 Live from Las Vegas, it's theCUBE. Covering Splunk.conf 19, brought to you by Splunk. Okay, welcome back everyone. It's theCUBE's live coverage in Las Vegas for Splunks.conf. This is their annual conference, the 10 year anniversaries theCUBE's coverage for seven years. We've been covering this company from startup to IPO to growth to now going to the next level as a leader in security. And our next guest is Scott Ward, Principal Solutions Architect for AWS. Amazon Web Services obviously reinvents coming up. I'm sure you're super busy Scott, but you're here at Splunk.conf. Actually they're a big partner of AWS. Yeah, yeah, definitely. I mean Splunk's a great partner. We've had a strong relationship with Splunk for quite a long time. Both sides of the house, AWS and Splunker are leaning in to help kind of add value to our mutual customers. And I'd say even building on that, Splunk's been a long time customer. And so you guys obviously really focus on cloud security. You had your inaugural reinforce event in Boston this year of which we broadcasted live videos around YouTube. YouTube.com still has an angle for anyone interested. But this was really kind of a watershed moment because it wasn't your classic security show, it was a cloud security. Yeah, it was definitely, it was very much focused on just kind of focusing in and in some ways it actually allowed people who don't normally get to come to an AWS event or focus on security and really dive deeper into security. I mean, security AWS is our top priority and we want to make sure that our customers are really understanding and being able to execute on that and be able to feel confident in what they're doing or running on AWS. And Splunk has become a very successful and some people call them the number one third party vendor in security for workload apps. I'll see log files. You bought SignalFX for tracing microservices around the corner, a lot of good things there. But as the cloud equation starts to come in where the operations need to have security end to end on-premises, edge, cloud, the role of Amazon and your partners are super important. You talk about that relationship and how that's evolving. Yeah, I mean, I think when you talk about our partners it's definitely very important. We have, AWS has lots of different services on its platform that we allow customers to use, but those partners come in and help fill out the gaps where customers need somebody to be able to provide more or extra, especially when we look at security. So that shared responsibility model we have, where the top half is the customer's responsibility. They have a lot of flexibility in what they can do and that means that they can bring in the partners they want and help them to be able to accomplish the things that they want to do. Tell me about the Security Hub, the Amazon's AWS Security Hub, what's that about? Sure, so Security Hub is a service that we actually launched at, reinforced at when generally available then. And it's focused on really giving customers visibility into high severity security alerts and their compliance status. While they're running across all their AWS accounts, it allows them to aggregate, prioritize, and sort all of this data coming from multiple data sources. And when we talk about those multiple data sources it really is a couple of different areas, Amazon GuardDuty, Amazon Inspector, and Amazon Macy, but also third-party products. So if a customer is using third-party security products they can feed into Security Hub to kind of give them that visibility. And then it's also running continuous compliance checks against the customer's AWS accounts to kind of let them know where they stand, when it comes to compliance and where they need to go and correct things with the account or the resource level. So really, you know, enabling customers to kind of get a lot more visibility into what's going on with their AWS environments. And we've been covering this in reporting on the story, but Amazon, and cloud providers in general, Amazon, Azure, Google Cloud Platform, customers are relying more and more on you guys for security, but you have a relationship with Splunk, say a third party. How do they fit in? How does Splunk fit into that Security Hub model? What's the, how's that going? Because just clarify that relationship between, say, Splunk and the Security Hub. Yeah, yeah, so when you talk about Splunk and Security Hub there's actually a couple of different angles there. One is the Splunk Enterprise product. It is a consumer of all the data that is in a customer's Security Hub environment. So you can feed all that data into the Enterprise product and then be able to kind of ask the questions and take all the data that Security Hub provided as well as all the other data that's in Splunk and really be able to get some deep insights into what's going on in your environment. And then on top of that is the Splunk Phantom integration which I'm really, really excited about because Splunk is with Phantom is allowing customers to actually take action on their security data. So customers have often told us, like, it's great, you're making all this data available to me and I can see it, but what do I actually do with it? How am I going to do something with it? And so we advocate a lot for customers to be able to automate what they're doing when it comes to their security findings and get the humans out of the way as much as possible so they can really be adding a lot of value. So Security Hub feeds us to Phantom and Phantom can run playbooks that will do as much or as little on that security finding data to kind of integrate that finding into the customer's operational workflows and collect the right information or hopefully ultimately remediate that security finding so that the customer can get some sleep and they can focus on other things that are more important. Talk about Phantom for a minute