Everyone, welcome back to theCUBE's coverage of AWS re:Invent 2022. I'm John Furrier, host of theCUBE. We got a great conversation with Patrick Coughlin, vice president of go-to-market strategy and specialization at Splunk. We're talking about the Open Cybersecurity Schema Framework, also known as the OCSF, a joint strategic collaboration between Splunk and AWS. It's got a lot of traction and momentum. Patrick, thanks for coming on theCUBE for re:Invent coverage.

John, great to be here. I'm excited to do this.

You know, I love this open source movement and open source continues to add value, almost sets the standards. You know, we were talking at the CNCF, Linux Foundation this past fall about how standards are coming out of open source, not so much the classic standards groups, but you start to see the developers voting with their code, groups deciding what to adopt, de facto standards. And security is a real key part of that, where data becomes key for resilience. And this has been the top conversation at re:Invent and all around the industry is how to make data a key part of building into cyber resilience. So I want to get your thoughts about the problem that you see that's emerging that you guys are solving with this group kind of collaboration around the OCSF.

Yeah, well, look, John, I think you've already, you've already hit the high notes there. Data is proliferating across the enterprise. The attack surface area is rapidly expanding. The threat landscape is ever changing. We just had a lot of scares around OpenSSL. Before that, we had vulnerabilities and Confluence in Atlassian, and you go back to Log4j and SolarWinds before that, and challenges with the supply chain. In this year in particular, we've had a huge acceleration in concerns and threat vectors around operational technology.
In our customer base alone, we saw a huge uptick in double digit percentage of customers that were concerned about the traditional vectors like ransomware, like business email compromise, phishing, but also from insider threats and others. So you've got this highly complex environment where data continues to proliferate and flow through new applications, new infrastructure, new services driving different types of outcomes in the digitally transformed enterprise of today. And what happens there is our customers, particularly in security, are left with having to stitch all of this together. And they're trying to get visibility across multiple different services, infrastructure, applications, across a number of different point solutions that they've bought to help them protect, defend, detect and respond better. And it's a massive challenge. And when our customers come to us, they are often looking for ways to drive more consolidation across a variety of different solutions. They're looking to drive better outcomes in terms of speed to detection. How do I detect faster? How do I find the thing that went bang in the night faster? How do I then fix it quickly? And then how do I layer in some automation? So hopefully I don't have to do it again. Now, the challenge there that really OCSF helps to solve is to do that effectively, to detect and to respond at the speed at which attackers are demanding today. We have to have normalization of data across this entire landscape of tools, infrastructure or services. We have to have integration to have visibility. And these tools have to work together. But the biggest barrier to that is often data is stored in different structures and in different formats across different solution providers across different tools that our customers are using. And that lack of data normalization chokes the integration problem. 
And so several years ago, a number of very smart people, and this was an initiative started by Splunk and AWS, came together and said, look, we as an industry have to solve this for our customers. We have to start to shoulder this burden for our customers. We can't make our customers have to be systems integrators. That's not their job. Our job is to help make this easier for them. And so OCSF was born and over the last couple of years we've built out this collaboration to not just be AWS and Splunk but over 50 different organizations, cloud service providers, solution providers in the cybersecurity space have come together and said, let's decide on a single unified schema for how we're going to represent event data in this industry. And I'm very proud to be here today to say that we've launched it. And I can't wait to see where we go next.

Yeah, I mean, this is really compelling. I mean, it's so much packed in that statement. I mean, data normalization, you mentioned, chokes this, the solution and the integration, as you call it. But really also it's like data is not just stored in silos. It may not even be available, right? So if you don't have availability of data, that's an important point. Number two, you mentioned supply chain. There's physical supply chain that's coming up big time at re:Invent this time as well as in open source the software supply chain. So you now have the perimeter has been dead for multiple years. We've been talking about that for years. Everybody knows that. But now combined with the supply chain problem, both physical and software, there's so much more to go on. And so the leaders in the industry, they're not sitting on their hands. They know this, but they're just overloaded. So how do leaders deal with this right now? Before we get into the OCSF, I want to just get your thoughts on what's the psychology of the business leader who's facing this landscape?
Yeah, well, I mean, unfortunately, too many leaders feel like they have to face these trade-offs between how and where they are really focusing cyber resilience investments in the business. And often there is a siloed approach across security, IT, developer operations or engineering rather than the ability to kind of drive visibility, integration and connection of outcomes across those different functions. I mean, the truth is the telemetry that you get from an application for application performance monitoring or infrastructure monitoring is often incredibly valuable when there's a security incident. And vice versa, some of the security data that you may see in a security operations center can be incredibly valuable when trying to investigate a performance degradation in an application and understanding where that may come from. And so what we're seeing is this data layer is collapsing faster than the org charts are or the budget line items are in the enterprise. And so at Splunk here, we believe security, resilience is fundamentally a data problem. And one of the things that we do often is actually help connect the dots for our customers and bring our customers together across the silos they may have internally so that they can start to see a holistic picture of what resilience means for their enterprise and how they can drive faster detection outcomes and more automation coverage.

