Live from Las Vegas, it's theCUBE. Covering Splunk .conf19, brought to you by Splunk. Hey, welcome back everyone. It's theCUBE's coverage here in Las Vegas for Splunk's .conf19. This is Splunk's 10th year doing .conf, theCUBE's seventh year of coverage. We've watched the progression of the security. The data market, log files, getting the data. The data exhaust turned into gold nuggets. Now it's the centerpiece of data security, data protection, and a variety of other great things and important things going on. And we're here with two great guests from Splunk: Haiyan Song, Vice President and General Manager of Security Markets, and Oliver Friedrichs, VP of Security Automation. And guys, great to see you again. We just saw you at AWS re:Inforce. Thanks for coming back. Thank you for having us. So you guys announced Security Operations Suite last year, okay? Now it's being discussed here. What's the update? What are customers doing? How are they embracing the security piece of it? Wow, well, it's been a very busy year for us. We really updated the entire suite. More innovation going in, ES 6.0 got announced, and Phantom and UBA. Every product is getting some major enhancement. Focusing on scale, for example, ES now, we have customers running in the cloud, like 15 terabytes. And that's like 3x. And on-prem, it's like 50 terabytes, five-oh, with search head cluster. So that's one example. And Phantom throughout the years is just lots of capabilities we're adding. Case management was a major theme. And that's actually the release before the current one. So we've been really innovating and focusing on that. Just to summarize sort of the suite, right? UBA continues to be the machine learning driven and there's a lot of maturity that's going into the product and there's a lot more scale. And backup and restore was like one of the major features because it's become more mission critical. 
But what's really, really, really exciting is how we're using a new product called Mission Control to bring everything all together. I want to get into the Mission Control because I love that announcement. Just love the name and what's behind it. But staying on the suite, even they're talking about, it's a portfolio. And one of the things that's been consistent every year at .conf of our coverage and reporting has been the evolution of a platform, an enabling platform. So as that evolves, do the guiding principles remain the same? How are you guys seeing it? Because now you're shipping it, it's available. It's not just a point product, it's a portfolio and an ecosystem falling behind it. You know, the app showcase, developer, security and compliance, foundation and platforms and just IT ops and AI ops are happening. So you have a variety of things coming out of a platform. What's the guiding principle these days? Is it continuing to push the security? Can you share the vision? Our guiding principle and the vision, it's really, we believe the world as we digitize more, as everything's happening at machine speed, as people really need to go to analytics to bring insights into things and bring data into doing. That's really turning that into doing. So it's the security nerve center vision that continues to guide what we do. And we believe security nerve center needs really data, analytics and operations to come together. And again, I gotta tell you, Mission Control is one of the first examples that we bring all of the entire stack together. And you talk about ecosystem. It takes a village, it's a team sport and I'm so excited to see everybody here and we've done a lot of integrations as part of the suites to continue to mature. More than 1900 API integrations, more than 300 apps just for Phantom alone. That's a lot of automated actions people can take. And the response from the people in the hallways and also the interviews have been very positive. 
Oliver, I gotta get to Mission Control. Phantom was a huge success. You are a big part of taking that into the world. Now part of Splunk. Mission Control, love the name, this is the headline, by the way. Splunk Mission Control takes off, supercharging security operations. So I think at Mission Control, I think NASA launching rockets, SpaceX, really new innovation. But there's really the big story behind is unification. Could you share where this came from, what it is, what's in the announcement? Yeah, so this is all about optimizing how SOC analysts actually work. So if you think about it, a SOC typically is made up of literally a dozen different products and technologies that are all different consoles, different vendors, different tabs in your web browser. So for an analyst to do their job, they're literally pivoting between all of these consoles. We call it swivel chair syndrome, like you literally are frantically moving between different products. Mission Control ties those together and we started by tying Splunk's products together. So we allow you to take our SIEM, which is Enterprise Security, our UBA product, Splunk UBA, and Phantom, which is our automation and orchestration platform or SOAR platform and manage them and integrate them into one single presentation layer to be able to provide that unified SOC experience for the analyst. So it's an industry first, but it also boosts productivity, letting analysts do their job more effectively to reduce the time it takes. So now you're able to both automate, investigate, and detect in one unified presentation layer or work surface. You know, the name evokes dashboards, NASA, but what that really was was an accumulation, an extraction of data into a surface area where people who are analysts could do their job and manage the launching rockets. But I want to ask you a question because this all is based on the underpinnings of massive amounts of volume of data. 
