From the Walt Disney World Swan and Dolphin Resort in Orlando, Florida, it's theCUBE, covering Splunk .conf2016, brought to you by Splunk. Now, here are your hosts, John Furrier and John Walls.

Okay, welcome back everyone. We are live in Orlando, Florida for Splunk .conf2016, the 7th year of the annual conference. This is theCUBE, our flagship program of SiliconANGLE Media, where we go out to the events and extract the signal from the noise. I'm John Furrier, with my co-host, John Walls.

Good event so far, great. Grinding down day one of two days of wall-to-wall coverage. Yeah, and we've been talking about so many of the positive things that are happening in this space. Unfortunately, also, threat security is very much a topic, a topic to shore up here this week, and talking about that with us is Adam Vincent. He's the CEO of ThreatConnect, a threat intelligence platform. Adam, thanks for joining us.

Thanks, John. Good to have you here. Breaking your maiden here on theCUBE, so it's always good to have you. Yeah, that's great. Thank you for having me.

Tell me, you're part of the adaptive response team that Splunk has put together. Tell us about that involvement, and really about the group's goal at large, before we get into a little bit more about what you do.

Yeah, so Splunk is a visionary in the security space. We're a security company, and last... I think February of last year, Splunk came to us with this thing they called the Adaptive Response Initiative, which was effectively a framework that allowed companies like ours to integrate into Splunk and to fuse the goodness from each of our products that was part of that, and through that integration, make each of our products more powerful. So it's a framework, it's not a product, but it allows us to work as a team and fight the threat together, which is sorely needed in the security industry.

So on the threat detection side, we're seeing a lot of huge news here.
Tomorrow, we're going to see some announcements from Splunk in the keynote, from what we can hear, but this is the top line issue. Board level, security. It's not an operational thing like the normal Splunk is doing, goodness there, this is huge. So what is Splunk doing, and what are you doing with them specifically in your business, and how does that relate to customers?

Yeah, so first and foremost, the issue is only getting worse by the day. The number of technologies, the sheer volume of mobile devices and the technology that we've all become accustomed to having is growing so quickly that security people aren't able to keep up with it. Secondly, the security teams at companies that are looking to defend those assets are just not prepared for what they're up against. The threats have gotten much better. The number of technologies, although there's lots of great technologies out there, they're all fragmented, and that fragmentation has led to the people, the process and the technology being able to be circumnavigated by the threat. So they come through the seams, so to speak, between the people, the process and the technology.

So what's the biggest issue that you hear from customers right now? Is it being outmatched on manpower, is it a technology issue, and what does Splunk do to level the playing field?

The biggest issue is that people don't even know what they're up against. Whether it's China, Russia, Iran, if you've been watching the news, you've seen all of the purported attacks from Russia on our election system. We don't even know whether we can trust the election when it happens, whether we're gonna let the people decide. So we don't know what we're up against, and for that reason, we don't even know what to do to defend against the attackers that we need to defend against.
So Splunk has a great idea, in that bringing together the technologies that someone already has is going to effectively make the people better at defending their organizations, because they won't have 30 products that they need to log into and do different things in each one. They'll gain efficiency because they can automate parts of processes that traditionally have been human, for better decisions. What ThreatConnect adds to Splunk: Splunk is deployed and is looking at what's going on in the network. ThreatConnect is effectively a knowledge base for threats. So we know the capabilities of the bad guys, and we know how to communicate that to Splunk so that Splunk can go look for those things specifically. So think of it like a big database of fingerprints and DNA and facial expressions of all the different people that's coming through our platform from a variety of sources, some of which are other companies, some of which are open source, some of which are people that are just giving back. All of that information is being analyzed, and then we're taking that knowledge and we're fusing it with Splunk's ability to analyze what's going on in the network. So think of it like the way the brain works. You have all these memories that you're using to make decisions. We're providing Splunk the knowledge it needs to inform decision making, and then the nervous system, whether it's Splunk ES or Splunk Core, is helping communicate that information out to the various products that are part of the Adaptive Response Initiative.

