Splunk in the first place. Tell us about that. Right. So we started with a different product. I'll leave the name out, but we started with a different product. Oh, it's the cue we were going to get through with the private name. Well, that was before my time. And I didn't have any personal experience with it. So I hate to, you know, hearsay or anything like that. So anyway, we hit a roadblock with that product as far as what we were trying to put into it and what we're getting out of it. Kind of a relational style? Well, it's just it had support for some things and not for others. We wanted to do custom development for some things, and it didn't support that or it was very difficult to work with. So the decision was made just before I started with CedarCrestone to move into Splunk because it had that flexibility that we really needed. We have over, I believe it's 12 or 13 industry vendors' products inside our environment, Dell, Juniper, Cisco, F5 load balancers. And then we've got all of our software products. So we're running Solaris, we're running Oracle Enterprise Linux. We've got both Server 2003 and Server 2008. A very mixed environment. One of the things that also makes us kind of unique is we have separate domains. So your regular enterprise corporate environment might have one Active Directory domain. Some of our tech people will know that. We have over six. 
So it gets a lot, it gets really complicated. Just adds to the complexity. Yeah, and so that product, we just kind of hit those limitations of, oh, you can't do that, you can't do this, you can't do that. And so we needed to move to something that was just way more flexible and Splunk was the product for us that made sense. Not only because there's a lot of support in the community for all of these different products that we have, so it's just kind of snap and go. But for the different things that we know we're going to have to build into the product, Splunk makes it easy to start from scratch and do your own thing too. That's great. We're here with Marquis from CedarCrestone. He's telling us all about security. He hosts 700 instances of PeopleSoft or more, which is amazing when only just a few years ago no large company would ever put their stuff in a cloud-based application. I'm just kind of curious, overcoming that hurdle as large enterprises have been more comfortable with outsourcing big pieces of technology. How have you guys as a vendor allayed their fears? You're a security guy, that's probably the biggest thing they're concerned about is, oh my gosh, how are you going to protect my data? It gets out of them in big trouble. Absolutely. That's the number one question we get from new prospective clients. And what we explain to them is we've got a proven situation where our security is sound. We haven't had any breaches. We don't plan on it. But that goes, we've been in business for a long time. So that goes, we're getting stuff done right. We come out to conferences like Splunk, we're on the forefront of new technology. We're thinking outside of the box when it comes to securing our environment. Because our environment is not only big, but it's complex. I mean, we've got a lot of stuff going on. Two continents, two data centers, multiple offices. It's a small field, but a lot of endpoints, a lot of work to do. 
So we just kind of prove to them that we've got it going on as far as security's concerned. Good, good. And data journey, right, is the theme of the show. We had the Target guys on before you came on, and they talked about kind of the classic use case of they had a little small problem to solve. They downloaded the application, they solved the problem. You kind of started in a similar type of journey. Your other tool didn't work well enough. You put it in. Now you've got it in and it's running. Now, what's next? What opportunities have you seen that prior to putting in Splunk and implementing effectively, you maybe didn't even know existed? So Splunk was brought into our environment to help us out with security. So we actually took advantage of the Splunk App for Enterprise Security. We're tying in almost everything, every network device, every server is talking to Splunk in real time. And in the Splunk App for Enterprise Security, it's bringing out those details of things we might want to take a look at, and it's been really valuable to us. The next step with Splunk is taking a look at some of the non-security benefits that Splunk can offer. Mark was talking this morning in the keynote about how all the information that operations finds useful, security guys find useful as well. And that works the other way around. The stuff that we're finding useful from a security perspective, our operations teams can take advantage of as well. Can you give us a for instance on that? Say for instance, I'm looking at a database and I want to make sure that no one's breaking into the database. So I audit who's accessing the database and what they're doing as far as making changes. Well, if something happens to break, maybe it was an unauthorized change or not, but if something happens to break or we run into an issue, the operations team, the database administrators can go back and look at that same information I've been monitoring all along and see what changed. 
Another thing that's really useful is if you're auditing all the information across your entire environment, you can look for differences. So if you have one situation with one app that works perfectly fine, and you have a different situation with a different app that has some issues, you can look at what the differences between the two are, look at what kind of maintenance happened or what changes were made or who's working on it or whatever you need to do, and you can see the differences. The information is there to help you out. And Splunk makes it really easy to get to that information. I mean, it's a couple searches. Type in what you want, it brings it back. Right, right, interesting. Yeah, so we dig in even further into some of the kind of the real core use cases. What are some of the really interesting correlations maybe you guys have noticed or you've discovered through using Splunk and maybe you never would be able to kind of get to before? A really interesting correlation that we're taking advantage of right now is the relationship between our intrusion prevention system and our firewalls. So we monitor on both sides of the network inside and out and so the IPS is going off for stuff that was attempted, stuff that didn't work or something that might have worked because we weren't blocking on the firewall. The difference though is the IPS is made by one vendor and the firewall is made by a different vendor. So they're not talking together, right? So the IPS doesn't know if the attack was successful or not. It doesn't know if it was blocked or not. It just knows that someone attempted something. In Splunk, I can pipe the information from the IPS and from the firewall. I can correlate the two together and I can tell, well, this attack came in but it was blocked by the firewall. So I don't have to worry about it. Maybe in a different situation this attack came in, it was against the web server, that wasn't blocked by the firewall. 
