Live from Washington D.C., it's theCUBE, covering .conf 2017, brought to you by Splunk. Welcome back, here on theCUBE, the flagship broadcast for SiliconANGLE TV. Glad to have you here at .conf 2017, along with Dave Vellante, John Walls. We are live in Washington D.C., and balmy Washington D.C. It's like 88 here today, really hot. It's cooler here than it is in Boston, I hear. Yeah, right, but we're not used to it, this time of year. Brad Medairy now joins us. He's an SVP at Booz Allen Hamilton, and Brad, thank you for being with us. And another Redskins fan, I... Another Redskins fan. It was a big night, wasn't it? Sunday night, I mean, we haven't had many of those the last decade or so. Yeah, yeah, I became a Redskins fan in 1998, and unfortunately a little late after the three or four Super Bowls. That's a long dry spell, yeah. Dry spell. Are you guys Nats fans? Oh, huge Nats fans. I don't know about Brad, I don't want to speak for you. Soft spot in my heart for the Nats. What's the story with that team? Well, it's just, it's been post-season disappointment, but this year. This is the year. This is the year. Although... Hey, if the Red Sox and the Cubs can do it. I hate to go down the path, but Gio's worried me a little bit, but we can talk about it offline. Yeah, let's not talk about DC's first. We've had five outings now, not been very good, but anyway, let's just, let's take care of what we can. Cyber, let's talk a little cyber here. Yeah. I guess that's your expertise, so pretty calm, nothing going on these days, right? Boring field, you know, boring field, yeah. So you've got clients, private sector, public sector. What's kind of the cross-pollination there? I mean, what are their mutual concerns and what can you, what do you see from them in terms of common threads? 
Yeah, so at Booz Allen, we support both federal and commercial clients and we have a long, long history in cybersecurity, kind of with deep roots in the defense and the intelligence community and have been in the space for years. What's interesting is, you know, I kind of straddle both sides of the fence from a commercial and a federal perspective and, you know, on the commercial side, you know, some of the major breaches really forced a lot of these organizations to quickly get religion and, you know, early on, everything was very compliance-driven and now it's much more proactive and, you know, the need to be, you know, much more both efficient and effective. The federal space is, I think in many cases, catching up and so I've done a lot of work across .mil and there's been a lot of investment across .mil and very secure. .gov, you know, is still probably a fast follower and one of the things that we're doing is bringing a lot of commercial best practices into the government space and the government's quickly moving from a compliance-based approach to cybersecurity to much more proactive defense. Yeah, and can you get, it's almost like a glacier sometimes, right? I mean, there's a legacy mindset in a way that government does its business but I would assume that events over the past year or two have really prompted them along a little bit more. I mean, there's definitely been, you know, some highly publicized events around breaches across .gov and I think there's a lot of really progressive programs out there that are working to, you know, quickly, you know, remediate a lot of these issues. One of the programs we're involved in is something called CDM that's run out of DHS, Continuous Diagnostics and Mitigation. And it's a program really designed to up-armor .gov, you know, to increase situational awareness and provide, you know, much more proactive reporting so that you can get real-time information around events and postures of the network. 
So I think there's a lot of exciting activities and I think DHS, in partnership with the federal agencies, is really kind of spearheading that. So if we can just sort of lay out the situation in the commercial world and see how it compares to what's going on in .gov. Product creep, right? There's dozens and dozens and dozens of products that have been installed. Security teams are just sort of overwhelmed, overworked. Response is too slow. I've seen data from, whatever, 190 days to 350 days to identify an infiltration. Never mind remediate it. And so it's a challenge. So what's happening in your world and how can you guys help? Yeah, you know, it's funny. I love going out to the RSA conference and, you know, I watch a lot of folks in the space, you know, walking around with a shopping cart and they meet all these great vendors and they have all these shiny pebbles and they walk away with the silver bullet, right? And so if they implement this tool or technology, they're going to be, they're done, right? And I think we all know that that's not the case. And so, you know, over the years, I think that we've seen a lot of organizations, both federal and commercial, try to solve a lot of the problems through, you know, new technology solutions, whether it's, you know, the next best, you know, intrusion detection or if it's endpoint, you know, the rage now is EDR, MDR. And so, but the problem is at the end of the day, the adversaries live in the seams. And, you know, in the world that I grew up in, focused a lot around counter-terrorism, we took a data-centric approach to finding advanced adversaries. And, you know, one of the reasons that Booz Allen has strategically partnered with Splunk is we believe that, you know, in a data-centric approach to cyber, and Splunk as a platform allows us to quickly integrate great data independent of the tools. Because the other thing with these tool ecosystems is all these tools work really well within their own ecosystem. 