just to kind of change gears really, you mentioned that. I talked to Oliver, I've interviewed him at Reinforce and here recently, he's part of that team, Spunk bought the company. What is, why is Phantom so popular? I think Phantom is popular because a couple of things. One, it is allowing customers to resolve and remediate and address an issue with what works for them in a workflow that works for them. It's not making them to clearly fall into a particular box, they can add or remove pieces. The fact that it's very Python based, it's Python's huge in the security community so that they can probably find resources that can actually orchestrate and build these playbooks. And then once they build playbooks they can reuse those pieces to address other issues or things that are coming up. So I think it allows them to really kind of at scale be able to kind of be able to accomplish these things when it comes to automation and addressing with security alerts as they continue to grow. So it makes things go faster, frees up people's time for productivity. I totally feel that that's one of the main reasons that people are looking at this. So if someone's using Splunk, for instance, say I'm a Splunk customer, I'm like, okay, Security Hub, why should I use both? What's, just clarify that piece. I think there's a couple of reasons where I would say that somebody would want to use both. One is Security Hub is the continuous compliance checks. So today's Security Hub offers checks based on the Center for Internet Security AWS benchmark. So we are continuously running those checks. There's about, I think 43 rules that we are running each of those checks against your AWS accounts or the resources in those accounts to tell you where you are or not in compliance. So you get an overall score. You can dig into what's where you need to do further there. Security Hub, I can look at it as a central integration spot to get stuff into Splunk as well. So you can have the GuardDuty, Macy Inspector and third party stuff coming into Security Hub. And then you have that one-stop shop to get all that data into Splunk Enterprise or Phantom. And then the third thing is the fact that Security Hub gives you that security view across multiple AWS accounts. You can designate a master account, invite all your other organizational accounts to share those findings. And your security team can go into Security Hub and have one view of your overall security landscape and be able to look at that at a one single pane of glass but across all of your organizations. So I think those are some key value points I would say that in addition to Splunk that a customer might use Security Hub. So Scott's been great insight on thanks for clarifying the Splunk AWS relationship. Let's pretend I'm a customer for a minute and I'm like, hey Scott, you're a solution architect. Thanks for the free consulting. We'll do it live on theCUBE. So I'm a Splunk customer, get log files. I see they got some tracing stuff. I'm going cloud native, going to the cloud. We're implementing Amazon. I'm a buyer, I'm a customer of Splunk and they got a lot of this new stuff. Anthem's awesome, SOAR Enterprise 6.0 is out. How do I, what do I do? Why do I architect my Splunk to give me more headroom and grow my Splunk capabilities at the same time take advantage of all the AWS goodness? How would you lay that out? I would say, I would say, you know, let your Splunk be kind of, you know what? You bought Splunk for a particular reason. It's there to answer questions. It's there to take data in. It's a lie to kind of move forward. I would definitely, you know, architect your Splunk to be able to consume as much of the data as possible. AWS has lots of different integrations. To consume that, you shouldn't move away from that. So I would definitely use that. I would use Security Hub for kind of getting that centralization spot for everything related to your AWS environment that can then be your central spot into Splunk. You may have people that it's really not necessary for them to be into Splunk. They don't know Splunk. Security Hub might be a good spot for them to actually do some investigations and learn things as well so that they can do their job. And then you really kind of use the deep technology and query capability of Splunk to kind of do those deeper dives and really understanding what's going on in your environment. So I think, you know, as a buyer, I think you can use both and I think there's room for you to kind of take advantage of both and get the best of both worlds. Yeah, it's really exciting with security going on. It's kind of crazy at the same time because you have cloud scale. You guys have been led the market there and continue to be the leaders in cloud, cloud scale, DevOps, everything else. And the role, volume of data has increased so much. You guys just had your inaugural conference reinforce. And I want to get your thoughts on this as a solution architect and someone who's in the field. Difference between traditional security, chasing the bad guys, defending, intrusion detection, all that good stuff, to cloud security because you have all the security shows out there, RSA, Black Hat, DEF CON. But cloud security introduces a new element around how to architect solutions. What should people know about the impact of cloud security as they start thinking holistically around their enterprise? Right, I think the important thing is, you know, the things you mentioned, the vulnerability scanning, the intrusion detection, because they're all still important in the cloud. I think the key thing that the cloud offers is the fact that you have the ability to now automate and integrate your security teams more tightly with the things that you're doing and you can actually, we always talk about the move fast and stay secure. Customers choose AWS for the self service, the elasticity of the price. And you can't take