You know, we recently had an event called SuperCloud. We were going into the next gen kind of a cloud, how data and security are all kind of part of this next gen applications, not just SaaS. And we had a panel that was titled The Innovator's Dilemma, kind of talk about some of the challenges. And one of the panelists said, that's not the innovator's dilemma, it's the integrator's dilemma. And you mentioned that earlier, I think this is a key point. Right now, integration is so critical not having the data and putting pieces together. Now open source is becoming a composability market.
And I think having things snapped together and work well, it's a platform system conversation, not a tool conversation. So I really want to get into where the OCSF kind of intersects with this area that people are working on. It's not just solution architects or cloud, cloud native SREs, it's actually where DevSecOps is. So this intersection is critical. How does OCSF integrate into that integration of the data, making that available to make machine learning and automation smarter and more relevant?

Right, right. Well, look, I mean, I think that's a fantastic question because we talk about, we use buzzwords like machine learning and AI all the time. And I know they're all over the place here at re:Invent. And there's so much promise and hope out there around these technologies and these innovations. However, machine learning AI is only as effective as the data is clean and normalized. And we will not realize the promise of these technologies for outcomes in resilience, unless we have better ways to normalize data upstream and better ways to integrate that data to the downstream tools where detection and response is happening. And so OCSF was really about the industry coming together and saying, this is no longer the job of our customers. We are going to create a unified schema that represents an event that we will all bite down on. Even some of us are competitors. This is, that no longer matters because the point is, how do we take this burden off of our customers and how do we make the industry safer together? And so 15 initial members came together along with AWS and Splunk to start to create that initial schema and standardize it. And if you've ever worked with a bunch of technical grumpy security people, it's kind of hard to drive consensus around just about anything. But I'm really happy to see how quickly this organization has come together, has open sourced the schema.
And just as you said, like I think this unlocks the potential for real innovation that's going to be required to keep up with the bad guys, but right now is getting stymied and held back by the lack of normalization and the lack of integration.

I've always said Splunk ate data for breakfast, lunch and dinner and turns it into insights. And I think you bring up the silo thing. What's interesting is the cross-company sharing. I think this hits point on. So I see this as a valuable opportunity for the industry. What's the traction on that? Because to succeed, it does take a village, takes a community of security practitioners and architects and developers to kind of coalesce around this de facto movement. Has uptake been good? How's the traction? Can you share your thoughts on how this is translating across companies?

Yeah, absolutely. I mean, look, I think cybersecurity has a long track record of standards development. There's been some fantastic standards recently, things like STIX and TAXII for threat intelligence. There's been things like the MITRE ATT&CK framework coming out of MITRE and the adoption and the traction that we've seen with ATT&CK in particular has been amazing to watch how that has kind of roared onto the scene in the last couple of years and has become table stakes for how you do security operations and incident response. And I think with OCSF we're going to see something similar here, we are in literally the first inning of this. So right now, we're architecting this into every part of our sort of backend systems here at Splunk. I know our collaborators at AWS and elsewhere are doing it too. And so I think it starts with bringing the standard. Now the standard exists in schema format and there's Confluence and Jira tickets around it. How do we then sort of build this into the code of the collaborators that have been leading the way on this?
And it's not going to happen overnight but I think in the coming quarters you'll start to see the schema be the standard across the leaders in this space, companies like Splunk and AWS and others who are leading the way. And often that's what helps drive adoption of a standard is if you can get the big dogs so to speak to embrace it and there's no bigger one than AWS. And I think there's no more important one than Splunk in the cybersecurity space. And so as we adopt this, we hope others will follow. And like I said, we've got over 50 organizations contributing to it today. And so I think we're off to a running start.