But as soon as you start to mix and match best-of-breed tools and capabilities, they tend to not play well together. And so we use Splunk as that integration hub to bring together the data that allows us to bring our advanced tradecraft and tech craft around hunting, understanding the adversaries, to be able to fuse that data and do advanced detection and help our clients be a lot more proactive. So Cyber4Sight is the service that you lead with? Yeah, you know, one of the things, so, you know, having a company that's been, Booz Allen, I think now is 103 years old with obvious deep roots in the federal government. And so we have a pedigree in defense and intelligence. And we have a lot of amazing analysts, a lot of amazing what we call tech craft, you know, and, you know, what we did was, you know, this was many, many years ago, and we're probably one of the best kept secrets in threat intelligence. But after, you know, maybe five or six years ago, when you started to see a lot of the public breaches in the financial services industry, a lot of the financial services clients came to us and said, hey, Booz Allen, you guys understand the threat. You understand actors, you understand TTPs, help educate us around what these adversaries are doing. Why are they doing it? How are they doing it? And how can we get out in front of it? The question has always been, you know, how can we be more proactive? And so we started a capability, we developed a capability called Cyber4Sight, where we provided some of our human intelligence analysts and applied them to open source data and we were providing threat intelligence as a service. And what's funny is, you know, today, you know, you see a lot of the cyber threat intelligence landscape is fairly crowded. When I talk to clients, they affectionately refer to people that provide threat intelligence as Beltway Book Reporters, which I love. But, you know, for us, you know, we've lived in that space for so many years. 
We have the analysts, the scale, the tradecraft, the tools, the technologies, and you know, we feel that we're really well positioned to be able to provide clients with the insights. You know, early on when we were working heavily in the financial services sector, the biggest challenge a lot of our clients had in threat intelligence was, what do I do with it? Okay, so you're going to send me what we call a spot report and so, hey, we know this nation-state actor with this advanced set of TTPs is targeting my organization. So what? I'm the CISO, I'm the CIO. Should I resign? Should I jump out the window? What do I do? I know these guys are coming after me. How do I actually operationalize that? And so what we've spent a lot of time thinking about and investing in is how to operationalize threat intelligence. And when we started, you know, you kind of think of it as a pitcher and a catcher, right? You know, so the threat intelligence provider throws those insights, but the receiver needs to be able to catch that information, be able to put it in context, process it, and then, you know, operationalize it, implement it within their enterprise to be able to stop those advanced threats. And so one of the reasons that we gravitated towards Splunk, Splunk is a platform, Splunk is becoming, really, in our mind, one of the de facto repositories for IT and cyber data across our client space. So when you take that, all those insights that Splunk has around the cyber posture and the infrastructure of an enterprise, and you overlay the threat intelligence with that, it gives us the ability to be able to quickly operationalize that intelligence. And so what does that mean? 
So, you know, when a security operator is sitting at a console, they're drowning in data and, you know, analysts, you know, we've investigated tons of commercial breaches and in most cases what we see is the analysts at some point had a blinking red light on their screen that was an indicator of that particular breach. The problem is, you know, how do you filter through the noise? And that's the problem that this whole industry, it's a signal-to-noise ratio issue. So you guys bring humans to that equation. It's human intelligence meets analytics and machine intelligence. But the adversary has evolved. And I wonder if you could talk about that. It's gone from sort of hacktivists to organized crime and nation-states. They've become much more sophisticated. How have the humans sort of evolved as well that you're bringing to bear? I mean, certainly the barrier to entry is lower. And so now we're seeing ransomware as a service. We're seeing attacks on industrial control systems, on IoT devices. You know, financial services now is extremely concerned about building control systems because if you can compromise the building control system, you can get into, you know, potentially laterally move into the enterprise network. And so our analysts now not only are, you know, traditional intelligence analysts that understand adversaries and TTPs, but they also need to be technologists. They need to, you know, have reverse engineering experience. They need to be malware analysts. They need to be able to look at attack vectors and TTPs to be able to put all this stuff in context. And again, it goes back to being able to operationalize this intelligence to get value out of it quickly. And they need to have imaginations, right? I mean, thinking like the bad guys, I guess, which is... 
