Okay, welcome back to here in Las Vegas. We're at Splunk .conf 2013. This is theCUBE, SiliconANGLE's flagship program. We go out to the events, extract the signal from the noise. Second day of two days of live wall-to-wall coverage. I'm John Furrier with Dave Vellante. Mark Seward is here. Senior Director of Security and Compliance, marketing at Splunk. Welcome to theCUBE.

Thanks, glad to be here.

So I got to ask you, a lot of customers have come on theCUBE the past two days and they're raving with the product. Just all the compliments are coming in. But we've had a couple conversations yesterday about security and they feel liberated. So I got to ask you, how has that affected your product? A lot of people are using it for security, compliance, because all the data's there. So tell us, what's the security angle for this Splunk conference?

I've actually seen that, that liberating kind of feeling come over people. It's kind of like a glow that kind of washes over them when they get that big light bulb over their head at the same time. And so what's liberating about it is that they're actually able to answer questions with what is usually considered to be exhaust gas in the business. I mean the exhaust gas of data that comes off of servers and applications, taking a look at that and understanding whether this data is security relevant. And in fact, Splunk makes all data security relevant and that's what makes it unique and gives them that feeling.

Talk about in that vertical, particularly that category, the traction and some of the things that you guys are doing with the product because it does have a ton of traction. People are using it. They feel good about it. So what are some of the features and one of the things going on with the product?

Oh gosh.
I mean today we obviously announced Splunk, since you've probably had some folks on that already talked about Splunk 6 and how we're trying to make the data more accessible and available to everyone, where we're actually taking and allowing people to pivot through their data, creating their own reports. You know, I actually, I saw that glow on a customer's face the other day when I was talking about Splunk 6 and the fact that this gentleman I was talking to was always having to create reports for C-level folks above him and he was looking forward to being able to teach them how to simply point and click to build their own reports inside of Splunk and let them get the information that they want. And that's really a huge enabling feature for the rest of the business.

You had the NSA CTO on yesterday keynote, talking about the risk management side of the business. What else is there involved with security concerns that people have with the data? Because it is the exhaust, it is laying around, is it just that they're not acting on the data, they're using it proactively, reactively, can you comment on that?

They're using it reactively for the most part and when you think about the data and how the data is really the definitive record of all of the human to machine and machine to machine interactions you've got inside of your business or your agency, it's at this definitive record that you can put together in many ways to answer what I used to call the five W's of journalism.
You know, in the first paragraph of any newspaper article is who, what, when, where and why and that's really what security people want to get at is they want to get at that kind of thing and it's all inside of that data either through the data itself or through correlations amongst the data so where you can answer things like fraud use cases for example or you can answer security use cases or you can take a look and understand whether or not you might have had some kind of disgruntled employee go into a clean room in a manufacturing facility and turn up the temperature five degrees, badge in and as a result contaminate a whole product set that may go out the door, may hit the shelves and then cause all kinds of reputational issues for their business. So when you think about data and this definitive record that crosses over multiple parts of the business and how you can use it in many different ways suddenly you have a multiple use case single layer of fabric across the business that you can actually harvest information from and ask questions of.

So there's also compliance and security tools at the same time?

Sure, correct. I mean, again, that definitive record allows me to just as easily see whether or not I have an insider threat as whether or not I've got somebody who feels entitled for example to intellectual property and is going to walk out the door with it. When I first thought about the types of things I needed to know as a security professional or the things my chief tools I would use to say firewalls, antivirus, IPS. And now I think it's more my book of statistics so I can begin to understand outliers and know what's normal and what's not. My creativity and my imagination and then my subscription to Psychology Today to understand how people think. Because once you have all that data and if you can use apply yourself in those ways there's no limit to what you can actually accomplish.
So Mark, you made the statement that Splunk makes all data security relevant. I wonder if we could dig into that a little bit. Can you just give us some detail on what you mean by that?

