Live from Las Vegas, it's theCUBE. Covering Splunk .conf19, brought to you by Splunk.

Hey, welcome back everyone. It's theCUBE's live coverage here in Las Vegas for Splunk .conf 2019. It's Splunk's 10th year having the event. This is theCUBE's coverage for seven years. theCUBE, independent media company, breaking down, extracting the signal from the noise, talking to the top people, top experts, telling the stories that matter. We're here with Michael Haag, Director of Applied Research for the company Red Canary. Mike, thanks for coming on. Appreciate it.

Thank you.

So, Red Canary, what's the company doing here? What's the focus? What does the company do? Take a minute to explain Red Canary and why you're here at .conf.

Sure, thank you. So we are like a managed endpoint detection and response organization. We partner with organizations of all sizes to help them eradicate evil, for instance. So we help them with monitoring their environment. We investigate, respond, and act on threats for them.

So on the notes here, you guys have a session titled "Finding Evil Is Never an Accident: How to Hunt in BOTS." So using bots, hunting down evil. You guys are out there doing this as a business. What does it mean? What is, first of all, what is evil? And how do you hunt it down? Take us through that.

Yeah, sure. So the talk is based around the Boss of the SOC data set that was released by Splunk. They have version two, version one, and version three will be coming out soon. And they just released version four here. And so the talk's all focused on how to find evil within BOTS v3, or actually v4, I'm sorry, the one that just came out. And so what we do as an organization is we help businesses get through their data, kind of like your guys' mission as well. Like get through all the haystack, find the bad things, and present that to our customers in a really fast way. So that's kind of where we are today.

Our job is to find the good content, great experts like yourself.
Talk about your role. You're like a researcher, but it's not like you're sitting back there; applied research. I mean, applied means it's not like just making up the next moonshot. You guys are applied specifically to hunting down evil. That's your role. What does that entail? You guys have to sit, zoom back, look at the data. Obviously Splunk's providing some benefits with their exposing their data. What does it mean to hunt down? What's the requirements? How do you set that up? What are you looking at? Are you going through data? Is it a dashboard? What do you deal with in your job?

Yeah, so like a day-to-day, or kind of what our team does, is we focus on what's going on previously. What are we seeing in the wild? Like what campaigns are happening? And then my role within my team is focused on what's coming. So what are red teams working on? What are pen testers looking into? Take that information, begin testing it, begin building proof of concepts. Put that back into our product so that whether it's two weeks, six months, two years, we have coverage for it no matter what. So a lot of us, a lot of our time is generating proof of concepts on what may be coming. So there's a lot of very unique things that may be in the wild today, and then there's some things that we may never see that are just very novel and kind of a once-a-time kind of thing, right?

Yeah, so you know, we love talking about data. We've been covering data since 2010. The thing that's interesting, and I want to get your thoughts on this, because evil has arbitrage built into it. We know where to hide. And so the question is, is that what are you looking at matters, right? So there's a lot of exposure, but the question I have for you is what is the problem that you're solving? Why do you guys exist? Was it because evil was better? Adversaries were better at hiding? Is it automation can solve patterns we haven't seen yet? Because how can you automate something you haven't seen yet? So is it new things?
So what's the problem statement that you guys are attacking?

Yeah, so there's a lot, there's a lot on box. So like in particular in this instance, if we're seeing something that happened yesterday, and then what's happening today is actors are working to break process lineage within what's happening on the endpoint, because actors know that everything's happening on an endpoint. Yes, there's traffic coming in, but there's execution going on in a single place on that box. So their whole like tactic now is to try to break that lineage. So it's not Microsoft Word spawning something. It's now Microsoft Word opens and it spawns over there off of another process, right? So we're here to monitor those types of behaviors, and that's pretty much like the core of Red Canary. We've always focused on the endpoints. We only do endpoint-based products. We don't like monitor networks. We don't monitor firewalls or anything like that. We're very focused, hyper-focused on endpoint behaviors. And so, and that's the cool part about our job is we get to see all the really new things that are happening. And if you look at any previous breaches in the past, it's happening on the endpoint, and that's right where we are.

And obviously data, canary in the coal mine, old expression, everyone knows that, or if you're older you might know that, but identifying and being that early warning detection system really kind of was the whole purpose of the canary in the coal mine. Red Canary, red teams, I'm kind of putting it together. What are some of the things that you've seen that are an example of why you exist? Because is it new things? Is it that hay, or a known thing, or both? What are some of the examples that you can point to that point to why you guys exist?

