Live from Orlando, Florida, it's theCUBE, covering .conf18, brought to you by Splunk. We're back in Orlando, everybody, at splunk.conf18. Hashtag SplunkConf18, I'm Dave Vellante with my co-host Stu Miniman, and you're watching theCUBE, the leader in live tech coverage. We like to go out to the events, we want to extract the signal from the noise, we've been documenting the ascendancy of Splunk for the last seven years, how Splunk really starts in IT operations and security, and now we hear today Splunk has aspirations to go into the line of business, but speaking of security, Gary Mikula is here, he's a senior director of cyber and information security at FINRA, and he's joined by Siddhartha Dadana, who's the director of information security engineering at FINRA. Gentlemen, welcome back to theCUBE. Gary and Sid, first time, welcome on theCUBE. So, I want to start with FINRA, why don't you explain, I think many people know what FINRA is, but explain what you guys do and sort of the importance of your mission. Sure, our main aspiration is to protect investors, and we do that in two ways. We actually monitor the brokers and dealers that do trades for people, but more importantly, and what precipitated our move to the cloud was the enormous amount of data that we have to pull in daily. Every transaction on almost every U.S. stock market has to be surveilled to ensure that people are acting properly, and we do that at the petabyte scale, and doing that with your own hardware became untenable, and so the ability to have elastic processing in the cloud became very attractive. How much data are we talking about here? Is there any way you can sort of quantify that for us or give us a mental picture? Yeah, so the example I use is if you took every transaction that Visa has on a normal day, every Facebook like, every Facebook update, and if you took every Twitter tweet, you added them all together, you multiplied it by 20, you would still not reach our peak on a peak day.
Oh yeah, hence Splunk, and we'll talk about that, but Sid, what's your role? You got to architect all this stuff, the data pipeline, what do you do? My role is basically to work with DevOps teams, application teams to basically integrate security in the processes, how they roll out applications, how they look at data, how they use the same data that security uses for them to be able to leverage for DevOps and other performance. So your mission is to make sure security is not an afterthought, it's not a bolt-on, it's a fundamental part of the development process, so it's not thrown over the fence, hey, secure this application, it's built in, is that right? Okay, Gary, I wonder if you could talk about how security has changed over the last several years? You hear a lot that, well, all the spending historically has been on keeping the bad guys out, the perimeter, as the perimeter disappears, things change, and the emphasis changes, certainly data is a bigger factor, analytics have come into play, from your perspective, what is the big change, or the big changes in security? So it's an interesting question, so I've been through several paradigm changes, and I don't think any one has been as big as the move to the cloud, and the cloud offers so much opportunity from a cost perspective, from a processing perspective, but it also brings with it certain security concerns, and we're able to use tools like Splunk to be able to do surveillance on our AWS environments in order to give us the confidence to be able to use those services up there, and so we now are actually looking at how we're going to secure individual AWS services before we use them, rather than looking to bring stovepipe solutions in, we're looking to leverage our AWS relationship to be able to leverage what they've built out of the box. Yeah, people oftentimes do talk about cloud security, like it's some binary thing.
Oh, I don't want to go to the cloud, because cloud is dangerous, or cloud security is better. It's not that simple, is it? I mean, maybe the infrastructure, in fact, we heard the CIA, Stu and I were in DC in December, we heard the CIO of the CIA say cloud on its worst day is better than my client server from a security perspective, but he's really talking about the infrastructure. There's so much more to security, right? Absolutely, and so I agree that the cloud gives the opportunity to be better than you are on-prem. I think the way FINRA has rolled out, we've shown that we are more secure in the cloud than we have been on traditional data centers, and it's because of our ability to actually monitor our whole AWS environment. Everything is API-based. We know exactly what everybody's doing. There's no shadow IT anymore, and those are all big positives. Yeah, I'm wondering what KPIs you look at when you look at your Splunk environment. What we hear from Splunk is it's scalability, cost, performance, and that management, the monitoring of the environment. How are they doing? How does that make your job easier? So I think we still look at the same KPIs that Splunk actually advertises all the time, but some of the reasons, from our perspective, we can look at it in terms of how much value can we give it to not just one part of the company, but how can we make it a much more enhanceable product for everyone in the organization. So the more we do that, I think that makes it a much better ROI for any organization to use a product like this one. You guys talk about this shift-left movement. What is shift-left and what's the relevance to security? Yeah, so shift-left is a concept where instead of looking at security as a bolt-on or an add-on or a separate entity, we're looking to leverage what our traditional DevOps tools, what our traditional SDLC pipeline roles, and we're looking at how we integrate security into that.
