Lisa Martin: Hey there, welcome to theCUBE's coverage of Splunk .conf21. I'm Lisa Martin. I've got a new guest joining me on theCUBE for the first time. Please welcome Tony Pierce, the senior manager of cybersecurity at EY. Tony, welcome to the program.

Tony Pierce: Hi, glad to be here.

Lisa Martin: So your LinkedIn profile, I wanted to ask you about this. It states that you are delivering an evidence-based approach to cybersecurity. What does that mean, an evidence-based approach? And how are you and Splunk helping to deliver this approach?

Tony Pierce: Yeah, and I'd like to call it the outcome-based approach. Basically, you start with what you're trying to accomplish and then work your way backwards. A lot of people say, hey, I've got a problem, and then they go try to buy a tool or whatever to go fix the problem. I go in and I'm like, all right, I've got a problem. I'm going to figure out what holistically I can use in the environment. So it's just basically working backwards. Say you have a breach. What are all the different things that I need to leverage to meet the controls for that breach, right? And so I think of MITRE in a way as a layered way of looking at things and the full defense in depth. So that's kind of my approach. I go and I figure out what the problem is and I answer the question. And I use Splunk to do that, right? Because Splunk is able to give me big data, Data-to-Everything, right? And so I like to be able to pull in all the different data types that I need to answer our question to do that, right? And so whether it's vulnerability management, patching, your networking, a good example of this: most common hacks in the world go after known vulnerabilities, right? And we get kind of caught up in all that. One of the things we like to do here at EY is we like to combine what's happening in the network. So the threat landscaping, which is the network guys, the vulnerability guys who are scanning the data, and then actually the patching, who is actually mitigating the problem. Putting all those into one screen has really helped people with their risk rating.

Lisa Martin: Talk to me a little bit about some of the changes. We've seen massive changes in the threat landscape in cybersecurity in the last year and a half during the pandemic. We've seen a massive increase in ransomware and DDoS attacks, ransomware becoming a household word, the executive order that just came down a few months ago. What are some of the things that you've seen? Have you seen the acceleration of organizations coming to seek help? We know that it's not a matter of if we get attacked, it's when. How are you seeing the last 18 months influence what you're doing?

Tony Pierce: Oh man, it's been quite a crazy ride. So by trade, I'm an incident responder, you know, a high-level investigator and also a solutions architect. So I get called in a lot for those kinds of things. It has been kind of nuts. But you know, one of the things I always tell them when I start: understand what your threat landscape is and identify your key cyber terrain. Unfortunately, most, you know, most companies as they grow, they get really big. They don't really do that. So they miss the consolidation point, right? I always say, hey, you know, if you're going to do this, if you say you have a ransomware attack, the first thing you can do is, you know, there are so many different controls that you can do to stop that, but you really need to know where it is injecting and then you can isolate it if you need to. What we're seeing in the companies is that they don't all have full coverage, right? And they expect their endpoint protection to actually do its job, you know? And then sometimes that's, you know, don't get me wrong, there are some amazing endpoint protections out there, but you really need to be able to log it. You need to know what it looks like and you need to know where it is. So if you need to, in case of a ransomware attack, as it spreads through the network, you're able to isolate it and reroute it to, I like to call it a black hole VLAN, and just reroute it so I can isolate it and then I can go after it instead of trying to do every endpoint one at a time, because you'll get whacked.

Lisa Martin: Definitely. So talk to me about working and partnering with Splunk and its full security stack. How is that a differentiator for you and your role?

Tony Pierce: Okay, so one of the things that we do here at EY is we combine SIEM and SOAR as one combined offering, right? So we try to bring the data in, we operationalize it, and then we try to do something with it, right? We find that, and then if you really think about that in a situation where the Splunk products are Splunk Core, Splunk ES and then Phantom, right? And so that's the automation play. And so we try to combine all those into one combined offering so that when bad things happen we make a decision. We say, all right, so, hey, what we're seeing in the industry is, a lot of times people spend so much time hunting the known that they forget about the unknown. Think about the Target hack a couple of years ago, the oil and gas attack just recently, you know, they miss those core things. So we try to say, all right, well, let's automate a lot of that known stuff so that the incident responders can focus on the unknown. And so when we combine all three of those products, you get a pretty good security stack.