Yeah, sure. A good example is kind of like the looking-forward stuff. Where are red teams going? Where are actors going? So a lot of them are moving to C# and .NET tradecraft, which is very native to the operating system in Windows.
So if they're doing that, they're moving away from what they've been used to the last few years, which is PowerShell. So if PowerShell's kind of dead, then now we're going to C# and .NET. So a lot of our focus today is how can we better detect those? And vendors are moving that way too. They're starting to see that they have to evolve their products to the next level in order to detect these behaviors. Because, I mean, that's the reason why a lot of these EDR vendors are here, right? And it's all data, like you said. And so feeding it into a SIEM, or Splunk in particular, you're able to correlate those behaviors and look at very specific things and find it real well.

You know, one of the things that a lot of security practitioners and experts and advisors have been looking at over years is data. So it's no secret, data's critical. But one of the things that's interesting is that data availability has always been an issue. Sharing data, and then the message here at Splunk .conf 2019 is interesting: you've got data diversity now, exposure to the fabric search concept. They got accelerators and real-time time series. We've always had that, but as it kind of comes together, they're looking to get a more diverse aperture to data. Is that still an ongoing challenge? And what are, because if you have a blind spot, you can only, this is where the potential danger is. How do you guys talk about that? What's the narrative around diverse data sets? How to deal with them effectively? And then if blind spots exist, what do they look like? Or how do you figure that out?

Yeah, we, so I've been with Red Canary for over three years, about three years now. And one of the things I started at was a technical account manager, incident handler. And so I helped a lot of our customers go from, "we bought you, Red Canary, to monitor endpoints, but what should we do next?"
And so we, our incident handling team will come in and assist a customer with, you guys should start going down this road. Like how are you bringing everything together? How are you analyzing your data? Down to just operationalizing like some use cases and playbooks within their data. Like you got EDR, now let's look at your firewalls. How rich of that data can we help enrich with the EDR information? Like here's the IP address in Carbon Black Response. Where is it going this way on your firewall? Or your appliance is going out, you know? And things like that. So we have a whole team dedicated to it, and that's like the focus of the service.

We took a poll on our, we have a, you know, theCUBE has been operating for 10 years, it's our seventh year at Splunk. Dave Vellante and I took a poll of our CUBE community by 5,000 alumni and we asked them about cloud security, which vendors are the best? And Splunk is clearly number one in third-party data management. I got a category, but cloud security, especially the cloud vendors provide security, Google, AWS, and Azure. But outside of the core cloud providers, Splunk's number one clearly across the board. How is Splunk doing in your mind? How do you guys work with Splunk? What's the dynamic? What's your relationship with Splunk? And where's Splunk positioned in your mind? Because as cloud becomes more prevalent with cloud native, born in the cloud and with hybrid, there's a unification not just with data, but infrastructure operations. So Splunk's role and then their future prospects.

Sure, so Red Canary uses Splunk to, so we process, I think like 30 terabytes plus of data a day coming through our engine that we build, and that's the kind of proprietary piece of Red Canary. 30 terabytes of data flows through, we use a DSL, like a language that sits on top of it that queries it looking for those behaviors. We send those tip-offs, as we call them, to Splunk and we actually track a lot of the efficiencies of our detectors that way.
So we look for how well a detector's doing, is it triggering, is it false positives, how many false positives over time, and then also how much time our analysts are spending on those detectors. They get a detector in an event and they review that event and they're spending 20, 30 minutes on it. Well, what's wrong with it? Is there something going on here? Do we need to cut something back and fix it? So we use Splunk a lot for like the analytics piece of just how our operation works.

It's awesome, it's really neat to see in production. One of the things that I've been proud of with covering Splunk is, we saw them early when they were just a starter, then they went public. Just watching how they've grown, they've done a lot of great things. But now the theme is applications on top of Splunk. They've got an enabling platform. They've got a couple key pillars. I want you to talk about where you guys fit and where you see the upside. So Splunk has the developer area, which is they have all these new developers, security and compliance and fraud, foundations and platform stuff. And then IT ops, business analytics, AIOps, they got SignalFx, cloud native. So those are the kind of four key areas around their apps, their app strategy. Do you guys cut across all those? Are you guys developing? Are you doing all, what's the, how does Red Canary fit into that? Seems like you probably are a cross-section.

Yeah, most likely fitting into a few areas within it. My team has developed a couple apps for Splunk. So we've published those. We have like a Sysmon app that we pushed out. We have a Carbon Black Response app, which we co-developed many years ago. Those things are all out there. We've helped other people with their apps. But yeah, it's a little mix of everything. And I think the big core thing that we're all looking to today is like, how can we use more of the Machine Learning Toolkit with Splunk?
For our customers and for us internally, like how can we predict things better with it? So there's a lot of, a little bit of focus on that. So.