Well when I think about the security relevance of data so maybe I have a billing system for a public utility. And I've got people who routinely go out and solve problems. They're in their trucks, a utility truck, they're circulating around. And I have a billing event that causes a shut off. That would be a normal kind of thing for me to have happen. Someone's electricity or water or power is shut off because there was a billing event. Well what happens if I happen to see that there's a truck outside of a particular location in GPS data that I collect and there's no billing event that would trigger a shut off. Yet the meter registers that shut off. Do I have an insider threat? Do I have a person who has potentially taken that meter off or shut it off somehow so that to shut off the electricity so that I could go in and rob the place? I need to know whether or not there is an event that's driving a person or an individual to go do something. And then once I know that, then that's legitimate. But if there's no billing event and I see these other two things happen, then I've got a problem. So that's kind of a security event in the case that that would be some data that a security guy would be tapped on the shoulder and say, hey, can you figure this out for me? It's not necessarily the typical kind of threat that you'd see, but it's actually insider fraud.

Is, I want to ask you sort of a divergent question but it's somewhat related. Is Splunk making us safer from a national security standpoint? I mean, is it clear and present danger in terms of infrastructure attacks and the like? You read a lot about this, potentially attacking nuclear facilities, shutting down electric grids. Can Splunk make us safer in that regard?

Absolutely.
And it's not that I sleep better because my customers have Splunk, but I'd like to be able to say that. But when I think about the supply chain for a nuclear reactor, what happens if I have a nuclear reactor and there's nothing wrong inside the nuclear reactor itself? Everything is normal, but my water supplier, the water I need to cool a reactor is having a problem. So that's a potential threat to my being able to properly deal with the nuclear reactor, make sure it stays cooled. So I want to be able to take data from my ecosystem of suppliers to be able to know whether or not I'm going to have a downstream problem or an upstream problem from me. And that's certainly making us safer in that that knowledge allows me to take some sort of action prior to my having a problem inside of my nuclear reactor if I know I've got a water or cooling problem.

Are you seeing customers, so part of that equation of response is having the data and making sure the data's obviously accurate. But are you seeing customers adapt to their processes so that they can actually respond in time? I won't say in real time, but in time before the threat occurs?

Yeah, that's again, the example I just used would be one example of where if you see these things, then take this particular action. And we have customers implementing us in that manner all the time where we have just a very basic use case of IT operations where for example, if I see these three things happen in this amount of time, I've got 20 minutes before the server goes down. And some of our brick and mortar retail customers who have servers that they need to keep up 100% of the time in a holiday season to collect sales, that's very important to them.
If you take that analogy and apply it to the supply chain, to situations where you have partners that are interconnected with you actively, perhaps they're inserting things into your database and you're able to then sell those goods sort of in a just in time kind of way, I'm able to take that data and use that to react in many different ways.

Excellent, okay, so you've actually, but you actually, if I go back to the security threat issue, from a process standpoint, it seems like that's the big step that people have to take. How does that occur? I mean, is it something that occurs internally? Are you doing that with your partners? Does Splunk have any role in that? Are you just sort of the platform provider? I mean, I know you're providing the platform, but can you catalyze any other activity there? Because it seems like that's a critical step in terms of reaching that objective.

Sure, Splunk can act as the glue between a lot of different solutions that customers have on the security side. And we have a very large bank in Southern California that has a couple of common products. They have a Blue Coat for proxy data and they have a FireEye, which is exhibiting here as a way to detect command and control sites. So as FireEye sees something new, as they see something, some sort of connection to a command and control site outbound, they report that to Splunk. And Splunk executes a script that says, okay, I see this new, I'm going to append this particular domain into my Blue Coat data to prevent people from going to that particular site all in real time. So Splunk can sort of be, can act as a catalyst as well as a platform. I can actually write a script to have Splunk do many different things. You know, just off the topic of security for two seconds where one of the most interesting things I've seen a customer do is they had sort of an arbitrage list of the cost of kilowatts per hour in Australia.
And what happens is when the kilowatts per hour price comes up to a certain level, Splunk executes a script to go turn on five large diesel generators to add power to the power grid. So Splunk has the ability to talk to other parts of the infrastructure and automate those kinds of responses.