Lisa Martin: When you say automating the known, is that at all in any way like, let's help companies get back to basics? I've been hearing a lot about that in the last 18 months, from a data protection perspective and from a ransomware attack perspective. So it's when, not if, but are you seeing that companies are sort of skipping past the basics where security is concerned?

Tony Pierce: Well, I don't say it's skipping past the basics, right? I think that sometimes people get caught up in the definitions of what it is, right? So there are so many frameworks out there, right? So like I'm a big fan of Zero Trust. A lot of incident responders use MITRE; I use MITRE for that as it trains their incident responders. Some people like to use HITRUST. I think a lot of what happens is they get lost in the confusion of all these different frameworks, right? I like to go back to basics. I've been doing cyber for, oh my gosh, about 20-plus years, right? I'm an active hacker, this is what I do. I like to call it defense in depth, right? So when you're doing that, if you follow the defense in depth side, it doesn't matter what framework you have, you can actually go back and you can fix that problem, right? So going back to the automation of the known versus the unknown, we know an IOC is 100%. Now, I know I say IOC, it's like a hash, right? So when a bad thing happens like an exploit, the first thing we try to do is we try to grab that hash and then we try to build a rule around it to stop that hash from spreading and going anywhere else. That's a, we know 100% that it's bad. Now, can exploits change their hash? Absolutely, it happens all the time. But for that moment in time, that hash is 100%. And so we try to say, hey, look, we've got endpoint protection, but also, why don't we use automation to block it at the boundary? Or why don't we keep it from doing lateral movement? Why don't we activate it from a defense in depth, so you have your network? I like to say, hey, look, you have your egress, ingress and your lateral movement. So if you understand all those three attack vectors, you can automate the control so that it doesn't spread. You had mentioned ransomware has been really huge, right? And everybody goes, oh, well, if we do zero trust... Zero trust talks about segmentation a whole lot. And segmentation is usually important. It won't stop everything, but it'll do a good job. Being able to leverage Splunk, we actually pull that in and we say, hey, you know, from an EY perspective, we take all that network and we try to put it in a single pane of glass so that we can see everything. And then once we're able to see it, once we get a good robust data set and understand that operation, we're able to go in and automate it. And so if I can go in and say, hey, look, all these hashes are bad. Yeah, I'm not going to rely on my endpoint. I'm going to put another control in place. So if the endpoint misses it, I have another control that will actually layer it and prevent it from spreading.

Lisa Martin: Which is absolutely critical. Talk to me about some of the outcomes that EY and Splunk are delivering to the end user customers. Everyone's always talking about, it's all about outcomes. What are some of those?

Tony Pierce: Yeah, so we've really embraced the Data-to-Everything, right? So I kind of have this opinion of, like, you know, everything's data. So everything needs to be secured, right? The people who miss that tend to get whacked pretty quickly. So what I like to do is I'm like, all right. So, you know, IoT is huge out there right now. OT is doing it. And so some of the things that we've done is, like from a healthcare perspective, we've combined IoT and IT into a commonality solution, leveraging the network, simple things like pulling in from the WAN, pulling in and understanding what those MAC addresses are so that you can actually do workplace analytics around, say, RFID tagging, right? So you know where your people are at. Here we also do what we call a SOC in a box, where we put everything together from a tiered perspective, like a tier one, tier two analyst, you know, what is it they need to do to mitigate and observe something? What does the investigator need, right? So we try to simplify those conversations. And so that, you know, it's actually around threat hunting as well. Threat hunter and investigator, they're totally different roles, right? So they need to be separated. We also tie in the, what is it? I really hate PowerPoint, I'm not a big PowerPoint guy, right? So I really like to be able to give it to the CISO. He needs to understand what risk is, right? So we try to automate it so we can get to that too. He can pull up his phone and pull up his Splunk app, and he knows at any given time what the risk rating of his company is, right? So we try to combine all of those. Again, you know, we do stuff around blockchain, supply chain, you know, it doesn't really matter. It's a data analytics tool. You know, a lot of people look at Splunk as a SIEM. I don't necessarily look at it that way. I look at it as a data analytics tool that does SIEM. It's just one of the functions it does. If you start understanding data and all the different things that data can do, then you can go in and you can use Splunk to basically answer those questions so that you can start putting in a control set.