I need to see if I'm vulnerable to that attack and if I need to take any further action. So Splunk's automatically doing a lot of work for us off the bat by coordinating those two things together to make sure I'm not working any harder than I need to. I can focus on the stuff that really matters. And before you would have to manually kind of try to put those two things together. Absolutely. Get lucky and hopefully find a relationship. You have to bounce back and forth between the two consoles to see what's going on and a lot of times, you know, there's nothing to worry about it. We've got our configuration together and it's good to go. But then that one time that you miss it and something gets through the firewall, then you have to scramble to see what's going on. And Splunk actually brings that information to the forefront for me. So I don't have to do that work. I can focus on what really matters. So you talk about kind of the user experience when you're working with Splunk. We saw actually in the keynote, they showed some screenshots of earlier versions of the product and how they've kind of, from a visualization perspective, kind of improved the product over time. Absolutely. What's it like working on that front end? Paint a picture for our viewers. What is, what do you see there? What are you working with? So Splunk is very simple on the surface. When you launch the web browser, you end up with a search bar. Like Google is the metaphor that we always use. And you just type in the information that you're looking for, you press return, and Splunk comes back with events that match your search. Now that's just the surface of what you can get into. You can do all kinds of charting and reporting and graphs, literally any kind of statistical analysis you could ever dream of is possible on Splunk. 
They got a search language, which I think there's over 200 different commands for different ways for Splunk to take your data, massage it into a way that's going to make it more useful to you. We've been using Splunk for just over a year, I guess about a year and a half, full deployment. And so we've been able to see some of the changes. One of the more significant changes is they're pulling back on Flash and using more HTML5. I think they actually last year in their major release, they're completely compatible with the iPad. So I can take my security dashboard with me on the iPad and actually not have to be right at my machine. Maybe I'm not doing something else, but I still got my finger on the pulse of the security landscape for my environment. That's great. So it allows you to really stay in touch even when you're not sitting right at your desk. Exactly. And of course, security doesn't take time off. Exactly. Hackers don't take time off. 24-7, 365, we've got to be on top of those alerts and making sure that we are responding to things that are of issue. And like I was saying before, it's already working so that I don't have to deal with the things that don't matter. So as it saves me time, it makes it easier to work. So I'd love to get your take, kind of a big picture question. So over the last five, 10 years, even last two, three years, we've seen kind of the term big data getting a lot of attention. But there is a lot of hype, but there's also a lot of substance, as we're seeing here at this conference with the things that Splunk can do. There's the Hadoop world and there's other types of big data that we're seeing out there. Just as a practitioner, what has it been like to live in this world as we've kind of evolved from an area where it was all about relational technologies and very structured data to all these types of unstructured, semi-structured data and all the new possibilities that are available now? I'm kind of recent to the industry. 
I've always worked in a field where there's a lot of stuff that you've got to kind of look at and make some sense of. So in my opinion, it's always been big data as far as security goes. We know that you've got to start paying attention to this stuff to be able to do anything with it. I will say that it's really neat to have a partner in the tech industry right now who is working really hard to make it easy to look at massive amounts of information and do something that makes it easy to use and fun to use. I actually love working with Splunk because it's something that makes my life easier. It's quick to use. It's not a pulling teeth product. Some of the other products I use are like pulling teeth. So I can comfortably say this is something that is actually a lot of fun to deal with. But drilling down on your question a little bit more specifically, that's the way it's going to be, you know? Going forward, there's not going to be less amounts of data that we're going to have to deal with. It's going to be even more than what we're dealing with right now. I'm sure no one predicted how much data we have in our daily lives. I mean, we're all carrying these devices where you've got the world at your fingertips, essentially. Some people like me have two or three of these devices, not too far away. And being able to secure that stuff is the next big step. Being able to understand it all is the next big step. And we're moving forward, trying to stay on the forefront of that. And I think that the best way to do it right now is work. Yeah, because not only for your own uses, but for the applications that you're hosting for your customers, all those applications add more devices and more channels of distribution. One thing I'll say that's kind of interesting about what you just said is, when you start paying attention to this data, you find insights, you find things that are interesting that you didn't know about ahead of time. 
So there've been more than one instance of, well, let me go just run the search, see what we got. Maybe I'll write a dashboard and figure out if someone finds this useful. And I come across something else that I was not aware of that I'm really much more concerned about that I have to go take some action on just because I was poking around and looking at it. And many people don't realize how often that happens because they're not paying attention. There's a lot of those insights, not just in security, figuring out how your website's running, figuring out why people don't buy this particular brand of your product, figuring out why this server continues to fail every week and you fix it and it drops again. I mean, there's all kinds of different ways that you can use this technology to help you. It's just a matter of if you're willing to kind of put in the effort to take a look. Kind of lift that rock and see what's under there and you might find things you didn't even. Absolutely. Actually, I guarantee it, you will. If you look, you will find something you didn't know was there. Well, that's a great message for our audience out there. So we're out of time, but thanks Marquis so much from CedarCrestone for coming to theCUBE, live here at Splunk .conf. We also want to thank Splunk, our sponsor for bringing us here to the event. Great show. A lot of great guests including Marquis here. Great customer and some use cases. So thanks so much for joining us and we'll be right back with our next guest shortly.