I kind of feel like, the way you were talking about the scenario here, it's almost like the fingers in the dike, right? That there are a lot of problems, a lot of intrusions, a lot of threats. There are some good solutions in pieces, but you put one here and it pops up there. It's whack-a-mole to a really scary degree.

Yeah, we're doing the best we can.
Companies are not sitting back in their lounge chair, their business processes, in how they obtain malware and use that malware against us. All of those reasons lead to us being outmatched in many situations. So what we need to do is agree. Technologies is part of it, but first and foremost, we recommend to our clients to just figure out what good looks like and what is going on. Splunk provides the ability to aggregate all of that data inside the network. We can look for those things, and can then highlight who's coming after that organization, to them, on what and against those things. But the first step is to know what you're up against so that you can plan for what's coming.

All right, so tell me about why the Splunk thing's a big deal, the adaptive thing. We'll hear that tomorrow in detail. But in general, Splunk has provided a lot of value for people, but how do customers use the security aspect? Because I can see you're Splunking different systems of data. So I can see some sort of nerve center concept you're injecting, essentially pattern recognition on signatures of threats. I get that, but there's always going to be new threats. So you got to manage it on your end, you share that data, but so how does a customer deploy Splunk, and how do you guys recommend and advise doing it from a security perspective?

Splunk is really revolutionizing the way organizations use data to make decisions. Splunk Core has been doing that for many years on the business end, on the IT end of the spectrum, and now security has brought those same approaches to the security part of the business. So first and foremost is just knowing what's going on and being able to analyze that information. Splunk's Adaptive Response Initiative takes it to the next level, which is around being able to go beyond that and actually start to conduct the security organization, the security products, almost like a conductor does with the symphony.
So they're not just listening and then going in the back room and waiting for the symphony to walk off the stage and telling them what they did well. They're actually providing pro acts of the music playing. And so...

So prescriptive advice.

Real time, bi-directional input out to all of the different sensors and/or control points in the security organization.

And so you're not automatically automated.

In some cases it could be automated. In some cases it could be human driven, but that's what adaptive response can ultimately do for this industry, is that it allows an organization's products to work as one within your security organization. Now take that to the next level. Some of what we've done in the Adaptive Response Initiative is we've allowed organizations to share data about what they're seeing with other Splunk instances and other companies. So now you have the crowdsourced capability, and you can take the level up for the industry, not just for a single company looking at just their data.

And there's a lot of leverage on the data too. I mean, it seems to be that the organization can offload a lot of the tasks of data collection, the critical data, or identifying where the data is, which has a time component, right? So if you're going to be doing that real time or prescriptive bi-directional, the data time factor is huge, isn't it?

I mean, the attackers are penetrating our networks, and this is not something I'm making up. The Verizon data breach report, it's been around for many years. People look at it like the Bible of what it looks like. Back in the early 2000s, the Verizon data breach report stated that attackers were gaining access to the networks of the organizations sharing data with Verizon in days or less, while defenders were detecting in days or less at a much lower rate. Now the rate at which, the detection deficit, the difference was staggering.
It was over 90% back in the early 2000s that attackers were gaining access in days or less, and it was less than 10% back then that the defenders were detecting in days or less. Today, now almost 15 years later, the detection deficit has only increased. Attackers are up to 97% days or less penetrating our networks, while defenders are like 9%. So they've gotten better in the last 10, 15 years than we have, and the deficit is still so great. And as a security practitioner, this is the frightening piece of information: despite all of the investments and the things that you see going on where organizations care more about security, based on that data set we're still failing at doing our jobs effectively.

That's what gets me. We're here and there are, I don't know, 30, 40 vendors here in different stripes, and people are talking about different flavors of security and different levels of threat detection, intrusion detection, and we're losing by how much? So it's like a football team, right? We're going out and we got a lot of good players and we keep falling further and further.