And the old expression, rising tide floats all boats, also is rising tide floats more adversaries, ransomware attacks is the data attacks are everywhere, but also there's value in that data. So as the data volume grows, this is a big deal. How does Mission Control help me manage and take advantage of that volume? How do you guys see that playing out? Yeah, so Mission Control really optimizes the time it takes to resolve an incident ultimately because you're able to now orient all of your investigation around a single notable event. So it provides an optimal work surface where an analyst can see the event, interrogate it, investigate it, triage it. They can collaborate with others. So if I want to pull you into my investigation, we can use a ChatOps-like capability, whether it's directly in Mission Control or Slack integration, we can manage a case like you would with a normal case management tool to be able to drive your incident to closure, leveraging a case template. So if I want to pull in my crisis communications team, my legal team, my external forensics team and help them work together as well, case management lets me do that and triage that event. It also does something really powerful. Haiyan mentioned the operations layer, the analytics and the data layer. Mission Control ties together the operational layer where you and I are doing work to the data layer underneath. So we're able to now run queries directly from our operational layer into the data layer like SPL queries which Splunk is built on from the cloud where Mission Control is delivered from to on-premise based Splunk installations. So you could have Mission Control running in the cloud, Splunk running on-premise and you could have multiple Splunk on-premise installs. You could have one in one city, another one in another city or even another country. You could have a Splunk instance in the cloud and Mission Control will connect to all of those, tying them together for investigative purposes. 
So it's very powerful. That's a huge powerful one. This comes back to the new branding data to everywhere. And I see the themes everywhere, the new colors, the new brand, congratulations. But it's about themes, what doers, doing stuff, thinking and making things happen. Connecting these layers, not easy, okay? And diverse data is hard to get access to, but diverse data creates great machine learning and AI and AI creates great business value. So we see a flywheel developing that you guys got going on here. Can you elaborate on that data to everywhere and why this connective tissue that you're talking about is so important? Is it access to the more data? Is that flywheel happening? How do you see that playing out? I'll start with that because I was so excited. We're data to everything company. Our new tagline is turning data into doing and this wouldn't be just possible without technologies like Phantom coming in, right? We have traditionally been doing really great with Splunk Enterprise, with data platforms and with analytics. Now with Phantom, we can turn that into doing. Now with some of the new solutions around data, you know, stream processing. Now we're able to do a lot of things in real time. You mentioned about the scale, right? Scale changes everything. So for us, I think we're uniquely positioned in this new age of data and it's exploding but we have the technology to help you tame it and it's representing your business. We have the analytics to help you understand the insights and it's really the ones that's going to impact day to day enabling your business and we have the engine to help you take actions. So that's the exciting part. All right, talking about this flywheel because diverse data sounds great and it makes sense. The more data you see, the better the machines can respond and hopefully there's no blind spots. That creates good AI, right? That kind of knows that if they're in data but customers may not have the ability to do that. 
I think this is where the connecting these platforms together is important because if you guys can bring all that data, it could be ugly data, unstructured data, data is data but it's not always in the form you need. This has always been a challenge in the industry. How do you see that flywheel developing? Yeah, I think one of the challenges is the normalization of the data. How do you normalize it across vendors or devices? So if I have firewalls from Cisco, Palo Alto, Check Point, Juniper, all of that data is not the same but a lot of it is firewall block data for example that I want to feed into my SIEM or my data platform and analyze. Similarly across endpoint vendors, you have Symantec, McAfee, CrowdStrike and all of these vendors so the normalization is really key in normalizing that data effectively so that you can look at the entire environment as a single, from a single pane of glass essentially and that's where Splunk does really well is both our schema-on-read ability to be able to query that data without having a schema in place but then also the normalization of that data is really key and then it comes down to writing the correlation searches or analytic stories to find the attacks in that data next and that's where we provide ES content updates for example that provide out of the box examples on how to look for threats in that data. So I want to get you guys' reaction to some observations that we've made on theCUBE in the spirit of our CUBE observability and pun intended. Love it, love it. We talk to people, our CIOs and CISOs about how they look like cloud security from collecting logs and workloads, tracking cloud apps and on-premise infrastructure and we asked them who's protecting this? Who is your go-to security vendor? And it was interesting because cloud was in there, cloud is number one if it's cloud. 