Yeah, I mean, we spend a lot of time, you know, we've stood up a new capability called Dark Labs and it's our way to be able to unlock some of those folks that think like bad guys and be able to unleash them, to look at the world through a different lens and, you know, be able to help provide clients insights into attack vectors, new TTPs. And it's fascinating to watch those teams work. Yep. How does social media come into play here? I mean, or is that a problem at all? Is that a consideration for you at all? You know, when we look at a lot of attacks, I mean, what's kind of interesting with this space now is you look at nation-states and nation-state actors and they have sophisticated TTPs. In general, they don't have to use them. Nation-states haven't even pulled out their, quote, good stuff yet. Because right now, for the most part, they go with low-hanging fruit. Low-hanging fruit being... Just pushing the door open, right? Yeah, I mean, why try to crash through the wall when the door's not locked? And so, when you talk about things like social media, whether it's phishing, whether it's malware injected in images or on Facebook or Twitter, the majority of attacks are either driven through people or driven through just unpatched systems. And so, it's kind of cliche, but it really starts with policies, training of the people in your organization, but then also putting some more proactive monitoring in place to be able to kind of start to detect some of those more advanced signatures for some of the stuff that's happening in social media. It's like having the best security system in the world but you left your front door unlocked. That's right, that's right. I wonder, Brad, I don't know how much you can say, but I wonder if you could comment just generally. Like you said, we haven't seen their best pitch yet. 
We had Robert Gates on and when I was interviewing him, he said, you know, we have great offense, offensive posture, security, but we have to be super careful how we use it because when it comes to critical infrastructure, we have the most to lose. And when you think about the sort of aftermath of Stuxnet, when basically the Iranians said, hey, we can do this too. What's the general sort of philosophy inside the Beltway around offense versus defense? I think from, that's a great question. From an offensive cyber perspective, I think where the industry is going is, how do you take offensive tradecraft and apply it to defensive? And so by that, I mean, think about, we take folks that have experience thinking like a bad guy, but unleash them in a security operations center to do things like advanced hunting. And so what they'll do is take large sets of data and start doing hypothesis-driven analytics where they'll be able to kind of think like a bad guy and then they'll have developers or techies next to them building different types of analytics to try to take their mind and put it into an analytic that you could run over a set of data to see, hey, is there an actor on your network performing like that? And so I think we see in the space now a lot of focus around hunting and red teaming. And I think that's kind of the industry's way of trying to take some of that offensive mentality but then apply it on the defensive side. It's just kind of Navy SEAL operations in security. Right, right, yeah. I mean, the challenge is there's a finite set of people in the world that really truly have that level of tradecraft. So the question is, how do you actually deliver that at any level of scale that can make a difference across this broader industry? So it's the quantity of those skill sets. They always say that the amazing thing, again, I come back to Stuxnet, was that the code was perfect. 
And the antivirus guys said, we've never seen anything like that where the code is just perfect. And you're saying it's just a quantity of skills that enables that. That's how you know it's nation-state, obviously, something like that. Yeah, I mean, you know, the level of expertise, the skill set, the time it takes to be able to mature that tradecraft is many, many years. And so I think that when we can crack the bubble of how we can take that expertise, deliver it in a defensive way to provide unique insights and do that at scale. Because just taking one of those folks into an organization doesn't help the whole, right? How can you actually kind of operationalize that to be able to deliver that tradecraft through things like analytics as a service, through managed detection and response at scale, so that one person can influence many, many organizations at one time. And just before we go, so Cyber4Sight is available today? It's something you've gone to? Yeah, we just partnered with Splunk. It's available as part of Splunk ES. It's an add-on. And it provides, you know, our analysts the ability to provide insights and be able to operationalize that within Splunk. We're super excited about it and it's been a great partnership with Splunk and their ES team. So you guys are going to market together? We are partnered. We're going to market together and delivering the best of our tradecraft and our intelligence analysts with their platform and product. Good luck with it. Hey, thank you. Thank you very much guys. Good pair, that's for sure. Thank you, Brad, for being with us here and Monday night, let's see how it goes, right? Yeah, I'm optimistic. Very good, all right. Coach Brad Medairy joining us with his rundown of what's happening at Booz Allen. Back with more here on theCUBE. You're watching live from .conf 2017.