The personnel on the field are shorthanded, what we were saying, but here's the issue. Splunk has the prospect of accelerating the knowledge base of their customers, because even when we were on theCUBE two weeks ago doing an event on Sand Hill Road in Silicon Valley, one of the guests was from this cyber consulting firm: 1.4 million job openings right now in cyber. So like one, we're shorthanded across the industry. So it's kind of like data science, right? And it's hard to get those people, but if you can abstract away the machine learning and other techniques with data, you can essentially arm people to be as good as what a trained ninja would be, if you will. So like, I mean, this is where the value is. So how do you see that going forward? Does Splunk help companies be smarter?

There is no possible way that we can course correct on the human capital side.
We need to make the assumption that we're going to be shorthanded potentially forever. And on the technology side, we have great technologies, but they need to be tied together. They need to be coordinated in the symphony, or like the quarterback does on the field. Without the quarterback, there would be a lot of issues in running plays, right? Because no one would be there to call them. Security as a part of an organization has lacked a quarterback from a technology perspective. The Splunk Adaptive Response Initiative is starting to create that fabric, like I said, of products so that they can all learn from each other. They can all hear how each other are doing so that they can fight as one. And then the next step beyond that is to be able to orchestrate them with knowledge and decision-making capabilities that will inform decision-making. And humans can't be sitting there saying, allow this, don't allow that, because back to your point, there's not enough of them to do that. So we have to automate.

So you use the collective intelligence of the data, surface that, and then have abstracted some signal from there so that you can make a decision.

Exactly.

That's where the heavy lifting gets done.

Yep, that's right.

Versus going out and again finding stuff that you hope is right. Again, hope is the big word, if you do it manually.

You know, I was involved in the wireless industry for a number of years, and there was always a huge tension between the industry and government when it came to information sharing, and a lot of restrictions. So, for instance, some other federal agencies about what you can and what you cannot share. Do you have those same kinds of frictions or tensions between what governments allow you to, how they let you converse, and what you can share and what you cannot share?
So there's been a lot of change in this area in the last 12 to 18 months, in that the government has made it much easier through legislation to share cyber threat information, public, private. So the government is sharing data with the private sector, and the private sector is sharing data with each other, and there's some carve outs that allow or fort something in the right way to the SEC. But the bottom line is, despite some of the legislation, there's still not enough happening. Where I'm excited is that I see more grassroots sharing than I ever have in the industry. So companies are coming together and they're fighting together around their industry, around their geography. States of the United States are working together now, allowing private and public corporations to share incident data in a sanitized way. We're seeing more and more automation that allows ThreatConnect and Splunk at one company to share some data with a cloud service that will then share it with another company that uses Splunk. So now what this company found-

You're a federated sharing platform for Splunk, is that what you provide for Splunk in that?

I would agree.

I see this all the time, more recently than ever the organic sharing is up, and I think what I see and what I hear you guys talk about, and you're validating it, is the downside of fraud is so massive that it's in everyone's best interest to share. And I think this is the beginning of them saying, hey, I might take a hit on compliance, but that is a risk management decision. The real threat from a cash perspective, fraud, hacking, I mean, it's just the numbers are off the chart. I mean, the order of magnitude of consequences, and that reminds us of psychology. Who wants to be the CIO that says I was the guy at Yahoo that got hacked? I mean, the psychology's in favor of sharing, and the ROI. And no one will hire that person again because of the insurance liability of, if I hired that person, I'd be always worried that if I got hacked.
He was the skipper of the Valdez, hits the iceberg, and you know, it's another gig again. He's done, but that is a real thing. I mean, but again, this is a trade-off. Data sovereignty and data management is now under siege from this one trend. Okay, so let's talk Splunk. So how does Splunk do that? Do they have the capability to do the management of sharing? Do they actually have that in their product? Are we going to hear that tomorrow?

I'm hoping they'll tell you that we do that for them, but I mean, Splunk is a-

So you provide that piece for Splunk?

We provide the capability to allow Splunk instances to share cross-company through ThreatConnect, which is provided as a cloud service.

A cross-company or cross-companies? Hey, cool. Got it, yeah.