Not number one, but they use the Clabelion tools in the cloud but then when asked on-premise who's the number one, Splunk clearly comes up in pretty much every conversation. It's anecdotal, it's not a scientific survey, it's more of hand-picked. What that means is Splunk is essentially the number one provider with customers in terms of managing those workloads, logs across apps. But the cloud is now a new equation because now you've got Amazon, Azure and Google all upping their game on cloud security, you guys partner with those. So how do you guys see that? How do you talk to customers? Because with an enabling platform that you guys are offering, you're enabling applications. Clouds have applications. So how do you guys tell that story with customers? Because you're at number one right now, how do you thread that needle into this explosive data in the cloud and data on-premise? What's the story? So I wish you were part of our security super session. We actually spent a lot of energy talking about how the cloud is shifting the paradigm. The paradigm of how software gets built, deployed and consumed, how security needs to really sort of rethink where we start, right? We need to shift left. We need to make sure that I think you use the word observability, right? You got to start from there. That's why as a company we've got SignalFx and all the others. So the story for us is start from our ability to work with all the partners. They're all like great partners of ours, AWS and GCP and Microsoft in many ways. Because the ecosystem for cloud, it's important. We're taking cloud data. We're building cloud security models. Actually our research team just released that today. Check that out. And we've been working with customers in building more and more use cases. We also spent a lot of time with our CISO Customer Advisory Council just happened yesterday talking about how they would like us to help them. And part of that they were super excited. 
The other part is like, oh we didn't understand how complicated this is. So I think the story has to start in the cloud world. You got to do security by design. You got to think about automation because automation is everywhere. How deployment happens. I think we're really sitting in a very interesting intersection of that. We bring the cloud and on-prem together. You mentioned CISOs. I wonder if I can get cameras in that room. I'm sure they don't want any cameras in the CISOs' room. Oliver, taking that to the next level, complexity is not necessarily a bad thing because software can abstract away complexity. It's been the history of the computer industry that that's where innovation could happen. Taking away complexity. How do you see that? Because the cloud is a benefit. It shouldn't be a hindrance. So you guys are right in the middle of this big wave. What's your take on all this? Yeah, look, I think cloud is inevitable. I would say all of our customers in some form or another are moving to the cloud. So our goal is to be to not only deliver solutions from the cloud, but to protect them when they're in the cloud. So being able to work with cloud data source types, whether it's Azure, AWS, GCP and so on, is essential across our entire portfolio, whether it's Enterprise Security, but also Phantom. One exciting announcement that we made today is we're open sourcing 300 Phantom apps and making them available with the Apache 2.0 license on GitHub. So you'll be able to take the integrations for cloud services like the many AWS services, for example, extend them, share them in the community and it allows our customers to leverage that ecosystem to be able to benefit from each other. So cloud is something that we work with not only from detection, getting data in, but then also taking action on the cloud to be able to protect yourself. 
Whether it's, you know, I want to suspend an Amazon AMI or instance, right, to be able to stop it when it's infected, for example, right? Those are, it's finishing that whole OODA loop and the investigate, monitor, analyze, act cycle for the cloud as we do with on-prem. I think you guys are in a really good position. Again, I'd said this in 2013, but I think my adjustment today would be, you know, in talking to Andy Jassy, the CEO of AWS, he and I always talk all the time around the question he gets every year, is Amazon going to kill the ecosystem? Everyone's afraid of Amazon. He says, John, no, we rely on third party. Our ecosystem is super important. And I think as on-premises and hybrid cloud becomes so critical, and certainly the IoT equations with industrial really makes you guys really in a good position. So I think Amazon would agree, having third party, if you want to call it that, I mean, supplier is a critical linchpin. Because the data needs to be scalable. And we need ecosystem for security. And we, you know, one of the things I shared is we're really in an asymmetric warfare where as the adversaries, right? You talk about AI and machine learning, data at the end of the day is the oxygen for really powering that arms race. And for us, if we don't collaborate as an ecosystem, we're not going to have an upper hand. Because the other side, as I always say, there's no regulations, there's no lawyers. They can share, they can do whatever. So I think as a call to action for our industry, we got to work together. We got to really sort of share and advance our industry together. Congratulations on all the new shipping and general availability of ES 6.0. Phantom's been continuing to be great success. Congratulations on the open source. You got an app out there. You got Mission Control. You guys keep on evolving Splunk, the platform. You got apps showcasing here. Good stuff. Beginning of the new day to eight. Super excited. 
We're riding the wave together with Splunk. We've been there from day one, actually 30 year in, but their 10th year .conf, our seventh year covering Splunk. I'm John Furrier. Thanks for watching. We'll be back with more live coverage. Three days of CUBE coverage here in Las Vegas. We'll be right back.