What do you think in your opinion? You've been out in the field, you've been in the front lines, now you're in research, you've got that holistic view, you're looking down at the, on the field, the battlefield if you will, with the adversaries, evil out there. What do you look for? I mean, what's the triggering event for you? How do you know when you need to jump in and get full, ready, alert, and really kind of sound off that canary alarm, saying, hey, you know, let's take action here or let's kind of look at that? And take us through some of those priorities. What's some of the workflow concepts that you go through?

Yeah, so we'll end up either sending a detection to a customer and either they'll trigger like, hey, can you give us more context around this event that happened? Or it will be, we had a pen test, red team, bad thing happened, can someone else investigate further? And so I'll come in, from my perspective, I'll come in kind of like a, almost like a tier three in a way. Come in, we'll do the additional research beyond what our detectors already caught. Looking for many things, you know, was there something we missed that we can do better at detecting next time? Is there any new behaviors involved? Was something dropped that, you know, the actor had left within the environment that may have gone by antivirus, prevention controls, anything like that. And then also just understanding their tradecraft, right? So we track a lot of teams and disturb behaviors and we're able to kind of explore and, you know, build those things out.

You got to do a post-mortem, you got to be on everything basically. You got to survey the entire landscape. You come in, post-event, do the collateral damage analysis.

Yeah, and that's a really cool thing about like the Splunk Boss of the SOC data set, right?
And that's what my talk's a lot about is, it's a very like basic talk, but it focuses on how to go from beginning to end, investigating this big incident that happened, you know? 'Cause when you get into detection from like an organization, you might just find that it was delivered through a Word doc, a couple of things executed, but was there something else that happened, right? And there's like your canary in the coal mine piece, right? You know, finding other things that occurred within the organization and helping out.

And ideally your data essentially is the foundation for essentially the preventative side. So it's kind of a closed loop, kind of life cycle of leverage, operating leverage from that data standpoint.

Yeah, it's a solid point. We, I coined the term like three years ago called driving prevention with detection. So take all your detection logic and understanding and things you see with products, even EDR or AV, and use that to drive your prevention. So it's just a way that if you're just alerting on everything, take that data and put it into your preventative controls.

So Michael, I got to ask you, how is cloud changing the security formulas? Because obviously scale and data are big themes we hear all the time. I mean, data's been around, it's not a new thing, but the constant theme that I see in all my CUBE interviews we've done over the years and this year is the word scale comes up. There's unprecedented scale, both in data volume, surface area, needs for things like Red Canary teams to be in there. What do you see with the impact of cloud? Has it really changed the game in any way?

Yeah, it's speed. It's the speed of new cloud technology that seems to constantly be coming out. Like one day it's Docker, next day it's Kubernetes, and then there's going to be something tomorrow, right? Like it just constantly changes.
So how can vendors keep up with logging, making sure it's the right type of logging and being able to write detection on it or even detect anything out of it, right?

Well, and the diversity too is a great point. I want to, you know, for instance, logs were great, now you got tracing. So yeah, so there's now different signaling.

Yeah, exactly.

So this is now a new thing that you got to stay on top of.

Totally, like look at any MSSP. They have thousands of data sources coming in, and now I want you to monitor my Kubernetes cluster that scales horizontally from 100 to 5,000 all day every day, like Netflix or something, right? And I want you to find the bad things in that. It's a lot going on.

And this is where machine learning and automation come into play, because you need the observability, you need the machine learning, and then you got to categorize it. So again, humans can't do all this.

No, yeah, it takes a machine. Using machines with human intelligence in a way, right? So have a human driving the machine to pull out those indicators as notables.

Michael, thanks for coming on. Great insight, great signal from the noise you're extracting there. Great stuff. Final question for the end of the segment. In your opinion, what's the top story in the security industry that needs to be continually told and covered and reported on?

Ooh, that's a good one.

Security threats, platform development, new stacks developing, is there like a one area that you think that's a high-order bit in terms of like impact?

Yeah, I think focus on, I'm going to say endpoint, because that's where everything's executing and everything's happening. And that's the biggest signal. And it's only going to get more challenging with the IoT edge and industrial IoT.

The edge is the endpoint, endpoints are changing. The definition is changing.

Yeah, exactly.

Great stuff. Michael, thanks for coming on from Red Canary.
Here on theCUBE, the Canary in the coal mine, that's theCUBE bringing you the signal here from .conf19, I'm John Furrier. Back with more after this short break.