What are some of the power folks doing? I'm just a great example. Because power is one of those things where they can use a lot of utility data. Are they doing a lot of big data? Do you have any customers in the power and utility space?

We do, a lot of them so far are using Splunk for sort of classic use cases for availability of applications through application monitoring and management, security of those kinds of applications. We're just starting to see some of those customers take, for example, SCADA firewall data and begin to put that into Splunk. We're just beginning to see some of those same customers look at sensor data from pipelines and begin to monitor in real time whether or not they've got pipelines that are seeing too much pressure or looking for failures in various pipelines based on the fact they see a sudden drop in pressure. So I'd say there, power and energy is really more about availability and safety than anything else. I mean, I want to constantly be able to deliver my power to customers. So I want to make sure my systems are available and that's the use case we see primarily there.

I got to ask you about this sweeping IT right now, that's BYOD, right? So that's something that is near and dear to everyone's heart, consumerization of IT. That's a lot of data coming in there. So people are looking at usage, just some security and also what's your take on BYOD and what are you guys playing a role in that?

Well, that BYOD forces a lot of our customers to become much, much more dependent on network layer data.
Because suddenly if I've lost, if I don't have control over the endpoint and I can't put an agent on that, for example, I need to be able to at least monitor what that endpoint is actually doing, what that server is doing. So bring your own data or bring your own device, actually presents a whole lot of challenges as Splunk is actually qualified to perform. And that's a lot of analytics. I need to know whether or not this particular host without an agent on it is doing things it's not supposed to be doing. So by taking data from the network layer, I can begin to paint a fingerprint of what that host does on a regular basis and then look for changes in that profile for that host along the same line for the user where maybe I have proxy data and the ratio of different types of sites that that person goes to is pretty fixed and pretty constant. And then suddenly that changes dramatically. This person is now, I don't know, maybe they suddenly got religion or maybe they're suddenly surfing to gun sites. You'd want to know that the ratio of those things changes, changed. And that's kind of nice because you don't necessarily have to monitor where they're going to as much as you monitor the type of sites they're going to and the changes in that ratio to figure out what that endpoint is doing. So analytics helps on a BYOD environment quite a bit.

Did Splunk help Bin Laden? You don't have to answer that.

I can't say that on, I've been advised by my attorney.

You guys have a lot of attorneys now. He's your public company.

Yeah, exactly, exactly, I do. And I love them, I know you're out there, I love your attorneys.

What do we all do? What's the hottest trend in security? Now, stepping outside the Splunk, looking at the security landscape, what in your opinion, what's the hottest trend that people are talking about and working on in the security space?
I think the hottest trend right now is actually applying analytics and statistical analysis to data rather than relying on signature-based systems. And there was a time when I was running, managing a SIM when I was really happy because basically the data was reduced into that big funnel that we all imagined and there were these few drops of blood that come out the bottom. Those are my security incidents and I would wait for something to happen and then I would go investigate that. And applying analytics to data really does change the game because I can begin to really look for outliers, statistical outliers, things that are not the norm. And then when I find that, it's not necessarily a problem, but it's an indication that there could be and I'm able to be much more proactive than I ever have been before with statistical analysis.

How reliable is that? Is it getting reliable?

It's pretty reliable. It also depends on how far out your outliers are. For example, if you're looking at a URL that's 10 times the normal length of all the URLs that your customers are using to surf with or in your web logs, that's more than likely, it's pretty much a certainty there's command and control instructions embedded in it. So you can begin to take a look at outliers far out and sort of throttle that back until you begin to get true false positives and stop and say, okay, anything outside of bounds out there is something that I need to take care of or something I need to look at.

Mark, great to have you on theCUBE, really appreciate security, obviously top concern, liberation for folks out there in the compliance, risk management, also security, space, Splunk. You guys done a great job. We're at Splunk Conference at theCUBE. I'm John Furrier with Dave Vellante. We'll be right back with our next guest after this short break. Live coverage of day two exclusive coverage here at Splunk .conf 2013, right back.