And we use Splunk to be able to integrate collection of data into our CI/CD pipelines and it's all hands-off. So somebody hits a button to deploy a new VPC in AWS, automatically things are monitored and into our enterprise search, I'm sorry, enterprise security SIEM and automatically being monitored. There's no hands-on that needs to be done. So on a scale of one to five, thinking of a maturity model in a DevOps context, five being the gold standard and one being you're just getting started, where would you put FINRA on that spectrum? Just subjectively. So I'll never say that we're a five because I think there's always, you're never done and there's always room for improvement, but I think we're at least a strong four. We've embraced those concepts and we've put them into action. And so I thought so, and I want to ask you from a skill standpoint how you got there. So you've been around a long time. You had a dev team and an ops team before the term DevOps even came around, right? And we talk about this a lot, Stu. What did you do with the ops guys and the dev guys? Is it ops dev or DevOps? Did you retrain them? Did you fire them all and hire new people? How did you go through that transition? Yeah, that's a fair thing. I went to my CISO John Brady a couple of years ago and I told him that we were going to need to get these new skill sets in and that I thought I had the right person in Sid to be able to head that up, and we brought in some new talent but we also retrained the existing talent because these were really bright people and they still had the security skills. And what Sid's been able to do is to embrace that and create a working relationship with the traditional DevOps teams so that we can integrate into their tools. So it does include a little bit of work on our end, where you kind of learn how the DevOps folks work.
So you got to do it on your own to first figure out things and then you can actually relate to the problems which they would go through, and then you work through problems with them rather than you designing up a solution and then just saying, hey, go and implement it. So I think that kind of relationship has helped us and in the long run, we hope to do a bit better work. Yes, Sid, can you bring us in a little bit when you look at your Splunk deployment? FINRA's got a lot of applications. How do you get all those various applications in there? Splunk talks about you can get access to your data, your way, do you find that to be the reality? Yes, to a certain extent, so let's take a step back here. So our design is much more hybrid oriented. So we use Splunk Cloud, but that's primarily for our indexers, whereas we host our own search clusters. All the data basically goes in from servers, from AWS components, from on-prem, basically flows into our Splunk Cloud indexers and we use role-based access management to actually give everyone access to whatever data they need to be looking at. All right, they've made a number of enhancements from 7.2 updates to the cloud. Gary, is there anything that's jumped out that's going to architecturally help your team? So I think one of the interesting things is the new data pipeline, and to be able to actually mangle that data before I get it into my Splunk indexers is going to be really, really life-changing for us. One of the hard parts is that developers write code and they don't necessarily create logs that are event-driven. They don't have date-time stamps, they do dumps, so I'm going to be able to actually massage that before it hits the indexers, and it's going to speed up our ability to be able to provide quick searches because the indexers won't be working on mangling that data.
And how big of a deal is it for you, they announced yesterday, the ability to scale storage and compute separately in a more granular fashion. Is that a big deal for you? So I actually, I remember speaking to Doug Merritt probably three years ago. I just started this. And I said, Doug, what's it called? I said, I really think that that's the direction that you need to go. You're going to have to separate those two eventually because we're doing petabyte scale. We realized very early that that needed to be done. And so it's really, really refreshing to see because it's going to be transformative to be able to do compute on demand after that. Because now we can start looking at API brokers and we can start looking at containers and all those other things can be integrated into Splunk. Love having customers on like you guys, who are so knowledgeable. I have to ask, switch gears a little bit. I want to ask you about your security regime. We had a customer on yesterday and it was the CISO who reported to him, he was the EVP and he reported to the CIO. A lot of organizations say, you know what? We want the CISO to be separate from the CIO because it's like the fox in the henhouse kind of thing. And we want that sort of a little bit of tension in there. How do you guys approach it? What's the regime you have for that? That is a fair question. And I've heard that from many other CISOs that have that same sort of complaint. And I think it's really organization based. And I think, do you have the checks and balances in place? First of all, our CIO, Steve Randich, is extremely, he cares a lot about security and he is very good at getting funding for us for initiatives to help secure the environment. But more importantly, our board of directors bring up security at every board event. They care about it, they know about it, and that permeates through the organization.