You know, it's interesting choking innovation or having things kind of get slowed down has really been a problem. We've seen successes recently over the past few years like Kubernetes has really unlocked and accelerated the cloud native roles of runtime with containers to kind of have the consensus of the community to say, hey, if we just do this, it gets better. I think this is really compelling with the OCSF because if people can come together around this and get unified, as well as all the other official standards, things can go highly accelerated. So I think it looks really good and I think it's a great initiative and I really appreciate your insight on that. On your relationship with Amazon, okay, it's not just a partnership, it's a strategic collaboration. Could you share that relationship dynamic? How'd it start? How's it going? What's strategic about it? Share to the audience kind of the relationship between Splunk and AWS on this important OCSF initiative.

Look, I mean, I think this marks the 10th year anniversary that Splunk and AWS have been collaborating in a variety of different ways. I think our companies have a fantastic and longstanding relationship and we've partnered on a number of really important projects together that bring value obviously to our individual companies but also to our shared customers.
When I think about some of the most important customers at Splunk that I spent a significant amount of time with, I know how many of those are AWS customers as well and I know how important AWS is to them. So I think it's a collaboration that is rooted in a respect for each other's technologies and innovation but also in a recognition that our shared customers want to see us work better together over time and it's not two companies that have kind of decided in the back room that they should work together. It's actually our customers that are pushing us and I think we're both very customer centric organizations and I think that has helped us actually be better collaborators and better partners together because we're working backwards from our customers.

As security becomes a physical and software approach we've seen the trend where even Stephen Schmidt at Amazon Web Services is the CSO, he's not the CSO anymore. So why he says, well, security is also physical stuff too. So his lens is now expanded. You mentioned supply chain, physical, digital. This is an important inflection point. Can you summarize in your mind why the Open Cybersecurity Schema is important? I know the unification but beyond that, what, why is this so important? Why should people pay attention to this?

You know, if you'll allow me to be just a little abstract and meta for a second, I think what's really meaningful at the highest level about the OCSF initiative and that goes beyond, I think the tactical value it will provide to organizations and to customers in terms of making them safer over the coming years and decades. I think what's more important than that is, it's really one of the first times that you've seen the industry come together and say, we got a problem we need to solve that, you know, doesn't really have anything to do with our own economics. Our customers are hurting and yeah, some of us may be competitors.
You know, we've got different cloud service providers that are participating in this along with AWS. We've got different cybersecurity solution providers participating in this along with Splunk. But folks have come together and said, we can actually solve this problem. If we're able to kind of put aside our competitive differences in the markets and approach this from the perspective of what's best for information security as a whole. And I think that's what I'm most proud of and what I hope we can do more of in other places in this industry. Because I think that kind of collaboration from real market leaders can actually change markets. It can change the trend lines in terms of how we are keeping up with the bad guys. And I'd like to see a lot more of that.

And we're seeing a lot more new kind of things emerging in the cloud, kind of this next generation architecture and outcomes are happening. I think it's interesting, you know, we always talk about sustainability, supply chain, sustainability about making the earth a better place. But you're hitting on this meta point about businesses are under the threat of going under. I mean, we want to keep businesses to be sustainable, not just, you know, the environment. So if a business goes out of business, which the threats here can be catastrophic for companies. I mean, there is a community responsibility to protect businesses. So they can sustain and stay producing. This is a real key point.

Yeah, yeah. I mean, look, I think, I think one of the things that, you know, we complain a lot in cybersecurity about the lack of talent, the talent shortage in cybersecurity. And every year we kind of whack ourselves over the head about how hard it is to bring people into this industry. And it's true. But one of the things that I think we forget, John, is how important mission is to so many people in what they do for a living and how they work.
And I think one of the things that cybersecurity is strongest in information security general and has been for decades is this sense of mission. And people work in this industry, not because it's always the most lucrative, but because it really drives a sense of safety and security in the enterprises and the fabric of the economy that we use every day to go through our lives. And when I think about the Splunk customers and AWS customers, I think about the different products and tools that power my life. And we need to secure them. And sometimes that means coming to work every day at that company and doing your job. And sometimes that means working with others, better, faster and stronger to help drive that level of maturity and security that this industry needs.

It's a human opportunity, human problem and challenge. That's a whole other segment, the role of the talent and the human machines and with scale. Patrick, thanks so much for sharing the information and the insight on the Open Cybersecurity Schema Framework and what it means and why it's important. Thanks for sharing on theCUBE, really appreciate it.

Thanks for having me, John.

Okay, this is AWS re:Invent 2022 coverage here on theCUBE. I'm John Furrier, the host. Thanks for watching.