Lisa Martin: What's the differentiated value that EY and Splunk bring together to customers? What really sets this partnership and what it delivers apart?

Tony Pierce: Well, I'm biased on that, right? Because I run the North America SIEM team for EY Consulting. So I would say that those two things are innovation and time to value, right? So let's start with innovation for a minute. Because Splunk is so customizable, right? And because it pretty much can integrate with just about anything, we're able to very quickly take data in and do something with it and operationalize it. Doesn't matter who the customer is. They're going to give us a question. We'll break it all the way down and we'll understand it and we'll give them an answer. A good example of that is we were doing stuff around PCI compliance. The checklist, you know, the financial sector, they get a huge amount of audits, right? And especially around PCI. So we took all the PCI checklist and we said, hey, how can we answer those questions? And so we built a dashboard that actually sends out a report to internal audit, and we call it compliance over time, right? It's looking at data from a different perspective to answer a question. Now, the other thing that we try to do here is, you know, and Splunk helps us with this, right? We have a great relationship with them. It's basically, oh, I lost my train of thought there for a minute. So innovation and time to value, right? So from time to value, what we do is we say, hey, look, we have a lot of the stuff in our lab. But one of the things I don't like to do is I don't like to go to clients and say, hey, look, we're going to build this for the first time. I like to say, hey, look, here are these questions in the industry. Get ahead of the question and go build it in our lab so that when we actually get on site, our time to value is not in months, you know, we can be in weeks, right? Because we already have a huge repository of use cases. Now, every one of those use cases is actually tied into an automation play. And so when we say that, we say, hey, look, here's everything in Splunk. Let's do this, let's go answer that question and let's go automate it, and let's make a decision where we want to automate it and where we want a human interaction.

Lisa Martin: Talk to me about what's next for the partnership in terms of the future. What can you tell us about where EY and Splunk are going together?

Tony Pierce: So we've been partnering around, I think our next things that we're really looking at are AI. We're really getting kind of into that, as well as AR and VR technology, right? And so especially around, I'm looking at the energy companies and the financial banking. One of the things I would love to do is go into a bank ATM, right? And right now it takes somebody actually having to plug into that to do a diagnostic on it. I would love to be able to get to a point where you can just take your camera, scan the QR code on the device and then pull up an AR and it runs all the diagnostics on the device as it's there. Another one is the infrastructure. Instead of actually going out, plugging into, say, a solar panel, going out, pulling out a tablet, just scanning the solar panels and it tells you if it's good or bad. And that's kind of the next step that we're trying to do. We're trying to really take that Data-to-Everything and just kind of turn it on its end. And you've got to remember everything is data nowadays, right? It's not the old days where things are moving around and everything's in a file folder, it's gone, right? Everything is data, so everything is security, right? And the first thing is we need to know what our threat landscape is. We need to know what that is and we need to apply that, right? So if we can simplify answering questions, that's so much better. And one of the things I like about Splunk is it scales really well, right? And I've looked at some of those others, and don't get me wrong, I mean, everybody has their place. But one thing I like about Splunk is it literally scales really well. So the more data you can get into it, it actually does better, right? And how you do it now. That's just our approach. Those are the next steps that we're really looking at from a technology standpoint.

Lisa Martin: Exciting stuff, Tony. Thank you for joining me, sharing what EY and Splunk are doing together, some of the unique use cases that you're helping to solve for customers and some of the things that you're excited about. We appreciate your time and your information.

Tony Pierce: No, this is fine. I, you know, like I said, I'm a big fan. I even wore my Splunk shirt just for this meeting.

Lisa Martin: Show us. Fantastic, you're on brand. Well, Tony, thank you again. We appreciate your time.

Tony Pierce: All right, thank you. You have a wonderful day.

Lisa Martin: Thanks, you as well. For Tony Pierce, I'm Lisa Martin. You're watching theCUBE's coverage of Splunk .conf21. Thanks for watching.