And so Splunk is a very powerful on-premises product. In recent days, I think, you know, the last year, it has moved into the cloud, but it's still customer-specific cloud instances, where ThreatConnect is more like an infrastructure set up around the idea of thousands of people collaborating in real time. Challenges in an automated way to allow one company to work: one company buys FireEye and another buys Palo Alto, we still can allow them to gain from those two products, where otherwise you're stuck always buying FireEye and then coordinating another FireEye product.

Well, ThreatConnect, you guys are onto something really big here, and we've been identifying it on our team, on our research side at Wikibon, where there's a social network developing in this community. When I say social network, I mean like people from different companies actually using tools amongst themselves as if it was like Facebook for security people.

Yes.

You know, there's direct connection issues, who's got what circuits, am I using the internet? What software am I using? So, a complete new category. I mean, is this a big trend? Do you see, am I on target here? What's your thoughts on that?
I think Splunk believes in that vision, and they would consider what they've built as a product that's a platform that allows people to create their ideas on top of that platform. ThreatConnect has created a very powerful capability on top of Splunk. Splunk was a visionary in creating a platform in the first place, similar to what you get with your iPhone. These companies didn't say we know best, we're going to create a single app for you to use. So, platform is definitely key to changing the paradigm in security. Next is getting evangelism in the community to solve problems. The threats are doing this, in that they're working together to build malware, share malware, share best practices with each other. We need to do the same thing as a security industry. The platform is definitely the core to that, but the apps that are built and the knowledge that is shared and the ability for you to create a process and then give it to your business partner for them to automate something, those are all the evolutions of the platform that are still evolving.

And it's early days too. I mean, I think if you take ThreatConnect, and now there's direct connection between companies, you're really weaving a social network fabric of peers. So the wisdom of the crowd, if you will, kind of kicks in with data. I think that is to me a big thing that I would see as an enabler. And again, Splunk and you guys working together. Who else has that solution? Or is it still siloed by FireEye here, and that doesn't work, I got to put it into some sort of federated data model?

Everyone in the industry sees the power of data and has brought that to their product. Name a security company now that doesn't say that they're intel driven or data driven. It's not the case anymore, everybody is. The difference is being able to coordinate across products with data, and the value of data doesn't need to be explained, but the value to security people is still evolving.
And so it has to be cross-platform. Not everyone uses FireEye, and most companies use multiple products to defend their organizations. And some of them have a great deal of overlap. The ability to work together and bring that data set back to a shared platform like Splunk, the ability to take that data, analyze it and then take some of it and share it across your supply chain or your business partners. The ability for them to automate, the ability to take that data and process it and put it into their Splunk instance and then go hunt for it. And if they see something, provide back some value to the human beings that says, I already did all the work for you, this is bad, go do something. That's the evolutionary step that we're at. And it's going to take time to get there, but the Adaptive Response Initiative and Splunk's platform at the core is taking us down that road, but they do need a community around that to realize that vision alone.

Well, there's also another factor: the buyers of the technology, customers, they're buying everything, right? So they have a sprawl issue going on with what they're looking at, whether it's tire kicking or implementing, while meanwhile their organizations are like Swiss cheese getting attacked. Because when are we going to get out of that phase of throw the kitchen sink at security?

Right now.

We're in that phase now, you think?

We are right now. Most companies have stopped buying the shiny object and have started rethinking their architecture and how they're building their security program, and they're looking to a platform like Splunk to be at the core of that evolutionary direction.

It's kind of like Splunk has evolved to the natural solution since it's already being used. So it's a new way of doing it. Enabled by where it came from, not necessarily how it was built. It's interesting, right? We were playing whack-a-mole before, and now we actually have a strategy and we're actually implementing towards a plan.
Adam, thanks so much for sharing the story. Great stuff. Security is hot. If you're being overrun, been over-checked out by the hackers, you got to have adaptive security. We're going to hear a lot about that tomorrow in the keynote. We'll be broadcasting live on theCUBE as well. More live coverage from day one at .conf2016 after this short break.