So there's checks and balances to make sure that we have the right security in place and it's a working relationship, not adversarial at all. So having our CISO John Brady report to Steve Randich, the CIO, has not been a hindrance. And I think that's a change in the last several years because that regime that I described, which was, there was a sort of wave there where that became common. And I think you just hit on it. When security became a board level issue and for every Fortune 1000, Global 2000 company, it's a board level issue. They talk about it at every board meeting. When that occurred, I think there was an epiphany of, we need the CIO to actually be on this. And you want the CIO to be responsible for that. And the change was, it used to be, hey, if I fail, I get fired. And I think boards now realize that failure in security doesn't mean you got breached. You know, breaches are going to happen. It's how you respond to them and how you react to them that is becoming more important. So there's much more transparency around security. In our view, I wonder if you agree with that. I think there's transparency. And the other thing is that you have to put the decision making where it makes the most sense. Most of the security breaches that we're talking about are highly technical in nature, where a CIO is better able to evaluate some of those decisions. Not all companies have a CEO that came from a technology training in order to be able to make those decisions. So I think it makes more sense to have the CISO report to somebody in the technology world. That's great, thank you for that. Now the other question I have for you is in terms of FINRA's experience with Splunk, did it start with SecOps in security or was it sort of IT operations? It did, it started with security.
We were disenfranchised with traditional SIEMs that were out there and we decided to go with Splunk, and we made the decision that security was going to own it, but we wanted it to be a corporate asset from day one. And we worked our tails off to integrate through brown bags, through training. So we permeated through the organization. And on any given week, we pull about 35 to 40% of all of technology is using Splunk at FINRA. So I'm curious as to, we heard some announcements today, I don't know if you saw them, about Splunk Next building on that, Splunk for the line of business, the business flow, they did a nice demo there. Do you see, because security was sort of the starting point and your mission was always to permeate the organization, do you see that continuing to other parts of the organization more aggressively now given this sort of democratization of data for the business lines, and will you guys be a part of that or directly? We hope so, we hope we have part of that change too. I mean, the more we can use the same data for even business users, that would help them. That would relieve a lot of, they've made this point again and again in the keynote too that the IT ops and SecOps are already burdened enough. So how do we make life easy for business users to actually leverage the same data? So we hope to be able to put these tools up and see if we can make any difference to business users. So you guys have put a lot of emphasis on integrating with Splunk and AWS Cloud. You have a presentation later on today at .conf18 around the AWS Firehose. What's that all about? What's the AWS Firehose? How are you integrating it? Why is it important? So it is streaming and it allows me to get information from AWS that's typically in something called CloudWatch Logs that is really difficult to be able to talk to. And I want to get it into Splunk so that I can get more value from it.
And what I'm able to do is put something called a subscription filter on it and flow that data directly into Splunk. So Splunk worked with AWS to create this integration between the two tools. And we think we've taken it to a high level. We use it for Lambda to grab those logs. We use it for VPC flow logs. We're using it as SaaS providers provide APIs into their data. We use it for that. And finally we're going to be doing database activity monitoring all leveraging this same technology. Love it. I mean, you guys are on the forefront of cloud and Splunk integration, cloud adoption, DevOps. You guys have always been great about sharing your knowledge with others and really appreciate you guys coming on theCUBE. Thank you. Thanks for having us. You're welcome. All right, keep it right there, everybody. Stu and I are back. You're watching theCUBE from .conf18, Splunk's big user conference. We'll be right back.