advantage of those unless your security can actually keep up with you. So the fact that everything is based on an API, you can define infrastructure as code. You can actually enforce standards now, whether it be before you write a line of code in your DevOps pipeline, we're actually being able to detect and react to those things all through code and in a consistent way, really allows you to be able to look at your security in a different way and take the kind of philosophy and minds that you've always had around security, but actually able to do something with it and be able to maybe do the things you've always wanted to do, but have never had a chance to do. So I think the security can actually keep up with you and actually help you differentiate your business even more than maybe it did in the past. So new capabilities are available now with new options. Yep, exactly. Great stuff. Conversations here at .conf in Vegas, Splunk's conference, obviously their user conference, so you guys have re-invent coming up. Cube will be there first week of December. And you got a music festival too, Intersect, which is going to be fun. I'm going to attend that if I don't fall over and die from all these cubenermies. What are you talking about here? What are the key conversations you're having here? Sure. And here at Splunk.conf, at your booth, two customers, what's the main talking point? Sure, I think the main talking point is, and I'm actually presenting in the breakout theater this afternoon, is we're talking about that taking action portion of data's in Security Hub or data's in AWS. How do you do something with that? And what do we enable? And how does a partner like Splunk come in? And what does that taking action actually look like to allow you to be able to do things at scale and be able to leverage and take advantage of your precious resources and use them in the best way possible? So I think that that's a lot of the conversation that we're having and the things that we're focusing on. What do you hope did walk away and action items going to be for people leaving that session? I think people should walk away and understand that it is within their reach to be able to actually be able to kind of have this nirvana of being able to react to security events and not have to have a human engage in every single thing. It is a crawl, walk, run type approach. You're going to need to figure out how do I, when I see this, what are the things I want to do? How do I automate that? Validate that that's actually true and then implement it and then go back and do the next thing. And I'd really like customers to walk away and know that that is possible and that with a little bit of investment they can make it happen and that at a certain point, it will really add benefits to them. Well, AWS has been following you guys for eight years with theCUBE. This will be our ninth year, I think, for re-invent. It's been fun to watch Amazon grow and I'm sure there'll be thousands of new announcements every year that's always blown away with the volume of new stuff. Give a plug for a second on the Amazon partner network which you're part of. And the scope of relationships with third party partners. How important it is and what are some of the cool things going on? Sure, so I mean, the Amazon partner network we're focused on partnering with, it's really that sell with motion where we're going out and AWS is selling, the partner is selling. We work with technology providers and solution systems integrators. And we're really focused on just working with them to make sure that the best solution possible is being created for customers so that they can take advantage of the partner solution and the AWS cloud and that they're getting some sort of a unique value that they're going to get by using the cloud and that partner solution together to help them whether it be security or any other sort of area that they can feel more confident and they can be more successful in the crowd through the combination of both AWS and the partner. And there's a whole team. It's not like a few guys. It's a whole organization committed to Amazon partners. Yes, yes. I mean, I'm one of many solution architects on the partner team. We have partner managers. We have marketing. We have the whole gamut of people that are working globally with our partners to help them really kind of have a great success and a great story to tell about. So all those people throwing foot out there. Amazon doesn't work with partners. Not true. We have tens of thousands of partners and that's my job. I'm working with partners on a daily basis. I'm at events like this. I'm on phone calls. I'm providing guidance. It is very much a core thing that we are focusing on. Partner network, you guys got Marketplace, Amazon's are really putting their resources behind the mission of helping customers with partners. Yes, definitely. And we do that in a lot of different ways. We have the partners that can go through tiers. We have competencies that we actually allow partners to get into so customers can really go find who's the best or who should I be looking at first when I have this particular problem to solve? We've got a security competency and many other competencies. I'm really working to help our customers understand who are these partners and how can they help them with the cloud? Well, we've been following Cherry Wise's career. He's done an amazing job. I know he's handed the reins over to new management. He's going to chill for a while. Congratulations on all your success. Thank you very much. With Amazon and Splunk. Appreciate it. Thanks for clarifying. Thanks for having me. Appreciate it. Scott Ward, Principal Solutions Architect for AWS Amazon Web Services here inside theCUBE at splunk.conf, 10th year of their conference, our seventh year covering with theCUBE. I'm John Furrier. We'll be back with more after this short break.